Computer Hope
Software => Computer viruses and spyware => Virus and spyware removal => Topic started by: Zen_Sorcere on May 20, 2013, 10:39:40 PM
-
I've been noticing it for a little while now, but wasn't always sure it was a problem. Sometimes, I'd be gone for a few days and come home and notice my computer was off or had restarted. As this sometimes happens at work with software updates, I didn't pay it much attention. However, there have been a couple of times where I'd be asleep and wake to a bright light and notice my computer restarted itself, after being in sleep mode for a few hours.
Earlier this evening, I woke my computer up to look up an address, and while writing something down, my computer monitor went black, then bluescreened, then restarted. At that point I came here and went through the beginning processes located here: http://www.computerhope.com/forum/index.php/topic,46313.0.html
Now the end of that page is a little contradictory about copy/pasting logs or attaching them, so I'm not sure what method you'd prefer. I'm going to attach them for now. I apologize if I misread the instructions.
[recovering disk space, attachment deleted by admin]
-
Is there some reason you suspect malware? If not, please follow the instructions below and I'll move this to a more appropriate area on the forum. And by the way, we do prefer cut and paste to attachments - thanks:
Download BlueScreenView:
http://www.nirsoft.net/utils/blue_screen_view.html
unzip downloaded file and double click on BlueScreenView.exe to run the program.
when scanning is done, go to EDIT - Select All
Go to FILE - SAVE Selected Items, and save the report as BSOD.txt
Open BSOD.txt in Notepad, copy all of the content, and paste it into your next reply
-
Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.
1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.
If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************
Remove the Adware:
- Please close all open programs and internet browsers.
- Double click on adwcleaner.exe to run the tool.
- Click on Delete.
- Confirm each time with OK
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile in your reply.
- You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.
******************************************
I noticed that you have two AV's on your computer. Just make sure that only one AV is enabled at any time.
Please download Junkware Removal Tool (http://thisisudax.org/downloads/JRT.exe) to your desktop.
•Warning! Once the scan is complete JRT will shut down your browser with NO warning.
•Shut down your protection software now to avoid potential conflicts.
•Temporarily disable your Antivirus and any Antispyware real time protection before performing a scan. Click this (http://www.bleepingcomputer.com/forums/topic114351.html) link to see a list of security programs that should be disabled and how to disable them.
•Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator
•The tool will open and start scanning your system.
•Please be patient as this can take a while to complete depending on your system's specifications.
•On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
•Copy and Paste the JRT.txt log into your next message.
-
thank you for your assistance. I'm closing a theater show this weekend, so I apologize for not responding with the corresponding logs yet. Rest assured, I'm grateful for your help. I will be tackling your request saturday morning, and will post again then.
-
No rush, whenever you're ready.
-
Here are the logs, as requested:
ADWCLEANER
-----------------
# AdwCleaner v2.303 - Logfile created 06/09/2013 at 14:32:06
# Updated 08/06/2013 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (64 bits)
# User : Mike - ZEN_SORCERE
# Boot Mode : Normal
# Running from : C:\Users\Mike\Downloads\adwcleaner.exe
# Option [Delete]
***** [Services] *****
***** [Files / Folders] *****
Folder Deleted : C:\ProgramData\DeviceVM
Folder Deleted : C:\Users\Mike\AppData\Roaming\DeviceVM
***** [Registry] *****
***** [Internet Browsers] *****
-\\ Internet Explorer v9.0.8112.16483
[OK] Registry is clean.
-\\ Mozilla Firefox v21.0 (en-US)
File : C:\Users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\mlyyf6es.default\prefs.js
[OK] File is clean.
-\\ Google Chrome v27.0.1453.110
File : C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Preferences
[OK] File is clean.
*************************
AdwCleaner[R2].txt - [1032 octets] - [09/06/2013 14:30:08]
AdwCleaner[S1].txt - [969 octets] - [09/06/2013 14:32:06]
########## EOF - C:\AdwCleaner[S1].txt - [1028 octets] ##########
-------------
JUNKWARE REMOVAL TOOL:
(This one did not restart my computer, however, so I may have done something wrong. I did manage to get Avast turned off, though)
-------------
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.4 (05.06.2013:1)
OS: Windows 7 Professional x64
Ran by Mike on Sun 06/09/2013 at 14:54:06.02
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~ Services
~~~ Registry Values
~~~ Registry Keys
~~~ Files
~~~ Folders
~~~ Event Viewer Logs were cleared
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 06/09/2013 at 14:57:42.72
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
This could be a software or hardware problem but we'll know after a few more scans.
(http://i424.photobucket.com/albums/pp322/digistar/mbamicontw5.gif) Please download Malwarebytes Anti-Malware from here. (http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe)
Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Full Scan", then click Scan.
- The scan may take some time to finish,so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- Please save the log to a location you will remember.
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
******************************************
Download Combofix from any of the links below, and save it to your DESKTOP.
If your version of Windows defaults to you download folder you will need to copy it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
To prevent your anti-virus application interfering with ComboFix we need to disable it. See here (http://www.pchelpforum.com/anti-virus/110194-how-disable-your-security-applications-4.html) for a tutorial regarding how to do so if you are unsure.
- Close any open windows and double click ComboFix.exe to run it.
You will see the following image:
(http://i424.photobucket.com/albums/pp322/digistar/NSIS_disclaimer_ENG.png)
Click I Agree to start the program.
ComboFix will then extract the necessary files and you will see this:
(http://i424.photobucket.com/albums/pp322/digistar/NSIS_extraction.png)
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7
It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
If you did not have it installed, you will see the prompt below. Choose YES.
(http://i424.photobucket.com/albums/pp322/digistar/RcAuto1.gif)
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
(http://i424.photobucket.com/albums/pp322/digistar/whatnext.png)
Click on Yes, to continue scanning for malware.
When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.
Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.
-
I should have taken care of this in the winter when I was less busy. At any rate, here are the latest Malware Bytes and ComboFix logs:
Mbam log:
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
Database version: v2013.06.22.05
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16618
Mike :: ZEN_SORCERE [administrator]
6/22/2013 10:17:29 AM
mbam-log-2013-06-22 (10-17-29).txt
Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 300104
Time elapsed: 18 minute(s), 46 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
-------------------------------------------
ComboxFix log:
ComboFix 13-06-22.01 - Mike 06/22/2013 10:45:27.1.4 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.8175.6417 [GMT -7:00]
Running from: c:\users\Mike\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Norton Internet Security *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\vpngui.exe.lnk
c:\programdata\ntuser.dat
c:\windows\Installer\{467D5E81-8349-4892-9E81-C3674ED8E451}\Icon09DB8A851.exe
.
.
((((((((((((((((((((((((( Files Created from 2013-05-22 to 2013-06-22 )))))))))))))))))))))))))))))))
.
.
2013-06-22 17:48 . 2013-06-22 17:48 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-06-22 17:16 . 2013-06-22 17:16 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2013-06-22 17:16 . 2013-04-04 21:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-06-14 08:57 . 2013-05-08 06:39 1910632 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-06-09 21:40 . 2013-06-09 21:40 -------- d-----w- c:\windows\ERUNT
2013-06-09 21:40 . 2013-06-09 21:53 -------- d-----w- C:\JRT
2013-05-25 22:09 . 2013-05-25 22:09 74136 ----a-w- c:\program files (x86)\Mozilla Firefox\breakpadinjector.dll
2013-05-25 22:09 . 2013-05-25 22:09 262552 ----a-w- c:\program files (x86)\Mozilla Firefox\browser\components\browsercomps.dll
2013-05-25 22:09 . 2013-05-25 22:09 26520 ----a-w- c:\program files (x86)\Mozilla Firefox\plugin-hang-ui.exe
2013-05-25 22:09 . 2013-05-25 22:09 96664 ----a-w- c:\program files (x86)\Mozilla Firefox\webapprt-stub.exe
2013-05-25 22:09 . 2013-05-25 22:09 170232 ----a-w- c:\program files (x86)\Mozilla Firefox\webapp-uninstaller.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-22 16:48 . 2012-07-13 08:02 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-06-22 16:48 . 2012-07-13 08:02 692104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-06-14 10:00 . 2012-07-13 07:11 75825640 ----a-w- c:\windows\system32\MRT.exe
2013-04-13 05:49 . 2013-05-16 07:18 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2013-04-13 05:49 . 2013-05-16 07:18 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll
2013-04-13 05:49 . 2013-05-16 07:18 308736 ----a-w- c:\windows\apppatch\AppPatch64\AcGenral.dll
2013-04-13 05:49 . 2013-05-16 07:18 111104 ----a-w- c:\windows\apppatch\AppPatch64\acspecfc.dll
2013-04-13 04:45 . 2013-05-16 07:18 474624 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-04-13 04:45 . 2013-05-16 07:18 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-04-12 14:45 . 2013-04-24 07:47 1656680 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-04-10 06:01 . 2013-05-16 07:18 265064 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2013-04-10 06:01 . 2013-05-16 07:18 983400 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-04-10 03:30 . 2013-05-16 07:17 3153920 ----a-w- c:\windows\system32\win32k.sys
2013-03-29 02:37 . 2013-03-29 02:37 78432 ----a-w- c:\windows\system32\atimpc64.dll
2013-03-29 02:37 . 2013-03-29 02:37 78432 ----a-w- c:\windows\system32\amdpcom64.dll
2013-03-29 02:37 . 2013-03-29 02:37 71704 ----a-w- c:\windows\SysWow64\atimpc32.dll
2013-03-29 02:37 . 2013-03-29 02:37 71704 ----a-w- c:\windows\SysWow64\amdpcom32.dll
2013-03-29 02:37 . 2012-02-01 02:12 139696 ----a-w- c:\windows\system32\atiuxp64.dll
2013-03-29 02:37 . 2013-03-29 02:37 118584 ----a-w- c:\windows\SysWow64\atiuxpag.dll
2013-03-29 02:37 . 2013-03-29 02:37 112440 ----a-w- c:\windows\system32\atiu9p64.dll
2013-03-29 02:37 . 2012-07-28 01:13 92304 ----a-w- c:\windows\SysWow64\atiu9pag.dll
2013-03-29 02:37 . 2012-02-01 03:17 1155264 ----a-w- c:\windows\system32\aticfx64.dll
2013-03-29 02:37 . 2013-03-29 02:37 970912 ----a-w- c:\windows\SysWow64\aticfx32.dll
2013-03-29 02:36 . 2012-06-11 17:01 8272136 ----a-w- c:\windows\system32\atidxx64.dll
2013-03-29 02:36 . 2013-03-29 02:36 7233336 ----a-w- c:\windows\SysWow64\atidxx32.dll
2013-03-29 02:36 . 2013-03-29 02:36 4450264 ----a-w- c:\windows\SysWow64\atiumdva.dll
2013-03-29 02:36 . 2013-03-29 02:36 5944264 ----a-w- c:\windows\SysWow64\atiumdag.dll
2013-03-29 02:36 . 2013-03-29 02:36 5000320 ----a-w- c:\windows\system32\atiumd6a.dll
2013-03-29 02:36 . 2013-03-29 02:36 6985624 ----a-w- c:\windows\system32\atiumd64.dll
2013-03-29 02:35 . 2013-03-29 02:35 11658752 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2013-03-29 02:13 . 2013-03-29 02:13 222720 ----a-w- c:\windows\system32\clinfo.exe
2013-03-29 02:13 . 2013-03-29 02:13 798734 ----a-w- c:\windows\SysWow64\amdocl_ld32.exe
2013-03-29 02:13 . 2013-03-29 02:13 1187342 ----a-w- c:\windows\system32\amdocl_as64.exe
2013-03-29 02:13 . 2013-03-29 02:13 1061902 ----a-w- c:\windows\system32\amdocl_ld64.exe
2013-03-29 02:13 . 2013-03-29 02:13 995342 ----a-w- c:\windows\SysWow64\amdocl_as32.exe
2013-03-29 02:13 . 2013-03-29 02:13 76288 ----a-w- c:\windows\system32\OpenVideo64.dll
2013-03-29 02:13 . 2013-03-29 02:13 65536 ----a-w- c:\windows\SysWow64\OpenVideo.dll
2013-03-29 02:13 . 2013-03-29 02:13 64000 ----a-w- c:\windows\system32\OVDecode64.dll
2013-03-29 02:12 . 2013-03-29 02:12 56320 ----a-w- c:\windows\SysWow64\OVDecode.dll
2013-03-29 02:12 . 2013-03-29 02:12 29150720 ----a-w- c:\windows\system32\amdocl64.dll
2013-03-29 02:10 . 2013-03-29 02:10 23810560 ----a-w- c:\windows\SysWow64\amdocl.dll
2013-03-29 02:09 . 2013-03-29 02:09 54784 ----a-w- c:\windows\system32\OpenCL.dll
2013-03-29 02:09 . 2013-03-29 02:09 50176 ----a-w- c:\windows\SysWow64\OpenCL.dll
2013-03-29 02:04 . 2013-03-29 02:04 24229376 ----a-w- c:\windows\system32\atio6axx.dll
2013-03-29 02:00 . 2013-03-29 02:00 76800 ----a-w- c:\windows\system32\coinst_12.104.dll
2013-03-29 01:57 . 2013-03-29 01:57 163840 ----a-w- c:\windows\system32\atiapfxx.exe
2013-03-29 01:55 . 2013-03-29 01:55 51200 ----a-w- c:\windows\system32\aticalrt64.dll
2013-03-29 01:55 . 2013-03-29 01:55 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll
2013-03-29 01:55 . 2013-03-29 01:55 44544 ----a-w- c:\windows\system32\aticalcl64.dll
2013-03-29 01:55 . 2013-03-29 01:55 44032 ----a-w- c:\windows\SysWow64\aticalcl.dll
2013-03-29 01:55 . 2013-03-29 01:55 16082944 ----a-w- c:\windows\system32\aticaldd64.dll
2013-03-29 01:51 . 2013-03-29 01:51 13703168 ----a-w- c:\windows\SysWow64\aticaldd.dll
2013-03-29 01:48 . 2013-03-29 01:48 19870720 ----a-w- c:\windows\SysWow64\atioglxx.dll
2013-03-29 01:35 . 2013-03-29 01:35 442368 ----a-w- c:\windows\system32\atidemgy.dll
2013-03-29 01:35 . 2013-03-29 01:35 562688 ----a-w- c:\windows\system32\atieclxx.exe
2013-03-29 01:34 . 2013-03-29 01:34 241152 ----a-w- c:\windows\system32\atiesrxx.exe
2013-03-29 01:33 . 2013-03-29 01:33 120320 ----a-w- c:\windows\system32\atitmm64.dll
2013-03-29 01:32 . 2013-03-29 01:32 26112 ----a-w- c:\windows\system32\atimuixx.dll
2013-03-29 01:32 . 2013-03-29 01:32 59392 ----a-w- c:\windows\system32\atiedu64.dll
2013-03-29 01:32 . 2013-03-29 01:32 43520 ----a-w- c:\windows\SysWow64\ati2edxx.dll
2013-03-29 01:11 . 2013-03-29 01:11 79360 ----a-w- c:\windows\system32\amdave64.dll
2013-03-29 01:11 . 2013-03-29 01:11 78336 ----a-w- c:\windows\SysWow64\amdave32.dll
2013-03-29 01:11 . 2013-03-29 01:11 74240 ----a-w- c:\windows\system32\atisamu64.dll
2013-03-29 01:11 . 2013-03-29 01:11 71168 ----a-w- c:\windows\SysWow64\atisamu32.dll
2013-03-29 01:10 . 2013-03-29 01:10 636416 ----a-w- c:\windows\system32\atiadlxx.dll
2013-03-29 01:10 . 2013-03-29 01:10 430080 ----a-w- c:\windows\SysWow64\atiadlxy.dll
2013-03-29 01:10 . 2013-03-29 01:10 17920 ----a-w- c:\windows\system32\atig6pxx.dll
2013-03-29 01:10 . 2013-03-29 01:10 14848 ----a-w- c:\windows\SysWow64\atiglpxx.dll
2013-03-29 01:10 . 2013-03-29 01:10 14848 ----a-w- c:\windows\system32\atiglpxx.dll
2013-03-29 01:10 . 2013-03-29 01:10 44032 ----a-w- c:\windows\system32\atig6txx.dll
2013-03-29 01:09 . 2013-03-29 01:09 34816 ----a-w- c:\windows\SysWow64\atigktxx.dll
2013-03-29 01:09 . 2013-03-29 01:09 581120 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2013-03-29 01:07 . 2013-03-29 01:07 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\Mike\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\Mike\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\Mike\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HydraVisionDesktopManager"="c:\program files (x86)\ATI Technologies\HydraVision\HydraDM.exe" [2012-02-01 393216]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2011-05-20 284440]
"XFastUsb"="c:\program files (x86)\XFastUsb\XFastUsb.exe" [2012-07-12 4942336]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-03-06 4767304]
"ANIWZCS2Service"="c:\program files (x86)\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"D-Link D-Link Xtreme N Dual Band DWA-160 "="c:\program files (x86)\D-Link\DWA-160\AirNCFG.exe" [2008-03-21 1675264]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2013-03-29 642656]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2013-04-04 532040]
.
c:\users\Mike\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Mike\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2013-5-24 27776968]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe
S0 aswRvrt;aswRvrt;
S0 aswVmm;aswVmm;
S0 mv91xx;mv91xx;c:\windows\system32\DRIVERS\mv91xx.sys;c:\windows\SYSNATIVE\DRIVERS\mv91xx.sys
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1206000.01D\SYMDS64.SYS;c:\windows\SYSNATIVE\drivers\NISx64\1206000.01D\SYMDS64.SYS
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1206000.01D\SYMEFA64.SYS;c:\windows\SYSNATIVE\drivers\NISx64\1206000.01D\SYMEFA64.SYS
S1 AsrAppCharger;AsrAppCharger;c:\windows\system32\DRIVERS\AsrAppCharger.sys;c:\windows\SYSNATIVE\DRIVERS\AsrAppCharger.sys
S1 aswSnx;aswSnx;
S1 aswSP;aswSP;
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20120711.002\BHDrvx64.sys;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20120711.002\BHDrvx64.sys
S1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS;c:\windows\SYSNATIVE\drivers\FNETURPX.SYS
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20120713.001\IDSvia64.sys;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20120713.001\IDSvia64.sys
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1206000.01D\Ironx64.SYS;c:\windows\SYSNATIVE\drivers\NISx64\1206000.01D\Ironx64.SYS
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NISx64\1206000.01D\SYMNETS.SYS;c:\windows\SYSNATIVE\Drivers\NISx64\1206000.01D\SYMNETS.SYS
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe
S2 aswFsBlk;aswFsBlk;
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys;c:\windows\SYSNATIVE\drivers\aswMonFlt.sys
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe;c:\program files (x86)\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys;c:\windows\SYSNATIVE\drivers\AtihdW76.sys
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
S3 EtronHub3;Etron USB 3.0 Extensible Hub Driver;c:\windows\system32\Drivers\EtronHub3.sys;c:\windows\SYSNATIVE\Drivers\EtronHub3.sys
S3 EtronXHCI;Etron USB 3.0 Extensible Host Controller Driver;c:\windows\system32\Drivers\EtronXHCI.sys;c:\windows\SYSNATIVE\Drivers\EtronXHCI.sys
S3 MBfilt;MBfilt;c:\windows\system32\drivers\MBfilt64.sys;c:\windows\SYSNATIVE\drivers\MBfilt64.sys
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-22 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-13 16:48]
.
2013-06-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-02-27 15:55]
.
2013-06-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-02-27 15:55]
.
2013-06-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4017287735-3721791226-3647651045-1000Core.job
- c:\users\Mike\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-13 08:10]
.
2013-06-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4017287735-3721791226-3647651045-1000UA.job
- c:\users\Mike\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-13 08:10]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-03-06 22:32 133840 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 164016 ----a-w- c:\users\Mike\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 164016 ----a-w- c:\users\Mike\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 164016 ----a-w- c:\users\Mike\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 164016 ----a-w- c:\users\Mike\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-05-18 11855976]
"XFast LAN"="c:\program files\ASRock\XFast LAN\cFosSpeed.exe" [2011-07-04 1441152]
"Logitech Download Assistant"="c:\windows\System32\LogiLDA.dll" [2012-09-20 1832760]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\mlyyf6es.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-ASRockXTU - (no file)
Wow6432Node-HKCU-Run-zASRockInstantBoot - (no file)
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-06-22 10:50:00
ComboFix-quarantined-files.txt 2013-06-22 17:49
.
Pre-Run: 265,618,550,784 bytes free
Post-Run: 265,301,553,152 bytes free
.
- - End Of File - - 08E95EF2C02AED8A5159D97FF5B5A82B
D41D8CD98F00B204E9800998ECF8427E
------------------------------------------------
-
I noticed that you have two AV's on your computer; avast! Antivirus and Norton Internet Security. Make sure that only one AV is enabled at any time on your computer otherwise, it could cause lots of problems.
Please download Rooter (http://eric71.geekstogo.com/tools/Rooter.exe) and Save it to your desktop.
- Double click it to start the tool.Vista and Windows7 run as administrator.
- Click Scan.
- Eventually, a Notepad file containing the report will open, also found at C:\Rooter.txt. Post that log in your next reply.
******************************************
- Download RogueKiller (http://tigzy.geekstogo.com/Tools/RogueKiller.exe) on the desktop
- Close all the running programs
- Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
- Otherwise just double-click on RogueKiller.exe
- Pre-scan will start. Let it finish.
- Click on SCAN button.
- A report (RKreport.txt) should open. Post its content in your next reply. (RKreport could also be found on your desktop)
- If RogueKiller has been blocked, do not hesitate to try a few times more. If really won't run, rename it to winlogon.exe (or winlogon.com) and try again
-
Okay, so the Rooter program never seemed to do much. I attempted to run it by simply double clicking as well as starting it with "run as Administrator", and the former option got further along (Run as Admin pretty much stopped working as soon as I hit Scan. I attempted to let it sit there for a couple hours, assuming it might still be working, but no). I'll post both logs here:
Rooter/Double Click:
--------------------------------
Rooter.exe (v1.0.2) by Eric_71
.
The token does not have the SeDebugPrivilege privilege ! (error:1300)
Can not acquire SeDebugPrivilege !
Please run the tool as administrator ..
.
Windows 7 . (6.1.7601) Service Pack 1
[32_bits] - Intel64 Family 6 Model 42 Stepping 7, GenuineIntel
.
Error OpenService (wscsvc) : 6
Error OpenSCManager : 5
Error OpenService (MpsSvc) : 6
Windows Defender -> Enabled
User Account Control (UAC) -> Enabled
.
Internet Explorer 9.10.9200.16618
Mozilla Firefox 21.0 (en-US)
.
C:\ [Fixed-NTFS] .. ( Total:299 Go - Free:248 Go )
D:\ [CD_Rom]
.
Scan : 15:51.42
Path : C:\Users\Mike\Desktop\Rooter.exe
User : Mike ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
Locked System (4)
Locked smss.e��??, (456)
Locked csrss.��??, (612)
Locked winini��??, (684)
Locked csrss.��??, (708)
Locked servic��??, (740)
Locked lsass.��??, (776)
Locked lsm.ex��??, (784)
Locked winlog��??, (836)
Locked svchos��??, (932)
Locked svchos��??, (1016)
Locked atiesr��??, (468)
Locked svchos��??, (712)
Locked svchos��??, (1040)
Locked svchos��??, (1076)
Locked svchos��??, (1112)
Locked svchos��??, (1380)
Locked atiecl��??, (1464)
Locked AvastS��??, (1552)
Locked spools��??, (1700)
Locked svchos��??, (1728)
Locked armsvc��??, (1908)
Locked spd.ex��??, (1952)
Locked cvpnd.��??, (1216)
Locked svchos��??, (2696)
Locked IAStor��??, (2788)
Locked Search��??, (3004)
______ ?????????? (3644)
______ ?????????? (3752)
______ ?????????? (3816)
Locked mbamsc��??, (3544)
Locked mbamse��??, (3348)
______ C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (3660)
______ ?????????? (3828)
______ ?????????? (3500)
______ C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe (3936)
______ C:\Users\Mike\AppData\Roaming\Dropbox\bin\Dropbox.exe (3484)
______ C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (3620)
______ C:\Program Files (x86)\XFastUsb\XFastUsb.exe (4112)
______ C:\Program Files\AVAST Software\Avast\AvastUI.exe (4120)
______ C:\Program Files (x86)\ANI\ANIWZCS2 Service\WZCSLDR2.exe (4144)
______ C:\Program Files (x86)\D-Link\DWA-160\AirNCFG.exe (4228)
______ ?????????? (4292)
______ ?????????? (4400)
______ ?????????? (4604)
Locked wmpnet��??, (4920)
______ C:\Program Files (x86)\Mozilla Firefox\firefox.exe (5428)
______ C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe (11540)
______ C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_7_700_224.exe (14692)
______ C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_7_700_224.exe (14792)
Locked tasken��??, (9384)
______ C:\Users\Mike\Desktop\Rooter.exe (13112)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:1048576 | Length:104857600)
\Device\Harddisk0\Partition2 (Start_Offset:105906176 | Length:322016641024)
.
----------------------\\ Scheduled Tasks
.
C:\Windows\Tasks\Adobe Flash Player Updater.job
C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4017287735-3721791226-3647651045-1000Core.job
C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4017287735-3721791226-3647651045-1000UA.job
C:\Windows\Tasks\SA.DAT
C:\Windows\Tasks\SCHEDLGU.TXT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
.
C:\Rooter$\Rooter_1.txt - (29/06/2013 | 15:51.54)
---------------------------------------------------------------
Rooter/Run as Admin:
---------------------------
Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows 7 . (6.1.7601) Service Pack 1
[32_bits] - Intel64 Family 6 Model 42 Stepping 7, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
.
C:\Rooter$\Rooter_2.txt - (29/06/2013 | 16:03.46)
-----------------------------------------------------------
Roguekiller report:
----------------------------
RogueKiller V8.6.1 [Jun 29 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : hxxp://www.adlice.com/forum/
Website : hxxp://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Mike [Admin rights]
Mode : Scan -- Date : 07/09/2013 11:36:43
| ARK || FAK || MBR |
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 7 ¤¤¤
[HJ POL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Scheduled tasks : 0 ¤¤¤
¤¤¤ Startup Entries : 0 ¤¤¤
¤¤¤ Web browsers : 2 ¤¤¤
[FF][PROXY] mlyyf6es.default : user_pref("network.proxy.hxxp", "proxy"); -> FOUND
[FF][PROXY] mlyyf6es.default : user_pref("network.proxy.hxxp_port", 80); -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤
¤¤¤ External Hives: ¤¤¤
¤¤¤ Infection : ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
127.0.0.1 localhost
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: WDC WD1002FAEX-00Y9A0 +++++
--- User ---
[MBR] 347cbde184b1cdfda6a1004bca07f56b
[BSP] 00d79db881b345eca8c2b5068e6217da : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 307099 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[0]_S_07092013_113643.txt >>
-
Please run RogueKiller and delete those items.
I'd like to scan your machine with ESET OnlineScan
•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
•Click the (http://i424.photobucket.com/albums/pp322/digistar/esetOnline.png) button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- Click on (http://i424.photobucket.com/albums/pp322/digistar/esetSmartInstall.png) to download the ESET Smart Installer. Save it to your desktop.
- Double click on the (http://i424.photobucket.com/albums/pp322/digistar/esetSmartInstallDesktopIcon-1.png) icon on your desktop.
•Check (http://i424.photobucket.com/albums/pp322/digistar/esetAcceptTerms.png)
•Click the (http://i424.photobucket.com/albums/pp322/digistar/esetStart.png) button.
•Accept any security warnings from your browser.
- Leave the check mark next to Remove found threats.
•Check (http://i424.photobucket.com/albums/pp322/digistar/esetScanArchives.png)
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push (http://i424.photobucket.com/albums/pp322/digistar/esetListThreats.png)
•Push (http://i424.photobucket.com/albums/pp322/digistar/esetExport.png), and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the (http://i424.photobucket.com/albums/pp322/digistar/esetBack.png) button.
•Push (http://i424.photobucket.com/albums/pp322/digistar/esetFinish.png)
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
-
I ran Roguekiller after updating it, and deleted the files indicated.
Here is the ESET Scan report:
---------------------------------
C:\Users\Mike\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\18f35a5a-47e7a89a multiple threats cleaned by deleting - quarantined
C:\Users\Mike\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\5b0d4ce5-3b10b0e6 multiple threats cleaned by deleting - quarantined
C:\Users\Mike\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\47463afe-690f5bf3 a variant of Java/Exploit.CVE-2012-1723.DY trojan cleaned by deleting - quarantined
---------------------------------
Here is the ESET Log report, in case that is needed:
---------------------------------
ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=565c3c8ccecb00468f4bffc7aa65da60
# engine=14382
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=false
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2013-07-13 05:28:01
# local_time=2013-07-13 10:28:01 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=774 16777213 85 91 5506291 149528353 0 0
# compatibility_mode=5893 16776574 100 94 70218608 125279931 0 0
# scanned=95782
# found=3
# cleaned=3
# scan_time=1503
sh=E4A116A23B1631392565885756D24EE6D8B7ACC2 ft=0 fh=0000000000000000 vn="multiple threats (cleaned by deleting - quarantined)" ac=C fn="C:\Users\Mike\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\18f35a5a-47e7a89a"
sh=E35F59D7CE0DCABBD18248E1DB61680F180639F7 ft=0 fh=0000000000000000 vn="multiple threats (cleaned by deleting - quarantined)" ac=C fn="C:\Users\Mike\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\5b0d4ce5-3b10b0e6"
sh=5BC65F52AD0938972490AAD1A1F00EB6475E0F62 ft=0 fh=0000000000000000 vn="a variant of Java/Exploit.CVE-2012-1723.DY trojan (cleaned by deleting - quarantined)" ac=C fn="C:\Users\Mike\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\47463afe-690f5bf3"
---------------------------
-
How's your computer running now? Any other issues before we clean up?
-
Hopefully that last bit of deleted files will solve the problem. I'll keep an eye open to see if the blue screen issue returns at all.
Occasionally my computer will lock up mid mouse movement, and I have to reset it, but that seems less frequent, and I'm pretty sure isn't possibly related to potential malware.
I haven't seen the bluescreen issue happen for a couple days, so hopefully it won't be coming back.
Thanks for your assistance, and patience with my busy schedule. :)
-
Ok, let's do some cleanup.
To uninstall ComboFix
- Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
- In the field, type in ComboFix /uninstall
(http://i424.photobucket.com/albums/pp322/digistar/Combofix_uninstall_image.jpg)
(Note: Make sure there's a space between the word ComboFix and the forward-slash.)
- Then, press Enter, or click OK.
- This will uninstall ComboFix, delete its folders and files, hides System files and folders, and resets System Restore.
******************************************
Click Start> Computer> right click the C Drive and choose Properties> enter
Click Disk Cleanup from there.
(http://i424.photobucket.com/albums/pp322/digistar/diskcleanup2.jpg)
Click OK on the Disk Cleanup Screen.
Click Yes on the Confirmation screen.
(http://i424.photobucket.com/albums/pp322/digistar/diskcleanup.jpg)
This runs the Disk Cleanup utility along with other selections if you have chosen any. (if you had a lot System Restore points, you will see a significant change in the free space in C drive)
***************************************
Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.
----------
I suggest using WOT - Web of Trust (http://www.mywot.com/). WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.
SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer (http://www.bleepingcomputer.com/forums/tutorial49.html) from Spyware and Malware
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. (http://www.safer-networking.org/en/spybotsd/index.html) Guide: Use Spybot's Immunize Feature (http://www.bleepingcomputer.com/tutorials/tutorial43.html#immunize) to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ (http://www.safer-networking.org/en/faq/index.html)
Check out Keeping Yourself Safe On The Web (http://evilfantasy.wordpress.com/2008/05/20/keeping-yourself-safe-on-the-web/) for tips and free tools to help keep you safe in the future.
Also see Slow Computer? It may not be Malware (http://evilfantasy.wordpress.com/2008/05/24/slow-computer-it-may-not-be-malware/) for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!