Radio ads, unsolicited cookies, internet does not load


  • This topic is locked
22 replies to this topic

#1 Jupiter34

  • Members
  • 14 posts
  • Gender:Male

Posted 25 June 2014 - 09:33 PM

Hello,

 

I have been having what sounds like random radio ads playing on my computer whenever I am connected to the internet. My cookie settings prompt me to allow or block a cookie whenever a new website asks to save one, and I am being barraged with requests to save cookies from websites I've never visited or heard of. Now when I type an address into my browser it says the site is loading, but it takes 4-5 minutes to load or doesn't load at all.

 

Also, McAfee has blocked about 25 executions of svchost.exe as mass mailing worms. I can upload that log file if needed.


Please help me get rid of the malware on my computer, and adjust my settings to increase security and prevent future infections. The DDS log follows.

Thank you!

 
==================
DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 11.0.9600.17126
Run by Chris at 14:34:32 on 2014-06-25
#Option Extended Search is enabled.
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.2942.1406 [GMT -10:00]
.
AV: Ad-Aware Antivirus *Disabled/Outdated* {D87B6541-12A1-DAEA-0033-9B8057AAB996}
AV: McAfee VirusScan Enterprise *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Ad-Aware Antivirus *Disabled/Outdated* {631A84A5-349B-D564-3A83-A0F22C2DF32B}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Ad-Aware Firewall *Disabled* {E040E464-58CE-DBB2-2B6C-32B5A979FEED}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\LSI SoftModem\agr64svc.exe
C:\Program Files (x86)\Ant.com\IE add-on\AntUpdaterService.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.2.5952.0\AdAwareService.exe
c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\engineserver.exe
C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Windows\system32\mfevtps.exe
C:\Program Files (x86)\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\mcshield.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\mfeann.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.2.5952.0\AdAwareTray.exe
C:\Program Files (x86)\hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files (x86)\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
C:\Program Files (x86)\hp\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\shstat.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\mcconsol.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Presario&pf=cndt
mStart Page = about:blank
mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Ant.com browser helper (video detector): {346FDE31-DFF9-418A-90C8-BA31DC9FF2EF} - C:\Program Files (x86)\Ant.com\IE add-on\Download.dll
BHO: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files (x86)\Lavasoft\AdAware SecureSearch Toolbar\adawareDx.dll
BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\McAfee\VirusScan Enterprise\scriptsn.dll
TB: Ant.com Video Downloader toolbar: {2E924F4F-67F0-4BD8-9560-49F468E843D2} - C:\Program Files (x86)\Ant.com\IE add-on\anttoolbar.dll
TB: Ant.com Video Downloader toolbar: {2E924F4F-67F0-4BD8-9560-49F468E843D2} - C:\Program Files (x86)\Ant.com\IE add-on\anttoolbar.dll
TB: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files (x86)\Lavasoft\AdAware SecureSearch Toolbar\adawareDx.dll
uRun: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN
mRun: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
mRun: [HP Remote Solution] C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
mRun: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [UpdatePRCShortCut] "C:\Program Files (x86)\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Recovery" UpdateWithCreateOnce "Software\CyberLink\PowerRecover"
mRun: [Corel Registration] "C:\Program Files (x86)\Corel\WordPerfect Office 2002\Register\NAVBrowser.exe" /r /i "C:\Program Files (x86)\Corel\WordPerfect Office 2002\Register\NavLoad.ini"
mRun: [McAfeeUpdaterUI] "C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
mRun: [ShStatEXE] "C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe"
dRun: [phtermn] rundll32 "C:\Windows\System32\config\systemprofile\AppData\Local\phtermn.dll",phtermn
dRunOnce: [SPReview] "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\hp\Digital Imaging\bin\hpqtra08.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\NETGEA~1.LNK - C:\Program Files (x86)\NETGEAR\WG111T Configuration Utility\wlan111t.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\NETGEA~2.LNK - C:\Program Files (x86)\NETGEAR\WG111v3\WG111v3.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\PICTUR~1.LNK - C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {70AF6C9F-0818-4cf7-924A-BBDBB24211D3} - {70AF6C9F-0818-4cf7-924A-BBDBB24211D3} - C:\Program Files (x86)\Ant.com\IE add-on\Download.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.3.1.0.cab
TCP: NameServer = 24.25.227.55 209.18.47.61 24.25.227.53
TCP: Interfaces\{2857F9FB-0BE9-4DC2-9ABA-26CC7EAE1559} : DHCPNameServer = 24.25.227.55 209.18.47.61 24.25.227.53
TCP: Interfaces\{2857F9FB-0BE9-4DC2-9ABA-26CC7EAE1559}\E4544574541425 : DHCPNameServer = 192.168.1.1
Notify: phtermn - C:\Windows\System32\config\systemprofile\AppData\Local\phtermn.dll
SSODL: WebCheck - <orphaned>
x64-mStart Page = about:blank
x64-BHO: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files (x86)\Lavasoft\AdAware SecureSearch Toolbar\adawareDx64.dll
x64-BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\scriptsn.dll
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.0 Runtime\bin\jp2ssv.dll
x64-TB: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files (x86)\Lavasoft\AdAware SecureSearch Toolbar\adawareDx64.dll
x64-Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\System32\NvCpl.dll,NvStartup
x64-Run: [AdAwareTray] "C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.2.5952.0\AdAwareTray.exe"
x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab
x64-DPF: {CAFEEFAC-0017-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\qjsikfvb.default\
FF - prefs.js: keyword.URL - hxxp://securedsearch2.lavasoft.com/results.php?pr=vmn&id=adawaretb&v=3_9&idate=__installtime__&hsimp=yhs-lavasoft&ent=bs&q=
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\2.0.31005.0\npctrlui.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_9_900_170.dll
FF - ExtSQL: 2014-06-13 23:28; {87934c42-161d-45bc-8cef-ef18abe2a30c}; C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\qjsikfvb.default\extensions\{87934c42-161d-45bc-8cef-ef18abe2a30c}
.
============= SERVICES / DRIVERS ===============
.
P2 McShield;McAfee McShield;C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\mcshield.exe [2009-8-31 178920]
R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\System32\drivers\mfehidk.sys [2010-10-2 469144]
R2 AntUpdaterService;Ant Toolbar updater service;C:\Program Files (x86)\Ant.com\IE add-on\AntUpdaterService.exe [2011-6-29 520216]
R2 LavasoftAdAwareService11;Ad-Aware Service 11;C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.2.5952.0\AdAwareService.exe [2014-6-3 706864]
R2 McAfeeEngineService;McAfee Engine Service;C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\engineserver.exe [2009-8-31 19720]
R2 McAfeeFramework;McAfee Framework Service;C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe [2009-1-16 103744]
R2 McTaskManager;McAfee Task Manager;C:\Program Files (x86)\McAfee\VirusScan Enterprise\vstskmgr.exe [2009-8-31 66896]
R2 mfevtp;McAfee Validation Trust Protection Service;C:\Windows\System32\mfevtps.exe [2010-10-2 79504]
R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\System32\drivers\mfeavfk.sys [2010-10-2 119968]
R3 RTL8187B;NETGEAR WG111v3 Wireless-G USB Adapter Win7 Driver;C:\Windows\System32\drivers\wg111v3.sys [2010-9-25 446976]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-6-23 111616]
S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\System32\drivers\mferkdet.sys [2010-10-2 77104]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-7-1 59392]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-2-15 52736]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-9-26 1255736]
.
=============== Created Last 60 ================
.
2014-06-25 13:16:32 75888 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{6FB64E9C-2B7A-4380-8D77-A60DDC4AB69B}\offreg.dll
2014-06-24 21:58:03 -------- d-----w- C:\Windows\rescache
2014-06-24 13:32:43 10779000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{6FB64E9C-2B7A-4380-8D77-A60DDC4AB69B}\mpengine.dll
2014-06-24 11:37:37 -------- d-----w- C:\TDSSKiller_Quarantine
2014-06-24 01:42:54 63704 ----a-w- C:\Windows\System32\drivers\mwac.sys
2014-06-24 01:42:54 25816 ----a-w- C:\Windows\System32\drivers\mbam.sys
2014-06-24 01:42:54 -------- d-----w- C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-06-24 01:41:53 -------- d-----w- C:\Users\Chris\AppData\Local\Programs
2014-06-23 22:19:43 -------- d-----w- C:\ProgramData\Malwarebytes
2014-06-23 22:19:21 -------- d-----w- C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-06-23 22:19:16 122584 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-06-23 22:17:59 91352 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2014-06-23 22:16:44 -------- d-----w- C:\Program Files (x86)\Malwarebytes
2014-06-18 22:55:26 288192 ----a-w- C:\Windows\System32\drivers\FWPKCLNT.SYS
2014-06-18 22:55:26 1903552 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2014-06-18 22:55:25 376768 ----a-w- C:\Windows\System32\drivers\netio.sys
2014-06-18 22:54:06 2002432 ----a-w- C:\Windows\System32\msxml6.dll
2014-06-18 22:54:06 1882112 ----a-w- C:\Windows\System32\msxml3.dll
2014-06-18 22:54:06 1389056 ----a-w- C:\Windows\SysWow64\msxml6.dll
2014-06-18 22:54:05 2048 ----a-w- C:\Windows\SysWow64\msxml6r.dll
2014-06-18 22:54:05 1237504 ----a-w- C:\Windows\SysWow64\msxml3.dll
2014-06-18 22:54:04 2048 ----a-w- C:\Windows\SysWow64\msxml3r.dll
2014-06-18 22:54:04 2048 ----a-w- C:\Windows\System32\msxml6r.dll
2014-06-18 22:54:03 2048 ----a-w- C:\Windows\System32\msxml3r.dll
2014-06-18 21:17:50 801280 ----a-w- C:\Windows\System32\usp10.dll
2014-06-18 21:17:49 626688 ----a-w- C:\Windows\SysWow64\usp10.dll
2014-06-14 09:30:42 -------- d-----w- C:\Users\Chris\AppData\Roaming\LavasoftStatistics
2014-06-14 09:29:22 -------- d-----w- C:\Program Files\Lavasoft
2014-06-14 09:28:52 -------- d-----w- C:\Users\Chris\AppData\Local\adawarebp
2014-06-14 09:28:47 -------- d-----w- C:\ProgramData\Ad-Aware Browsing Protection
2014-06-14 09:28:41 -------- d-----w- C:\Program Files (x86)\Toolbar Cleaner
2014-06-14 09:28:00 -------- d-----w- C:\Program Files (x86)\Lavasoft
2014-06-14 09:26:15 -------- d-----w- C:\Program Files\Common Files\Lavasoft
2014-06-14 03:23:47 -------- d-----w- C:\Users\Chris\AppData\Roaming\Yxuz
2014-06-14 03:23:47 -------- d-----w- C:\Users\Chris\AppData\Roaming\Qaecx
2014-05-14 14:05:59 35328 ----a-w- C:\Windows\SysWow64\wincredprovider.dll
2014-05-14 14:05:59 31232 ----a-w- C:\Windows\System32\lsass.exe
2014-05-14 14:05:58 29184 ----a-w- C:\Windows\System32\sspisrv.dll
2014-05-14 14:05:58 22016 ----a-w- C:\Windows\System32\credssp.dll
2014-05-14 14:05:58 17408 ----a-w- C:\Windows\SysWow64\credssp.dll
2014-05-14 14:05:57 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2014-05-14 14:05:57 28160 ----a-w- C:\Windows\System32\secur32.dll
2014-05-14 14:05:57 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
.
==================== Find6M  ====================
.
2014-06-24 11:39:24 512000 ----a-w- C:\Windows\System32\rpcss.dll
2014-05-30 10:02:37 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
2014-05-30 10:02:09 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
2014-05-30 09:39:43 548352 ----a-w- C:\Windows\System32\vbscript.dll
2014-05-30 09:39:23 66048 ----a-w- C:\Windows\System32\iesetup.dll
2014-05-30 09:38:29 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
2014-05-30 09:21:23 139264 ----a-w- C:\Windows\System32\ieUnatt.exe
2014-05-30 09:21:05 111616 ----a-w- C:\Windows\System32\ieetwcollector.exe
2014-05-30 09:20:36 752640 ----a-w- C:\Windows\System32\jscript9diag.dll
2014-05-30 09:11:24 940032 ----a-w- C:\Windows\System32\MsSpellCheckingFacility.exe
2014-05-30 09:08:22 5782528 ----a-w- C:\Windows\System32\jscript9.dll
2014-05-30 09:02:39 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2014-05-30 08:55:36 38400 ----a-w- C:\Windows\System32\JavaScriptCollectionAgent.dll
2014-05-30 08:44:28 455168 ----a-w- C:\Windows\SysWow64\vbscript.dll
2014-05-30 08:43:06 61952 ----a-w- C:\Windows\SysWow64\iesetup.dll
2014-05-30 08:42:16 51200 ----a-w- C:\Windows\SysWow64\ieetwproxystub.dll
2014-05-30 08:28:33 112128 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2014-05-30 08:27:56 592896 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2014-05-30 08:24:19 1249280 ----a-w- C:\Windows\System32\mshtmlmedia.dll
2014-05-30 08:23:22 2040832 ----a-w- C:\Windows\System32\inetcpl.cpl
2014-05-30 08:10:46 32256 ----a-w- C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
2014-05-30 07:56:56 2266112 ----a-w- C:\Windows\System32\wininet.dll
2014-05-30 07:56:50 4244992 ----a-w- C:\Windows\SysWow64\jscript9.dll
2014-05-30 07:50:09 1068032 ----a-w- C:\Windows\SysWow64\mshtmlmedia.dll
2014-05-30 07:49:38 1964544 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2014-05-30 07:21:10 1790976 ----a-w- C:\Windows\SysWow64\wininet.dll
2014-04-23 03:29:20 389240 ----a-w- C:\Windows\System32\drivers\Trufos.sys
2014-04-12 02:22:05 95680 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2014-04-12 02:22:05 155072 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2014-04-12 02:19:38 136192 ----a-w- C:\Windows\System32\sspicli.dll
2014-04-12 02:19:32 1460736 ----a-w- C:\Windows\System32\lsasrv.dll
2014-03-31 19:35:08 270496 ------w- C:\Windows\System32\MpSigStub.exe
2014-03-04 09:47:01 5550016 ----a-w- C:\Windows\System32\ntoskrnl.exe
2014-03-04 09:44:21 362496 ----a-w- C:\Windows\System32\wow64win.dll
2014-03-04 09:44:21 243712 ----a-w- C:\Windows\System32\wow64.dll
2014-03-04 09:44:21 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2014-03-04 09:44:20 39936 ----a-w- C:\Windows\System32\wincredprovider.dll
2014-03-04 09:44:10 210944 ----a-w- C:\Windows\System32\wdigest.dll
2014-03-04 09:44:08 86528 ----a-w- C:\Windows\System32\TSpkg.dll
2014-03-04 09:44:06 340992 ----a-w- C:\Windows\System32\schannel.dll
2014-03-04 09:44:03 722944 ----a-w- C:\Windows\System32\objsel.dll
2014-03-04 09:44:03 314880 ----a-w- C:\Windows\System32\msv1_0.dll
2014-03-04 09:44:03 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2014-03-04 09:44:00 728064 ----a-w- C:\Windows\System32\kerberos.dll
2014-03-04 09:44:00 424960 ----a-w- C:\Windows\System32\KernelBase.dll
2014-03-04 09:43:56 57344 ----a-w- C:\Windows\System32\cngprovider.dll
2014-03-04 09:43:56 52736 ----a-w- C:\Windows\System32\dpapiprovider.dll
2014-03-04 09:43:56 44544 ----a-w- C:\Windows\System32\dimsroam.dll
2014-03-04 09:43:55 56832 ----a-w- C:\Windows\System32\adprovider.dll
2014-03-04 09:43:55 53760 ----a-w- C:\Windows\System32\capiprovider.dll
2014-03-04 09:43:50 455168 ----a-w- C:\Windows\System32\winlogon.exe
2014-03-04 09:20:11 3969984 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2014-03-04 09:20:11 3914176 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2014-03-04 09:16:54 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2014-03-04 09:16:18 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2014-03-04 09:16:18 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2014-03-04 08:09:30 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2014-03-04 08:09:29 2048 ----a-w- C:\Windows\SysWow64\user.exe
2014-02-07 01:23:30 3156480 ----a-w- C:\Windows\System32\win32k.sys
2014-02-04 02:32:12 624128 ----a-w- C:\Windows\System32\qedit.dll
2014-02-04 02:04:11 509440 ----a-w- C:\Windows\SysWow64\qedit.dll
2014-01-29 02:32:18 484864 ----a-w- C:\Windows\System32\wer.dll
2014-01-29 02:06:47 381440 ----a-w- C:\Windows\SysWow64\wer.dll
2003-02-26 02:49:24 65536 ----a-w- C:\Program Files\Command.dll
2003-02-26 02:49:16 77824 ----a-w- C:\Program Files\Transfer.dll
2002-02-04 19:34:42 8960 ----a-w- C:\Program Files\USBBC.sys
2002-01-24 23:43:12 516096 ----a-w- C:\Program Files\Mdi.exe
2000-07-26 20:35:34 200704 ----a-w- C:\Program Files\DrvUninstaller.exe
.
============= FINISH: 14:37:30.41 ===============
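One way to turn the "Pseudo HJT Report" section of a DDS log into a triage list, added here as an example that is not part of the thread or of the DDS tool: it parses the Run/RunOnce and Winlogon Notify lines, resolves the module each launch point actually loads, and flags modules that live in user-writable or SYSTEM-profile directories or that rundll32 loads from outside the Windows system directories. The sample lines are copied from the log above; the heuristics, the `Finding` class and the function names are my own.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Constructed sample: "Pseudo HJT Report" lines copied from the DDS log in the post above.
SAMPLE_LOG = r"""
mRun: [McAfeeUpdaterUI] "C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
mRun: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe"
dRun: [phtermn] rundll32 "C:\Windows\System32\config\systemprofile\AppData\Local\phtermn.dll",phtermn
dRunOnce: [SPReview] "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
Notify: phtermn - C:\Windows\System32\config\systemprofile\AppData\Local\phtermn.dll
x64-Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\System32\NvCpl.dll,NvStartup
"""

# DDS prefixes a Run line with the hive it came from (u, m, d, x64-); the value name sits in brackets.
RUN_LINE = re.compile(r"^(?P<source>(?:x64-)?[umd]?Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
NOTIFY_LINE = re.compile(r"^(?P<source>Notify): (?P<name>\S+) - (?P<target>.*)$")

# Where rundll32 targets and Winlogon packages are expected to live. Compared by parent directory,
# not by prefix: C:\Windows\System32\config\systemprofile\... also *starts with* the System32 path.
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}


@dataclass
class Finding:
    source: str          # hive/key the entry came from, e.g. mRun, dRun, Notify
    name: str            # registry value name
    target: str          # module the launch point actually loads
    rundll32: bool       # loaded via rundll32 rather than executed directly
    reasons: list = field(default_factory=list)


def launch_target(cmd):
    """Return (module path, via_rundll32) for a Run-key command line."""
    tokens = [q or u for q, u in re.findall(r'"([^"]+)"|(\S+)', cmd)]
    via_rundll32 = bool(tokens) and tokens[0].lower().startswith("rundll32")
    for tok in tokens[1:] if via_rundll32 else tokens:
        path = tok.split(",")[0]          # rundll32 takes "<dll>,<entrypoint>"
        if path.lower().endswith((".exe", ".dll")):
            return path, via_rundll32
    return (tokens[0] if tokens else cmd), via_rundll32


def reasons_for(target, via_rundll32, source):
    """Heuristics a triager applies by eye; each hit is a reason to look closer, not a verdict."""
    low = target.lower()
    parent = ntpath.dirname(low)
    reasons = []
    if "\\config\\systemprofile\\" in low:
        reasons.append("module lives under the SYSTEM account profile, not a place installers use")
    elif "\\appdata\\" in low or low.startswith("c:\\programdata\\"):
        reasons.append("module lives in a directory a standard user can write to")
    if via_rundll32 and parent not in SYSTEM_DIRS:
        reasons.append("rundll32 loads a DLL that is not in System32/SysWOW64")
    if source == "Notify" and parent not in SYSTEM_DIRS:
        reasons.append("Winlogon Notify entry points outside System32/SysWOW64")
    return reasons


def triage(log_text):
    findings = []
    for line in log_text.splitlines():
        m = RUN_LINE.match(line)
        if m:
            target, via_rundll32 = launch_target(m["cmd"])
            f = Finding(m["source"], m["name"], target, via_rundll32)
        else:
            m = NOTIFY_LINE.match(line)
            if not m:
                continue
            f = Finding(m["source"], m["name"], m["target"].strip(), False)
        f.reasons = reasons_for(f.target, f.rundll32, f.source)
        findings.append(f)
    return findings


def shared_targets(findings):
    """Modules registered at more than one launch point, keyed by lower-cased path."""
    by_target = {}
    for f in findings:
        by_target.setdefault(f.target.lower(), []).append(f.source)
    return {t: s for t, s in by_target.items() if len(s) > 1}


if __name__ == "__main__":
    findings = triage(SAMPLE_LOG)
    for f in findings:
        print(f"{'REVIEW' if f.reasons else 'ok    '} {f.source:<9} [{f.name}] {f.target}")
        for r in f.reasons:
            print(f"           - {r}")
    for target, sources in shared_targets(findings).items():
        print(f"shared: {target} is registered via {', '.join(sources)}")
```

Run as-is it marks the `dRun`/`Notify` pair for `phtermn.dll` and the ProgramData entry for review and leaves the McAfee, SPReview and NVIDIA entries alone. The parent-directory comparison matters: `C:\Windows\System32\config\systemprofile\AppData\Local` begins with the System32 path, so a naive prefix check would wave that DLL through as a system file.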
 

 




 


#2 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 26 June 2014 - 04:57 AM

Hi there,
My name is Marius and I will assist you with your malware-related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English, so please do not use slang or idioms; it could be hard for me to read. Thanks for your understanding.

 

 

Please post the attach.txt.

 

 

Scan with aswMBR

Please download aswMBR ( 4.5MB ) to your desktop.

  • Double click the aswMBR.exe icon, and click Run.
  • There will be a short delay before the next dialog box comes up. Please just wait a minute or two.
  • When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
  • Typically this is about a 100MB download so depending on your connection speed it can take a short while to download and become ready.
  • Click the Scan button to start the scan once the update has finished downloading.
  • On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.

Note: There will also be a file on your desktop named MBR.dat; do not delete this for now. It is an actual backup of the MBR (master boot record).


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)
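The note above describes MBR.dat as a backup of the master boot record. As an added example, not from the thread or from aswMBR, the following Python parses a 512-byte MBR image, checks the 0x55AA boot signature, decodes the four partition-table entries and hashes the bootstrap code so a saved backup can be compared against a fresh read of sector 0. The image it works on is constructed inline (one NTFS partition sized roughly like the C: volume in the attach.txt log); the function names are my own.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446                 # bootstrap code occupies bytes 0..445
TABLE_OFFSET = BOOT_CODE_LEN        # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"             # bytes 510..511
PART_TYPES = {0x05: "Extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
              0x0F: "Extended (LBA)", 0xEE: "GPT protective"}
ENTRY_FMT = "<B3sB3sII"             # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr():
    """Constructed 512-byte image: filler boot code, one active NTFS partition, valid signature."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0]) + b"\x00" * (BOOT_CODE_LEN - 4)
    ntfs = struct.pack(ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 953_000_000)
    return boot_code + ntfs + b"\x00" * 48 + SIGNATURE


def parse_mbr(image):
    """Validate the signature and decode the partition table of a raw MBR image."""
    if len(image) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(image)}")
    if image[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(ENTRY_FMT, image[off:off + 16])
        if ptype == 0:                  # empty slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": PART_TYPES.get(ptype, f"0x{ptype:02x}"),
            "lba_start": lba,
            "sectors": count,
            "size_gib": round(count * 512 / 2**30, 2),
        })
    return {
        "boot_code_sha256": hashlib.sha256(image[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def boot_code_changed(backup_image, current_image):
    """True when the bootstrap code differs between a saved MBR.dat and a fresh read of sector 0."""
    return parse_mbr(backup_image)["boot_code_sha256"] != parse_mbr(current_image)["boot_code_sha256"]


if __name__ == "__main__":
    backup = build_sample_mbr()
    info = parse_mbr(backup)
    print("boot code sha256:", info["boot_code_sha256"])
    for p in info["partitions"]:
        print(p)
    patched = bytearray(backup)
    patched[0] ^= 0xFF                  # constructed: a one-byte change in the boot code
    print("boot code changed:", boot_code_changed(backup, bytes(patched)))
```

To compare against a live disk on Windows, read the first 512 bytes of `\\.\PhysicalDrive0` from an elevated prompt and pass them as `current_image`; a differing bootstrap hash with an unchanged partition table is the pattern a bootkit scanner is looking for, while a changed table usually means a legitimate repartition.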

#3 Jupiter34
  • Topic Starter
  • Members
  • 14 posts
  • Gender:Male

Posted 26 June 2014 - 09:27 PM

Hi Marius,

 

Thank you, I really appreciate your help. Here are the attach.txt and aswMBR log files:

 

attach.txt

===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium 
Boot Device: \Device\HarddiskVolume1
Install Date: 11/14/2009 11:41:10 AM
System Uptime: 6/24/2014 1:34:22 PM (25 hours ago)
.
Motherboard: PEGATRON CORPORATION |  | NARRA5
Processor: AMD Athlon™ II X2 215 Processor | Socket AM2  | 2700/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 455 GiB total, 4.144 GiB free.
D: is FIXED (NTFS) - 11 GiB total, 1.992 GiB free.
E: is CDROM ()
F: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
Description: Photosmart Prem C410 series
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Photosmart Prem C410 series
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service: 
.
Class GUID: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Description: Photosmart Prem C410 series
Device ID: ROOT\IMAGE\0000
Manufacturer: HP
Name: Photosmart Prem C410 series
PNP Device ID: ROOT\IMAGE\0000
Service: StillCam
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
64 Bit HP CIO Components Installer
ActiveCheck component for HP Active Support Library
Ad-Aware Antivirus
Ad-Aware Security Toolbar
AdAwareInstaller
AdAwareUpdater
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 9.4.6
Amazon MP3 Downloader 1.0.10
AnswerWorks 5.0 English Runtime
Ant.com IE add-on
AntimalwareEngine
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
BufferChm
C410
Compatibility Pack for the 2007 Office system
CutePDF Writer 2.8
CyberLink DVD Suite Deluxe
Destinations
DeviceDiscovery
DirectX for Managed Code Update (Summer 2004)
DocProc
Fax
FLV Player 2.0 (build 25)
Free RAR Extract Frog
GIMP 2.6.11
GPBaseService2
Hardware Diagnostic Tools
HP Customer Experience Enhancements
HP Games
HP Imaging Device Functions 14.0
HP Odometer
HP Photosmart Prem C410 All-In-One Driver Software 14.0 Rel. 7
HP Remote Solution
HP Setup
HP Solution Center 14.0
HP Support Assistant
HP Support Information
HP Update
HPAppStudio
HPAsset component for HP Active Support Library
HPPhotoGadget
HPProductAssistant
IMM4 VCM Codec 1.0.0.10
iTunes
Java™ 7 Update 2 (64-bit)
Java™ SE Development Kit 7 Update 2 (64-bit)
JavaFX 2.0.2 (64-bit)
JavaFX 2.0.2 SDK (64-bit)
jGRASP
LabelPrint
LightScribe System Software
LogicWorks 5
LSI PCI-SV92EX Soft Modem
Malwarebytes Anti-Malware version 2.0.2.1012
McAfee Agent
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 60 day trial
Microsoft Office Office 64-bit Components 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared 64-bit MUI (English) 2007
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable (x64)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
Mozilla Firefox 25.0.1 (x86 en-US)
Mozilla Maintenance Service
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NETGEAR WG111T Smart Wizard Wireless Utility
NETGEAR WG111v3 wireless USB 2.0 adapter
Network64
NVIDIA Drivers
NVIDIA PhysX
OCR Software by I.R.I.S. 14.0
PC-Linq
PictureMover
Pod to PC 4.004
Power2Go
PowerDirector
PowerRecover
PS_AIO_07_C410_SW_Min
Quicken 2011
QuickTime
QuickTransfer
Realtek High Definition Audio Driver
RemoteAgent
Scan
SolutionCenter
SSH Secure Shell
Status
System Requirements Lab CYRI
The Witcher Enhanced Edition
Toolbox
TrayApp
WebReg
.
==== Event Viewer Messages From Past Week ========
.
6/25/2014 1:39:34 AM, Error: volsnap [36]  - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
6/24/2014 6:01:05 AM, Error: Microsoft-Windows-HAL [12]  - The platform firmware has corrupted memory across the previous system power transition.  Please check for updated firmware for your system.
6/24/2014 3:25:28 AM, Error: Microsoft-Windows-DistributedCOM [10016]  - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID  {C97FCC79-E628-407D-AE68-A06AD6D8B4D1}  and APPID  {344ED43D-D086-4961-86A6-1106F4ACAD9B}  to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
6/24/2014 3:24:23 AM, Error: Service Control Manager [7000]  - The atksgt service failed to start due to the following error:  This driver has been blocked from loading
6/24/2014 3:24:23 AM, Error: Application Popup [875]  - Driver atksgt.sys has been blocked from loading.
6/24/2014 1:38:35 AM, Error: Service Control Manager [7001]  - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:  The dependency service or group failed to start.
6/24/2014 1:26:36 AM, Error: Service Control Manager [7001]  - The PnP-X IP Bus Enumerator service depends on the Function Discovery Provider Host service which failed to start because of the following error:  The dependency service or group failed to start.
6/24/2014 1:24:56 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
6/24/2014 1:24:56 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
6/24/2014 1:24:56 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
6/24/2014 1:24:56 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
6/24/2014 1:24:54 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
6/24/2014 1:24:48 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
6/24/2014 1:24:37 AM, Error: Service Control Manager [7023]  - The Power service terminated with the following error:  The WMI request could not be completed and should be retried.
6/24/2014 1:24:36 AM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AFD DfsC discache mfehidk mfetdik NetBIOS NetBT nsiproxy Psched rdbss spldr tdx vwififlt Wanarpv6 WfpLwf
6/24/2014 1:24:36 AM, Error: Service Control Manager [7001]  - The McAfee McShield service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error:  The dependency service or group failed to start.
6/24/2014 1:24:35 AM, Error: Service Control Manager [7001]  - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
6/24/2014 1:24:35 AM, Error: Service Control Manager [7001]  - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error:  A device attached to the system is not functioning.
6/24/2014 1:24:35 AM, Error: Service Control Manager [7001]  - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error:  A device attached to the system is not functioning.
6/24/2014 1:24:35 AM, Error: Service Control Manager [7001]  - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error:  The dependency service or group failed to start.
6/24/2014 1:24:35 AM, Error: Service Control Manager [7001]  - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error:  The dependency service or group failed to start.
6/24/2014 1:24:35 AM, Error: Service Control Manager [7001]  - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error:  A device attached to the system is not functioning.
6/24/2014 1:24:35 AM, Error: Service Control Manager [7001]  - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
6/24/2014 1:24:35 AM, Error: Service Control Manager [7001]  - The McAfee Validation Trust Protection Service service depends on the McAfee Inc. mfehidk service which failed to start because of the following error:  A device attached to the system is not functioning.
6/24/2014 1:24:35 AM, Error: Service Control Manager [7001]  - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
6/24/2014 1:24:35 AM, Error: Service Control Manager [7001]  - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
6/24/2014 1:24:35 AM, Error: Service Control Manager [7001]  - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error:  A device attached to the system is not functioning.
6/24/2014 1:11:30 AM, Error: Service Control Manager [7023]  - The HP Network Devices Support service terminated with the following error:  %%-2147467243
6/24/2014 1:11:25 AM, Error: Service Control Manager [7038]  - The WdiServiceHost service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error:  The security account manager (SAM) or local security authority (LSA) server was in the wrong state to perform the security operation. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
6/24/2014 1:11:25 AM, Error: Service Control Manager [7038]  - The netprofm service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error:  The security account manager (SAM) or local security authority (LSA) server was in the wrong state to perform the security operation. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
6/24/2014 1:11:25 AM, Error: Service Control Manager [7000]  - The Network List Service service failed to start due to the following error:  The service did not start due to a logon failure.
6/24/2014 1:11:25 AM, Error: Service Control Manager [7000]  - The Diagnostic Service Host service failed to start due to the following error:  The service did not start due to a logon failure.
6/24/2014 1:11:25 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1069" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
6/24/2014 1:09:50 AM, Error: Service Control Manager [7038]  - The lmhosts service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error:  The security account manager (SAM) or local security authority (LSA) server was in the wrong state to perform the security operation. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
6/24/2014 1:09:50 AM, Error: Service Control Manager [7000]  - The TCP/IP NetBIOS Helper service failed to start due to the following error:  The service did not start due to a logon failure.
6/23/2014 2:46:09 PM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the LavasoftAdAwareService11 service.
6/20/2014 3:21:51 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80004005: Cumulative Security Update for Internet Explorer 11 for Windows 7 for x64-based Systems (KB2957689).
.
==== End Of File ===========================
 
 
 
aswMBR logfile
======================
aswMBR version 1.0.1.2041 Copyright© 2014 AVAST Software
Run date: 2014-06-26 13:54:10
-----------------------------
13:54:10.646    OS Version: Windows x64 6.1.7601 Service Pack 1
13:54:10.646    Number of processors: 2 586 0x602
13:54:10.646    ComputerName: PAR-1  UserName: Chris
13:55:06.938    Initialze error C000010E - driver not loaded
13:56:13.797    AVAST engine download error: 0
13:57:02.473    Service scanning
13:57:31.737    Modules scanning
13:57:31.737    Disk 0 trace - called modules:
13:57:31.737    
13:57:31.747    Scan finished successfully
13:57:57.344    The log file has been saved successfully to "C:\Users\Chris\Desktop\aswMBR.txt"
 
 
aswMBR version 1.0.1.2041 Copyright© 2014 AVAST Software
Run date: 2014-06-26 13:59:13
-----------------------------
13:59:13.938    OS Version: Windows x64 6.1.7601 Service Pack 1
13:59:13.938    Number of processors: 2 586 0x602
13:59:13.938    ComputerName: PAR-1  UserName: Chris
13:59:15.881    Initialze error C000010E - driver not loaded
14:00:00.991    AVAST engine download error: 0
14:02:01.869    The log file has been saved successfully to "C:\Users\Chris\Desktop\aswMBR.txt"
 
 
aswMBR version 1.0.1.2041 Copyright© 2014 AVAST Software
Run date: 2014-06-26 13:53:02
-----------------------------
13:53:02.930    OS Version: Windows x64 6.1.7601 Service Pack 1
13:53:02.930    Number of processors: 2 586 0x602
13:53:02.930    ComputerName: PAR-1  UserName: Chris
13:55:06.768    Initialize success
13:55:07.060    VM: initialized successfully
13:55:07.166    VM: Amd CPU BiosDisabled 
14:05:36.373    VM: supported disk I/O storport.sys
14:06:49.417    AVAST engine download error: 0
14:07:51.336    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000005d
14:07:51.346    Disk 0 Vendor: Hitachi_ GM4O Size: 476940MB BusType: 3
14:07:51.456    Disk 0 MBR read successfully
14:07:51.456    Disk 0 MBR scan
14:07:51.456    Disk 0 unknown MBR code
14:07:51.516    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 2048
14:07:51.516    Disk 0 Boot: NTFS     code=1
14:07:51.566    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       465672 MB offset 206848
14:07:51.596    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS        11166 MB offset 953903104
14:07:51.646    Disk 0 scanning C:\Windows\system32\drivers
14:08:06.686    Service scanning
14:08:24.958    Modules scanning
14:08:24.958    Disk 0 trace - called modules:
14:08:24.978    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys storport.sys hal.dll nvstor64.sys 
14:08:24.988    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80031d8060]
14:08:24.988    3 CLASSPNP.SYS[fffff8800180143f] -> nt!IofCallDriver -> [0xfffffa80022eee40]
14:08:24.998    5 ACPI.sys[fffff88000f317a1] -> nt!IofCallDriver -> \Device\0000005d[0xfffffa8002d069c0]
14:08:25.008    Scan finished successfully
14:08:41.278    Disk 0 MBR has been saved successfully to "C:\Users\Chris\Desktop\MBR.dat"
14:08:41.288    The log file has been saved successfully to "C:\Users\Chris\Desktop\aswMBR.txt"
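
The third aswMBR run above is the one that got past the driver-load failure: it read the sector, reported "Disk 0 unknown MBR code" (aswMBR did not recognise the boot code against its list of known loaders), listed three NTFS partitions and saved the raw sector to C:\Users\Chris\Desktop\MBR.dat. The Python script below is an added example, not part of this thread or of aswMBR: it decodes a 512-byte MBR the same way (0x55AA boot signature, the four 16-byte partition entries, active flag, overlap and end-of-disk checks) and hashes the 440 bytes of boot code so the value can be compared against a baseline recorded from a known-clean machine. The sector it parses is constructed to mirror the partition layout the log reports (100 MB at LBA 2048, 465672 MB at 206848, 11166 MB at 953903104); its boot code, disk signature and the "baseline" hash are placeholders, not data from the user's disk.

```python
"""Decode a 512-byte MBR sector and flag structural problems.

Added example (not from the thread or from aswMBR). The sample sector is
CONSTRUCTED to mirror the partition table aswMBR reported; the boot code,
disk signature and baseline hash are filler.
"""
import hashlib
import struct

SECTOR = 512
MB = 1024 * 1024
# One partition entry: status, CHS start (3 bytes), type, CHS end (3 bytes), first LBA, sector count
ENTRY = struct.Struct("<B3sB3sII")


def build_sample_mbr():
    """Return a constructed 512-byte sector with the three NTFS partitions from the log."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * (440 - 7)  # filler
    disk_sig = struct.pack("<I", 0x1234ABCD)            # constructed, not the real disk signature
    parts = [                                           # (status, type, first LBA, sectors)
        (0x80, 0x07, 2048,      100 * MB // SECTOR),    # partition 1, active, 100 MB
        (0x00, 0x07, 206848,    465672 * MB // SECTOR), # partition 2, 465672 MB
        (0x00, 0x07, 953903104, 11166 * MB // SECTOR),  # partition 3, 11166 MB
    ]
    table = b"".join(ENTRY.pack(s, b"\0\0\0", t, b"\0\0\0", lba, n) for s, t, lba, n in parts)
    table += b"\x00" * ENTRY.size                       # fourth slot unused
    return boot_code + disk_sig + b"\x00\x00" + table + b"\x55\xAA"


def parse_mbr(sector, known_code_sha256=None, disk_size_mb=None):
    """Decode the partition table and return partitions, active entries and findings."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly 512 bytes")
    findings = []
    signature_ok = sector[510:512] == b"\x55\xAA"
    if not signature_ok:
        findings.append("missing 0x55AA boot signature")
    # Hash only the code area (bytes 0..439); the disk signature and table follow it.
    code_sha256 = hashlib.sha256(sector[:440]).hexdigest()
    if known_code_sha256 and code_sha256 != known_code_sha256:
        findings.append("boot code differs from recorded baseline")
    partitions, bootable = [], []
    for i in range(4):
        status, _, ptype, _, lba, count = ENTRY.unpack_from(sector, 446 + 16 * i)
        if ptype == 0 and count == 0:
            continue                                     # empty slot
        if status not in (0x00, 0x80):
            findings.append(f"partition {i + 1}: invalid status byte 0x{status:02x}")
        if status == 0x80:
            bootable.append(i + 1)
        partitions.append({"index": i + 1, "status": status, "type": ptype, "lba": lba,
                           "sectors": count, "size_mb": count * SECTOR // MB})
    if len(bootable) > 1:
        findings.append(f"more than one active partition: {bootable}")
    ordered = sorted(partitions, key=lambda p: p["lba"])
    for a, b in zip(ordered, ordered[1:]):
        if b["lba"] < a["lba"] + a["sectors"]:
            findings.append(f"partition {b['index']} overlaps partition {a['index']}")
    if disk_size_mb is not None:
        limit = disk_size_mb * MB // SECTOR
        for p in partitions:
            if p["lba"] + p["sectors"] > limit:
                findings.append(f"partition {p['index']} extends past the end of the disk")
    return {"signature_ok": signature_ok, "code_sha256": code_sha256,
            "partitions": partitions, "bootable": bootable, "findings": findings}


def load_mbr(path):
    """Read the first 512 bytes of a dump such as the MBR.dat that aswMBR saves."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR)


if __name__ == "__main__":
    result = parse_mbr(build_sample_mbr(), disk_size_mb=476940)
    for p in result["partitions"]:
        print(f"Partition {p['index']} {p['status']:02X} type {p['type']:02X} "
              f"{p['size_mb']:>7} MB offset {p['lba']}")
    print("findings:", result["findings"] or "none")
```

To check the real disk, pass load_mbr(r"C:\Users\Chris\Desktop\MBR.dat") to parse_mbr() instead of the sample. A baseline mismatch only says the boot code is not the one you recorded; an OEM loader or a different Windows build will also differ, so treat it as a prompt to disassemble the 440 bytes, not as proof of a bootkit.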
 
 


#4 TB-Psychotic
  • Malware Response Team
  • 6,349 posts

Posted 30 June 2014 - 04:15 AM

Combofix

Combofix should only be run when advised by a team member!

Link


Important - Save the file to your desktop!


  • Deactivate any and all of your antivirus programs/spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe


When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing "Illegal operation attempted on a registry key that has been marked for deletion", simply restart your computer to fix this.



#5 Jupiter34
  • Topic Starter
  • Members
  • 14 posts

Posted 30 June 2014 - 02:41 PM

Hi Marius,

 

Here are the results of the ComboFix run:

 

=====================

ComboFix 14-06-30.01 - Chris 06/30/2014   9:20.1.2 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.2942.1431 [GMT -10:00]
Running from: c:\users\Chris\Desktop\ComboFix.exe
AV: Ad-Aware Antivirus *Disabled/Outdated* {D87B6541-12A1-DAEA-0033-9B8057AAB996}
AV: McAfee VirusScan Enterprise *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: Ad-Aware Firewall *Disabled* {E040E464-58CE-DBB2-2B6C-32B5A979FEED}
SP: Ad-Aware Antivirus *Disabled/Outdated* {631A84A5-349B-D564-3A83-A0F22C2DF32B}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Chris\Documents\~WRD3465.tmp
.
.
(((((((((((((((((((((((((   Files Created from 2014-05-28 to 2014-06-30  )))))))))))))))))))))))))))))))
.
.
2014-06-30 19:31 . 2014-06-30 19:31    --------    d-----w-    c:\users\Default\AppData\Local\temp
2014-06-30 19:31 . 2014-06-30 19:31    --------    d-----w-    c:\users\Sandi\AppData\Local\temp
2014-06-30 19:31 . 2014-06-30 19:31    --------    d-----w-    c:\users\Don\AppData\Local\temp
2014-06-25 13:16 . 2014-06-25 13:16    75888    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{6FB64E9C-2B7A-4380-8D77-A60DDC4AB69B}\offreg.dll
2014-06-24 21:58 . 2014-06-24 23:25    --------    d-----w-    c:\windows\rescache
2014-06-24 13:32 . 2014-06-05 10:54    10779000    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{6FB64E9C-2B7A-4380-8D77-A60DDC4AB69B}\mpengine.dll
2014-06-24 11:37 . 2014-06-24 11:37    --------    d-----w-    C:\TDSSKiller_Quarantine
2014-06-24 01:42 . 2014-06-24 01:42    --------    d-----w-    c:\program files (x86)\Malwarebytes Anti-Malware
2014-06-24 01:42 . 2014-05-12 17:26    63704    ----a-w-    c:\windows\system32\drivers\mwac.sys
2014-06-24 01:42 . 2014-05-12 17:25    25816    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-06-24 01:41 . 2014-06-24 01:41    --------    d-----w-    c:\users\Chris\AppData\Local\Programs
2014-06-23 22:19 . 2014-06-24 01:42    --------    d-----w-    c:\programdata\Malwarebytes
2014-06-23 22:19 . 2014-06-24 11:10    --------    d-----w-    c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-06-23 22:19 . 2014-06-30 19:03    122584    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-06-23 22:17 . 2014-05-12 17:26    91352    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-06-23 22:16 . 2014-06-23 22:17    --------    d-----w-    c:\program files (x86)\Malwarebytes
2014-06-18 22:55 . 2014-04-05 02:47    1903552    ----a-w-    c:\windows\system32\drivers\tcpip.sys
2014-06-18 22:55 . 2014-04-05 02:47    288192    ----a-w-    c:\windows\system32\drivers\FWPKCLNT.SYS
2014-06-18 22:55 . 2013-11-26 11:40    376768    ----a-w-    c:\windows\system32\drivers\netio.sys
2014-06-18 22:54 . 2014-03-26 14:44    2002432    ----a-w-    c:\windows\system32\msxml6.dll
2014-06-18 22:54 . 2014-03-26 14:44    1882112    ----a-w-    c:\windows\system32\msxml3.dll
2014-06-18 22:54 . 2014-03-26 14:27    1389056    ----a-w-    c:\windows\SysWow64\msxml6.dll
2014-06-18 22:54 . 2014-03-26 14:27    1237504    ----a-w-    c:\windows\SysWow64\msxml3.dll
2014-06-18 22:54 . 2014-03-26 14:25    2048    ----a-w-    c:\windows\SysWow64\msxml6r.dll
2014-06-18 22:54 . 2014-03-26 14:41    2048    ----a-w-    c:\windows\system32\msxml6r.dll
2014-06-18 22:54 . 2014-03-26 14:25    2048    ----a-w-    c:\windows\SysWow64\msxml3r.dll
2014-06-18 22:54 . 2014-03-26 14:41    2048    ----a-w-    c:\windows\system32\msxml3r.dll
2014-06-18 21:17 . 2014-04-25 02:34    801280    ----a-w-    c:\windows\system32\usp10.dll
2014-06-18 21:17 . 2014-04-25 02:06    626688    ----a-w-    c:\windows\SysWow64\usp10.dll
2014-06-14 09:53 . 2014-06-14 09:53    --------    d-----w-    c:\users\Chris\AppData\Roaming\Lavasoft
2014-06-14 09:29 . 2014-06-14 09:29    --------    d-----w-    c:\program files\Lavasoft
2014-06-14 09:28 . 2014-06-14 09:29    --------    d-----w-    c:\users\Chris\AppData\Local\adawarebp
2014-06-14 09:28 . 2014-06-14 09:53    --------    d-----w-    c:\programdata\Ad-Aware Browsing Protection
2014-06-14 09:28 . 2014-06-14 09:28    --------    d-----w-    c:\program files (x86)\Toolbar Cleaner
2014-06-14 09:28 . 2014-06-14 09:28    --------    d-----w-    c:\program files (x86)\Lavasoft
2014-06-14 09:26 . 2014-06-14 09:26    --------    d-----w-    c:\program files\Common Files\Lavasoft
2014-06-14 09:24 . 2014-06-14 09:24    --------    d-----w-    c:\programdata\Lavasoft
2014-06-14 03:23 . 2014-06-14 09:52    --------    d-----w-    c:\users\Chris\AppData\Roaming\Yxuz
2014-06-14 03:23 . 2014-06-14 09:00    --------    d-----w-    c:\users\Chris\AppData\Roaming\Qaecx
2014-06-14 03:22 . 2014-06-14 03:22    --------    d-----w-    c:\windows\Sun
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-06-24 11:39 . 2011-07-01 12:01    512000    ----a-w-    c:\windows\system32\rpcss.dll
2014-06-13 13:01 . 2010-11-27 01:56    95414520    ----a-w-    c:\windows\system32\MRT.exe
2014-04-23 03:29 . 2014-04-23 03:29    389240    ----a-w-    c:\windows\system32\drivers\Trufos.sys
2014-04-12 02:22 . 2014-05-14 14:06    155072    ----a-w-    c:\windows\system32\drivers\ksecpkg.sys
2014-04-12 02:22 . 2014-05-14 14:06    95680    ----a-w-    c:\windows\system32\drivers\ksecdd.sys
2014-04-12 02:19 . 2014-05-14 14:06    136192    ----a-w-    c:\windows\system32\sspicli.dll
2014-04-12 02:19 . 2014-05-14 14:05    29184    ----a-w-    c:\windows\system32\sspisrv.dll
2014-04-12 02:19 . 2014-05-14 14:05    28160    ----a-w-    c:\windows\system32\secur32.dll
2014-04-12 02:19 . 2014-05-14 14:06    1460736    ----a-w-    c:\windows\system32\lsasrv.dll
2014-04-12 02:19 . 2014-05-14 14:05    31232    ----a-w-    c:\windows\system32\lsass.exe
2014-04-12 02:12 . 2014-05-14 14:05    22016    ----a-w-    c:\windows\SysWow64\secur32.dll
2014-04-12 02:10 . 2014-05-14 14:05    96768    ----a-w-    c:\windows\SysWow64\sspicli.dll
2003-02-26 02:49 . 2009-11-15 21:47    65536    ----a-w-    c:\program files\Command.dll
2003-02-26 02:49 . 2009-11-15 21:47    77824    ----a-w-    c:\program files\Transfer.dll
2002-02-04 19:34 . 2009-11-15 21:47    8960    ----a-w-    c:\program files\USBBC.sys
2002-01-24 23:43 . 2009-11-15 21:47    516096    ----a-w-    c:\program files\Mdi.exe
2000-07-26 20:35 . 2009-11-15 21:47    200704    ----a-w-    c:\program files\DrvUninstaller.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
2014-06-04 19:44    116248    ----a-w-    c:\program files (x86)\Lavasoft\AdAware SecureSearch Toolbar\adawareDx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files (x86)\Lavasoft\AdAware SecureSearch Toolbar\adawareDx.dll" [2014-06-04 116248]
.
[HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
"HP Remote Solution"="c:\program files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe" [2009-05-26 656896]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"UpdatePRCShortCut"="c:\program files (x86)\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"McAfeeUpdaterUI"="c:\program files (x86)\McAfee\Common Framework\udaterui.exe" [2009-01-17 136512]
"ShStatEXE"="c:\program files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-09-01 124240]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-30 421888]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-07 421736]
"Ad-Aware Browsing Protection"="c:\programdata\Ad-Aware Browsing Protection\adawarebp.exe" [2013-09-27 559696]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\hp\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
NETGEAR WG111T Smart Wizard.lnk - c:\program files (x86)\NETGEAR\WG111T Configuration Utility\wlan111t.exe [2009-11-26 483412]
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files (x86)\NETGEAR\WG111v3\WG111v3.exe [2009-11-6 2469888]
PictureMover.lnk - c:\program files (x86)\PictureMover\Bin\PictureMover.exe -det [2009-6-3 430080]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"
.
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys;c:\windows\SYSNATIVE\drivers\mferkdet.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S2 AntUpdaterService;Ant Toolbar updater service;c:\program files (x86)\Ant.com\IE add-on\AntUpdaterService.exe;c:\program files (x86)\Ant.com\IE add-on\AntUpdaterService.exe [x]
S2 LavasoftAdAwareService11;Ad-Aware Service 11;c:\program files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.2.5952.0\AdAwareService.exe;c:\program files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.2.5952.0\AdAwareService.exe [x]
S2 McAfeeEngineService;McAfee Engine Service;c:\program files (x86)\McAfee\VirusScan Enterprise\x64\engineserver.exe;c:\program files (x86)\McAfee\VirusScan Enterprise\x64\engineserver.exe [x]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe;c:\windows\SYSNATIVE\mfevtps.exe [x]
S3 RTL8187B;NETGEAR WG111v3 Wireless-G USB Adapter Win7 Driver;c:\windows\system32\DRIVERS\wg111v3.sys;c:\windows\SYSNATIVE\DRIVERS\wg111v3.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ASWMBR
*NewlyCreated* - ASWVMM
*Deregistered* - aswMBR
*Deregistered* - aswVmm
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt    REG_MULTI_SZ       hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2014-05-31 c:\windows\Tasks\PCDRScheduledMaintenance.job
- c:\program files\PC-Doctor for Windows\pcdr5cuiw32.exe [2009-06-10 11:04]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
2014-06-04 19:44    132264    ----a-w-    c:\program files (x86)\Lavasoft\AdAware SecureSearch Toolbar\adawareDx64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files (x86)\Lavasoft\AdAware SecureSearch Toolbar\adawareDx64.dll" [2014-06-04 132264]
.
[HKEY_CLASSES_ROOT\CLSID\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-29 16333856]
"AdAwareTray"="c:\program files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.2.5952.0\AdAwareTray.exe" [2014-06-04 7715160]
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uLocal Page = c:\windows\system32\blank.htm
mStart Page = about:blank
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 24.25.227.55 209.18.47.61 24.25.227.53
FF - ProfilePath - c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\qjsikfvb.default\
FF - prefs.js: keyword.URL - hxxp://securedsearch2.lavasoft.com/results.php?pr=vmn&id=adawaretb&v=3_9&idate=__installtime__&hsimp=yhs-lavasoft&ent=bs&q=
FF - ExtSQL: 2014-06-13 23:28; {87934c42-161d-45bc-8cef-ef18abe2a30c}; c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\qjsikfvb.default\extensions\{87934c42-161d-45bc-8cef-ef18abe2a30c}
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-HPADVISOR - c:\program files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
Wow6432Node-HKLM-Run-Corel Registration - c:\program files (x86)\Corel\WordPerfect Office 2002\Register\NAVBrowser.exe
Wow6432Node-HKU-Default-Run-phtermn - c:\windows\system32\config\systemprofile\AppData\Local\phtermn.dll
Wow6432Node-HKU-Default-RunOnce-SPReview - c:\windows\System32\SPReview\SPReview.exe
Notify-phtermn - c:\windows\system32\config\systemprofile\AppData\Local\phtermn.dll
SafeBoot-56309864.sys
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1b,26,5b,f5,8e,fd,62,4a,97,65,b2,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1b,26,5b,f5,8e,fd,62,4a,97,65,b2,\
.
[HKEY_USERS\S-1-5-21-2644382056-3485273496-36482877-1002_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32\*]
@Allowed: (B 1 4 5 6) (S-1-5-5-0-135511)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_170_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_170_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-06-30  09:34:23
ComboFix-quarantined-files.txt  2014-06-30 19:34
.
Pre-Run: 3,916,873,728 bytes free
Post-Run: 4,721,885,184 bytes free
.
- - End Of File - - 958A8531FA102B5FAB64735D2824F4D4
7E1D3387E53690CA4C2D2535296BB5C1
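
The ComboFix log above is normally read by eye, but the parts that matter for triage have a regular shape: the AV/FW/SP header lines with their *Enabled/Disabled* state (the same lines that show two AV products registered on this machine), the "name"="path" entries under each Run key, the service lines with ComboFix's [x] marker, and the ORPHANS REMOVED section. The Python script below is an added example, not part of this thread or of ComboFix: it parses those line formats from a sample excerpt constructed from lines in this log and flags Run entries, services and orphaned load points that resolve into user-writable locations (AppData, ProgramData, temp folders, the SYSTEM account's profile), orphaned Winlogon Notify entries, services that carry the [x] marker (surfaced for manual follow-up, not interpreted), and more than one registered AV product. The location heuristic produces leads, not verdicts: on this sample it flags Ad-Aware's own browsing-protection component in ProgramData alongside the phtermn.dll entry under the SYSTEM profile, and telling those apart is still the analyst's job.

```python
"""Triage a ComboFix log: parse load points and flag entries worth a second look.

Added example (not from the thread or from ComboFix). SAMPLE_LOG is a
CONSTRUCTED excerpt assembled from lines that appear in the posted log.
"""
import re

# Directories where an autorun or service binary is unusual and worth checking.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\users\\", "\\temp\\",
                 "\\config\\systemprofile\\")

PRODUCT_RE = re.compile(r"^(AV|FW|SP): (.+?) \*([^*]+)\* \{([0-9A-Fa-f-]+)\}$")
RUN_RE = re.compile(r'^"([^"]*)"="([^"]+)"(?: \[(\S+) (\d+)\])?$')
SERVICE_RE = re.compile(r"^([RS][0-4]) ([^;]+);([^;]*);([^;]*);(.*?)( \[x\])?$")
ORPHAN_RE = re.compile(r"^(.+?) - (.+)$")

SAMPLE_LOG = r"""
AV: Ad-Aware Antivirus *Disabled/Outdated* {D87B6541-12A1-DAEA-0033-9B8057AAB996}
AV: McAfee VirusScan Enterprise *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: Ad-Aware Firewall *Disabled* {E040E464-58CE-DBB2-2B6C-32B5A979FEED}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
"Ad-Aware Browsing Protection"="c:\programdata\Ad-Aware Browsing Protection\adawarebp.exe" [2013-09-27 559696]
.
S2 AntUpdaterService;Ant Toolbar updater service;c:\program files (x86)\Ant.com\IE add-on\AntUpdaterService.exe;c:\program files (x86)\Ant.com\IE add-on\AntUpdaterService.exe [x]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe;c:\windows\SYSNATIVE\mfevtps.exe [x]
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKU-Default-Run-phtermn - c:\windows\system32\config\systemprofile\AppData\Local\phtermn.dll
Notify-phtermn - c:\windows\system32\config\systemprofile\AppData\Local\phtermn.dll
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
.
--------------------- LOCKED REGISTRY KEYS ---------------------
"""


def in_user_writable(path):
    """True when the path lies under a profile, ProgramData or temp location."""
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)


def triage_combofix(text):
    """Parse the recognised line formats and return entries plus a list of findings."""
    products, autoruns, services, orphans, findings = [], [], [], [], []
    in_orphans = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if "ORPHANS REMOVED" in line:
            in_orphans = True
            continue
        if line.startswith(("-", "(")):              # banner of the next section
            in_orphans = False
            continue
        m = PRODUCT_RE.match(line)
        if m:
            kind, name, state, guid = m.groups()
            flags = state.split("/")                 # e.g. "Disabled/Outdated"
            products.append({"kind": kind, "name": name, "guid": guid,
                             "enabled": flags[0] == "Enabled",
                             "updated": len(flags) > 1 and flags[1] == "Updated"})
            continue
        m = RUN_RE.match(line)
        if m:
            name, path = m.group(1), m.group(2)
            autoruns.append({"name": name, "path": path})
            if in_user_writable(path):
                findings.append(f"Run entry '{name}' loads from user-writable path: {path}")
            continue
        m = SERVICE_RE.match(line)
        if m:
            start, name, _display, path, _alt, marker = m.groups()
            services.append({"start": start, "name": name, "path": path, "marker": bool(marker)})
            if in_user_writable(path):
                findings.append(f"service '{name}' runs from user-writable path: {path}")
            elif marker:
                findings.append(f"service '{name}' carries the [x] marker; verify {path} by hand")
            continue
        if in_orphans:
            m = ORPHAN_RE.match(line)
            key, path = (m.group(1), m.group(2)) if m else (line, "")
            orphans.append({"key": key, "path": path})
            if key.startswith("Notify-"):            # Winlogon notification package
                findings.append(f"orphaned Winlogon Notify entry '{key}' -> {path}")
            elif in_user_writable(path):
                findings.append(f"orphaned load point '{key}' pointed at user-writable path: {path}")
    av = [p["name"] for p in products if p["kind"] == "AV"]
    if len(av) > 1:
        findings.append("multiple AV products registered: " + ", ".join(av))
    for p in products:
        if p["kind"] == "AV" and not p["enabled"]:
            findings.append(f"AV product '{p['name']}' is disabled")
    return {"products": products, "autoruns": autoruns, "services": services,
            "orphans": orphans, "findings": findings}


if __name__ == "__main__":
    for finding in triage_combofix(SAMPLE_LOG)["findings"]:
        print("-", finding)
```

Feed triage_combofix() the contents of C:\ComboFix.txt to run it against a full log; lines in formats it does not recognise (Startup-folder .lnk entries, scheduled tasks, locked keys) are simply passed over, so extend the regexes rather than trusting an empty findings list.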
 



#6 TB-Psychotic
  • Malware Response Team
  • 6,349 posts

Posted 02 July 2014 - 06:50 AM

Multiple Antivirus Programs installed!

I do not recommend that you have more than one anti-virus product installed and running on your computer at a time.

The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:

1) False Alarms: When the anti-virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.

Therefore please go to add/remove in the control panel and remove either AdAware or McAfee.

 

 

 

Combofix scripting

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is saved to.


CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

 

 

 

Full System Scan with Malwarebytes Antimalware
 

  • If not existing, please download Malwarebytes Anti-Malware to your desktop.
  • Double-click the downloaded setup file and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.

  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

 



Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#7 Jupiter34

  • Topic Starter
  • Members
  • 14 posts
  • Gender:Male

Posted 03 July 2014 - 01:13 AM

Hi Marius,

 

I ran the ComboFix script and then Malwarebytes.  Here are the logs:

 

==================

ComboFix 14-06-30.01 - Chris 07/02/2014  19:17:57.2.2 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.2942.1056 [GMT -10:00]
Running from: c:\users\Chris\Desktop\ComboFix.exe
Command switches used :: F:\CFScript.txt
AV: McAfee VirusScan Enterprise *Disabled/Outdated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Chris\AppData\Roaming\Qaecx
c:\users\Chris\AppData\Roaming\Yxuz
.
.
(((((((((((((((((((((((((   Files Created from 2014-06-03 to 2014-07-03  )))))))))))))))))))))))))))))))
.
.
2014-07-03 05:28 . 2014-07-03 05:28    --------    d-----w-    c:\users\Sandi\AppData\Local\temp
2014-07-03 05:28 . 2014-07-03 05:28    --------    d-----w-    c:\users\Don\AppData\Local\temp
2014-07-03 05:28 . 2014-07-03 05:28    --------    d-----w-    c:\users\Default\AppData\Local\temp
2014-07-02 18:06 . 2014-06-05 10:54    10779000    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{E92FA0B7-233B-409A-80CC-20B8D087A2C8}\mpengine.dll
2014-06-24 21:58 . 2014-06-24 23:25    --------    d-----w-    c:\windows\rescache
2014-06-24 11:37 . 2014-06-24 11:37    --------    d-----w-    C:\TDSSKiller_Quarantine
2014-06-24 01:42 . 2014-06-24 01:42    --------    d-----w-    c:\program files (x86)\Malwarebytes Anti-Malware
2014-06-24 01:42 . 2014-05-12 17:26    63704    ----a-w-    c:\windows\system32\drivers\mwac.sys
2014-06-24 01:42 . 2014-05-12 17:25    25816    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-06-24 01:41 . 2014-06-24 01:41    --------    d-----w-    c:\users\Chris\AppData\Local\Programs
2014-06-23 22:19 . 2014-06-24 01:42    --------    d-----w-    c:\programdata\Malwarebytes
2014-06-23 22:19 . 2014-06-24 11:10    --------    d-----w-    c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-06-23 22:19 . 2014-06-30 19:03    122584    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-06-23 22:17 . 2014-05-12 17:26    91352    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-06-23 22:16 . 2014-06-23 22:17    --------    d-----w-    c:\program files (x86)\Malwarebytes
2014-06-18 22:55 . 2014-04-05 02:47    1903552    ----a-w-    c:\windows\system32\drivers\tcpip.sys
2014-06-18 22:55 . 2014-04-05 02:47    288192    ----a-w-    c:\windows\system32\drivers\FWPKCLNT.SYS
2014-06-18 22:55 . 2013-11-26 11:40    376768    ----a-w-    c:\windows\system32\drivers\netio.sys
2014-06-18 22:54 . 2014-03-26 14:44    2002432    ----a-w-    c:\windows\system32\msxml6.dll
2014-06-18 22:54 . 2014-03-26 14:44    1882112    ----a-w-    c:\windows\system32\msxml3.dll
2014-06-18 22:54 . 2014-03-26 14:27    1389056    ----a-w-    c:\windows\SysWow64\msxml6.dll
2014-06-18 22:54 . 2014-03-26 14:27    1237504    ----a-w-    c:\windows\SysWow64\msxml3.dll
2014-06-18 22:54 . 2014-03-26 14:25    2048    ----a-w-    c:\windows\SysWow64\msxml6r.dll
2014-06-18 22:54 . 2014-03-26 14:41    2048    ----a-w-    c:\windows\system32\msxml6r.dll
2014-06-18 22:54 . 2014-03-26 14:25    2048    ----a-w-    c:\windows\SysWow64\msxml3r.dll
2014-06-18 22:54 . 2014-03-26 14:41    2048    ----a-w-    c:\windows\system32\msxml3r.dll
2014-06-18 21:17 . 2014-04-25 02:34    801280    ----a-w-    c:\windows\system32\usp10.dll
2014-06-18 21:17 . 2014-04-25 02:06    626688    ----a-w-    c:\windows\SysWow64\usp10.dll
2014-06-14 09:53 . 2014-07-03 05:13    --------    d-----w-    c:\users\Chris\AppData\Roaming\Lavasoft
2014-06-14 09:29 . 2014-06-14 09:29    --------    d-----w-    c:\program files\Lavasoft
2014-06-14 09:28 . 2014-06-14 09:29    --------    d-----w-    c:\users\Chris\AppData\Local\adawarebp
2014-06-14 09:28 . 2014-07-01 22:18    --------    d-----w-    c:\programdata\Ad-Aware Browsing Protection
2014-06-14 09:28 . 2014-07-03 05:14    --------    d-----w-    c:\program files (x86)\Lavasoft
2014-06-14 09:24 . 2014-06-14 09:24    --------    d-----w-    c:\programdata\Lavasoft
2014-06-14 03:22 . 2014-06-14 03:22    --------    d-----w-    c:\windows\Sun
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-06-24 11:39 . 2011-07-01 12:01    512000    ----a-w-    c:\windows\system32\rpcss.dll
2014-06-13 13:01 . 2010-11-27 01:56    95414520    ----a-w-    c:\windows\system32\MRT.exe
2014-04-12 02:22 . 2014-05-14 14:06    155072    ----a-w-    c:\windows\system32\drivers\ksecpkg.sys
2014-04-12 02:22 . 2014-05-14 14:06    95680    ----a-w-    c:\windows\system32\drivers\ksecdd.sys
2014-04-12 02:19 . 2014-05-14 14:06    136192    ----a-w-    c:\windows\system32\sspicli.dll
2014-04-12 02:19 . 2014-05-14 14:05    29184    ----a-w-    c:\windows\system32\sspisrv.dll
2014-04-12 02:19 . 2014-05-14 14:05    28160    ----a-w-    c:\windows\system32\secur32.dll
2014-04-12 02:19 . 2014-05-14 14:06    1460736    ----a-w-    c:\windows\system32\lsasrv.dll
2014-04-12 02:19 . 2014-05-14 14:05    31232    ----a-w-    c:\windows\system32\lsass.exe
2014-04-12 02:12 . 2014-05-14 14:05    22016    ----a-w-    c:\windows\SysWow64\secur32.dll
2014-04-12 02:10 . 2014-05-14 14:05    96768    ----a-w-    c:\windows\SysWow64\sspicli.dll
2003-02-26 02:49 . 2009-11-15 21:47    65536    ----a-w-    c:\program files\Command.dll
2003-02-26 02:49 . 2009-11-15 21:47    77824    ----a-w-    c:\program files\Transfer.dll
2002-02-04 19:34 . 2009-11-15 21:47    8960    ----a-w-    c:\program files\USBBC.sys
2002-01-24 23:43 . 2009-11-15 21:47    516096    ----a-w-    c:\program files\Mdi.exe
2000-07-26 20:35 . 2009-11-15 21:47    200704    ----a-w-    c:\program files\DrvUninstaller.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
"HP Remote Solution"="c:\program files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe" [2009-05-26 656896]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"UpdatePRCShortCut"="c:\program files (x86)\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"McAfeeUpdaterUI"="c:\program files (x86)\McAfee\Common Framework\udaterui.exe" [2009-01-17 136512]
"ShStatEXE"="c:\program files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-09-01 124240]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-30 421888]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-07 421736]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\hp\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
NETGEAR WG111T Smart Wizard.lnk - c:\program files (x86)\NETGEAR\WG111T Configuration Utility\wlan111t.exe [2009-11-26 483412]
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files (x86)\NETGEAR\WG111v3\WG111v3.exe [2009-11-6 2469888]
PictureMover.lnk - c:\program files (x86)\PictureMover\Bin\PictureMover.exe -det [2009-6-3 430080]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"
.
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys;c:\windows\SYSNATIVE\drivers\mferkdet.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S2 AntUpdaterService;Ant Toolbar updater service;c:\program files (x86)\Ant.com\IE add-on\AntUpdaterService.exe;c:\program files (x86)\Ant.com\IE add-on\AntUpdaterService.exe [x]
S2 McAfeeEngineService;McAfee Engine Service;c:\program files (x86)\McAfee\VirusScan Enterprise\x64\engineserver.exe;c:\program files (x86)\McAfee\VirusScan Enterprise\x64\engineserver.exe [x]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe;c:\windows\SYSNATIVE\mfevtps.exe [x]
S3 RTL8187B;NETGEAR WG111v3 Wireless-G USB Adapter Win7 Driver;c:\windows\system32\DRIVERS\wg111v3.sys;c:\windows\SYSNATIVE\DRIVERS\wg111v3.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt    REG_MULTI_SZ       hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2014-06-30 c:\windows\Tasks\PCDRScheduledMaintenance.job
- c:\program files\PC-Doctor for Windows\pcdr5cuiw32.exe [2009-06-10 11:04]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-29 16333856]
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uLocal Page = c:\windows\system32\blank.htm
mStart Page = about:blank
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 24.25.227.55 209.18.47.61 24.25.227.53
FF - ProfilePath - c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\qjsikfvb.default\
FF - prefs.js: keyword.URL - hxxp://securedsearch2.lavasoft.com/results.php?pr=vmn&id=adawaretb&v=3_9&idate=__installtime__&hsimp=yhs-lavasoft&ent=bs&q=
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
Notify-phtermn - c:\windows\system32\config\systemprofile\AppData\Local\phtermn.dll
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2644382056-3485273496-36482877-1002_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32\*]
@Allowed: (B 1 4 5 6) (S-1-5-5-0-135511)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_170_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_170_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-07-02  19:31:52
ComboFix-quarantined-files.txt  2014-07-03 05:31
ComboFix2.txt  2014-06-30 19:34
.
Pre-Run: 6,020,870,144 bytes free
Post-Run: 5,952,499,712 bytes free
.
- - End Of File - - 2C573371A574BDE6D5DB81CA005C67DB
7E1D3387E53690CA4C2D2535296BB5C1
 

 

 

==================

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 7/2/2014
Scan Time: 7:56:34 PM
Logfile: mbam-scanlog 2014-02-07.txt
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.07.02.08
Rootkit Database: v2014.06.23.02
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Chris

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 356634
Time Elapsed: 12 min, 26 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)
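The ComboFix log above is what the helper reads to decide whether the machine is clean: the "Other Deletions" section lists what the script removed, the Run keys show autorun persistence, the Supplementary Scan shows browser hijacks, and the orphan list shows persistence entries whose files are gone. As an added example, which is not part of the thread and not ComboFix's own code, the following Python script parses those row layouts and flags the lines a malware-response helper looks at first. The embedded sample log is constructed for the example: its rows echo the log above, except the `example_updater` Run entry, which is a placeholder to exercise the user-writable-directory rule. The heuristics (an autorun binary under AppData/ProgramData/Temp, a Winlogon Notify DLL, a `keyword.URL` override in prefs.js) are review triggers, not verdicts.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix's code)."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str   # which heuristic fired
    line: str   # the log line that triggered it


# Locations a legitimate autorun binary rarely lives in (heuristic, not a verdict).
USER_WRITABLE = re.compile(r"\\(appdata|programdata|temp)\\", re.IGNORECASE)

# "name"="path" [stamp size]   -- ComboFix's Run-key row layout
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[(?P<stamp>[^\]]*)\]\s*$')
# Kind-Name - target            -- row layout of the ORPHANS REMOVED section
ORPHAN = re.compile(r"^(?P<kind>[A-Za-z0-9]+)-(?P<name>.+?) - (?P<target>.+)$")
# FF - prefs.js: pref - value   -- Firefox pref rows in the Supplementary Scan
FF_PREF = re.compile(r"^FF - prefs\.js: (?P<pref>\S+) - (?P<value>\S+)$")

# Constructed sample in the layout of the log above; example_updater is a placeholder.
SAMPLE_LOG = r"""
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\users\Chris\AppData\Roaming\Qaecx
c:\users\Chris\AppData\Roaming\Yxuz
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
"example_updater"="c:\users\Chris\AppData\Roaming\example_updater.exe" [2014-06-20 12345]
.
------- Supplementary Scan -------
.
uStart Page = about:blank
FF - prefs.js: keyword.URL - hxxp://securedsearch2.lavasoft.com/results.php?pr=vmn&id=adawaretb&q=
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
Notify-phtermn - c:\windows\system32\config\systemprofile\AppData\Local\phtermn.dll
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
"""


def triage(log_text: str) -> list[Finding]:
    """Walk a ComboFix-style log once and return the lines worth a second look."""
    findings: list[Finding] = []
    section = ""       # "Other Deletions", "Reg Loading Points", "Orphans Removed", ...
    current_key = ""   # most recent "[HKEY_...]" header

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        # Section headers come in three shapes; each one resets the registry key context.
        if line.startswith("("):                      # ((((   Name   ))))
            section, current_key = line.strip("() "), ""
            continue
        if line.startswith("- - - - ORPHANS REMOVED"):
            section, current_key = "Orphans Removed", ""
            continue
        if line.startswith("-------"):                # ------- Name -------
            section, current_key = line.strip("- "), ""
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line
            continue

        if section == "Other Deletions":
            # Already removed by ComboFix; still belongs in the incident record.
            findings.append(Finding("combofix_deleted", line))
        elif section == "Orphans Removed":
            m = ORPHAN.match(line)
            if m and m.group("kind") == "Notify":
                # Winlogon Notify DLLs are a legacy persistence point; one under a
                # profile directory deserves a hash lookup before it is forgotten.
                findings.append(Finding("winlogon_notify_dll", line))
            elif m and m.group("target") == "(no file)":
                findings.append(Finding("orphan_no_file", line))
        elif section == "Supplementary Scan":
            m = FF_PREF.match(line)
            if m and m.group("pref") == "keyword.URL":
                # Firefox does not write keyword.URL to prefs.js by default; a value
                # here usually means a search-redirecting add-on set it.
                findings.append(Finding("firefox_keyword_url_override", line))
        elif current_key.lower().endswith("\\run]"):
            m = RUN_VALUE.match(line)
            if m and USER_WRITABLE.search(m.group("path")):
                findings.append(Finding("autorun_in_user_writable_dir", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule so the shape of the log is visible at a glance."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:32} {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the sample, the vendor `hpsysdrv` Run entry is not reported, while the two random-named AppData folders, the placeholder Run entry under AppData, the `keyword.URL` redirect and the `phtermn.dll` Notify entry are. Pointing the script at a real `C:\ComboFix.txt` is a matter of reading the file instead of `SAMPLE_LOG`.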



#8 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 03 July 2014 - 01:19 AM

Looks good! :)

 

 

Scan with ESET Online Scan

Please go here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.



#9 Jupiter34

  • Topic Starter
  • Members
  • 14 posts
  • Gender:Male

Posted 03 July 2014 - 01:44 PM

Hi Marius,

 

I ran the ESET online scan and it found two threats:

 

C:\TDSSKiller_Quarantine\24.06.2014_01.36.42\rtkt0000\svc0000\tsk0000.dta Win64/Patched.I trojan
C:\TDSSKiller_Quarantine\24.06.2014_01.36.42\rtkt0001\svc0000\tsk0000.dta Win64/Patched.I trojan



#10 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 04 July 2014 - 05:16 AM

Then we can do the cleanup - if you are facing any issues, report that immediately.

Delete junk with adwCleaner


Please download AdwCleaner to your desktop.


  • Run adwcleaner.exe
  • Hit Scan and wait for the scan to finish.
  • Confirm the message but don't uncheck anything.
  • Hit Clean
  • When the run is finished, it will open up a text file
  • Please post its contents within your next reply
  • You'll find the log file at C:\AdwCleaner[S1].txt also




Delete junk with JRT

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.




SecurityCheck

Reboot your system before starting!

Please download SecurityCheck: LINK1 LINK2

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan has finished, checkup.txt will open. Copy its content to your thread.



#11 Jupiter34

  • Topic Starter
  • Members
  • 14 posts
  • Gender:Male

Posted 04 July 2014 - 05:24 PM

Hi Marius,

 

Do I need to do anything about the two threats found by the ESET scan?

 

I ran adwCleaner, Junkware Removal Tool, and Security Check.  Here are the resulting logs:

 

 

======================

# AdwCleaner v3.214 - Report created 04/07/2014 at 11:39:19
# Updated 29/06/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Chris - PAR-1
# Running from : F:\adwcleaner_3.214.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{62155D33-3CE2-401E-8967-5A270628A3D5}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{62155D33-3CE2-401E-8967-5A270628A3D5}
Key Deleted : HKCU\Software\AppDataLow\Software\adawarebp
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FLV Player
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Toolbar Cleaner

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17126


-\\ Mozilla Firefox v25.0.1 (en-US)

[ File : C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\qjsikfvb.default\prefs.js ]


*************************

AdwCleaner[R0].txt - [1555 octets] - [04/07/2014 11:36:27]
AdwCleaner[S0].txt - [1486 octets] - [04/07/2014 11:39:19]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1546 octets] ##########
 

 

 

 

=======================

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 7 Home Premium x64
Ran by Chris on Fri 07/04/2014 at 11:55:19.95
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\msntask_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\msntask_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\msntask_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\msntask_RASMANCS



~~~ Files



~~~ Folders



~~~ FireFox

Successfully deleted the following from C:\Users\Chris\AppData\Roaming\mozilla\firefox\profiles\qjsikfvb.default\prefs.js

user_pref("keyword.URL", "hxxp://securedsearch2.lavasoft.com/results.php?pr=vmn&id=adawaretb&v=3_9&idate=__installtime__&hsimp=yhs-lavasoft&ent=bs&q=");
Emptied folder: C:\Users\Chris\AppData\Roaming\mozilla\firefox\profiles\qjsikfvb.default\minidumps [7 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 07/04/2014 at 12:02:38.08
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

 

 

 

===============

 Results of screen317's Security Check version 0.99.85  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
 Windows Security Center service is not running! This report may not be accurate!
 Windows Firewall Enabled!  
McAfee VirusScan Enterprise   
 Antivirus up to date!  (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
  Adobe Flash Player 11.9.900.170 Flash Player out of Date!  
 Adobe Reader 9 Adobe Reader out of Date!
 Mozilla Firefox 25.0.1 Firefox out of Date!  
````````Process Check: objlist.exe by Laurent````````  
 McAfee VirusScan Enterprise shstat.exe  
 McAfee VirusScan Enterprise x64 engineserver.exe
 McAfee VirusScan Enterprise vstskmgr.exe  
 McAfee VirusScan Enterprise x64 mcshield.exe
 McAfee VirusScan Enterprise x64 mfeann.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 2%
````````````````````End of Log``````````````````````
 



#12 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 07 July 2014 - 02:43 AM

The two files are quarantined already and will be deleted soon.

Your system is clean now! :)


Adobe Flash Player out of date

Your Adobe flash player is outdated. We will fix this.
  • Get the current player from here. Important: Uncheck any optional software (for example Google Chrome, etc.) offered.
  • Click upon Start-->control panel-->add/remove programs.
  • Search for and remove any older reader versions.


Adobe Reader out of date

Your Adobe Reader is outdated. We will fix this.


  • Get the current software from here. Important: Uncheck any optional software (for example Google Chrome, etc.) offered.
  • Run setup and follow the instructions.
  • Click upon Start-->control panel-->add/remove programs.
  • Search for and remove any older reader versions.



Mozilla Firefox out of date

Your Firefox browser is outdated. Please follow these instructions to update it:
  • Get the current Firefox from here.
  • Run setup and follow the instructions on your monitor.
  • Report any problems you have with the update.



Uninstall our tools using delfix

Please follow these steps in order:

  • In the case we used Defogger to turn off your CD emulation software, you can start it again and use the Enable button.
  • In the case we used Combofix: deactivate your antivirus software once more, then rename the combofix.exe to uninstall.exe and run it one last time. You will be notified that Combofix has been removed.
  • In any case please download delfix to your desktop.
    • Close all other programs and start delfix.
    • Please check all the boxes and run the tool.
    • delfix will now delete all found traces of our removal process
  • If there is still something left please delete it manually.



Delete System Restore Points

To ensure your System Restore Points are free of malware, we will delete all of them but the most recent or create a new one.

On Windows Vista: Please follow these instructions to delete all but the most common System Protection Restore Points.
On Windows 7/8: Please follow these instructions to delete all but the most common System Protection Restore Points.
On Windows XP: Please follow these instructions to delete all but the most common System Protection Restore Points.



Recommendations: How to protect yourself
  • System Updates
    Please ensure to have automatic updates activated in your control panel.
    For further information and a tutorial, see this Microsoft Support article.
  • Protection
    What you need is one (not more) virus scanner with background protection. Additionally I recommend a special malware scanner to run on demand weekly.
    Personally I am using avast! Antivirus Free Edition and Malwarebytes Anti-Malware. They offer good protection for free.
    • To keep your browser free of advertising, you may install the Adblock Plus browser extension.
      It will filter unwanted advertising out of the website's content.
    • To protect yourself from accidentally visiting malicious web sites, install the Web of Trust (WOT) browser extension.
      It will display a green (safe), yellow (unknown) or red (potentially dangerous) icon for a visited website within your browser.
      In addition, before accessing a dangerous classified web site, a warning screen is displayed.
  • Up to date Software
    Keep your Windows and your third party software up to date. The easiest way to get infected is an outdated Windows, followed by: browser(s) (including add-ons and plug-ins), Adobe Flash Player and Adobe Reader, Java Runtime Environment, your antivirus program and so on. These links may help you to check:
  • Backup
    Hardware issues, malware, fire, lightning strike: there is a long list of different ways to lose all your data. Back up your files regularly. Use the Windows internal backup function or a third-party tool and save your data onto an external hard drive, cloud storage, optical media like CDs or DVDs or (if available) a professional network backup system.
  • Behaviour
    The commonest error when using a computer is "error 80", which means that the error is located about 80 cm in front of the monitor. This is a common joke among IT support technicians, but it shows that all the safety mechanisms won't help if you aren't careful enough.
    • While surfing the internet, don't click on anything you don't know. In the worst case, it infects your system with malware.
    • Watch your step in social networks! Many cyber criminals use them to spread malware, mine personal data (to be sold to advertising companies, for example) or simply do damage to other users. Even if a received hyperlink within a message seems to be coming from one of your friends, have a closer look. In addition, don't click everything.
    • When installing software, have a look at each of the setup windows and uncheck any additional toolbars or free programs that may be offered in addition. Most of today's setup procedures contain potentially unwanted programs, so keep them off your system.
    • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
      They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.

Proud Member of UNITE & TB

My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

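The "Delete System Restore Points" step above links to GUI instructions that are not reproduced here. As an added example (not part of the original post), the same thing done from an elevated Windows PowerShell prompt on Windows 7: create a fresh restore point first, then remove every older one. It assumes System Protection is enabled on C: and that the PowerShell session is elevated. On Windows 7 each restore point lives in a VSS shadow copy, so deleting the older shadow copies is what removes the older restore points (the GUI equivalent is Disk Cleanup, "More Options", "System Restore and Shadow Copies", which also keeps only the most recent one).

```powershell
# Added example, not from the original thread. Windows 7, Windows PowerShell 2.0+,
# run as Administrator. Assumption: System Protection is enabled on C:.

# 1. Create a known-clean restore point BEFORE deleting anything, so there is
#    always something to roll back to if the cleanup itself breaks the machine.
Checkpoint-Computer -Description "Post-cleanup baseline" -RestorePointType MODIFY_SETTINGS

# 2. Show what exists now; the highest SequenceNumber is the one we just made.
Get-ComputerRestorePoint | Sort-Object SequenceNumber |
    Format-Table SequenceNumber, Description,
        @{ n = 'Created'; e = { $_.ConvertToDateTime($_.CreationTime) } } -AutoSize

# 3. Delete all but the most recent shadow copy on C:. vssadmin removes one
#    copy per call with /oldest, so loop while more than one remains. @() makes
#    .Count safe in PowerShell 2.0 when only a single line matches.
while (@(vssadmin list shadows /for=C: | Select-String 'Shadow Copy ID').Count -gt 1) {
    vssadmin delete shadows /for=C: /oldest /quiet
}

# 4. Verify: only the baseline restore point should be listed.
Get-ComputerRestorePoint | Format-Table SequenceNumber, Description -AutoSize
```

Caveat: the same shadow copies back the "Previous Versions" feature, so deleting them also discards those file versions. Check step 2's output shows the new baseline before running step 3.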
#13 Jupiter34

  • Topic Starter
  • Members
  • 14 posts
  • Gender:Male

Posted 09 July 2014 - 11:22 PM

Hi Marius,

I don't think my computer is clean yet. I reinstalled the most recent versions of Adobe Reader and Flash Player and Mozilla Firefox, ran Delfix, and deleted all old System Restore points. The radio ads are gone (thank you!).

I'm still being prompted to accept cookies from sites I've never visited or heard of, and both Firefox and IE take 4-5 minutes to load a page or time out. The most recent example is a request from "com.org," which when I refused the cookies and disconnected from the internet gave me a browser search-like result saying "www.www.adobe.com.org was not found on our servers. Showing com.org below. Only the best links...Com.org" and a "Web Directory" with Vacation, Technology, Health & Beauty links etc.

Could this be a browser hijack?

#14 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 13 July 2014 - 12:24 PM

This is odd...in which browser is that happening?

Only in one or did you try another one, too?



#15 Jupiter34

  • Topic Starter
  • Members
  • 14 posts
  • Gender:Male

Posted 14 July 2014 - 05:36 AM

Both browsers are slow, really slow. The unsolicited cookie requests are only happening in IE. Firefox has the default settings which I think just accept all cookies automatically, so I wouldn't have been prompted for them.
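The poster asks whether the "com.org" result and the slow page loads could be a browser hijack, and the helper asks which browser is affected. As an added example (not part of the original thread, and drawing no conclusion about this particular machine), here is the read-only check a responder would run next on Windows 7 to see whether the redirect lives outside the browser: the hosts file, the DNS servers and suffix search list (a stray suffix is one way a name the browser typed can come back as something.com.org), and the Internet Explorer proxy/PAC settings, which many non-browser programs also honour. It assumes Windows PowerShell on Windows 7 and needs no elevation.

```powershell
# Added example, not from the original thread. Read-only: it prints settings and
# changes nothing. Assumption: Windows 7 with Windows PowerShell 2.0 or later.

"--- hosts file: any line other than localhost entries deserves a look ---"
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hosts | Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' }

"--- DNS servers and suffix search list per active adapter ---"
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, DHCPEnabled, DNSServerSearchOrder, DNSDomainSuffixSearchOrder

"--- system-wide DNS search list (a suffix here is appended to unqualified names) ---"
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' |
    Select-Object SearchList, Domain, NameServer

"--- Internet Explorer proxy / PAC settings (also used by many other programs) ---"
Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' |
    Select-Object ProxyEnable, ProxyServer, AutoConfigURL

"--- resolve a known name and note which server answered ---"
nslookup www.adobe.com
```

What to look for: hosts entries for sites you did not add, DNS servers you do not recognise (compare with the router's), a SearchList or DNSDomainSuffixSearchOrder you never configured, ProxyEnable set to 1 or an AutoConfigURL pointing somewhere unexpected, and an nslookup answer from a server other than the one the adapter lists. Any of those points at the network stack rather than a single browser, which is also consistent with both browsers being slow.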





