
Hello,

According to my Malwarebytes scan, my computer is infected with PUM.UserWLoad and Trojan.Ransom.

I've tried removing them, rebooted, re-scanned, and they just keep coming back.

Thanks!

-Daniel

Here's the DDS and Attach files:

DDS (Ver_2012-11-20.01) - NTFS_x86

Internet Explorer: 9.0.8112.16464

Run by wzhong at 17:31:11 on 2013-02-25

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3037.1844 [GMT -5:00]

.

AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

.

============== Running Processes ================

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\System32\spoolsv.exe

C:\Program Files\Broadcom\BPowMon\BPowMon.exe

C:\Program Files\HP\HPLaserJetService\HPLaserJetService.exe

C:\Windows\system32\HPSIsvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\Program Files\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Windows\Explorer.EXE

C:\Program Files\Google\Google Pinyin 2\GooglePinyinDaemon.exe

C:\Program Files\Google\Google Pinyin 2\GooglePinyinService.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\PFU\ScanSnap\CardMinder V3.2\CardLauncher.exe

C:\Program Files\PFU\ScanSnap\Driver\PfuSsMon.exe

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

C:\Windows\system32\UI0Detect.exe

C:\Windows\System32\WUDFHost.exe

C:\Windows\system32\wbengine.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\System32\svchost.exe -k HPZ12

C:\Windows\System32\svchost.exe -k HPZ12

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/webhp?client=aff-ime

uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us

uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us

uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070718

mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us

uWindows: Load = c:\users\wzhong\locals~1\temp\msvtioe.bat

BHO: {06433BFE-4946-4E89-823D-CD359C81CD06} - <orphaned>

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {481EE3EC-C026-4F9A-BA22-FD07654ADFC0} - <orphaned>

BHO: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton internet security\engine\18.7.2.3\coieplg.dll

BHO: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton internet security\engine\18.7.2.3\ips\ipsbho.dll

BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL

TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton internet security\engine\18.7.2.3\coieplg.dll

TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton internet security\engine\18.7.2.3\coieplg.dll

TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [Google Update] "c:\users\wzhong\appdata\local\google\update\GoogleUpdate.exe" /c

uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun

mRun: [HPUsageTrackingLEDM] "c:\program files\hp\hp ut ledm\bin\hppusg.exe" "c:\program files\hp\hp ut ledm\"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "c:\programdata\malwarebytes\malwarebytes' anti-malware\cleanup.dll",ProcessCleanupScript

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\cardmi~1.lnk - c:\program files\pfu\scansnap\cardminder v3.2\CardLauncher.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\conver~1.lnk - c:\program files\pfu\scansnap\organizer\PfuSsOrgOcrChk.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\scansn~1.lnk - c:\program files\pfu\scansnap\driver\PfuSsMon.exe

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

mPolicies-System: ConsentPromptBehaviorAdmin = dword:5

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableUIADesktopToggle = dword:0

IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\micros~1\office14\ONBttnIE.dll/105

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll

IE: {76c5fb99-dd0a-4186-9e75-65d1bf3da283} - c:\program files\amazon\add to wish list ie extension\run.htm

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

IE: {E0B8C461-F8FB-49b4-8373-FE32E92528A6} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEEE} -

.

INFO: HKCU has more than 50 listed domains.

If you wish to scan all of them, select the 'Force scan all domains' option.

.

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://premconf.webex.com/client/T27L10NSP25/webex/ieatgpc1.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100

TCP: NameServer = 192.168.1.204 192.168.2.252

TCP: Interfaces\{BE7E8324-B07A-43CA-9749-766B7550D17D} : NameServer = 192.168.1.201,192.168.1.225

TCP: Interfaces\{BE7E8324-B07A-43CA-9749-766B7550D17D} : DHCPNameServer = 192.168.1.204 192.168.2.252

TCP: Interfaces\{EF3D8893-EBA9-4CFA-8897-C47C402E4E19} : DHCPNameServer = 192.168.1.225 66.28.0.45 192.168.1.201

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll

Handler: qvp - {4BA78E3D-CA25-4BFF-B8F0-8A3359E4B520} - c:\program files\qlikview\qvprotocol\Qvp.dll

SSODL: WebCheck - <orphaned>

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\wzhong\appdata\roaming\mozilla\firefox\profiles\wokxkn8x.default\

FF - prefs.js: browser.startup.homepage - hxxp://us.ard.yahoo.com/SIG=157tpqcdh/M=650008.12783705.13293953.12384300/D=yahoo_top/S=2023432473:HEADR/_ylt=Al6ba8R5iiBBFwCJddZACmgZIZt4/Y=YAHOO/EXP=1226953342/L=JHzDvVf4cdAFNfepSL2C3flkJnAb_kkhtl4AAU4X/B=bPMvGUwNBkk-/J=1226946142135266/A=5509528/R=5/SIG=10uacnjgh/*http://www.yahoo.com/bin/set

FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\coffplgn\components\coFFPlgn.dll

FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\ipsffplgn\components\IPSFFPl.dll

FF - plugin: c:\progra~1\micros~1\office14\NPAUTHZ.DLL

FF - plugin: c:\progra~1\micros~1\office14\NPSPWRAP.DLL

FF - plugin: c:\program files\google\update\1.3.21.135\npGoogleUpdate3.dll

FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll

FF - plugin: c:\users\wzhong\appdata\local\google\update\1.3.21.135\npGoogleUpdate3.dll

FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_149.dll

.

============= SERVICES / DRIVERS ===============

.

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1207020.003\symds.sys [2012-6-12 340088]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1207020.003\symefa.sys [2012-6-12 744568]

R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\bashdefs\20130208.001\BHDrvx86.sys [2013-2-13 997464]

R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\ipsdefs\20130222.001\IDSvix86.sys [2013-2-25 386720]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1207020.003\ironx86.sys [2012-6-12 136312]

R1 SymNetS;Symantec Network Security WFP Driver;c:\windows\system32\drivers\nis\1207020.003\symnets.sys [2012-6-12 299640]

R2 BPowMon;Broadcom Power monitoring service;c:\program files\broadcom\bpowmon\BPowMon.exe [2009-8-17 79168]

R2 HP LaserJet Service;HP LaserJet Service;c:\program files\hp\hplaserjetservice\HPLaserJetService.exe [2009-6-24 136704]

R2 HPSIService;HP SI Service;c:\windows\system32\HPSIsvc.exe [2009-11-9 99896]

R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\18.7.2.3\ccsvchst.exe [2012-6-12 130008]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-8-9 106656]

R3 k57nd60x;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2009-8-6 273960]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]

S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-7-7 52224]

S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-7-2 1343400]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-4-16 11520]

.

=============== File Associations ===============

.

FileExt: .txt: Applications\EXCEL.EXE="c:\program files\microsoft office\office14\EXCEL.EXE" "%1" [userChoice]

.

=============== Created Last 30 ================

.

2/22/2013 21:31 -------- d-----w- c:\users\wzhong\appdata\roaming\Malwarebytes

2/22/2013 21:31 -------- d-----w- c:\programdata\Malwarebytes

2/22/2013 21:31 21104 ----a-w- c:\windows\system32\drivers\mbam.sys

2/22/2013 21:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2/22/2013 21:31 -------- d-----w- c:\users\wzhong\appdata\local\Programs

2/13/2013 15:00 2347008 ----a-w- c:\windows\system32\win32k.sys

2/13/2013 15:00 169984 ----a-w- c:\windows\system32\winsrv.dll

2/13/2013 15:00 187752 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS

2/13/2013 15:00 1293672 ----a-w- c:\windows\system32\drivers\tcpip.sys

2/13/2013 15:00 3967848 ----a-w- c:\windows\system32\ntkrnlpa.exe

2/13/2013 15:00 3913064 ----a-w- c:\windows\system32\ntoskrnl.exe

2/12/2013 15:46 16365936 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe

.

==================== Find3M ====================

.

2/12/2013 15:46 74096 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2/12/2013 15:46 697712 ----a-w- c:\windows\system32\FlashPlayerApp.exe

1/8/2013 22:11 1800704 ----a-w- c:\windows\system32\jscript9.dll

1/8/2013 22:03 1129472 ----a-w- c:\windows\system32\wininet.dll

1/8/2013 22:03 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

1/8/2013 21:59 142848 ----a-w- c:\windows\system32\ieUnatt.exe

1/8/2013 21:58 420864 ----a-w- c:\windows\system32\vbscript.dll

1/8/2013 21:56 2382848 ----a-w- c:\windows\system32\mshtml.tlb

12/16/2012 14:13 295424 ----a-w- c:\windows\system32\atmfd.dll

12/16/2012 14:13 34304 ----a-w- c:\windows\system32\atmlib.dll

12/7/2012 12:26 308736 ----a-w- c:\windows\system32\Wpc.dll

12/7/2012 12:20 2576384 ----a-w- c:\windows\system32\gameux.dll

11/30/2012 4:47 293376 ----a-w- c:\windows\system32\KernelBase.dll

11/30/2012 2:55 271360 ----a-w- c:\windows\system32\conhost.exe

11/30/2012 2:38 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll

11/30/2012 2:38 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll

11/30/2012 2:38 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll

11/30/2012 2:38 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll

.

============= FINISH: 17:31:44.45 ===============

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows 7 Professional

Boot Device: \Device\HarddiskVolume2

Install Date: 7/2/2010 1:39:38 AM

System Uptime: 2/25/2013 3:33:45 PM (2 hours ago)

.

Motherboard: Dell Inc. | | 07N90W

Processor: Intel® Core2 Duo CPU E7500 @ 2.93GHz | CPU 1 | 2926/266mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 298 GiB total, 242.101 GiB free.

D: is CDROM ()

E: is Removable

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP190: 1/22/2013 9:55:31 AM - Installed Sage 100 Fund Accounting Workstation.

RP191: 1/29/2013 4:15:01 PM - Scheduled Checkpoint

RP192: 2/13/2013 5:51:22 PM - Windows Update

RP193: 2/21/2013 4:25:10 PM - Scheduled Checkpoint

.

==== Installed Programs ======================

.

??????? 2.7

1099FIRE 2011

32 Bit HP CIO Components Installer

Acrobat.com

Adobe AIR

Adobe Flash Player 11 ActiveX

Adobe Flash Player 11 Plugin

Adobe Reader X (10.0.1)

Amazon Add to Wish List IE Extension 1.1

Belarc Advisor 8.2

Broadcom Gigabit NetLink Controller

Broadcom Management Programs

CardMinder V3.2

Collaboration Data Objects 1.2.1

Crystal Report

CutePDF Writer 2.8

Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition

Google Chrome

Google Toolbar for Internet Explorer

Google Update Helper

HP LaserJet Professional P1100-P1560-P1600 Series

hppLaserJetService

hppP1100P1560P1600SeriesLaserJetService

hppusgP1100P1560P1600Series

HPSSupply

LiveUpdate 3.2 (Symantec Corporation)

Malwarebytes Anti-Malware version 1.70.0.1100

MarketResearch

Microsoft .NET Framework 1.1

Microsoft .NET Framework 4 Client Profile

Microsoft Office 2010 Service Pack 1 (SP1)

Microsoft Office Excel MUI (English) 2010

Microsoft Office OneNote MUI (English) 2010

Microsoft Office Outlook MUI (English) 2010

Microsoft Office PowerPoint MUI (English) 2010

Microsoft Office Proof (English) 2010

Microsoft Office Proof (French) 2010

Microsoft Office Proof (Spanish) 2010

Microsoft Office Proofing (English) 2010

Microsoft Office Publisher MUI (English) 2010

Microsoft Office Shared MUI (English) 2010

Microsoft Office Shared Setup Metadata MUI (English) 2010

Microsoft Office Standard 2010

Microsoft Office Word MUI (English) 2010

Microsoft Office XP Web Components

Microsoft Silverlight

Microsoft SQL Server 2005 Backward compatibility

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319

Microsoft XML Parser

Mozilla Firefox 18.0.2 (x86 en-US)

Mozilla Maintenance Service

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

Norton Internet Security

QlikView OCX

Sage 100 Fund Accounting Workstation

Sage Advisor Update PlugIn For Sage 100 Fund Accounting

ScanSnap Manager

ScanSnap Organizer

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)

Security Update for Microsoft Excel 2010 (KB2597126) 32-Bit Edition

Security Update for Microsoft InfoPath 2010 (KB2687417) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2553091)

Security Update for Microsoft Office 2010 (KB2553096)

Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2553447) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2597986) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2687501) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2687510) 32-Bit Edition

Security Update for Microsoft Word 2010 (KB2760410) 32-Bit Edition

Tax Forms and E-Filing by Aatrix

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft Office 2010 (KB2494150)

Update for Microsoft Office 2010 (KB2553065)

Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553378) 32-Bit Edition

Update for Microsoft Office 2010 (KB2566458)

Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition

Update for Microsoft Office 2010 (KB2598242) 32-Bit Edition

Update for Microsoft Office 2010 (KB2687509) 32-Bit Edition

Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition

Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition

Update for Microsoft OneNote 2010 (KB2687277) 32-Bit Edition

Update for Microsoft Outlook 2010 (KB2597090) 32-Bit Edition

Update for Microsoft Outlook 2010 (KB2687623) 32-Bit Edition

Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition

Update for Microsoft PowerPoint 2010 (KB2598240) 32-Bit Edition

VBA (2627.01)

VISTA 6.0.3 Upgrade

WinRAR archiver

.

==== Event Viewer Messages From Past Week ========

.

2/25/2013 4:05:08 PM, Error: Schannel [36888] - The following fatal alert was generated: 40. The internal error state is 107.

2/25/2013 4:05:08 PM, Error: Schannel [36874] - An SSL 3.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

2/25/2013 4:00:47 PM, Error: Microsoft-Windows-DistributedCOM [10009] - DCOM was unable to communicate with the computer CSR|icpfile02 using any of the configured protocols.

.

==== End Of File ===========================


Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

http://tigzy.geeksto...ueKillerX64.exe <---use this one for 64 bit systems

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop. (please don't put logs in code or quotes)

P2P Warning:

If you're using Peer 2 Peer software such as uTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

MrC

<+> Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+> Please stick with me until I give you the "all clear".

<+> The removal of malware isn't instantaneous, please be patient.

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)

uWindows: Load = c:\users\wzhong\locals~1\temp\msvtioe.bat


Hi MrCharlie, thanks for getting back to me.

Here's the Roguekiller report:

RogueKiller V8.5.2 [Feb 23 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version

Started in : Normal mode

User : wzhong [Admin rights]

Mode : Scan -- Date : 02/26/2013 10:21:29

| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 5 ¤¤¤

[SHELL][SUSP PATH] HKCU\[...]\Windows : Load (C:\Users\WZhong\Local Settings\Temp\msvtioe.bat) [x] -> FOUND

[SHELL][SUSP PATH] HKUS\S-1-5-21-1969434105-834934542-9522986-1091[...]\Windows : Load (C:\Users\WZhong\Local Settings\Temp\msvtioe.bat) [x] -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

SSDT[13] : NtAlertResumeThread @ 0x82F1BB8B -> HOOKED (Unknown @ 0x86B875E8)

SSDT[14] : NtAlertThread @ 0x82E6EBB0 -> HOOKED (Unknown @ 0x86B87770)

SSDT[19] : NtAllocateVirtualMemory @ 0x82E67BBC -> HOOKED (Unknown @ 0x86B69228)

SSDT[22] : NtAlpcConnectPort @ 0x82EB337E -> HOOKED (Unknown @ 0x86AAE3B0)

SSDT[43] : NtAssignProcessToJobObject @ 0x82E3CFEC -> HOOKED (Unknown @ 0x86C90938)

SSDT[74] : NtCreateMutant @ 0x82E4E27A -> HOOKED (Unknown @ 0x86B87338)

SSDT[86] : NtCreateSymbolicLinkObject @ 0x82E3F8F4 -> HOOKED (Unknown @ 0x86C90658)

SSDT[87] : NtCreateThread @ 0x82F19DC6 -> HOOKED (Unknown @ 0x855975D8)

SSDT[88] : NtCreateThreadEx @ 0x82EAE2AB -> HOOKED (Unknown @ 0x86C90748)

SSDT[96] : NtDebugActiveProcess @ 0x82EEBCBA -> HOOKED (Unknown @ 0x86C90A18)

SSDT[111] : NtDuplicateObject @ 0x82E6F64A -> HOOKED (Unknown @ 0x86B693F8)

SSDT[131] : NtFreeVirtualMemory @ 0x82CF67FC -> HOOKED (Unknown @ 0x86B6DCE8)

SSDT[145] : NtImpersonateAnonymousToken @ 0x82E338DE -> HOOKED (Unknown @ 0x86B87428)

SSDT[147] : NtImpersonateThread @ 0x82EB7772 -> HOOKED (Unknown @ 0x86B87508)

SSDT[155] : NtLoadDriver @ 0x82E03C14 -> HOOKED (Unknown @ 0x8686CC48)

SSDT[168] : NtMapViewOfSection @ 0x82E844D9 -> HOOKED (Unknown @ 0x86B6DBE8)

SSDT[177] : NtOpenEvent @ 0x82E4DC76 -> HOOKED (Unknown @ 0x86B68B20)

SSDT[190] : NtOpenProcess @ 0x82E4FAC1 -> HOOKED (Unknown @ 0x86B69698)

SSDT[191] : NtOpenProcessToken @ 0x82EA217F -> HOOKED (Unknown @ 0x86B69318)

SSDT[194] : NtOpenSection @ 0x82EA77FB -> HOOKED (Unknown @ 0x86B68960)

SSDT[198] : NtOpenThread @ 0x82E9BF05 -> HOOKED (Unknown @ 0x86B695A8)

SSDT[215] : NtProtectVirtualMemory @ 0x82E80539 -> HOOKED (Unknown @ 0x86C90848)

SSDT[304] : NtResumeThread @ 0x82EAE4D2 -> HOOKED (Unknown @ 0x86B87850)

SSDT[316] : NtSetContextThread @ 0x82F1B637 -> HOOKED (Unknown @ 0x86B6D938)

SSDT[333] : NtSetInformationProcess @ 0x82E7675D -> HOOKED (Unknown @ 0x86B6DA18)

SSDT[350] : NtSetSystemInformation @ 0x82E8C23C -> HOOKED (Unknown @ 0x86B68818)

SSDT[366] : NtSuspendProcess @ 0x82F1BAC7 -> HOOKED (Unknown @ 0x86B68A40)

SSDT[367] : NtSuspendThread @ 0x82ED2FAB -> HOOKED (Unknown @ 0x86B87930)

SSDT[370] : NtTerminateProcess @ 0x82E98B9D -> HOOKED (Unknown @ 0x86B6BAD8)

SSDT[371] : NtTerminateThread @ 0x82EB64AB -> HOOKED (Unknown @ 0x86B6D858)

SSDT[385] : NtUnmapViewOfSection @ 0x82EA27BA -> HOOKED (Unknown @ 0x86B6DB08)

SSDT[399] : NtWriteVirtualMemory @ 0x82E9D89A -> HOOKED (Unknown @ 0x86B690D0)

S_SSDT[318] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x873C3BF8)

S_SSDT[402] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x875D2B30)

S_SSDT[434] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x875D2A70)

S_SSDT[436] : NtUserGetKeyState -> HOOKED (Unknown @ 0x873AD428)

S_SSDT[448] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x875D2C78)

S_SSDT[490] : NtUserMessageCall -> HOOKED (Unknown @ 0x875D2800)

S_SSDT[508] : NtUserPostMessage -> HOOKED (Unknown @ 0x875D29A0)

S_SSDT[509] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x875D28D0)

S_SSDT[585] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x876541B8)

S_SSDT[588] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x8758DE30)

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3320418AS ATA Device +++++

--- User ---

[MBR] 192cc4d7885d31ba63b09a3adaa85525

[BSP] cf42810ed9eb59b389d280cc8e4491c9 : Windows 7/8 MBR Code

Partition table:

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 62 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 128520 | Size: 305180 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1]_S_02262013_02d1021.txt >>

RKreport[1]_S_02262013_02d1021.txt


Run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest: (if found)

[SHELL][SUSP PATH] HKCU\[...]\Windows : Load (C:\Users\WZhong\Local Settings\Temp\msvtioe.bat) [x] -> FOUND

[SHELL][SUSP PATH] HKUS\S-1-5-21-1969434105-834934542-9522986-1091[...]\Windows : Load (C:\Users\WZhong\Local Settings\Temp\msvtioe.bat) [x] -> FOUND

Now click Delete on the right hand column under Options

Then........

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

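A defender-side triage of the autostart lines both tools reported in this thread, as an added example; it is not part of the thread and is not code from DDS, RogueKiller or Malwarebytes. It parses a handful of DDS "Pseudo HJT Report" lines and RogueKiller registry lines (constructed samples copied from the logs above), flags entries whose target lives in a temp directory, is a script, or sits in the legacy Windows\Load value, and matches the two tools' findings by file name, since DDS prints 8.3 short paths and RogueKiller long ones. The heuristics, the function names and the sample line sets are my own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List

# --- Constructed sample input -------------------------------------------------
# Autostart-related lines in DDS "Pseudo HJT Report" form, copied from this thread
# and trimmed to what the triage below needs.
SAMPLE_DDS = r"""
uStart Page = hxxp://www.google.com/webhp?client=aff-ime
uWindows: Load = c:\users\wzhong\locals~1\temp\msvtioe.bat
BHO: {06433BFE-4946-4E89-823D-CD359C81CD06} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\scansn~1.lnk - c:\program files\pfu\scansnap\driver\PfuSsMon.exe
"""

# The matching RogueKiller registry lines (RogueKiller prints [SHELL][SUSP PATH];
# the forum software lower-cased the leading S in the thread).
SAMPLE_RK = r"""
[SHELL][SUSP PATH] HKCU\[...]\Windows : Load (C:\Users\WZhong\Local Settings\Temp\msvtioe.bat) [x] -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
"""

TEMP_DIR_RE = re.compile(r"[\\/](temp|tmp)[\\/]", re.IGNORECASE)
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".hta")
RK_RE = re.compile(
    r"^\[(?P<cat>[^\]]+)\]\[(?P<tag>[^\]]+)\]\s+(?P<hive>\S+)\s*:\s*(?P<name>\S+)\s*\((?P<target>[^)]*)\)",
    re.IGNORECASE)


@dataclass
class Finding:
    source: str                 # "dds" or "roguekiller"
    location: str               # autostart location as the tool names it
    target: str                 # file the entry points at
    reasons: List[str] = field(default_factory=list)

    @property
    def basename(self) -> str:  # file name only, so short and long paths compare equal
        return re.split(r"[\\/]", self.target)[-1].lower()


def first_path(value: str) -> str:
    """Strip quoting and trailing arguments from an autostart command line."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    m = re.match(r"(.+?\.[a-z0-9]{2,4})(?:\s|$)", value, re.IGNORECASE)
    return m.group(1) if m else value


def judge(target: str, location: str) -> List[str]:
    """Heuristic reasons (assumed, not a tool's rules) an autostart deserves a closer look."""
    if target == "<orphaned>":
        return ["orphaned registration: CLSID with no backing file"]
    reasons = []
    if TEMP_DIR_RE.search(target):
        reasons.append("target lives in a temporary directory")
    if target.lower().endswith(SCRIPT_EXTS):
        reasons.append("target is a script, not an installed executable")
    if location.lower().endswith("windows\\load"):
        reasons.append("legacy Windows\\Load value, rarely set by legitimate software")
    return reasons


def parse_dds(text: str) -> List[Finding]:
    """Pick the autostart entries out of DDS pseudo-HJT lines and keep the suspicious ones."""
    findings = []
    for line in text.splitlines():
        if ": " not in line:
            continue
        key, rest = line.split(": ", 1)
        if key in ("uWindows", "mWindows"):            # "Load = <path>"
            name, _, value = rest.partition(" = ")
            location, target = f"{key}\\{name}", first_path(value)
        elif key in ("uRun", "mRun", "mRunOnce"):       # "[name] <command line>"
            name, _, value = rest.partition("] ")
            location, target = f"{key}\\{name[1:]}", first_path(value)
        elif key == "StartupFolder":                    # "<lnk> - <target>"
            lnk, _, value = rest.rpartition(" - ")
            location, target = f"{key}\\{lnk}", first_path(value)
        elif key == "BHO":                              # "<name>: {clsid} - <dll>"
            meta, _, value = rest.rpartition(" - ")
            location, target = f"{key}\\{meta}", value.strip()
        else:
            continue
        reasons = judge(target, location)
        if reasons:
            findings.append(Finding("dds", location, target, reasons))
    return findings


def parse_roguekiller(text: str) -> List[Finding]:
    """Parse RogueKiller's two-tag registry lines ([CAT][TAG] hive : name (target))."""
    findings = []
    for line in text.splitlines():
        m = RK_RE.match(line.strip())
        if not m:
            continue
        location = f"{m['hive']}\\{m['name']}"
        reasons = judge(m["target"], location)
        if "susp path" in m["tag"].lower():
            reasons.append("RogueKiller tag: suspicious path")
        if reasons:
            findings.append(Finding("roguekiller", location, m["target"], reasons))
    return findings


def corroborated(*finding_sets: List[Finding]) -> List[str]:
    """File names flagged by more than one tool."""
    seen = {}
    for findings in finding_sets:
        for f in findings:
            seen.setdefault(f.basename, set()).add(f.source)
    return sorted(name for name, sources in seen.items() if len(sources) > 1)


if __name__ == "__main__":
    dds, rk = parse_dds(SAMPLE_DDS), parse_roguekiller(SAMPLE_RK)
    for f in dds + rk:
        print(f"[{f.source}] {f.location} -> {f.target}")
        for r in f.reasons:
            print("    -", r)
    print("flagged by both tools:", corroborated(dds, rk))
```

The Windows\Load value is worth the special case: it is an old autostart location that installers almost never use, so any value there, and especially one pointing at a batch file in a Temp folder, is the entry to look at first, which is exactly the line the helper singled out above.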

Sorry for the delay. Here's the ComboFix log file:

ComboFix 13-02-26.01 - wzhong 02/26/2013  11:45:54.1.2 - x86

Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3037.1864 [GMT -5:00]

Running from: c:\users\WZhong\Desktop\ComboFix.exe

AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

 * Created a new restore point

.

.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\WZhong\AppData\Local\Microsoft\Windows\Temporary Internet Files\{402C2BCF-77F8-4579-A177-8457602425BA}.xps

c:\users\WZhong\AppData\Local\Microsoft\Windows\Temporary Internet Files\{7ECE36F1-1A01-41CC-B934-D6C2C59C04F5}.xps

c:\users\WZhong\AppData\Local\Microsoft\Windows\Temporary Internet Files\{81C76323-63EC-455C-85F9-736FAFC9B4DA}.xps

c:\users\WZhong\AppData\Local\Microsoft\Windows\Temporary Internet Files\{8B61616E-B785-4B06-A295-EEDF3BE122EB}.xps

c:\users\WZhong\g2mdlhlpx.exe

c:\users\WZhong\GoToAssistDownloadHelper.exe

c:\windows\system32\spool\prtprocs\w32x86\x5pp.dll

c:\windows\system32\URTTemp

c:\windows\system32\URTTemp\regtlib.exe

c:\windows\UNWISE.EXE

.

.

(((((((((((((((((((((((((   Files Created from 2013-01-26 to 2013-02-26  )))))))))))))))))))))))))))))))

.

.

2013-02-22 21:31 . 2013-02-22 21:31    --------    d-----w-    c:\users\WZhong\AppData\Roaming\Malwarebytes

2013-02-22 21:31 . 2013-02-22 21:31    --------    d-----w-    c:\programdata\Malwarebytes

2013-02-22 21:31 . 2013-02-22 21:31    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware

2013-02-22 21:31 . 2012-12-14 21:49    21104    ----a-w-    c:\windows\system32\drivers\mbam.sys

2013-02-22 21:31 . 2013-02-22 21:31    --------    d-----w-    c:\users\WZhong\AppData\Local\Programs

2013-02-13 15:00 . 2013-01-04 03:00    2347008    ----a-w-    c:\windows\system32\win32k.sys

2013-02-13 15:00 . 2013-01-04 04:50    169984    ----a-w-    c:\windows\system32\winsrv.dll

2013-02-13 15:00 . 2013-01-03 05:05    1293672    ----a-w-    c:\windows\system32\drivers\tcpip.sys

2013-02-13 15:00 . 2013-01-03 05:04    187752    ----a-w-    c:\windows\system32\drivers\FWPKCLNT.SYS

2013-02-13 15:00 . 2013-01-05 05:00    3967848    ----a-w-    c:\windows\system32\ntkrnlpa.exe

2013-02-13 15:00 . 2013-01-05 05:00    3913064    ----a-w-    c:\windows\system32\ntoskrnl.exe

2013-02-12 15:46 . 2013-02-12 15:46    16365936    ----a-w-    c:\windows\system32\FlashPlayerInstaller.exe

.

.

.

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-02-12 15:46 . 2012-07-19 14:02    697712    ----a-w-    c:\windows\system32\FlashPlayerApp.exe

<div>2013-02-12 15:46 . 2011-07-11 21:56<span class="Apple-tab-span" style="white-space:pre"> </span>74096<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\FlashPlayerCPLApp.cpl</div>

<div>2012-12-16 14:13 . 2012-12-21 22:35<span class="Apple-tab-span" style="white-space:pre"> </span>295424<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\atmfd.dll</div>

<div>2012-12-16 14:13 . 2012-12-21 22:35<span class="Apple-tab-span" style="white-space:pre"> </span>34304<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\atmlib.dll</div>

<div>2012-12-07 12:26 . 2013-01-09 14:49<span class="Apple-tab-span" style="white-space:pre"> </span>308736<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\Wpc.dll</div>

<div>2012-12-07 12:20 . 2013-01-09 14:49<span class="Apple-tab-span" style="white-space:pre"> </span>2576384<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\gameux.dll</div>

<div>2012-12-07 10:46 . 2013-01-09 14:49<span class="Apple-tab-span" style="white-space:pre"> </span>43520<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\csrr.rs</div>

<div>2012-12-07 10:46 . 2013-01-09 14:49<span class="Apple-tab-span" style="white-space:pre"> </span>30720<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\usk.rs</div>

<div>2012-12-07 10:46 . 2013-01-09 14:49<span class="Apple-tab-span" style="white-space:pre"> </span>45568<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\oflc-nz.rs</div>

<div>2012-12-07 10:46 . 2013-01-09 14:49<span class="Apple-tab-span" style="white-space:pre"> </span>44544<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\pegibbfc.rs</div>

<div>2012-12-07 10:46 . 2013-01-09 14:49<span class="Apple-tab-span" style="white-space:pre"> </span>20480<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\pegi-pt.rs</div>

<div>2012-12-07 10:46 . 2013-01-09 14:49<span class="Apple-tab-span" style="white-space:pre"> </span>23552<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\oflc.rs</div>

<div>2012-12-07 10:46 . 2013-01-09 14:49<span class="Apple-tab-span" style="white-space:pre"> </span>20480<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\pegi-fi.rs</div>

<div>2012-12-07 10:46 . 2013-01-09 14:49<span class="Apple-tab-span" style="white-space:pre"> </span>46592<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\fpb.rs</div>

<div>2012-12-07 10:46 . 2013-01-09 14:49<span class="Apple-tab-span" style="white-space:pre"> </span>20480<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\pegi.rs</div>

<div>2012-12-07 10:46 . 2013-01-09 14:49<span class="Apple-tab-span" style="white-space:pre"> </span>21504<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\grb.rs</div>

<div>2012-12-07 10:46 . 2013-01-09 14:49<span class="Apple-tab-span" style="white-space:pre"> </span>40960<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\cob-au.rs</div>

<div>2012-12-07 10:46 . 2013-01-09 14:49<span class="Apple-tab-span" style="white-space:pre"> </span>15360<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\djctq.rs</div>

<div>2012-12-07 10:46 . 2013-01-09 14:49<span class="Apple-tab-span" style="white-space:pre"> </span>55296<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\cero.rs</div>

<div>2012-12-07 10:46 . 2013-01-09 14:49<span class="Apple-tab-span" style="white-space:pre"> </span>51712<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\esrb.rs</div>

<div>2012-11-30 04:47 . 2013-01-09 14:50<span class="Apple-tab-span" style="white-space:pre"> </span>293376<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\KernelBase.dll</div>

<div>2012-11-30 04:45 . 2013-01-09 14:50<span class="Apple-tab-span" style="white-space:pre"> </span>4608<span class="Apple-tab-span" style="white-space:pre"> </span>---ha-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll</div>

<div>2012-11-30 04:45 . 2013-01-09 14:50<span class="Apple-tab-span" style="white-space:pre"> </span>4096<span class="Apple-tab-span" style="white-space:pre"> </span>---ha-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll</div>

<div>2012-11-30 04:45 . 2013-01-09 14:50<span class="Apple-tab-span" style="white-space:pre"> </span>4096<span class="Apple-tab-span" style="white-space:pre"> </span>---ha-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll</div>

<div>2012-11-30 04:45 . 2013-01-09 14:50<span class="Apple-tab-span" style="white-space:pre"> </span>4096<span class="Apple-tab-span" style="white-space:pre"> </span>---ha-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll</div>

<div>2012-11-30 04:45 . 2013-01-09 14:50<span class="Apple-tab-span" style="white-space:pre"> </span>4096<span class="Apple-tab-span" style="white-space:pre"> </span>---ha-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll</div>

<div>2012-11-30 04:45 . 2013-01-09 14:50<span class="Apple-tab-span" style="white-space:pre"> </span>4096<span class="Apple-tab-span" style="white-space:pre"> </span>---ha-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll</div>

<div>2012-11-30 04:45 . 2013-01-09 14:50<span class="Apple-tab-span" style="white-space:pre"> </span>3584<span class="Apple-tab-span" style="white-space:pre"> </span>---ha-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll</div>

<div>2012-11-30 04:45 . 2013-01-09 14:50<span class="Apple-tab-span" style="white-space:pre"> </span>3584<span class="Apple-tab-span" style="white-space:pre"> </span>---ha-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll</div>

<div>2012-11-30 04:45 . 2013-01-09 14:50<span class="Apple-tab-span" style="white-space:pre"> </span>3584<span class="Apple-tab-span" style="white-space:pre"> </span>---ha-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll</div>

<div>2012-11-30 04:45 . 2013-01-09 14:50<span class="Apple-tab-span" style="white-space:pre"> </span>3584<span class="Apple-tab-span" style="white-space:pre"> </span>---ha-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll</div>

<div>2012-11-30 04:45 . 2013-01-09 14:50<span class="Apple-tab-span" style="white-space:pre"> </span>3584<span class="Apple-tab-span" style="white-space:pre"> </span>---ha-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll</div>

<div>2012-11-30 04:45 . 2013-01-09 14:50<span class="Apple-tab-span" style="white-space:pre"> </span>3584<span class="Apple-tab-span" style="white-space:pre"> </span>---ha-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll</div>

<div>2012-11-30 04:45 . 2013-01-09 14:50<span class="Apple-tab-span" style="white-space:pre"> </span>3072<span class="Apple-tab-span" style="white-space:pre"> </span>---ha-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\api-ms-win-core-string-l1-1-0.dll</div>

<div>2012-11-30 04:45 . 2013-01-09 14:50<span class="Apple-tab-span" style="white-space:pre"> </span>3072<span class="Apple-tab-span" style="white-space:pre"> </span>---ha-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll</div>

<div>2012-11-30 04:45 . 2013-01-09 14:50<span class="Apple-tab-span" style="white-space:pre"> </span>3072<span class="Apple-tab-span" style="white-space:pre"> </span>---ha-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll</div>

<div>2012-11-30 04:45 . 2013-01-09 14:50<span class="Apple-tab-span" style="white-space:pre"> </span>3072<span class="Apple-tab-span" style="white-space:pre"> </span>---ha-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\api-ms-win-core-io-l1-1-0.dll</div>

<div>2012-11-30 04:45 . 2013-01-09 14:50<span class="Apple-tab-span" style="white-space:pre"> </span>5120<span class="Apple-tab-span" style="white-space:pre"> </span>---ha-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\api-ms-win-core-file-l1-1-0.dll</div>

<div>2012-11-30 04:45 . 2013-01-09 14:50<span class="Apple-tab-span" style="white-space:pre"> </span>3072<span class="Apple-tab-span" style="white-space:pre"> </span>---ha-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll</div>

<div>2012-11-30 04:45 . 2013-01-09 14:50<span class="Apple-tab-span" style="white-space:pre"> </span>3072<span class="Apple-tab-span" style="white-space:pre"> </span>---ha-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll</div>

<div>2012-11-30 04:45 . 2013-01-09 14:50<span class="Apple-tab-span" style="white-space:pre"> </span>3072<span class="Apple-tab-span" style="white-space:pre"> </span>---ha-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll</div>

<div>2012-11-30 04:45 . 2013-01-09 14:50<span class="Apple-tab-span" style="white-space:pre"> </span>3072<span class="Apple-tab-span" style="white-space:pre"> </span>---ha-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll</div>

<div>2012-11-30 04:45 . 2013-01-09 14:50<span class="Apple-tab-span" style="white-space:pre"> </span>3072<span class="Apple-tab-span" style="white-space:pre"> </span>---ha-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll</div>

<div>2012-11-30 04:45 . 2013-01-09 14:50<span class="Apple-tab-span" style="white-space:pre"> </span>3072<span class="Apple-tab-span" style="white-space:pre"> </span>---ha-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll</div>

<div>2012-11-30 04:45 . 2013-01-09 14:50<span class="Apple-tab-span" style="white-space:pre"> </span>3072<span class="Apple-tab-span" style="white-space:pre"> </span>---ha-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\api-ms-win-core-console-l1-1-0.dll</div>

<div>2012-11-30 02:55 . 2013-01-09 14:50<span class="Apple-tab-span" style="white-space:pre"> </span>271360<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\conhost.exe</div>

<div>2012-11-30 02:38 . 2013-01-09 14:50<span class="Apple-tab-span" style="white-space:pre"> </span>6144<span class="Apple-tab-span" style="white-space:pre"> </span>---ha-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\api-ms-win-security-base-l1-1-0.dll</div>

<div>2012-11-30 02:38 . 2013-01-09 14:50<span class="Apple-tab-span" style="white-space:pre"> </span>4608<span class="Apple-tab-span" style="white-space:pre"> </span>---ha-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll</div>

<div>2012-11-30 02:38 . 2013-01-09 14:50<span class="Apple-tab-span" style="white-space:pre"> </span>3584<span class="Apple-tab-span" style="white-space:pre"> </span>---ha-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll</div>

<div>2012-11-30 02:38 . 2013-01-09 14:50<span class="Apple-tab-span" style="white-space:pre"> </span>3072<span class="Apple-tab-span" style="white-space:pre"> </span>---ha-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\api-ms-win-core-util-l1-1-0.dll</div>

<div>2013-02-07 18:01 . 2013-02-07 18:01<span class="Apple-tab-span" style="white-space:pre"> </span>262552<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\program files\mozilla firefox\components\browsercomps.dll</div>

<div>.</div>

<div>.</div>

<div>(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))</div>

<div>.</div>

<div>.</div>

<div>*Note* empty entries & legit default entries are not shown </div>

<div>REGEDIT4</div>

<div>.</div>

<div>[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]</div>

<div>"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]</div>

<div>.</div>

<div>[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]</div>

<div>"HPUsageTrackingLEDM"="c:\program files\HP\HP UT LEDM\bin\hppusg.exe" [2009-08-04 30264]</div>

<div>"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]</div>

<div>"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]</div>

<div>.</div>

<div>c:\users\lintern\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\</div>

<div>OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-12-21 227712]</div>

<div>.</div>

<div>c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\</div>

<div>CardMinder Viewer.lnk - c:\program files\PFU\ScanSnap\CardMinder V3.2\CardLauncher.exe [2011-9-13 36864]</div>

<div>Conversion to PDF with ScanSnap Organizer.lnk - c:\program files\PFU\ScanSnap\Organizer\PfuSsOrgOcrChk.exe [2011-9-13 24576]</div>

<div>ScanSnap Manager.lnk - c:\program files\PFU\ScanSnap\Driver\PfuSsMon.exe [2011-9-13 1159168]</div>

<div>.</div>

<div>[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]</div>

<div>"ConsentPromptBehaviorAdmin"= 5 (0x5)</div>

<div>"ConsentPromptBehaviorUser"= 3 (0x3)</div>

<div>"EnableUIADesktopToggle"= 0 (0x0)</div>

<div>.</div>

<div>[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0200804]</div>

<div>   Ime File<span class="Apple-tab-span" style="white-space:pre"> </span>REG_SZ         <span class="Apple-tab-span" style="white-space:pre"> </span>GOOGLEPINYIN2.IME</div>

<div>.</div>

<div>R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]</div>

<div>R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]</div>

<div>R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [x]</div>

<div>S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1207020.003\SYMDS.SYS [x]</div>

<div>S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1207020.003\SYMEFA.SYS [x]</div>

<div>S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\BASHDefs\20130208.001\BHDrvx86.sys [x]</div>

<div>S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\IPSDefs\20130223.001\IDSvix86.sys [x]</div>

<div>S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1207020.003\Ironx86.SYS [x]</div>

<div>S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NIS\1207020.003\SYMNETS.SYS [x]</div>

<div>S2 BPowMon;Broadcom Power monitoring service;c:\program files\Broadcom\BPowMon\BPowMon.exe [x]</div>

<div>S2 HP LaserJet Service;HP LaserJet Service;c:\program files\HP\HPLaserJetService\HPLaserJetService.exe [x]</div>

<div>S2 HPSIService;HP SI Service;c:\windows\system32\HPSIsvc.exe [x]</div>

<div>S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe [x]</div>

<div>S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]</div>

<div>S3 k57nd60x;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [x]</div>

<div>.</div>

<div>.</div>

<div>--- Other Services/Drivers In Memory ---</div>

<div>.</div>

<div>*NewlyCreated* - TRUESIGHT</div>

<div>*Deregistered* - TrueSight</div>

<div>.</div>

<div>[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]</div>

<div>HPZ12<span class="Apple-tab-span" style="white-space:pre"> </span>REG_MULTI_SZ   <span class="Apple-tab-span" style="white-space:pre"> </span>Pml Driver HPZ12 Net Driver HPZ12</div>

<div>.</div>

<div>Contents of the 'Scheduled Tasks' folder</div>

<div>.</div>

<div>2013-02-26 c:\windows\Tasks\Adobe Flash Player Updater.job</div>

<div>- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-19 15:46]</div>

<div>.</div>

<div>2013-02-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job</div>

<div>- c:\program files\Google\Update\GoogleUpdate.exe [2012-08-23 13:45]</div>

<div>.</div>

<div>2013-02-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job</div>

<div>- c:\program files\Google\Update\GoogleUpdate.exe [2012-08-23 13:45]</div>

<div>.</div>

<div>2013-02-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1969434105-834934542-9522986-1091Core1ce056d591ada65.job</div>

<div>- c:\users\WZhong\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-13 16:52]</div>

<div>.</div>

<div>2013-02-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1969434105-834934542-9522986-1091UA.job</div>

<div>- c:\users\WZhong\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-13 16:52]</div>

<div>.</div>

<div>.</div>

<div>------- Supplementary Scan -------</div>

<div>.</div>

<div>uStart Page = hxxp://www.google.com/webhp?client=aff-ime</div>

<div>IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000</div>

<div>IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105</div>

<div>Trusted Zone: travelexglobalpay.com</div>

<div>TCP: DhcpNameServer = 192.168.1.204 192.168.2.252</div>

<div>TCP: Interfaces\{BE7E8324-B07A-43CA-9749-766B7550D17D}: NameServer = 192.168.1.201,192.168.1.225</div>

<div>FF - ProfilePath - c:\users\WZhong\AppData\Roaming\Mozilla\Firefox\Profiles\wokxkn8x.default\</div>

<div>FF - prefs.js: browser.startup.homepage - hxxp://us.ard.yahoo.com/SIG=157tpqcdh/M=650008.12783705.13293953.12384300/D=yahoo_top/S=2023432473:HEADR/_ylt=Al6ba8R5iiBBFwCJddZACmgZIZt4/Y=YAHOO/EXP=1226953342/L=JHzDvVf4cdAFNfepSL2C3flkJnAb_kkhtl4AAU4X/B=bPMvGUwNBkk-/J=1226946142135266/A=5509528/R=5/SIG=10uacnjgh/*http://www.yahoo.com/bin/set</div>

<div>.</div>

<div>- - - - ORPHANS REMOVED - - - -</div>

<div>.</div>

<div>MSConfigStartUp-{D22AE122-D37B-AD7F-D977-1E7FEAEC3D62} - c:\users\WZhong\AppData\Roaming\Rijaoq\inde.exe</div>

<div>AddRemove-VISTA 6.0.3 Upgrade - c:\windows\UNWISE.EXE</div>

<div>.</div>

<div>.</div>

<div>.</div>

<div>[HKEY_LOCAL_MACHINE\system\ControlSet001\services\NIS]</div>

<div>"ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.7.2.3\diMaster.dll\" /prefetch:1"</div>

<div>.</div>

<div>--------------------- LOCKED REGISTRY KEYS ---------------------</div>

<div>.</div>

<div>[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]</div>

<div>@Denied: (Full) (Everyone)</div>

<div>.</div>

<div>Completion time: 2013-02-26  11:53:27</div>

<div>ComboFix-quarantined-files.txt  2013-02-26 16:53</div>

<div>.</div>

<div>Pre-Run: 264,932,737,024 bytes free</div>

<div>Post-Run: 265,088,057,344 bytes free</div>

<div>.</div>

<div>- - End Of File - - 54BDDC22895A6029BEF697D5834B0110</div>


I don't know why it came out like that but here's a better format

ComboFix 13-02-26.01 - wzhong 02/26/2013 11:45:54.1.2 - x86

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3037.1864 [GMT -5:00]

Running from: c:\users\WZhong\Desktop\ComboFix.exe

AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\WZhong\AppData\Local\Microsoft\Windows\Temporary Internet Files\{402C2BCF-77F8-4579-A177-8457602425BA}.xps

c:\users\WZhong\AppData\Local\Microsoft\Windows\Temporary Internet Files\{7ECE36F1-1A01-41CC-B934-D6C2C59C04F5}.xps

c:\users\WZhong\AppData\Local\Microsoft\Windows\Temporary Internet Files\{81C76323-63EC-455C-85F9-736FAFC9B4DA}.xps

c:\users\WZhong\AppData\Local\Microsoft\Windows\Temporary Internet Files\{8B61616E-B785-4B06-A295-EEDF3BE122EB}.xps

c:\users\WZhong\g2mdlhlpx.exe

c:\users\WZhong\GoToAssistDownloadHelper.exe

c:\windows\system32\spool\prtprocs\w32x86\x5pp.dll

c:\windows\system32\URTTemp

c:\windows\system32\URTTemp\regtlib.exe

c:\windows\UNWISE.EXE

.

.

((((((((((((((((((((((((( Files Created from 2013-01-26 to 2013-02-26 )))))))))))))))))))))))))))))))

.

.

2013-02-22 21:31 . 2013-02-22 21:31 -------- d-----w- c:\users\WZhong\AppData\Roaming\Malwarebytes

2013-02-22 21:31 . 2013-02-22 21:31 -------- d-----w- c:\programdata\Malwarebytes

2013-02-22 21:31 . 2013-02-22 21:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2013-02-22 21:31 . 2012-12-14 21:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-02-22 21:31 . 2013-02-22 21:31 -------- d-----w- c:\users\WZhong\AppData\Local\Programs

2013-02-13 15:00 . 2013-01-04 03:00 2347008 ----a-w- c:\windows\system32\win32k.sys

2013-02-13 15:00 . 2013-01-04 04:50 169984 ----a-w- c:\windows\system32\winsrv.dll

2013-02-13 15:00 . 2013-01-03 05:05 1293672 ----a-w- c:\windows\system32\drivers\tcpip.sys

2013-02-13 15:00 . 2013-01-03 05:04 187752 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS

2013-02-13 15:00 . 2013-01-05 05:00 3967848 ----a-w- c:\windows\system32\ntkrnlpa.exe

2013-02-13 15:00 . 2013-01-05 05:00 3913064 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-02-12 15:46 . 2013-02-12 15:46 16365936 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-02-12 15:46 . 2012-07-19 14:02 697712 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-02-12 15:46 . 2011-07-11 21:56 74096 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-12-16 14:13 . 2012-12-21 22:35 295424 ----a-w- c:\windows\system32\atmfd.dll

2012-12-16 14:13 . 2012-12-21 22:35 34304 ----a-w- c:\windows\system32\atmlib.dll

2012-12-07 12:26 . 2013-01-09 14:49 308736 ----a-w- c:\windows\system32\Wpc.dll

2012-12-07 12:20 . 2013-01-09 14:49 2576384 ----a-w- c:\windows\system32\gameux.dll

2012-12-07 10:46 . 2013-01-09 14:49 43520 ----a-w- c:\windows\system32\csrr.rs

2012-12-07 10:46 . 2013-01-09 14:49 30720 ----a-w- c:\windows\system32\usk.rs

2012-12-07 10:46 . 2013-01-09 14:49 45568 ----a-w- c:\windows\system32\oflc-nz.rs

2012-12-07 10:46 . 2013-01-09 14:49 44544 ----a-w- c:\windows\system32\pegibbfc.rs

2012-12-07 10:46 . 2013-01-09 14:49 20480 ----a-w- c:\windows\system32\pegi-pt.rs

2012-12-07 10:46 . 2013-01-09 14:49 23552 ----a-w- c:\windows\system32\oflc.rs

2012-12-07 10:46 . 2013-01-09 14:49 20480 ----a-w- c:\windows\system32\pegi-fi.rs

2012-12-07 10:46 . 2013-01-09 14:49 46592 ----a-w- c:\windows\system32\fpb.rs

2012-12-07 10:46 . 2013-01-09 14:49 20480 ----a-w- c:\windows\system32\pegi.rs

2012-12-07 10:46 . 2013-01-09 14:49 21504 ----a-w- c:\windows\system32\grb.rs

2012-12-07 10:46 . 2013-01-09 14:49 40960 ----a-w- c:\windows\system32\cob-au.rs

2012-12-07 10:46 . 2013-01-09 14:49 15360 ----a-w- c:\windows\system32\djctq.rs

2012-12-07 10:46 . 2013-01-09 14:49 55296 ----a-w- c:\windows\system32\cero.rs

2012-12-07 10:46 . 2013-01-09 14:49 51712 ----a-w- c:\windows\system32\esrb.rs

2012-11-30 04:47 . 2013-01-09 14:50 293376 ----a-w- c:\windows\system32\KernelBase.dll

2012-11-30 04:45 . 2013-01-09 14:50 4608 ---ha-w- c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll

2012-11-30 04:45 . 2013-01-09 14:50 4096 ---ha-w- c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll

2012-11-30 04:45 . 2013-01-09 14:50 4096 ---ha-w- c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll

2012-11-30 04:45 . 2013-01-09 14:50 4096 ---ha-w- c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll

2012-11-30 04:45 . 2013-01-09 14:50 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll

2012-11-30 04:45 . 2013-01-09 14:50 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll

2012-11-30 04:45 . 2013-01-09 14:50 3584 ---ha-w- c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll

2012-11-30 04:45 . 2013-01-09 14:50 3584 ---ha-w- c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll

2012-11-30 04:45 . 2013-01-09 14:50 3584 ---ha-w- c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll

2012-11-30 04:45 . 2013-01-09 14:50 3584 ---ha-w- c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll

2012-11-30 04:45 . 2013-01-09 14:50 3584 ---ha-w- c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll

2012-11-30 04:45 . 2013-01-09 14:50 3584 ---ha-w- c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll

2012-11-30 04:45 . 2013-01-09 14:50 3072 ---ha-w- c:\windows\system32\api-ms-win-core-string-l1-1-0.dll

2012-11-30 04:45 . 2013-01-09 14:50 3072 ---ha-w- c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll

2012-11-30 04:45 . 2013-01-09 14:50 3072 ---ha-w- c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll

2012-11-30 04:45 . 2013-01-09 14:50 3072 ---ha-w- c:\windows\system32\api-ms-win-core-io-l1-1-0.dll

2012-11-30 04:45 . 2013-01-09 14:50 5120 ---ha-w- c:\windows\system32\api-ms-win-core-file-l1-1-0.dll

2012-11-30 04:45 . 2013-01-09 14:50 3072 ---ha-w- c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll

2012-11-30 04:45 . 2013-01-09 14:50 3072 ---ha-w- c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll

2012-11-30 04:45 . 2013-01-09 14:50 3072 ---ha-w- c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll

2012-11-30 04:45 . 2013-01-09 14:50 3072 ---ha-w- c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll

2012-11-30 04:45 . 2013-01-09 14:50 3072 ---ha-w- c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll

2012-11-30 04:45 . 2013-01-09 14:50 3072 ---ha-w- c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll

2012-11-30 04:45 . 2013-01-09 14:50 3072 ---ha-w- c:\windows\system32\api-ms-win-core-console-l1-1-0.dll

2012-11-30 02:55 . 2013-01-09 14:50 271360 ----a-w- c:\windows\system32\conhost.exe

2012-11-30 02:38 . 2013-01-09 14:50 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll

2012-11-30 02:38 . 2013-01-09 14:50 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll

2012-11-30 02:38 . 2013-01-09 14:50 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll

2012-11-30 02:38 . 2013-01-09 14:50 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll

2013-02-07 18:01 . 2013-02-07 18:01 262552 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HPUsageTrackingLEDM"="c:\program files\HP\HP UT LEDM\bin\hppusg.exe" [2009-08-04 30264]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

.

c:\users\lintern\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-12-21 227712]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

CardMinder Viewer.lnk - c:\program files\PFU\ScanSnap\CardMinder V3.2\CardLauncher.exe [2011-9-13 36864]

Conversion to PDF with ScanSnap Organizer.lnk - c:\program files\PFU\ScanSnap\Organizer\PfuSsOrgOcrChk.exe [2011-9-13 24576]

ScanSnap Manager.lnk - c:\program files\PFU\ScanSnap\Driver\PfuSsMon.exe [2011-9-13 1159168]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0200804]

Ime File REG_SZ GOOGLEPINYIN2.IME

.

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [x]

S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1207020.003\SYMDS.SYS [x]

S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1207020.003\SYMEFA.SYS [x]

S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\BASHDefs\20130208.001\BHDrvx86.sys [x]

S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\IPSDefs\20130223.001\IDSvix86.sys [x]

S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1207020.003\Ironx86.SYS [x]

S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NIS\1207020.003\SYMNETS.SYS [x]

S2 BPowMon;Broadcom Power monitoring service;c:\program files\Broadcom\BPowMon\BPowMon.exe [x]

S2 HP LaserJet Service;HP LaserJet Service;c:\program files\HP\HPLaserJetService\HPLaserJetService.exe [x]

S2 HPSIService;HP SI Service;c:\windows\system32\HPSIsvc.exe [x]

S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe [x]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]

S3 k57nd60x;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [x]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - TRUESIGHT

*Deregistered* - TrueSight

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

.

2013-02-26 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-19 15:46]

.

2013-02-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2012-08-23 13:45]

.

2013-02-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2012-08-23 13:45]

.

2013-02-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1969434105-834934542-9522986-1091Core1ce056d591ada65.job

- c:\users\WZhong\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-13 16:52]

.

2013-02-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1969434105-834934542-9522986-1091UA.job

- c:\users\WZhong\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-13 16:52]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/webhp?client=aff-ime

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105

Trusted Zone: travelexglobalpay.com

TCP: DhcpNameServer = 192.168.1.204 192.168.2.252

TCP: Interfaces\{BE7E8324-B07A-43CA-9749-766B7550D17D}: NameServer = 192.168.1.201,192.168.1.225

FF - ProfilePath - c:\users\WZhong\AppData\Roaming\Mozilla\Firefox\Profiles\wokxkn8x.default\

FF - prefs.js: browser.startup.homepage - hxxp://us.ard.yahoo.com/SIG=157tpqcdh/M=650008.12783705.13293953.12384300/D=yahoo_top/S=2023432473:HEADR/_ylt=Al6ba8R5iiBBFwCJddZACmgZIZt4/Y=YAHOO/EXP=1226953342/L=JHzDvVf4cdAFNfepSL2C3flkJnAb_kkhtl4AAU4X/B=bPMvGUwNBkk-/J=1226946142135266/A=5509528/R=5/SIG=10uacnjgh/*http://www.yahoo.com/bin/set

.

- - - - ORPHANS REMOVED - - - -

.

MSConfigStartUp-{D22AE122-D37B-AD7F-D977-1E7FEAEC3D62} - c:\users\WZhong\AppData\Roaming\Rijaoq\inde.exe

AddRemove-VISTA 6.0.3 Upgrade - c:\windows\UNWISE.EXE

.

.

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\NIS]

"ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.7.2.3\diMaster.dll\" /prefetch:1"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2013-02-26 11:53:27

ComboFix-quarantined-files.txt 2013-02-26 16:53

.

Pre-Run: 264,932,737,024 bytes free

Post-Run: 265,088,057,344 bytes free

.

- - End Of File - - 54BDDC22895A6029BEF697D5834B0110

.


Everything seems good. Here's the last report.

Thank you for all your help!

-Daniel

Malwarebytes Anti-Malware 1.70.0.1100

www.malwarebytes.org

Database version: v2013.02.25.08

Windows 7 Service Pack 1 x86 NTFS

Internet Explorer 9.0.8112.16421

wzhong :: WZHONG [administrator]

2/26/2013 12:21:58 PM

mbam-log-2013-02-26 (12-21-58).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 511143

Time elapsed: 5 minute(s), 4 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


Good...........

Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!

MrC
