Jump to content

Trojans Keep Returning


Recommended Posts

Hey, a couple days ago Mcafee went crazy finding a ton of malicious files. After reading around and finding that my security was garbage I installed the free version of your product and it removed several files. It popped up again a few days later, and after about a week, today, it popped up again with a huge amount of files quarantined. I appreciate any help with this, thanks.

Link to post
Share on other sites

:welcome: I am TheDarkKnight and will be assisting you. Please ask questions if anything is unclear. :)

Please re-run a scan with MBAM. Allow it to fix anything it finds and then post the contents of the log in your reply.

=====

  • Also, please download DDS by sUBs from one of the following links. Save it to your Desktop.

    NOTE: Before scanning, make sure all other running programs are closed.

    There shouldn't be any scheduled antivirus scans running while the scan is being performed.

    Do not use your computer for anything else during the scan.

    [*]Double click on the DDS icon and allow it to run.

    [*]A small box will open, with an explanation about the tool. No input is needed, the scan is running.

    [*]Notepad will open with the results.

    [*]Follow the instructions that pop up for posting the results.

=====

In your reply please provide the contents of both logs.

Link to post
Share on other sites

Here's the MBAM log:

Malwarebytes Anti-Malware (Trial) 1.70.0.1100

www.malwarebytes.org

Database version: v2013.01.07.03

Windows 7 Service Pack 1 x86 NTFS

Internet Explorer 9.0.8112.16421

Allan :: VINCENTPRICE [administrator]

Protection: Enabled

1/7/2013 10:28:19 PM

mbam-log-2013-01-07 (22-28-19).txt

Scan type: Full scan (C:\|D:\|Q:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 306779

Time elapsed: 43 minute(s), 27 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 2

HKCR\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32| (Trojan.0Access) -> Bad: (C:\$Recycle.Bin\S-1-5-18\$b27192da75a7840537918232e90cd930\n.) Good: (fastprox.dll) -> Quarantined and repaired successfully.

HKCR\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InProcServer32| (Trojan.0Access) -> Bad: (C:\$Recycle.Bin\S-1-5-21-1474778107-3533465811-3742675228-1002\$b27192da75a7840537918232e90cd930\n.) Good: (shell32.dll) -> Quarantined and repaired successfully.

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

Here's the DDS Log:

DDS (Ver_2012-11-20.01) - NTFS_x86

Internet Explorer: 9.0.8112.16457 BrowserJavaVersion: 1.6.0_32

Run by Allan at 22:45:41 on 2013-01-07

Microsoft Windows 7 Starter 6.1.7601.1.1252.1.1033.18.1013.228 [GMT -8:00]

.

AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}

FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}

.

============== Running Processes ================

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\WLANExt.exe

C:\Windows\system32\conhost.exe

C:\Windows\System32\spoolsv.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Windows\system32\dlcjcoms.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe

C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE

C:\Windows\system32\taskhost.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe

C:\Windows\system32\igfxsrvc.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Program Files\Battery Meter\BTMeter.exe

C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe

C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe

C:\Program Files\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe

C:\Program Files\WSED\WSED.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe

C:\Program Files\Dell Photo AIO Printer 964\memcard.exe

C:\Program Files\Logitech\SetPointP\SetPoint.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Windows\system32\taskhost.exe

C:\Program Files\BYOND\bin\byond.exe

C:\Users\Allan\AppData\Local\Temp\2jfuweif.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Windows\system32\consent.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

.

============== Pseudo HJT Report ===============

.

uStart Page = www.dell.com

uDefault_Page_URL = www.dell.com

BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Logitech SetPoint: {AF949550-9094-4807-95EC-D1C317803333} - c:\program files\logitech\setpointp\SetPointSmooth.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll

TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet

uRun: [steam] "c:\program files\steam\Steam.exe" -silent

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s

mRun: [bTMeter] c:\program files\battery meter\BTMeter.exe

mRun: [Dell Webcam Central] "c:\program files\dell webcam\dell webcam central\WebcamDell2.exe" /mode2

mRun: [RemoteControl9] "c:\program files\cyberlink\powerdvd9\PDVD9Serv.exe"

mRun: [PDVD9LanguageShortcut] "c:\program files\cyberlink\powerdvd9\language\Language.exe"

mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\oem\12.0\sharedcom\RoxWatchTray12OEM.exe"

mRun: [Desktop Disc Tool] "c:\program files\roxio\oem\roxio burn\RoxioBurnLauncher.exe"

mRun: [WSED] c:\program files\wsed\WSED.exe

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [DLCJCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCJtime.dll,_RunDLLEntry@16

mRun: [dlcjmon.exe] "c:\program files\dell photo aio printer 964\dlcjmon.exe"

mRun: [MemoryCardManager] "c:\program files\dell photo aio printer 964\memcard.exe"

mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming

StartupFolder: c:\users\allan\appdata\roaming\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\common files\logishrd\ereg\setpoint\eReg.exe

mPolicies-System: ConsentPromptBehaviorAdmin = dword:5

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableUIADesktopToggle = dword:0

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

LSP: mswsock.dll

DPF: {1DC420F0-D89A-40D0-B5CC-92B9AD19A1AC} - hxxp://down.hangame.co.jp/jp/dist/hgstart/HGPluginJP28.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab

DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.5.1.0.cab

TCP: NameServer = 192.168.1.1

TCP: Interfaces\{4B27CF3C-D7AD-4AC6-B536-D87E594C0A79} : DHCPNameServer = 192.168.1.1

TCP: Interfaces\{4B27CF3C-D7AD-4AC6-B536-D87E594C0A79}\14625462C472370205562737F6E616C6027594D26494 : DHCPNameServer = 10.0.1.1

TCP: Interfaces\{4B27CF3C-D7AD-4AC6-B536-D87E594C0A79}\2375942554832353 : DHCPNameServer = 192.168.1.254

TCP: Interfaces\{4B27CF3C-D7AD-4AC6-B536-D87E594C0A79}\55C4834553 : DHCPNameServer = 192.168.1.1

TCP: Interfaces\{4B27CF3C-D7AD-4AC6-B536-D87E594C0A79}\74F6C666023456E6472716C6 : DHCPNameServer = 71.9.127.107 68.190.192.35 24.205.224.36

TCP: Interfaces\{4B27CF3C-D7AD-4AC6-B536-D87E594C0A79}\D616279656 : DHCPNameServer = 192.168.1.1

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll

Notify: igfxcui - igfxdev.dll

Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

SSODL: WebCheck - <orphaned>

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\allan\appdata\roaming\mozilla\firefox\profiles\kgvuflc5.default\

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL

FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\battlelog web plugins\1.118.0\npesnlaunch.dll

FF - plugin: c:\program files\battlelog web plugins\sonar\0.70.4\npesnsonar.dll

FF - plugin: c:\program files\byond\bin\npbyond.dll

FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll

FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npbyond.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - plugin: c:\users\allan\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll

FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_135.dll

FF - plugin: c:\windows\system32\npdeployJava1.dll

FF - plugin: c:\windows\system32\npmproxy.dll

.

---- FIREFOX POLICIES ----

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

============= SERVICES / DRIVERS ===============

.

R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [2009-6-26 13680]

R2 cvhsvc;Client Virtualization Handler;c:\program files\common files\microsoft shared\virtualization handler\CVHSVC.EXE [2012-1-4 822624]

R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-1-2 398184]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-1-2 682344]

R2 sftlist;Application Virtualization Client;c:\program files\microsoft application virtualization client\sftlist.exe [2011-10-1 508776]

R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2011-11-23 143968]

R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [2012-9-18 43704]

R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [2012-9-18 12216]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-1-2 21104]

R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]

R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfslh.sys [2011-10-1 579944]

R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplaylh.sys [2011-10-1 194408]

R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirlh.sys [2011-10-1 21864]

R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvollh.sys [2011-10-1 19304]

R3 sftvsa;Application Virtualization Service Agent;c:\program files\microsoft application virtualization client\sftvsa.exe [2011-10-1 219496]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\common files\roxio shared\oem\12.0\sharedcom\RoxWatch12OEM.exe [2010-11-25 219632]

S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\drivers\CtAudDrv.sys [2011-11-23 134144]

S3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files\common files\roxio shared\oem\12.0\sharedcom\RoxMediaDB12OEM.exe [2010-11-25 1116656]

S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2011-11-23 174592]

S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-20 52224]

S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]

.

=============== Created Last 30 ================

.

2013-01-02 09:17:58 -------- d-----w- c:\users\allan\appdata\roaming\Malwarebytes

2013-01-02 09:17:30 -------- d-----w- c:\programdata\Malwarebytes

2013-01-02 09:17:27 21104 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-01-02 09:17:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2013-01-02 09:17:09 -------- d-----w- c:\users\allan\appdata\local\Programs

2012-12-21 11:00:20 295424 ----a-w- c:\windows\system32\atmfd.dll

2012-12-21 11:00:19 34304 ----a-w- c:\windows\system32\atmlib.dll

2012-12-13 01:19:53 2345984 ----a-w- c:\windows\system32\win32k.sys

2012-12-13 01:16:28 376832 ----a-w- c:\windows\system32\dpnet.dll

2012-12-13 01:15:11 2048 ----a-w- c:\windows\system32\tzres.dll

.

==================== Find3M ====================

.

2013-01-02 09:01:01 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-01-02 09:01:01 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-11-14 02:09:22 1800704 ----a-w- c:\windows\system32\jscript9.dll

2012-11-14 01:58:15 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-11-14 01:57:37 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-11-14 01:49:25 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-11-14 01:48:27 420864 ----a-w- c:\windows\system32\vbscript.dll

2012-11-14 01:44:42 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-11-07 09:32:08 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys

2012-10-16 07:39:52 561664 ----a-w- c:\windows\apppatch\AcLayers.dll

.

============= FINISH: 22:47:05.21 ===============

I also have the attach log if you need it.

Link to post
Share on other sites

Good evening Bluedragon07. :)

Thank you for the logs.

For x32 (x86) bit systems please download the Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.

For x64 bit systems please download the Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using the Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:


    • Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Command Prompt

[*]Select Command Prompt.

[*]In the command window type in notepad and press Enter.

[*]The notepad opens. Under File menu select Open.

[*]Select Computer, find your flash drive letter and close the notepad.

[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.

Note: Replace letter e with the drive letter of your flash drive.

[*]The tool will start to run.

[*]When the tool opens click Yes to the disclaimer.

[*]Press the Scan button.

[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it in your reply.

Link to post
Share on other sites

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 09-01-2013

Ran by SYSTEM at 09-01-2013 02:28:11

Running from E:\

Windows 7 Starter (X86) OS Language: English(US)

The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1692968 2010-02-05] (Synaptics Incorporated)

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s [7866912 2009-11-17] (Realtek Semiconductor)

HKLM\...\Run: [bTMeter] C:\Program Files\Battery Meter\BTMeter.exe [623984 2009-07-22] (Dell)

HKLM\...\Run: [Dell Webcam Central] "C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2 [409744 2009-06-24] (Creative Technology Ltd)

HKLM\...\Run: [RemoteControl9] "C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe" [87336 2010-10-01] (CyberLink Corp.)

HKLM\...\Run: [PDVD9LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD9\Language\Language.exe" [50472 2010-09-17] (CyberLink Corp.)

HKLM\...\Run: [] [x]

HKLM\...\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [240112 2010-11-25] (Sonic Solutions)

HKLM\...\Run: [Desktop Disc Tool] "C:\Program Files\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [514544 2010-11-17] ()

HKLM\...\Run: [WSED] C:\Program Files\WSED\WSED.exe [247080 2009-05-27] (Dell)

HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)

HKLM\...\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)

HKLM\...\Run: [DLCJCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\DLCJtime.dll,_RunDLLEntry@16 [73728 2006-10-20] ()

HKLM\...\Run: [dlcjmon.exe] "C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe" [439792 2007-01-12] (Dell)

HKLM\...\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 964\memcard.exe" [304008 2006-12-11] ()

HKLM\...\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming [1851192 2012-11-04] (Logitech, Inc.)

HKU\Allan\...\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet [6497592 2011-11-23] (Yahoo! Inc.)

HKU\Allan\...\Run: [steam] "C:\Program Files\Steam\Steam.exe" -silent [1354736 2012-12-04] (Valve Corporation)

Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll [X]

HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

Startup: C:\Users\Allan\Start Menu\Programs\Startup\Logitech . Product Registration.lnk

ShortcutTarget: Logitech . Product Registration.lnk -> C:\Program Files\Common Files\LogiShrd\eReg\SetPoint\eReg.exe (Leader Technologies/Logitech)

==================== Services (Whitelisted) ===================

2 dlcj_device; C:\Windows\system32\dlcjcoms.exe -service [537480 2006-12-11] ( )

2 MBAMScheduler; "C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe" [398184 2012-12-14] (Malwarebytes Corporation)

2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [682344 2012-12-14] (Malwarebytes Corporation)

3 RoxMediaDB12OEM; "C:\Program Files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe" [1116656 2010-11-25] (Sonic Solutions)

2 RoxWatch12; "C:\Program Files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe" [219632 2010-11-25] (Sonic Solutions)

==================== Drivers (Whitelisted) ====================

0 EMSC; C:\Windows\System32\DRIVERS\EMSC.SYS [13680 2009-06-26] (Windows ® Win 7 DDK provider)

3 LEqdUsb; C:\Windows\System32\Drivers\LEqdUsb.Sys [43704 2012-09-18] (Logitech, Inc.)

3 LHidEqd; C:\Windows\System32\Drivers\LHidEqd.Sys [12216 2012-09-18] (Logitech, Inc.)

3 LMouFilt; C:\Windows\System32\DRIVERS\LMouFilt.Sys [39608 2012-09-18] (Logitech, Inc.)

3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [21104 2012-12-14] (Malwarebytes Corporation)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-01-09 02:27 - 2013-01-09 02:27 - 00000000 ____D C:\FRST

2013-01-09 02:18 - 2013-01-09 02:18 - 00909506 ____A (Farbar) C:\Users\Allan\Downloads\FRST.exe

2013-01-07 22:47 - 2013-01-07 22:48 - 00013425 ____A C:\Users\Allan\Desktop\dds.txt

2013-01-07 22:47 - 2013-01-07 22:48 - 00006229 ____A C:\Users\Allan\Desktop\attach.txt

2013-01-07 22:44 - 2013-01-07 22:44 - 00688992 ____R (Swearware) C:\Users\Allan\Downloads\dds.com

2013-01-02 01:17 - 2013-01-02 01:17 - 00001077 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2013-01-02 01:17 - 2013-01-02 01:17 - 00000000 ____D C:\Users\Allan\AppData\Roaming\Malwarebytes

2013-01-02 01:17 - 2013-01-02 01:17 - 00000000 ____D C:\Users\All Users\Malwarebytes

2013-01-02 01:17 - 2013-01-02 01:17 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware

2013-01-02 01:17 - 2012-12-14 16:49 - 00021104 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2013-01-02 01:16 - 2013-01-02 01:16 - 10156344 ____A (Malwarebytes Corporation ) C:\Users\Allan\Downloads\mbam-setup-1.70.0.1100.exe

2012-12-28 16:03 - 2012-12-28 16:03 - 00000052 ____A C:\Users\Allan\Desktop\Interview.txt

2012-12-21 03:00 - 2012-12-16 06:13 - 00295424 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll

2012-12-21 03:00 - 2012-12-16 06:13 - 00034304 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll

2012-12-14 19:44 - 2012-11-13 18:48 - 12320256 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-12-14 19:44 - 2012-11-13 18:14 - 09738240 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-12-14 19:44 - 2012-11-13 18:09 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-12-14 19:44 - 2012-11-13 17:58 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-12-14 19:44 - 2012-11-13 17:57 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-12-14 19:44 - 2012-11-13 17:57 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-12-14 19:44 - 2012-11-13 17:55 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-12-14 19:44 - 2012-11-13 17:51 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-12-14 19:44 - 2012-11-13 17:49 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-12-14 19:44 - 2012-11-13 17:49 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-12-14 19:44 - 2012-11-13 17:48 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll

2012-12-14 19:44 - 2012-11-13 17:47 - 00607744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2012-12-14 19:44 - 2012-11-13 17:46 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-12-14 19:44 - 2012-11-13 17:45 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-12-14 19:44 - 2012-11-13 17:44 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-12-14 19:44 - 2012-11-13 17:41 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-12-12 17:19 - 2012-11-21 18:56 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-12-12 17:19 - 2012-10-04 08:47 - 00169984 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll

2012-12-12 17:19 - 2012-10-04 08:43 - 00868352 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll

2012-12-12 17:19 - 2012-10-04 08:43 - 00293376 ____A (Microsoft Corporation) C:\Windows\System32\KernelBase.dll

2012-12-12 17:19 - 2012-10-04 08:40 - 00005120 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll

2012-12-12 17:19 - 2012-10-04 08:40 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll

2012-12-12 17:19 - 2012-10-04 08:40 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll

2012-12-12 17:19 - 2012-10-04 08:40 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll

2012-12-12 17:19 - 2012-10-04 08:40 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll

2012-12-12 17:19 - 2012-10-04 08:40 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll

2012-12-12 17:19 - 2012-10-04 08:40 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll

2012-12-12 17:19 - 2012-10-04 08:40 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll

2012-12-12 17:19 - 2012-10-04 08:40 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll

2012-12-12 17:19 - 2012-10-04 08:40 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll

2012-12-12 17:19 - 2012-10-04 08:40 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll

2012-12-12 17:19 - 2012-10-04 08:40 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll

2012-12-12 17:19 - 2012-10-04 08:40 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll

2012-12-12 17:19 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll

2012-12-12 17:19 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll

2012-12-12 17:19 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll

2012-12-12 17:19 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll

2012-12-12 17:19 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll

2012-12-12 17:19 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll

2012-12-12 17:19 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll

2012-12-12 17:19 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll

2012-12-12 17:19 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll

2012-12-12 17:19 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll

2012-12-12 17:19 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll

2012-12-12 17:19 - 2012-10-04 06:57 - 00271360 ____A (Microsoft Corporation) C:\Windows\System32\conhost.exe

2012-12-12 17:19 - 2012-10-04 06:41 - 00006144 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll

2012-12-12 17:19 - 2012-10-04 06:41 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll

2012-12-12 17:19 - 2012-10-04 06:41 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll

2012-12-12 17:19 - 2012-10-04 06:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll

2012-12-12 17:16 - 2012-11-01 21:11 - 00376832 ____A (Microsoft Corporation) C:\Windows\System32\dpnet.dll

2012-12-12 17:15 - 2012-11-08 20:42 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll

==================== One Month Modified Files and Folders ========

2013-01-09 02:27 - 2013-01-09 02:27 - 00000000 ____D C:\FRST

2013-01-09 02:21 - 2011-11-23 14:43 - 01761495 ____A C:\Windows\WindowsUpdate.log

2013-01-09 02:21 - 2009-07-13 20:34 - 00016928 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-01-09 02:21 - 2009-07-13 20:34 - 00016928 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-01-09 02:18 - 2013-01-09 02:18 - 00909506 ____A (Farbar) C:\Users\Allan\Downloads\FRST.exe

2013-01-09 02:18 - 2010-11-20 13:01 - 00779700 ____A C:\Windows\System32\PerfStringBackup.INI

2013-01-09 01:58 - 2012-04-08 23:18 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-01-07 22:54 - 2012-04-08 23:18 - 00697272 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe

2013-01-07 22:54 - 2011-12-24 02:28 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl

2013-01-07 22:48 - 2013-01-07 22:47 - 00013425 ____A C:\Users\Allan\Desktop\dds.txt

2013-01-07 22:48 - 2013-01-07 22:47 - 00006229 ____A C:\Users\Allan\Desktop\attach.txt

2013-01-07 22:44 - 2013-01-07 22:44 - 00688992 ____R (Swearware) C:\Users\Allan\Downloads\dds.com

2013-01-04 03:27 - 2011-12-23 20:45 - 00000000 ____D C:\Users\Allan\AppData\Local\VirtualStore

2013-01-03 18:58 - 2009-07-13 20:52 - 00000000 ____D C:\Windows\System32\restore

2013-01-02 17:59 - 2012-06-01 17:07 - 00000000 ____D C:\Users\Allan\AppData\Roaming\Applian FLV and Media Player

2013-01-02 16:50 - 2012-06-26 03:55 - 00000000 ____D C:\Program Files\Steam

2013-01-02 10:42 - 2010-11-20 13:48 - 00082404 ____A C:\Windows\PFRO.log

2013-01-02 10:42 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-01-02 10:42 - 2009-07-13 20:39 - 00050576 ____A C:\Windows\setupact.log

2013-01-02 03:13 - 2012-06-26 03:55 - 00000000 ____D C:\Program Files\Common Files\Steam

2013-01-02 03:12 - 2011-11-23 14:00 - 00000000 ____D C:\Users\All Users\McAfee

2013-01-02 02:04 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\DriverStore

2013-01-02 02:02 - 2009-07-13 18:37 - 00000000 ___RD C:\users\Public

2013-01-02 01:17 - 2013-01-02 01:17 - 00001077 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2013-01-02 01:17 - 2013-01-02 01:17 - 00000000 ____D C:\Users\Allan\AppData\Roaming\Malwarebytes

2013-01-02 01:17 - 2013-01-02 01:17 - 00000000 ____D C:\Users\All Users\Malwarebytes

2013-01-02 01:17 - 2013-01-02 01:17 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware

2013-01-02 01:16 - 2013-01-02 01:16 - 10156344 ____A (Malwarebytes Corporation ) C:\Users\Allan\Downloads\mbam-setup-1.70.0.1100.exe

2012-12-28 16:03 - 2012-12-28 16:03 - 00000052 ____A C:\Users\Allan\Desktop\Interview.txt

2012-12-23 01:39 - 2009-07-13 20:33 - 00312472 ____A C:\Windows\System32\FNTCACHE.DAT

2012-12-18 18:56 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\rescache

2012-12-16 06:13 - 2012-12-21 03:00 - 00295424 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll

2012-12-16 06:13 - 2012-12-21 03:00 - 00034304 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll

2012-12-15 11:47 - 2012-09-10 12:57 - 00000000 ____D C:\Program Files\Dl_cats

2012-12-15 11:45 - 2012-05-07 16:54 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service

2012-12-15 11:43 - 2012-01-11 20:27 - 00000000 ____D C:\Users\Allan\AppData\Roaming\SoftGrid Client

2012-12-14 19:36 - 2012-11-29 04:30 - 65087872 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2012-12-14 16:49 - 2013-01-02 01:17 - 00021104 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

ZeroAccess:

C:\$Recycle.Bin\S-1-5-21-1474778107-3533465811-3742675228-1002\$b27192da75a7840537918232e90cd930

ZeroAccess:

C:\$Recycle.Bin\S-1-5-18\$b27192da75a7840537918232e90cd930

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-01-03 18:59:03

==================== Memory info ===========================

Percentage of memory in use: 49%

Total physical RAM: 1013.36 MB

Available physical RAM: 510.13 MB

Total Pagefile: 1013.36 MB

Available Pagefile: 505.74 MB

Total Virtual: 2047.88 MB

Available Virtual: 1960.7 MB

==================== Partitions =============================

1 Drive c: (OSDisk) (Fixed) (Total:135.38 GB) (Free:114.85 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

2 Drive d: (Recovery) (Fixed) (Total:13.67 GB) (Free:8.28 GB) NTFS

3 Drive e: () (Removable) (Total:1.83 GB) (Free:0.17 GB) FAT

4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 149 GB 0 B

Disk 1 Online 1876 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 135 GB 1024 KB

Partition 2 Primary 13 GB 135 GB

=========================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 0 C OSDisk NTFS Partition 135 GB Healthy

=========================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 D Recovery NTFS Partition 13 GB Healthy

=========================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 1875 MB 68 KB

=========================================================

Disk: 1

Partition 1

Type : 06

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 E FAT Removable 1875 MB Healthy

=========================================================

Last Boot: 2013-01-06 16:44

==================== End Of Log ============================

Link to post
Share on other sites

Good morning Bluedragon07. :)

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.

On Windows XP: Now please boot into the BartPE CD.

Please download the attached fixlist.txt.

Run FRST64 and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt). Please post it in your reply.

fixlist.txt

Link to post
Share on other sites

Sorry about the wait, here you go!

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 09-01-2013

Ran by SYSTEM at 2013-01-11 01:51:51 Run:1

Running from E:\

==============================================

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default value was restored successfully .

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}] should be deleted in normal mode (if present).

C:\$Recycle.Bin\S-1-5-21-1474778107-3533465811-3742675228-1002\$b27192da75a7840537918232e90cd930 moved successfully.

C:\$Recycle.Bin\S-1-5-18\$b27192da75a7840537918232e90cd930 moved successfully.

==== End of Fixlog ====

Link to post
Share on other sites

Good morning Bluedragon07. :)

Please run a fresh scan with MBAM and post its new log.

=====

Also, please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix (CF).

Please go here to see a list of programs that need to be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.**

**Note 2: If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.**

Please include the C:\ComboFix.txt in your next reply for further review.

=====

In your reply I would like to see the contents of the following logs please:

  • MBAM log.
  • ComboFix.txt.

How is your computer currently running?

Link to post
Share on other sites

Malwarebytes Anti-Malware (Trial) 1.70.0.1100

www.malwarebytes.org

Database version: v2013.01.07.03

Windows 7 Service Pack 1 x86 NTFS

Internet Explorer 9.0.8112.16421

Allan :: VINCENTPRICE [administrator]

Protection: Enabled

1/13/2013 1:10:33 AM

mbam-log-2013-01-13 (01-10-33).txt

Scan type: Full scan (C:\|D:\|Q:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 311893

Time elapsed: 57 minute(s), 57 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

omboFix 13-01-13.01 - Allan 01/13/2013 2:19.1.2 - x86

Microsoft Windows 7 Starter 6.1.7601.1.1252.1.1033.18.1013.323 [GMT -8:00]

Running from: c:\users\Allan\Desktop\ComboFix.exe

AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}

FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}

SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\Allan\AppData\Local\Microsoft\Windows\Temporary Internet Files\hgstarterjp_verinfo.dat

.

.

((((((((((((((((((((((((( Files Created from 2012-12-13 to 2013-01-13 )))))))))))))))))))))))))))))))

.

.

2013-01-10 11:34 . 2012-11-23 02:56 2345984 ----a-w- c:\windows\system32\win32k.sys

2013-01-10 11:34 . 2012-11-22 04:45 626688 ----a-w- c:\windows\system32\usp10.dll

2013-01-10 11:33 . 2012-11-09 04:43 492032 ----a-w- c:\windows\system32\win32spl.dll

2013-01-10 11:31 . 2012-12-07 10:46 43520 ----a-w- c:\windows\system32\csrr.rs

2013-01-09 11:00 . 2012-11-20 04:51 220160 ----a-w- c:\windows\system32\ncrypt.dll

2013-01-09 11:00 . 2012-11-23 02:48 49152 ----a-w- c:\windows\system32\taskhost.exe

2013-01-09 10:27 . 2013-01-09 10:27 -------- d-----w- C:\FRST

2013-01-02 09:17 . 2013-01-02 09:17 -------- d-----w- c:\users\Allan\AppData\Roaming\Malwarebytes

2013-01-02 09:17 . 2013-01-02 09:17 -------- d-----w- c:\programdata\Malwarebytes

2013-01-02 09:17 . 2012-12-15 00:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-01-02 09:17 . 2013-01-02 09:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2013-01-02 09:17 . 2013-01-02 09:17 -------- d-----w- c:\users\Allan\AppData\Local\Programs

2012-12-21 11:00 . 2012-12-16 14:13 295424 ----a-w- c:\windows\system32\atmfd.dll

2012-12-21 11:00 . 2012-12-16 14:13 34304 ----a-w- c:\windows\system32\atmlib.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-01-11 09:28 . 2012-04-09 07:18 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-01-11 09:28 . 2011-12-24 10:28 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-11-09 04:42 . 2012-12-13 01:15 2048 ----a-w- c:\windows\system32\tzres.dll

2012-11-07 09:32 . 2012-11-07 09:32 53248 ----a-r- c:\users\Allan\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe

2012-11-07 09:32 . 2012-11-07 09:32 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys

2012-11-02 05:11 . 2012-12-13 01:16 376832 ----a-w- c:\windows\system32\dpnet.dll

2012-10-18 22:06 . 2012-10-18 22:06 163056 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10142.bin

2012-10-16 07:39 . 2012-11-29 01:18 561664 ----a-w- c:\windows\apppatch\AcLayers.dll

2012-12-07 02:15 . 2012-10-17 19:02 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2011-11-24 6497592]

"Steam"="c:\program files\Steam\Steam.exe" [2012-12-04 1354736]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-02-05 1692968]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-10-05 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-10-05 173592]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-10-05 150552]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-11-17 7866912]

"BTMeter"="c:\program files\Battery Meter\BTMeter.exe" [2009-07-22 623984]

"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-06-24 409744]

"RemoteControl9"="c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe" [2010-10-01 87336]

"PDVD9LanguageShortcut"="c:\program files\CyberLink\PowerDVD9\Language\Language.exe" [2010-09-18 50472]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [2010-11-25 240112]

"Desktop Disc Tool"="c:\program files\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [2010-11-17 514544]

"WSED"="c:\program files\WSED\WSED.exe" [2009-05-27 247080]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]

"DLCJCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLCJtime.dll" [2006-10-20 73728]

"dlcjmon.exe"="c:\program files\Dell Photo AIO Printer 964\dlcjmon.exe" [2007-01-12 439792]

"MemoryCardManager"="c:\program files\Dell Photo AIO Printer 964\memcard.exe" [2006-12-11 304008]

"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2012-11-04 1851192]

.

c:\users\Allan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Logitech . Product Registration.lnk - c:\program files\Common Files\LogiShrd\eReg\SetPoint\eReg.exe [2009-11-16 517384]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2012-10-01 07:22 66360 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [x]

R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]

R3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\Drivers\CtAudDrv.sys [x]

R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]

S0 EMSC;COMPAL Embedded System Control;c:\windows\system32\DRIVERS\EMSC.SYS [x]

S2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [x]

S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]

S2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [x]

S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [x]

S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\Drivers\LEqdUsb.Sys [x]

S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\Drivers\LHidEqd.Sys [x]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]

S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]

S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]

S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]

S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]

S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]

S3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [x]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc

.

Contents of the 'Scheduled Tasks' folder

.

2013-01-13 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-09 09:28]

.

.

------- Supplementary Scan -------

.

uStart Page = www.dell.com

TCP: DhcpNameServer = 192.168.1.1

DPF: {1DC420F0-D89A-40D0-B5CC-92B9AD19A1AC} - hxxp://down.hangame.co.jp/jp/dist/hgstart/HGPluginJP28.cab

FF - ProfilePath - c:\users\Allan\AppData\Roaming\Mozilla\Firefox\Profiles\kgvuflc5.default\

FF - prefs.js: network.proxy.type - 0

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

AddRemove-Battlelog Web Plugins - c:\program files\Battlelog Web Plugins\uninstall.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\WLANExt.exe

c:\windows\system32\conhost.exe

c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe

c:\windows\system32\dlcjcoms.exe

c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

c:\windows\system32\taskhost.exe

c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

c:\windows\System32\WUDFHost.exe

c:\windows\System32\rundll32.exe

c:\windows\system32\conhost.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Synaptics\SynTP\SynTPHelper.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\program files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE

c:\program files\Yahoo!\Messenger\ymsgr_tray.exe

c:\windows\system32\sppsvc.exe

.

**************************************************************************

.

Completion time: 2013-01-13 02:40:56 - machine was rebooted

ComboFix-quarantined-files.txt 2013-01-13 10:40

.

Pre-Run: 121,298,931,712 bytes free

Post-Run: 121,624,911,872 bytes free

.

- - End Of File - - F0E7B01F1F90510373694BC31D9E82BB

It seems okay, maybe a little slow here and there.

Link to post
Share on other sites

Hello Bluedragon07. :)

Thank you for the logs.

Please download Malwarebytes Anti-Rootkit here.

  • Unzip the contents to a folder on the Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe ( right-click and select Run as administrator for Vista and Windows 7).
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Please post the two logs produced.

Please note: This tool is still in BETA mode, so please ensure you have backed up any important files.

=====

Also, please download AdwCleaner by Xplode onto your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[R1].txt as well.

=====

In your reply I would like to see the contents of the following logs please:

  • Both MBAR logs.
  • AdwCleaner[R1].txt.

What issues remain?

Link to post
Share on other sites

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1016

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x86

Account is Administrative

Internet Explorer version: 9.0.8112.16421

Java version: 1.6.0_32

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, Q:\ DRIVE_FIXED

CPU speed: 1.662000 GHz

Memory total: 1062584320, free: 362827776

------------ Kernel report ------------

01/17/2013 15:46:46

------------ Loaded modules -----------

\SystemRoot\system32\ntkrnlpa.exe

\SystemRoot\system32\halmacpi.dll

\SystemRoot\system32\kdcom.dll

\SystemRoot\system32\mcupdate_GenuineIntel.dll

\SystemRoot\system32\PSHED.dll

\SystemRoot\system32\BOOTVID.dll

\SystemRoot\system32\CLFS.SYS

\SystemRoot\system32\CI.dll

\SystemRoot\system32\drivers\Wdf01000.sys

\SystemRoot\system32\drivers\WDFLDR.SYS

\SystemRoot\system32\drivers\ACPI.sys

\SystemRoot\system32\drivers\WMILIB.SYS

\SystemRoot\system32\drivers\msisadrv.sys

\SystemRoot\system32\drivers\pci.sys

\SystemRoot\system32\drivers\vdrvroot.sys

\SystemRoot\System32\drivers\partmgr.sys

\SystemRoot\system32\DRIVERS\compbatt.sys

\SystemRoot\system32\DRIVERS\BATTC.SYS

\SystemRoot\system32\drivers\volmgr.sys

\SystemRoot\System32\drivers\volmgrx.sys

\SystemRoot\System32\drivers\mountmgr.sys

\SystemRoot\system32\drivers\atapi.sys

\SystemRoot\system32\drivers\ataport.SYS

\SystemRoot\system32\drivers\msahci.sys

\SystemRoot\system32\drivers\PCIIDEX.SYS

\SystemRoot\system32\drivers\amdxata.sys

\SystemRoot\system32\drivers\fltmgr.sys

\SystemRoot\system32\drivers\fileinfo.sys

\SystemRoot\System32\Drivers\PxHelp20.sys

\SystemRoot\System32\Drivers\Ntfs.sys

\SystemRoot\System32\Drivers\msrpc.sys

\SystemRoot\System32\Drivers\ksecdd.sys

\SystemRoot\System32\Drivers\cng.sys

\SystemRoot\System32\drivers\pcw.sys

\SystemRoot\System32\Drivers\Fs_Rec.sys

\SystemRoot\system32\drivers\ndis.sys

\SystemRoot\system32\drivers\NETIO.SYS

\SystemRoot\System32\Drivers\ksecpkg.sys

\SystemRoot\System32\drivers\tcpip.sys

\SystemRoot\System32\drivers\fwpkclnt.sys

\SystemRoot\system32\drivers\volsnap.sys

\SystemRoot\System32\Drivers\spldr.sys

\SystemRoot\System32\drivers\rdyboost.sys

\SystemRoot\System32\Drivers\mup.sys

\SystemRoot\System32\drivers\hwpolicy.sys

\SystemRoot\System32\DRIVERS\fvevol.sys

\SystemRoot\system32\DRIVERS\EMSC.SYS

\SystemRoot\system32\drivers\disk.sys

\SystemRoot\system32\drivers\CLASSPNP.SYS

\SystemRoot\System32\Drivers\Null.SYS

\SystemRoot\System32\Drivers\Beep.SYS

\SystemRoot\System32\drivers\vga.sys

\SystemRoot\System32\drivers\VIDEOPRT.SYS

\SystemRoot\System32\drivers\watchdog.sys

\SystemRoot\System32\DRIVERS\RDPCDD.sys

\SystemRoot\system32\drivers\rdpencdd.sys

\SystemRoot\system32\drivers\rdprefmp.sys

\SystemRoot\System32\Drivers\Msfs.SYS

\SystemRoot\System32\Drivers\Npfs.SYS

\SystemRoot\system32\DRIVERS\tdx.sys

\SystemRoot\system32\DRIVERS\TDI.SYS

\SystemRoot\System32\DRIVERS\netbt.sys

\SystemRoot\system32\drivers\afd.sys

\SystemRoot\system32\drivers\ws2ifsl.sys

\SystemRoot\system32\DRIVERS\wfplwf.sys

\SystemRoot\system32\DRIVERS\pacer.sys

\SystemRoot\system32\DRIVERS\vwififlt.sys

\SystemRoot\system32\DRIVERS\netbios.sys

\SystemRoot\system32\DRIVERS\wanarp.sys

\SystemRoot\system32\DRIVERS\termdd.sys

\SystemRoot\system32\DRIVERS\rdbss.sys

\SystemRoot\system32\drivers\nsiproxy.sys

\SystemRoot\system32\DRIVERS\mssmbios.sys

\SystemRoot\System32\drivers\discache.sys

\SystemRoot\System32\Drivers\dfsc.sys

\SystemRoot\system32\DRIVERS\blbdrive.sys

\SystemRoot\system32\DRIVERS\tunnel.sys

\SystemRoot\system32\DRIVERS\intelppm.sys

\SystemRoot\system32\DRIVERS\igdkmd32.sys

\SystemRoot\System32\drivers\dxgkrnl.sys

\SystemRoot\System32\drivers\dxgmms1.sys

\SystemRoot\system32\DRIVERS\HDAudBus.sys

\SystemRoot\system32\DRIVERS\Rt86win7.sys

\SystemRoot\system32\DRIVERS\bcmwl6.sys

\SystemRoot\system32\DRIVERS\vwifibus.sys

\SystemRoot\system32\drivers\usbuhci.sys

\SystemRoot\system32\drivers\USBPORT.SYS

\SystemRoot\system32\drivers\usbehci.sys

\SystemRoot\system32\DRIVERS\CmBatt.sys

\SystemRoot\system32\DRIVERS\i8042prt.sys

\SystemRoot\system32\DRIVERS\kbdclass.sys

\SystemRoot\system32\DRIVERS\SynTP.sys

\SystemRoot\system32\DRIVERS\USBD.SYS

\SystemRoot\system32\DRIVERS\mouclass.sys

\SystemRoot\system32\DRIVERS\CompositeBus.sys

\SystemRoot\system32\DRIVERS\AgileVpn.sys

\SystemRoot\system32\DRIVERS\rasl2tp.sys

\SystemRoot\system32\DRIVERS\ndistapi.sys

\SystemRoot\system32\DRIVERS\ndiswan.sys

\SystemRoot\system32\DRIVERS\raspppoe.sys

\SystemRoot\system32\DRIVERS\raspptp.sys

\SystemRoot\system32\DRIVERS\rassstp.sys

\SystemRoot\system32\DRIVERS\swenum.sys

\SystemRoot\system32\DRIVERS\ks.sys

\SystemRoot\system32\DRIVERS\umbus.sys

\SystemRoot\system32\DRIVERS\usbhub.sys

\SystemRoot\System32\Drivers\NDProxy.SYS

\SystemRoot\system32\drivers\RTKVHDA.sys

\SystemRoot\system32\drivers\portcls.sys

\SystemRoot\system32\drivers\drmk.sys

\SystemRoot\System32\Drivers\crashdmp.sys

\SystemRoot\System32\Drivers\dump_dumpata.sys

\SystemRoot\System32\Drivers\dump_msahci.sys

\SystemRoot\System32\Drivers\dump_dumpfve.sys

\SystemRoot\System32\win32k.sys

\SystemRoot\System32\drivers\Dxapi.sys

\SystemRoot\system32\DRIVERS\usbccgp.sys

\SystemRoot\system32\DRIVERS\hidusb.sys

\SystemRoot\system32\DRIVERS\HIDCLASS.SYS

\SystemRoot\system32\DRIVERS\HIDPARSE.SYS

\SystemRoot\System32\Drivers\LEqdUsb.Sys

\SystemRoot\system32\DRIVERS\kbdhid.sys

\SystemRoot\system32\DRIVERS\mouhid.sys

\SystemRoot\System32\Drivers\LHidEqd.Sys

\SystemRoot\system32\DRIVERS\LHidFilt.Sys

\SystemRoot\system32\DRIVERS\LMouFilt.Sys

\SystemRoot\System32\Drivers\RtsUStor.sys

\SystemRoot\System32\Drivers\usbvideo.sys

\SystemRoot\system32\DRIVERS\CtClsFlt.sys

\SystemRoot\System32\TSDDD.dll

\SystemRoot\System32\cdd.dll

\SystemRoot\System32\ATMFD.DLL

\SystemRoot\system32\drivers\luafv.sys

\??\C:\Windows\system32\drivers\mbam.sys

\SystemRoot\system32\DRIVERS\Sftvollh.sys

\SystemRoot\system32\DRIVERS\lltdio.sys

\SystemRoot\system32\DRIVERS\nwifi.sys

\SystemRoot\system32\DRIVERS\ndisuio.sys

\SystemRoot\system32\DRIVERS\rspndr.sys

\SystemRoot\System32\Drivers\fastfat.SYS

\SystemRoot\system32\drivers\HTTP.sys

\SystemRoot\System32\DRIVERS\srvnet.sys

\SystemRoot\system32\DRIVERS\vwifimp.sys

\SystemRoot\system32\DRIVERS\bowser.sys

\SystemRoot\System32\drivers\mpsdrv.sys

\SystemRoot\system32\DRIVERS\mrxsmb.sys

\SystemRoot\system32\DRIVERS\mrxsmb10.sys

\SystemRoot\system32\DRIVERS\mrxsmb20.sys

\SystemRoot\System32\DRIVERS\srv2.sys

\SystemRoot\System32\DRIVERS\srv.sys

\SystemRoot\system32\drivers\peauth.sys

\SystemRoot\System32\Drivers\secdrv.SYS

\SystemRoot\system32\DRIVERS\Sftfslh.sys

\SystemRoot\system32\DRIVERS\Sftplaylh.sys

\SystemRoot\System32\drivers\tcpipreg.sys

\SystemRoot\system32\DRIVERS\Sftredirlh.sys

\SystemRoot\system32\drivers\WudfPf.sys

\SystemRoot\system32\DRIVERS\WUDFRd.sys

\??\C:\Windows\system32\Drivers\PROCEXP113.SYS

\SystemRoot\system32\DRIVERS\monitor.sys

\??\C:\Windows\system32\drivers\mbamchameleon.sys

\??\C:\Windows\system32\drivers\mbamswissarmy.sys

\Windows\System32\ntdll.dll

\Windows\System32\smss.exe

\Windows\System32\apisetschema.dll

\Windows\System32\autochk.exe

\Windows\System32\nsi.dll

\Windows\System32\advapi32.dll

\Windows\System32\sechost.dll

\Windows\System32\imagehlp.dll

\Windows\System32\iertutil.dll

\Windows\System32\psapi.dll

\Windows\System32\urlmon.dll

\Windows\System32\setupapi.dll

\Windows\System32\msvcrt.dll

\Windows\System32\user32.dll

\Windows\System32\usp10.dll

\Windows\System32\kernel32.dll

\Windows\System32\clbcatq.dll

\Windows\System32\msctf.dll

\Windows\System32\Wldap32.dll

\Windows\System32\gdi32.dll

\Windows\System32\imm32.dll

\Windows\System32\lpk.dll

\Windows\System32\shlwapi.dll

\Windows\System32\ws2_32.dll

\Windows\System32\difxapi.dll

\Windows\System32\wininet.dll

\Windows\System32\comdlg32.dll

\Windows\System32\ole32.dll

\Windows\System32\rpcrt4.dll

\Windows\System32\shell32.dll

\Windows\System32\oleaut32.dll

\Windows\System32\normaliz.dll

\Windows\System32\KernelBase.dll

\Windows\System32\comctl32.dll

\Windows\System32\crypt32.dll

\Windows\System32\devobj.dll

\Windows\System32\wintrust.dll

\Windows\System32\cfgmgr32.dll

\Windows\System32\msasn1.dll

----------- End -----------

<<<1>>>

Upper Device Name: \Device\Harddisk1\DR1

Upper Device Object: 0xffffffff853d2610

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\0000007b\

Lower Device Object: 0xffffffff85387418

Lower Device Driver Name: \Driver\RSUSBSTOR\

Driver name found: RSUSBSTOR

Load Function returned 0xc0000001

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xffffffff845507c8

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\

Lower Device Object: 0xffffffff84437908

Lower Device Driver Name: \Driver\atapi\

Driver name found: atapi

Initialization returned 0x0

Port sub-driver loaded: \??\C:\Windows\System32\drivers\ataport.sys (0x0)

Load Function returned 0x0

Downloaded database version: v2013.01.17.09

Initializing...

Done!

<<<2>>>

Device number: 0, partition: 1

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xffffffff845507c8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff84550400, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xffffffff845507c8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

DevicePointer: 0xffffffff84456c10, DeviceName: Unknown, DriverName: \Driver\ACPI\

DevicePointer: 0xffffffff84437908, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\

------------ End ----------

Upper DeviceData: 0xffffffffb1210ca8, 0xffffffff845507c8, 0xffffffff839005f8

Lower DeviceData: 0xffffffffb1678008, 0xffffffff84437908, 0xffffffff8575d900

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Scanning directory: C:\Windows\system32\drivers...

Done!

Drive 0

Scanning MBR on drive 0...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: E57A60C3

Partition information:

Partition 0 type is Primary (0x7)

Partition is ACTIVE.

Partition starts at LBA: 2048 Numsec = 283904000

Partition file system is NTFS

Partition is bootable

Partition 1 type is Primary (0x7)

Partition is NOT ACTIVE.

Partition starts at LBA: 283906048 Numsec = 28672000

Partition 2 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Disk Size: 160041885696 bytes

Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-312561808-312581808)...

Physical Sector Size: 512

Drive: 1, DevicePointer: 0xffffffff853d2610, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff85387aa8, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xffffffff853d2610, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\

DevicePointer: 0xffffffff85387418, DeviceName: \Device\0000007b\, DriverName: \Driver\RSUSBSTOR\

------------ End ----------

Upper DeviceData: 0x0, 0x0, 0x0

Lower DeviceData: 0x0, 0x0, 0x0

Drive 1

Scanning MBR on drive 1...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: 0

Partition information:

Partition 0 type is Other (0x6)

Partition is NOT ACTIVE.

Partition starts at LBA: 137 Numsec = 3841911

Partition 1 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Disk Size: 1967128576 bytes

Sector size: 512 bytes

Done!

Performing system, memory and registry scan...

Done!

Scan finished

=======================================

Malwarebytes Anti-Rootkit BETA 1.01.0.1016

www.malwarebytes.org

Database version: v2013.01.17.09

Windows 7 Service Pack 1 x86 NTFS

Internet Explorer 9.0.8112.16421

Allan :: VINCENTPRICE [administrator]

1/17/2013 4:03:12 PM

mbar-log-2013-01-17 (16-03-12).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 28336

Time elapsed: 15 minute(s), 46 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

# AdwCleaner v2.106 - Logfile created 01/17/2013 at 16:05:57

# Updated 17/01/2013 by Xplode

# Operating system : Windows 7 Starter Service Pack 1 (32 bits)

# User : Allan - VINCENTPRICE

# Boot Mode : Normal

# Running from : C:\Users\Allan\Downloads\adwcleaner.exe

# Option [search]

***** [services] *****

***** [Files / Folders] *****

***** [Registry] *****

Key Found : HKLM\Software\Conduit

Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094

Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Registry is clean.

-\\ Mozilla Firefox v18.0 (en-US)

File : C:\Users\Allan\AppData\Roaming\Mozilla\Firefox\Profiles\kgvuflc5.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [967 octets] - [17/01/2013 16:05:57]

########## EOF - C:\AdwCleaner[R1].txt - [1026 octets] ##########

I haven't noticed anything recently, computer seems to be okay.

Link to post
Share on other sites

Howdy Bluedragon07. :)

Please do the following to re-run AdwCleaner:

  • Please close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with OK.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[s1].txt as well.
    Note: If you get a message that you must reboot the computer before starting deletion, please do. At reboot, only AdwCleaner will run and you can only click on the Delete button.
    When the deletion is done, AdwCleaner will reboot the computer again and open the logfile.

Link to post
Share on other sites

# AdwCleaner v2.106 - Logfile created 01/17/2013 at 23:34:57

# Updated 17/01/2013 by Xplode

# Operating system : Windows 7 Starter Service Pack 1 (32 bits)

# User : Allan - VINCENTPRICE

# Boot Mode : Normal

# Running from : C:\Users\Allan\Downloads\adwcleaner.exe

# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

***** [Registry] *****

Key Deleted : HKLM\Software\Conduit

Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094

Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Registry is clean.

-\\ Mozilla Firefox v18.0 (en-US)

File : C:\Users\Allan\AppData\Roaming\Mozilla\Firefox\Profiles\kgvuflc5.default\prefs.js

C:\Users\Allan\AppData\Roaming\Mozilla\Firefox\Profiles\kgvuflc5.default\user.js ... Deleted !

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1095 octets] - [17/01/2013 16:05:57]

AdwCleaner[s1].txt - [1131 octets] - [17/01/2013 23:34:57]

########## EOF - C:\AdwCleaner[s1].txt - [1191 octets] ##########

Link to post
Share on other sites

Hey Bluedragon07,

Please run a free online scan with the ESET Online Scanner.

Note: You can use Internet Explorer or Mozilla Firefox for this scan.

  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start.
  • When asked, allow the ActiveX control to install.
  • Click Start.
  • Make sure that the option Remove found threats is unchecked and the option Scan unwanted applications is checked.
  • Click Scan.
    Wait for the scan to finish.
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Link to post
Share on other sites

ESETSmartInstaller@High as downloader log:

all ok

# version=8

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6889

# api_version=3.0.2

# EOSSerial=f71a2caff8df5948acbb5461ded5a418

# end=finished

# remove_checked=false

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2013-01-22 07:21:14

# local_time=2013-01-21 11:21:14 (-0800, Pacific Standard Time)

# country="United States"

# lang=1033

# osver=6.1.7601 NT Service Pack 1

# compatibility_mode=5893 16776574 66 85 67617745 110384065 0 0

# scanned=91028

# found=1

# cleaned=0

# scan_time=3508

C:\Users\Allan\Downloads\WinZip170.exe a variant of Win32/OpenInstall application 36326217E447F16600CF77DEBDDA0145E431543C I

Link to post
Share on other sites

Hello Bluedragon07. :)

Please download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Link to post
Share on other sites

Results of screen317's Security Check version 0.99.57

Windows 7 Service Pack 1 x86 (UAC is enabled)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

WMI entry may not exist for antivirus; attempting automatic update.

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.70.0.1100

Java 6 Update 32

Java version out of Date!

Adobe Flash Player 11.5.502.146

Adobe Reader 10.1.5 Adobe Reader out of Date!

Mozilla Firefox (18.0.1)

````````Process Check: objlist.exe by Laurent````````

Malwarebytes Anti-Malware mbamservice.exe

Malwarebytes Anti-Malware mbamgui.exe

Malwarebytes' Anti-Malware mbamscheduler.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 0%

````````````````````End of Log``````````````````````

Link to post
Share on other sites

Howdy Bluedragon07,

Your version of Java is out of date. It's important to remove older versions of Java since it does not do so automatically and older versions can leave you vulnerable.

Please follow the instructions below to update Java:

  • Please go to the below link and download the latest Windows 7 version:

http://www.java.com/en/download/manual.jsp

  • Save it to your Desktop.
  • Please go to Start>Control Panel>Programs.
  • Navigate to any versions of Java (J2SE Runtime Environment) you have installed. They will have this icon next to them: javaicon.gif
  • Select Uninstall.
  • Please double-click the installer and follow the prompts to install the latest version once all the previous versions have been successfully removed.

=====

Also, your version of Adobe Reader is out of date. It could have security vulnerabilities, so please follow these instructions to update it:

  • Please go to Start>All Programs>Adobe Reader.
  • Open Adobe Reader and navigate to Help>Check for Updates.
  • Please follow the prompts to install the latest version.

=====

In your reply please let me know how the updates go.

Link to post
Share on other sites

Good afternoon Bluedragon07. :)

That's fine.

A little housekeeping to uninstall ComboFix:

Please click Start>Run and copy/paste the following text, including the space between "ComboFix and "/uninstall", into the Run box and click OK:

ComboFix /uninstall

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Right-click the Recycle Bin and please select Empty Recycle Bin.

And AdwCleaner:

  • Please double click on adwcleaner.exe to run the tool.
  • Click on Uninstall.
  • Confirm with Yes.

=====

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future. :thumbup:

IMPORTANT: Please enable Automatic Updates under Start > Control Panel > Automatic Updates to ensure your Windows updates regularly. This is extremely important in ensuring you remain protected against vulnerabilities and infections. This is a crucial security measure.

As a minimum, you need at least an antivirus, firewall and some type of anti-spyware program.

Please consider installing and running the following program (there is a free version available):

SpywareBlaster

A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster, can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you may be able to find out if it is a rogue here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop-up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above.

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and Add-ons, like Adblock Plus and NoScript, can make it even more secure. To avoid dangerous sites Web of Trust or McAfee SiteAdvisor can be installed. Google Chrome or Opera are other good options.

Two useful programs for keeping your programs up-to-date are FileHippo or Secunia PSI. Running one of these regularly will help you obtain the latest program updates.

Please also read Tony Klein's excellent article: How did I get infected in the first place.

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help. :)

Link to post
Share on other sites

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.