Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

svchost.exe hogging CPU triggers audio--please make it stop


  • This topic is locked This topic is locked
18 replies to this topic

#1 hasuye

hasuye

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:52 PM

Posted 12 March 2014 - 05:52 AM

Cannot get rid of svchost.exe. it is overloading the CPU almost 100% usage for long periods of time also it plays sound that I cannot get rid of over the top of every thing. At first beleived it was an audio stream from a website, but closed all web driven applications and it did not go away, only by killing the svchost.exe process with highest resource usage did it stop, but then I had connectivity issues (but I am not certain the two  are related). When connectivity was restored the issue re-emerged at start-up. Please help!

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18904
Run by maya at 23:36:01 on 2014-03-11
Microsoft® Windows Vista™ Home Premium   6.0.6000.0.1252.1.1033.18.2037.379 [GMT -5:00]
.
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\Webroot\WRSA.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Fitbit Connect\FitbitConnectService.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\NETGEAR Genie\bin\NETGEARGenieDaemon.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Webroot\WRSA.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Fitbit Connect\Fitbit Connect.exe
C:\Users\maya\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Users\maya\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Program Files\NETGEAR Genie\bin\NETGEARGenie.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NETGEAR Genie\bin\genie2_tray.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_12_0_0_70_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Taskmgr.exe
C:\Users\maya\Documents\ProcessExplorer[1]\procexp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\taskeng.exe
C:\Users\maya\AppData\Local\Facebook\Update\FacebookUpdate.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://hclib.org/
uWindow Title = Internet Explorer provided by Dell
uSearch Bar = Preserve
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Webroot Filtering Extension: {C9C42510-9B41-42c1-9DCD-7282A2D07C61} - c:\program files\webroot\wrdata\pkg\vistax86\wrflt.dll
uRun: [GoogleChromeAutoLaunch_FA3693DF56D76D36FA19A4724AD23039] "c:\users\maya\appdata\local\google\chrome\application\chrome.exe" --no-startup-window
uRun: [Fitbit Connect] "c:\program files\fitbit connect\Fitbit Connect.exe" /autorun
uRun: [Google Update] "c:\users\maya\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Spotify Web Helper] "c:\users\maya\appdata\roaming\spotify\data\SpotifyWebHelper.exe"
uRun: [NETGEARGenie] "c:\program files\netgear genie\bin\NETGEARGenie.exe" -mini -redirect
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil32_12_0_0_70_ActiveX.exe -update activex
mRun: [MSConfig] "c:\windows\system32\msconfig.exe" /auto
mRun: [WRSVC] "c:\program files\webroot\WRSA.exe" -ul
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [Fitbit Connect] "c:\program files\fitbit connect\Fitbit Connect.exe" /autorun
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 75.75.76.76 75.75.75.75
TCP: Interfaces\{21505E1E-85A0-4202-A58E-B9E08EB52903} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{8BA66E67-2DFB-4489-9F89-41D37DE82CCE} : DHCPNameServer = 75.75.76.76 75.75.75.75
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs= c:\progra~1\google\google~2\GOEC62~1.DLL
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\maya\appdata\roaming\mozilla\firefox\profiles\b3342110.default\
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.22.5\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20913.0\npctrlui.dll
FF - plugin: c:\users\maya\appdata\local\facebook\video\skype\npFacebookVideoCalling.dll
FF - plugin: c:\users\maya\appdata\local\google\update\1.3.22.5\npGoogleUpdate3.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1207148.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_12_0_0_70.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 WRkrn;WRkrn;c:\windows\system32\drivers\WRkrn.sys [2012-12-22 118240]
R1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\ElRawDsk.sys [2012-12-23 26248]
R2 Fitbit Connect;Fitbit Connect Service;c:\program files\fitbit connect\FitbitConnectService.exe [2012-11-9 1200160]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2012-12-23 1053184]
R2 NETGEARGenieDaemon;NETGEARGenieDaemon;c:\program files\netgear genie\bin\NETGEARGenieDaemon.exe [2013-11-14 195840]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2012-9-22 35088]
R2 PDFsFilter;PDFsFilter;c:\windows\system32\drivers\PDFsFilter.sys [2012-12-23 68464]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-2-8 111104]
S3 CompFilter;UVCCompositeFilter;c:\windows\system32\drivers\lvbusflt.sys [2012-1-18 22176]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2013-10-31 19456]
S4 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-2-8 73728]
S4 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-2-8 30192]
S4 hasplms;Sentinel HASP License Manager;c:\windows\system32\hasplms.exe  -run --> c:\windows\system32\hasplms.exe  -run [?]
S4 lxdv_device;lxdv_device;c:\windows\system32\lxdvcoms.exe -service --> c:\windows\system32\lxdvcoms.exe -service [?]
S4 lxdvCATSCustConnectService;lxdvCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdvserv.exe [2007-10-18 98984]
S4 lxee_device;lxee_device;c:\windows\system32\lxeecoms.exe -service --> c:\windows\system32\lxeecoms.exe -service [?]
.
=============== File Associations ===============
.
FileExt: .scr: scrfile=NOTEPAD.EXE "%1"
FileExt: .reg: regfile=NOTEPAD.EXE "%1"
FileExt: .vbe: VBEFile=NOTEPAD.EXE "%1"
FileExt: .vbs: VBSFile=NOTEPAD.EXE "%1"
FileExt: .js: JSFile=NOTEPAD.EXE "%1"
FileExt: .jse: JSEFile=NOTEPAD.EXE "%1"
FileExt: .wsf: WSFFile=NOTEPAD.EXE "%1"
.
=============== Created Last 30 ================
.
2014-03-07 21:10:11 62576 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{f2fc6512-1bee-4889-927f-63040b0fbb03}\offreg.dll
2014-03-07 20:41:34 7947048 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{f2fc6512-1bee-4889-927f-63040b0fbb03}\mpengine.dll
.
==================== Find3M  ====================
.
2014-03-12 04:18:57 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-03-12 04:18:56 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-03-08 13:48:55 154248 ----a-w- c:\windows\system32\WRusr.dll
2014-03-08 13:48:55 118240 ----a-w- c:\windows\system32\drivers\WRkrn.sys
2014-02-22 09:08:11 96784 ----a-w- c:\windows\system32\packet.dll
2014-02-22 09:08:11 281104 ----a-w- c:\windows\system32\wpcap.dll
2014-02-22 09:08:10 35088 ----a-w- c:\windows\system32\drivers\npf.sys
2013-12-18 12:13:56 231584 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 23:40:19.60 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:52 AM

Posted 12 March 2014 - 06:04 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

 

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )
  • Leave everything else as it is.
  • Close all other running programs as well as your Browser.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 hasuye

hasuye
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:52 PM

Posted 12 March 2014 - 10:06 PM

Marius thank you for your assistance.

 

As I followed the steps you outlined I ran into a problem. After downloading gmer and follow you directions I began the scan. About one minute into the scan I received a Microsoft Windows pop-up that stated the following: b9eq7v85.exe  A problem caused this program to stop running correctly. Windows will close the program and notfiy you if a solution is available. There was also a button to "close program" within the pop-up. When I received the pop-up, gmer grayed out and a blue spinning circle appeared. I waited 15 minutes and nothing changed. I later clicked the close program button within the Microsoft Windows pop-up.



#4 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:52 AM

Posted 13 March 2014 - 08:35 AM

Skip Gmer

 

 

Scan with aswMBR

Please download aswMBR ( 4.5MB ) to your desktop.

  • Double click the aswMBR.exe icon, and click Run.
  • There will be a short delay before the next dialog box comes up. Please just wait a minute or two.
  • When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
  • Typically this is about a 100MB download so depending on your connection speed it can take a short while to download and become ready.
  • Click the Scan button to start the scan once the update has finished downloading
  • On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.

Note: There will also be a file on your desktop named MBR.dat do not delete this for now. It is an actual backup of the MBR (master boot record).


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#5 hasuye

hasuye
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:52 PM

Posted 14 March 2014 - 08:50 PM

Hello Again,

 

Here is the information you requested:

 

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2014-03-14 20:20:56
-----------------------------
20:20:56.715    OS Version: Windows 6.0.6000 
20:20:56.716    Number of processors: 2 586 0xF0D
20:20:56.719    ComputerName: MAYA-PC  UserName: maya
20:21:03.925    Initialize success
20:25:12.839    AVAST engine defs: 14031401
20:25:34.489    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
20:25:34.494    Disk 0 Vendor: TOSHIBA_ LB11 Size: 152627MB BusType: 3
20:25:34.783    Disk 0 MBR read successfully
20:25:34.788    Disk 0 MBR scan
20:25:34.935    Disk 0 Windows VISTA default MBR code
20:25:34.971    Disk 0 Partition 1 00     DE Dell Utility Dell 8.0       62 MB offset 63
20:25:35.084    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS        10240 MB offset 129024
20:25:35.163    Disk 0 Partition 3 80 (A) 07    HPFS/NTFS NTFS       139763 MB offset 21100544
20:25:35.175    Disk 0 Partition - 00     0F Extended LBA              2560 MB offset 307335168
20:25:35.411    Disk 0 Partition 4 00     DD              MSDOS5.0     2559 MB offset 307337216
20:25:35.527    Disk 0 scanning sectors +312578048
20:25:35.982    Disk 0 scanning C:\Windows\system32\drivers
20:26:16.853    Service scanning
20:27:32.741    Service WRkrn C:\Windows\System32\drivers\WRkrn.sys **LOCKED** 32
20:27:39.191    Modules scanning
20:28:00.843    Disk 0 trace - called modules:
20:28:00.873    ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll 
20:28:00.897    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84c50680]
20:28:00.908    3 ntkrnlpa.exe[820b07e2] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x84270030]
20:28:04.660    AVAST engine scan C:\Windows
20:28:11.692    AVAST engine scan C:\Windows\system32
20:35:39.183    AVAST engine scan C:\Windows\system32\drivers
20:36:09.658    AVAST engine scan C:\Users\maya
20:46:43.483    Disk 0 MBR has been saved successfully to "C:\Users\maya\Desktop\MBR.dat"
20:46:43.504    The log file has been saved successfully to "C:\Users\maya\Desktop\aswMBR.txt"
 
 


#6 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:52 AM

Posted 15 March 2014 - 08:59 AM

Combofix

Combofix should only be run when adviced by a team member!

Link


Important - Save the file to your desktop!


  • Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe


When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing ""Illegal operation attempted on a registry key that has been marked for deletion" simply restart your computer to fix this.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#7 hasuye

hasuye
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:52 PM

Posted 15 March 2014 - 12:37 PM

Here is the combofix log:

 

ComboFix 14-03-13.01 - maya 03/15/2014  11:49:35.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6000.0.1252.1.1033.18.2037.1020 [GMT -5:00]
Running from: c:\users\maya\Downloads\ComboFix.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\maya\AppData\Local\ATT Connect\Participant\MSMAsk32.ocx
c:\users\maya\AppData\Roaming\.#
c:\users\maya\AppData\Roaming\.#\MBX@216C@13028D8.###
c:\users\maya\AppData\Roaming\.#\MBX@216C@1302908.###
c:\users\maya\AppData\Roaming\.#\MBX@216C@1302938.###
c:\users\maya\AppData\Roaming\B143F7
c:\windows\system32\Packet.dll
c:\windows\system32\wpcap.dll
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Service_NPF
.
.
(((((((((((((((((((((((((   Files Created from 2014-02-15 to 2014-03-15  )))))))))))))))))))))))))))))))
.
.
2014-03-15 12:42 . 2014-02-06 07:08 7947048 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{2B0825B9-5B14-449E-9043-10C4F3644945}\mpengine.dll
2014-03-13 10:51 . 2014-03-13 10:51 -------- d-----w- c:\program files\Cobian Backup 11
2014-03-08 02:03 . 2014-03-08 02:03 -------- d-----w- c:\windows\Sun
2014-02-28 21:02 . 2014-02-28 21:02 -------- d-----w- c:\program files\Common Files\Skype
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-03-12 05:17 . 2012-06-18 12:48 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-03-12 05:17 . 2011-12-24 13:08 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-03-08 13:48 . 2012-12-23 00:12 154248 ----a-w- c:\windows\system32\WRusr.dll
2014-03-08 13:48 . 2012-12-23 00:12 118240 ----a-w- c:\windows\system32\drivers\WRkrn.sys
2014-02-22 09:08 . 2012-09-22 11:45 35088 ----a-w- c:\windows\system32\drivers\npf.sys
2013-12-18 12:13 . 2012-04-23 16:14 231584 ------w- c:\windows\system32\MpSigStub.exe
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2009-03-03 . 301AE00E12408650BADDC04DBC832830 . 551424 . . [6.0.6001.18226] . . c:\windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6001.18226_none_69bb41ac3deac876\rpcss.dll
[7] 2009-03-03 . 4DFCBDEF3CCAA98F99038DED78945253 . 551424 . . [6.0.6001.22389] . . c:\windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6001.22389_none_6a06ffcd57365beb\rpcss.dll
[-] 2009-03-03 . E049745A29102A35A1B1DEC0A975C40F . 550912 . . [6.0.6000.16386] . . c:\windows\System32\rpcss.dll
[-] 2009-03-03 04:19 . !HASH: COULD NOT OPEN FILE !!!!! . 549888 . . [------] . . c:\windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6000.16830_none_67c4315e40d1bb6c\rpcss.dll
[7] 2009-03-03 . B1BB45E24717A7F790B4411C4446EF5E . 550400 . . [6.0.6000.21023] . . c:\windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6000.21023_none_685b771559e4be8c\rpcss.dll
[7] 2008-01-19 . 33FB1F0193EE2051067441492D56113C . 547328 . . [6.0.6001.18000] . . c:\windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6001.18000_none_69cadbfc3ddffe3c\rpcss.dll
[7] 2006-11-02 . B46D8EA6DD30BAA49F674DACDC4C491F . 545792 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6000.16386_none_67941a0040f4ed68\rpcss.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2014-01-30 21:05 579400 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2014-01-30 21:05 579400 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2014-01-30 21:05 579400 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedViewOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2014-01-30 21:05 579400 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2014-01-30 21:05 579400 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2014-01-30 21:05 579400 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GoogleChromeAutoLaunch_FA3693DF56D76D36FA19A4724AD23039"="c:\users\maya\AppData\Local\Google\Chrome\Application\chrome.exe" [2014-03-02 859464]
"Fitbit Connect"="c:\program files\Fitbit Connect\Fitbit Connect.exe" [2012-11-09 2796576]
"Spotify Web Helper"="c:\users\maya\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2013-05-22 1105408]
"NETGEARGenie"="c:\program files\NETGEAR Genie\bin\NETGEARGenie.exe" [2013-11-14 602880]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WRSVC"="c:\program files\Webroot\WRSA.exe" [2014-03-08 765528]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-28 36864]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2011-08-05 159456]
"Fitbit Connect"="c:\program files\Fitbit Connect\Fitbit Connect.exe" [2012-11-09 2796576]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-02-20 152392]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2013-11-27 106496]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ    autocheck autochk *\0autocheck smrgdf c:\users\maya\AppData\Roaming\iolo\\0iolobtdfg c:\windows\system32
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ioloSystemService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
backup=c:\windows\pss\McAfee Security Scan Plus.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
backup=c:\windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^maya^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
backup=c:\windows\pss\OpenOffice.org 3.0.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^maya^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^wkcalrem.LNK]
backup=c:\windows\pss\wkcalrem.LNK.Startup
backupExtension=.Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MobileDocuments
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MskAgentexe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-07-27 20:51 919008 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-09-07 06:49 159744 ----a-w- c:\program files\DellTPad\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2012-02-23 16:38 59240 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2013-01-28 19:08 59720 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DELL Webcam Manager]
2007-07-27 22:43 118784 ------w- c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
2006-08-04 14:31 952088 ----a-w- c:\program files\EarthLink TotalAccess\TaskPanl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2007-05-25 06:03 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Facebook Update]
2012-08-27 04:00 138096 ----atw- c:\users\maya\AppData\Local\Facebook\Update\FacebookUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-11-16 01:47 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-10-20 04:00 136176 ----atw- c:\users\maya\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoogleChromeAutoLaunch_FA3693DF56D76D36FA19A4724AD23039]
2014-03-02 02:35 859464 ----a-w- c:\users\maya\AppData\Local\Google\Chrome\Application\chrome.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoogleDriveSync]
2014-01-30 21:05 21822128 ----a-w- c:\program files\Google\Drive\googledrivesync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2009-02-27 00:36 30040 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-12-15 03:53 154136 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2007-03-21 19:00 174872 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-12-15 03:54 137752 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2007-03-29 20:41 222128 ----a-w- c:\programdata\Macrovision\FLEXnet Connect\6\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-10-03 17:37 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2013-02-20 18:35 152392 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X5400 Series Fax Server]
2007-11-02 08:38 307880 ----a-w- c:\program files\Lexmark X5400 Series\fm3032.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
2010-10-29 20:06 5915480 ----a-w- c:\program files\Logitech\Vid HD\Vid.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWS]
2011-11-11 19:08 205336 ----a-w- c:\program files\Logitech\LWS\Webcam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdvamon]
2007-11-02 08:38 25256 ----a-w- c:\program files\Lexmark X5400 Series\lxdvamon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdvmon.exe]
2007-11-02 08:38 455336 ----a-w- c:\program files\Lexmark X5400 Series\lxdvmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OEM02Mon.exe]
2007-08-28 05:51 36864 ----a-w- c:\windows\OEM02Mon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2007-11-01 21:39 189736 ------w- c:\program files\Dell\MediaDirect\PCMService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-12-15 03:53 133656 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Push Client]
2010-06-03 21:17 965872 ----a-w- c:\users\maya\AppData\Local\ATT Connect\Participant\pull.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-10-25 09:12 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-11-12 11:07 405504 ----a-w- c:\program files\Sigmatel\C-Major Audio\WDM\sttray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2013-11-14 22:42 20584608 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 19:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-02-08 06:40 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WheelMouse]
2007-02-27 17:30 184320 ----a-w- c:\program files\GE\97769 Dual Scroll Optical Mouse\Amoumain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-02-08 13:55 1006264 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R4 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-11-12 73728]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2014-03-15 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-18 05:18]
.
2014-03-14 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1007851965-2511140675-2661981024-1000Core.job
- c:\users\maya\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-08-27 04:00]
.
2014-03-15 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1007851965-2511140675-2661981024-1000UA.job
- c:\users\maya\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-08-27 04:00]
.
2014-03-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 20:59]
.
2014-03-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 20:59]
.
2014-03-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1007851965-2511140675-2661981024-1000Core.job
- c:\users\maya\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-08 04:00]
.
2014-03-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1007851965-2511140675-2661981024-1000UA.job
- c:\users\maya\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-08 04:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://hclib.org/
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
FF - ProfilePath - c:\users\maya\AppData\Roaming\Mozilla\Firefox\Profiles\b3342110.default\
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE "%1"
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-WudfPf
SafeBoot-WudfRd
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-03-15 12:11
Windows 6.0.6000  NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_12_0_0_77_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_12_0_0_77_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Fitbit Connect\FitbitConnectService.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\iolo\Common\Lib\ioloServiceManager.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\WerCon.exe
c:\windows\system32\Bubbles.scr
c:\windows\system32\lpremove.exe
c:\windows\system32\lpksetup.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2014-03-15  12:25:19 - machine was rebooted
ComboFix-quarantined-files.txt  2014-03-15 17:24
.
Pre-Run: 4,436,135,936 bytes free
Post-Run: 3,701,821,440 bytes free
.
- - End Of File - - 124960AAFB8DE9B612A510C328FCD5D5
5C616939100B85E558DA92B899A0FC36
 



#8 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:52 AM

Posted 15 March 2014 - 02:49 PM

No Antivirus Program installed!

I don't see an Anti Virus Program running on your machine.

Download and install an antivirus program, and make sure that you keep it updated New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.

Two good antivirus programs free for non-commercial home use are
Avast!
or
Microsoft Security Essentials

Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

 

 

 

Combofix scripting

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.


CFScriptB-4.gif


Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

 

 

 

 

Attached Files


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#9 hasuye

hasuye
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:52 PM

Posted 15 March 2014 - 03:17 PM

I have Webroot SecureAnywhere installed I disabled it to run combofix. Are you saying this program is not sufficient? Are you reccommending I install Avast or MS Security Essentials?



#10 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:52 AM

Posted 15 March 2014 - 03:55 PM

It is not displayed by Combofix. This may happen under some circumstances.

Please proceed with Combofix script


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#11 hasuye

hasuye
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:52 PM

Posted 15 March 2014 - 03:58 PM

ComboFix 14-03-13.01 - maya 03/15/2014  15:34:30.2.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6000.0.1252.1.1033.18.2037.1042 [GMT -5:00]
Running from: c:\users\maya\Desktop\ComboFix.exe
Command switches used :: c:\users\maya\Desktop\CFScript.txt
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6000.16386_none_67941a0040f4ed68\rpcss.dll --> c:\windows\System32\rpcss.dll
.
(((((((((((((((((((((((((   Files Created from 2014-02-15 to 2014-03-15  )))))))))))))))))))))))))))))))
.
.
2014-03-15 20:49 . 2014-03-15 20:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-03-15 17:25 . 2014-03-15 20:49 -------- d-----w- c:\users\maya\AppData\Local\temp
2014-03-15 12:42 . 2014-02-06 07:08 7947048 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{2B0825B9-5B14-449E-9043-10C4F3644945}\mpengine.dll
2014-03-13 10:51 . 2014-03-13 10:51 -------- d-----w- c:\program files\Cobian Backup 11
2014-03-08 02:03 . 2014-03-08 02:03 -------- d-----w- c:\windows\Sun
2014-02-28 21:02 . 2014-02-28 21:02 -------- d-----w- c:\program files\Common Files\Skype
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-03-12 05:17 . 2012-06-18 12:48 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-03-12 05:17 . 2011-12-24 13:08 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-03-08 13:48 . 2012-12-23 00:12 154248 ----a-w- c:\windows\system32\WRusr.dll
2014-03-08 13:48 . 2012-12-23 00:12 118240 ----a-w- c:\windows\system32\drivers\WRkrn.sys
2014-02-22 09:08 . 2012-09-22 11:45 35088 ----a-w- c:\windows\system32\drivers\npf.sys
2013-12-18 12:13 . 2012-04-23 16:14 231584 ------w- c:\windows\system32\MpSigStub.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2014-01-30 21:05 579400 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2014-01-30 21:05 579400 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2014-01-30 21:05 579400 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedViewOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2014-01-30 21:05 579400 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2014-01-30 21:05 579400 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2014-01-30 21:05 579400 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GoogleChromeAutoLaunch_FA3693DF56D76D36FA19A4724AD23039"="c:\users\maya\AppData\Local\Google\Chrome\Application\chrome.exe" [2014-03-15 859976]
"Fitbit Connect"="c:\program files\Fitbit Connect\Fitbit Connect.exe" [2012-11-09 2796576]
"Spotify Web Helper"="c:\users\maya\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2013-05-22 1105408]
"NETGEARGenie"="c:\program files\NETGEAR Genie\bin\NETGEARGenie.exe" [2013-11-14 602880]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WRSVC"="c:\program files\Webroot\WRSA.exe" [2014-03-08 765528]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-28 36864]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2011-08-05 159456]
"Fitbit Connect"="c:\program files\Fitbit Connect\Fitbit Connect.exe" [2012-11-09 2796576]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-02-20 152392]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2013-11-27 106496]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ    autocheck autochk *\0autocheck smrgdf c:\users\maya\AppData\Roaming\iolo\\0iolobtdfg c:\windows\system32
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ioloSystemService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
backup=c:\windows\pss\McAfee Security Scan Plus.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
backup=c:\windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^maya^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
backup=c:\windows\pss\OpenOffice.org 3.0.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^maya^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^wkcalrem.LNK]
backup=c:\windows\pss\wkcalrem.LNK.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-07-27 20:51 919008 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-09-07 06:49 159744 ----a-w- c:\program files\DellTPad\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2012-02-23 16:38 59240 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2013-01-28 19:08 59720 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DELL Webcam Manager]
2007-07-27 22:43 118784 ------w- c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
2006-08-04 14:31 952088 ----a-w- c:\program files\EarthLink TotalAccess\TaskPanl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2007-05-25 06:03 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Facebook Update]
2012-08-27 04:00 138096 ----atw- c:\users\maya\AppData\Local\Facebook\Update\FacebookUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-11-16 01:47 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-10-20 04:00 136176 ----atw- c:\users\maya\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoogleChromeAutoLaunch_FA3693DF56D76D36FA19A4724AD23039]
2014-03-15 00:50 859976 ----a-w- c:\users\maya\AppData\Local\Google\Chrome\Application\chrome.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoogleDriveSync]
2014-01-30 21:05 21822128 ----a-w- c:\program files\Google\Drive\googledrivesync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2009-02-27 00:36 30040 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-12-15 03:53 154136 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2007-03-21 19:00 174872 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-12-15 03:54 137752 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2007-03-29 20:41 222128 ----a-w- c:\programdata\Macrovision\FLEXnet Connect\6\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-10-03 17:37 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2013-02-20 18:35 152392 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X5400 Series Fax Server]
2007-11-02 08:38 307880 ----a-w- c:\program files\Lexmark X5400 Series\fm3032.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
2010-10-29 20:06 5915480 ----a-w- c:\program files\Logitech\Vid HD\Vid.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWS]
2011-11-11 19:08 205336 ----a-w- c:\program files\Logitech\LWS\Webcam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdvamon]
2007-11-02 08:38 25256 ----a-w- c:\program files\Lexmark X5400 Series\lxdvamon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdvmon.exe]
2007-11-02 08:38 455336 ----a-w- c:\program files\Lexmark X5400 Series\lxdvmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OEM02Mon.exe]
2007-08-28 05:51 36864 ----a-w- c:\windows\OEM02Mon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2007-11-01 21:39 189736 ------w- c:\program files\Dell\MediaDirect\PCMService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-12-15 03:53 133656 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Push Client]
2010-06-03 21:17 965872 ----a-w- c:\users\maya\AppData\Local\ATT Connect\Participant\pull.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-10-25 09:12 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-11-12 11:07 405504 ----a-w- c:\program files\Sigmatel\C-Major Audio\WDM\sttray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2013-11-14 22:42 20584608 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 19:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-02-08 06:40 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WheelMouse]
2007-02-27 17:30 184320 ----a-w- c:\program files\GE\97769 Dual Scroll Optical Mouse\Amoumain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-02-08 13:55 1006264 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R4 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-11-12 73728]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2014-03-15 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-18 05:18]
.
2014-03-14 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1007851965-2511140675-2661981024-1000Core.job
- c:\users\maya\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-08-27 04:00]
.
2014-03-15 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1007851965-2511140675-2661981024-1000UA.job
- c:\users\maya\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-08-27 04:00]
.
2014-03-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 20:59]
.
2014-03-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 20:59]
.
2014-03-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1007851965-2511140675-2661981024-1000Core.job
- c:\users\maya\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-08 04:00]
.
2014-03-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1007851965-2511140675-2661981024-1000UA.job
- c:\users\maya\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-08 04:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://hclib.org/
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\maya\AppData\Roaming\Mozilla\Firefox\Profiles\b3342110.default\
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-RunOnce-SMRequiresRestart - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-03-15 15:49
Windows 6.0.6000  NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_12_0_0_77_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_12_0_0_77_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2014-03-15  15:55:34
ComboFix-quarantined-files.txt  2014-03-15 20:55
ComboFix2.txt  2014-03-15 17:25
.
Pre-Run: 4,721,147,904 bytes free
Post-Run: 4,426,039,296 bytes free
.
- - End Of File - - 45170B3515D92C0EB0810D64D8EB6C14
5C616939100B85E558DA92B899A0FC36
 



#12 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:52 AM

Posted 15 March 2014 - 04:00 PM

Full System Scan with Malwarebytes Antimalware

  • If not existing, please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.


If the program is already installed:
  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform fullscan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.

 

 

 

Scan with ESET Online Scan

Please go to here to run the online scannner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats' , then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#13 hasuye

hasuye
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:52 PM

Posted 15 March 2014 - 10:37 PM

Log from Malwarebytes:

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.03.15.04

Windows Vista x86 NTFS
Internet Explorer 8.0.6001.18904
maya :: MAYA-PC [administrator]

3/15/2014 4:10:45 PM
mbam-log-2014-03-15 (16-10-45).txt

Scan type: Full scan (C:\|D:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 424105
Time elapsed: 2 hour(s), 45 minute(s), 49 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Users\maya\Documents\HomeworkSimplified MATH.exe (PUP.Optional.MindSpark.A) -> Quarantined and deleted successfully.
C:\Windows\System32\unamjy.nfu (Trojan.Zekos.Patchedwv0) -> Quarantined and deleted successfully.

(end)

 

Log from ESET:

C:\Qoobox\Quarantine\C\Windows\System32\rpcss.dll.vir Win32/Patched.IB trojan



#14 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:52 AM

Posted 17 March 2014 - 03:07 AM

Then we can do the cleanup - if you are facing any issues, report that immediately.

Delete junk with adwCleaner


Please download AdwCleaner to your desktop.

  • Run adwcleaner.exe
  • Hit Scan and wait for the scan to finish.
  • Confirm the message but don´t uncheck anything.
  • Hit Clean
  • When the run is finished, it will open up a text file
  • Please post its contents within your next reply
  • You´ll find the log file at C:\AdwCleaner[S1].txt also

Delete junk with JRT

thisisujrt.gif Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

SecurityCheck

Please download SecurityCheck: LINK1 LINK2

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan finished the (checkup.txt) will open. Copy its content to your thread.

Edited by TB-Psychotic, 17 March 2014 - 03:07 AM.

Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#15 hasuye

hasuye
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:52 PM

Posted 18 March 2014 - 05:41 AM

AdwCleaner log:

# AdwCleaner v3.022 - Report created 18/03/2014 at 04:55:58
# Updated 13/03/2014 by Xplode
# Operating System : Windows Vista ™ Home Premium  (32 bits)
# Username : maya - MAYA-PC
# Running from : C:\Users\maya\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VQUCXSMC\2-adwcleaner[1].exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}
Key Deleted : HKCU\Software\YahooPartnerToolbar

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18904

-\\ Mozilla Firefox v27.0.1 (en-US)

[ File : C:\Users\maya\AppData\Roaming\Mozilla\Firefox\Profiles\b3342110.default\prefs.js ]

-\\ Google Chrome v

[ File : C:\Users\maya\AppData\Local\Google\Chrome\User Data\Default\preferences ]

*************************

AdwCleaner[R0].txt - [1663 octets] - [18/03/2014 04:49:56]
AdwCleaner[S0].txt - [1600 octets] - [18/03/2014 04:55:58]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1660 octets] ##########

 

JRT log:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.2 (02.20.2014:1)
OS: Windows Vista ™ Home Premium x86
Ran by maya on Tue 03/18/2014 at  5:22:49.53
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

 

~~~ Registry Keys

 

~~~ Files

 

~~~ Folders

 

~~~ FireFox

Emptied folder: C:\Users\maya\AppData\Roaming\mozilla\firefox\profiles\b3342110.default\minidumps [12 files]

 

~~~ Event Viewer Logs were cleared

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 03/18/2014 at  5:31:49.32
Computer was rebooted
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Security Check Log:

 

 UNSUPPORTED OPERATING SYSTEM! ABORTED!
 






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users