Suspected ZeroAccess rootkit. MSE won't open - blocked by group policy


17 replies to this topic

#1 rkwittig


Posted 09 January 2014 - 09:32 PM

Computer is Vista 32 bit.

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft® Windows Vista™ Home Basic 
Boot Device: \Device\HarddiskVolume3
Install Date: 6/8/2009 7:15:52 PM
System Uptime: 1/9/2014 8:44:22 PM (0 hours ago)
.
Motherboard: Dell Inc. |  | 0U880P
Processor: Pentium® Dual-Core  CPU      E5200  @ 2.50GHz | CPU 1 | 2003/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 283 GiB total, 220.128 GiB free.
D: is FIXED (NTFS) - 15 GiB total, 10.336 GiB free.
E: is CDROM (CDFS)
F: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
 Update for Microsoft Office 2007 (KB2508958)
32 Bit HP CIO Components Installer
3600_Help
Acrobat.com
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Reader 9.5.1
Adobe Shockwave Player 11.5
AnswerWorks 5.0 English Runtime
Apple Application Support
Apple Software Update
Backyard Basketball
Banctec Service Agreement
BPD_Scan
BPDSoftware
BPDSoftware_Ini
BrowserSafeguard
BufferChm
CapJax MathFax
Choice Guard
Compatibility Pack for the 2007 Office system
Conexant D850 PCI V.92 Modem
CustomerResearchQFolder
Dell Edoc Viewer
Dell Getting Started Guide
Dell Remote Access
Destinations
DeviceManagementQFolder
Digital Line Detect
DocProc
DocProcQFolder
EA Download Manager
eSupportQFolder
Fax
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Customer Participation Program 8.0
HP Imaging Device Functions 8.0
HP OCR Software 8.0
HP Officejet J3600 Series
HP Smart Web Printing
HP Solution Center 8.0
HP Update
HPProductAssistant
HPSSupply
Intel® Graphics Media Accelerator Driver
Intel® TV Wizard
J3600
Junk Mail filter update
Kid Pix Deluxe 4
L&H TTS3000 Español
Lernout & Hauspie TruVoice American English TTS Engine
Malwarebytes Anti-Malware version 1.75.0.1300
MarketResearch
Math 4 Teaching Textbook
Math 6 Teaching Textbook 
Math 7 Teaching Textbook 
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4.5.1
Microsoft Application Error Reporting
Microsoft Midtown Madness
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Professional 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft Web Publishing Wizard 1.52
Microsoft Works
Modem Diagnostic Tool
MSRedist
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NetWaiting
OGA Notifier 2.0.0048.0
PL-2303 USB-to-Serial
PL-2303 Vista Driver Installer
PowerDVD
PrintMaster 12
ProductContext
Quicken 2011
QuickTime
Realtek High Definition Audio Driver
Revo Uninstaller 1.95
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Scan
SeaWorld Adventure Park Tycoon
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2840629)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2861697)
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596825) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597973) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2760411) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2760415) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2760585) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2760591) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2817641) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2827326) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2827329) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2850022) 32-Bit Edition 
Security Update for Microsoft Office Excel 2007 (KB2827324) 32-Bit Edition 
Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition 
Security Update for Microsoft Office Outlook 2007 (KB2825644) 32-Bit Edition 
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2597971) 32-Bit Edition 
Security Update for Microsoft Office Word 2007 (KB2827330) 32-Bit Edition 
Serif DrawPlus Starter Edition
Shockwave
SIM editor 4.0
SIM MAX
SmarThru
SolutionCenter
Spelling Dictionaries Support For Adobe Reader 9
SPORE™
Status
Study Helpers Math Booster
Stunt Track Driver
The Hobbit™
Toolbox
TrayApp
Unity Web Player
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2687493) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767849) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2850085) 32-Bit Edition
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Updater
USIM Editor 1.0.28.0
WeatherBug
WebEx
WebReg
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Photo Gallery
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Zoo Tycoon 2 - Ultimate Collection
Zoombinis Island Odyssey
.
==== Event Viewer Messages From Past Week ========
.
1/9/2014 8:47:38 PM, Error: netbt [4321]  - The name "KATESLAPTOP    :0" could not be registered on the interface with IP address 192.168.1.105. The computer with the IP address 192.168.1.116 did not allow the name to be claimed by this computer.
1/9/2014 8:47:16 PM, Error: netbt [4321]  - The name "KATEOFFICE     :0" could not be registered on the interface with IP address 192.168.1.105. The computer with the IP address 192.168.1.106 did not allow the name to be claimed by this computer.
1/9/2014 8:45:20 PM, Error: Microsoft-Windows-DistributedCOM [10000]  - Unable to start a DCOM Server: {4F5E3A76-F453-4882-AB42-7224F3310DE7}. The error: "740" Happened while starting this command: C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe -Embedding
1/9/2014 8:35:53 PM, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the Computer Backup (MyPC Backup) service to connect.
1/9/2014 8:35:53 PM, Error: Service Control Manager [7000]  - The Computer Backup (MyPC Backup) service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
1/9/2014 7:37:48 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
1/9/2014 7:06:47 PM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  MpFilter spldr Wanarpv6
1/9/2014 7:06:47 PM, Error: Service Control Manager [7001]  - The Microsoft Network Inspection System service depends on the Microsoft Malware Protection Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
1/9/2014 7:06:47 PM, Error: Service Control Manager [7001]  - The Computer Browser service depends on the Server service which failed to start because of the following error:  The dependency service or group failed to start.
1/9/2014 7:05:37 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
1/9/2014 7:05:33 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
1/9/2014 7:05:26 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
1/9/2014 6:37:45 AM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:   Previous Signature Version: 1.165.1473.0   Update Source: Microsoft Update Server   Update Stage: Search   Source Path: Default URL   Signature Type: AntiVirus   Update Type: Full   User: NT AUTHORITY\SYSTEM   Current Engine Version:   Previous Engine Version: 1.1.10201.0   Error code: 0x8007043c   Error description: This service cannot be started in Safe Mode 
1/9/2014 5:34:19 PM, Error: Service Control Manager [7030]  - The MgAssist Service service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
1/9/2014 5:21:54 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
1/9/2014 2:37:45 AM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:   Previous Signature Version: 1.165.1473.0   Update Source: Microsoft Update Server   Update Stage: Search   Source Path: Default URL   Signature Type: AntiVirus   Update Type: Full   User: NT AUTHORITY\SYSTEM   Current Engine Version:   Previous Engine Version: 1.1.10201.0   Error code: 0x8007043c   Error description: This service cannot be started in Safe Mode 
1/9/2014 11:55:31 AM, Error: netbt [4321]  - The name "J-WITT         :0" could not be registered on the interface with IP address 192.168.1.105. The computer with the IP address 192.168.1.112 did not allow the name to be claimed by this computer.
1/9/2014 11:44:19 AM, Error: netbt [4321]  - The name "ABIGAIL-PC     :0" could not be registered on the interface with IP address 192.168.1.105. The computer with the IP address 192.168.1.118 did not allow the name to be claimed by this computer.
1/9/2014 10:52:10 AM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:   Previous Signature Version: 1.165.1473.0   Update Source: Microsoft Update Server   Update Stage: Search   Source Path: Default URL   Signature Type: AntiVirus   Update Type: Full   User: NT AUTHORITY\SYSTEM   Current Engine Version:   Previous Engine Version: 1.1.10201.0   Error code: 0x8007043c   Error description: This service cannot be started in Safe Mode 
1/9/2014 10:37:45 AM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:   Previous Signature Version: 1.165.1473.0   Update Source: Microsoft Update Server   Update Stage: Search   Source Path: Default URL   Signature Type: AntiVirus   Update Type: Full   User: NT AUTHORITY\SYSTEM   Current Engine Version:   Previous Engine Version: 1.1.10201.0   Error code: 0x8007043c   Error description: This service cannot be started in Safe Mode 
1/9/2014 1:15:08 PM, Error: netbt [4321]  - The name "ELI-PC         :0" could not be registered on the interface with IP address 192.168.1.105. The computer with the IP address 192.168.1.117 did not allow the name to be claimed by this computer.
1/8/2014 8:34:10 PM, Error: Service Control Manager [7034]  - The Afa Card Reader Service service terminated unexpectedly.  It has done this 1 time(s).
1/8/2014 8:33:42 PM, Error: Service Control Manager [7034]  - The XAudioService service terminated unexpectedly.  It has done this 1 time(s).
1/8/2014 11:11:17 AM, Error: netbt [4321]  - The name "WITTIG         :0" could not be registered on the interface with IP address 192.168.1.105. The computer with the IP address 192.168.1.131 did not allow the name to be claimed by this computer.
1/8/2014 10:42:18 PM, Error: Service Control Manager [7030]  - The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
1/8/2014 10:29:12 PM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:   Previous Signature Version: 1.165.1473.0   Update Source: Microsoft Update Server   Update Stage: Search   Source Path: Default URL   Signature Type: AntiVirus   Update Type: Full   User: NT AUTHORITY\SYSTEM   Current Engine Version:   Previous Engine Version: 1.1.10201.0   Error code: 0x8007043c   Error description: This service cannot be started in Safe Mode 
1/8/2014 10:29:12 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
1/5/2014 2:44:47 PM, Error: netbt [4321]  - The name "SARAH          :0" could not be registered on the interface with IP address 192.168.1.105. The computer with the IP address 192.168.1.109 did not allow the name to be claimed by this computer.
1/2/2014 7:06:59 PM, Error: Microsoft-Windows-Dhcp-Client [1002]  - The IP address lease 192.168.1.107 for the Network Card with network address 002564011778 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
1/2/2014 7:06:23 PM, Error: Microsoft-Windows-Dhcp-Client [1002]  - The IP address lease 192.168.1.110 for the Network Card with network address 002564011778 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
1/2/2014 7:06:07 PM, Error: Microsoft-Windows-Dhcp-Client [1002]  - The IP address lease 192.168.1.104 for the Network Card with network address 002564011778 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
1/2/2014 7:03:57 PM, Error: netbt [4321]  - The name "KATEOFFICE     :0" could not be registered on the interface with IP address 192.168.1.104. The computer with the IP address 192.168.1.106 did not allow the name to be claimed by this computer.
1/2/2014 5:52:36 PM, Error: netbt [4321]  - The name "J-WITT         :0" could not be registered on the interface with IP address 192.168.1.104. The computer with the IP address 192.168.1.116 did not allow the name to be claimed by this computer.
.
==== End Of File ===========================
 
 
DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 9.0.8112.16526
Run by Ronald Wittig at 20:56:16 on 2014-01-09
Microsoft® Windows Vista™ Home Basic   6.0.6002.2.1252.1.1033.18.3036.1687 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\quicktime\qttask.exe
C:\Program Files\USIM Editor\iconcs226045823.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Realtek\Audio\HDA\AERTSrv.exe
C:\Windows\system32\afasrv32.exe
c:\Program Files\Common Files\Dell\Advanced Networking Service\hnm_svc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\google\Chrome\Application\chrome.exe
C:\Program Files\google\Chrome\Application\chrome.exe
C:\Program Files\google\Chrome\Application\chrome.exe
C:\Program Files\google\Chrome\Application\chrome.exe
C:\Program Files\google\Chrome\Application\chrome.exe
C:\Program Files\google\Chrome\Application\chrome.exe
C:\Program Files\google\Chrome\Application\chrome.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\SearchFilterHost.exe
c:\Program Files\Microsoft Security Client\MpCmdRun.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k swprv
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uProxyServer = hxxp=127.0.0.1:50135;https=127.0.0.1:50135
uProxyOverride = <-loopback>
BHO: HP Print Clips: {053F9267-DC04-4294-A72C-58F732D338C0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Developer Tools: {1A6FE369-F28C-4AD9-A3E6-2BCB50807CF1} - c:\program files\internet explorer\iedvtool.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [ConduitFloatingPlugin_lcnnhcneegeeojhgpfijnlnocjdmlaon] "c:\windows\system32\rundll32.exe" "c:\users\ronald wittig\appdata\roaming\valueapps\ch\TBVerifier.dll",RunConduitFloatingPlugin lcnnhcneegeeojhgpfijnlnocjdmlaon
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [USBestCR] c:\program files\usim editor\iconcs226045823.exe RunFromReg
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [BrowserSafeguard] "c:\program files\browsersafeguard\BrowserSafeguard.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\eventr~1.lnk - c:\program files\broderbund\printmaster\PMremind.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:129
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{B1885AD0-3F02-498A-8C3A-F1C13D273662} : DHCPNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
Notify: igfxcui - igfxdev.dll
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\31.0.1650.63\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-9-27 214696]
R2 AERTFilters;Andrea RT Filters Service;c:\program files\realtek\audio\hda\AERTSrv.exe [2009-6-9 81920]
R2 AfaService;Afa Card Reader Service;c:\windows\system32\afasrv32.exe [2010-9-7 65536]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2013-1-20 104768]
R2 SSPORT;SSPORT;c:\windows\system32\drivers\SSPORT.SYS [2009-8-2 5120]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S3 MHIKEY10;MHIKEY10;c:\windows\system32\drivers\MHIKEY10.sys [2010-9-10 51072]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2013-10-23 280288]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-9-11 770168]
.
=============== Created Last 30 ================
.
2014-01-09 22:36:17 -------- d-----w- c:\program files\Uninstaller
2014-01-09 22:34:50 -------- d-----w- c:\program files\VS Revo Group
2014-01-09 22:34:24 -------- d-----w- c:\users\ronald wittig\.android
2014-01-09 22:34:23 -------- d-----w- c:\users\ronald wittig\appdata\local\cache
2014-01-09 22:34:21 -------- d-----w- c:\users\ronald wittig\appdata\local\genienext
2014-01-09 22:34:20 -------- d-----w- c:\users\ronald wittig\appdata\local\Mobogenie
2014-01-09 22:34:15 -------- d-----w- c:\users\ronald wittig\appdata\local\SwvUpdater
2014-01-09 22:34:00 -------- d-----w- c:\program files\MyPC Backup
2014-01-09 22:33:59 -------- d-----w- c:\users\ronald wittig\appdata\local\Conduit
2014-01-09 22:33:59 -------- d-----w- c:\program files\Conduit
2014-01-09 22:33:39 -------- d-----w- c:\users\ronald wittig\appdata\local\SearchProtect
2014-01-09 16:12:13 -------- d-----w- c:\programdata\TubeDimmer
2014-01-09 03:50:38 -------- d-----w- c:\programdata\Updater
2014-01-09 03:50:38 -------- d-----w- c:\programdata\RHelpers
2014-01-09 03:49:37 -------- d-----w- c:\program files\sp
2014-01-09 03:43:44 -------- d-----w- c:\users\ronald wittig\appdata\local\temp
2014-01-09 03:19:11 7760024 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{5885784e-6236-40db-82c8-927461f7cf9d}\mpengine.dll
2014-01-09 01:33:03 98816 ----a-w- c:\windows\sed.exe
2014-01-09 01:33:03 256000 ----a-w- c:\windows\PEV.exe
2014-01-09 01:33:03 208896 ----a-w- c:\windows\MBR.exe
2014-01-08 23:29:11 -------- d-----w- c:\programdata\Oracle
2014-01-08 23:27:09 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-01-08 20:24:01 -------- d-----w- c:\programdata\HitmanPro
2014-01-08 19:38:50 -------- d-----w- c:\windows\Migration
2014-01-08 19:33:48 7760024 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2014-01-08 18:05:02 -------- d-----w- c:\programdata\Malwarebytes
2014-01-08 18:04:59 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-01-08 18:04:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
==================== Find3M  ====================
.
2013-12-10 19:00:16 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-12-10 19:00:15 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-11-19 10:21:30 230048 ------w- c:\windows\system32\MpSigStub.exe
2013-11-14 22:50:50 1806848 ----a-w- c:\windows\system32\jscript9.dll
2013-11-14 22:42:41 1129472 ----a-w- c:\windows\system32\wininet.dll
2013-11-14 22:42:32 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2013-11-14 22:38:54 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2013-11-14 22:38:16 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-11-14 22:35:52 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-10-30 02:13:01 1304064 ----a-w- c:\windows\system32\WMALFXGFXDSP.dll
2013-10-30 02:12:54 335360 ----a-w- c:\windows\system32\SysFxUI.dll
2013-10-30 01:43:04 130048 ----a-w- c:\windows\system32\drivers\drmk.sys
2013-10-30 00:43:06 167936 ----a-w- c:\windows\system32\drivers\portcls.sys
2013-10-30 00:35:24 2050560 ----a-w- c:\windows\system32\win32k.sys
2013-10-22 07:19:59 158208 ----a-w- c:\windows\system32\imagehlp.dll
.
============= FINISH: 20:56:24.39 ===============
 
 
Combofix report
 
ComboFix 14-01-08.03 - Ronald Wittig 01/09/2014  21:09:19.2.2 - x86
Microsoft® Windows Vista™ Home Basic   6.0.6002.2.1252.1.1033.18.3036.1997 [GMT -5:00]
Running from: F:\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\END
c:\users\Ronald Wittig\AppData\Roaming\64dlls.exe
c:\users\Ronald Wittig\AppData\Roaming\intel64.exe
c:\users\Ronald Wittig\AppData\Roaming\Kernel32.exe
c:\users\Ronald Wittig\AppData\Roaming\localsys64.exe
c:\users\Ronald Wittig\AppData\Roaming\ntos.exe
c:\users\Ronald Wittig\AppData\Roaming\oembios.exe
c:\users\Ronald Wittig\AppData\Roaming\sdra64.exe
c:\users\Ronald Wittig\AppData\Roaming\sdra73.exe
c:\users\Ronald Wittig\AppData\Roaming\swin32.exe
c:\users\Ronald Wittig\AppData\Roaming\twex.exe
c:\users\Ronald Wittig\AppData\Roaming\twext.exe
c:\users\Ronald Wittig\AppData\Roaming\win32avs.exe
c:\users\Ronald Wittig\AppData\Roaming\wsnpoema.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-12-10 to 2014-01-10  )))))))))))))))))))))))))))))))
.
.
2014-01-10 02:17 . 2014-01-10 02:19 -------- d-----w- c:\users\Ronald Wittig\AppData\Local\temp
2014-01-10 02:17 . 2014-01-10 02:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-01-09 22:36 . 2014-01-09 22:36 -------- d-----w- c:\program files\Uninstaller
2014-01-09 22:34 . 2014-01-09 22:34 -------- d-----w- c:\program files\VS Revo Group
2014-01-09 22:34 . 2014-01-09 22:34 -------- d-----w- c:\users\Ronald Wittig\.android
2014-01-09 22:34 . 2014-01-09 22:34 -------- d-----w- c:\users\Ronald Wittig\AppData\Local\cache
2014-01-09 22:34 . 2014-01-09 22:34 -------- d-----w- c:\users\Ronald Wittig\AppData\Local\genienext
2014-01-09 22:34 . 2014-01-09 22:41 -------- d-----w- c:\users\Ronald Wittig\AppData\Local\Mobogenie
2014-01-09 22:34 . 2014-01-10 01:28 -------- d-----w- c:\users\Ronald Wittig\AppData\Local\SwvUpdater
2014-01-09 22:34 . 2014-01-10 01:37 -------- d-----w- c:\program files\MyPC Backup
2014-01-09 22:33 . 2014-01-10 01:32 -------- d-----w- c:\users\Ronald Wittig\AppData\Local\Conduit
2014-01-09 22:33 . 2014-01-10 01:32 -------- d-----w- c:\program files\Conduit
2014-01-09 22:33 . 2014-01-09 23:40 -------- d-----w- c:\users\Ronald Wittig\AppData\Local\SearchProtect
2014-01-09 16:12 . 2014-01-09 16:12 -------- d-----w- c:\programdata\TubeDimmer
2014-01-09 03:50 . 2014-01-10 01:31 -------- d-----w- c:\programdata\RHelpers
2014-01-09 03:50 . 2014-01-10 01:19 -------- d-----w- c:\programdata\Updater
2014-01-09 03:49 . 2014-01-09 03:49 -------- d-----w- c:\program files\sp
2014-01-09 03:19 . 2013-12-04 02:57 7760024 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5885784E-6236-40DB-82C8-927461F7CF9D}\mpengine.dll
2014-01-08 23:29 . 2014-01-08 23:29 -------- d-----w- c:\programdata\Oracle
2014-01-08 23:27 . 2014-01-08 23:26 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-01-08 20:24 . 2014-01-08 20:38 -------- d-----w- c:\programdata\HitmanPro
2014-01-08 19:38 . 2014-01-08 19:38 -------- d-----w- c:\windows\Migration
2014-01-08 19:33 . 2013-12-04 02:57 7760024 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-01-08 18:05 . 2014-01-08 18:05 -------- d-----w- c:\programdata\Malwarebytes
2014-01-08 18:04 . 2014-01-08 18:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2014-01-08 18:04 . 2013-04-04 19:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-12-10 19:00 . 2012-05-09 13:14 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-12-10 19:00 . 2012-05-09 13:14 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-11-19 10:21 . 2012-01-30 02:32 230048 ------w- c:\windows\system32\MpSigStub.exe
2013-10-30 02:13 . 2009-06-09 06:56 1304064 ----a-w- c:\windows\system32\WMALFXGFXDSP.dll
2013-10-30 02:12 . 2013-12-10 23:03 335360 ----a-w- c:\windows\system32\SysFxUI.dll
2013-10-30 01:43 . 2013-12-10 23:03 130048 ----a-w- c:\windows\system32\drivers\drmk.sys
2013-10-30 00:43 . 2013-12-10 23:03 167936 ----a-w- c:\windows\system32\drivers\portcls.sys
2013-10-30 00:35 . 2013-12-10 23:03 2050560 ----a-w- c:\windows\system32\win32k.sys
2013-10-22 07:19 . 2013-12-10 23:03 158208 ----a-w- c:\windows\system32\imagehlp.dll
2013-10-19 07:16 . 2013-12-06 08:17 719224 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4A8AEA09-B29C-4A86-9C0D-B80A7EA31E69}\gapaengine.dll
2013-10-19 07:16 . 2013-08-22 11:59 719224 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-22 39408]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2013-01-11 1653760]
"ConduitFloatingPlugin_lcnnhcneegeeojhgpfijnlnocjdmlaon"="c:\users\Ronald Wittig\AppData\Roaming\ValueApps\CH\TBVerifier.dll" [2013-08-25 281888]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-03-05 6711840]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"QuickTime Task"="c:\program files\quicktime\qttask.exe" [2009-08-24 413696]
"USBestCR"="c:\program files\USIM Editor\iconcs226045823.exe" [2010-09-11 7041024]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-27 207424]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-11 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-11 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-11 172568]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-10-23 948440]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-6-8 50688]
Event Reminder.lnk - c:\program files\broderbund\PrintMaster\PMremind.exe [2009-9-7 331776]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1535769525-1320706262-4005447959-1001]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001
.
R1 abrnwpuu;abrnwpuu;c:\windows\system32\drivers\abrnwpuu.sys [x]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSrv.exe [2009-03-05 81920]
S2 AfaService;Afa Card Reader Service;c:\windows\system32\afasrv32.exe [2010-09-11 65536]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ   PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ   Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ   hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ   FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-12-05 05:55 1210320 ----a-w- c:\program files\google\Chrome\Application\31.0.1650.63\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-01-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-09 19:00]
.
2014-01-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 16:23]
.
2014-01-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 16:23]
.
2014-01-10 c:\windows\Tasks\User_Feed_Synchronization-{EEFEA4B3-79AF-4FAC-927B-333B18AAB383}.job
- c:\windows\system32\msfeedssync.exe [2012-07-04 23:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <-loopback>
uInternet Settings,ProxyServer = http=127.0.0.1:50135;https=127.0.0.1:50135
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-BrowserSafeguard - c:\program files\Browsersafeguard\BrowserSafeguard.exe
AddRemove-Browsersafeguard - c:\program files\Browsersafeguard\uninstall.BrowserSafeguard.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-01-09 21:19
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1535769525-1320706262-4005447959-1001\Software\SecuROM\License information*]
"datasecu"=hex:b3,51,7a,07,ec,aa,e1,01,66,e9,69,ea,eb,42,9a,39,77,7d,86,64,dd,
   60,30,fc,57,71,1e,35,6e,05,94,26,18,ed,b5,bd,63,02,0c,4b,2c,d2,f3,93,64,29,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Dell\Advanced Networking Service\hnm_svc.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\windows\System32\WUDFHost.exe
c:\windows\System32\rundll32.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
.
**************************************************************************
.
Completion time: 2014-01-09  21:22:42 - machine was rebooted
ComboFix-quarantined-files.txt  2014-01-10 02:22
ComboFix2.txt  2014-01-09 03:43
ComboFix3.txt  2014-01-09 01:51
.
Pre-Run: 236,324,675,584 bytes free
Post-Run: 236,365,438,976 bytes free
.
- - End Of File - - A5930F7EE99FCCA9CF8886907FB4DD5D
5C616939100B85E558DA92B899A0FC36
 
 
The first time I ran ComboFix it didn't find anything. I didn't save the log so I just re-ran it and it found root activity. At the end of the scan I got a message saying: " Illegal operation attempted on a registry key that has been marked for deletion"
 
I just tried to open Security Essentials but got the same message - I cannot open the program because it is blocked by group policy
 
I have tried Malwarebytes, ESETSirefefCleaner, FixZeroAccess and a couple of other fixes. There were a number of trojans found by Malwarebytes.
 
I have looked a little at the registry but I cannot find anything obvious.
 
Thank you for looking into this for us.
 
rkwittig
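Added example for this thread (not ComboFix's code and not part of the post): a small Python triage script that reads log lines in the ComboFix format posted above and flags the indicator types that log actually contains, so a responder can see the interesting entries without scrolling the whole report. The sample text is reconstructed from the post with the user name replaced by "user"; the four flag rules and their names are my own heuristics, not ComboFix categories.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix's own code).

Rules applied (assumed heuristics, not ComboFix categories):
  exe-in-roaming-root   an .exe sitting directly in a user's AppData\\Roaming
                        (the 'Other Deletions' list above shows the pattern)
  autostart-in-profile  a Run value whose target lives under AppData (user-writable)
  service-file-missing  a service/driver entry whose file is marked [x] (not on disk)
  loopback-proxy        an IE ProxyServer pointing at 127.0.0.1 / localhost, i.e.
                        browser traffic routed through a local process
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Reconstructed from the log posted above; "user" stands in for the real profile name.
SAMPLE_LOG = r'''
C:\END
c:\users\user\AppData\Roaming\Kernel32.exe
c:\users\user\AppData\Roaming\ntos.exe
c:\users\user\AppData\Roaming\sdra64.exe
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ConduitFloatingPlugin_lcnnhcneegeeojhgpfijnlnocjdmlaon"="c:\users\user\AppData\Roaming\ValueApps\CH\TBVerifier.dll" [2013-08-25 281888]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-10-23 948440]
.
R1 abrnwpuu;abrnwpuu;c:\windows\system32\drivers\abrnwpuu.sys [x]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSrv.exe [2009-03-05 81920]
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <-loopback>
uInternet Settings,ProxyServer = http=127.0.0.1:50135;https=127.0.0.1:50135
'''


@dataclass(frozen=True)
class Finding:
    reason: str  # short rule tag, used for grouping
    line: str    # the log line that triggered the rule


# "Name"="path" [date size]   -- Run-key values in the 'Reg Loading Points' section
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<meta>[^\]]*)\]$')
# R1 svc;display;path [meta] -- service/driver lines; meta is "[x]" when the file is missing
SERVICE = re.compile(r'^(?P<kind>[RS]\d)\s+(?P<svc>[^;]+);(?P<disp>[^;]*);(?P<path>.+?)\s*\[(?P<meta>[^\]]*)\]$')
PROXY = re.compile(r'^uInternet Settings,ProxyServer\s*=\s*(?P<val>.+)$')
ROAMING_EXE = re.compile(r'^c:\\users\\[^\\]+\\appdata\\roaming\\[^\\]+\.exe$', re.I)
USER_WRITABLE = re.compile(r'\\appdata\\(?:roaming|local)\\', re.I)
LOOPBACK = re.compile(r'\b(?:127\.0\.0\.1|localhost)\b', re.I)


def triage(log_text: str) -> list[Finding]:
    """Run every rule over every line and return the findings in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == '.':      # ComboFix uses lone dots as spacers
            continue
        m = RUN_VALUE.match(line)
        if m and USER_WRITABLE.search(m.group('path')):
            findings.append(Finding('autostart-in-profile', line))
            continue
        m = SERVICE.match(line)
        if m:
            if m.group('meta').strip().lower() == 'x':
                findings.append(Finding('service-file-missing', line))
            continue
        m = PROXY.match(line)
        if m and LOOPBACK.search(m.group('val')):
            findings.append(Finding('loopback-proxy', line))
            continue
        if ROAMING_EXE.match(line):
            findings.append(Finding('exe-in-roaming-root', line))
    return findings


def summary(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule tag."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.reason:22} {f.line}')
```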

 




#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:02:41 PM

Posted 11 January 2014 - 06:06 AM

Hello! Welcome to BleepingComputer Forums! :welcome:
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something, don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

 

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.



#3 rkwittig

rkwittig
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:41 AM

Posted 11 January 2014 - 11:19 AM

Thank you so much for helping. Two files attached.

Kate

Attached Files



#4 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:02:41 PM

Posted 12 January 2014 - 05:35 AM

Hi,

 

 

Please download the following file => and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

 

Regards,

Georgi




#5 rkwittig

rkwittig
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:41 AM

Posted 12 January 2014 - 09:01 PM

File attached, 

Kate

Attached Files



#6 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:02:41 PM

Posted 13 January 2014 - 04:00 PM

Hi Kate,

 

How are things now? Does MSE find anything now?

 

I want to make sure there is nothing lurking on the system so just in case I want you to go through these steps:

 

 

STEP 1

 

 

  • Please download RKill by Grinler from the link below and save it to your desktop.

    Rkill
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log.
  • Please post the log in your next reply.

 

 

STEP 2

 

  • Please download RogueKiller.exe and save to the desktop.
  • Close all windows and browsers
  • Right-click the program and select 'Run as Administrator'
  • Press the scan button.
  • A report opens on the desktop named - RKreport.txt
  • Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

 

 

STEP 3
 

 

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed!!
  • A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

 

 

STEP 4

 

 

Please download Malwarebytes Anti-Rootkit and save it to your desktop.

  • Be sure to print out and follow these instructions for performing a scan.
  • Caution: This is a beta version so also read the disclaimer and back up all your data before using.
  • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
  • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
  • Copy and paste the contents of these two log files in your next reply.

Note: Further documentation on this tool can be found in the ReadMe.rtf file which is located in the Malwarebytes Anti-Rootkit (mbar) folder.

 

 

STEP 5

 

 

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

 

 

 

STEP 6

 

 

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

 

 

STEP 7

 

 

1. Please download HitmanPro.

  • For 32-bit Operating System (link)
  • This is the mirror (link)
  • For 64-bit Operating System (link)
  • This is the mirror (link)

2. Launch the program by double-clicking on the HitmanPro icon. (Windows Vista/7 users: right-click on the HitmanPro icon and select Run as administrator.)

Note: If the program won't run, then open the program while holding down the left CTRL key until the program is loaded.

3. Click on the Next button. You must agree with the terms of the EULA (if asked).

4. Check the box beside "No, I only want to perform a one-time scan to check this computer".

5. Click on the Next button.

6. The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.

7. When the scan is done, click on the drop-down menu of the found entries (if any) and choose - Apply to all => Ignore <= IMPORTANT!!!

8. Click on the Next button.

9. Click on the "Save Log" button.

10. Save that file to your desktop and post the content of that file in your next reply.

Note: if there isn't a dropdown menu when the scan is done, then please don't delete anything and close HitmanPro.

Navigate to C:\ProgramData\HitmanPro\Logs, open the report and copy and paste it into your next reply.

 

 

 

STEP 8

 

 

Download Security Check by screen317 from here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

and then if there aren't any issues left I'll give you my final recommendations. :)

 

 

Regards,

Georgi




#7 rkwittig

rkwittig
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:41 AM

Posted 15 January 2014 - 07:42 PM

OK. TDSSKiller found nothing. I couldn't back up the files so I didn't run the Malwarebytes Anti-Rootkit. HitmanPro ran but it didn't behave the way you said. It found threats and I deleted them. I'm hoping this wasn't the wrong action.

 

Thanks so much for helping with this. The Security Essentials does open now. I am going to try to run a scan now.

Kate

Attached Files



#8 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:02:41 PM

Posted 15 January 2014 - 08:17 PM

Hi Kate,

 

It seems that you deleted the entries found by RogueKiller (by yourself) and this is a dangerous practice. Fortunately this didn't cause any problems because the entries were harmless.

As for Hitmanpro you probably missed this note in my instructions:

 

Note: if there isn't a dropdown menu when the scan is done like in the picture below:

[image: 6-scanfin-choose.jpg]

then please don't delete anything and close HitmanPro...

 

Anyway, you were lucky again because the entries were harmless again. :)

 

 

I couldn't back up the files so I didn't run the Malwarebytes Anti-Rootkit.

 

Ok, please run MBAM instead of MBAR then:

 

  • Please download the newest version of Malwarebytes' Anti-Malware and install it.
  • Please start the application by double-clicking on its icon.
  • Once the program has loaded go to the UPDATE tab and check for updates.
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad.
  • Please save it to a convenient location and post the results in your next reply.

 

 

 

Also let's remove a few remnants from the system and then I'll give you my final recommendations:

 

Please download the following file => and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

 

Also you forgot to post the log from SecurityCheck. :)

 

 

 

Regards,

Georgi

 

 

 




#9 rkwittig

rkwittig
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:41 AM

Posted 16 January 2014 - 05:28 PM

Files attached. 

Thanks,

Kate

Attached Files



#10 rkwittig

rkwittig
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:41 AM

Posted 16 January 2014 - 08:25 PM

I did have another question. I have had a message a couple of times about having a conflicting IP address. Is this related?

Thanks,

Kate



#11 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:02:41 PM

Posted 17 January 2014 - 07:20 AM

Hi Kate,

 

You messed things up a bit...

 

Please rename the file fixlist (1).txt back to fixlist.txt

NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

Also you attached a few old logs I didn't ask you to attach:

Also you forgot to attach the log from SecurityCheck again. :)

 

 

 

I did have another question. I have had a message a couple of times about having a conflicting IP address, Is this related?

 

You probably have wrong internet configuration settings set:

 

  • Please download MiniToolBox.exe by Farbar save it to your desktop and run it.
  • Checkmark all boxes.
  • Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.


Note: When using "Reset FF Proxy Settings" option Firefox should be closed!

 

 

Regards,

Georgi




#12 rkwittig

rkwittig
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:41 AM

Posted 21 January 2014 - 06:55 PM

I'm so sorry Georgi, I just had a very busy few days!
I got really confused with all the logs on my desktop and in my download folder. I think I've done this right this time but I don't know which fixlog.txt I should be using. I've attached the one I think is right but please let me know if it's not.
I'm attaching the Result.txt but when I try to run the Security check I get a message saying "Unsupported operating system! Aborted!"

Attached Files



#13 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:02:41 PM

Posted 22 January 2014 - 05:30 PM

Hello Kate,

 

 

There is no need to apologize. I understand this can be frustrating for you. :)

Thanks for the log from MiniToolBox. However, the fixlog.txt isn't the one I wanted to see.

Anyway, to make it easier for you, please delete all FRST, Addition and Fixlog log files and then repeat these steps:

 

 

Please download the following file => fixlist.txt and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

 

when I try to run the Security check I get a message saying "Unsupported operating system! Aborted!"

 

Please reboot the system and run it again. It should produce a log file this time. :)

 

 

 

Regards,

Georgi




#14 rkwittig

rkwittig
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:41 AM

Posted 23 January 2014 - 02:08 PM

Files attached!
Kate

Attached Files



#15 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:02:41 PM

Posted 23 January 2014 - 03:11 PM

Great work Kate...You did it! :)

 

Before I set you free, may I ask that you do the following:

 

Your Adobe Reader is out of date.
Older versions may have vulnerabilities that malware can use to infect your system.
Please download Adobe Reader 11.0.06 to your PC's desktop.
 

  • Uninstall Adobe Reader 9 via Start => Control Panel > Uninstall a program
  • Install the new downloaded updated software.

 

  • It is possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you.
  • Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities.
  • You can check these by visiting Secunia Software Inspector, or you can use the following application for this purpose: PatchMyPC.

 

 

Visit Microsoft's Windows Update Site Frequently

 

  • It is important that you visit Windows Update regularly.
  • This will ensure your computer always has the latest available security updates installed.
  • If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

 

Next please post a new log from SecurityCheck and then I'll give you my final recommendations.

 

 

Regards,

Georgi






