Your Computer Has Been LOCKED - Help!

This topic is locked
24 replies to this topic

#1 carp104

carp104

  • Members
  • 37 posts
  • OFFLINE
  • Local time:11:58 PM

Posted 27 November 2013 - 10:10 AM

So it looks like I got the "Your computer has been locked" virus, and I have tried everything I have found online to remove it with no success.  System Restore is not an option as there is only one restore point (more than 60 days old) and it gives an error when trying to restore.

 

The locked screen only pops up under the username that was infected.  If I login as admin it does not pop up.  Tried Malwarebytes, Webroot, Rkill, and some others and no success.

 

Running Windows Vista

64 Bit

 

Please HELP!


Edited by carp104, 27 November 2013 - 10:10 AM.



#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:58 AM

Posted 27 November 2013 - 11:02 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

 

Scan with FRST (Recovery Environment)


To run FRST on Vista and Windows 7:



Plug the flashdrive into the infected PC.

Enter System Recovery Options.


To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.



To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Select Command Prompt.


In the command window:

  • Type in notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
  • Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press the Scan button.

It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


Proud Member of UNITE & TB

#3 carp104

carp104
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  • Local time:11:58 PM

Posted 27 November 2013 - 11:28 AM

Hello Marius and thank you for the prompt reply.

 

Before I get started, will the files on the flash drive I use for this be safe, or should I use an empty flash drive?

 

Thanks!



#4 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:58 AM

Posted 27 November 2013 - 11:39 AM

The files will not be harmed but it is better to use an empty one (as you have a better overview then...)



#5 carp104

carp104
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  • Local time:11:58 PM

Posted 27 November 2013 - 05:49 PM

Saved recovery scan tool to flash drive, but can't even get past Step 1. 

 

Upon booting into system recovery options, there is NO option for "Repair your computer". 

 

Here are my recovery options.  How to proceed?




#6 carp104

carp104
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  • Local time:11:58 PM

Posted 27 November 2013 - 06:02 PM

I was able to select "Last known good configuration" from the above options and log into the infected user account.  I ran the Farbar recovery scan tool from the flash drive this way. I don't know if it will make a difference or not doing it this way, as I know this is not what you suggested, but I'll post the log anyway and wait on your response:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 27-11-2013 01
Ran by Matt (administrator) on MATT-PC on 27-11-2013 17:56:33
Running from C:\Users\Matt\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1RA08G0M
Windows Vista ™ Home Premium Service Pack 2 (X64) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

==================== Could not list processes ===============

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [AdobeAAMUpdater-1.0] - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [499608 2011-03-15] (Adobe Systems Incorporated)
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKLM\...\Policies\Explorer: [NoViewOnDrive] 0
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKLM\...\Policies\Explorer: [DisableLocalMachineRun] 0
HKLM\...\Policies\Explorer: [DisableLocalMachineRunOnce] 0
HKLM\...\Policies\Explorer: [DisableCurrentUserRun] 0
HKLM\...\Policies\Explorer: [DisableCurrentUserRunOnce] 0
HKLM\...\Policies\Explorer: [NoViewContextMenu] 0
HKLM\...\Policies\Explorer: [NoShellSearchButton] 0
HKLM\...\Policies\Explorer: [NoFind] 0
HKLM\...\Policies\Explorer: [NoFile] 0
HKLM\...\Policies\Explorer: [HideClock] 0
HKLM\...\Policies\Explorer: [NoTrayContextMenu] 0
HKLM\...\Policies\Explorer: [NoTrayItemsDisplay] 0
HKLM\...\Policies\Explorer: [NoSetFolders] 0
HKLM\...\Policies\Explorer: [NoDevMgrUpdate] 0
HKLM\...\Policies\Explorer: [NoSetTaskbar] 0
HKLM\...\Policies\Explorer: [NoDeletePrinter] 0
HKLM\...\Policies\Explorer: [NoDFSTab] 0
HKLM\...\Policies\Explorer: [NoChangeStartMenu] 0
HKLM\...\Policies\Explorer: [NoLogoff] 0
HKLM\...\Policies\Explorer: [NoWindowsUpdate] 0
HKLM\...\Policies\Explorer: [NoEncryptOnMove] 0
HKLM\...\Policies\Explorer: [NoRunasInstallPrompt] 0
HKLM\...\Policies\Explorer: [NoResolveSearch] 0
HKLM\...\Policies\Explorer: [NoSaveSettings] 0
HKLM\...\Policies\Explorer: [NoHardwareTab] 0
HKLM\...\Policies\Explorer: [NoStartMenuSubFolders] 0
HKLM\...\Policies\Explorer: [NoDesktop] 0
HKCU\...\Run: [AROReminder] - [x]
HKCU\...\Run: [Google Update] - C:\Users\Matt\AppData\Local\Google\Update\GoogleUpdate.exe [136176 2012-01-30] (Google Inc.)
HKCU\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2009-07-23] (Google Inc.)
HKCU\...\Run: [Adobe CSS5.1 Manager] - C:\Users\Matt\AppData\Local\c750843f-8555-4ab8-87f2-ce4c01f6f51bad\cfabfcecffbad.exe <===== ATTENTION
HKCU\...\Run: [KB4957206] - C:\Users\Matt\AppData\Local\KB4957206\KB4957206.exe [103978 2013-11-26] ()
HKCU\...409d6c4515e9\InprocServer32: [Default-shell32] C:\$Recycle.Bin\S-1-5-21-2913236317-814230174-4002188810-1000\$a09761e99f17bdb887d9b6d1d5d87ed8\n. ATTENTION! ====> ZeroAccess?
HKCU\...\Policies\system: [DisableCMD] 0
HKCU\...\Policies\system: [NoDispAppearancePage] 0
HKCU\...\Policies\system: [NoDispBackgroundPage] 0
HKCU\...\Policies\system: [NoDispSettingsPage] 0
HKCU\...\Policies\Explorer: [NoFolderOptions] 0
HKCU\...\Policies\Explorer: [NoViewOnDrive] 0
HKCU\...\Policies\Explorer: [NoControlPanel] 0
HKCU\...\Policies\Explorer: [DisableLocalMachineRun] 0
HKCU\...\Policies\Explorer: [DisableLocalMachineRunOnce] 0
HKCU\...\Policies\Explorer: [DisableCurrentUserRun] 0
HKCU\...\Policies\Explorer: [DisableCurrentUserRunOnce] 0
HKCU\...\Policies\Explorer: [NoViewContextMenu] 0
HKCU\...\Policies\Explorer: [NoShellSearchButton] 0
HKCU\...\Policies\Explorer: [NoFind] 0
HKCU\...\Policies\Explorer: [NoFile] 0
HKCU\...\Policies\Explorer: [HideClock] 0
HKCU\...\Policies\Explorer: [NoTrayContextMenu] 0
HKCU\...\Policies\Explorer: [NoTrayItemsDisplay] 0
HKCU\...\Policies\Explorer: [NoSetFolders] 0
HKCU\...\Policies\Explorer: [NoDevMgrUpdate] 0
HKCU\...\Policies\Explorer: [NoSetTaskbar] 0
HKCU\...\Policies\Explorer: [NoDeletePrinter] 0
HKCU\...\Policies\Explorer: [NoDFSTab] 0
HKCU\...\Policies\Explorer: [NoChangeStartMenu] 0
HKCU\...\Policies\Explorer: [NoLogoff] 0
HKCU\...\Policies\Explorer: [NoWindowsUpdate] 0
HKCU\...\Policies\Explorer: [NoEncryptOnMove] 0
HKCU\...\Policies\Explorer: [NoRunasInstallPrompt] 0
HKCU\...\Policies\Explorer: [NoResolveSearch] 0
HKCU\...\Policies\Explorer: [NoSaveSettings] 0
HKCU\...\Policies\Explorer: [NoHardwareTab] 0
HKCU\...\Policies\Explorer: [NoStartMenuSubFolders] 0
HKLM-x32\...\Run: [] - [x]
HKLM-x32\...\Run: [AdobeCS5.5ServiceManager] - C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe [1523360 2011-01-12] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SwitchBoard] - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS5ServiceManager] - C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe [406992 2010-02-22] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [vProt] - C:\Program Files (x86)\AVG Secure Search\vprot.exe [2420248 2013-11-10] ()
HKLM-x32\...\Run: [WRSVC] - C:\Program Files (x86)\Webroot\WRSA.exe [756840 2013-11-03] (Webroot)
HKLM-x32\...\Run: [ArcSoft Connection Service] - C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [207424 2010-10-27] (ArcSoft Inc.)
HKU\Administrator\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Administrator\...\Run: [OM2_Monitor] - "C:\Program Files (x86)\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
HKU\Administrator\...\Policies\system: [DisableCMD] 0
HKU\Administrator\...\Policies\system: [NoDispAppearancePage] 0
HKU\Administrator\...\Policies\system: [NoDispBackgroundPage] 0
HKU\Administrator\...\Policies\system: [NoDispSettingsPage] 0
HKU\Default\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Default User\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk
ShortcutTarget: MyPC Backup.lnk -> C:\Program Files (x86)\MyPC Backup\MyPC Backup.exe (MyPCBackup.com)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x9DCBA4F48892C101
URLSearchHook: HKLM-x32 - WinZipBar Toolbar - {50fafaf0-70a9-419d-a109-fa4b4ffd4e37} - C:\Program Files (x86)\WinZipBar\prxtbWin0.dll No File
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
SearchScopes: HKLM-x32 - {0B4A10D1-FBD6-451d-BFDA-F03252B05984} URL = http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&query={searchTerms}&invocationType=tb50trie7
SearchScopes: HKLM-x32 - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3106777
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKCU - {95B7759C-8C7F-4BF1-B163-73684A933233} URL = http://isearch.avg.com/search?cid={FE8D4B56-1438-4810-88FC-AAEFC8D62E0A}&mid=a6cb63c3949b42b5a4a36ae22cc741a5-47169adb81368b6208dea8bfe576cab244d98947&lang=en&ds=hk011&pr=sa&d=2012-06-18 02:37:39&v=15.3.0.11&pid=avg&sg=0&sap=dsp&q={searchTerms}
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg64.dll (Google Inc.)
BHO: Webroot Filtering Extension - {C9C42510-9B41-42c1-9DCD-7282A2D07C61} - C:\Program Files\WRData\PKG\Vistax64\wrflt.dll (Webroot)
BHO-x32: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
BHO-x32: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files (x86)\Adobe\/Adobe Contribute CS3/contributeieplugin.dll (Adobe Systems Incorporated.)
BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: WinZipBar Toolbar - {50fafaf0-70a9-419d-a109-fa4b4ffd4e37} - C:\Program Files (x86)\WinZipBar\prxtbWin0.dll No File
BHO-x32: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\17.1.2.1\AVG Secure Search_toolbar.dll (AVG Secure Search)
BHO-x32: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: Skype add-on for Internet Explorer - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO-x32: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll (Google Inc.)
BHO-x32: Webroot Filtering Extension - {C9C42510-9B41-42c1-9DCD-7282A2D07C61} - C:\Program Files\WRData\PKG\Vistax86\wrflt.dll (Webroot)
BHO-x32: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files (x86)\Free Download Manager\iefdm2.dll No File
BHO-x32: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN\Toolbar\3.0.1125.0\msneshellx.dll (Microsoft Corp.)
BHO-x32: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files (x86)\MSN\Toolbar\3.0.1125.0\msneshellx.dll (Microsoft Corp.)
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files (x86)\Adobe\/Adobe Contribute CS3/contributeieplugin.dll (Adobe Systems Incorporated.)
Toolbar: HKLM-x32 - Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
Toolbar: HKLM-x32 - WinZipBar Toolbar - {50fafaf0-70a9-419d-a109-fa4b4ffd4e37} - C:\Program Files (x86)\WinZipBar\prxtbWin0.dll No File
Toolbar: HKLM-x32 - AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\17.1.2.1\AVG Secure Search_toolbar.dll (AVG Secure Search)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKCU - No Name - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} -  No File
Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Toolbar: HKCU - No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} -  No File
Toolbar: HKCU - No Name - {50FAFAF0-70A9-419D-A109-FA4B4FFD4E37} -  No File
Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -  No File
DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: HKLM-x32 {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: HKLM-x32 {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} http://myitlab.pearsoned.com/Pegasus/Modules/SIMIntegration/Resources/ax/stub.cab
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} -  No File
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Handler-x32: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\17.1.2\ViProtocol.dll (AVG Secure Search)
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9 01 mswsock.dll File Not found ()
Winsock: Catalog9 02 mswsock.dll File Not found ()
Winsock: Catalog9 03 mswsock.dll File Not found ()
Winsock: Catalog9 04 mswsock.dll File Not found ()
Winsock: Catalog9 05 mswsock.dll File Not found ()
Winsock: Catalog9 06 mswsock.dll File Not found ()
Winsock: Catalog9 07 mswsock.dll File Not found ()
Winsock: Catalog9 08 mswsock.dll File Not found ()
Winsock: Catalog9 09 mswsock.dll File Not found ()
Winsock: Catalog9 10 mswsock.dll File Not found ()
Winsock: Catalog5-x64 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9-x64 01 mswsock.dll File Not found ()
Winsock: Catalog9-x64 02 mswsock.dll File Not found ()
Winsock: Catalog9-x64 03 mswsock.dll File Not found ()
Winsock: Catalog9-x64 04 mswsock.dll File Not found ()
Winsock: Catalog9-x64 05 mswsock.dll File Not found ()
Winsock: Catalog9-x64 06 mswsock.dll File Not found ()
Winsock: Catalog9-x64 07 mswsock.dll File Not found ()
Winsock: Catalog9-x64 08 mswsock.dll File Not found ()
Winsock: Catalog9-x64 09 mswsock.dll File Not found ()
Winsock: Catalog9-x64 10 mswsock.dll File Not found ()
Hosts: 127.0.0.2 licensing.intellimon.com mailserver.intellimon.com
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\60nid781.default
FF DefaultSearchEngine: WinZipBar Customized Web Search
FF SelectedSearchEngine: WinZipBar Customized Web Search
FF Homepage: hxxp://isearch.avg.com/?cid={FE8D4B56-1438-4810-88FC-AAEFC8D62E0A}&mid=a6cb63c3949b42b5a4a36ae22cc741a5-47169adb81368b6208dea8bfe576cab244d98947&lang=en&ds=hk011&pr=sa&d=2012-06-18 02:37:39&v=15.3.0.11&pid=avg&sg=0&sap=hp
FF Keyword.URL: hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3106777&SearchSource=2&CUI=UN14202307865863557&UM=&q=
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_11_9_900_117.dll ()
FF Plugin: @microsoft.com/VirtualEarth3D,version=4.0 - C:\Program Files (x86)\Virtual Earth 3D\ ()
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_9_900_117.dll ()
FF Plugin-x32: @adobe.com/ShockwavePlayer - C:\Windows\system32\Adobe\Director\np32dsw.dll No File
FF Plugin-x32: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin - C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\17.1.2\\npsitesafety.dll (AVG Technologies)
FF Plugin-x32: @java.com/JavaPlugin - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeLive,version=1.5 - C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF Plugin-x32: @microsoft.com/VirtualEarth3D,version=4.0 - C:\Program Files (x86)\Virtual Earth 3D\ ()
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3538.0513 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WPF,version=3.5 - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @citrixonline.com/appdetectorplugin - C:\Users\Matt\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF Plugin HKCU: @talk.google.com/GoogleTalkPlugin - C:\Users\Matt\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
FF Plugin HKCU: @talk.google.com/O1DPlugin - C:\Users\Matt\AppData\Roaming\Mozilla\plugins\npo1d.dll (Google)
FF Plugin HKCU: @talk.google.com/O3DPlugin - C:\Users\Matt\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Users\Matt\AppData\Local\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Users\Matt\AppData\Local\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF SearchPlugin: C:\Users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\60nid781.default\searchplugins\bing-zugo.xml
FF SearchPlugin: C:\Users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\60nid781.default\searchplugins\winzipbar-customized-web-search.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\answers.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\avg-secure-search.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\creativecommons.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\avg-secure-search.xml
FF Extension: Search Toolbar - C:\Users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\60nid781.default\Extensions\searchtoolbar@zugo.com
FF Extension: LastPass - C:\Users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\60nid781.default\Extensions\support@lastpass.com
FF Extension: Microsoft .NET Framework Assistant - C:\Users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\60nid781.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF Extension: SeoQuake - C:\Users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\60nid781.default\Extensions\{317B5128-0B0B-49b2-B2DB-1E7560E16C74}
FF Extension: WinZipBar  - C:\Users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\60nid781.default\Extensions\{50fafaf0-70a9-419d-a109-fa4b4ffd4e37}
FF HKLM-x32\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF HKLM-x32\...\Firefox\Extensions: [avg@toolbar] - C:\ProgramData\AVG Secure Search\FireFoxExt\17.1.2.1
FF Extension: AVG Security Toolbar - C:\ProgramData\AVG Secure Search\FireFoxExt\17.1.2.1
FF HKLM-x32\...\Firefox\Extensions: [webrootsecure@webroot.com] - C:\ProgramData\WRData\PKG\FIREFOX\WebrootSecure_SocketServer
FF Extension: Webroot Filtering Extension - C:\ProgramData\WRData\PKG\FIREFOX\WebrootSecure_SocketServer

Chrome:
=======
CHR HomePage: hxxp://isearch.avg.com/?cid={FE8D4B56-1438-4810-88FC-AAEFC8D62E0A}&mid=a6cb63c3949b42b5a4a36ae22cc741a5-47169adb81368b6208dea8bfe576cab244d98947&lang=en&ds=hk011&pr=sa&d=2012-06-18 02:37:39&v=15.3.0.11&pid=avg&sg=0&sap=hp
CHR RestoreOnStartup: "hxxp://isearch.avg.com/?cid={FE8D4B56-1438-4810-88FC-AAEFC8D62E0A}&mid=a6cb63c3949b42b5a4a36ae22cc741a5-47169adb81368b6208dea8bfe576cab244d98947&lang=en&ds=hk011&pr=sa&d=2012-06-18 02:37:39&v=15.3.0.11&pid=avg&sg=0&sap=hp"]},"tabs":{"use_vertical_tabs"
CHR Extension: (YouTube) - C:\Users\Matt\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2_0
CHR Extension: (Google Search) - C:\Users\Matt\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.14_0
CHR Extension: (WinZip Courier) - C:\Users\Matt\AppData\Local\Google\Chrome\User Data\Default\Extensions\ilckobikkmajlmhhdenkhonjkoaneclk\3.5.0_0
CHR Extension: (Gmail) - C:\Users\Matt\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\6.1.3_0
CHR HKLM-x32\...\Chrome\Extension: [dblebgkanaecgapcfefmedflbdhmblog] - C:\ProgramData\WRData\PKG\CHROME\CHROME_1.0.0.14.crx
CHR HKLM-x32\...\Chrome\Extension: [fjpdnoojnohifgekbkmnfbiobhcbedka] - C:\Program Files (x86)\outobox\fjpdnoojnohifgekbkmnfbiobhcbedka.crx
CHR HKLM-x32\...\Chrome\Extension: [ndibdjnfmopecpmkdieinmbadjfpblof] - C:\ProgramData\AVG Secure Search\ChromeExt\17.1.2.1\avg.crx

==================== Services (Whitelisted) =================

R2 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
S2 BackupStack; C:\Program Files (x86)\MyPC Backup\BackupStack.exe [38440 2013-09-19] (Just Develop It)
R2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [109352 2013-11-26] (SurfRight B.V.)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S3 McComponentHostService; C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [227232 2010-01-15] (McAfee, Inc.)
R2 PnkBstrA; C:\Windows\SysWow64\PnkBstrA.exe [75064 2010-02-24] ()
R2 PnkBstrB; C:\Windows\SysWow64\PnkBstrB.exe [99904 2010-04-11] ()
R2 vToolbarUpdater17.1.2; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\17.1.2\ToolbarUpdater.exe [1734680 2013-11-10] (AVG Secure Search)
R2 WRSVC; C:\Program Files (x86)\Webroot\WRSA.exe [756840 2013-11-03] (Webroot)

==================== Drivers (Whitelisted) ====================

S3 Arctosa; C:\Windows\System32\drivers\Arctosa.sys [20480 2008-09-12] (Razer USA Ltd.)
R2 ASInsHelp; C:\Windows\SysWow64\drivers\AsInsHelp64.sys [11832 2008-01-04] ()
R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [14392 2007-12-17] ()
R1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [46368 2013-11-10] (AVG Technologies)
R3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [32512 2013-11-27] ()
S3 ialm; C:\Windows\System32\DRIVERS\igdkmd64.sys [1930176 2006-10-18] (Intel Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15680 2006-10-31] ()
S3 PnkBstrK; C:\Windows\SysWow64\drivers\PnkBstrK.sys [22584 2010-04-11] ()
R0 WRkrn; C:\Windows\System32\drivers\WRkrn.sys [114720 2013-11-03] (Webroot)
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
U4 Messenger;
S3 NVHDA; system32\drivers\nvhda64v.sys [x]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
U0 SR;
U2 srservice;
S3 USBAAPL64; System32\Drivers\usbaapl64.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-11-27 17:57 - 2013-11-27 17:57 - 00000508 _____ C:\Windows\system32\.crusader
2013-11-27 17:56 - 2013-11-27 17:56 - 00000000 ____D C:\FRST
2013-11-27 17:43 - 2013-11-27 17:43 - 00126885 _____ C:\Users\Administrator\Desktop\1
2013-11-27 06:00 - 2013-11-27 06:01 - 00728960 _____ (Enigma Software Group USA, LLC.) C:\Users\Administrator\Downloads\SpyHunter-Installer(1).exe
2013-11-27 05:56 - 2013-11-27 06:04 - 00000000 ____D C:\Windows\72AAF4551E54475BB0AB5413C78D0E63.TMP
2013-11-27 05:54 - 2013-11-27 05:54 - 00728960 _____ (Enigma Software Group USA, LLC.) C:\Users\Administrator\Downloads\SpyHunter-Installer.exe
2013-11-27 05:35 - 2013-11-27 05:36 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Administrator\Downloads\mbam2(1).exe
2013-11-27 05:33 - 2013-11-27 05:33 - 01898232 _____ (Bleeping Computer, LLC) C:\Users\Administrator\Downloads\rkill(1).com
2013-11-26 23:51 - 2013-11-26 23:51 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Administrator\Downloads\mbam2.exe
2013-11-26 23:48 - 2013-11-27 05:34 - 00006502 _____ C:\Users\Administrator\Desktop\Rkill.txt
2013-11-26 23:47 - 2013-11-26 23:47 - 01898232 _____ (Bleeping Computer, LLC) C:\Users\Administrator\Downloads\rkill.com
2013-11-26 23:37 - 2013-11-26 23:37 - 00688992 ____R (Swearware) C:\Users\Administrator\Downloads\dds.com
2013-11-26 23:37 - 2013-11-26 23:37 - 00017054 _____ C:\Users\Administrator\Desktop\dds.txt
2013-11-26 23:37 - 2013-11-26 23:37 - 00011406 _____ C:\Users\Administrator\Desktop\attach.txt
2013-11-26 23:20 - 2013-11-26 23:20 - 00000000 ____D C:\Users\Administrator\AppData\Local\Macromedia
2013-11-26 23:06 - 2013-11-27 17:57 - 00012872 _____ (SurfRight B.V.) C:\Windows\system32\bootdelete.exe
2013-11-26 23:06 - 2013-11-27 17:57 - 00000180 _____ C:\Windows\system32\bootdelete.lst
2013-11-26 22:55 - 2013-11-26 22:55 - 00001740 _____ C:\Users\Public\Desktop\HitmanPro.lnk
2013-11-26 22:55 - 2013-11-26 22:55 - 00000000 ____D C:\Program Files\HitmanPro
2013-11-26 22:54 - 2013-11-26 23:06 - 00000000 ____D C:\ProgramData\HitmanPro
2013-11-26 22:53 - 2013-11-26 22:54 - 00000000 ____D C:\Program Files (x86)\MyPC Backup
2013-11-26 22:53 - 2013-11-26 22:53 - 00000894 _____ C:\Users\Administrator\Desktop\MyPC Backup.lnk
2013-11-26 22:53 - 2013-11-26 22:53 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MyPC Backup
2013-11-26 20:13 - 2013-11-26 20:13 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\ArcSoft
2013-11-26 20:13 - 2013-11-26 20:13 - 00000000 ____D C:\Users\Administrator\AppData\Local\ArcSoft
2013-11-23 10:35 - 2013-11-23 10:35 - 00000000 ____D C:\Users\Matt\AppData\Local\KB6202314
2013-11-23 10:21 - 2013-11-23 10:21 - 00000000 ____D C:\Program Files\WRData
2013-11-16 10:38 - 2013-11-16 10:38 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-11-13 01:21 - 2013-11-13 01:35 - 00308224 _____ C:\Users\Matt\Desktop\shallow water anchor.msam
2013-11-13 01:16 - 2013-11-13 01:16 - 00000810 _____ C:\Users\Public\Desktop\Market Samurai.lnk
2013-11-13 01:16 - 2013-11-13 01:16 - 00000000 ____D C:\Program Files (x86)\Market Samurai

==================== One Month Modified Files and Folders =======

2013-11-27 17:57 - 2013-11-27 17:57 - 00000508 _____ C:\Windows\system32\.crusader
2013-11-27 17:57 - 2013-11-26 23:06 - 00012872 _____ (SurfRight B.V.) C:\Windows\system32\bootdelete.exe
2013-11-27 17:57 - 2013-11-26 23:06 - 00000180 _____ C:\Windows\system32\bootdelete.lst
2013-11-27 17:56 - 2013-11-27 17:56 - 00000000 ____D C:\FRST
2013-11-27 17:56 - 2013-07-18 20:30 - 00000000 ____D C:\ProgramData\WRData
2013-11-27 17:54 - 2006-11-02 10:27 - 00049415 _____ C:\Windows\setupact.log
2013-11-27 17:53 - 2013-01-01 22:10 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-11-27 17:52 - 2013-06-03 19:28 - 00000350 _____ C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job
2013-11-27 17:52 - 2010-02-10 17:20 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-11-27 17:52 - 2009-05-15 18:50 - 00000000 ____D C:\ProgramData\NVIDIA
2013-11-27 17:52 - 2006-11-02 10:42 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-11-27 17:52 - 2006-11-02 10:22 - 00003216 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-11-27 17:52 - 2006-11-02 10:22 - 00003216 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-11-27 17:50 - 2006-11-02 10:42 - 00032638 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2013-11-27 17:43 - 2013-11-27 17:43 - 00126885 _____ C:\Users\Administrator\Desktop\1
2013-11-27 17:42 - 2011-01-13 02:41 - 00000000 ____D C:\Users\Administrator\AppData\Local\Google
2013-11-27 07:01 - 2012-02-02 22:37 - 00000904 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2913236317-814230174-4002188810-1000UA.job
2013-11-27 07:01 - 2010-02-10 17:20 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-11-27 06:59 - 2013-09-02 12:53 - 00000322 ____H C:\Windows\Tasks\{83042319-ECF7-4890-BFE3-4B1897C8E3C5}.job
2013-11-27 06:04 - 2013-11-27 05:56 - 00000000 ____D C:\Windows\72AAF4551E54475BB0AB5413C78D0E63.TMP
2013-11-27 06:01 - 2013-11-27 06:00 - 00728960 _____ (Enigma Software Group USA, LLC.) C:\Users\Administrator\Downloads\SpyHunter-Installer(1).exe
2013-11-27 05:54 - 2013-11-27 05:54 - 00728960 _____ (Enigma Software Group USA, LLC.) C:\Users\Administrator\Downloads\SpyHunter-Installer.exe
2013-11-27 05:36 - 2013-11-27 05:35 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Administrator\Downloads\mbam2(1).exe
2013-11-27 05:36 - 2013-07-11 23:35 - 00000916 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-11-27 05:36 - 2013-07-11 23:35 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-11-27 05:34 - 2013-11-26 23:48 - 00006502 _____ C:\Users\Administrator\Desktop\Rkill.txt
2013-11-27 05:33 - 2013-11-27 05:33 - 01898232 _____ (Bleeping Computer, LLC) C:\Users\Administrator\Downloads\rkill(1).com
2013-11-26 23:51 - 2013-11-26 23:51 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Administrator\Downloads\mbam2.exe
2013-11-26 23:47 - 2013-11-26 23:47 - 01898232 _____ (Bleeping Computer, LLC) C:\Users\Administrator\Downloads\rkill.com
2013-11-26 23:37 - 2013-11-26 23:37 - 00688992 ____R (Swearware) C:\Users\Administrator\Downloads\dds.com
2013-11-26 23:37 - 2013-11-26 23:37 - 00017054 _____ C:\Users\Administrator\Desktop\dds.txt
2013-11-26 23:37 - 2013-11-26 23:37 - 00011406 _____ C:\Users\Administrator\Desktop\attach.txt
2013-11-26 23:21 - 2009-05-15 18:10 - 01708253 _____ C:\Windows\WindowsUpdate.log
2013-11-26 23:20 - 2013-11-26 23:20 - 00000000 ____D C:\Users\Administrator\AppData\Local\Macromedia
2013-11-26 23:20 - 2012-03-03 23:46 - 00000390 ____H C:\Windows\Tasks\User_Feed_Synchronization-{3A7C50D9-16DF-40BC-B7D8-BC9F68A778BF}.job
2013-11-26 23:20 - 2012-03-02 22:25 - 00003930 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{3A7C50D9-16DF-40BC-B7D8-BC9F68A778BF}
2013-11-26 23:19 - 2012-07-21 17:37 - 00000000 ____D C:\Users\Administrator\AppData\Local\AVG Secure Search
2013-11-26 23:10 - 2011-01-13 02:41 - 00094912 _____ C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2013-11-26 23:07 - 2008-01-20 22:26 - 00654692 _____ C:\Windows\PFRO.log
2013-11-26 23:06 - 2013-11-26 22:54 - 00000000 ____D C:\ProgramData\HitmanPro
2013-11-26 22:55 - 2013-11-26 22:55 - 00001740 _____ C:\Users\Public\Desktop\HitmanPro.lnk
2013-11-26 22:55 - 2013-11-26 22:55 - 00000000 ____D C:\Program Files\HitmanPro
2013-11-26 22:54 - 2013-11-26 22:53 - 00000000 ____D C:\Program Files (x86)\MyPC Backup
2013-11-26 22:53 - 2013-11-26 22:53 - 00000894 _____ C:\Users\Administrator\Desktop\MyPC Backup.lnk
2013-11-26 22:53 - 2013-11-26 22:53 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MyPC Backup
2013-11-26 22:53 - 2011-01-13 02:38 - 00000000 ___RD C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2013-11-26 22:50 - 2011-01-13 02:37 - 00000000 ____D C:\Users\Administrator
2013-11-26 22:32 - 2012-01-08 02:32 - 00000000 ____D C:\Windows\pss
2013-11-26 20:13 - 2013-11-26 20:13 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\ArcSoft
2013-11-26 20:13 - 2013-11-26 20:13 - 00000000 ____D C:\Users\Administrator\AppData\Local\ArcSoft
2013-11-25 23:41 - 2009-07-24 02:20 - 00000000 ____D C:\Users\Matt\AppData\Roaming\vlc
2013-11-25 21:01 - 2012-02-02 22:36 - 00000852 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2913236317-814230174-4002188810-1000Core.job
2013-11-23 10:35 - 2013-11-23 10:35 - 00000000 ____D C:\Users\Matt\AppData\Local\KB6202314
2013-11-23 10:21 - 2013-11-23 10:21 - 00000000 ____D C:\Program Files\WRData
2013-11-23 10:21 - 2013-07-18 20:30 - 00154312 _____ (Webroot) C:\Windows\SysWOW64\WRusr.dll
2013-11-23 10:21 - 2013-07-18 20:30 - 00104872 _____ (Webroot) C:\Windows\system32\WRusr.dll
2013-11-18 19:56 - 2012-10-07 15:59 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-11-16 10:38 - 2013-11-16 10:38 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-11-14 23:01 - 2012-04-18 21:10 - 00000000 ____D C:\Program Files (x86)\WinZipBar
2013-11-14 23:00 - 2010-11-21 22:54 - 00000336 _____ C:\Windows\Tasks\Regwork.job
2013-11-13 01:35 - 2013-11-13 01:21 - 00308224 _____ C:\Users\Matt\Desktop\shallow water anchor.msam
2013-11-13 01:16 - 2013-11-13 01:16 - 00000810 _____ C:\Users\Public\Desktop\Market Samurai.lnk
2013-11-13 01:16 - 2013-11-13 01:16 - 00000000 ____D C:\Program Files (x86)\Market Samurai
2013-11-12 07:38 - 2012-01-22 21:30 - 00001178 _____ C:\Users\Public\Desktop\Micro Niche Finder 5.0.lnk
2013-11-12 07:38 - 2012-01-22 21:29 - 00000000 ____D C:\Program Files (x86)\Micro Niche Finder 5.0
2013-11-11 20:02 - 2010-09-15 23:11 - 00000000 ____D C:\Users\Matt\AppData\Roaming\Mozilla
2013-11-10 10:26 - 2013-07-29 19:05 - 00003727 _____ C:\Program Files (x86)\Mozilla Firefoxavg-secure-search.xml
2013-11-10 10:13 - 2012-09-03 20:57 - 00046368 _____ (AVG Technologies) C:\Windows\system32\Drivers\avgtpx64.sys
2013-11-10 10:13 - 2012-06-18 01:37 - 00000000 ____D C:\Program Files (x86)\AVG Secure Search
2013-11-07 23:40 - 2009-07-22 20:27 - 00176128 _____ C:\Users\Matt\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-11-03 10:04 - 2013-07-18 20:30 - 00114720 _____ (Webroot) C:\Windows\system32\Drivers\WRkrn.sys
2013-10-31 23:05 - 2010-06-16 14:10 - 00000000 ____D C:\Users\Matt\AppData\Local\CrashDumps

ZeroAccess:
C:\Windows\Installer\{a09761e9-9f17-bdb8-87d9-b6d1d5d87ed8}
C:\Windows\Installer\{a09761e9-9f17-bdb8-87d9-b6d1d5d87ed8}\L\00000004.@
C:\Windows\Installer\{a09761e9-9f17-bdb8-87d9-b6d1d5d87ed8}\L\201d3dde
C:\Windows\Installer\{a09761e9-9f17-bdb8-87d9-b6d1d5d87ed8}\L\76603ac3

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$a09761e99f17bdb887d9b6d1d5d87ed8

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-2913236317-814230174-4002188810-1000\$a09761e99f17bdb887d9b6d1d5d87ed8

Files to move or delete:
====================
C:\Users\Matt\AppData\Roaming\skype.ini
C:\Users\Matt\alg.exe
C:\Users\Matt\icq.exe
C:\Users\Matt\mstsc.exe
C:\Users\Matt\vlcplayer.exe
C:\Windows\Tasks\{83042319-ECF7-4890-BFE3-4B1897C8E3C5}.job

Some content of TEMP:
====================
C:\Users\Administrator\AppData\Local\Temp\BackupSetup.exe
C:\Users\Administrator\AppData\Local\Temp\SHSetup.exe

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe
[2009-12-03 11:03] - [2013-07-18 21:23] - 0380928 ____A (Microsoft Corporation) F8DCE3BED869F69C9F7C562B943BC255

C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2013-11-27 17:57

==================== End Of Log ============================


Edited by carp104, 27 November 2013 - 06:02 PM.


#7 TB-Psychotic


Posted 28 November 2013 - 03:04 PM

Combofix

Combofix should only be run when advised by a team member!

Link


Important - Save the file to your desktop!


  • Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe


When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing "Illegal operation attempted on a registry key that has been marked for deletion", simply restart your computer to fix this.



#8 carp104


Posted 29 November 2013 - 02:02 PM

Here's the combofix log:

ComboFix 13-11-27.01 - Matt 11/29/2013  13:28:32.1.4 - x64
Running from: C:\Users\Matt\Desktop\ComboFix.exe
 * Created a new restore point

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Program Files (x86)\Search Toolbar
C:\Program Files (x86)\Search Toolbar\icon.ico
C:\Program Files (x86)\Search Toolbar\SearchToolbarUninstall.exe
C:\Users\Matt\alg.exe
C:\Users\Matt\AppData\Roaming\doesexist
C:\Users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\60nid781.default\searchplugins\bing-zugo.xml
C:\Users\Matt\AppData\Roaming\skype.ini
C:\Windows\Downloaded Program Files\f3initialsetup1.0.1.3.inf
C:\Windows\Downloaded Program Files\IDropPTB.dll
C:\Windows\SysWow64\FlashPlayerApp.exe

C:\Windows\system32\Services.exe . . . is infected!!

C:\Windows\System32\bitsadmin.exe . . . is infected!!

C:\Windows\SysWOW64\bitsadmin.exe . . . is infected!!

(((((((((((((((((((((((((   Files Created from 2013-10-28 to 2013-11-29  )))))))))))))))))))))))))))))))

2013-11-29 18:51:50 . 2013-11-29 18:53:45 -------- d-----w- C:\Users\Administrator\AppData\Local\temp
2013-11-29 18:51:50 . 2013-11-29 18:51:50 -------- d-----w- C:\Users\UpdatusUser\AppData\Local\temp
2013-11-29 18:51:50 . 2013-11-29 18:51:50 -------- d-----w- C:\Users\Matt\AppData\Local\temp
2013-11-29 18:51:50 . 2013-11-29 18:51:50 -------- d-----w- C:\Users\Default\AppData\Local\temp
2013-11-27 22:56:25 . 2013-11-27 22:56:25 -------- d-----w- C:\FRST
2013-11-27 10:56:53 . 2013-11-27 11:04:20 -------- d-----w- C:\Windows\72AAF4551E54475BB0AB5413C78D0E63.TMP
2013-11-27 10:56:50 . 2013-11-27 10:56:50 -------- d-----w- C:\Program Files (x86)\Common Files\Wise Installation Wizard
2013-11-27 04:20:07 . 2013-11-27 04:20:07 -------- d-----w- C:\Users\Administrator\AppData\Local\Macromedia
2013-11-27 03:55:04 . 2013-11-27 03:55:04 -------- d-----w- C:\Program Files\HitmanPro
2013-11-27 03:54:21 . 2013-11-27 04:06:24 -------- d-----w- C:\ProgramData\HitmanPro
2013-11-27 03:53:47 . 2013-11-27 03:54:07 -------- d-----w- C:\Program Files (x86)\MyPC Backup
2013-11-27 01:13:59 . 2013-11-27 01:13:59 -------- d-----w- C:\Users\Administrator\AppData\Local\ArcSoft
2013-11-27 01:13:28 . 2013-11-27 01:13:58 -------- d-----w- C:\Users\Administrator\AppData\Roaming\ArcSoft
2013-11-23 15:35:07 . 2013-11-23 15:35:11 -------- d-----w- C:\Users\Matt\AppData\Local\KB6202314
2013-11-23 15:21:19 . 2013-11-23 15:21:19 -------- d-----w- C:\Program Files\WRData
2013-11-13 06:16:33 . 2013-11-13 06:16:34 -------- d-----w- C:\Program Files (x86)\Market Samurai
.

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2013-11-23 15:21:07 . 2013-07-19 01:30:26 154312 ----a-w- C:\Windows\SysWow64\WRusr.dll
2013-11-23 15:21:07 . 2013-07-19 01:30:26 104872 ----a-w- C:\Windows\system32\WRusr.dll
2013-11-10 15:13:32 . 2012-09-04 01:57:09 46368 ----a-w- C:\Windows\system32\drivers\avgtpx64.sys
2013-11-03 15:04:49 . 2013-07-19 01:30:25 114720 ----a-w- C:\Windows\system32\drivers\WRkrn.sys
2013-10-10 21:53:27 . 2011-12-10 06:13:20 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.

[-] 2013-07-19 02:23:55 . F8DCE3BED869F69C9F7C562B943BC255 . 380928 . . [6.0.6000.16386 (vista_rtm.061101-2205)] .. C:\Windows\system32\services.exe

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2013-11-10 15:13:31 3353624 ----a-w- C:\Program Files (x86)\AVG Secure Search\17.1.2.1\AVG Secure Search_toolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-09-29 02:44:28 1400712 ----a-w- C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll" [2010-09-29 02:44:28 1400712]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "C:\Program Files (x86)\AVG Secure Search\17.1.2.1\AVG Secure Search_toolbar.dll" [2013-11-10 15:13:31 3353624]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2009-04-11 07:10:53 1555968]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 06:28:23 2153472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AdobeCS5.5ServiceManager"="C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 12:08:56 1523360]
"SwitchBoard"="C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 18:37:14 517096]
"AdobeCS5ServiceManager"="C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 09:57:06 406992]
"vProt"="C:\Program Files (x86)\AVG Secure Search\vprot.exe" [2013-11-10 15:13:31 2420248]
"WRSVC"="C:\Program Files (x86)\Webroot\WRSA.exe" [2013-11-03 15:04:48 756840]
"ArcSoft Connection Service"="C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 00:17:52 207424]

C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MyPC Backup.lnk - C:\Program Files (x86)\MyPC Backup\MyPC Backup.exe [2013-9-19 1953320]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoEncryptOnMove"= 0 (0x0)
"NoResolveTrack"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisableLocalMachineRun"= 0 (0x0)
"DisableLocalMachineRunOnce"= 0 (0x0)
"NoDevMgrUpdate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoEncryptOnMove"= 0 (0x0)
"NoResolveTrack"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"DisableLocalMachineRun"= 0 (0x0)
"DisableLocalMachineRunOnce"= 0 (0x0)
"DisableCurrentUserRun"= 0 (0x0)
"DisableCurrentUserRunOnce"= 0 (0x0)
"NoFile"= 0 (0x0)
"HideClock"= 0 (0x0)
"NoDevMgrUpdate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoEncryptOnMove"= 0 (0x0)
"NoResolveTrack"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux5"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

--- Other Services/Drivers In Memory ---

*NewlyCreated* - IPNAT

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ    Akamai

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
Themes

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-11-23 16:02:13 1210320 ----a-w- C:\Program Files (x86)\Google\Chrome\Application\31.0.1650.57\Installer\chrmstp.exe

Contents of the 'Scheduled Tasks' folder

2013-11-28 C:\Windows\Tasks\Adobe Flash Player Updater.job
- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-01-02 03:10:48 . 2013-10-10 21:53:27]

2013-11-29 C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
- C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-02-10 22:20:24 . 2010-02-10 22:20:17]

2013-11-28 C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
- C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-02-10 22:20:24 . 2010-02-10 22:20:17]

2013-11-28 C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2913236317-814230174-4002188810-1000Core.job
- C:\Users\Matt\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-03 03:36:59 . 2012-01-31 03:15:38]

2013-11-28 C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2913236317-814230174-4002188810-1000UA.job
- C:\Users\Matt\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-03 03:36:59 . 2012-01-31 03:15:38]

2013-11-29 C:\Windows\Tasks\User_Feed_Synchronization-{3A7C50D9-16DF-40BC-B7D8-BC9F68A778BF}.job
- C:\Windows\system32\msfeedssync.exe [2012-12-12 23:17:51 . 2012-11-09 07:12:06]

--------- X64 Entries -----------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeAAMUpdater-1.0"="C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 22:42:18 499608]

------- Supplementary Scan -------

uLocal Page = C:\Windows\system32\blank.htm
uStart Page = hxxp://www.google.com
mLocal Page = C:\Windows\SysWOW64\blank.htm
IE: Append to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
TCP: DhcpNameServer = 192.168.1.1
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\17.1.2\ViProtocol.dll
FF - ProfilePath - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\38f2u43e.default\
FF - prefs.js: browser.startup.homepage - hxxps://isearch.avg.com?cid={FE8D4B56-1438-4810-88FC-AAEFC8D62E0A}&mid=a6cb63c3949b42b5a4a36ae22cc741a5-47169adb81368b6208dea8bfe576cab244d98947&ds=hk011&v=17.1.2.1&lang=en&pr=sa&d=2012-06-18%2002%3A37%3A39&sap=hp
FF - prefs.js: keyword.URL - hxxps://isearch.avg.com/search?cid={FE8D4B56-1438-4810-88FC-AAEFC8D62E0A}&mid=a6cb63c3949b42b5a4a36ae22cc741a5-47169adb81368b6208dea8bfe576cab244d98947&ds=hk011&v=17.1.2.1&lang=en&pr=sa&d=2012-06-18%2002%3A37%3A39&sap=ku&q=
FF - ExtSQL: 2013-11-10 10:26; avg@toolbar; C:\ProgramData\AVG Secure Search\FireFoxExt\17.1.2.1
FF - ExtSQL: 2013-11-12 13:15; firefox@outobox.net; C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\38f2u43e.default\extensions\firefox@outobox.net.xpi
FF - ExtSQL: 2013-11-23 10:21; webrootsecure@webroot.com; C:\ProgramData\WRData\PKG\FIREFOX\WebrootSecure_SocketServer
FF - ExtSQL: 2013-11-26 23:18; {20a82645-c095-46ed-80e3-08825760534b}; C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\38f2u43e.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}.xpi
FF - ExtSQL: !HIDDEN! 2009-09-02 00:55; {20a82645-c095-46ed-80e3-08825760534b}; C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

------- File Associations -------

inifile=%SystemRoot%\SysWow64\NOTEPAD.EXE %1
JSEFile="%SystemRoot%\System32\WScript.exe" "%1" %*
txtfile=%SystemRoot%\SysWow64\NOTEPAD.EXE %1

- - - - ORPHANS REMOVED - - - -

BHO-{50fafaf0-70a9-419d-a109-fa4b4ffd4e37} - C:\Program Files (x86)\WinZipBar\prxtbWin0.dll
Toolbar-{50fafaf0-70a9-419d-a109-fa4b4ffd4e37} - C:\Program Files (x86)\WinZipBar\prxtbWin0.dll
Wow6432Node-HKCU-Run-OM2_Monitor - C:\Program Files (x86)\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
SafeBoot-22842834.sys
SafeBoot-26886283.sys
SafeBoot-66700896.sys
SafeBoot-WudfPf
SafeBoot-WudfRd
WebBrowser-{50FAFAF0-70A9-419D-A109-FA4B4FFD4E37} - (no file)
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
AddRemove-Adobe Shockwave Player - C:\Windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-Search Toolbar - C:\Program Files (x86)\Search Toolbar\SearchToolbarUninstall.exe



#9 TB-Psychotic


Posted 02 December 2013 - 03:11 AM

The log is incomplete - please post up the whole content of C:\combofix.txt.

Scan with SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    Services.exe
    bitsadmin.exe
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#10 carp104


Posted 02 December 2013 - 10:22 PM

That was the entire contents of the Combofix.txt file; did it not fully complete?

Here is the log for the SystemLook scan:

SystemLook 30.07.11 by jpshortstuff
Log created at 22:20 on 02/12/2013 by Matt
Administrator - Elevation successful
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.

========== filefind ==========

Searching for "Services.exe"
C:\Windows\System32\services.exe ------- 279552 bytes [16:03 03/12/2009] [02:18 19/07/2013] D4E6D91C1349B7BFB3599A6ADA56851B
C:\Windows\SysWOW64\services.exe ------- 279552 bytes [16:03 03/12/2009] [02:18 19/07/2013] D4E6D91C1349B7BFB3599A6ADA56851B
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe --a---- 384512 bytes [02:49 21/01/2008] [02:49 21/01/2008] DFAC660F0F139276CC9299812DE42719
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe --a---- 384512 bytes [16:03 03/12/2009] [07:10 11/04/2009] 934E0B7D77FF78C18D9F8891221B6DE3
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe --a---- 279040 bytes [02:50 21/01/2008] [02:50 21/01/2008] 2B336AB6286D6C81FA02CBAB914E3C6C
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe ------- 279552 bytes [16:03 03/12/2009] [02:18 19/07/2013] D4E6D91C1349B7BFB3599A6ADA56851B

Searching for "bitsadmin.exe"
C:\Windows\System32\bitsadmin.exe --a---- 192000 bytes [02:48 21/01/2008] [02:48 21/01/2008] E2954DDABA3FA4D53AEC2F51AFB488C0
C:\Windows\SysWOW64\bitsadmin.exe --a---- 192000 bytes [02:48 21/01/2008] [02:48 21/01/2008] E2954DDABA3FA4D53AEC2F51AFB488C0
C:\Windows\winsxs\amd64_microsoft-windows-bits-bitsadmin_31bf3856ad364e35_6.0.6001.18000_none_a9302c85c4c97d34\bitsadmin.exe --a---- 240128 bytes [02:50 21/01/2008] [02:50 21/01/2008] DDAC8EA4B885EE17B6ACE0B2167721AC
C:\Windows\winsxs\x86_microsoft-windows-bits-bitsadmin_31bf3856ad364e35_6.0.6001.18000_none_4d1191020c6c0bfe\bitsadmin.exe --a---- 192000 bytes [02:48 21/01/2008] [02:48 21/01/2008] E2954DDABA3FA4D53AEC2F51AFB488C0

-= EOF =-
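As an added example (not part of this thread and not code from SystemLook, FRST or ComboFix), the following Python parser reads the `filefind` output format shown above, compares the MD5 of each live System32/SysWOW64 copy with the WinSxS component-store copies of the same file, and flags a live copy that matches none of them; it also carries the WOW64 warning forward, because a 32-bit process that opens System32 is redirected to SysWOW64, which is why both live `services.exe` entries above show the 32-bit size and hash. The first sample is copied from the log above; the second is constructed to show what a 64-bit-aware run would list, using the 380928-byte size and MD5 that FRST reported for `services.exe` earlier in the thread.

```python
"""Cross-check SystemLook ':filefind' output against WinSxS component-store copies.

Added example for this thread (not SystemLook, FRST or ComboFix code). A live copy of
a system binary whose MD5 matches none of the WinSxS copies of the same file is the
kind of mismatch those tools report as 'is infected' or as a missing 'MD5 is legit'.
"""
import re

# One filefind result line: <path> <attrs> <size> bytes [<modified>] [<created>] <MD5>
_ENTRY = re.compile(
    r"^(?P<path>.+?)\s+[-a-z]{7}\s+(?P<size>\d+) bytes "
    r"\[[^\]]+\] \[[^\]]+\] (?P<md5>[0-9A-Fa-f]{32})$"
)
_SEARCH = re.compile(r'^Searching for "(?P<name>[^"]+)"$')
_WOW64_WARNING = "SystemLook running under WOW64"
_LIVE_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
_WINSXS_DIR = "c:\\windows\\winsxs\\"


def parse_systemlook(text):
    """Return (ran_under_wow64, {searched_name_lower: [entry, ...]})."""
    wow64, results, current = False, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if _WOW64_WARNING in line:
            wow64 = True
            continue
        m = _SEARCH.match(line)
        if m:
            current = m.group("name").lower()
            results.setdefault(current, [])
            continue
        m = _ENTRY.match(line)
        if m and current is not None:
            results[current].append({"path": m.group("path"),
                                     "size": int(m.group("size")),
                                     "md5": m.group("md5").upper()})
    return wow64, results


def _winsxs_arch(path):
    """Architecture prefix of a WinSxS component directory (amd64_..., x86_...)."""
    component = path.lower()[len(_WINSXS_DIR):].split("\\", 1)[0]
    return component.split("_", 1)[0]


def check_live_copies(entries):
    """For each live (System32/SysWOW64) copy, list WinSxS architectures with the same MD5."""
    store = {}  # md5 -> {'amd64', 'x86'}
    for e in entries:
        if e["path"].lower().startswith(_WINSXS_DIR):
            store.setdefault(e["md5"], set()).add(_winsxs_arch(e["path"]))
    findings = []
    for e in entries:
        if not e["path"].lower().startswith(_LIVE_DIRS):
            continue
        archs = sorted(store.get(e["md5"], ()))
        findings.append({"path": e["path"], "size": e["size"], "md5": e["md5"],
                         "matched_arch": archs, "matches_winsxs": bool(archs)})
    return findings


def report(text):
    """Summarise one log: live copies matching no WinSxS copy, plus the WOW64 caveat."""
    wow64, results = parse_systemlook(text)
    findings = {name: check_live_copies(ents) for name, ents in results.items()}
    unmatched = [f["path"] for fs in findings.values() for f in fs if not f["matches_winsxs"]]
    # Under WOW64 a 32-bit process that opens System32 is redirected to SysWOW64, so
    # the 64-bit System32 binaries were never hashed: rerun with SystemLook_x64.
    return {"wow64_redirected": wow64, "unmatched": unmatched, "findings": findings}


# Lines copied from the SystemLook log posted above (the 'Services.exe' search).
SAMPLE_WOW64_LOG = r"""SystemLook 30.07.11 by jpshortstuff
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.
Searching for "Services.exe"
C:\Windows\System32\services.exe ------- 279552 bytes [16:03 03/12/2009] [02:18 19/07/2013] D4E6D91C1349B7BFB3599A6ADA56851B
C:\Windows\SysWOW64\services.exe ------- 279552 bytes [16:03 03/12/2009] [02:18 19/07/2013] D4E6D91C1349B7BFB3599A6ADA56851B
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe --a---- 384512 bytes [02:49 21/01/2008] [02:49 21/01/2008] DFAC660F0F139276CC9299812DE42719
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe --a---- 384512 bytes [16:03 03/12/2009] [07:10 11/04/2009] 934E0B7D77FF78C18D9F8891221B6DE3
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe --a---- 279040 bytes [02:50 21/01/2008] [02:50 21/01/2008] 2B336AB6286D6C81FA02CBAB914E3C6C
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe ------- 279552 bytes [16:03 03/12/2009] [02:18 19/07/2013] D4E6D91C1349B7BFB3599A6ADA56851B
"""

# CONSTRUCTED: what a 64-bit-aware run of the same search would list. The System32
# line carries the 380928-byte size and MD5 that FRST reported for services.exe
# earlier in the thread; it matches neither amd64 copy in the component store.
SAMPLE_X64_LOG = r"""SystemLook 30.07.11 by jpshortstuff
Searching for "Services.exe"
C:\Windows\System32\services.exe ------- 380928 bytes [16:03 03/12/2009] [02:23 19/07/2013] F8DCE3BED869F69C9F7C562B943BC255
C:\Windows\SysWOW64\services.exe ------- 279552 bytes [16:03 03/12/2009] [02:18 19/07/2013] D4E6D91C1349B7BFB3599A6ADA56851B
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe --a---- 384512 bytes [16:03 03/12/2009] [07:10 11/04/2009] 934E0B7D77FF78C18D9F8891221B6DE3
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe ------- 279552 bytes [16:03 03/12/2009] [02:18 19/07/2013] D4E6D91C1349B7BFB3599A6ADA56851B
"""

if __name__ == "__main__":
    for label, log in (("wow64 run", SAMPLE_WOW64_LOG), ("x64 run", SAMPLE_X64_LOG)):
        r = report(log)
        print(label, "redirected:", r["wow64_redirected"], "unmatched:", r["unmatched"])
```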



#11 TB-Psychotic


Posted 03 December 2013 - 04:17 AM

Combofix scripting

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.


CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Full System Scan with Malwarebytes Antimalware

  • If not existing, please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.


If the program is already installed:
  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.

Attached Files



#12 carp104

  • Topic Starter
  • Members
  • 37 posts

Posted 03 December 2013 - 08:29 PM

Here's the Combofix Log:

ComboFix 13-12-01.01 - Matt 12/03/2013  20:15:00.2.4 - x64
Running from: C:\Users\Matt\Desktop\ComboFix.exe
Command switches used :: C:\ComboFix\CFScript.txt
 * Created a new restore point

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))

---- Previous Run -------

C:\Program Files (x86)\Search Toolbar\icon.ico
C:\Program Files (x86)\Search Toolbar\SearchToolbarUninstall.exe
C:\Users\Matt\alg.exe
C:\Users\Matt\AppData\Roaming\doesexist
C:\Users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\60nid781.default\searchplugins\bing-zugo.xml
C:\Users\Matt\AppData\Roaming\skype.ini
C:\Windows\Downloaded Program Files\f3initialsetup1.0.1.3.inf
C:\Windows\Downloaded Program Files\IDropPTB.dll
C:\Windows\SysWow64\FlashPlayerApp.exe

-- Previous Run --

C:\Windows\system32\Services.exe . . . is infected!!

C:\Windows\system32\Services.exe . . . is infected!!

C:\Windows\System32\bitsadmin.exe . . . is infected!!

C:\Windows\system32\Services.exe . . . is infected!!

C:\Windows\System32\bitsadmin.exe . . . is infected!!

C:\Windows\SysWOW64\bitsadmin.exe . . . is infected!!

--------

C:\Windows\system32\Services.exe . . . is infected!!

C:\Windows\System32\bitsadmin.exe . . . is infected!!

C:\Windows\SysWOW64\bitsadmin.exe . . . is infected!!

(((((((((((((((((((((((((   Files Created from 2013-11-04 to 2013-12-04  )))))))))))))))))))))))))))))))

2013-12-04 01:25:37 . 2013-12-04 01:25:37 -------- d-----w- C:\Users\UpdatusUser\AppData\Local\temp
2013-12-04 01:25:37 . 2013-12-04 01:25:37 -------- d-----w- C:\Users\Default\AppData\Local\temp
2013-12-04 01:25:37 . 2013-12-04 01:25:37 -------- d-----w- C:\Users\Administrator\AppData\Local\temp
2013-11-30 15:07:53 . 2013-11-30 15:11:06 -------- d--h--w- C:\Windows\msdownld.tmp
2013-11-30 13:21:35 . 2013-11-30 13:23:56 -------- d-----w- C:\Windows\system32\MRT
2013-11-29 19:23:49 . 2013-04-17 13:04:03 30720 ----a-w- C:\Windows\system32\cryptdlg.dll
2013-11-29 19:22:59 . 2013-10-13 14:14:43 31744 ----a-w- C:\Windows\system32\jsproxy.dll
2013-11-29 19:22:59 . 2013-10-13 14:14:03 219136 ----a-w- C:\Windows\system32\ieui.dll
2013-11-29 19:22:59 . 2013-10-13 14:13:59 252416 ----a-w- C:\Windows\system32\iepeers.dll
2013-11-29 19:22:59 . 2013-10-13 14:11:21 23040 ----a-w- C:\Windows\system32\corpol.dll
2013-11-29 19:22:58 . 2013-10-13 14:21:54 108032 ----a-w- C:\Windows\system32\url.dll
2013-11-29 19:22:58 . 2013-10-13 14:18:05 1062912 ----a-w- C:\Windows\system32\mstime.dll
2013-11-29 19:22:58 . 2013-10-13 14:17:20 98304 ----a-w- C:\Windows\system32\mshtmled.dll
2013-11-29 19:22:58 . 2013-10-13 14:17:20 9344000 ----a-w- C:\Windows\system32\mshtml.dll
2013-11-29 19:22:56 . 2013-10-13 14:14:03 132096 ----a-w- C:\Windows\system32\iesysprep.dll
2013-11-29 19:22:56 . 2013-10-13 11:49:39 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll
2013-11-29 19:22:56 . 2013-10-13 10:55:39 162816 ----a-w- C:\Windows\system32\ieUnatt.exe
2013-11-29 19:22:56 . 2013-10-13 08:28:01 133632 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2013-11-29 19:21:53 . 2013-06-29 02:25:32 274944 ----a-w- C:\Windows\system32\drivers\usbhub.sys
2013-11-29 19:21:53 . 2012-11-08 04:26:22 1570816 ----a-w- C:\Windows\system32\quartz.dll
2013-11-29 19:21:53 . 2012-11-08 03:48:38 1314816 ----a-w- C:\Windows\SysWow64\quartz.dll
2013-11-29 19:21:52 . 2013-06-29 02:25:27 95744 ----a-w- C:\Windows\system32\drivers\usbccgp.sys
2013-11-29 19:21:52 . 2013-06-29 02:25:21 259584 ----a-w- C:\Windows\system32\drivers\usbport.sys
2013-11-29 19:21:52 . 2013-06-29 02:25:14 7552 ----a-w- C:\Windows\system32\drivers\usbd.sys
2013-11-29 19:21:52 . 2013-03-08 04:17:12 2425344 ----a-w- C:\Windows\system32\mstscax.dll
2013-11-29 19:21:52 . 2013-03-08 03:52:22 2067968 ----a-w- C:\Windows\SysWow64\mstscax.dll
2013-11-29 19:21:52 . 2011-05-05 14:17:49 49664 ----a-w- C:\Windows\system32\drivers\usbehci.sys
2013-11-29 19:21:52 . 2011-05-05 14:17:47 29184 ----a-w- C:\Windows\system32\drivers\usbuhci.sys
2013-11-29 19:16:09 . 2013-05-02 04:16:27 686080 ----a-w- C:\Windows\system32\win32spl.dll
2013-11-29 19:16:09 . 2013-05-02 04:04:25 443904 ----a-w- C:\Windows\SysWow64\win32spl.dll
2013-11-29 19:16:09 . 2013-05-02 04:03:42 37376 ----a-w- C:\Windows\SysWow64\printcom.dll
2013-11-29 18:51:50 . 2013-12-04 01:25:37 -------- d-----w- C:\Users\Matt\AppData\Local\temp
2013-11-27 22:56:25 . 2013-11-27 22:56:25 -------- d-----w- C:\FRST
2013-11-27 10:56:53 . 2013-11-27 11:04:20 -------- d-----w- C:\Windows\72AAF4551E54475BB0AB5413C78D0E63.TMP
2013-11-27 10:56:50 . 2013-11-27 10:56:50 -------- d-----w- C:\Program Files (x86)\Common Files\Wise Installation Wizard
2013-11-27 04:20:07 . 2013-11-27 04:20:07 -------- d-----w- C:\Users\Administrator\AppData\Local\Macromedia
2013-11-27 03:55:04 . 2013-11-27 03:55:04 -------- d-----w- C:\Program Files\HitmanPro
2013-11-27 03:54:21 . 2013-11-27 04:06:24 -------- d-----w- C:\ProgramData\HitmanPro
2013-11-27 03:53:47 . 2013-11-27 03:54:07 -------- d-----w- C:\Program Files (x86)\MyPC Backup
2013-11-27 01:13:59 . 2013-11-27 01:13:59 -------- d-----w- C:\Users\Administrator\AppData\Local\ArcSoft
2013-11-27 01:13:28 . 2013-11-27 01:13:58 -------- d-----w- C:\Users\Administrator\AppData\Roaming\ArcSoft
2013-11-23 15:35:07 . 2013-11-23 15:35:11 -------- d-----w- C:\Users\Matt\AppData\Local\KB6202314
2013-11-23 15:21:19 . 2013-11-23 15:21:19 -------- d-----w- C:\Program Files\WRData
2013-11-13 06:16:33 . 2013-11-13 06:16:34 -------- d-----w- C:\Program Files (x86)\Market Samurai
.

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2013-11-23 15:21:07 . 2013-07-19 01:30:26 154312 ----a-w- C:\Windows\SysWow64\WRusr.dll
2013-11-23 15:21:07 . 2013-07-19 01:30:26 104872 ----a-w- C:\Windows\system32\WRusr.dll
2013-11-10 15:13:32 . 2012-09-04 01:57:09 46368 ----a-w- C:\Windows\system32\drivers\avgtpx64.sys
2013-11-07 21:00:54 . 2006-11-02 12:35:00 82896128 ----a-w- C:\Windows\system32\mrt.exe
2013-11-03 15:04:49 . 2013-07-19 01:30:25 114720 ----a-w- C:\Windows\system32\drivers\WRkrn.sys
2013-10-10 21:53:27 . 2011-12-10 06:13:20 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.

[7] 2009-04-11 07:10:50 . 934E0B7D77FF78C18D9F8891221B6DE3 . 384512 . . [6.0.6002.18005 (lh_sp2rtm.090410-1830)] .. C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
[7] 2008-01-21 02:49:44 . DFAC660F0F139276CC9299812DE42719 . 384512 . . [6.0.6001.18000 (longhorn_rtm.080118-1840)] .. C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
[-] 2013-07-19 02:23:55 . F8DCE3BED869F69C9F7C562B943BC255 . 380928 . . [6.0.6000.16386 (vista_rtm.061101-2205)] .. C:\Windows\system32\services.exe

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{50fafaf0-70a9-419d-a109-fa4b4ffd4e37}]
C:\Program Files (x86)\WinZipBar\prxtbWin0.dll [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2013-11-10 15:13:31 3353624 ----a-w- C:\Program Files (x86)\AVG Secure Search\17.1.2.1\AVG Secure Search_toolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-09-29 02:44:28 1400712 ----a-w- C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll" [2010-09-29 02:44:28 1400712]
"{50fafaf0-70a9-419d-a109-fa4b4ffd4e37}"= "C:\Program Files (x86)\WinZipBar\prxtbWin0.dll" [BU]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "C:\Program Files (x86)\AVG Secure Search\17.1.2.1\AVG Secure Search_toolbar.dll" [2013-11-10 15:13:31 3353624]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CLASSES_ROOT\clsid\{50fafaf0-70a9-419d-a109-fa4b4ffd4e37}]

[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-24 03:41:59 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AdobeCS5.5ServiceManager"="C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 12:08:56 1523360]
"SwitchBoard"="C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 18:37:14 517096]
"AdobeCS5ServiceManager"="C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 09:57:06 406992]
"vProt"="C:\Program Files (x86)\AVG Secure Search\vprot.exe" [2013-11-10 15:13:31 2420248]
"WRSVC"="C:\Program Files (x86)\Webroot\WRSA.exe" [2013-11-03 15:04:48 756840]
"ArcSoft Connection Service"="C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 00:17:52 207424]

C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MyPC Backup.lnk - C:\Program Files (x86)\MyPC Backup\MyPC Backup.exe [2013-9-19 1953320]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoEncryptOnMove"= 0 (0x0)
"NoResolveTrack"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoEncryptOnMove"= 0 (0x0)
"NoResolveTrack"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"DisableLocalMachineRun"= 0 (0x0)
"DisableLocalMachineRunOnce"= 0 (0x0)
"DisableCurrentUserRun"= 0 (0x0)
"DisableCurrentUserRunOnce"= 0 (0x0)
"NoFile"= 0 (0x0)
"HideClock"= 0 (0x0)
"NoDevMgrUpdate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoEncryptOnMove"= 0 (0x0)
"NoResolveTrack"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ    Akamai

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
Themes

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-11-23 16:02:13 1210320 ----a-w- C:\Program Files (x86)\Google\Chrome\Application\31.0.1650.57\Installer\chrmstp.exe

Contents of the 'Scheduled Tasks' folder

2013-12-04 C:\Windows\Tasks\Adobe Flash Player Updater.job
- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-01-02 03:10:48 . 2013-10-10 21:53:27]

2013-12-04 C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
- C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-02-10 22:20:24 . 2010-02-10 22:20:17]

2013-12-04 C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
- C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-02-10 22:20:24 . 2010-02-10 22:20:17]

2013-11-28 C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2913236317-814230174-4002188810-1000Core.job
- C:\Users\Matt\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-03 03:36:59 . 2012-01-31 03:15:38]

2013-12-04 C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2913236317-814230174-4002188810-1000UA.job
- C:\Users\Matt\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-03 03:36:59 . 2012-01-31 03:15:38]

2013-12-03 C:\Windows\Tasks\User_Feed_Synchronization-{3A7C50D9-16DF-40BC-B7D8-BC9F68A778BF}.job
- C:\Windows\system32\msfeedssync.exe [2013-11-29 19:23:04 . 2013-10-13 08:26:18]

--------- X64 Entries -----------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeAAMUpdater-1.0"="C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 22:42:18 499608]

------- Supplementary Scan -------

uLocal Page = C:\Windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = C:\Windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.1
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\17.1.2\ViProtocol.dll
FF - ProfilePath - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\38f2u43e.default\
FF - prefs.js: browser.startup.homepage - hxxps://isearch.avg.com?cid={FE8D4B56-1438-4810-88FC-AAEFC8D62E0A}&mid=a6cb63c3949b42b5a4a36ae22cc741a5-47169adb81368b6208dea8bfe576cab244d98947&ds=hk011&v=17.1.2.1&lang=en&pr=sa&d=2012-06-18%2002%3A37%3A39&sap=hp
FF - prefs.js: keyword.URL - hxxps://isearch.avg.com/search?cid={FE8D4B56-1438-4810-88FC-AAEFC8D62E0A}&mid=a6cb63c3949b42b5a4a36ae22cc741a5-47169adb81368b6208dea8bfe576cab244d98947&ds=hk011&v=17.1.2.1&lang=en&pr=sa&d=2012-06-18%2002%3A37%3A39&sap=ku&q=
FF - ExtSQL: 2013-11-10 10:26; avg@toolbar; C:\ProgramData\AVG Secure Search\FireFoxExt\17.1.2.1
FF - ExtSQL: 2013-11-12 13:15; firefox@outobox.net; C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\38f2u43e.default\extensions\firefox@outobox.net.xpi
FF - ExtSQL: 2013-11-23 10:21; webrootsecure@webroot.com; C:\ProgramData\WRData\PKG\FIREFOX\WebrootSecure_SocketServer
FF - ExtSQL: 2013-11-26 23:18; {20a82645-c095-46ed-80e3-08825760534b}; C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\38f2u43e.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}.xpi
FF - ExtSQL: !HIDDEN! 2009-09-02 00:55; {20a82645-c095-46ed-80e3-08825760534b}; C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

- - - - ORPHANS REMOVED - - - -

Wow6432Node-HKCU-Run-AROReminder - (no file)
Wow6432Node-HKCU-Run-Adobe CSS5.1 Manager - C:\Users\Matt\AppData\Local\c750843f-8555-4ab8-87f2-ce4c01f6f51bad\cfabfcecffbad.exe
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
WebBrowser-{50FAFAF0-70A9-419D-A109-FA4B4FFD4E37} - (no file)
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
AddRemove-Adobe Shockwave Player - C:\Windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-Search Toolbar - C:\Program Files (x86)\Search Toolbar\SearchToolbarUninstall.exe
AddRemove-Applet - C:\Windows\system32\javaws.exe
AddRemove-JNLP - C:\Windows\system32\javaws.exe



#13 carp104

  • Topic Starter
  • Members
  • 37 posts

Posted 04 December 2013 - 04:51 AM

And here's the Malwarebytes log:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.12.04.01

Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 8.0.6001.19483
Matt :: MATT-PC [administrator]

12/3/2013 8:30:45 PM
mbam-log-2013-12-03 (20-30-45).txt

Scan type: Full scan (C:\|D:\|E:\|G:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 561547
Time elapsed: 1 hour(s), 11 minute(s), 3 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\Software\Conduit\FF (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



#14 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 06 December 2013 - 03:58 AM

Combofix scripting

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.


CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Attached Files



#15 carp104

  • Topic Starter
  • Members
  • 37 posts

Posted 07 December 2013 - 01:15 PM

Combofix Log:

ComboFix 13-12-07.01 - Matt 12/07/2013  11:59:00.4.4 - x64
Running from: c:\users\Matt\Desktop\ComboFix.exe
Command switches used :: c:\users\Matt\Desktop\CFScript.txt
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-- Previous Run --
.
c:\windows\system32\Services.exe . . . is infected!!
.
c:\windows\system32\Services.exe . . . is infected!!
.
c:\windows\System32\bitsadmin.exe . . . is infected!!
.
c:\windows\system32\Services.exe . . . is infected!!
.
c:\windows\System32\bitsadmin.exe . . . is infected!!
.
c:\windows\SysWOW64\bitsadmin.exe . . . is infected!!
.
-- Previous Run --
.
c:\windows\system32\Services.exe . . . is infected!!
.
c:\windows\system32\Services.exe . . . is infected!!
.
c:\windows\System32\bitsadmin.exe . . . is infected!!
.
c:\windows\system32\Services.exe . . . is infected!!
.
c:\windows\System32\bitsadmin.exe . . . is infected!!
.
c:\windows\SysWOW64\bitsadmin.exe . . . is infected!!
.
--------
.
c:\windows\system32\Services.exe . . . is infected!!
.
-- Previous Run --
.
c:\windows\system32\Services.exe . . . is infected!!
.
c:\windows\system32\Services.exe . . . is infected!!
.
c:\windows\System32\bitsadmin.exe . . . is infected!!
.
c:\windows\system32\Services.exe . . . is infected!!
.
c:\windows\System32\bitsadmin.exe . . . is infected!!
.
c:\windows\SysWOW64\bitsadmin.exe . . . is infected!!
.
--------
.
c:\windows\system32\Services.exe . . . is infected!!
.
c:\windows\System32\bitsadmin.exe . . . is infected!!
.
-- Previous Run --
.
c:\windows\system32\Services.exe . . . is infected!!
.
c:\windows\system32\Services.exe . . . is infected!!
.
c:\windows\System32\bitsadmin.exe . . . is infected!!
.
c:\windows\system32\Services.exe . . . is infected!!
.
c:\windows\System32\bitsadmin.exe . . . is infected!!
.
c:\windows\SysWOW64\bitsadmin.exe . . . is infected!!
.
--------
.
c:\windows\system32\Services.exe . . . is infected!!
.
c:\windows\System32\bitsadmin.exe . . . is infected!!
.
c:\windows\SysWOW64\bitsadmin.exe . . . is infected!!
.
--------
.
c:\windows\System32\bitsadmin.exe . . . is infected!!
.
c:\windows\SysWOW64\bitsadmin.exe . . . is infected!!
.
.
--------------- FCopy ---------------
.
c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe --> c:\windows\system32\services.exe
.
(((((((((((((((((((((((((   Files Created from 2013-11-07 to 2013-12-07  )))))))))))))))))))))))))))))))
.
.
2013-12-07 17:09 . 2013-12-07 17:09 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2013-12-07 17:09 . 2013-12-07 17:09 -------- d-----w- c:\users\Matt\AppData\Local\temp
2013-12-07 17:09 . 2013-12-07 17:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-12-07 17:09 . 2013-12-07 17:09 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2013-11-30 15:07 . 2013-11-30 15:11 -------- d--h--w- c:\windows\msdownld.tmp
2013-11-30 13:21 . 2013-11-30 13:23 -------- d-----w- c:\windows\system32\MRT
2013-11-29 19:23 . 2013-04-17 13:04 30720 ----a-w- c:\windows\system32\cryptdlg.dll
2013-11-29 19:22 . 2013-10-13 14:14 31744 ----a-w- c:\windows\system32\jsproxy.dll
2013-11-29 19:22 . 2013-10-13 14:14 219136 ----a-w- c:\windows\system32\ieui.dll
2013-11-29 19:22 . 2013-10-13 14:13 252416 ----a-w- c:\windows\system32\iepeers.dll
2013-11-29 19:22 . 2013-10-13 14:11 23040 ----a-w- c:\windows\system32\corpol.dll
2013-11-29 19:22 . 2013-10-13 14:21 108032 ----a-w- c:\windows\system32\url.dll
2013-11-29 19:22 . 2013-10-13 14:18 1062912 ----a-w- c:\windows\system32\mstime.dll
2013-11-29 19:22 . 2013-10-13 14:17 98304 ----a-w- c:\windows\system32\mshtmled.dll
2013-11-29 19:22 . 2013-10-13 14:17 9344000 ----a-w- c:\windows\system32\mshtml.dll
2013-11-29 19:22 . 2013-10-13 14:14 132096 ----a-w- c:\windows\system32\iesysprep.dll
2013-11-29 19:22 . 2013-10-13 11:49 109056 ----a-w- c:\windows\SysWow64\iesysprep.dll
2013-11-29 19:22 . 2013-10-13 10:55 162816 ----a-w- c:\windows\system32\ieUnatt.exe
2013-11-29 19:22 . 2013-10-13 08:28 133632 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2013-11-29 19:21 . 2013-06-29 02:25 274944 ----a-w- c:\windows\system32\drivers\usbhub.sys
2013-11-29 19:21 . 2012-11-08 04:26 1570816 ----a-w- c:\windows\system32\quartz.dll
2013-11-29 19:21 . 2012-11-08 03:48 1314816 ----a-w- c:\windows\SysWow64\quartz.dll
2013-11-29 19:21 . 2013-06-29 02:25 95744 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2013-11-29 19:21 . 2013-06-29 02:25 259584 ----a-w- c:\windows\system32\drivers\usbport.sys
2013-11-29 19:21 . 2013-06-29 02:25 7552 ----a-w- c:\windows\system32\drivers\usbd.sys
2013-11-29 19:21 . 2013-03-08 04:17 2425344 ----a-w- c:\windows\system32\mstscax.dll
2013-11-29 19:21 . 2013-03-08 03:52 2067968 ----a-w- c:\windows\SysWow64\mstscax.dll
2013-11-29 19:21 . 2011-05-05 14:17 49664 ----a-w- c:\windows\system32\drivers\usbehci.sys
2013-11-29 19:21 . 2011-05-05 14:17 29184 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2013-11-29 19:16 . 2013-05-02 04:16 686080 ----a-w- c:\windows\system32\win32spl.dll
2013-11-29 19:16 . 2013-05-02 04:04 443904 ----a-w- c:\windows\SysWow64\win32spl.dll
2013-11-29 19:16 . 2013-05-02 04:03 37376 ----a-w- c:\windows\SysWow64\printcom.dll
2013-11-27 22:56 . 2013-11-27 22:56 -------- d-----w- C:\FRST
2013-11-27 10:56 . 2013-11-27 11:04 -------- d-----w- c:\windows\72AAF4551E54475BB0AB5413C78D0E63.TMP
2013-11-27 10:56 . 2013-11-27 10:56 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard
2013-11-27 04:20 . 2013-11-27 04:20 -------- d-----w- c:\users\Administrator\AppData\Local\Macromedia
2013-11-27 03:55 . 2013-11-27 03:55 -------- d-----w- c:\program files\HitmanPro
2013-11-27 03:54 . 2013-11-27 04:06 -------- d-----w- c:\programdata\HitmanPro
2013-11-27 03:53 . 2013-11-27 03:54 -------- d-----w- c:\program files (x86)\MyPC Backup
2013-11-27 01:13 . 2013-11-27 01:13 -------- d-----w- c:\users\Administrator\AppData\Local\ArcSoft
2013-11-27 01:13 . 2013-11-27 01:13 -------- d-----w- c:\users\Administrator\AppData\Roaming\ArcSoft
2013-11-23 15:35 . 2013-11-23 15:35 -------- d-----w- c:\users\Matt\AppData\Local\KB6202314
2013-11-23 15:21 . 2013-11-23 15:21 -------- d-----w- c:\program files\WRData
2013-11-13 06:16 . 2013-11-13 06:16 -------- d-----w- c:\program files (x86)\Market Samurai
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-12-06 00:21 . 2013-07-19 01:30 152744 ----a-w- c:\windows\SysWow64\WRusr.dll
2013-12-06 00:21 . 2013-07-19 01:30 103304 ----a-w- c:\windows\system32\WRusr.dll
2013-12-06 00:21 . 2013-07-19 01:30 113664 ----a-w- c:\windows\system32\drivers\WRkrn.sys
2013-11-10 15:13 . 2012-09-04 01:57 46368 ----a-w- c:\windows\system32\drivers\avgtpx64.sys
2013-11-07 21:00 . 2006-11-02 12:35 82896128 ----a-w- c:\windows\system32\mrt.exe
2013-10-10 21:53 . 2011-12-10 06:13 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{50fafaf0-70a9-419d-a109-fa4b4ffd4e37}]
c:\program files (x86)\WinZipBar\prxtbWin0.dll [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2013-11-10 15:13 3353624 ----a-w- c:\program files (x86)\AVG Secure Search\17.1.2.1\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-09-29 02:44 1400712 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2010-09-29 1400712]
"{50fafaf0-70a9-419d-a109-fa4b4ffd4e37}"= "c:\program files (x86)\WinZipBar\prxtbWin0.dll" [BU]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files (x86)\AVG Secure Search\17.1.2.1\AVG Secure Search_toolbar.dll" [2013-11-10 3353624]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CLASSES_ROOT\clsid\{50fafaf0-70a9-419d-a109-fa4b4ffd4e37}]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AROReminder"="" [BU]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-24 39408]
"Adobe CSS5.1 Manager"="c:\users\Matt\AppData\Local\c750843f-8555-4ab8-87f2-ce4c01f6f51bad\cfabfcecffbad.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AdobeCS5.5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"vProt"="c:\program files (x86)\AVG Secure Search\vprot.exe" [2013-11-10 2420248]
"WRSVC"="c:\program files (x86)\Webroot\WRSA.exe" [2013-12-06 758880]
"ArcSoft Connection Service"="c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
.
c:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MyPC Backup.lnk - c:\program files (x86)\MyPC Backup\MyPC Backup.exe [2013-9-19 1953320]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoEncryptOnMove"= 0 (0x0)
"NoResolveTrack"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoEncryptOnMove"= 0 (0x0)
"NoResolveTrack"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"DisableLocalMachineRun"= 0 (0x0)
"DisableLocalMachineRunOnce"= 0 (0x0)
"DisableCurrentUserRun"= 0 (0x0)
"DisableCurrentUserRunOnce"= 0 (0x0)
"NoFile"= 0 (0x0)
"HideClock"= 0 (0x0)
"NoDevMgrUpdate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoEncryptOnMove"= 0 (0x0)
"NoResolveTrack"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ    Akamai
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
Themes
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-12-06 01:07 1210320 ----a-w- c:\program files (x86)\Google\Chrome\Application\31.0.1650.63\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-12-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-01-02 21:53]
.
2013-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-10 22:20]
.
2013-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-10 22:20]
.
2013-12-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2913236317-814230174-4002188810-1000Core.job
- c:\users\Matt\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-03 03:15]
.
2013-12-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2913236317-814230174-4002188810-1000UA.job
- c:\users\Matt\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-03 03:15]
.
2013-12-07 c:\windows\Tasks\User_Feed_Synchronization-{3A7C50D9-16DF-40BC-B7D8-BC9F68A778BF}.job
- c:\windows\system32\msfeedssync.exe [2013-11-29 08:26]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 499608]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.1
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\17.1.2\ViProtocol.dll
FF - ProfilePath - c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\38f2u43e.default\
FF - prefs.js: browser.startup.homepage - hxxps://isearch.avg.com?cid={FE8D4B56-1438-4810-88FC-AAEFC8D62E0A}&mid=a6cb63c3949b42b5a4a36ae22cc741a5-47169adb81368b6208dea8bfe576cab244d98947&ds=hk011&v=17.1.2.1&lang=en&pr=sa&d=2012-06-18%2002%3A37%3A39&sap=hp
FF - prefs.js: keyword.URL - hxxps://isearch.avg.com/search?cid={FE8D4B56-1438-4810-88FC-AAEFC8D62E0A}&mid=a6cb63c3949b42b5a4a36ae22cc741a5-47169adb81368b6208dea8bfe576cab244d98947&ds=hk011&v=17.1.2.1&lang=en&pr=sa&d=2012-06-18%2002%3A37%3A39&sap=ku&q=
FF - ExtSQL: 2013-11-10 10:26; avg@toolbar; c:\programdata\AVG Secure Search\FireFoxExt\17.1.2.1
FF - ExtSQL: 2013-11-12 13:15; firefox@outobox.net; c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\38f2u43e.default\extensions\firefox@outobox.net.xpi
FF - ExtSQL: 2013-11-23 10:21; webrootsecure@webroot.com; c:\programdata\WRData\PKG\FIREFOX\WebrootSecure_SocketServer
FF - ExtSQL: 2013-11-26 23:18; {20a82645-c095-46ed-80e3-08825760534b}; c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\38f2u43e.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}.xpi
FF - ExtSQL: !HIDDEN! 2009-09-02 00:55; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
WebBrowser-{50FAFAF0-70A9-419D-A109-FA4B4FFD4E37} - (no file)
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-Search Toolbar - c:\program files (x86)\Search Toolbar\SearchToolbarUninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
Completion time: 2013-12-07  12:12:20
ComboFix-quarantined-files.txt  2013-12-07 17:12
.
Pre-Run: 193,562,308,608 bytes free
Post-Run: 193,505,607,680 bytes free
.
- - End Of File - - 932A7169D645F7453FE91FFABF0F3393
F05261C246CE4B3C544521FFFF7AEF5D