
Combofix log report


  • This topic is locked
20 replies to this topic

#1 monetary1995


Posted 13 August 2015 - 11:08 AM

Mod Edit: Moved to Malware Removal Logs forum. ~~ boopme

I got an infection and ran rkill, MalwareBytes, JunkRemoval and AdwCleaner, and I am still having issues with the browser. When I click a link, a popup advertisement comes up. I have reset the browser, but the problem still exists.
I ran ComboFix and saw where it said the system file SysWow64\dnsapi.dll was infected.
ComboFix didn't resolve this issue either.
 
Please advise
 
Below is the Combofix log
 
ComboFix 15-08-08.01 - Donna L. White 08/12/2015  12:22:56.5.4 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.7873.4706 [GMT -4:00]
Running from: c:\users\Donna L. White\Desktop\ComboFix.exe
AV: Avira Antivirus *Disabled/Updated* {4D041356-F94D-285F-8768-AAE50FA36859}
SP: Avira Antivirus *Disabled/Updated* {F665F2B2-DF77-27D1-BDD8-9197742422E4}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\SysWow64\dnsapi.dll . . . is infected!!
.
.
(((((((((((((((((((((((((   Files Created from 2015-07-12 to 2015-08-12  )))))))))))))))))))))))))))))))
.
.
2015-08-12 16:53 . 2015-08-12 16:53 -------- d-----w- c:\users\Public\AppData\Local\temp
2015-08-12 16:53 . 2015-08-12 16:53 -------- d-----w- c:\users\HomeGroupUser$\AppData\Local\temp
2015-08-12 16:53 . 2015-08-12 16:53 -------- d-----w- c:\users\Guest\AppData\Local\temp
2015-08-12 16:53 . 2015-08-12 16:53 -------- d-----w- c:\users\DONNAL~1WHI\AppData\Local\temp
2015-08-12 16:53 . 2015-08-12 16:53 -------- d-----w- c:\users\DONNAL~1~WHI\AppData\Local\temp
2015-08-12 16:53 . 2015-08-12 16:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2015-08-12 16:53 . 2015-08-12 16:53 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2015-08-12 10:42 . 2015-08-12 10:42 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{219C466C-A663-43A5-BC8F-DD115FEF5637}\offreg.2300.dll
2015-08-12 07:40 . 2015-07-30 13:13 103120 ----a-w- c:\windows\SysWow64\PresentationCFFRasterizerNative_v0300.dll
2015-08-12 07:40 . 2015-07-30 13:13 124624 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2015-08-12 02:30 . 2015-08-12 02:34 -------- d-----w- c:\program files (x86)\Fighters
2015-08-12 02:30 . 2015-08-12 02:34 -------- d-----w- c:\programdata\Fighters
2015-08-12 02:30 . 2015-08-12 02:31 -------- d-----w- c:\users\Donna L. White\AppData\Roaming\Fighters
2015-08-12 00:45 . 2015-07-15 03:19 52736 ----a-w- c:\windows\system32\basesrv.dll
2015-08-12 00:44 . 2015-07-21 00:39 293072 ----a-w- c:\program files\Internet Explorer\sqmapi.dll
2015-08-11 10:52 . 2015-07-21 11:25 12222168 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{219C466C-A663-43A5-BC8F-DD115FEF5637}\mpengine.dll
2015-08-10 22:44 . 2015-08-10 22:44 -------- d-----w- c:\users\Donna L. White\dwhelper
2015-08-10 16:58 . 2015-08-10 17:37 43664 ----a-w- c:\windows\system32\drivers\hitmanpro37.sys
2015-08-10 16:57 . 2015-08-10 17:29 -------- d-----w- c:\programdata\HitmanPro
2015-08-09 08:54 . 2015-08-09 08:54 -------- d-----w- c:\users\Donna L. White\AppData\Roaming\Avira
2015-08-09 08:45 . 2015-07-15 12:37 44088 ----a-w- c:\windows\system32\drivers\avnetflt.sys
2015-08-09 08:45 . 2015-07-15 12:37 28600 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2015-08-09 08:45 . 2015-07-15 12:37 141416 ----a-w- c:\windows\system32\drivers\avipbb.sys
2015-08-09 08:45 . 2015-07-15 12:37 162528 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2015-08-08 16:02 . 2015-08-08 16:03 -------- d-----w- C:\AdwCleaner
2015-08-08 03:12 . 2015-08-08 03:12 79064 ----a-w- c:\windows\system32\drivers\ewfvkugs.sys
2015-08-08 01:07 . 2015-08-10 18:39 113880 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-08-08 01:07 . 2015-06-18 13:48 63704 ----a-w- c:\windows\system32\drivers\mwac.sys
2015-08-08 01:07 . 2015-06-18 13:47 109272 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2015-08-08 01:07 . 2015-06-18 13:47 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2015-08-08 01:07 . 2015-08-08 01:07 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
2015-08-08 00:39 . 2015-08-08 00:40 -------- d--h--w- c:\programdata\erf
2015-08-08 00:26 . 2015-08-08 00:26 -------- d-----w- c:\windows\system32\omat
2015-07-28 03:48 . 2015-07-28 03:48 79064 ----a-w- c:\windows\system32\drivers\lgmktyl.sys
2015-07-27 22:36 . 2015-07-27 22:36 -------- d-----w- c:\program files (x86)\FreeCodecPack
2015-07-23 21:33 . 2015-07-23 21:33 -------- d-----w- c:\program files (x86)\Free Codec Pack
2015-07-23 21:33 . 2015-07-27 22:37 -------- d-----w- c:\program files (x86)\DVDVideoSoft
2015-07-23 21:33 . 2015-07-27 22:36 -------- d-----w- c:\program files (x86)\Common Files\DVDVideoSoft
2015-07-23 17:00 . 2015-03-14 03:21 82944 ----a-w- c:\windows\system32\dwmapi.dll
2015-07-23 17:00 . 2015-03-14 03:21 1632768 ----a-w- c:\windows\system32\dwmcore.dll
2015-07-23 17:00 . 2015-03-14 03:04 67584 ----a-w- c:\windows\SysWow64\dwmapi.dll
2015-07-23 17:00 . 2015-03-14 03:04 1372160 ----a-w- c:\windows\SysWow64\dwmcore.dll
2015-07-23 17:00 . 2015-05-09 18:26 493504 ----a-w- c:\windows\system32\mcupdate_GenuineIntel.dll
2015-07-22 17:04 . 2015-07-22 17:04 17318592 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\OFFICE12\MSO.DLL
2015-07-22 00:57 . 2015-07-22 00:57 1917080 ----a-w- c:\program files\Common Files\Microsoft Shared\OFFICE11\msxml5.dll
2015-07-22 00:57 . 2015-07-22 00:57 1375896 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\OFFICE11\msxml5.dll
2015-07-21 08:36 . 2015-07-21 08:36 82432 ----a-w- c:\users\Donna L. White\AppData\Roaming\Microsoft\MSXML2\msxml4r.dll
2015-07-21 08:36 . 2015-07-21 08:36 44544 ----a-w- c:\users\Donna L. White\AppData\Roaming\Microsoft\MSXML2\msxml4a.dll
2015-07-21 08:36 . 2015-07-21 08:36 1275392 ----a-w- c:\users\Donna L. White\AppData\Roaming\Microsoft\MSXML2\msxml4.dll
2015-07-15 04:39 . 2015-06-02 00:07 254976 ----a-w- c:\windows\system32\cewmdm.dll
2015-07-15 04:39 . 2015-06-01 23:47 210432 ----a-w- c:\windows\SysWow64\cewmdm.dll
2015-07-15 04:39 . 2015-06-09 18:03 3180544 ----a-w- c:\windows\system32\rdpcorets.dll
2015-07-15 04:39 . 2015-06-09 18:03 16384 ----a-w- c:\windows\system32\RdpGroupPolicyExtension.dll
2015-07-15 04:38 . 2015-06-17 17:47 404992 ----a-w- c:\windows\system32\gdi32.dll
2015-07-15 04:38 . 2015-06-17 17:37 312320 ----a-w- c:\windows\SysWow64\gdi32.dll
2015-07-15 04:38 . 2015-07-04 18:07 2087424 ----a-w- c:\windows\system32\ole32.dll
2015-07-15 04:38 . 2015-07-04 17:48 1414656 ----a-w- c:\windows\SysWow64\ole32.dll
2015-07-15 04:38 . 2015-04-27 19:23 229376 ----a-w- c:\windows\system32\wintrust.dll
2015-07-15 04:38 . 2015-04-27 19:23 188416 ----a-w- c:\windows\system32\cryptsvc.dll
2015-07-15 04:38 . 2015-04-27 19:23 1480192 ----a-w- c:\windows\system32\crypt32.dll
2015-07-15 04:38 . 2015-04-27 19:05 179200 ----a-w- c:\windows\SysWow64\wintrust.dll
2015-07-15 04:38 . 2015-04-27 19:04 143872 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2015-07-15 04:38 . 2015-04-27 19:04 1174528 ----a-w- c:\windows\SysWow64\crypt32.dll
2015-07-15 04:38 . 2015-04-27 19:23 140288 ----a-w- c:\windows\system32\cryptnet.dll
2015-07-15 04:38 . 2015-04-27 19:04 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
2015-07-15 04:37 . 2015-06-15 21:45 3242496 ----a-w- c:\windows\system32\msi.dll
2015-07-15 04:37 . 2015-06-15 21:45 1941504 ----a-w- c:\windows\system32\authui.dll
2015-07-15 04:37 . 2015-06-15 21:43 2364416 ----a-w- c:\windows\SysWow64\msi.dll
2015-07-15 04:37 . 2015-06-15 21:43 1805824 ----a-w- c:\windows\SysWow64\authui.dll
2015-07-15 04:37 . 2015-06-15 21:50 112064 ----a-w- c:\windows\system32\consent.exe
2015-07-15 04:37 . 2015-06-15 21:44 128000 ----a-w- c:\windows\system32\msiexec.exe
2015-07-15 04:37 . 2015-06-15 21:45 504320 ----a-w- c:\windows\system32\msihnd.dll
2015-07-15 04:37 . 2015-06-15 21:45 70656 ----a-w- c:\windows\system32\appinfo.dll
2015-07-15 04:37 . 2015-06-15 21:43 337408 ----a-w- c:\windows\SysWow64\msihnd.dll
2015-07-15 04:37 . 2015-06-15 21:42 73216 ----a-w- c:\windows\SysWow64\msiexec.exe
2015-07-15 04:37 . 2015-06-15 21:42 25088 ----a-w- c:\windows\system32\msimsg.dll
2015-07-15 04:37 . 2015-06-15 21:37 25088 ----a-w- c:\windows\SysWow64\msimsg.dll
2015-07-14 22:20 . 2015-07-14 22:20 756376 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\OFFICE12\MSPTLS.DLL
2015-07-14 03:14 . 2015-07-14 03:14 -------- d-----w- c:\program files\iPod
2015-07-14 03:14 . 2015-07-14 03:14 -------- d-----w- c:\program files (x86)\iTunes
2015-07-14 03:14 . 2015-07-14 03:16 -------- d-----w- c:\program files\iTunes
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-08-12 07:01 . 2013-12-29 03:46 132483416 ----a-w- c:\windows\system32\MRT.exe
2015-08-11 19:10 . 2013-11-16 07:40 778440 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2015-08-11 19:10 . 2013-11-16 07:40 142536 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2015-08-08 00:27 . 2013-11-15 20:36 357888 ----a-w- c:\windows\system32\dnsapi.dll
2015-07-15 17:54 . 2015-08-12 00:47 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2015-06-23 17:30 . 2013-11-15 20:11 300704 ------w- c:\windows\system32\MpSigStub.exe
2015-06-17 05:01 . 2015-06-17 05:01 1202856 ----a-w- c:\windows\SysWow64\FM20.DLL
2015-06-17 04:23 . 2015-06-17 04:23 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2015-06-17 04:23 . 2015-06-17 04:23 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
2015-06-11 03:08 . 2015-06-11 03:08 6112072 ----a-w- c:\windows\system32\usbaaplrc.dll
2015-06-11 03:08 . 2015-06-11 03:08 54784 ----a-w- c:\windows\system32\drivers\usbaapl64.sys
2015-05-25 18:19 . 2015-06-10 06:07 1255424 ----a-w- c:\windows\system32\diagtrack.dll
2015-05-25 18:19 . 2015-06-10 06:07 879104 ----a-w- c:\windows\system32\tdh.dll
2015-05-25 18:19 . 2015-06-10 06:07 113664 ----a-w- c:\windows\system32\sechost.dll
2015-05-25 18:18 . 2015-06-10 06:07 879104 ----a-w- c:\windows\system32\advapi32.dll
2015-05-25 18:18 . 2015-06-10 06:07 404992 ----a-w- c:\windows\system32\tracerpt.exe
2015-05-25 18:18 . 2015-06-10 06:07 47104 ----a-w- c:\windows\system32\typeperf.exe
2015-05-25 18:18 . 2015-06-10 06:07 43008 ----a-w- c:\windows\system32\relog.exe
2015-05-25 18:18 . 2015-06-10 06:07 104448 ----a-w- c:\windows\system32\logman.exe
2015-05-25 18:18 . 2015-06-10 06:07 19456 ----a-w- c:\windows\system32\diskperf.exe
2015-05-25 18:01 . 2015-06-10 06:07 635392 ----a-w- c:\windows\SysWow64\tdh.dll
2015-05-25 18:01 . 2015-06-10 06:07 92160 ----a-w- c:\windows\SysWow64\sechost.dll
2015-05-25 18:01 . 2015-06-10 06:07 641536 ----a-w- c:\windows\SysWow64\advapi32.dll
2015-05-25 18:00 . 2015-06-10 06:07 40448 ----a-w- c:\windows\SysWow64\typeperf.exe
2015-05-25 18:00 . 2015-06-10 06:07 364544 ----a-w- c:\windows\SysWow64\tracerpt.exe
2015-05-25 18:00 . 2015-06-10 06:07 37888 ----a-w- c:\windows\SysWow64\relog.exe
2015-05-25 18:00 . 2015-06-10 06:07 82944 ----a-w- c:\windows\SysWow64\logman.exe
2015-05-25 18:00 . 2015-06-10 06:07 17408 ----a-w- c:\windows\SysWow64\diskperf.exe
2015-05-25 17:00 . 2015-06-10 06:07 36864 ----a-w- c:\windows\system32\UtcResources.dll
2015-05-21 13:19 . 2015-06-10 06:08 193536 ----a-w- c:\windows\system32\aepic.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt1"]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2015-02-11 01:12 152544 ----a-w- c:\users\Donna L. White\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt2"]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2015-02-11 01:12 152544 ----a-w- c:\users\Donna L. White\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt3"]
@="{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}]
2015-02-11 01:12 152544 ----a-w- c:\users\Donna L. White\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt4"]
@="{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}]
2015-02-11 01:12 152544 ----a-w- c:\users\Donna L. White\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt5"]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2015-02-11 01:12 152544 ----a-w- c:\users\Donna L. White\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt6"]
@="{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}]
2015-02-11 01:12 152544 ----a-w- c:\users\Donna L. White\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt7"]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2015-02-11 01:12 152544 ----a-w- c:\users\Donna L. White\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt8"]
@="{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}]
2015-02-11 01:12 152544 ----a-w- c:\users\Donna L. White\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Officejet Pro 8500 A910 (NET)"="c:\program files\HP\HP Officejet Pro 8500 A910\Bin\ScanToPCActivationApp.exe" [2012-10-17 2573416]
"IDriveE Startup"="c:\idrive\IDrvieEStartup.exe" [2011-06-24 185800]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-06-17 2363392]
"MSGTAG"="c:\program files (x86)\MSGTAG Status\MSGTAGStatus.exe" [2007-07-11 1820160]
"Amazon Music"="c:\users\Donna L. White\AppData\Local\Amazon Music\Amazon Music Helper.exe" [2014-10-15 6281024]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"USB3MON"="c:\program files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2012-05-20 291648]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2015-05-15 60712]
"Intuit SyncManager"="c:\program files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2012-12-07 2771832]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-23 402432]
"NBAgent"="c:\program files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe" [2010-03-26 1234216]
"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2013-05-30 96056]
"TkBellExe"="c:\program files (x86)\Real\RealPlayer\update\realsched.exe" [2014-10-02 296520]
"Aimersoft Helper Compact.exe"="c:\program files (x86)\Common Files\Aimersoft\Aimersoft Helper Compact\ASHelper.exe" [2014-08-05 2014720]
"Adobe Creative Cloud"="c:\program files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe" [2015-05-08 2584240]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2015-06-17 421888]
"avgnt"="c:\program files (x86)\Avira\Antivirus\avgnt.exe" [2015-07-15 782008]
.
c:\users\Donna L. White\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ePrompter.lnk - c:\program files (x86)\ePrompter\ePrompter.exe [2004-12-2 782336]
IDrive Tray.lnk - c:\idrive\IDriveEReg2ini.exe 2 [2013-11-20 311296]
Monitor Ink Alerts - HP Officejet Pro 8500 A910 (Network).lnk - c:\windows\system32\RunDll32.exe "c:\program files\HP\HP Officejet Pro 8500 A910\bin\HPStatusBL.dll",RunDLLEntry SERIALNUMBER=CN0AMAK1Z4;CONNECTION=NW;MONITOR=1; [2009-7-13 45568]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2013-2-1 1155912]
RealPlayer Cloud Service UI.lnk - c:\program files (x86)\Real\RealPlayer\RPDS\Bin64\rpsystray.exe [2014-10-2 1022048]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
R2 AntiVirMailService;Avira Mail Protection;c:\program files (x86)\Avira\Antivirus\avmailc7.exe;c:\program files (x86)\Avira\Antivirus\avmailc7.exe [x]
R2 AntiVirWebService;Avira Web Protection;c:\program files (x86)\Avira\Antivirus\avwebg7.exe;c:\program files (x86)\Avira\Antivirus\avwebg7.exe [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
R2 RealPlayerUpdateSvc;RealPlayer Update Service;c:\program files (x86)\Real\UpdateService\RealPlayerUpdateSvc.exe;c:\program files (x86)\Real\UpdateService\RealPlayerUpdateSvc.exe [x]
R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys;c:\windows\SYSNATIVE\DRIVERS\dc3d.sys [x]
R3 hitmanpro37;HitmanPro 3.7 Support Driver;c:\windows\system32\drivers\hitmanpro37.sys;c:\windows\SYSNATIVE\drivers\hitmanpro37.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 iscFlash;iscFlash;c:\swsetup\sp48895\iscflashx64.sys;c:\swsetup\sp48895\iscflashx64.sys [x]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 asahci64;asahci64;c:\windows\system32\DRIVERS\asahci64.sys;c:\windows\SYSNATIVE\DRIVERS\asahci64.sys [x]
S0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hcs.sys [x]
S1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx64.sys;c:\windows\SYSNATIVE\drivers\avgtpx64.sys [x]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys;c:\windows\SYSNATIVE\DRIVERS\avkmgr.sys [x]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files (x86)\Avira\Antivirus\sched.exe;c:\program files (x86)\Avira\Antivirus\sched.exe [x]
S2 Apple Mobile Device Service;Apple Mobile Device Service;c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe;c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [x]
S2 avnetflt;avnetflt;c:\windows\system32\DRIVERS\avnetflt.sys;c:\windows\SYSNATIVE\DRIVERS\avnetflt.sys [x]
S2 DiagTrack;Diagnostics Tracking Service;c:\windows\System32\svchost.exe;c:\windows\SYSNATIVE\svchost.exe [x]
S2 IDriveE Service;IDriveE Service;c:\idrive\IDriveE Service.exe;c:\idrive\IDriveE Service.exe [x]
S2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe;c:\program files\Intel\iCLS Client\HeciServer.exe [x]
S2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe;c:\windows\SYSNATIVE\IProsetMonitor.exe [x]
S2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [x]
S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe;c:\program files (x86)\Nero\Update\NASvc.exe [x]
S2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [x]
S2 RealPlayer Cloud Service;RealPlayer Cloud Service;c:\program files (x86)\real\realplayer\RPDS\Bin\rpdsvc.exe;c:\program files (x86)\real\realplayer\RPDS\Bin\rpdsvc.exe [x]
S2 TeamViewer6;TeamViewer 6;c:\program files (x86)\TeamViewer\Version6\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\DRIVERS\asmthub3.sys;c:\windows\SYSNATIVE\DRIVERS\asmthub3.sys [x]
S3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\DRIVERS\asmtxhci.sys;c:\windows\SYSNATIVE\DRIVERS\asmtxhci.sys [x]
S3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hub.sys [x]
S3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3xhc.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
S3 Point64;Microsoft Mouse and Keyboard Center Filter Driver;c:\windows\system32\DRIVERS\point64.sys;c:\windows\SYSNATIVE\DRIVERS\point64.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-06-17 17:11 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{2D46B6DC-2207-486B-B523-A557E6D54B47}]
start [BU]
.
Contents of the 'Scheduled Tasks' folder
.
2015-08-12 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-11-16 19:10]
.
2015-08-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-11-21 20:11]
.
2015-08-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-11-21 20:11]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ AccExtIco1]
@="{AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47}"
[HKEY_CLASSES_ROOT\CLSID\{AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47}]
2015-04-16 21:42 997536 ----a-w- c:\program files (x86)\Adobe\Adobe Creative Cloud\CoreSyncExtension\CoreSync_x64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ AccExtIco2]
@="{853B7E05-C47D-4985-909A-D0DC5C6D7303}"
[HKEY_CLASSES_ROOT\CLSID\{853B7E05-C47D-4985-909A-D0DC5C6D7303}]
2015-04-16 21:42 997536 ----a-w- c:\program files (x86)\Adobe\Adobe Creative Cloud\CoreSyncExtension\CoreSync_x64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ AccExtIco3]
@="{42D38F2E-98E9-4382-B546-E24E4D6D04BB}"
[HKEY_CLASSES_ROOT\CLSID\{42D38F2E-98E9-4382-B546-E24E4D6D04BB}]
2015-04-16 21:42 997536 ----a-w- c:\program files (x86)\Adobe\Adobe Creative Cloud\CoreSyncExtension\CoreSync_x64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt1"]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2015-02-11 01:12 185824 ----a-w- c:\users\Donna L. White\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt2"]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2015-02-11 01:12 185824 ----a-w- c:\users\Donna L. White\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt3"]
@="{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}]
2015-02-11 01:12 185824 ----a-w- c:\users\Donna L. White\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt4"]
@="{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}]
2015-02-11 01:12 185824 ----a-w- c:\users\Donna L. White\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt5"]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2015-02-11 01:12 185824 ----a-w- c:\users\Donna L. White\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt6"]
@="{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}]
2015-02-11 01:12 185824 ----a-w- c:\users\Donna L. White\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt7"]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2015-02-11 01:12 185824 ----a-w- c:\users\Donna L. White\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt8"]
@="{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}]
2015-02-11 01:12 185824 ----a-w- c:\users\Donna L. White\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-12-14 172144]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-12-14 399984]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-12-14 441968]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2015-03-30 500936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2015-07-11 170280]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mDefault_Search_URL = about:blank
mDefault_Page_URL = about:blank
mStart Page = about:blank
mLocal Page = c:\windows\SysWOW64\blank.htm
mSearch Page = about:blank
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
Toolbar-Locked - (no file)
AddRemove-SPAMfighter - c:\program files (x86)\Fighters\SPAMfighter\uninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_18_0_0_232_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_18_0_0_232_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_18_0_0_232_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_18_0_0_232_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_18_0_0_232.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.18"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_18_0_0_232.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_18_0_0_232.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_18_0_0_232.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B9A09F18-45AB-4F09-A117-A4ADDA8FA8C8}]
@Denied: (A) (Everyone)
"Solution"="{36eb6792-3a29-43b3-8cd0-f67d266fb426}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane\0]
"Key"="ActionsPane"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\8.0\\ActionsPane.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2015-08-12  12:54:47
ComboFix-quarantined-files.txt  2015-08-12 16:54
ComboFix2.txt  2015-08-10 04:20
ComboFix3.txt  2014-03-13 22:10
.
Pre-Run: 419,764,535,296 bytes free
Post-Run: 420,144,152,576 bytes free
.
- - End Of File - - 2F1918232B0BE2F36816263095613555
A36C5E4F47E84449FF07ED3517B43A31


Edited by boopme, 13 August 2015 - 11:59 AM.



#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,171 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:52 PM

Posted 14 August 2015 - 08:33 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===


From the Combofix log.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\SysWow64\dnsapi.dll . . . is infected!


===

--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • When instructed Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Report"
  • Click on the Export TXT button and save the file as RogueReport.txt
  • The file RogueReport.txt will be saved on the desktop.
  • Close the program.
  • Open the file with Notepad and Copy/paste the content into your next reply.
<<<>>>

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
===

Please run the Farbar Recovery Scan Tool one more time. Enter dnsapi.dll in the Search Box and hit the File Search button.
Post the content of the Search.txt in your next reply

Wait for further instructions.

#3 monetary1995

monetary1995
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:02:52 PM

Posted 14 August 2015 - 12:48 PM

Thanks for the reply.  I have run both scans and attached the txt files.

 

Sorry the attachments are in the next post...


Edited by monetary1995, 14 August 2015 - 01:00 PM.


#4 monetary1995

monetary1995
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:02:52 PM

Posted 14 August 2015 - 12:54 PM

Thanks for the reply!

 

I have run all the scans and attached the txt files...

Attached Files



#5 nasdaq

nasdaq

  • Malware Response Team
  • 40,171 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:52 PM

Posted 15 August 2015 - 07:44 AM

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2999482364-1664440285-2268239492-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Extension: No Name - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [not found]
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - https://clients2.google.com/service/update2/crx
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
Task: {01B517C5-CDFC-4D84-A9A7-B0B1A670E99A} - \WordSurfer Auto Updater 1.10.0.19 Pending Update -> No File <==== ATTENTION
Task: {1A8A70D3-EAB8-4241-BF7D-C7FF02F688E2} - \Optimizer Pro Schedule -> No File <==== ATTENTION
Task: {1BEAB024-204B-4012-90BA-1BEC6D7B7D70} - \One System Care Monitor -> No File <==== ATTENTION
Task: {3015AB41-95BD-435F-8F81-6AFBA61AB5C8} - \PhraseProfessor Auto Updater 1.10.0.21 Core -> No File <==== ATTENTION
Task: {47584684-5B7E-4233-AB81-BA9860CC8A90} - \WordSurfer Auto Updater 1.10.0.19 Core -> No File <==== ATTENTION
Task: {49DBF0C5-EC64-43AE-B2BA-EB97D0463BB1} - \PhraseProfessor Auto Updater 1.10.0.21 Pending Update -> No File <==== ATTENTION
Task: {5A3BB23C-E1FA-490A-9AF1-7CE2D9DB2205} - \Selection Tools Update -> No File <==== ATTENTION
Task: {9DBE2DA1-757A-4D3C-98B8-A7C9EDFDD79F} - \Super Optimizer Schedule -> No File <==== ATTENTION
Task: {B431513B-040D-4FB0-8F55-7A1A32766BDA} - \WebBarLaunchTask -> No File <==== ATTENTION
Task: {BB0A9D29-32CD-403D-AD96-40D1D14F10C6} - \One System Care Run Delay -> No File <==== ATTENTION
Task: {BCA74F41-2A31-4355-915D-F371CD6EDA90} - \WindApp Update -> No File <==== ATTENTION
Task: {C0584DFD-B77F-408B-BA22-2C1FA6BCD558} - \Superclean -> No File <==== ATTENTION
Task: {C6ABFB12-479C-4C11-884F-8C836CD14BCA} - \One System CareStartUp -> No File <==== ATTENTION
Task: {C755F080-3131-45AA-B735-C3E92F213A5E} - \One System CarePeriod -> No File <==== ATTENTION
Task: {D4D72716-2909-40B0-8158-906545F05BC0} - \bvxvyxvec -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:D6585142
C:\Windows\System32\stqqslw.dll
cmd: ipconfig /flushdns

End
Save the file as fixlist.txt in the same folder the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.


Clean the Internet Explorer Cache.
https://kb.wisc.edu/page.php?id=15141

For IE 10, 11 follow the following instructions.
http://refreshyourcache.com/en/internet-explorer-11/
===

The Search.txt file you attached is the same as the FRST.TXT file.

If the problem persists please repeat these instructions.
Please run the Farbar Recovery Scan Tool one more time. Enter dnsapi.dll in the Search Box and hit the File Search button.
Post the content of the Search.txt in your next reply

How is the computer running now?

#6 monetary1995

monetary1995
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:02:52 PM

Posted 15 August 2015 - 01:50 PM

Thanks for your reply!

 

I have completed your instructions and attached the Fixlog.txt and the search.txt

 

The problem still exists...

Attached Files



#7 nasdaq

nasdaq

  • Malware Response Team
  • 40,171 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:52 PM

Posted 16 August 2015 - 07:33 AM


I'm not sure that the file dnsapi.dll is corrupted.

Please go to Virus Total and scan both files (they are in different folders)
https://www.virustotal.com/

C:\Windows\SysWOW64\dnsapi.dll
C:\Windows\System32\dnsapi.dll

Post the results for my review.

===

--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • When instructed Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Report"
  • Click on the Export TXT button and save the file as RogueReport.txt
  • The file RogueReport.txt will be saved on the desktop.
  • Close the program.
  • Open the file with Notepad and Copy/paste the content into your next reply.
---

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 3 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.

rkill.exe
rkill.com
rkill.scr

It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested on another computer and then transfer them to the desktop of the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

When completed it will create a log. Please post the content on your next reply.
===

Please post the logs for my review.
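
As an added example (not from the thread), a PowerShell script that collects what the VirusTotal comparison above needs from both dnsapi.dll copies and then runs Windows' own integrity check on each; it assumes an elevated prompt and PowerShell 4 or later for Get-FileHash.

```powershell
# Added example (not from the thread): gather what a VirusTotal comparison of
# the two dnsapi.dll copies needs, then run Windows' own integrity check.
# Assumes an elevated PowerShell prompt and PowerShell 4+ (for Get-FileHash);
# on PowerShell 2, 'certutil -hashfile <file> SHA256' gives the same hash.

$files = @(
    "$env:SystemRoot\System32\dnsapi.dll",   # native 64-bit copy
    "$env:SystemRoot\SysWOW64\dnsapi.dll"    # 32-bit copy ComboFix flagged
)

function Get-DllReport {
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path
    # System DLLs are catalog-signed. Windows 7's PowerShell reports NotSigned
    # for catalog-signed files, so treat this status as a hint only; the sfc
    # run further down is the authoritative check.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    [pscustomobject]@{
        Path        = $Path
        SizeBytes   = $item.Length
        ModifiedUtc = $item.LastWriteTimeUtc
        FileVersion = $item.VersionInfo.FileVersion
        Company     = $item.VersionInfo.CompanyName
        SHA256      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Signature   = $sig.Status
        Signer      = $signer
    }
}

$reports = foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { Get-DllReport -Path $f }
    else { Write-Warning "Missing: $f" }
}
$reports | Format-List   # paste each SHA256 into the VirusTotal search box

# The two copies legitimately differ in hash (x64 code vs x86 code), but they
# should carry the same CompanyName and FileVersion. A copy whose version,
# company or timestamp differs from the other deserves a closer look.
if ($reports.Count -eq 2 -and $reports[0].FileVersion -ne $reports[1].FileVersion) {
    Write-Warning "FileVersion differs between the System32 and SysWOW64 copies"
}

# Authoritative check: System File Checker compares the file with the
# catalogs Windows shipped with and reports whether it is intact.
foreach ($f in $files) {
    sfc.exe /VERIFYFILE=$f
}
```

A clean file ends the sfc run with "Windows Resource Protection did not find any integrity violations"; a corrupt verdict, or a hash VirusTotal has never seen for a Microsoft-versioned file, is the evidence to post back.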

#8 monetary1995

monetary1995
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:02:52 PM

Posted 17 August 2015 - 10:31 AM

Thanks for the reply...

 

I have completed your instructions and attached the files requested

 

I didn't see where the VirusTotal would allow to export the report so I typed it in a notepad file.

Attached Files



#9 nasdaq

nasdaq

  • Malware Response Team
  • 40,171 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:52 PM

Posted 17 August 2015 - 01:07 PM

This report may be a false positive.

* Windows Firewall Disabled

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = dword:00000000


With the fix I submitted a Restore point was created.

Please ensure that the Restore function is ON.

Turn System Restore on or off - Windows Help
http://windows.microsoft.com/en-ca/windows/turn-system-restore-on-off#1TC=windows-7
===

All reports are looking good.
How is the computer running now?
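
An added example, not part of nasdaq's post, that checks the two settings raised above from PowerShell: the per-profile firewall state under the FirewallPolicy key quoted in the report, and System Restore, and then switches both back on. It assumes an elevated prompt and PowerShell 3 or later on Windows 7 or newer.

```powershell
# Added example (not from the thread): inspect the per-profile Windows Firewall
# state under the registry key quoted in the report, re-enable the firewall,
# and make sure System Restore is on. Assumes an elevated PowerShell 3+ prompt.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$profiles = @(
    @{ Name = 'Domain';  Key = 'DomainProfile' },
    @{ Name = 'Private'; Key = 'StandardProfile' },   # shown with EnableFirewall = 0
    @{ Name = 'Public';  Key = 'PublicProfile' }
)

function Get-FirewallProfileState {
    foreach ($p in $profiles) {
        $key = Join-Path $base $p.Key
        $v = (Get-ItemProperty -Path $key -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall
        $state = switch ($v) {
            1       { 'ON' }
            0       { 'OFF' }
            default { 'not set (defaults to ON)' }
        }
        [pscustomobject]@{ Profile = $p.Name; RegistryKey = $key; EnableFirewall = $state }
    }
}

"Before:"
Get-FirewallProfileState | Format-Table -AutoSize

# EnableFirewall = 0 is a common side effect of adware/malware installers.
# Rather than editing the value by hand, let the firewall service set it for
# all three profiles so the change is applied consistently.
netsh advfirewall set allprofiles state on | Out-Null

"After:"
Get-FirewallProfileState | Format-Table -AutoSize

# System Restore: the CreateRestorePoint: line in the FRST fixlist only
# produces a restore point when protection is enabled on the system drive.
Enable-ComputerRestore -Drive "$env:SystemDrive\"
Get-ComputerRestorePoint |
    Sort-Object CreationTime -Descending |
    Select-Object SequenceNumber, Description, RestorePointType, CreationTime -First 3 |
    Format-Table -AutoSize
```

The last table should list the restore point the fix created; if it is empty after Enable-ComputerRestore, protection was off when the fixlist ran and there is nothing to roll back to.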

#10 monetary1995

monetary1995
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:02:52 PM

Posted 17 August 2015 - 07:00 PM

  1. This issue is still the same: every time I get on the web and click a link, popups come up opening another web site advertising something.


#11 nasdaq

nasdaq

  • Malware Response Team
  • 40,171 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:52 PM

Posted 18 August 2015 - 06:58 AM

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
autoclean;
emptyalltemp;
ipconfig /flushdns;
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.

Also, please provide an update on how the computer is behaving after running the above script.

#12 monetary1995

monetary1995
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:02:52 PM

Posted 19 August 2015 - 12:45 AM

Thanks for the reply!

 

I have followed your instructions and attached the zoek-results.log.

 

The system is still having the same issue....

 

 

Attached Files



#13 nasdaq

nasdaq

  • Malware Response Team
  • 40,171 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:52 PM

Posted 19 August 2015 - 07:19 AM

Download to your Desktop the Junkware Removal Tool Download from this link.
http://www.bleepingcomputer.com/download/junkware-removal-tool/

Shutdown your antivirus to avoid any conflicts.
Right click the icon - disable for say 20 mins.
Right-mouse click JRT.exe and select Run as administrator (If using XP just double click on the icon to run it.)
The tool will open and start scanning your system.
Please be patient as this can take a while to complete.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.
======

#14 monetary1995

monetary1995
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:02:52 PM

Posted 19 August 2015 - 09:58 AM

I ran the jrt.exe and have attached the file. 

 

Sorry but the browser is still having the same issue...   This has been really hard to remove.  Do you think it is a hijack?

Attached Files

  • Attached File: JRT.txt (1.43KB, 1 downloads)


#15 nasdaq

nasdaq

  • Malware Response Team
  • 40,171 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:52 PM

Posted 19 August 2015 - 12:50 PM

Can you tell me where these popups come from?

Anything that can help identify the origin.



