
Rocketfuel / Conduit / Mobogenie


This topic is locked.
38 replies to this topic

#1 Selmy (Members, 18 posts)

Posted 13 March 2014 - 04:26 PM

Hi all,

 

I've been struggling with an infection for the last couple days that I believe resulted from trying to install a bogus fraps/game recorder. I noticed the issues immediately after the installation and began taking steps to clean up my computer, but still seem to be having problems. Below will be a short description and I have attached DDS logs for both Normal and Safemode windows. I'll be checking back periodically so I appreciate anyone who takes the time to help me out. Thanks!

 

-----

Description:

MoboGenie, Rocketfuel and Conduit Search detected on the computer.

Attached files: Attach Normal.txt (10.67KB), DDS Normal.txt (12.01KB), Attach SM.txt (10.9KB), DDS SM.txt (10.44KB)

 

Symptoms:

Slow browsing with Chrome and IE 10

Frequent slowdowns / locking of the computer that freezes everything from windows explorer to task manager

(Possibly related?) inability to connect to Steam through the steam client

 

Steps Taken:

Cleared Windows and User temp files, reset browsers to defaults, reinstalled Chrome

Ran adwcleaner, MBAM (quick/fullscan), MBAR, Kaspersky TDSSKiller, RogueKiller, HItman Pro

 

I have run this gauntlet twice now, once in normal windows and once in SM w/N. There appears to be temporary relief but the issue persists and malware reappears on the machine.

 

Windows Startup items disabled:

Disabled ConduitFloatingPlugin_lcnnhcneegeeojhgpfijnlnocjdmlaon

mobilegeni daemon

 

Windows Services disabled:

none

 

-----

 

As stated above, after trying to clean up, the issues still persist. If I run a full MBAM scan in normal Windows it returns clean, but the mobilegeni daemon and ConduitFloatingPlugin are still listed under msconfig.

 

Any help would be greatly appreciated. Thanks in advance for your time!


Edited by Selmy, 13 March 2014 - 04:28 PM.




#2 jeffce (Malware Response Team, 3,442 posts, USA)

Posted 13 March 2014 - 07:32 PM

Hi and Welcome!!   
 
My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • If you happen to have a flash drive/thumb drive please have that ready in the event that we need to use it.
  • Please be sure to subscribe to the topic if you have not already done so.

IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your operating system and losing all your programs and data.

 
Having said that.... Let's get going!!
----------



#3 jeffce (Malware Response Team, 3,442 posts, USA)

Posted 13 March 2014 - 07:34 PM

Malwarebytes Anti-Rootkit
 
Please download Malwarebytes Anti-Rootkit and save it to your desktop.

  • Be sure to print out and follow the instructions provided on that same page.
  • Caution: This is a beta version so please be sure to read the disclaimer and back up all your data before using.
  • Scan your system for malware
  • If malware is found, please go to the MBAR folder and then copy/paste the contents of the MBAR-log-***.txt file to your next reply.

If there is no malware found, please let me know as well.
----------
 

AdwCleaner
 
Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

----------



#4 Selmy (Topic Starter, Members, 18 posts)

Posted 13 March 2014 - 08:36 PM

MBAR:

No malware found!

 

AdwCleaner:

 

# AdwCleaner v3.022 - Report created 13/03/2014 at 21:28:22
# Updated 13/03/2014 by Xplode
# Operating System : Windows 7 Ultimate Service Pack 1 (64 bits)
# Username : ~ - ~-PC
# Running from : C:\Users\~\Downloads\AdwCleaner.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v10.0.9200.16843
 
 
-\\ Google Chrome v33.0.1750.146
 
[ File : C:\Users\~\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [3526 octets] - [09/03/2014 21:26:21]
AdwCleaner[R1].txt - [3253 octets] - [13/03/2014 16:43:17]
AdwCleaner[R2].txt - [935 octets] - [13/03/2014 21:27:48]
AdwCleaner[R3].txt - [796 octets] - [13/03/2014 21:28:22]
AdwCleaner[S0].txt - [3378 octets] - [13/03/2014 16:44:49]
 
########## EOF - C:\AdwCleaner\AdwCleaner[R3].txt - [915 octets] ##########
 
 
Looks like a clean slate according to these programs, which I guess does not surprise me. I will keep an eye on it and reply if I find any further indication of this being related to malware. Thanks for your reply!

Edited by Selmy, 13 March 2014 - 08:38 PM.


#5 jeffce (Malware Response Team, 3,442 posts, USA)

Posted 14 March 2014 - 11:01 AM

Hi,
 
There are some entries that do need to be repaired and removed though.   :)
 
Let's continue....
 
ComboFix
 
Download Combofix from either of the links below, and save it to your desktop.  
Link 1
Link 2
 
**Note:  It is important that it is saved directly to your desktop**
If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.


 
--------------------------------------------------------------------
 
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
 
--------------------------------------------------------------------
 
Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.


#6 jeffce (Malware Response Team, 3,442 posts, USA)

Posted 16 March 2014 - 10:05 AM

Still with me?  :)



#7 jeffce (Malware Response Team, 3,442 posts, USA)

Posted 17 March 2014 - 11:11 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.


#8 hamluis (Moderator, 56,131 posts, Killeen, TX)

Posted 19 March 2014 - 05:49 AM

Topic reopened, OP opened topic in AII (which I closed).

 

Louis



#9 Selmy (Topic Starter, Members, 18 posts)

Posted 19 March 2014 - 08:06 AM

Hi Jeff!

I'm back and still having issues. Please let me know what the next steps should be and I'll be happy to proceed. I've posted some new and hopefully relevant information below.

 

=====

Symptoms:

1. Computer will freeze within less than 5 minutes of startup, all programs/explorers/browsers are non responsive

 

2. Intel CPU Usage monitor pegs Core1 over to 100% and stays stuck there for the period of the "Freeze"

 

3. Computer sometimes breaks out of this after several minutes and returns to normal operations, only to freeze again in another 5-15 minutes

=====

 

=====

Steps Taken:

1. Comprehensive malware scanning & virus removal procedure (see link to other topic above)

 

2. Updated Video drivers, chipset drivers, etc. to most recent stable versions

 

3. Ran Windows updates and installed all priority updates

 

4. Ran Windows Memory Diagnostic (good)

 

5. Modified windows virtual memory cache size from (~alot) to 2048mb

=====

 

=====

Important Event Viewer entry under Administrative Events

Timestamps seem to coincide with the onset of the issue

 

Source: WMI

 

Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

=====

 

=====

MiniToolBox Logfile

Thanks for reading!

======

MiniToolBox by Farbar  Version: 23-01-2014
Ran by User (administrator) on 18-03-2014 at 20:15:03
Running from "D:\Downloads"
Microsoft Windows 7 Ultimate  Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************
 
========================= Flush DNS: ===================================
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========================= IE Proxy Settings: ============================== 
 
Proxy is not enabled.
No Proxy Server is set.
 
"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================
 
 
54.225.95.126 ajakpekbmnkgnjbpajgkdhimcbeoocam
 
========================= IP Configuration: ================================
 
Realtek PCIe GBE Family Controller = Local Area Connection (Connected)
Hamachi Network Interface = Hamachi (Connected)
 
 
# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4
 
reset
set global icmpredirects=enabled
add route prefix=0.0.0.0/0 interface="Hamachi" nexthop=25.0.0.1 publish=Yes
set interface interface="Hamachi" forwarding=disabled advertise=disabled metric=9000 siteprefixlength=0 nud=disabled routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled advertisedrouterlifetime=0 advertisedefaultroute=disabled currenthoplimit=0 forcearpndwolpattern=disabled enabledirectedmacwolpattern=disabled
 
 
popd
# End of IPv4 configuration
 
 
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : User-PC
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : Belkin
 
Ethernet adapter Local Area Connection:
 
   Connection-specific DNS Suffix  . : Belkin
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : C8-60-00-C3-98-4E
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::5088:cd70:19b:5cbf%11(Preferred) 
   IPv4 Address. . . . . . . . . . . : 192.168.1.100(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Tuesday, March 18, 2014 8:09:56 PM
   Lease Expires . . . . . . . . . . : Saturday, April 25, 2150 2:43:20 AM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 248012800
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-5A-AA-A1-C8-60-00-C3-98-4E
   DNS Servers . . . . . . . . . . . : 8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Ethernet adapter Hamachi:
 
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Hamachi Network Interface
   Physical Address. . . . . . . . . : 7A-79-19-14-03-10
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2620:9b::1914:310(Preferred) 
   Link-local IPv6 Address . . . . . : fe80::6171:f01b:a5c1:787a%15(Preferred) 
   IPv4 Address. . . . . . . . . . . : 25.20.3.16(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.0.0.0
   Lease Obtained. . . . . . . . . . : Tuesday, March 18, 2014 8:09:55 PM
   Lease Expires . . . . . . . . . . : Tuesday, March 18, 2014 8:18:23 PM
   Default Gateway . . . . . . . . . : 2620:9b::1900:1
                                       25.0.0.1
   DHCP Server . . . . . . . . . . . : 25.0.0.1
   DHCPv6 IAID . . . . . . . . . . . : 343570713
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-5A-AA-A1-C8-60-00-C3-98-4E
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Tunnel adapter isatap.{FE194944-471B-45EF-BED0-4E52496B2888}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter Teredo Tunneling Pseudo-Interface:
 
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6ab8:3c80:3f4f:cd4b:3479(Preferred) 
   Link-local IPv6 Address . . . . . : fe80::3c80:3f4f:cd4b:3479%13(Preferred) 
   Default Gateway . . . . . . . . . : 
   NetBIOS over Tcpip. . . . . . . . : Disabled
 
Tunnel adapter isatap.Belkin:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : Belkin
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Server:  google-public-dns-a.google.com
Address:  8.8.8.8
 
Name:    google.com
Addresses:  2607:f8b0:4002:c06::66
 74.125.21.101
 74.125.21.100
 74.125.21.139
 74.125.21.138
 74.125.21.113
 74.125.21.102
 
 
Pinging google.com [74.125.21.101] with 32 bytes of data:
Reply from 74.125.21.101: bytes=32 time=13ms TTL=45
Reply from 74.125.21.101: bytes=32 time=14ms TTL=45
 
Ping statistics for 74.125.21.101:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 13ms, Maximum = 14ms, Average = 13ms
Server:  google-public-dns-a.google.com
Address:  8.8.8.8
 
Name:    yahoo.com
Addresses:  98.139.183.24
 206.190.36.45
 98.138.253.109
 
 
Pinging yahoo.com [98.139.183.24] with 32 bytes of data:
Reply from 98.139.183.24: bytes=32 time=55ms TTL=51
Reply from 98.139.183.24: bytes=32 time=58ms TTL=51
 
Ping statistics for 98.139.183.24:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 55ms, Maximum = 58ms, Average = 56ms
 
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
 
Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
 11...c8 60 00 c3 98 4e ......Realtek PCIe GBE Family Controller
 15...7a 79 19 14 03 10 ......Hamachi Network Interface
  1...........................Software Loopback Interface 1
 12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================
 
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         25.0.0.1       25.20.3.16   9256
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.100     10
         25.0.0.0        255.0.0.0         On-link        25.20.3.16   9256
       25.20.3.16  255.255.255.255         On-link        25.20.3.16   9256
   25.255.255.255  255.255.255.255         On-link        25.20.3.16   9256
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link     192.168.1.100    266
    192.168.1.100  255.255.255.255         On-link     192.168.1.100    266
    192.168.1.255  255.255.255.255         On-link     192.168.1.100    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.1.100    266
        224.0.0.0        240.0.0.0         On-link        25.20.3.16   9256
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.1.100    266
  255.255.255.255  255.255.255.255         On-link        25.20.3.16   9256
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0         25.0.0.1  Default 
===========================================================================
 
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 15   9020 ::/0                     2620:9b::1900:1
  1    306 ::1/128                  On-link
 13     58 2001::/32                On-link
 13    306 2001:0:9d38:6ab8:3c80:3f4f:cd4b:3479/128
                                    On-link
 15    276 2620:9b::/64             On-link
 15    276 2620:9b::/96             On-link
 15    276 2620:9b::1914:310/128    On-link
 11    266 fe80::/64                On-link
 15    276 fe80::/64                On-link
 13    306 fe80::/64                On-link
 13    306 fe80::3c80:3f4f:cd4b:3479/128
                                    On-link
 11    266 fe80::5088:cd70:19b:5cbf/128
                                    On-link
 15    276 fe80::6171:f01b:a5c1:787a/128
                                    On-link
  1    306 ff00::/8                 On-link
 13    306 ff00::/8                 On-link
 11    266 ff00::/8                 On-link
 15    276 ff00::/8                 On-link
===========================================================================
Persistent Routes:
 If Metric Network Destination      Gateway
  0 4294967295 2620:9b::/96             On-link
  0   9000 ::/0                     2620:9b::1900:1
===========================================================================
========================= Winsock entries =====================================
 
Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog5 07 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [134528] (Microsoft Corporation)
Catalog5 08 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [134528] (Microsoft Corporation)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog5 07 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [168304] (Microsoft Corporation)
x64-Catalog5 08 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [168304] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
 
========================= Event log errors: ===============================
 
Application errors:
==================
Error: (03/18/2014 08:11:50 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (03/18/2014 08:09:59 PM) (Source: Winlogon) (User: )
Description: Windows license activation failed. Error 0x80070005.
 
Error: (03/18/2014 08:07:46 PM) (Source: Winlogon) (User: )
Description: Windows license activation failed. Error 0x80070005.
 
Error: (03/18/2014 08:04:01 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (03/18/2014 08:02:14 PM) (Source: Winlogon) (User: )
Description: Windows license activation failed. Error 0x80070005.
 
Error: (03/18/2014 07:56:00 PM) (Source: Application Hang) (User: )
Description: The program taskmgr.exe version 6.1.7601.17514 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
 
Process ID: 16f0
 
Start Time: 01cf430546231b55
 
Termination Time: 2
 
Application Path: C:\Windows\system32\taskmgr.exe
 
Report Id: d590a452-aef8-11e3-bf9b-c86000c3984e
 
Error: (03/18/2014 07:53:45 PM) (Source: Application Hang) (User: )
Description: The program explorer.exe version 6.1.7601.17514 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
 
Process ID: 1110
 
Start Time: 01cf43052eee5e28
 
Termination Time: 4970
 
Application Path: C:\Windows\explorer.exe
 
Report Id: 85300e58-aef8-11e3-bf9b-c86000c3984e
 
Error: (03/18/2014 07:52:55 PM) (Source: Application Hang) (User: )
Description: The program Explorer.EXE version 6.1.7601.17514 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
 
Process ID: b04
 
Start Time: 01cf43047f930fa8
 
Termination Time: 16538
 
Application Path: C:\Windows\Explorer.EXE
 
Report Id: 5febde37-aef8-11e3-bf9b-c86000c3984e
 
Error: (03/18/2014 07:49:52 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (03/18/2014 07:48:01 PM) (Source: Winlogon) (User: )
Description: Windows license activation failed. Error 0x80070005.
 
 
System errors:
=============
Error: (03/18/2014 08:08:04 PM) (Source: NetBT) (User: )
Description: The name "WORKGROUP      :1d" could not be registered on the interface with IP address 192.168.1.100.
The computer with the IP address 192.168.1.101 did not allow the name to be claimed by
this computer.
 
Error: (03/18/2014 08:07:41 PM) (Source: EventLog) (User: )
Description: The previous system shutdown at 8:06:28 PM on 3/18/2014 was unexpected.
 
Error: (03/18/2014 07:43:38 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: 
%%1068
 
Error: (03/18/2014 07:43:38 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: 
%%1068
 
Error: (03/18/2014 07:43:38 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: 
%%1068
 
Error: (03/18/2014 07:43:38 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: 
%%1068
 
Error: (03/18/2014 07:43:38 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: 
%%1068
 
Error: (03/18/2014 07:43:38 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: 
%%1068
 
Error: (03/18/2014 07:43:38 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: 
%%1068
 
Error: (03/18/2014 07:43:38 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: 
%%1068
 
 
Microsoft Office Sessions:
=========================
Error: (03/18/2014 08:11:50 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (03/18/2014 08:09:59 PM) (Source: Winlogon)(User: )
Description: 0x800700050x00000000
 
Error: (03/18/2014 08:07:46 PM) (Source: Winlogon)(User: )
Description: 0x800700050x00000000
 
Error: (03/18/2014 08:04:01 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (03/18/2014 08:02:14 PM) (Source: Winlogon)(User: )
Description: 0x800700050x00000000
 
Error: (03/18/2014 07:56:00 PM) (Source: Application Hang)(User: )
Description: taskmgr.exe6.1.7601.1751416f001cf430546231b552C:\Windows\system32\taskmgr.exed590a452-aef8-11e3-bf9b-c86000c3984e
 
Error: (03/18/2014 07:53:45 PM) (Source: Application Hang)(User: )
Description: explorer.exe6.1.7601.17514111001cf43052eee5e284970C:\Windows\explorer.exe85300e58-aef8-11e3-bf9b-c86000c3984e
 
Error: (03/18/2014 07:52:55 PM) (Source: Application Hang)(User: )
Description: Explorer.EXE6.1.7601.17514b0401cf43047f930fa816538C:\Windows\Explorer.EXE5febde37-aef8-11e3-bf9b-c86000c3984e
 
Error: (03/18/2014 07:49:52 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (03/18/2014 07:48:01 PM) (Source: Winlogon)(User: )
Description: 0x800700050x00000000
 
 
CodeIntegrity Errors:
===================================
  Date: 2013-06-24 22:35:19.848
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\atikmpag.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2013-06-24 22:35:19.848
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\atikmpag.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2013-06-24 22:35:15.050
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\AtihdW76.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2013-06-24 22:35:15.050
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\AtihdW76.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2013-06-24 22:27:55.136
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\atikmpag.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2013-06-24 22:27:55.120
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\atikmpag.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
 
=========================== Installed Programs ============================
 
µTorrent (Version: 3.3.2.30303)
7-Zip 9.20 (x64 edition) (Version: 9.20.00.0)
7-Zip 9.25 (x64 edition) (Version: 9.25.00.0)
A Game of Thrones version 0.6 (Version: 0.6)
Adobe Photoshop CC (Version: 14.0)
Adobe Reader XI (11.0.03) (Version: 11.0.03)
Akamai NetSession Interface
AMD Accelerated Video Transcoding (Version: 13.20.100.31206)
AMD Catalyst Control Center (Version: 2013.1206.1603.28764)
AMD Catalyst Install Manager (Version: 8.0.915.0)
AMD Drag and Drop Transcoding (Version: 2.00.0000)
AMD Media Foundation Decoders (Version: 1.0.81206.1620)
AMD Wireless Display v3.0 (Version: 1.0.0.12)
AMD Wireless Display v3.0 (Version: 1.0.0.14)
Baldur's Gate: Enhanced Edition
BIT.TRIP Presents... Runner2: Future Legend of Rhythm Alien
Catalyst Control Center - Branding (Version: 1.00.0000)
Catalyst Control Center Graphics Previews Common (Version: 2013.1206.1603.28764)
Catalyst Control Center InstallProxy (Version: 2013.0328.2218.38225)
Catalyst Control Center InstallProxy (Version: 2013.1206.1603.28764)
Catalyst Control Center Localization All (Version: 2013.1206.1603.28764)
CCC Help Chinese Standard (Version: 2013.1206.1602.28764)
CCC Help Chinese Traditional (Version: 2013.1206.1602.28764)
CCC Help Czech (Version: 2013.1206.1602.28764)
CCC Help Danish (Version: 2013.1206.1602.28764)
CCC Help Dutch (Version: 2013.1206.1602.28764)
CCC Help English (Version: 2013.1206.1602.28764)
CCC Help Finnish (Version: 2013.1206.1602.28764)
CCC Help French (Version: 2013.1206.1602.28764)
CCC Help German (Version: 2013.1206.1602.28764)
CCC Help Greek (Version: 2013.1206.1602.28764)
CCC Help Hungarian (Version: 2013.1206.1602.28764)
CCC Help Italian (Version: 2013.1206.1602.28764)
CCC Help Japanese (Version: 2013.1206.1602.28764)
CCC Help Korean (Version: 2013.1206.1602.28764)
CCC Help Norwegian (Version: 2013.1206.1602.28764)
CCC Help Polish (Version: 2013.1206.1602.28764)
CCC Help Portuguese (Version: 2013.1206.1602.28764)
CCC Help Russian (Version: 2013.1206.1602.28764)
CCC Help Spanish (Version: 2013.1206.1602.28764)
CCC Help Swedish (Version: 2013.1206.1602.28764)
CCC Help Thai (Version: 2013.1206.1602.28764)
CCC Help Turkish (Version: 2013.1206.1602.28764)
ccc-utility64 (Version: 2013.1206.1603.28764)
Core Temp version 0.99.7 (Version: 0.99.7)
Corsair SSD Toolbox 1.2.0.9 (Version: 1.2.0.9)
CPUID CPU-Z 1.67
Crusader Kings II
Dawn Of Fantasy (Version: 1.0.0.0)
Divinity Original Sin
Dragon Age Awakening Redesigned
Dragon Age Awakening Velanna Redesigned©
Dragon Age Redesigned © Morrigan
Dragon Age Redesigned- Leliana's Song
Dragon Age Redesigned Oghren©
Dragon Age Redesigned©
Dragon Age Redesigned© Leliana
Dragon Age Redesigned© Sten
Dragon Age Redesigned© Wynne
Dropbox (Version: 2.4.11)
FINAL FANTASY XIV: A Realm Reborn
Google Chrome (Version: 33.0.1750.154)
Google Update Helper (Version: 1.3.22.5)
HP Deskjet 3050 J610 series Basic Device Software (Version: 28.0.1315.0)
Intel® Management Engine Components (Version: 8.1.0.1252)
Intel® USB 3.0 eXtensible Host Controller Driver (Version: 1.0.4.220)
Intel® Trusted Connect Service Client (Version: 1.24.388.1)
Java 7 Update 25 (Version: 7.0.250)
Java Auto Updater (Version: 2.1.9.5)
League of Legends (Version: 3.0.0)
Left 4 Dead 2
LogMeIn Hamachi (Version: 2.2.0.173)
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
Microsoft .NET Framework 4.5 (Version: 4.5.50709)
Microsoft Games for Windows - LIVE Redistributable (Version: 3.5.92.0)
Microsoft Games for Windows Marketplace (Version: 3.5.50.0)
Microsoft Silverlight (Version: 5.1.20913.0)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.59193)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.59192)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727 (Version: 11.0.50727.1)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727 (Version: 11.0.50727.1)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.50727 (Version: 11.0.50727)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.50727 (Version: 11.0.50727)
Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.50727 (Version: 11.0.50727)
Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.50727 (Version: 11.0.50727)
Notepad++ (Version: 6.5.3)
NVIDIA PhysX (Version: 9.11.1107)
OpenOffice 4.0.1 (Version: 4.01.9714)
PDF Settings CC (Version: 12.0)
PeerBlock 1.2 (r693) (Version: 1.2.0.693)
PlanetSide 2
PowerISO (Version: 5.7)
Realtek Ethernet Controller Driver (Version: 7.61.612.2012)
Realtek High Definition Audio Driver (Version: 6.0.1.6657)
Scrivener (Version: 1610)
seaafeeweB (Version: 4.3.0.1667)
Shadowrun Returns
Skype™ 6.11 (Version: 6.11.102)
Space Pirates and Zombies
Starbound
StarCraft II
Steam (Version: 1.0.0.0)
Surgeon Simulator 2013
SW.Booster (Version: 2.2.0.1110)
SW.Sustainer 1.80
TeamSpeak 3 Client (Version: 3.0.14)
The Showdown Effect
The Stanley Parable
The Witcher 2: Assassins of Kings Enhanced Edition
Ultima Online Classic Client (Version: )
Ultima Online Forever (Version: 1.0.0)
VASSAL (3.2.8) (Version: 3.2.8)
Ventrilo Client for Windows x64 (Version: 3.0.8.0)
Vizzed Retro Game Room (Version: 2.0.0)
VLC media player 2.0.6 (Version: 2.0.6)
Windows Live ID Sign-in Assistant (Version: 6.500.3165.0)
YoutubeAdblocker (Version: 2.2.0.1281)
 
========================= Memory info: ===================================
 
Percentage of memory in use: 10%
Total physical RAM: 32719.64 MB
Available physical RAM: 29250.43 MB
Total Pagefile: 34765.82 MB
Available Pagefile: 30830.06 MB
Total Virtual: 4095.88 MB
Available Virtual: 3978.09 MB
 
========================= Partitions: =====================================
 
1 Drive c: () (Fixed) (Total:167.58 GB) (Free:72.33 GB) NTFS
2 Drive d: (Bulk HD) (Fixed) (Total:465.76 GB) (Free:254.42 GB) NTFS
 
========================= Users: ========================================
 
User accounts for \\User-PC
 
Administrator            User                     Guest                    
 
========================= Minidump Files ==================================
 
No minidump file found
 
 
**** End of log ****


#10 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:01:01 AM

Posted 19 March 2014 - 11:38 AM

Hi,

 

Ok...since it has been a couple of days, please run a new scan with DDS as well so that we can see the most recent information.  Please post both DDS.txt and Attach.txt.  :)


 


#11 Selmy

Selmy
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:02:01 AM

Posted 19 March 2014 - 03:58 PM

Hi Jeff! :) 

Thanks again for taking the time to help me out with this. The logs you requested are below.

 

=====

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 10.0.9200.16843  BrowserJavaVersion: 10.25.2
Run by User at 16:54:36 on 2014-03-19
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.32720.29130 [GMT -4:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Corsair SSD Toolbox\CSSDTService.exe
C:\Program Files\Intel\iCLS Client\HeciServer.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Users\User\AppData\Local\GCC\Controller.exe
C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
C:\Users\User\AppData\Local\Akamai\netsession_win.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\User\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\PowerISO\PWRISOVM.EXE
C:\Users\User\AppData\Local\Akamai\netsession_win.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Windows\system32\AUDIODG.EXE
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskeng.exe
C:\Users\User\AppData\Local\GCC\Controller.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
C:\Users\User\AppData\Local\GCC\CHROME~1\chrome.exe
C:\Users\User\AppData\Local\GCC\CHROME~1\chrome.exe
C:\Users\User\AppData\Local\GCC\CHROME~1\chrome.exe
C:\Users\User\AppData\Local\GCC\CHROME~1\chrome.exe
C:\Users\User\AppData\Local\GCC\CHROME~1\chrome.exe
C:\Users\User\AppData\Local\GCC\CHROME~1\chrome.exe
C:\Users\User\AppData\Local\GCC\CHROME~1\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uProxyOverride = <local>
mWinlogon: Userinit = userinit.exe,
BHO: YoutubeAdblocker: {451512C6-2077-B2B8-36EC-636B63949721} - C:\Program Files (x86)\YoutubeAdblocker\s4snW5E.dll
BHO: seaafeeweB: {5D362140-796B-D736-8E18-AC5903BCD024} - C:\Program Files (x86)\seaafeeweB\h.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
uRun: [Akamai NetSession Interface] "C:\Users\User\AppData\Local\Akamai\netsession_win.exe"
uRun: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
mRun: [USB3MON] "C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [PWRISOVM.EXE] C:\Program Files (x86)\PowerISO\PWRISOVM.EXE -startup
mRun: [AdobeCEPServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CEPServiceManager4\CEPServiceManager.exe" -launchedbylogin
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe" MSRun
StartupFolder: C:\Users\User\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\User\AppData\Roaming\Dropbox\bin\Dropbox.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: Interfaces\{DAB4EF9A-DE72-41A8-A767-796173695ED3} : NameServer = 8.8.8.8
TCP: Interfaces\{DAB4EF9A-DE72-41A8-A767-796173695ED3} : DHCPNameServer = 192.168.1.1
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - 
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
AppInit_DLLs= c:\progra~2\sw30e4~1.boo
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: YoutubeAdblocker: {451512C6-2077-B2B8-36EC-636B63949721} - C:\Program Files (x86)\YoutubeAdblocker\s4snW5E.x64.dll
x64-BHO: seaafeeweB: {5D362140-796B-D736-8E18-AC5903BCD024} - C:\Program Files (x86)\seaafeeweB\h.x64.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: TidyNetwork: {9C7F308F-2CC3-3D14-E6AF-2E4A51C4980F} - 
x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s
x64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
x64-Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - <orphaned>
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
Hosts: 54.225.95.126 ajakpekbmnkgnjbpajgkdhimcbeoocam
============= SERVICES / DRIVERS ===============
.
R0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;C:\Windows\System32\drivers\iusb3hcs.sys [2012-2-27 16152]
R2 1a34a8e0;SW.Sustainer;C:\Windows\System32\rundll32.exe [2009-7-13 45568]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2013-12-6 239616]
R2 CorsairSSDToolBox;Corsair SSD Toolbox;C:\Program Files (x86)\Corsair SSD Toolbox\CSSDTService.exe [2014-3-16 1845864]
R2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2012-4-20 635104]
R2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe [2013-6-24 166720]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2013-6-24 365376]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2013-9-24 94208]
R3 iusb3hub;Intel® USB 3.0 Hub Driver;C:\Windows\System32\drivers\iusb3hub.sys [2012-2-27 356120]
R3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;C:\Windows\System32\drivers\iusb3xhc.sys [2012-2-27 788760]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2013-6-24 726160]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2012-7-9 104912]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2012-7-8 123856]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-9-5 171680]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;C:\Program Files (x86)\Steam\steamapps\common\Dragon Age Ultimate Edition\bin_ship\DAUpdaterSvc.Service.exe --> C:\Program Files (x86)\Steam\steamapps\common\Dragon Age Ultimate Edition\bin_ship\DAUpdaterSvc.Service.exe [?]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2010-11-21 71168]
S3 hitmanpro37;HitmanPro 3.7 Support Driver;C:\Windows\System32\drivers\hitmanpro37.sys [2014-3-13 32512]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2010-11-20 20992]
S3 Synth3dVsc;Synth3dVsc;C:\Windows\System32\drivers\Synth3dVsc.sys [2010-11-21 88960]
S3 terminpt;Microsoft Remote Desktop Input Driver;C:\Windows\System32\drivers\terminpt.sys [2010-11-21 34816]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 tsusbhub;tsusbhub;C:\Windows\System32\drivers\tsusbhub.sys [2010-11-21 117248]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-6-24 1255736]
S4 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe [2014-2-26 2224976]
S4 LMIGuardianSvc;LMIGuardianSvc;C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe [2014-2-26 377616]
.
=============== File Associations ===============
.
ShellExec: SC2Editor.exe: open="C:/Program Files (x86)/StarCraft II/Support/SC2Editor.exe" "%1"
ShellExec: SC2Switcher.exe: open="C:/Program Files (x86)/StarCraft II/Support/SC2Switcher.exe" "%1"
.
=============== Created Last 30 ================
.
2014-03-18 23:44:05 4296192 ----a-w- C:\Program Files (x86)\SW.Booster
2014-03-18 23:44:05 4210176 ----a-w- C:\Program Files (x86)\SW_x64.Booster
2014-03-18 23:44:05 174928 ----a-w- C:\Program Files (x86)\SWSvc.dll
2014-03-18 23:43:57 -------- d-----w- C:\ProgramData\YoutubeAdblocker
2014-03-18 23:43:57 -------- d-----w- C:\Program Files (x86)\YoutubeAdblocker
2014-03-18 23:43:55 -------- d-----w- C:\Users\User\AppData\Local\Packages
2014-03-18 23:43:55 -------- d-----w- C:\ProgramData\seaafeeweB
2014-03-18 23:43:55 -------- d-----w- C:\Program Files (x86)\seaafeeweB
2014-03-18 23:43:52 -------- d-----w- C:\Users\User\AppData\Local\Torch
2014-03-18 23:43:52 -------- d-----w- C:\Users\User\AppData\Local\Comodo
2014-03-18 23:43:52 -------- d-----w- C:\ProgramData\6f34004b4062c82b
2014-03-18 23:42:12 -------- d-----w- C:\ProgramData\ApPure
2014-03-18 23:41:51 -------- d-----w- C:\ProgramData\InstallMate
2014-03-18 23:37:45 122 ----a-w- C:\delwpa.bat
2014-03-17 00:55:16 -------- d-----w- C:\Program Files (x86)\AMD AVT
2014-03-17 00:54:51 -------- d-----w- C:\Program Files\AMD
2014-03-17 00:39:16 -------- d-----w- C:\Users\User\AppData\Local\Corsair
2014-03-17 00:39:15 -------- d-----w- C:\Program Files (x86)\Corsair SSD Toolbox
2014-03-16 05:05:46 -------- d-----w- C:\Users\User\AppData\Local\CrashDumps
2014-03-14 03:02:42 -------- d-----w- C:\Users\User\AppData\Local\Scrivener
2014-03-14 03:02:15 -------- d-----w- C:\Program Files (x86)\Scrivener
2014-03-13 20:39:07 -------- d-----w- C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-03-13 20:38:16 32512 ----a-w- C:\Windows\System32\drivers\hitmanpro37.sys
2014-03-13 01:25:22 8199504 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2014-03-13 01:25:21 10536864 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{85466BA2-2AD3-4260-9202-5315E88FF45F}\mpengine.dll
2014-03-13 01:04:45 9728 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2014-03-13 00:51:35 -------- d-----w- C:\Windows\System32\MRT
2014-03-13 00:46:58 903168 ----a-w- C:\Windows\SysWow64\certutil.exe
2014-03-13 00:45:53 805376 ----a-w- C:\Windows\SysWow64\cdosys.dll
2014-03-13 00:44:47 859648 ----a-w- C:\Windows\System32\IKEEXT.DLL
2014-03-13 00:42:29 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2014-03-13 00:42:28 99840 ----a-w- C:\Windows\System32\wudriver.dll
2014-03-13 00:42:28 36864 ----a-w- C:\Windows\System32\wuapp.exe
2014-03-13 00:42:28 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2014-03-10 01:26:07 -------- d-----w- C:\AdwCleaner
2014-03-10 01:23:49 -------- d-----w- C:\Windows\ERUNT
2014-03-10 01:10:50 -------- d-----w- C:\Windows\pss
2014-03-06 02:42:20 -------- d-----w- C:\ProgramData\HitmanPro
2014-03-06 02:38:39 -------- d-----w- C:\Users\User\AppData\Local\GCC
2014-03-06 02:36:45 -------- d-----w- C:\Users\User\.android
2014-03-06 02:36:44 -------- d-----w- C:\Users\User\AppData\Local\cache
2014-02-28 02:07:32 -------- d-----w- C:\Program Files (x86)\LogMeIn Hamachi
2014-02-20 18:55:26 -------- d-----w- C:\Users\User\AppData\Roaming\MinMaxGames
.
==================== Find3M  ====================
.
2014-03-14 01:23:08 91352 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2014-03-13 01:04:45 9728 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2014-02-07 01:23:30 3156480 ----a-w- C:\Windows\System32\win32k.sys
2014-02-04 02:32:12 624128 ----a-w- C:\Windows\System32\qedit.dll
2014-02-04 02:04:11 509440 ----a-w- C:\Windows\SysWow64\qedit.dll
2014-02-03 17:20:54 270496 ------w- C:\Windows\System32\MpSigStub.exe
2014-01-29 02:32:18 484864 ----a-w- C:\Windows\System32\wer.dll
2014-01-29 02:06:47 381440 ----a-w- C:\Windows\SysWow64\wer.dll
.
============= FINISH: 16:54:46.20 ===============
 

Attached Files



#12 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:01:01 AM

Posted 19 March 2014 - 08:14 PM

Hi,
 
ComboFix
 
Download Combofix from either of the links below, and save it to your desktop.  
Link 1
Link 2
 
**Note:  It is important that it is saved directly to your desktop**
If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.


 
--------------------------------------------------------------------
 
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
 
--------------------------------------------------------------------
 
Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.

 


#13 Selmy

Selmy
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:02:01 AM

Posted 19 March 2014 - 09:23 PM

Hi Jeff,

 

I ran ComboFix with admin rights, here's the error log:

 

=====

ComboFix 14-03-19.01 - User 03/19/2014  22:12:51.1.8 - x64
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.32720.28419 [GMT -4:00]
Running from: d:\downloads\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\YoutubeAdblocker
c:\program files (x86)\YoutubeAdblocker\s4snW5E.dat
c:\program files (x86)\YoutubeAdblocker\s4snW5E.dll
c:\program files (x86)\YoutubeAdblocker\s4snW5E.tlb
c:\program files (x86)\YoutubeAdblocker\s4snW5E.x64.dll
c:\users\User\AppData\Local\Temp\GC\Profiles\{783E8F78-1F8E-4385-91DD-D3A08938C2BF}\Default\Extensions\jmiibbdogibcphdfkkmlimfffneaecbc\2.4_0\plugin\convenience.dll
D:\install.exe
D:\setup.exe
.
.
(((((((((((((((((((((((((   Files Created from 2014-02-20 to 2014-03-20  )))))))))))))))))))))))))))))))
.
.
2014-03-20 02:17 . 2014-03-20 02:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-03-18 23:44 . 2014-03-18 23:44 4296192 ----a-w- c:\program files (x86)\SW.Booster
2014-03-18 23:41 . 2014-03-18 23:43 -------- d-----w- c:\programdata\InstallMate
2014-03-18 23:37 . 2014-03-18 23:37 122 ----a-w- C:\delwpa.bat
2014-03-17 00:55 . 2014-03-17 00:55 -------- d-----w- c:\programdata\ATI
2014-03-17 00:55 . 2014-03-17 00:55 -------- d-----w- c:\program files (x86)\AMD AVT
2014-03-17 00:54 . 2014-03-17 00:54 -------- d-----w- c:\program files\AMD
2014-03-17 00:39 . 2014-03-17 00:39 -------- d-----w- c:\users\User\AppData\Local\Corsair
2014-03-17 00:39 . 2014-03-17 00:39 -------- d-----w- c:\program files (x86)\Corsair SSD Toolbox
2014-03-16 05:05 . 2014-03-20 02:12 -------- d-----w- c:\users\User\AppData\Local\CrashDumps
2014-03-14 03:02 . 2014-03-14 03:02 -------- d-----w- c:\users\User\AppData\Local\Scrivener
2014-03-14 03:02 . 2014-03-14 03:02 -------- d-----w- c:\program files (x86)\Scrivener
2014-03-13 20:39 . 2014-03-14 01:27 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-03-13 20:38 . 2014-03-13 20:38 32512 ----a-w- c:\windows\system32\drivers\hitmanpro37.sys
2014-03-13 01:25 . 2014-02-17 06:32 10536864 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{85466BA2-2AD3-4260-9202-5315E88FF45F}\mpengine.dll
2014-03-13 01:04 . 2014-03-13 01:04 9728 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2014-03-13 00:51 . 2014-03-13 00:51 -------- d-----w- c:\windows\system32\MRT
2014-03-13 00:46 . 2013-05-13 05:50 52224 ----a-w- c:\windows\system32\certenc.dll
2014-03-13 00:45 . 2012-06-06 06:05 495616 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
2014-03-13 00:44 . 2013-10-12 02:30 830464 ----a-w- c:\windows\system32\nshwfp.dll
2014-03-13 00:42 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2014-03-13 00:42 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2014-03-13 00:42 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2014-03-13 00:42 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2014-03-13 00:42 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
2014-03-13 00:42 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
2014-03-13 00:42 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
2014-03-13 00:42 . 2012-06-02 19:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2014-03-13 00:42 . 2012-06-02 19:15 36864 ----a-w- c:\windows\system32\wuapp.exe
2014-03-10 01:26 . 2014-03-14 01:28 -------- d-----w- C:\AdwCleaner
2014-03-10 01:23 . 2014-03-10 01:23 -------- d-----w- c:\windows\ERUNT
2014-03-06 02:42 . 2014-03-06 02:45 -------- d-----w- c:\programdata\HitmanPro
2014-03-06 02:38 . 2014-03-06 02:44 -------- d-----w- c:\users\User\AppData\Local\GCC
2014-03-06 02:36 . 2014-03-06 02:36 -------- d-----w- c:\users\User\.android
2014-03-06 02:36 . 2014-03-06 02:36 -------- d-----w- c:\users\User\AppData\Local\cache
2014-02-28 02:07 . 2014-02-28 02:07 -------- d-----w- c:\program files (x86)\LogMeIn Hamachi
2014-02-20 18:55 . 2014-02-20 18:55 -------- d-----w- c:\users\User\AppData\Roaming\MinMaxGames
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-03-14 01:23 . 2014-01-09 22:10 91352 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-02-03 17:20 . 2010-11-21 03:27 270496 ------w- c:\windows\system32\MpSigStub.exe
2014-01-26 23:05 . 2014-01-26 23:05 129536 ----a-r- c:\users\User\AppData\Roaming\Microsoft\Installer\{8FCF50BD-0D11-43CD-B712-6F28D9DBF565}\DoF.exe
2013-12-29 00:10 . 2009-08-18 17:49 564632 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\wlidui.dll
2013-12-29 00:10 . 2009-08-18 16:24 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2010-11-21 . FE70103391A64039A921DBFFF9C7AB1B . 1008128 . . [6.1.7601.17514] .. c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll
[-] 2013-06-25 . 2C353B6CE0C8D03225CAA2AF33B68D79 . 1008640 . . [6.1.7601.17514] .. c:\windows\system32\user32.dll
.
[-] 2013-06-25 . 861C4346F9281DC0380DE72C8D55D6BE . 833024 . . [6.1.7601.17514] .. c:\windows\SysWOW64\user32.dll
[7] 2010-11-21 . 5E0DB2D8B2750543CD2EBB9EA8E6CDD3 . 833024 . . [6.1.7601.17514] .. c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{5D362140-796B-D736-8E18-AC5903BCD024}]
2014-03-18 23:43 423936 ----a-w- c:\program files (x86)\seaafeeweB\h.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09 131248 ----a-w- c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09 131248 ----a-w- c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09 131248 ----a-w- c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09 131248 ----a-w- c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Akamai NetSession Interface"="c:\users\User\AppData\Local\Akamai\netsession_win.exe" [2013-06-05 4489472]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2014-02-25 1821888]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"USB3MON"="c:\program files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2012-02-27 291608]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"PWRISOVM.EXE"="c:\program files (x86)\PowerISO\PWRISOVM.EXE" [2013-07-22 337432]
"AdobeCEPServiceManager"="c:\program files (x86)\Common Files\Adobe\CEPServiceManager4\CEPServiceManager.exe" [2013-03-13 1039248]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-05-11 958576]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe" [2013-12-06 766208]
.
c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\User\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2014-1-2 30714328]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
R2 1a34a8e0;SW.Sustainer;c:\windows\system32\rundll32.exe;c:\windows\SYSNATIVE\rundll32.exe [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 ALSysIO;ALSysIO;c:\users\User\AppData\Local\Temp\ALSysIO64.sys;c:\users\User\AppData\Local\Temp\ALSysIO64.sys [x]
R3 cpuz136;cpuz136;c:\users\User\AppData\Local\Temp\cpuz136\cpuz136_x64.sys;c:\users\User\AppData\Local\Temp\cpuz136\cpuz136_x64.sys [x]
R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\Steam\steamapps\common\Dragon Age Ultimate Edition\bin_ship\DAUpdaterSvc.Service.exe;c:\program files (x86)\Steam\steamapps\common\Dragon Age Ultimate Edition\bin_ship\DAUpdaterSvc.Service.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 hitmanpro37;HitmanPro 3.7 Support Driver;c:\windows\system32\drivers\hitmanpro37.sys;c:\windows\SYSNATIVE\drivers\hitmanpro37.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys;c:\windows\SYSNATIVE\drivers\synth3dvsc.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys;c:\windows\SYSNATIVE\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys;c:\windows\SYSNATIVE\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys;c:\windows\SYSNATIVE\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files (x86)\LogMeIn Hamachi\hamachi-2.exe;c:\program files (x86)\LogMeIn Hamachi\hamachi-2.exe [x]
R4 LMIGuardianSvc;LMIGuardianSvc;c:\program files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe;c:\program files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe [x]
S0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hcs.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 CorsairSSDToolBox;Corsair SSD Toolbox;c:\program files (x86)\Corsair SSD Toolbox\CSSDTService.exe;c:\program files (x86)\Corsair SSD Toolbox\CSSDTService.exe [x]
S2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe;c:\program files\Intel\iCLS Client\HeciServer.exe [x]
S2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys;c:\windows\SYSNATIVE\drivers\AtihdW76.sys [x]
S3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hub.sys [x]
S3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3xhc.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-03-15 17:03 1150280 ----a-w- c:\program files (x86)\Google\Chrome\Application\33.0.1750.154\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-03-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-06-25 01:30]
.
2014-03-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-06-25 01:30]
.
2014-03-18 c:\windows\Tasks\SW.Booster-S-990783876.job
- c:\programdata\appure\sw.booster\SW.Booster.exe [2014-03-18 23:44]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5D362140-796B-D736-8E18-AC5903BCD024}]
2014-03-18 23:43 472064 ----a-w- c:\program files (x86)\seaafeeweB\h.x64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09 164016 ----a-w- c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09 164016 ----a-w- c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09 164016 ----a-w- c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09 164016 ----a-w- c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2012-06-12 6548112]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2013-06-13 472984]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <local>
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
Trusted Zone: vizzed.com\www
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{DAB4EF9A-DE72-41A8-A767-796173695ED3}: NameServer = 8.8.8.8
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{451512C6-2077-B2B8-36EC-636B63949721} - c:\program files (x86)\YoutubeAdblocker\s4snW5E.dll
BHO-{451512C6-2077-B2B8-36EC-636B63949721} - c:\program files (x86)\YoutubeAdblocker\s4snW5E.x64.dll
BHO-{9C7F308F-2CC3-3D14-E6AF-2E4A51C4980F} - c:\program files (x86)\TidyNetwork\petn64.dll
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-03-19  22:18:36
ComboFix-quarantined-files.txt  2014-03-20 02:18
.
Pre-Run: 75,428,179,968 bytes free
Post-Run: 77,181,112,320 bytes free
.
- - End Of File - - CCE8B6CAED662C4463499E7A1286F3FE
A36C5E4F47E84449FF07ED3517B43A31


#14 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • Gender:Male
  • Location:USA
  • Local time:01:01 AM

Posted 20 March 2014 - 06:29 AM

Oooops....could you move ComboFix directly to your Desktop and then run it from there please?  Post the new log and also let me know how your system is running.  :)




#15 Selmy

Selmy
  • Topic Starter

  • Members
  • 18 posts
  • Local time:02:01 AM

Posted 20 March 2014 - 08:42 AM

Oops indeed! Sorry about that. Here you go, ran from the desktop this time.

 

=====

ComboFix 14-03-19.01 - User 03/20/2014   9:36.2.8 - x64
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.32720.30216 [GMT -4:00]
Running from: c:\users\User\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((   Files Created from 2014-02-20 to 2014-03-20  )))))))))))))))))))))))))))))))
.
.
2014-03-20 13:39 . 2014-03-20 13:39 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-03-18 23:44 . 2014-03-18 23:44 4296192 ----a-w- c:\program files (x86)\SW.Booster
2014-03-18 23:41 . 2014-03-18 23:43 -------- d-----w- c:\programdata\InstallMate
2014-03-18 23:37 . 2014-03-18 23:37 122 ----a-w- C:\delwpa.bat
2014-03-17 00:55 . 2014-03-17 00:55 -------- d-----w- c:\programdata\ATI
2014-03-17 00:55 . 2014-03-17 00:55 -------- d-----w- c:\program files (x86)\AMD AVT
2014-03-17 00:54 . 2014-03-17 00:54 -------- d-----w- c:\program files\AMD
2014-03-17 00:39 . 2014-03-17 00:39 -------- d-----w- c:\users\User\AppData\Local\Corsair
2014-03-17 00:39 . 2014-03-17 00:39 -------- d-----w- c:\program files (x86)\Corsair SSD Toolbox
2014-03-16 05:05 . 2014-03-20 02:12 -------- d-----w- c:\users\User\AppData\Local\CrashDumps
2014-03-14 03:02 . 2014-03-14 03:02 -------- d-----w- c:\users\User\AppData\Local\Scrivener
2014-03-14 03:02 . 2014-03-14 03:02 -------- d-----w- c:\program files (x86)\Scrivener
2014-03-13 20:39 . 2014-03-14 01:27 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-03-13 20:38 . 2014-03-13 20:38 32512 ----a-w- c:\windows\system32\drivers\hitmanpro37.sys
2014-03-13 01:25 . 2014-02-17 06:32 10536864 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{85466BA2-2AD3-4260-9202-5315E88FF45F}\mpengine.dll
2014-03-13 01:04 . 2014-03-13 01:04 9728 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2014-03-13 00:51 . 2014-03-13 00:51 -------- d-----w- c:\windows\system32\MRT
2014-03-13 00:46 . 2013-05-13 05:50 52224 ----a-w- c:\windows\system32\certenc.dll
2014-03-13 00:45 . 2012-06-06 06:05 495616 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
2014-03-13 00:44 . 2013-10-12 02:30 830464 ----a-w- c:\windows\system32\nshwfp.dll
2014-03-13 00:42 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2014-03-13 00:42 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2014-03-13 00:42 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2014-03-13 00:42 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2014-03-13 00:42 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
2014-03-13 00:42 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
2014-03-13 00:42 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
2014-03-13 00:42 . 2012-06-02 19:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2014-03-13 00:42 . 2012-06-02 19:15 36864 ----a-w- c:\windows\system32\wuapp.exe
2014-03-10 01:26 . 2014-03-14 01:28 -------- d-----w- C:\AdwCleaner
2014-03-10 01:23 . 2014-03-10 01:23 -------- d-----w- c:\windows\ERUNT
2014-03-06 02:42 . 2014-03-06 02:45 -------- d-----w- c:\programdata\HitmanPro
2014-03-06 02:38 . 2014-03-06 02:44 -------- d-----w- c:\users\User\AppData\Local\GCC
2014-03-06 02:36 . 2014-03-06 02:36 -------- d-----w- c:\users\User\.android
2014-03-06 02:36 . 2014-03-06 02:36 -------- d-----w- c:\users\User\AppData\Local\cache
2014-02-28 02:07 . 2014-02-28 02:07 -------- d-----w- c:\program files (x86)\LogMeIn Hamachi
2014-02-20 18:55 . 2014-02-20 18:55 -------- d-----w- c:\users\User\AppData\Roaming\MinMaxGames
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-03-14 01:23 . 2014-01-09 22:10 91352 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-02-03 17:20 . 2010-11-21 03:27 270496 ------w- c:\windows\system32\MpSigStub.exe
2014-01-26 23:05 . 2014-01-26 23:05 129536 ----a-r- c:\users\User\AppData\Roaming\Microsoft\Installer\{8FCF50BD-0D11-43CD-B712-6F28D9DBF565}\DoF.exe
2013-12-29 00:10 . 2009-08-18 17:49 564632 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\wlidui.dll
2013-12-29 00:10 . 2009-08-18 16:24 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2010-11-21 . FE70103391A64039A921DBFFF9C7AB1B . 1008128 . . [6.1.7601.17514] .. c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll
[-] 2013-06-25 . 2C353B6CE0C8D03225CAA2AF33B68D79 . 1008640 . . [6.1.7601.17514] .. c:\windows\system32\user32.dll
.
[-] 2013-06-25 . 861C4346F9281DC0380DE72C8D55D6BE . 833024 . . [6.1.7601.17514] .. c:\windows\SysWOW64\user32.dll
[7] 2010-11-21 . 5E0DB2D8B2750543CD2EBB9EA8E6CDD3 . 833024 . . [6.1.7601.17514] .. c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{451512C6-2077-B2B8-36EC-636B63949721}]
c:\program files (x86)\YoutubeAdblocker\s4snW5E.dll [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{5D362140-796B-D736-8E18-AC5903BCD024}]
2014-03-18 23:43 423936 ----a-w- c:\program files (x86)\seaafeeweB\h.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09 131248 ----a-w- c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09 131248 ----a-w- c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09 131248 ----a-w- c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09 131248 ----a-w- c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Akamai NetSession Interface"="c:\users\User\AppData\Local\Akamai\netsession_win.exe" [2013-06-05 4489472]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2014-02-25 1821888]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"USB3MON"="c:\program files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2012-02-27 291608]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"PWRISOVM.EXE"="c:\program files (x86)\PowerISO\PWRISOVM.EXE" [2013-07-22 337432]
"AdobeCEPServiceManager"="c:\program files (x86)\Common Files\Adobe\CEPServiceManager4\CEPServiceManager.exe" [2013-03-13 1039248]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-05-11 958576]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe" [2013-12-06 766208]
.
c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\User\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2014-1-2 30714328]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 ALSysIO;ALSysIO;c:\users\User\AppData\Local\Temp\ALSysIO64.sys;c:\users\User\AppData\Local\Temp\ALSysIO64.sys [x]
R3 cpuz136;cpuz136;c:\users\User\AppData\Local\Temp\cpuz136\cpuz136_x64.sys;c:\users\User\AppData\Local\Temp\cpuz136\cpuz136_x64.sys [x]
R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\Steam\steamapps\common\Dragon Age Ultimate Edition\bin_ship\DAUpdaterSvc.Service.exe;c:\program files (x86)\Steam\steamapps\common\Dragon Age Ultimate Edition\bin_ship\DAUpdaterSvc.Service.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 hitmanpro37;HitmanPro 3.7 Support Driver;c:\windows\system32\drivers\hitmanpro37.sys;c:\windows\SYSNATIVE\drivers\hitmanpro37.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys;c:\windows\SYSNATIVE\drivers\synth3dvsc.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys;c:\windows\SYSNATIVE\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys;c:\windows\SYSNATIVE\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys;c:\windows\SYSNATIVE\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files (x86)\LogMeIn Hamachi\hamachi-2.exe;c:\program files (x86)\LogMeIn Hamachi\hamachi-2.exe [x]
R4 LMIGuardianSvc;LMIGuardianSvc;c:\program files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe;c:\program files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe [x]
S0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hcs.sys [x]
S2 1a34a8e0;SW.Sustainer;c:\windows\system32\rundll32.exe;c:\windows\SYSNATIVE\rundll32.exe [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 CorsairSSDToolBox;Corsair SSD Toolbox;c:\program files (x86)\Corsair SSD Toolbox\CSSDTService.exe;c:\program files (x86)\Corsair SSD Toolbox\CSSDTService.exe [x]
S2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe;c:\program files\Intel\iCLS Client\HeciServer.exe [x]
S2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys;c:\windows\SYSNATIVE\drivers\AtihdW76.sys [x]
S3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hub.sys [x]
S3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3xhc.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-03-15 17:03 1150280 ----a-w- c:\program files (x86)\Google\Chrome\Application\33.0.1750.154\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-03-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-06-25 01:30]
.
2014-03-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-06-25 01:30]
.
2014-03-18 c:\windows\Tasks\SW.Booster-S-990783876.job
- c:\programdata\appure\sw.booster\SW.Booster.exe [2014-03-18 23:44]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5D362140-796B-D736-8E18-AC5903BCD024}]
2014-03-18 23:43 472064 ----a-w- c:\program files (x86)\seaafeeweB\h.x64.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C7F308F-2CC3-3D14-E6AF-2E4A51C4980F}]
c:\program files (x86)\TidyNetwork\petn64.dll [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09 164016 ----a-w- c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09 164016 ----a-w- c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09 164016 ----a-w- c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09 164016 ----a-w- c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2012-06-12 6548112]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2013-06-13 472984]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <local>
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
Trusted Zone: vizzed.com\www
TCP: Interfaces\{DAB4EF9A-DE72-41A8-A767-796173695ED3}: NameServer = 8.8.8.8
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-03-20  09:40:05
ComboFix-quarantined-files.txt  2014-03-20 13:40
ComboFix2.txt  2014-03-20 02:22
.
Pre-Run: 77,155,422,208 bytes free
Post-Run: 76,916,740,096 bytes free
.
- - End Of File - - 23AE187FB21AD510A1C2EBDC83FD583D
A36C5E4F47E84449FF07ED3517B43A31




