
Infected with possible root kit. Can't open firefox. Various permissions issues.


16 replies to this topic

#1 blahfacemcgee


Posted 07 May 2016 - 12:47 PM

Hi guys, as the title says I think I've got some nasty infection. It started when I booted my machine. I'm pretty sure there was a "fake" startup screen. It had a logo along the lines of "American Megatrends". I've never seen it before. My firefox profile seems to be gone and I can't access a lot of folders/files. Some help would be greatly appreciated. Thanks.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:07-05-2016
Ran by Administrator (administrator) on PC1 (07-05-2016 18:38:04)
Running from C:\Users\Administrator\Maintenance
Loaded Profiles: Administrator (Available Profiles: Administrator)
Platform: Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) Language: English (United States)
Internet Explorer Version 9 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

 

==================== Registry (Whitelisted) ===========================

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{B8373335-FFC5-4EC0-9845-18A9B89B511E}: [DhcpNameServer] 192.168.1.254

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3063522253-3434549171-3434806113-500\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.ie
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.ie
HKU\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKU\S-1-5-21-3063522253-3434549171-3434806113-500 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab

FireFox:
========
FF ProfilePath: C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\0s8lfp3f.default
FF DefaultSearchEngine: Wikipedia (en)
FF Homepage: hxxps://encrypted.google.com
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_21_0_0_213.dll [2016-04-14] ()
FF Extension: No Name - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\0s8lfp3f.default\Extensions\firefox@ghostery.com.xpi [2016-01-26] [not signed]
FF Extension: No Name - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\0s8lfp3f.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-02-23] [not signed]

==================== Services (Whitelisted) ========================

===================== Drivers (Whitelisted) ==========================

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== Files in the root of some directories =======

2013-10-14 03:44 - 2013-10-14 03:44 - 2174976 _____ (Advanced Micro Devices Inc.) C:\Program Files\Common Files\atimpenc.dll
2011-09-06 19:45 - 2011-09-06 19:45 - 0000000 ____H () C:\Users\Administrator\AppData\Roaming\.6A7EF57C72B730B3.sys
2015-12-15 21:07 - 2015-12-15 21:07 - 0000033 _____ () C:\Users\Administrator\AppData\Roaming\.pgbias
2015-12-15 21:06 - 2015-12-15 21:06 - 0000030 _____ () C:\Users\Administrator\AppData\Roaming\.pgbiasfx
2015-12-15 21:08 - 2015-12-15 21:08 - 0000033 _____ () C:\Users\Administrator\AppData\Roaming\.pgbiaspedal
2016-01-19 16:18 - 2016-01-19 16:18 - 0000030 _____ () C:\Users\Administrator\AppData\Roaming\.pgfetcompressor
2016-01-19 16:19 - 2016-01-19 16:19 - 0000030 _____ () C:\Users\Administrator\AppData\Roaming\.pgopticalcompressor
2016-01-19 16:19 - 2016-01-19 16:19 - 0000030 _____ () C:\Users\Administrator\AppData\Roaming\.pgtubecompressor
2014-03-07 17:08 - 2016-05-07 18:11 - 0000016 _____ () C:\Users\Administrator\AppData\Roaming\msregsvv.dll
2015-04-08 15:51 - 2016-03-23 20:02 - 0028322 _____ () C:\Users\Administrator\AppData\Roaming\phpdesigner.xml
2013-01-29 23:10 - 2015-12-27 17:54 - 0001100 _____ () C:\Users\Administrator\AppData\Local\d3d8caps.dat
2009-06-22 18:12 - 2016-04-20 19:34 - 0002708 _____ () C:\Users\Administrator\AppData\Local\d3d9caps.dat
2009-06-22 21:08 - 2015-09-22 12:36 - 0044544 _____ () C:\Users\Administrator\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-12-03 16:19 - 2015-12-03 16:19 - 0000000 ___SH () C:\Users\Administrator\AppData\Local\LumaEmu
2015-02-16 19:30 - 2015-02-16 19:30 - 0000726 _____ () C:\Users\Administrator\AppData\Local\recently-used.xbel
2016-04-14 18:12 - 2016-04-14 18:15 - 0000024 _____ () C:\ProgramData\.DrumTools
2014-02-11 18:36 - 2016-05-07 18:11 - 0000016 _____ () C:\ProgramData\autobk.inc
2016-01-13 20:47 - 2016-01-13 20:47 - 0000016 _____ () C:\ProgramData\mntemp
2016-01-13 20:47 - 2016-01-13 20:47 - 0004136 _____ () C:\ProgramData\oqztiqep.adk
2016-01-13 21:26 - 2016-01-13 21:26 - 0004940 _____ () C:\ProgramData\rnoacixd.sew
2014-04-09 18:32 - 2014-04-09 18:32 - 0000004 _____ () C:\ProgramData\sysid100.dat

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

ATTENTION: ==> Could not access BCD.

LastRegBack: 2016-05-07 18:03

==================== End of FRST.txt ============================

#2 blahfacemcgee

  • Topic Starter

Posted 07 May 2016 - 03:10 PM

So I've run ComboFix and it hasn't helped. I've scanned the system with Malwarebytes and nothing has been found. Anyone have any ideas?



#3 olgun52

  • Malware Response Team

Posted 07 May 2016 - 09:30 PM

Hello blahfacemcgee and welcome to BleepingComputer.

My name is Yılmaz and I'll help you with the cleanup of malware from your computer.

Before we move on, please read the following points carefully.

  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • Ensure your external and/or USB drives are always inserted during the scan.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I will assume that you don't need help anymore and your topic will be closed.
  • If you have illegal/cracked software, cracks, keygens, etc. on the system, please remove or uninstall them now!
  • I cannot guarantee that we will find and be able to remove all malware. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
  • Please reply to this thread. Do not start a new topic.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
  • Please open the computer as administrator. How do I open the computer as administrator?
  • Disable your AntiVirus and AntiSpyware applications, as they will interfere with our tools and the removal. If you are unsure how to do this, please get help here.

Thanks

Scan with Zemana AntiMalware Free:

  • Turn off the real-time scanner of any existing antivirus and firewall programs while performing the scan.
  • Please download and install Zemana AntiMalware Free.
  • Double-click the software shortcut on the desktop and follow the prompts to install the program.
  • If an update is available, click the Update now button.
  • At the end, click Settings > Advanced > ''I have read the warning and wish to proceed anyway''.
  • Auto Launch > untick the box next to it.
  • Scan type > Smart scan (Default).
  • Close all open files, folders and browsers.
  • Click Scan now (''Run as Administrator'') and a threat scan will begin.
  • When the scan is complete, press Report and send me the report.
  • Please restart the PC now.

==========================================================================

How is the PC running now? Are there any issues? Are there still symptoms?

Have a nice day.

Best regards

#4 blahfacemcgee

  • Topic Starter

Posted 08 May 2016 - 08:35 AM

Hi Yilmaz,

Thanks for taking the time to help me. The setup for Zemana would not complete. I get an error "Setup was unable to create the directory........" "Error 5: Access is denied".




#5 blahfacemcgee

  • Topic Starter

Posted 08 May 2016 - 10:00 AM

OK, so I changed the permissions for the Temp folder and the Zemana setup error is gone, but it just hangs during the installation. I'm trying some other tools like AdwCleaner now.



#6 blahfacemcgee

  • Topic Starter

Posted 08 May 2016 - 11:32 AM

So AdwCleaner cleaned up a few reg files and now I can run Firefox. I'm still having little permissions issues here and there though. For example, I can't make Firefox my default browser. Also, some file associations are messed up and I can't change them etc.



#7 olgun52

  • Malware Response Team

Posted 08 May 2016 - 01:20 PM

Hi again,

Step 1:
FRST Script:
Please download the attached Fixlist.txt (3.52 KB) and save it in the same directory as FRST.

  • Close any open browsers or any other programs that are open
  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.

Step 2:
 Please download AdwCleaner by Xplode onto your desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete or Clean.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Step 3:
Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista / 7 / 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Step 4:

Please download ZHPcleaner to your desktop.

  • Double click on ZHPCleaner to run the tool.
  • If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click ZHPCleaner and select "Run as Administrator".
  • Please click the button shown in the screenshot (Ashampoo_Snap_20140819_13h09m50s_001__zp).
  • Then press the ''Repair'' button.
  • Browsers will automatically shut down.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.

Step 5:

  • Download Emsisoft Emergency Kit and save it to your desktop.
  • Double click on the EmsisoftEmergencyKit.exe icon, click Run then Extract
  • Double click the Start Emsisoft Emergency Kit icon that will appear after extraction
  • Click Yes to update the program
  • Once the update is completed click the Back button
  • Click on 2. Scan (not Quick Scan or Smart Scan)
  • Click Yes to detect Potentially Unwanted Programs (PUPs)
  • Patiently wait for the thorough scan to complete, this can be a lengthy process
  • Once completed click Quarantine selected objects (if computer is clean you will not have this option) then click OK
  • Click View Report
  • Attach the report to your reply
  • Close the program then click Close

Step 6:

Please scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer.
      Save it to your Desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your Desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under Scan Settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • A log file is created at C:\Program Files\ESET\EsetOnlineScanner\log.txt.

=========================================================================

How is the machine running now? Are there any issues? Please let me know.


Best regards

#8 blahfacemcgee

  • Topic Starter

Posted 08 May 2016 - 01:50 PM

Hi,

OK, I have done step 1. Here is the log. I'm now moving on to the other steps. Thanks.

Fix result of Farbar Recovery Scan Tool (x86) Version:07-05-2016
Ran by Administrator (2016-05-08 19:43:05) Run:1
Running from C:\Users\Administrator\Maintenance\FRST
Loaded Profiles: Administrator (Available Profiles: Administrator)
Boot Mode: Normal

==============================================

fixlist content:
*****************
start
HKLM\...\cmdfile\DefaultIcon: %SystemRoot%\System32\imageres.dll,-68 <===== ATTENTION
AlternateDataStreams: C:\Program Files\Common Files\microsoft shared:kbotXte4EPP2OMjxQb [2150]
AlternateDataStreams: C:\Program Files\Common Files\microsoft shared:n5FaSBz4xN0pojNcZL96rVRW7 [2134]
AlternateDataStreams: C:\Program Files\Common Files\System:1E5AqjMfciJapRchevGA [579]
AlternateDataStreams: C:\Program Files\Common Files\System:h1ZYBa5r7abdBfHegXp [2434]
Task: C:\Windows\Tasks\Uninstaller_SkipUac_Administrator.job => C:\Users\Administrator\Maintenance\IObit Uninstaller\IObitUninstaler.exe
ShortcutWithArgument: C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://encrypted.google.com
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3063522253-3434549171-3434806113-500\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKU\S-1-5-21-3063522253-3434549171-3434806113-500 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
FF ProfilePath: C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\0s8lfp3f.default
FF DefaultSearchEngine: Wikipedia (en)
FF Homepage: hxxps://encrypted.google.com
FF NetworkProxy: "type", 0
FF Extension: No Name - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\0s8lfp3f.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-02-23] [not signed]
09-06 19:45 - 2011-09-06 19:45 - 0000000 ____H () C:\Users\Administrator\AppData\Roaming\.6A7EF57C72B730B3.sys
2015-12-15 21:07 - 2015-12-15 21:07 - 0000033 _____ () C:\Users\Administrator\AppData\Roaming\.pgbias
2015-12-15 21:06 - 2015-12-15 21:06 - 0000030 _____ () C:\Users\Administrator\AppData\Roaming\.pgbiasfx
2015-12-15 21:08 - 2015-12-15 21:08 - 0000033 _____ () C:\Users\Administrator\AppData\Roaming\.pgbiaspedal
2016-01-19 16:18 - 2016-01-19 16:18 - 0000030 _____ () C:\Users\Administrator\AppData\Roaming\.pgfetcompressor
2016-01-19 16:19 - 2016-01-19 16:19 - 0000030 _____ () C:\Users\Administrator\AppData\Roaming\.pgopticalcompressor
2016-01-19 16:19 - 2016-01-19 16:19 - 0000030 _____ () C:\Users\Administrator\AppData\Roaming\.pgtubecompressor
2014-03-07 17:08 - 2016-05-07 18:11 - 0000016 _____ () C:\Users\Administrator\AppData\Roaming\msregsvv.dll
2015-04-08 15:51 - 2016-03-23 20:02 - 0028322 _____ () C:\Users\Administrator\AppData\Roaming\phpdesigner.xml
2013-01-29 23:10 - 2015-12-27 17:54 - 0001100 _____ () C:\Users\Administrator\AppData\Local\d3d8caps.dat
2009-06-22 18:12 - 2016-04-20 19:34 - 0002708 _____ () C:\Users\Administrator\AppData\Local\d3d9caps.dat
2009-06-22 21:08 - 2015-09-22 12:36 - 0044544 _____ () C:\Users\Administrator\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-12-03 16:19 - 2015-12-03 16:19 - 0000000 ___SH () C:\Users\Administrator\AppData\Local\LumaEmu
2015-02-16 19:30 - 2015-02-16 19:30 - 0000726 _____ () C:\Users\Administrator\AppData\Local\recently-used.xbel
C:\ProgramData\oqztiqep.adk
2016-01-13 21:26 - 2016-01-13 21:26 - 0004940 _____ () C:\ProgramData\rnoacixd.sew
end

*****************

HKLM\Software\Classes\cmdfile\DefaultIcon\\Default => value restored successfully
C:\Program Files\Common Files\microsoft shared => ":kbotXte4EPP2OMjxQb" ADS removed successfully..
C:\Program Files\Common Files\microsoft shared => ":n5FaSBz4xN0pojNcZL96rVRW7" ADS removed successfully..
C:\Program Files\Common Files\System => ":1E5AqjMfciJapRchevGA" ADS removed successfully..
C:\Program Files\Common Files\System => ":h1ZYBa5r7abdBfHegXp" ADS removed successfully..
C:\Windows\Tasks\Uninstaller_SkipUac_Administrator.job => moved successfully
C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk => Shortcut argument removed successfully..
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
"HKU\S-1-5-21-3063522253-3434549171-3434806113-500\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Search_URL => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKU\S-1-5-21-3063522253-3434549171-3434806113-500\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully.
"HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}" => key removed successfully.
HKCR\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} => key not found.
FF ProfilePath: C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\0s8lfp3f.default => FRST is scripted not to move this directory.
Firefox DefaultSearchEngine removed successfully.
Firefox "homepage" removed successfully.
Firefox Proxy settings were reset.
C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\0s8lfp3f.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi => moved successfully
09-06 19:45 - 2011-09-06 19:45 - 0000000 ____H () C:\Users\Administrator\AppData\Roaming\.6A7EF57C72B730B3.sys => Error: No automatic fix found for this entry.
C:\Users\Administrator\AppData\Roaming\.pgbias => moved successfully
C:\Users\Administrator\AppData\Roaming\.pgbiasfx => moved successfully
C:\Users\Administrator\AppData\Roaming\.pgbiaspedal => moved successfully
C:\Users\Administrator\AppData\Roaming\.pgfetcompressor => moved successfully
C:\Users\Administrator\AppData\Roaming\.pgopticalcompressor => moved successfully
C:\Users\Administrator\AppData\Roaming\.pgtubecompressor => moved successfully
C:\Users\Administrator\AppData\Roaming\msregsvv.dll => moved successfully
C:\Users\Administrator\AppData\Roaming\phpdesigner.xml => moved successfully
C:\Users\Administrator\AppData\Local\d3d8caps.dat => moved successfully
C:\Users\Administrator\AppData\Local\d3d9caps.dat => moved successfully
C:\Users\Administrator\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini => moved successfully
C:\Users\Administrator\AppData\Local\LumaEmu => moved successfully
C:\Users\Administrator\AppData\Local\recently-used.xbel => moved successfully
C:\ProgramData\oqztiqep.adk => moved successfully
C:\ProgramData\rnoacixd.sew => moved successfully

==== End of Fixlog 19:43:06 ====



#9 blahfacemcgee

  • Topic Starter

Posted 08 May 2016 - 01:52 PM

AdwCleaner found nothing. Here's the log.


# AdwCleaner v5.115 - Logfile created 08/05/2016 at 19:50:56
# Updated 01/05/2016 by Xplode
# Database : 2016-05-08.4 [Server]
# Operating system : Windows Vista ™ Home Premium Service Pack 2 (X86)
# Username : Administrator - PC1
# Running from : C:\Users\Administrator\Maintenance\AdwCleaner.exe
# Option : Scan
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****


***** [ Files ] *****


***** [ DLL ] *****


***** [ WMI ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****


***** [ Web browsers ] *****


*************************

C:\AdwCleaner\AdwCleaner[S1].txt - [662 bytes] - [08/05/2016 19:50:56]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [734 bytes] ##########



#10 blahfacemcgee

  • Topic Starter

Posted 08 May 2016 - 02:08 PM

Here is the JRT log.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.6 (04.25.2016)
Operating System: Windows Vista ™ Home Premium x86
Ran by Administrator (Limited) on 08/05/2016 at 20:03:48.56
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 1

Successfully deleted: C:\Users\Administrator\AppData\Roaming\productdata (Folder)



Registry: 1

Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\Search\\SearchAssistant (Registry Value)




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 08/05/2016 at 20:06:42.82
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#11 blahfacemcgee

  • Topic Starter

Posted 08 May 2016 - 02:20 PM

Here is the ZHPcleaner log.

~ ZHPCleaner v2016.5.6.63 by Nicolas Coolman (2016/05/06)
~ Run by Administrator (Administrator)  (08/05/2016 20:18:32)
~ Site : http://www.nicolascoolman.com
~ Facebook : https://www.facebook.com/nicolascoolman1
~ State version : Version OK
~ Type : Repair
~ Report : C:\Users\Administrator\Desktop\ZHPCleaner.txt
~ Quarantine : C:\Users\Administrator\AppData\Roaming\ZHP\ZHPCleaner_Quarantine.txt
~ UAC : Deactivate
~ Boot Mode : Normal (Normal boot)
Windows VISTA, 32-bit Service Pack 2 (Build 6002)


---\\  Services (0)
~ No malicious or unnecessary items found.


---\\  Browser internet (0)
~ No malicious or unnecessary items found.


---\\  Hosts file (1)
~ The hosts file is legitimate (1)


---\\  Scheduled automatic tasks. (0)
~ No malicious or unnecessary items found.


---\\  Explorer ( File, Folder) (0)
~ No malicious or unnecessary items found.


---\\  Registry ( Key, Value, Data) (1)
DELETED key*: HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A} [C:\Program Files\Ask.com\ (Not File)]  =>Toolbar.Ask


---\\  Summary of the elements found (1)



---\\  Other deletions. (2)
~ Registry Keys Tracing deleted (2)
~ Remove the old reports ZHPCleaner. (0)


---\\ Result of repair
~ Repair carried out successfully
~ Browser not found (Google Chrome)


---\\ Statistics
~ Items scanned : 650
~ Items found : 0
~ Items cancelled : 0
~ Items repaired : 1


~ End of clean in 00h00mn15s
~====================
ZHPCleaner-[R]-08052016-20_18_47.txt
ZHPCleaner-[S]-08052016-20_17_40.txt



#12 blahfacemcgee

  • Topic Starter

Posted 08 May 2016 - 02:23 PM

The EEK needs Windows 7 or higher.



#13 olgun52

  • Malware Response Team

Posted 08 May 2016 - 02:56 PM

The EEK needs Windows 7 or higher.

Instead, you can run ComboFix.

ComboFix run:

Please be sure to run our tools with administrator rights.

* IMPORTANT 1: Place ComboFix.exe on your Desktop

* IMPORTANT 2: Ensure your external and/or USB drives are inserted during the scan

Next, download ComboFix and save it to the Desktop.

  • Disable all antivirus and antispyware programs. Get help here
  • Now, close all open windows
  • Double-click combofix.exe to run the program
  • Follow the prompts.
  • If the option is offered, it is in your best interest to allow the download and install of the Recovery Console when prompted.
  • When told that the RC is installed correctly, press YES to continue scanning for malware.
  • ComboFix will run. Please don't click on the window while the program is running, it may cause your system to stall.
  • CF may reboot the computer and resume running when it restarts.
  • When finished, a log, ComboFix.txt, is produced.

Please provide the contents of the ComboFix report in your reply.

Have a nice day.


Best regards

#14 blahfacemcgee

  • Topic Starter

Posted 08 May 2016 - 04:15 PM

Just waiting on the ESET scan. It's taking a long time.



#15 blahfacemcgee

  • Topic Starter

Posted 08 May 2016 - 05:42 PM

OK, here is the ESET log.

C:\Program Files\uTorrent\uTorrent.exe    a variant of Win32/Bunndle potentially unsafe application

And here is the ComboFix log.

ComboFix 16-04-29.01 - Administrator 08/05/2016  23:16:14.1.4 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.353.1033.18.3070.2579 [GMT 1:00]
Running from: C:\Users\Administrator\Desktop\ComboFix.exe
 * Created a new restore point

    /wow section - STAGE 48

    /wow section - STAGE 50


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Windows\system32\msvcsv60.dll


(((((((((((((((((((((((((   Files Created from 2016-04-08 to 2016-05-08  )))))))))))))))))))))))))))))))


2016-05-08 22:28:26 . 2016-05-08 22:28:26    --------    d-----w-    C:\Users\Administrator\AppData\Local\Temp
2016-05-08 22:25:29 . 2016-05-08 22:25:29    --------    d-----w-    C:\Users\Public\AppData\Local\temp
2016-05-08 22:25:29 . 2016-05-08 22:25:29    --------    d-----w-    C:\Users\Default\AppData\Local\temp
2016-05-08 19:24:05 . 2016-05-08 19:24:05    --------    d-----w-    C:\Users\Administrator\AppData\Roaming\ProductData
2016-05-08 19:23:54 . 2016-05-08 19:23:55    --------    d-----w-    C:\ProgramData\ProductData
2016-05-08 19:09:30 . 2016-05-08 19:18:47    --------    d-----w-    C:\Users\Administrator\AppData\Roaming\ZHP
2016-05-08 18:53:07 . 2016-05-08 18:53:07    --------    d-----w-    C:\Windows\Installer
2016-05-08 18:42:52 . 2016-05-08 18:43:06    --------    d-----w-    C:\FRST
2016-05-08 17:07:55 . 2016-05-08 17:07:55    --------    d-----w-    C:\Program Files\ESET
2016-05-07 15:33:01 . 2016-05-07 17:17:18    24688    ----a-w-    C:\Windows\system32\drivers\TrueSight.sys
2016-05-04 18:04:10 . 2016-05-04 18:04:10    --------    d-----w-    C:\ProgramData\Freemake
2016-05-04 16:24:42 . 2016-05-04 16:37:38    --------    d-----w-    C:\Users\Administrator\AppData\Roaming\ssd_sampler
2016-05-04 16:19:50 . 2016-05-04 16:19:50    --------    d-----w-    C:\ProgramData\Steven Slate Drums
2016-05-01 17:21:45 . 2016-05-01 17:21:45    --------    d-----w-    C:\Program Files\AIR Music Technology
2016-05-01 17:17:24 . 2016-05-03 22:30:06    --------    d-----w-    C:\ProgramData\SONiVOX
2016-04-10 22:56:03 . 2016-04-24 17:31:26    --------    d-----w-    C:\ProgramData\Package Cache
.


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2016-05-08 19:08:58 . 2013-06-17 12:47:53    89680    ----a-w-    C:\Users\Administrator\MSSSerif120.fon
2016-05-08 14:12:15 . 2016-02-10 17:37:16    170200    ----a-w-    C:\Windows\system32\drivers\MBAMSwissArmy.sys
2016-04-14 15:35:22 . 2015-10-01 19:34:26    797376    ----a-w-    C:\Windows\system32\FlashPlayerApp.exe
2016-04-14 15:35:22 . 2015-10-01 19:34:25    142528    ----a-w-    C:\Windows\system32\FlashPlayerCPLApp.cpl
2016-04-02 14:32:09 . 2013-08-08 15:04:56    95808    ----a-w-    C:\Windows\system32\WindowsAccessBridge.dll
2013-10-14 02:44:12 . 2013-10-14 02:44:12    2174976    ----a-w-    C:\Program Files\Common Files\atimpenc.dll


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HijackThis startup scan"="C:\Users\Administrator\Maintenance\HiJack This\HijackThis.exe" [2016-03-12 17:10:01 388608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi10"=vmcmidiport.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0OODBS\0sdnclean.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3063522253-3434549171-3434806113-1000]
"EnableNotificationsRef"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3063522253-3434549171-3434806113-500]
"EnableNotificationsRef"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation    REG_MULTI_SZ       FontCache

Contents of the 'Scheduled Tasks' folder

2016-05-08 C:\Windows\Tasks\Uninstaller_SkipUac_Administrator.job
- C:\Users\Administrator\Maintenance\IObit Uninstaller\IObitUninstaler.exe [2015-12-09 18:08:23 . 2015-10-20 17:29:58]


------- Supplementary Scan -------

uStart Page = hxxp://www.google.ie
mStart Page = hxxp://www.google.ie
Trusted Zone: localhost
Trusted Zone: premierleague.com\fantasy
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\0s8lfp3f.default\
FF - prefs.js: browser.startup.homepage - hxxps://encrypted.google.com/

- - - - ORPHANS REMOVED - - - -

SafeBoot-MBAMSwissArmy
SafeBoot-WudfPf
SafeBoot-WudfRd



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2016-05-08 23:30:35
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (Administrator)

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (Administrator)
"Timestamp"=hex:75,c8,cc,be,00,c0,cc,01

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d8,32,44,81,c2,46,ab,47,89,19,82,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2c,60,f5,27,5f,5e,89,49,a6,2e,77,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2c,60,f5,27,5f,5e,89,49,a6,2e,77,\

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ac3\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\smplayer.exe"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ape\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.arff\UserChoice]
@Denied: (2) (Administrator)
"Progid"="ARFFDataFile"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bin\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Paint.Picture"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cbr\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\cdisplayex.exe"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cda\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\smplayer.exe"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.css\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\Notepad.exe"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cue\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\notepad.exe"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dat\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.divx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dv\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dvr-ms\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.f4v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.FLAC\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flv\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hdmov\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iso\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.java\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\eclipse.exe"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jc!\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\smplayer.exe"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.js\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\phpDesigner.exe"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2t\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2ts\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2V\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u8\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M4A\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\smplayer.exe"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.MHT"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.MHT"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mkv\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MOV\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MP4\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mqv\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nfo\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\notepad.exe"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nsv\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.odt\UserChoice]
@Denied: (2) (Administrator)
"Progid"="LibreOffice.WriterDocument.1"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.OGG\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogv\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.php\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\phpDesigner.exe"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ra\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ram\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rec\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmvb\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shn\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\smplayer.exe"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.swf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tgz\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WinRAR"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.thd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ts\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.umx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\Audition.exe"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.url\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.URL"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vfw\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.VOB\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vp8\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.webm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\vlc.exe"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPlayerFileVideo"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9AE6504D-80D9-46BF-AA9F-7219B8C0C0B4}*]
"jamifghnenklmablecjj"=hex:68,62,6d,69,6d,66,70,6a,67,70,6d,63,62,64,6e,6b,6f,
   63,67,67,69,6e,69,6f,67,63,6e,61,61,68,65,6e,6c,67,61,6f,70,6d,6f,66,6c,65,\
"jamifgnnhjdafkklehfe"=hex:65,61,63,65,66,66,68,67,66,6c,00,00

[HKEY_USERS\S-1-5-21-3063522253-3434549171-3434806113-500\Software\SecuROM\License information*]
"datasecu"=hex:5d,22,22,38,00,20,f1,4e,f8,e3,78,98,6c,c2,d7,b6,8d,c6,97,fb,15,
   e6,af,8c,ec,e1,66,fc,48,8a,59,6e,85,7c,90,65,ae,fa,18,3f,7f,34,c3,d8,dd,d5,\
"rkeysecu"=hex:79,9e,c4,01,ea,46,1f,3a,a5,1f,b2,61,cb,17,c8,69

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System*]

------------------------ Other Running Processes ------------------------

C:\\?\C:\Windows\system32\wbem\WMIADAP.EXE

**************************************************************************

Completion time: 2016-05-08  23:35:43 - machine was rebooted
ComboFix-quarantined-files.txt  2016-05-08 22:35:40

Pre-Run: 169,290,727,424 bytes free
Post-Run: 169,237,024,768 bytes free

- - End Of File - - 6EE868ED5C293917762D8B71828D1913
5C616939100B85E558DA92B899A0FC36
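The ComboFix output above contains a few settings that are worth confirming before the machine is declared clean: EnableLUA=0 (UAC switched off), the Security Center AntiVirusOverride/AntiSpywareOverride values set to 1 (which suppress protection-status alerts), two BootExecute entries beyond the default autochk, and an autostart under HKCU\...\Run. The script below is an added example of how to triage the "Reg Loading Points" block of such a log mechanically; it is not part of the original post, of ComboFix, or of BleepingComputer's procedure. The embedded sample is a constructed excerpt of the block shown above, and the check list and severity labels are the example's own assumptions, not ComboFix classifications. Entries it reports as "to verify" are not asserted to be malicious.

```python
"""Triage helper for the 'Reg Loading Points' block of a ComboFix log.

Added example, not from the thread or from ComboFix. Parses the
REGEDIT4-style block ComboFix prints and flags settings an analyst
would want to verify. Severity labels are this example's assumption.
"""
import re

# Constructed sample: excerpt of the Reg Loading Points block above.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HijackThis startup scan"="C:\Users\Administrator\Maintenance\HiJack This\HijackThis.exe" [2016-03-12 17:10:01 388608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0OODBS\0sdnclean.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
QUOTED_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')          # "Name"=value
TYPED_RE = re.compile(r"^(\S+)\s+REG_[A-Z_]+\s+(.*)$")      # Name REG_TYPE value

# ComboFix prints the Windows default as a single entry; anything else is extra.
DEFAULT_BOOTEXECUTE = "autocheck autochk *"


def parse_reg_points(text):
    """Return {lower-cased key path: [(value name, raw value), ...]}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4" or line.startswith("*Note*"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, [])
            continue
        if current is None:
            continue
        m = QUOTED_RE.match(line) or TYPED_RE.match(line)
        if m:
            keys[current].append((m.group(1), m.group(2).strip()))
    return keys


def reg_int(value):
    """Decode the integer forms ComboFix prints: 'dword:00000001' or '0 (0x0)'."""
    m = re.match(r"^dword:([0-9a-fA-F]{8})$", value)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"^(\d+)\b", value)
    return int(m.group(1)) if m else None


def triage(keys):
    """Return [(severity, message)] for settings that merit a second look."""
    findings = []
    for key, values in keys.items():
        for name, value in values:
            lname = name.lower()
            if key.endswith(r"policies\system") and lname == "enablelua" and reg_int(value) == 0:
                findings.append(("high", "UAC disabled: EnableLUA=0"))
            elif (key.endswith(r"security center\svc")
                  and lname in ("antivirusoverride", "antispywareoverride")
                  and reg_int(value) == 1):
                findings.append(("medium", f"Security Center {name}=1 suppresses protection-status alerts"))
            elif lname == "bootexecute":
                # The log shows the REG_MULTI_SZ separator as a literal "\0".
                for entry in value.split(r"\0"):
                    entry = entry.strip()
                    if entry and entry != DEFAULT_BOOTEXECUTE:
                        findings.append(("info", f"Non-default BootExecute entry to verify: {entry}"))
            elif key.endswith(r"\run"):
                exe = value.split('" [')[0].strip('"')
                findings.append(("info", f"Autostart to verify: {name} -> {exe}"))
    return findings


def triage_log(text):
    """Convenience wrapper: parse and triage a log block in one call."""
    return triage(parse_reg_points(text))


if __name__ == "__main__":
    for severity, message in triage_log(SAMPLE_LOG):
        print(f"[{severity:6}] {message}")
```

Run it on the whole ComboFix log if you like: everything outside the bracketed key sections is ignored, so only the registry block is evaluated. The default BootExecute string is compared exactly, so a defragmenter's boot-time job or a cleaner left behind by another tool shows up as "to verify" rather than being silently accepted.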