
Rootkit Problem, don't know how to fix it


This topic is locked
38 replies to this topic

#1 pilbiruusa

  • Members
  • 32 posts

Posted 21 May 2014 - 12:06 AM

Hello, I initially started this topic in the Am I Infected? What do I do? Forum. Thanks to the help from boopme I discovered that I'm infected with a rootkit. The infection is causing my computer to slow down significantly. Here is the link to my previous thread 

 

http://www.bleepingcomputer.com/forums/t/534531/my-laptops-speed-and-response-has-reduced-drastically/#entry3373887

 

I've run DDS and here are the results:

 

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 8.0.7600.16385  BrowserJavaVersion: 10.51.2
Run by Toshiba at 11:17:38 on 2014-05-21
Microsoft Windows 7 Ultimate   6.1.7600.0.1252.62.1033.18.2766.1234 [GMT 7:00]
.
AV: avast! Antivirus *Enabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: avast! Antivirus *Enabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\WLANExt.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\ChgService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Toshiba\BulletinBoard\TosNcCore.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Toshiba\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Toshiba\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Toshiba\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Toshiba\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Toshiba\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Toshiba\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Toshiba\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Users\Toshiba\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Toshiba\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
mStart Page = about:blank
uProxyOverride = itb.ac.id;<local>;*.local
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Google Update] "c:\users\toshiba\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Facebook Update] "c:\users\toshiba\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ITSecMng] c:\program files\toshiba\bluetooth toshiba stack\ItSecMng.exe /START
mRun: [SmartAudio] c:\program files\conexant\saii\SAIICpl.exe /t
mRun: [TWebCamera] "c:\program files\toshiba\toshiba web camera application\TWebCamera.exe" autorun
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [TosNC] c:\program files\toshiba\bulletinboard\TosNcCore.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [AdobeCS6ServiceManager] "c:\program files\common files\adobe\cs6servicemanager\CS6ServiceManager.exe" -launchedbylogin
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AvastUI.exe] "c:\program files\avast software\avast\AvastUI.exe" /nogui
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
dRun: [Steam] "e:\game program files\civilization v\Steam.exe" -silent
dRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
StartupFolder: c:\users\toshiba\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\toshiba\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\users\toshiba\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
TCP: NameServer = 23.249.173.88 103.247.218.111
TCP: Interfaces\{D4BA985E-3F2D-4888-8B83-4726713C01FE} : DHCPNameServer = 23.249.173.88 103.247.218.111
TCP: Interfaces\{D4BA985E-3F2D-4888-8B83-4726713C01FE}\0477966696E29646 : DHCPNameServer = 10.232.0.4 202.134.0.155 203.130.193.74 8.8.8.8
TCP: Interfaces\{D4BA985E-3F2D-4888-8B83-4726713C01FE}\244465 : DHCPNameServer = 203.130.196.5
TCP: Interfaces\{D4BA985E-3F2D-4888-8B83-4726713C01FE}\244465D284F4453505F445 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{D4BA985E-3F2D-4888-8B83-4726713C01FE}\254434D284F4453505F445 : DHCPNameServer = 222.124.204.34 203.130.193.74
TCP: Interfaces\{D4BA985E-3F2D-4888-8B83-4726713C01FE}\D6F627D6162716E616478616 : DHCPNameServer = 192.168.3.1 0.0.0.0
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs= acaptuser32.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - 
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [2013-6-1 49944]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [2013-6-1 180632]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswsnx.sys [2013-6-1 777488]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswsp.sys [2013-6-1 411680]
R1 HssDRV6;Hotspot Shield Routing Driver 6;c:\windows\system32\drivers\hssdrv6.sys [2012-7-25 35560]
R2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys [2014-5-7 24184]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-6-1 67824]
R2 aswStm;aswStm;c:\windows\system32\drivers\aswstm.sys [2014-2-22 68312]
R3 BtFilter;Bluetooth LowerFilter Class Filter Driver;c:\windows\system32\drivers\btfilter.sys [2010-10-18 33640]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2011-8-3 269824]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\L1C62x86.sys [2010-11-8 68208]
R3 MEI;Intel® Management Engine Interface;c:\windows\system32\drivers\HECI.sys [2011-8-3 41088]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [2010-12-10 62336]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [2010-12-10 141440]
R3 PGEffect;Pangu effect driver;c:\windows\system32\drivers\PGEffect.sys [2011-8-10 24064]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 cmusbser;Mobile Connector USB Device for Legacy Serial Communication LCT2051;c:\windows\system32\drivers\cmusbser.sys [2013-1-6 103552]
S3 PROLiNKusbdiag;PROLiNK DataCard Diagnostic Port;c:\windows\system32\drivers\PROLiNKusbdiag.sys [2013-11-8 107648]
S3 PROLiNKusbmodem;PROLiNK DataCard Proprietary USB Driver;c:\windows\system32\drivers\PROLiNKusbmodem.sys [2013-11-8 107648]
S3 PROLiNKusbnmea;PROLiNK DataCard NMEA Port;c:\windows\system32\drivers\PROLiNKusbnmea.sys [2013-11-8 107648]
S3 PROLiNKusbvoice;PROLiNK DataCard Voice Port;c:\windows\system32\drivers\PROLiNKusbvoice.sys [2013-11-8 107648]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2011-8-10 197224]
S3 RSUSBVSTOR;RTSUVSTOR.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUVStor.sys [2011-8-10 226408]
S3 usbrndis6;USB RNDIS6 Adapter;c:\windows\system32\drivers\usb80236.sys [2009-7-14 15872]
.
=============== File Associations ===============
.
FileExt: .js: jsfile="c:\program files\adobe\adobe dreamweaver cs6\Dreamweaver.exe","%1"
ShellExec: dreamweaver.exe: Open="c:\program files\adobe\adobe dreamweaver cs6\dreamweaver.exe", "%1"
.
=============== Created Last 30 ================
.
2014-05-21 00:43:22 62576 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{0814e855-e282-4b0a-9ef6-793075d70781}\offreg.dll
2014-05-21 00:37:59 -------- d-----w- c:\users\toshiba\appdata\local\CrashDumps
2014-05-19 18:11:42 116648 -c----w- c:\programdata\microsoft\windows\wer\reportqueue\appcrash_svchost.exe_wind_f8541b72efbd56ef6e8f14962d14c780f295dbec_cab_12de7f90\GoogleUpdate.exe
2014-05-19 16:33:32 8050496 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{0814e855-e282-4b0a-9ef6-793075d70781}\mpengine.dll
2014-05-19 16:09:27 314368 -c----w- c:\programdata\microsoft\windows\wer\reportqueue\appcrash_svchost.exe_wind_d9051ea71bd643ebd8a2a6263471fb3516d77f_cab_17d292df\SndVol.exe
2014-05-19 05:21:40 254976 -c----w- c:\programdata\microsoft\windows\wer\reportqueue\appcrash_svchost.exe_wind_1c1c15dd414ed735abbedd382564380c5b6c_cab_036e106f\wsqmcons.exe
2014-05-17 10:37:25 -------- d-----w- c:\program files\ESET
2014-05-17 10:19:33 -------- d-----w- c:\windows\ERUNT
2014-05-17 06:31:43 536576 ----a-w- c:\windows\system32\sqlite3.dll
2014-05-17 06:29:24 -------- d-----w- C:\AdwCleaner
2014-05-07 07:58:55 24184 ----a-w- c:\windows\system32\drivers\aswHwid.sys
2014-05-07 07:58:49 43152 ----a-w- c:\windows\avastSS.scr
2014-05-02 01:09:56 -------- d-----w- c:\users\toshiba\appdata\roaming\DropboxMaster
2014-04-26 11:46:06 730536 ----a-w- c:\windows\Condition Zero Uninstaller.exe
.
==================== Find3M  ====================
.
2014-05-16 15:00:38 777488 ----a-w- c:\windows\system32\drivers\aswsnx.sys
2014-05-16 15:00:37 68312 ----a-w- c:\windows\system32\drivers\aswstm.sys
2014-05-07 07:58:50 776976 ----a-w- c:\windows\system32\drivers\aswsnx.sys.1400252293561
2014-05-07 07:58:50 67824 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2014-05-07 07:58:50 49944 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2014-05-07 07:58:50 411552 ----a-w- c:\windows\system32\drivers\aswsp.sys.1400252293561
2014-05-07 07:58:50 180632 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2014-05-07 07:58:49 81768 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2014-03-31 02:35:10 231584 ------w- c:\windows\system32\MpSigStub.exe
2010-07-08 02:37:14 101544 ----a-w- c:\program files\common files\LinkInstaller.exe
.
============= FINISH: 11:29:18.34 ===============
 
Any help would be great. Thanks!



#2 jeffce
    Bleepin' Super Saiyan

  • Malware Response Team
  • 3,442 posts
  • Gender:Male
  • Location:USA

Posted 24 May 2014 - 04:04 PM

Hi and Welcome!!   
 
My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • If you happen to have a flash drive/thumb drive please have that ready in the event that we need to use it.
  • Please be sure to subscribe to the topic if you have not already done so.

IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your operating system and losing all your programs and data.

 
Having said that.... Let's get going!!
----------
 

Malwarebytes Anti-Rootkit
 
Please download Malwarebytes Anti-Rootkit and save it to your desktop.

  • Be sure to print out and follow the instructions provided on that same page.
  • Caution: This is a beta version so please be sure to read the disclaimer and back up all your data before using.
  • Scan your system for malware
  • If malware is found, please go to the MBAR folder and then copy/paste the contents of the MBAR-log-***.txt file to your next reply.

If there is no malware found, please let me know as well.
----------
 
Download CKScanner by askey127 from Here & save it to your Desktop.

  • Right-click and Run as Administrator CKScanner.exe then click Search For Files
  • When the cursor hourglass disappears, click Save List To File
  • A message box will verify the file saved
  • Double-click the CKFiles.txt icon on your desktop then copy/paste the contents in your next reply
----------

Edited by jeffce, 24 May 2014 - 04:05 PM.



#3 pilbiruusa
  • Topic Starter
  • Members
  • 32 posts

Posted 26 May 2014 - 11:26 AM

Hi Jeff, thanks for taking the time to help me out.

I followed the instructions. Malwarebytes anti-rootkit didn't detect any malware.

 

Here's the log from CKScanner

 

CKScanner 2.4 - Additional Security Risks - These are not necessarily bad
c:\program files\adobe\adobe dreamweaver cs6\configuration\taglibraries\html\keygen.vtm
hosts 127.0.0.1       adobeereg.com
hosts 127.0.0.1       www.adobeereg.com
hosts 127.0.0.1       activate.adobe.com
hosts 127.0.0.1       activate-sea.adobe.com
hosts 127.0.0.1       activate-sjc0.adobe.com
hosts 127.0.0.1       wwis-dubc1-vip60.adobe.com
scanner sequence 3.FA.11.LINAPZ
 ----- EOF ----- 
 
So far my machine is still slow.


#4 pilbiruusa
  • Topic Starter
  • Members
  • 32 posts

Posted 26 May 2014 - 11:33 AM

Oh yeah, just to note. Occasionally a dialog box would pop up in chrome asking me to save a program that I never tried to download. Here's the program: Smadav.Setup__7780_i734023593_il2.exe



#5 jeffce
    Bleepin' Super Saiyan

  • Malware Response Team
  • 3,442 posts
  • Gender:Male
  • Location:USA

Posted 26 May 2014 - 06:25 PM

CKScanner seems to have detected unauthorized software on your system. Besides being unauthorized, it's the number one way of infecting your system as all cracked/keygen software is infected. This forum, as well as all the other malware removal forums, do not support the use of unauthorized software except for their removal.  If I were to continue helping you with unauthorized software installed, it could be construed in the eyes of the law as aiding and abetting a crime.
 
If you do not agree to this then this thread will be closed and no further help will be offered because I will never be able to tell you your malware logs are clean.  If you wish to continue, please remove all unauthorized software from your system and then run a new scan with CKScanner and post the newly made log.




#6 pilbiruusa
  • Topic Starter
  • Members
  • 32 posts

Posted 27 May 2014 - 12:50 AM

I understand. All unauthorized software, to my knowledge, has been removed. I have rerun CKScanner; here are the results:

 

CKScanner 2.4 - Additional Security Risks - These are not necessarily bad
hosts 127.0.0.1       adobeereg.com
hosts 127.0.0.1       www.adobeereg.com
hosts 127.0.0.1       activate.adobe.com
hosts 127.0.0.1       activate-sea.adobe.com
hosts 127.0.0.1       activate-sjc0.adobe.com
hosts 127.0.0.1       wwis-dubc1-vip60.adobe.com
scanner sequence 3.FN.11.RWLBDA
 ----- EOF ----- 
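The two findings this thread turns on are both sitting in posted tool output: the resolver lines in the DDS "Pseudo HJT Report" (post #1) and the hosts-file lines CKScanner lists (posts #3 and #6). The following triage helper is an added example, not part of DDS, CKScanner or anything the helpers in this thread ran; it only extracts those entries for an analyst to verify, and the sample lines and the resolver allow-list are constructed to match the shape of the logs above.

```python
"""Pull resolver and hosts-override entries out of DDS and CKScanner logs.

Added example (not DDS, CKScanner or thread code). It extracts entries for
review; it does not decide what is malicious. Sample input is constructed.
"""
import ipaddress
import re

# DDS resolver lines look like:
#   TCP: NameServer = 23.249.173.88 103.247.218.111
#   TCP: Interfaces\{GUID}\... : DHCPNameServer = 192.168.1.1
DDS_NS_RE = re.compile(r"^TCP:\s+(?P<key>.+?)\s*=\s*(?P<servers>.+)$")

# CKScanner hosts lines look like: "hosts 127.0.0.1       activate.adobe.com"
CK_HOSTS_RE = re.compile(r"^hosts\s+(?P<ip>\S+)\s+(?P<name>\S+)$")

# Names that legitimately live on loopback in a hosts file.
LOOPBACK_OK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Assumed allow-list of resolvers the analyst already recognises.
KNOWN_PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "9.9.9.9"}


def dds_resolvers(lines):
    """Return (key, [servers]) for every NameServer/DHCPNameServer line."""
    found = []
    for line in lines:
        m = DDS_NS_RE.match(line.strip())
        if m and "NameServer" in m.group("key"):
            servers = [s for s in m.group("servers").split() if s != "0.0.0.0"]
            found.append((m.group("key"), servers))
    return found


def unexpected_resolvers(lines):
    """Resolvers that are neither on the LAN nor on the known allow-list.

    An off-LAN resolver is not proof of tampering; it is the value to compare
    against what the ISP or DHCP server should actually have handed out.
    """
    flagged = []
    for key, servers in dds_resolvers(lines):
        for s in servers:
            try:
                ip = ipaddress.ip_address(s)
            except ValueError:
                flagged.append((key, s))  # non-IP text in a resolver slot
                continue
            if ip.is_private or ip.is_link_local or ip.is_loopback:
                continue
            if s not in KNOWN_PUBLIC_RESOLVERS:
                flagged.append((key, s))
    return flagged


def ck_hosts_overrides(lines):
    """hosts entries CKScanner listed that send a non-local name to loopback.

    Vendor activation hosts pinned to 127.0.0.1 are the pattern the helper
    in this thread read as a sign of cracked software.
    """
    overrides = []
    for line in lines:
        m = CK_HOSTS_RE.match(line.strip())
        if not m:
            continue
        ip, name = m.group("ip"), m.group("name").lower()
        if name in LOOPBACK_OK_NAMES:
            continue
        try:
            if ipaddress.ip_address(ip).is_loopback:
                overrides.append(name)
        except ValueError:
            overrides.append(name)  # malformed address, still worth a look
    return overrides


# Constructed samples shaped like the DDS and CKScanner output posted above.
SAMPLE_DDS = r"""
uStart Page = hxxp://www.google.com
TCP: NameServer = 23.249.173.88 103.247.218.111
TCP: Interfaces\{D4BA985E-3F2D-4888-8B83-4726713C01FE} : DHCPNameServer = 23.249.173.88 103.247.218.111
TCP: Interfaces\{D4BA985E-3F2D-4888-8B83-4726713C01FE}\0477966696E29646 : DHCPNameServer = 10.232.0.4 8.8.8.8
TCP: Interfaces\{D4BA985E-3F2D-4888-8B83-4726713C01FE}\D6F627D6162716E616478616 : DHCPNameServer = 192.168.3.1 0.0.0.0
AppInit_DLLs= acaptuser32.dll
""".strip().splitlines()

SAMPLE_CK = r"""
CKScanner 2.4 - Additional Security Risks - These are not necessarily bad
c:\program files\adobe\adobe dreamweaver cs6\configuration\taglibraries\html\keygen.vtm
hosts 127.0.0.1       adobeereg.com
hosts 127.0.0.1       activate.adobe.com
hosts 127.0.0.1       localhost
hosts 192.168.1.5     printer.lan
scanner sequence 3.FA.11.LINAPZ
 ----- EOF -----
""".strip().splitlines()

if __name__ == "__main__":
    for key, server in unexpected_resolvers(SAMPLE_DDS):
        print(f"resolver to verify: {server}  ({key})")
    for name in ck_hosts_overrides(SAMPLE_CK):
        print(f"hosts override to review: {name} -> loopback")
```

Run against a real DDS or CKScanner log by reading the file into a list of lines; the private-range check is what keeps the ordinary DHCP entries (192.168.x.x, 10.x.x.x) out of the report.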


#7 jeffce
    Bleepin' Super Saiyan

  • Malware Response Team
  • 3,442 posts
  • Gender:Male
  • Location:USA

Posted 27 May 2014 - 06:38 AM

ComboFix
 
Download Combofix from either of the links below, and save it to your desktop.  
Link 1
Link 2
 
**Note:  It is important that it is saved directly to your desktop**
If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.


 
--------------------------------------------------------------------
 
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
 
--------------------------------------------------------------------
 
Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.



#8 pilbiruusa
  • Topic Starter
  • Members
  • 32 posts

Posted 28 May 2014 - 03:44 AM

ComboFix 14-05-27.02 - Toshiba 05/28/2014  13:39:19.1.4 - x86
Microsoft Windows 7 Ultimate   6.1.7600.0.1252.62.1033.18.2766.1885 [GMT 7:00]
Running from: c:\users\Toshiba\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: avast! Antivirus *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Toshiba\AppData\Local\assembly\tmp
c:\windows\pkunzip.pif
c:\windows\pkzip.pif
c:\windows\system32\CCXPButton.ocx
c:\windows\wininit.ini
.
.
(((((((((((((((((((((((((   Files Created from 2014-04-28 to 2014-05-28  )))))))))))))))))))))))))))))))
.
.
2014-05-28 07:18 . 2014-05-28 07:19 -------- d-----w- c:\users\Toshiba\AppData\Local\temp
2014-05-28 07:18 . 2014-05-28 07:18 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-05-28 07:18 . 2014-05-28 07:18 -------- d-----w- c:\users\Awthar\AppData\Local\temp
2014-05-27 11:02 . 2014-05-27 11:00 1091912 -c----w- c:\programdata\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_WinD_5ef84a8bfbf37149dbb9b961becf889923291957_cab_0c86d743\setup.exe
2014-05-26 13:23 . 2014-05-26 13:23 107224 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-05-21 00:37 . 2014-05-27 23:41 -------- d-----w- c:\users\Toshiba\AppData\Local\CrashDumps
2014-05-19 16:09 . 2009-07-14 01:14 314368 -c----w- c:\programdata\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_WinD_d9051ea71bd643ebd8a2a6263471fb3516d77f_cab_17d292df\SndVol.exe
2014-05-19 05:21 . 2009-07-14 01:14 254976 -c----w- c:\programdata\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_WinD_1c1c15dd414ed735abbedd382564380c5b6c_cab_036e106f\wsqmcons.exe
2014-05-17 10:19 . 2014-05-17 10:19 -------- d-----w- c:\windows\ERUNT
2014-05-17 06:31 . 2010-08-30 01:34 536576 ----a-w- c:\windows\system32\sqlite3.dll
2014-05-09 09:45 . 2014-05-09 09:45 -------- d-----w- c:\program files\Common Files\InstallShield
2014-05-07 07:58 . 2014-05-07 07:58 24184 ----a-w- c:\windows\system32\drivers\aswHwid.sys
2014-05-07 07:58 . 2014-05-07 07:58 43152 ----a-w- c:\windows\avastSS.scr
2014-05-02 01:09 . 2014-05-27 23:35 -------- d-----w- c:\users\Toshiba\AppData\Roaming\DropboxMaster
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-05-27 11:07 . 2014-05-27 04:32 62576 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E653EC06-1B54-4FDC-AF3D-EC9A45EEB6C9}\offreg.dll
2014-05-26 13:21 . 2013-11-29 09:32 75480 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-05-19 18:27 . 2014-05-23 04:57 8073384 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E653EC06-1B54-4FDC-AF3D-EC9A45EEB6C9}\mpengine.dll
2014-05-16 15:00 . 2013-06-01 02:06 777488 ----a-w- c:\windows\system32\drivers\aswsnx.sys
2014-05-16 15:00 . 2014-02-22 04:05 68312 ----a-w- c:\windows\system32\drivers\aswstm.sys
2014-05-16 15:00 . 2013-06-01 02:06 411680 ----a-w- c:\windows\system32\drivers\aswsp.sys
2014-05-07 07:58 . 2013-06-01 02:06 411552 ----a-w- c:\windows\system32\drivers\aswsp.sys.1400252293561
2014-05-07 07:58 . 2013-06-01 02:06 776976 ----a-w- c:\windows\system32\drivers\aswsnx.sys.1400252293561
2014-05-07 07:58 . 2013-06-01 02:05 49944 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2014-05-07 07:58 . 2013-06-01 02:05 180632 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2014-05-07 07:58 . 2013-06-01 02:05 67824 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2014-05-07 07:58 . 2013-06-01 02:06 81768 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2014-05-07 07:58 . 2013-06-01 02:05 271264 ----a-w- c:\windows\system32\aswBoot.exe
2014-04-26 11:46 . 2014-04-26 11:46 730536 ----a-w- c:\windows\Condition Zero Uninstaller.exe
2014-03-31 02:35 . 2014-04-18 12:04 231584 ------w- c:\windows\system32\MpSigStub.exe
2010-07-08 02:37 . 2010-07-08 02:37 101544 ----a-w- c:\program files\Common Files\LinkInstaller.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2014-05-07 07:58 260976 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2014-04-25 03:03 579400 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2014-04-25 03:03 579400 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2014-04-25 03:03 579400 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedViewOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2014-04-25 03:03 579400 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2014-04-25 03:03 579400 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2014-04-25 03:03 579400 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-10 143384]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-10 176664]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-10 178200]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2009-07-22 83336]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-12-14 316032]
"TWebCamera"="c:\program files\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2011-01-16 2475384]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"TosNC"="c:\program files\Toshiba\BulletinBoard\TosNcCore.exe" [2010-03-09 467816]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-11 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2014-05-27 3888648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2013-04-30 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-21 59720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-11-01 152392]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-04-18 17095048]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2011-1-13 2749856]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKLM\~\startupfolder\C:^Users^Toshiba^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\users\Toshiba\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2010-04-01 09:16 357696 ------w- c:\program files\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2013-04-30 20:59 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\CyberLink\PowerDVD8\000.fcl [x]
R2 aswStm;aswStm;c:\windows\system32\drivers\aswStm.sys [2014-05-16 68312]
R2 Change Modem Device Service;Change Modem Device Service;c:\windows\system32\ChgService.exe [2009-04-03 135168]
R3 cmusbser;Mobile Connector USB Device for Legacy Serial Communication LCT2051;c:\windows\system32\DRIVERS\cmusbser.sys [2008-09-01 103552]
R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [x]
R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys [x]
R3 ewusbmbb;HUAWEI USB-WWAN miniport;c:\windows\system32\DRIVERS\ewusbwwan.sys [x]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [x]
R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys [x]
R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys [x]
R3 PROLiNKusbdiag;PROLiNK DataCard Diagnostic Port;c:\windows\system32\DRIVERS\PROLiNKusbdiag.sys [2011-09-19 107648]
R3 PROLiNKusbmodem;PROLiNK DataCard Proprietary USB Driver;c:\windows\system32\DRIVERS\PROLiNKusbmodem.sys [2011-09-19 107648]
R3 PROLiNKusbnmea;PROLiNK DataCard NMEA Port;c:\windows\system32\DRIVERS\PROLiNKusbnmea.sys [2011-09-19 107648]
R3 PROLiNKusbvoice;PROLiNK DataCard Voice Port;c:\windows\system32\DRIVERS\PROLiNKusbvoice.sys [2011-09-19 107648]
R3 qcusbserialser;PROLiNK PCM100 Serial Communication;c:\windows\system32\DRIVERS\CT_U_USBSER.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2010-12-01 197224]
R3 RSUSBVSTOR;RTSUVSTOR.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RTSUVSTOR.sys [2010-11-30 226408]
R3 USB_BusEnum_W;EVDO Telecom USB Bus Enumerator w;c:\windows\system32\DRIVERS\USB_BusEnum_W.sys [x]
R3 USB_ETS_W;EVDO Rev A Service USB port w;c:\windows\system32\DRIVERS\USB_ETS_W.sys [x]
R3 USB_WinMux_W;EVDO Telecom USB MUX Serial Port w;c:\windows\system32\DRIVERS\USB_WinMux_W.sys [x]
R3 UsbModemDriver;EVDO Rev A USB Modem w;c:\windows\system32\DRIVERS\USB_MODEM_W.sys [x]
R3 usbrndis6;USB RNDIS6 Adapter;c:\windows\system32\DRIVERS\usb80236.sys [2009-07-13 15872]
R3 vmci;VMware VMCI Bus Driver;c:\windows\system32\DRIVERS\vmci.sys [x]
S0 aswRvrt;avast! Revert; [x]
S0 aswVmm;avast! VM Monitor; [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2011-09-21 691696]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2014-05-16 777488]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2014-05-16 411680]
S1 HssDRV6;Hotspot Shield Routing Driver 6;c:\windows\system32\DRIVERS\hssdrv6.sys [2012-07-24 35560]
S2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys [2014-05-07 24184]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2014-05-07 67824]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-02-01 2656280]
S3 BtFilter;Bluetooth LowerFilter Class Filter Driver;c:\windows\system32\DRIVERS\btfilter.sys [2010-10-18 33640]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-14 269824]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x86.sys [2010-11-08 68208]
S3 MEI;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [2010-10-19 41088]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2010-12-10 62336]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2010-12-10 141440]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2009-06-22 24064]
.
.
Contents of the 'Scheduled Tasks' folder
.
2014-05-27 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1344602048-2015683009-3195712872-1000Core.job
- c:\users\Toshiba\AppData\Local\Facebook\Update\FacebookUpdate.exe [2014-02-23 11:40]
.
2014-05-28 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1344602048-2015683009-3195712872-1000UA.job
- c:\users\Toshiba\AppData\Local\Facebook\Update\FacebookUpdate.exe [2014-02-23 11:40]
.
2014-05-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-01-31 01:50]
.
2014-05-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-01-31 01:50]
.
2014-05-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1344602048-2015683009-3195712872-1000Core.job
- c:\users\Toshiba\AppData\Local\Google\Update\GoogleUpdate.exe [2013-04-28 19:58]
.
2014-05-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1344602048-2015683009-3195712872-1000UA.job
- c:\users\Toshiba\AppData\Local\Google\Update\GoogleUpdate.exe [2013-04-28 19:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = about:blank
uInternet Settings,ProxyOverride = itb.ac.id;<local>;*.local
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 23.249.173.88 103.247.218.111
FF - ProfilePath - 
.
- - - - ORPHANS REMOVED - - - -
.
HKU-Default-Run-Steam - e:\game program files\Civilization V\Steam.exe
MSConfigStartUp-RemoteControl8 - c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe
AddRemove-InstallShield_{5442DAB8-7177-49E1-8B22-09A049EA5996} - c:\program files\InstallShield Installation Information\{5442DAB8-7177-49E1-8B22-09A049EA5996}\setup.exe
AddRemove-InstallShield_{6F3C8901-EBD3-470D-87F8-AC210F6E5E02} - c:\program files\InstallShield Installation Information\{6F3C8901-EBD3-470D-87F8-AC210F6E5E02}\setup.exe
AddRemove-InstallShield_{B2FB7DBA-CEEC-41F1-BC23-3323D96290F6} - c:\program files\InstallShield Installation Information\{B2FB7DBA-CEEC-41F1-BC23-3323D96290F6}\setup.exe
AddRemove-{12B3A009-A080-4619-9A2A-C6DB151D8D67} - c:\program files\InstallShield Installation Information\{12B3A009-A080-4619-9A2A-C6DB151D8D67}\setup.exe
AddRemove-{3108C217-BE83-42E4-AE9E-A56A2A92E549} - c:\program files\InstallShield Installation Information\{3108C217-BE83-42E4-AE9E-A56A2A92E549}\setup.exe
AddRemove-{62BBB2F0-E220-4821-A564-730807D2C34D} - c:\program files\InstallShield Installation Information\{62BBB2F0-E220-4821-A564-730807D2C34D}\setup.exe
AddRemove-{C3A32068-8AB1-4327-BB16-BED9C6219DC7} - c:\program files\InstallShield Installation Information\{C3A32068-8AB1-4327-BB16-BED9C6219DC7}\setup.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\SetID\Internal]
@Denied: (A 2) (LocalSystem)
"DEVICE2"="vaaur8rPygA="
"DATA2"="<settings accountStatus=\"3\" oldDevice=\"\" timeDiff=\"-1\" expireTime=\"1323442005\" productStatus=\"1\" obSize=\"2\" InstallTS=\"1289332796\" isSubsc=\"0\" authStat_ts=\"0\" version=\"14.1\" keyType=\"195\" prodId=\"1\" moduleId1=\"7\" moduleId2=\"10\" relType=\"0\" />\0a"
.
[HKEY_USERS\S-1-5-21-1344602048-2015683009-3195712872-1000_Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"scansk"=hex(0):7b,80,b4,9c,f2,fa,36,b9,82,dc,6d,70,2b,e5,5d,f9,3d,68,26,5a,90,
   96,13,59,df,ec,0c,76,23,b4,4d,7e,50,46,c8,8e,06,b1,2c,02,00,00,00,00,00,00,\
.
[HKEY_USERS\S-1-5-21-1344602048-2015683009-3195712872-1000_Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"scansk"=hex(0):fc,22,cd,d8,cc,1a,c5,9d,8a,43,8e,80,c1,57,74,e6,53,ef,20,93,ba,
   d4,e7,bd,66,41,dc,8f,2b,a5,2c,44,49,ff,e8,27,e1,5b,63,22,00,00,00,00,00,00,\
.
[HKEY_USERS\S-1-5-21-1344602048-2015683009-3195712872-1000_Classes\CLSID\{e8c6b8f8-d5f4-4107-8c48-34563ab6f266}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:00000152
"Therad"=dword:0000001c
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
   1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
[HKEY_USERS\S-1-5-21-1344602048-2015683009-3195712872-1000_Classes\CLSID\{eb8c8a40-95a6-411d-9d00-bfe671070423}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:00000163
"Therad"=dword:0000001f
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
   38,95,44,85,b1,12,f9,90,dd,23,a1,ae,be,a2,d1,89,45,79,6f,83,c3,69,1e,d3,03,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-05-28  14:24:45
ComboFix-quarantined-files.txt  2014-05-28 07:24
.
Pre-Run: 4,316,336,128 bytes free
Post-Run: 8,915,615,744 bytes free
.
- - End Of File - - 67B4989048D43948592D6F783D491464
A36C5E4F47E84449FF07ED3517B43A31
 
 
There haven't been any significant improvements after the scan.
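When a ComboFix log like the one above comes back and the machine is still slow, the lines a responder reads first are the service and driver entries (the `R2`/`R3`/`S0`/`S1` block), the ProxyOverride setting and the DHCP name servers. The small Python helper below is an added example, not code from this thread, from ComboFix or from BleepingComputer; it parses those lines and pulls out the entries worth checking: services whose image ComboFix printed as `[x]` instead of a date and size (assumed here to mean the file could not be found on disk), boot-start (`S0`/`R0`) drivers with a real image, the ProxyOverride host list and the DNS servers. The sample input is a handful of lines copied verbatim from the log above; the reading of the leading letter as running/stopped and the digit as the Windows start type is my assumption about the ComboFix format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample lines copied from the ComboFix log above (constructed test input for
# this added example; the real log has many more entries).
SAMPLE_LOG = r"""
R2 aswStm;aswStm;c:\windows\system32\drivers\aswStm.sys [2014-05-16 68312]
R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [x]
R3 vmci;VMware VMCI Bus Driver;c:\windows\system32\DRIVERS\vmci.sys [x]
S0 aswRvrt;avast! Revert; [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2011-09-21 691696]
S3 MEI;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [2010-10-19 41088]
uInternet Settings,ProxyOverride = itb.ac.id;<local>;*.local
TCP: DhcpNameServer = 23.249.173.88 103.247.218.111
"""

# One service/driver line: "<R|S><start> <name>;<display>;<image> [<date> <size>]" or "[x]".
# Assumption: R = running, S = stopped; the digit is the Windows start type
# (0 boot, 1 system, 2 auto, 3 demand, 4 disabled).
SERVICE_RE = re.compile(
    r'^(?P<state>[RS])(?P<start>\d) '
    r'(?P<name>[^;]*);(?P<display>[^;]*);'
    r'(?P<image>[^\[]*?)\s*\[(?P<meta>[^\]]*)\]\s*$'
)


@dataclass
class ServiceEntry:
    state: str            # 'R' (running) or 'S' (stopped), assumed ComboFix convention
    start: int            # Windows start type, 0 = boot start
    name: str
    display: str
    image: str            # path to the binary; '' when ComboFix printed none
    file_date: Optional[str]   # None when ComboFix printed "[x]"
    file_size: Optional[int]

    @property
    def image_missing(self) -> bool:
        """True when ComboFix could not report a date/size for the image ("[x]")."""
        return self.file_date is None


def parse_services(log_text: str) -> List[ServiceEntry]:
    """Extract every service/driver entry from a ComboFix log."""
    entries = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        meta = m.group('meta').strip()
        if meta == 'x':
            date, size = None, None
        else:
            date, size_str = meta.split()
            size = int(size_str)
        entries.append(ServiceEntry(m.group('state'), int(m.group('start')),
                                    m.group('name'), m.group('display'),
                                    m.group('image'), date, size))
    return entries


def missing_image(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Registered services whose binary ComboFix could not find: stale driver
    leftovers are common, but a registered service with no file is also how a
    half-removed infection looks, so each one needs a decision."""
    return [e for e in entries if e.image_missing]


def boot_start_images(entries: List[ServiceEntry]) -> List[str]:
    """Image paths of boot-start drivers (start type 0). These load before any
    security product, so they are the ones to hash and look up first."""
    return [e.image for e in entries if e.start == 0 and not e.image_missing]


def proxy_override(log_text: str) -> List[str]:
    """Hosts listed in the per-user ProxyOverride setting (bypass list)."""
    for line in log_text.splitlines():
        if line.startswith('uInternet Settings,ProxyOverride ='):
            value = line.split('=', 1)[1].strip()
            return [v for v in value.split(';') if v]
    return []


def dns_servers(log_text: str) -> List[str]:
    """DHCP-assigned DNS servers reported under the Supplementary Scan."""
    for line in log_text.splitlines():
        if line.startswith('TCP: DhcpNameServer ='):
            return line.split('=', 1)[1].split()
    return []


if __name__ == '__main__':
    svc = parse_services(SAMPLE_LOG)
    print('services parsed:', len(svc))
    for e in missing_image(svc):
        print(f'  [x] {e.state}{e.start} {e.name:<16} image={e.image or "(none)"}')
    print('boot-start images:', boot_start_images(svc))
    print('proxy override   :', proxy_override(SAMPLE_LOG))
    print('dns servers      :', dns_servers(SAMPLE_LOG))
```

Run it against a full log by reading the file into `parse_services` instead of `SAMPLE_LOG`. The `[x]` list is a starting point, not a verdict: in the log above most of those entries are orphaned USB-modem drivers, and it is the rare one with no obvious vendor that deserves a closer look.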


#9 jeffce

    Bleepin' Super Saiyan

  • Malware Response Team
  • 3,442 posts
  • Gender:Male
  • Location:USA

Posted 28 May 2014 - 04:43 PM

Please go to: VirusTotal
On the page you'll find a "Choose File" button.
Click on the Choose File button.
In the Choose File to Upload window which opens, copy and paste this into the File Name box.
 
c:\windows\Condition Zero Uninstaller.exe

c:\program files\Common Files\LinkInstaller.exe

Next, click the Open button.
Then click the "Scan It!" button just below.
This will scan the file. Please be patient.
If you get a message saying File has already been analyzed: click Reanalyze file now
Once scanned, copy and paste the link to the results page in your next reply.
----------


 


#10 pilbiruusa

  • Topic Starter
  • Members
  • 32 posts

Posted 29 May 2014 - 03:14 AM

c:\windows\Condition Zero Uninstaller.exe
 
c:\program files\Common Files\LinkInstaller.exe


#11 jeffce

    Bleepin' Super Saiyan

  • Malware Response Team
  • 3,442 posts
  • Gender:Male
  • Location:USA

Posted 29 May 2014 - 06:12 PM

ComboFix

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    ClearJavaCache::
     
    DDS::
    uInternet Settings,ProxyOverride = itb.ac.id;<local>;*.local

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
     
    CFScriptB-4.gif
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------

 

Post the new log and let me know how your system is running now.


 


#12 pilbiruusa

  • Topic Starter
  • Members
  • 32 posts

Posted 30 May 2014 - 03:20 AM

ComboFix 14-05-29.01 - Toshiba 05/30/2014  14:40:22.3.4 - x86
Microsoft Windows 7 Ultimate   6.1.7600.0.1252.62.1033.18.2766.1873 [GMT 7:00]
Running from: c:\users\Toshiba\Desktop\ComboFix.exe
Command switches used :: c:\users\Toshiba\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: avast! Antivirus *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2014-04-28 to 2014-05-30  )))))))))))))))))))))))))))))))
.
.
2014-05-30 08:00 . 2014-05-30 08:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-05-30 08:00 . 2014-05-30 08:00 -------- d-----w- c:\users\Awthar\AppData\Local\temp
2014-05-29 16:22 . 2014-05-19 18:27 8073384 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{2F3052D8-0D37-4915-A6C8-FCE56B054BC1}\mpengine.dll
2014-05-28 07:25 . 2014-05-30 08:00 -------- d-----w- c:\users\Toshiba\AppData\Local\temp
2014-05-27 11:02 . 2014-05-27 11:00 1091912 -c----w- c:\programdata\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_WinD_5ef84a8bfbf37149dbb9b961becf889923291957_cab_0c86d743\setup.exe
2014-05-26 13:23 . 2014-05-26 13:23 107224 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-05-23 04:57 . 2014-05-19 18:27 8073384 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E653EC06-1B54-4FDC-AF3D-EC9A45EEB6C9}\mpengine.dll
2014-05-21 00:37 . 2014-05-28 20:56 -------- d-----w- c:\users\Toshiba\AppData\Local\CrashDumps
2014-05-19 18:11 . 2013-01-31 01:50 116648 -c----w- c:\programdata\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_WinD_f8541b72efbd56ef6e8f14962d14c780f295dbec_cab_12de7f90\GoogleUpdate.exe
2014-05-19 16:09 . 2009-07-14 01:14 314368 -c----w- c:\programdata\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_WinD_d9051ea71bd643ebd8a2a6263471fb3516d77f_cab_17d292df\SndVol.exe
2014-05-19 05:21 . 2009-07-14 01:14 254976 -c----w- c:\programdata\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_WinD_1c1c15dd414ed735abbedd382564380c5b6c_cab_036e106f\wsqmcons.exe
2014-05-17 10:19 . 2014-05-17 10:19 -------- d-----w- c:\windows\ERUNT
2014-05-17 06:31 . 2010-08-30 01:34 536576 ----a-w- c:\windows\system32\sqlite3.dll
2014-05-09 09:45 . 2014-05-09 09:45 -------- d-----w- c:\program files\Common Files\InstallShield
2014-05-07 07:58 . 2014-05-07 07:58 24184 ----a-w- c:\windows\system32\drivers\aswHwid.sys
2014-05-07 07:58 . 2014-05-07 07:58 43152 ----a-w- c:\windows\avastSS.scr
2014-05-02 01:09 . 2014-05-30 01:31 -------- d-----w- c:\users\Toshiba\AppData\Roaming\DropboxMaster
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-05-26 13:21 . 2013-11-29 09:32 75480 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-05-16 15:00 . 2013-06-01 02:06 777488 ----a-w- c:\windows\system32\drivers\aswsnx.sys
2014-05-16 15:00 . 2014-02-22 04:05 68312 ----a-w- c:\windows\system32\drivers\aswstm.sys
2014-05-16 15:00 . 2013-06-01 02:06 411680 ----a-w- c:\windows\system32\drivers\aswsp.sys
2014-05-07 07:58 . 2013-06-01 02:06 411552 ----a-w- c:\windows\system32\drivers\aswsp.sys.1400252293561
2014-05-07 07:58 . 2013-06-01 02:06 776976 ----a-w- c:\windows\system32\drivers\aswsnx.sys.1400252293561
2014-05-07 07:58 . 2013-06-01 02:05 49944 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2014-05-07 07:58 . 2013-06-01 02:05 180632 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2014-05-07 07:58 . 2013-06-01 02:05 67824 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2014-05-07 07:58 . 2013-06-01 02:06 81768 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2014-05-07 07:58 . 2013-06-01 02:05 271264 ----a-w- c:\windows\system32\aswBoot.exe
2014-04-26 11:46 . 2014-04-26 11:46 730536 ----a-w- c:\windows\Condition Zero Uninstaller.exe
2014-03-31 02:35 . 2014-04-18 12:04 231584 ------w- c:\windows\system32\MpSigStub.exe
2010-07-08 02:37 . 2010-07-08 02:37 101544 ----a-w- c:\program files\Common Files\LinkInstaller.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2014-05-07 07:58 260976 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2014-04-25 03:03 579400 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2014-04-25 03:03 579400 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2014-04-25 03:03 579400 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedViewOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2014-04-25 03:03 579400 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2014-04-25 03:03 579400 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2014-04-25 03:03 579400 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-10 143384]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-10 176664]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-10 178200]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2009-07-22 83336]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-12-14 316032]
"TWebCamera"="c:\program files\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2011-01-16 2475384]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"TosNC"="c:\program files\Toshiba\BulletinBoard\TosNcCore.exe" [2010-03-09 467816]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-11 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2014-05-27 3888648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2013-04-30 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-21 59720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-11-01 152392]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-04-18 17095048]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2011-1-13 2749856]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKLM\~\startupfolder\C:^Users^Toshiba^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\users\Toshiba\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2010-04-01 09:16 357696 ------w- c:\program files\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2013-04-30 20:59 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\CyberLink\PowerDVD8\000.fcl [x]
R2 aswStm;aswStm;c:\windows\system32\drivers\aswStm.sys [2014-05-16 68312]
R2 Change Modem Device Service;Change Modem Device Service;c:\windows\system32\ChgService.exe [2009-04-03 135168]
R3 cmusbser;Mobile Connector USB Device for Legacy Serial Communication LCT2051;c:\windows\system32\DRIVERS\cmusbser.sys [2008-09-01 103552]
R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [x]
R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys [x]
R3 ewusbmbb;HUAWEI USB-WWAN miniport;c:\windows\system32\DRIVERS\ewusbwwan.sys [x]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [x]
R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys [x]
R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys [x]
R3 PROLiNKusbdiag;PROLiNK DataCard Diagnostic Port;c:\windows\system32\DRIVERS\PROLiNKusbdiag.sys [2011-09-19 107648]
R3 PROLiNKusbmodem;PROLiNK DataCard Proprietary USB Driver;c:\windows\system32\DRIVERS\PROLiNKusbmodem.sys [2011-09-19 107648]
R3 PROLiNKusbnmea;PROLiNK DataCard NMEA Port;c:\windows\system32\DRIVERS\PROLiNKusbnmea.sys [2011-09-19 107648]
R3 PROLiNKusbvoice;PROLiNK DataCard Voice Port;c:\windows\system32\DRIVERS\PROLiNKusbvoice.sys [2011-09-19 107648]
R3 qcusbserialser;PROLiNK PCM100 Serial Communication;c:\windows\system32\DRIVERS\CT_U_USBSER.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2010-12-01 197224]
R3 RSUSBVSTOR;RTSUVSTOR.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RTSUVSTOR.sys [2010-11-30 226408]
R3 USB_BusEnum_W;EVDO Telecom USB Bus Enumerator w;c:\windows\system32\DRIVERS\USB_BusEnum_W.sys [x]
R3 USB_ETS_W;EVDO Rev A Service USB port w;c:\windows\system32\DRIVERS\USB_ETS_W.sys [x]
R3 USB_WinMux_W;EVDO Telecom USB MUX Serial Port w;c:\windows\system32\DRIVERS\USB_WinMux_W.sys [x]
R3 UsbModemDriver;EVDO Rev A USB Modem w;c:\windows\system32\DRIVERS\USB_MODEM_W.sys [x]
R3 usbrndis6;USB RNDIS6 Adapter;c:\windows\system32\DRIVERS\usb80236.sys [2009-07-13 15872]
R3 vmci;VMware VMCI Bus Driver;c:\windows\system32\DRIVERS\vmci.sys [x]
S0 aswRvrt;avast! Revert; [x]
S0 aswVmm;avast! VM Monitor; [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2011-09-21 691696]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2014-05-16 777488]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2014-05-16 411680]
S1 HssDRV6;Hotspot Shield Routing Driver 6;c:\windows\system32\DRIVERS\hssdrv6.sys [2012-07-24 35560]
S2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys [2014-05-07 24184]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2014-05-07 67824]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-02-01 2656280]
S3 BtFilter;Bluetooth LowerFilter Class Filter Driver;c:\windows\system32\DRIVERS\btfilter.sys [2010-10-18 33640]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-14 269824]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x86.sys [2010-11-08 68208]
S3 MEI;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [2010-10-19 41088]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2010-12-10 62336]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2010-12-10 141440]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2009-06-22 24064]
.
.
Contents of the 'Scheduled Tasks' folder
.
2014-05-29 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1344602048-2015683009-3195712872-1000Core.job
- c:\users\Toshiba\AppData\Local\Facebook\Update\FacebookUpdate.exe [2014-02-23 11:40]
.
2014-05-30 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1344602048-2015683009-3195712872-1000UA.job
- c:\users\Toshiba\AppData\Local\Facebook\Update\FacebookUpdate.exe [2014-02-23 11:40]
.
2014-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-01-31 01:50]
.
2014-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-01-31 01:50]
.
2014-05-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1344602048-2015683009-3195712872-1000Core.job
- c:\users\Toshiba\AppData\Local\Google\Update\GoogleUpdate.exe [2013-04-28 19:58]
.
2014-05-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1344602048-2015683009-3195712872-1000UA.job
- c:\users\Toshiba\AppData\Local\Google\Update\GoogleUpdate.exe [2013-04-28 19:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = about:blank
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 23.249.173.88 103.247.218.111
FF - ProfilePath - 
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\SetID\Internal]
@Denied: (A 2) (LocalSystem)
"DEVICE2"="vaaur8rPygA="
"DATA2"="<settings accountStatus=\"3\" oldDevice=\"\" timeDiff=\"-1\" expireTime=\"1323442005\" productStatus=\"1\" obSize=\"2\" InstallTS=\"1289332796\" isSubsc=\"0\" authStat_ts=\"0\" version=\"14.1\" keyType=\"195\" prodId=\"1\" moduleId1=\"7\" moduleId2=\"10\" relType=\"0\" />\0a"
.
[HKEY_USERS\S-1-5-21-1344602048-2015683009-3195712872-1000_Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"scansk"=hex(0):7b,80,b4,9c,f2,fa,36,b9,82,dc,6d,70,2b,e5,5d,f9,3d,68,26,5a,90,
   96,13,59,df,ec,0c,76,23,b4,4d,7e,50,46,c8,8e,06,b1,2c,02,00,00,00,00,00,00,\
.
[HKEY_USERS\S-1-5-21-1344602048-2015683009-3195712872-1000_Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"scansk"=hex(0):fc,22,cd,d8,cc,1a,c5,9d,8a,43,8e,80,c1,57,74,e6,53,ef,20,93,ba,
   d4,e7,bd,66,41,dc,8f,2b,a5,2c,44,49,ff,e8,27,e1,5b,63,22,00,00,00,00,00,00,\
.
[HKEY_USERS\S-1-5-21-1344602048-2015683009-3195712872-1000_Classes\CLSID\{e8c6b8f8-d5f4-4107-8c48-34563ab6f266}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:00000152
"Therad"=dword:0000001c
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
   1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
[HKEY_USERS\S-1-5-21-1344602048-2015683009-3195712872-1000_Classes\CLSID\{eb8c8a40-95a6-411d-9d00-bfe671070423}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:00000163
"Therad"=dword:0000001f
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
   38,95,44,85,b1,12,f9,90,dd,23,a1,ae,be,a2,d1,89,45,79,6f,83,c3,69,1e,d3,03,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-05-30  15:07:18
ComboFix-quarantined-files.txt  2014-05-30 08:07
ComboFix2.txt  2014-05-28 07:24
.
Pre-Run: 9,414,848,512 bytes free
Post-Run: 9,339,113,472 bytes free
.
- - End Of File - - 0CDE5E336EC85382066111A93B2FF30A
A36C5E4F47E84449FF07ED3517B43A31
 
It's just the same. There isn't any perceivable difference.


#13 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:02:01 AM

Posted 30 May 2014 - 06:42 AM

FRST
 
Please download Farbar Recovery Scan Tool and save it to your Desktop.
 
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
 
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
----------


 


#14 pilbiruusa

pilbiruusa
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:02:01 PM

Posted 31 May 2014 - 12:21 AM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:30-05-2014
Ran by Toshiba (administrator) on ZHILAL on 31-05-2014 11:54:44
Running from C:\Users\Toshiba\Desktop
Platform: Microsoft Windows 7 Ultimate  (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Processes (Whitelisted) =================
 
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
() C:\Windows\System32\ChgService.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\BulletinBoard\TosNcCore.exe
(Adobe Systems Inc.) C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(TOSHIBA CORPORATION.) C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Dropbox, Inc.) C:\Users\Toshiba\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(TOSHIBA CORPORATION) C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
(TOSHIBA CORPORATION.) C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
(TOSHIBA CORPORATION.) C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
(TOSHIBA CORPORATION.) C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
(TOSHIBA CORPORATION.) C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
(TOSHIBA CORPORATION.) C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe
(Google Inc.) C:\Users\Toshiba\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Toshiba\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Toshiba\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Toshiba\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Toshiba\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Toshiba\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Toshiba\AppData\Local\Google\Chrome\Application\chrome.exe
(Google) C:\Users\Toshiba\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
 
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [ITSecMng] => C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe [83336 2009-07-22] (TOSHIBA CORPORATION)
HKLM\...\Run: [SmartAudio] => C:\Program Files\CONEXANT\SAII\SAIICpl.exe [316032 2010-12-14] (Conexant systems, Inc.)
HKLM\...\Run: [TWebCamera] => C:\Program Files\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe [2475384 2011-01-16] (TOSHIBA CORPORATION.)
HKLM\...\Run: [GrooveMonitor] => C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [31016 2006-10-27] (Microsoft Corporation)
HKLM\...\Run: [TosNC] => C:\Program Files\Toshiba\BulletinBoard\TosNcCore.exe [467816 2010-03-09] (TOSHIBA Corporation)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [937920 2011-06-06] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe Acrobat Speed Launcher] => C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe [37232 2008-06-12] (Adobe Systems Incorporated)
HKLM\...\Run: [Acrobat Assistant 8.0] => C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe [640376 2008-06-11] (Adobe Systems Inc.)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [3888648 2014-05-27] (AVAST Software)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [152392 2013-11-02] (Apple Inc.)
HKU\.DEFAULT\...\Run: [Skype] => C:\Program Files\Skype\Phone\Skype.exe [17095048 2011-04-18] (Skype Technologies S.A.)
HKU\S-1-5-21-1344602048-2015683009-3195712872-1000\...\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-1344602048-2015683009-3195712872-1000\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth Manager.lnk
ShortcutTarget: Bluetooth Manager.lnk -> C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe (TOSHIBA CORPORATION.)
Startup: C:\Users\Toshiba\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Toshiba\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
Startup: C:\Users\Toshiba\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
GroupPolicyUsers\S-1-5-21-1344602048-2015683009-3195712872-1011\User: Group Policy restriction detected <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
SearchScopes: HKLM - DefaultScope value is missing.
BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO: SmartSelect Class - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKCU - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
Winsock: Catalog5 09 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 23.249.173.88 103.247.218.111
 
FireFox:
========
FF ProfilePath: C:\Users\Toshiba\AppData\Roaming\Mozilla\Profiles\0mu7fd2l.Zhilal
FF NewTab: user_pref("browser.newtab.url", "");
FF SearchEngineOrder.user_pref("browser.search.order.1", "");: user_pref("browser.search.order.1", "");
FF NetworkProxy: "http", "122.96.59.99"
FF NetworkProxy: "http_port", 81
FF NetworkProxy: "type", 1
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32_11_9_900_152.dll ()
FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @Google.com/GoogleEarthPlugin - C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin: @java.com/DTPlugin,version=10.51.2 - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.51.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @Skype Limited.com/Facebook Video Calling Plugin - C:\Users\Toshiba\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)
FF Plugin HKCU: @talk.google.com/GoogleTalkPlugin - C:\Users\Toshiba\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
FF Plugin HKCU: @talk.google.com/O1DPlugin - C:\Users\Toshiba\AppData\Roaming\Mozilla\plugins\npo1d.dll (Google)
FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Users\Toshiba\AppData\Local\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Users\Toshiba\AppData\Local\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: ubisoft.com/uplaypc - E:\Game Program Files\hawk\orbit\npuplaypc.dll No File
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\NPOFF12.DLL (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\Toshiba\AppData\Roaming\mozilla\plugins\npgoogletalk.dll (Google)
FF Plugin ProgramFiles/Appdata: C:\Users\Toshiba\AppData\Roaming\mozilla\plugins\npo1d.dll (Google)
FF Extension: SeoQuake - C:\Users\Toshiba\AppData\Roaming\Mozilla\Profiles\0mu7fd2l.Zhilal\Extensions\{317B5128-0B0B-49b2-B2DB-1E7560E16C74} [2014-05-29]
FF Extension: Buffer for Firefox - C:\Users\Toshiba\AppData\Roaming\Mozilla\Profiles\0mu7fd2l.Zhilal\Extensions\jid1-zUyU7TGKwejAyA@jetpack.xpi [2013-10-28]
FF Extension: Adblock Plus - C:\Users\Toshiba\AppData\Roaming\Mozilla\Profiles\0mu7fd2l.Zhilal\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2013-11-30]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: avast! Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2013-06-01]
 
Chrome: 
=======
CHR HomePage: 
CHR Plugin: (Shockwave Flash) - C:\Users\Toshiba\AppData\Local\Google\Chrome\Application\35.0.1916.114\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Users\Toshiba\AppData\Local\Google\Chrome\Application\35.0.1916.114\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Users\Toshiba\AppData\Local\Google\Chrome\Application\35.0.1916.114\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (2007 Microsoft Office system) - C:\Program Files\Mozilla Firefox\plugins\NPOFF12.DLL (Microsoft Corporation)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll No File
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll No File
CHR Plugin: (AVG SiteSafety plugin) - C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\14.2.0\\npsitesafety.dll No File
CHR Plugin: (RIM Handheld Application Loader) - C:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll No File
CHR Plugin: (Google Earth Plugin) - C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll No File
CHR Plugin: (Java™ Platform SE 7 U15) - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
CHR Plugin: (iTunes Application Detector) - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32_11_6_602_180.dll No File
CHR Plugin: (Java Deployment Toolkit 7.0.150.3) - C:\Windows\system32\npDeployJava1.dll No File
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Toshiba\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-28]
CHR Extension: (Adblock Plus) - C:\Users\Toshiba\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2014-04-23]
CHR Extension: (Google Wallet) - C:\Users\Toshiba\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-23]
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-05-07]
 
========================== Services (Whitelisted) =================
 
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-05-07] (AVAST Software)
R2 Change Modem Device Service; C:\Windows\system32\ChgService.exe [135168 2009-04-03] ()
 
==================== Drivers (Whitelisted) ====================
 
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [24184 2014-05-07] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [67824 2014-05-07] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [81768 2014-05-07] (AVAST Software)
R0 aswRvrt; C:\Windows\system32\Drivers\aswRvrt.sys [49944 2014-05-07] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [777488 2014-05-16] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [411680 2014-05-16] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [68312 2014-05-16] (AVAST Software)
R0 aswVmm; C:\Windows\system32\Drivers\aswVmm.sys [180632 2014-05-07] ()
R3 BtFilter; C:\Windows\System32\DRIVERS\btfilter.sys [33640 2010-10-18] (Atheros)
S3 cmusbser; C:\Windows\System32\DRIVERS\cmusbser.sys [103552 2008-09-01] (Mobile Connector)
R1 HssDRV6; C:\Windows\System32\DRIVERS\hssdrv6.sys [35560 2012-07-25] (AnchorFree Inc.)
R3 MEI; C:\Windows\System32\DRIVERS\HECI.sys [41088 2010-10-20] (Intel Corporation)
R3 nusb3hub; C:\Windows\System32\DRIVERS\nusb3hub.sys [62336 2010-12-10] (Renesas Electronics Corporation)
R3 nusb3xhc; C:\Windows\System32\DRIVERS\nusb3xhc.sys [141440 2010-12-10] (Renesas Electronics Corporation)
R3 PGEffect; C:\Windows\System32\DRIVERS\pgeffect.sys [24064 2009-06-22] (TOSHIBA Corporation)
S3 PROLiNKusbdiag; C:\Windows\System32\DRIVERS\PROLiNKusbdiag.sys [107648 2011-09-19] (PROLINK Corporation)
S3 PROLiNKusbmodem; C:\Windows\System32\DRIVERS\PROLiNKusbmodem.sys [107648 2011-09-19] (PROLINK Corporation)
S3 PROLiNKusbnmea; C:\Windows\System32\DRIVERS\PROLiNKusbnmea.sys [107648 2011-09-19] (PROLINK Corporation)
S3 PROLiNKusbvoice; C:\Windows\System32\DRIVERS\PROLiNKusbvoice.sys [107648 2011-09-19] (PROLINK Corporation)
S3 RSUSBVSTOR; C:\Windows\System32\Drivers\RTSUVSTOR.sys [226408 2010-11-30] (Realtek Semiconductor Corp.)
R0 sptd; C:\Windows\System32\Drivers\sptd.sys [691696 2011-09-21] ()
S3 taphss; C:\Windows\System32\DRIVERS\taphss.sys [33512 2012-07-25] (AnchorFree Inc)
S3 usbrndis6; C:\Windows\System32\DRIVERS\usb80236.sys [15872 2009-07-14] (Microsoft Corporation)
S3 xnacc; C:\Windows\System32\DRIVERS\xnacc.sys [465408 2009-07-14] (Microsoft Corporation)
U3 a0u6qsfr; C:\Windows\system32\Drivers\a0u6qsfr.sys [0 ] (Microsoft Corporation)
S3 catchme; \??\C:\Users\Toshiba\AppData\Local\Temp\catchme.sys [X]
S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [X]
S3 ewusbmbb; system32\DRIVERS\ewusbwwan.sys [X]
S3 ewusbnet; system32\DRIVERS\ewusbnet.sys [X]
S3 ew_hwusbdev; system32\DRIVERS\ew_hwusbdev.sys [X]
S3 huawei_enumerator; system32\DRIVERS\ew_jubusenum.sys [X]
S3 hwdatacard; system32\DRIVERS\ewusbmdm.sys [X]
S3 hwusbdev; system32\DRIVERS\ewusbdev.sys [X]
S3 qcusbserialser; system32\DRIVERS\CT_U_USBSER.sys [X]
S3 UsbModemDriver; system32\DRIVERS\USB_MODEM_W.sys [X]
S3 USB_BusEnum_W; system32\DRIVERS\USB_BusEnum_W.sys [X]
S3 USB_ETS_W; system32\DRIVERS\USB_ETS_W.sys [X]
S3 USB_WinMux_W; system32\DRIVERS\USB_WinMux_W.sys [X]
S3 vmci; \SystemRoot\system32\DRIVERS\vmci.sys [X]
S3 VMnetAdapter; system32\DRIVERS\vmnetadapter.sys [X]
S2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}; \??\C:\Program Files\CyberLink\PowerDVD8\000.fcl [X]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-05-31 11:54 - 2014-05-31 11:56 - 00019121 _____ () C:\Users\Toshiba\Desktop\FRST.txt
2014-05-31 11:52 - 2014-05-31 11:54 - 00000000 ____D () C:\FRST
2014-05-31 11:50 - 2014-05-31 11:51 - 01056256 _____ (Farbar) C:\Users\Toshiba\Desktop\FRST.exe
2014-05-30 15:07 - 2014-05-30 15:07 - 00018689 _____ () C:\ComboFix.txt
2014-05-30 15:07 - 2014-05-30 15:07 - 00000000 ____D () C:\Users\Public\AppData\Local\temp
2014-05-30 15:07 - 2014-05-30 15:07 - 00000000 ____D () C:\Users\Default\AppData\Local\temp
2014-05-30 15:07 - 2014-05-30 15:07 - 00000000 ____D () C:\Users\Default User\AppData\Local\temp
2014-05-30 15:07 - 2014-05-30 15:07 - 00000000 ____D () C:\Users\Awthar\AppData\Local\temp
2014-05-29 15:07 - 2014-05-29 15:12 - 00000244 _____ () C:\Users\Toshiba\Desktop\Virustotal.txt
2014-05-29 03:55 - 2014-05-29 03:55 - 00687445 _____ () C:\Users\Toshiba\Downloads\5116.tmp
2014-05-29 02:47 - 2014-05-29 02:47 - 00260230 _____ () C:\Users\Toshiba\Downloads\E2B8.tmp
2014-05-29 02:16 - 2014-05-29 02:16 - 00280482 _____ () C:\Users\Toshiba\Downloads\E991.tmp
2014-05-28 14:25 - 2014-05-31 11:56 - 00000000 ____D () C:\Users\Toshiba\AppData\Local\temp
2014-05-28 13:32 - 2011-06-26 13:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-05-28 13:32 - 2010-11-08 00:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-05-28 13:32 - 2009-04-20 11:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-05-28 13:32 - 2000-08-31 07:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-05-28 13:32 - 2000-08-31 07:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-05-28 13:32 - 2000-08-31 07:00 - 00098816 _____ () C:\Windows\sed.exe
2014-05-28 13:32 - 2000-08-31 07:00 - 00080412 _____ () C:\Windows\grep.exe
2014-05-28 13:32 - 2000-08-31 07:00 - 00068096 _____ () C:\Windows\zip.exe
2014-05-28 13:31 - 2014-05-30 15:07 - 00000000 ____D () C:\Qoobox
2014-05-28 13:29 - 2014-05-30 09:08 - 05203398 ____R (Swearware) C:\Users\Toshiba\Desktop\ComboFix.exe
2014-05-28 13:16 - 2014-05-28 14:22 - 00000000 ____D () C:\Windows\erdnt
2014-05-27 12:38 - 2014-05-27 12:38 - 00000390 _____ () C:\Users\Toshiba\Desktop\ckfiles.txt
2014-05-27 11:09 - 2014-05-31 10:00 - 00002320 _____ () C:\Windows\PFRO.log
2014-05-26 20:23 - 2014-05-26 20:23 - 00107224 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-05-26 20:20 - 2014-05-26 20:20 - 00000918 _____ () C:\Users\Toshiba\Desktop\Instructions.txt
2014-05-26 20:18 - 2014-05-26 22:27 - 00000000 ____D () C:\Users\Toshiba\Desktop\mbar
2014-05-26 20:14 - 2014-05-26 20:16 - 12589848 _____ (Malwarebytes Corp.) C:\Users\Toshiba\Desktop\mbar-1.07.0.1009.exe
2014-05-26 20:13 - 2014-05-26 20:13 - 00468480 _____ () C:\Users\Toshiba\Desktop\CKScanner.exe
2014-05-21 07:37 - 2014-05-29 03:56 - 00000000 ____D () C:\Users\Toshiba\AppData\Local\CrashDumps
2014-05-20 06:38 - 2014-05-20 06:38 - 00000000 _____ () C:\Users\Toshiba\AppData\Local\{CC9165DA-ADF1-442F-95B7-410EEC83C7F9}
2014-05-20 06:22 - 2014-05-20 06:22 - 00131072 _____ () C:\Windows\Minidump\052014-112710-01.dmp
2014-05-19 20:26 - 2014-05-31 10:35 - 00001064 _____ () C:\Windows\setupact.log
2014-05-19 20:26 - 2014-05-19 20:26 - 00000000 _____ () C:\Windows\setuperr.log
2014-05-17 17:19 - 2014-05-17 17:19 - 00000000 ____D () C:\Windows\ERUNT
2014-05-17 13:31 - 2010-08-30 08:34 - 00536576 _____ (SQLite Development Team) C:\Windows\system32\sqlite3.dll
2014-05-15 23:39 - 2014-05-31 11:12 - 01144501 _____ () C:\Windows\WindowsUpdate.log
2014-05-09 16:45 - 2014-05-09 16:45 - 00000000 ____D () C:\Program Files\Common Files\InstallShield
2014-05-07 14:58 - 2014-05-07 14:58 - 00043152 _____ (AVAST Software) C:\Windows\avastSS.scr
2014-05-07 14:58 - 2014-05-07 14:58 - 00024184 _____ () C:\Windows\system32\Drivers\aswHwid.sys
2014-05-06 20:53 - 2014-05-06 20:53 - 00325412 _____ () C:\Users\Toshiba\Downloads\E259.tmp
2014-05-02 08:09 - 2014-05-31 10:51 - 00000000 ____D () C:\Users\Toshiba\AppData\Roaming\DropboxMaster
 
==================== One Month Modified Files and Folders =======
 
2014-05-31 11:56 - 2014-05-31 11:54 - 00019121 _____ () C:\Users\Toshiba\Desktop\FRST.txt
2014-05-31 11:56 - 2014-05-28 14:25 - 00000000 ____D () C:\Users\Toshiba\AppData\Local\temp
2014-05-31 11:54 - 2014-05-31 11:52 - 00000000 ____D () C:\FRST
2014-05-31 11:52 - 2013-01-31 08:50 - 00001002 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-05-31 11:51 - 2014-05-31 11:50 - 01056256 _____ (Farbar) C:\Users\Toshiba\Desktop\FRST.exe
2014-05-31 11:37 - 2013-04-28 17:52 - 00000916 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1344602048-2015683009-3195712872-1000UA.job
2014-05-31 11:12 - 2014-05-15 23:39 - 01144501 _____ () C:\Windows\WindowsUpdate.log
2014-05-31 10:55 - 2012-03-11 09:36 - 00000000 ____D () C:\Users\Toshiba\AppData\Roaming\Dropbox
2014-05-31 10:54 - 2009-07-14 11:34 - 00014192 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-05-31 10:54 - 2009-07-14 11:34 - 00014192 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-05-31 10:51 - 2014-05-02 08:09 - 00000000 ____D () C:\Users\Toshiba\AppData\Roaming\DropboxMaster
2014-05-31 10:45 - 2013-01-31 08:50 - 00000998 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-05-31 10:44 - 2009-07-14 11:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-05-31 10:42 - 2009-07-14 11:53 - 00032558 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-05-31 10:35 - 2014-05-19 20:26 - 00001064 _____ () C:\Windows\setupact.log
2014-05-31 10:35 - 2011-11-08 22:55 - 00065536 _____ () C:\Windows\system32\Ikeext.etl
2014-05-31 10:00 - 2014-05-27 11:09 - 00002320 _____ () C:\Windows\PFRO.log
2014-05-31 00:30 - 2009-07-14 09:37 - 00000000 ____D () C:\Windows\tracing
2014-05-30 21:45 - 2014-02-23 18:40 - 00000936 _____ () C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1344602048-2015683009-3195712872-1000UA.job
2014-05-30 19:36 - 2013-04-28 17:52 - 00000864 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1344602048-2015683009-3195712872-1000Core.job
2014-05-30 19:29 - 2011-08-09 21:19 - 00824096 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-05-30 18:45 - 2014-02-23 18:40 - 00000914 _____ () C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1344602048-2015683009-3195712872-1000Core.job
2014-05-30 15:07 - 2014-05-30 15:07 - 00018689 _____ () C:\ComboFix.txt
2014-05-30 15:07 - 2014-05-30 15:07 - 00000000 ____D () C:\Users\Public\AppData\Local\temp
2014-05-30 15:07 - 2014-05-30 15:07 - 00000000 ____D () C:\Users\Default\AppData\Local\temp
2014-05-30 15:07 - 2014-05-30 15:07 - 00000000 ____D () C:\Users\Default User\AppData\Local\temp
2014-05-30 15:07 - 2014-05-30 15:07 - 00000000 ____D () C:\Users\Awthar\AppData\Local\temp
2014-05-30 15:07 - 2014-05-28 13:31 - 00000000 ____D () C:\Qoobox
2014-05-30 15:01 - 2009-07-14 09:04 - 00000215 _____ () C:\Windows\system.ini
2014-05-30 09:08 - 2014-05-28 13:29 - 05203398 ____R (Swearware) C:\Users\Toshiba\Desktop\ComboFix.exe
2014-05-29 15:12 - 2014-05-29 15:07 - 00000244 _____ () C:\Users\Toshiba\Desktop\Virustotal.txt
2014-05-29 03:56 - 2014-05-21 07:37 - 00000000 ____D () C:\Users\Toshiba\AppData\Local\CrashDumps
2014-05-29 03:55 - 2014-05-29 03:55 - 00687445 _____ () C:\Users\Toshiba\Downloads\5116.tmp
2014-05-29 02:47 - 2014-05-29 02:47 - 00260230 _____ () C:\Users\Toshiba\Downloads\E2B8.tmp
2014-05-29 02:16 - 2014-05-29 02:16 - 00280482 _____ () C:\Users\Toshiba\Downloads\E991.tmp
2014-05-28 14:25 - 2009-07-14 09:37 - 00000000 ___RD () C:\Users\Public
2014-05-28 14:22 - 2014-05-28 13:16 - 00000000 ____D () C:\Windows\erdnt
2014-05-28 06:27 - 2012-07-08 12:27 - 00000632 __RSH () C:\Users\Toshiba\ntuser.pol
2014-05-28 06:27 - 2011-08-09 21:11 - 00000000 ____D () C:\Users\Toshiba
2014-05-27 12:38 - 2014-05-27 12:38 - 00000390 _____ () C:\Users\Toshiba\Desktop\ckfiles.txt
2014-05-27 11:05 - 2011-08-10 18:30 - 00000000 ____D () C:\Program Files\Common Files\Adobe
2014-05-27 11:00 - 2011-08-10 19:08 - 00000000 ____D () C:\Users\Toshiba\AppData\Roaming\Adobe
2014-05-27 10:58 - 2011-08-10 18:35 - 00000000 ____D () C:\ProgramData\Adobe
2014-05-27 10:58 - 2011-08-10 18:30 - 00000000 ____D () C:\Program Files\Adobe
2014-05-27 10:07 - 2011-08-10 19:19 - 00000000 ____D () C:\Users\Toshiba\AppData\Local\Adobe
2014-05-26 22:27 - 2014-05-26 20:18 - 00000000 ____D () C:\Users\Toshiba\Desktop\mbar
2014-05-26 22:27 - 2013-11-29 16:35 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-05-26 20:23 - 2014-05-26 20:23 - 00107224 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-05-26 20:21 - 2013-11-29 16:32 - 00075480 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-05-26 20:20 - 2014-05-26 20:20 - 00000918 _____ () C:\Users\Toshiba\Desktop\Instructions.txt
2014-05-26 20:16 - 2014-05-26 20:14 - 12589848 _____ (Malwarebytes Corp.) C:\Users\Toshiba\Desktop\mbar-1.07.0.1009.exe
2014-05-26 20:13 - 2014-05-26 20:13 - 00468480 _____ () C:\Users\Toshiba\Desktop\CKScanner.exe
2014-05-26 20:09 - 2012-03-11 10:14 - 00001021 _____ () C:\Users\Toshiba\Desktop\Dropbox.lnk
2014-05-26 20:08 - 2012-03-11 10:11 - 00000000 ____D () C:\Users\Toshiba\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2014-05-23 11:45 - 2011-08-10 18:56 - 00000000 ____D () C:\Users\Toshiba\AppData\Roaming\Mozilla
2014-05-20 06:38 - 2014-05-20 06:38 - 00000000 _____ () C:\Users\Toshiba\AppData\Local\{CC9165DA-ADF1-442F-95B7-410EEC83C7F9}
2014-05-20 06:22 - 2014-05-20 06:22 - 00131072 _____ () C:\Windows\Minidump\052014-112710-01.dmp
2014-05-20 06:22 - 2012-01-14 11:30 - 00000000 ____D () C:\Windows\Minidump
2014-05-19 20:26 - 2014-05-19 20:26 - 00000000 _____ () C:\Windows\setuperr.log
2014-05-19 06:45 - 2012-11-03 21:43 - 00007620 _____ () C:\Users\Toshiba\AppData\Local\Resmon.ResmonCfg
2014-05-17 17:19 - 2014-05-17 17:19 - 00000000 ____D () C:\Windows\ERUNT
2014-05-17 13:35 - 2014-03-29 15:48 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-05-16 22:00 - 2014-02-22 11:05 - 00068312 _____ (AVAST Software) C:\Windows\system32\Drivers\aswstm.sys
2014-05-16 22:00 - 2013-06-01 09:06 - 00777488 _____ (AVAST Software) C:\Windows\system32\Drivers\aswsnx.sys
2014-05-16 22:00 - 2013-06-01 09:06 - 00411680 _____ (AVAST Software) C:\Windows\system32\Drivers\aswsp.sys
2014-05-15 17:41 - 2012-08-01 18:09 - 00000000 ____D () C:\Users\Toshiba\AppData\Roaming\uTorrent
2014-05-15 17:19 - 2011-09-05 13:19 - 00000000 ____D () C:\Program Files\Mobile Partner
2014-05-15 15:08 - 2012-05-11 01:44 - 00000000 ____D () C:\Users\Toshiba\AppData\Roaming\Media Player Classic
2014-05-15 14:31 - 2012-10-17 12:52 - 00000000 ____D () C:\Users\Toshiba\AppData\Roaming\vlc
2014-05-15 07:46 - 2012-10-23 10:03 - 00029184 _____ () C:\Users\Toshiba\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-05-13 18:20 - 2014-03-17 19:32 - 00002180 _____ () C:\Users\Public\Desktop\ProModel 2011.lnk
2014-05-12 20:30 - 2011-08-10 18:48 - 00000000 ____D () C:\Users\Toshiba\AppData\Roaming\Skype
2014-05-09 16:49 - 2014-02-17 13:49 - 00000000 ___HD () C:\Program Files\InstallShield Installation Information
2014-05-09 16:49 - 2012-09-20 20:26 - 00000000 ____D () C:\Users\Toshiba\Documents\My Games
2014-05-09 16:45 - 2014-05-09 16:45 - 00000000 ____D () C:\Program Files\Common Files\InstallShield
2014-05-09 14:08 - 2012-03-11 10:14 - 00000000 ____D () C:\Users\Toshiba\Dropbox
2014-05-08 17:14 - 2014-03-18 10:34 - 00000000 ____D () C:\ProgramData\Orbit
2014-05-07 14:59 - 2013-06-01 09:06 - 00002007 _____ () C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2014-05-07 14:58 - 2014-05-07 14:58 - 00043152 _____ (AVAST Software) C:\Windows\avastSS.scr
2014-05-07 14:58 - 2014-05-07 14:58 - 00024184 _____ () C:\Windows\system32\Drivers\aswHwid.sys
2014-05-07 14:58 - 2013-06-01 09:06 - 00776976 _____ (AVAST Software) C:\Windows\system32\Drivers\aswsnx.sys.1400252293561
2014-05-07 14:58 - 2013-06-01 09:06 - 00411552 _____ (AVAST Software) C:\Windows\system32\Drivers\aswsp.sys.1400252293561
2014-05-07 14:58 - 2013-06-01 09:06 - 00081768 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2014-05-07 14:58 - 2013-06-01 09:05 - 00271264 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2014-05-07 14:58 - 2013-06-01 09:05 - 00180632 _____ () C:\Windows\system32\Drivers\aswVmm.sys
2014-05-07 14:58 - 2013-06-01 09:05 - 00067824 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2014-05-07 14:58 - 2013-06-01 09:05 - 00049944 _____ () C:\Windows\system32\Drivers\aswRvrt.sys
2014-05-06 20:53 - 2014-05-06 20:53 - 00325412 _____ () C:\Users\Toshiba\Downloads\E259.tmp
2014-05-06 20:01 - 2013-06-09 14:53 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Drive
 
Some content of TEMP:
====================
C:\Users\Toshiba\AppData\Local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpgaqjs7.dll
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\system32\winlogon.exe => MD5 is legit
C:\Windows\system32\wininit.exe => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\services.exe => MD5 is legit
C:\Windows\system32\User32.dll => MD5 is legit
C:\Windows\system32\userinit.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
C:\Windows\system32\Drivers\volsnap.sys => MD5 is legit
 
 
LastRegBack: 2014-05-09 13:39
 
==================== End Of Log ============================


#15 jeffce

    Bleepin' Super Saiyan

  • Malware Response Team
  • 3,442 posts
  • Gender: Male
  • Location: USA
  • Local time: 02:01 AM

Posted 31 May 2014 - 12:28 PM

Please go to: VirusTotal
On the page you'll find a "Choose File" button.
Click on the Choose File button.
In the Choose File to Upload window which opens, copy and paste this into the File Name box.
 
C:\Users\Toshiba\Downloads\5116.tmp
C:\Users\Toshiba\Downloads\E2B8.tmp
C:\Users\Toshiba\Downloads\E991.tmp
C:\Windows\system32\Drivers\a0u6qsfr.sys
 
Next, click the Open button.
Then click the "Scan It!" button just below.
This will scan the file. Please be patient.
If you get a message saying "File has already been analyzed", click "Reanalyze file now".
Once scanned, copy and paste the link to the results page in your next reply.
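As an added example (my own code, not from this thread, from FRST, or from jeffce), here is a parser for the one-line-per-file format of the FRST listing above, with two triage rules that reproduce the kind of selection made in this post: temporary files dropped in Downloads, and a publisher-less driver with a machine-generated-looking name. The sample lines are copied from the log except the a0u6qsfr.sys line, whose timestamps and size are constructed placeholders, and the "random-looking name" rule is an assumption of mine, not an FRST check.

```python
import re
from collections import namedtuple

# Constructed sample in the one-line-per-file format of the FRST log above;
# the a0u6qsfr.sys line's timestamps and size are placeholders.
SAMPLE_LOG = """\
2014-05-16 22:00 - 2014-02-22 11:05 - 00068312 _____ (AVAST Software) C:\\Windows\\system32\\Drivers\\aswstm.sys
2014-05-07 14:58 - 2014-05-07 14:58 - 00024184 _____ () C:\\Windows\\system32\\Drivers\\aswHwid.sys
2014-05-07 14:58 - 2013-06-01 09:05 - 00180632 _____ () C:\\Windows\\system32\\Drivers\\aswVmm.sys
2014-05-06 20:53 - 2014-05-06 20:53 - 00325412 _____ () C:\\Users\\Toshiba\\Downloads\\E259.tmp
2014-05-15 17:41 - 2012-08-01 18:09 - 00000000 ____D () C:\\Users\\Toshiba\\AppData\\Roaming\\uTorrent
2014-05-20 09:00 - 2014-05-20 09:00 - 00031744 _____ () C:\\Windows\\system32\\Drivers\\a0u6qsfr.sys
"""

# Field layout: created - modified - size attrs (publisher) path
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) \((?P<company>[^)]*)\) (?P<path>.+)$"
)
# Assumed heuristic (not an FRST rule): 8 lowercase letters/digits with a digit.
RANDOM_NAME = re.compile(r"^(?=.*\d)[a-z0-9]{8}$")

Entry = namedtuple("Entry", "created modified size is_dir company path")

def parse_frst(text):
    """Parse FRST file-listing lines; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["created"], m["modified"], int(m["size"]),
                                 "D" in m["attrs"], m["company"], m["path"]))
    return entries

def triage(entries):
    """Return (path, reason) pairs worth submitting for a hash/AV lookup."""
    findings = []
    for e in entries:
        if e.is_dir:
            continue
        folder, _, name = e.path.rpartition("\\")
        stem, _, ext = name.rpartition(".")
        folder, ext = folder.lower(), ext.lower()
        if ext == "tmp" and folder.endswith("\\downloads"):
            findings.append((e.path, "temp file dropped in Downloads"))
        elif (ext == "sys" and folder.endswith("\\drivers")
              and not e.company and RANDOM_NAME.match(stem)):
            findings.append((e.path, "publisher-less driver with random-looking name"))
    return findings
```

Both rules are only triage aids: the publisher-less avast drivers in the same listing are not flagged solely because their names are vendor-style, so the VirusTotal result requested above is what actually decides each file.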