
Trojan Horse Generic35 + Corrupted executable file + Can not Open WLM


  • This topic is locked
43 replies to this topic

#1 Jove

  • Members
  • 2,739 posts
  • Gender: Male
  • Location: Very South Jersey

Posted 01 April 2014 - 08:34 AM

My computer, a Dell Dimension 2350 WXP, was not operating correctly and I scanned with MBAM, Spybot and AVG. There were some problems, including Trojan Horses found by AVG, . . .

Now I'm having some problems with connections; for example, the icons in the tray show a red cross over the connection icon although I am connected, . .

Also I can not open Windows Live Mail:

Windows Live Mail could not be started.
Closing Windows Live Mail. Your calender contains corrupt data that is forcing
Windows Live Mail to close (0x80070002)

Some details of these occurrences are listed in Am I infected and include services not showing dependencies:

http://www.bleepingcomputer.com/forums/t/528980/windows-live-mail-could-not-be-started-0x80070002/#entry3330577


DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Jople at 9:14:57 on 2014-04-01
#Option MBR scan  is disabled.
AV: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ================
.
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\hkcmd.exe
F:\Program Files\Canon\MyPrinter\BJMyPrt.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\NETGEAR\WNA1100\WNA1100.exe
F:\WINDOWS\system32\pctspk.exe
F:\Program Files\NETGEAR\WNA1100\WifiSvc.exe
F:\WINDOWS\System32\alg.exe
F:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
F:\WINDOWS\system32\svchost.exe -k rpcss
F:\WINDOWS\system32\svchost.exe -k netsvcs
F:\WINDOWS\system32\svchost.exe -k NetworkService
F:\WINDOWS\system32\svchost.exe -k imgsvc
F:\WINDOWS\system32\svchost.exe -k LocalService
F:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://start.mysearchdial.com/?f=1&a=aw_14_14_ff&cd=2XzuyEtN2Y1L1Qzuzy0C0DtAyC0DtDyByBtBtAzzyCzzyD0CtN0D0Tzu0SzztBtCtN1L2XzutBtFtCzztFtBtFtDtN1L1CzutCyEtDtAtDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StDtD0D0AtA0D0FtCtGtCyBzzyBtGtCyC0FzztG0A0C0CtBtGyEtAtDyCtDzztC0FyDzzzy0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAyDzztDtD0DtBtBtGtByC0B0CtG0DyE0CtAtGyEtCtAyDtGyEyDyD0D0A0E0CtDyE0D0E0F2Q&cr=46332031&ir=
mStart Page = hxxp://start.mysearchdial.com/?f=1&a=aw_14_14_ff&cd=2XzuyEtN2Y1L1Qzuzy0C0DtAyC0DtDyByBtBtAzzyCzzyD0CtN0D0Tzu0SzztBtCtN1L2XzutBtFtCzztFtBtFtDtN1L1CzutCyEtDtAtDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StDtD0D0AtA0D0FtCtGtCyBzzyBtGtCyC0FzztG0A0C0CtBtGyEtAtDyCtDzztC0FyDzzzy0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAyDzztDtD0DtBtBtGtByC0B0CtG0DyE0CtAtGyEtCtAyDtGyEyDyD0D0A0E0CtDyE0D0E0F2Q&cr=46332031&ir=
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - f:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\spybot - search & destroy\SDHelper.dll
BHO: EWPBrowseObject Class: {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - f:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - f:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: mysearchdial Helper Object: {EF5625A3-37AB-4BDB-9875-2A3D91CD0DFD} - f:\program files\mysearchdial\1.8.29.0\bh\mysearchdial.dll
TB: Easy-WebPrint: {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - f:\program files\canon\easy-webprint\Toolband.dll
TB: mysearchdial Toolbar: {3004627E-F8E9-4E8B-909D-316753CBA923} - f:\program files\mysearchdial\1.8.29.0\mysearchdialTlbr.dll
uRun: [ctfmon.exe] f:\windows\system32\ctfmon.exe
uRun: [OM2_Monitor] "c:\ext drive\MMonitor.exe" -NoStart
uRun: [Skype] "f:\program files\skype\phone\Skype.exe" /minimized /regrun
mRun: [HotKeysCmds] f:\windows\system32\hkcmd.exe
mRun: [AVG_UI] "f:\program files\avg\avg2013\avgui.exe" /TRAYONLY
mRun: [CanonMyPrinter] f:\program files\canon\myprinter\BJMyPrt.exe /logon
StartupFolder: f:\docume~1\jople\startm~1\programs\startup\mypcba~1.lnk - f:\program files\mypc backup\DEL_MyPC Backup.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - f:\program files\netgear\wna1100\WNA1100.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\shortc~1\target.lnk - f:\documents and settings\all users\start menu\programs\Startup
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: Easy-WebPrint Add To Print List - f:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - f:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - f:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - f:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\spybot - search & destroy\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - f:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1367570027921
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{AC30923C-3EE1-4D50-BF6F-AB1E357343C5} : DHCPNameServer = 192.168.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - f:\program files\common files\skype\Skype4COM.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs=  
Hosts: 127.0.0.1    www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2014-03-31 22:23:49    --------    d-----w-    f:\documents and settings\jople\application data\mysearchdial
2014-03-31 22:23:48    --------    d-----w-    f:\program files\Mysearchdial
2014-03-31 22:23:27    --------    d-----w-    f:\program files\MyPC Backup
2014-03-31 22:06:59    --------    d-----w-    f:\program files\InstallConverter bundle uninstaller
2014-03-31 21:53:48    --------    d-----w-    f:\program files\SearchProtect
2014-03-31 21:53:48    --------    d-----w-    f:\documents and settings\jople\local settings\application data\SearchProtect
.
==================== Find3M  ====================
.
2014-03-12 05:21:50    71048    ----a-w-    f:\windows\system32\FlashPlayerCPLApp.cpl
2014-03-12 05:21:50    692616    ----a-w-    f:\windows\system32\FlashPlayerApp.exe
2014-02-05 23:26:52    920064    ----a-w-    f:\windows\system32\wininet.dll
2014-02-05 23:26:43    43520    ----a-w-    f:\windows\system32\licmgr10.dll
2014-02-05 23:26:42    1469440    ----a-w-    f:\windows\system32\inetcpl.cpl
2014-02-05 23:26:37    18944    ----a-w-    f:\windows\system32\corpol.dll
2014-02-05 22:24:05    385024    ----a-w-    f:\windows\system32\html.iec
2014-01-04 03:13:05    420864    ----a-w-    f:\windows\system32\vbscript.dll
.
============= FINISH:  9:16:23.92 ===============
 

 

Edited by Jove, 01 April 2014 - 08:38 AM.

When you don't have to worry about your computer anymore, you can start living again!

Success is a result, not a goal. . . . Flaubert




#2 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender: Male

Posted 01 April 2014 - 09:45 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )
  • Leave everything else as it is.
  • Close all other running programs as well as your Browser.
  • Click the Scan button & wait for it to finish.
  • Once done, click on the Save... button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


Edited by TB-Psychotic, 01 April 2014 - 09:45 AM.

Proud Member of UNITE & TB

My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#3 Jove

  • Topic Starter
  • Members
  • 2,739 posts
  • Gender: Male
  • Location: Very South Jersey

Posted 06 April 2014 - 07:27 PM

GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-04-06 20:26:08
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD600BB-75CAA0 rev.16.06V16 55.88GB
Running: queygfl7.exe; Driver: F:\DOCUME~1\Jople\LOCALS~1\Temp\pflyykoc.sys


---- System - GMER 2.1 ----

SSDT            \SystemRoot\system32\DRIVERS\avgidsshimx.sys  ZwNotifyChangeKey [0xF7C245D0]
SSDT            \SystemRoot\system32\DRIVERS\avgidsshimx.sys  ZwNotifyChangeMultipleKeys [0xF7C24700]
SSDT            \SystemRoot\system32\DRIVERS\avgidsshimx.sys  ZwOpenProcess [0xF7C24010]
SSDT            \SystemRoot\system32\DRIVERS\avgidsshimx.sys  ZwSuspendProcess [0xF7C24300]
SSDT            \SystemRoot\system32\DRIVERS\avgidsshimx.sys  ZwSuspendThread [0xF7C243E0]
SSDT            \SystemRoot\system32\DRIVERS\avgidsshimx.sys  ZwTerminateProcess [0xF7C24120]
SSDT            \SystemRoot\system32\DRIVERS\avgidsshimx.sys  ZwTerminateThread [0xF7C24210]
SSDT            \SystemRoot\system32\DRIVERS\avgidsshimx.sys  ZwWriteVirtualMemory [0xF7C244D0]

---- Devices - GMER 2.1 ----

AttachedDevice  \Driver\Tcpip \Device\Ip                      avgtdix.sys
AttachedDevice  \Driver\Tcpip \Device\Tcp                     avgtdix.sys
AttachedDevice  \Driver\Tcpip \Device\Udp                     avgtdix.sys
AttachedDevice  \Driver\Tcpip \Device\RawIp                   avgtdix.sys
AttachedDevice  \FileSystem\Fastfat \Fat                      fltMgr.sys

---- EOF - GMER 2.1 ----
 




#4 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender: Male

Posted 07 April 2014 - 05:01 AM

Combofix

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications


====================================================


Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


(screenshot: RC_update.png)


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


(screenshot: cfRC_screen_2.png)


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.



#5 Jove

  • Topic Starter
  • Members
  • 2,739 posts
  • Gender: Male
  • Location: Very South Jersey

Posted 07 April 2014 - 12:43 PM

ComboFix 14-04-06.01 - Jople 04/07/2014  12:22:41.2.1 - x86
Running from: c:\my documents\ComboFix.exe
AV: AVG AntiVirus Free Edition 2013 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
f:\windows\winhelp.ini
G:\Autorun.inf
.
.
(((((((((((((((((((((((((   Files Created from 2014-03-07 to 2014-04-07  )))))))))))))))))))))))))))))))
.
.
2014-04-02 23:52 . 2014-04-02 23:52    --------    d-----w-    f:\windows\ERUNT
2014-03-31 22:24 . 2014-03-31 22:27    --------    d---a-w-    f:\documents and settings\All Users\Application Data\TEMP
2014-03-31 22:06 . 2014-03-31 22:06    --------    d-----w-    f:\program files\InstallConverter bundle uninstaller
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-03-12 05:21 . 2013-05-03 15:38    71048    ----a-w-    f:\windows\system32\FlashPlayerCPLApp.cpl
2014-03-12 05:21 . 2013-05-03 15:38    692616    ----a-w-    f:\windows\system32\FlashPlayerApp.exe
2014-02-05 23:26 . 2008-04-13 23:00    920064    ----a-w-    f:\windows\system32\wininet.dll
2014-02-05 23:26 . 2008-04-13 23:00    43520    ----a-w-    f:\windows\system32\licmgr10.dll
2014-02-05 23:26 . 2008-04-13 23:00    1469440    ----a-w-    f:\windows\system32\inetcpl.cpl
2014-02-05 23:26 . 2008-04-13 23:00    18944    ----a-w-    f:\windows\system32\corpol.dll
2014-02-05 22:24 . 2008-04-13 23:00    385024    ----a-w-    f:\windows\system32\html.iec
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM2_Monitor"="c:\ext drive\MMonitor.exe" [2007-02-09 95800]
"Skype"="f:\program files\Skype\Phone\Skype.exe" [2013-01-08 18705664]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="f:\windows\system32\hkcmd.exe" [2004-02-10 118784]
"AVG_UI"="f:\program files\AVG\AVG2013\avgui.exe" [2013-11-20 4411952]
"CanonMyPrinter"="f:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-22 1191936]
.
f:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WNA1100 Genie.lnk - f:\program files\NETGEAR\WNA1100\WNA1100.exe [2013-11-13 8247264]
.
f:\documents and settings\All Users\Start Menu\Programs\Startup\Shortcut to Startup\
target.lnk - f:\documents and settings\All Users\Start Menu\Programs\Startup [2012-12-8] [Folder]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0f:\progra~1\AVG\AVG2013\avgrsx.exe /sync /restart
.
[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Corel Desktop Application Director 8.LNK]
path=f:\documents and settings\All Users\Start Menu\Programs\Startup\Corel Desktop Application Director 8.LNK
backup=f:\windows\pss\Corel Desktop Application Director 8.LNKCommon Startup
.
[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Secunia PSI Tray.lnk]
path=f:\documents and settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
backup=f:\windows\pss\Secunia PSI Tray.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-04-04 21:06    958576    ----a-w-    f:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2013-05-08 21:20    41056    -c--a-w-    f:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2004-02-10 16:55    155648    ----a-w-    f:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07    2260480    --sha-r-    c:\spybot - search & destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MBAMService"=3 (0x3)
"MBAMScheduler"=2 (0x2)
"BITS"=2 (0x2)
"ACDaemon"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\Program Files\\AVG\\AVG2013\\avgmfapx.exe"=
"f:\\WINDOWS\\system32\\sessmgr.exe"=
"f:\\Program Files\\NETGEAR\\WNA1100\\WNA1100.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"f:\\Program Files\\AVG\\AVG2013\\avgnsx.exe"=
"f:\\Program Files\\AVG\\AVG2013\\avgdiagex.exe"=
"f:\\Program Files\\AVG\\AVG2013\\avgemcx.exe"=
"f:\\WINDOWS\\system32\\dpvsetup.exe"=
"f:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R0 cerc6;cerc6; [x]
R2 AVGIDSAgent;AVGIDSAgent;f:\program files\AVG\AVG2013\avgidsagent.exe [2013-07-04 4939312]
R3 jswpsapi;JumpStart Wi-Fi Protected Setup;f:\program files\NETGEAR\WNA1100\jswpsapi.exe [2009-11-05 360529]
R3 PSI;PSI;f:\windows\system32\DRIVERS\psi_mf_x86.sys [2013-04-18 16024]
R4 Secunia PSI Agent;Secunia PSI Agent;f:\program files\Secunia\PSI\PSIA.exe [x]
R4 Secunia Update Agent;Secunia Update Agent;f:\program files\Secunia\PSI\sua.exe [x]
R4 SkypeUpdate;Skype Updater;f:\program files\Skype\Updater\Updater.exe [2013-01-08 161536]
S0 AVGIDSHX;AVGIDSHX;f:\windows\system32\DRIVERS\avgidshx.sys [2013-07-20 60216]
S0 Avglogx;AVG Logging Driver;f:\windows\system32\DRIVERS\avglogx.sys [2013-07-20 246072]
S0 Avgrkx86;AVG Anti-Rootkit Driver;f:\windows\system32\DRIVERS\avgrkx86.sys [2013-10-23 39224]
S1 AVGIDSDriver;AVGIDSDriver;f:\windows\system32\DRIVERS\avgidsdriverx.sys [2013-11-25 208184]
S1 AVGIDSShim;AVGIDSShim;f:\windows\system32\DRIVERS\avgidsshimx.sys [2013-10-23 22328]
S1 Avgldx86;AVG AVI Loader Driver;f:\windows\system32\DRIVERS\avgldx86.sys [2013-07-20 171320]
S1 Avgtdix;AVG TDI Driver;f:\windows\system32\DRIVERS\avgtdix.sys [2013-03-21 182072]
S2 avgwd;AVG WatchDog;f:\program files\AVG\AVG2013\avgwdsvc.exe [2013-11-20 283136]
S2 WSWNA1100;WSWNA1100;f:\program files\NETGEAR\WNA1100\WifiSvc.exe [2011-07-28 297440]
S3 AR9271;Atheros AR9271 Wireless Network Adapter Service;f:\windows\system32\DRIVERS\athuw.sys [2010-10-01 1759584]
S3 JSWSCIMD;jswscimd Service;f:\windows\system32\DRIVERS\jswscimd.sys [2008-09-25 57440]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - PFLYYKOC
*Deregistered* - pflyykoc
.
Contents of the 'Scheduled Tasks' folder
.
2014-04-07 f:\windows\Tasks\Adobe Flash Player Updater.job
- f:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-05-03 05:21]
.
2014-04-07 f:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- f:\program files\Google\Update\GoogleUpdate.exe [2013-05-03 04:03]
.
2014-04-07 f:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- f:\program files\Google\Update\GoogleUpdate.exe [2013-05-03 04:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: Easy-WebPrint Add To Print List - f:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - f:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - f:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - f:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
f:\documents and settings\Jople\Start Menu\Programs\Startup\MyPC Backup.lnk - f:\program files\MyPC Backup\DEL_MyPC Backup.exe
MSConfigStartUp-Facebook Update - f:\documents and settings\Jople\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe
MSConfigStartUp-OpwareSE4 - C:\OpwareSE4.exe
MSConfigStartUp-SSBkgdUpdate - f:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-04-07 12:56
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1214440339-1604221776-842925246-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1064)
f:\windows\system32\athgina.dll
.
Completion time: 2014-04-07  13:02:11
ComboFix-quarantined-files.txt  2014-04-07 17:02
.
Pre-Run: 628,031,488 bytes free
Post-Run: 1,080,270,848 bytes free
.
- - End Of File - - 213185E208527D70B090EF258F10D96D
8F558EB6672622401DA993E1E865C861
 




#6 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender: Male

Posted 08 April 2014 - 08:17 AM

Full System Scan with Malwarebytes Antimalware

  • If it is not already installed, please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mb3-setup-1878.1878-3.5.1.2522.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart, once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

 

 

 

Scan with ESET Online Scan

Please go to here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats' , then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.



#7 Jove

  • Topic Starter
  • Members
  • 2,739 posts
  • Gender: Male
  • Location: Very South Jersey

Posted 08 April 2014 - 11:28 AM

I'm getting mbam-setup-2.0.1004.exe from the click-on mb3-setup-1878.1878-3.5.1.2522.exe




#8 Jove

  • Topic Starter
  • Members
  • 2,739 posts
  • Gender: Male
  • Location: Very South Jersey

Posted 08 April 2014 - 02:10 PM

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.04.08.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Jople :: BOING-417332229 [administrator]

4/8/2014 11:28:33 AM
mbam-log-2014-04-08 (11-28-33).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 235387
Time elapsed: 20 minute(s), 38 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\Software\mysearchdial.com (PUP.Optional.MySearchDial.A) -> No action taken.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 

 

 

///////////////////////////////////////////////////

 

 

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.04.08.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Jople :: BOING-417332229 [administrator]

4/8/2014 11:28:33 AM
MBAM-log-2014-04-08 (11-57-34).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 235387
Time elapsed: 20 minute(s), 38 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\Software\mysearchdial.com (PUP.Optional.MySearchDial.A) -> No action taken.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 




#9 Jove

  • Topic Starter
  • Members
  • 2,739 posts
  • Gender: Male
  • Location: Very South Jersey

Posted 08 April 2014 - 02:54 PM

C:\CF- Folder\Unused DT-040313\spsetup122.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\DELL\drivers\cbsidlm-tr1_9-CommunicationsBroadcom_V92_Soft_Modem_Data_Fax_Voice_Driver_Version_A07-SEO2-108377(1).exe    Win32/DownloadAdmin.G potentially unwanted application
 




#10 Jove

  • Topic Starter
  • Members
  • 2,739 posts
  • Gender: Male
  • Location: Very South Jersey

Posted 08 April 2014 - 05:11 PM

My fine man,

I can not wait to see what you will do now, . . . .

My last restart created several screen-top flickers that seem to have originated from, at first, a star-like light followed by a screen flicker.

I am sure that we still have some interferences that may not belong.

Also I still have a rather strange home page after I clicked FF by default.

It is one with box logos such as eBay, YouTube, Facebook, Tumblr, etc.

My Search Dial is listed in the small search window at the top right, but the header on the page still retains the FF logo, etc.


Edited by Jove, 08 April 2014 - 05:44 PM.



#11 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender: Male

Posted 09 April 2014 - 03:32 AM

Scan with FRST in normal mode

Please download Farbar's Recovery Scan Tool to your desktop: FRST 32bit or FRST 64bit (If not sure: Start --> Computer (right click) --> properties)

  • Run FRST.
  • Don't change any of the checkboxes and hit Scan.
  • Logfiles are created on your desktop.
  • Post the FRST.txt and (after the first scan only!) the Addition.txt.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#12 Jove

Jove
  • Topic Starter

  • Members
  • 2,739 posts
  • OFFLINE
  • Gender:Male
  • Location:Very South Jersey
  • Local time:01:47 AM

Posted 09 April 2014 - 04:19 AM

I downloaded it (64 bit) and upon running it, it prompts that it is not a valid file, etc.?

Please advise, . . . . I got the 32 bit to run, thanks.


Edited by Jove, 09 April 2014 - 04:23 AM.



#13 Jove

Jove
  • Topic Starter

  • Members
  • 2,739 posts
  • OFFLINE
  • Gender:Male
  • Location:Very South Jersey
  • Local time:01:47 AM

Posted 09 April 2014 - 04:34 AM

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 13-03-2014  01
Ran by Jople at 2014-04-09 05:28:09
Running from C:\My Documents
Boot Mode: Normal
==========================================================


==================== Security Center ========================

AV: AVG AntiVirus Free Edition 2013 (Disabled - Up to date) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

==================== Installed Programs ======================

Adobe Flash Player 12 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 12.0.0.77 - Adobe Systems Incorporated)
Adobe Reader 9.5.5 (HKLM\...\{AC76BA86-7AD7-1033-7B44-A95000000001}) (Version: 9.5.5 - Adobe Systems Incorporated)
AVG 2013 (HKLM\...\AVG) (Version: 2013.0.3462 - AVG Technologies)
AVG 2013 (Version: 13.0.3462 - AVG Technologies) Hidden
AVG 2013 (Version: 13.0.3722 - AVG Technologies) Hidden
Broadcom 440x 10/100 Integrated Controller (HKLM\...\InstallShield_{52504CE6-E909-4113-B232-4AFEC6543A61}) (Version: 3.29 - Broadcom)
Broadcom 440x 10/100 Integrated Controller (Version: 3.29 - Broadcom) Hidden
Canon MP Navigator 3.0 (HKLM\...\MP Navigator 3.0) (Version:  - )
Canon MP160 (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP160) (Version:  - )
Canon MP160 User Registration (HKLM\...\Canon MP160 User Registration) (Version:  - )
Canon My Printer (HKLM\...\CanonMyPrinter) (Version:  - )
Compaq 7500 INF and ICM software (HKLM\...\{9449C1CF-2A3B-4008-9621-0358F984FCEE}) (Version:  - )
Corel WordPerfect Suite 8 (HKLM\...\Corel WordPerfect Suite 8) (Version:  - )
Easy-WebPrint (HKLM\...\Easy-WebPrint) (Version:  - )
ESET Online Scanner v3 (HKLM\...\ESET Online Scanner) (Version:  - )
Google Update Helper (Version: 1.3.23.9 - Google Inc.) Hidden
Intel® Extreme Graphics Driver (HKLM\...\{8A708DD8-A5E6-11D4-A706-000629E95E20}) (Version:  - )
Junk Mail filter update (Version: 14.0.8117.416 - Microsoft Corporation) Hidden
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729 - Microsoft Corporation) Hidden
Microsoft .NET Framework Client Profile (HKLM\...\Microsoft.Net.Client.3.5) (Version: 3.5 - )
Microsoft Application Error Reporting (Version: 12.0.6012.5000 - Microsoft Corporation) Hidden
Microsoft Choice Guard (Version: 2.0.48.0 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Mozilla Firefox 28.0 (x86 en-US) (HKLM\...\Mozilla Firefox 28.0 (x86 en-US)) (Version: 28.0 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 28.0 - Mozilla)
MSVCRT (Version: 14.0.1468.721 - Microsoft) Hidden
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP2 Parser and SDK (HKLM\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
NETGEAR WNA1100 N150 Wireless USB Adapter (HKLM\...\{A2AE9709-283B-4B48-AA34-729C070A62FB}) (Version: 1.0.0.133 - NETGEAR)
OLYMPUS Master 2 (HKLM\...\{CB49B376-1136-44B4-83FA-036334B59937}) (Version: 1.0.2 - OLYMPUS IMAGING CORP.)
Paint.NET v3.5.11 (HKLM\...\{72EF03F5-0507-4861-9A44-D99FD4C41417}) (Version: 3.61.0 - dotPDN LLC)
PrimoPDF -- brought to you by Nitro PDF Software (HKLM\...\PrimoPDF) (Version: 5 - Nitro PDF Software)
Segoe UI (Version: 14.0.4327.805 - Microsoft Corp) Hidden
Skype™ 6.1 (HKLM\...\{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}) (Version: 6.1.129 - Skype Technologies S.A.)
Spybot - Search & Destroy (HKLM\...\{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1) (Version: 1.6.2 - Safer Networking Limited)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (HKLM\...\{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}.KB963707) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2904266) (HKLM\...\KB2904266) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB951978) (Version: 1 - Microsoft Corporation) Hidden
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
Windows Genuine Advantage Notifications (KB905474) (HKLM\...\WgaNotify) (Version: 1.9.0040.0 - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\KB892130) (Version:  - Microsoft Corporation)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Live Communications Platform (Version: 14.0.8117.416 - Microsoft Corporation) Hidden
Windows Live Essentials (HKLM\...\WinLiveSuite_Wave3) (Version: 14.0.8117.0416 - Microsoft Corporation)
Windows Live Essentials (Version: 14.0.8117.416 - Microsoft Corporation) Hidden
Windows Live Mail (Version: 14.0.8117.0416 - Microsoft Corporation) Hidden
Windows Live Sign-in Assistant (HKLM\...\{45338B07-A236-4270-9A77-EBB4115517B5}) (Version: 5.000.818.5 - Microsoft Corporation)
Windows Live Upload Tool (HKLM\...\{205C6BDD-7B73-42DE-8505-9A093F35A238}) (Version: 14.0.8014.1029 - Microsoft Corporation)

==================== Restore Points  =========================

Could not list Restore Points. Check "winmgmt" service or repair WMI.
 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-03-2014  01 (ATTENTION: ====> FRST version is 27 days old and could be outdated)
Ran by Jople (administrator) on BOING-417332229 on 09-04-2014 05:24:28
Running from C:\My Documents
Microsoft Windows XP Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(AVG Technologies CZ, s.r.o.) F:\PROGRA~1\AVG\AVG2013\avgrsx.exe
(AVG Technologies CZ, s.r.o.) F:\Program Files\AVG\AVG2013\avgcsrvx.exe
(AVG Technologies CZ, s.r.o.) F:\Program Files\AVG\AVG2013\avgidsagent.exe
(Intel Corporation) F:\WINDOWS\system32\hkcmd.exe
(AVG Technologies CZ, s.r.o.) F:\Program Files\AVG\AVG2013\avgui.exe
(AVG Technologies CZ, s.r.o.) F:\Program Files\AVG\AVG2013\avgwdsvc.exe
(CANON INC.) F:\Program Files\Canon\MyPrinter\BJMyPrt.exe
(PCtel, Inc.) F:\WINDOWS\system32\pctspk.exe
(AVG Technologies CZ, s.r.o.) F:\Program Files\AVG\AVG2013\avgnsx.exe
(AVG Technologies CZ, s.r.o.) F:\Program Files\AVG\AVG2013\avgemcx.exe
(Microsoft Corporation) F:\WINDOWS\system32\wuauclt.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Skype Technologies S.A.) F:\Program Files\Skype\Phone\Skype.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\plugin-container.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [AVG_UI] - F:\Program Files\AVG\AVG2013\avgui.exe [4411952 2013-11-20] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [CanonMyPrinter] - F:\Program Files\Canon\MyPrinter\BJMyPrt.exe [1191936 2006-03-21] (CANON INC.)
Winlogon\Notify\igfxcui: F:\WINDOWS\system32\igfxsrvc.dll (Intel Corporation)
HKU\S-1-5-21-1214440339-1604221776-842925246-1003\...\Run: [OM2_Monitor] - C:\Ext Drive\MMonitor.exe [95800 2007-02-08] (OLYMPUS IMAGING CORP.)
HKU\S-1-5-21-1214440339-1604221776-842925246-1003\...\Run: [Skype] - F:\Program Files\Skype\Phone\Skype.exe [18705664 2013-01-08] (Skype Technologies S.A.)
Startup: F:\Documents and Settings\All Users\Start Menu\Programs\Startup\NETGEAR WNA1100 Genie.lnk
ShortcutTarget: NETGEAR WNA1100 Genie.lnk -> F:\Program Files\NETGEAR\WNA1100\WNA1100.exe ()
Startup: F:\Documents and Settings\All Users\Start Menu\Programs\Startup\Shortcut to Startup ()

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM - DefaultScope {77AA745B-F4F8-45DA-9B14-61D2D95054C8} URL =
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search
SearchScopes: HKCU - DefaultScope {77AA745B-F4F8-45DA-9B14-61D2D95054C8} URL =
BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - F:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll ()
BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - F:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
Toolbar: HKLM - Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - F:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
Toolbar: HKCU - &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - F:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: F:\Documents and Settings\Jople\Application Data\Mozilla\Firefox\Profiles\e3fwf1ja.default-1371134306531
FF user.js: detected! => F:\Documents and Settings\Jople\Application Data\Mozilla\Firefox\Profiles\e3fwf1ja.default-1371134306531\user.js
FF DefaultSearchEngine: Mysearchdial
FF SearchEngineOrder.1: Mysearchdial
FF SelectedSearchEngine: Mysearchdial
FF Homepage: about:home
FF Plugin: @adobe.com/FlashPlayer - F:\WINDOWS\system32\Macromed\Flash\NPSWF32_12_0_0_77.dll ()
FF Plugin: @java.com/DTPlugin,version=10.25.2 - F:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - F:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 - F:\Program Files\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - F:\Program Files\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader - F:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF SearchPlugin: F:\Documents and Settings\Jople\Application Data\Mozilla\Firefox\Profiles\e3fwf1ja.default-1371134306531\searchplugins\Mysearchdial.xml
FF Extension: mysearchdial.com - F:\Documents and Settings\Jople\Application Data\Mozilla\Firefox\Profiles\e3fwf1ja.default-1371134306531\Extensions\ffxtlbr@mysearchdial.com [2014-03-31]
FF Extension: FireFox Tweak - F:\Documents and Settings\Jople\Application Data\Mozilla\Firefox\Profiles\e3fwf1ja.default-1371134306531\Extensions\firefoxtweak@pribic.am [2013-06-23]
FF Extension: MySearchDial - F:\Documents and Settings\Jople\Application Data\Mozilla\Firefox\Profiles\e3fwf1ja.default-1371134306531\Extensions\{ad9a41d2-9a49-4fa6-a79e-71a0785364c8}.xpi [2014-03-31]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - F:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - F:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ []
FF StartMenuInternet: FIREFOX.EXE - C:\Program Files\Mozilla Firefox\firefox.exe

========================== Services (Whitelisted) =================

R2 AVGIDSAgent; F:\Program Files\AVG\AVG2013\avgidsagent.exe [4939312 2013-07-04] (AVG Technologies CZ, s.r.o.)
R2 avgwd; F:\Program Files\AVG\AVG2013\avgwdsvc.exe [283136 2013-11-20] (AVG Technologies CZ, s.r.o.)
R2 Pctspk; F:\WINDOWS\system32\pctspk.exe [86016 2001-08-17] (PCtel, Inc.)
S4 ACDaemon; F:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [X]
S4 Secunia PSI Agent; "F:\Program Files\Secunia\PSI\PSIA.exe" --start-service [X]
S4 Secunia Update Agent; "F:\Program Files\Secunia\PSI\sua.exe" --start-service [X]

==================== Drivers (Whitelisted) ====================

R3 Afc; F:\WINDOWS\System32\drivers\Afc.sys [18688 2006-11-10] (Arcsoft, Inc.)
R3 AR9271; F:\WINDOWS\System32\DRIVERS\athuw.sys [1759584 2010-09-30] (Atheros Communications, Inc.)
R1 AVGIDSDriver; F:\WINDOWS\System32\DRIVERS\avgidsdriverx.sys [208184 2013-11-25] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHX; F:\WINDOWS\System32\DRIVERS\avgidshx.sys [60216 2013-07-20] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSShim; F:\WINDOWS\System32\DRIVERS\avgidsshimx.sys [22328 2013-10-23] (AVG Technologies CZ, s.r.o.)
R1 Avgldx86; F:\WINDOWS\System32\DRIVERS\avgldx86.sys [171320 2013-07-20] (AVG Technologies CZ, s.r.o.)
R0 Avglogx; F:\WINDOWS\System32\DRIVERS\avglogx.sys [246072 2013-07-20] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx86; F:\WINDOWS\System32\DRIVERS\avgmfx86.sys [96568 2013-07-01] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; F:\WINDOWS\System32\DRIVERS\avgrkx86.sys [39224 2013-10-23] (AVG Technologies CZ, s.r.o.)
R1 Avgtdix; F:\WINDOWS\System32\DRIVERS\avgtdix.sys [182072 2013-03-21] (AVG Technologies CZ, s.r.o.)
S3 BCMModem; F:\WINDOWS\System32\DRIVERS\BCMDM.sys [871388 2001-08-17] (BCM)
S3 CCDECODE; F:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2008-04-14] (Microsoft Corporation)
S3 NdisIP; F:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2008-04-14] (Microsoft Corporation)
S3 PSI; F:\WINDOWS\System32\DRIVERS\psi_mf_x86.sys [16024 2013-04-18] (Secunia)
R3 Ptserlp; F:\WINDOWS\System32\DRIVERS\ptserlp.sys [112574 2001-08-17] (PCTEL, INC.)
R0 Vmodem; F:\WINDOWS\System32\DRIVERS\vmodem.sys [604253 2001-08-17] (PCTEL, INC.)
R0 Vpctcom; F:\WINDOWS\System32\DRIVERS\vpctcom.sys [397502 2001-08-17] (PCtel, Inc.)
R0 Vvoice; F:\WINDOWS\System32\DRIVERS\vvoice.sys [64605 2001-08-17] (PCtel, Inc.)
S3 catchme; \??\F:\DOCUME~1\Jople\LOCALS~1\Temp\catchme.sys [X]
S0 cerc6; No ImagePath

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-04-09 05:23 - 2014-04-09 05:24 - 00000000 ____D () F:\FRST
2014-04-08 19:25 - 2014-04-08 19:34 - 00002420 _____ () F:\WINDOWS\wmsetup.log
2014-04-08 15:19 - 2014-04-08 15:19 - 00000000 ____D () F:\Program Files\ESET
2014-04-07 13:02 - 2014-04-07 13:02 - 00009092 _____ () F:\ComboFix.txt
2014-04-07 12:17 - 2011-06-26 02:45 - 00256000 _____ () F:\WINDOWS\PEV.exe
2014-04-07 12:17 - 2010-11-07 13:20 - 00208896 _____ () F:\WINDOWS\MBR.exe
2014-04-07 12:17 - 2009-04-20 00:56 - 00060416 _____ (NirSoft) F:\WINDOWS\NIRCMD.exe
2014-04-07 12:17 - 2000-08-30 20:00 - 00518144 _____ (SteelWerX) F:\WINDOWS\SWREG.exe
2014-04-07 12:17 - 2000-08-30 20:00 - 00406528 _____ (SteelWerX) F:\WINDOWS\SWSC.exe
2014-04-07 12:17 - 2000-08-30 20:00 - 00212480 _____ (SteelWerX) F:\WINDOWS\SWXCACLS.exe
2014-04-07 12:17 - 2000-08-30 20:00 - 00098816 _____ () F:\WINDOWS\sed.exe
2014-04-07 12:17 - 2000-08-30 20:00 - 00080412 _____ () F:\WINDOWS\grep.exe
2014-04-07 12:17 - 2000-08-30 20:00 - 00068096 _____ () F:\WINDOWS\zip.exe
2014-04-07 12:16 - 2014-04-07 13:02 - 00000000 ____D () F:\Qoobox
2014-04-06 19:45 - 2014-04-06 19:45 - 00000794 _____ () F:\Documents and Settings\Jople\Desktop\Inv Doc 040514.txt
2014-04-06 19:40 - 2014-04-08 17:41 - 00000000 ____D () F:\Documents and Settings\Jople\Desktop\Scan Reports (old)
2014-04-02 19:52 - 2014-04-02 19:52 - 00000000 ____D () F:\WINDOWS\ERUNT
2014-04-01 18:26 - 2014-04-01 18:26 - 00000047 _____ () F:\Documents and Settings\NetworkService\Application Data\WB.CFG
2014-03-31 18:20 - 2014-03-31 18:17 - 00508240 _____ (Microsoft Corporation) F:\Documents and Settings\Jople\Downloads\ie6setupOe.exe

==================== One Month Modified Files and Folders =======

2014-04-09 05:24 - 2014-04-09 05:23 - 00000000 ____D () F:\FRST
2014-04-09 05:23 - 2014-01-07 08:26 - 00000000 ____D () F:\Documents and Settings\Jople\Application Data\Skype
2014-04-09 05:21 - 2013-05-03 11:38 - 00000830 _____ () F:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2014-04-09 05:13 - 2013-05-03 00:03 - 00000884 _____ () F:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2014-04-09 02:45 - 2012-12-08 14:53 - 01284376 _____ () F:\WINDOWS\WindowsUpdate.log
2014-04-08 21:12 - 2013-05-03 00:03 - 00000880 _____ () F:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2014-04-08 19:51 - 2014-01-07 20:55 - 00002265 _____ () F:\Documents and Settings\All Users\Desktop\Skype.lnk
2014-04-08 19:34 - 2014-04-08 19:25 - 00002420 _____ () F:\WINDOWS\wmsetup.log
2014-04-08 17:41 - 2014-04-06 19:40 - 00000000 ____D () F:\Documents and Settings\Jople\Desktop\Scan Reports (old)
2014-04-08 17:39 - 2013-05-26 06:52 - 00000048 _____ () F:\WINDOWS\wiaservc.log
2014-04-08 17:39 - 2012-12-08 09:46 - 00000159 _____ () F:\WINDOWS\wiadebug.log
2014-04-08 17:38 - 2012-12-08 15:00 - 00000006 ____H () F:\WINDOWS\Tasks\SA.DAT
2014-04-08 17:38 - 2008-04-13 19:00 - 00002278 _____ () F:\WINDOWS\system32\wpa.dbl
2014-04-08 17:34 - 2013-11-17 12:45 - 00032632 _____ () F:\WINDOWS\SchedLgU.Txt
2014-04-08 17:34 - 2012-12-08 23:01 - 00000000 ____D () F:\Documents and Settings\All Users\Application Data\MFAData
2014-04-08 17:33 - 2013-05-02 19:46 - 00000178 ___SH () F:\Documents and Settings\Jople\ntuser.ini
2014-04-08 15:19 - 2014-04-08 15:19 - 00000000 ____D () F:\Program Files\ESET
2014-04-08 14:44 - 2014-03-02 06:34 - 00024179 _____ () F:\WINDOWS\setupapi.log
2014-04-07 16:41 - 2013-05-15 23:26 - 00000000 ____D () F:\Documents and Settings\Jople\Local Settings\Application Data\Paint.NET
2014-04-07 13:02 - 2014-04-07 13:02 - 00009092 _____ () F:\ComboFix.txt
2014-04-07 13:02 - 2014-04-07 12:16 - 00000000 ____D () F:\Qoobox
2014-04-07 13:02 - 2012-12-08 15:00 - 00000000 __SHD () F:\Documents and Settings\LocalService
2014-04-07 12:56 - 2008-04-13 19:00 - 00000227 _____ () F:\WINDOWS\system.ini
2014-04-07 12:14 - 2013-06-02 14:43 - 00000000 ____D () F:\WINDOWS\erdnt
2014-04-06 19:45 - 2014-04-06 19:45 - 00000794 _____ () F:\Documents and Settings\Jople\Desktop\Inv Doc 040514.txt
2014-04-02 19:52 - 2014-04-02 19:52 - 00000000 ____D () F:\WINDOWS\ERUNT
2014-04-02 18:14 - 2014-01-07 08:05 - 00000000 ___HD () F:\WINDOWS\PIF
2014-04-02 16:21 - 2014-01-22 09:41 - 00000970 _____ () F:\Documents and Settings\Jople\Desktop\012214.txt
2014-04-01 18:26 - 2014-04-01 18:26 - 00000047 _____ () F:\Documents and Settings\NetworkService\Application Data\WB.CFG
2014-04-01 12:14 - 2013-05-07 10:48 - 00024064 _____ () F:\Documents and Settings\Jople\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-04-01 09:01 - 2013-06-18 10:18 - 00000754 _____ () F:\WINDOWS\wordpad.INI
2014-03-31 18:17 - 2014-03-31 18:20 - 00508240 _____ (Microsoft Corporation) F:\Documents and Settings\Jople\Downloads\ie6setupOe.exe
2014-03-31 09:17 - 2013-11-16 22:47 - 00000135 _____ () F:\WINDOWS\setupact.log
2014-03-31 09:01 - 2013-05-15 13:33 - 00000000 ____D () F:\Program Files\Mozilla Maintenance Service
2014-03-12 01:21 - 2013-05-03 11:38 - 00692616 _____ (Adobe Systems Incorporated) F:\WINDOWS\system32\FlashPlayerApp.exe
2014-03-12 01:21 - 2013-05-03 11:38 - 00071048 _____ (Adobe Systems Incorporated) F:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2014-03-11 13:17 - 2008-04-13 19:00 - 00000610 _____ () F:\WINDOWS\win.ini

Some content of TEMP:
====================
F:\Documents and Settings\Jople\Local Settings\temp\setup_wm.exe


==================== Bamital & volsnap Check =================

F:\WINDOWS\explorer.exe => MD5 is legit
F:\WINDOWS\system32\winlogon.exe => MD5 is legit
F:\WINDOWS\system32\svchost.exe => MD5 is legit
F:\WINDOWS\system32\services.exe => MD5 is legit
F:\WINDOWS\system32\User32.dll => MD5 is legit
F:\WINDOWS\system32\userinit.exe => MD5 is legit
F:\WINDOWS\system32\rpcss.dll => MD5 is legit
F:\WINDOWS\system32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================


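The Services and Drivers sections of the FRST log above carry the indicators a responder reads first: the R/S prefix and start-type digit, entries marked [X] whose file is gone from disk, a driver registered with No ImagePath, and a driver path under a Temp folder (the catchme.sys line). The following Python is an added example, not part of FRST, of the thread, or of any post in it; it parses those lines and flags exactly those conditions. The sample lines are copied from the posted log, and the decoding of R/S as running/stopped and of the digit as the Windows service start type (0 boot, 1 system, 2 automatic, 3 manual, 4 disabled) is my reading of the FRST convention, stated as an assumption in the comments.

```python
"""Triage helper for the Services/Drivers lines of an FRST log.

Added example for this thread; it is not part of FRST or of any post here.
Sample lines are copied from the FRST.txt posted above.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: Services/Drivers lines taken from the posted log.
SAMPLE_LINES = r"""
R2 AVGIDSAgent; F:\Program Files\AVG\AVG2013\avgidsagent.exe [4939312 2013-07-04] (AVG Technologies CZ, s.r.o.)
R2 Pctspk; F:\WINDOWS\system32\pctspk.exe [86016 2001-08-17] (PCtel, Inc.)
S4 ACDaemon; F:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [X]
S4 Secunia PSI Agent; "F:\Program Files\Secunia\PSI\PSIA.exe" --start-service [X]
R3 Afc; F:\WINDOWS\System32\drivers\Afc.sys [18688 2006-11-10] (Arcsoft, Inc.)
S3 catchme; \??\F:\DOCUME~1\Jople\LOCALS~1\Temp\catchme.sys [X]
S0 cerc6; No ImagePath
""".strip().splitlines()

# FRST prefixes each entry with R (running) or S (stopped) followed by the
# Windows service start type: 0 boot, 1 system, 2 automatic, 3 manual,
# 4 disabled. This decoding is my reading of the FRST convention (assumption).
STATUS = {"R": "running", "S": "stopped"}
START_TYPE = {"0": "boot", "1": "system", "2": "automatic", "3": "manual", "4": "disabled"}

ENTRY_RE = re.compile(r"^([RS])([0-4])\s+([^;]+);\s*(.*)$")
# "<image> [<size> <yyyy-mm-dd>] (<vendor>)"; the vendor may be empty: "()"
IMAGE_RE = re.compile(r"^(.*?)\s*\[(\d+)\s+(\d{4}-\d{2}-\d{2})\]\s*\((.*)\)$")
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)


@dataclass
class Entry:
    name: str
    status: str
    start_type: str
    image: Optional[str] = None
    size: Optional[int] = None
    file_date: Optional[str] = None
    vendor: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one Services/Drivers line; return None for lines of other sections."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    status, start, name, rest = m.groups()
    entry = Entry(name.strip(), STATUS[status], START_TYPE[start])

    if rest == "No ImagePath":
        # A registered service/driver with no binary path: leftover or tampered entry.
        entry.flags.append("no-imagepath")
        return entry
    if rest.endswith("[X]"):
        # FRST marks entries whose file is no longer on disk with [X].
        entry.image = rest[:-3].strip()
        entry.flags.append("file-missing")
    else:
        im = IMAGE_RE.match(rest)
        if im:
            entry.image, size, entry.file_date, vendor = im.groups()
            entry.size = int(size)
            entry.vendor = vendor or None
            if not vendor:
                entry.flags.append("no-vendor")
    if entry.image and TEMP_DIR_RE.search(entry.image):
        # A service or driver loading from a Temp folder deserves a second look.
        entry.flags.append("temp-path")
    return entry


def triage(lines: List[str]) -> List[Entry]:
    """Parse every recognisable Services/Drivers entry in the given log lines."""
    return [e for e in (parse_entry(l) for l in lines) if e is not None]


def flagged(entries: List[Entry]) -> dict:
    """Map entry name -> flags for every entry that raised at least one flag."""
    return {e.name: e.flags for e in entries if e.flags}


if __name__ == "__main__":
    for name, flags in flagged(triage(SAMPLE_LINES)).items():
        print(f"{name}: {', '.join(flags)}")
```

Run against the sample, the four entries that stand out in the posted log come back flagged (ACDaemon and the two Secunia services as file-missing, catchme as file-missing plus temp-path, cerc6 as no-imagepath) while the AVG, PCtel and ArcSoft entries parse cleanly with their size, date and vendor. A flag is a reason to look, not a verdict: an uninstalled product routinely leaves [X] services behind.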


#14 Jove

Jove
  • Topic Starter

  • Members
  • 2,739 posts
  • OFFLINE
  • Gender:Male
  • Location:Very South Jersey
  • Local time:01:47 AM

Posted 09 April 2014 - 04:36 AM

Still experiencing flashing on screen!




#15 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:47 AM

Posted 09 April 2014 - 05:51 AM

One after the other! :)

Fix with FRST (normal mode)

WARNING: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

  • Download the attached fixlist.txt and save it to the location where FRST is saved to.
  • Run FRST.exe (on 64bit, run FRST64.exe) and press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) which you find where you saved FRST. Please post it in your reply.

Scan with ESET Online Scan

Please go to here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.




