Crowti.A - Win32/Crowti - Ransomware


  • This topic is locked
32 replies to this topic

#1 ericc92069

ericc92069

  • Members
  • 23 posts
  • OFFLINE
  • Local time:03:47 PM

Posted 19 September 2015 - 01:28 PM

Hello. My computer appears to be infected with the Win32/Crowti virus and possibly other variations of it. Malwarebytes picked up nothing during a scan. Microsoft Security Essentials (MSE) removed it but on an infrequent basis it comes back and MSE will quarantine it prior to me removing it. I am running Windows 7. I have not tried other removal tools other than Malwarebytes and MSE and just scanned the registry (I am a layman) and it seems to look okay. Files on my computer's desktop were corrupted (i.e. Word, Excel, PDF, etc.) and I have them saved in a single folder which I plan to discard. I also found 855 instances of Decrypt.txt and Decrypt.png files on my hard drive that I deleted. The computer seems to be running okay but I am not sold that the virus/malware is removed.

 

Your help would be greatly appreciated. Thanks.

 

Eric

 

FRST Log is below and I have attached the Addition File

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:15-09-2015
Ran by dweis (administrator) on DAN-PC (19-09-2015 11:20:44)
Running from C:\Users\dweis\Desktop\Fix
Loaded Profiles: dweis (Available Profiles: dweis & tjacquay & Administrator & dsiren)
Platform: Microsoft Windows 7 Professional  Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(Wave Systems Corp.) C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
() C:\Windows\System32\srvany.exe
() C:\Windows\KMService.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\VS7DEBUG\MDM.EXE
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
(Google Inc.) C:\Program Files\Google\Update\1.3.28.15\GoogleCrashHandler.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Microsoft Corporation) C:\Windows\System32\LogonUI.exe
(AMD) C:\Windows\System32\atieclxx.exe
(UPEK Inc.) C:\Program Files\Common Files\SPBA\upeksvr.exe
(UPEK Inc.) C:\Program Files\Common Files\SPBA\upeksvr.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Brother Industries, Ltd.) C:\Program Files\Brother\ControlCenter3\BrccMCtl.exe
(Adobe Systems Inc.) C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Advanced Micro Devices Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Google Inc.) C:\Users\dweis\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\dweis\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\dweis\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\dweis\AppData\Local\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
HKLM\...\Run: [BrMfcWnd] => C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [1159168 2009-05-26] (Brother Industries, Ltd.)
HKLM\...\Run: [ControlCenter3] => C:\Program Files\Brother\ControlCenter3\brctrcen.exe [114688 2008-12-24] (Brother Industries, Ltd.)
HKLM\...\Run: [Adobe Acrobat Speed Launcher] => C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe [44128 2013-05-08] (Adobe Systems Incorporated)
HKLM\...\Run: [] => [X]
HKLM\...\Run: [Acrobat Assistant 8.0] => C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe [642664 2013-05-08] (Adobe Systems Inc.)
HKLM\...\Run: [StartCCC] => C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [641704 2012-06-11] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [AMD AVT] => C:\Program Files\AMD AVT\bin\kdbsync.exe [20992 2012-03-19] ()
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [981688 2015-04-30] (Microsoft Corporation)
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2014-10-02] (Apple Inc.)
Winlogon\Notify\spba: C:\Program Files\Common Files\SPBA\homefus2.dll [2010-09-15] (UPEK Inc.)
HKLM\...\Policies\Explorer: [NoWelcomeScreen] 1
HKU\S-1-5-21-2105829065-2458452796-1885057702-1138\...\Run: [Google Update] => C:\Users\dweis\AppData\Local\Google\Update\GoogleUpdate.exe [144200 2015-08-29] (Google Inc.)
Lsa: [Authentication Packages] msv1_0 wvauth
ShellIconOverlayIdentifiers: [AutoCAD Digital Signatures Icon Overlay Handler] -> {36A21736-36C2-4C11-8ACB-D4136F2B57BD} => C:\Windows\system32\AcSignIcon.dll [2011-03-30] (Autodesk, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\dweis\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll [2015-02-10] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\dweis\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll [2015-02-10] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\dweis\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll [2015-02-10] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [EnabledUnlockedFDEIconOverlay] -> {30D3C2AF-9709-4D05-9CF4-13335F3C1E4A} => C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll [2010-10-16] (Wave Systems Corp.)
ShellIconOverlayIdentifiers: [UninitializedFdeIconOverlay] -> {CF08DA3E-C97D-4891-A66B-E39B28DD270F} => C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll [2010-10-16] (Wave Systems Corp.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [152864 2011-04-06] (Apple Inc.)
Hosts: 178.162.173.114 google.com
Tcpip\..\Interfaces\{2584D92E-05A4-4E93-95F9-D4F850D762FF}: [NameServer] 192.168.0.252
 
Internet Explorer:
==================
HKU\S-1-5-21-2105829065-2458452796-1885057702-1138\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/USREL/1
SearchScopes: HKLM -> DefaultScope {58C6AC1C-47C7-41B2-B004-BDDE3B0B9026} URL = hxxp://www.bing.com/search?q={searchTerms}&form=DLRDF8&pc=MDDR&src=IE-SearchBox
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM -> {58C6AC1C-47C7-41B2-B004-BDDE3B0B9026} URL = hxxp://www.bing.com/search?q={searchTerms}&form=DLRDF8&pc=MDDR&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-2105829065-2458452796-1885057702-1138 -> DefaultScope {58C6AC1C-47C7-41B2-B004-BDDE3B0B9026} URL = 
SearchScopes: HKU\S-1-5-21-2105829065-2458452796-1885057702-1138 -> {58C6AC1C-47C7-41B2-B004-BDDE3B0B9026} URL = 
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2012-09-23] (Adobe Systems Incorporated)
BHO: TmIEPlugInBHO Class -> {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -> c:\Program Files\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg.dll [2010-03-09] (Trend Micro Inc.)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-19] (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_31\bin\ssv.dll [2015-02-22] (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
BHO: Windows Live Messenger Companion Helper -> {9FDDE16B-836F-4806-AB1F-1455CBEFF289} -> C:\Program Files\Windows Live\Companion\companioncore.dll [2010-11-10] (Microsoft Corporation)
BHO: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2013-05-08] (Adobe Systems Incorporated)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_31\bin\jp2ssv.dll [2015-02-22] (Oracle Corporation)
BHO: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2013-05-08] (Adobe Systems Incorporated)
Toolbar: HKLM - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2013-05-08] (Adobe Systems Incorporated)
Toolbar: HKU\S-1-5-21-2105829065-2458452796-1885057702-1138 -> Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2013-05-08] (Adobe Systems Incorporated)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_55-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0055-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_55-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_55-windows-i586.cab
DPF: {F375116A-793C-11D2-BFE1-444553540001} hxxp://mls.realist.com/mapviewer/mapviewer.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} hxxps://secure.logmein.com//activex/ractrl.cab?lmi=1007
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\Program Files\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg.dll [2010-03-09] (Trend Micro Inc.)
 
FireFox:
========
FF Plugin: @Google.com/GoogleEarthPlugin -> C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll [2015-05-21] (Google)
FF Plugin: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll [2015-02-22] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\plugin2\npjp2.dll [2015-02-22] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~3\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-14] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-14] (Google Inc.)
FF Plugin: Adobe Acrobat -> C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Air\nppdf32.dll [2013-05-08] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-2105829065-2458452796-1885057702-1138: @citrixonline.com/appdetectorplugin -> C:\Users\dweis\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2015-09-09] (Citrix Online)
FF Plugin HKU\S-1-5-21-2105829065-2458452796-1885057702-1138: @tools.google.com/Google Update;version=3 -> C:\Users\dweis\AppData\Local\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-16] (Google Inc.)
FF Plugin HKU\S-1-5-21-2105829065-2458452796-1885057702-1138: @tools.google.com/Google Update;version=9 -> C:\Users\dweis\AppData\Local\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-16] (Google Inc.)
FF HKLM\...\Firefox\Extensions: [{22C7F6C6-8D67-4534-92B5-529A0EC09405}] - c:\Program Files\Trend Micro\Client Server Security Agent\bho\1009\FirefoxExtension
FF Extension: Trend Micro NSC Firefox Extension - c:\Program Files\Trend Micro\Client Server Security Agent\bho\1009\FirefoxExtension [2011-03-17]
 
Chrome: 
=======
CHR Plugin: (Native Client) - C:\Users\dweis\AppData\Local\Google\Chrome\Application\45.0.2454.93\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Users\dweis\AppData\Local\Google\Chrome\Application\45.0.2454.93\pdf.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Users\dweis\AppData\Local\Google\Chrome\User Data\NPAPIFlash\gcswf32.dll => No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files\QuickTime\plugins\npqtplugin6.dll => No File
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files\QuickTime\plugins\npqtplugin7.dll => No File
CHR Plugin: (Google Earth Plugin) - C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll => No File
CHR Plugin: (Java™ Platform SE 6 U31) - C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll => No File
CHR Plugin: (Windows Live Photo Gallery) - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (iTunes Application Detector) - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll => No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll => No File
CHR Profile: C:\Users\dweis\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (YouTube) - C:\Users\dweis\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2012-02-08]
CHR Extension: (Adblock Plus) - C:\Users\dweis\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2013-12-04]
CHR Extension: (Google Search) - C:\Users\dweis\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2012-02-08]
CHR Extension: (Qualys BrowserCheck for Windows) - C:\Users\dweis\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejhnkognlohdkpjkjongioociddgoibk [2015-06-07]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\dweis\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-14]
CHR Extension: (Chrome Web Store Payments) - C:\Users\dweis\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-21]
CHR Extension: (LogMeIn) - C:\Users\dweis\AppData\Local\Google\Chrome\User Data\Default\Extensions\omkjapkpkiciphacnalicgmmcelfolon [2013-07-25]
CHR Extension: (Gmail) - C:\Users\dweis\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2012-02-08]
StartMenuInternet: Google Chrome - C:\Users\dsiren\AppData\Local\Google\Chrome\Application\chrome.exe
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [651720 2011-05-04] (Macrovision Europe Ltd.) [File not signed]
R2 KMService; C:\Windows\system32\srvany.exe [8192 2015-03-09] () [File not signed]
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22216 2015-04-30] (Microsoft Corporation)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [44032 2010-08-06] (Hewlett-Packard) [File not signed]
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [284504 2015-04-30] (Microsoft Corporation)
S4 ntrtscan; c:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe [1323912 2010-06-22] (Trend Micro Inc.)
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [53760 2010-08-06] (Hewlett-Packard) [File not signed]
S3 RoxMediaDB12OEM; C:\Program Files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [1116656 2010-11-25] (Sonic Solutions)
S2 RoxWatch12; C:\Program Files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [219632 2010-11-25] (Sonic Solutions)
S3 SecureStorageService; C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Secure Storage Manager\SecureStorageService.exe [1477632 2010-11-03] (Wave Systems Corp.) [File not signed]
S4 svcGenericHost; c:\Program Files\Trend Micro\Client Server Security Agent\HostedAgent\svcGenericHost.exe [45056 2010-07-05] (Trend Micro Inc.) [File not signed]
S2 tcsd_win32.exe; C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe [1629696 2010-07-13] () [File not signed]
R2 TdmService; C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe [2336104 2010-10-16] (Wave Systems Corp.)
S4 tmlisten; c:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe [1358160 2010-06-22] (Trend Micro Inc.)
S4 TmPfw; c:\Program Files\Trend Micro\Client Server Security Agent\TmPfw.exe [497008 2009-07-15] (Trend Micro Inc.)
S4 TmProxy; c:\Program Files\Trend Micro\Client Server Security Agent\TmProxy.exe [689416 2009-07-15] (Trend Micro Inc.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-26] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2015-06-18] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2015-06-18] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [245096 2015-03-04] (Microsoft Corporation)
R1 MpKsle1259cdc; c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{8AB1A45C-64E6-4E0A-8038-374028B501BE}\MpKsle1259cdc.sys [39168 2015-09-19] (Microsoft Corporation)
S3 NAL; C:\Windows\system32\Drivers\iqvw32.sys [30880 2010-02-02] (Intel Corporation )
R0 PBADRV; C:\Windows\System32\DRIVERS\PBADRV.sys [26608 2008-06-04] (Dell Inc)
S2 tmcomm; C:\Windows\System32\DRIVERS\tmcomm.sys [158224 2009-07-06] (Trend Micro Inc.)
R2 TmFilter; c:\Program Files\Trend Micro\Client Server Security Agent\TmXPFlt.sys [230928 2010-05-10] (Trend Micro Inc.)
R1 tmlwf; C:\Windows\System32\DRIVERS\tmlwf.sys [146448 2009-07-15] (Trend Micro Inc.)
R2 TmPreFilter; c:\Program Files\Trend Micro\Client Server Security Agent\TmPreFlt.sys [36368 2010-05-10] (Trend Micro Inc.)
R1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [89872 2009-07-15] (Trend Micro Inc.)
R2 tmwfp; C:\Windows\System32\DRIVERS\tmwfp.sys [283152 2009-07-15] (Trend Micro Inc.)
R2 VSApiNt; c:\Program Files\Trend Micro\Client Server Security Agent\VSApiNt.sys [1322808 2010-05-10] (Trend Micro Inc.)
S3 lmimirr; system32\DRIVERS\lmimirr.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-09-19 11:20 - 2015-09-19 11:20 - 00000000 ____D C:\Users\dweis\Desktop\Fix
2015-09-19 11:20 - 2015-09-19 11:20 - 00000000 ____D C:\FRST
2015-09-19 09:10 - 2015-09-19 09:10 - 00009932 _____ C:\Users\dweis\Documents\cc_20150919_091016.reg
2015-09-19 08:36 - 2015-09-19 08:37 - 00000000 ____D C:\Users\dweis\Desktop\bleeped
2015-09-18 13:52 - 2015-09-18 16:26 - 00000168 _____ C:\Windows\setupact.log
2015-09-18 13:52 - 2015-09-18 13:52 - 00000000 _____ C:\Windows\setuperr.log
2015-09-18 13:19 - 2015-09-18 13:58 - 00000000 ___HD C:\4a61582f
2015-09-18 13:18 - 2015-09-18 13:18 - 00000000 ____D C:\Users\dweis\AppData\Roaming\Firewall
2015-09-18 09:42 - 2015-09-18 09:42 - 00248672 _____ C:\Users\dweis\Downloads\HERO_Soil-Gas_Screening_Model_March2014 (17).xlsm
2015-09-17 12:54 - 2015-09-17 12:54 - 00052512 _____ C:\Users\dweis\Downloads\MCLs-DLRs-PHGs (5).xls
2015-09-14 14:18 - 2015-09-14 14:18 - 00248672 _____ C:\Users\dweis\Downloads\HERO_Soil-Gas_Screening_Model_March2014 (16).xlsm
2015-09-09 10:24 - 2015-09-19 11:14 - 00000562 _____ C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-2105829065-2458452796-1885057702-1138.job
2015-09-09 10:24 - 2015-09-19 10:12 - 00000658 _____ C:\Windows\Tasks\G2MUploadTask-S-1-5-21-2105829065-2458452796-1885057702-1138.job
2015-09-09 10:24 - 2015-09-19 06:42 - 00000000 ____D C:\Users\dweis\AppData\Local\Citrix
2015-08-31 20:44 - 2009-08-19 23:50 - 00022872 ____R (Adobe Systems Inc.) C:\Windows\system32\AdobePDFUI.dll
2015-08-31 13:20 - 2015-08-31 13:20 - 00248672 _____ C:\Users\dweis\Downloads\HERO_Soil-Gas_Screening_Model_March2014 (15).xlsm
2015-08-27 09:02 - 2015-08-27 09:02 - 00001066 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-08-27 09:00 - 2015-08-27 09:00 - 00238904 _____ C:\Users\dweis\Documents\cc_20150827_090021.reg
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-09-19 11:21 - 2012-02-08 17:16 - 00000908 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2105829065-2458452796-1885057702-1138UA.job
2015-09-19 11:15 - 2011-04-25 09:47 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-09-19 11:06 - 2011-03-25 06:50 - 00000419 _____ C:\Windows\BRWMARK.INI
2015-09-19 11:06 - 2011-03-25 06:50 - 00000027 _____ C:\Windows\BRPP2KA.INI
2015-09-19 11:06 - 2009-07-13 21:55 - 01299377 _____ C:\Windows\WindowsUpdate.log
2015-09-19 11:06 - 2009-07-13 21:52 - 00000000 ____D C:\Windows\system32\FxsTmp
2015-09-19 10:58 - 2011-05-03 09:13 - 3891938304 _____ C:\Users\dweis\Documents\Outlook.pst
2015-09-19 10:58 - 2011-05-03 08:37 - 447087616 _____ C:\Users\dweis\Documents\archive.pst
2015-09-19 10:51 - 2011-03-24 17:04 - 00000112 _____ C:\Windows\system32\config\netlogon.ftl
2015-09-19 10:37 - 2011-03-28 08:27 - 00000912 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2219463878-2490369369-3247035464-1000UA.job
2015-09-19 09:10 - 2014-10-09 11:15 - 00098520 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-09-19 09:08 - 2011-03-25 06:45 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2015-09-19 09:08 - 2011-03-25 06:45 - 00000000 ____D C:\Program Files\CCleaner
2015-09-19 09:03 - 2011-04-25 09:47 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-09-19 06:42 - 2014-04-26 20:08 - 00000000 ____D C:\Users\dweis\AppData\Roaming\TeamViewer
2015-09-19 06:42 - 2014-02-04 13:41 - 00000000 ____D C:\Users\dweis\AppData\Local\LogMeIn Client
2015-09-19 06:42 - 2013-01-28 11:31 - 00000000 ___SD C:\Users\dweis\Documents\My Data Sources
2015-09-19 06:42 - 2012-02-08 17:16 - 00000000 ____D C:\Users\dweis\AppData\Local\Google
2015-09-19 06:42 - 2011-12-16 10:58 - 00000000 ____D C:\ProgramData\WebEx
2015-09-19 06:42 - 2011-11-03 21:04 - 00000000 ____D C:\Users\dweis\AppData\Local\Akamai
2015-09-19 06:42 - 2011-08-09 16:05 - 00000000 ___RD C:\Users\dweis\Dropbox
2015-09-19 06:42 - 2011-08-09 16:02 - 00000000 ____D C:\Users\dweis\AppData\Roaming\Dropbox
2015-09-19 06:42 - 2011-07-11 10:10 - 00000000 ____D C:\Users\dweis\AppData\Local\Apple Computer
2015-09-19 06:42 - 2011-05-05 12:11 - 00000000 ____D C:\Users\dweis\AppData\Local\MicroVision Applications
2015-09-19 06:42 - 2011-05-04 12:58 - 00000000 ____D C:\ProgramData\FLEXnet
2015-09-19 06:42 - 2011-05-03 20:47 - 00000000 ____D C:\Users\dweis\AppData\Roaming\Autodesk
2015-09-19 06:42 - 2011-05-03 10:02 - 00000000 ____D C:\Users\dweis\AppData\Roaming\Adobe
2015-09-19 06:42 - 2011-05-03 10:02 - 00000000 ____D C:\Users\dweis\AppData\Local\VirtualStore
2015-09-19 06:42 - 2011-05-03 10:02 - 00000000 ____D C:\Users\dweis\AppData\Local\Adobe
2015-09-19 06:42 - 2011-05-03 10:02 - 00000000 ____D C:\Users\dweis
2015-09-19 06:42 - 2011-03-25 06:39 - 00000000 ____D C:\Users\administrator\Desktop\Adobe Acrobat 6.0 Standard
2015-09-19 06:42 - 2011-03-24 17:32 - 00000000 ____D C:\Users\administrator\Desktop\MS Office 2003
2015-09-19 06:42 - 2011-03-24 17:25 - 00000000 ____D C:\Users\administrator
2015-09-19 06:42 - 2011-03-17 08:07 - 00000000 ____D C:\ProgramData\Sonic
2015-09-18 19:17 - 2013-09-13 22:32 - 00000436 __RSH C:\Users\dweis\ntuser.pol
2015-09-18 18:37 - 2011-03-28 08:27 - 00000860 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2219463878-2490369369-3247035464-1000Core.job
2015-09-18 16:32 - 2009-07-13 21:34 - 00014256 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-09-18 16:32 - 2009-07-13 21:34 - 00014256 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-09-18 16:30 - 2011-03-17 07:55 - 00830166 _____ C:\Windows\system32\PerfStringBackup.INI
2015-09-18 16:26 - 2009-07-13 21:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-09-18 12:21 - 2012-02-08 17:16 - 00000856 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2105829065-2458452796-1885057702-1138Core.job
2015-08-31 20:44 - 2013-10-24 09:09 - 00002465 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Distiller 9.lnk
2015-08-31 20:44 - 2011-05-04 12:57 - 00002507 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Acrobat 9 Standard.lnk
2015-08-27 09:02 - 2014-10-09 11:14 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-08-27 09:02 - 2014-10-09 11:14 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2015-08-27 08:59 - 2011-03-25 07:06 - 00000000 ____D C:\Program Files\Common Files\Adobe
2015-08-27 08:59 - 2011-03-25 07:06 - 00000000 ____D C:\Program Files\Adobe
2015-08-24 07:24 - 2012-06-21 11:56 - 00002008 ____H C:\Users\dweis\Documents\Default.rdp
 
==================== Files in the root of some directories =======
 
2011-11-16 22:22 - 2013-11-05 12:08 - 0004096 ____H () C:\Users\dweis\AppData\Local\keyfile3.drm
2012-08-16 14:01 - 2012-08-16 14:02 - 0000072 _____ () C:\Users\dweis\AppData\Local\xobni_installer_updater.log
 
Some files in TEMP:
====================
C:\Users\administrator\AppData\Local\Temp\ApplnchConfig.exe
C:\Users\administrator\AppData\Local\Temp\MSN9CEC.exe
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-09-11 00:27
 
==================== End of FRST.txt ============================



#2 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:47 AM

Posted 19 September 2015 - 03:29 PM

Hello ericc92069 and welcome to BleepingComputer.
 
My name is Yılmaz and I'll help you with the cleanup of malware from your computer.

Before we move on, please read the following points carefully.

  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • Ensure your external and/or USB drives are always inserted during the scan.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I am assuming that you don't need help anymore and your topic will be closed.
  • I can not guarantee that we will find and be able to remove all malware. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
  • Please reply to this thread. Do not start a new topic.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
  • Please log on to the computer as an administrator. How do I log on to the computer as an administrator?
  • Disable your AntiVirus and AntiSpyware applications, as they will interfere with our tools and the removal. If you are unsure how to do this, please get help here.

Thanks
   
I am currently reviewing your log.I will be back with a fix for your problem as soon as possible.Please be patient with me during this time.

 

if any, unfortunately any encrypted files are likely not salvageable. :rolleyes:

 
Sincerely
:hello:


Best regards
 
paypal.gif
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#3 ericc92069

  • Topic Starter

Posted 19 September 2015 - 04:16 PM

Ok thank you Yılmaz. I will await your next response. 



#4 olgun52

  • Malware Response Team

Posted 19 September 2015 - 04:25 PM

Hello ericc92069,

 

Before starting the operations, this is important.
 
Ran by dweis (2015-09-19 11:21:14)

 

Administrator (S-1-5-21-2219463878-2490369369-3247035464-500 - Administrator - Enabled)
dsiren (S-1-5-21-2219463878-2490369369-3247035464-1000 - Limited - Enabled) => C:\Users\dsiren
Guest (S-1-5-21-2219463878-2490369369-3247035464-501 - Limited - Disabled)

 

You must be an administrator on the computer. Are you an Administrator on the computer?

 

Edit: Sorry. OK. No problem.

Loaded Profiles: dweis (Available Profiles: dweis & tjacquay & Administrator & dsiren)

 
Next >>>
 

AV: Trend Micro Client/Server Security Agent Antivirus (Disabled - Up to date) {68F968AC-2AA0-091D-848C-803E83E35902}
AV: Microsoft Security Essentials (Enabled - Up to date) {B7ECF8CD-0188-6703-DBA4-AA65C6ACFB0A}
AS: Microsoft Security Essentials (Enabled - Up to date) {0C8D1929-27B2-688D-E114-9117BD2BB1B7}
AS: Trend Micro Client/Server Security Agent Anti-spyware (Disabled - Up to date) {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Trend Micro Personal Firewall (Disabled) {70A91CD9-303D-A217-A80E-6DEE136EDB2B}

Please uninstall Trend Micro Client/Server Security Agent Antivirus:
http://esupport.trendmicro.com.au/Pages/Manually-Uninstalling-Worry-Free-Business-Security-Agent-Using-the-Uninstall-Tool.aspx
 
Download the security agent Uninstall Tool.

 

Please restart.

 

Let me know when you get that done.


Edited by olgun52, 19 September 2015 - 04:30 PM.



#5 ericc92069

  • Topic Starter

Posted 19 September 2015 - 04:39 PM

Thanks. That is now done.



#6 olgun52

  • Malware Response Team

Posted 19 September 2015 - 05:10 PM

Nice. Thank you.

 

Step 1:

Please download AdwCleaner by Xplode onto your desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search, then Clean.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Step 2:

  • Please download rkill (Courtesy of Bleepingcomputer.com).
  • There are 5 different versions of this tool. If one of them will not run, please try the next one in the list.
  • Note: Vista and Windows 7 Users must right click and select "Run as Administrator" to run the tool.
  • Note: You only need to get one of the tools to run, not all of them.

1. rkill.exe
2. rkill.com
3. rkill.scr
4. WiNlOgOn.exe
5. uSeRiNiT.exe

Next:

 

Please download Malwarebytes Anti-Malware to your desktop.

  • Double-click the downloaded setup file and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply

Step 3:

ComboFix run:
 
IMPORTANT:
  1. Place ComboFix.exe on your Desktop.
  2. Ensure your external and/or USB drives are inserted during the scan.

Next, download ComboFix and save it to the Desktop.

  • Disable all antivirus and antispyware programs. Get help here
  • Now, close all open windows
  • Double-click combofix.exe to run the program
  • Follow the prompts.
  • If the option is offered, it is in your best interest to allow the download and install of the Recovery Console when prompted.
  • When told that the RC is installed correctly, press YES to continue scanning for malware.
  • ComboFix will run. Please don't click on the window while the program is running, it may cause your system to stall.
  • CF may reboot the computer and resume running when it restarts.
  • When finished, a log, ComboFix.txt, is produced.

Edited by olgun52, 19 September 2015 - 05:11 PM.



#7 ericc92069

  • Topic Starter

Posted 19 September 2015 - 06:17 PM

Ok I did all four of these. Here are the logs in order:

 

AdwCleaner

 

# AdwCleaner v5.008 - Logfile created 19/09/2015 at 15:22:48
# Updated 18/09/2015 by Xplode
# Database : 2015-09-17.3 [Server]
# Operating system : Windows 7 Professional Service Pack 1 (x86)
# Username : dweis - DAN-PC
# Running from : C:\Users\dweis\Desktop\Fix\adwcleaner_5.008.exe
# Option : Cleaning
 
***** [ Services ] *****
 
 
***** [ Folders ] *****
 
[-] Folder Deleted : C:\ProgramData\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
 
***** [ Files ] *****
 
[-] File Deleted : C:\Users\dweis\AppData\Local\Google\Chrome\User Data\Default\local storage\hxxp_www.metrolyrics.com_0.localstorage
[-] File Deleted : C:\Users\dweis\AppData\Local\Google\Chrome\User Data\Default\local storage\hxxp_www.metrolyrics.com_0.localstorage-journal
[-] File Deleted : C:\Users\dweis\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.ask.com_0.localstorage
[-] File Deleted : C:\Users\dweis\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.ask.com_0.localstorage-journal
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Registry ] *****
 
[-] Key Deleted : HKCU\Software\YahooPartnerToolbar
 
***** [ Web browsers ] *****
 
[-] [C:\Users\dweis\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\dweis\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com
 
*************************
 
:: Winsock settings cleared
 
########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1524 bytes] ##########
 
Rkill
 
Rkill 2.8.2 by Lawrence Abrams (Grinler)
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 09/19/2015 03:27:24 PM in x86 mode.
Windows Version: Windows 7 Professional Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * C:\Windows\system32\srvany.exe (PID: 436) [WD-HEUR]
 * C:\Windows\KMService.exe (PID: 2784) [WD-HEUR]
 
2 proccesses terminated!
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * No issues found.
 
Checking Windows Service Integrity: 
 
 * No issues found.
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * HOSTS file entries found: 
 
  178.162.173.114 google.com
 
Program finished at: 09/19/2015 03:28:41 PM
Execution time: 0 hours(s), 1 minute(s), and 16 seconds(s)
 
MBAM
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 9/19/2015
Scan Time: 3:30 PM
Logfile: MBAM.txt
Administrator: Yes
 
Version: 2.1.8.1057
Malware Database: v2015.09.19.06
Rootkit Database: v2015.09.18.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: dweis
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 409295
Time Elapsed: 10 min, 32 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
Combofix
 
ComboFix 15-09-07.01 - dweis 09/19/2015  15:48:06.1.2 - x86
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3582.2428 [GMT -7:00]
Running from: c:\users\dweis\Desktop\Fix\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {B7ECF8CD-0188-6703-DBA4-AA65C6ACFB0A}
AV: Trend Micro Client/Server Security Agent Antivirus *Disabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
FW: Trend Micro Personal Firewall *Disabled* {70A91CD9-303D-A217-A80E-6DEE136EDB2B}
SP: Microsoft Security Essentials *Disabled/Updated* {0C8D1929-27B2-688D-E114-9117BD2BB1B7}
SP: Trend Micro Client/Server Security Agent Anti-spyware *Disabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\ntuser.pol
c:\windows\system32\AdobePDF.dll
c:\windows\system32\SET9585.tmp
c:\windows\system32\SETA1AA.tmp
c:\windows\system32\SETC0BD.tmp
c:\windows\system32\SETC136.tmp
.
.
(((((((((((((((((((((((((   Files Created from 2015-08-19 to 2015-09-19  )))))))))))))))))))))))))))))))
.
.
2015-09-19 22:53 . 2015-09-19 23:10 -------- d-----w- c:\users\dweis\AppData\Local\temp
2015-09-19 22:53 . 2015-09-19 22:53 -------- d-----w- c:\users\tjacquay\AppData\Local\temp
2015-09-19 22:53 . 2015-09-19 22:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2015-09-19 22:53 . 2015-09-19 22:53 -------- d-----w- c:\users\administrator\AppData\Local\temp
2015-09-19 22:44 . 2015-09-19 22:44 39168 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8AB1A45C-64E6-4E0A-8038-374028B501BE}\MpKsl6b379023.sys
2015-09-19 22:18 . 2015-09-19 22:22 -------- d-----w- C:\AdwCleaner
2015-09-19 18:20 . 2015-09-19 18:21 -------- d-----w- C:\FRST
2015-09-19 14:00 . 2015-08-31 23:05 8884144 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8AB1A45C-64E6-4E0A-8038-374028B501BE}\mpengine.dll
2015-09-18 23:28 . 2015-08-31 23:05 8884144 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2015-09-18 20:19 . 2015-09-18 20:58 -------- d-----w- C:\4a61582f
2015-09-18 20:18 . 2015-09-18 20:18 -------- d-----w- c:\users\dweis\AppData\Roaming\Firewall
2015-09-18 20:10 . 2015-07-01 22:12 912000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{72829B96-A288-4FC4-BB71-AF6F866B9F50}\gapaengine.dll
2015-09-09 17:24 . 2015-09-19 13:42 -------- d-----w- c:\users\dweis\AppData\Local\Citrix
2015-09-01 03:44 . 2009-08-20 06:50 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-09-19 22:41 . 2014-10-09 18:15 98520 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-07-05 10:11 . 2011-03-24 16:08 246952 ------w- c:\windows\system32\MpSigStub.exe
2015-07-04 17:48 . 2015-07-15 17:42 1414656 ----a-w- c:\windows\system32\ole32.dll
2015-07-03 17:57 . 2015-07-15 17:43 26624 ----a-w- c:\windows\system32\lpk.dll
2015-07-03 17:56 . 2015-07-15 17:43 70656 ----a-w- c:\windows\system32\fontsub.dll
2015-07-03 17:56 . 2015-07-15 17:43 10240 ----a-w- c:\windows\system32\dciman32.dll
2015-07-03 17:56 . 2015-07-15 17:43 34304 ----a-w- c:\windows\system32\atmlib.dll
2015-07-03 16:42 . 2015-07-15 17:43 299008 ----a-w- c:\windows\system32\atmfd.dll
2015-07-02 21:08 . 2015-07-15 17:43 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2015-07-01 22:12 . 2013-03-26 15:42 912000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2015-07-01 20:46 . 2015-07-15 17:43 67520 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2015-07-01 20:46 . 2015-07-15 17:43 137664 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2015-07-01 20:30 . 2015-07-15 17:43 172032 ----a-w- c:\windows\system32\wdigest.dll
2015-07-01 20:30 . 2015-07-15 17:43 65536 ----a-w- c:\windows\system32\TSpkg.dll
2015-07-01 20:30 . 2015-07-15 17:43 100352 ----a-w- c:\windows\system32\sspicli.dll
2015-07-01 20:30 . 2015-07-15 17:43 15872 ----a-w- c:\windows\system32\sspisrv.dll
2015-07-01 20:30 . 2015-07-15 17:43 248832 ----a-w- c:\windows\system32\schannel.dll
2015-07-01 20:30 . 2015-07-15 17:43 22016 ----a-w- c:\windows\system32\secur32.dll
2015-07-01 20:30 . 2015-07-15 17:43 655360 ----a-w- c:\windows\system32\rpcrt4.dll
2015-07-01 20:30 . 2015-07-15 17:43 221184 ----a-w- c:\windows\system32\ncrypt.dll
2015-07-01 20:30 . 2015-07-15 17:43 259584 ----a-w- c:\windows\system32\msv1_0.dll
2015-07-01 20:30 . 2015-07-15 17:43 1061376 ----a-w- c:\windows\system32\lsasrv.dll
2015-07-01 20:30 . 2015-07-15 17:43 552960 ----a-w- c:\windows\system32\kerberos.dll
2015-07-01 20:30 . 2015-07-15 17:43 36864 ----a-w- c:\windows\system32\cryptbase.dll
2015-07-01 20:30 . 2015-07-15 17:43 17408 ----a-w- c:\windows\system32\credssp.dll
2015-07-01 20:29 . 2015-07-15 17:43 22528 ----a-w- c:\windows\system32\lsass.exe
2015-07-01 20:29 . 2015-07-15 17:43 50176 ----a-w- c:\windows\system32\auditpol.exe
2015-07-01 20:27 . 2015-07-15 17:43 60416 ----a-w- c:\windows\system32\msobjs.dll
2015-07-01 20:26 . 2015-07-15 17:43 146432 ----a-w- c:\windows\system32\msaudite.dll
2015-07-01 20:24 . 2015-07-15 17:43 686080 ----a-w- c:\windows\system32\adtschema.dll
2015-07-01 19:18 . 2015-07-15 17:43 225792 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2015-07-01 19:18 . 2015-07-15 17:43 98304 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2015-07-01 19:18 . 2015-07-15 17:43 124416 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2015-06-27 01:58 . 2015-07-15 17:40 620032 ----a-w- c:\windows\system32\jscript9diag.dll
2015-06-27 01:39 . 2015-07-15 17:40 4520448 ----a-w- c:\windows\system32\jscript9.dll
2015-06-25 08:46 . 2015-07-15 17:41 2383872 ----a-w- c:\windows\system32\win32k.sys
2015-06-24 08:29 . 2015-06-24 08:29 1217192 ----a-w- c:\windows\system32\FM20.DLL
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2015-02-11 01:12 152544 ----a-w- c:\users\dweis\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2015-02-11 01:12 152544 ----a-w- c:\users\dweis\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2015-02-11 01:12 152544 ----a-w- c:\users\dweis\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2010-10-16 21:10 119664 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2010-10-16 21:10 119664 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AMD AVT"="start AMD Accelerated Video Transcoding device initialization" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-01-31 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-01-31 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-01-31 172568]
"IAStorIcon"="c:\program files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-05-26 1159168]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2008-12-24 114688]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2013-05-08 44128]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2013-05-08 642664]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-06-11 641704]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2015-04-30 981688]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2012-11-05 89184]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-09-14 59720]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2014-10-02 421888]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\spba]
2010-09-15 16:11 1971536 ----a-w- c:\program files\Common Files\SPBA\homefus2.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ   msv1_0 wvauth
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Akamai NetSession Interface]
2013-06-05 08:01 4489472 ----a-w- c:\users\dweis\AppData\Local\Akamai\netsession_win.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DBRMTray]
2010-02-04 23:22 7168 ----a-w- c:\dell\DBRM\Reminder\TrayApp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Desktop Disc Tool]
2010-11-17 15:35 514544 ----a-w- c:\program files\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeScanNT Monitor]
2010-06-25 18:13 1099088 ----a-w- c:\program files\Trend Micro\Client Server Security Agent\PccNTMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVD9LanguageShortcut]
2010-04-29 15:33 50472 ------w- c:\program files\CyberLink\PowerDVD9\Language\Language.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl9]
2009-07-06 19:22 87336 ------w- c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2010-11-25 10:33 240112 ----a-w- c:\program files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2009-06-22 22:57 1314816 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes Anti-Malware\mbamservice.exe [2015-06-18 1133880]
R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2015-06-19 102912]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2015-06-18 51928]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2015-03-05 95408]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2015-04-30 284504]
R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-07-16 1343400]
R4 svcGenericHost;Trend Micro Client/Server Security Agent;c:\program files\Trend Micro\Client Server Security Agent\HostedAgent\svcGenericHost.exe [2010-07-05 45056]
R4 TmPfw;Trend Micro Client/Server Security Agent Personal Firewall;c:\program files\Trend Micro\Client Server Security Agent\TmPfw.exe [2009-07-15 497008]
R4 TmProxy;Trend Micro Client/Server Security Agent Proxy Service;c:\program files\Trend Micro\Client Server Security Agent\TmProxy.exe [2009-07-15 689416]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S1 MpKsl6b379023;MpKsl6b379023;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8AB1A45C-64E6-4E0A-8038-374028B501BE}\MpKsl6b379023.sys [2015-09-19 39168]
S1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\DRIVERS\tmlwf.sys [2009-07-15 146448]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-06-11 217600]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336]
S2 KMService;KMService;c:\windows\system32\srvany.exe [2015-03-09 8192]
S2 TeamViewer9;TeamViewer 9;c:\program files\TeamViewer\Version9\TeamViewer_Service.exe [2015-04-09 5261584]
S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\Client Server Security Agent\TmXPFlt.sys [2010-05-11 230928]
S2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\Client Server Security Agent\TmPreFlt.sys [2010-05-11 36368]
S2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\DRIVERS\tmwfp.sys [2009-07-15 283152]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2012-02-23 86544]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [2010-04-06 224424]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2015-06-18 23256]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ   Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2015-09-19 c:\windows\Tasks\G2MUpdateTask-S-1-5-21-2105829065-2458452796-1885057702-1138.job
- c:\users\dweis\AppData\Local\Citrix\GoToMeeting\3499\g2mupdate.exe [2015-09-19 20:14]
.
2015-09-19 c:\windows\Tasks\G2MUploadTask-S-1-5-21-2105829065-2458452796-1885057702-1138.job
- c:\users\dweis\AppData\Local\Citrix\GoToMeeting\3499\g2mupload.exe [2015-09-19 20:14]
.
2015-09-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-25 08:03]
.
2015-09-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-25 08:03]
.
2015-09-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2105829065-2458452796-1885057702-1138Core.job
- c:\users\dweis\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-09 14:28]
.
2015-09-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2105829065-2458452796-1885057702-1138UA.job
- c:\users\dweis\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-09 14:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;<local>
IE: Append to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
TCP: Interfaces\{2584D92E-05A4-4E93-95F9-D4F850D762FF}: NameServer = 192.168.0.252
DPF: {F375116A-793C-11D2-BFE1-444553540001} - hxxp://mls.realist.com/mapviewer/mapviewer.cab
.
.
------- File Associations -------
.
.scr=DWGTrueViewScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
MSConfigStartUp-Messenger (Yahoo!) - c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(568)
c:\windows\system32\wvauth.DLL
.
- - - - - - - > 'Explorer.exe'(4044)
c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\KMService.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\atieclxx.exe
c:\program files\Common Files\SPBA\upeksvr.exe
c:\program files\Google\Update\1.3.28.15\GoogleCrashHandler.exe
c:\program files\TeamViewer\Version9\TeamViewer.exe
c:\windows\system32\taskhost.exe
c:\program files\TeamViewer\Version9\tv_w32.exe
c:\windows\system32\conhost.exe
.
**************************************************************************
.
Completion time: 2015-09-19  16:12:11 - machine was rebooted
ComboFix-quarantined-files.txt  2015-09-19 23:12
.
Pre-Run: 820,807,602,176 bytes free
Post-Run: 820,793,155,584 bytes free
.
- - End Of File - - 477314E9A1B43625BDDC9DF52C866402
CDB4DE4BBD714F152979DA2DCBEF57EB
 


#8 ericc92069

  • Topic Starter

Posted 20 September 2015 - 09:39 AM

How did these logs look?



#9 olgun52

  • Malware Response Team

Posted 21 September 2015 - 06:25 AM

How did these logs look?

 

As it does not appear to have worked, did you run the Trend Micro security agent Uninstall Tool?

 

========================

 

uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;<local>

 

Do you use a proxy, and did you make these proxy settings?


Edited by olgun52, 21 September 2015 - 06:36 AM.



#10 ericc92069

  • Topic Starter

Posted 21 September 2015 - 08:22 AM

I thought it worked the first time but I guess it didn't. When I ran it the first time the tool started right away and I restarted. When I ran as administrator this time, a folder called SA_Uninstall appears and I do not know how to start it manually. Can you advise?

 

 

I have no idea what proxy settings are. I did not make it, but maybe our IT guy did. Would you like me to get an answer to this question?



#11 olgun52

  • Malware Response Team

Posted 21 September 2015 - 08:40 AM

I thought it worked the first time but I guess it didn't. When I ran it the first time the tool started right away and I restarted. When I ran as administrator this time, a folder called SA_Uninstall appears and I do not know how to start it manually. Can you advise?

 

Yes, you must do that as well. Please uninstall.
 

I have no idea what proxy settings are. I did not make it, but maybe our IT guy did. Would you like me to get an answer to this question?

Yes please. Otherwise I will go.

 

If you did not set this proxy, remove it. (Check with your Internet Provider if not sure.)
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;<local>

In Internet Explorer go to Tools - Internet Options - Connections Tab - LAN Settings and remove the reference to 127.0.0.1:9421 if found, then uncheck "Use a proxy server" and check "Automatically detect settings".

If you use Firefox, go to Tools Menu > Options... > Advanced Tab > Network Tab > Connection > Settings. Select the "Auto-detect proxy settings for this network" option, or "No proxy" if you do not need it.



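The two residual findings in the logs above, the HOSTS line Rkill reported for google.com and the ProxyOverride value from the ComboFix log that olgun52 asks about, can be triaged with a small script rather than by eye. This is an added example, not code from the thread or from any of the tools it uses; the sample hosts text and the watch-list of domains are constructed for illustration, with the address and override string taken from the logs as posted.

```python
"""Triage helpers for two findings in the logs above (added example).

Constructed inputs: a hosts file containing the entry Rkill reported, and
the ProxyOverride string ComboFix listed. WATCH_DOMAINS is an assumed list
of public names that should never be pinned in a hosts file.
"""
import ipaddress
import re
from typing import List, Tuple

# Constructed sample hosts file: the Rkill finding plus ordinary lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#    127.0.0.1       localhost
178.162.173.114 google.com
::1             localhost
127.0.0.1       adserver.example   # ad-blocking style sink-hole entry
10.0.0.5        intranet.corp      # internal name, benign but worth a look
"""

# Constructed sample: the bypass list from the ComboFix log.
SAMPLE_PROXY_OVERRIDE = "*.local;127.0.0.1:9421;<local>"

# Assumed watch-list (not from the thread).
WATCH_DOMAINS = ("google.com", "microsoft.com", "malwarebytes.org")


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs; comments and blank lines are dropped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        pairs.extend((addr, n.lower()) for n in names)
    return pairs


def is_sinkhole(addr: str) -> bool:
    """Loopback or unspecified addresses only black-hole a name; they
    cannot redirect traffic to another machine."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def suspicious_hosts_entries(text: str, watch=WATCH_DOMAINS) -> List[Tuple[str, str, str]]:
    """Flag entries that redirect a name to a real address.

    A watched public domain pointed at a remote address is labelled
    'hijack' (the google.com line in the Rkill output is exactly this);
    any other non-sink-hole mapping is labelled 'review'.
    """
    findings = []
    for addr, name in parse_hosts(text):
        if is_sinkhole(addr):
            continue
        watched = any(name == d or name.endswith("." + d) for d in watch)
        findings.append((addr, name, "hijack" if watched else "review"))
    return findings


# host:port or ip:port tokens; bypass lists normally hold name patterns instead
_ENDPOINT = re.compile(r"^(?:\d{1,3}(?:\.\d{1,3}){3}|\[[0-9a-f:]+\]|[\w.-]+):\d+$", re.I)


def unusual_proxy_override_entries(override: str) -> List[str]:
    """Return ProxyOverride tokens that name a specific address:port.

    ProxyOverride is the list of patterns whose requests bypass the proxy.
    A bare loopback endpoint like 127.0.0.1:9421 is unusual there, which is
    why the thread asks the user to remove it if nobody can account for it.
    """
    tokens = [t.strip() for t in override.split(";") if t.strip()]
    return [t for t in tokens if t != "<local>" and _ENDPOINT.match(t)]


if __name__ == "__main__":
    for addr, name, label in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts  {label:6} {name} -> {addr}")
    for token in unusual_proxy_override_entries(SAMPLE_PROXY_OVERRIDE):
        print(f"proxy  review  bypass entry {token}")
```

On a live Windows 7 machine the hosts file is read from C:\Windows\System32\drivers\etc\hosts and the override string from the Internet Settings registry value; the script works on whatever text you hand it, so it can be run against copies collected from the affected PC.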

#12 ericc92069

  • Topic Starter

Posted 21 September 2015 - 08:40 AM

Oops. Sorry. I found it. Ran uninstall.bat as admin. Rebooted the PC. Checking on the other item now.


Edited by ericc92069, 21 September 2015 - 08:43 AM.


#13 ericc92069

  • Topic Starter

Posted 21 September 2015 - 08:45 AM

Ok I re-ran it. I went to Internet Explorer and it was checked "Automatically detect settings." The proxy server setting was not checked. I do not run Firefox, normally Google Chrome.


Edited by ericc92069, 21 September 2015 - 08:50 AM.


#14 olgun52

  • Malware Response Team

Posted 21 September 2015 - 09:08 AM

Nice, thank you.

 

Now restart and:

Please rerun ComboFix and post the log.




#15 ericc92069

  • Topic Starter

Posted 21 September 2015 - 10:55 AM

Will do. I cannot run it until later today but will get it done soon and post the log.





