
Trojan.DNSchanger-codec & (possibly) win32.dll issues/trojanpatched?


  • This topic is locked
12 replies to this topic

#1 coult

coult

  • Members
  • 7 posts
  • OFFLINE
  • Gender:Male
  • Location:Austin, TX
  • Local time:03:25 AM

Posted 08 July 2016 - 09:21 AM

Full disclosure - before registering/joining, I ran Mbam, SuperAntiSpyware, JRT, AdwCleaner, FSS and MiniToolBox on my own: In safe mode I checked Mbam PUP/PUM-treat as malware, and ran threat scan... no malware found. Then ran SuperAntiSpy which found and removed Trojan.DNSchanger-codec. Restart and ran JunkRemovalTool and AdwCleaner in safe mode. Then, after running FSS and MTB, I ran a HitmanPro scan (unable to connect to any on-line scanner - DNS still jacked up) which revealed threat "user32.dllWRP"... BUT I did NOT take ANY action. Messing with Win32 is over my head, besides I believe HitmanPro is known for false-positives... I also scanned (BUT did NOT execute) TDSS & RogueKiller... again, NO action taken but I could forward snap-shots of resulting TDSS & Rkill scan detections.

 

I've always resolved past infections/issues on my own and never thought I'd be on here... so I apologize in advance for opening up the hood before asking for help:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 02-07-2016
Ran by Coult (administrator) on COULT-PC (08-07-2016 09:02:44)
Running from C:\Users\Coult\Desktop\Security Tools
Loaded Profiles: Coult (Available Profiles: Coult)
Platform: Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) Language: English (United States)
Internet Explorer Version 9 (Default browser: FF)
Boot Mode: Safe Mode (with Networking)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Apoint] => C:\Program Files\Apoint\Apoint.exe [118784 2007-06-08] (Alps Electric Co., Ltd.)
HKLM\...\Run: [] => [X]
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2014-10-11] (Apple Inc.)
Winlogon\Notify\VESWinlogon: C:\Windows\system32\VESWinlogon.dll [2007-07-24] (Sony Corporation)
HKU\S-1-5-21-2928429055-1840525401-3513896323-1002\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [6602152 2015-11-16] (Piriform Ltd)
HKU\S-1-5-21-2928429055-1840525401-3513896323-1002\...\Policies\system: [RunLogonScriptSync] 0
HKU\S-1-5-21-2928429055-1840525401-3513896323-1002\...\Policies\Explorer: [NoInternetOpenWith] 1
HKU\S-1-5-21-2928429055-1840525401-3513896323-1002\...\Policies\Explorer: [DisableThumbnailsOnNetworkFolders] 1
HKU\S-1-5-21-2928429055-1840525401-3513896323-1002\...\MountPoints2: {4604742a-0143-11dd-8614-001a8049fa0a} - G:\LapNetWizard.exe
ShellIconOverlayIdentifiers: [  GoogleDriveBlacklisted] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42} => C:\Program Files\Google\Drive\googledrivesync32.dll [2016-05-17] (Google)
ShellIconOverlayIdentifiers: [  GoogleDriveSynced] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40} => C:\Program Files\Google\Drive\googledrivesync32.dll [2016-05-17] (Google)
ShellIconOverlayIdentifiers: [  GoogleDriveSyncing] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41} => C:\Program Files\Google\Drive\googledrivesync32.dll [2016-05-17] (Google)
ShellIconOverlayIdentifiers: ["DropboxExt1"] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Coult\AppData\Roaming\Dropbox\bin\DropboxExt.34.dll [2016-06-13] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt2"] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Coult\AppData\Roaming\Dropbox\bin\DropboxExt.34.dll [2016-06-13] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt3"] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Coult\AppData\Roaming\Dropbox\bin\DropboxExt.34.dll [2016-06-13] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt4"] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Coult\AppData\Roaming\Dropbox\bin\DropboxExt.34.dll [2016-06-13] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt5"] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Coult\AppData\Roaming\Dropbox\bin\DropboxExt.34.dll [2016-06-13] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt6"] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Coult\AppData\Roaming\Dropbox\bin\DropboxExt.34.dll [2016-06-13] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt7"] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Coult\AppData\Roaming\Dropbox\bin\DropboxExt.34.dll [2016-06-13] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt8"] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Coult\AppData\Roaming\Dropbox\bin\DropboxExt.34.dll [2016-06-13] (Dropbox, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Winsock: Catalog5 08 C:\Program Files\Bonjour\mdnsNSP.dll [121704 2011-08-31] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 209.18.47.62 209.18.47.61
Tcpip\..\Interfaces\{00225D52-4952-4785-A3BC-A28E22B0D9AA}: [DhcpNameServer] 209.18.47.62 209.18.47.61
Tcpip\..\Interfaces\{F3190096-33E1-494F-8233-2FE9ECE13E18}: [DhcpNameServer] 209.18.47.62 209.18.47.61

Internet Explorer:
==================
HKU\S-1-5-21-2928429055-1840525401-3513896323-1002\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://my.yahoo.com/
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.sony.com/vaiopeople
HKU\S-1-5-21-2928429055-1840525401-3513896323-1002\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.google.co
HKU\S-1-5-21-2928429055-1840525401-3513896323-1002\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://my.yahoo.com/
URLSearchHook: HKU\S-1-5-21-2928429055-1840525401-3513896323-1002 - (No Name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} -  No File
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\.DEFAULT -> {CCC7A320-B3CA-4199-B1A6-9F516DD69829} URL = hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg-chrome&type=yahoo_avg_hs2-tb-web_chrome_us&p={searchTerms}
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2928429055-1840525401-3513896323-1002 -> {53BFF0E7-22E5-408D-9A10-3166A02BDDBB} URL = hxxp://search.microsoft.com/results.aspx?mkt=en-US&setlang=en-US&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2928429055-1840525401-3513896323-1002 -> {8035D3B3-D05C-4EF8-B8D8-0428E1AA43D0} URL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
SearchScopes: HKU\S-1-5-21-2928429055-1840525401-3513896323-1002 -> {E063D3E4-FE6B-43B6-AF5A-DEE483A52368} URL = hxxp://asp.usatoday.com/search/yahoo/search.aspx?qt=both&nr=5&kw={searchTerms}
SearchScopes: HKU\S-1-5-21-2928429055-1840525401-3513896323-1002 -> {E866323A-6D8D-4DA2-B823-2C000A7527C1} URL = hxxp://search.about.com/fullsearch.htm?terms={searchTerms}
BHO: Adobe PDF Reader Link Helper -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2012-01-03] (Adobe Systems Incorporated)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-08-18] (Microsoft Corporation)
BHO: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2007-05-11] (Adobe Systems Incorporated)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
Toolbar: HKLM - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2007-05-11] (Adobe Systems Incorporated)
Toolbar: HKU\S-1-5-21-2928429055-1840525401-3513896323-1002 -> Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2007-05-11] (Adobe Systems Incorporated)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0009-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C}

FireFox:
========
FF ProfilePath: C:\Users\Coult\AppData\Roaming\Mozilla\Firefox\Profiles\tmrv06ad.default-1429694410702
FF DefaultSearchEngine: Google
FF DefaultSearchEngine.US: Google
FF Homepage: hxxps://www.google.com/
hxxps://www.yahoo.com/
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_21_0_0_242.dll [2016-05-12] ()
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll [2014-02-18] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-12] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeLive,version=1.5 -> C:\Program Files\Microsoft\Office Live\npOLW.dll [2010-04-26] (Microsoft Corp.)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~3\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-30] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-11] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-11] (Google Inc.)
FF Plugin HKU\S-1-5-21-2928429055-1840525401-3513896323-1002: @citrixonline.com/appdetectorplugin -> C:\Users\Coult\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2016-05-02] (Citrix Online)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\np-mswmp.dll [2007-04-10] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\NPOFF12.DLL [2006-10-26] (Microsoft Corporation)
FF Extension: Flashblock - C:\Users\Coult\AppData\Roaming\Mozilla\Firefox\Profiles\tmrv06ad.default-1429694410702\Extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a} [2016-06-30]
FF Extension: NoScript - C:\Users\Coult\AppData\Roaming\Mozilla\Firefox\Profiles\tmrv06ad.default-1429694410702\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2016-06-30]
FF Extension: Adblock Plus - C:\Users\Coult\AppData\Roaming\Mozilla\Firefox\Profiles\tmrv06ad.default-1429694410702\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-04-28]
FF Extension: Bitdefender QuickScan - C:\Users\Coult\AppData\Roaming\Mozilla\Firefox\Profiles\tmrv06ad.default-1429694410702\Extensions\{e001c731-5e37-4538-a5cb-8168736a2360} [2016-06-29]
FF Extension: No Name - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} [2016-07-05] [not signed]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-07-01] [not signed]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [142648 2014-07-22] (SUPERAntiSpyware.com)
S2 AVGIDSAgent; C:\Program Files\AVG\AVG2015\avgidsagent.exe [3647384 2016-04-21] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files\AVG\AVG2015\avgwdsvc.exe [336152 2016-04-21] (AVG Technologies CZ, s.r.o.)
S3 FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [654848 2008-07-28] (Macrovision Europe Ltd.) [File not signed]
S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [69632 2005-11-14] (Macrovision Corporation) [File not signed]
S2 KjsUpdateService2; C:\Program Files\Common Files\AppLifeUpdateService2\kjsausvc.exe [12800 2011-08-02] (Kinetic Jump Software, LLC) [File not signed]
S3 MSCSPTISRV; C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe [45056 2006-12-14] (Sony Corporation) [File not signed]
S2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [44032 2008-07-18] (Hewlett-Packard) [File not signed]
S3 PACSPTISVR; C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe [57344 2006-12-14] () [File not signed]
S3 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [53760 2008-07-18] (Hewlett-Packard) [File not signed]
S2 rsEngineSvc; C:\Program Files\Reason\Security\rsEngineSvc.exe [80144 2015-08-12] (Reason Software Company Inc.)
S3 SeagateDashboardService; C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe [14088 2011-06-01] (Memeo)
S3 SPTISRV; C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe [69632 2006-12-14] (Sony Corporation) [File not signed]
S2 STacSV; C:\Windows\system32\stacsv.exe [94208 2007-06-12] (SigmaTel, Inc.)
S2 VAIO Event Service; C:\Program Files\Sony\VAIO Event Service\VESMgr.exe [182392 2007-07-24] (Sony Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-19] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S1 Avgdiskx; C:\Windows\System32\DRIVERS\avgdiskx.sys [132576 2015-03-11] (AVG Technologies CZ, s.r.o.)
S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [252336 2015-12-16] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [223152 2016-01-13] (AVG Technologies CZ, s.r.o.)
S1 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [31664 2015-11-25] (AVG Technologies CZ, s.r.o.)
S1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [234416 2015-12-16] (AVG Technologies CZ, s.r.o.)
S0 Avglogx; C:\Windows\System32\DRIVERS\avglogx.sys [290272 2015-05-07] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [193456 2016-01-22] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [35808 2015-03-20] (AVG Technologies CZ, s.r.o.)
R1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [230832 2015-08-04] (AVG Technologies CZ, s.r.o.)
R1 Cdr4_xp; C:\Windows\system32\Drivers\Cdr4_xp.sys [9336 2007-06-14] (Sonic Solutions)
R1 Cdralw2k; C:\Windows\system32\Drivers\Cdralw2k.sys [9464 2007-06-14] (Sonic Solutions)
S3 Dot4Scan; C:\Windows\System32\DRIVERS\Dot4Scan.sys [10752 2008-01-19] (Microsoft Corporation)
S3 HPFXBULK; C:\Windows\System32\drivers\hpfxbulk.sys [9344 2007-06-20] (Hewlett Packard)
S3 reparse; C:\Windows\System32\DRIVERS\cbreparse.sys [444968 2011-10-25] (COMODO Security Solutions Inc.)
S1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 SonyImgF; C:\Windows\System32\DRIVERS\SonyImgF.sys [31104 2007-04-05] (Sony Corporation) [File not signed]
S3 STHDA; C:\Windows\System32\drivers\stwrt.sys [326656 2007-06-12] (SigmaTel, Inc.)
S3 ti21sony; C:\Windows\System32\drivers\ti21sony.sys [812544 2007-06-05] (Texas Instruments)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [24688 2016-07-07] ()
S4 blbdrive; no ImagePath
S3 btwaudio; no ImagePath
S3 btwavdt; no ImagePath
S3 btwl2cap; no ImagePath
S3 btwrchid; no ImagePath
S3 HTCAND32; System32\Drivers\ANDROIDUSB.sys [X]
S3 IpInIp; no ImagePath
S3 NwlnkFlt; no ImagePath
S3 NwlnkFwd; no ImagePath
S4 UIUSys; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-07-08 09:02 - 2016-07-08 09:02 - 00000000 ____D C:\FRST
2016-07-07 03:27 - 2016-07-07 03:27 - 00024688 _____ C:\Windows\system32\Drivers\TrueSight.sys
2016-07-07 03:26 - 2016-07-07 03:26 - 00000000 ____D C:\ProgramData\RogueKiller
2016-07-07 03:19 - 2016-07-08 01:23 - 00403314 _____ C:\TDSSKiller.3.1.0.9_07.07.2016_03.19.08_log.txt
2016-07-07 03:18 - 2016-07-07 03:19 - 00005300 _____ C:\TDSSKiller.3.1.0.9_07.07.2016_03.18.51_log.txt
2016-07-07 00:58 - 2016-07-07 00:59 - 00001248 _____ C:\Users\Coult\Desktop\FixExec.txt
2016-07-07 00:20 - 2016-07-08 09:02 - 00000000 ____D C:\Users\Coult\Desktop\Security Tools
2016-07-06 23:29 - 2016-07-06 23:29 - 00000000 ____D C:\Program Files\CCleaner
2016-07-06 22:45 - 2016-07-06 22:45 - 00001171 _____ C:\Users\Coult\Desktop\JRT.txt
2016-07-06 22:31 - 2016-07-06 22:31 - 00000388 _____ C:\Windows\Tasks\ReasonSecurityScheduledScan.job
2016-07-06 22:29 - 2016-07-06 22:29 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Reason Core Security
2016-07-06 22:29 - 2016-07-06 22:29 - 00000000 ____D C:\Program Files\Reason
2016-07-06 22:28 - 2016-07-06 22:28 - 00000000 ____D C:\Users\Coult\AppData\Local\Zemana
2016-07-06 22:05 - 2016-07-06 22:05 - 00000000 ____D C:\ProgramData\Panda Security
2016-07-06 22:05 - 2016-07-06 22:05 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Panda Security
2016-07-06 22:05 - 2016-07-06 22:05 - 00000000 ____D C:\Program Files\Panda USB Vaccine
2016-07-06 03:52 - 2016-07-06 03:52 - 00000000 ____D C:\Windows\ERDNT
2016-07-06 03:50 - 2016-07-06 03:50 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT
2016-07-06 03:50 - 2016-07-06 03:50 - 00000000 ____D C:\Program Files\ERUNT
2016-07-06 03:37 - 2016-07-06 03:43 - 00005002 _____ C:\Users\Coult\Desktop\Rkill.txt
2016-07-06 02:52 - 2016-07-06 02:52 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
2016-07-06 02:52 - 2016-07-06 02:52 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2016-07-05 22:59 - 2016-07-06 00:22 - 00000000 ____D C:\Users\Coult\Downloads\wsusoffline
2016-07-05 22:37 - 2016-07-05 22:37 - 00000000 ____D C:\Users\Coult\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2016-07-05 21:19 - 2016-07-05 21:20 - 00000000 ____D C:\Program Files\Mozilla Firefox(18)
2016-07-05 21:17 - 2016-07-05 21:17 - 00313366 _____ C:\Users\Coult\Downloads\amazon.diagcab
2016-07-05 21:13 - 2016-07-05 21:13 - 00313366 _____ C:\Users\Coult\Downloads\WindowsUpdateDiagnostic.diagcab
2016-07-03 04:47 - 2016-07-03 04:47 - 00000000 ____D C:\Users\Coult\AppData\Roaming\Avira
2016-07-03 04:35 - 2016-07-03 04:45 - 00000000 ____D C:\ProgramData\Avira
2016-07-03 04:35 - 2016-07-03 04:41 - 00000000 ____D C:\Program Files\Avira
2016-07-03 02:18 - 2016-07-03 02:20 - 00201180 _____ C:\TDSSKiller.3.1.0.9_03.07.2016_02.18.56_log.txt
2016-07-03 01:01 - 2016-07-03 04:59 - 00001024 _____ C:\.rnd
2016-07-03 01:00 - 2016-07-03 01:00 - 00000000 ____D C:\ProgramData\Tenable
2016-07-03 01:00 - 2016-07-03 01:00 - 00000000 ____D C:\Program Files\Tenable
2016-07-03 00:58 - 2016-07-03 00:58 - 04755708 _____ C:\Users\Coult\Documents\AvgInstallLog.cab
2016-06-29 20:43 - 2016-06-29 20:43 - 00000000 ____D C:\Users\Coult\AppData\Roaming\SUPERAntiSpyware.com
2016-06-29 20:42 - 2016-06-29 20:42 - 00000000 ____D C:\ProgramData\SUPERAntiSpyware.com
2016-06-29 20:37 - 2016-06-29 20:37 - 00000000 ____D C:\ProgramData\NortonInstaller
2016-06-29 20:34 - 2016-07-03 02:34 - 00000000 ____D C:\Users\Coult\AppData\Roaming\QuickScan
2016-06-29 20:17 - 2016-06-29 20:17 - 00000000 ____D C:\Program Files\WinPcap
2016-06-29 20:08 - 2016-06-29 20:08 - 01063815 _____ C:\Users\Coult\AppData\Local\ars.cache
2016-06-29 20:08 - 2016-06-29 20:08 - 00561518 _____ C:\Users\Coult\AppData\Local\census.cache
2016-06-29 10:15 - 2016-06-29 10:15 - 00000010 _____ C:\Users\Coult\AppData\Local\sponge.last.runtime.cache
2016-06-29 10:06 - 2016-06-29 10:06 - 00000000 ____D C:\Windows\Trend Micro
2016-06-29 10:06 - 2016-06-29 10:06 - 00000000 ____D C:\ProgramData\Trend Micro
2016-06-29 10:04 - 2016-06-29 10:04 - 00000036 _____ C:\Users\Coult\AppData\Local\housecall.guid.cache
2016-06-25 14:18 - 2016-06-25 14:18 - 00000000 ____D C:\Users\Coult\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox(131)
2016-06-15 22:20 - 2016-06-15 22:20 - 00000000 ____D C:\ProgramData\LogiShrd
2016-06-15 22:20 - 2016-06-15 22:20 - 00000000 ____D C:\Program Files\Common Files\LogiShrd

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-07-08 09:00 - 2015-03-17 01:08 - 02308172 _____ C:\Windows\ntbtlog.txt
2016-07-08 01:23 - 2008-03-14 15:21 - 00000000 ____D C:\Users\Coult\Documents\- Temp
2016-07-08 01:22 - 2009-10-10 11:51 - 00000000 ____D C:\Program Files\MWSnap
2016-07-07 22:24 - 2012-04-05 00:32 - 00000680 _____ C:\Users\Coult\AppData\Local\d3d9caps.dat
2016-07-07 00:46 - 2010-11-28 21:37 - 00000000 ____D C:\ProgramData\MFAData
2016-07-06 23:55 - 2014-05-21 22:33 - 00170200 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-07-06 23:31 - 2016-05-02 10:04 - 00000000 ____D C:\Users\Coult\AppData\Local\Citrix
2016-07-06 23:13 - 2015-03-17 03:42 - 00000000 ____D C:\AdwCleaner
2016-07-06 21:57 - 2006-11-02 06:18 - 00000000 ____D C:\Windows\inf
2016-07-06 21:57 - 2006-11-02 05:33 - 00816602 _____ C:\Windows\system32\PerfStringBackup.INI
2016-07-05 22:39 - 2007-08-01 21:03 - 00000012 _____ C:\Windows\bthservsdp.dat
2016-07-05 22:39 - 2006-11-02 08:01 - 00032558 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2016-07-05 22:39 - 2006-11-02 08:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-07-05 22:39 - 2006-11-02 07:47 - 00003296 _____ C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2016-07-05 22:39 - 2006-11-02 07:47 - 00003296 _____ C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2016-07-05 22:37 - 2016-05-03 05:25 - 00000918 _____ C:\Windows\Tasks\DropboxUpdateTaskUserS-1-5-21-2928429055-1840525401-3513896323-1002UA.job
2016-07-05 22:37 - 2014-08-17 19:06 - 00000000 ____D C:\Users\Coult\AppData\Roaming\Dropbox
2016-07-05 22:22 - 2015-11-23 01:11 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-07-05 22:08 - 2015-06-09 05:59 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\H&R Block 2013
2016-07-05 22:08 - 2013-11-25 02:57 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\H&R Block 2012
2016-07-05 22:08 - 2008-03-09 23:16 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\French Spelling Settings
2016-07-05 22:07 - 2008-03-09 18:34 - 00000000 ____D C:\Users\Coult
2016-07-05 22:07 - 2006-11-02 05:22 - 67895296 _____ C:\Windows\system32\config\software_previous
2016-07-05 22:07 - 2006-11-02 05:22 - 51118080 _____ C:\Windows\system32\config\components_previous
2016-07-05 22:07 - 2006-11-02 05:22 - 25427968 _____ C:\Windows\system32\config\system_previous
2016-07-05 22:07 - 2006-11-02 05:22 - 00524288 _____ C:\Windows\system32\config\default_previous
2016-07-05 22:07 - 2006-11-02 05:22 - 00098304 _____ C:\Windows\system32\config\sam_previous
2016-07-05 22:07 - 2006-11-02 05:22 - 00024576 _____ C:\Windows\system32\config\security_previous
2016-07-05 22:05 - 2016-05-23 23:25 - 00000000 ___RD C:\Users\Coult\Google Drive
2016-07-05 22:05 - 2016-05-05 17:58 - 00000000 ____D C:\Program Files\Mozilla Firefox
2016-07-05 22:05 - 2016-05-02 14:30 - 00000000 ____D C:\ProgramData\B0FFCDD9-5261-4e59-B29A-17A4FABDEBAB
2016-07-05 22:05 - 2015-06-09 05:58 - 00000000 ____D C:\Program Files\PDF995
2016-07-05 22:05 - 2015-06-09 05:58 - 00000000 ____D C:\Program Files\HRBlock2013
2016-07-05 22:05 - 2015-04-22 04:26 - 00000000 ____D C:\Program Files\HitmanPro
2016-07-05 22:05 - 2015-03-22 22:27 - 00000000 ____D C:\ProgramData\FLEXnet
2016-07-05 22:05 - 2014-10-13 13:27 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2016-07-05 22:05 - 2014-10-13 13:22 - 00000000 ____D C:\ProgramData\AVG2015
2016-07-05 22:05 - 2013-11-25 02:55 - 00000000 ____D C:\Program Files\HRBlock2012
2016-07-05 22:05 - 2013-08-27 01:15 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2016-07-05 22:05 - 2012-03-20 14:50 - 00000000 ____D C:\Program Files\MALWAREBYTES ANTI-MALWARE
2016-07-05 22:05 - 2012-01-02 00:16 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\H&R Block 2010
2016-07-05 22:05 - 2012-01-02 00:06 - 00000000 ____D C:\Program Files\HRBlock2010
2016-07-05 22:05 - 2010-10-16 21:55 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\H&R Block 2009
2016-07-05 22:05 - 2010-10-16 21:46 - 00000000 ____D C:\Program Files\HRBlock2009
2016-07-05 22:05 - 2008-05-24 13:49 - 00000000 ____D C:\Program Files\AVG
2016-07-05 22:05 - 2008-03-18 01:05 - 00000000 ___SD C:\Users\Coult\Documents\My Data Sources
2016-07-05 22:05 - 2008-03-10 01:15 - 00000000 ____D C:\Users\Coult\AppData\Local\Microsoft Help
2016-07-05 22:05 - 2008-03-09 23:16 - 00000000 ____D C:\Program Files\FrRefEng
2016-07-05 22:05 - 2006-11-02 07:37 - 00000000 ____D C:\Program Files\Windows Sidebar
2016-07-05 22:05 - 2006-11-02 06:18 - 00000000 ____D C:\Windows\system32\spool
2016-07-05 22:05 - 2006-11-02 06:18 - 00000000 ____D C:\Windows\system32\Msdtc
2016-07-05 22:05 - 2006-11-02 06:18 - 00000000 ____D C:\Windows\system32\inetsrv
2016-07-05 22:05 - 2006-11-02 06:18 - 00000000 ____D C:\Windows\registration
2016-07-05 22:04 - 2016-03-30 11:27 - 00000000 ____D C:\Program Files\VS Revo Group
2016-07-03 04:22 - 2010-11-29 00:59 - 00000000 ____D C:\ProgramData\AVG
2016-07-03 04:21 - 2015-12-25 03:53 - 00000000 ____D C:\Users\Coult\AppData\Local\AvgSetupLog
2016-07-03 03:44 - 2008-03-14 15:35 - 00000000 ____D C:\Users\Coult\Documents\- My Docs
2016-06-30 01:02 - 2007-06-11 14:33 - 00000000 ____D C:\Windows\Panther
2016-06-30 01:00 - 2009-10-08 00:54 - 00000000 _____ C:\Users\Coult\AppData\LocalLow\prvlcl.dat
2016-06-28 23:24 - 2015-09-04 02:08 - 00000000 ____D C:\Users\Coult\AppData\Local\BA6A0438-280C-4929-96A7-E2F4654DFFCB.aplzod
2016-06-16 02:12 - 2009-03-08 03:16 - 00000000 ____D C:\Users\Coult\Documents\Austin
2016-06-15 22:34 - 2014-08-17 19:08 - 00000000 ___RD C:\Users\Coult\Dropbox
2016-06-13 03:38 - 2016-01-27 18:43 - 00000917 _____ C:\Windows\Tasks\EPSON XP-420 Series Update {A5D91C27-D75C-45B1-B885-B590A3902163}.job
2016-06-13 03:38 - 2015-11-23 01:11 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-06-13 03:38 - 2014-07-06 23:21 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-06-12 23:19 - 2016-05-03 05:25 - 00000866 _____ C:\Windows\Tasks\DropboxUpdateTaskUserS-1-5-21-2928429055-1840525401-3513896323-1002Core.job

==================== Files in the root of some directories =======

2013-06-26 07:53 - 2014-06-22 22:20 - 0003728 _____ () C:\Program Files\Mozilla Firefoxavg-secure-search.xml
2011-11-17 00:02 - 2013-07-19 02:23 - 0022976 _____ () C:\Users\Coult\AppData\Roaming\Comma Separated Values (DOS).ADR
2012-03-04 16:17 - 2013-01-13 21:47 - 0010735 _____ () C:\Users\Coult\AppData\Roaming\Comma Separated Values (DOS).CAL
2010-09-06 01:25 - 2012-01-05 21:38 - 0037848 _____ () C:\Users\Coult\AppData\Roaming\Comma Separated Values (Windows).ADR
2009-09-07 22:14 - 2013-01-13 21:59 - 0010729 _____ () C:\Users\Coult\AppData\Roaming\Comma Separated Values (Windows).CAL
2011-12-03 17:41 - 2011-12-03 17:42 - 0011770 _____ () C:\Users\Coult\AppData\Roaming\Tab Separated Values (DOS).CAL
2008-03-10 20:09 - 2008-03-10 20:09 - 0000000 _____ () C:\Users\Coult\AppData\Roaming\wklnhst.dat
2016-06-29 20:08 - 2016-06-29 20:08 - 1063815 _____ () C:\Users\Coult\AppData\Local\ars.cache
2016-06-29 20:08 - 2016-06-29 20:08 - 0561518 _____ () C:\Users\Coult\AppData\Local\census.cache
2012-04-05 00:32 - 2016-07-07 22:24 - 0000680 _____ () C:\Users\Coult\AppData\Local\d3d9caps.dat
2008-03-10 20:15 - 2012-08-23 23:34 - 0033280 _____ () C:\Users\Coult\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2016-06-29 10:04 - 2016-06-29 10:04 - 0000036 _____ () C:\Users\Coult\AppData\Local\housecall.guid.cache
2009-07-05 20:16 - 2009-07-05 20:16 - 0004096 _____ () C:\Users\Coult\AppData\Local\keyfile3.drm
2016-06-29 10:15 - 2016-06-29 10:15 - 0000010 _____ () C:\Users\Coult\AppData\Local\sponge.last.runtime.cache
2009-07-13 01:14 - 2009-07-13 01:14 - 0000056 _____ () C:\ProgramData\ezsidmv.dat
2007-08-17 20:02 - 2007-08-17 20:02 - 1132112 _____ () C:\ProgramData\pswi_preloaded.exe

Files to move or delete:
====================
C:\ProgramData\pswi_preloaded.exe


Some files in TEMP:
====================
C:\Users\Coult\AppData\Local\Temp\dllnt_dump.dll


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-07-07 23:34

==================== End of FRST.txt ============================
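The first post centres on a DNS changer and a FRST log whose Internet section lists the resolvers each adapter is using. The following triage helper is an added example, not part of the original post or of FRST itself: it parses the `Tcpip\Parameters` and `Tcpip\..\Interfaces` resolver lines in FRST's format and flags any resolver not in an allowlist. The allowlist (the two DHCP-issued ISP resolvers the log above reports) is an assumption about what is legitimate on that machine, and the sample log is constructed from the page's format with an invented static `NameServer` entry pointing at 203.0.113.50 (a documentation address) to show what a finding looks like.

```python
"""Triage helper for the Internet section of an FRST log (added example).

Extracts every DNS resolver FRST reports under Tcpip\\Parameters and
Tcpip\\..\\Interfaces and flags anything not in an allowlist of resolvers
you expect on that machine. FRST prints "[DhcpNameServer] ip ip" for
DHCP-assigned resolvers and "[NameServer] ip ip" for statically configured
ones; DNS changers normally plant static NameServer values, so those are
rated higher than an unexpected DHCP value.
"""
import ipaddress
import re

DNS_LINE = re.compile(
    r"^Tcpip\\(?P<where>Parameters|\.\.\\Interfaces\\\{[0-9A-Fa-f-]+\}):\s*"
    r"\[(?P<kind>DhcpNameServer|NameServer)\]\s*(?P<servers>.*)$"
)

# Assumption: the ISP resolvers the log reports via DHCP are the legitimate ones.
ALLOWED_RESOLVERS = ["209.18.47.62", "209.18.47.61"]

# Constructed sample in FRST's Internet-section format. The last line (a static
# NameServer pointing at a documentation-range address) is invented for the demo.
SAMPLE_LOG = """\
Winsock: Catalog5 08 C:\\Program Files\\Bonjour\\mdnsNSP.dll [121704 2011-08-31] (Apple Inc.)
Tcpip\\Parameters: [DhcpNameServer] 209.18.47.62 209.18.47.61
Tcpip\\..\\Interfaces\\{00225D52-4952-4785-A3BC-A28E22B0D9AA}: [DhcpNameServer] 209.18.47.62 209.18.47.61
Tcpip\\..\\Interfaces\\{F3190096-33E1-494F-8233-2FE9ECE13E18}: [NameServer] 203.0.113.50 209.18.47.62
"""


def parse_dns_entries(frst_text):
    """Return a list of (where, kind, [resolver, ...]) for every resolver line."""
    entries = []
    for line in frst_text.splitlines():
        m = DNS_LINE.match(line.strip())
        if not m:
            continue
        servers = []
        for token in m.group("servers").split():
            try:
                servers.append(str(ipaddress.ip_address(token)))
            except ValueError:
                # FRST may print a hostname here; keep the raw token so it is
                # still compared against the allowlist (and therefore flagged).
                servers.append(token)
        entries.append((m.group("where"), m.group("kind"), servers))
    return entries


def flag_unexpected_resolvers(frst_text, allowed):
    """Return (severity, where, kind, resolver) for each resolver not in `allowed`."""
    allowed_set = {str(ipaddress.ip_address(a)) for a in allowed}
    findings = []
    for where, kind, servers in parse_dns_entries(frst_text):
        for resolver in servers:
            if resolver in allowed_set:
                continue
            severity = "high" if kind == "NameServer" else "medium"
            findings.append((severity, where, kind, resolver))
    return findings


if __name__ == "__main__":
    for severity, where, kind, resolver in flag_unexpected_resolvers(SAMPLE_LOG, ALLOWED_RESOLVERS):
        print(f"[{severity}] {kind} {resolver} configured under Tcpip\\{where}")
```

Run against a real FRST.txt, an empty result means every resolver the adapters use is one you expected; a `high` finding on a per-interface `NameServer` is the pattern to investigate first, since a DHCP-managed adapter should not normally carry a static resolver at all.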


#2 nasdaq

  • Malware Response Team
  • 40,490 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:25 AM

Posted 09 July 2016 - 07:27 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.

start


CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\...\Run: [] => [X]
HKU\S-1-5-21-2928429055-1840525401-3513896323-1002\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
URLSearchHook: HKU\S-1-5-21-2928429055-1840525401-3513896323-1002 - (No Name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} -  No File
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0009-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
S4 blbdrive; no ImagePath
S3 btwaudio; no ImagePath
S3 btwavdt; no ImagePath
S3 btwl2cap; no ImagePath
S3 btwrchid; no ImagePath
S3 HTCAND32; System32\Drivers\ANDROIDUSB.sys [X]
S3 IpInIp; no ImagePath
S3 NwlnkFlt; no ImagePath
S3 NwlnkFwd; no ImagePath
S4 UIUSys; no ImagePath
Shortcut: C:\Users\Coult\AppData\Roaming\Microsoft\Windows\Network Shortcuts\My Web Sites on MSN\target.lnk -> hxxp://www.msnusers.com (No File)
AlternateDataStreams: C:\ProgramData\TEMP:0B4227B4 [286]
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [115]
cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please Download and run the ComboFix tool.

How to use ComboFix
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Follow the instructions on the page.

Post the content of the C:\ComboFix.txt file for my review.

p.s.
When all is well you can remove the tool by following the Uninstall instructions on the same page.

Please post the logs and let me know what problem persists.
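
Once FRST has applied a fixlist, Fixlog.txt is the only record of what actually happened, and the result phrases it prints ("removed successfully", "key not found", "Error: No automatic fix found for this entry") are easy to skim past in a long log. The script below is an added example for this thread, not code from FRST or from anyone posting here. It parses a Fixlog excerpt constructed here in FRST's format (the paths, service name and GUID are illustrative), skips the echoed fixlist between the ***** lines, tallies results by status, lists the entries that still need manual action, and confirms that the ipconfig /flushdns step reported success. The only assumption is that FRST keeps using those result phrases.

```python
"""Check an FRST Fixlog.txt: which fixlist entries were applied and which were not.

Added example for this thread, not FRST's own code. It relies only on the result
phrases FRST prints in Fixlog.txt ("removed successfully", "not found", "Error:").
"""
import re
from collections import Counter

# Fixlog excerpt constructed for this example in the format FRST writes; the
# registry paths, service name and GUID mirror the kind of entries in this thread.
SAMPLE_FIXLOG = r"""
fixlist content:
*****************
start
HKLM\...\Run: [] => [X]
S4 blbdrive; no ImagePath
AlternateDataStreams: C:\ProgramData\TEMP:0B4227B4 [286]
cmd: ipconfig /flushdns
End
*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully.
"HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}" => key removed successfully.
HKCR\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93} => key not found.
blbdrive => service removed successfully.
Shortcut: C:\Users\Coult\AppData\Roaming\Microsoft\Windows\Network Shortcuts\My Web Sites on MSN\target.lnk -> hxxp://www.msnusers.com (No File) => Error: No automatic fix found for this entry.
C:\ProgramData\TEMP => ":0B4227B4" ADS removed successfully..

=========  ipconfig /flushdns =========

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========
"""

# "<subject> => <result>." with FRST's occasional doubled trailing period
RESULT_RE = re.compile(r"^(?P<subject>.+?) => (?P<result>.+?)\.*$")


def classify(result):
    """Map an FRST result phrase to ok / not_found / error / other."""
    r = result.lower()
    if r.startswith("error"):
        return "error"
    if "not found" in r:
        return "not_found"
    if "successfully" in r:
        return "ok"
    return "other"


def parse_fixlog(text):
    """Return (subject, result, status) for every '<subject> => <result>' line.

    The echoed fixlist between the ***** lines is skipped (its own '=>' lines are
    directives, not results), as are the ===== banners around cmd: output.
    """
    entries = []
    in_echo = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if set(line) == {"*"}:
            in_echo = not in_echo
            continue
        if in_echo or line.startswith("="):
            continue
        m = RESULT_RE.match(line)
        if m:
            subject, result = m.group("subject"), m.group("result")
            entries.append((subject, result, classify(result)))
    return entries


def summarize(entries):
    """Count entries per status."""
    return dict(Counter(status for _, _, status in entries))


def unresolved(entries):
    """Entries FRST reported it could not fix; these need manual follow-up."""
    return [(subject, result) for subject, result, status in entries if status == "error"]


def dns_cache_flushed(text):
    """FRST echoes the cmd: output; confirm the resolver cache flush really ran."""
    return "Successfully flushed the DNS Resolver Cache" in text


if __name__ == "__main__":
    entries = parse_fixlog(SAMPLE_FIXLOG)
    print(summarize(entries))
    for subject, result in unresolved(entries):
        print("NEEDS MANUAL ACTION:", subject, "->", result)
    print("DNS cache flushed:", dns_cache_flushed(SAMPLE_FIXLOG))
```

Run it against a real Fixlog.txt by replacing SAMPLE_FIXLOG with the file's contents; anything under "NEEDS MANUAL ACTION" (here the orphaned shortcut) is an entry the helper must deal with by hand, and a "not_found" result is normal for a key that was already gone.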

#3 coult
  • Topic Starter
  • Members
  • 7 posts
  • Gender:Male
  • Location:Austin, TX
  • Local time:03:25 AM

Posted 09 July 2016 - 07:25 PM

Thanks for the quick response Nasdaq! I didn't expect a reply so soon based on indicated turn-times when I registered...

Please see Fixlog.txt and C:\ComboFix.txt below:

Fix result of Farbar Recovery Scan Tool (x86) Version: 09-07-2016
Ran by Coult (2016-07-09 18:20:23) Run:1
Running from C:\Users\Coult\Desktop\Security Tools
Loaded Profiles: Coult (Available Profiles: Coult)
Boot Mode: Normal

==============================================

fixlist content:
*****************
start


CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\...\Run: [] => [X]
HKU\S-1-5-21-2928429055-1840525401-3513896323-1002\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
URLSearchHook: HKU\S-1-5-21-2928429055-1840525401-3513896323-1002 - (No Name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} -  No File
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0009-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
S4 blbdrive; no ImagePath
S3 btwaudio; no ImagePath
S3 btwavdt; no ImagePath
S3 btwl2cap; no ImagePath
S3 btwrchid; no ImagePath
S3 HTCAND32; System32\Drivers\ANDROIDUSB.sys [X]
S3 IpInIp; no ImagePath
S3 NwlnkFlt; no ImagePath
S3 NwlnkFwd; no ImagePath
S4 UIUSys; no ImagePath
Shortcut: C:\Users\Coult\AppData\Roaming\Microsoft\Windows\Network Shortcuts\My Web Sites on MSN\target.lnk -> hxxp://www.msnusers.com (No File)
AlternateDataStreams: C:\ProgramData\TEMP:0B4227B4 [286]
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [115]
cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew

End
*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully.
"HKU\S-1-5-21-2928429055-1840525401-3513896323-1002\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
HKU\S-1-5-21-2928429055-1840525401-3513896323-1002\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} => value removed successfully.
"HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}" => key removed successfully.
HKCR\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93} => key not found.
"HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}" => key removed successfully.
HKCR\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} => key not found.
"HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0017-0000-0009-ABCDEFFEDCBA}" => key removed successfully.
HKCR\CLSID\{CAFEEFAC-0017-0000-0009-ABCDEFFEDCBA} => key not found.
"HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}" => key removed successfully.
HKCR\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} => key not found.
blbdrive => service removed successfully.
btwaudio => service removed successfully.
btwavdt => service removed successfully.
btwl2cap => service removed successfully.
btwrchid => service removed successfully.
HTCAND32 => service removed successfully.
IpInIp => service removed successfully.
NwlnkFlt => service removed successfully.
NwlnkFwd => service removed successfully.
UIUSys => service removed successfully.
Shortcut: C:\Users\Coult\AppData\Roaming\Microsoft\Windows\Network Shortcuts\My Web Sites on MSN\target.lnk -> hxxp://www.msnusers.com (No File) => Error: No automatic fix found for this entry.
C:\ProgramData\TEMP => ":0B4227B4" ADS removed successfully..
C:\ProgramData\TEMP => ":5C321E34" ADS removed successfully..

=========  ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


=========  IPCONFIG /release =========


Windows IP Configuration

No operation can be performed on Local Area Connection while it has its media disconnected.

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : 2605:6000:f3a4:9600:246c:d0f1:6b33:3c75
   Temporary IPv6 Address. . . . . . : 2605:6000:f3a4:9600:c423:845b:cbec:9bdf
   Link-local IPv6 Address . . . . . : fe80::246c:d0f1:6b33:3c75%9
   Default Gateway . . . . . . . . . : fe80::8e09:f4ff:fe05:7a67%9

Tunnel adapter Local Area Connection* 6:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter Local Area Connection* 7:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter Local Area Connection* 12:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

========= End of CMD: =========


=========  IPCONFIG /renew =========


Windows IP Configuration

No operation can be performed on Local Area Connection while it has its media disconnected.

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : 2605:6000:f3a4:9600:246c:d0f1:6b33:3c75
   Temporary IPv6 Address. . . . . . : 2605:6000:f3a4:9600:c423:845b:cbec:9bdf
   Link-local IPv6 Address . . . . . : fe80::246c:d0f1:6b33:3c75%9
   IPv4 Address. . . . . . . . . . . : 192.168.0.11
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::8e09:f4ff:fe05:7a67%9
                                       192.168.0.1

Tunnel adapter Local Area Connection* 6:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter Local Area Connection* 7:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter Local Area Connection* 12:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

========= End of CMD: =========


=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 3267999 B
Java, Flash, Steam htmlcache => 658 B
Windows/system/drivers => 16863147 B
Edge => 0 B
Chrome => 0 B
Firefox => 29342604 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 49442 B
Public => 0 B
ProgramData => 0 B
systemprofile => 83323 B
LocalService => 33326 B
NetworkService => 33058 B
Coult => 68042806 B

RecycleBin => 6628020 B
EmptyTemp: => 126.6 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 18:24:00 ====

************************************************************************************************************************************************

ComboFix 16-06-30.01 - Coult 07/09/2016  18:45:34.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.3062.1181 [GMT -5:00]
Running from: c:\users\Coult\Desktop\ComboFix.exe
AV: AVG AntiVirus Free Edition 2015 *Disabled/Updated* {4D41356F-32AD-7C42-C820-63775EE4F413}
SP: AVG AntiVirus Free Edition 2015 *Disabled/Updated* {F620D48B-1497-73CC-F290-58052563BEAE}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\WinPCap
c:\program files\WinPCap\LICENSE
c:\programdata\ntuser.pol
c:\programdata\pswi_preloaded.exe
c:\users\Coult\AppData\Local\Temp\d9df132a68724718a474391ddd9ee01c\filesys.dll
c:\users\Coult\AppData\Local\Temp\d9df132a68724718a474391ddd9ee01c\http.dll
c:\windows\~GLC0000.TMP
c:\windows\~GLH0000.TMP
c:\windows\system32\AdobePDF.dll
.
.
(((((((((((((((((((((((((   Files Created from 2016-06-10 to 2016-07-10  )))))))))))))))))))))))))))))))
.
.
2016-07-09 23:56 . 2016-07-10 00:01    --------    d-----w-    c:\users\Coult\AppData\Local\temp
2016-07-09 23:56 . 2016-07-09 23:56    --------    d-----w-    c:\users\TEMP\AppData\Local\temp
2016-07-09 23:56 . 2016-07-09 23:56    --------    d-----w-    c:\users\Default\AppData\Local\temp
2016-07-09 23:06 . 2016-06-24 02:21    892976    ----a-w-    c:\program files\Mozilla Firefox\uninstall\helper.exe
2016-07-08 14:02 . 2016-07-09 23:37    --------    d-----w-    C:\FRST
2016-07-07 08:27 . 2016-07-07 08:27    24688    ----a-w-    c:\windows\system32\drivers\TrueSight.sys
2016-07-07 08:26 . 2016-07-07 08:26    --------    d-----w-    c:\programdata\RogueKiller
2016-07-07 04:29 . 2016-07-07 04:29    --------    d-----w-    c:\program files\CCleaner
2016-07-07 03:29 . 2016-07-07 03:29    --------    d-----w-    c:\program files\Reason
2016-07-07 03:28 . 2016-07-07 03:28    --------    d-----w-    c:\users\Coult\AppData\Local\Zemana
2016-07-07 03:05 . 2016-07-07 03:05    --------    d-----w-    c:\programdata\Panda Security
2016-07-07 03:05 . 2016-07-07 03:05    --------    d-----w-    c:\program files\Panda USB Vaccine
2016-07-06 08:50 . 2016-07-06 08:50    --------    d-----w-    c:\program files\ERUNT
2016-07-06 07:52 . 2016-07-06 07:52    --------    d-----w-    c:\program files\SUPERAntiSpyware
2016-07-06 02:19 . 2016-07-06 02:20    --------    d-----w-    c:\program files\Mozilla Firefox(18)
2016-07-03 09:47 . 2016-07-03 09:47    --------    d-----w-    c:\users\Coult\AppData\Roaming\Avira
2016-07-03 09:35 . 2016-07-03 09:41    --------    d-----w-    c:\program files\Avira
2016-07-03 09:35 . 2016-07-03 09:45    --------    d-----w-    c:\programdata\Avira
2016-07-03 06:00 . 2016-07-03 06:00    --------    d-----w-    c:\programdata\Tenable
2016-07-03 06:00 . 2016-07-03 06:00    --------    d-----w-    c:\program files\Tenable
2016-06-30 01:43 . 2016-06-30 01:43    --------    d-----w-    c:\users\Coult\AppData\Roaming\SUPERAntiSpyware.com
2016-06-30 01:42 . 2016-06-30 01:42    --------    d-----w-    c:\programdata\SUPERAntiSpyware.com
2016-06-30 01:37 . 2016-06-30 01:37    --------    d-----w-    c:\programdata\NortonInstaller
2016-06-30 01:34 . 2016-07-03 07:34    --------    d-----w-    c:\users\Coult\AppData\Roaming\QuickScan
2016-06-29 15:06 . 2016-06-29 15:06    --------    d-----w-    c:\programdata\Trend Micro
2016-06-29 15:06 . 2016-06-29 15:06    --------    d-----w-    c:\windows\Trend Micro
2016-06-16 03:20 . 2016-06-16 03:20    --------    d-----w-    c:\programdata\LogiShrd
2016-06-16 03:20 . 2016-06-16 03:20    --------    d-----w-    c:\program files\Common Files\LogiShrd
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2016-07-07 04:55 . 2014-05-22 03:33    170200    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2016-05-12 20:13 . 2012-04-05 05:45    797376    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2016-05-12 20:13 . 2011-05-23 09:32    142528    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2016-04-23 17:03 . 2016-05-17 13:22    367616    ----a-w-    c:\windows\system32\html.iec
2016-04-23 17:00 . 2016-05-17 13:22    1831424    ----a-w-    c:\windows\system32\jscript9.dll
2016-04-23 17:00 . 2016-05-17 13:22    1436160    ----a-w-    c:\windows\system32\inetcpl.cpl
2016-04-23 17:00 . 2016-05-17 13:22    1089024    ----a-w-    c:\windows\system32\wininet.dll
2016-04-23 17:00 . 2016-05-17 13:22    142848    ----a-w-    c:\windows\system32\ieUnatt.exe
2016-04-23 16:59 . 2016-05-17 13:22    414208    ----a-w-    c:\windows\system32\vbscript.dll
2016-04-23 16:59 . 2016-05-17 13:22    11776    ----a-w-    c:\windows\system32\mshta.exe
2016-04-23 16:59 . 2016-05-17 13:22    2382848    ----a-w-    c:\windows\system32\mshtml.tlb
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\  GoogleDriveBlacklisted]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2016-05-17 18:26    576408    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\  GoogleDriveSynced]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2016-05-17 18:26    576408    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\  GoogleDriveSyncing]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2016-05-17 18:26    576408    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt1"]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2016-06-13 20:10    211264    ----a-w-    c:\users\Coult\AppData\Roaming\Dropbox\bin\DropboxExt.34.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt2"]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2016-06-13 20:10    211264    ----a-w-    c:\users\Coult\AppData\Roaming\Dropbox\bin\DropboxExt.34.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt3"]
@="{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}]
2016-06-13 20:10    211264    ----a-w-    c:\users\Coult\AppData\Roaming\Dropbox\bin\DropboxExt.34.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt4"]
@="{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}]
2016-06-13 20:10    211264    ----a-w-    c:\users\Coult\AppData\Roaming\Dropbox\bin\DropboxExt.34.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt5"]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2016-06-13 20:10    211264    ----a-w-    c:\users\Coult\AppData\Roaming\Dropbox\bin\DropboxExt.34.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt6"]
@="{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}]
2016-06-13 20:10    211264    ----a-w-    c:\users\Coult\AppData\Roaming\Dropbox\bin\DropboxExt.34.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt7"]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2016-06-13 20:10    211264    ----a-w-    c:\users\Coult\AppData\Roaming\Dropbox\bin\DropboxExt.34.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt8"]
@="{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}]
2016-06-13 20:10    211264    ----a-w-    c:\users\Coult\AppData\Roaming\Dropbox\bin\DropboxExt.34.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CCleaner Monitoring"="c:\program files\CCleaner\CCleaner.exe" [2015-11-16 6602152]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-29 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-29 154136]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-06-08 118784]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-10-11 60712]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"DisableStartupSound"= 1 (0x1)
"DisableStatusMessages"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisableThumbnailsOnNetworkFolders"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2007-07-25 02:26    98304    ----a-w-    c:\windows\System32\VESWinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^eFax 4.3.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\eFax 4.3.lnk
backup=c:\windows\pss\eFax 4.3.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Google Calendar Sync.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Google Calendar Sync.lnk
backup=c:\windows\pss\Google Calendar Sync.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Coult^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\users\Coult\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^Coult^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^eFax 4.4.lnk]
path=c:\users\Coult\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eFax 4.4.lnk
backup=c:\windows\pss\eFax 4.4.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^Coult^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Coult\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^Coult^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^PaperMaster Live Menu 7.0.lnk]
path=c:\users\Coult\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PaperMaster Live Menu 7.0.lnk
backup=c:\windows\pss\PaperMaster Live Menu 7.0.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^Coult^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^PaperMaster Tray Menu 7.0.lnk]
path=c:\users\Coult\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PaperMaster Tray Menu 7.0.lnk
backup=c:\windows\pss\PaperMaster Tray Menu 7.0.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2007-05-11 05:46    624248    ----a-w-    c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG_UI]
2016-05-11 18:47    25496    ----a-w-    c:\program files\AVG\AVG2015\avuirunnerx.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COS]
2011-10-25 05:45    3526472    ----a-w-    c:\program files\COMODO\COMODO Online Storage\COSCLIENT.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dropbox Update]
2016-05-03 10:25    143144    ----atw-    c:\users\Coult\AppData\Local\Dropbox\Update\DropboxUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.4]
c:\program files\eFax Messenger 4.4\J2GDllCmd.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33    125952    ----a-w-    c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoogleDriveSync]
2016-05-17 18:26    23496872    ----a-w-    c:\program files\Google\Drive\googledrivesync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2011-02-18 19:49    49208    ----a-w-    c:\program files\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iCloudServices]
2013-10-31 19:47    59720    ----a-w-    c:\program files\Common Files\Apple\Internet Services\iCloudServices.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISBMgr.exe]
2007-06-12 01:27    317560    ----a-w-    c:\program files\Sony\ISB Utility\ISBMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2014-10-15 11:42    157480    ----a-w-    c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-06-29 12:56    133656    ----a-w-    c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinterProDesktop]
2015-12-24 14:02    4056064    ----a-w-    c:\program files\Printer Pro Desktop\PrinterProDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Report]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Seagate Dashboard]
2011-06-01 23:06    79112    ----a-w-    c:\program files\Seagate\Seagate Dashboard\MemeoLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2016-05-31 17:43    6825888    ----a-w-    c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Center Access Bar]
2007-06-21 23:54    53248    ----a-w-    c:\program files\Sony\VAIO Center Access Bar\VCAB.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VWLASU]
2007-07-12 18:31    45056    ----a-w-    c:\program files\Sony\VAIO PC Wireless LAN Wizard\AutoLaunchWLASU.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38    1008184    ----a-w-    c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile-based device management]
2007-05-31 16:21    648072    ----a-w-    c:\windows\WindowsMobile\wmdcBase.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33    202240    ----a-w-    c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"iCloudServices"=c:\program files\Common Files\Apple\Internet Services\iCloudServices.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2928429055-1840525401-3513896323-1002]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001
.
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2014-07-22 142648]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs    REG_MULTI_SZ       BthServ
WindowsMobile    REG_MULTI_SZ       wcescomm rapimgr
LocalServiceRestricted    REG_MULTI_SZ       WcesComm RapiMgr
HPZ12    REG_MULTI_SZ       Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation    REG_MULTI_SZ       FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2016-07-09 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 20:13]
.
2016-06-13 c:\windows\Tasks\DropboxUpdateTaskUserS-1-5-21-2928429055-1840525401-3513896323-1002Core.job
- c:\users\Coult\AppData\Local\Dropbox\Update\DropboxUpdate.exe [2016-05-03 10:25]
.
2016-07-09 c:\windows\Tasks\DropboxUpdateTaskUserS-1-5-21-2928429055-1840525401-3513896323-1002UA.job
- c:\users\Coult\AppData\Local\Dropbox\Update\DropboxUpdate.exe [2016-05-03 10:25]
.
2016-07-09 c:\windows\Tasks\EPSON XP-420 Series Update {A5D91C27-D75C-45B1-B885-B590A3902163}.job
- c:\windows\system32\spool\DRIVERS\W32X86\3\E_TTSNAE.EXE [2016-01-27 07:30]
.
2016-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2015-11-23 06:11]
.
2016-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2015-11-23 06:11]
.
2016-07-07 c:\windows\Tasks\ReasonSecurityScheduledScan.job
- c:\program files\Reason\Security\rsUI.exe [2015-08-13 03:18]
.
2011-04-27 c:\windows\Tasks\User_Feed_Synchronization-{D2E30A2D-2BEB-4030-8DA3-2CE24B5621A4}.job
- c:\windows\system32\msfeedssync.exe [2016-05-17 16:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://my.yahoo.com/
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: aetna.com\member
Trusted Zone: salesforce.com\na4
Trusted Zone: usps.com\sss-web
Trusted Zone: verizonwireless.com\ebillpay
Trusted Zone: wellsfargo.com\online
Trusted Zone: zortal.com\ltya
TCP: DhcpNameServer = 209.18.47.62 209.18.47.61
FF - ProfilePath - c:\users\Coult\AppData\Roaming\Mozilla\Firefox\Profiles\tmrv06ad.default-1429694410702\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/|https://www.yahoo.com/
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-Corel Photo Downloader - c:\program files\Corel\Corel Snapfire\Corel PhotoDownloader.exe
MSConfigStartUp-eFax 4 - c:\program files\eFax Messenger 4.3\J2GDllCmd.exe
MSConfigStartUp-HP Scanjet Assistance - c:\program files\HP\HP Scanjet Software\HPScanjetTray.exe
MSConfigStartUp-hpqSRMon - c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe
MSConfigStartUp-Hudl Mercury - c:\program files\Hudl Mercury\HudlMercury.exe
MSConfigStartUp-Mobile Connectivity Suite - c:\program files\HTC\HTC Sync\Application Launcher\Application Launcher.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\QTTask.exe
MSConfigStartUp-Skype - c:\program files\Skype\Phone\Skype.exe
MSConfigStartUp-TP CfgWiz - c:\program files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\SymCuw.exe
MSConfigStartUp-VAIOSurvey - c:\program files\Sony\VAIO Survey\Vista VAIO Survey.exe
MSConfigStartUp-Windows Mobile Device Center - c:\windows\WindowsMobile\wmdc.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2016-07-09 19:03
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_21_0_0_242_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_21_0_0_242_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CISVC.EXE
c:\program files\Common Files\AppLifeUpdateService2\kjsausvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\locator.exe
c:\program files\Reason\Security\rsEngineSvc.exe
c:\windows\system32\stacsv.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\windows\System32\WUDFHost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe
c:\program files\Sony\VAIO Event Service\VESMgrSub.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Sony\VAIO Service Utility\VAIO-SUTOOL.exe
c:\program files\Sony\VAIO Power Management\SPMgr.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Apoint\ApMsgFwd.exe
c:\program files\Apoint\Apntex.exe
.
**************************************************************************
.
Completion time: 2016-07-09  19:09:06 - machine was rebooted
ComboFix-quarantined-files.txt  2016-07-10 00:09
.
Pre-Run: 139,879,784,448 bytes free
Post-Run: 139,585,089,536 bytes free
.
- - End Of File - - 901D665346937EC3F893A3B4BB716769
5C616939100B85E558DA92B899A0FC36
 



#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:25 AM

Posted 10 July 2016 - 07:00 AM

Any remaining issues after this cleanup?

#5 coult (Topic Starter)

Posted 10 July 2016 - 03:02 PM

Machine does seem more responsive again. However I'm still having a couple of issues:

~ Windows Updates not working. Says it's downloading 13 updates but it never completes.

~ Security Center reports AVG is turned off... unable to turn back on. Tried running AVG as admin via program files and "local" folder - unable to open program at all.

~ Also tried to download Avira (been wanting to switch AV's). But when I try to open or "Run" download I get the message "Directory name is invalid".



#6 nasdaq

Posted 11 July 2016 - 06:28 AM

--RogueKiller--
  • Download & SAVE to your Desktop: Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what PUMs are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

A number of issues can cause Windows updates to freeze.
Some suggestions are recommended on this page. Try them.
http://answers.microsoft.com/en-us/windows/forum/windows_7-update/windows-7-updates-not-completing/26789ffe-c870-e011-8dfc-68b599b31bf5?auth=1

Other possibilities:
http://pcsupport.about.com/od/findbysymptom/a/windows-update-frozen.htm
===

Reinstall AVG and see if the problem persists.

#7 coult (Topic Starter)

Posted 11 July 2016 - 08:42 PM

Windows Updates is now working; all updates have been completed - thanks!

Trouble removing AVG. Will try AVG Remover Tool and send you update.

I've noticed old programs that have come back which I've deleted in the past (a lot of original VAIO bloatware).

VAIO-SUTOOL has been removed by RogueKiller. I do not recognize the PUM.Proxy entries below... Can I remove these???

RogueKiller V12.3.8.0 [Jul 11 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Coult [Administrator]
Started from : C:\Users\Coult\Desktop\RogueKiller.exe
Mode : Scan -- Date : 07/11/2016 16:29:58

¤¤¤ Processes : 1 ¤¤¤
[Proc.Injected|Proc.RunPE|VT.Troj.Psw.Bancos!c] VAIO-SUTOOL.exe(3112) -- C:\Program Files\Sony\VAIO Service Utility\VAIO-SUTOOL.exe[7] -> Found

¤¤¤ Registry : 22 ¤¤¤
[PUM.Proxy] HKEY_USERS\S-1-5-21-2928429055-1840525401-3513896323-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-23-69-a2-94-2c -> Found
[PUM.Proxy] HKEY_USERS\S-1-5-21-2928429055-1840525401-3513896323-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{262326BA-0B2A-4E81-B5D8-E097887220C5} -> Found
[PUM.Proxy] HKEY_USERS\S-1-5-21-2928429055-1840525401-3513896323-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3951B2F8-F8C8-4D78-8666-269F0E054304} -> Found
[PUM.Proxy] HKEY_USERS\S-1-5-21-2928429055-1840525401-3513896323-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6F283850-9759-4DE7-BC69-22AC6B58755F} -> Found
[PUM.Proxy] HKEY_USERS\S-1-5-21-2928429055-1840525401-3513896323-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{72DF77BB-C585-4E1D-933A-0F92C3764170} -> Found
[PUM.Proxy] HKEY_USERS\S-1-5-21-2928429055-1840525401-3513896323-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7E95BF41-D652-4368-9DC7-A1AF7E56447C} -> Found
[PUM.Proxy] HKEY_USERS\S-1-5-21-2928429055-1840525401-3513896323-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8E9EB939-236D-4B8A-A6D1-26B2BEE8D871} -> Found
[PUM.Proxy] HKEY_USERS\S-1-5-21-2928429055-1840525401-3513896323-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A9498F63-FCCB-48DA-95BD-FBB6533BF5D6} -> Found
[PUM.Proxy] HKEY_USERS\S-1-5-21-2928429055-1840525401-3513896323-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B9C64635-EF13-4051-968F-10345E4FA4E9} -> Found
[PUM.Proxy] HKEY_USERS\S-1-5-21-2928429055-1840525401-3513896323-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CCD7D2CA-04D7-4B49-B6A6-AC435DD13631} -> Found
[PUM.Proxy] HKEY_USERS\S-1-5-21-2928429055-1840525401-3513896323-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D0244263-3C70-478D-B334-5D4B3B70163E} -> Found
[PUM.Proxy] HKEY_USERS\S-1-5-21-2928429055-1840525401-3513896323-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D40D484F-2268-43B0-BB72-A53B5208EA81} -> Found
[PUM.Proxy] HKEY_USERS\S-1-5-21-2928429055-1840525401-3513896323-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DD7904C2-45C6-4830-89BF-F77A748D9BAB} -> Found
[PUM.Proxy] HKEY_USERS\S-1-5-21-2928429055-1840525401-3513896323-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DEB70D0C-0352-4B15-A906-FEDBA0636FA8} -> Found
[PUM.Proxy] HKEY_USERS\S-1-5-21-2928429055-1840525401-3513896323-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E2F6FAFE-1AF6-4E62-8253-1995B4D6CB54} -> Found
[PUM.Proxy] HKEY_USERS\S-1-5-21-2928429055-1840525401-3513896323-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E3C827B0-A4FB-453B-A32F-661B3A65C706} -> Found
[PUM.Proxy] HKEY_USERS\S-1-5-21-2928429055-1840525401-3513896323-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E8C1169F-4497-4FD5-8CE3-24735A30D332} -> Found
[PUM.Proxy] HKEY_USERS\S-1-5-21-2928429055-1840525401-3513896323-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ECD81938-F6D7-4151-9235-A6B503F04F55} -> Found
[PUM.Proxy] HKEY_USERS\S-1-5-21-2928429055-1840525401-3513896323-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F9B54A77-9C15-43D5-84FC-A2C530EF056B} -> Found
[PUM.Proxy] HKEY_USERS\S-1-5-21-2928429055-1840525401-3513896323-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | WpadLastNetwork : {D0244263-3C70-478D-B334-5D4B3B70163E}  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-2928429055-1840525401-3513896323-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 0  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-2928429055-1840525401-3513896323-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: FUJITSU MHX2250BT +++++
--- User ---
[MBR] 10687cd21dc10323b1b1826a75e4587d
[BSP] 0b4f67a0084ebf9ff5d7fcb56e05d92d : HP|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 7621 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 15609856 | Size: 230852 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: MemoryStick0 Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! ([1] Incorrect function. )
Error reading LL2 MBR! ([1] Incorrect function. )

+++++ PhysicalDrive2: SD1 Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! ([1] Incorrect function. )
Error reading LL2 MBR! ([1] Incorrect function. )
 



#8 coult (Topic Starter)

Posted 12 July 2016 - 12:34 AM

Update - AVG uninstalled with Revo Uninstaller. Avira free AV successfully installed!

Thoughts on RogueKiller registry above?



#9 nasdaq

Posted 12 July 2016 - 07:33 AM


> Thoughts on RogueKiller registry above?

Web Proxy Auto-Discovery Protocol (WPAD)
https://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol

Your DHCP is https://who.is/whois-ip/ip-address/209.18.47.62 Time Warner.
TCP: DhcpNameServer = 209.18.47.62 209.18.47.61

If no problems with internet I would leave it alone.
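Some background on the items RogueKiller flagged, and a check that is not part of the thread. The Wpad subkeys it labels PUM.Proxy are Windows' per-network cache of Web Proxy Auto-Discovery results: one key per network the machine has joined (keyed by a MAC address or a network GUID), with WpadLastNetwork naming the most recent one. PUM stands for Potentially Unwanted Modification, RogueKiller's category for a legitimate setting that malware sometimes abuses, so the presence of those keys is not evidence of infection by itself. After a DNSChanger-class trojan the settings that matter are the resolvers each interface actually uses, any manual proxy or PAC script, the cached WPAD data, and the hosts file. The PowerShell below is an added example, not code from the thread, from RogueKiller or from ComboFix; it reads the same keys the two logs above refer to and warns on anything that deviates. It assumes, for this machine only, that the two Time Warner addresses in the ComboFix log (209.18.47.62 and 209.18.47.61) are the legitimate DHCP resolvers; change $ExpectedDns elsewhere. It is read-only, changes nothing, and uses only cmdlets available in Windows PowerShell 2.0, which is what a Vista machine ships with.

```powershell
# Added example, not code from the thread or from RogueKiller/ComboFix.
# Read-only triage of the settings a DNS/proxy hijacker changes.
# Run from an elevated prompt so every interface key is readable.

# Assumption for this machine: the DHCP resolvers in the ComboFix log above
# are the legitimate ISP ones. Replace with your own ISP/router addresses.
$ExpectedDns = @('209.18.47.62', '209.18.47.61')

function Test-Resolvers {
    # A static NameServer value overrides what DHCP handed out; that is the
    # classic DNSChanger footprint. Checked per interface and at the global key.
    $tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $keys  = @(Get-Item $tcpip) + @(Get-ChildItem (Join-Path $tcpip 'Interfaces'))
    foreach ($k in $keys) {
        $p      = Get-ItemProperty $k.PSPath
        $static = [string]$p.NameServer
        $dhcp   = [string]$p.DhcpNameServer
        if ($static -ne '') {
            $odd = $static -split '[ ,]+' | Where-Object { $_ -and ($ExpectedDns -notcontains $_) }
            if ($odd) {
                Write-Warning ("{0}: static NameServer '{1}' overrides DHCP '{2}'" -f $k.PSChildName, $static, $dhcp)
            }
        }
        foreach ($d in ($dhcp -split '[ ,]+')) {
            if ($d -and ($ExpectedDns -notcontains $d)) {
                # Unexpected DHCP resolver: rogue DHCP server or an altered router.
                Write-Warning ("{0}: DHCP supplied unexpected resolver {1}" -f $k.PSChildName, $d)
            }
        }
    }
}

function Test-ProxySettings {
    # Manual proxy, PAC script and the WPAD cache for the current user.
    $inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty $inet
    if ($p.ProxyEnable -eq 1) { Write-Warning "Manual proxy enabled: $($p.ProxyServer)" }
    if ($p.AutoConfigURL)     { Write-Warning "PAC script configured: $($p.AutoConfigURL)" }

    $wpad = Join-Path $inet 'Wpad'
    if (Test-Path $wpad) {
        $last = (Get-ItemProperty $wpad).WpadLastNetwork
        foreach ($k in Get-ChildItem $wpad) {
            $tag = ''
            if ($k.PSChildName -eq $last) { $tag = ' (WpadLastNetwork)' }
            Write-Output ("Wpad\{0}{1}" -f $k.PSChildName, $tag)
            foreach ($name in $k.GetValueNames()) {
                $v = $k.GetValue($name)
                Write-Output ("    {0} = {1}" -f $name, $v)
                # Any URL cached here is a PAC script some network served; verify its host.
                if ("$v" -match '^https?://') {
                    Write-Warning ("{0} cached a PAC URL: {1}" -f $k.PSChildName, $v)
                }
            }
        }
    }
}

function Test-HostsFile {
    # Anything beyond the default localhost lines deserves a look.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content $hosts | ForEach-Object {
        $line = ($_ -replace '#.*$', '').Trim()
        if ($line -and ($line -notmatch '^(127\.0\.0\.1|::1)\s+localhost$')) {
            Write-Warning "hosts: $line"
        }
    }
}

function Show-WinHttpProxy {
    # Windows Update and other services use the WinHTTP proxy, not the
    # per-user IE one; "Direct access (no proxy server)" is the clean state.
    & netsh winhttp show proxy
}

Test-Resolvers
Test-ProxySettings
Test-HostsFile
Show-WinHttpProxy
```

Wpad subkeys with no warning are just cache entries and can stay; a cached PAC URL, a static NameServer you did not set, a DHCP resolver outside your ISP's range, or extra hosts lines are the findings worth acting on. The WinHTTP proxy is shown last because a stale entry there is one of the ordinary reasons Windows Update hangs while "downloading".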

#10 coult (Topic Starter)

Posted 13 July 2016 - 01:58 AM

You're right, my machine is definitely back up to speed.... thank you!

Mbam, Eset and HitmanPro all came up empty. Just need to uninstall ComboFix et al, and will probably run CCleaner.

Let me know if you have any other suggestions. Otherwise, thanks again for helping me out!



#11 nasdaq

Posted 13 July 2016 - 10:17 AM

If all is well:

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#12 coult (Topic Starter)

Posted 14 July 2016 - 07:04 PM

Got it... thanks!



#13 nasdaq

Posted 15 July 2016 - 07:15 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



