evie5 Posted May 8, 2012 ID:549844 Share Posted May 8, 2012 Merged postHello, I've just gotten infected with Incredibar. Ran full scan of Malwarebytes but that didn't solve the problem - it did, however, remove the bundle installer.DDS.txt log:.DDS (Ver_2011-08-26.01) - NTFSx86Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31Run by JoAnne at 14:03:04 on 2012-05-08Microsoft Windows 7 Home Premium N 6.1.7601.1.1252.1.1033.18.2046.1113 [GMT -7:00].AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}.============== Running Processes ===============.C:\Windows\system32\wininit.exeC:\Windows\system32\lsm.exeC:\Windows\system32\svchost.exe -k DcomLaunchC:\Windows\system32\svchost.exe -k RPCSSc:\Program Files\Microsoft Security Client\MsMpEng.exeC:\Windows\system32\atiesrxx.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestrictedC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestrictedC:\Windows\system32\svchost.exe -k netsvcsC:\Windows\system32\svchost.exe -k LocalServiceC:\Windows\system32\atieclxx.exeC:\Windows\system32\svchost.exe -k NetworkServiceC:\Windows\System32\spoolsv.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetworkC:\Program Files\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exeC:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exeC:\Windows\System32\svchost.exe -k AkamaiC:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\WD\WD Anywhere Backup\MemeoBackgroundService.exeC:\Windows\system32\svchost.exe -k imgsvcC:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestrictedC:\Windows\system32\Dwm.exeC:\Windows\Explorer.EXEC:\Windows\system32\taskhost.exeC:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exeC:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exeC:\Program Files\Brother\Brmfcmon\BrMfcWnd.exeC:\Program Files\Brother\Brmfcmon\BrMfcmon.exeC:\Program Files\WD\WD Anywhere Backup\MemeoBackup.exeC:\Program Files\Microsoft IntelliPoint\ipoint.exeC:\Program Files\Microsoft IntelliPoint\dpupdchk.exeC:\Program Files\Real\RealPlayer\Update\realsched.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exeC:\Program Files\Common Files\Java\Java Update\jusched.exeC:\Program Files\Zune\ZuneLauncher.exeC:\Program Files\Microsoft Security Client\msseces.exeC:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exeC:\Users\JoAnne\AppData\Local\Akamai\netsession_win.exeC:\Users\JoAnne\AppData\Roaming\Dropbox\bin\Dropbox.exeC:\Program Files\Microsoft Office\Office14\ONENOTEM.EXEC:\Users\JoAnne\AppData\Local\Akamai\netsession_win.exeC:\Program Files\iPod\bin\iPodService.exeC:\Windows\system32\SearchIndexer.exeC:\Program Files\Windows Media Player\wmpnetwk.exeC:\Program Files\Yahoo!\Messenger\ymsgr_tray.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonationC:\Windows\System32\svchost.exe -k LocalServicePeerNetC:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEC:\Users\JoAnne\Downloads\OTL.exeC:\Windows\notepad.exeC:\Windows\system32\taskhost.exeC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\SearchProtocolHost.exeC:\Windows\system32\SearchFilterHost.exeC:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exeC:\Windows\system32\conhost.exe.============== Pseudo HJT Report ===============.uSearch Bar = hxxp://www.google.com/ieuSearch Page = hxxp://www.google.comuStart Page = hxxp://mystart.incredibar.com/mb143?a=6OyBggZdYG&i=26uInternet Settings,ProxyOverride = <local>;*.local;127.0.0.1:9421;uSearchURL,(Default) = hxxp://www.google.com/keyword/%smSearchAssistant = hxxp://www.google.com/ieBHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dllBHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dllBHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dllBHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dllBHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLLBHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dllBHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dllTB: &Accessibility Toolbar: {11352a67-0178-46b1-8855-d50b2f81c054} - c:\progra~1\wat_en\ACCESS~1.DLLTB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dllTB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No FileuRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduleruRun: [googletalk] c:\users\joanne\appdata\roaming\google\google talk\googletalk.exe /autostartuRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quietuRun: [Google Update] "c:\users\joanne\appdata\local\google\update\GoogleUpdate.exe" /cuRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"uRun: [AdobeBridge]uRun: [Akamai NetSession Interface] "c:\users\joanne\appdata\local\akamai\netsession_win.exe"mRun: [blackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /backgroundmRun: [WD Drive Manager] c:\program files\western digital\wd drive manager\WDBtnMgrUI.exemRun: [WD Anywhere Backup] c:\program files\wd\wd anywhere backup\MemeoLauncher2.exe --silentmRun: [brMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUNmRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorunmRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscriptmRun: [bCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServicesmRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbyloginmRun: [switchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exemRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRunmRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exemRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottimemRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osbootmRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"mRun: [<NO NAME>]mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkeyStartupFolder: c:\users\joanne\appdata\roaming\micros~1\windows\startm~1\programs\startup\advanc~1.lnk - c:\program files\advanced registry optimizer\ARO.exeStartupFolder: c:\users\joanne\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\joanne\appdata\roaming\dropbox\bin\Dropbox.exeStartupFolder: c:\users\joanne\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXEmPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)mPolicies-system: EnableUIADesktopToggle = 0 (0x0)IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlIE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlIE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.htmlIE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000IE: Edit with Altova X&MLSpy - c:\program files\altova\xmlspy2011\spy.htmIE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105IE: {2222EF56-F49E-4d07-A14E-8D2B08766958} - c:\program files\altova\xmlspy2011\spy.htmIE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dllIE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dllDPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cabDPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cabDPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cabDPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cabDPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cabDPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cabTCP: DhcpNameServer = 192.168.1.1TCP: Interfaces\{118867A3-B578-4AC3-9664-37A1D65CD984} : DhcpNameServer = 192.168.1.1Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLLHandler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL.================= FIREFOX ===================.FF - ProfilePath - c:\users\joanne\appdata\roaming\mozilla\firefox\profiles\k2tlyjbb.default\FF - prefs.js: browser.search.defaulturl - hxxp://malaysia.search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=FF - prefs.js: browser.search.selectedEngine - GoogleFF - prefs.js: browser.startup.homepage - hxxp://mystart.incredibar.com/mb143?a=6OyBggZdYG&i=26FF - prefs.js: keyword.URL - hxxp://malaysia.search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc&p=FF - prefs.js: network.proxy.type - 4FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dllFF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dllFF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLLFF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLLFF - plugin: c:\program files\adobe\acrobat 9.0\acrobat\air\nppdf32.dllFF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dllFF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dllFF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dllFF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dllFF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dllFF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dllFF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dllFF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dllFF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dllFF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dllFF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dllFF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dllFF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dllFF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dllFF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dllFF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dllFF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dllFF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dllFF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dllFF - plugin: c:\program files\nos\bin\np_gp.dllFF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dllFF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dllFF - plugin: c:\users\joanne\appdata\local\google\update\1.3.21.111\npGoogleUpdate3.dllFF - plugin: c:\users\joanne\appdata\roaming\mozilla\plugins\npgoogletalk.dllFF - plugin: c:\users\joanne\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dllFF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_235.dll.---- FIREFOX POLICIES ----FF - user.js: extensions.incredibar_i.newTab - falseFF - user.js: extensions.incredibar_i.tlbrSrchUrl - hxxp://mystart.Incredibar.com/?a=6OyBggZdYG&loc=IB_TB&i=26&search=FF - user.js: extensions.incredibar_i.id - 52cfa03a000000000000001fd013055cFF - user.js: extensions.incredibar_i.instlDay - 15468FF - user.js: extensions.incredibar_i.vrsn - 1.5.11.14FF - user.js: extensions.incredibar_i.vrsni - 1.5.11.14FF - user.js: extensions.incredibar_i.vrsnTs - 1.5.11.1411:55:21FF - user.js: extensions.incredibar_i.prtnrId - IncredibarFF - user.js: extensions.incredibar_i.prdct - incredibarFF - user.js: extensions.incredibar_i.aflt - orgnlFF - user.js: extensions.incredibar_i.smplGrp - noneFF - user.js: extensions.incredibar_i.tlbrId - baseFF - user.js: extensions.incredibar_i.instlRef -FF - user.js: extensions.incredibar_i.dfltLng -FF - user.js: extensions.incredibar_i.excTlbr - falseFF - user.js: extensions.incredibar_i.ms_url_id -FF - user.js: extensions.incredibar_i.upn2 - 6OyBggZdYGFF - user.js: extensions.incredibar_i.upn2n - 92261375971292222FF - user.js: extensions.incredibar_i.productid - 26FF - user.js: extensions.incredibar_i.installerproductid - 26FF - user.js: extensions.incredibar_i.did - 10643FF - user.js: extensions.incredibar_i.ppd - 1.============= SERVICES / DRIVERS ===============.R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 171064]R2 AdobeActiveFileMonitor9.0;Adobe Active File Monitor V9;c:\program files\adobe\elements 9 organizer\PhotoshopElementsFileAgent.exe [2010-9-30 169408]R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-7-13 20992]R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-1-26 176128]R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\wd\wd anywhere backup\MemeoBackgroundService.exe [2009-11-12 25824]R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-7-24 102400]R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2011-1-26 7566848]R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2011-1-26 238592]R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2010-11-17 101392]R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-3-2 139776]S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]S2 gupdate1cac52b62dd0291;Google Update Service (gupdate1cac52b62dd0291);c:\program files\google\update\GoogleUpdate.exe [2010-3-16 133104]S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-3-29 257696]S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-3-16 133104]S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\drivers\ivusb.sys [2010-7-29 25112]S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-25 129976]S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 74112]S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-3-26 214952]S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-5-23 52224]S3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-6-28 1310720]S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-5-19 1343400]S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\zune\WMZuneComm.exe [2011-8-5 268512].=============== Created Last 30 ================.2012-05-08 20:41:19 56200 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{f18bdfd8-81e9-4457-bb76-d4ae07cc2dae}\offreg.dll2012-05-08 04:00:56 6734704 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{f18bdfd8-81e9-4457-bb76-d4ae07cc2dae}\mpengine.dll2012-05-07 03:03:30 6734704 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll2012-04-25 08:16:54 -------- d-----w- c:\program files\Mozilla Maintenance Service2012-04-25 08:16:50 157352 ----a-w- c:\program files\mozilla firefox\maintenanceservice_installer.exe2012-04-25 08:16:50 129976 ----a-w- c:\program files\mozilla firefox\maintenanceservice.exe2012-04-15 04:53:08 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll2012-04-13 07:33:39 -------- d-----w- c:\users\joanne\appdata\local\CrashDumps2012-04-12 09:11:07 5120 ----a-w- c:\windows\system32\wmi.dll2012-04-12 09:11:07 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys2012-04-12 09:11:07 172544 ----a-w- c:\windows\system32\wintrust.dll2012-04-12 09:11:06 159232 ----a-w- c:\windows\system32\imagehlp.dll2012-04-12 09:09:57 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe2012-04-12 09:09:57 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe.==================== Find3M ====================.2012-05-05 03:58:11 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl2012-05-05 03:58:11 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe2012-04-04 22:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys2012-03-21 03:44:12 74112 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys2012-03-21 03:44:12 171064 ----a-w- c:\windows\system32\drivers\MpFilter.sys2012-02-28 01:18:55 1799168 ----a-w- c:\windows\system32\jscript9.dll2012-02-28 01:11:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl2012-02-28 01:11:07 1127424 ----a-w- c:\windows\system32\wininet.dll2012-02-28 01:03:16 2382848 ----a-w- c:\windows\system32\mshtml.tlb2012-02-17 05:34:22 826880 ----a-w- c:\windows\system32\rdpcore.dll2012-02-17 04:14:08 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys2012-02-17 04:13:22 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys2012-02-16 09:47:53 472808 ----a-w- c:\windows\system32\deployJava1.dll2012-02-14 19:09:44 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX2012-02-10 05:38:43 1077248 ----a-w- c:\windows\system32\DWrite.dll.============= FINISH: 14:03:22.75 ===============Attach.txt:.UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.IF REQUESTED, ZIP IT UP & ATTACH IT.DDS (Ver_2011-08-26.01).Microsoft Windows 7 Home Premium NBoot Device: \Device\HarddiskVolume1Install Date: 1/9/2010 12:40:45 PMSystem Uptime: 5/8/2012 1:29:29 PM (1 hours ago).Motherboard: Gigabyte Technology Co., Ltd. | | G31M-ES2LProcessor: Intel® Core™2 Duo CPU E8400 @ 3.00GHz | Socket 775 | 2333/333mhz.==== Disk Partitions =========================.A: is RemovableC: is FIXED (NTFS) - 596 GiB total, 528.837 GiB free.D: is CDROM (CDFS).==== Disabled Device Manager Items =============.==== System Restore Points ===================.RP641: 4/19/2012 7:56:15 PM - Windows UpdateRP642: 4/23/2012 10:05:38 AM - Windows UpdateRP643: 4/26/2012 10:09:54 AM - Windows UpdateRP644: 4/29/2012 5:55:49 PM - Windows UpdateRP645: 5/1/2012 12:31:49 AM - Windows UpdateRP646: 5/4/2012 3:00:58 PM - Windows UpdateRP647: 5/7/2012 9:00:19 PM - Windows UpdateRP648: 5/8/2012 1:47:57 PM - OTL Restore Point - 5/8/2012 1:47:54 PM.==== Installed Programs ======================.7-Zip 9.20Adobe Acrobat 9 Pro - English, Français, DeutschAdobe Acrobat 9.5.1 - CPSID_83708Adobe AIRAdobe Community HelpAdobe Creative Suite 5 Design PremiumAdobe Digital EditionsAdobe Flash Player 11 ActiveXAdobe Flash Player 11 PluginAdobe Media PlayerAdobe Photoshop Elements 9Adobe Photoshop.com Inspiration BrowserAdobe Reader X (10.1.3)Adobe Shockwave Player 11.5AIM 7Akamai NetSession InterfaceAkamai NetSession Interface ServiceAltova XMLSpy® 2011 rel. 2 sp1 Enterprise EditionAMD Drag and Drop TranscodingApple Application SupportApple Mobile Device SupportApple Software UpdateATI Catalyst Install ManagerATI Catalyst RegistrationAudacity 1.3.12 (Unicode)BlackBerry Desktop Software 5.0.1BlackBerry Desktop Software 6.0.1Blackboard IM 4.0.1-CBonjourBrother MFL-Pro Suite MFC-240CCatalyst Control Center - BrandingCatalyst Control Center Graphics Previews CommonCatalyst Control Center InstallProxyccc-core-staticccc-utilityCCC Help EnglishCore FTP LECoupon Printer for WindowsCreative Lettering ComboData Lifeguard Diagnostic for WindowsDefinition Update for Microsoft Office 2010 (KB982726) 32-Bit EditionDownload Updater (AOL LLC)DropboxEasy CD-DA Extractor 2011Elements 9 OrganizerElements STI InstallerElluminate Publish! 2.3Emicsoft Mod ConverterFile Type AssistantFinePrintFoxit CreatorFoxit ReaderGoogle ChromeGoogle Talk (remove only)Google Talk PluginGoogle Update HelperiBBDemo2iCloudInmagic DB/TextWorksInmagic DB/TextWorks 12.00iTunesJava Auto UpdaterJava™ 6 Update 31JingLAME v3.98.3 for AudacityMalwarebytes Anti-Malware version 1.61.0.1400Microsoft .NET Framework 4 Client ProfileMicrosoft Access 2010Microsoft Application Error ReportingMicrosoft IntelliPoint 7.0Microsoft Office 2010 Service Pack 1 (SP1)Microsoft Office Access 2010Microsoft Office Access MUI (English) 2010Microsoft Office Access Setup Metadata MUI (English) 2010Microsoft Office Excel MUI (English) 2010Microsoft Office OneNote MUI (English) 2010Microsoft Office Outlook MUI (English) 2010Microsoft Office PowerPoint MUI (English) 2010Microsoft Office Proof (English) 2010Microsoft Office Proof (French) 2010Microsoft Office Proof (Spanish) 2010Microsoft Office Proofing (English) 2010Microsoft Office Publisher MUI (English) 2010Microsoft Office Shared MUI (English) 2010Microsoft Office Shared Setup Metadata MUI (English) 2010Microsoft Office Standard 2010Microsoft Office Word MUI (English) 2010Microsoft Security ClientMicrosoft Security EssentialsMicrosoft SilverlightMicrosoft Visual C++ 2005 RedistributableMicrosoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319Microsoft_VC80_ATL_x86Microsoft_VC80_CRT_x86Microsoft_VC80_MFC_x86Microsoft_VC80_MFCLOC_x86Microsoft_VC90_ATL_x86Microsoft_VC90_CRT_x86Microsoft_VC90_MFC_x86MobileMe Control PanelMozilla Firefox 12.0 (x86 en-US)Mozilla Maintenance ServiceMSXML 4.0 SP2 (KB954430)MSXML 4.0 SP2 (KB973688)NOOK for PCNotepad++OCLC Dewey Cutter ProgramPDF Settings CS5PrimoPDF -- brought to you by Nitro PDF SoftwareQuickTimeRealNetworks - Microsoft Visual C++ 2008 RuntimeRealPlayerRealUpgrade 1.1SafariSecondLifeViewer2 (remove only)Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)Security Update for Microsoft Office 2010 (KB2553091)Security Update for Microsoft Office 2010 (KB2553096)Security Update for Microsoft Office 2010 (KB2589320) 32-Bit EditionSecurity Update for Microsoft Office 2010 (KB2598039) 32-Bit EditionSecurity Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit EditionSkype™ 4.2Snagit 11SSH Secure ShellUpdate for Microsoft .NET Framework 4 Client Profile (KB2468871)Update for Microsoft .NET Framework 4 Client Profile (KB2533523)Update for Microsoft .NET Framework 4 Client Profile (KB2600217)Update for Microsoft Excel 2010 (KB2553439) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2494150)Update for Microsoft Office 2010 (KB2553065)Update for Microsoft Office 2010 (KB2553181) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2553270) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2553310) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2553385) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2566458)Update for Microsoft Office 2010 (KB2596964) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2597091) 32-Bit EditionUpdate for Microsoft OneNote 2010 (KB2553290) 32-Bit EditionUpdate for Microsoft Outlook 2010 (KB2553248) 32-Bit EditionUpdate for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit EditionVLC media player 1.0.3WD Anywhere BackupWD Drive Manager (x86)Web Accessibility Toolbar UninstallWindows Media Player Firefox PluginWindows Mobile Device Updater ComponentWMV9/VC-1 Video PlaybackYahoo! MessengerZuneZune Language Pack (CHS)Zune Language Pack (CHT)Zune Language Pack (CSY)Zune Language Pack (DAN)Zune Language Pack (DEU)Zune Language Pack (ELL)Zune Language Pack (ESP)Zune Language Pack (FIN)Zune Language Pack (FRA)Zune Language Pack (HUN)Zune Language Pack (IND)Zune Language Pack (ITA)Zune Language Pack (JPN)Zune Language Pack (KOR)Zune Language Pack (MSL)Zune Language Pack (NLD)Zune Language Pack (NOR)Zune Language Pack (PLK)Zune Language Pack (PTB)Zune Language Pack (PTG)Zune Language Pack (RUS)Zune Language Pack (SVE).==== Event Viewer Messages From Past Week ========.5/7/2012 5:03:08 PM, Error: Microsoft-Windows-HAL [12] - The platform firmware has corrupted memory across the previous system power transition. Please check for updated firmware for your system.5/6/2012 11:12:16 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR1.5/6/2012 1:35:57 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the lmhosts service.5/1/2012 11:02:31 PM, Error: bowser [8003] - The master browser has received a server announcement from the computer T45-EYCHEN that believes that it is the master browser for the domain on transport NetBT_Tcpip_{118867A3-B578-4AC3-9664-37A1D65. The master browser is stopping or an election is being forced..==== End Of File =========================== Link to post Share on other sites More sharing options...
Staff CatByte Posted May 8, 2012 Staff ID:549863 Share Posted May 8, 2012 Hi,Please do the following:Please download aswMBR.exe and save it to your desktop.Double click aswMBR.exe to start the tool. When asked if you want to download Avast's virus definitions please select Yes.Click ScanUpon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet. You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well. Link to post Share on other sites More sharing options...
evie5 Posted May 8, 2012 Author ID:549871 Share Posted May 8, 2012 aswMBR version 0.9.9.1665 Copyright© 2011 AVAST SoftwareRun date: 2012-05-08 15:09:53-----------------------------15:09:53.313 OS Version: Windows 6.1.7601 Service Pack 115:09:53.313 Number of processors: 2 586 0x170615:09:53.314 ComputerName: JOANNE-PC UserName: JoAnne15:09:54.857 Initialize success15:11:28.748 AVAST engine defs: 1205080115:11:31.843 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-315:11:31.845 Disk 0 Vendor: WDC_WD6400AAKS-22A7B0 01.03B01 Size: 610479MB BusType: 315:11:31.851 Disk 0 MBR read successfully15:11:31.854 Disk 0 MBR scan15:11:31.929 Disk 0 Windows 7 default MBR code15:11:31.935 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 204815:11:31.977 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 610377 MB offset 20684815:11:32.017 Disk 0 scanning sectors +125025894415:11:32.120 Disk 0 scanning C:\Windows\system32\drivers15:11:45.431 Service scanning15:12:00.147 Service MpKsle2fad550 c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{F18BDFD8-81E9-4457-BB76-D4AE07CC2DAE}\MpKsle2fad550.sys **LOCKED** 3215:12:14.718 Modules scanning15:12:21.140 Disk 0 trace - called modules:15:12:21.155 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys15:12:21.159 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85c35948]15:12:21.164 3 CLASSPNP.SYS[891ba59e] -> nt!IofCallDriver -> [0x857cf8b8]15:12:21.169 5 ACPI.sys[88c9f3d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T1L0-3[0x84e7a030]15:12:23.376 AVAST engine scan C:\Windows15:12:25.690 AVAST engine scan C:\Windows\system3215:15:34.696 AVAST engine scan C:\Windows\system32\drivers15:15:50.769 AVAST engine scan C:\Users\JoAnne15:29:30.844 AVAST engine scan C:\ProgramData15:32:50.299 Scan finished successfully15:33:08.746 Disk 0 MBR has been saved successfully to "C:\Users\JoAnne\Downloads\MBR.dat"15:33:08.813 The log file has been saved successfully to "C:\Users\JoAnne\Downloads\aswMBR.txt"MBR.zip Link to post Share on other sites More sharing options...
Staff CatByte Posted May 9, 2012 Staff ID:549891 Share Posted May 9, 2012 Hi,Please do the followingRefer to the ComboFix User's Guide Download ComboFix from one of these locations:Link 1Link 2* IMPORTANT !!! Place ComboFix.exe on your DesktopDisable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.You can get help on disabling your protection programs hereDouble click on ComboFix.exe & follow the prompts.Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal. When finished, it shall produce a log for you. Post that log in your next replyNote: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.---------------------------------------------------------------------------------------------Ensure your AntiVirus and AntiSpyware applications are re-enabled.---------------------------------------------------------------------------------------------NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error. Link to post Share on other sites More sharing options...
evie5 Posted May 9, 2012 Author ID:549896 Share Posted May 9, 2012 ComboFix 12-05-08.02 - JoAnne 05/08/2012 17:12:17.1.2 - x86Microsoft Windows 7 Home Premium N 6.1.7601.1.1252.1.1033.18.2046.1083 [GMT -7:00]Running from: c:\users\JoAnne\Desktop\ComboFix.exeAV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}..((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))..C:\Install.exec:\users\JoAnne\AppData\Local\assembly\tmp..((((((((((((((((((((((((( Files Created from 2012-04-09 to 2012-05-09 )))))))))))))))))))))))))))))))..2012-05-09 00:18 . 2012-05-09 00:18 -------- d-----w- c:\users\JoAnne\AppData\Local\temp2012-05-08 21:03 . 2012-05-08 21:03 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F18BDFD8-81E9-4457-BB76-D4AE07CC2DAE}\MpKsle2fad550.sys2012-05-08 20:41 . 2012-05-08 20:41 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F18BDFD8-81E9-4457-BB76-D4AE07CC2DAE}\offreg.dll2012-05-08 18:55 . 2012-05-08 18:55 448 ----a-w- C:\user.js2012-05-08 04:00 . 2012-04-13 07:36 6734704 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F18BDFD8-81E9-4457-BB76-D4AE07CC2DAE}\mpengine.dll2012-05-07 03:03 . 2012-04-13 07:36 6734704 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll2012-04-25 08:16 . 2012-04-25 08:16 -------- d-----w- c:\program files\Mozilla Maintenance Service2012-04-25 08:16 . 2012-04-25 08:16 129976 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe2012-04-25 08:16 . 2012-04-25 08:16 157352 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe2012-04-15 04:53 . 2009-08-20 07:50 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll2012-04-13 07:33 . 2012-04-13 07:33 -------- d-----w- c:\users\JoAnne\AppData\Local\CrashDumps2012-04-12 09:11 . 2012-03-01 05:46 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys2012-04-12 09:11 . 2012-03-01 05:37 172544 ----a-w- c:\windows\system32\wintrust.dll2012-04-12 09:11 . 2012-03-01 05:29 5120 ----a-w- c:\windows\system32\wmi.dll2012-04-12 09:11 . 2012-03-01 05:33 159232 ----a-w- c:\windows\system32\imagehlp.dll2012-04-12 09:09 . 2012-03-06 05:59 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe2012-04-12 09:09 . 2012-03-06 05:59 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe...(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2012-05-05 03:58 . 2012-03-30 01:30 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe2012-05-05 03:58 . 2011-05-15 19:19 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl2012-04-04 22:56 . 2010-07-15 07:32 22344 ----a-w- c:\windows\system32\drivers\mbam.sys2012-03-21 03:44 . 2010-10-25 05:25 74112 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys2012-03-21 03:44 . 2009-06-19 02:48 171064 ----a-w- c:\windows\system32\drivers\MpFilter.sys2012-02-17 05:34 . 2012-03-13 18:26 826880 ----a-w- c:\windows\system32\rdpcore.dll2012-02-17 04:14 . 2012-03-13 18:26 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys2012-02-17 04:13 . 2012-03-13 18:26 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys2012-02-16 09:47 . 2010-12-13 18:12 472808 ----a-w- c:\windows\system32\deployJava1.dll2012-02-14 19:09 . 2012-02-14 19:09 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX2012-02-11 02:12 . 2012-02-11 02:13 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B4D42F29-44F1-4D25-A1B8-7A9C6824BF97}\gapaengine.dll2012-02-10 05:38 . 2012-03-13 22:08 1077248 ----a-w- c:\windows\system32\DWrite.dll2012-04-25 08:16 . 2011-04-01 09:09 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll..((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shownREGEDIT4.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]2011-02-18 05:12 94208 ----a-w- c:\users\JoAnne\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]2011-02-18 05:12 94208 ----a-w- c:\users\JoAnne\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]2011-02-18 05:12 94208 ----a-w- c:\users\JoAnne\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll.[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]"googletalk"="c:\users\JoAnne\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2010-03-03 5244216]"Akamai NetSession Interface"="c:\users\JoAnne\AppData\Local\Akamai\netsession_win.exe" [2012-03-13 3331872].[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]"WD Drive Manager"="c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-07-24 450560]"WD Anywhere Backup"="c:\program files\WD\WD Anywhere Backup\MemeoLauncher2.exe" [2009-11-13 222432]"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-05-26 1159168]"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2008-12-24 114688]"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2012-04-04 981680]"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-05-26 1468296]"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-07-29 497648]"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-23 402432]"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-01-27 336384]"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-05 311296]"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]"TkBellExe"="c:\program files\real\realplayer\Update\realsched.exe" [2011-11-03 273528]"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2012-03-27 40376]"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2012-03-26 640440]"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2011-08-05 159456]"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-27 931200].c:\users\JoAnne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Advanced Registry Optimizer.lnk - c:\program files\Advanced Registry Optimizer\ARO.exe [N/A]Dropbox.lnk - c:\users\JoAnne\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-2-14 24246216]OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-12-21 227712].[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]"ConsentPromptBehaviorAdmin"= 5 (0x5)"ConsentPromptBehaviorUser"= 3 (0x3)"EnableUIADesktopToggle"= 0 (0x0).[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]"aux1"=wdmaud.drv.[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]@="Service".R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]R2 gupdate1cac52b62dd0291;Google Update Service (gupdate1cac52b62dd0291);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-16 133104]R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-05 257696]R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-16 133104]R3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys [2010-07-29 25112]R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [2012-04-25 129976]R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 74112]R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-27 214952]R3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]R3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-06-28 1310720]R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-19 1343400]R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2011-08-05 268512]S1 MpKsle2fad550;MpKsle2fad550;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F18BDFD8-81E9-4457-BB76-D4AE07CC2DAE}\MpKsle2fad550.sys [2012-05-08 29904]S2 AdobeActiveFileMonitor9.0;Adobe Active File Monitor V9;c:\program files\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe [2010-09-30 169408]S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 20992]S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-01-26 176128]S2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\WD\WD Anywhere Backup\MemeoBackgroundService.exe [2009-11-13 25824]S2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [2008-07-24 102400]S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-01-26 7566848]S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-01-26 238592]S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2010-11-17 101392]S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2009-05-21 21392]S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-03-02 139776]..--- Other Services/Drivers In Memory ---.*NewlyCreated* - ASWMBR*NewlyCreated* - MPKSLE2FAD550*Deregistered* - aswMBR.[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc Mcx2SvcAkamai REG_MULTI_SZ Akamai.Contents of the 'Scheduled Tasks' folder.2012-05-08 c:\windows\Tasks\Adobe Flash Player Updater.job- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 03:58].2012-05-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-16 17:09].2012-05-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-16 17:09].2012-05-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4048521924-1855791597-468837853-1000Core.job- c:\users\JoAnne\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-26 03:39].2012-05-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4048521924-1855791597-468837853-1000UA.job- c:\users\JoAnne\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-26 03:39].2012-05-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4048521924-1855791597-468837853-1003Core.job- c:\users\Kayla\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-12 03:39].2012-05-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4048521924-1855791597-468837853-1003UA.job- c:\users\Kayla\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-12 03:39]..------- Supplementary Scan -------.uStart Page = hxxp://mystart.incredibar.com/mb143?a=6OyBggZdYG&i=26uInternet Settings,ProxyOverride = <local>;*.local;127.0.0.1:9421;uSearchURL,(Default) = hxxp://www.google.com/keyword/%sIE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlIE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlIE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.htmlIE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000IE: Edit with Altova X&MLSpy - c:\program files\Altova\XMLSpy2011\spy.htmIE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105TCP: DhcpNameServer = 192.168.1.1FF - ProfilePath - c:\users\JoAnne\AppData\Roaming\Mozilla\Firefox\Profiles\k2tlyjbb.default\FF - prefs.js: browser.search.defaulturl - hxxp://malaysia.search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=FF - prefs.js: browser.search.selectedEngine - GoogleFF - prefs.js: browser.startup.homepage - hxxp://Mystart.incredibar.com/mb124FF - prefs.js: keyword.URL - hxxp://malaysia.search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc&p=FF - prefs.js: network.proxy.type - 4FF - user.js: extensions.incredibar_i.newTab - falseFF - user.js: extensions.incredibar_i.tlbrSrchUrl - hxxp://mystart.Incredibar.com/?a=6OyBggZdYG&loc=IB_TB&i=26&search=FF - user.js: extensions.incredibar_i.id - 52cfa03a000000000000001fd013055cFF - user.js: extensions.incredibar_i.instlDay - 15468FF - user.js: extensions.incredibar_i.vrsn - 1.5.11.14FF - user.js: extensions.incredibar_i.vrsni - 1.5.11.14FF - user.js: extensions.incredibar_i.vrsnTs - 1.5.11.1411:55FF - user.js: extensions.incredibar_i.prtnrId - IncredibarFF - user.js: extensions.incredibar_i.prdct - incredibarFF - user.js: extensions.incredibar_i.aflt - orgnlFF - user.js: extensions.incredibar_i.smplGrp - noneFF - user.js: extensions.incredibar_i.tlbrId - baseFF - user.js: extensions.incredibar_i.instlRef -FF - user.js: extensions.incredibar_i.dfltLng -FF - user.js: extensions.incredibar_i.excTlbr - falseFF - user.js: extensions.incredibar_i.ms_url_id -FF - user.js: extensions.incredibar_i.upn2 - 6OyBggZdYGFF - user.js: extensions.incredibar_i.upn2n - 92261375971292222FF - user.js: extensions.incredibar_i.productid - 26FF - user.js: extensions.incredibar_i.installerproductid - 26FF - user.js: extensions.incredibar_i.did - 10643FF - user.js: extensions.incredibar_i.ppd - 1.- - - - ORPHANS REMOVED - - - -.WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exeHKCU-Run-AdobeBridge - (no file)...[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Akamai]"ServiceDll"="c:\program files\common files\akamai/netsession_win_6c825ce.dll".--------------------- LOCKED REGISTRY KEYS ---------------------.[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]@Denied: (A) (Users)@Denied: (A) (Everyone)@Allowed: (B 1 2 3 4 5) (S-1-5-20)"BlindDial"=dword:00000000.[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]@Denied: (Full) (Everyone).Completion time: 2012-05-08 17:28:05ComboFix-quarantined-files.txt 2012-05-09 00:28.Pre-Run: 570,556,022,784 bytes freePost-Run: 572,405,657,600 bytes free.- - End Of File - - 0DE1651A17B5D0E432D8F3689B2595D7 Link to post Share on other sites More sharing options...
Staff CatByte Posted May 9, 2012 Staff ID:549902 Share Posted May 9, 2012 HiOpen FireFox and take a look at the add-ons/extensions, does "incredibar" show up?Take a look at the tutorial herehttp://support.mozilla.org/en-US/kb/Cannot%20uninstall%20an%20add-ontry following the steps outline there first to remove Incredibar, then run the following ComboFix script which should get rid of the leftoversPlease do the following:Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".Copy/paste the text inside the Codebox below into notepad:Here's how to do that:Click Start > Run type Notepad click OK.This will open an empty notepad file:Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')DDS::uStart Page = hxxp://mystart.incredibar.com/mb143?a=6OyBggZdYG&i=26uInternet Settings,ProxyOverride = <local>;*.local;127.0.0.1:9421;FireFox::FF - ProfilePath - c:\users\JoAnne\AppData\Roaming\Mozilla\Firefox\Profiles\k2tlyjbb.default\FF - prefs.js: browser.startup.homepage - hxxp://Mystart.incredibar.com/mb124FF - user.js: extensions.incredibar_i.newTab - falseFF - user.js: extensions.incredibar_i.tlbrSrchUrl - hxxp://mystart.Incredibar.com/?a=6OyBggZdYG&loc=IB_TB&i=26&search=FF - user.js: extensions.incredibar_i.id - 52cfa03a000000000000001fd013055cFF - user.js: extensions.incredibar_i.instlDay - 15468FF - user.js: extensions.incredibar_i.vrsn - 1.5.11.14FF - user.js: extensions.incredibar_i.vrsni - 1.5.11.14FF - user.js: extensions.incredibar_i.vrsnTs - 1.5.11.1411:55FF - user.js: extensions.incredibar_i.prtnrId - IncredibarFF - user.js: extensions.incredibar_i.prdct - incredibarFF - user.js: extensions.incredibar_i.aflt - orgnlFF - user.js: extensions.incredibar_i.smplGrp - noneFF - user.js: extensions.incredibar_i.tlbrId - baseFF - user.js: extensions.incredibar_i.instlRef -FF - user.js: extensions.incredibar_i.dfltLng -FF - user.js: extensions.incredibar_i.excTlbr - falseFF - user.js: extensions.incredibar_i.ms_url_id -FF - user.js: extensions.incredibar_i.upn2 - 6OyBggZdYGFF - user.js: extensions.incredibar_i.upn2n - 92261375971292222FF - user.js: extensions.incredibar_i.productid - 26FF - user.js: extensions.incredibar_i.installerproductid - 26FF - user.js: extensions.incredibar_i.did - 10643FF - user.js: extensions.incredibar_i.ppd - 1ClearJavaCache::Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')Save this file to your desktop, Save this as "CFScript"Here's how to do that:1.Click File;2.Click Save As... Change the directory to your desktop;3.Change the Save as type to "All Files";4.Type in the file name: CFScript5.Click Save ...Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.ComboFix may request an update; please allow it.ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.NEXTPlease open your MalwareBytes AntiMalware ProgramClick the Update Tab and search for updatesIf an update is found, it will download and install the latest version.Once the program has loaded, select "Perform Quick Scan", then click Scan.The scan may take some time to finish, so please be patient.When the scan is complete, click OK, then Show Results to view the results.Make sure that everything is checked, and click Remove Selected. <-- very importantWhen disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.Copy&Paste the entire report in your next reply.Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. NEXTGo here to run an online scanner from ESET.Turn off the real time scanner of any existing antivirus program while performing the online scanTick the box next to YES, I accept the Terms of Use.Click StartWhen asked, allow the activeX control to installClick StartMake sure that the option Remove found threats is unticked and the Scan Archives option is ticked.Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.Click ScanWait for the scan to finishWhen the scan completes, press the LIST OF THREATS FOUND buttonPress EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop Include the contents of this report in your next reply.Press the BACK button.Press Finish NEXTPlease advise how your computer is running now and if there are any outstanding issues</local> Link to post Share on other sites More sharing options...
evie5 Posted May 9, 2012 Author ID:549987 Share Posted May 9, 2012 ComboFix 12-05-08.02 - JoAnne 05/08/2012 18:43:48.2.2 - x86Microsoft Windows 7 Home Premium N 6.1.7601.1.1252.1.1033.18.2046.1372 [GMT -7:00]Running from: c:\users\JoAnne\Desktop\ComboFix.exeCommand switches used :: c:\users\JoAnne\Desktop\CFScript.txtAV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}..((((((((((((((((((((((((( Files Created from 2012-04-09 to 2012-05-09 )))))))))))))))))))))))))))))))..2012-05-09 01:50 . 2012-05-09 01:50 -------- d-----w- c:\users\Kayla\AppData\Local\temp2012-05-09 01:50 . 2012-05-09 01:50 -------- d-----w- c:\users\Default\AppData\Local\temp2012-05-09 01:50 . 2012-05-09 01:50 -------- d-----w- c:\users\Administrator\AppData\Local\temp2012-05-09 00:31 . 2012-04-13 07:36 6734704 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D8ABEEF9-D66C-4482-A8B0-CAD9C2800F28}\mpengine.dll2012-05-09 00:18 . 2012-05-09 01:50 -------- d-----w- c:\users\JoAnne\AppData\Local\temp2012-05-08 18:55 . 2012-05-08 18:55 448 ----a-w- C:\user.js2012-05-07 03:03 . 2012-04-13 07:36 6734704 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll2012-04-25 08:16 . 2012-04-25 08:16 -------- d-----w- c:\program files\Mozilla Maintenance Service2012-04-25 08:16 . 2012-04-25 08:16 129976 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe2012-04-25 08:16 . 2012-04-25 08:16 157352 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe2012-04-15 04:53 . 2009-08-20 07:50 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll2012-04-13 07:33 . 2012-04-13 07:33 -------- d-----w- c:\users\JoAnne\AppData\Local\CrashDumps2012-04-12 09:11 . 2012-03-01 05:46 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys2012-04-12 09:11 . 2012-03-01 05:37 172544 ----a-w- c:\windows\system32\wintrust.dll2012-04-12 09:11 . 2012-03-01 05:29 5120 ----a-w- c:\windows\system32\wmi.dll2012-04-12 09:11 . 2012-03-01 05:33 159232 ----a-w- c:\windows\system32\imagehlp.dll2012-04-12 09:09 . 2012-03-06 05:59 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe2012-04-12 09:09 . 2012-03-06 05:59 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe...(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2012-05-05 03:58 . 2012-03-30 01:30 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe2012-05-05 03:58 . 2011-05-15 19:19 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl2012-04-04 22:56 . 2010-07-15 07:32 22344 ----a-w- c:\windows\system32\drivers\mbam.sys2012-03-21 03:44 . 2010-10-25 05:25 74112 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys2012-03-21 03:44 . 2009-06-19 02:48 171064 ----a-w- c:\windows\system32\drivers\MpFilter.sys2012-02-17 05:34 . 2012-03-13 18:26 826880 ----a-w- c:\windows\system32\rdpcore.dll2012-02-17 04:14 . 2012-03-13 18:26 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys2012-02-17 04:13 . 2012-03-13 18:26 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys2012-02-16 09:47 . 2010-12-13 18:12 472808 ----a-w- c:\windows\system32\deployJava1.dll2012-02-14 19:09 . 2012-02-14 19:09 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX2012-02-11 02:12 . 2012-02-11 02:13 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B4D42F29-44F1-4D25-A1B8-7A9C6824BF97}\gapaengine.dll2012-02-10 05:38 . 2012-03-13 22:08 1077248 ----a-w- c:\windows\system32\DWrite.dll2012-04-25 08:16 . 2011-04-01 09:09 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll..((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shownREGEDIT4.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]2011-02-18 05:12 94208 ----a-w- c:\users\JoAnne\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]2011-02-18 05:12 94208 ----a-w- c:\users\JoAnne\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]2011-02-18 05:12 94208 ----a-w- c:\users\JoAnne\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll.[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]"googletalk"="c:\users\JoAnne\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2010-03-03 5244216]"Akamai NetSession Interface"="c:\users\JoAnne\AppData\Local\Akamai\netsession_win.exe" [2012-03-13 3331872].[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]"WD Drive Manager"="c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-07-24 450560]"WD Anywhere Backup"="c:\program files\WD\WD Anywhere Backup\MemeoLauncher2.exe" [2009-11-13 222432]"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-05-26 1159168]"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2008-12-24 114688]"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2012-04-04 981680]"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-05-26 1468296]"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-07-29 497648]"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-23 402432]"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-01-27 336384]"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-05 311296]"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]"TkBellExe"="c:\program files\real\realplayer\Update\realsched.exe" [2011-11-03 273528]"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2012-03-27 40376]"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2012-03-26 640440]"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2011-08-05 159456]"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-27 931200].c:\users\JoAnne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Advanced Registry Optimizer.lnk - c:\program files\Advanced Registry Optimizer\ARO.exe [N/A]Dropbox.lnk - c:\users\JoAnne\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-2-14 24246216]OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-12-21 227712].[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]"ConsentPromptBehaviorAdmin"= 5 (0x5)"ConsentPromptBehaviorUser"= 3 (0x3)"EnableUIADesktopToggle"= 0 (0x0).[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]"aux1"=wdmaud.drv.[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]@="Service".R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]R2 gupdate1cac52b62dd0291;Google Update Service (gupdate1cac52b62dd0291);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-16 133104]R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-05 257696]R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-16 133104]R3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys [2010-07-29 25112]R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [2012-04-25 129976]R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 74112]R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-27 214952]R3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]R3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-06-28 1310720]R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-19 1343400]R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2011-08-05 268512]S2 AdobeActiveFileMonitor9.0;Adobe Active File Monitor V9;c:\program files\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe [2010-09-30 169408]S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 20992]S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-01-26 176128]S2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\WD\WD Anywhere Backup\MemeoBackgroundService.exe [2009-11-13 25824]S2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [2008-07-24 102400]S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-01-26 7566848]S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-01-26 238592]S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2010-11-17 101392]S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2009-05-21 21392]S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-03-02 139776]..--- Other Services/Drivers In Memory ---.*NewlyCreated* - WS2IFSL.[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc Mcx2SvcAkamai REG_MULTI_SZ Akamai.Contents of the 'Scheduled Tasks' folder.2012-05-09 c:\windows\Tasks\Adobe Flash Player Updater.job- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 03:58].2012-05-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-16 17:09].2012-05-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-16 17:09].2012-05-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4048521924-1855791597-468837853-1000Core.job- c:\users\JoAnne\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-26 03:39].2012-05-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4048521924-1855791597-468837853-1000UA.job- c:\users\JoAnne\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-26 03:39].2012-05-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4048521924-1855791597-468837853-1003Core.job- c:\users\Kayla\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-12 03:39].2012-05-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4048521924-1855791597-468837853-1003UA.job- c:\users\Kayla\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-12 03:39]..------- Supplementary Scan -------.uSearchURL,(Default) = hxxp://www.google.com/keyword/%sIE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlIE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlIE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.htmlIE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000IE: Edit with Altova X&MLSpy - c:\program files\Altova\XMLSpy2011\spy.htmIE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105TCP: DhcpNameServer = 192.168.1.1FF - ProfilePath - c:\users\JoAnne\AppData\Roaming\Mozilla\Firefox\Profiles\k2tlyjbb.default\FF - prefs.js: browser.search.defaulturl - hxxp://malaysia.search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=FF - prefs.js: browser.search.selectedEngine - GoogleFF - prefs.js: keyword.URL - hxxp://malaysia.search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc&p=FF - prefs.js: network.proxy.type - 4..[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Akamai]"ServiceDll"="c:\program files\common files\akamai/netsession_win_6c825ce.dll".--------------------- LOCKED REGISTRY KEYS ---------------------.[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]@Denied: (A) (Users)@Denied: (A) (Everyone)@Allowed: (B 1 2 3 4 5) (S-1-5-20)"BlindDial"=dword:00000000.[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]@Denied: (Full) (Everyone).--------------------- DLLs Loaded Under Running Processes ---------------------.- - - - - - - > 'Explorer.exe'(3736)c:\users\JoAnne\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll.Completion time: 2012-05-08 19:05:27ComboFix-quarantined-files.txt 2012-05-09 02:05ComboFix2.txt 2012-05-09 00:28.Pre-Run: 571,315,441,664 bytes freePost-Run: 571,320,672,256 bytes free.- - End Of File - - 4BD9FE2A081F80F8AAAC6273371774FA************************************************************************************************************************************************Malwarebytes Anti-Malware 1.61.0.1400www.malwarebytes.orgDatabase version: v2012.05.09.01Windows 7 Service Pack 1 x86 NTFSInternet Explorer 9.0.8112.16421JoAnne :: JOANNE-PC [administrator]5/8/2012 7:07:14 PMmbam-log-2012-05-08 (19-07-14).txtScan type: Quick scanScan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUMScan options disabled: P2PObjects scanned: 240191Time elapsed: 2 minute(s), 44 second(s)Memory Processes Detected: 0(No malicious items detected)Memory Modules Detected: 0(No malicious items detected)Registry Keys Detected: 0(No malicious items detected)Registry Values Detected: 0(No malicious items detected)Registry Data Items Detected: 0(No malicious items detected)Folders Detected: 0(No malicious items detected)Files Detected: 0(No malicious items detected)(end)************************************************************************************************************************ESET scanner - no threats found*************************************************************************************************************************HUZZAH! Computer seems to be running normally now! Is it safe and secure to carry on as usual? Link to post Share on other sites More sharing options...
Staff CatByte Posted May 9, 2012 Staff ID:550173 Share Posted May 9, 2012 Hi,The logs appear to be clean now, we just some housekeeping to do,Please do the following:You can delete the DDS and aswMBR logs and programs from your desktop.NEXTFollow these steps to uninstall Combofix Make sure your security programs are totally disabled.Click START then RUNNow copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.If there are any logs/tools remaining on your desktop > right click and delete them.NEXTBelow I have included a number of recommendations for how to protect your computer against malware infections.It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article Strong passwords: How to create and use them Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.Keep Windows updated by regularly checking their website at :http://windowsupdate.microsoft.com/This will ensure your computer has always the latest security updates available installed on your computer.Make Internet Explorer more secureClick Start > RunType Inetcpl.cpl & click OKClick on the Security tabClick Reset all zones to default levelMake sure the Internet Zone is selected & Click Custom levelIn the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".Next Click OK, then Apply button and then OK to exit the Internet Properties page.[*]Download TFC to your desktopClose any open windows.Double click the TFC icon to run the programTFC will close all open programs itself in order to run, Click the Start button to begin the process. Allow TFC to run uninterrupted.The program should not take long to finish it's jobOnce its finished it should automatically reboot your machine,if it doesn't, manually reboot to ensure a complete cleanIt's normal after running TFC cleaner that the PC will be slower to boot the first time. [*]WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:Green to go Yellow for caution Red to stop WOT has an addon available for both Firefox and IE[*]Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.[*]ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.[*]In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:PC Safety and Security--What Do I Need?.Thank you for your patience, and performing all of the procedures requested.Please respond one last time so we can consider the thread resolved and close it, thank-you. Link to post Share on other sites More sharing options...
evie5 Posted May 10, 2012 Author ID:550221 Share Posted May 10, 2012 Everything's cleaned up.Thanks for the recommendations! I will read thru them right now!Thanks again for all of your help!!! A donation is in order Link to post Share on other sites More sharing options...
Staff CatByte Posted May 10, 2012 Staff ID:550451 Share Posted May 10, 2012 thank-youyou are welcomestay safe ~CB Link to post Share on other sites More sharing options...
LDTate Posted May 14, 2012 ID:551485 Share Posted May 14, 2012 Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you. Link to post Share on other sites More sharing options...
Recommended Posts