azrancher Posted July 23, 2012 ID:575146 Share Posted July 23, 2012 Trojan.Dropper.BCMiner was detected several days ago by malwarebytes, I've been trying different things to remove it, latest log from mbam no longer shows it, however when I type www.malwarebytes.org into IE, it goes to Google, also when I type www.symantec.com into IE it goes to Google, and SEP will not load.mbam log from yesterday:Malwarebytes Anti-Malware (Trial) 1.62.0.1300www.malwarebytes.orgDatabase version: v2012.07.22.03Windows 7 Service Pack 1 x64 NTFSInternet Explorer 9.0.8112.16421Rancher :: ROCKYCREEK-ST1 [administrator]Protection: Enabled7/22/2012 7:30:09 AMmbam-log-2012-07-22 (07-42-11).txtScan type: Quick scanScan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUMScan options disabled: P2PObjects scanned: 262203Time elapsed: 9 minute(s), 12 second(s)Memory Processes Detected: 0(No malicious items detected)Memory Modules Detected: 0(No malicious items detected)Registry Keys Detected: 0(No malicious items detected)Registry Values Detected: 0(No malicious items detected)Registry Data Items Detected: 0(No malicious items detected)Folders Detected: 0(No malicious items detected)Files Detected: 1C:\Windows\Installer\{ca3bcf3c-1eca-c859-cb02-33ec77d20950}\U\00000008.@ (Trojan.Dropper.BCMiner) -> No action taken.(end)mbam log from today:Malwarebytes Anti-Malware (Trial) 1.62.0.1300www.malwarebytes.orgDatabase version: v2012.07.23.04Windows 7 Service Pack 1 x64 NTFSInternet Explorer 9.0.8112.16421Rancher :: ROCKYCREEK-ST1 [administrator]Protection: Enabled7/23/2012 9:49:49 AMmbam-log-2012-07-23 (09-49-49).txtScan type: Quick scanScan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUMScan options disabled: P2PObjects scanned: 258368Time elapsed: 8 minute(s), 51 second(s)Memory Processes Detected: 0(No malicious items detected)Memory Modules Detected: 0(No malicious items detected)Registry Keys Detected: 0(No malicious items detected)Registry Values Detected: 0(No malicious items detected)Registry Data Items Detected: 0(No malicious items detected)Folders Detected: 0(No malicious items detected)Files Detected: 0(No malicious items detected)(end)favr log from yesterday:Fake Antivirus Remover 1.0.0.1019Pattern version: 100024Scan mode: Scan All ProcessesTime elapsed: 00 minute(s), 07 second(s)Summary------------------------------------Processes Detected: 0Files Detected: 1Folders Detected: 0Registry Keys Detected: 0Registry Values Detected: 0Registry Data Detected: 0Detailed Information------------------------------------Files Detected:C:\Users\Rancher\AppData\Local\GDIPFONTCACHEV1.DAT -> Delete (Quarantined and deleted successfully.)DDS log from today:.DDS (Ver_2011-08-26.01) - NTFSAMD64Internet Explorer: 9.0.8112.16421Run by Rancher at 9:36:25 on 2012-07-23Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.12279.9131 [GMT -7:00].SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}.============== Running Processes ===============.C:\Windows\system32\wininit.exeC:\Windows\system32\lsm.exeC:\Windows\system32\svchost.exe -k DcomLaunchC:\Program Files (x86)\Zentimo\ZentimoService.exeC:\Windows\system32\svchost.exe -k RPCSSC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestrictedC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestrictedC:\Windows\system32\svchost.exe -k netsvcsC:\Windows\system32\svchost.exe -k LocalServiceC:\Windows\system32\svchost.exe -k NetworkServiceC:\Windows\System32\spoolsv.exeC:\Windows\System32\svchost.exe -k LocalServiceNoNetworkC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonationc:\Program Files\Ocster Backup\bin\backupService-ox.exeC:\Program Files\Splunk\bin\splunkd.exeC:\Windows\system32\conhost.exeC:\Program Files\Splunk\bin\splunkweb.exec:\Program Files\Ocster Backup\bin\oxHelper.exeC:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exeC:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exeC:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exeC:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exeC:\Program Files\Windows Media Player\wmpnetwk.exeC:\Windows\system32\SearchIndexer.exeC:\Windows\system32\taskhost.exeC:\Windows\system32\Dwm.exeC:\Windows\Explorer.EXEC:\Program Files (x86)\GamesBar\SearchEngineProtection.exeC:\Program Files (x86)\DeskPins\DeskPins.exeC:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exeC:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exeC:\Windows\system32\taskeng.exeC:\Program Files (x86)\Real\RealPlayer\Update\realsched.exeC:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exeC:\Program Files (x86)\Full Uninstall\FullUninstallAgent.exeC:\Windows\system32\wbem\unsecapp.exeC:\Users\Rancher\AppData\Roaming\Aqruoz\yhmoa.exeC:\Program Files (x86)\Yahoo!\Messenger\ymsgr_tray.exeC:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Windows\system32\taskeng.exeC:\Windows\system32\SearchProtocolHost.exeC:\Windows\system32\SearchFilterHost.exeC:\Windows\SysWOW64\cmd.exeC:\Windows\system32\conhost.exeC:\Windows\SysWOW64\cscript.exeC:\Windows\system32\wbem\wmiprvse.exe.============== Pseudo HJT Report ===============.uStart Page = about:blankuSearch Bar = PreservemWinlogon: Userinit=userinit.exe,BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn4\yt.dllBHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dllBHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dllBHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLLBHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dllBHO: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dllBHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dllBHO: GamesBarBHO Class: {cb0d163c-e9f4-4236-9496-0597e24b23a5} - C:\Program Files (x86)\GamesBar\2.0.1.82\oberontb.dllBHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dllBHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn3\YTSingleInstance.dllTB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn4\yt.dllTB: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dllTB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dllTB: GamesBar: {6f282b65-56bf-4bd1-a8b2-a4449a05863d} - C:\Program Files (x86)\GamesBar\2.0.1.82\oberontb.dllTB: {B80F591E-FE9A-46CF-A13E-180377240586} - No FileTB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No FileuRun: [wLite] "C:\Program Files (x86)\wLite\wLite.exe" -autouRun: [fsm]uRun: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\MESSEN~1\YahooMessenger.exe" -quietuRun: [searchEngineProtection] C:\Program Files (x86)\Gamesbar\SearchEngineProtection.exeuRun: [unoselhic] C:\Users\Rancher\AppData\Roaming\Aqruoz\yhmoa.exemRun: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exemRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"mRun: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osbootmRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttrayStartupFolder: C:\Users\Rancher\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\DeskPins.lnk - C:\Program Files (x86)\DeskPins\DeskPins.exeStartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\AUTORU~1\MCAFEE~1.LNK - C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exemPolicies-explorer: NoActiveDesktop = 1 (0x1)mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)mPolicies-system: EnableLUA = 0 (0x0)mPolicies-system: EnableUIADesktopToggle = 0 (0x0)mPolicies-system: PromptOnSecureDesktop = 0 (0x0)IE: {1A93C934-025B-4c3a-B38E-9654A7003239} - {6F282B65-56BF-4BD1-A8B2-A4449A05863D} - C:\Program Files (x86)\GamesBar\2.0.1.82\oberontb.dllIE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dllIE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLLLSP: mswsock.dllTrusted Zone: intuit.com\ttlcDPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cabDPF: {8D59819B-2067-4A6B-84F4-7F84570E3C30} - hxxp://192.168.1.52/img/LinksysMLViewer.cabDPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cabDPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cabDPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} - hxxp://192.168.1.51/xplugLiteDL.cabDPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cabTCP: Interfaces\{8CFE23FE-29C0-4597-B93A-FDE8449C99AB} : NameServer = 64.68.248.10,64.68.252.10TCP: Interfaces\{8CFE23FE-29C0-4597-B93A-FDE8449C99AB}\25F434B49534255454B4 : DhcpNameServer = 64.68.248.10 64.68.252.10 64.68.244.250Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~2\MICROS~1\Office12\GRA32A~1.DLLHandler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLLSEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLLBHO-X64: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn4\yt.dllBHO-X64: 0x1 - No FileBHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dllBHO-X64: AcroIEHelperStub - No FileBHO-X64: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dllBHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLLBHO-X64: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dllBHO-X64: Search Toolbar: {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dllBHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dllBHO-X64: GamesBarBHO Class: {CB0D163C-E9F4-4236-9496-0597E24B23A5} - C:\Program Files (x86)\GamesBar\2.0.1.82\oberontb.dllBHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dllBHO-X64: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn3\YTSingleInstance.dllTB-X64: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn4\yt.dllTB-X64: Search Toolbar: {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dllTB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dllTB-X64: GamesBar: {6F282B65-56BF-4BD1-A8B2-A4449A05863D} - C:\Program Files (x86)\GamesBar\2.0.1.82\oberontb.dllTB-X64: {B80F591E-FE9A-46CF-A13E-180377240586} - No FileTB-X64: {472734EA-242A-422B-ADF8-83D1E48CC825} - No FilemRun-x64: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exemRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"mRun-x64: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osbootmRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttraySEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLL.============= SERVICES / DRIVERS ===============.R0 hotcore3;hc3ServiceName;C:\Windows\system32\DRIVERS\hotcore3.sys --> C:\Windows\system32\DRIVERS\hotcore3.sys [?]R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-4-1 13336]R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-7-21 655944]R2 ocster_backup;Ocster Backup;C:\Program Files\Ocster Backup\bin\backupService-ox.exe [2011-5-18 21272]R2 Splunkd;Splunkd;C:\Program Files\Splunk\bin\splunkd.exe [2011-7-14 23355200]R2 Splunkweb;Splunkweb;C:\Program Files\Splunk\bin\splunkweb.exe [2011-7-14 21824]R2 ZentimoService;Zentimo Assistant;C:\Program Files (x86)\Zentimo\ZentimoService.exe [2011-12-12 555844]R3 Apowersoft_AudioDevice;Apowersoft_AudioDevice;C:\Windows\system32\drivers\Apowersoft_AudioDevice.sys --> C:\Windows\system32\drivers\Apowersoft_AudioDevice.sys [?]R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;C:\Windows\system32\Drivers\nx6000.sys --> C:\Windows\system32\Drivers\nx6000.sys [?]R3 splunkdrv-win6;splunkdrv-win6;C:\Program Files\Splunk\bin\splunkdrv-win6.sys [2011-7-14 37752]R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-10-29 136176]S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-10-29 136176]S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]S3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]S3 wxpSvc;webcamXP Service;C:\Program Files (x86)\wLite\wService.exe [2010-5-2 5027328].=============== Created Last 30 ================.2012-07-23 15:27:17 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Pieklu2012-07-23 15:27:17 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Efgag2012-07-23 15:27:17 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Byxi2012-07-23 10:26:57 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Xakiy2012-07-23 10:26:57 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Isnyad2012-07-23 10:26:57 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Efusa2012-07-23 05:26:51 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Vuiv2012-07-23 05:26:51 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Qoict2012-07-23 05:26:51 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Ovby2012-07-23 00:26:41 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Nava2012-07-23 00:26:41 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Byyx2012-07-23 00:26:41 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Avze2012-07-22 19:26:56 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Uqxowa2012-07-22 19:26:56 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Upkood2012-07-22 19:26:56 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Qenyav2012-07-22 14:25:18 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Ucgao2012-07-22 14:25:18 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Opnyz2012-07-22 14:25:18 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Myif2012-07-22 06:09:23 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Xinyym2012-07-22 06:09:23 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Afviad2012-07-22 06:09:23 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Adoruk2012-07-22 01:09:14 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Uwpeu2012-07-22 01:09:14 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Ebzail2012-07-22 01:09:14 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Anqu2012-07-21 21:39:04 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys2012-07-21 21:39:04 -------- d-----w- C:\ProgramData\Malwarebytes2012-07-21 21:39:03 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware2012-07-21 20:13:04 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Ynor2012-07-21 20:13:04 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Yltuo2012-07-21 20:13:04 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Kuuhxo2012-07-21 19:21:56 -------- d-----w- C:\ProgramData\PLAV2012-07-21 19:20:24 -------- d-----w- C:\ProgramData\ParetoLogic Anti-Virus PLUS2012-07-21 08:23:05 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Qutyox2012-07-21 08:23:05 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Qaup2012-07-21 08:23:05 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Noutr2012-07-21 03:22:58 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Haob2012-07-21 03:22:58 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Avriv2012-07-21 03:22:58 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Aspis2012-07-20 22:24:25 -------- d-----w- C:\Windows\System32\SPReview2012-07-20 22:23:51 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Zytyob2012-07-20 22:23:51 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Kedieb2012-07-20 22:23:51 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Fygec2012-07-20 22:23:16 -------- d-----w- C:\Windows\System32\EventProviders2012-07-20 11:29:50 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Ugocop2012-07-20 11:29:50 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Oxnu2012-07-20 11:29:50 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Baygor2012-07-20 06:29:30 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Paiki2012-07-20 06:29:30 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Icka2012-07-20 06:29:30 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Feyz2012-07-20 01:29:23 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Ymbe2012-07-20 01:29:23 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Miva2012-07-20 01:29:23 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Gahuuh2012-07-19 16:45:08 -------- d-----w- C:\DD-WRT bin2012-07-19 16:44:14 -------- d-----w- C:\App Remover2012-07-19 16:42:03 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Zusy2012-07-19 16:42:03 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Kapau2012-07-19 16:42:03 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Cucew2012-07-18 17:27:58 -------- d-----w- C:\SEP2012-07-18 15:13:01 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Malwarebytes2012-07-18 02:16:54 -------- d-----w- C:\Users\Rancher\AppData\Local\Threat Expert2012-07-18 01:43:28 348160 ----a-w- C:\Windows\SysWow64\MSVCR71.DLL2012-07-17 21:49:46 251528 ----a-w- C:\Windows\System32\drivers\PCTSD64.sys2012-07-17 21:49:46 -------- d-----w- C:\Program Files (x86)\Common Files\PC Tools2012-07-17 21:47:29 -------- d-----w- C:\ProgramData\PC Tools2012-07-17 21:47:28 -------- d-----w- C:\Users\Rancher\AppData\Roaming\TestApp2012-07-17 21:19:42 -------- d--h--w- C:\Users\Rancher\AppData\Roaming\815267D42012-07-17 20:18:05 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%2012-07-17 17:43:43 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Pieg2012-07-17 17:43:42 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Mutumo2012-07-17 17:43:42 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Aqruoz2012-07-17 12:41:03 9133488 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{270AE8F7-E834-4856-B201-9C7975642BD6}\mpengine.dll2012-07-11 10:05:02 3148800 ----a-w- C:\Windows\System32\win32k.sys2012-07-11 06:58:37 2004480 ----a-w- C:\Windows\System32\msxml6.dll2012-07-11 06:53:20 805376 ----a-w- C:\Windows\SysWow64\cdosys.dll2012-07-11 06:53:20 61440 ----a-w- C:\Program Files\Common Files\System\ado\msador15.dll2012-07-11 06:53:20 57344 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msador15.dll2012-07-11 06:53:20 495616 ----a-w- C:\Program Files\Common Files\System\ado\msadox.dll2012-07-11 06:53:20 466944 ----a-w- C:\Program Files\Common Files\System\ado\msadomd.dll2012-07-11 06:53:20 372736 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msadox.dll2012-07-11 06:53:20 352256 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msadomd.dll2012-07-11 06:53:20 258048 ----a-w- C:\Program Files\Common Files\System\msadc\msadco.dll2012-07-11 06:53:20 212992 ----a-w- C:\Program Files (x86)\Common Files\System\msadc\msadco.dll2012-07-11 06:53:20 1499136 ----a-w- C:\Program Files\Common Files\System\ado\msado15.dll2012-07-11 06:53:20 143360 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msjro.dll2012-07-11 06:53:20 1133568 ----a-w- C:\Windows\System32\cdosys.dll2012-07-11 06:53:20 1019904 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msado15.dll2012-07-01 17:13:26 -------- d-----w- C:\Users\Rancher\AppData\Local\MetaGeek,_LLC2012-07-01 17:06:13 -------- d-----w- C:\Program Files (x86)\MetaGeek2012-07-01 16:54:56 -------- d-----w- C:\ProgramData\Oberon Media2012-07-01 16:54:56 -------- d-----w- C:\Program Files (x86)\Oberon Media2012-07-01 16:54:50 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Oberon Media2012-07-01 16:54:50 -------- d-----w- C:\ProgramData\GamesBar2012-07-01 16:54:47 -------- d-----w- C:\Program Files (x86)\GamesBar2012-07-01 16:54:47 -------- d-----w- C:\Program Files (x86)\Common Files\Oberon Media.==================== Find3M ====================.2012-07-20 22:35:11 175616 ----a-w- C:\Windows\System32\msclmd.dll2012-07-20 22:35:11 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll2012-06-06 06:06:16 1881600 ----a-w- C:\Windows\System32\msxml3.dll2012-06-06 05:05:52 1390080 ----a-w- C:\Windows\SysWow64\msxml6.dll2012-06-06 05:05:52 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll2012-06-02 22:19:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll2012-06-02 22:15:31 2622464 ----a-w- C:\Windows\System32\wucltux.dll2012-06-02 22:15:12 36864 ----a-w- C:\Windows\System32\wuapp.exe2012-06-02 22:15:08 99840 ----a-w- C:\Windows\System32\wudriver.dll2012-06-02 12:12:17 2311680 ----a-w- C:\Windows\System32\jscript9.dll2012-06-02 12:05:28 1392128 ----a-w- C:\Windows\System32\wininet.dll2012-06-02 12:04:50 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl2012-06-02 12:01:40 173056 ----a-w- C:\Windows\System32\ieUnatt.exe2012-06-02 11:57:08 2382848 ----a-w- C:\Windows\System32\mshtml.tlb2012-06-02 08:33:25 1800192 ----a-w- C:\Windows\SysWow64\jscript9.dll2012-06-02 08:25:08 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll2012-06-02 08:25:03 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl2012-06-02 08:20:33 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe2012-06-02 08:16:52 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb2012-06-02 05:50:10 458704 ----a-w- C:\Windows\System32\drivers\cng.sys2012-06-02 05:48:16 95600 ----a-w- C:\Windows\System32\drivers\ksecdd.sys2012-06-02 05:48:16 151920 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys2012-06-02 05:45:31 340992 ----a-w- C:\Windows\System32\schannel.dll2012-06-02 05:44:21 307200 ----a-w- C:\Windows\System32\ncrypt.dll2012-06-02 04:40:42 22016 ----a-w- C:\Windows\SysWow64\secur32.dll2012-06-02 04:40:39 225280 ----a-w- C:\Windows\SysWow64\schannel.dll2012-06-02 04:39:10 219136 ----a-w- C:\Windows\SysWow64\ncrypt.dll2012-06-02 04:34:09 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll2012-05-31 19:25:12 279656 ------w- C:\Windows\System32\MpSigStub.exe2012-05-04 11:06:22 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe2012-05-04 10:03:53 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe2012-05-04 10:03:50 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe2012-05-01 05:40:20 209920 ----a-w- C:\Windows\System32\profsvc.dll2012-04-28 03:55:21 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys2012-04-26 05:41:56 77312 ----a-w- C:\Windows\System32\rdpwsx.dll2012-04-26 05:41:55 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll2012-04-26 05:34:27 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe.============= FINISH: 9:37:06.58 ===============Any and all help will be appreciated!Rancher Link to post Share on other sites More sharing options...
Staff screen317 Posted July 23, 2012 Staff ID:575151 Share Posted July 23, 2012 Hi and welcome to Malwarebytes. Please update MBAM, run a Quick Scan, and post its log. Next, please visit this webpage for instructions for running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix When the tool is finished, it will produce a report for you.Please post the contents of C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system. Link to post Share on other sites More sharing options...
azrancher Posted July 23, 2012 Author ID:575211 Share Posted July 23, 2012 <div id="yiv1703862802"><div id="yui_3_2_0_1_1343063671497210"><div id="yui_3_2_0_1_1343063671497209" style="color: rgb(0, 0, 0); font-family: times new roman, new york, times, serif; font-size: 12pt; background-color: rgb(255, 255, 255);"><div>Had an error window when using Combofix:</div><div> </div><div>Application has generated an exception that could not be handled</div><div>Process ID=0xa74 (2676)</div><div>Thread ID=0x87c (2172)</div><div> </div><div>But the log printed after I chose Cancel.</div><div> </div><div id="yui_3_2_0_1_1343063671497217">Malwarebytes Anti-Malware (Trial) 1.62.0.1300<br /><a href="http://www.malwarebytes.org/" rel="nofollow" target="_blank">http://www.malwarebytes.org/</a></div><div>Database version: v2012.07.23.10</div><div>Windows 7 Service Pack 1 x64 NTFS<br />Internet Explorer 9.0.8112.16421<br />Rancher :: ROCKYCREEK-ST1 [administrator]</div><div>Protection: Enabled</div><div>7/23/2012 11:12:27 AM<br />mbam-log-2012-07-23 (11-12-27).txt</div><div>Scan type: Quick scan<br />Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM<br />Scan options disabled: P2P<br />Objects scanned: 258656<br />Time elapsed: 1 minute(s), 33 second(s)</div><div>Memory Processes Detected: 0<br />(No malicious items detected)</div><div>Memory Modules Detected: 0<br />(No malicious items detected)</div><div>Registry Keys Detected: 0<br />(No malicious items detected)</div><div>Registry Values Detected: 0<br />(No malicious items detected)</div><div>Registry Data Items Detected: 0<br />(No malicious items detected)</div><div>Folders Detected: 0<br />(No malicious items detected)</div><div>Files Detected: 0<br />(No malicious items detected)</div><div>(end)<br /> </div><div> </div><div>ComboFix 12-07-24.01 - Rancher 07/23/2012 11:17:25.1.8 - x64<br />Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.12279.9002 [GMT -7:00]<br />Running from: c:\users\Rancher\Downloads\ComboFix.exe<br />SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}<br />.<br />.<br />((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))<br />.<br />.<br />c:\program files (x86)\Search Toolbar<br />c:\program files (x86)\Search Toolbar\icon.ico<br />c:\program files (x86)\Search Toolbar\SearchToolbar.dll<br />c:\program files (x86)\Search Toolbar\SearchToolbarUninstall.exe<br />c:\program files (x86)\Search Toolbar\SearchToolbarUpdater.exe<br />c:\users\Rancher\AppData\Roaming\Adoruk<br />c:\users\Rancher\AppData\Roaming\Adoruk\laqo.cye<br />c:\users\Rancher\AppData\Roaming\Afviad<br />c:\users\Rancher\AppData\Roaming\Afviad\ihnyi.iho<br />c:\users\Rancher\AppData\Roaming\Anqu<br />c:\users\Rancher\AppData\Roaming\Anqu\aqid.etw<br />c:\users\Rancher\AppData\Roaming\Aqruoz<br />c:\users\Rancher\AppData\Roaming\Aqruoz\yhmoa.exe<br />c:\users\Rancher\AppData\Roaming\Aspis<br />c:\users\Rancher\AppData\Roaming\Aspis\duolu.sey<br />c:\users\Rancher\AppData\Roaming\Avriv<br />c:\users\Rancher\AppData\Roaming\Avriv\ylwe.exe<br />c:\users\Rancher\AppData\Roaming\Avze<br />c:\users\Rancher\AppData\Roaming\Avze\fied.epb<br />c:\users\Rancher\AppData\Roaming\Baygor<br />c:\users\Rancher\AppData\Roaming\Baygor\agem.hyy<br />c:\users\Rancher\AppData\Roaming\Byxi<br />c:\users\Rancher\AppData\Roaming\Byxi\ahnuu.nai<br />c:\users\Rancher\AppData\Roaming\Byyx<br />c:\users\Rancher\AppData\Roaming\Byyx\axuf.exe<br />c:\users\Rancher\AppData\Roaming\Cucew<br />c:\users\Rancher\AppData\Roaming\Cucew\opnoi.kei<br />c:\users\Rancher\AppData\Roaming\Ebzail<br />c:\users\Rancher\AppData\Roaming\Ebzail\lues.ahi<br />c:\users\Rancher\AppData\Roaming\Efgag<br />c:\users\Rancher\AppData\Roaming\Efgag\enfiy.exe<br />c:\users\Rancher\AppData\Roaming\Efusa<br />c:\users\Rancher\AppData\Roaming\Efusa\seyny.exe<br />c:\users\Rancher\AppData\Roaming\Feyz<br />c:\users\Rancher\AppData\Roaming\Feyz\yxox.exe<br />c:\users\Rancher\AppData\Roaming\Fygec<br />c:\users\Rancher\AppData\Roaming\Fygec\cafun.ubw<br />c:\users\Rancher\AppData\Roaming\Gahuuh<br />c:\users\Rancher\AppData\Roaming\Gahuuh\dyxo.exe<br />c:\users\Rancher\AppData\Roaming\Haob<br />c:\users\Rancher\AppData\Roaming\Haob\yhyzu.uri<br />c:\users\Rancher\AppData\Roaming\Icka<br />c:\users\Rancher\AppData\Roaming\Icka\apino.oga<br />c:\users\Rancher\AppData\Roaming\Isnyad<br />c:\users\Rancher\AppData\Roaming\Isnyad\uvkea.bai<br />c:\users\Rancher\AppData\R oaming\Kapau<br />c:\users\Rancher\AppData\Roaming\Kapau\gazo.fuy<br />c:\users\Rancher\AppData\Roaming\Kedieb<br />c:\users\Rancher\AppData\Roaming\Kedieb\fyuzo.exe<br />c:\users\Rancher\AppData\Roaming\Kuuhxo<br />c:\users\Rancher\AppData\Roaming\Kuuhxo\caik.dio<br />c:\users\Rancher\AppData\Roaming\Microsoft\~DFK5c9cc74a.tmp<br />c:\users\Rancher\AppData\Roaming\Microsoft\1eaadjc.dll<br />c:\users\Rancher\AppData\Roaming\Microsoft\bass.dll<br />c:\users\Rancher\AppData\Roaming\Microsoft\engine_vx.dll<br />c:\users\Rancher\AppData\Roaming\Microsoft\peaadje.dll<br />c:\users\Rancher\AppData\Roaming\Microsoft\qwadjb.dll<br />c:\users\Rancher\AppData\Roaming\Microsoft\rsaadjd.dll<br />c:\users\Rancher\AppData\Roaming\Miva<br />c:\users\Rancher\AppData\Roaming\Miva\etyb.hic<br />c:\users\Rancher\AppData\Roaming\Myif<br />c:\users\Rancher\AppData\Roaming\Myif\axcav.aqd<br />c:\users\Rancher\AppData\Roaming\Nava<br />c:\users\Rancher\AppData\Roaming\Nava\yhsa.omd<br />c:\users\Rancher\AppData\R oaming\Noutr<br />c:\users\Rancher\AppData\Roaming\Noutr\veugl.sif<br />c:\users\Rancher\AppData\Roaming\Opnyz<br />c:\users\Rancher\AppData\Roaming\Opnyz\qotai.exe<br />c:\users\Rancher\AppData\Roaming\Ovby<br />c:\users\Rancher\AppData\Roaming\Ovby\gyxu.kiy<br />c:\users\Rancher\AppData\Roaming\Oxnu<br />c:\users\Rancher\AppData\Roaming\Oxnu\imivs.puy<br />c:\users\Rancher\AppData\Roaming\Paiki<br />c:\users\Rancher\AppData\Roaming\Paiki\naahr.hav<br />c:\users\Rancher\AppData\Roaming\Pieklu<br />c:\users\Rancher\AppData\Roaming\Pieklu\obek.esx<br />c:\users\Rancher\AppData\Roaming\Qaup<br />c:\users\Rancher\AppData\Roaming\Qaup\biliu.exe<br />c:\users\Rancher\AppData\Roaming\Qenyav<br />c:\users\Rancher\AppData\Roaming\Qenyav\zeyp.itw<br />c:\users\Rancher\AppData\Roaming\Qoict<br />c:\users\Rancher\AppData\Roaming\Qoict\hibav.cef<br />c:\users\Rancher\AppData\Roaming\Qutyox<br />c:\users\Rancher\AppData\Roaming\Qutyox\ofhyb.ila<br />c:\users\Rancher\AppData\Roaming\Ucgao<br />c:\users\Ranch er\AppData\Roaming\Ucgao\simur.wer<br />c:\users\Rancher\AppData\Roaming\Ugocop<br />c:\users\Rancher\AppData\Roaming\Ugocop\ezule.exe<br />c:\users\Rancher\AppData\Roaming\Upkood<br />c:\users\Rancher\AppData\Roaming\Upkood\ohhi.exe<br />c:\users\Rancher\AppData\Roaming\Uqxowa<br />c:\users\Rancher\AppData\Roaming\Uqxowa\seci.uro<br />c:\users\Rancher\AppData\Roaming\Uwpeu<br />c:\users\Rancher\AppData\Roaming\Uwpeu\akopz.exe<br />c:\users\Rancher\AppData\Roaming\Vuiv<br />c:\users\Rancher\AppData\Roaming\Vuiv\puqau.exe<br />c:\users\Rancher\AppData\Roaming\Xakiy<br />c:\users\Rancher\AppData\Roaming\Xakiy\emahe.eqg<br />c:\users\Rancher\AppData\Roaming\Xinyym<br />c:\users\Rancher\AppData\Roaming\Xinyym\ylat.exe<br />c:\users\Rancher\AppData\Roaming\Yltuo<br />c:\users\Rancher\AppData\Roaming\Yltuo\elrif.huu<br />c:\users\Rancher\AppData\Roaming\Ymbe<br />c:\users\Rancher\AppData\Roaming\Ymbe\buot.arq<br />c:\users\Rancher\AppData\Roaming\Ynor<br />c:\users\Rancher\AppData\Roaming\Ynor\ehqu .exe<br />c:\users\Rancher\AppData\Roaming\Zusy<br />c:\users\Rancher\AppData\Roaming\Zusy\caykx.exe<br />c:\users\Rancher\AppData\Roaming\Zytyob<br />c:\users\Rancher\AppData\Roaming\Zytyob\ucozh.sud<br />c:\windows\Installer\{ca3bcf3c-1eca-c859-cb02-33ec77d20950}\@<br />c:\windows\Installer\{ca3bcf3c-1eca-c859-cb02-33ec77d20950}\L\00000004.@<br />c:\windows\Installer\{ca3bcf3c-1eca-c859-cb02-33ec77d20950}\L\1afb2d56<br />c:\windows\Installer\{ca3bcf3c-1eca-c859-cb02-33ec77d20950}\L\201d3dde<br />c:\windows\Installer\{ca3bcf3c-1eca-c859-cb02-33ec77d20950}\U\00000004.@<br />c:\windows\Installer\{ca3bcf3c-1eca-c859-cb02-33ec77d20950}\U\000000cb.@<br />c:\windows\Installer\{ca3bcf3c-1eca-c859-cb02-33ec77d20950}\U\80000000.@<br />c:\windows\Installer\{ca3bcf3c-1eca-c859-cb02-33ec77d20950}\U\80000032.@<br />c:\windows\Installer\{ca3bcf3c-1eca-c859-cb02-33ec77d20950}\U\80000064.@<br />.<br />.<br />((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))<br />.<br />.<br />-------\Legacy_KXESCORE<br />.<br />.<br />((((((((((((((((((((((((( Files Created from 2012-06-23 to 2012-07-23 )))))))))))))))))))))))))))))))<br />.<br />.<br />2012-07-23 18:24 . 2012-07-23 18:24 -------- d-----w- c:\users\Terri\AppData\Local\temp<br />2012-07-23 18:24 . 2012-07-23 18:24 -------- d-----w- c:\users\Default\AppData\Local\temp<br />2012-07-23 18:24 . 2012-07-23 18:24 -------- d-----w- c:\users\_ocster_backup_\AppData\Local\temp<br />2012-07-21 21:39 . 2012-07-21 21:39 -------- d-----w- c:\programdata\Malwarebytes<br />2012-07-21 21:39 . 2012-07-03 20:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys<br />2012-07-21 21:39 . 2012-07-21 22:49 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware<br />2012-07-21 19:21 . 2012-07-21 22:38 -------- d-----w- c:\programdata\PLAV<br />2012-07-21 19:20 . 2012-07-21 19:20 -------- d-----w- c:\programdata\ParetoLogic Anti-Virus PLUS<br />2012-07-20 22:24 . 2012-07-20 22:24 -------- d-----w- c:\windows\system32\SPReview<br />2012-07-20 22:23 . 2012-07-20 22:23 -------- d-----w- c:\windows\system32\EventProviders<br />2012-07-19 16:45 . 2012-07-19 16:45 -------- d-----w- C:\DD-WRT bin<br />2012-07-19 16:44 . 2012-07-19 16:44 -------- d-----w- C:\App Remover<br />2012-07-18 17:27 . 2012-07-18 17:28 -------- d-----w- C:\SEP<br />2012-07-18 15:13 . 2012-07-21 21:39 -------- d-----w- c:\users\Rancher\AppData\Roaming\Malwarebytes<br />2012-07-18 02:16 . 2012-07-18 02:16 -------- d-----w- c:\users\Rancher\AppData\Local\Threat Expert<br />2012-07-18 01:43 . 2007-03-22 03:33 348160 ----a-w- c:\windows\SysWow64\MSVCR71.DLL<br />2012-07-17 21:49 . 2012-07-18 21:47 -------- d-----w- c:\program files (x86)\Common Files\PC Tools<br />2012-07-17 21:49 . 2012-05-11 18:14 251528 ----a-w- c:\windows\system32\drivers\PCTSD64.sys<br />2012-07-17 21:47 . 2012-07-18 21:46 -------- d-----w- c:\programdata\PC Tools<br />2012-07-17 21:47 . 2012-07-17 21:47 -------- d-----w- c:\users\Rancher\AppData\Roaming\TestApp<br />2012-07-17 21:19 . 2012-07-18 14:16 -------- d--h--w- c:\users\Rancher\AppData\Roaming\815267D4<br />2012-07-17 20:18 . 2012-07-17 20:18 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%<br />2012-07-17 17:43 . 2012-07-17 17:43 -------- d-----w- c:\users\Rancher\AppData\Roaming\Pieg<br />2012-07-17 17:43 . 2012-07-23 13:33 -------- d-----w- c:\users\Rancher\AppData\Roaming\Mutumo<br />2012-07-17 12:41 . 2012-06-29 10:04 9133488 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{270AE8F7-E834-4856-B201-9C7975642BD6}\mpengine.dll<br />2012-07-11 10:05 . 2012-06-12 03:08 3148800 ----a-w- c:\windows\system32\win32k.sys<br />2012-07-11 06:58 . 2012-06-06 06:06 2004480 ----a-w- c:\windows\system32\msxml6.dll<br />2012-07-11 06:53 . 2012-06-06 06:05 495616 ----a-w- c:\program files\Common Files\System\ado\msadox.dll<br />2012-07-11 06:53 . 2012-06-06 06:05 61440 ----a-w- c:\program files\Common Files\System\ado\msador15.dll<br />2012-07-11 06:53 . 2012-06-06 06:05 466944 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll<br />2012-07-11 06:53 . 2012-06-06 06:05 1499136 ----a-w- c:\program files\Common Files\System\ado\msado15.dll<br />2012-07-11 06:53 . 2012-06-06 06:05 258048 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll<br />2012-07-11 06:53 . 2012-06-06 06:02 1133568 ----a-w- c:\windows\system32\cdosys.dll<br />2012-07-11 06:53 . 2012-06-06 05:05 143360 ----a-w- c:\program files (x86)\Common Files\System\ado\msjro.dll<br />2012-07-11 06:53 . 2012-06-06 05:05 372736 ----a-w- c:\program files (x86)\Common Files\System\ado\msadox.dll<br />2012-07-11 06:53 . 2012-06-06 05:05 57344 ----a-w- c:\program files (x86)\Common Files\System\ado\msador15.dll<br />2012-07-11 06:53 . 2012-06-06 05:05 352256 ----a-w- c:\program files (x86)\Common Files\System\ado\msadomd.dll<br />2012-07-11 06:53 . 2012-06-06 05:05 212992 ----a-w- c:\program files (x86)\Common Files\System\msadc\msadco.dll<br />2012-07-11 06:53 . 2012-06-06 05:05 1019904 ----a-w- c:\program files (x86)\Common Files\System\ado\msado15.dll<br />2012-07-11 06:53 . 2012-06-06 05:03 805376 ----a-w- c:\windows\SysWow64\cdosys.dll<br />2012-07-01 17:13 . 2012-07-01 17:13 -------- d-----w- c:\users\Rancher\AppData\Local\MetaGeek,_LLC<br />2012-07-01 17:06 . 2012-07-01 17:06 -------- d-----w- c:\program files (x86)\MetaGeek<br />2012-07-01 16:54 . 2012-07-01 16:54 -------- d-----w- c:\programdata\Oberon Media<br />2012-07-01 16:54 . 2012-07-01 16:54 -------- d-----w- c:\program files (x86)\Oberon Media<br />2012-07-01 16:54 . 2012-07-01 16:54 -------- d-----w- c:\users\Rancher\AppData\Roaming\Oberon Media<br />2012-07-01 16:54 . 2012-07-01 16:54 -------- d-----w- c:\programdata\GamesBar<br />2012-07-01 16:54 . 2012-07-01 16:54 -------- d-----w- c:\program files (x86)\GamesBar<br />2012-07-01 16:54 . 2012-07-01 16:54 -------- d-----w- c:\program files (x86)\Common Files\Oberon Media<br />.<br />.<br />.<br />(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))<br />.<br />2012-07-20 22:35 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll<br />2012-07-20 22:35 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll<br />2012-07-11 10:02 . 2010-04-07 23:52 59701280 ----a-w- c:\windows\system32\MRT.exe<br />2012-06-02 22:19 . 2012-06-22 18:49 38424 ----a-w- c:\windows\system32\wups.dll<br />2012-06-02 22:19 . 2012-06-22 18:50 2428952 ----a-w- c:\windows\system32\wuaueng.dll<br />2012-06-02 22:19 . 2012-06-22 18:50 57880 ----a-w- c:\windows\system32\wuauclt.exe<br />2012-06-02 22:19 . 2012-06-22 18:50 44056 ----a-w- c:\windows\system32\wups2.dll<br />2012-06-02 22:19 . 2012-06-22 18:49 186752 ----a-w- c:\windows\system32\wuwebv.dll<br />2012-06-02 22:19 . 2012-06-22 18:49 701976 ----a-w- c:\windows\system32\wuapi.dll<br />2012-06-02 22:15 . 2012-06-22 18:50 2622464 ----a-w- c:\windows\system32\wucltux.dll<br />2012-06-02 22:15 . 2012-06-22 18:49 36864 ----a-w- c:\windows\system32\wuapp.exe<br />2012-06-02 22:15 . 2012-06-22 18:49 99840 ----a-w- c:\windows\system32\wudriver.dll<br />2012-05-31 19:25 . 2010-04-02 00:54 279656 ------w- c:\windows\system32\MpSigStub.exe<br />2012-05-04 11:06 . 2012-06-13 01:19 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe<br />2012-05-04 10:03 . 2012-06-13 01:19 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe<br />2012-05-04 10:03 . 2012-06-13 01:19 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe<br />2012-05-01 05:40 . 2012-06-13 01:20 209920 ----a-w- c:\windows\system32\profsvc.dll<br />2012-04-28 03:55 . 2012-06-13 01:16 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys<br />2012-04-26 05:41 . 2012-06-13 01:25 77312 ----a-w- c:\windows\system32\rdpwsx.dll<br />2012-04-26 05:41 . 2012-06-13 01:25 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll<br />2012-04-26 05:34 . 2012-06-13 01:25 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe<br />.<br />.<br />((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))<br />.<br />.<br />*Note* empty entries & legit default entries are not shown<br />REGEDIT4<br />.<br />[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]<br />"wLite"="c:\program files (x86)\wLite\wLite.exe" [2010-05-02 5611520]<br />"Messenger (Yahoo!)"="c:\progra~2\Yahoo!\MESSEN~1\YahooMessenger.exe" [2011-08-22 6276408]<br />"SearchEngineProtection"="c:\program files (x86)\Gamesbar\SearchEngineProtection.exe" [2011-03-03 591248]<br />.<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]<br />"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]<br />"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]<br />"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]<br />"TkBellExe"="c:\program files (x86)\Real\RealPlayer\update\realsched.exe" [2010-10-29 274608]<br />"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]<br />.<br />c:\users\Rancher\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\<br />DeskPins.lnk - c:\program files (x86)\DeskPins\DeskPins.exe [2004-5-2 62464]<br />.<br />c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled<br />McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe [N/A]<br />.<br />[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]<br />"ConsentPromptBehaviorAdmin"= 0 (0x0)<br />"ConsentPromptBehaviorUser"= 3 (0x3)<br />"EnableLUA"= 0 (0x0)<br />"EnableUIADesktopToggle"= 0 (0x0)<br />"PromptOnSecureDesktop"= 0 (0x0)<br />.<br />R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]<br />R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-29 136176]<br />R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-29 136176]<br />R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]<br />R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]<br />R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-09 1255736]<br />R3 wxpSvc;webcamXP Service;c:\program files (x86)\wLite\wService.exe [2010-05-02 5027328]<br />S0 hotcore3;hc3ServiceName;c:\windows\system32\DRIVERS\hotcore3.sys [2010-09-15 37392]<br />S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]<br />S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336]<br />S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944]<br />S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35344]<br />S2 ocster_backup;Ocster Backup;c:\program files\Ocster Backup\bin\backupService-ox.exe [2011-05-19 21272]<br />S2 Splunkd;Splunkd;c:\program files\Splunk\bin\splunkd.exe service [x]<br />S2 Splunkweb;Splunkweb;c:\program files\Splunk\bin\splunkweb.exe [2011-07-14 21824]<br />S2 ZentimoService;Zentimo Assistant;c:\program files (x86)\Zentimo\ZentimoService.exe [2011-12-10 555844]<br />S3 Apowersoft_AudioDevice;Apowersoft_AudioDevice;c:\windows\system32\drivers\Apowersoft_AudioDevice.sys [2010-12-24 29288]<br />S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904]<br />S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\Drivers\nx6000.sys [2010-12-03 31744]<br />S3 splunkdrv-win6;splunkdrv-win6;c:\program files\Splunk\bin\splunkdrv-win6.sys [2011-07-14 37752]<br />S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-06-10 389120]<br />.<br />.<br />Contents of the 'Scheduled Tasks' folder<br />.<br />2012-07-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job<br />- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-29 20:38]<br />.<br />2012-07-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job<br />- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-29 20:38]<br />.<br />.<br />--------- X64 Entries -----------<br />.<br />.<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]<br />"combofix"="c:\combofix\CF27112.3XE" [2010-11-20 345088]<br />.<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]<br />"LoadAppInit_DLLs"=0x0<br />.<br />------- Supplementary Scan -------<br />.<br />uLocal Page = c:\windows\system32\blank.htm<br />uStart Page = about:blank<br />mLocal Page = c:\windows\system32\blank.htm<br />Trusted Zone: intuit.com\ttlc<br />TCP: Interfaces\{8CFE23FE-29C0-4597-B93A-FDE8449C99AB}: NameServer = 64.68.248.10,64.68.252.10<br />DPF: {8D59819B-2067-4A6B-84F4-7F84570E3C30} - hxxp://192.168.1.52/img/LinksysMLViewer.cab<br />DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} - hxxp://192.168.1.51/xplugLiteDL.cab<br />.<br />- - - - ORPHANS REMOVED - - - -<br />.<br />Toolbar-Locked - (no file)<br />Wow6432Node-HKCU-Run-fsm - (no file)<br />Wow6432Node-HKCU-Run-Unoselhic - c:\users\Rancher\AppData\Roaming\Aqruoz\yhmoa.exe<br />Wow6432Node-HKLM-Run-SunJavaUpdateSched - c:\program files (x86)\Java\jre6\bin\jusched.exe<br />WebBrowser-{B80F591E-FE9A-46CF-A13E-180377240586} - (no file)<br />AddRemove-Easy Watermark Studio2.1 - c:\program files (x86)\Easy Watermark Studio\Uninstall\uninstall.exe<br />AddRemove-Search Toolbar - c:\program files (x86)\Search Toolbar\SearchToolbarUninstall.exe<br />AddRemove-wLite - c:\program files (x86)\wLite\wl-uninst.exe<br />.<br />.<br />.<br />[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wxpSvc]<br />"ImagePath"="c:\program files (x86)\wLite\wService.exe /startedbyscm:5053B757-40E35B3B-webcamSRV"<br />.<br />--------------------- LOCKED REGISTRY KEYS ---------------------<br />.<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]<br />@Denied: (A 2) (Everyone)<br />@="FlashBroker"<br />"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11f_ActiveX.exe,-101"<br />.<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]<br />"Enabled"=dword:00000001<br />.<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]<br />@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11f_ActiveX.exe"<br />.<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]<br />@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"<br />.<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]<br />@Denied: (A 2) (Everyone)<br />@="Shockwave Flash Object"<br />.<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]<br />@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx"<br />"ThreadingModel"="Apartment"<br />.<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]<br />@="0"<br />.<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]<br />@="ShockwaveFlash.ShockwaveFlash.10"<br />.<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]<br />@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx, 1"<br />.<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]<br />@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"<br />.<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]<br />@="1.0"<br />.<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]<br />@="ShockwaveFlash.ShockwaveFlash"<br />.<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]<br />@Denied: (A 2) (Everyone)<br />@="Macromedia Flash Factory Object"<br />.<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]<br />@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx"<br />"ThreadingModel"="Apartment"<br />.<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]<br />@="FlashFactory.FlashFactory.1"<br />.<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]<br />@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx, 1"<br />.<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]<br />@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"<br />.<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]<br />@="1.0"<br />.<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]<br />@="FlashFactory.FlashFactory"<br />.<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]<br />@Denied: (A 2) (Everyone)<br />@="IFlashBroker4"<br />.<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]<br />@="{00020424-0000-0000-C000-000000000046}"<br />.<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]<br />@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"<br />"Version"="1.0"<br />.<br />[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]<br />@Denied: (Full) (Everyone)<br />.<br />------------------------ Other Running Processes ------------------------<br />.<br />c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe<br />c:\program files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe<br />c:\program files (x86)\Full Uninstall\FullUninstallAgent.exe<br />.<br />**************************************************************************<br />.<br />Completion time: 2012-07-23 11:40:25 - machine was rebooted<br />ComboFix-quarantined-files.txt 2012-07-23 18:40<br />.<br />Pre-Run: 78,291,451,904 bytes free<br />Post-Run: 79,412,862,976 bytes free<br />.<br />- - End Of File - - 538009FFBCB5B3CEC8A3873F423781F8</div><div> </div><div id="yui_3_2_0_1_1343063671497218">.<br />DDS (Ver_2011-08-26.01) - NTFSAMD64<br />Internet Explorer: 9.0.8112.16421<br />Run by Rancher at 12:06:45 on 2012-07-23<br />Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.12279.10315 [GMT -7:00]<br />.<br />SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}<br />.<br />============== Running Processes ===============<br />.<br />C:\Windows\system32\wininit.exe<br />C:\Windows\system32\lsm.exe<br />C:\Windows\system32\svchost.exe -k DcomLaunch<br />C:\Program Files (x86)\Zentimo\ZentimoService.exe<br />C:\Windows\system32\svchost.exe -k RPCSS<br />C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted<br />C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted<br />C:\Windows\system32\svchost.exe -k netsvcs<br />C:\Windows\system32\svchost.exe -k LocalService<br />C:\Windows\system32\svchost.exe -k NetworkService<br />C:\Windows\System32\spoolsv.exe<br />C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork<br />C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation<br />c:\Program Files\Ocster Backup\bin\backupService-ox.exe<br />C:\Program Files\Splunk\bin\splunkd.exe<br />C:\Windows\system32\conhost.exe<br />C:\Program Files\Splunk\bin\splunkweb.exe<br />c:\Program Files\Ocster Backup\bin\oxHelper.exe<br />C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe<br />C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe<br />C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe<br />C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe<br />C:\Program Files\Windows Media Player\wmpnetwk.exe<br />C:\Windows\system32\SearchIndexer.exe<br />C:\Windows\system32\Dwm.exe<br />C:\Windows\Explorer.EXE<br />C:\Windows\system32\taskhost.exe<br />C:\Windows\system32\taskeng.exe<br />C:\Program Files (x86)\Full Uninstall\FullUninstallAgent.exe<br />C:\Program Files (x86)\GamesBar\SearchEngineProtection.exe<br />C:\Program Files (x86)\DeskPins\DeskPins.exe<br />C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe<br />C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe<br />C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe<br />C:\Windows\system32\wbem\unsecapp.exe<br />C:\Program Files (x86)\Internet Explorer\iexplore.exe<br />C:\Program Files (x86)\Internet Explorer\iexplore.exe<br />C:\Program Files (x86)\Internet Explorer\iexplore.exe<br />C:\Windows\system32\NOTEPAD.EXE<br />C:\Windows\system32\taskhost.exe<br />C:\Windows\system32\DllHost.exe<br />C:\Windows\SysWOW64\cmd.exe<br />C:\Windows\system32\conhost.exe<br />C:\Windows\SysWOW64\cscript.exe<br />C:\Windows\system32\wbem\wmiprvse.exe<br />.<br />============== Pseudo HJT Report ===============<br />.<br />uStart Page = about:blank<br />BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn4\yt.dll<br />BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll<br />BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll<br />BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLL<br />BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll<br />BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll<br />BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll<br />BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn3\YTSingleInstance.dll<br />TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn4\yt.dll<br />TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll<br />TB: {B80F591E-FE9A-46CF-A13E-180377240586} - No File<br />TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File<br />uRun: [wLite] "C:\Program Files (x86)\wLite\wLite.exe" -auto<br />uRun: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet<br />uRun: [searchEngineProtection] C:\Program Files (x86)\Gamesbar\SearchEngineProtection.exe<br />mRun: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe<br />mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"<br />mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"<br />mRun: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot<br />mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray<br />StartupFolder: C:\Users\Rancher\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\DeskPins.lnk - C:\Program Files (x86)\DeskPins\DeskPins.exe<br />StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\AUTORU~1\MCAFEE~1.LNK - C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe<br />mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)<br />mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)<br />mPolicies-system: EnableLUA = 0 (0x0)<br />mPolicies-system: EnableUIADesktopToggle = 0 (0x0)<br />mPolicies-system: PromptOnSecureDesktop = 0 (0x0)<br />IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll<br />IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL<br />Trusted Zone: intuit.com\ttlc<br />DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab<br />DPF: {8D59819B-2067-4A6B-84F4-7F84570E3C30} - hxxp://192.168.1.52/img/LinksysMLViewer.cab<br />DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab<br />DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab<br />DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab<br />DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} - hxxp://192.168.1.51/xplugLiteDL.cab<br />DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab<br />TCP: Interfaces\{8CFE23FE-29C0-4597-B93A-FDE8449C99AB} : NameServer = 64.68.248.10,64.68.252.10<br />TCP: Interfaces\{8CFE23FE-29C0-4597-B93A-FDE8449C99AB}\25F434B49534255454B4 : DhcpNameServer = 64.68.248.10 64.68.252.10 64.68.244.250<br />Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~2\MICROS~1\Office12\GRA32A~1.DLL<br />Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL<br />SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLL<br />BHO-X64: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn4\yt.dll<br />BHO-X64: 0x1 - No File<br />BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll<br />BHO-X64: AcroIEHelperStub - No File<br />BHO-X64: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll<br />BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLL<br />BHO-X64: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll<br />BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll<br />BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll<br />BHO-X64: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn3\YTSingleInstance.dll<br />TB-X64: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn4\yt.dll<br />TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll<br />TB-X64: {B80F591E-FE9A-46CF-A13E-180377240586} - No File<br />TB-X64: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File<br />mRun-x64: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe<br />mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"<br />mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"<br />mRun-x64: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot<br />mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray<br />SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLL<br />.<br />============= SERVICES / DRIVERS ===============<br />.<br />R0 hotcore3;hc3ServiceName;C:\Windows\system32\DRIVERS\hotcore3.sys --> C:\Windows\system32\DRIVERS\hotcore3.sys [?]<br />R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]<br />R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-4-1 13336]<br />R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-7-21 655944]<br />R2 ocster_backup;Ocster Backup;C:\Program Files\Ocster Backup\bin\backupService-ox.exe [2011-5-18 21272]<br />R2 Splunkd;Splunkd;C:\Program Files\Splunk\bin\splunkd.exe [2011-7-14 23355200]<br />R2 Splunkweb;Splunkweb;C:\Program Files\Splunk\bin\splunkweb.exe [2011-7-14 21824]<br />R2 ZentimoService;Zentimo Assistant;C:\Program Files (x86)\Zentimo\ZentimoService.exe [2011-12-12 555844]<br />R3 Apowersoft_AudioDevice;Apowersoft_AudioDevice;C:\Windows\system32\drivers\Apowersoft_AudioDevice.sys --> C:\Windows\system32\drivers\Apowersoft_AudioDevice.sys [?]<br />R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]<br />R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;C:\Windows\system32\Drivers\nx6000.sys --> C:\Windows\system32\Drivers\nx6000.sys [?]<br />R3 splunkdrv-win6;splunkdrv-win6;C:\Program Files\Splunk\bin\splunkdrv-win6.sys [2011-7-14 37752]<br />R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]<br />S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]<br />S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]<br />S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-10-29 136176]<br />S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-10-29 136176]<br />S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]<br />S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]<br />S3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]<br />S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]<br />S3 wxpSvc;webcamXP Service;C:\Program Files (x86)\wLite\wService.exe [2010-5-2 5027328]<br />.<br />=============== Created Last 30 ================<br />.<br />2012-07-23 18:15:50 98816 ----a-w- C:\Windows\sed.exe<br />2012-07-23 18:15:50 518144 ----a-w- C:\Windows\SWREG.exe<br />2012-07-23 18:15:50 256000 ----a-w- C:\Windows\PEV.exe<br />2012-07-23 18:15:50 208896 ----a-w- C:\Windows\MBR.exe<br />2012-07-21 21:39:04 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys<br />2012-07-21 21:39:04 -------- d-----w- C:\ProgramData\Malwarebytes<br />2012-07-21 21:39:03 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware<br />2012-07-21 19:21:56 -------- d-----w- C:\ProgramData\PLAV<br />2012-07-21 19:20:24 -------- d-----w- C:\ProgramData\ParetoLogic Anti-Virus PLUS<br />2012-07-20 22:24:25 -------- d-----w- C:\Windows\System32\SPReview<br />2012-07-20 22:23:16 -------- d-----w- C:\Windows\System32\EventProviders<br />2012-07-19 16:45:08 -------- d-----w- C:\DD-WRT bin<br />2012-07-19 16:44:14 -------- d-----w- C:\App Remover<br />2012-07-18 17:27:58 -------- d-----w- C:\SEP<br />2012-07-18 15:13:01 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Malwarebytes<br />2012-07-18 02:16:54 -------- d-----w- C:\Users\Rancher\AppData\Local\Threat Expert<br />2012-07-18 01:43:28 348160 ----a-w- C:\Windows\SysWow64\MSVCR71.DLL<br />2012-07-17 21:49:46 251528 ----a-w- C:\Windows\System32\drivers\PCTSD64.sys<br />2012-07-17 21:49:46 -------- d-----w- C:\Program Files (x86)\Common Files\PC Tools<br />2012-07-17 21:47:29 -------- d-----w- C:\ProgramData\PC Tools<br />2012-07-17 21:47:28 -------- d-----w- C:\Users\Rancher\AppData\Roaming\TestApp<br />2012-07-17 21:19:42 -------- d--h--w- C:\Users\Rancher\AppData\Roaming\815267D4<br />2012-07-17 20:18:05 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%<br />2012-07-17 17:43:43 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Pieg<br />2012-07-17 17:43:42 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Mutumo<br />2012-07-17 12:41:03 9133488 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{270AE8F7-E834-4856-B201-9C7975642BD6}\mpengine.dll<br />2012-07-11 10:05:02 3148800 ----a-w- C:\Windows\System32\win32k.sys<br />2012-07-11 06:58:37 2004480 ----a-w- C:\Windows\System32\msxml6.dll<br />2012-07-11 06:53:20 805376 ----a-w- C:\Windows\SysWow64\cdosys.dll<br />2012-07-11 06:53:20 61440 ----a-w- C:\Program Files\Common Files\System\ado\msador15.dll<br />2012-07-11 06:53:20 57344 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msador15.dll<br />2012-07-11 06:53:20 495616 ----a-w- C:\Program Files\Common Files\System\ado\msadox.dll<br />2012-07-11 06:53:20 466944 ----a-w- C:\Program Files\Common Files\System\ado\msadomd.dll<br />2012-07-11 06:53:20 372736 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msadox.dll<br />2012-07-11 06:53:20 352256 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msadomd.dll<br />2012-07-11 06:53:20 258048 ----a-w- C:\Program Files\Common Files\System\msadc\msadco.dll<br />2012-07-11 06:53:20 212992 ----a-w- C:\Program Files (x86)\Common Files\System\msadc\msadco.dll<br />2012-07-11 06:53:20 1499136 ----a-w- C:\Program Files\Common Files\System\ado\msado15.dll<br />2012-07-11 06:53:20 143360 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msjro.dll<br />2012-07-11 06:53:20 1133568 ----a-w- C:\Windows\System32\cdosys.dll<br />2012-07-11 06:53:20 1019904 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msado15.dll<br />2012-07-01 17:13:26 -------- d-----w- C:\Users\Rancher\AppData\Local\MetaGeek,_LLC<br />2012-07-01 17:06:13 -------- d-----w- C:\Program Files (x86)\MetaGeek<br />2012-07-01 16:54:56 -------- d-----w- C:\ProgramData\Oberon Media<br />2012-07-01 16:54:56 -------- d-----w- C:\Program Files (x86)\Oberon Media<br />2012-07-01 16:54:50 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Oberon Media<br />2012-07-01 16:54:50 -------- d-----w- C:\ProgramData\GamesBar<br />2012-07-01 16:54:47 -------- d-----w- C:\Program Files (x86)\GamesBar<br />2012-07-01 16:54:47 -------- d-----w- C:\Program Files (x86)\Common Files\Oberon Media<br />.<br />==================== Find3M ====================<br />.<br />2012-07-20 22:35:11 175616 ----a-w- C:\Windows\System32\msclmd.dll<br />2012-07-20 22:35:11 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll<br />2012-06-06 06:06:16 1881600 ----a-w- C:\Windows\System32\msxml3.dll<br />2012-06-06 05:05:52 1390080 ----a-w- C:\Windows\SysWow64\msxml6.dll<br />2012-06-06 05:05:52 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll<br />2012-06-02 22:19:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll<br />2012-06-02 22:15:31 2622464 ----a-w- C:\Windows\System32\wucltux.dll<br />2012-06-02 22:15:12 36864 ----a-w- C:\Windows\System32\wuapp.exe<br />2012-06-02 22:15:08 99840 ----a-w- C:\Windows\System32\wudriver.dll<br />2012-06-02 12:12:17 2311680 ----a-w- C:\Windows\System32\jscript9.dll<br />2012-06-02 12:05:28 1392128 ----a-w- C:\Windows\System32\wininet.dll<br />2012-06-02 12:04:50 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl<br />2012-06-02 12:01:40 173056 ----a-w- C:\Windows\System32\ieUnatt.exe<br />2012-06-02 11:57:08 2382848 ----a-w- C:\Windows\System32\mshtml.tlb<br />2012-06-02 08:33:25 1800192 ----a-w- C:\Windows\SysWow64\jscript9.dll<br />2012-06-02 08:25:08 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll<br />2012-06-02 08:25:03 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl<br />2012-06-02 08:20:33 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe<br />2012-06-02 08:16:52 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb<br />2012-06-02 05:50:10 458704 ----a-w- C:\Windows\System32\drivers\cng.sys<br />2012-06-02 05:48:16 95600 ----a-w- C:\Windows\System32\drivers\ksecdd.sys<br />2012-06-02 05:48:16 151920 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys<br />2012-06-02 05:45:31 340992 ----a-w- C:\Windows\System32\schannel.dll<br />2012-06-02 05:44:21 307200 ----a-w- C:\Windows\System32\ncrypt.dll<br />2012-06-02 04:40:42 22016 ----a-w- C:\Windows\SysWow64\secur32.dll<br />2012-06-02 04:40:39 225280 ----a-w- C:\Windows\SysWow64\schannel.dll<br />2012-06-02 04:39:10 219136 ----a-w- C:\Windows\SysWow64\ncrypt.dll<br />2012-06-02 04:34:09 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll<br />2012-05-31 19:25:12 279656 ------w- C:\Windows\System32\MpSigStub.exe<br />2012-05-04 11:06:22 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe<br />2012-05-04 10:03:53 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe<br />2012-05-04 10:03:50 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe<br />2012-05-01 05:40:20 209920 ----a-w- C:\Windows\System32\profsvc.dll<br />2012-04-28 03:55:21 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys<br />2012-04-26 05:41:56 77312 ----a-w- C:\Windows\System32\rdpwsx.dll<br />2012-04-26 05:41:55 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll<br />2012-04-26 05:34:27 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe<br />.<br />============= FINISH: 12:07:03.93 ===============</div></div></div></div><p> </p> Link to post Share on other sites More sharing options...
Staff screen317 Posted July 25, 2012 Staff ID:576142 Share Posted July 25, 2012 Hi, Next, please run a free online scan with the ESET Online Scanner Note: You will need to use Internet Explorer for this scan.Tick the box next to YES, I accept the Terms of Use.Click StartWhen asked, allow the ActiveX control to installClick StartMake sure that the options Remove found threats and the option Scan unwanted applications is checkedClick Scan Wait for the scan to finishUse Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txtCopy and paste that log as a reply to this topic Next, download my Security Check from here or here.Save it to your Desktop.Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.A Notepad document should open automatically called checkup.txt; please post the contents of that document. Let me know how things are running now and what issues remain. Link to post Share on other sites More sharing options...
azrancher Posted July 25, 2012 Author ID:576557 Share Posted July 25, 2012 ESETSmartInstaller@High as CAB hook log:OnlineScanner64.ocx - registred OKOnlineScanner.ocx - registred OK# version=7# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)# OnlineScanner.ocx=1.0.0.6583# api_version=3.0.2# EOSSerial=8bf021ef0783de4d8d7ef6fb7ae48340# end=finished# remove_checked=true# archives_checked=true# unwanted_checked=true# unsafe_checked=true# antistealth_checked=true# utc_time=2012-07-25 05:37:47# local_time=2012-07-25 10:37:47 (-0700, US Mountain Standard Time)# country="United States"# lang=1033# osver=6.1.7601 NT Service Pack 1# compatibility_mode=5893 16776573 100 94 0 94776530 0 0# compatibility_mode=8192 67108863 100 0 0 0 0 0# scanned=321531# found=22# cleaned=22# scan_time=4787C:\Program Files (x86)\FoxTabMP4Converter\MP4Converter.exe a variant of Win32/InstallCore.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 CC:\Qoobox\Quarantine\C\Program Files (x86)\Search Toolbar\SearchToolbar.dll.vir Win32/Toolbar.Zugo application (cleaned by deleting - quarantined) 00000000000000000000000000000000 CC:\Qoobox\Quarantine\C\Users\Rancher\AppData\Roaming\Aqruoz\yhmoa.exe.vir a variant of Win32/Kryptik.AITE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 CC:\Qoobox\Quarantine\C\Users\Rancher\AppData\Roaming\Avriv\ylwe.exe.vir a variant of Win32/Kryptik.AITE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 CC:\Qoobox\Quarantine\C\Users\Rancher\AppData\Roaming\Byyx\axuf.exe.vir a variant of Win32/Kryptik.AITE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 CC:\Qoobox\Quarantine\C\Users\Rancher\AppData\Roaming\Efgag\enfiy.exe.vir a variant of Win32/Kryptik.AITE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 CC:\Qoobox\Quarantine\C\Users\Rancher\AppData\Roaming\Efusa\seyny.exe.vir a variant of Win32/Kryptik.AITE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 CC:\Qoobox\Quarantine\C\Users\Rancher\AppData\Roaming\Feyz\yxox.exe.vir a variant of Win32/Kryptik.AITE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 CC:\Qoobox\Quarantine\C\Users\Rancher\AppData\Roaming\Gahuuh\dyxo.exe.vir a variant of Win32/Kryptik.AITE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 CC:\Qoobox\Quarantine\C\Users\Rancher\AppData\Roaming\Kedieb\fyuzo.exe.vir a variant of Win32/Kryptik.AITE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 CC:\Qoobox\Quarantine\C\Users\Rancher\AppData\Roaming\Opnyz\qotai.exe.vir a variant of Win32/Kryptik.AITE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 CC:\Qoobox\Quarantine\C\Users\Rancher\AppData\Roaming\Qaup\biliu.exe.vir a variant of Win32/Kryptik.AITE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 CC:\Qoobox\Quarantine\C\Users\Rancher\AppData\Roaming\Ugocop\ezule.exe.vir a variant of Win32/Kryptik.AITE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 CC:\Qoobox\Quarantine\C\Users\Rancher\AppData\Roaming\Upkood\ohhi.exe.vir a variant of Win32/Kryptik.AITE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 CC:\Qoobox\Quarantine\C\Users\Rancher\AppData\Roaming\Uwpeu\akopz.exe.vir a variant of Win32/Kryptik.AITE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 CC:\Qoobox\Quarantine\C\Users\Rancher\AppData\Roaming\Vuiv\puqau.exe.vir a variant of Win32/Kryptik.AITE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 CC:\Qoobox\Quarantine\C\Users\Rancher\AppData\Roaming\Xinyym\ylat.exe.vir a variant of Win32/Kryptik.AITE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 CC:\Qoobox\Quarantine\C\Users\Rancher\AppData\Roaming\Ynor\ehqu.exe.vir a variant of Win32/Kryptik.AITE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 CC:\Qoobox\Quarantine\C\Users\Rancher\AppData\Roaming\Zusy\caykx.exe.vir a variant of Win32/Kryptik.AITE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 CC:\Qoobox\Quarantine\C\Windows\Installer\{ca3bcf3c-1eca-c859-cb02-33ec77d20950}\U\80000032.@.vir a variant of Win32/Sirefef.FD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 CC:\Users\Rancher\AppData\Local\{ca3bcf3c-1eca-c859-cb02-33ec77d20950}\U\80000000.@ Win64/Sirefef.AE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 CC:\Users\Rancher\AppData\Local\{ca3bcf3c-1eca-c859-cb02-33ec77d20950}\U\80000064.@ Win64/Sirefef.AN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 CResults of screen317's Security Check version 0.99.43Windows 7 Service Pack 1 x64 (UAC is disabled!)Internet Explorer 9``````````````Antivirus/Firewall Check:``````````````Windows Firewall Enabled!WMI entry may not exist for antivirus; attempting automatic update.`````````Anti-malware/Other Utilities Check:`````````Malwarebytes Anti-Malware version 1.62.0.1300ExifCleaner 1.6Java 6 Update 21Java 6 Update 3Java version out of Date!Adobe Reader 9 Adobe Reader out of Date!````````Process Check: objlist.exe by Laurent````````Malwarebytes Anti-Malware mbamservice.exeMalwarebytes Anti-Malware mbamgui.exe`````````````````System Health check`````````````````Total Fragmentation on Drive C: 0%````````````````````End of Log`````````````````````` Link to post Share on other sites More sharing options...
Staff screen317 Posted July 26, 2012 Staff ID:577119 Share Posted July 26, 2012 Hi,Delete this folder if present:C:\Users\Rancher\AppData\Local\{ca3bcf3c-1eca-c859-cb02-33ec77d20950Run TFC by OldTimer to clear temporary files:Please download TFC from here and save it to your desktop.Close any open programs and Internet browsers.Double click TFC.exe to run it and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.Please be patient as clearing out temp files may take a while.Once it completes you may be prompted to restart your computer, please do so.Once it's finished you may delete TFC.exe from your Desktop or save it for later use for the cleaning of temporary files.Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstallThis uninstalls all of ComboFix's components.Delete SecurityCheck.After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program (if present):Java™ 6 Update 21Java™ 6 Update 3Adobe Reader 9Restart your computer.Get the latest version of Java, Adobe Reader, and Adobe Flash Player.Let me know what issues remain. Link to post Share on other sites More sharing options...
azrancher Posted July 27, 2012 Author ID:577608 Share Posted July 27, 2012 OK did all this, re-ran ESET scanner, it found one more thing, I quarinteened that, everything seems OK now.BUT what started all this was I cannot load Symantic SEP v 11.0..5002.333 that has been loaded on all my other computers (4), 3 running Windows 7 64, and one running Vista..It will not load and rolls back, and then gives you the pending changes screen if yoiu try to load it again, wanting you to re-boot, but that makes no difference.Is theer a location for experts on how to fix this problem, I've been all over Symantec's forum.Rancher Link to post Share on other sites More sharing options...
Staff screen317 Posted July 30, 2012 Staff ID:578345 Share Posted July 30, 2012 Hi,Unfortunately I don't know that much about how Symantec's programs work. You'd have better luck at their own forum but it seems that they haven't been able to help.. What have they been saying? What you can try doing is posting in our PC Help forum section where multiple people can look at your topic. If someone's seen it before I'm sure they'll chime in with a solution.Let me know how it goes. Link to post Share on other sites More sharing options...
Staff screen317 Posted August 7, 2012 Staff ID:581903 Share Posted August 7, 2012 Are you still with us? This topic will be closed in a few days if we do not hear back from you. Link to post Share on other sites More sharing options...
Staff screen317 Posted August 15, 2012 Staff ID:585395 Share Posted August 15, 2012 Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts