Glitchy ads heard in background, nothing running.


  • This topic is locked
15 replies to this topic

#1 Vincont

  • Members
  • 9 posts

Posted 23 April 2014 - 10:30 PM

Mod Edit: Moved to proper forum ~~ boopme

Trying to fix my parents' computer. I think this thing is buried deep. Appreciate the help.
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.16521  BrowserJavaVersion: 1.6.0_30
Run by Home at 20:25:20 on 2014-04-23
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3797.2307 [GMT -7:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe
C:\Program Files (x86)\Gateway\Registration\GREGsvc.exe
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\System32\WUDFHost.exe
C:\Program Files (x86)\Citrix\ICA Client\ssonsvr.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Program Files (x86)\Nero\Update\NASvc.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_182.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_182.exe
svchost.exe
C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe
C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe
C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe
c:\program files (x86)\teamviewer\version9\TeamViewer_Desktop.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: MSS+ Identifier: {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files\McAfee Security Scan\3.8.141\McAfeeMSS_IE.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
mRun: [emsisoft anti-malware] "C:\Program Files (x86)\Emsisoft Anti-Malware\a2guard.exe" /d=60
dRunOnce: [osk.exe] osk.exe
uPolicies-Explorer: NoDrives = dword:0
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-System: EnableLUA = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: NameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{E51D89D6-4520-444F-A679-D3B5C63BAEA1} : DHCPNameServer = 75.75.75.75 75.75.76.76
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\34.0.1847.116\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-mStart Page = hxxp://www.google.com
x64-BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Home\AppData\Roaming\Mozilla\Firefox\Profiles\cq44f5ni.default-1388250676722\
FF - plugin: C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.23.9\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprpplugin.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Program Files\McAfee Security Scan\3.8.141\npMcAfeeMSS.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_13_0_0_182.dll
.
============= SERVICES / DRIVERS ===============
.
R0 amd_sata;amd_sata;C:\Windows\System32\drivers\amd_sata.sys [2011-8-16 79488]
R0 amd_xata;amd_xata;C:\Windows\System32\drivers\amd_xata.sys [2011-8-16 40064]
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2013-9-27 248240]
R1 A2DDA;A2 Direct Disk Access Support Driver;C:\Program Files (x86)\Emsisoft Anti-Malware\a2ddax64.sys [2014-4-1 26176]
R1 ctxusbm;Citrix USB Monitor Driver;C:\Windows\System32\drivers\ctxusbm.sys [2012-3-19 89536]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\System32\drivers\dtsoftbus01.sys [2013-11-24 283064]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R1 wStLibG64;wStLibG64;C:\Windows\System32\drivers\wStLibG64.sys [2014-3-25 61120]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2012-7-11 140672]
R2 a2AntiMalware;Emsisoft Anti-Malware 8.0 - Service;C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe [2014-4-1 4163584]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2011-8-16 204288]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2013-4-22 822504]
R2 Garmin Core Update Service;Garmin Core Update Service;C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [2013-9-19 250200]
R2 GREGService;GREGService;C:\Program Files (x86)\Gateway\Registration\GREGsvc.exe [2011-5-29 36456]
R2 Live Updater Service;Live Updater Service;C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe [2011-8-16 244624]
R2 NAUpdate;Nero Update;C:\Program Files (x86)\Nero\Update\NASvc.exe [2011-3-29 598312]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2013-6-26 523944]
R2 TeamViewer9;TeamViewer 9;C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe [2013-11-8 5305696]
R2 WDDMService;WD SmartWare Drive Manager Service;C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2009-10-14 116224]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
R3 amdhub30;AMD USB 3.0 Hub Driver;C:\Windows\System32\drivers\amdhub30.sys [2011-10-20 87168]
R3 amdxhc;AMD USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\amdxhc.sys [2011-10-20 188544]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2011-8-16 231440]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-8-16 533096]
R3 Sftfs;Sftfs;C:\Windows\System32\drivers\Sftfslh.sys [2013-6-26 767144]
R3 Sftplay;Sftplay;C:\Windows\System32\drivers\Sftplaylh.sys [2013-6-26 273576]
R3 Sftredir;Sftredir;C:\Windows\System32\drivers\Sftredirlh.sys [2013-6-26 28840]
R3 Sftvol;Sftvol;C:\Windows\System32\drivers\Sftvollh.sys [2013-6-26 23208]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2013-6-26 207528]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S3 a2acc;a2acc;C:\Program Files (x86)\Emsisoft Anti-Malware\a2accx64.sys [2014-4-1 71472]
S3 cleanhlp;cleanhlp;C:\Program Files (x86)\Emsisoft Anti-Malware\cleanhlp64.sys [2014-4-1 57024]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-3-12 111616]
S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files\McAfee Security Scan\3.8.141\McCHSvc.exe [2014-1-15 289256]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2013-9-27 134944]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2013-10-23 348376]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-12-13 54784]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-6-23 1255736]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\System32\drivers\wdcsam64.sys [2009-2-13 14464]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2014-04-24 02:57:23    10651704    ----a-w-    C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{3A36301D-1C26-41DB-9C97-C2864688715E}\mpengine.dll
2014-04-23 14:58:59    --------    d-----w-    C:\_OTL
2014-04-23 14:43:46    108968    ----a-w-    C:\Windows\System32\WindowsAccessBridge-64.dll
2014-04-23 14:42:49    --------    d-----w-    C:\ProgramData\Oracle
2014-04-23 05:11:44    --------    d-----w-    C:\Program Files (x86)\ESET
2014-04-23 04:41:05    --------    d-----w-    C:\$RECYCLE.BIN
2014-04-23 04:23:01    --------    d-----w-    C:\ComboFix
2014-04-23 04:11:40    --------    d-----w-    C:\Windows\System32\catroot2
2014-04-23 00:52:49    1031560    ------w-    C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{D2062CB9-7783-40AD-AFE5-DE8BF205C7C3}\gapaengine.dll
2014-04-23 00:52:25    10651704    ----a-w-    C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-04-02 03:49:24    --------    d-----w-    C:\Program Files (x86)\Emsisoft Anti-Malware
2014-04-02 03:46:31    --------    d-----w-    C:\AdwCleaner
2014-04-02 03:13:09    119512    ----a-w-    C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-04-02 03:12:39    88280    ----a-w-    C:\Windows\System32\drivers\mbamchameleon.sys
2014-04-02 03:12:39    63192    ----a-w-    C:\Windows\System32\drivers\mwac.sys
2014-04-02 03:12:39    --------    d-----w-    C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-03-30 16:44:04    --------    d-----w-    C:\Users\Home\AppData\Local\Daring_Development_Inc
2014-03-28 03:00:09    --------    d-----w-    C:\Users\Home\AppData\Local\{D5CAEC92-6D6B-47E6-99A4-8736E0290C38}
2014-03-26 01:15:45    --------    d-----w-    C:\Users\Home\AppData\Local\{EB6F58B6-F453-41FA-BB6E-291EA18E59A9}
2014-03-25 07:09:18    61120    ----a-w-    C:\Windows\System32\drivers\wStLibG64.sys
.
==================== Find3M  ====================
.
2014-04-23 14:43:48    70832    ----a-w-    C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-04-23 14:43:48    692400    ----a-w-    C:\Windows\SysWow64\FlashPlayerApp.exe
2014-03-05 16:32:16    25816    ----a-w-    C:\Windows\System32\drivers\mbam.sys
2014-03-01 05:17:02    2724864    ----a-w-    C:\Windows\System32\mshtml.tlb
2014-03-01 05:16:26    4096    ----a-w-    C:\Windows\System32\ieetwcollectorres.dll
2014-03-01 04:52:55    66048    ----a-w-    C:\Windows\System32\iesetup.dll
2014-03-01 04:51:59    48640    ----a-w-    C:\Windows\System32\ieetwproxystub.dll
2014-03-01 04:33:52    139264    ----a-w-    C:\Windows\System32\ieUnatt.exe
2014-03-01 04:33:34    111616    ----a-w-    C:\Windows\System32\ieetwcollector.exe
2014-03-01 04:32:59    708608    ----a-w-    C:\Windows\System32\jscript9diag.dll
2014-03-01 04:23:49    940032    ----a-w-    C:\Windows\System32\MsSpellCheckingFacility.exe
2014-03-01 04:11:20    2724864    ----a-w-    C:\Windows\SysWow64\mshtml.tlb
2014-03-01 03:54:33    5768704    ----a-w-    C:\Windows\System32\jscript9.dll
2014-03-01 03:52:43    61952    ----a-w-    C:\Windows\SysWow64\iesetup.dll
2014-03-01 03:51:53    51200    ----a-w-    C:\Windows\SysWow64\ieetwproxystub.dll
2014-03-01 03:38:26    112128    ----a-w-    C:\Windows\SysWow64\ieUnatt.exe
2014-03-01 03:37:35    553472    ----a-w-    C:\Windows\SysWow64\jscript9diag.dll
2014-03-01 03:35:11    2041856    ----a-w-    C:\Windows\System32\inetcpl.cpl
2014-03-01 03:14:15    4244480    ----a-w-    C:\Windows\SysWow64\jscript9.dll
2014-03-01 03:10:28    2334208    ----a-w-    C:\Windows\System32\wininet.dll
2014-03-01 03:00:08    1964032    ----a-w-    C:\Windows\SysWow64\inetcpl.cpl
2014-03-01 02:32:16    1820160    ----a-w-    C:\Windows\SysWow64\wininet.dll
2014-02-07 01:23:30    3156480    ----a-w-    C:\Windows\System32\win32k.sys
2014-02-04 02:32:22    1424384    ----a-w-    C:\Windows\System32\WindowsCodecs.dll
2014-02-04 02:32:12    624128    ----a-w-    C:\Windows\System32\qedit.dll
2014-02-04 02:04:22    1230336    ----a-w-    C:\Windows\SysWow64\WindowsCodecs.dll
2014-02-04 02:04:11    509440    ----a-w-    C:\Windows\SysWow64\qedit.dll
2014-01-29 02:32:18    484864    ----a-w-    C:\Windows\System32\wer.dll
2014-01-29 02:06:47    381440    ----a-w-    C:\Windows\SysWow64\wer.dll
2014-01-28 02:32:46    228864    ----a-w-    C:\Windows\System32\wwansvc.dll
.
============= FINISH: 20:25:31.87 ===============

Edited by boopme, 23 April 2014 - 11:13 PM.
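Two lines in the DDS log above are the ones a responder reads first: both Microsoft Security Essentials entries report *Disabled*, and the user policies key carries EnableLUA = dword:0 (DDS prints dword values in decimal, so the 145 next to NoDriveTypeAutoRun is 0x91, the Windows 7 default). The ComboFix output posted later in the thread adds a third signal in its Sigcheck section: c:\windows\system32\rpcss.dll has a different MD5 and size from the copies of the same version string held in WinSxS and the ERDNT cache. The Python script below is an added example for readers of this thread; it is not part of the original post and not a feature of DDS or ComboFix. It parses lines in those two formats and flags exactly those conditions, and it also handles ConsentPromptBehaviorAdmin = 0 (silent elevation), which this log does not contain. The sample lines are constructed from the logs in this thread; the mapping of DDS's u/m/d prefixes to registry hives and the severity labels are assumptions of mine.

```python
import re
from collections import defaultdict

# Constructed sample: lines in the shape of the DDS "Pseudo HJT Report" posted above.
DDS_SAMPLE = r"""
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-System: EnableLUA = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: PromptOnSecureDesktop = dword:0
"""

# Constructed sample: rows in the shape of ComboFix's "Sigcheck" section posted later in the thread.
SIGCHECK_SAMPLE = r"""
[7] 2010-11-21 . 5C627D1B1138676C0A7AB2C2C190D123 . 512000 . . [6.1.7601.17514] .. c:\windows\erdnt\cache64\rpcss.dll
[7] 2010-11-21 . 5C627D1B1138676C0A7AB2C2C190D123 . 512000 . . [6.1.7601.17514] .. c:\windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll
[-] 2010-11-21 . 5BD9B64F4709EB5C1869F037D3FD0AD3 . 513536 . . [6.1.7601.17514] .. c:\windows\system32\rpcss.dll
"""

# Assumed mapping of DDS prefixes to hives: u = current user, m = machine, d = default user profile.
HIVES = {"u": "HKCU", "m": "HKLM", "d": r"HKU\.DEFAULT"}
POLICY_RE = re.compile(r"^([umd])Policies-(\w+):\s*(\w+)\s*=\s*dword:(\d+)\s*$")
AV_RE = re.compile(r"^(AV|SP|FW):\s*(.+?)\s*\*([^*]+)\*")
SIGCHECK_RE = re.compile(
    r"^\[([^\]]*)\]\s+(\S+)\s+\.\s+([0-9A-Fa-f]{32})\s+\.\s+(\d+)\s+\.\s+\.\s+\[([^\]]+)\]\s+\.\.\s+(.+?)\s*$"
)


def parse_dds_policies(text):
    """Map (prefix, key, value name) -> int for 'xPolicies-Key: Name = dword:N' lines.
    DDS prints the dword in decimal, so 145 is 0x91 (the Windows 7 default NoDriveTypeAutoRun)."""
    policies = {}
    for line in text.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            prefix, key, name, value = m.groups()
            policies[(prefix, key, name)] = int(value)
    return policies


def triage_uac(policies):
    """Return (severity, registry path, explanation) for policy values that weaken UAC."""
    findings = []
    for (prefix, key, name), value in policies.items():
        path = "\\".join([HIVES.get(prefix, prefix), "Software", "Microsoft", "Windows",
                          "CurrentVersion", "Policies", key, name])
        if name == "EnableLUA" and value == 0:
            if prefix == "m":
                findings.append(("high", path, "UAC is off: an administrator's processes all run with the full token"))
            else:
                # Windows reads EnableLUA from HKLM only. A per-user copy changes nothing by itself,
                # but Windows does not create it either, so it is worth asking what wrote it.
                findings.append(("info", path, "not honoured under HKCU, but not a default value either"))
        elif name == "ConsentPromptBehaviorAdmin" and value == 0:
            findings.append(("high", path, "administrators elevate silently with no prompt"))
        elif name == "PromptOnSecureDesktop" and value == 0:
            findings.append(("medium", path, "elevation prompts are drawn on the interactive desktop, "
                                             "where other software can overlay or drive them"))
    return findings


def triage_av_state(text):
    """Return (severity, product type, product, state) for AV/SP/FW lines DDS marks *Disabled*."""
    findings = []
    for line in text.splitlines():
        m = AV_RE.match(line.strip())
        if m and "disabled" in m.group(3).lower():
            findings.append(("high", m.group(1), m.group(2), m.group(3)))
    return findings


def sigcheck_mismatches(text):
    """Flag Sigcheck rows whose MD5 differs from a same-version copy in the WinSxS component store.

    The version string comes from the file's own version resource, so two copies that claim the same
    version but hash differently (and here also differ in size) cannot both be the file Microsoft shipped.
    Only WinSxS copies are used as the reference; the ERDNT cache is ComboFix's own backup.
    """
    groups = defaultdict(list)
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        flag, _date, md5, size, version, path = m.groups()
        name = path.lower().rsplit("\\", 1)[-1]
        groups[(name, version)].append({"flag": flag, "md5": md5.upper(), "size": int(size), "path": path})

    flagged = []
    for (_name, version), rows in groups.items():
        reference = {r["md5"] for r in rows if "\\winsxs\\" in r["path"].lower()}
        if not reference:
            continue  # no component-store copy to compare against
        for r in rows:
            if r["md5"] not in reference:
                flagged.append((r["path"], r["md5"], r["size"], version, r["flag"]))
    return flagged


if __name__ == "__main__":
    pol = parse_dds_policies(DDS_SAMPLE)
    for finding in triage_av_state(DDS_SAMPLE) + triage_uac(pol):
        print(" | ".join(str(f) for f in finding))
    for path, md5, size, version, flag in sigcheck_mismatches(SIGCHECK_SAMPLE):
        print(f"MODIFIED? {path} md5={md5} size={size} version={version} sigcheck_flag=[{flag}]")
```

The hash comparison is the part worth keeping in mind: a signed-looking filename and a correct version resource prove nothing, and the only copies of a Windows 7 system DLL you can treat as a baseline are the ones in the component store, which is also where ComboFix's "Restored copy from" line above says the replacement kernel32.dll came from.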


#2 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 24 April 2014 - 04:36 AM

Hi there,
My name is Marius and I will assist you with your malware-related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Please post up C:\combofix.txt... :rolleyes:


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, you can donate (no worries, every little bit helps).

#3 Vincont

  • Topic Starter
  • Members
  • 9 posts

Posted 24 April 2014 - 09:52 PM

Hello, thank you for the quick reply as well as the clear instructions. I really appreciate the attention and help. Sorry I couldn't get back to you sooner, very busy day.

 

ComboFix 14-04-20.01 - Home 04/24/2014   8:24.5.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3797.2683 [GMT -7:00]
Running from: c:\users\Home\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-- Previous Run --
.
Infected copy of c:\windows\SysWow64\kernel32.dll was found and disinfected
Restored copy from - c:\windows\winsxs\wow64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7601.22436_none_fcae77f5ba77fe97\kernel32.dll
.
--------
.
.
(((((((((((((((((((((((((   Files Created from 2014-03-24 to 2014-04-24  )))))))))))))))))))))))))))))))
.
.
2014-04-24 15:35 . 2014-04-24 15:35    --------    d-----w-    c:\users\Public\AppData\Local\temp
2014-04-24 15:35 . 2014-04-24 15:35    --------    d-----w-    c:\users\Default\AppData\Local\temp
2014-04-24 02:57 . 2014-04-16 10:22    10651704    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3A36301D-1C26-41DB-9C97-C2864688715E}\mpengine.dll
2014-04-23 14:58 . 2014-04-23 14:58    --------    d-----w-    C:\_OTL
2014-04-23 14:43 . 2014-04-23 14:45    108968    ----a-w-    c:\windows\system32\WindowsAccessBridge-64.dll
2014-04-23 14:43 . 2014-04-23 14:43    189352    ----a-w-    c:\windows\system32\javaw.exe
2014-04-23 14:43 . 2014-04-23 14:43    189352    ----a-w-    c:\windows\system32\java.exe
2014-04-23 14:43 . 2014-04-23 14:43    --------    d-----w-    c:\program files\Java
2014-04-23 14:42 . 2014-04-23 14:45    --------    d-----w-    c:\programdata\Oracle
2014-04-23 05:11 . 2014-04-23 05:11    --------    d-----w-    c:\program files (x86)\ESET
2014-04-23 04:11 . 2014-04-23 04:43    --------    d-----w-    c:\windows\system32\catroot2
2014-04-23 00:52 . 2014-02-20 14:41    1031560    ------w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D2062CB9-7783-40AD-AFE5-DE8BF205C7C3}\gapaengine.dll
2014-04-23 00:52 . 2014-04-16 10:22    10651704    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-04-02 03:49 . 2014-04-23 15:23    --------    d-----w-    c:\program files (x86)\Emsisoft Anti-Malware
2014-04-02 03:46 . 2014-04-02 03:47    --------    d-----w-    C:\AdwCleaner
2014-04-02 03:13 . 2014-04-02 03:13    119512    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-04-02 03:12 . 2014-04-02 03:12    --------    d-----w-    c:\program files (x86)\Malwarebytes Anti-Malware
2014-04-02 03:12 . 2014-03-05 16:32    63192    ----a-w-    c:\windows\system32\drivers\mwac.sys
2014-04-02 03:12 . 2014-03-05 16:32    88280    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-03-30 16:44 . 2014-03-30 16:44    --------    d-----w-    c:\users\Home\AppData\Local\Daring_Development_Inc
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-04-23 14:43 . 2012-05-07 18:16    692400    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2014-04-23 14:43 . 2011-08-17 04:29    70832    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-04-23 04:08 . 2013-05-06 21:05    181064    ----a-w-    c:\windows\PSEXESVC.EXE
2014-03-25 07:09 . 2014-03-25 07:09    61120    ----a-w-    c:\windows\system32\drivers\wStLibG64.sys
2014-03-19 10:00 . 2014-02-07 00:49    90015360    ----a-w-    c:\windows\system32\MRT.exe
2014-03-11 16:52 . 2013-09-27 17:53    133928    ----a-w-    c:\windows\system32\drivers\NisDrvWFP.sys
2014-03-05 16:32 . 2012-01-16 03:50    25816    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-03-01 06:05 . 2014-03-12 13:28    23133696    ----a-w-    c:\windows\system32\mshtml.dll
2014-03-01 05:17 . 2014-03-12 13:28    2724864    ----a-w-    c:\windows\system32\mshtml.tlb
2014-03-01 05:16 . 2014-03-12 13:28    4096    ----a-w-    c:\windows\system32\ieetwcollectorres.dll
2014-03-01 04:58 . 2014-03-12 13:28    2765824    ----a-w-    c:\windows\system32\iertutil.dll
2014-03-01 04:52 . 2014-03-12 13:28    66048    ----a-w-    c:\windows\system32\iesetup.dll
2014-03-01 04:51 . 2014-03-12 13:28    48640    ----a-w-    c:\windows\system32\ieetwproxystub.dll
2014-03-01 04:42 . 2014-03-12 13:28    53760    ----a-w-    c:\windows\system32\jsproxy.dll
2014-03-01 04:40 . 2014-03-12 13:28    33792    ----a-w-    c:\windows\system32\iernonce.dll
2014-03-01 04:37 . 2014-03-12 13:28    574976    ----a-w-    c:\windows\system32\ieui.dll
2014-03-01 04:33 . 2014-03-12 13:28    139264    ----a-w-    c:\windows\system32\ieUnatt.exe
2014-03-01 04:33 . 2014-03-12 13:28    111616    ----a-w-    c:\windows\system32\ieetwcollector.exe
2014-03-01 04:32 . 2014-03-12 13:28    708608    ----a-w-    c:\windows\system32\jscript9diag.dll
2014-03-01 04:23 . 2014-03-12 13:28    940032    ----a-w-    c:\windows\system32\MsSpellCheckingFacility.exe
2014-03-01 04:17 . 2014-03-12 13:28    218624    ----a-w-    c:\windows\system32\ie4uinit.exe
2014-03-01 04:11 . 2014-03-12 13:28    2724864    ----a-w-    c:\windows\SysWow64\mshtml.tlb
2014-03-01 04:02 . 2014-03-12 13:28    195584    ----a-w-    c:\windows\system32\msrating.dll
2014-03-01 03:54 . 2014-03-12 13:28    5768704    ----a-w-    c:\windows\system32\jscript9.dll
2014-03-01 03:52 . 2014-03-12 13:28    61952    ----a-w-    c:\windows\SysWow64\iesetup.dll
2014-03-01 03:51 . 2014-03-12 13:28    51200    ----a-w-    c:\windows\SysWow64\ieetwproxystub.dll
2014-03-01 03:42 . 2014-03-12 13:28    627200    ----a-w-    c:\windows\system32\msfeeds.dll
2014-03-01 03:38 . 2014-03-12 13:28    112128    ----a-w-    c:\windows\SysWow64\ieUnatt.exe
2014-03-01 03:37 . 2014-03-12 13:28    553472    ----a-w-    c:\windows\SysWow64\jscript9diag.dll
2014-03-01 03:35 . 2014-03-12 13:28    2041856    ----a-w-    c:\windows\system32\inetcpl.cpl
2014-03-01 03:18 . 2014-03-12 13:28    13051904    ----a-w-    c:\windows\system32\ieframe.dll
2014-03-01 03:14 . 2014-03-12 13:28    4244480    ----a-w-    c:\windows\SysWow64\jscript9.dll
2014-03-01 03:10 . 2014-03-12 13:28    2334208    ----a-w-    c:\windows\system32\wininet.dll
2014-03-01 03:00 . 2014-03-12 13:28    1964032    ----a-w-    c:\windows\SysWow64\inetcpl.cpl
2014-03-01 02:38 . 2014-03-12 13:28    1393664    ----a-w-    c:\windows\system32\urlmon.dll
2014-03-01 02:32 . 2014-03-12 13:28    1820160    ----a-w-    c:\windows\SysWow64\wininet.dll
2014-03-01 02:25 . 2014-03-12 13:28    817664    ----a-w-    c:\windows\system32\ieapfltr.dll
2014-02-20 14:41 . 2014-01-23 06:21    1031560    ------w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2014-02-07 01:23 . 2014-03-12 13:28    3156480    ----a-w-    c:\windows\system32\win32k.sys
2014-02-04 02:32 . 2014-03-12 13:28    1424384    ----a-w-    c:\windows\system32\WindowsCodecs.dll
2014-02-04 02:32 . 2014-03-12 13:28    624128    ----a-w-    c:\windows\system32\qedit.dll
2014-02-04 02:04 . 2014-03-12 13:28    1230336    ----a-w-    c:\windows\SysWow64\WindowsCodecs.dll
2014-02-04 02:04 . 2014-03-12 13:28    509440    ----a-w-    c:\windows\SysWow64\qedit.dll
2014-01-29 02:32 . 2014-03-12 13:28    484864    ----a-w-    c:\windows\system32\wer.dll
2014-01-29 02:06 . 2014-03-12 13:28    381440    ----a-w-    c:\windows\SysWow64\wer.dll
2014-01-28 02:32 . 2014-03-12 13:28    228864    ----a-w-    c:\windows\system32\wwansvc.dll
2014-01-25 08:19 . 2014-01-25 08:19    268512    ----a-w-    c:\windows\system32\drivers\MpFilter.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2010-11-21 . 5C627D1B1138676C0A7AB2C2C190D123 . 512000 . . [6.1.7601.17514] .. c:\windows\erdnt\cache64\rpcss.dll
[7] 2010-11-21 . 5C627D1B1138676C0A7AB2C2C190D123 . 512000 . . [6.1.7601.17514] .. c:\windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll
[-] 2010-11-21 . 5BD9B64F4709EB5C1869F037D3FD0AD3 . 513536 . . [6.1.7601.17514] .. c:\windows\system32\rpcss.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54    131248    ----a-w-    c:\users\Home\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54    131248    ----a-w-    c:\users\Home\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54    131248    ----a-w-    c:\users\Home\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54    131248    ----a-w-    c:\users\Home\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"emsisoft anti-malware"="c:\program files (x86)\Emsisoft Anti-Malware\a2guard.exe" [2014-04-02 4330432]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"osk.exe"="osk.exe" [2009-07-14 646144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux3"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R1 datyvcgn;datyvcgn;c:\windows\system32\drivers\datyvcgn.sys;c:\windows\SYSNATIVE\drivers\datyvcgn.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 a2acc;a2acc;c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2accx64.sys;c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2accx64.sys [x]
R3 cleanhlp;cleanhlp;c:\program files (x86)\Emsisoft Anti-Malware\cleanhlp64.sys;c:\program files (x86)\Emsisoft Anti-Malware\cleanhlp64.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.8.141\McCHSvc.exe;c:\program files\McAfee Security Scan\3.8.141\McCHSvc.exe [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys;c:\windows\SYSNATIVE\DRIVERS\wdcsam64.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_sata.sys [x]
S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_xata.sys [x]
S1 A2DDA;A2 Direct Disk Access Support Driver;c:\program files (x86)\Emsisoft Anti-Malware\a2ddax64.sys;c:\program files (x86)\Emsisoft Anti-Malware\a2ddax64.sys [x]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys;c:\windows\SYSNATIVE\DRIVERS\ctxusbm.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys;c:\windows\SYSNATIVE\DRIVERS\dtsoftbus01.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [x]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [x]
S1 wStLibG64;wStLibG64;c:\windows\system32\drivers\wStLibG64.sys;c:\windows\SYSNATIVE\drivers\wStLibG64.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]
S2 a2AntiMalware;Emsisoft Anti-Malware 8.0 - Service;c:\program files (x86)\Emsisoft Anti-Malware\a2service.exe;c:\program files (x86)\Emsisoft Anti-Malware\a2service.exe [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [x]
S2 Garmin Core Update Service;Garmin Core Update Service;c:\program files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe;c:\program files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [x]
S2 GREGService;GREGService;c:\program files (x86)\Gateway\Registration\GREGsvc.exe;c:\program files (x86)\Gateway\Registration\GREGsvc.exe [x]
S2 Live Updater Service;Live Updater Service;c:\program files\Gateway\Gateway Updater\UpdaterService.exe;c:\program files\Gateway\Gateway Updater\UpdaterService.exe [x]
S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe;c:\program files (x86)\Nero\Update\NASvc.exe [x]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [x]
S2 TeamViewer9;TeamViewer 9;c:\program files (x86)\TeamViewer\Version9\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version9\TeamViewer_Service.exe [x]
S2 WDDMService;WD SmartWare Drive Manager Service;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [x]
S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe;c:\program files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [x]
S3 amdhub30;AMD USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\amdhub30.sys;c:\windows\SYSNATIVE\DRIVERS\amdhub30.sys [x]
S3 amdxhc;AMD USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\amdxhc.sys;c:\windows\SYSNATIVE\DRIVERS\amdxhc.sys [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys;c:\windows\SYSNATIVE\drivers\AtihdW76.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPFILTER
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt    REG_MULTI_SZ       hpqcxs08 hpqddsvc
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{2D46B6DC-2207-486B-B523-A557E6D54B47}]
start [BU]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-04-23 00:42    1077576    ----a-w-    c:\program files (x86)\Google\Chrome\Application\34.0.1847.116\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-04-23 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-07 14:43]
.
2014-04-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-09-22 03:32]
.
2014-04-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-09-22 03:32]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-03-11 1271072]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
FF - ProfilePath - c:\users\Home\AppData\Roaming\Mozilla\Firefox\Profiles\cq44f5ni.default-1388250676722\
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - (no file)
AddRemove-{10CD364B-FFCC-48BE-B469-B9622A033075} - c:\programdata\{A3A26C56-02C3-4F76-A033-12EE2FB52AE6}\Fences.exe
AddRemove-e55b814e55744b76 - c:\programdata\Best Buy pc app\ClickOnceUninstaller.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2014-04-24  08:49:23
ComboFix-quarantined-files.txt  2014-04-24 15:49
ComboFix2.txt  2013-05-07 13:17
.
Pre-Run: 726,079,156,224 bytes free
Post-Run: 725,375,213,568 bytes free
.
- - End Of File - - 4AA140D764F865A327C598B4E9790688
A36C5E4F47E84449FF07ED3517B43A31
 



#4 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:08 AM

Posted 25 April 2014 - 05:03 AM

Combofix scripting

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is saved to.


[Image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#5 Vincont

Vincont
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:08 PM

Posted 25 April 2014 - 11:36 AM

ComboFix 14-04-20.01 - Home 04/25/2014   7:58.6.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3797.2283 [GMT -7:00]
Running from: c:\users\Home\Downloads\ComboFix.exe
Command switches used :: c:\users\Home\Downloads\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
FILE ::
"c:\windows\Tasks\PC Optimizer Pro Idle.job"
"c:\windows\Tasks\PC Optimizer Pro Updates.job"
"c:\windows\Tasks\PC Optimizer Pro64 Scan.job"
"c:\windows\Tasks\PC Optimizer Pro64 startups.job"
.
.
(((((((((((((((((((((((((   Files Created from 2014-03-25 to 2014-04-25  )))))))))))))))))))))))))))))))
.
.
2014-04-25 15:08 . 2014-04-25 15:08    --------    d-----w-    c:\users\Public\AppData\Local\temp
2014-04-25 15:08 . 2014-04-25 15:08    --------    d-----w-    c:\users\Default\AppData\Local\temp
2014-04-25 03:00 . 2014-04-16 10:22    10651704    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{AA64BA56-04C8-417F-B959-437C40046F2B}\mpengine.dll
2014-04-24 02:57 . 2014-04-16 10:22    10651704    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-04-23 14:58 . 2014-04-23 14:58    --------    d-----w-    C:\_OTL
2014-04-23 14:43 . 2014-04-23 14:45    108968    ----a-w-    c:\windows\system32\WindowsAccessBridge-64.dll
2014-04-23 14:43 . 2014-04-23 14:43    189352    ----a-w-    c:\windows\system32\javaw.exe
2014-04-23 14:43 . 2014-04-23 14:43    189352    ----a-w-    c:\windows\system32\java.exe
2014-04-23 14:43 . 2014-04-23 14:43    --------    d-----w-    c:\program files\Java
2014-04-23 14:42 . 2014-04-23 14:45    --------    d-----w-    c:\programdata\Oracle
2014-04-23 05:11 . 2014-04-23 05:11    --------    d-----w-    c:\program files (x86)\ESET
2014-04-23 04:11 . 2014-04-23 04:43    --------    d-----w-    c:\windows\system32\catroot2
2014-04-23 00:52 . 2014-02-20 14:41    1031560    ------w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D2062CB9-7783-40AD-AFE5-DE8BF205C7C3}\gapaengine.dll
2014-04-02 03:49 . 2014-04-23 15:23    --------    d-----w-    c:\program files (x86)\Emsisoft Anti-Malware
2014-04-02 03:46 . 2014-04-02 03:47    --------    d-----w-    C:\AdwCleaner
2014-04-02 03:13 . 2014-04-02 03:13    119512    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-04-02 03:12 . 2014-04-02 03:12    --------    d-----w-    c:\program files (x86)\Malwarebytes Anti-Malware
2014-04-02 03:12 . 2014-03-05 16:32    63192    ----a-w-    c:\windows\system32\drivers\mwac.sys
2014-04-02 03:12 . 2014-03-05 16:32    88280    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-03-30 16:44 . 2014-03-30 16:44    --------    d-----w-    c:\users\Home\AppData\Local\Daring_Development_Inc
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-04-23 14:43 . 2012-05-07 18:16    692400    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2014-04-23 14:43 . 2011-08-17 04:29    70832    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-04-23 04:08 . 2013-05-06 21:05    181064    ----a-w-    c:\windows\PSEXESVC.EXE
2014-03-25 07:09 . 2014-03-25 07:09    61120    ----a-w-    c:\windows\system32\drivers\wStLibG64.sys
2014-03-19 10:00 . 2014-02-07 00:49    90015360    ----a-w-    c:\windows\system32\MRT.exe
2014-03-11 16:52 . 2013-09-27 17:53    133928    ----a-w-    c:\windows\system32\drivers\NisDrvWFP.sys
2014-03-05 16:32 . 2012-01-16 03:50    25816    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-03-01 06:05 . 2014-03-12 13:28    23133696    ----a-w-    c:\windows\system32\mshtml.dll
2014-03-01 05:17 . 2014-03-12 13:28    2724864    ----a-w-    c:\windows\system32\mshtml.tlb
2014-03-01 05:16 . 2014-03-12 13:28    4096    ----a-w-    c:\windows\system32\ieetwcollectorres.dll
2014-03-01 04:58 . 2014-03-12 13:28    2765824    ----a-w-    c:\windows\system32\iertutil.dll
2014-03-01 04:52 . 2014-03-12 13:28    66048    ----a-w-    c:\windows\system32\iesetup.dll
2014-03-01 04:51 . 2014-03-12 13:28    48640    ----a-w-    c:\windows\system32\ieetwproxystub.dll
2014-03-01 04:42 . 2014-03-12 13:28    53760    ----a-w-    c:\windows\system32\jsproxy.dll
2014-03-01 04:40 . 2014-03-12 13:28    33792    ----a-w-    c:\windows\system32\iernonce.dll
2014-03-01 04:37 . 2014-03-12 13:28    574976    ----a-w-    c:\windows\system32\ieui.dll
2014-03-01 04:33 . 2014-03-12 13:28    139264    ----a-w-    c:\windows\system32\ieUnatt.exe
2014-03-01 04:33 . 2014-03-12 13:28    111616    ----a-w-    c:\windows\system32\ieetwcollector.exe
2014-03-01 04:32 . 2014-03-12 13:28    708608    ----a-w-    c:\windows\system32\jscript9diag.dll
2014-03-01 04:23 . 2014-03-12 13:28    940032    ----a-w-    c:\windows\system32\MsSpellCheckingFacility.exe
2014-03-01 04:17 . 2014-03-12 13:28    218624    ----a-w-    c:\windows\system32\ie4uinit.exe
2014-03-01 04:11 . 2014-03-12 13:28    2724864    ----a-w-    c:\windows\SysWow64\mshtml.tlb
2014-03-01 04:02 . 2014-03-12 13:28    195584    ----a-w-    c:\windows\system32\msrating.dll
2014-03-01 03:54 . 2014-03-12 13:28    5768704    ----a-w-    c:\windows\system32\jscript9.dll
2014-03-01 03:52 . 2014-03-12 13:28    61952    ----a-w-    c:\windows\SysWow64\iesetup.dll
2014-03-01 03:51 . 2014-03-12 13:28    51200    ----a-w-    c:\windows\SysWow64\ieetwproxystub.dll
2014-03-01 03:42 . 2014-03-12 13:28    627200    ----a-w-    c:\windows\system32\msfeeds.dll
2014-03-01 03:38 . 2014-03-12 13:28    112128    ----a-w-    c:\windows\SysWow64\ieUnatt.exe
2014-03-01 03:37 . 2014-03-12 13:28    553472    ----a-w-    c:\windows\SysWow64\jscript9diag.dll
2014-03-01 03:35 . 2014-03-12 13:28    2041856    ----a-w-    c:\windows\system32\inetcpl.cpl
2014-03-01 03:18 . 2014-03-12 13:28    13051904    ----a-w-    c:\windows\system32\ieframe.dll
2014-03-01 03:14 . 2014-03-12 13:28    4244480    ----a-w-    c:\windows\SysWow64\jscript9.dll
2014-03-01 03:10 . 2014-03-12 13:28    2334208    ----a-w-    c:\windows\system32\wininet.dll
2014-03-01 03:00 . 2014-03-12 13:28    1964032    ----a-w-    c:\windows\SysWow64\inetcpl.cpl
2014-03-01 02:38 . 2014-03-12 13:28    1393664    ----a-w-    c:\windows\system32\urlmon.dll
2014-03-01 02:32 . 2014-03-12 13:28    1820160    ----a-w-    c:\windows\SysWow64\wininet.dll
2014-03-01 02:25 . 2014-03-12 13:28    817664    ----a-w-    c:\windows\system32\ieapfltr.dll
2014-02-20 14:41 . 2014-01-23 06:21    1031560    ------w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2014-02-07 01:23 . 2014-03-12 13:28    3156480    ----a-w-    c:\windows\system32\win32k.sys
2014-02-04 02:32 . 2014-03-12 13:28    1424384    ----a-w-    c:\windows\system32\WindowsCodecs.dll
2014-02-04 02:32 . 2014-03-12 13:28    624128    ----a-w-    c:\windows\system32\qedit.dll
2014-02-04 02:04 . 2014-03-12 13:28    1230336    ----a-w-    c:\windows\SysWow64\WindowsCodecs.dll
2014-02-04 02:04 . 2014-03-12 13:28    509440    ----a-w-    c:\windows\SysWow64\qedit.dll
2014-01-29 02:32 . 2014-03-12 13:28    484864    ----a-w-    c:\windows\system32\wer.dll
2014-01-29 02:06 . 2014-03-12 13:28    381440    ----a-w-    c:\windows\SysWow64\wer.dll
2014-01-28 02:32 . 2014-03-12 13:28    228864    ----a-w-    c:\windows\system32\wwansvc.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2010-11-21 . 5C627D1B1138676C0A7AB2C2C190D123 . 512000 . . [6.1.7601.17514] .. c:\windows\erdnt\cache64\rpcss.dll
[7] 2010-11-21 . 5C627D1B1138676C0A7AB2C2C190D123 . 512000 . . [6.1.7601.17514] .. c:\windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll
[-] 2010-11-21 . 5BD9B64F4709EB5C1869F037D3FD0AD3 . 513536 . . [6.1.7601.17514] .. c:\windows\system32\rpcss.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54    131248    ----a-w-    c:\users\Home\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54    131248    ----a-w-    c:\users\Home\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54    131248    ----a-w-    c:\users\Home\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54    131248    ----a-w-    c:\users\Home\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"emsisoft anti-malware"="c:\program files (x86)\Emsisoft Anti-Malware\a2guard.exe" [2014-04-02 4330432]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"osk.exe"="osk.exe" [2009-07-14 646144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux3"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R1 datyvcgn;datyvcgn;c:\windows\system32\drivers\datyvcgn.sys;c:\windows\SYSNATIVE\drivers\datyvcgn.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 a2acc;a2acc;c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2accx64.sys;c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2accx64.sys [x]
R3 cleanhlp;cleanhlp;c:\program files (x86)\Emsisoft Anti-Malware\cleanhlp64.sys;c:\program files (x86)\Emsisoft Anti-Malware\cleanhlp64.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.8.141\McCHSvc.exe;c:\program files\McAfee Security Scan\3.8.141\McCHSvc.exe [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys;c:\windows\SYSNATIVE\DRIVERS\wdcsam64.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_sata.sys [x]
S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_xata.sys [x]
S1 A2DDA;A2 Direct Disk Access Support Driver;c:\program files (x86)\Emsisoft Anti-Malware\a2ddax64.sys;c:\program files (x86)\Emsisoft Anti-Malware\a2ddax64.sys [x]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys;c:\windows\SYSNATIVE\DRIVERS\ctxusbm.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys;c:\windows\SYSNATIVE\DRIVERS\dtsoftbus01.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [x]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [x]
S1 wStLibG64;wStLibG64;c:\windows\system32\drivers\wStLibG64.sys;c:\windows\SYSNATIVE\drivers\wStLibG64.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]
S2 a2AntiMalware;Emsisoft Anti-Malware 8.0 - Service;c:\program files (x86)\Emsisoft Anti-Malware\a2service.exe;c:\program files (x86)\Emsisoft Anti-Malware\a2service.exe [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [x]
S2 Garmin Core Update Service;Garmin Core Update Service;c:\program files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe;c:\program files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [x]
S2 GREGService;GREGService;c:\program files (x86)\Gateway\Registration\GREGsvc.exe;c:\program files (x86)\Gateway\Registration\GREGsvc.exe [x]
S2 Live Updater Service;Live Updater Service;c:\program files\Gateway\Gateway Updater\UpdaterService.exe;c:\program files\Gateway\Gateway Updater\UpdaterService.exe [x]
S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe;c:\program files (x86)\Nero\Update\NASvc.exe [x]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [x]
S2 TeamViewer9;TeamViewer 9;c:\program files (x86)\TeamViewer\Version9\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version9\TeamViewer_Service.exe [x]
S2 WDDMService;WD SmartWare Drive Manager Service;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [x]
S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe;c:\program files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [x]
S3 amdhub30;AMD USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\amdhub30.sys;c:\windows\SYSNATIVE\DRIVERS\amdhub30.sys [x]
S3 amdxhc;AMD USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\amdxhc.sys;c:\windows\SYSNATIVE\DRIVERS\amdxhc.sys [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys;c:\windows\SYSNATIVE\drivers\AtihdW76.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPFILTER
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt    REG_MULTI_SZ       hpqcxs08 hpqddsvc
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{2D46B6DC-2207-486B-B523-A557E6D54B47}]
start [BU]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-04-23 00:42    1077576    ----a-w-    c:\program files (x86)\Google\Chrome\Application\34.0.1847.116\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-04-23 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-07 14:43]
.
2014-04-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-09-22 03:32]
.
2014-04-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-09-22 03:32]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-03-11 1271072]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
FF - ProfilePath - c:\users\Home\AppData\Roaming\Mozilla\Firefox\Profiles\cq44f5ni.default-1388250676722\
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - (no file)
AddRemove-{10CD364B-FFCC-48BE-B469-B9622A033075} - c:\programdata\{A3A26C56-02C3-4F76-A033-12EE2FB52AE6}\Fences.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2014-04-25  08:24:27
ComboFix-quarantined-files.txt  2014-04-25 15:24
ComboFix2.txt  2014-04-24 15:49
ComboFix3.txt  2013-05-07 13:17
.
Pre-Run: 725,113,405,440 bytes free
Post-Run: 724,888,973,312 bytes free
.
- - End Of File - - BDC9F6C8CD84673E361FD8FD176B77BB
A36C5E4F47E84449FF07ED3517B43A31
 



#6 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:08 AM

Posted 28 April 2014 - 06:43 AM

Seems we need a bigger gun here:

 

 

Scan with FRST (Recovery Environment)


To run FRST on Vista and Windows7:



Plug the flashdrive into the infected PC.

Enter System Recovery Options.


To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.



To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
  • Select Command Prompt


  • In the command window:
  • type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
  • Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.

It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#7 Vincont

Vincont
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:08 PM

Posted 28 April 2014 - 08:47 PM

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 27-04-2014
Ran by SYSTEM on MININT-S5L74R8 on 28-04-2014 18:40:01
Running from I:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.


The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1271072 2014-03-11] (Microsoft Corporation)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [emsisoft anti-malware] => C:\Program Files (x86)\Emsisoft Anti-Malware\a2guard.exe [4330432 2014-04-01] (Emsisoft GmbH)
HKU\Default\...\RunOnce: [ScrSav] - C:\Program Files (x86)\Gateway\Screensaver\run_Gateway.exe [154144 2010-07-29] ()
HKU\Default User\...\RunOnce: [ScrSav] - C:\Program Files (x86)\Gateway\Screensaver\run_Gateway.exe [154144 2010-07-29] ()
HKU\Home\...\Policies\system: [EnableLUA] 0

==================== Services (Whitelisted) =================

S2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [140672 2012-07-11] (SUPERAntiSpyware.com)
S2 a2AntiMalware; C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe [4163584 2014-04-01] (Emsisoft GmbH)
S2 Garmin Core Update Service; C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [250200 2013-09-19] (Garmin Ltd or its subsidiaries)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.141\McCHSvc.exe [289256 2014-01-15] (McAfee, Inc.)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2014-03-11] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [347872 2014-03-11] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

S3 a2acc; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2accx64.sys [71472 2014-04-01] (Emsisoft GmbH)
S1 A2DDA; C:\Program Files (x86)\Emsisoft Anti-Malware\a2ddax64.sys [26176 2013-03-28] (Emsisoft GmbH)
S5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
S3 cleanhlp; C:\Program Files (x86)\Emsisoft Anti-Malware\cleanhlp64.sys [57024 2013-12-04] (Emsisoft GmbH)
S1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283064 2013-11-24] (Disc Soft Ltd)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [268512 2014-01-25] (Microsoft Corporation)
S3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [133928 2014-03-11] (Microsoft Corporation)
S1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S1 wStLibG64; C:\Windows\System32\drivers\wStLibG64.sys [61120 2014-03-24] (StdLib)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S1 datyvcgn; \??\C:\Windows\system32\drivers\datyvcgn.sys [X]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-04-28 18:39 - 2014-04-28 18:40 - 00000000 ____D () C:\FRST
2014-04-25 07:24 - 2014-04-25 07:24 - 00020171 _____ () C:\ComboFix.txt
2014-04-25 06:56 - 2014-04-25 07:25 - 00000000 ____D () C:\ComboFix
2014-04-23 19:31 - 2014-04-25 08:34 - 00000000 ____D () C:\Users\Home\Desktop\Fix Puter
2014-04-23 19:01 - 2014-04-23 19:27 - 00018897 _____ () C:\Users\Home\Desktop\attach.txt
2014-04-23 19:01 - 2014-04-23 19:26 - 00020959 _____ () C:\Users\Home\Desktop\dds.txt
2014-04-23 19:00 - 2014-04-23 19:00 - 00688992 _____ (Swearware) C:\Users\Home\Downloads\dds(1).com
2014-04-23 18:59 - 2014-04-23 18:59 - 00688992 ____R (Swearware) C:\Users\Home\Downloads\dds.com
2014-04-23 18:54 - 2014-04-23 18:54 - 01933048 _____ (Bleeping Computer, LLC) C:\Users\Home\Downloads\rkill.com
2014-04-23 18:48 - 2014-04-23 18:48 - 00001250 _____ () C:\Users\Home\Desktop\On-Screen Keyboard.lnk
2014-04-23 06:58 - 2014-04-23 06:58 - 00000000 ____D () C:\_OTL
2014-04-23 06:55 - 2014-04-23 06:55 - 00082402 _____ () C:\Users\Home\Downloads\Extras.Txt
2014-04-23 06:54 - 2014-04-23 06:54 - 00096214 _____ () C:\Users\Home\Downloads\OTL.Txt
2014-04-23 06:46 - 2014-04-23 06:46 - 00602112 _____ (OldTimer Tools) C:\Users\Home\Downloads\OTL.exe
2014-04-23 06:43 - 2014-04-23 06:45 - 00108968 _____ (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge-64.dll
2014-04-23 06:43 - 2014-04-23 06:43 - 00189352 _____ (Oracle Corporation) C:\Windows\System32\javaw.exe
2014-04-23 06:43 - 2014-04-23 06:43 - 00189352 _____ (Oracle Corporation) C:\Windows\System32\java.exe
2014-04-23 06:43 - 2014-04-23 06:43 - 00000000 ____D () C:\Program Files\Java
2014-04-23 06:42 - 2014-04-23 06:45 - 00000000 ____D () C:\ProgramData\Oracle
2014-04-23 06:41 - 2014-04-23 06:42 - 30818216 _____ (Oracle Corporation) C:\Users\Home\Downloads\jre-7u55-windows-x64(1).exe
2014-04-23 06:41 - 2014-04-23 06:41 - 30818216 _____ (Oracle Corporation) C:\Users\Home\Downloads\jre-7u55-windows-x64.exe
2014-04-22 21:11 - 2014-04-22 21:11 - 02347384 _____ (ESET) C:\Users\Home\Downloads\esetsmartinstaller_enu.exe
2014-04-22 21:11 - 2014-04-22 21:11 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-04-22 20:22 - 2014-04-22 20:22 - 05196870 ____R (Swearware) C:\Users\Home\Downloads\ComboFix.exe
2014-04-22 20:06 - 2014-04-22 20:06 - 00003160 _____ () C:\Windows\System32\Tasks\SidebarExecute
2014-04-22 19:20 - 2014-04-28 17:32 - 00001446 _____ () C:\Windows\setupact.log
2014-04-22 19:20 - 2014-04-28 07:14 - 00003804 _____ () C:\Windows\PFRO.log
2014-04-22 19:20 - 2014-04-22 19:20 - 00000000 _____ () C:\Windows\setuperr.log
2014-04-22 16:32 - 2014-04-22 16:32 - 00006640 ____N () C:\bootsqm.dat
2014-04-01 19:50 - 2014-04-01 19:50 - 00001102 _____ () C:\Users\Public\Desktop\Emsisoft Anti-Malware.lnk
2014-04-01 19:49 - 2014-04-28 17:33 - 00000000 ____D () C:\Program Files (x86)\Emsisoft Anti-Malware
2014-04-01 19:49 - 2014-04-01 19:49 - 00000000 ____D () C:\Users\Home\Documents\Anti-Malware
2014-04-01 19:46 - 2014-04-01 19:47 - 00000000 ____D () C:\AdwCleaner
2014-04-01 19:46 - 2014-04-01 19:46 - 01426178 _____ () C:\Users\Home\Downloads\AdwCleaner(1).exe
2014-04-01 19:43 - 2014-04-01 19:46 - 224608616 _____ (Emsisoft GmbH ) C:\Users\Home\Downloads\EmsisoftAntiMalwareSetup.exe
2014-04-01 19:13 - 2014-04-01 19:13 - 00119512 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\MBAMSwissArmy.sys
2014-04-01 19:12 - 2014-04-01 19:12 - 00001113 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-04-01 19:12 - 2014-04-01 19:12 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-04-01 19:12 - 2014-03-05 08:32 - 00088280 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamchameleon.sys
2014-04-01 19:12 - 2014-03-05 08:32 - 00063192 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mwac.sys
2014-04-01 19:10 - 2014-04-23 18:55 - 00009436 _____ () C:\Users\Home\Desktop\Rkill.txt
2014-04-01 19:10 - 2014-04-01 19:10 - 01933048 _____ (Bleeping Computer, LLC) C:\Users\Home\Downloads\rkill(1).exe
2014-04-01 19:09 - 2014-04-01 19:09 - 17523520 _____ (Malwarebytes Corporation ) C:\Users\Home\Downloads\mbam-setup.exe
2014-04-01 19:08 - 2014-04-01 19:08 - 00007612 _____ () C:\Users\Home\AppData\Local\Resmon.ResmonCfg
2014-04-01 07:54 - 2014-04-25 08:48 - 00000086 _____ () C:\Windows\System32\hswygm.iym
2014-04-01 07:38 - 2014-04-01 07:38 - 00000064 _____ () C:\Windows\System32\jozt.xte
2014-04-01 07:38 - 2014-04-01 07:38 - 00000000 _____ () C:\Windows\System32\vjyqgl.lbk
2014-04-01 07:22 - 2014-04-01 07:22 - 00299344 ____S () C:\Windows\System32\acsjzi.moi
2014-03-30 08:44 - 2014-03-30 08:44 - 00000000 ____D () C:\Users\Home\AppData\Local\Daring_Development_Inc

==================== One Month Modified Files and Folders =======

2014-04-28 18:40 - 2014-04-28 18:39 - 00000000 ____D () C:\FRST
2014-04-28 17:33 - 2014-04-01 19:49 - 00000000 ____D () C:\Program Files (x86)\Emsisoft Anti-Malware
2014-04-28 17:32 - 2014-04-22 19:20 - 00001446 _____ () C:\Windows\setupact.log
2014-04-28 17:32 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-04-28 07:17 - 2013-05-06 12:46 - 01078818 _____ () C:\Windows\WindowsUpdate.log
2014-04-28 07:17 - 2009-07-13 20:45 - 00016976 _____ () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-04-28 07:17 - 2009-07-13 20:45 - 00016976 _____ () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-04-28 07:14 - 2014-04-22 19:20 - 00003804 _____ () C:\Windows\PFRO.log
2014-04-25 08:48 - 2014-04-01 07:54 - 00000086 _____ () C:\Windows\System32\hswygm.iym
2014-04-25 08:34 - 2014-04-23 19:31 - 00000000 ____D () C:\Users\Home\Desktop\Fix Puter
2014-04-25 07:26 - 2013-12-20 19:43 - 00002190 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-04-25 07:25 - 2014-04-25 06:56 - 00000000 ____D () C:\ComboFix
2014-04-25 07:25 - 2013-05-07 04:51 - 00000000 ____D () C:\Qoobox
2014-04-25 07:25 - 2011-12-29 14:58 - 00000000 ____D () C:\Users\Home\AppData\Local\Apps\2.0
2014-04-25 07:24 - 2014-04-25 07:24 - 00020171 _____ () C:\ComboFix.txt
2014-04-25 07:08 - 2009-07-13 18:34 - 00000215 _____ () C:\Windows\system.ini
2014-04-25 06:58 - 2009-07-13 21:13 - 00783440 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-04-24 02:01 - 2013-12-20 19:02 - 00001945 _____ () C:\Windows\epplauncher.mif
2014-04-24 02:01 - 2013-12-20 19:02 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-04-24 02:01 - 2013-12-20 19:02 - 00000000 ____D () C:\Program Files (x86)\Microsoft Security Client
2014-04-23 20:23 - 2013-11-08 18:45 - 00001097 _____ () C:\Users\Public\Desktop\TeamViewer 9.lnk
2014-04-23 19:27 - 2014-04-23 19:01 - 00018897 _____ () C:\Users\Home\Desktop\attach.txt
2014-04-23 19:26 - 2014-04-23 19:01 - 00020959 _____ () C:\Users\Home\Desktop\dds.txt
2014-04-23 19:00 - 2014-04-23 19:00 - 00688992 _____ (Swearware) C:\Users\Home\Downloads\dds(1).com
2014-04-23 18:59 - 2014-04-23 18:59 - 00688992 ____R (Swearware) C:\Users\Home\Downloads\dds.com
2014-04-23 18:55 - 2014-04-01 19:10 - 00009436 _____ () C:\Users\Home\Desktop\Rkill.txt
2014-04-23 18:54 - 2014-04-23 18:54 - 01933048 _____ (Bleeping Computer, LLC) C:\Users\Home\Downloads\rkill.com
2014-04-23 18:48 - 2014-04-23 18:48 - 00001250 _____ () C:\Users\Home\Desktop\On-Screen Keyboard.lnk
2014-04-23 07:24 - 2012-10-28 13:18 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-04-23 06:58 - 2014-04-23 06:58 - 00000000 ____D () C:\_OTL
2014-04-23 06:55 - 2014-04-23 06:55 - 00082402 _____ () C:\Users\Home\Downloads\Extras.Txt
2014-04-23 06:54 - 2014-04-23 06:54 - 00096214 _____ () C:\Users\Home\Downloads\OTL.Txt
2014-04-23 06:46 - 2014-04-23 06:46 - 00602112 _____ (OldTimer Tools) C:\Users\Home\Downloads\OTL.exe
2014-04-23 06:45 - 2014-04-23 06:43 - 00108968 _____ (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge-64.dll
2014-04-23 06:45 - 2014-04-23 06:42 - 00000000 ____D () C:\ProgramData\Oracle
2014-04-23 06:44 - 2012-10-28 13:18 - 00003770 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-04-23 06:44 - 2011-12-29 15:01 - 00000000 ____D () C:\Users\Home\AppData\Local\Adobe
2014-04-23 06:43 - 2014-04-23 06:43 - 00189352 _____ (Oracle Corporation) C:\Windows\System32\javaw.exe
2014-04-23 06:43 - 2014-04-23 06:43 - 00189352 _____ (Oracle Corporation) C:\Windows\System32\java.exe
2014-04-23 06:43 - 2014-04-23 06:43 - 00000000 ____D () C:\Program Files\Java
2014-04-23 06:43 - 2012-05-07 10:16 - 00692400 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-04-23 06:43 - 2011-08-16 20:29 - 00070832 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-04-23 06:42 - 2014-04-23 06:41 - 30818216 _____ (Oracle Corporation) C:\Users\Home\Downloads\jre-7u55-windows-x64(1).exe
2014-04-23 06:41 - 2014-04-23 06:41 - 30818216 _____ (Oracle Corporation) C:\Users\Home\Downloads\jre-7u55-windows-x64.exe
2014-04-23 01:59 - 2013-04-28 08:15 - 00000000 ____D () C:\Users\Home\Downloads\Stuff
2014-04-22 21:11 - 2014-04-22 21:11 - 02347384 _____ (ESET) C:\Users\Home\Downloads\esetsmartinstaller_enu.exe
2014-04-22 21:11 - 2014-04-22 21:11 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-04-22 20:41 - 2013-05-07 04:51 - 00000000 ____D () C:\Windows\erdnt
2014-04-22 20:22 - 2014-04-22 20:22 - 05196870 ____R (Swearware) C:\Users\Home\Downloads\ComboFix.exe
2014-04-22 20:22 - 2011-12-29 14:56 - 00059176 _____ () C:\Users\Home\AppData\Local\GDIPFONTCACHEV1.DAT
2014-04-22 20:09 - 2009-07-13 20:45 - 00270952 _____ () C:\Windows\System32\FNTCACHE.DAT
2014-04-22 20:08 - 2013-05-06 13:05 - 00181064 _____ (Sysinternals) C:\Windows\PSEXESVC.EXE
2014-04-22 20:06 - 2014-04-22 20:06 - 00003160 _____ () C:\Windows\System32\Tasks\SidebarExecute
2014-04-22 20:03 - 2009-07-13 18:34 - 00000576 _____ () C:\Windows\win.ini
2014-04-22 20:02 - 2012-01-10 16:02 - 00783440 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI
2014-04-22 19:20 - 2014-04-22 19:20 - 00000000 _____ () C:\Windows\setuperr.log
2014-04-22 19:19 - 2013-11-24 14:50 - 00000000 ____D () C:\Users\Home\AppData\Roaming\DAEMON Tools Lite
2014-04-22 19:19 - 2013-08-02 11:59 - 00000000 ____D () C:\Program Files (x86)\Steam
2014-04-22 19:18 - 2012-01-15 19:43 - 00000000 ____D () C:\Users\Home\AppData\Local\CrashDumps
2014-04-22 19:18 - 2007-07-11 17:49 - 00000000 ____D () C:\Windows\Panther
2014-04-22 18:25 - 2009-07-13 18:34 - 00000027 _____ () C:\Windows\System32\Drivers\etc\hosts_bak_925
2014-04-22 16:38 - 2009-07-13 21:08 - 00032646 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-04-22 16:32 - 2014-04-22 16:32 - 00006640 ____N () C:\bootsqm.dat
2014-04-01 21:52 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\Vss
2014-04-01 21:29 - 2012-06-03 19:27 - 00000000 ____D () C:\Users\Home\AppData\Local\Facebook
2014-04-01 19:50 - 2014-04-01 19:50 - 00001102 _____ () C:\Users\Public\Desktop\Emsisoft Anti-Malware.lnk
2014-04-01 19:49 - 2014-04-01 19:49 - 00000000 ____D () C:\Users\Home\Documents\Anti-Malware
2014-04-01 19:47 - 2014-04-01 19:46 - 00000000 ____D () C:\AdwCleaner
2014-04-01 19:46 - 2014-04-01 19:46 - 01426178 _____ () C:\Users\Home\Downloads\AdwCleaner(1).exe
2014-04-01 19:46 - 2014-04-01 19:43 - 224608616 _____ (Emsisoft GmbH ) C:\Users\Home\Downloads\EmsisoftAntiMalwareSetup.exe
2014-04-01 19:16 - 2012-08-09 18:14 - 00000000 ____D () C:\Users\Home\AppData\Local\Google
2014-04-01 19:13 - 2014-04-01 19:13 - 00119512 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\MBAMSwissArmy.sys
2014-04-01 19:12 - 2014-04-01 19:12 - 00001113 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-04-01 19:12 - 2014-04-01 19:12 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-04-01 19:12 - 2012-01-15 19:50 - 00000000 ____D () C:\Users\Home\AppData\Roaming\Malwarebytes
2014-04-01 19:12 - 2012-01-15 19:50 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-04-01 19:10 - 2014-04-01 19:10 - 01933048 _____ (Bleeping Computer, LLC) C:\Users\Home\Downloads\rkill(1).exe
2014-04-01 19:09 - 2014-04-01 19:09 - 17523520 _____ (Malwarebytes Corporation ) C:\Users\Home\Downloads\mbam-setup.exe
2014-04-01 19:08 - 2014-04-01 19:08 - 00007612 _____ () C:\Users\Home\AppData\Local\Resmon.ResmonCfg
2014-04-01 18:59 - 2011-12-29 16:46 - 00000000 ____D () C:\Users\Home\AppData\Roaming\Mozilla
2014-04-01 18:53 - 2012-06-22 13:19 - 00000000 ____D () C:\Windows\pss
2014-04-01 18:48 - 2012-09-19 21:03 - 00000000 ___RD () C:\Users\Home\Dropbox
2014-04-01 18:48 - 2012-09-19 20:58 - 00000000 ____D () C:\Users\Home\AppData\Roaming\Dropbox
2014-04-01 07:38 - 2014-04-01 07:38 - 00000064 _____ () C:\Windows\System32\jozt.xte
2014-04-01 07:38 - 2014-04-01 07:38 - 00000000 _____ () C:\Windows\System32\vjyqgl.lbk
2014-04-01 07:38 - 2012-09-21 19:32 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-04-01 07:38 - 2012-09-21 19:32 - 00000890 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-04-01 07:22 - 2014-04-01 07:22 - 00299344 ____S () C:\Windows\System32\acsjzi.moi
2014-04-01 07:22 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\System32\sysprep
2014-04-01 05:56 - 2012-01-05 19:16 - 00000000 ____D () C:\Users\Home\AppData\Roaming\Pharaohs Secret
2014-03-30 23:15 - 2014-03-20 21:15 - 00000064 _____ () C:\Users\Home\AppData\Roaming\WB.CFG
2014-03-30 10:02 - 2014-03-28 14:37 - 00000000 ____D () C:\Users\Home\Desktop\Minecraft
2014-03-30 08:44 - 2014-03-30 08:44 - 00000000 ____D () C:\Users\Home\AppData\Local\Daring_Development_Inc
2014-03-30 08:31 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\Resources

==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2010-11-20 19:24] - [2010-11-20 19:24] - 0513536 ____A (Microsoft Corporation) 5BD9B64F4709EB5C1869F037D3FD0AD3

 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2014-04-01 05:51:02
Restore point made on: 2014-04-01 18:34:53
Restore point made on: 2014-04-01 18:59:00
Restore point made on: 2014-04-22 16:52:09
Restore point made on: 2014-04-22 19:43:49
Restore point made on: 2014-04-22 19:44:14
Restore point made on: 2014-04-23 06:43:29
Restore point made on: 2014-04-23 06:44:55
Restore point made on: 2014-04-23 06:48:28
Restore point made on: 2014-04-24 02:00:37

==================== Memory info ===========================

Percentage of memory in use: 18%
Total physical RAM: 3796.93 MB
Available physical RAM: 3107.44 MB
Total Pagefile: 3795.13 MB
Available Pagefile: 3095.21 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

==================== Drives ================================

Drive c: (Gateway) (Fixed) (Total:917.41 GB) (Free:677.74 GB) NTFS
Drive e: (PQSERVICE) (Fixed) (Total:14 GB) (Free:5.19 GB) NTFS
Drive i: () (Removable) (Total:3.73 GB) (Free:3.72 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 932 GB) (Disk ID: 29C08B4E)
Partition 1: (Not Active) - (Size=14 GB) - (Type=27)
Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=917 GB) - (Type=07 NTFS)

========================================================
Disk: 3 (Size: 4 GB) (Disk ID: 8437D6A1)
Partition 1: (Not Active) - (Size=4 GB) - (Type=0B)


LastRegBack: 2014-03-31 08:33

==================== End Of Log ============================



#8 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:08 AM

Posted 29 April 2014 - 10:51 AM

Fix with FRST (Recovery Environment)


  • Open notepad (Start =>All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    Replace: c:\windows\erdnt\cache64\rpcss.dll c:\windows\system32\rpcss.dll
    
    S1 datyvcgn; \??\C:\Windows\system32\drivers\datyvcgn.sys [X]
    
    C:\Windows\system32\drivers\datyvcgn.sys
    2014-04-01 07:54 - 2014-04-25 08:48 - 00000086 _____ () C:\Windows\System32\hswygm.iym
    2014-04-01 07:38 - 2014-04-01 07:38 - 00000064 _____ () C:\Windows\System32\jozt.xte
    2014-04-01 07:38 - 2014-04-01 07:38 - 00000000 _____ () C:\Windows\System32\vjyqgl.lbk
    2014-04-01 07:22 - 2014-04-01 07:22 - 00299344 ____S () C:\Windows\System32\acsjzi.moi
    
    Reboot:

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Now please enter System Recovery Options again.

  • Run frst.exe (on 64bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.


#9 Vincont

Vincont
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:08 PM

Posted 29 April 2014 - 08:55 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 27-04-2014
Ran by SYSTEM at 2014-04-29 18:53:31 Run:1
Running from I:\
Boot Mode: Recovery
==============================================

Content of fixlist:
*****************
Replace: c:\windows\erdnt\cache64\rpcss.dll c:\windows\system32\rpcss.dll

S1 datyvcgn; \??\C:\Windows\system32\drivers\datyvcgn.sys [X]

C:\Windows\system32\drivers\datyvcgn.sys
2014-04-01 07:54 - 2014-04-25 08:48 - 00000086 _____ () C:\Windows\System32\hswygm.iym
2014-04-01 07:38 - 2014-04-01 07:38 - 00000064 _____ () C:\Windows\System32\jozt.xte
2014-04-01 07:38 - 2014-04-01 07:38 - 00000000 _____ () C:\Windows\System32\vjyqgl.lbk
2014-04-01 07:22 - 2014-04-01 07:22 - 00299344 ____S () C:\Windows\System32\acsjzi.moi

Reboot:
*****************

c:\windows\system32\rpcss.dll => Moved successfully.
c:\windows\erdnt\cache64\rpcss.dll copied successfully to c:\windows\system32\rpcss.dll
datyvcgn => Service deleted successfully.
"C:\Windows\system32\drivers\datyvcgn.sys" => File/Directory not found.
C:\Windows\System32\hswygm.iym => Moved successfully.
C:\Windows\System32\jozt.xte => Moved successfully.
C:\Windows\System32\vjyqgl.lbk => Moved successfully.
C:\Windows\System32\acsjzi.moi => Moved successfully.
Reboot: => Error: The entry should be fixed outside recovery mode.

==== End of Fixlog ====



#10 Vincont

Vincont
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:08 PM

Posted 29 April 2014 - 09:07 PM

I'm curious about this line on the fixlog ("C:\Windows\system32\drivers\datyvcgn.sys" => File/Directory not found.)  I wonder if that has anything to do with how the malware seemed to function.  What I am referring to is this, I noticed that if I left the Volume Mixer, for Windows, open--an "unknown" audio source would appear every time the strange background sounds started.  I could close and open it again when the audio stopped and there would be no "unknown" entries.  If I left the Mixer open the entries would remain.  I think I saw 3 or 4 at one point.


Edited by Vincont, 29 April 2014 - 09:08 PM.
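The FRST log in post #7, the fixlist in #8 and the "File/Directory not found" line asked about above can be walked through in code. As an added example, not code from this thread, from FRST or from its author, here is a Python triage script that re-reads lines of the kind shown in that FRST.txt and flags what the responder acted on: the orphaned datyvcgn driver entry (FRST marks a file it cannot find on disk with [X], which is consistent with the fixlog deleting the service while reporting the .sys as not found), the unsigned, randomly named files dropped straight into System32, and the rpcss.dll hash FRST left without a verdict. The sample lines are copied from the thread's log; the System32 extension allowlist is my own assumption, not an FRST rule.

```python
"""FRST log triage (added example; not code from this thread, FRST or its author).
Applies three checks the responder made by hand before writing the fixlist:
  1. driver entries marked [X] (FRST's mark for a file it could not find on disk,
     consistent with the fixlog result for datyvcgn.sys) or with no publisher string;
  2. unsigned files created directly under System32 with an extension Windows does
     not normally put there (the allowlist below is my assumption, not an FRST rule);
  3. "Bamital & volsnap Check" entries with no "MD5 is legit" verdict, whose hash
     must then be compared with a known-good copy of the file."""
import re

# Constructed sample: lines copied from the FRST.txt posted in this thread.
SAMPLE_LOG = r"""
==================== Drivers (Whitelisted) ====================
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [268512 2014-01-25] (Microsoft Corporation)
S1 wStLibG64; C:\Windows\System32\drivers\wStLibG64.sys [61120 2014-03-24] (StdLib)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S1 datyvcgn; \??\C:\Windows\system32\drivers\datyvcgn.sys [X]

==================== One Month Created Files and Folders ========
2014-04-28 18:39 - 2014-04-28 18:40 - 00000000 ____D () C:\FRST
2014-04-23 06:43 - 2014-04-23 06:43 - 00189352 _____ (Oracle Corporation) C:\Windows\System32\javaw.exe
2014-04-01 07:54 - 2014-04-25 08:48 - 00000086 _____ () C:\Windows\System32\hswygm.iym
2014-04-01 07:38 - 2014-04-01 07:38 - 00000064 _____ () C:\Windows\System32\jozt.xte
2014-04-01 07:22 - 2014-04-01 07:22 - 00299344 ____S () C:\Windows\System32\acsjzi.moi

==================== Bamital & volsnap Check =================
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2010-11-20 19:24] - [2010-11-20 19:24] - 0513536 ____A (Microsoft Corporation) 5BD9B64F4709EB5C1869F037D3FD0AD3
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+\s*$")
DRIVER_RE = re.compile(r"^[SRU]\d\s+(?P<name>[^;]+);\s+(?P<path>.+?)\s+\[(?P<info>[^\]]*)\](?:\s+\((?P<vendor>[^)]*)\))?\s*$")
CREATED_RE = re.compile(r"^(?:\d{4}-\d\d-\d\d \d\d:\d\d - ){2}(?P<size>\d+) (?P<attr>\S+) \((?P<vendor>[^)]*)\) (?P<path>.+?)\s*$")
MD5_RE = re.compile(r"\b([0-9A-Fa-f]{32})\s*$")
# Extensions Windows itself places directly in System32 (assumption; extend as needed).
NORMAL_SYSTEM32_EXT = {"exe", "dll", "sys", "ocx", "cpl", "drv", "mui", "scr", "msc",
                       "dat", "ini", "log", "xml", "nls", "acm", "ax", "tlb", "com"}


def split_sections(log_text):
    # Group lines under their '==== Title ====' heading; a bar of only '=' is not a title.
    sections, current = {}, "preamble"
    for line in log_text.splitlines():
        m = SECTION_RE.match(line.rstrip())
        if m and m.group(1):
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(line.rstrip())
    return sections


def check_drivers(lines):
    out = []
    for m in filter(None, map(DRIVER_RE.match, lines)):
        if m["info"] == "X":
            out.append(("driver", m["name"], "file missing on disk ([X]): orphaned service entry"))
        elif not (m["vendor"] or "").strip():
            out.append(("driver", m["name"], "no publisher string: verify the file hash"))
    return out


def check_created(lines):
    out = []
    for m in filter(None, map(CREATED_RE.match, lines)):
        if "D" in m["attr"]:                  # directory entry, not a file
            continue
        parent, _, name = m["path"].lower().rpartition("\\")
        ext = name.rpartition(".")[2] if "." in name else ""
        if parent == "c:\\windows\\system32" and not m["vendor"].strip() \
                and ext not in NORMAL_SYSTEM32_EXT:
            out.append(("file", m["path"], f"unsigned file with unusual extension .{ext} in System32"))
    return out


def check_hashes(lines):
    out, pending = [], None
    for line in lines:
        if "=> MD5 is legit" in line:
            pending = None                    # FRST verified this one itself
        elif line[1:3] == ":\\":              # bare path: the detail line follows
            pending = line.strip()
        elif pending and MD5_RE.search(line):
            md5 = MD5_RE.search(line).group(1)
            out.append(("hash", pending, f"no verdict: compare MD5 {md5} with a known-good copy"))
            pending = None
    return out


def triage(log_text):
    # Returns (kind, subject, reason) tuples for a responder to review by hand.
    out = []
    for title, lines in split_sections(log_text).items():
        if title.startswith(("Drivers", "Services")):
            out += check_drivers(lines)
        elif title.startswith("One Month Created"):
            out += check_created(lines)
        elif title.startswith("Bamital"):
            out += check_hashes(lines)
    return out
```

Running `triage(SAMPLE_LOG)` yields six findings: the two [X] driver entries, the three unsigned System32 files and the unverified rpcss.dll hash, which is the same set the fixlist targeted.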


#11 Vincont

Vincont
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:08 PM

Posted 01 May 2014 - 09:18 PM

I haven't heard back from you in a while...



#12 Vincont

Vincont
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:08 PM

Posted 02 May 2014 - 08:38 PM

Well it has been three days since I heard from you last, which was the allotted time for me to respond so I'm going to assume that I have to take responsibility to further repair this computer myself, or find other means.  I appreciate the time, only wish there was some kind of closure to our conversation.

 

With more to say...



#13 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:08 AM

Posted 08 May 2014 - 04:08 PM

I greatly apologize for the late reply - I was ill and not able to work.

Do you still hear those ads?



#14 Vincont

Vincont
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:08 PM

Posted 08 May 2014 - 08:14 PM

I'm so sorry to hear that you weren't feeling well.  I was concerned.  I hope you are doing better. 

 

As for the computer, I gave it back to my parents and they said that it seems to be fine.  I probably won't have access to their computer for another week from tomorrow.

 

Thanks for getting back to me, I really appreciate it.



#15 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:08 AM

Posted 10 May 2014 - 07:10 AM

We should have gotten rid of it.

Let's check for remnants next time you're there:

 

 

Full System Scan with Malwarebytes Antimalware

  • If not existing, please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mb3-setup-1878.1878-3.3.1.2183.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:

    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.

  • Click Finish.


If the program is already installed:
  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.


  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

 

 

 

Scan with ESET Online Scan

Please go here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file...
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.





