Browser hijacked, popups everywhere, internet not working


This topic is locked
20 replies to this topic

#1 LucaBC (Members, 9 posts)

Posted 12 December 2013 - 02:39 AM

Hello there, my 13-year-old son just got a new laptop for his birthday a month ago, and wouldn't you know it, a month later the thing is infected with something nasty. The browsers are hijacked and full of adware, and occasionally pretend that the internet isn't working. One of the programs I was able to remove was called Scorpion Saver, but there are so many more toolbars and popups, I don't even know where to begin. I hope this is enough information; let me know if you'd like to know anything else. Thank you so much for your assistance!

Because of the tenuous internet connection, I'm using my own laptop to post this log, and not the infected one.

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 11.0.9600.16428  BrowserJavaVersion: 10.45.2
Run by Ying at 23:08:51 on 2013-12-11
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.5921.4145 [GMT -8:00]
.
AV: Trend Micro Titanium Internet Security *Disabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
SP: Trend Micro Titanium Internet Security *Disabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\FBAgent.exe
C:\Windows\system32\WLANExt.exe
C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe
C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\Dwm.exe
C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe
C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe
C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\ASUS\P4G\BatteryLife.exe
C:\Program Files (x86)\ASUS\Splendid\ACMON.exe
C:\Program Files (x86)\ASUS\FaceLogon\sensorsrv.exe
C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe
C:\Windows\System32\rundll32.exe
C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
C:\Windows\SysWOW64\ACEngSvr.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe
C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe
C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe
C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Social Privacy  DNS\dnswatch.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\AsScrPro.exe
C:\Program Files\Trend Micro\Titanium\TiMiniService.exe
C:\Program Files\Trend Micro\Titanium\TiResumeSrv.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearch Page = hxxp://www.google.com
mDefault_Page_URL = hxxp://www.google.com
mDefault_Search_URL = hxxp://www.google.com
mWinlogon: Userinit = userinit.exe,
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: TmIEPlugInBHO Class: {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\module\20004\1.5.1381\6.5.1234\TmIEPlg32.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: TmBpIeBHO Class: {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\module\20002\6.5.1234\6.5.1234\TmBpIe32.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: TBSB07898 Class: {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - 
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TB: Coupons.com CouponBar: {8660E5B3-6C41-44DE-8503-98D99BBECD41} - 
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [MobileAppSync] "C:\Program Files (x86)\Mobile App Sync\D2MClient.exe"
mRun: [Nuance PDF Reader-reminder] "C:\Program Files (x86)\Nuance\PDF Reader\Ereg\Ereg.exe" -r "C:\ProgramData\Nuance\PDF Reader\Ereg\Ereg.ini"
mRun: [ASUSPRP] "C:\Program Files (x86)\ASUS\APRP\APRP.EXE"
mRun: [ASUSWebStorage] C:\Program Files (x86)\ASUS\ASUS WebStorage\3.0.108.222\AsusWSPanel.exe /S
mRun: [SonicMasterTray] C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe
mRun: [ATKOSD2] C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
mRun: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
mRun: [HControlUser] C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe
mRun: [Wireless Console 3] C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [ApnTBMon] "C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe"
mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [dnsshield] C:\Program Files (x86)\Social Privacy  DNS\dnswatch.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\ASUSVI~1.LNK - C:\Program Files (x86)\ASUS\AsusVibe\AsusVibeLauncher.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\FANCYS~1.LNK - C:\Windows\Installer\{C944B4C5-1C4D-4D95-8AC0-7CEF13914131}\_77B5857C27147149171BE7.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TCP: NameServer = 75.126.206.18,184.173.169.186
TCP: Interfaces\{45AEA371-44B6-49A1-AD88-445AC7A05056} : NameServer = 75.126.206.18,184.173.169.186
TCP: Interfaces\{45AEA371-44B6-49A1-AD88-445AC7A05056} : DHCPNameServer = 192.168.0.1 205.171.3.25
TCP: Interfaces\{65C4C895-2440-496B-9562-5566B2E3D34F} : NameServer = 75.126.206.18,184.173.169.186
TCP: Interfaces\{65C4C895-2440-496B-9562-5566B2E3D34F} : DHCPNameServer = 75.75.76.76 75.75.75.75
TCP: Interfaces\{65C4C895-2440-496B-9562-5566B2E3D34F}\34163756976696163736F6 : NameServer = 75.126.206.18,184.173.169.186
TCP: Interfaces\{65C4C895-2440-496B-9562-5566B2E3D34F}\34163756976696163736F6 : DHCPNameServer = 192.168.0.1 205.171.3.25
TCP: Interfaces\{65C4C895-2440-496B-9562-5566B2E3D34F}\3456E647572797C496E6B693335303 : DHCPNameServer = 192.168.0.1 205.171.2.25
TCP: Interfaces\{7546DD8C-C993-437E-8F1A-1F2283BD9CCF} : NameServer = 75.126.206.18,184.173.169.186
TCP: Interfaces\{846ee342-7039-11de-9d20-806e6f6e6963} : NameServer = 75.126.206.18,184.173.169.186
Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\module\20002\6.5.1234\6.5.1234\TmBpIe32.dll
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\module\20004\1.5.1381\6.5.1234\TmIEPlg32.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
AppInit_DLLs= c:\progra~2\searchprotect\searchprotect\bin\spvc32loader.dll      c:\progra~2\sk_enh~1\psupport.dll
SSODL: WebCheck - <orphaned>
x64-mStart Page = hxxp://www.nationzoom.com/?type=hp&ts=1386125640&from=tugs&uid=TOSHIBAXMK7559GSXP_128LC2F0TXX128LC2F0T
x64-mSearch Page = hxxp://www.nationzoom.com/web/?type=ds&ts=1386125640&from=tugs&uid=TOSHIBAXMK7559GSXP_128LC2F0TXX128LC2F0T&q={searchTerms}
x64-mDefault_Page_URL = hxxp://www.nationzoom.com/?type=hp&ts=1386125640&from=tugs&uid=TOSHIBAXMK7559GSXP_128LC2F0TXX128LC2F0T
x64-mDefault_Search_URL = hxxp://www.nationzoom.com/web/?type=ds&ts=1386125640&from=tugs&uid=TOSHIBAXMK7559GSXP_128LC2F0TXX128LC2F0T&q={searchTerms}
x64-BHO: Plus-HD-1.3: {11111111-1111-1111-1111-110311121157} - 
x64-BHO: surff aNd keep: {118B2809-0EB4-3026-2BE4-205CEB209F8C} - 
x64-BHO: TmIEPlugInBHO Class: {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\module\20004\1.5.1381\6.5.1234\TmIEPlg.dll
x64-BHO: YoutubeAdblocker: {2352FEC2-344A-3202-126F-0EB6DC90D885} - 
x64-BHO: surf and  keeeep: {239898A1-6553-422B-1744-C56474277197} - 
x64-BHO: surf aned keep: {4892EEA0-48BB-62B9-FC9F-AFDC01BC38FB} - 
x64-BHO: surFa And keep: {8E7BFDA8-7BC7-E897-64BD-8BCCE102B9D4} - 
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Social Privacy: {91FBEA5C-E3C7-42EA-8C2B-B168189AB5BE} - 
x64-BHO: TmBpIeBHO Class: {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\module\20002\6.5.1234\6.5.1234\TmBpIe64.dll
x64-BHO: surf And keepe: {D1533319-8C05-3ADA-6CBB-870A7D45A9AA} - 
x64-Run: [VizorHtmlDialog.exe] "C:\Program Files\Trend Micro\Titanium\UIFramework\VizorHtmlDialog.exe" "DEF" "EULA" "C:\Program Files\Trend Micro\Titanium\UI\Installer.cmpt\resources\preinstall_01_welcome_trial.html" "DEF" "DEF" "DEF"
x64-Run: [Trend Micro Client Framework] "C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe"
x64-Run: [Trend Micro Titanium] C:\Program Files\Trend Micro\Titanium\VizorShortCut.exe -ReFlush "none" "none"
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [AmIcoSinglun64] C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe
x64-Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /SF3 
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [SynAsusAcpi] C:\Program Files (x86)\Synaptics\SynTP\SynAsusAcpi.exe
x64-Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\module\20002\6.5.1234\6.5.1234\TmBpIe64.dll
x64-Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\module\20004\1.5.1381\6.5.1234\TmIEPlg.dll
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Ying\AppData\Roaming\Mozilla\Firefox\Profiles\ly47v0bl.default\
FF - prefs.js: browser.search.defaulturl - 
FF - prefs.js: browser.search.selectedEngine - nationzoom
FF - prefs.js: browser.startup.homepage - hxxp://search.yahoo.com/firefox/?fr=sfp-yff25
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=U079DF&PC=U079&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Nuance\PDF Reader\bin\nppdf.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Ying\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_9_900_170.dll
FF - ExtSQL: 2013-11-14 16:24; {635abd67-4fe9-1b23-4f01-e679fa7484c1}; C:\Users\Ying\AppData\Roaming\Mozilla\Firefox\Profiles\ly47v0bl.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - ExtSQL: 2013-11-14 16:36; toolbar_ORJ-V7C@apn.ask.com; C:\Users\Ying\AppData\Roaming\Mozilla\Firefox\Profiles\ly47v0bl.default\extensions\toolbar_ORJ-V7C@apn.ask.com.xpi
FF - ExtSQL: 2013-11-16 17:33; o9fd@uyvxtqdx.org; C:\Users\Ying\AppData\Roaming\Mozilla\Firefox\Profiles\ly47v0bl.default\extensions\o9fd@uyvxtqdx.org
FF - ExtSQL: 2013-11-18 00:30; emdmbr@euoeyptynjf.edu; C:\Users\Ying\AppData\Roaming\Mozilla\Firefox\Profiles\ly47v0bl.default\extensions\emdmbr@euoeyptynjf.edu
FF - ExtSQL: 2013-11-18 00:30; 1.3c5qzoo@pfiuy-.edu; C:\Users\Ying\AppData\Roaming\Mozilla\Firefox\Profiles\ly47v0bl.default\extensions\1.3c5qzoo@pfiuy-.edu
FF - ExtSQL: 2013-11-20 00:43; iieayiauo@fdo-aaye.org; C:\Users\Ying\AppData\Roaming\Mozilla\Firefox\Profiles\ly47v0bl.default\extensions\iieayiauo@fdo-aaye.org
FF - ExtSQL: 2013-11-23 13:21; smartwebprinting@hp.com; C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - ExtSQL: 2013-11-26 16:46; affv3pr_f@pwggvjrrlbf.com; C:\Users\Ying\AppData\Roaming\Mozilla\Firefox\Profiles\ly47v0bl.default\extensions\affv3pr_f@pwggvjrrlbf.com
FF - ExtSQL: 2013-11-28 22:35; 6psjgaye@sacl-.co.uk; C:\Users\Ying\AppData\Roaming\Mozilla\Firefox\Profiles\ly47v0bl.default\extensions\6psjgaye@sacl-.co.uk
FF - ExtSQL: 2013-11-29 19:56; mvwbfglzqoz@qqmgrtn.net; C:\Users\Ying\AppData\Roaming\Mozilla\Firefox\Profiles\ly47v0bl.default\extensions\mvwbfglzqoz@qqmgrtn.net
FF - ExtSQL: !HIDDEN! 2013-11-23 13:21; smartwebprinting@hp.com; C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.enabledAddons - sp2@sp.com:1.0
FF - user.js: extensions.enabledScopes - 15
user_pref(extensions.newAddons,false);
FF - user.js: extensions.autoDisableScopes - 0
FF - user.js: extensions.shownSelectionUI - true
.
============= SERVICES / DRIVERS ===============
.
R1 ATKWMIACPIIO;ATKWMIACPI Driver;C:\Program Files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys [2011-9-7 17536]
R2 AFBAgent;AFBAgent;C:\Windows\System32\FBAgent.exe [2012-12-2 379520]
R2 APNMCP;Ask Update Service;C:\Program Files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe [2013-11-8 166352]
R2 ASMMAP64;ASMMAP64;C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys [2009-7-2 15416]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-12-3 418376]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-12-3 701512]
R2 tmevtmgr;tmevtmgr;C:\Windows\System32\drivers\tmevtmgr.sys [2011-10-17 67664]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2012-12-2 2656280]
R3 asmthub3;ASMedia USB3 Hub Service;C:\Windows\System32\drivers\asmthub3.sys [2011-10-3 129512]
R3 asmtxhci;ASMEDIA XHCI Service;C:\Windows\System32\drivers\asmtxhci.sys [2011-10-3 394728]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2011-12-20 317440]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\System32\drivers\L1C62x64.sys [2011-12-20 169584]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-12-3 25928]
R3 TiMiniService;TiMiniService;C:\Program Files\Trend Micro\Titanium\TiMiniService.exe [2011-4-28 241488]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 Amsp;Trend Micro Solution Platform;C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe [2011-10-17 267480]
S3 AmUStor;AM USB Stroage Driver;C:\Windows\System32\drivers\AmUStor.sys [2011-3-17 74840]
S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2011-10-17 48488]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2011-5-13 1492840]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2013-12-11 111616]
S3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;C:\Windows\System32\drivers\SiSG664.sys [2009-6-10 56832]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-2-18 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2011-2-18 31232]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-11-25 1255736]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2013-12-12 01:08:06 167424 ----a-w- C:\Program Files\Windows Media Player\wmplayer.exe
2013-12-12 01:08:06 164864 ----a-w- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
2013-12-12 01:08:06 12625920 ----a-w- C:\Windows\System32\wmploc.DLL
2013-12-12 01:08:05 12625408 ----a-w- C:\Windows\SysWow64\wmploc.DLL
2013-12-12 01:07:00 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-12-12 01:07:00 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
2013-12-12 01:07:00 235216 ----a-w- C:\Program Files (x86)\Internet Explorer\sqmapi.dll
2013-12-12 00:49:31 335360 ----a-w- C:\Windows\System32\msieftp.dll
2013-12-12 00:49:31 301568 ----a-w- C:\Windows\SysWow64\msieftp.dll
2013-12-12 00:49:26 3155968 ----a-w- C:\Windows\System32\win32k.sys
2013-12-12 00:49:20 465920 ----a-w- C:\Windows\System32\WMPhoto.dll
2013-12-12 00:49:20 417792 ----a-w- C:\Windows\SysWow64\WMPhoto.dll
2013-12-12 00:49:14 81408 ----a-w- C:\Windows\System32\imagehlp.dll
2013-12-12 00:49:14 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2013-12-12 00:49:10 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2013-12-12 00:49:10 2048 ----a-w- C:\Windows\System32\tzres.dll
2013-12-12 00:49:03 230400 ----a-w- C:\Windows\System32\drivers\portcls.sys
2013-12-12 00:49:03 116736 ----a-w- C:\Windows\System32\drivers\drmk.sys
2013-12-12 00:48:59 202752 ----a-w- C:\Windows\System32\scrrun.dll
2013-12-12 00:48:59 168960 ----a-w- C:\Windows\System32\wscript.exe
2013-12-12 00:48:59 163840 ----a-w- C:\Windows\SysWow64\scrrun.dll
2013-12-12 00:48:59 156160 ----a-w- C:\Windows\System32\cscript.exe
2013-12-12 00:48:59 150016 ----a-w- C:\Windows\System32\wshom.ocx
2013-12-12 00:48:59 141824 ----a-w- C:\Windows\SysWow64\wscript.exe
2013-12-12 00:48:59 126976 ----a-w- C:\Windows\SysWow64\cscript.exe
2013-12-12 00:48:59 121856 ----a-w- C:\Windows\SysWow64\wshom.ocx
2013-12-04 02:56:13 -------- d-----w- C:\Users\Ying\AppData\Roaming\Malwarebytes
2013-12-04 02:56:05 -------- d-----w- C:\ProgramData\Malwarebytes
2013-12-04 02:56:04 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2013-12-04 02:56:04 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-12-04 02:54:34 -------- d-----w- C:\Program Files (x86)\MyPC Backup
2013-12-04 02:54:08 -------- d-----w- C:\ProgramData\WPM
2013-12-01 04:37:52 439296 ----a-w- C:\Windows\System32\AdpeakProxy64.dll
2013-11-30 04:42:13 -------- d-----w- C:\Users\Ying\AppData\Roaming\Optimizer Pro
2013-11-30 04:36:36 -------- d-----w- C:\temp
2013-11-30 04:36:35 -------- d-----w- C:\Program Files\Level Quality Watcher
2013-11-30 04:36:31 -------- d-----w- C:\ProgramData\Updater
2013-11-30 04:36:31 -------- d-----w- C:\ProgramData\RHelpers
2013-11-30 04:36:08 -------- d-----w- C:\Users\Ying\AppData\Local\SearchProtect
2013-11-30 04:36:02 -------- d-----w- C:\Program Files (x86)\Social Privacy  DNS
2013-11-30 04:36:00 -------- d-----w- C:\Program Files (x86)\sp
2013-11-30 04:35:52 -------- d-----w- C:\Program Files (x86)\DownLite
2013-11-30 04:18:28 81768 ------w- C:\Windows\SysWow64\xinput1_3.dll
2013-11-30 04:18:28 74072 ------w- C:\Windows\SysWow64\XAPOFX1_5.dll
2013-11-30 04:18:28 527192 ------w- C:\Windows\SysWow64\XAudio2_7.dll
2013-11-30 04:18:28 2106216 ------w- C:\Windows\SysWow64\D3DCompiler_43.dll
2013-11-30 04:18:28 1998168 ------w- C:\Windows\SysWow64\D3DX9_43.dll
2013-11-30 04:18:27 62744 ------w- C:\Windows\SysWow64\xinput1_2.dll
2013-11-30 04:17:54 -------- d-----w- C:\Program Files (x86)\Intrusion2
2013-11-30 03:56:00 -------- d-----w- C:\ProgramData\surf  aannd keep
2013-11-30 03:56:00 -------- d-----w- C:\Program Files (x86)\surf  aannd keep
2013-11-29 06:35:02 -------- d-----w- C:\ProgramData\surFa And keep
2013-11-29 06:35:02 -------- d-----w- C:\Program Files (x86)\surFa And keep
2013-11-27 00:46:51 -------- d-----w- C:\ProgramData\surf aned keep
2013-11-27 00:46:50 -------- d-----w- C:\Program Files (x86)\surf aned keep
2013-11-27 00:34:40 1424384 ----a-w- C:\Windows\System32\WindowsCodecs.dll
2013-11-27 00:34:40 1230336 ----a-w- C:\Windows\SysWow64\WindowsCodecs.dll
2013-11-27 00:34:34 67072 ----a-w- C:\Windows\splwow64.exe
2013-11-27 00:34:34 559104 ----a-w- C:\Windows\System32\spoolsv.exe
2013-11-26 14:34:45 -------- d-----w- C:\Program Files (x86)\MSXML 4.0
2013-11-26 07:47:22 -------- d-----w- C:\Windows\SysWow64\Wat
2013-11-26 07:47:22 -------- d-----w- C:\Windows\System32\Wat
2013-11-26 06:39:50 2560 ----a-w- C:\Windows\System32\drivers\en-US\wdf01000.sys.mui
2013-11-26 05:52:37 87040 ----a-w- C:\Windows\System32\drivers\WUDFPf.sys
2013-11-26 05:52:37 84992 ----a-w- C:\Windows\System32\WUDFSvc.dll
2013-11-26 05:52:37 198656 ----a-w- C:\Windows\System32\drivers\WUDFRd.sys
2013-11-26 05:52:36 744448 ----a-w- C:\Windows\System32\WUDFx.dll
2013-11-26 05:52:36 45056 ----a-w- C:\Windows\System32\WUDFCoinstaller.dll
2013-11-26 05:52:36 229888 ----a-w- C:\Windows\System32\WUDFHost.exe
2013-11-26 05:52:36 194048 ----a-w- C:\Windows\System32\WUDFPlatform.dll
2013-11-26 05:36:16 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2013-11-26 05:36:16 5120 ----a-w- C:\Windows\System32\wmi.dll
2013-11-26 05:36:16 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2013-11-25 23:14:02 633856 ----a-w- C:\Windows\System32\comctl32.dll
2013-11-25 23:14:02 530432 ----a-w- C:\Windows\SysWow64\comctl32.dll
2013-11-25 23:12:55 1572864 ----a-w- C:\Windows\System32\quartz.dll
2013-11-25 23:11:55 515584 ----a-w- C:\Windows\System32\timedate.cpl
2013-11-25 23:10:57 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2013-11-25 23:09:59 1888768 ----a-w- C:\Windows\System32\WMVDECOD.DLL
2013-11-25 23:08:56 76800 ----a-w- C:\Windows\System32\drivers\hidclass.sys
2013-11-25 23:08:56 42496 ----a-w- C:\Windows\System32\drivers\usbscan.sys
2013-11-25 23:08:56 32896 ----a-w- C:\Windows\System32\drivers\hidparse.sys
2013-11-25 23:08:56 209920 ----a-w- C:\Windows\System32\profsvc.dll
2013-11-25 23:08:19 81920 ----a-w- C:\Windows\SysWow64\davclnt.dll
2013-11-25 23:08:19 259584 ----a-w- C:\Windows\System32\WebClnt.dll
2013-11-25 23:08:19 205824 ----a-w- C:\Windows\SysWow64\WebClnt.dll
2013-11-25 23:08:19 140800 ----a-w- C:\Windows\System32\drivers\mrxdav.sys
2013-11-25 23:08:19 102400 ----a-w- C:\Windows\System32\davclnt.dll
2013-11-25 23:08:12 478208 ----a-w- C:\Windows\System32\dpnet.dll
2013-11-25 23:08:12 376832 ----a-w- C:\Windows\SysWow64\dpnet.dll
2013-11-25 23:08:06 624128 ----a-w- C:\Windows\System32\qedit.dll
2013-11-25 23:08:06 509440 ----a-w- C:\Windows\SysWow64\qedit.dll
2013-11-25 23:07:54 245760 ----a-w- C:\Windows\System32\OxpsConverter.exe
2013-11-25 23:05:46 75776 ----a-w- C:\Windows\SysWow64\psisrndr.ax
2013-11-25 23:05:46 613888 ----a-w- C:\Windows\System32\psisdecd.dll
2013-11-25 23:05:46 465408 ----a-w- C:\Windows\SysWow64\psisdecd.dll
2013-11-25 23:05:46 108032 ----a-w- C:\Windows\System32\psisrndr.ax
2013-11-25 23:05:39 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2013-11-25 23:03:20 552960 ----a-w- C:\Windows\System32\drivers\bthport.sys
2013-11-25 23:03:14 95744 ----a-w- C:\Windows\System32\synceng.dll
2013-11-25 23:03:14 78336 ----a-w- C:\Windows\SysWow64\synceng.dll
2013-11-25 23:01:55 223752 ----a-w- C:\Windows\System32\drivers\fvevol.sys
2013-11-25 23:00:28 805376 ----a-w- C:\Windows\SysWow64\cdosys.dll
2013-11-25 22:26:55 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2013-11-25 22:26:55 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2013-11-25 22:26:55 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2013-11-25 22:20:37 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2013-11-25 22:20:32 99840 ----a-w- C:\Windows\System32\wudriver.dll
2013-11-25 22:20:24 36864 ----a-w- C:\Windows\System32\wuapp.exe
2013-11-25 22:20:24 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2013-11-25 14:05:25 -------- d-----w- C:\Users\Ying\AppData\Local\Unity
2013-11-25 10:03:04 -------- d-----w- C:\Users\Ying\AppData\Local\Humanbalance
2013-11-25 10:03:02 -------- d-----w- C:\Program Files (x86)\GraphicsGale FreeEdition
2013-11-25 09:53:56 -------- d-----w- C:\Users\Ying\AppData\Local\.doomseeker
2013-11-25 09:53:34 -------- d-----w- C:\Users\Ying\AppData\Roaming\.doomseeker
2013-11-24 03:08:35 -------- d-----w- C:\Program Files (x86)\DoomRL
2013-11-24 03:08:22 -------- d-----w- C:\Users\Ying\AppData\Local\Programs
2013-11-23 21:27:56 -------- d-----w- C:\ProgramData\WEBREG
2013-11-23 21:22:33 248320 ----a-w- C:\Windows\System32\Spool\prtprocs\x64\hpfpp70v.dll
2013-11-23 21:21:56 -------- d-----w- C:\ProgramData\HP Photo Creations
2013-11-23 21:21:56 -------- d-----w- C:\Program Files (x86)\HP Photo Creations
2013-11-23 21:21:52 -------- d-----w- C:\Users\Ying\AppData\Roaming\HpUpdate
2013-11-23 21:20:47 -------- d-----w- C:\Program Files (x86)\Common Files\HP
2013-11-23 21:20:43 -------- d-----w- C:\Program Files (x86)\Common Files\Hewlett-Packard
2013-11-23 21:20:17 136704 ----a-w- C:\Windows\System32\hpf3l70v.dll
2013-11-23 21:19:32 -------- d-----w- C:\Program Files (x86)\HP
2013-11-23 21:19:16 -------- d-----w- C:\Program Files\HP
2013-11-23 21:18:11 880640 ----a-w- C:\Windows\System32\hposwia_p02c.dll
2013-11-23 21:18:11 642360 ----a-w- C:\Windows\System32\hpzids40.dll
2013-11-23 21:18:11 551424 ----a-w- C:\Windows\System32\hppldcoi.dll
2013-11-23 21:18:11 515072 ----a-w- C:\Windows\System32\hposc_p02a.dll
2013-11-23 21:18:11 1403904 ----a-w- C:\Windows\System32\hpost_p02c.dll
2013-11-23 21:12:41 -------- d-----w- C:\Users\Ying\AppData\Local\ElevatedDiagnostics
2013-11-20 08:43:53 -------- d-----w- C:\ProgramData\surf And keepe
2013-11-20 08:43:52 -------- d-----w- C:\Program Files (x86)\surf And keepe
2013-11-18 08:30:05 -------- d-----w- C:\ProgramData\QuickSet
2013-11-18 08:30:02 -------- d-----w- C:\ProgramData\YoutubeAdblocker
2013-11-18 08:30:02 -------- d-----w- C:\Program Files (x86)\YoutubeAdblocker
2013-11-18 08:29:56 -------- d-----w- C:\ProgramData\surff aNd keep
2013-11-18 08:29:56 -------- d-----w- C:\Program Files (x86)\surff aNd keep
2013-11-17 06:10:32 -------- d-----w- C:\Program Files (x86)\Jnes
2013-11-17 01:33:04 -------- d-----w- C:\ProgramData\WinterSoft
2013-11-17 01:33:02 -------- d-----w- C:\Program Files (x86)\Sk_Enhancer
2013-11-17 01:33:00 -------- d-----w- C:\Users\Ying\AppData\Local\Packages
2013-11-17 01:33:00 -------- d-----w- C:\ProgramData\surf and  keeeep
2013-11-17 01:33:00 -------- d-----w- C:\Program Files (x86)\surf and  keeeep
2013-11-17 01:32:57 -------- d-----w- C:\ProgramData\e3339eeada9e6aed
2013-11-17 01:32:50 -------- d-----w- C:\ProgramData\InstallMate
2013-11-15 05:47:59 -------- d-----w- C:\Users\Ying\AppData\Roaming\UFOAI
2013-11-15 05:41:06 -------- d-----w- C:\Program Files (x86)\UFOAI-2.4
2013-11-15 01:08:14 -------- d-----w- C:\Users\Ying\AppData\Local\Macromedia
2013-11-15 01:08:02 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-11-15 01:08:02 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-11-15 00:36:11 -------- d-----w- C:\ProgramData\AskPartnerNetwork
2013-11-15 00:36:11 -------- d-----w- C:\Program Files (x86)\AskPartnerNetwork
2013-11-15 00:36:06 -------- d-----w- C:\ProgramData\APN
2013-11-15 00:34:25 -------- d-----w- C:\Users\Ying\AppData\Roaming\.minecraft
2013-11-15 00:34:10 -------- d-----w- C:\ProgramData\Oracle
2013-11-15 00:33:53 96168 ------w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-11-15 00:24:08 -------- d-----w- C:\Users\Ying\AppData\Local\Mozilla
2013-11-15 00:23:10 -------- d-----w- C:\Program Files (x86)\Mozilla Maintenance Service
2013-11-15 00:18:54 -------- d-----w- C:\Program Files (x86)\Common Files\Steam
2013-11-15 00:18:53 -------- d-----w- C:\Program Files (x86)\Steam
2013-11-14 22:35:45 -------- d-----w- C:\Users\Ying\AppData\Roaming\FLEXnet
.
==================== Find3M  ====================
.
2013-12-12 06:47:32 45056 ----a-w- C:\Windows\SysWow64\acovcnt.exe
2013-11-26 10:18:23 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
2013-11-26 09:48:07 66048 ----a-w- C:\Windows\System32\iesetup.dll
2013-11-26 09:46:25 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
2013-11-26 09:18:39 139264 ----a-w- C:\Windows\System32\ieUnatt.exe
2013-11-26 09:18:09 111616 ----a-w- C:\Windows\System32\ieetwcollector.exe
2013-11-26 09:16:57 708608 ----a-w- C:\Windows\System32\jscript9diag.dll
2013-11-26 08:35:02 5769216 ----a-w- C:\Windows\System32\jscript9.dll
2013-11-26 08:28:16 553472 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2013-11-26 08:16:12 4243968 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-11-26 08:02:16 1995264 ----a-w- C:\Windows\System32\inetcpl.cpl
2013-11-26 07:32:06 1928192 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2013-11-26 07:07:57 2334208 ----a-w- C:\Windows\System32\wininet.dll
2013-11-26 06:33:33 1820160 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-10-12 02:30:42 830464 ----a-w- C:\Windows\System32\nshwfp.dll
2013-10-12 02:29:21 859648 ----a-w- C:\Windows\System32\IKEEXT.DLL
2013-10-12 02:29:08 324096 ----a-w- C:\Windows\System32\FWPUCLNT.DLL
2013-10-12 02:03:08 656896 ----a-w- C:\Windows\SysWow64\nshwfp.dll
2013-10-12 02:01:25 216576 ----a-w- C:\Windows\SysWow64\FWPUCLNT.DLL
2013-10-05 20:25:35 1474048 ----a-w- C:\Windows\System32\crypt32.dll
2013-10-05 19:57:25 1168384 ----a-w- C:\Windows\SysWow64\crypt32.dll
2013-10-04 02:28:31 190464 ----a-w- C:\Windows\System32\SmartcardCredentialProvider.dll
2013-10-04 02:25:17 197120 ----a-w- C:\Windows\System32\credui.dll
2013-10-04 02:24:49 1930752 ----a-w- C:\Windows\System32\authui.dll
2013-10-04 01:58:50 152576 ----a-w- C:\Windows\SysWow64\SmartcardCredentialProvider.dll
2013-10-04 01:56:25 168960 ----a-w- C:\Windows\SysWow64\credui.dll
2013-10-04 01:56:00 1796096 ----a-w- C:\Windows\SysWow64\authui.dll
2013-10-03 02:23:48 404480 ----a-w- C:\Windows\System32\gdi32.dll
2013-10-03 02:00:44 311808 ----a-w- C:\Windows\SysWow64\gdi32.dll
2013-09-28 01:09:10 497152 ----a-w- C:\Windows\System32\drivers\afd.sys
2013-09-25 02:26:40 95680 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2013-09-25 02:26:40 154560 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2013-09-25 02:23:33 28672 ----a-w- C:\Windows\System32\sspisrv.dll
2013-09-25 02:23:33 135680 ----a-w- C:\Windows\System32\sspicli.dll
2013-09-25 02:23:01 28160 ----a-w- C:\Windows\System32\secur32.dll
2013-09-25 02:22:59 340992 ----a-w- C:\Windows\System32\schannel.dll
2013-09-25 02:21:50 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2013-09-25 02:21:07 1447936 ----a-w- C:\Windows\System32\lsasrv.dll
2013-09-25 01:57:26 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2013-09-25 01:57:24 247808 ----a-w- C:\Windows\SysWow64\schannel.dll
2013-09-25 01:56:42 220160 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2013-09-25 01:03:24 30720 ----a-w- C:\Windows\System32\lsass.exe
.
============= FINISH: 23:09:16.07 ===============
 

Attached Files




 


#2 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:01:09 AM

Posted 12 December 2013 - 08:38 PM

Hi and Welcome!!   

My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • If you happen to have a flash drive/thumb drive please have that ready in the event that we need to use it.
  • Please be sure to subscribe to the topic if you have not already done so.

IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your operating system and losing all your programs and data.


Having said that.... Let's get going!!
----------
 
Please download TDSSKiller

  • Double click TDSSKiller.exe
  • Press Start Scan but do nothing else as we are just looking for what is there.
  • If Malicious objects are found, select Skip by changing the Cure dropdown in the upper right.
  • Attach the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

----------
 
AdwCleaner

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • Copies of all logfiles are saved in the C:\AdwCleaner folder, which was created when running the tool.

----------


 


#3 LucaBC

LucaBC
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:12:09 AM

Posted 13 December 2013 - 01:54 AM

Holy cow, I was not expecting such a quick response, thank you! I don't know if something magical happened when I started up the laptop this time, but even before running these programs, the browsers have been a lot smoother with a lot fewer ads. Maybe it just took an extra restart to get rid of that Scorpion program? Both scans didn't yield much, the TDSSKiller one didn't find anything, and the AdwCleaner one only found one thing. It looks good now, but let me know if there's anything else I should look for? Here's the AdwCleaner log, and the TDSSKiller one is attached:

Again, thank you for your quick response!
 

# AdwCleaner v3.015 - Report created 12/12/2013 at 22:39:37
# Updated 10/12/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Ying - PC
# Running from : C:\Users\Ying\Desktop\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
Service Deleted : APNMCP
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\ProgramData\apn
Folder Deleted : C:\ProgramData\AskPartnerNetwork
Folder Deleted : C:\ProgramData\QuickSet
Folder Deleted : C:\ProgramData\WinterSoft
Folder Deleted : C:\ProgramData\YoutubeAdblocker
Folder Deleted : C:\ProgramData\surf  aannd keep
Folder Deleted : C:\ProgramData\surf and  keeeep
Folder Deleted : C:\ProgramData\surf And keepe
Folder Deleted : C:\ProgramData\surf aned keep
Folder Deleted : C:\ProgramData\surFa And keep
Folder Deleted : C:\ProgramData\surff aNd keep
Folder Deleted : C:\Program Files (x86)\AskPartnerNetwork
Folder Deleted : C:\Program Files (x86)\MyPC Backup
Folder Deleted : C:\Program Files (x86)\Sk_Enhancer
Folder Deleted : C:\Program Files (x86)\YoutubeAdblocker
Folder Deleted : C:\Program Files (x86)\surf  aannd keep
Folder Deleted : C:\Program Files (x86)\surf and  keeeep
Folder Deleted : C:\Program Files (x86)\surf And keepe
Folder Deleted : C:\Program Files (x86)\surf aned keep
Folder Deleted : C:\Program Files (x86)\surFa And keep
Folder Deleted : C:\Program Files (x86)\surff aNd keep
Folder Deleted : C:\Program Files\Level Quality Watcher
Folder Deleted : C:\Users\Ying\AppData\Local\Searchprotect
Folder Deleted : C:\Users\Ying\AppData\Local\Temp\apn
Folder Deleted : C:\Users\Ying\AppData\LocalLow\Toolbar4
Folder Deleted : C:\Users\Ying\AppData\Roaming\optimizer pro
Folder Deleted : C:\Users\Ying\AppData\Roaming\Mozilla\Firefox\Profiles\ly47v0bl.default\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
Folder Deleted : C:\Users\Ying\AppData\Roaming\Mozilla\Firefox\Profiles\ly47v0bl.default\Extensions\1.3c5qzoo@pfiuy-.edu
Folder Deleted : C:\Users\Ying\AppData\Roaming\Mozilla\Firefox\Profiles\ly47v0bl.default\Extensions\509508ef-0b14-4616-a557-0d58601be33d@c4a581e9-0ea6-46db-a185-58e021ee138c.com
Folder Deleted : C:\Users\Ying\AppData\Roaming\Mozilla\Firefox\Profiles\ly47v0bl.default\Extensions\6psjgaye@sacl-.co.uk
Folder Deleted : C:\Users\Ying\AppData\Roaming\Mozilla\Firefox\Profiles\ly47v0bl.default\Extensions\affv3pr_f@pwggvjrrlbf.com
Folder Deleted : C:\Users\Ying\AppData\Roaming\Mozilla\Firefox\Profiles\ly47v0bl.default\Extensions\emdmbr@euoeyptynjf.edu
Folder Deleted : C:\Users\Ying\AppData\Roaming\Mozilla\Firefox\Profiles\ly47v0bl.default\Extensions\iieayiauo@fdo-aaye.org
Folder Deleted : C:\Users\Ying\AppData\Roaming\Mozilla\Firefox\Profiles\ly47v0bl.default\Extensions\mvwbfglzqoz@qqmgrtn.net
Folder Deleted : C:\Users\Ying\AppData\Roaming\Mozilla\Firefox\Profiles\ly47v0bl.default\Extensions\o9fd@uyvxtqdx.org
Folder Deleted : C:\Users\Ying\AppData\Roaming\Mozilla\Firefox\Profiles\ly47v0bl.default\Extensions\ScorpionSaver@jetpack
Folder Deleted : C:\Users\Ying\AppData\Roaming\Mozilla\Firefox\Profiles\ly47v0bl.default\Extensions\support@tubedimmerapp.com
File Deleted : C:\Windows\System32\AdpeakProxy.ini
File Deleted : C:\Windows\System32\AdpeakProxyOff.ini
File Deleted : C:\Users\Ying\AppData\Roaming\Mozilla\Firefox\Profiles\ly47v0bl.default\invalidprefs.js
File Deleted : C:\Users\Ying\AppData\Roaming\Mozilla\Firefox\Profiles\ly47v0bl.default\searchplugins\ask-search.xml
File Deleted : C:\Users\Ying\AppData\Roaming\Mozilla\Firefox\Profiles\ly47v0bl.default\searchplugins\bingp.xml
File Deleted : C:\Users\Ying\AppData\Roaming\Mozilla\Firefox\Profiles\ly47v0bl.default\searchplugins\conduit-search.xml
File Deleted : C:\Users\Ying\AppData\Roaming\Mozilla\Firefox\Profiles\ly47v0bl.default\user.js
 
***** [ Shortcuts ] *****
 
Shortcut Disinfected : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
Shortcut Disinfected : C:\Users\Ying\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
Shortcut Disinfected : C:\Users\Ying\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk
Shortcut Disinfected : C:\Users\Ying\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
Shortcut Disinfected : C:\Users\Ying\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
Shortcut Disinfected : C:\Users\Ying\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk
 
***** [ Registry ] *****
 
Value Deleted : HKCU\Software\Mozilla\Firefox\Extensions [{8e7d6746-77a0-402a-b4ab-a6f73a41db80}]
Key Deleted : HKLM\SOFTWARE\Classes\and
Key Deleted : HKLM\SOFTWARE\Classes\AppID\TbCommonUtils.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\TbHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\ComObject.DeskbarEnabler
Key Deleted : HKLM\SOFTWARE\Classes\ComObject.DeskbarEnabler.1
Key Deleted : HKLM\SOFTWARE\Classes\speedupmypc
Key Deleted : HKLM\SOFTWARE\Classes\surf
Key Deleted : HKLM\SOFTWARE\Classes\TbCommonUtils.CommonUtils
Key Deleted : HKLM\SOFTWARE\Classes\TbCommonUtils.CommonUtils.1
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.TbDownloadManager
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.TbDownloadManager.1
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.TbPropertyManager
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.TbPropertyManager.1
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.TbRequest
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.TbRequest.1
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.TbTask
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.TbTask.1
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.ToolbarHelper
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.ToolbarHelper.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.ContextMenuNotifier
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.ContextMenuNotifier.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.CustomInternetSecurityImpl
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.CustomInternetSecurityImpl.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.SearchProviderManager
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.SearchProviderManager.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\BingBar_RASMANCS
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ApnTbMon]
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SP_bf299197
Key Deleted : HKLM\SOFTWARE\Classes\TBSB07898.IEToolbar
Key Deleted : HKLM\SOFTWARE\Classes\TBSB07898.IEToolbar.1
Key Deleted : HKLM\SOFTWARE\Classes\TBSB07898.TBSB07898
Key Deleted : HKLM\SOFTWARE\Classes\TBSB07898.TBSB07898.3
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.TBSB07898
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.TBSB07898.1
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4CE516A7-F7AC-4628-B411-8F886DC5733E}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{628F3201-34D0-49C0-BB9A-82A26AEFB291}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9DC8FA51-B596-4F77-802C-5B295919C205}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1C950DE5-D31E-42FB-AFB9-91B0161633D8}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3BDF4CE9-E81D-432B-A55E-9F0570CE811F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3E28F712-0D6C-4EE3-AC8C-8F060F5D7C33}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{533403E2-6E21-4615-9E28-43F4E97E977B}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{57CADC46-58FF-4105-B733-5A9F3FC9783C}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6CE321DA-DC11-45C6-A0FC-4E8A7D978ABC}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6EEBC7FF-67DA-4B90-9251-C2C5696E4B48}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{74137531-80F7-406F-9543-7D11385FA8C8}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{832599B2-55BF-4437-8F3E-030CF5AEB262}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9B7B034B-944A-4261-B487-862F642F7615}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9F34B17E-FF0D-4FAB-97C4-9713FEE79052}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A9A56B8E-2DEB-4ED3-BC92-1FA450BCE1A5}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE338F6D-5A7C-4D1D-86E3-C618532079B5}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE91F9CE-0900-4E2A-B673-F3F6E4FC54D9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B1A429DB-FB06-4645-B7C0-0CC405EAD3CD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{C339D489-FABC-41DD-B39D-276101667C70}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D433A9D0-8267-40CB-8AD5-24F22FA5373F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D565B35E-B787-40FA-95E3-E3562F8FC1A0}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D89031C2-10DA-4C90-9A62-FCED012BC46B}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DD67706E-819E-4EBD-BF8D-6D6147CC7A49}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F62A4AF9-58B4-4FEC-89CC-D717A547D8E8}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220322122257}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{01221FCC-4BFB-461C-B08C-F6D2DF309921}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{0FA32667-9A8A-4E9C-902F-CA3323180003}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2A42D13C-D427-4787-821B-CF6973855778}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3D8478AA-7B88-48A9-8BCB-B85D594411EC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{452AE416-9A97-44CA-93DA-D0F15C36254F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{45CDA4F7-594C-49A0-AAD1-8224517FE979}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4D8ED2B3-DC62-43EC-ABA3-5B74F046B1BE}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6B458F62-592F-4B25-8967-E6A350A59328}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{81E852CC-1FD5-4004-8761-79A48B975E29}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{95B6A271-FEB4-4160-B0FF-44394C21C8DC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B2CA345D-ADB8-4F5D-AC64-4AB34322F659}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B9F43021-60D4-42A6-A065-9BA37F38AC47}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BF921DD3-732A-4A11-933B-A5EA49F2FD2C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D83B296A-2FA6-425B-8AE8-A1F33D99FBD6}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E67D5BC7-7129-493E-9281-F47BDAFACE4F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FCC9CDD3-EFFF-11D1-A9F0-00A0244AC403}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366126657}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{B87F8B63-7274-43FD-87FA-09D3B7496148}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C4BAE205-5E02-4E32-876E-F34B4E2D000C}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{EC4085F2-8DB3-45A6-AD0B-CA289F3C5D7E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{628F3201-34D0-49C0-BB9A-82A26AEFB291}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220322122257}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{01221FCC-4BFB-461C-B08C-F6D2DF309921}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{0FA32667-9A8A-4E9C-902F-CA3323180003}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{2A42D13C-D427-4787-821B-CF6973855778}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{3D8478AA-7B88-48A9-8BCB-B85D594411EC}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{452AE416-9A97-44CA-93DA-D0F15C36254F}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{45CDA4F7-594C-49A0-AAD1-8224517FE979}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{4D8ED2B3-DC62-43EC-ABA3-5B74F046B1BE}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{6B458F62-592F-4B25-8967-E6A350A59328}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{81E852CC-1FD5-4004-8761-79A48B975E29}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{95B6A271-FEB4-4160-B0FF-44394C21C8DC}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{B2CA345D-ADB8-4F5D-AC64-4AB34322F659}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{B9F43021-60D4-42A6-A065-9BA37F38AC47}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{BF921DD3-732A-4A11-933B-A5EA49F2FD2C}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{D83B296A-2FA6-425B-8AE8-A1F33D99FBD6}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{E67D5BC7-7129-493E-9281-F47BDAFACE4F}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{FCC9CDD3-EFFF-11D1-A9F0-00A0244AC403}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366126657}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}
Key Deleted : HKCU\Software\Adpeak, Inc.
Key Deleted : HKCU\Software\AskPartnerNetwork
Key Deleted : HKCU\Software\FLEXnet
Key Deleted : HKCU\Software\installedbrowserextensions
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKCU\Software\AppDataLow\Software\Crossrider
Key Deleted : HKCU\Software\AppDataLow\Software\DynConIE
Key Deleted : HKCU\Software\AppDataLow\Software\Scorpion Saver
Key Deleted : HKLM\Software\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\Software\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\Software\AskPartnerNetwork
Key Deleted : HKLM\Software\SearchProtect
Key Deleted : HKLM\Software\SP Global
Key Deleted : HKLM\Software\SProtector
Key Deleted : HKLM\Software\Uniblue
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A35CA8FF-CB7D-8361-1CB9-83219CD11C78}
Key Deleted : [x64] HKLM\SOFTWARE\Adpeak, Inc.
Key Deleted : [x64] HKLM\SOFTWARE\Scorpion Saver
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6E810AB6-F34E-49A3-A93F-9E503660F718}
Data Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - c:\progra~2\searchprotect\searchprotect\bin\spvc32loader.dll
Data Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll
Data Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - C:\PROGRA~2\OPTIMI~1\OPTPRO~2.DLL
Key Deleted : HKLM\Software\Classes\Installer\Features\6BA018E6E43F3A949AF3E90563067F81
Key Deleted : HKLM\Software\Classes\Installer\Products\6BA018E6E43F3A949AF3E90563067F81
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.16428
 
Setting Restored : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Search_URL]
Setting Restored : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Page_URL]
Setting Restored : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Start Page]
Setting Restored : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Search Page]
 
-\\ Mozilla Firefox v25.0.1 (en-US)
 
[ File : C:\Users\Ying\AppData\Roaming\Mozilla\Firefox\Profiles\ly47v0bl.default\prefs.js ]
 
Line Deleted : user_pref("aol_toolbar.default.homepage.check", false);
Line Deleted : user_pref("aol_toolbar.default.search.check", false);
Line Deleted : user_pref("browser.newtab.url", "hxxp://www.nationzoom.com/newtab/?type=nt&ts=1386125640&from=tugs&uid=TOSHIBAXMK7559GSXP_128LC2F0TXX128LC2F0T");
Line Deleted : user_pref("browser.search.defaultenginename", "nationzoom");
Line Deleted : user_pref("browser.search.selectedEngine", "nationzoom");
Line Deleted : user_pref("extensions.7Y3mW06rZm.scode", "(function(){if(window.self.location.hostname.indexOf(\"acebook.co\")>-1){return};if(window.self.location.protocol.indexOf('hxxp')>-1 && window.self==window.to[...]
Line Deleted : user_pref("extensions.BabylonToolbar.prtkDS", 0);
Line Deleted : user_pref("extensions.BabylonToolbar.prtkHmpg", 0);
Line Deleted : user_pref("extensions.CGV.scode", "(function(){if(window.self.location.hostname.indexOf(\"acebook.co\")>-1){return};if(window.self.location.protocol.indexOf('hxxp')>-1 && window.self==window.top){var [...]
Line Deleted : user_pref("extensions.UOt.scode", "(function(){if(window.self.location.hostname.indexOf(\"acebook.co\")>-1){return};if(window.self==window.top){var script=document.createElement('script');script.type=[...]
Line Deleted : user_pref("extensions.ZTx3_ydFs.scode", "(function(){if(window.self.location.hostname.indexOf(\"acebook.co\")>-1){return};if(window.self.location.protocol.indexOf('hxxp')>-1 && window.self==window.top[...]
Line Deleted : user_pref("extensions.crossrider.bic", "142bb88506ba3c87a1cb90f35c8ccb52");
Line Deleted : user_pref("extensions.grKsq_k.scode", "(function(){if(window.self.location.hostname.indexOf(\"acebook.co\")>-1){return};if(window.self.location.protocol.indexOf('hxxp')>-1 && window.self==window.top){[...]
Line Deleted : user_pref("extensions.juuPEZbC4.scode", "(function(){if(window.self.location.hostname.indexOf(\"acebook.co\")>-1){return};if(window.self.location.protocol.indexOf('hxxp')>-1 && window.self==window.top[...]
Line Deleted : user_pref("extensions.wfT4E.scode", "(function(){if(window.self.location.hostname.indexOf(\"acebook.co\")>-1){return};if(window.self.location.protocol.indexOf('hxxp')>-1 && window.self==window.top){va[...]
Line Deleted : user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", "");
Line Deleted : user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "");
Line Deleted : user_pref("sweetim.toolbar.previous.browser.startup.homepage", "");
Line Deleted : user_pref("sweetim.toolbar.previous.keyword.URL", "");
Line Deleted : user_pref("sweetim.toolbar.scripts.1.domain-blacklist", "");
Line Deleted : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_DS", "");
Line Deleted : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_HP", "");
Line Deleted : user_pref("sweetim.toolbar.searchguard.enable", "");
 
*************************
 
AdwCleaner[R0].txt - [27466 octets] - [12/12/2013 22:37:05]
AdwCleaner[R1].txt - [27527 octets] - [12/12/2013 22:37:59]
AdwCleaner[S0].txt - [19122 octets] - [12/12/2013 22:39:37]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [19183 octets] ##########
 

Attached Files
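The AdwCleaner report above is long, and the entries that matter most to a defender are buried among dozens of CLSID deletions: the AppInit_DLLs loader for SearchProtect, the Run-key autostart, the Internet Explorer browser helper object, and the prefs.js lines that pointed Firefox's default search engine and new-tab page at nationzoom. As an added example (not code from this thread, from AdwCleaner or from its author), the Python script below parses a constructed excerpt laid out like that report, counts actions per section, and flags those persistence and hijack entries. The marker and preference lists are the editor's own assumptions, not anything AdwCleaner exports.

```python
"""Triage helper for an AdwCleaner v3 "Clean" report.

Counts what was removed per section and flags the entries that gave the
adware persistence or control of the browser. Added example; the indicator
lists below are assumptions, not anything AdwCleaner itself exports.
"""
import re
from collections import defaultdict

# Constructed excerpt in the same layout as the report posted in the thread
# (paths shortened); it is not the full log.
SAMPLE_REPORT = r"""
# AdwCleaner v3.015 - Report created 12/12/2013 at 22:39:37
# Option : Clean

***** [ Services ] *****

Service Deleted : APNMCP

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\AskPartnerNetwork
Folder Deleted : C:\Users\Ying\AppData\Local\Searchprotect
File Deleted : C:\Windows\System32\AdpeakProxy.ini

***** [ Registry ] *****

Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ApnTbMon]
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}
Data Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll
Key Deleted : HKLM\Software\SearchProtect

***** [ Browsers ] *****

-\\ Mozilla Firefox v25.0.1 (en-US)

[ File : C:\Users\Ying\AppData\Roaming\Mozilla\Firefox\Profiles\ly47v0bl.default\prefs.js ]

Line Deleted : user_pref("browser.search.defaultenginename", "nationzoom");
Line Deleted : user_pref("browser.newtab.url", "hxxp://www.nationzoom.com/newtab/?type=nt");
Line Deleted : user_pref("extensions.crossrider.bic", "142bb88506ba3c87a1cb90f35c8ccb52");
"""

SECTION_RE = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")
ACTION_RE = re.compile(
    r"^(Service|Folder|File|Key|Value|Data|Line|Shortcut|Setting) "
    r"(Deleted|Disinfected|Restored) : (.*)$"
)
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.*)\);')

# Registry locations that give code execution or browser control (assumed list).
PERSISTENCE_MARKERS = {
    "AppInit_DLLs": "AppInit_DLLs loader: DLL injected into processes that load user32.dll",
    r"\CurrentVersion\Run": "Run key autostart",
    "Browser Helper Objects": "Internet Explorer browser helper object (BHO)",
}
# Firefox preferences whose rewrite indicates a search/home page hijack (assumed list).
HIJACK_PREFS = {
    "browser.search.defaultenginename", "browser.search.selectedEngine",
    "browser.newtab.url", "browser.startup.homepage", "keyword.URL",
}


def parse_report(text):
    """Return {section: [(object_type, action, target), ...]} for every action line."""
    sections = defaultdict(list)
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ACTION_RE.match(line)
        if m:
            sections[current].append(m.groups())
    return sections


def summarize(sections):
    """Number of actions per section, e.g. {'Registry': 4, ...}."""
    return {name: len(entries) for name, entries in sections.items()}


def flag_persistence(sections):
    """Registry entries that gave the adware execution or browser control."""
    flagged = []
    for _obj, _action, target in sections.get("Registry", []):
        for marker, why in PERSISTENCE_MARKERS.items():
            if marker.lower() in target.lower():
                flagged.append((target, why))
                break
    return flagged


def flag_browser_hijacks(sections):
    """prefs.js lines that redirected search, the new tab page or the home page."""
    hijacks = []
    for _obj, _action, target in sections.get("Browsers", []):
        m = PREF_RE.search(target)
        if m and m.group(1) in HIJACK_PREFS:
            hijacks.append((m.group(1), m.group(2).strip('"')))
    return hijacks


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print(summarize(report))
    for target, why in flag_persistence(report):
        print("PERSISTENCE:", why, "->", target)
    for pref, value in flag_browser_hijacks(report):
        print("HIJACK:", pref, "=", value)
```

Run it against a saved C:\AdwCleaner\AdwCleaner[S0].txt by reading the file into `parse_report` instead of the constructed excerpt; the section counts give a quick sense of how much was removed, and the flagged lines are the ones worth re-checking after a reboot, since an AppInit_DLLs or Run-key entry that comes back means something is still reinstalling it.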



#4 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:01:09 AM

Posted 13 December 2013 - 07:27 AM

Hi,
 
With the number of entries found by AdwCleaner, let's keep going and see what else we can find.  :)
 
ComboFix

Download Combofix from either of the links below, and save it to your desktop.  
Link 1
Link 2

**Note:  It is important that it is saved directly to your desktop**
If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.



--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

--------------------------------------------------------------------

Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.

 


#5 LucaBC

LucaBC
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:12:09 AM

Posted 13 December 2013 - 10:00 AM

Okay sounds good. Here's the log:

ComboFix 13-12-13.01 - Ying 12/13/2013   6:47.1.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.5921.3601 [GMT -8:00]
Running from: c:\users\Ying\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\Installer\{9B65F9A3-9D24-452A-B6EF-1457D65E4259}
c:\windows\Installer\{9B65F9A3-9D24-452A-B6EF-1457D65E4259}\icon64.ico
c:\windows\msvcr71.dll
.
.
(((((((((((((((((((((((((   Files Created from 2013-11-13 to 2013-12-13  )))))))))))))))))))))))))))))))
.
.
2013-12-13 14:51 . 2013-12-13 14:51    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-12-13 07:01 . 2013-12-13 07:01    --------    d-----w-    c:\users\Ying\AppData\Roaming\Avira
2013-12-13 06:59 . 2013-12-13 06:54    83160    ----a-w-    c:\windows\system32\drivers\avnetflt.sys
2013-12-13 06:59 . 2013-12-13 06:54    28600    ----a-w-    c:\windows\system32\drivers\avkmgr.sys
2013-12-13 06:59 . 2013-12-13 06:54    132600    ----a-w-    c:\windows\system32\drivers\avipbb.sys
2013-12-13 06:59 . 2013-12-13 06:54    107416    ----a-w-    c:\windows\system32\drivers\avgntflt.sys
2013-12-13 06:59 . 2013-12-13 06:59    --------    d-----w-    c:\programdata\Avira
2013-12-13 06:59 . 2013-12-13 06:59    --------    d-----w-    c:\program files (x86)\Avira
2013-12-13 06:58 . 2010-09-17 08:52    525792    ----a-w-    c:\windows\DIFxAPI.dll
2013-12-13 06:58 . 2010-09-17 08:52    232272    ----a-w-    c:\windows\TmNSCIns.dll
2013-12-13 06:36 . 2013-12-13 06:39    --------    d-----w-    C:\AdwCleaner
2013-12-12 05:42 . 2013-09-04 12:12    343040    ----a-w-    c:\windows\system32\drivers\usbhub.sys
2013-12-12 05:42 . 2013-09-04 12:11    325120    ----a-w-    c:\windows\system32\drivers\usbport.sys
2013-12-12 05:42 . 2013-09-04 12:11    99840    ----a-w-    c:\windows\system32\drivers\usbccgp.sys
2013-12-12 05:42 . 2013-09-04 12:11    52736    ----a-w-    c:\windows\system32\drivers\usbehci.sys
2013-12-12 05:42 . 2013-09-04 12:11    30720    ----a-w-    c:\windows\system32\drivers\usbuhci.sys
2013-12-12 05:42 . 2013-09-04 12:11    25600    ----a-w-    c:\windows\system32\drivers\usbohci.sys
2013-12-12 05:42 . 2013-09-04 12:11    7808    ----a-w-    c:\windows\system32\drivers\usbd.sys
2013-12-12 01:08 . 2013-05-10 05:56    12625920    ----a-w-    c:\windows\system32\wmploc.DLL
2013-12-12 01:08 . 2013-05-10 04:30    167424    ----a-w-    c:\program files\Windows Media Player\wmplayer.exe
2013-12-12 01:08 . 2013-05-10 03:48    164864    ----a-w-    c:\program files (x86)\Windows Media Player\wmplayer.exe
2013-12-12 01:08 . 2013-05-10 04:56    12625408    ----a-w-    c:\windows\SysWow64\wmploc.DLL
2013-12-12 01:08 . 2013-05-10 05:56    14631424    ----a-w-    c:\windows\system32\wmp.dll
2013-12-12 01:07 . 2013-11-27 00:20    235216    ----a-w-    c:\program files (x86)\Internet Explorer\sqmapi.dll
2013-12-12 01:07 . 2013-11-26 10:19    2724864    ----a-w-    c:\windows\system32\mshtml.tlb
2013-12-12 01:07 . 2013-11-26 09:23    2724864    ----a-w-    c:\windows\SysWow64\mshtml.tlb
2013-12-12 00:49 . 2013-10-30 02:32    335360    ----a-w-    c:\windows\system32\msieftp.dll
2013-12-12 00:49 . 2013-10-30 02:19    301568    ----a-w-    c:\windows\SysWow64\msieftp.dll
2013-12-12 00:49 . 2013-10-30 01:24    3155968    ----a-w-    c:\windows\system32\win32k.sys
2013-12-12 00:49 . 2013-11-23 18:26    417792    ----a-w-    c:\windows\SysWow64\WMPhoto.dll
2013-12-12 00:49 . 2013-11-23 17:47    465920    ----a-w-    c:\windows\system32\WMPhoto.dll
2013-12-12 00:49 . 2013-10-19 02:18    81408    ----a-w-    c:\windows\system32\imagehlp.dll
2013-12-12 00:49 . 2013-10-19 01:36    159232    ----a-w-    c:\windows\SysWow64\imagehlp.dll
2013-12-12 00:49 . 2013-11-12 02:23    2048    ----a-w-    c:\windows\system32\tzres.dll
2013-12-12 00:49 . 2013-11-12 02:07    2048    ----a-w-    c:\windows\SysWow64\tzres.dll
2013-12-12 00:49 . 2013-10-04 02:16    116736    ----a-w-    c:\windows\system32\drivers\drmk.sys
2013-12-12 00:49 . 2013-10-04 01:36    230400    ----a-w-    c:\windows\system32\drivers\portcls.sys
2013-12-12 00:48 . 2013-10-12 02:32    150016    ----a-w-    c:\windows\system32\wshom.ocx
2013-12-12 00:48 . 2013-10-12 02:31    202752    ----a-w-    c:\windows\system32\scrrun.dll
2013-12-12 00:48 . 2013-10-12 02:04    121856    ----a-w-    c:\windows\SysWow64\wshom.ocx
2013-12-12 00:48 . 2013-10-12 02:03    163840    ----a-w-    c:\windows\SysWow64\scrrun.dll
2013-12-12 00:48 . 2013-10-12 01:33    156160    ----a-w-    c:\windows\system32\cscript.exe
2013-12-12 00:48 . 2013-10-12 01:33    168960    ----a-w-    c:\windows\system32\wscript.exe
2013-12-12 00:48 . 2013-10-12 01:15    141824    ----a-w-    c:\windows\SysWow64\wscript.exe
2013-12-12 00:48 . 2013-10-12 01:15    126976    ----a-w-    c:\windows\SysWow64\cscript.exe
2013-12-04 02:56 . 2013-12-04 02:56    --------    d-----w-    c:\users\Ying\AppData\Roaming\Malwarebytes
2013-12-04 02:56 . 2013-12-04 02:56    --------    d-----w-    c:\programdata\Malwarebytes
2013-12-04 02:54 . 2013-12-04 03:16    --------    d-----w-    c:\programdata\WPM
2013-12-01 04:37 . 2013-10-16 18:18    439296    ----a-w-    c:\windows\system32\AdpeakProxy64.dll
2013-11-30 04:36 . 2013-12-05 17:50    --------    d-----w-    C:\temp
2013-11-30 04:36 . 2013-12-04 03:16    --------    d-----w-    c:\programdata\Updater
2013-11-30 04:36 . 2013-12-04 03:16    --------    d-----w-    c:\programdata\RHelpers
2013-11-30 04:36 . 2013-11-30 04:36    --------    d-----w-    c:\program files (x86)\Social Privacy  DNS
2013-11-30 04:36 . 2013-11-30 04:36    --------    d-----w-    c:\program files (x86)\sp
2013-11-30 04:35 . 2013-11-30 04:35    --------    d-----w-    c:\program files (x86)\DownLite
2013-11-30 04:18 . 2010-06-02 12:55    74072    ------w-    c:\windows\SysWow64\XAPOFX1_5.dll
2013-11-30 04:18 . 2010-06-02 12:55    527192    ------w-    c:\windows\SysWow64\XAudio2_7.dll
2013-11-30 04:18 . 2010-05-26 19:41    2106216    ------w-    c:\windows\SysWow64\D3DCompiler_43.dll
2013-11-30 04:18 . 2010-05-26 19:41    1998168    ------w-    c:\windows\SysWow64\D3DX9_43.dll
2013-11-30 04:18 . 2007-04-05 02:53    81768    ------w-    c:\windows\SysWow64\xinput1_3.dll
2013-11-30 04:18 . 2006-07-28 17:30    62744    ------w-    c:\windows\SysWow64\xinput1_2.dll
2013-11-30 04:17 . 2013-11-30 04:18    --------    d-----w-    c:\program files (x86)\Intrusion2
2013-11-27 00:34 . 2013-04-17 07:02    1230336    ----a-w-    c:\windows\SysWow64\WindowsCodecs.dll
2013-11-27 00:34 . 2013-04-17 06:24    1424384    ----a-w-    c:\windows\system32\WindowsCodecs.dll
2013-11-27 00:34 . 2012-02-11 06:36    559104    ----a-w-    c:\windows\system32\spoolsv.exe
2013-11-27 00:34 . 2012-02-11 06:36    67072    ----a-w-    c:\windows\splwow64.exe
2013-11-26 14:38 . 2013-10-15 02:00    28368    ----a-w-    c:\windows\system32\IEUDINIT.EXE
2013-11-26 14:34 . 2013-11-26 14:34    --------    d-----w-    c:\program files (x86)\MSXML 4.0
2013-11-26 07:47 . 2013-11-26 07:47    --------    d-----w-    c:\windows\SysWow64\Wat
2013-11-26 07:47 . 2013-11-26 07:47    --------    d-----w-    c:\windows\system32\Wat
2013-11-26 06:39 . 2012-07-26 04:47    2560    ----a-w-    c:\windows\system32\drivers\en-US\wdf01000.sys.mui
2013-11-26 06:10 . 2013-11-26 06:10    --------    d-----w-    c:\program files\Microsoft Silverlight
2013-11-26 06:10 . 2013-11-26 06:10    --------    d-----w-    c:\program files (x86)\Microsoft Silverlight
2013-11-26 05:52 . 2012-07-26 03:08    84992    ----a-w-    c:\windows\system32\WUDFSvc.dll
2013-11-26 05:52 . 2012-07-26 02:26    87040    ----a-w-    c:\windows\system32\drivers\WUDFPf.sys
2013-11-26 05:52 . 2012-07-26 02:26    198656    ----a-w-    c:\windows\system32\drivers\WUDFRd.sys
2013-11-26 05:52 . 2012-07-26 03:08    229888    ----a-w-    c:\windows\system32\WUDFHost.exe
2013-11-26 05:52 . 2012-07-26 03:08    744448    ----a-w-    c:\windows\system32\WUDFx.dll
2013-11-26 05:52 . 2012-07-26 03:08    45056    ----a-w-    c:\windows\system32\WUDFCoinstaller.dll
2013-11-26 05:52 . 2012-07-26 03:08    194048    ----a-w-    c:\windows\system32\WUDFPlatform.dll
2013-11-26 05:36 . 2012-03-01 06:46    23408    ----a-w-    c:\windows\system32\drivers\fs_rec.sys
2013-11-26 05:36 . 2012-03-01 06:28    5120    ----a-w-    c:\windows\system32\wmi.dll
2013-11-26 05:36 . 2012-03-01 05:29    5120    ----a-w-    c:\windows\SysWow64\wmi.dll
2013-11-25 23:14 . 2013-07-04 12:50    633856    ----a-w-    c:\windows\system32\comctl32.dll
2013-11-25 23:14 . 2013-07-04 11:50    530432    ----a-w-    c:\windows\SysWow64\comctl32.dll
2013-11-25 23:12 . 2011-10-26 05:25    1572864    ----a-w-    c:\windows\system32\quartz.dll
2013-11-25 23:11 . 2011-12-30 06:26    515584    ----a-w-    c:\windows\system32\timedate.cpl
2013-11-25 23:10 . 2013-09-25 02:26    95680    ----a-w-    c:\windows\system32\drivers\ksecdd.sys
2013-11-25 23:09 . 2013-07-25 09:25    1888768    ----a-w-    c:\windows\system32\WMVDECOD.DLL
2013-11-25 23:08 . 2013-07-03 04:40    42496    ----a-w-    c:\windows\system32\drivers\usbscan.sys
2013-11-25 23:08 . 2013-07-03 04:05    76800    ----a-w-    c:\windows\system32\drivers\hidclass.sys
2013-11-25 23:08 . 2013-07-03 04:05    32896    ----a-w-    c:\windows\system32\drivers\hidparse.sys
2013-11-25 23:08 . 2012-05-01 05:40    209920    ----a-w-    c:\windows\system32\profsvc.dll
2013-11-25 23:08 . 2013-07-04 12:57    259584    ----a-w-    c:\windows\system32\WebClnt.dll
2013-11-25 23:08 . 2013-07-04 12:50    102400    ----a-w-    c:\windows\system32\davclnt.dll
2013-11-25 23:08 . 2013-07-04 11:57    205824    ----a-w-    c:\windows\SysWow64\WebClnt.dll
2013-11-25 23:08 . 2013-07-04 11:51    81920    ----a-w-    c:\windows\SysWow64\davclnt.dll
2013-11-25 23:08 . 2013-07-04 10:11    140800    ----a-w-    c:\windows\system32\drivers\mrxdav.sys
2013-11-25 23:08 . 2012-11-02 05:59    478208    ----a-w-    c:\windows\system32\dpnet.dll
2013-11-25 23:08 . 2012-11-02 05:11    376832    ----a-w-    c:\windows\SysWow64\dpnet.dll
2013-11-25 23:08 . 2013-06-04 06:00    624128    ----a-w-    c:\windows\system32\qedit.dll
2013-11-25 23:08 . 2013-06-04 04:53    509440    ----a-w-    c:\windows\SysWow64\qedit.dll
2013-11-25 23:07 . 2012-08-21 21:01    245760    ----a-w-    c:\windows\system32\OxpsConverter.exe
2013-11-25 23:05 . 2011-08-17 05:26    613888    ----a-w-    c:\windows\system32\psisdecd.dll
2013-11-25 23:05 . 2011-08-17 05:25    108032    ----a-w-    c:\windows\system32\psisrndr.ax
2013-11-25 23:05 . 2011-08-17 04:24    465408    ----a-w-    c:\windows\SysWow64\psisdecd.dll
2013-11-25 23:05 . 2011-08-17 04:19    75776    ----a-w-    c:\windows\SysWow64\psisrndr.ax
2013-11-25 23:05 . 2012-04-28 03:55    210944    ----a-w-    c:\windows\system32\drivers\rdpwd.sys
2013-11-25 23:03 . 2012-07-06 20:07    552960    ----a-w-    c:\windows\system32\drivers\bthport.sys
2013-11-25 23:03 . 2012-09-25 22:47    78336    ----a-w-    c:\windows\SysWow64\synceng.dll
2013-11-25 23:03 . 2012-09-25 22:46    95744    ----a-w-    c:\windows\system32\synceng.dll
2013-11-25 23:03 . 2013-07-26 02:24    14172672    ----a-w-    c:\windows\system32\shell32.dll
2013-11-25 23:03 . 2013-07-26 02:24    197120    ----a-w-    c:\windows\system32\shdocvw.dll
2013-11-25 23:01 . 2013-01-24 06:01    223752    ----a-w-    c:\windows\system32\drivers\fvevol.sys
2013-11-25 23:00 . 2012-06-06 06:05    495616    ----a-w-    c:\program files\Common Files\System\ado\msadox.dll
2013-11-25 22:26 . 2012-02-17 06:38    1031680    ----a-w-    c:\windows\system32\rdpcore.dll
2013-11-25 22:26 . 2012-02-17 05:34    826880    ----a-w-    c:\windows\SysWow64\rdpcore.dll
2013-11-25 22:26 . 2012-02-17 04:57    23552    ----a-w-    c:\windows\system32\drivers\tdtcp.sys
2013-11-25 22:20 . 2012-06-02 22:19    2428952    ----a-w-    c:\windows\system32\wuaueng.dll
2013-11-25 22:20 . 2012-06-02 22:19    57880    ----a-w-    c:\windows\system32\wuauclt.exe
2013-11-25 22:20 . 2012-06-02 22:19    44056    ----a-w-    c:\windows\system32\wups2.dll
2013-11-25 22:20 . 2012-06-02 22:15    2622464    ----a-w-    c:\windows\system32\wucltux.dll
2013-11-25 22:20 . 2012-06-02 22:19    38424    ----a-w-    c:\windows\system32\wups.dll
2013-11-25 22:20 . 2012-06-02 22:19    701976    ----a-w-    c:\windows\system32\wuapi.dll
2013-11-25 22:20 . 2012-06-02 22:15    99840    ----a-w-    c:\windows\system32\wudriver.dll
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-12-13 14:39 . 2012-12-02 09:14    45056    ----a-w-    c:\windows\SysWow64\acovcnt.exe
2013-11-15 01:19 . 2011-03-29 01:36    22240    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Nuance PDF Reader-reminder"="c:\program files (x86)\Nuance\PDF Reader\Ereg\Ereg.exe" [2008-11-03 328992]
"ASUSPRP"="c:\program files (x86)\ASUS\APRP\APRP.EXE" [2011-10-18 3331312]
"ASUSWebStorage"="c:\program files (x86)\ASUS\ASUS WebStorage\3.0.108.222\AsusWSPanel.exe" [2011-07-29 737104]
"SonicMasterTray"="c:\program files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe" [2010-07-10 984400]
"ATKOSD2"="c:\program files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe" [2011-07-21 5716608]
"ATKMEDIA"="c:\program files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe" [2010-10-07 170624]
"HControlUser"="c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe" [2009-06-19 105016]
"Wireless Console 3"="c:\program files (x86)\ASUS\Wireless Console 3\wcourier.exe" [2011-10-19 2319536]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2009-11-19 54576]
"dnsshield"="c:\program files (x86)\Social Privacy  DNS\dnswatch.exe" [2013-11-13 148480]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2013-12-13 683576]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
AsusVibeLauncher.lnk - c:\program files (x86)\ASUS\AsusVibe\AsusVibeLauncher.exe /start [2011-10-17 549040]
FancyStart daemon.lnk - c:\windows\Installer\{C944B4C5-1C4D-4D95-8AC0-7CEF13914131}\_77B5857C27147149171BE7.exe -d [2012-12-2 12862]
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.SYS;c:\windows\SYSNATIVE\drivers\AmUStor.SYS [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\DRIVERS\SiSG664.sys;c:\windows\SYSNATIVE\DRIVERS\SiSG664.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 AntiVirWebService;Avira Web Protection;c:\program files (x86)\Avira\AntiVir Desktop\avwebg7.exe;c:\program files (x86)\Avira\AntiVir Desktop\avwebg7.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S1 ATKWMIACPIIO;ATKWMIACPI Driver;c:\program files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys;c:\program files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys [x]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys;c:\windows\SYSNATIVE\DRIVERS\avkmgr.sys [x]
S2 AFBAgent;AFBAgent;c:\windows\system32\FBAgent.exe;c:\windows\SYSNATIVE\FBAgent.exe [x]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [x]
S2 ASMMAP64;ASMMAP64;c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys;c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys [x]
S2 avnetflt;avnetflt;c:\windows\system32\DRIVERS\avnetflt.sys;c:\windows\SYSNATIVE\DRIVERS\avnetflt.sys [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\DRIVERS\asmthub3.sys;c:\windows\SYSNATIVE\DRIVERS\asmthub3.sys [x]
S3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\DRIVERS\asmtxhci.sys;c:\windows\SYSNATIVE\DRIVERS\asmtxhci.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys;c:\windows\SYSNATIVE\DRIVERS\L1C62x64.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt    REG_MULTI_SZ       hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2013-12-13 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-11-15 01:39]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_B]
@="{6D4133E5-0742-4ADC-8A8C-9303440F7190}"
[HKEY_CLASSES_ROOT\CLSID\{6D4133E5-0742-4ADC-8A8C-9303440F7190}]
2011-05-25 07:09    227840    ----a-w-    c:\program files (x86)\ASUS\ASUS WebStorage\3.0.108.222\AsusWSShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_O]
@="{64174815-8D98-4CE6-8646-4C039977D808}"
[HKEY_CLASSES_ROOT\CLSID\{64174815-8D98-4CE6-8646-4C039977D808}]
2011-05-25 07:09    227840    ----a-w-    c:\program files (x86)\ASUS\ASUS WebStorage\3.0.108.222\AsusWSShellExt64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-07-28 167704]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-07-28 392472]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-07-28 416024]
"AmIcoSinglun64"="c:\program files (x86)\AmIcoSingLun\AmIcoSinglun64.exe" [2011-03-21 361984]
"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2011-01-18 2188904]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com
mDefault_Search_URL = hxxp://www.google.com
mDefault_Page_URL = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
mSearch Page = hxxp://www.google.com
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
TCP: Interfaces\{45AEA371-44B6-49A1-AD88-445AC7A05056}: NameServer = 75.126.206.18,184.173.169.186
TCP: Interfaces\{65C4C895-2440-496B-9562-5566B2E3D34F}: NameServer = 75.126.206.18,184.173.169.186
TCP: Interfaces\{65C4C895-2440-496B-9562-5566B2E3D34F}\C696E6B6379737: NameServer = 75.126.206.18,184.173.169.186
TCP: Interfaces\{7546DD8C-C993-437E-8F1A-1F2283BD9CCF}: NameServer = 75.126.206.18,184.173.169.186
TCP: Interfaces\{846ee342-7039-11de-9d20-806e6f6e6963}: NameServer = 75.126.206.18,184.173.169.186
FF - ProfilePath - c:\users\Ying\AppData\Roaming\Mozilla\Firefox\Profiles\ly47v0bl.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://search.yahoo.com/firefox/?fr=sfp-yff25
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=U079DF&PC=U079&q=
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2013-11-14 16:36; toolbar_ORJ-V7C@apn.ask.com; c:\users\Ying\AppData\Roaming\Mozilla\Firefox\Profiles\ly47v0bl.default\extensions\toolbar_ORJ-V7C@apn.ask.com.xpi
FF - ExtSQL: 2013-11-23 13:21; smartwebprinting@hp.com; c:\program files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - ExtSQL: !HIDDEN! 2013-11-23 13:21; smartwebprinting@hp.com; c:\program files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-{8660E5B3-6C41-44DE-8503-98D99BBECD41} - c:\program files (x86)\Coupons.com CouponBar\tbcore3.dll
Wow6432Node-HKCU-Run-MobileAppSync - c:\program files (x86)\Mobile App Sync\D2MClient.exe
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
BHO-{11111111-1111-1111-1111-110311121157} - c:\program files (x86)\Plus-HD-1.3\Plus-HD-1.3-bho64.dll
BHO-{118B2809-0EB4-3026-2BE4-205CEB209F8C} - c:\program files (x86)\surff aNd keep\0Fglh.x64.dll
BHO-{2352FEC2-344A-3202-126F-0EB6DC90D885} - c:\program files (x86)\YoutubeAdblocker\W.x64.dll
BHO-{239898A1-6553-422B-1744-C56474277197} - c:\program files (x86)\surf and  keeeep\qFBqJ9j.x64.dll
BHO-{4892EEA0-48BB-62B9-FC9F-AFDC01BC38FB} - c:\program files (x86)\surf aned keep\qDsmGmD6.x64.dll
BHO-{8E7BFDA8-7BC7-E897-64BD-8BCCE102B9D4} - c:\program files (x86)\surFa And keep\vwQxESE.x64.dll
BHO-{91FBEA5C-E3C7-42EA-8C2B-B168189AB5BE} - c:\program files (x86)\Social Privacy\sp64.dll
BHO-{D1533319-8C05-3ADA-6CBB-870A7D45A9AA} - c:\program files (x86)\surf And keepe\I0i.x64.dll
Toolbar-Locked - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
HKLM-Run-SynAsusAcpi - c:\program files (x86)\Synaptics\SynTP\SynAsusAcpi.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_170_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_170_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-12-13  06:53:24
ComboFix-quarantined-files.txt  2013-12-13 14:53
.
Pre-Run: 240,169,644,032 bytes free
Post-Run: 241,384,189,952 bytes free
.
- - End Of File - - AF545F129FE08889498497FEFDE10AB7
 



#6 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:01:09 AM

Posted 13 December 2013 - 10:18 AM

Are you using any type of proxy software or do you recognize Social Privacy  DNS??
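The "TCP:" lines of the Supplementary Scan above show every interface's NameServer set to 75.126.206.18 and 184.173.169.186 while DhcpNameServer is the router's 192.168.0.1, which is the detail behind the question about proxy or DNS software. As an added example that is not part of this thread, the Python below parses those lines from a DDS/ComboFix log and flags interfaces whose static resolvers are not the DHCP-provided ones; the sample log text is constructed from the entries above and the function names are my own.

```python
import re
from ipaddress import ip_address

# Constructed sample: the shape of a ComboFix "Supplementary Scan" block,
# with the addresses taken from the log above.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.com
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
TCP: Interfaces\{45AEA371-44B6-49A1-AD88-445AC7A05056}: NameServer = 75.126.206.18,184.173.169.186
TCP: Interfaces\{65C4C895-2440-496B-9562-5566B2E3D34F}: NameServer = 75.126.206.18,184.173.169.186
TCP: Interfaces\{65C4C895-2440-496B-9562-5566B2E3D34F}\C696E6B6379737: NameServer = 75.126.206.18,184.173.169.186
FF - prefs.js: network.proxy.type - 0
"""

# "TCP: DhcpNameServer = <space-separated addresses>"
DHCP_RE = re.compile(r"^TCP: DhcpNameServer = (.+)$")
# "TCP: Interfaces\{GUID}[\subkey]: NameServer = <comma/space-separated addresses>"
IFACE_RE = re.compile(
    r"^TCP: Interfaces\\(\{[0-9A-Fa-f-]+\}(?:\\[^:]+)?): NameServer = (.+)$"
)


def _split_servers(field):
    """ComboFix separates resolvers with commas or spaces; accept both."""
    return [s for s in re.split(r"[,\s]+", field.strip()) if s]


def parse_dns_settings(log_text):
    """Return (dhcp_servers, {interface_key: [servers]}) from a log's TCP: lines."""
    dhcp, per_iface = [], {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = DHCP_RE.match(line)
        if m:
            dhcp = _split_servers(m.group(1))
            continue
        m = IFACE_RE.match(line)
        if m:
            per_iface[m.group(1)] = _split_servers(m.group(2))
    return dhcp, per_iface


def find_dns_overrides(log_text):
    """Interfaces whose static NameServer list holds addresses DHCP did not hand out.

    A per-interface resolver that differs from the DHCP-provided one is the
    footprint a "DNS helper" program such as the dnswatch.exe above leaves behind.
    Returns {interface_key: [foreign servers]} (empty when nothing is overridden).
    """
    dhcp, per_iface = parse_dns_settings(log_text)
    dhcp_set = set(dhcp)
    overrides = {}
    for key, servers in per_iface.items():
        foreign = [s for s in servers if s not in dhcp_set]
        if foreign:
            overrides[key] = foreign
    return overrides


def public_overrides(log_text):
    """Subset of find_dns_overrides() whose foreign resolvers are public (non-RFC1918)
    addresses: the strongest hint that resolution leaves the home network unexpectedly."""
    result = {}
    for key, servers in find_dns_overrides(log_text).items():
        public = [s for s in servers if not ip_address(s).is_private]
        if public:
            result[key] = public
    return result


if __name__ == "__main__":
    for key, servers in public_overrides(SAMPLE_LOG).items():
        print(f"{key}: static public resolvers {', '.join(servers)} differ from DHCP")
```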


 


#7 LucaBC

LucaBC
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:12:09 AM

Posted 13 December 2013 - 10:59 AM

No, I don't believe he would need to use a proxy for any reason.



#8 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:01:09 AM

Posted 14 December 2013 - 11:12 AM

Sorry for any delay.  :)
 
ComboFix

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    ClearJavaCache::

    File::
    c:\windows\system32\AdpeakProxy64.dll

    Folder::
    c:\program files (x86)\Social Privacy  DNS

    Firefox::
    FF - ProfilePath - c:\users\Ying\AppData\Roaming\Mozilla\Firefox\Profiles\ly47v0bl.default\
    FF - ExtSQL: 2013-11-14 16:36; toolbar_ORJ-V7C@apn.ask.com; c:\users\Ying\AppData\Roaming\Mozilla\Firefox\Profiles\ly47v0bl.default\extensions\toolbar_ORJ-V7C@apn.ask.com.xpi

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    CFScriptB-4.gif
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------

 

Post the new ComboFix log and let me know how your system is running now.  :)


 


#9 LucaBC

LucaBC
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:12:09 AM

Posted 14 December 2013 - 08:22 PM

No problem. Here's the combofix log:

ComboFix 13-12-13.01 - Ying 12/14/2013  17:14:28.2.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.5921.4457 [GMT -8:00]
Running from: c:\users\Ying\Desktop\ComboFix.exe
Command switches used :: c:\users\Ying\Desktop\CFScript.txt
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
FILE ::
"c:\windows\system32\AdpeakProxy64.dll"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\Social Privacy  DNS
c:\program files (x86)\Social Privacy  DNS\dnswatch.exe
c:\program files (x86)\Social Privacy  DNS\Uninstall.exe
c:\users\Ying\AppData\Roaming\Mozilla\Firefox\Profiles\ly47v0bl.default\extensions\toolbar_ORJ-V7C@apn.ask.com.xpi
c:\windows\system32\AdpeakProxy64.dll
.
.
(((((((((((((((((((((((((   Files Created from 2013-11-15 to 2013-12-15  )))))))))))))))))))))))))))))))
.
.
2013-12-15 01:19 . 2013-12-15 01:19    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-12-14 16:10 . 2013-12-14 16:41    --------    d-----w-    C:\GOG Games
2013-12-13 07:01 . 2013-12-13 07:01    --------    d-----w-    c:\users\Ying\AppData\Roaming\Avira
2013-12-13 06:59 . 2013-12-13 06:54    83160    ----a-w-    c:\windows\system32\drivers\avnetflt.sys
2013-12-13 06:59 . 2013-12-13 06:54    28600    ----a-w-    c:\windows\system32\drivers\avkmgr.sys
2013-12-13 06:59 . 2013-12-13 06:54    132600    ----a-w-    c:\windows\system32\drivers\avipbb.sys
2013-12-13 06:59 . 2013-12-13 06:54    107416    ----a-w-    c:\windows\system32\drivers\avgntflt.sys
2013-12-13 06:59 . 2013-12-13 06:59    --------    d-----w-    c:\programdata\Avira
2013-12-13 06:59 . 2013-12-13 06:59    --------    d-----w-    c:\program files (x86)\Avira
2013-12-13 06:36 . 2013-12-13 06:39    --------    d-----w-    C:\AdwCleaner
2013-12-12 05:42 . 2013-09-04 12:12    343040    ----a-w-    c:\windows\system32\drivers\usbhub.sys
2013-12-12 05:42 . 2013-09-04 12:11    325120    ----a-w-    c:\windows\system32\drivers\usbport.sys
2013-12-12 05:42 . 2013-09-04 12:11    99840    ----a-w-    c:\windows\system32\drivers\usbccgp.sys
2013-12-12 05:42 . 2013-09-04 12:11    52736    ----a-w-    c:\windows\system32\drivers\usbehci.sys
2013-12-12 05:42 . 2013-09-04 12:11    30720    ----a-w-    c:\windows\system32\drivers\usbuhci.sys
2013-12-12 05:42 . 2013-09-04 12:11    25600    ----a-w-    c:\windows\system32\drivers\usbohci.sys
2013-12-12 05:42 . 2013-09-04 12:11    7808    ----a-w-    c:\windows\system32\drivers\usbd.sys
2013-12-12 01:08 . 2013-05-10 05:56    12625920    ----a-w-    c:\windows\system32\wmploc.DLL
2013-12-12 01:08 . 2013-05-10 04:30    167424    ----a-w-    c:\program files\Windows Media Player\wmplayer.exe
2013-12-12 01:08 . 2013-05-10 03:48    164864    ----a-w-    c:\program files (x86)\Windows Media Player\wmplayer.exe
2013-12-12 01:08 . 2013-05-10 04:56    12625408    ----a-w-    c:\windows\SysWow64\wmploc.DLL
2013-12-12 01:08 . 2013-05-10 05:56    14631424    ----a-w-    c:\windows\system32\wmp.dll
2013-12-12 01:07 . 2013-11-27 00:20    235216    ----a-w-    c:\program files (x86)\Internet Explorer\sqmapi.dll
2013-12-12 01:07 . 2013-11-26 10:19    2724864    ----a-w-    c:\windows\system32\mshtml.tlb
2013-12-12 01:07 . 2013-11-26 09:23    2724864    ----a-w-    c:\windows\SysWow64\mshtml.tlb
2013-12-12 00:49 . 2013-10-30 02:32    335360    ----a-w-    c:\windows\system32\msieftp.dll
2013-12-12 00:49 . 2013-10-30 02:19    301568    ----a-w-    c:\windows\SysWow64\msieftp.dll
2013-12-12 00:49 . 2013-10-30 01:24    3155968    ----a-w-    c:\windows\system32\win32k.sys
2013-12-12 00:49 . 2013-11-23 18:26    417792    ----a-w-    c:\windows\SysWow64\WMPhoto.dll
2013-12-12 00:49 . 2013-11-23 17:47    465920    ----a-w-    c:\windows\system32\WMPhoto.dll
2013-12-12 00:49 . 2013-10-19 02:18    81408    ----a-w-    c:\windows\system32\imagehlp.dll
2013-12-12 00:49 . 2013-10-19 01:36    159232    ----a-w-    c:\windows\SysWow64\imagehlp.dll
2013-12-12 00:49 . 2013-11-12 02:23    2048    ----a-w-    c:\windows\system32\tzres.dll
2013-12-12 00:49 . 2013-11-12 02:07    2048    ----a-w-    c:\windows\SysWow64\tzres.dll
2013-12-12 00:49 . 2013-10-04 02:16    116736    ----a-w-    c:\windows\system32\drivers\drmk.sys
2013-12-12 00:49 . 2013-10-04 01:36    230400    ----a-w-    c:\windows\system32\drivers\portcls.sys
2013-12-12 00:48 . 2013-10-12 02:32    150016    ----a-w-    c:\windows\system32\wshom.ocx
2013-12-12 00:48 . 2013-10-12 02:31    202752    ----a-w-    c:\windows\system32\scrrun.dll
2013-12-12 00:48 . 2013-10-12 02:04    121856    ----a-w-    c:\windows\SysWow64\wshom.ocx
2013-12-12 00:48 . 2013-10-12 02:03    163840    ----a-w-    c:\windows\SysWow64\scrrun.dll
2013-12-12 00:48 . 2013-10-12 01:33    156160    ----a-w-    c:\windows\system32\cscript.exe
2013-12-12 00:48 . 2013-10-12 01:33    168960    ----a-w-    c:\windows\system32\wscript.exe
2013-12-12 00:48 . 2013-10-12 01:15    141824    ----a-w-    c:\windows\SysWow64\wscript.exe
2013-12-12 00:48 . 2013-10-12 01:15    126976    ----a-w-    c:\windows\SysWow64\cscript.exe
2013-12-04 02:56 . 2013-12-04 02:56    --------    d-----w-    c:\users\Ying\AppData\Roaming\Malwarebytes
2013-12-04 02:56 . 2013-12-04 02:56    --------    d-----w-    c:\programdata\Malwarebytes
2013-12-04 02:54 . 2013-12-04 03:16    --------    d-----w-    c:\programdata\WPM
2013-11-30 04:36 . 2013-12-05 17:50    --------    d-----w-    C:\temp
2013-11-30 04:36 . 2013-12-04 03:16    --------    d-----w-    c:\programdata\Updater
2013-11-30 04:36 . 2013-12-04 03:16    --------    d-----w-    c:\programdata\RHelpers
2013-11-30 04:36 . 2013-11-30 04:36    --------    d-----w-    c:\program files (x86)\sp
2013-11-30 04:35 . 2013-11-30 04:35    --------    d-----w-    c:\program files (x86)\DownLite
2013-11-30 04:18 . 2010-06-02 12:55    74072    ------w-    c:\windows\SysWow64\XAPOFX1_5.dll
2013-11-30 04:18 . 2010-06-02 12:55    527192    ------w-    c:\windows\SysWow64\XAudio2_7.dll
2013-11-30 04:18 . 2010-05-26 19:41    2106216    ------w-    c:\windows\SysWow64\D3DCompiler_43.dll
2013-11-30 04:18 . 2010-05-26 19:41    1998168    ------w-    c:\windows\SysWow64\D3DX9_43.dll
2013-11-30 04:18 . 2007-04-05 02:53    81768    ------w-    c:\windows\SysWow64\xinput1_3.dll
2013-11-30 04:18 . 2006-07-28 17:30    62744    ------w-    c:\windows\SysWow64\xinput1_2.dll
2013-11-30 04:17 . 2013-11-30 04:18    --------    d-----w-    c:\program files (x86)\Intrusion2
2013-11-27 00:34 . 2013-04-17 07:02    1230336    ----a-w-    c:\windows\SysWow64\WindowsCodecs.dll
2013-11-27 00:34 . 2013-04-17 06:24    1424384    ----a-w-    c:\windows\system32\WindowsCodecs.dll
2013-11-27 00:34 . 2012-02-11 06:36    559104    ----a-w-    c:\windows\system32\spoolsv.exe
2013-11-27 00:34 . 2012-02-11 06:36    67072    ----a-w-    c:\windows\splwow64.exe
2013-11-26 14:38 . 2013-10-15 02:00    28368    ----a-w-    c:\windows\system32\IEUDINIT.EXE
2013-11-26 14:34 . 2013-11-26 14:34    --------    d-----w-    c:\program files (x86)\MSXML 4.0
2013-11-26 07:47 . 2013-11-26 07:47    --------    d-----w-    c:\windows\SysWow64\Wat
2013-11-26 07:47 . 2013-11-26 07:47    --------    d-----w-    c:\windows\system32\Wat
2013-11-26 06:39 . 2012-07-26 04:47    2560    ----a-w-    c:\windows\system32\drivers\en-US\wdf01000.sys.mui
2013-11-26 06:10 . 2013-11-26 06:10    --------    d-----w-    c:\program files\Microsoft Silverlight
2013-11-26 06:10 . 2013-11-26 06:10    --------    d-----w-    c:\program files (x86)\Microsoft Silverlight
2013-11-26 05:52 . 2012-07-26 03:08    84992    ----a-w-    c:\windows\system32\WUDFSvc.dll
2013-11-26 05:52 . 2012-07-26 02:26    87040    ----a-w-    c:\windows\system32\drivers\WUDFPf.sys
2013-11-26 05:52 . 2012-07-26 02:26    198656    ----a-w-    c:\windows\system32\drivers\WUDFRd.sys
2013-11-26 05:52 . 2012-07-26 03:08    229888    ----a-w-    c:\windows\system32\WUDFHost.exe
2013-11-26 05:52 . 2012-07-26 03:08    744448    ----a-w-    c:\windows\system32\WUDFx.dll
2013-11-26 05:52 . 2012-07-26 03:08    45056    ----a-w-    c:\windows\system32\WUDFCoinstaller.dll
2013-11-26 05:52 . 2012-07-26 03:08    194048    ----a-w-    c:\windows\system32\WUDFPlatform.dll
2013-11-26 05:36 . 2012-03-01 06:46    23408    ----a-w-    c:\windows\system32\drivers\fs_rec.sys
2013-11-26 05:36 . 2012-03-01 06:28    5120    ----a-w-    c:\windows\system32\wmi.dll
2013-11-26 05:36 . 2012-03-01 05:29    5120    ----a-w-    c:\windows\SysWow64\wmi.dll
2013-11-25 23:14 . 2013-07-04 12:50    633856    ----a-w-    c:\windows\system32\comctl32.dll
2013-11-25 23:14 . 2013-07-04 11:50    530432    ----a-w-    c:\windows\SysWow64\comctl32.dll
2013-11-25 23:12 . 2011-10-26 05:25    1572864    ----a-w-    c:\windows\system32\quartz.dll
2013-11-25 23:11 . 2011-12-30 06:26    515584    ----a-w-    c:\windows\system32\timedate.cpl
2013-11-25 23:10 . 2013-09-25 02:26    95680    ----a-w-    c:\windows\system32\drivers\ksecdd.sys
2013-11-25 23:09 . 2013-07-25 09:25    1888768    ----a-w-    c:\windows\system32\WMVDECOD.DLL
2013-11-25 23:08 . 2013-07-03 04:40    42496    ----a-w-    c:\windows\system32\drivers\usbscan.sys
2013-11-25 23:08 . 2013-07-03 04:05    76800    ----a-w-    c:\windows\system32\drivers\hidclass.sys
2013-11-25 23:08 . 2013-07-03 04:05    32896    ----a-w-    c:\windows\system32\drivers\hidparse.sys
2013-11-25 23:08 . 2012-05-01 05:40    209920    ----a-w-    c:\windows\system32\profsvc.dll
2013-11-25 23:08 . 2013-07-04 12:57    259584    ----a-w-    c:\windows\system32\WebClnt.dll
2013-11-25 23:08 . 2013-07-04 12:50    102400    ----a-w-    c:\windows\system32\davclnt.dll
2013-11-25 23:08 . 2013-07-04 11:57    205824    ----a-w-    c:\windows\SysWow64\WebClnt.dll
2013-11-25 23:08 . 2013-07-04 11:51    81920    ----a-w-    c:\windows\SysWow64\davclnt.dll
2013-11-25 23:08 . 2013-07-04 10:11    140800    ----a-w-    c:\windows\system32\drivers\mrxdav.sys
2013-11-25 23:08 . 2012-11-02 05:59    478208    ----a-w-    c:\windows\system32\dpnet.dll
2013-11-25 23:08 . 2012-11-02 05:11    376832    ----a-w-    c:\windows\SysWow64\dpnet.dll
2013-11-25 23:08 . 2013-06-04 06:00    624128    ----a-w-    c:\windows\system32\qedit.dll
2013-11-25 23:08 . 2013-06-04 04:53    509440    ----a-w-    c:\windows\SysWow64\qedit.dll
2013-11-25 23:07 . 2012-08-21 21:01    245760    ----a-w-    c:\windows\system32\OxpsConverter.exe
2013-11-25 23:05 . 2011-08-17 05:26    613888    ----a-w-    c:\windows\system32\psisdecd.dll
2013-11-25 23:05 . 2011-08-17 05:25    108032    ----a-w-    c:\windows\system32\psisrndr.ax
2013-11-25 23:05 . 2011-08-17 04:24    465408    ----a-w-    c:\windows\SysWow64\psisdecd.dll
2013-11-25 23:05 . 2011-08-17 04:19    75776    ----a-w-    c:\windows\SysWow64\psisrndr.ax
2013-11-25 23:05 . 2012-04-28 03:55    210944    ----a-w-    c:\windows\system32\drivers\rdpwd.sys
2013-11-25 23:03 . 2012-07-06 20:07    552960    ----a-w-    c:\windows\system32\drivers\bthport.sys
2013-11-25 23:03 . 2012-09-25 22:47    78336    ----a-w-    c:\windows\SysWow64\synceng.dll
2013-11-25 23:03 . 2012-09-25 22:46    95744    ----a-w-    c:\windows\system32\synceng.dll
2013-11-25 23:03 . 2013-07-26 02:24    14172672    ----a-w-    c:\windows\system32\shell32.dll
2013-11-25 23:03 . 2013-07-26 02:24    197120    ----a-w-    c:\windows\system32\shdocvw.dll
2013-11-25 23:01 . 2013-01-24 06:01    223752    ----a-w-    c:\windows\system32\drivers\fvevol.sys
2013-11-25 23:00 . 2012-06-06 06:05    495616    ----a-w-    c:\program files\Common Files\System\ado\msadox.dll
2013-11-25 22:26 . 2012-02-17 06:38    1031680    ----a-w-    c:\windows\system32\rdpcore.dll
2013-11-25 22:26 . 2012-02-17 05:34    826880    ----a-w-    c:\windows\SysWow64\rdpcore.dll
2013-11-25 22:26 . 2012-02-17 04:57    23552    ----a-w-    c:\windows\system32\drivers\tdtcp.sys
2013-11-25 22:20 . 2012-06-02 22:19    2428952    ----a-w-    c:\windows\system32\wuaueng.dll
2013-11-25 22:20 . 2012-06-02 22:19    57880    ----a-w-    c:\windows\system32\wuauclt.exe
2013-11-25 22:20 . 2012-06-02 22:19    44056    ----a-w-    c:\windows\system32\wups2.dll
2013-11-25 22:20 . 2012-06-02 22:15    2622464    ----a-w-    c:\windows\system32\wucltux.dll
2013-11-25 22:20 . 2012-06-02 22:19    38424    ----a-w-    c:\windows\system32\wups.dll
2013-11-25 22:20 . 2012-06-02 22:19    701976    ----a-w-    c:\windows\system32\wuapi.dll
2013-11-25 22:20 . 2012-06-02 22:15    99840    ----a-w-    c:\windows\system32\wudriver.dll
2013-11-25 22:20 . 2012-06-02 23:19    186752    ----a-w-    c:\windows\system32\wuwebv.dll
2013-11-25 22:20 . 2012-06-02 23:15    36864    ----a-w-    c:\windows\system32\wuapp.exe
2013-11-25 14:05 . 2013-11-25 14:05    --------    d-----w-    c:\users\Ying\AppData\Local\Unity
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-12-14 18:52 . 2012-12-02 09:14    45056    ----a-w-    c:\windows\SysWow64\acovcnt.exe
2013-12-12 01:39 . 2013-11-15 01:08    71048    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-12-12 01:39 . 2013-11-15 01:08    692616    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2013-11-15 01:19 . 2011-03-29 01:36    22240    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-11-15 00:33 . 2013-11-15 00:33    96168    ------w-    c:\windows\SysWow64\WindowsAccessBridge-32.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{8660E5B3-6C41-44DE-8503-98D99BBECD41}"= "c:\program files (x86)\Coupons.com CouponBar\tbcore3.dll" [BU]
.
[HKEY_CLASSES_ROOT\clsid\{8660e5b3-6c41-44de-8503-98d99bbecd41}]
[HKEY_CLASSES_ROOT\TBSB07898.TBSB07898.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\TBSB07898.TBSB07898]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Nuance PDF Reader-reminder"="c:\program files (x86)\Nuance\PDF Reader\Ereg\Ereg.exe" [2008-11-03 328992]
"ASUSPRP"="c:\program files (x86)\ASUS\APRP\APRP.EXE" [2011-10-18 3331312]
"ASUSWebStorage"="c:\program files (x86)\ASUS\ASUS WebStorage\3.0.108.222\AsusWSPanel.exe" [2011-07-29 737104]
"SonicMasterTray"="c:\program files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe" [2010-07-10 984400]
"ATKOSD2"="c:\program files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe" [2011-07-21 5716608]
"ATKMEDIA"="c:\program files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe" [2010-10-07 170624]
"HControlUser"="c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe" [2009-06-19 105016]
"Wireless Console 3"="c:\program files (x86)\ASUS\Wireless Console 3\wcourier.exe" [2011-10-19 2319536]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2009-11-19 54576]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2013-12-13 683576]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
AsusVibeLauncher.lnk - c:\program files (x86)\ASUS\AsusVibe\AsusVibeLauncher.exe /start [2011-10-17 549040]
FancyStart daemon.lnk - c:\windows\Installer\{C944B4C5-1C4D-4D95-8AC0-7CEF13914131}\_77B5857C27147149171BE7.exe -d [2012-12-2 12862]
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.SYS;c:\windows\SYSNATIVE\drivers\AmUStor.SYS [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\DRIVERS\SiSG664.sys;c:\windows\SYSNATIVE\DRIVERS\SiSG664.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 AntiVirWebService;Avira Web Protection;c:\program files (x86)\Avira\AntiVir Desktop\avwebg7.exe;c:\program files (x86)\Avira\AntiVir Desktop\avwebg7.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S1 ATKWMIACPIIO;ATKWMIACPI Driver;c:\program files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys;c:\program files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys [x]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys;c:\windows\SYSNATIVE\DRIVERS\avkmgr.sys [x]
S2 AFBAgent;AFBAgent;c:\windows\system32\FBAgent.exe;c:\windows\SYSNATIVE\FBAgent.exe [x]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [x]
S2 ASMMAP64;ASMMAP64;c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys;c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys [x]
S2 avnetflt;avnetflt;c:\windows\system32\DRIVERS\avnetflt.sys;c:\windows\SYSNATIVE\DRIVERS\avnetflt.sys [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\DRIVERS\asmthub3.sys;c:\windows\SYSNATIVE\DRIVERS\asmthub3.sys [x]
S3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\DRIVERS\asmtxhci.sys;c:\windows\SYSNATIVE\DRIVERS\asmtxhci.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys;c:\windows\SYSNATIVE\DRIVERS\L1C62x64.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt    REG_MULTI_SZ       hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2013-12-15 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-11-15 01:39]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{11111111-1111-1111-1111-110311121157}]
c:\program files (x86)\Plus-HD-1.3\Plus-HD-1.3-bho64.dll [BU]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{118B2809-0EB4-3026-2BE4-205CEB209F8C}]
c:\program files (x86)\surff aNd keep\0Fglh.x64.dll [BU]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2352FEC2-344A-3202-126F-0EB6DC90D885}]
c:\program files (x86)\YoutubeAdblocker\W.x64.dll [BU]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{239898A1-6553-422B-1744-C56474277197}]
c:\program files (x86)\surf and  keeeep\qFBqJ9j.x64.dll [BU]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4892EEA0-48BB-62B9-FC9F-AFDC01BC38FB}]
c:\program files (x86)\surf aned keep\qDsmGmD6.x64.dll [BU]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E7BFDA8-7BC7-E897-64BD-8BCCE102B9D4}]
c:\program files (x86)\surFa And keep\vwQxESE.x64.dll [BU]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91FBEA5C-E3C7-42EA-8C2B-B168189AB5BE}]
c:\program files (x86)\Social Privacy\sp64.dll [BU]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D1533319-8C05-3ADA-6CBB-870A7D45A9AA}]
c:\program files (x86)\surf And keepe\I0i.x64.dll [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_B]
@="{6D4133E5-0742-4ADC-8A8C-9303440F7190}"
[HKEY_CLASSES_ROOT\CLSID\{6D4133E5-0742-4ADC-8A8C-9303440F7190}]
2011-05-25 07:09    227840    ----a-w-    c:\program files (x86)\ASUS\ASUS WebStorage\3.0.108.222\AsusWSShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_O]
@="{64174815-8D98-4CE6-8646-4C039977D808}"
[HKEY_CLASSES_ROOT\CLSID\{64174815-8D98-4CE6-8646-4C039977D808}]
2011-05-25 07:09    227840    ----a-w-    c:\program files (x86)\ASUS\ASUS WebStorage\3.0.108.222\AsusWSShellExt64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-07-28 167704]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-07-28 392472]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-07-28 416024]
"AmIcoSinglun64"="c:\program files (x86)\AmIcoSingLun\AmIcoSinglun64.exe" [2011-03-21 361984]
"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2011-01-18 2188904]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"SynAsusAcpi"="c:\program files (x86)\Synaptics\SynTP\SynAsusAcpi.exe" [BU]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com
mDefault_Search_URL = hxxp://www.google.com
mDefault_Page_URL = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
mSearch Page = hxxp://www.google.com
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
TCP: Interfaces\{45AEA371-44B6-49A1-AD88-445AC7A05056}: NameServer = 75.126.206.18,184.173.169.186
TCP: Interfaces\{65C4C895-2440-496B-9562-5566B2E3D34F}: NameServer = 75.126.206.18,184.173.169.186
TCP: Interfaces\{65C4C895-2440-496B-9562-5566B2E3D34F}\C696E6B6379737: NameServer = 75.126.206.18,184.173.169.186
TCP: Interfaces\{7546DD8C-C993-437E-8F1A-1F2283BD9CCF}: NameServer = 75.126.206.18,184.173.169.186
TCP: Interfaces\{846ee342-7039-11de-9d20-806e6f6e6963}: NameServer = 75.126.206.18,184.173.169.186
FF - ProfilePath - c:\users\Ying\AppData\Roaming\Mozilla\Firefox\Profiles\ly47v0bl.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://search.yahoo.com/firefox/?fr=sfp-yff25
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=U079DF&PC=U079&q=
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2013-11-14 16:36; toolbar_ORJ-V7C@apn.ask.com; c:\users\Ying\AppData\Roaming\Mozilla\Firefox\Profiles\ly47v0bl.default\extensions\toolbar_ORJ-V7C@apn.ask.com.xpi
FF - ExtSQL: 2013-11-23 13:21; smartwebprinting@hp.com; c:\program files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - ExtSQL: !HIDDEN! 2013-11-23 13:21; smartwebprinting@hp.com; c:\program files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
Wow6432Node-HKLM-Run-dnsshield - c:\program files (x86)\Social Privacy  DNS\dnswatch.exe
AddRemove-dnsshield - c:\program files (x86)\Social Privacy  DNS\uninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_170_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_170_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-12-14  17:20:49
ComboFix-quarantined-files.txt  2013-12-15 01:20
ComboFix2.txt  2013-12-13 14:53
.
Pre-Run: 206,121,807,872 bytes free
Post-Run: 205,950,304,256 bytes free
.
- - End Of File - - 9416B785BC94FBA67F98031256088188
 



#10 jeffce

    Bleepin' Super Saiyan

  • Malware Response Team
  • 3,442 posts
  • Gender:Male
  • Location:USA

Posted 15 December 2013 - 12:39 PM

and let me know how your system is running now.

 

:)


 


#11 LucaBC

  • Topic Starter
  • Members
  • 9 posts

Posted 16 December 2013 - 01:07 AM

Laptop's working great now, thanks so much! Any tips on good anti-virus / malware programs? I just installed Avira, and gave him the talk about installing bundled software, so hopefully this won't happen again...



#12 jeffce

    Bleepin' Super Saiyan

  • Malware Response Team
  • 3,442 posts
  • Gender:Male
  • Location:USA

Posted 16 December 2013 - 07:55 AM

Hi,
 
Great to hear!!  :)  I will give you some good information when we clean up our tools, but let's check for anything else that might be hiding in there before we do that. 
 
Malwarebytes

Please open Malwarebytes, update it and then run a Quick Scan.  Save the log that is created for your next reply.
----------
 
ESET Online Scanner

Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator.

  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
  • Close the ESET online scan, and let me know how things are now.

----------


 


#13 jeffce

    Bleepin' Super Saiyan

  • Malware Response Team
  • 3,442 posts
  • Gender:Male
  • Location:USA

Posted 18 December 2013 - 07:49 AM

Still with me?  :)


 


#14 LucaBC

  • Topic Starter
  • Members
  • 9 posts

Posted 18 December 2013 - 08:45 AM

Hi, sorry I'm still here, I just haven't had access to the laptop the last couple of days. I'll jump on it sometime this morning, or in the evening. Sorry about the delay!

#15 jeffce

    Bleepin' Super Saiyan

  • Malware Response Team
  • 3,442 posts
  • Gender:Male
  • Location:USA

Posted 18 December 2013 - 09:09 AM

No problem....just checking.  :)


 




