
Repeating Audio in background


This topic is locked
23 replies to this topic

#1 dankwest

dankwest

  • Members
  • 20 posts
  • Gender:Male
  • Location:12586

Posted 11 December 2013 - 08:34 PM

Had the FBI ransomware which was removed on a previous post. Had issues with inability to login to computer using the primary user account which was also resolved. I purchased and installed Malwarebytes anti malware software. I created a new admin account. Now I have encountered this problem of having the multiple sources of audio playing in the background, plus malwarebytes continues to notify me of their blocking efforts to connect to an external website.

 

dds.txt log file attached

Attached Files

  • Attached File  dds.txt   13.15KB



#2 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 12 December 2013 - 07:15 PM

Hello and welcome.  Please follow these guidelines while we work on your PC:

  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.”  Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.


Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#3 dankwest

dankwest
  • Topic Starter

  • Members
  • 20 posts
  • Gender:Male
  • Location:12586

Posted 12 December 2013 - 08:13 PM

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 12-12-2013 03
Ran by SHEILA 1 (administrator) on SHEILA-PC on 12-12-2013 20:03:44
Running from C:\Users\SHEILA 1\Downloads
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Safe Mode (with Networking)

==================== Processes (Whitelisted) =================

(Microsoft Corporation) C:\Windows\SysWOW64\notepad.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [HotKeysCmds] - C:\windows\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7982112 2009-07-29] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1815848 2009-07-20] (Synaptics Incorporated)
HKLM\...\Run: [TPwrMain] - C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe [497504 2009-08-05] (TOSHIBA Corporation)
HKLM\...\Run: [SmoothView] - C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe [508216 2009-07-28] (TOSHIBA Corporation)
HKLM\...\Run: [00TCrdMain] - C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe [909624 2009-08-05] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] - C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe [711000 2009-08-04] (TOSHIBA Corporation)
HKLM\...\Run: [Teco] - C:\Program Files\TOSHIBA\TECO\Teco.exe [1482080 2009-08-11] (TOSHIBA Corporation)
HKLM\...\Run: [TosSENotify] - C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [709976 2009-09-17] (TOSHIBA Corporation)
HKLM\...\Run: [lxdwmon.exe] - C:\Program Files (x86)\Lexmark 7600 Series\lxdwmon.exe [676520 2008-09-10] ()
HKLM\...\Run: [lxdwamon] - C:\Program Files (x86)\Lexmark 7600 Series\lxdwamon.exe [16040 2008-09-10] ()
HKLM\...\Run: [IntelliType Pro] - C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [1464984 2012-10-12] (Microsoft Corporation)
HKLM\...\Run: [IntelliPoint] - C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2075288 2012-10-12] (Microsoft Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\ScCertProp: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKCU\...\Run: [MyTOSHIBA] - C:\Program Files (x86)\Toshiba\My Toshiba\MyToshiba.exe [264048 2009-08-06] (TOSHIBA)
HKCU\...\Run: [AOL Fast Start] - C:\Program Files (x86)\AOL Desktop 9.6\aol.exe [42320 2010-11-24] (AOL Inc.)
HKCU\...\Policies\Explorer: [NoDesktopCleanupWizard] 1
HKLM-x32\...\Run: [NortonOnlineBackupReminder] - C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TobuActivation.exe [529256 2009-07-16] (Toshiba)
HKLM-x32\...\Run: [ToshibaServiceStation] - C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\ToshibaServiceStation.exe [1295736 2011-02-11] (TOSHIBA Corporation)
HKLM-x32\...\Run: [TWebCamera] - C:\Program Files (x86)\Toshiba\TOSHIBA Web Camera Application\TWebCamera.exe [2446648 2009-08-11] (TOSHIBA CORPORATION.)
HKLM-x32\...\Run: [HostManager] - C:\Program Files (x86)\Common Files\AOL\1291565820\ee\aolsoftware.exe [41800 2010-03-08] (AOL Inc.)
HKLM-x32\...\Run: [Lexmark 7600 Series] - C:\Program Files (x86)\Lexmark 7600 Series\fm3032.exe [311976 2008-09-10] ()
HKLM-x32\...\Run: [ConnectionCenter] - C:\Program Files (x86)\Citrix\ICA Client\concentr.exe [103768 2009-09-12] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [VMM Mode Selection] - C:\Program Files\HTC\ModeSelection\VMMModeSelection.exe [43520 2011-02-14] ()
HKLM-x32\...\Run: [Mobile Connectivity Suite] - C:\Program Files (x86)\HTC\HTC Sync\Application Launcher\Application Launcher.exe [598016 2009-11-19] (Teleca Sweden AB)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-05-11] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-11-02] (Apple Inc.)
HKU\Administrator\...\Run: [MyTOSHIBA] - C:\Program Files (x86)\Toshiba\My Toshiba\MyToshiba.exe [264048 2009-08-06] (TOSHIBA)
HKU\Administrator\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2009-09-03] (Google Inc.)
HKU\Guest\...\Run: [MyTOSHIBA] - C:\Program Files (x86)\Toshiba\My Toshiba\MyToshiba.exe [264048 2009-08-06] (TOSHIBA)
HKU\Sheila\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2009-09-03] (Google Inc.)
HKU\Sheila\...\Run: [DW6] - "C:\Program Files (x86)\The Weather Channel FW\Desktop\DesktopWeather.exe"
HKU\Sheila\...\Run: [SpybotSD TeaTimer] - C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2144088 2009-01-26] (Safer Networking Limited)
HKU\Sheila\...\Run: [GarminExpressTrayApp] - C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe [885200 2013-01-04] (Garmin Ltd or its subsidiaries)
HKU\Sheila\...\Run: [Google Update] - C:\Users\Sheila\AppData\Local\Google\Update\GoogleUpdate.exe [136176 2010-12-05] (Google Inc.)
HKU\Sheila\...\Run: [Verizon Wireless] - regsvr32.exe "C:\Users\Sheila\AppData\Local\Verizon Wireless\EP0NH434.DLL" <===== ATTENTION
HKU\Sheila\...\Run: [Adobe CSS5.1 Manager] - C:\Users\Sheila\AppData\Local\ef9220ad-b8a6-41cb-b357-cfd76d67affead\efadbacbbcfddaffead.exe <===== ATTENTION
HKU\Sheila\...\Run: [TOSHIBA_Corporation] - rundll32 "C:\Users\Sheila\AppData\Local\Microsoft\TOSHIBA_Corporation\hpebfohg.dll",DllRegisterServer <===== ATTENTION
HKU\Sheila\...\Run: [AOL Fast Start] - C:\Program Files (x86)\AOL Desktop 9.6\aol.exe [42320 2010-11-24] (AOL Inc.)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x36822B43D6F6CE01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,CustomizeSearch = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - DefaultScope {C06D85C8-2232-43DE-8FD2-F8F125CA7565} URL =
SearchScopes: HKCU - {C06D85C8-2232-43DE-8FD2-F8F125CA7565} URL =
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
BHO-x32: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} -  No File
BHO-x32: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO-x32: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Skype Plug-In - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Lexmark Printable Web - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll ()
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} -  No File
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 68.237.161.12

==================== Services (Whitelisted) =================

S2 Garmin Core Update Service; C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [180688 2013-01-04] (Garmin Ltd or its subsidiaries)
S2 lxdwCATSCustConnectService; C:\windows\system32\spool\DRIVERS\x64\3\\lxdwserv.exe [33960 2008-05-16] (Lexmark International, Inc.)
S2 lxdw_device; C:\windows\system32\lxdwcoms.exe [1040552 2008-05-16] ( )
S2 lxdw_device; C:\windows\SysWow64\lxdwcoms.exe [594600 2008-05-16] ( )
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)

==================== Drivers (Whitelisted) ====================

S3 MBAMProtector; C:\windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [27520 2007-05-14] (Research In Motion Limited)
S3 RTL8187Se; C:\Windows\System32\DRIVERS\RTL8187Se.sys [427008 2009-06-10] (Realtek Semiconductor Corporation                           )
S3 S3XXx64; C:\Windows\System32\DRIVERS\S3XXx64.sys [73984 2013-06-05] (Identive)
S3 RtsUIR; system32\DRIVERS\Rts516xIR.sys [x]
S3 USBCCID; system32\DRIVERS\RtsUCcid.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-12-12 20:03 - 2013-12-12 20:03 - 01927274 _____ (Farbar) C:\Users\SHEILA 1\Downloads\FRST64.exe
2013-12-12 20:03 - 2013-12-12 20:03 - 00000000 _____ C:\Users\SHEILA 1\Downloads\FRST.txt
2013-12-12 20:02 - 2013-12-12 20:02 - 01060839 _____ (Farbar) C:\Users\SHEILA 1\Downloads\FRST.exe
2013-12-11 20:23 - 2013-12-11 20:23 - 00015222 _____ C:\Users\SHEILA 1\Desktop\Attach dds.txt
2013-12-11 20:19 - 2013-12-11 20:26 - 00013467 _____ C:\Users\SHEILA 1\Desktop\dds.txt
2013-12-11 20:19 - 2013-12-11 20:19 - 00015222 _____ C:\Users\SHEILA 1\Desktop\attach.txt
2013-12-11 19:53 - 2013-12-11 19:54 - 00276712 _____ C:\windows\Minidump\121113-94224-01.dmp
2013-12-05 13:52 - 2013-12-05 13:52 - 00000000 ____D C:\Users\SHEILA 1\AppData\Roaming\Macromedia
2013-12-05 13:52 - 2013-12-05 13:52 - 00000000 ____D C:\Users\SHEILA 1\AppData\Roaming\AOL
2013-12-05 13:49 - 2013-12-05 13:49 - 00000000 ____D C:\Users\SHEILA 1\AppData\Roaming\Teleca
2013-12-05 13:49 - 2013-12-05 13:49 - 00000000 ____D C:\Users\SHEILA 1\AppData\Roaming\ICAClient
2013-12-05 13:49 - 2013-12-05 13:49 - 00000000 ____D C:\Users\SHEILA 1\AppData\Roaming\Apple Computer
2013-12-05 13:49 - 2013-12-05 13:49 - 00000000 ____D C:\Users\SHEILA 1\AppData\Roaming\7600 Series
2013-12-05 13:49 - 2013-12-05 13:49 - 00000000 ____D C:\Users\SHEILA 1\AppData\Local\TOSHIBA
2013-12-05 13:49 - 2013-12-05 13:49 - 00000000 ____D C:\Users\SHEILA 1\AppData\Local\Citrix
2013-12-05 13:49 - 2013-12-05 13:49 - 00000000 ____D C:\Users\SHEILA 1\AppData\Local\AOL
2013-12-05 13:48 - 2013-12-05 13:48 - 00001428 _____ C:\Users\SHEILA 1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2013-12-05 13:48 - 2013-12-05 13:48 - 00000000 ___RD C:\Users\SHEILA 1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2013-12-05 13:48 - 2013-12-05 13:48 - 00000000 ___RD C:\Users\SHEILA 1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2013-12-05 13:48 - 2013-12-05 13:48 - 00000000 ____D C:\Users\SHEILA 1\AppData\Roaming\Adobe
2013-12-05 13:47 - 2013-12-05 13:54 - 00000000 ____D C:\Users\SHEILA 1\AppData\Local\VirtualStore
2013-12-05 13:46 - 2013-12-05 13:48 - 00000000 ____D C:\Users\SHEILA 1
2013-12-05 13:46 - 2013-12-05 13:46 - 00000020 ___SH C:\Users\SHEILA 1\ntuser.ini
2013-12-05 13:46 - 2012-01-08 11:26 - 00000000 ____D C:\Users\SHEILA 1\AppData\Local\Microsoft Help
2013-12-05 13:46 - 2009-07-13 23:54 - 00000000 ___RD C:\Users\SHEILA 1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2013-12-05 13:46 - 2009-07-13 23:49 - 00000000 ___RD C:\Users\SHEILA 1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2013-12-05 11:05 - 2013-12-05 11:05 - 00276704 _____ C:\windows\Minidump\120513-95503-01.dmp
2013-12-04 20:16 - 2013-12-04 20:16 - 00001754 _____ C:\Users\Public\Desktop\iTunes.lnk
2013-12-04 20:16 - 2013-12-04 20:16 - 00000000 ____D C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-12-04 20:16 - 2013-12-04 20:16 - 00000000 ____D C:\Program Files\iTunes
2013-12-04 20:16 - 2013-12-04 20:16 - 00000000 ____D C:\Program Files\iPod
2013-12-04 20:16 - 2013-12-04 20:16 - 00000000 ____D C:\Program Files (x86)\iTunes
2013-12-04 20:15 - 2013-12-04 20:15 - 00000000 ____D C:\Users\Administrator\AppData\Local\Apple Computer
2013-11-29 13:25 - 2013-12-04 20:15 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Apple Computer
2013-11-24 21:34 - 2013-11-24 21:35 - 00276704 _____ C:\windows\Minidump\112413-94895-01.dmp

==================== One Month Modified Files and Folders =======

2013-12-12 20:03 - 2013-12-12 20:03 - 01927274 _____ (Farbar) C:\Users\SHEILA 1\Downloads\FRST64.exe
2013-12-12 20:03 - 2013-12-12 20:03 - 00000000 _____ C:\Users\SHEILA 1\Downloads\FRST.txt
2013-12-12 20:02 - 2013-12-12 20:02 - 01060839 _____ (Farbar) C:\Users\SHEILA 1\Downloads\FRST.exe
2013-12-12 04:38 - 2010-12-03 17:57 - 01158784 _____ C:\windows\WindowsUpdate.log
2013-12-12 03:30 - 2009-07-14 00:13 - 00780090 _____ C:\windows\system32\PerfStringBackup.INI
2013-12-11 20:26 - 2013-12-11 20:19 - 00013467 _____ C:\Users\SHEILA 1\Desktop\dds.txt
2013-12-11 20:23 - 2013-12-11 20:23 - 00015222 _____ C:\Users\SHEILA 1\Desktop\Attach dds.txt
2013-12-11 20:19 - 2013-12-11 20:19 - 00015222 _____ C:\Users\SHEILA 1\Desktop\attach.txt
2013-12-11 19:54 - 2013-12-11 19:53 - 00276712 _____ C:\windows\Minidump\121113-94224-01.dmp
2013-12-11 19:53 - 2011-02-21 19:18 - 00000000 ____D C:\windows\Minidump
2013-12-11 19:52 - 2011-02-21 19:18 - 414682199 _____ C:\windows\MEMORY.DMP
2013-12-11 19:43 - 2010-12-05 11:04 - 00000898 _____ C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-12-11 19:41 - 2013-01-15 10:32 - 00000830 _____ C:\windows\Tasks\Adobe Flash Player Updater.job
2013-12-11 19:31 - 2011-03-05 10:17 - 00000912 _____ C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4280437723-3974185522-1874671452-1000UA.job
2013-12-11 19:16 - 2010-12-05 11:04 - 00000894 _____ C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-12-11 19:07 - 2013-01-15 10:32 - 00003768 _____ C:\windows\System32\Tasks\Adobe Flash Player Updater
2013-12-11 19:07 - 2012-05-18 08:29 - 00692616 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerApp.exe
2013-12-11 19:07 - 2011-06-29 06:41 - 00071048 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-12-11 19:06 - 2013-08-24 19:25 - 00000342 ____H C:\windows\Tasks\{44090356-F01B-4E39-8BA5-57F8DA30E235}.job
2013-12-11 19:06 - 2011-03-05 10:17 - 00000860 _____ C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4280437723-3974185522-1874671452-1000Core.job
2013-12-09 11:39 - 2011-01-06 10:22 - 00088791 _____ C:\ProgramData\lxdwJSW.log
2013-12-09 11:39 - 2010-12-13 13:44 - 00000000 ____D C:\ProgramData\Lx_cats
2013-12-09 11:16 - 2009-07-13 23:45 - 00015792 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-12-09 11:16 - 2009-07-13 23:45 - 00015792 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-12-05 23:38 - 2010-12-05 11:04 - 00003894 _____ C:\windows\System32\Tasks\GoogleUpdateTaskMachineUA
2013-12-05 23:38 - 2010-12-05 11:04 - 00003642 _____ C:\windows\System32\Tasks\GoogleUpdateTaskMachineCore
2013-12-05 13:54 - 2013-12-05 13:47 - 00000000 ____D C:\Users\SHEILA 1\AppData\Local\VirtualStore
2013-12-05 13:54 - 2009-07-14 00:32 - 00000000 ____D C:\windows\system32\FxsTmp
2013-12-05 13:52 - 2013-12-05 13:52 - 00000000 ____D C:\Users\SHEILA 1\AppData\Roaming\Macromedia
2013-12-05 13:52 - 2013-12-05 13:52 - 00000000 ____D C:\Users\SHEILA 1\AppData\Roaming\AOL
2013-12-05 13:49 - 2013-12-05 13:49 - 00000000 ____D C:\Users\SHEILA 1\AppData\Roaming\Teleca
2013-12-05 13:49 - 2013-12-05 13:49 - 00000000 ____D C:\Users\SHEILA 1\AppData\Roaming\ICAClient
2013-12-05 13:49 - 2013-12-05 13:49 - 00000000 ____D C:\Users\SHEILA 1\AppData\Roaming\Apple Computer
2013-12-05 13:49 - 2013-12-05 13:49 - 00000000 ____D C:\Users\SHEILA 1\AppData\Roaming\7600 Series
2013-12-05 13:49 - 2013-12-05 13:49 - 00000000 ____D C:\Users\SHEILA 1\AppData\Local\TOSHIBA
2013-12-05 13:49 - 2013-12-05 13:49 - 00000000 ____D C:\Users\SHEILA 1\AppData\Local\Citrix
2013-12-05 13:49 - 2013-12-05 13:49 - 00000000 ____D C:\Users\SHEILA 1\AppData\Local\AOL
2013-12-05 13:48 - 2013-12-05 13:48 - 00001428 _____ C:\Users\SHEILA 1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2013-12-05 13:48 - 2013-12-05 13:48 - 00000000 ___RD C:\Users\SHEILA 1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2013-12-05 13:48 - 2013-12-05 13:48 - 00000000 ___RD C:\Users\SHEILA 1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2013-12-05 13:48 - 2013-12-05 13:48 - 00000000 ____D C:\Users\SHEILA 1\AppData\Roaming\Adobe
2013-12-05 13:48 - 2013-12-05 13:46 - 00000000 ____D C:\Users\SHEILA 1
2013-12-05 13:46 - 2013-12-05 13:46 - 00000020 ___SH C:\Users\SHEILA 1\ntuser.ini
2013-12-05 13:29 - 2009-07-14 00:08 - 00000006 ____H C:\windows\Tasks\SA.DAT
2013-12-05 13:27 - 2009-09-03 20:33 - 00258112 _____ C:\windows\PFRO.log
2013-12-05 13:27 - 2009-07-13 23:51 - 00061300 _____ C:\windows\setupact.log
2013-12-05 11:05 - 2013-12-05 11:05 - 00276704 _____ C:\windows\Minidump\120513-95503-01.dmp
2013-12-04 20:16 - 2013-12-04 20:16 - 00001754 _____ C:\Users\Public\Desktop\iTunes.lnk
2013-12-04 20:16 - 2013-12-04 20:16 - 00000000 ____D C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-12-04 20:16 - 2013-12-04 20:16 - 00000000 ____D C:\Program Files\iTunes
2013-12-04 20:16 - 2013-12-04 20:16 - 00000000 ____D C:\Program Files\iPod
2013-12-04 20:16 - 2013-12-04 20:16 - 00000000 ____D C:\Program Files (x86)\iTunes
2013-12-04 20:15 - 2013-12-04 20:15 - 00000000 ____D C:\Users\Administrator\AppData\Local\Apple Computer
2013-12-04 20:15 - 2013-11-29 13:25 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Apple Computer
2013-11-29 13:27 - 2013-08-13 16:40 - 00000000 ____D C:\Users\Administrator\AppData\Local\Google
2013-11-24 21:35 - 2013-11-24 21:34 - 00276704 _____ C:\windows\Minidump\112413-94895-01.dmp

Files to move or delete:
====================
C:\Users\Sheila\AppData\Roaming\skype.ini
C:\Users\Sheila\acrobatreader.exe
C:\Users\Sheila\chrome.exe
C:\Users\Sheila\icq.exe
C:\Users\Sheila\opera.exe
C:\Windows\Tasks\{44090356-F01B-4E39-8BA5-57F8DA30E235}.job

Some content of TEMP:
====================
C:\Users\Guest\AppData\Local\Temp\bj8zecru.dll
C:\Users\Sheila\AppData\Local\Temp\ac6mbrvi.dll
C:\Users\Sheila\AppData\Local\Temp\ekfpts2c.dll
C:\Users\Sheila\AppData\Local\Temp\ose00000.exe

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2013-08-13 07:57

==================== End Of Log ============================

 

Did not create "addition.txt" file....  :(
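As an added example (not code from this thread, from FRST, or from its author), the following Python triages the Run-key lines of an FRST log like the one above. It scores each autorun on the checks a responder applies by eye when reading such a log: an image under the user profile, a regsvr32/rundll32 proxy load, a random hex-named folder, and the missing size/date/publisher that FRST prints for files it cannot vouch for. The function names (`parse_run_line`, `triage`) and the equal weighting of the checks are this example's own; the sample lines are copied from the log above.

```python
"""Triage of the Run-key lines in an FRST log (added example, not FRST's code).
Reproduces, as scored checks, why a responder singles out the three
'<===== ATTENTION' autoruns in the log above."""
from __future__ import annotations

import re
from dataclasses import dataclass, field


# Long hex/dash folder names like the AppData\Local one in the log above (its
# last group has 14 hex digits, so it is not even a well-formed GUID). Real
# installers use GUID folders too, so this is only one signal among several.
GUID_LIKE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12,}", re.I)
# Tail of a Run line as FRST prints it: command, optional "[size date]",
# optional "(publisher)". FRST omits both for the entries it flags.
TAIL = re.compile(r"^(?P<cmd>.*?)(?:\s+\[(?P<meta>[^\]]*)\])?(?:\s+\((?P<pub>[^)]*)\))?$")
LOADERS = {"regsvr32", "regsvr32.exe", "rundll32", "rundll32.exe"}
ATTENTION = " <===== ATTENTION"


@dataclass
class Autorun:
    hive: str
    name: str
    command: str
    image: str            # executable or DLL that actually gets loaded
    publisher: str        # "" when FRST printed none or the file was missing
    frst_flagged: bool    # FRST's own "<===== ATTENTION" marker
    reasons: list[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def image_path(command: str) -> tuple[str, bool]:
    """Return (path of the loaded image, True if regsvr32/rundll32 loads it)."""
    tokens = command.split(None, 1)
    first = tokens[0].strip('"').lower() if tokens else ""
    via_loader = first.rsplit("\\", 1)[-1] in LOADERS
    quoted = re.search(r'"([^"]+)"', command)
    if quoted:                      # regsvr32 "x.dll" / rundll32 "x.dll",Entry
        return quoted.group(1), via_loader
    exe = re.match(r"(.+?\.exe)", command, re.I)
    return (exe.group(1) if exe else command.strip()), via_loader


def parse_run_line(line: str) -> Autorun | None:
    """Parse one 'HKxx\\...\\Run: [name] - command' line; None for other lines."""
    line = line.rstrip()
    flagged = line.endswith(ATTENTION)
    if flagged:
        line = line[: -len(ATTENTION)]
    hive, sep, rest = line.partition(r"\...\Run: [")
    if not sep or "] - " not in rest:
        return None
    name, _, tail = rest.partition("] - ")
    m = TAIL.match(tail)
    image, via_loader = image_path(m.group("cmd"))
    run = Autorun(hive, name, m.group("cmd"), image,
                  (m.group("pub") or "").strip(), flagged)
    low = image.lower()
    if low.startswith("c:\\users\\") or "\\appdata\\" in low or "\\temp\\" in low:
        run.reasons.append("image lives in a user-writable profile location")
    if via_loader:
        run.reasons.append("loaded through regsvr32/rundll32 instead of run directly")
    if any(GUID_LIKE.fullmatch(part) for part in image.split("\\")):
        run.reasons.append("random hex/GUID-style directory name")
    if not run.publisher and not (m.group("meta") or "").strip():
        run.reasons.append("no size/date/publisher recorded by FRST")
    return run


def triage(log_text: str) -> list[Autorun]:
    """All Run-key autoruns in the log, most suspicious first."""
    runs = [r for r in map(parse_run_line, log_text.splitlines()) if r]
    return sorted(runs, key=lambda r: (-r.score, r.name))


# Constructed sample: Run lines copied from the FRST log in this thread, plus a
# Winlogon line to show that non-Run lines are skipped.
SAMPLE_LOG = r'''
HKLM\...\Run: [HotKeysCmds] - C:\windows\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7982112 2009-07-29] (Realtek Semiconductor)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\Sheila\...\Run: [Google Update] - C:\Users\Sheila\AppData\Local\Google\Update\GoogleUpdate.exe [136176 2010-12-05] (Google Inc.)
HKU\Sheila\...\Run: [Verizon Wireless] - regsvr32.exe "C:\Users\Sheila\AppData\Local\Verizon Wireless\EP0NH434.DLL" <===== ATTENTION
HKU\Sheila\...\Run: [Adobe CSS5.1 Manager] - C:\Users\Sheila\AppData\Local\ef9220ad-b8a6-41cb-b357-cfd76d67affead\efadbacbbcfddaffead.exe <===== ATTENTION
HKU\Sheila\...\Run: [TOSHIBA_Corporation] - rundll32 "C:\Users\Sheila\AppData\Local\Microsoft\TOSHIBA_Corporation\hpebfohg.dll",DllRegisterServer <===== ATTENTION
'''

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        flag = "ATTENTION" if r.frst_flagged else "         "
        print(f"{r.score} {flag} {r.hive:<10} [{r.name}] -> {r.image}")
        for why in r.reasons:
            print(f"      - {why}")
```

On the sample, the three entries FRST marked with ATTENTION are exactly the ones that trip three checks each, while the Google updater under the same AppData\Local tree scores one because it carries a size, date and publisher.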



#4 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 12 December 2013 - 11:39 PM

Please do this next:

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it in the same location as FRST (usually your desktop) as fixlist.txt

HKU\Sheila\...\Run: [Adobe CSS5.1 Manager] - C:\Users\Sheila\AppData\Local\ef9220ad-b8a6-41cb-b357-cfd76d67affead\efadbacbbcfddaffead.exe <===== ATTENTION
C:\Users\Sheila\AppData\Local\ef9220ad-b8a6-41cb-b357-cfd76d67affead\efadbacbbcfddaffead.exe
C:\Windows\Tasks\{44090356-F01B-4E39-8BA5-57F8DA30E235}.job
C:\Users\Guest\AppData\Local\Temp\bj8zecru.dll
C:\Users\Sheila\AppData\Local\Temp\ac6mbrvi.dll
C:\Users\Sheila\AppData\Local\Temp\ekfpts2c.dll
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Now run FRST again.
  • When the tool opens click Yes to disclaimer.
  • Press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) please post it to your reply.



#5 dankwest

dankwest
  • Topic Starter

  • Members
  • 20 posts
  • Gender:Male
  • Location:12586

Posted 13 December 2013 - 08:51 AM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-12-2013 01
Ran by SHEILA 1 at 2013-12-13 08:49:38 Run:3
Running from C:\Users\SHEILA 1\Desktop
Boot Mode: Safe Mode (with Networking)
==============================================

Content of fixlist:
*****************
HKU\Sheila\...\Run: [Adobe CSS5.1 Manager] - C:\Users\Sheila\AppData\Local\ef9220ad-b8a6-41cb-b357-cfd76d67affead\efadbacbbcfddaffead.exe <===== ATTENTION
C:\Users\Sheila\AppData\Local\ef9220ad-b8a6-41cb-b357-cfd76d67affead\efadbacbbcfddaffead.exe
C:\Windows\Tasks\{44090356-F01B-4E39-8BA5-57F8DA30E235}.job
C:\Users\Guest\AppData\Local\Temp\bj8zecru.dll
C:\Users\Sheila\AppData\Local\Temp\ac6mbrvi.dll
C:\Users\Sheila\AppData\Local\Temp\ekfpts2c.dll
*****************

HKU\Sheila\Software\Microsoft\Windows\CurrentVersion\Run\\Adobe CSS5.1 Manager => Value deleted successfully.
"C:\Users\Sheila\AppData\Local\ef9220ad-b8a6-41cb-b357-cfd76d67affead\efadbacbbcfddaffead.exe" => File/Directory not found.
C:\Windows\Tasks\{44090356-F01B-4E39-8BA5-57F8DA30E235}.job => Moved successfully.
C:\Users\Guest\AppData\Local\Temp\bj8zecru.dll => Moved successfully.
C:\Users\Sheila\AppData\Local\Temp\ac6mbrvi.dll => Moved successfully.
C:\Users\Sheila\AppData\Local\Temp\ekfpts2c.dll => Moved successfully.

==== End of Fixlog ====



#6 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 13 December 2013 - 11:53 AM

Please do this next:

Download Combofix from HERE, and save it to your desktop.

**Note:  It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.

  • If you have trouble, stop and post back.  Do not try to repeatedly run comboFix!
  • When finished, it will produce a report for you.
Note: If after running ComboFix you receive a message stating, "Illegal Operation Attempted on a registry key that has been marked for deletion" rebooting your computer will resolve the problem.

Please include the following in your next post:
  • ComboFix log




#7 dankwest

dankwest
  • Topic Starter

  • Members
  • 20 posts
  • Gender:Male
  • Location:12586

Posted 13 December 2013 - 01:19 PM

ComboFix 13-12-13.01 - SHEILA 1 12/13/2013 12:54:44.1.2 - x64 NETWORK
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2940.1433 [GMT -5:00]
Running from: c:\users\SHEILA 1\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Microsoft\Windows\DRM\255C.tmp
c:\users\Sheila\acrobatreader.exe
c:\users\Sheila\chrome.exe
c:\users\Sheila\icq.exe
c:\users\Sheila\opera.exe
.
.
((((((((((((((((((((((((( Files Created from 2013-11-13 to 2013-12-13 )))))))))))))))))))))))))))))))
.
.
2013-12-13 18:07 . 2013-12-13 18:07 -------- d-----w- c:\users\Sheila\AppData\Local\temp
2013-12-13 18:07 . 2013-12-13 18:07 -------- d-----w- c:\users\Guest\AppData\Local\temp
2013-12-13 18:07 . 2013-12-13 18:07 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-12-13 18:07 . 2013-12-13 18:07 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2013-12-12 08:04 . 2013-12-12 08:04 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{9378B04A-5E71-4B1A-B08B-F267FB85FE23}\offreg.dll
2013-12-12 07:59 . 2013-11-18 06:28 10285968 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{9378B04A-5E71-4B1A-B08B-F267FB85FE23}\mpengine.dll
2013-12-05 18:46 . 2013-12-05 18:48 -------- d-----w- c:\users\SHEILA 1
2013-12-05 01:16 . 2013-12-05 01:16 -------- d-----w- c:\program files\iPod
2013-12-05 01:16 . 2013-12-05 01:16 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-12-05 01:16 . 2013-12-05 01:16 -------- d-----w- c:\program files\iTunes
2013-12-05 01:16 . 2013-12-05 01:16 -------- d-----w- c:\program files (x86)\iTunes
2013-12-05 01:15 . 2013-12-05 01:15 -------- d-----w- c:\users\Administrator\AppData\Local\Apple Computer
2013-11-29 18:25 . 2013-12-05 01:15 -------- d-----w- c:\users\Administrator\AppData\Roaming\Apple Computer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-12-12 00:07 . 2012-05-18 13:29 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-12-12 00:07 . 2011-06-29 11:41 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-27 01:14 . 2012-02-27 01:16 16409960 ----a-w- c:\program files\spybotsd162.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MyTOSHIBA"="c:\program files (x86)\Toshiba\My Toshiba\MyToshiba.exe" [2009-08-06 264048]
"AOL Fast Start"="c:\program files (x86)\AOL Desktop 9.6\AOL.EXE" [2010-11-24 42320]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"NortonOnlineBackupReminder"="c:\program files (x86)\Toshiba\Toshiba Online Backup\Activation\TobuActivation.exe" [2009-07-16 529256]
"ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2011-02-11 1295736]
"TWebCamera"="c:\program files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2009-08-11 2446648]
"HostManager"="c:\program files (x86)\Common Files\AOL\1291565820\ee\AOLSoftware.exe" [2010-03-08 41800]
"Lexmark 7600 Series"="c:\program files (x86)\Lexmark 7600 Series\fm3032.exe" [2008-09-10 311976]
"ConnectionCenter"="c:\program files (x86)\Citrix\ICA Client\concentr.exe" [2009-09-13 103768]
"VMM Mode Selection"="c:\program files\HTC\ModeSelection\VMMModeSelection.exe" [2011-02-14 43520]
"Mobile Connectivity Suite"="c:\program files (x86)\HTC\HTC Sync\Application Launcher\Application Launcher.exe" [2009-11-19 598016]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-05-11 958576]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-11-02 152392]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys;c:\windows\SYSNATIVE\DRIVERS\ctxusbm.sys [x]
R2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe;c:\program files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 ConfigFree Gadget Service;ConfigFree Gadget Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe;c:\program files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe [x]
R2 ConfigFree Service;ConfigFree Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe;c:\program files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe [x]
R2 Garmin Core Update Service;Garmin Core Update Service;c:\program files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe;c:\program files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [x]
R2 lxdw_device;lxdw_device;c:\windows\system32\lxdwcoms.exe;c:\windows\SYSNATIVE\lxdwcoms.exe [x]
R2 lxdwCATSCustConnectService;lxdwCATSCustConnectService;c:\windows\system32\spool\DRIVERS\x64\3\\lxdwserv.exe;c:\windows\SYSNATIVE\spool\DRIVERS\x64\3\\lxdwserv.exe [x]
R2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [x]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [x]
R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe;c:\program files\TOSHIBA\TECO\TecoService.exe [x]
R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys;c:\windows\SYSNATIVE\DRIVERS\dc3d.sys [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
R3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys;c:\windows\SYSNATIVE\DRIVERS\pgeffect.sys [x]
R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys;c:\windows\SYSNATIVE\DRIVERS\point64.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys;c:\windows\SYSNATIVE\Drivers\RtsUStor.sys [x]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys;c:\windows\SYSNATIVE\DRIVERS\Rts516xIR.sys [x]
R3 S3XXx64;SCR3xx USB SmartCardReader64;c:\windows\system32\DRIVERS\S3XXx64.sys;c:\windows\SYSNATIVE\DRIVERS\S3XXx64.sys [x]
R3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [x]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [x]
R3 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 tos_sps64;TOSHIBA tos_sps64 Service;c:\windows\system32\DRIVERS\tos_sps64.sys;c:\windows\SYSNATIVE\DRIVERS\tos_sps64.sys [x]
S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys;c:\windows\SYSNATIVE\DRIVERS\TVALZFL.sys [x]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys;c:\windows\SYSNATIVE\DRIVERS\FwLnk.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
S3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys;c:\windows\SYSNATIVE\DRIVERS\rtl8192se.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{01250B8F-D947-4F8A-9408-FE8E3EE2EC92}]
2009-08-06 16:15 264048 ----a-w- c:\program files (x86)\Toshiba\My Toshiba\MyToshiba.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-12-12 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-18 00:07]
.
2013-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-05 16:04]
.
2013-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-05 16:04]
.
2013-12-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4280437723-3974185522-1874671452-1000Core.job
- c:\users\Sheila\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-05 16:09]
.
2013-12-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4280437723-3974185522-1874671452-1000UA.job
- c:\users\Sheila\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-05 16:09]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-02 165912]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-02 387608]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-02 365592]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-29 7982112]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2009-09-17 709976]
"lxdwmon.exe"="c:\program files (x86)\Lexmark 7600 Series\lxdwmon.exe" [2008-09-10 676520]
"lxdwamon"="c:\program files (x86)\Lexmark 7600 Series\lxdwamon.exe" [2008-09-10 16040]
"IntelliType Pro"="c:\program files\Microsoft Mouse and Keyboard Center\itype.exe" [2012-10-12 1464984]
"IntelliPoint"="c:\program files\Microsoft Mouse and Keyboard Center\ipoint.exe" [2012-10-12 2075288]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~2\MIF5BA~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MIF5BA~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1 68.237.161.12
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.4.0/GarminAxControl_32.CAB
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
Toolbar-Locked - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
HKLM-Run-SmoothView - c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe
HKLM-Run-00TCrdMain - c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
HKLM-Run-TosWaitSrv - c:\program files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe
HKLM-Run-Teco - c:\program files (x86)\TOSHIBA\TECO\Teco.exe
AddRemove-Shockwave - c:\windows\System32\Macromed\SHOCKW~1\UNWISE.EXE
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_170_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_170_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-12-13 13:14:34
ComboFix-quarantined-files.txt 2013-12-13 18:14
.
Pre-Run: 238,790,815,744 bytes free
Post-Run: 240,035,004,416 bytes free
.
- - End Of File - - 7B3D6354E6DEE97ECD89CAF0019D6663
5B5E648D12FCADC244C1EC30318E1EB9
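The ComboFix output above is the kind of thing a responder triages by eye: Run-key values whose binary lives somewhere a vendor would never install it, executables dumped straight into a profile root (the `c:\users\Sheila\chrome.exe` / `opera.exe` / `icq.exe` entries), and a burst of same-prefix `.tmp` files in `c:\programdata`. As an added example, not code from this thread, from ComboFix or from any other tool named here, the following Python script applies those three checks to log text offline. The sample log embedded in it is constructed: the file paths and the first three Run values are copied in shape from the log above, while the `"Updater"` value pointing into a profile directory is an invented illustration of a profile-resident autostart and was not on the poster's machine. The trusted-root list and the regular expressions are my own assumptions about the log layout.

```python
r"""Triage of a ComboFix-style log: autostart entries and dropped files.

Added example for this thread, not ComboFix or Malwarebytes code. It
reads log text offline and applies three heuristics a responder applies
by eye: a Run value whose binary is outside the Windows / Program Files
trees, executables sitting directly in a profile root, and clusters of
same-prefix .tmp files under c:\programdata.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample. Paths and the first three Run values follow the
# posted log; the "Updater" value is a made-up illustration, not from it.
SAMPLE_LOG = r"""
c:\programdata\SPL308F.tmp
c:\programdata\SPL32B9.tmp
c:\programdata\SPL330.tmp
c:\programdata\SPL3355.tmp
c:\users\Sheila\acrobatreader.exe
c:\users\Sheila\chrome.exe
c:\users\Sheila\icq.exe
c:\users\Sheila\opera.exe
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MyTOSHIBA"="c:\program files (x86)\Toshiba\My Toshiba\MyToshiba.exe" [2009-08-06 264048]
"AOL Fast Start"="c:\program files (x86)\AOL Desktop 9.6\AOL.EXE" [2010-11-24 42320]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-05-11 958576]
"Updater"="c:\users\Sheila\AppData\Roaming\updater.exe" [2013-12-10 51200]
"""

# Assumed trees where a vendor autostart binary is expected to live.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

RUN_KEY_RE = re.compile(r"^\[(HKEY_[^\]]*\\Run)\]$", re.IGNORECASE)
# name = path [yyyy-mm-dd size], the shape ComboFix uses for Run values
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]+)"\s+\[(\d{4}-\d{2}-\d{2}) (\d+)\]$')
# an executable directly under c:\users\<name>\, i.e. not in a subfolder
PROFILE_ROOT_EXE_RE = re.compile(
    r"^c:\\users\\[^\\]+\\[^\\]+\.(?:exe|dll|scr|com|bat|cmd)$",
    re.IGNORECASE | re.MULTILINE)
# lazy letter prefix followed by a hex tail, e.g. SPL + 308F (assumes the
# prefix itself contains no hex letters, which holds for "SPL")
TMP_DROP_RE = re.compile(r"^(c:\\programdata\\[a-z]+?)[0-9a-f]+\.tmp$",
                         re.IGNORECASE | re.MULTILINE)


@dataclass(frozen=True)
class RunEntry:
    key: str
    name: str
    path: str
    stamp: str
    size: int


def parse_run_entries(log_text):
    """Run values listed under each [HKEY...\\Run] header of the log."""
    entries, current_key = [], None
    for line in log_text.splitlines():
        line = line.strip()
        header = RUN_KEY_RE.match(line)
        if header:
            current_key = header.group(1)
            continue
        if line == ".":            # ComboFix separates sections with a lone dot
            current_key = None
            continue
        value = RUN_VALUE_RE.match(line)
        if current_key and value:
            name, path, stamp, size = value.groups()
            entries.append(RunEntry(current_key, name, path, stamp, int(size)))
    return entries


def is_trusted_location(path):
    """True when the binary sits under one of TRUSTED_ROOTS."""
    return path.lower().startswith(TRUSTED_ROOTS)


def suspicious_run_entries(entries):
    """Autostart values whose binary is outside the trusted trees."""
    return [e for e in entries if not is_trusted_location(e.path)]


def profile_root_executables(log_text):
    """Executables placed directly in a profile root, in log order."""
    return PROFILE_ROOT_EXE_RE.findall(log_text.replace("\r", ""))


def tmp_drop_clusters(log_text, min_count=3):
    """Same-prefix .tmp files under c:/programdata, counted per prefix."""
    counts = Counter(m.lower() for m in TMP_DROP_RE.findall(log_text.replace("\r", "")))
    return {prefix: n for prefix, n in counts.items() if n >= min_count}


def triage(log_text):
    """Run all three checks and return one report dict."""
    return {
        "autostart": suspicious_run_entries(parse_run_entries(log_text)),
        "profile_root_exes": profile_root_executables(log_text),
        "tmp_clusters": tmp_drop_clusters(log_text),
    }


if __name__ == "__main__":
    for section, hits in triage(SAMPLE_LOG).items():
        print(section, hits)
```

The location check is deliberately a coarse allow-list rather than a signature: it will also flag legitimate per-user installers such as the `GoogleUpdate.exe` under `AppData\Local` in the scheduled-tasks section, which is the point, since every hit is something to look at rather than something to delete. Feed a real log in with `triage(open("ComboFix.txt").read())`.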

#8 RPMcMurphy (Malware Response Team)

Posted 13 December 2013 - 04:44 PM

Please do this next:

Please download AdwCleaner by Xplode and save it to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool.

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information, C:\FRST\Quarantine or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Please include the following in your next post:
  • adwCleaner log
  • MBAM log


Threads are closed after 5 days of inactivity.

ASAP & UNITE Member

The help you receive here is free. If you wish to show your appreciation, then you may donate.


#9 dankwest (Topic Starter)

Posted 13 December 2013 - 06:52 PM

# AdwCleaner v3.015 - Report created 13/12/2013 at 16:51:53
# Updated 10/12/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : SHEILA 1 - SHEILA-PC
# Running from : C:\Users\SHEILA 1\Downloads\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKLM\SOFTWARE\Classes\.bdc
Key Found : HKLM\SOFTWARE\Classes\.bgl
Key Found : HKLM\SOFTWARE\Classes\.bof
Key Found : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Found : HKLM\SOFTWARE\Classes\AppID\WLXQuickTimeShellExt.DLL
Key Found : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{F72841F0-4EF1-4DF5-BCE5-B3AC8ACF5478}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
Key Found : HKLM\Software\Trymedia Systems
Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{64B00DAC-870D-4E6A-8D34-3A6E3E427A30}

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16635


*************************

AdwCleaner[0].txt - [9963 octets] - [14/08/2013 07:05:07]
AdwCleaner[1].txt - [822 octets] - [14/08/2013 07:16:17]
AdwCleaner[R0].txt - [1711 octets] - [13/12/2013 16:51:53]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [1771 octets] ##########

#10 dankwest (Topic Starter)

Posted 13 December 2013 - 06:54 PM

Now scanning with Malwarebytes.....

#11 dankwest (Topic Starter)

Posted 13 December 2013 - 08:14 PM

Now scanning with Malwarebytes.....


Results: looks like 1 more problem

Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.12.13.08

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
Internet Explorer 10.0.9200.16635
SHEILA 1 :: SHEILA-PC [administrator]

Protection: Disabled

12/13/2013 6:53:56 PM
MBAM-log-2013-12-13 (20-12-21).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 488447
Time elapsed: 54 minute(s), 4 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#12 RPMcMurphy (Malware Response Team)

Posted 14 December 2013 - 12:16 AM

How is your computer running now?  Please do this next:

Run MBAM again, this time letting it take care of that detection.

Double click on AdwCleaner.exe to run the tool again.

  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished...
  • This time click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator
  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.

Please include the following in your next post:
  • How is the computer running now?
  • adwCleaner log
  • ESET log




#13 dankwest (Topic Starter)

Posted 14 December 2013 - 10:08 AM

(Note: Windows shut down right after I ran MBAM; I had to reboot.)

# AdwCleaner v3.000 - Report created 14/08/2013 at 08:16:17
# Updated 13/08/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Sheila - SHEILA-PC
# Running from : E:\AdwCleaner.exe

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16635

[OK] No bad entry found.

-\\ Google Chrome v

[ File : C:\Users\Sheila\AppData\Local\Google\Chrome\User Data\Default\preferences ]

[OK] No bad entry found.

*************************

AdwCleaner[0].txt - [9963 octets] - [14/08/2013 08:05:07]
AdwCleaner[1].txt - [686 octets] - [14/08/2013 08:16:17]

########## EOF - C:\AdwCleaner\AdwCleaner[1].txt - [744 octets] ##########

# AdwCleaner v3.015 - Report created 14/12/2013 at 09:39:53
# Updated 10/12/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Administrator - SHEILA-PC
# Running from : C:\Users\Administrator\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\.bdc
Key Deleted : HKLM\SOFTWARE\Classes\.bgl
Key Deleted : HKLM\SOFTWARE\Classes\.bof
Key Deleted : HKLM\SOFTWARE\Classes\AppID\WLXQuickTimeShellExt.DLL
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9CFACCB6-2F3F-4177-94EA-0D2B72D384C1}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{9CFACCB6-2F3F-4177-94EA-0D2B72D384C1}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{F72841F0-4EF1-4DF5-BCE5-B3AC8ACF5478}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{64B00DAC-870D-4E6A-8D34-3A6E3E427A30}
Key Deleted : HKLM\Software\Trymedia Systems

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16635

*************************

AdwCleaner[0].txt - [9963 octets] - [14/08/2013 07:05:07]
AdwCleaner[1].txt - [822 octets] - [14/08/2013 07:16:17]
AdwCleaner[R0].txt - [1855 octets] - [13/12/2013 16:51:53]
AdwCleaner[R1].txt - [2253 octets] - [14/12/2013 09:37:17]
AdwCleaner[S0].txt - [2206 octets] - [14/12/2013 09:39:53]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2266 octets] ##########

Note: right after I ran these, I had to do a reboot (to access the AdwCleaner file). Very slow to reboot; had the error message "Failed to connect to a Windows service - System Notifications". The computer was very slow to respond, then shut down with the error "A problem has been detected, and Windows has been shut down to protect the computer...". I then rebooted in Safe Mode so I could post these files. I will try to post the results of the ESET run in my next post.



#14 dankwest (Topic Starter)

Posted 14 December 2013 - 10:19 AM

ESET was downloaded, but will not install (the error message indicates that malware may be present, preventing the install from taking place). It offers to download and install a "specialized cleaner"....



#15 RPMcMurphy (Malware Response Team)

Posted 14 December 2013 - 10:57 AM

Please do this now:

Download TDSSKiller.zip and extract TDSSKiller.exe to your desktop

  • Execute TDSSKiller.exe by doubleclicking on it.
  • When the window opens, click on Change Parameters
  • Under "Additional options", put a check mark in the box next to "Detect TDLFS File System"
  • click OK
  • Press Start Scan
  • If Malicious objects are found then ensure Cure is selected.  Important - If there is no option to "Cure" it is critical that you select "Skip"
  • Then click Continue > Reboot now
  • Once complete, a log will be produced in c:\. It will be named for example, TDSSKiller.2.7.1.0_19.01.2012_17.24.26_log.txt
  • Post that log, please.

Please include the following in your next post:

  • TDSSKiller log





