
ZLOB.Mediacodec infection


This topic is locked. 18 replies to this topic.

#1 BillH1971

  • Members
  • 10 posts
  • Gender:Male
  • Location:Floyds Knobs, In.

Posted 08 July 2014 - 11:00 AM

For the past few weeks Spy Bot has been detecting this ZLOB trojan and I have removed it only to have it show up again the next time I run Spy Bot. While on the internet I get random full screens that pop up. Some I can x out of and others have no way to leave the page other than restarting my computer. Examples of these screens are: full red screen that says this site is a web forgery; how to fix Windows 7 errors with PC Keeper; Call Yogi for help (with whatever I happen to be searching the internet for). I have used Windows Explorer to search for files linked to ZLOB and found none. Also checked my registry for entries linked to ZLOB and found none. In addition to Spy Bot I have tried AVG, Adaware, Hitman Pro, Glary Utilities, CCleaner, Malwarebytes Antimalware, and a few others with no success.

I don't know what to do and would very much appreciate any help you could give me.


DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 11.0.9600.17126
Run by Bill at 23:33:07 on 2014-07-07
Microsoft Windows 7 Enterprise   6.1.7601.1.1252.1.1033.18.2047.361 [GMT -4:00]
.
AV: AVG AntiVirus Free Edition 2014 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
AV: Ad-Aware Antivirus *Disabled/Outdated* {D87B6541-12A1-DAEA-0033-9B8057AAB996}
SP: Ad-Aware Antivirus *Disabled/Outdated* {631A84A5-349B-D564-3A83-A0F22C2DF32B}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spybot - Search and Destroy *Enabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: AVG AntiVirus Free Edition 2014 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
FW: Ad-Aware Firewall *Disabled* {E040E464-58CE-DBB2-2B6C-32B5A979FEED}
.
============== Running Processes ================
.
c:\PROGRA~1\AVG\AVG2014\avgrsx.exe
C:\Program Files\AVG\AVG2014\avgcsrvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
C:\Program Files\HitmanPro\hmpsched.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG2014\avgidsagent.exe
C:\Program Files\AVG\AVG2014\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Fitbit Connect\FitbitConnectService.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.2.5952.0\AdAwareService.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\18.1.5\ToolbarUpdater.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
C:\Program Files\Enigma Software Group\SpyHunter\Spyhunter4.exe
C:\Program Files\AVG\AVG2014\avgnsx.exe
C:\Program Files\AVG\AVG2014\avgemcx.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
C:\Program Files\AVG\AVG2014\avgui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe
C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.2.5952.0\AdAwareTray.exe
C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\Drive\googledrivesync.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Glary Utilities 5\Integrator.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Google\Drive\googledrivesync.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Program Files\Spybot - Search & Destroy 2\SDWelcome.exe
C:\Program Files\Spybot - Search & Destroy 2\SDScan.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_14_0_0_125.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\consent.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\svchost.exe -k SDRSVC
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
mStart Page = about:blank
uProxyOverride = <-loopback>
BHO: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\lavasoft\adaware securesearch toolbar\adawareDx.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\lavasoft\adaware securesearch toolbar\adawareDx.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [GoogleDriveSync] "c:\program files\google\drive\googledrivesync.exe" /autostart
uRun: [GoogleChromeAutoLaunch_D7F8A353CC6ED011209C1472171116E7] "c:\program files\google\chrome\application\chrome.exe" --no-startup-window
uRun: [GUDelayStartup] "c:\program files\glary utilities 5\StartupManager.exe" -delayrun
uRun: [ApplePhotoStreams] c:\program files\common files\apple\internet services\ApplePhotoStreams.exe
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AVG_UI] "c:\program files\avg\avg2014\avgui.exe" /TRAYONLY
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Ad-Aware Browsing Protection] "c:\programdata\ad-aware browsing protection\adawarebp.exe"
mRun: [AdAwareTray] "c:\program files\lavasoft\ad-aware antivirus\ad-aware antivirus\11.2.5952.0\AdAwareTray.exe"
mRun: [SDTray] "c:\program files\spybot - search & destroy 2\SDTray.exe"
mRunOnce: [1] c:\program files\malwarebytes anti-malware\chameleon\windows\mbam-chameleon.exe /r /p
dRunOnce: [SPReview] "c:\windows\system32\spreview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
TCP: NameServer = 192.168.10.1
TCP: Interfaces\{9F6579CA-6787-4D45-BC21-AA6B4E839AB1} : DHCPNameServer = 192.168.10.1
TCP: Interfaces\{9F6579CA-6787-4D45-BC21-AA6B4E839AB1}\C696E6B6379737 : DHCPNameServer = 209.18.47.61 209.18.47.62
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - <orphaned>
Notify: SDWinLogon - SDWinLogon.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\35.0.1916.153\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\bill\appdata\roaming\mozilla\firefox\profiles\rrqaj89f.default-1385333118702\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\google\update\1.3.24.15\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.30214.0\npctrlui.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_14_0_0_125.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2014-6-17 147736]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2014-6-17 241944]
R0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2014-6-17 98584]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2014-6-17 27416]
R0 BootDefragDriver;BootDefragDriver;c:\windows\system32\drivers\BootDefragDriver.sys [2014-7-5 16064]
R0 GUBootStartup;GUBootStartup;c:\windows\system32\drivers\GUBootStartup.sys [2014-7-5 17088]
R1 Avgdiskx;AVG Disk Driver;c:\windows\system32\drivers\avgdiskx.sys [2014-6-17 121624]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2014-6-17 199960]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2014-6-17 21272]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2014-6-17 188696]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2014-6-17 197400]
R1 netfilter;netfilter;c:\windows\system32\drivers\netfilter.sys [2014-6-12 31744]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2014\avgidsagent.exe [2014-6-27 3241488]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2014\avgwdsvc.exe [2014-6-17 289328]
R2 Fitbit Connect;Fitbit Connect Service;c:\program files\fitbit connect\FitbitConnectService.exe [2014-1-10 1435680]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-25 189736]
R2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\hitmanpro\hmpsched.exe [2014-7-3 106248]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2013-6-28 14624]
R2 LavasoftAdAwareService11;Ad-Aware Service 11;c:\program files\lavasoft\ad-aware antivirus\ad-aware antivirus\11.2.5952.0\AdAwareService.exe [2014-6-3 655352]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes anti-malware\mbamscheduler.exe [2014-7-6 1809720]
R2 MBAMService;MBAMService;c:\program files\malwarebytes anti-malware\mbamservice.exe [2014-7-6 860472]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\spybot - search & destroy 2\SDFSSvc.exe [2014-7-3 1738168]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\spybot - search & destroy 2\SDUpdSvc.exe [2014-7-3 2088408]
R2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\spybot - search & destroy 2\SDWSCSvc.exe [2014-7-3 171928]
R2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\enigma~1\spyhun~1\SH4SER~1.EXE [2014-1-9 770432]
R2 vToolbarUpdater18.1.5;vToolbarUpdater18.1.5;c:\program files\common files\avg secure search\vtoolbarupdater\18.1.5\ToolbarUpdater.exe [2014-5-11 1801752]
R3 athur;Atheros AR9271 Wireless Network Adapter Service;c:\windows\system32\drivers\athur.sys [2013-9-7 1564160]
R3 esgiguard;esgiguard;c:\program files\enigma software group\spyhunter\esgiguard.sys [2014-1-7 15384]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-7-6 23256]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-7-6 110296]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2014-7-6 51928]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-9-28 315392]
R4 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2014-7-6 74456]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 EsgScanner;EsgScanner;c:\windows\system32\drivers\EsgScanner.sys [2012-6-22 19984]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\ieetwcollector.exe [2014-6-12 108032]
S3 massfilter_hs;HS HandSet Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter_hs.sys [2014-6-5 9216]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2013-9-6 15872]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2013-9-7 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2013-9-7 1343400]
S3 zghsdiag;ZTE General Handset Diagnostic Port;c:\windows\system32\drivers\zghsdiag.sys [2011-1-13 106752]
.
=============== Created Last 30 ================
.
2014-07-07 01:36:05    110080    ----a-r-    c:\users\bill\appdata\roaming\microsoft\installer\{af549236-6258-4ac6-a043-5b5b89c6eb61}\IconF7A21AF7.exe
2014-07-07 01:36:05    110080    ----a-r-    c:\users\bill\appdata\roaming\microsoft\installer\{af549236-6258-4ac6-a043-5b5b89c6eb61}\IconD7F16134.exe
2014-07-07 01:36:05    110080    ----a-r-    c:\users\bill\appdata\roaming\microsoft\installer\{af549236-6258-4ac6-a043-5b5b89c6eb61}\IconCF33A0CE.exe
2014-07-07 01:36:04    --------    d-----w-    C:\sh4ldr
2014-07-07 01:36:04    --------    d-----w-    c:\program files\Enigma Software Group
2014-07-07 01:34:44    --------    d-----w-    c:\windows\AF54923662584AC6A0435B5B89C6EB61.TMP
2014-07-07 00:10:50    --------    d-sh--w-    C:\$RECYCLE.BIN
2014-07-07 00:07:54    98816    ----a-w-    c:\windows\sed.exe
2014-07-07 00:07:54    256000    ----a-w-    c:\windows\PEV.exe
2014-07-07 00:07:54    208896    ----a-w-    c:\windows\MBR.exe
2014-07-07 00:07:36    --------    d-s---w-    C:\ComboFix
2014-07-06 23:51:39    35152    ----a-w-    c:\windows\system32\drivers\TrueSight.sys
2014-07-06 23:51:33    --------    d-----w-    c:\programdata\RogueKiller
2014-07-06 22:23:55    110296    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-07-06 22:23:19    74456    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-07-06 22:23:19    51928    ----a-w-    c:\windows\system32\drivers\mwac.sys
2014-07-06 22:23:19    23256    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-07-06 22:23:19    --------    d-----w-    c:\programdata\Malwarebytes
2014-07-06 22:23:19    --------    d-----w-    c:\program files\Malwarebytes Anti-Malware
2014-07-06 01:46:12    --------    d-----w-    c:\program files\CCleaner
2014-07-06 00:50:53    --------    d-----w-    c:\program files\VS Revo Group
2014-07-06 00:14:44    17088    ----a-w-    c:\windows\system32\drivers\GUBootStartup.sys
2014-07-06 00:14:41    16064    ----a-w-    c:\windows\system32\drivers\BootDefragDriver.sys
2014-07-06 00:14:41    101664    ----a-w-    c:\windows\system32\BootDefrag.exe
2014-07-06 00:14:41    --------    d-----w-    c:\users\bill\appdata\roaming\DiskDefrag
2014-07-06 00:14:40    --------    d-----w-    c:\users\bill\appdata\roaming\GlarySoft
2014-07-06 00:14:32    --------    d-----w-    c:\program files\Glary Utilities 5
2014-07-04 02:50:27    71344    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-07-04 02:50:27    699056    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-07-04 02:28:29    18968    ----a-w-    c:\windows\system32\sdnclean.exe
2014-07-04 02:02:15    --------    d-----w-    c:\program files\HitmanPro
2014-07-04 02:00:36    --------    d-----w-    c:\programdata\HitmanPro
2014-07-03 23:29:19    --------    d-----w-    c:\users\bill\appdata\local\Adobe
2014-07-03 20:46:52    --------    d-----w-    c:\users\bill\appdata\roaming\SparkTrust
2014-07-03 20:46:52    --------    d-----w-    c:\users\bill\appdata\roaming\DriverCure
2014-07-03 19:54:35    --------    d-----w-    c:\programdata\SparkTrust
2014-07-03 04:10:58    --------    d-----w-    c:\users\bill\appdata\local\Downloadius_S.A.R.L
2014-07-03 04:10:33    --------    d-sh--w-    c:\windows\system32\AI_RecycleBin
2014-07-03 04:09:21    --------    d-----w-    c:\programdata\pastaleads
2014-07-03 04:09:07    --------    d-----w-    c:\users\bill\appdata\roaming\Downloadius S.A.R.L
2014-07-03 03:02:03    --------    d-----w-    c:\program files\common files\Symantec Shared
2014-07-03 02:44:04    --------    d-----w-    c:\programdata\Norton
2014-07-03 02:44:01    --------    d-----w-    c:\programdata\NortonInstaller
2014-07-03 02:11:49    --------    d-----w-    c:\users\bill\appdata\roaming\LavasoftStatistics
2014-07-03 02:09:38    --------    d-----w-    c:\users\bill\appdata\local\adawarebp
2014-07-03 02:09:36    --------    d-----w-    c:\programdata\Ad-Aware Browsing Protection
2014-07-03 02:09:26    --------    d-----w-    c:\program files\Toolbar Cleaner
2014-07-03 02:09:07    --------    d-----w-    c:\program files\Lavasoft
2014-07-03 02:06:57    --------    d-----w-    c:\program files\common files\Lavasoft
2014-07-03 01:36:44    --------    d-----w-    c:\users\bill\appdata\roaming\Windows Codec
2014-07-03 01:36:38    --------    d-----w-    c:\users\bill\appdata\roaming\Windows Essentials Codec Pack
2014-06-26 22:12:08    --------    d-----w-    c:\program files\6E6B36EB-9156-411B-B951-C735F4747DCF
2014-06-21 11:43:40    404992    ----a-w-    c:\windows\system32\CommonDlg.dll
2014-06-17 20:22:02    188696    ----a-w-    c:\windows\system32\drivers\avgldx86.sys
2014-06-17 20:21:22    197400    ----a-w-    c:\windows\system32\drivers\avgtdix.sys
2014-06-17 20:18:00    241944    ----a-w-    c:\windows\system32\drivers\avglogx.sys
2014-06-17 20:17:58    147736    ----a-w-    c:\windows\system32\drivers\avgidshx.sys
2014-06-17 20:06:40    199960    ----a-w-    c:\windows\system32\drivers\avgidsdriverx.sys
2014-06-17 20:06:38    121624    ----a-w-    c:\windows\system32\drivers\avgdiskx.sys
2014-06-17 20:06:22    27416    ----a-w-    c:\windows\system32\drivers\avgrkx86.sys
2014-06-17 20:06:20    21272    ----a-w-    c:\windows\system32\drivers\avgidsshimx.sys
2014-06-12 19:05:34    31744    ----a-w-    c:\windows\system32\drivers\netfilter.sys
2014-06-12 13:37:59    1068032    ----a-w-    c:\windows\system32\mshtmlmedia.dll
2014-06-12 13:37:58    752640    ----a-w-    c:\program files\common files\microsoft shared\vgx\VGX.dll
2014-06-12 13:37:58    592896    ----a-w-    c:\windows\system32\jscript9diag.dll
2014-06-12 13:37:56    455168    ----a-w-    c:\windows\system32\vbscript.dll
2014-06-12 13:37:56    4244992    ----a-w-    c:\windows\system32\jscript9.dll
2014-06-12 13:36:16    2048    ----a-w-    c:\windows\system32\msxml6r.dll
2014-06-12 13:36:16    2048    ----a-w-    c:\windows\system32\msxml3r.dll
2014-06-12 13:36:16    1389056    ----a-w-    c:\windows\system32\msxml6.dll
2014-06-12 13:36:16    1237504    ----a-w-    c:\windows\system32\msxml3.dll
2014-06-12 13:36:12    187840    ----a-w-    c:\windows\system32\drivers\FWPKCLNT.SYS
2014-06-12 13:36:12    1294272    ----a-w-    c:\windows\system32\drivers\tcpip.sys
2014-06-12 13:36:10    391680    ----a-w-    c:\windows\system32\aepdu.dll
2014-06-12 13:36:10    302592    ----a-w-    c:\windows\system32\aeinv.dll
2014-06-12 13:36:08    626688    ----a-w-    c:\windows\system32\usp10.dll
2014-06-12 13:36:07    919040    ----a-w-    c:\windows\system32\rdpcorets.dll
2014-06-11 20:47:11    --------    d--h--w-    c:\programdata\CanonIJScan
.
==================== Find3M  ====================
.
2014-06-05 23:52:10    9216    ----a-w-    c:\windows\system32\drivers\massfilter_hs.sys
2014-05-30 09:02:39    2724864    ----a-w-    c:\windows\system32\mshtml.tlb
2014-05-30 09:02:03    4096    ----a-w-    c:\windows\system32\ieetwcollectorres.dll
2014-05-30 08:43:06    61952    ----a-w-    c:\windows\system32\iesetup.dll
2014-05-30 08:42:16    51200    ----a-w-    c:\windows\system32\ieetwproxystub.dll
2014-05-30 08:28:33    112128    ----a-w-    c:\windows\system32\ieUnatt.exe
2014-05-30 08:28:30    108032    ----a-w-    c:\windows\system32\ieetwcollector.exe
2014-05-30 08:21:36    646144    ----a-w-    c:\windows\system32\MsSpellCheckingFacility.exe
2014-05-30 08:10:46    32256    ----a-w-    c:\windows\system32\JavaScriptCollectionAgent.dll
2014-05-30 07:49:38    1964544    ----a-w-    c:\windows\system32\inetcpl.cpl
2014-05-30 07:21:10    1790976    ----a-w-    c:\windows\system32\wininet.dll
2014-04-22 21:29:24    360376    ----a-w-    c:\windows\system32\drivers\Trufos.sys
2014-04-12 02:15:13    67520    ----a-w-    c:\windows\system32\drivers\ksecdd.sys
2014-04-12 02:15:13    136640    ----a-w-    c:\windows\system32\drivers\ksecpkg.sys
2014-04-12 02:12:09    15872    ----a-w-    c:\windows\system32\sspisrv.dll
2014-04-12 02:12:09    100352    ----a-w-    c:\windows\system32\sspicli.dll
2014-04-12 02:12:06    22016    ----a-w-    c:\windows\system32\secur32.dll
2014-04-12 02:11:58    1059840    ----a-w-    c:\windows\system32\lsasrv.dll
2014-04-12 02:11:22    22528    ----a-w-    c:\windows\system32\lsass.exe
.
============= FINISH: 23:35:19.31 ===============


#2 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 08 July 2014 - 11:27 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Multiple Antivirus Programs installed!

I do not recommend that you have more than one anti-virus product installed and running on your computer at a time.

The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:

1) False Alarms: When the anti-virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.

Therefore please go to add/remove in the control panel and remove either AVG or AdAware.

Please post up C:\combofix.txt.


Proud Member of UNITE & TB

My help is free, however, if you want to support my fight against malware, click the donate button (no worries, every little bit helps).

#3 BillH1971

  • Topic Starter
  • Members
  • 10 posts
  • Gender:Male
  • Location:Floyds Knobs, In.

Posted 08 July 2014 - 03:53 PM

Hello Marius


Thank you for answering my post.

I have uninstalled the AdAware as you requested.

Below is the Combofix.txt


ComboFix 14-07-03.01 - Bill 07/06/2014  20:10:43.1.2 - x86
Microsoft Windows 7 Enterprise   6.1.7601.1.1252.1.1033.18.2047.570 [GMT -4:00]
Running from: C:\Users\Bill\Downloads\ComboFix.exe
AV: Ad-Aware Antivirus *Disabled/Outdated* {D87B6541-12A1-DAEA-0033-9B8057AAB996}
AV: AVG AntiVirus Free Edition 2014 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
FW: Ad-Aware Firewall *Disabled* {E040E464-58CE-DBB2-2B6C-32B5A979FEED}
SP: Ad-Aware Antivirus *Disabled/Outdated* {631A84A5-349B-D564-3A83-A0F22C2DF32B}
SP: AVG AntiVirus Free Edition 2014 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Spybot - Search and Destroy *Enabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 

Bill



#4 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 09 July 2014 - 03:44 PM

The log is incomplete - please post the whole content of C:\combofix.txt


#5 BillH1971

  • Topic Starter
  • Members
  • 10 posts
  • Gender:Male
  • Location:Floyds Knobs, In.

Posted 09 July 2014 - 07:52 PM

I ran combofix again and here is the new log. Hope it has everything you need.


Bill


ComboFix 14-07-08.01 - Bill 07/09/2014  20:21:47.2.2 - x86
Microsoft Windows 7 Enterprise   6.1.7601.1.1252.1.1033.18.2047.937 [GMT -4:00]
Running from: c:\users\Bill\Downloads\ComboFix.exe
AV: AVG AntiVirus Free Edition 2014 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: AVG AntiVirus Free Edition 2014 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Spybot - Search and Destroy *Enabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Bill\AppData\Local\Temp\_MEI31482\_ctypes.pyd
c:\users\Bill\AppData\Local\Temp\_MEI31482\_elementtree.pyd
c:\users\Bill\AppData\Local\Temp\_MEI31482\_hashlib.pyd
c:\users\Bill\AppData\Local\Temp\_MEI31482\_multiprocessing.pyd
c:\users\Bill\AppData\Local\Temp\_MEI31482\_socket.pyd
c:\users\Bill\AppData\Local\Temp\_MEI31482\_ssl.pyd
c:\users\Bill\AppData\Local\Temp\_MEI31482\hashobjs_ext.pyd
c:\users\Bill\AppData\Local\Temp\_MEI31482\pyexpat.pyd
c:\users\Bill\AppData\Local\Temp\_MEI31482\pysqlite2._sqlite.pyd
c:\users\Bill\AppData\Local\Temp\_MEI31482\python27.dll
c:\users\Bill\AppData\Local\Temp\_MEI31482\pythoncom27.dll
c:\users\Bill\AppData\Local\Temp\_MEI31482\PyWinTypes27.dll
c:\users\Bill\AppData\Local\Temp\_MEI31482\select.pyd
c:\users\Bill\AppData\Local\Temp\_MEI31482\unicodedata.pyd
c:\users\Bill\AppData\Local\Temp\_MEI31482\win32api.pyd
c:\users\Bill\AppData\Local\Temp\_MEI31482\win32com.shell.shell.pyd
c:\users\Bill\AppData\Local\Temp\_MEI31482\win32crypt.pyd
c:\users\Bill\AppData\Local\Temp\_MEI31482\win32event.pyd
c:\users\Bill\AppData\Local\Temp\_MEI31482\win32file.pyd
c:\users\Bill\AppData\Local\Temp\_MEI31482\win32gui.pyd
c:\users\Bill\AppData\Local\Temp\_MEI31482\win32inet.pyd
c:\users\Bill\AppData\Local\Temp\_MEI31482\win32pdh.pyd
c:\users\Bill\AppData\Local\Temp\_MEI31482\win32pipe.pyd
c:\users\Bill\AppData\Local\Temp\_MEI31482\win32process.pyd
c:\users\Bill\AppData\Local\Temp\_MEI31482\win32profile.pyd
c:\users\Bill\AppData\Local\Temp\_MEI31482\win32security.pyd
c:\users\Bill\AppData\Local\Temp\_MEI31482\win32ts.pyd
c:\users\Bill\AppData\Local\Temp\_MEI31482\windows._lib_cacheinvalidation.pyd
c:\users\Bill\AppData\Local\Temp\_MEI31482\wx._animate.pyd
c:\users\Bill\AppData\Local\Temp\_MEI31482\wx._controls_.pyd
c:\users\Bill\AppData\Local\Temp\_MEI31482\wx._core_.pyd
c:\users\Bill\AppData\Local\Temp\_MEI31482\wx._gdi_.pyd
c:\users\Bill\AppData\Local\Temp\_MEI31482\wx._html2.pyd
c:\users\Bill\AppData\Local\Temp\_MEI31482\wx._misc_.pyd
c:\users\Bill\AppData\Local\Temp\_MEI31482\wx._windows_.pyd
c:\users\Bill\AppData\Local\Temp\_MEI31482\wx._wizard.pyd
c:\users\Bill\AppData\Local\Temp\_MEI31482\wxbase294u_net_vc90.dll
c:\users\Bill\AppData\Local\Temp\_MEI31482\wxbase294u_vc90.dll
c:\users\Bill\AppData\Local\Temp\_MEI31482\wxmsw294u_adv_vc90.dll
c:\users\Bill\AppData\Local\Temp\_MEI31482\wxmsw294u_core_vc90.dll
c:\users\Bill\AppData\Local\Temp\_MEI31482\wxmsw294u_html_vc90.dll
c:\users\Bill\AppData\Local\Temp\_MEI31482\wxmsw294u_webview_vc90.dll
.
---- Previous Run -------
.
c:\users\Bill\AppData\Local\Temp\_MEI59002\_ctypes.pyd
c:\users\Bill\AppData\Local\Temp\_MEI59002\_elementtree.pyd
c:\users\Bill\AppData\Local\Temp\_MEI59002\_hashlib.pyd
c:\users\Bill\AppData\Local\Temp\_MEI59002\_multiprocessing.pyd
c:\users\Bill\AppData\Local\Temp\_MEI59002\_socket.pyd
c:\users\Bill\AppData\Local\Temp\_MEI59002\_ssl.pyd
c:\users\Bill\AppData\Local\Temp\_MEI59002\hashobjs_ext.pyd
c:\users\Bill\AppData\Local\Temp\_MEI59002\pyexpat.pyd
c:\users\Bill\AppData\Local\Temp\_MEI59002\pysqlite2._sqlite.pyd
c:\users\Bill\AppData\Local\Temp\_MEI59002\python27.dll
c:\users\Bill\AppData\Local\Temp\_MEI59002\pythoncom27.dll
c:\users\Bill\AppData\Local\Temp\_MEI59002\PyWinTypes27.dll
c:\users\Bill\AppData\Local\Temp\_MEI59002\select.pyd
c:\users\Bill\AppData\Local\Temp\_MEI59002\unicodedata.pyd
c:\users\Bill\AppData\Local\Temp\_MEI59002\win32api.pyd
c:\users\Bill\AppData\Local\Temp\_MEI59002\win32com.shell.shell.pyd
c:\users\Bill\AppData\Local\Temp\_MEI59002\win32crypt.pyd
c:\users\Bill\AppData\Local\Temp\_MEI59002\win32event.pyd
c:\users\Bill\AppData\Local\Temp\_MEI59002\win32file.pyd
c:\users\Bill\AppData\Local\Temp\_MEI59002\win32gui.pyd
c:\users\Bill\AppData\Local\Temp\_MEI59002\win32inet.pyd
c:\users\Bill\AppData\Local\Temp\_MEI59002\win32pdh.pyd
c:\users\Bill\AppData\Local\Temp\_MEI59002\win32pipe.pyd
c:\users\Bill\AppData\Local\Temp\_MEI59002\win32process.pyd
c:\users\Bill\AppData\Local\Temp\_MEI59002\win32profile.pyd
c:\users\Bill\AppData\Local\Temp\_MEI59002\win32security.pyd
c:\users\Bill\AppData\Local\Temp\_MEI59002\win32ts.pyd
c:\users\Bill\AppData\Local\Temp\_MEI59002\windows._lib_cacheinvalidation.pyd
c:\users\Bill\AppData\Local\Temp\_MEI59002\wx._animate.pyd
c:\users\Bill\AppData\Local\Temp\_MEI59002\wx._controls_.pyd
c:\users\Bill\AppData\Local\Temp\_MEI59002\wx._core_.pyd
c:\users\Bill\AppData\Local\Temp\_MEI59002\wx._gdi_.pyd
c:\users\Bill\AppData\Local\Temp\_MEI59002\wx._html2.pyd
c:\users\Bill\AppData\Local\Temp\_MEI59002\wx._misc_.pyd
c:\users\Bill\AppData\Local\Temp\_MEI59002\wx._windows_.pyd
c:\users\Bill\AppData\Local\Temp\_MEI59002\wx._wizard.pyd
c:\users\Bill\AppData\Local\Temp\_MEI59002\wxbase294u_net_vc90.dll
c:\users\Bill\AppData\Local\Temp\_MEI59002\wxbase294u_vc90.dll
c:\users\Bill\AppData\Local\Temp\_MEI59002\wxmsw294u_adv_vc90.dll
c:\users\Bill\AppData\Local\Temp\_MEI59002\wxmsw294u_core_vc90.dll
c:\users\Bill\AppData\Local\Temp\_MEI59002\wxmsw294u_html_vc90.dll
c:\users\Bill\AppData\Local\Temp\_MEI59002\wxmsw294u_webview_vc90.dll
.
.
(((((((((((((((((((((((((   Files Created from 2014-06-10 to 2014-07-10  )))))))))))))))))))))))))))))))
.
.
2014-07-10 00:33 . 2014-07-10 00:33    30976    ----a-w-    c:\windows\system32\drivers\hitmanpro37.sys
2014-07-10 00:30 . 2014-07-10 00:30    --------    d-----w-    c:\users\Default\AppData\Local\temp
2014-07-09 23:44 . 2014-07-09 23:44    16    ----a-w-    c:\windows\system32\SetPath.bat
2014-07-09 02:40 . 2014-07-09 02:40    5659136    ----a-w-    c:\windows\system32\FlashPlayerInstaller.exe
2014-07-08 23:35 . 2014-06-18 01:52    868864    ----a-w-    c:\program files\Common Files\Microsoft Shared\ink\tipskins.dll
2014-07-07 01:36 . 2014-07-07 01:36    110080    ----a-r-    c:\users\Bill\AppData\Roaming\Microsoft\Installer\{AF549236-6258-4AC6-A043-5B5B89C6EB61}\IconF7A21AF7.exe
2014-07-07 01:36 . 2014-07-07 01:36    110080    ----a-r-    c:\users\Bill\AppData\Roaming\Microsoft\Installer\{AF549236-6258-4AC6-A043-5B5B89C6EB61}\IconD7F16134.exe
2014-07-07 01:36 . 2014-07-07 01:36    110080    ----a-r-    c:\users\Bill\AppData\Roaming\Microsoft\Installer\{AF549236-6258-4AC6-A043-5B5B89C6EB61}\IconCF33A0CE.exe
2014-07-07 01:36 . 2014-07-07 01:36    --------    d-----w-    C:\sh4ldr
2014-07-07 01:36 . 2014-07-07 01:36    --------    d-----w-    c:\program files\Enigma Software Group
2014-07-07 01:34 . 2014-07-07 01:36    --------    d-----w-    c:\windows\AF54923662584AC6A0435B5B89C6EB61.TMP
2014-07-06 23:51 . 2014-07-06 23:51    35152    ----a-w-    c:\windows\system32\drivers\TrueSight.sys
2014-07-06 23:51 . 2014-07-06 23:51    --------    d-----w-    c:\programdata\RogueKiller
2014-07-06 22:23 . 2014-07-10 00:33    110296    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-07-06 22:23 . 2014-07-08 01:51    74456    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-07-06 22:23 . 2014-07-06 22:23    --------    d-----w-    c:\program files\Malwarebytes Anti-Malware
2014-07-06 22:23 . 2014-07-06 22:23    --------    d-----w-    c:\programdata\Malwarebytes
2014-07-06 22:23 . 2014-05-12 11:26    51928    ----a-w-    c:\windows\system32\drivers\mwac.sys
2014-07-06 22:23 . 2014-05-12 11:25    23256    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-07-06 01:46 . 2014-07-06 01:46    --------    d-----w-    c:\program files\CCleaner
2014-07-06 00:50 . 2014-07-06 00:50    --------    d-----w-    c:\program files\VS Revo Group
2014-07-06 00:14 . 2014-07-06 00:14    17088    ----a-w-    c:\windows\system32\drivers\GUBootStartup.sys
2014-07-06 00:14 . 2014-07-06 00:18    --------    d-----w-    c:\users\Bill\AppData\Roaming\DiskDefrag
2014-07-06 00:14 . 2014-07-02 09:10    101664    ----a-w-    c:\windows\system32\BootDefrag.exe
2014-07-06 00:14 . 2014-07-01 07:52    16064    ----a-w-    c:\windows\system32\drivers\BootDefragDriver.sys
2014-07-06 00:14 . 2014-07-06 00:14    --------    d-----w-    c:\users\Bill\AppData\Roaming\GlarySoft
2014-07-06 00:14 . 2014-07-09 23:48    --------    d-----w-    c:\program files\Glary Utilities 5
2014-07-04 02:50 . 2014-07-09 17:01    71344    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-07-04 02:50 . 2014-07-09 17:01    699056    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-07-04 02:28 . 2013-09-20 14:49    18968    ----a-w-    c:\windows\system32\sdnclean.exe
2014-07-04 02:02 . 2014-07-04 02:02    --------    d-----w-    c:\program files\HitmanPro
2014-07-04 02:00 . 2014-07-04 02:14    --------    d-----w-    c:\programdata\HitmanPro
2014-07-03 23:29 . 2014-07-03 23:29    --------    d-----w-    c:\users\Bill\AppData\Local\Adobe
2014-07-03 20:46 . 2014-07-03 20:46    --------    d-----w-    c:\users\Bill\AppData\Roaming\SparkTrust
2014-07-03 20:46 . 2014-07-03 20:46    --------    d-----w-    c:\users\Bill\AppData\Roaming\DriverCure
2014-07-03 19:54 . 2014-07-03 21:08    --------    d-----w-    c:\programdata\SparkTrust
2014-07-03 04:10 . 2014-07-03 04:10    --------    d-----w-    c:\users\Bill\AppData\Local\Downloadius_S.A.R.L
2014-07-03 04:10 . 2014-07-03 13:55    --------    d-sh--w-    c:\windows\system32\AI_RecycleBin
2014-07-03 04:09 . 2014-07-03 04:16    --------    d-----w-    c:\programdata\pastaleads
2014-07-03 04:09 . 2014-07-03 04:09    --------    d-----w-    c:\users\Bill\AppData\Roaming\Downloadius S.A.R.L
2014-07-03 03:02 . 2014-07-03 20:38    --------    d-----w-    c:\program files\Common Files\Symantec Shared
2014-07-03 02:44 . 2014-07-03 20:38    --------    d-----w-    c:\programdata\Norton
2014-07-03 02:40 . 2014-07-03 02:40    --------    d-----w-    c:\users\Bill\AppData\Roaming\Lavasoft
2014-07-03 02:09 . 2014-07-03 02:09    --------    d-----w-    c:\users\Bill\AppData\Local\adawarebp
2014-07-03 02:09 . 2014-07-08 20:19    --------    d-----w-    c:\programdata\Ad-Aware Browsing Protection
2014-07-03 02:09 . 2014-07-08 20:21    --------    d-----w-    c:\program files\Lavasoft
2014-07-03 02:06 . 2014-07-03 02:06    --------    d-----w-    c:\programdata\Lavasoft
2014-07-03 01:36 . 2014-07-03 01:36    --------    d-----w-    c:\users\Bill\AppData\Roaming\Windows Codec
2014-07-03 01:36 . 2014-07-03 01:36    --------    d-----w-    c:\users\Bill\AppData\Roaming\Windows Essentials Codec Pack
2014-06-26 22:12 . 2014-07-06 23:21    --------    d-----w-    c:\program files\6E6B36EB-9156-411B-B951-C735F4747DCF
2014-06-21 11:43 . 2014-06-21 11:43    404992    ----a-w-    c:\windows\system32\CommonDlg.dll
2014-06-17 20:22 . 2014-06-17 20:22    188696    ----a-w-    c:\windows\system32\drivers\avgldx86.sys
2014-06-17 20:21 . 2014-06-17 20:21    197400    ----a-w-    c:\windows\system32\drivers\avgtdix.sys
2014-06-17 20:18 . 2014-06-17 20:18    241944    ----a-w-    c:\windows\system32\drivers\avglogx.sys
2014-06-17 20:17 . 2014-06-17 20:17    147736    ----a-w-    c:\windows\system32\drivers\avgidshx.sys
2014-06-17 20:06 . 2014-06-17 20:06    199960    ----a-w-    c:\windows\system32\drivers\avgidsdriverx.sys
2014-06-17 20:06 . 2014-06-17 20:06    121624    ----a-w-    c:\windows\system32\drivers\avgdiskx.sys
2014-06-17 20:06 . 2014-06-17 20:06    98584    ----a-w-    c:\windows\system32\drivers\avgmfx86.sys
2014-06-17 20:06 . 2014-06-17 20:06    27416    ----a-w-    c:\windows\system32\drivers\avgrkx86.sys
2014-06-17 20:06 . 2014-06-17 20:06    21272    ----a-w-    c:\windows\system32\drivers\avgidsshimx.sys
2014-06-13 17:18 . 2014-06-14 15:06    --------    d-----w-    c:\program files\Mozilla Thunderbird
2014-06-12 19:05 . 2014-06-12 19:05    31744    ----a-w-    c:\windows\system32\drivers\netfilter.sys
2014-06-12 13:36 . 2014-03-26 14:27    1389056    ----a-w-    c:\windows\system32\msxml6.dll
2014-06-12 13:36 . 2014-03-26 14:27    1237504    ----a-w-    c:\windows\system32\msxml3.dll
2014-06-12 13:36 . 2014-03-26 14:25    2048    ----a-w-    c:\windows\system32\msxml6r.dll
2014-06-12 13:36 . 2014-03-26 14:25    2048    ----a-w-    c:\windows\system32\msxml3r.dll
2014-06-12 13:36 . 2014-04-05 02:25    1294272    ----a-w-    c:\windows\system32\drivers\tcpip.sys
2014-06-12 13:36 . 2014-04-05 02:24    187840    ----a-w-    c:\windows\system32\drivers\FWPKCLNT.SYS
2014-06-12 13:36 . 2014-04-25 02:06    626688    ----a-w-    c:\windows\system32\usp10.dll
2014-06-12 13:36 . 2014-05-08 09:06    919040    ----a-w-    c:\windows\system32\rdpcorets.dll
2014-06-11 20:47 . 2014-06-11 20:47    --------    d--h--w-    c:\programdata\CanonIJScan
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-06-05 23:52 . 2014-06-05 23:52    9216    ----a-w-    c:\windows\system32\drivers\massfilter_hs.sys
2014-04-12 02:15 . 2014-05-15 15:20    67520    ----a-w-    c:\windows\system32\drivers\ksecdd.sys
2014-04-12 02:15 . 2014-05-15 15:20    136640    ----a-w-    c:\windows\system32\drivers\ksecpkg.sys
2014-04-12 02:12 . 2014-05-15 15:20    15872    ----a-w-    c:\windows\system32\sspisrv.dll
2014-04-12 02:12 . 2014-05-15 15:20    100352    ----a-w-    c:\windows\system32\sspicli.dll
2014-04-12 02:12 . 2014-05-15 15:20    22016    ----a-w-    c:\windows\system32\secur32.dll
2014-04-12 02:11 . 2014-05-15 15:20    22528    ----a-w-    c:\windows\system32\lsass.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2014-06-27 18:20    579400    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2014-06-27 18:20    579400    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedViewOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2014-06-27 18:20    579400    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2014-06-27 18:20    579400    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2014-06-27 18:20    579400    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
"GoogleDriveSync"="c:\program files\Google\Drive\googledrivesync.exe" [2014-06-27 24477056]
"ApplePhotoStreams"="c:\program files\Common Files\Apple\Internet Services\ApplePhotoStreams.exe" [2013-11-20 59720]
"GoogleChromeAutoLaunch_D7F8A353CC6ED011209C1472171116E7"="c:\program files\Google\Chrome\Application\chrome.exe" [2014-06-05 860488]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-02-13 43848]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2014-01-17 421888]
"AVG_UI"="c:\program files\AVG\AVG2014\avgui.exe" [2014-06-17 5179408]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2014-05-26 152392]
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2014-06-24 4101576]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SPReview"="c:\windows\System32\SPReview\SPReview.exe" [2013-09-08 280576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk * \0BootDefrag.exe\0bootdelete
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adawarebp]
reg.exe delete HKCU\Software\AppDataLow\Software\adawarebp [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adawarebp_DATA_FOLDER]
rmdir [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adawarebp_INSTALL_FOLDER]
rmdir [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fitbit Connect]
2014-01-10 19:06    3362336    ----a-r-    c:\program files\Fitbit Connect\Fitbit Connect.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoogleChromeAutoLaunch_D7F8A353CC6ED011209C1472171116E7]
2014-06-05 13:58    860488    ----a-w-    c:\program files\Google\Chrome\Application\chrome.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GUDelayStartup]
2014-07-02 09:09    37152    ----a-w-    c:\program files\Glary Utilities 5\StartupManager.exe
.
R1 netfilter2;netfilter2;c:\windows\system32\drivers\netfilter2.sys [x]
R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [2014-01-07 15384]
R3 EsgScanner;EsgScanner;c:\windows\system32\DRIVERS\EsgScanner.sys [2012-06-22 19984]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2014-06-18 108032]
R3 massfilter_hs;HS HandSet Mass Storage Filter Driver;c:\windows\system32\DRIVERS\massfilter_hs.sys [2014-06-05 9216]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2013-09-07 1343400]
R3 zghsdiag;ZTE General Handset Diagnostic Port;c:\windows\system32\DRIVERS\zghsdiag.sys [2011-01-13 106752]
S0 AVGIDSHX;AVGIDSHX;c:\windows\system32\DRIVERS\avgidshx.sys [2014-06-17 147736]
S0 Avglogx;AVG Logging Driver;c:\windows\system32\DRIVERS\avglogx.sys [2014-06-17 241944]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [2014-06-17 27416]
S0 BootDefragDriver;BootDefragDriver;c:\windows\System32\drivers\BootDefragDriver.sys [2014-07-01 16064]
S0 GUBootStartup;GUBootStartup;c:\windows\System32\drivers\GUBootStartup.sys [2014-07-06 17088]
S1 Avgdiskx;AVG Disk Driver;c:\windows\system32\DRIVERS\avgdiskx.sys [2014-06-17 121624]
S1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdriverx.sys [2014-06-17 199960]
S1 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\avgidsshimx.sys [2014-06-17 21272]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [2014-06-17 188696]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [2014-06-17 197400]
S1 netfilter;netfilter;c:\windows\system32\drivers\netfilter.sys [2014-06-12 31744]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2014\avgidsagent.exe [2014-06-27 3241488]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2014\avgwdsvc.exe [2014-06-17 289328]
S2 Fitbit Connect;Fitbit Connect Service;c:\program files\Fitbit Connect\FitbitConnectService.exe [2014-01-10 1435680]
S2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [2009-09-26 189736]
S2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe [2014-07-04 106248]
S2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [2013-06-28 14624]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes Anti-Malware\mbamscheduler.exe [2014-05-12 1809720]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes Anti-Malware\mbamservice.exe [2014-05-12 860472]
S2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [2014-06-24 1738168]
S2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [2014-06-27 2088408]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [2014-04-25 171928]
S2 vToolbarUpdater18.1.5;vToolbarUpdater18.1.5;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\18.1.5\ToolbarUpdater.exe [2014-05-11 1801752]
S3 athur;Atheros AR9271 Wireless Network Adapter Service;c:\windows\system32\DRIVERS\athur.sys [2010-10-11 1564160]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-05-12 23256]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-07-10 110296]
S3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2014-05-12 51928]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-09-28 315392]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - HITMANPRO37
*NewlyCreated* - MBAMSWISSARMY
*Deregistered* - hitmanpro37
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-06-13 21:47    1091912    ----a-w-    c:\program files\Google\Chrome\Application\35.0.1916.153\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-07-09 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-07-04 17:01]
.
2014-07-10 c:\windows\Tasks\GlaryInitialize 5.job
- c:\program files\Glary Utilities 5\Initialize.exe [2014-07-02 09:08]
.
2014-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-09-09 19:11]
.
2014-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-09-09 19:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = about:blank
uInternet Settings,ProxyOverride = <-loopback>
TCP: DhcpNameServer = 192.168.10.1
FF - ProfilePath - c:\users\Bill\AppData\Roaming\Mozilla\Firefox\Profiles\rrqaj89f.default-1385333118702\
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{95B7759C-8C7F-4BF1-B163-73684A933233} - (no file)
WebBrowser-{41564952-412D-5637-00A7-7A786E7484D7} - (no file)
Notify-SDWinLogon - SDWinLogon.dll
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG2014\avgrsx.exe
c:\program files\AVG\AVG2014\avgcsrvx.exe
c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\taskhost.exe
c:\program files\Malwarebytes Anti-Malware\mbam.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\AVG\AVG2014\avgnsx.exe
c:\program files\AVG\AVG2014\avgemcx.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Microsoft Mouse and Keyboard Center\ipoint.exe
c:\program files\Microsoft Mouse and Keyboard Center\itype.exe
c:\program files\Enigma Software Group\SpyHunter\Spyhunter4.exe
c:\windows\system32\conhost.exe
c:\program files\Glary Utilities 5\Integrator.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Completion time: 2014-07-09  20:40:37 - machine was rebooted
ComboFix-quarantined-files.txt  2014-07-10 00:40
.
Pre-Run: 253,880,098,816 bytes free
Post-Run: 253,532,336,128 bytes free
.
- - End Of File - - 105CB6E70D300A384D748E395D759012
A36C5E4F47E84449FF07ED3517B43A31

#6 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:11:14 PM

Posted 13 July 2014 - 12:23 PM

Full System Scan with Malwarebytes Antimalware

  • If not existing, please download Malwarebytes Anti-Malware to your desktop.
  • Double-click the downloaded setup file and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:

    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.

  • Click Finish.


If the program is already installed:
  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.


  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

Scan with ESET Online Scan

Please go here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats' , then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.


Proud Member of UNITE & TB

My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#7 BillH1971

  • Topic Starter
  • Members
  • 10 posts
  • Gender:Male
  • Location:Floyds Knobs, In.
  • Local time:06:14 PM

Posted 13 July 2014 - 09:48 PM
Posted 13 July 2014 - 09:48 PM

Hello Marius;

 

I ran the Malwarebytes scan and the log is included below.

The ESET program would not let me scan without downloading the trial version.  So I downloaded and ran ESET.  The log did not show any infections.  I appreciate your help.

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 7/13/2014
Scan Time: 4:28:17 PM
Logfile: MalwarebytesSunday.txt
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.07.13.05
Rootkit Database: v2014.07.09.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: Bill

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 286387
Time Elapsed: 6 min, 28 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 2
PUP.Optional.Conduit.A, C:\Users\Bill\AppData\Local\Google\Chrome\User Data\Default\Preferences, Good: (), Bad: (   "homepage": "http://search.conduit.com/?ctid=CT3318665&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=4&UP=SPA9DD4FA4-9D78-4D00-8855-228D16B69661&SSPV=",), Replaced,[5aaf009f146763d335c900cdce3649b7]
PUP.Optional.Conduit.A, C:\Users\Bill\AppData\Local\Google\Chrome\User Data\Default\Preferences, Good: (), Bad: (      "startup_urls": [ "http://search.conduit.com/?ctid=CT3318665&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=4&UP=SPA9DD4FA4-9D78-4D00-8855-228D16B69661&SSPV=", "http://feed.helperbar.com/?p=mKO_AwFzXIpYRbPPq_NcKDZkQXPy4TZR44LspvC9sb99JtP_8ppO11zBlE0vS10jcbk152optgyEl7qRYCkW2Pl1bkew5QMxDK8Ycnd5eG1D00L0zUYiF4GsLAelGj5wiCrGvHU7Lw1bRchVrhmP5L3BbJEbgYLWzI2r9XGH1gVm_bD7qGIQoEq2QT5u", "http://search.conduit.com/?ctid=CT3318665&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=4&UP=SP33744CFA-2601-496C-BA59-C0E96A41D0A3&SSPV=" ],), Replaced,[b851d6c9007b89ad98987b5347bd45bb]

Physical Sectors: 0
(No malicious items detected)


(end)



#8 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:11:14 PM

Posted 14 July 2014 - 09:59 AM

Then we can do the cleanup - if you are facing any issues, report that immediately.

Delete junk with adwCleaner


Please download AdwCleaner to your desktop.


  • Run adwcleaner.exe
  • Hit Scan and wait for the scan to finish.
  • Confirm the message but don't uncheck anything.
  • Hit Clean
  • When the run is finished, it will open up a text file
  • Please post its contents within your next reply
  • You'll find the log file at C:\AdwCleaner[S1].txt also




Delete junk with JRT

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.




SecurityCheck

Reboot your system before starting!

Please download SecurityCheck: LINK1 LINK2

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan finished the (checkup.txt) will open. Copy its content to your thread.



#9 BillH1971

  • Topic Starter
  • Members
  • 10 posts
  • Gender:Male
  • Location:Floyds Knobs, In.
  • Local time:06:14 PM

Posted 14 July 2014 - 01:45 PM

Hi Marius;

 

I downloaded and ran AdwCleaner, Junkware Removal Tool and Security Check.  The logs are below.

One issue that still concerns me is after finishing the above listed scans and fixes, I ran SpyBot and it still shows the Zlob.mediacodec trojan present in the scan results.  It shows it in location User settings at HKUS\S-1-5-21-957429503-3. Under type infection it says Registry Key.  I am not seeing the malware pop ups and fake screens suddenly come up like I did before contacting you.  Computer seems to run normally but I don't understand why every time I run SpyBot it still finds it present. Thanks for your help.

Bill

 

 Results of screen317's Security Check version 0.99.85  
 Windows 7 Service Pack 1 x86 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
AVG AntiVirus Free Edition 2014   
ESET NOD32 Antivirus 7.0          
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````
 SpyHunter     
 Spybot - Search & Destroy
 CCleaner     
 Adobe Flash Player     14.0.0.145  
 Mozilla Firefox (30.0)
 Mozilla Thunderbird (24.6.0)
 Google Chrome 35.0.1916.114  
 Google Chrome 35.0.1916.153  
````````Process Check: objlist.exe by Laurent````````  
 ESET NOD32 Antivirus egui.exe  
 ESET NOD32 Antivirus ekrn.exe  
 Spybot Teatimer.exe is disabled!
 AVG avgwdsvc.exe
 AVG avgrsx.exe
 AVG avgnsx.exe
 AVG avgemc.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````
 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 7 Enterprise x86
Ran by Bill on Mon 07/14/2014 at 12:36:53.87
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\sparktrust
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\sparktrust



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\sparktrust"
Successfully deleted: [Folder] "C:\Users\Bill\AppData\Roaming\sparktrust"
Successfully deleted: [Folder] "C:\Users\Bill\Local Settings\Application Data\adawarebp"
Successfully deleted: [Folder] "C:\Program Files\video download converter"
Successfully deleted: [Folder] "C:\Windows\system32\ai_recyclebin"



~~~ FireFox

Successfully deleted the following from C:\Users\Bill\AppData\Roaming\mozilla\firefox\profiles\rrqaj89f.default-1385333118702\prefs.js

user_pref("browser.uiCustomization.state", "{\"placements\":{\"PanelUI-contents\":[\"edit-controls\",\"zoom-controls\",\"new-window-button\",\"privatebrowsing-button\",\"save-
Emptied folder: C:\Users\Bill\AppData\Roaming\mozilla\firefox\profiles\rrqaj89f.default-1385333118702\minidumps [106 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 07/14/2014 at 12:40:42.11
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

# AdwCleaner v3.215 - Report created 14/07/2014 at 12:18:15
# Updated 09/07/2014 by Xplode
# Operating System : Windows 7 Enterprise Service Pack 1 (32 bits)
# Username : Bill - BILL-PC
# Running from : C:\Users\Bill\Downloads\adwcleaner_3.215.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\AVG Secure Search
Folder Deleted : C:\Program Files\Common Files\AVG Secure Search
Folder Deleted : C:\Users\Bill\AppData\LocalLow\AVG SafeGuard toolbar
Folder Deleted : C:\Users\Bill\AppData\LocalLow\weDownload Manager Pro
Folder Deleted : C:\Users\Bill\AppData\Roaming\DriverCure
File Deleted : C:\END
File Deleted : C:\Users\Bill\AppData\Roaming\aps.uninstall.scan.results
File Deleted : C:\Program Files\Mozilla Firefox\browser\searchplugins\safeguard-secure-search.xml
File Deleted : C:\Users\Bill\AppData\Roaming\Mozilla\Firefox\Profiles\rrqaj89f.default-1385333118702\user.js
File Deleted : C:\Users\Bill\AppData\Roaming\Mozilla\Firefox\Profiles\{DefaultProfilesFolder}\user.js
File Deleted : C:\Windows\System32\Tasks\LaunchApp

***** [ Shortcuts ] *****


***** [ Registry ] *****

Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [Avg@toolbar]
[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{805E513D-707A-4E8A-9434-E424F3BD8DC8}
[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{805E513D-707A-4E8A-9434-E424F3BD8DC8}
[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1EC9510D-A439-4950-9399-B6399EDF9EA7}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Deleted : HKLM\SOFTWARE\Classes\protocols\handler\viprotocol
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\avg-secure-search-installer_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\avg-secure-search-installer_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\BackupStack_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\BackupStack_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\MyPC Backup_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\MyPC Backup_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\Psteeyahhpsdhs_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\Psteeyahhpsdhs_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\WajamInternetEnhancer_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\WajamInternetEnhancer_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\weDownload Manager Pro-codedownloader_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\weDownload Manager Pro-codedownloader_RASMANCS
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE07101B-46D4-4A98-AF68-0333EA26E113}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\AnyProtect
Key Deleted : HKCU\Software\AVG SafeGuard toolbar
Key Deleted : HKCU\Software\AppDataLow\Software\adawarebp
Key Deleted : HKLM\Software\AVG SafeGuard toolbar
Key Deleted : HKLM\Software\AVG Security Toolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Toolbar Cleaner

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17207


-\\ Mozilla Firefox v30.0 (en-US)

[ File : C:\Users\Bill\AppData\Roaming\Mozilla\Firefox\Profiles\rrqaj89f.default-1385333118702\prefs.js ]

Line Deleted : user_pref("browser.uiCustomization.state", "{\"placements\":{\"PanelUI-contents\":[\"edit-controls\",\"zoom-controls\",\"new-window-button\",\"privatebrowsing-button\",\"save-page-button\",\"print-but[...]
Line Deleted : user_pref("extensions.helperbar.DockingPositionDown", true);
Line Deleted : user_pref("extensions.helperbar.SmartbarDisabled", false);
Line Deleted : user_pref("extensions.toolbar.mindspark._39Members_.BUTTON_STRUCTURE", "[{\"b\":220923973,\"c\":\"mindspark.magnify\",\"p\":\"L.0\"},{\"b\":220923974,\"c\":\"mindspark.entersearchterms\",\"p\":\"L.0.0[...]
Line Deleted : user_pref("extensions.toolbar.mindspark._39Members_.firstKnownVersion", "5.79.3.20534");
Line Deleted : user_pref("extensions.toolbar.mindspark._39Members_.initialized", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._39Members_.installKeysSource", "Cookies");
Line Deleted : user_pref("extensions.toolbar.mindspark._39Members_.installType", "XPI");
Line Deleted : user_pref("extensions.toolbar.mindspark._39Members_.installation.contextKey", "");
Line Deleted : user_pref("extensions.toolbar.mindspark._39Members_.installation.installDate", "2014012209");
Line Deleted : user_pref("extensions.toolbar.mindspark._39Members_.installation.partnerId", "^UX^xdm025^S08347^us");
Line Deleted : user_pref("extensions.toolbar.mindspark._39Members_.installation.partnerSubId", "250652_new-maps-ADDD");
Line Deleted : user_pref("extensions.toolbar.mindspark._39Members_.installation.pixelUrl", "hxxp://free.mapsgalaxy.com/install_pixels.jhtml?partner=^UX^xdm025^S08347^us&coId=08d274d645574f83921adeae2caba9c8");
Line Deleted : user_pref("extensions.toolbar.mindspark._39Members_.installation.success", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._39Members_.installation.toolbarId", "3EF24803-2617-4D30-A3A4-CC9D60785B0E");
Line Deleted : user_pref("extensions.toolbar.mindspark._39Members_.isCompliantUninstallImplementation", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._39Members_.lastActivePing", "1400463588140");
Line Deleted : user_pref("extensions.toolbar.mindspark._39Members_.lastKnownVersion", "5.79.3.20534");
Line Deleted : user_pref("extensions.toolbar.mindspark._39Members_.options.defaultSearch", false);
Line Deleted : user_pref("extensions.toolbar.mindspark._39Members_.options.homePageEnabled", false);
Line Deleted : user_pref("extensions.toolbar.mindspark._39Members_.options.keywordEnabled", false);
Line Deleted : user_pref("extensions.toolbar.mindspark._39Members_.options.tabEnabled", false);
Line Deleted : user_pref("extensions.toolbar.mindspark._39Members_.partnerPixelFired", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._39Members_.searchHistory", "settings||google.com||215 Central Ave Suite 100Louisville, KY 40208||ed tv||sandra koontz hockman||Aaron Jones||how to forward emai[...]
Line Deleted : user_pref("extensions.toolbar.mindspark._39Members_.toolbarCollapsed", false);
Line Deleted : user_pref("extensions.toolbar.mindspark._39Members_.weather.location", "47150");
Line Deleted : user_pref("extensions.toolbar.mindspark._5qMembers_.BUTTON_STRUCTURE", "[{\"b\":220749065,\"c\":\"mindspark.magnify\",\"p\":\"L.0\"},{\"b\":220749066,\"c\":\"mindspark.entersearchterms\",\"p\":\"L.0.0[...]
Line Deleted : user_pref("extensions.toolbar.mindspark._5qMembers_.firstKnownVersion", "5.75.2.64293");
Line Deleted : user_pref("extensions.toolbar.mindspark._5qMembers_.initialized", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._5qMembers_.installKeysSource", "LocalStorage");
Line Deleted : user_pref("extensions.toolbar.mindspark._5qMembers_.installType", "XPI");
Line Deleted : user_pref("extensions.toolbar.mindspark._5qMembers_.installation.contextKey", "");
Line Deleted : user_pref("extensions.toolbar.mindspark._5qMembers_.installation.installDate", "2014011910");
Line Deleted : user_pref("extensions.toolbar.mindspark._5qMembers_.installation.partnerId", "^ZJ^xpt239^S07867^us");
Line Deleted : user_pref("extensions.toolbar.mindspark._5qMembers_.installation.partnerSubId", "begin-download");
Line Deleted : user_pref("extensions.toolbar.mindspark._5qMembers_.installation.pixelUrl", "hxxp://zwinky.dl.tb.ask.com/install_pixels.jhtml?partner=^ZJ^xpt239^S07867^us&coId=3e94b695308645d7af1efd65c88f5228");
Line Deleted : user_pref("extensions.toolbar.mindspark._5qMembers_.installation.success", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._5qMembers_.installation.toolbarId", "41501347-5129-45D7-83A8-38D5E58216A0");
Line Deleted : user_pref("extensions.toolbar.mindspark._5qMembers_.isCompliantUninstallImplementation", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._5qMembers_.lastActivePing", "1400463587902");
Line Deleted : user_pref("extensions.toolbar.mindspark._5qMembers_.lastKnownVersion", "5.75.2.64293");
Line Deleted : user_pref("extensions.toolbar.mindspark._5qMembers_.options.defaultSearch", false);
Line Deleted : user_pref("extensions.toolbar.mindspark._5qMembers_.options.homePageEnabled", false);
Line Deleted : user_pref("extensions.toolbar.mindspark._5qMembers_.options.keywordEnabled", false);
Line Deleted : user_pref("extensions.toolbar.mindspark._5qMembers_.options.tabEnabled", false);
Line Deleted : user_pref("extensions.toolbar.mindspark._5qMembers_.partnerPixelFired", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._5qMembers_.toolbarCollapsed", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._5qMembers_.weather.location", "47150");
Line Deleted : user_pref("extensions.toolbar.mindspark._9tMembers_.BUTTON_STRUCTURE", "[{\"b\":221351975,\"c\":\"mindspark.magnify\",\"p\":\"L.0\"},{\"b\":221351976,\"c\":\"mindspark.entersearchterms\",\"p\":\"L.0.0[...]
Line Deleted : user_pref("extensions.toolbar.mindspark._9tMembers_.browser.search.defaultenginename.savedPrev", "true");
Line Deleted : user_pref("extensions.toolbar.mindspark._9tMembers_.browser.search.defaultenginename.tb", "Ask Web Search");
Line Deleted : user_pref("extensions.toolbar.mindspark._9tMembers_.browser.search.selectedEngine.savedPrev", "true");
Line Deleted : user_pref("extensions.toolbar.mindspark._9tMembers_.browser.search.selectedEngine.tb", "Ask Web Search");
Line Deleted : user_pref("extensions.toolbar.mindspark._9tMembers_.browser.startup.homepage.savedPrev", "true");
Line Deleted : user_pref("extensions.toolbar.mindspark._9tMembers_.browser.startup.page.savedPrev", 1);
Line Deleted : user_pref("extensions.toolbar.mindspark._9tMembers_.browser.startup.page.tb", 1);
Line Deleted : user_pref("extensions.toolbar.mindspark._9tMembers_.competitorDNS", "{\"comment\":\"refresh every 1 week (7*24*60*60*1000)\",\"refreshPeriod\":604800000,\"list\":[{\"url\":\"hxxp://www.dnsrsearch.com/[...]
Line Deleted : user_pref("extensions.toolbar.mindspark._9tMembers_.firstKnownVersion", "6.52.4.5235");
Line Deleted : user_pref("extensions.toolbar.mindspark._9tMembers_.hp.enabled", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._9tMembers_.hp.user.defined", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._9tMembers_.initialized", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._9tMembers_.installKeysSource", "LocalStorage");
Line Deleted : user_pref("extensions.toolbar.mindspark._9tMembers_.installType", "XPI");
Line Deleted : user_pref("extensions.toolbar.mindspark._9tMembers_.installation.contextKey", "");
Line Deleted : user_pref("extensions.toolbar.mindspark._9tMembers_.installation.installDate", "2014060908");
Line Deleted : user_pref("extensions.toolbar.mindspark._9tMembers_.installation.partnerId", "^BBQ^xdm105^YYA^us");
Line Deleted : user_pref("extensions.toolbar.mindspark._9tMembers_.installation.partnerSubId", "314029");
Line Deleted : user_pref("extensions.toolbar.mindspark._9tMembers_.installation.pixelUrl", "hxxp://internetspeedtracker.dl.tb.ask.com/install_pixels.jhtml?partner=^BBQ^xdm105^YYA^us&coId=669a704f5830461093d29383d92c[...]
Line Deleted : user_pref("extensions.toolbar.mindspark._9tMembers_.installation.success", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._9tMembers_.installation.toolbarId", "66836671-AA0C-457F-9B3B-72C032140EBB");
Line Deleted : user_pref("extensions.toolbar.mindspark._9tMembers_.isCompliantUninstallImplementation", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._9tMembers_.lastActivePing", "1404666543144");
Line Deleted : user_pref("extensions.toolbar.mindspark._9tMembers_.lastKnownVersion", "6.52.4.5235");
Line Deleted : user_pref("extensions.toolbar.mindspark._9tMembers_.options.defaultSearch", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._9tMembers_.options.homePageEnabled", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._9tMembers_.options.keywordEnabled", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._9tMembers_.options.tabEnabled", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._9tMembers_.partnerPixelFired", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._9tMembers_.searchHistory", "bank of america||port a number to republic||wrt54g");
Line Deleted : user_pref("extensions.toolbar.mindspark._9tMembers_.successUrl", "hxxp://www.rinternetspeedassistant.com/success.html");
Line Deleted : user_pref("extensions.toolbar.mindspark._9tMembers_.toolbarCollapsed", false);
Line Deleted : user_pref("extensions.toolbar.mindspark._9tMembers_.weather.location", "47150");
Line Deleted : user_pref("extensions.toolbar.mindspark.hp.enabled", true);
Line Deleted : user_pref("extensions.toolbar.mindspark.hp.enabled.guid", "internetspeedtracker@mindspark.com");
Line Deleted : user_pref("extensions.toolbar.mindspark.lastInstalled", "internetspeedtracker@mindspark.com");

[ File : C:\Users\Bill\AppData\Roaming\Mozilla\Firefox\Profiles\{DefaultProfilesFolder}\prefs.js ]


-\\ Google Chrome v35.0.1916.153

[ File : C:\Users\Bill\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Deleted [Search Provider] : hxxp://search.aol.com/aol/search?query={searchTerms}
Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
Deleted [Search Provider] : hxxp://feed.helperbar.com/?p=mKO_AwFzXIpYRbPPq_NcKDZkQXPy4TZR44LspvC9sb99JtP_8ppO11zBlE0vS10jcbk152optgyEl7qRYCkW2Pl1bkew5QMxDK8Ycnd5eG1D00L0zUYiF4GsLAelGjJ6pqioN37mdZnr2CPZ0Pv-ei-q2yn1NY5Ppfj1hS96VoSLtiEmj0YZ3wPypZaW&q={searchTerms}
Deleted [Search Provider] : hxxp://search.conduit.com/Results.aspx?ctid=CT3317458&octid=EB_ORIGINAL_CTID&SearchSource=58&CUI=&UM=4&UP=SPA9DD4FA4-9D78-4D00-8855-228D16B69661&q={searchTerms}&SSPV=
Deleted [Startup_urls] : hxxp://search.conduit.com/?ctid=CT3318665&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=4&UP=SPA9DD4FA4-9D78-4D00-8855-228D16B69661&SSPV=
Deleted [Startup_urls] : hxxp://feed.helperbar.com/?p=mKO_AwFzXIpYRbPPq_NcKDZkQXPy4TZR44LspvC9sb99JtP_8ppO11zBlE0vS10jcbk152optgyEl7qRYCkW2Pl1bkew5QMxDK8Ycnd5eG1D00L0zUYiF4GsLAelGj5wiCrGvHU7Lw1bRchVrhmP5L3BbJEbgYLWzI2r9XGH1gVm_bD7qGIQoEq2QT5u
Deleted [Startup_urls] : hxxp://search.conduit.com/?ctid=CT3318665&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=4&UP=SP33744CFA-2601-496C-BA59-C0E96A41D0A3&SSPV=
Deleted [Homepage] : hxxp://search.conduit.com/?ctid=CT3318665&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=4&UP=SPA9DD4FA4-9D78-4D00-8855-228D16B69661&SSPV=
Deleted [Extension] : cmclajginlihohopoeofghddnhpplhom

*************************

AdwCleaner[R0].txt - [15364 octets] - [14/07/2014 12:16:08]
AdwCleaner[S0].txt - [16183 octets] - [14/07/2014 12:18:15]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [16244 octets] ##########

# AdwCleaner v3.215 - Report created 14/07/2014 at 12:16:08
# Updated 09/07/2014 by Xplode
# Operating System : Windows 7 Enterprise Service Pack 1 (32 bits)
# Username : Bill - BILL-PC
# Running from : C:\Users\Bill\Downloads\adwcleaner_3.215.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****

File Found : C:\END
File Found : C:\Program Files\Mozilla Firefox\browser\searchplugins\safeguard-secure-search.xml
File Found : C:\Users\Bill\AppData\Roaming\aps.uninstall.scan.results
File Found : C:\Users\Bill\AppData\Roaming\Mozilla\Firefox\Profiles\{DefaultProfilesFolder}\user.js
File Found : C:\Users\Bill\AppData\Roaming\Mozilla\Firefox\Profiles\rrqaj89f.default-1385333118702\user.js
File Found : C:\Windows\System32\Tasks\LaunchApp
Folder Found : C:\Program Files\Common Files\AVG Secure Search
Folder Found : C:\ProgramData\AVG Secure Search
Folder Found : C:\Users\Bill\AppData\LocalLow\AVG SafeGuard toolbar
Folder Found : C:\Users\Bill\AppData\LocalLow\weDownload Manager Pro
Folder Found : C:\Users\Bill\AppData\Roaming\DriverCure

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\AnyProtect
Key Found : HKCU\Software\AppDataLow\Software\adawarebp
Key Found : HKCU\Software\AVG SafeGuard toolbar
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE07101B-46D4-4A98-AF68-0333EA26E113}
Key Found : HKLM\Software\AVG SafeGuard toolbar
Key Found : HKLM\Software\AVG Security Toolbar
Key Found : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Found : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Found : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Found : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Found : HKLM\SOFTWARE\Classes\protocols\handler\viprotocol
Key Found : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Found : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Found : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Found : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\avg-secure-search-installer_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\avg-secure-search-installer_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\BackupStack_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\BackupStack_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\MyPC Backup_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\MyPC Backup_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\Psteeyahhpsdhs_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\Psteeyahhpsdhs_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\WajamInternetEnhancer_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\WajamInternetEnhancer_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\weDownload Manager Pro-codedownloader_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\weDownload Manager Pro-codedownloader_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{805E513D-707A-4E8A-9434-E424F3BD8DC8}
Key Found : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1EC9510D-A439-4950-9399-B6399EDF9EA7}
Key Found : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{805E513D-707A-4E8A-9434-E424F3BD8DC8}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Toolbar Cleaner
Key Found : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Value Found : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [Avg@toolbar]

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17207


-\\ Mozilla Firefox v30.0 (en-US)

[ File : C:\Users\Bill\AppData\Roaming\Mozilla\Firefox\Profiles\rrqaj89f.default-1385333118702\prefs.js ]

Line Found : user_pref("browser.uiCustomization.state", "{\"placements\":{\"PanelUI-contents\":[\"edit-controls\",\"zoom-controls\",\"new-window-button\",\"privatebrowsing-button\",\"save-page-button\",\"print-but[...]
Line Found : user_pref("extensions.helperbar.DockingPositionDown", true);
Line Found : user_pref("extensions.helperbar.SmartbarDisabled", false);
Line Found : user_pref("extensions.toolbar.mindspark._39Members_.BUTTON_STRUCTURE", "[{\"b\":220923973,\"c\":\"mindspark.magnify\",\"p\":\"L.0\"},{\"b\":220923974,\"c\":\"mindspark.entersearchterms\",\"p\":\"L.0.0[...]
Line Found : user_pref("extensions.toolbar.mindspark._39Members_.firstKnownVersion", "5.79.3.20534");
Line Found : user_pref("extensions.toolbar.mindspark._39Members_.initialized", true);
Line Found : user_pref("extensions.toolbar.mindspark._39Members_.installKeysSource", "Cookies");
Line Found : user_pref("extensions.toolbar.mindspark._39Members_.installType", "XPI");
Line Found : user_pref("extensions.toolbar.mindspark._39Members_.installation.contextKey", "");
Line Found : user_pref("extensions.toolbar.mindspark._39Members_.installation.installDate", "2014012209");
Line Found : user_pref("extensions.toolbar.mindspark._39Members_.installation.partnerId", "^UX^xdm025^S08347^us");
Line Found : user_pref("extensions.toolbar.mindspark._39Members_.installation.partnerSubId", "250652_new-maps-ADDD");
Line Found : user_pref("extensions.toolbar.mindspark._39Members_.installation.pixelUrl", "hxxp://free.mapsgalaxy.com/install_pixels.jhtml?partner=^UX^xdm025^S08347^us&coId=08d274d645574f83921adeae2caba9c8");
Line Found : user_pref("extensions.toolbar.mindspark._39Members_.installation.success", true);
Line Found : user_pref("extensions.toolbar.mindspark._39Members_.installation.toolbarId", "3EF24803-2617-4D30-A3A4-CC9D60785B0E");
Line Found : user_pref("extensions.toolbar.mindspark._39Members_.isCompliantUninstallImplementation", true);
Line Found : user_pref("extensions.toolbar.mindspark._39Members_.lastActivePing", "1400463588140");
Line Found : user_pref("extensions.toolbar.mindspark._39Members_.lastKnownVersion", "5.79.3.20534");
Line Found : user_pref("extensions.toolbar.mindspark._39Members_.options.defaultSearch", false);
Line Found : user_pref("extensions.toolbar.mindspark._39Members_.options.homePageEnabled", false);
Line Found : user_pref("extensions.toolbar.mindspark._39Members_.options.keywordEnabled", false);
Line Found : user_pref("extensions.toolbar.mindspark._39Members_.options.tabEnabled", false);
Line Found : user_pref("extensions.toolbar.mindspark._39Members_.partnerPixelFired", true);
Line Found : user_pref("extensions.toolbar.mindspark._39Members_.searchHistory", "settings||google.com||215 Central Ave Suite 100Louisville, KY 40208||ed tv||sandra koontz hockman||Aaron Jones||how to forward emai[...]
Line Found : user_pref("extensions.toolbar.mindspark._39Members_.toolbarCollapsed", false);
Line Found : user_pref("extensions.toolbar.mindspark._39Members_.weather.location", "47150");
Line Found : user_pref("extensions.toolbar.mindspark._5qMembers_.BUTTON_STRUCTURE", "[{\"b\":220749065,\"c\":\"mindspark.magnify\",\"p\":\"L.0\"},{\"b\":220749066,\"c\":\"mindspark.entersearchterms\",\"p\":\"L.0.0[...]
Line Found : user_pref("extensions.toolbar.mindspark._5qMembers_.firstKnownVersion", "5.75.2.64293");
Line Found : user_pref("extensions.toolbar.mindspark._5qMembers_.initialized", true);
Line Found : user_pref("extensions.toolbar.mindspark._5qMembers_.installKeysSource", "LocalStorage");
Line Found : user_pref("extensions.toolbar.mindspark._5qMembers_.installType", "XPI");
Line Found : user_pref("extensions.toolbar.mindspark._5qMembers_.installation.contextKey", "");
Line Found : user_pref("extensions.toolbar.mindspark._5qMembers_.installation.installDate", "2014011910");
Line Found : user_pref("extensions.toolbar.mindspark._5qMembers_.installation.partnerId", "^ZJ^xpt239^S07867^us");
Line Found : user_pref("extensions.toolbar.mindspark._5qMembers_.installation.partnerSubId", "begin-download");
Line Found : user_pref("extensions.toolbar.mindspark._5qMembers_.installation.pixelUrl", "hxxp://zwinky.dl.tb.ask.com/install_pixels.jhtml?partner=^ZJ^xpt239^S07867^us&coId=3e94b695308645d7af1efd65c88f5228");
Line Found : user_pref("extensions.toolbar.mindspark._5qMembers_.installation.success", true);
Line Found : user_pref("extensions.toolbar.mindspark._5qMembers_.installation.toolbarId", "41501347-5129-45D7-83A8-38D5E58216A0");
Line Found : user_pref("extensions.toolbar.mindspark._5qMembers_.isCompliantUninstallImplementation", true);
Line Found : user_pref("extensions.toolbar.mindspark._5qMembers_.lastActivePing", "1400463587902");
Line Found : user_pref("extensions.toolbar.mindspark._5qMembers_.lastKnownVersion", "5.75.2.64293");
Line Found : user_pref("extensions.toolbar.mindspark._5qMembers_.options.defaultSearch", false);
Line Found : user_pref("extensions.toolbar.mindspark._5qMembers_.options.homePageEnabled", false);
Line Found : user_pref("extensions.toolbar.mindspark._5qMembers_.options.keywordEnabled", false);
Line Found : user_pref("extensions.toolbar.mindspark._5qMembers_.options.tabEnabled", false);
Line Found : user_pref("extensions.toolbar.mindspark._5qMembers_.partnerPixelFired", true);
Line Found : user_pref("extensions.toolbar.mindspark._5qMembers_.toolbarCollapsed", true);
Line Found : user_pref("extensions.toolbar.mindspark._5qMembers_.weather.location", "47150");
Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.BUTTON_STRUCTURE", "[{\"b\":221351975,\"c\":\"mindspark.magnify\",\"p\":\"L.0\"},{\"b\":221351976,\"c\":\"mindspark.entersearchterms\",\"p\":\"L.0.0[...]
Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.browser.search.defaultenginename.savedPrev", "true");
Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.browser.search.defaultenginename.tb", "Ask Web Search");
Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.browser.search.selectedEngine.savedPrev", "true");
Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.browser.search.selectedEngine.tb", "Ask Web Search");
Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.browser.startup.homepage.savedPrev", "true");
Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.browser.startup.page.savedPrev", 1);
Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.browser.startup.page.tb", 1);
Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.competitorDNS", "{\"comment\":\"refresh every 1 week (7*24*60*60*1000)\",\"refreshPeriod\":604800000,\"list\":[{\"url\":\"hxxp://www.dnsrsearch.com/[...]
Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.firstKnownVersion", "6.52.4.5235");
Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.hp.enabled", true);
Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.hp.user.defined", true);
Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.initialized", true);
Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.installKeysSource", "LocalStorage");
Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.installType", "XPI");
Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.installation.contextKey", "");
Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.installation.installDate", "2014060908");
Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.installation.partnerId", "^BBQ^xdm105^YYA^us");
Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.installation.partnerSubId", "314029");
Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.installation.pixelUrl", "hxxp://internetspeedtracker.dl.tb.ask.com/install_pixels.jhtml?partner=^BBQ^xdm105^YYA^us&coId=669a704f5830461093d29383d92c[...]
Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.installation.success", true);
Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.installation.toolbarId", "66836671-AA0C-457F-9B3B-72C032140EBB");
Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.isCompliantUninstallImplementation", true);
Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.lastActivePing", "1404666543144");
Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.lastKnownVersion", "6.52.4.5235");
Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.options.defaultSearch", true);
Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.options.homePageEnabled", true);
Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.options.keywordEnabled", true);
Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.options.tabEnabled", true);
Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.partnerPixelFired", true);
Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.searchHistory", "bank of america||port a number to republic||wrt54g");
Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.successUrl", "hxxp://www.rinternetspeedassistant.com/success.html");
Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.toolbarCollapsed", false);
Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.weather.location", "47150");
Line Found : user_pref("extensions.toolbar.mindspark.hp.enabled", true);
Line Found : user_pref("extensions.toolbar.mindspark.hp.enabled.guid", "internetspeedtracker@mindspark.com");
Line Found : user_pref("extensions.toolbar.mindspark.lastInstalled", "internetspeedtracker@mindspark.com");

[ File : C:\Users\Bill\AppData\Roaming\Mozilla\Firefox\Profiles\{DefaultProfilesFolder}\prefs.js ]


-\\ Google Chrome v35.0.1916.153

[ File : C:\Users\Bill\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Found [Startup_urls] : hxxp://search.conduit.com/?ctid=CT3318665&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=4&UP=SPA9DD4FA4-9D78-4D00-8855-228D16B69661&SSPV=
Found [Startup_urls] : hxxp://feed.helperbar.com/?p=mKO_AwFzXIpYRbPPq_NcKDZkQXPy4TZR44LspvC9sb99JtP_8ppO11zBlE0vS10jcbk152optgyEl7qRYCkW2Pl1bkew5QMxDK8Ycnd5eG1D00L0zUYiF4GsLAelGj5wiCrGvHU7Lw1bRchVrhmP5L3BbJEbgYLWzI2r9XGH1gVm_bD7qGIQoEq2QT5u
Found [Startup_urls] : hxxp://search.conduit.com/?ctid=CT3318665&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=4&UP=SP33744CFA-2601-496C-BA59-C0E96A41D0A3&SSPV=
Found [Homepage] : hxxp://search.conduit.com/?ctid=CT3318665&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=4&UP=SPA9DD4FA4-9D78-4D00-8855-228D16B69661&SSPV=
Found [Extension] : cmclajginlihohopoeofghddnhpplhom

*************************

AdwCleaner[R0].txt - [15222 octets] - [14/07/2014 12:16:08]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [15283 octets] ##########

#10 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:11:14 PM

Posted 15 July 2014 - 06:29 AM

Please show me the Spybot log.


Proud Member of UNITE & TB

#11 BillH1971

  • Topic Starter
  • Members

Posted 15 July 2014 - 10:11 AM

Hello Marius,

Here is the SpyBot log I ran yesterday after the cleansing programs were run.

Search results from Spybot - Search & Destroy

7/14/2014 1:32:03 PM
Scan took 00:23:55.
19 items found.

Zlob.Mediacodec: [SBI $6F9E2932] User settings (Registry Key, nothing done)
  HKEY_USERS\S-1-5-21-957429503-3825791257-716250047-1005\Software\Mediacodec

DoubleClick: [SBI $4E2AF2AC] Tracking cookie (Internet Explorer (User): Bill) (Browser: Cookie, nothing done)

DoubleClick: [SBI $4E2AF2AC] Tracking cookie (Firefox: PE_C_USER (default-1385333118702)) (Browser: Cookie, nothing done)

DoubleClick: [SBI $4E2AF2AC] Tracking cookie (Firefox: PE_C_USER (default-1385333118702)) (Browser: Cookie, nothing done)

MediaPlex: [SBI $4E2AF2AC] Tracking cookie (Firefox: PE_C_USER (default-1385333118702)) (Browser: Cookie, nothing done)

MediaPlex: [SBI $4E2AF2AC] Tracking cookie (Firefox: PE_C_USER (default-1385333118702)) (Browser: Cookie, nothing done)

MediaPlex: [SBI $4E2AF2AC] Tracking cookie (Firefox: PE_C_USER (default-1385333118702)) (Browser: Cookie, nothing done)

DoubleClick: [SBI $4E2AF2AC] Tracking cookie (Google Chrome: Default) (Browser: Cookie, nothing done)

MS Management Console: [SBI $ECD50EAD] Recent command list (Registry Key, nothing done)
  HKEY_USERS\S-1-5-21-957429503-3825791257-716250047-1005\Software\Microsoft\Microsoft Management Console\Recent File List

MS Direct3D: [SBI $C2A44980] Most recent application (Registry Change, nothing done)
  HKEY_USERS\S-1-5-21-957429503-3825791257-716250047-1005\Software\Microsoft\Direct3D\MostRecentApplication\Name

MS DirectDraw: [SBI $EB49D5AF] Most recent application (Registry Change, nothing done)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name

Windows Explorer: [SBI $A2C7B3CD] Recent wallpaper list (Registry Key, nothing done)
  HKEY_USERS\S-1-5-21-957429503-3825791257-716250047-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU

Windows Explorer: [SBI $D20DA0AD] Recent file global history (Registry Key, nothing done)
  HKEY_USERS\S-1-5-21-957429503-3825791257-716250047-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Cookie: [SBI $49804B54] Browser: Cookie (20) (Browser: Cookie, nothing done)

Cache: [SBI $49804B54] Browser: Cache (28) (Browser: Cache, nothing done)

History: [SBI $49804B54] Browser: History (16) (Browser: History, nothing done)

Cookie: [SBI $49804B54] Browser: Cookie (586) (Browser: Cookie, nothing done)

Cookie: [SBI $49804B54] Browser: Cookie (2) (Browser: Cookie, nothing done)

Cookie: [SBI $49804B54] Browser: Cookie (35) (Browser: Cookie, nothing done)


--- Spybot - Search & Destroy version: 2.4.40.131  DLL (build: 20140425) ---

2014-06-24 blindman.exe (2.4.40.151)
2014-06-24 explorer.exe (2.4.40.181)
2014-06-24 SDBootCD.exe (2.4.40.109)
2014-06-24 SDCleaner.exe (2.4.40.110)
2014-06-24 SDDelFile.exe (2.4.40.94)
2013-06-18 SDDisableProxy.exe
2014-06-24 SDFiles.exe (2.4.40.135)
2014-06-24 SDFileScanHelper.exe (2.4.40.1)
2014-06-24 SDFSSvc.exe (2.4.40.217)
2014-06-24 SDHelp.exe (2.4.40.1)
2014-04-25 SDHookHelper.exe (2.3.39.2)
2014-04-25 SDHookInst32.exe (2.3.39.2)
2014-06-24 SDImmunize.exe (2.4.40.130)
2014-06-24 SDLogReport.exe (2.4.40.107)
2014-06-24 SDOnAccess.exe (2.4.40.11)
2014-06-24 SDPESetup.exe (2.4.40.3)
2014-06-24 SDPEStart.exe (2.4.40.86)
2014-06-24 SDPhoneScan.exe (2.4.40.28)
2014-06-24 SDPRE.exe (2.4.40.22)
2014-06-24 SDPrepPos.exe (2.4.40.15)
2014-06-24 SDQuarantine.exe (2.4.40.103)
2014-06-24 SDRootAlyzer.exe (2.4.40.116)
2014-06-24 SDSBIEdit.exe (2.4.40.39)
2014-06-24 SDScan.exe (2.4.40.181)
2014-06-24 SDScript.exe (2.4.40.54)
2014-06-24 SDSettings.exe (2.4.40.139)
2014-06-24 SDShell.exe (2.4.40.2)
2014-06-24 SDShred.exe (2.4.40.108)
2014-06-24 SDSysRepair.exe (2.4.40.102)
2014-06-24 SDTools.exe (2.4.40.157)
2014-06-24 SDTray.exe (2.4.40.129)
2014-06-27 SDUpdate.exe (2.4.40.94)
2014-06-27 SDUpdSvc.exe (2.4.40.77)
2014-06-24 SDWelcome.exe (2.4.40.130)
2014-04-25 SDWSCSvc.exe (2.3.39.2)
2014-05-20 spybotsd2-install-bdcore-update.exe (2.3.39.0)
2013-06-19 spybotsd2-translation-frx.exe
2014-07-03 unins000.exe (51.1052.0.0)
1999-12-02 xcacls.exe
2012-08-23 borlndmm.dll (10.0.2288.42451)
2012-09-05 DelZip190.dll (1.9.0.107)
2012-09-10 libeay32.dll (1.0.0.4)
2012-09-10 libssl32.dll (1.0.0.4)
2014-04-25 NotificationSpreader.dll
2014-06-24 SDAdvancedCheckLibrary.dll (2.4.40.98)
2014-04-25 SDAV.dll
2014-06-24 SDECon32.dll (2.4.40.114)
2014-06-24 SDEvents.dll (2.4.40.2)
2014-06-24 SDFileScanLibrary.dll (2.4.40.14)
2014-04-25 SDHook32.dll (2.3.39.2)
2014-06-24 SDImmunizeLibrary.dll (2.4.40.2)
2014-06-24 SDLicense.dll (2.4.40.0)
2014-06-24 SDLists.dll (2.4.40.4)
2014-06-24 SDResources.dll (2.4.40.7)
2014-06-24 SDScanLibrary.dll (2.4.40.131)
2014-06-24 SDTasks.dll (2.4.40.15)
2014-06-24 SDWinLogon.dll (2.4.40.0)
2012-08-23 sqlite3.dll
2012-09-10 ssleay32.dll (1.0.0.4)
2014-06-24 Tools.dll (2.4.40.36)
2014-03-05 Includes\Adware-000.sbi (*)
2014-01-08 Includes\Adware-001.sbi (*)
2014-07-09 Includes\Adware-C.sbi (*)
2014-01-13 Includes\Adware.sbi (*)
2014-01-13 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2014-01-08 Includes\Dialer-000.sbi (*)
2014-01-08 Includes\Dialer-001.sbi (*)
2014-01-08 Includes\Dialer-C.sbi (*)
2014-01-13 Includes\Dialer.sbi (*)
2014-01-13 Includes\DialerC.sbi (*)
2014-01-09 Includes\Fraud-000.sbi (*)
2014-01-09 Includes\Fraud-001.sbi (*)
2014-03-31 Includes\Fraud-002.sbi (*)
2014-01-09 Includes\Fraud-003.sbi (*)
2012-11-14 Includes\HeavyDuty.sbi (*)
2014-01-08 Includes\Hijackers-000.sbi (*)
2014-01-08 Includes\Hijackers-001.sbi (*)
2014-01-08 Includes\Hijackers-C.sbi (*)
2014-01-13 Includes\Hijackers.sbi (*)
2014-01-13 Includes\HijackersC.sbi (*)
2014-01-08 Includes\iPhone-000.sbi (*)
2014-01-08 Includes\iPhone.sbi (*)
2014-01-08 Includes\Keyloggers-000.sbi (*)
2014-03-19 Includes\Keyloggers-C.sbi (*)
2014-01-13 Includes\Keyloggers.sbi (*)
2014-01-13 Includes\KeyloggersC.sbi (*)
2014-01-09 Includes\Malware-001.sbi (*)
2014-01-09 Includes\Malware-002.sbi (*)
2014-02-05 Includes\Malware-003.sbi (*)
2014-01-28 Includes\Malware-004.sbi (*)
2014-04-15 Includes\Malware-005.sbi (*)
2014-02-26 Includes\Malware-006.sbi (*)
2014-01-09 Includes\Malware-007.sbi (*)
2014-07-09 Includes\Malware-C.sbi (*)
2014-01-13 Includes\Malware.sbi (*)
2013-12-23 Includes\MalwareC.sbi (*)
2014-01-15 Includes\PUPS-000.sbi (*)
2014-01-15 Includes\PUPS-001.sbi (*)
2014-01-15 Includes\PUPS-002.sbi (*)
2014-07-09 Includes\PUPS-C.sbi (*)
2012-11-14 Includes\PUPS.sbi (*)
2014-01-07 Includes\PUPSC.sbi (*)
2014-01-08 Includes\Security-000.sbi (*)
2014-01-08 Includes\Security-C.sbi (*)
2014-01-21 Includes\Security.sbi (*)
2014-01-21 Includes\SecurityC.sbi (*)
2014-01-08 Includes\Spyware-000.sbi (*)
2014-01-08 Includes\Spyware-001.sbi (*)
2014-01-08 Includes\Spyware-C.sbi (*)
2014-01-21 Includes\Spyware.sbi (*)
2014-01-21 Includes\SpywareC.sbi (*)
2011-06-07 Includes\Tracks.sbi (*)
2012-11-19 Includes\Tracks.uti (*)
2014-01-15 Includes\Trojans-000.sbi (*)
2014-01-15 Includes\Trojans-001.sbi (*)
2014-01-15 Includes\Trojans-002.sbi (*)
2014-01-15 Includes\Trojans-003.sbi (*)
2014-01-15 Includes\Trojans-004.sbi (*)
2014-03-19 Includes\Trojans-005.sbi (*)
2014-07-09 Includes\Trojans-006.sbi (*)
2014-01-15 Includes\Trojans-007.sbi (*)
2014-07-09 Includes\Trojans-008.sbi (*)
2014-07-09 Includes\Trojans-009.sbi (*)
2014-07-09 Includes\Trojans-C.sbi (*)
2014-01-15 Includes\Trojans-OG-000.sbi (*)
2014-01-15 Includes\Trojans-TD-000.sbi (*)
2014-01-15 Includes\Trojans-VM-000.sbi (*)
2014-01-15 Includes\Trojans-VM-001.sbi (*)
2014-01-15 Includes\Trojans-VM-002.sbi (*)
2014-01-15 Includes\Trojans-VM-003.sbi (*)
2014-01-15 Includes\Trojans-VM-004.sbi (*)
2014-01-15 Includes\Trojans-VM-005.sbi (*)
2014-01-15 Includes\Trojans-VM-006.sbi (*)
2014-01-15 Includes\Trojans-VM-007.sbi (*)
2014-01-15 Includes\Trojans-VM-008.sbi (*)
2014-01-15 Includes\Trojans-VM-009.sbi (*)
2014-01-15 Includes\Trojans-VM-010.sbi (*)
2014-01-15 Includes\Trojans-VM-011.sbi (*)
2014-01-15 Includes\Trojans-VM-012.sbi (*)
2014-01-15 Includes\Trojans-VM-013.sbi (*)
2014-01-15 Includes\Trojans-VM-014.sbi (*)
2014-01-15 Includes\Trojans-VM-015.sbi (*)
2014-01-15 Includes\Trojans-VM-016.sbi (*)
2014-01-15 Includes\Trojans-VM-017.sbi (*)
2014-01-15 Includes\Trojans-VM-018.sbi (*)
2014-01-15 Includes\Trojans-VM-019.sbi (*)
2014-01-15 Includes\Trojans-VM-020.sbi (*)
2014-01-15 Includes\Trojans-VM-021.sbi (*)
2014-01-15 Includes\Trojans-VM-022.sbi (*)
2014-01-15 Includes\Trojans-VM-023.sbi (*)
2014-01-15 Includes\Trojans-VM-024.sbi (*)
2014-01-15 Includes\Trojans-ZB-000.sbi (*)
2014-01-15 Includes\Trojans-ZL-000.sbi (*)
2014-01-09 Includes\Trojans.sbi (*)
2014-01-16 Includes\TrojansC-01.sbi (*)
2014-01-16 Includes\TrojansC-02.sbi (*)
2014-01-16 Includes\TrojansC-03.sbi (*)
2014-01-16 Includes\TrojansC-04.sbi (*)
2014-01-16 Includes\TrojansC-05.sbi (*)
2014-01-09 Includes\TrojansC.sbi (*)
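Added example, not part of the thread and not Spybot's own code: a small parser that does the triage the helper does by eye on a Spybot 2 "Search results" log, separating usage tracks and cookies from malware-family hits and flagging those that are registry-only leftovers. The track-classification keywords are an assumption based on this log's wording, and the embedded sample is an excerpt of the log above with the item count adjusted to match.

```python
"""Parse and triage a Spybot - Search & Destroy 2 "Search results" log.

Added example (not Spybot's code). Findings are split into usage tracks
(cookies, cache, MRU lists) and malware-family detections; a detection
whose only object is a registry key/value is flagged as a registry-only
remnant, which is what "harmless without the files" means in the thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One finding line:  Name: [SBI $XXXXXXXX] description (kind, action)
FINDING_RE = re.compile(
    r"^(?P<name>[^:]+?): \[SBI \$(?P<sbi>[0-9A-F]{8})\] "
    r"(?P<desc>.*) \((?P<kind>[^,()]+), (?P<action>[^()]+)\)$"
)
COUNT_RE = re.compile(r"^(?P<n>\d+) items? found\.$")

# Assumed classification rules derived from the wording of this log.
TRACK_KINDS = ("Browser:",)                 # cookies, cache, history
TRACK_WORDS = ("tracking cookie", "recent")  # MRU / most-recent lists

# Constructed sample: an excerpt of the thread's log, count adjusted to 6.
SAMPLE_LOG = r"""Search results from Spybot - Search & Destroy

7/14/2014 1:32:03 PM
Scan took 00:23:55.
6 items found.

Zlob.Mediacodec: [SBI $6F9E2932] User settings (Registry Key, nothing done)
  HKEY_USERS\S-1-5-21-957429503-3825791257-716250047-1005\Software\Mediacodec

DoubleClick: [SBI $4E2AF2AC] Tracking cookie (Internet Explorer (User): Bill) (Browser: Cookie, nothing done)

MediaPlex: [SBI $4E2AF2AC] Tracking cookie (Firefox: PE_C_USER (default-1385333118702)) (Browser: Cookie, nothing done)

MS Direct3D: [SBI $C2A44980] Most recent application (Registry Change, nothing done)
  HKEY_USERS\S-1-5-21-957429503-3825791257-716250047-1005\Software\Microsoft\Direct3D\MostRecentApplication\Name

Windows Explorer: [SBI $D20DA0AD] Recent file global history (Registry Key, nothing done)
  HKEY_USERS\S-1-5-21-957429503-3825791257-716250047-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Cookie: [SBI $49804B54] Browser: Cookie (586) (Browser: Cookie, nothing done)
"""


@dataclass
class Finding:
    name: str
    sbi: str
    desc: str
    kind: str
    action: str
    location: Optional[str] = None  # indented line that follows, if any

    @property
    def is_track(self) -> bool:
        d = self.desc.lower()
        return self.kind.startswith(TRACK_KINDS) or any(w in d for w in TRACK_WORDS)

    @property
    def registry_only(self) -> bool:
        return self.kind in ("Registry Key", "Registry Change")


def parse_spybot_log(text: str) -> List[Finding]:
    """Return the findings; raise if the declared item count does not match."""
    findings: List[Finding] = []
    declared: Optional[int] = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = COUNT_RE.match(raw.strip())
        if m:
            declared = int(m.group("n"))
            continue
        # An indented line is the object (registry path) of the previous finding.
        if raw.startswith("  ") and findings and findings[-1].location is None:
            findings[-1].location = raw.strip()
            continue
        m = FINDING_RE.match(raw.rstrip())
        if m:
            findings.append(Finding(**m.groupdict()))
    if declared is not None and declared != len(findings):
        raise ValueError(f"log declares {declared} items but {len(findings)} were parsed")
    return findings


def triage(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Split findings into tracks, registry-only malware remnants, and the rest."""
    malware = [f for f in findings if not f.is_track]
    return {
        "tracks": [f for f in findings if f.is_track],
        "malware_registry_only": [f for f in malware if f.registry_only],
        "malware_other": [f for f in malware if not f.registry_only],
    }


if __name__ == "__main__":
    for bucket, items in triage(parse_spybot_log(SAMPLE_LOG)).items():
        print(f"{bucket}: {len(items)}")
        for f in items:
            print(f"  {f.name} [{f.kind}] {f.location or ''}")
```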
 



#12 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:14 PM

Posted 15 July 2014 - 10:26 AM

This is just a remnant, which is harmless without the files (that we took out already).

I'll hand you over the removal script.

 

Combofix scripting

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is saved to.


CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

 

 

 

When finished, have a look if the problem is still detected.

 

Attached Files



#13 BillH1971

BillH1971
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Floyds Knobs, In.
  • Local time:06:14 PM

Posted 15 July 2014 - 04:34 PM

Hello Marius;

 

I am having trouble getting the CFS script.  I have my Windows Explorer open to the location holding Combofix but when I mouse click on the CFS script in the picture to drag it then my Windows Explorer window closes.  So there is nowhere to drag it to.

What am I doing wrong?

 

Bill



#14 BillH1971

BillH1971
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Floyds Knobs, In.
  • Local time:06:14 PM

Posted 15 July 2014 - 07:00 PM

Marius;

 

Disregard my previous post.  I just found your attachment of the CFS script.

 

Bill



#15 BillH1971

BillH1971
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Floyds Knobs, In.
  • Local time:06:14 PM

Posted 15 July 2014 - 09:50 PM

Hi Marius;

 

I ran Combofix with the CFS script included and the log is shown below.  SpyBot no longer shows the ZLOB in a scan, so everything looks great now.

 

 

ComboFix 14-07-08.01 - Bill 07/15/2014  19:30:22.3.2 - x86
Microsoft Windows 7 Enterprise   6.1.7601.1.1252.1.1033.18.2047.1004 [GMT -4:00]
Running from: c:\users\Bill\Downloads\ComboFix.exe
Command switches used :: c:\users\Bill\Downloads\CFScript.txt
AV: AVG AntiVirus Free Edition 2014 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: AVG AntiVirus Free Edition 2014 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Spybot - Search and Destroy *Disabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Bill\AppData\Local\Temp\_MEI20522\_ctypes.pyd
c:\users\Bill\AppData\Local\Temp\_MEI20522\_elementtree.pyd
c:\users\Bill\AppData\Local\Temp\_MEI20522\_hashlib.pyd
c:\users\Bill\AppData\Local\Temp\_MEI20522\_multiprocessing.pyd
c:\users\Bill\AppData\Local\Temp\_MEI20522\_socket.pyd
c:\users\Bill\AppData\Local\Temp\_MEI20522\_ssl.pyd
c:\users\Bill\AppData\Local\Temp\_MEI20522\hashobjs_ext.pyd
c:\users\Bill\AppData\Local\Temp\_MEI20522\pyexpat.pyd
c:\users\Bill\AppData\Local\Temp\_MEI20522\pysqlite2._sqlite.pyd
c:\users\Bill\AppData\Local\Temp\_MEI20522\python27.dll
c:\users\Bill\AppData\Local\Temp\_MEI20522\pythoncom27.dll
c:\users\Bill\AppData\Local\Temp\_MEI20522\PyWinTypes27.dll
c:\users\Bill\AppData\Local\Temp\_MEI20522\select.pyd
c:\users\Bill\AppData\Local\Temp\_MEI20522\unicodedata.pyd
c:\users\Bill\AppData\Local\Temp\_MEI20522\win32api.pyd
c:\users\Bill\AppData\Local\Temp\_MEI20522\win32com.shell.shell.pyd
c:\users\Bill\AppData\Local\Temp\_MEI20522\win32crypt.pyd
c:\users\Bill\AppData\Local\Temp\_MEI20522\win32event.pyd
c:\users\Bill\AppData\Local\Temp\_MEI20522\win32file.pyd
c:\users\Bill\AppData\Local\Temp\_MEI20522\win32gui.pyd
c:\users\Bill\AppData\Local\Temp\_MEI20522\win32inet.pyd
c:\users\Bill\AppData\Local\Temp\_MEI20522\win32pdh.pyd
c:\users\Bill\AppData\Local\Temp\_MEI20522\win32pipe.pyd
c:\users\Bill\AppData\Local\Temp\_MEI20522\win32process.pyd
c:\users\Bill\AppData\Local\Temp\_MEI20522\win32profile.pyd
c:\users\Bill\AppData\Local\Temp\_MEI20522\win32security.pyd
c:\users\Bill\AppData\Local\Temp\_MEI20522\win32ts.pyd
c:\users\Bill\AppData\Local\Temp\_MEI20522\windows._lib_cacheinvalidation.pyd
c:\users\Bill\AppData\Local\Temp\_MEI20522\wx._animate.pyd
c:\users\Bill\AppData\Local\Temp\_MEI20522\wx._controls_.pyd
c:\users\Bill\AppData\Local\Temp\_MEI20522\wx._core_.pyd
c:\users\Bill\AppData\Local\Temp\_MEI20522\wx._gdi_.pyd
c:\users\Bill\AppData\Local\Temp\_MEI20522\wx._html2.pyd
c:\users\Bill\AppData\Local\Temp\_MEI20522\wx._misc_.pyd
c:\users\Bill\AppData\Local\Temp\_MEI20522\wx._windows_.pyd
c:\users\Bill\AppData\Local\Temp\_MEI20522\wx._wizard.pyd
c:\users\Bill\AppData\Local\Temp\_MEI20522\wxbase294u_net_vc90.dll
c:\users\Bill\AppData\Local\Temp\_MEI20522\wxbase294u_vc90.dll
c:\users\Bill\AppData\Local\Temp\_MEI20522\wxmsw294u_adv_vc90.dll
c:\users\Bill\AppData\Local\Temp\_MEI20522\wxmsw294u_core_vc90.dll
c:\users\Bill\AppData\Local\Temp\_MEI20522\wxmsw294u_html_vc90.dll
c:\users\Bill\AppData\Local\Temp\_MEI20522\wxmsw294u_webview_vc90.dll
.
.
(((((((((((((((((((((((((   Files Created from 2014-06-15 to 2014-07-15  )))))))))))))))))))))))))))))))
.
.
2014-07-15 23:38 . 2014-07-15 23:38    --------    d-----w-    c:\users\Default\AppData\Local\temp
2014-07-14 16:36 . 2014-07-14 16:36    --------    d-----w-    c:\windows\ERUNT
2014-07-14 16:16 . 2010-08-30 12:34    536576    ----a-w-    c:\windows\system32\sqlite3.dll
2014-07-14 16:15 . 2014-07-14 16:18    --------    d-----w-    C:\AdwCleaner
2014-07-14 01:43 . 2014-07-14 02:35    --------    d-----w-    c:\users\Bill\AppData\Local\CrashDumps
2014-07-09 23:44 . 2014-07-09 23:44    16    ----a-w-    c:\windows\system32\SetPath.bat
2014-07-09 02:40 . 2014-07-09 02:40    5659136    ----a-w-    c:\windows\system32\FlashPlayerInstaller.exe
2014-07-08 23:35 . 2014-06-18 01:52    868864    ----a-w-    c:\program files\Common Files\Microsoft Shared\ink\tipskins.dll
2014-07-07 01:36 . 2014-07-07 01:36    110080    ----a-r-    c:\users\Bill\AppData\Roaming\Microsoft\Installer\{AF549236-6258-4AC6-A043-5B5B89C6EB61}\IconF7A21AF7.exe
2014-07-07 01:36 . 2014-07-07 01:36    110080    ----a-r-    c:\users\Bill\AppData\Roaming\Microsoft\Installer\{AF549236-6258-4AC6-A043-5B5B89C6EB61}\IconD7F16134.exe
2014-07-07 01:36 . 2014-07-07 01:36    110080    ----a-r-    c:\users\Bill\AppData\Roaming\Microsoft\Installer\{AF549236-6258-4AC6-A043-5B5B89C6EB61}\IconCF33A0CE.exe
2014-07-07 01:36 . 2014-07-07 01:36    --------    d-----w-    C:\sh4ldr
2014-07-07 01:36 . 2014-07-07 01:36    --------    d-----w-    c:\program files\Enigma Software Group
2014-07-07 01:34 . 2014-07-07 01:36    --------    d-----w-    c:\windows\AF54923662584AC6A0435B5B89C6EB61.TMP
2014-07-06 23:51 . 2014-07-06 23:51    35152    ----a-w-    c:\windows\system32\drivers\TrueSight.sys
2014-07-06 23:51 . 2014-07-06 23:51    --------    d-----w-    c:\programdata\RogueKiller
2014-07-06 22:23 . 2014-07-13 23:43    110296    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-07-06 22:23 . 2014-07-08 01:51    74456    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-07-06 22:23 . 2014-07-06 22:23    --------    d-----w-    c:\program files\Malwarebytes Anti-Malware
2014-07-06 22:23 . 2014-07-06 22:23    --------    d-----w-    c:\programdata\Malwarebytes
2014-07-06 22:23 . 2014-05-12 11:26    51928    ----a-w-    c:\windows\system32\drivers\mwac.sys
2014-07-06 22:23 . 2014-05-12 11:25    23256    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-07-06 01:46 . 2014-07-06 01:46    --------    d-----w-    c:\program files\CCleaner
2014-07-06 00:50 . 2014-07-06 00:50    --------    d-----w-    c:\program files\VS Revo Group
2014-07-06 00:14 . 2014-07-06 00:14    17088    ----a-w-    c:\windows\system32\drivers\GUBootStartup.sys
2014-07-06 00:14 . 2014-07-14 15:57    --------    d-----w-    c:\users\Bill\AppData\Roaming\DiskDefrag
2014-07-06 00:14 . 2014-07-02 09:10    101664    ----a-w-    c:\windows\system32\BootDefrag.exe
2014-07-06 00:14 . 2014-07-01 07:52    16064    ----a-w-    c:\windows\system32\drivers\BootDefragDriver.sys
2014-07-06 00:14 . 2014-07-06 00:14    --------    d-----w-    c:\users\Bill\AppData\Roaming\GlarySoft
2014-07-06 00:14 . 2014-07-15 21:02    --------    d-----w-    c:\program files\Glary Utilities 5
2014-07-04 02:50 . 2014-07-09 17:01    71344    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-07-04 02:50 . 2014-07-09 17:01    699056    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-07-04 02:28 . 2013-09-20 14:49    18968    ----a-w-    c:\windows\system32\sdnclean.exe
2014-07-04 02:02 . 2014-07-04 02:02    --------    d-----w-    c:\program files\HitmanPro
2014-07-04 02:00 . 2014-07-04 02:14    --------    d-----w-    c:\programdata\HitmanPro
2014-07-03 23:29 . 2014-07-03 23:29    --------    d-----w-    c:\users\Bill\AppData\Local\Adobe
2014-07-03 04:10 . 2014-07-03 04:10    --------    d-----w-    c:\users\Bill\AppData\Local\Downloadius_S.A.R.L
2014-07-03 04:09 . 2014-07-03 04:16    --------    d-----w-    c:\programdata\pastaleads
2014-07-03 04:09 . 2014-07-03 04:09    --------    d-----w-    c:\users\Bill\AppData\Roaming\Downloadius S.A.R.L
2014-07-03 03:02 . 2014-07-03 20:38    --------    d-----w-    c:\program files\Common Files\Symantec Shared
2014-07-03 02:44 . 2014-07-03 20:38    --------    d-----w-    c:\programdata\Norton
2014-07-03 02:40 . 2014-07-03 02:40    --------    d-----w-    c:\users\Bill\AppData\Roaming\Lavasoft
2014-07-03 02:09 . 2014-07-08 20:19    --------    d-----w-    c:\programdata\Ad-Aware Browsing Protection
2014-07-03 02:09 . 2014-07-08 20:21    --------    d-----w-    c:\program files\Lavasoft
2014-07-03 02:06 . 2014-07-03 02:06    --------    d-----w-    c:\programdata\Lavasoft
2014-07-03 01:36 . 2014-07-03 01:36    --------    d-----w-    c:\users\Bill\AppData\Roaming\Windows Codec
2014-07-03 01:36 . 2014-07-03 01:36    --------    d-----w-    c:\users\Bill\AppData\Roaming\Windows Essentials Codec Pack
2014-06-26 22:12 . 2014-07-06 23:21    --------    d-----w-    c:\program files\6E6B36EB-9156-411B-B951-C735F4747DCF
2014-06-21 11:43 . 2014-06-21 11:43    404992    ----a-w-    c:\windows\system32\CommonDlg.dll
2014-06-17 20:22 . 2014-06-17 20:22    188696    ----a-w-    c:\windows\system32\drivers\avgldx86.sys
2014-06-17 20:21 . 2014-06-17 20:21    197400    ----a-w-    c:\windows\system32\drivers\avgtdix.sys
2014-06-17 20:18 . 2014-06-17 20:18    241944    ----a-w-    c:\windows\system32\drivers\avglogx.sys
2014-06-17 20:17 . 2014-06-17 20:17    147736    ----a-w-    c:\windows\system32\drivers\avgidshx.sys
2014-06-17 20:06 . 2014-06-17 20:06    199960    ----a-w-    c:\windows\system32\drivers\avgidsdriverx.sys
2014-06-17 20:06 . 2014-06-17 20:06    121624    ----a-w-    c:\windows\system32\drivers\avgdiskx.sys
2014-06-17 20:06 . 2014-06-17 20:06    98584    ----a-w-    c:\windows\system32\drivers\avgmfx86.sys
2014-06-17 20:06 . 2014-06-17 20:06    27416    ----a-w-    c:\windows\system32\drivers\avgrkx86.sys
2014-06-17 20:06 . 2014-06-17 20:06    21272    ----a-w-    c:\windows\system32\drivers\avgidsshimx.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-06-12 19:05 . 2014-06-12 19:05    31744    ----a-w-    c:\windows\system32\drivers\netfilter.sys
2014-06-05 23:52 . 2014-06-05 23:52    9216    ----a-w-    c:\windows\system32\drivers\massfilter_hs.sys
2014-05-08 09:06 . 2014-06-12 13:36    919040    ----a-w-    c:\windows\system32\rdpcorets.dll
2014-04-25 02:06 . 2014-06-12 13:36    626688    ----a-w-    c:\windows\system32\usp10.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2014-06-27 18:20    579400    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2014-06-27 18:20    579400    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedViewOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2014-06-27 18:20    579400    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2014-06-27 18:20    579400    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2014-06-27 18:20    579400    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
"GoogleDriveSync"="c:\program files\Google\Drive\googledrivesync.exe" [2014-06-27 24477056]
"ApplePhotoStreams"="c:\program files\Common Files\Apple\Internet Services\ApplePhotoStreams.exe" [2013-11-20 59720]
"GoogleChromeAutoLaunch_D7F8A353CC6ED011209C1472171116E7"="c:\program files\Google\Chrome\Application\chrome.exe" [2014-06-05 860488]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-02-13 43848]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2014-01-17 421888]
"AVG_UI"="c:\program files\AVG\AVG2014\avgui.exe" [2014-06-17 5179408]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2014-05-26 152392]
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2014-06-24 4101576]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SPReview"="c:\windows\System32\SPReview\SPReview.exe" [2013-09-08 280576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk * \0BootDefrag.exe\0bootdelete
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adawarebp]
reg.exe delete HKCU\Software\AppDataLow\Software\adawarebp [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adawarebp_DATA_FOLDER]
rmdir [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adawarebp_INSTALL_FOLDER]
rmdir [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fitbit Connect]
2014-01-10 19:06    3362336    ----a-r-    c:\program files\Fitbit Connect\Fitbit Connect.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoogleChromeAutoLaunch_D7F8A353CC6ED011209C1472171116E7]
2014-06-05 13:58    860488    ----a-w-    c:\program files\Google\Chrome\Application\chrome.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GUDelayStartup]
2014-07-02 09:09    37152    ----a-w-    c:\program files\Glary Utilities 5\StartupManager.exe
.
R1 netfilter2;netfilter2;c:\windows\system32\drivers\netfilter2.sys [x]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes Anti-Malware\mbamservice.exe [2014-05-12 860472]
R2 vToolbarUpdater18.1.5;vToolbarUpdater18.1.5;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\18.1.5\ToolbarUpdater.exe [x]
R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [2014-01-07 15384]
R3 EsgScanner;EsgScanner;c:\windows\system32\DRIVERS\EsgScanner.sys [2012-06-22 19984]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2014-06-18 108032]
R3 massfilter_hs;HS HandSet Mass Storage Filter Driver;c:\windows\system32\DRIVERS\massfilter_hs.sys [2014-06-05 9216]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2014-05-12 51928]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [2014-06-24 1738168]
R3 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [2014-06-27 2088408]
R3 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [2014-04-25 171928]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2013-09-07 1343400]
R3 zghsdiag;ZTE General Handset Diagnostic Port;c:\windows\system32\DRIVERS\zghsdiag.sys [2011-01-13 106752]
R4 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes Anti-Malware\mbamscheduler.exe [2014-05-12 1809720]
S0 AVGIDSHX;AVGIDSHX;c:\windows\system32\DRIVERS\avgidshx.sys [2014-06-17 147736]
S0 Avglogx;AVG Logging Driver;c:\windows\system32\DRIVERS\avglogx.sys [2014-06-17 241944]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [2014-06-17 27416]
S0 BootDefragDriver;BootDefragDriver;c:\windows\System32\drivers\BootDefragDriver.sys [2014-07-01 16064]
S0 GUBootStartup;GUBootStartup;c:\windows\System32\drivers\GUBootStartup.sys [2014-07-06 17088]
S1 Avgdiskx;AVG Disk Driver;c:\windows\system32\DRIVERS\avgdiskx.sys [2014-06-17 121624]
S1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdriverx.sys [2014-06-17 199960]
S1 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\avgidsshimx.sys [2014-06-17 21272]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [2014-06-17 188696]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [2014-06-17 197400]
S1 netfilter;netfilter;c:\windows\system32\drivers\netfilter.sys [2014-06-12 31744]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2014\avgidsagent.exe [2014-06-27 3241488]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2014\avgwdsvc.exe [2014-06-17 289328]
S2 Fitbit Connect;Fitbit Connect Service;c:\program files\Fitbit Connect\FitbitConnectService.exe [2014-01-10 1435680]
S2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [2009-09-26 189736]
S2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe [2014-07-04 106248]
S2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [2013-06-28 14624]
S3 athur;Atheros AR9271 Wireless Network Adapter Service;c:\windows\system32\DRIVERS\athur.sys [2010-10-11 1564160]
S3 hitmanpro37;HitmanPro 3.7 Support Driver;c:\windows\system32\drivers\hitmanpro37.sys [2014-07-15 30976]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-05-12 23256]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-09-28 315392]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - HITMANPRO37
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-06-13 21:47    1091912    ----a-w-    c:\program files\Google\Chrome\Application\35.0.1916.153\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-07-15 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-07-04 17:01]
.
2014-07-15 c:\windows\Tasks\GlaryInitialize 5.job
- c:\program files\Glary Utilities 5\Initialize.exe [2014-07-02 09:08]
.
2014-07-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-09-09 19:11]
.
2014-07-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-09-09 19:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = about:blank
uInternet Settings,ProxyOverride = <-loopback>
TCP: DhcpNameServer = 192.168.10.1
FF - ProfilePath - c:\users\Bill\AppData\Roaming\Mozilla\Firefox\Profiles\rrqaj89f.default-1385333118702\
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-VDC_is1 - c:\program files\Video Download Converter\unins000.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG2014\avgrsx.exe
c:\program files\AVG\AVG2014\avgcsrvx.exe
c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\AVG\AVG2014\avgnsx.exe
c:\program files\AVG\AVG2014\avgemcx.exe
c:\windows\system32\taskhost.exe
c:\program files\Microsoft Mouse and Keyboard Center\ipoint.exe
c:\program files\Microsoft Mouse and Keyboard Center\itype.exe
c:\windows\system32\conhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Glary Utilities 5\Integrator.exe
.
**************************************************************************
.
Completion time: 2014-07-15  19:52:42 - machine was rebooted
ComboFix-quarantined-files.txt  2014-07-15 23:52
ComboFix2.txt  2014-07-10 00:40
.
Pre-Run: 250,176,114,688 bytes free
Post-Run: 250,129,629,184 bytes free
.
- - End Of File - - 90070B82F8DE2454FDC94E4099D37390
A36C5E4F47E84449FF07ED3517B43A31
 





