Anders001 Posted March 10, 2013 ID:655332

Hello and thank you for your time spent reading this.

Recently my computer has been running slower and a check of my task manager revealed that a program calling itself "Svchost.exe *32" has been using upwards of one gigabyte of RAM in the background. I attempted to manually remove the program, but it reappeared, and a scan and removal using Malwarebytes Anti-Malware has proven ineffective.

As instructed by the pinned topic, here are the logs from DDS and Attach.

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16464
Run by Bryan at 18:39:12 on 2013-03-09
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4044.1613 [GMT -6:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\system32\spool\DRIVERS\x64\3\lxdxserv.exe
C:\windows\system32\lxdxcoms.exe
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe
C:\windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe
C:\windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe
C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalServicePeerNet
\\.\globalroot\systemroot\svchost.exe -netsvcs
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\windows\servicing\TrustedInstaller.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\windows\system32\sppsvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
uProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
mRun: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
mRun: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe"
mRun: [bCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe"
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~3\Office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
TCP: NameServer = 192.168.2.1
TCP: Interfaces\{A70668E1-766A-4AE2-9208-5237FCEBB048} : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{A70668E1-766A-4AE2-9208-5237FCEBB048}\55F666D402355636572756 : DHCPNameServer = 128.101.101.101 134.84.84.84
TCP: Interfaces\{A70668E1-766A-4AE2-9208-5237FCEBB048}\55F666D4027457563747 : DHCPNameServer = 128.101.101.101 134.84.84.84
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-BHO: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\x64\TOSHIBAMediaControllerIE.dll
x64-Run: [igfxTray] C:\windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\windows\System32\igfxpers.exe
x64-Run: [smartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t
x64-Run: [synTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [TPwrMain] C:\Program Files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
x64-Run: [TCrdMain] C:\Program Files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
x64-Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe
x64-Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe
x64-Run: [TosNC] C:\Program Files (x86)\Toshiba\BulletinBoard\TosNcCore.exe
x64-Run: [TosReelTimeMonitor] C:\Program Files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Bryan\AppData\Roaming\Mozilla\Firefox\Profiles\xiruw803.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\windows\SysWOW64\Adobe\Director\np32dsw_1168638.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_6_602_171.dll
.
============= SERVICES / DRIVERS ===============
.
R0 tos_sps64;TOSHIBA tos_sps64 Service;C:\windows\System32\drivers\tos_sps64.sys [2009-6-24 482384]
R1 avgtp;avgtp;C:\windows\System32\drivers\avgtpx64.sys [2013-1-29 39768]
R2 lxdx_device;lxdx_device;C:\windows\System32\lxdxcoms.exe -service --> C:\windows\System32\lxdxcoms.exe -service [?]
R2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;C:\windows\System32\spool\drivers\x64\3\lxdxserv.exe [2012-9-16 29184]
R2 PCCUJobMgr;Common Client Job Manager Service;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe [2012-4-4 126392]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2012-4-4 2656280]
R2 vToolbarUpdater14.2.0;vToolbarUpdater14.2.0;C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe [2013-2-22 968880]
R3 FwLnk;FwLnk Driver;C:\windows\System32\drivers\FwLnk.sys [2012-4-4 9216]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\windows\System32\drivers\L1C62x64.sys [2011-2-9 77424]
R3 PGEffect;Pangu effect driver;C:\windows\System32\drivers\PGEffect.sys [2012-4-4 38096]
R3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\windows\System32\drivers\rtl8192ce.sys [2012-4-4 1109096]
R3 TMachInfo;TMachInfo;C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2012-4-4 57216]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2011-6-9 138152]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-1-8 161536]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\windows\System32\drivers\RtsUStor.sys [2012-4-4 243712]
S3 TsUsbFlt;TsUsbFlt;C:\windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\System32\Wat\WatAdminSvc.exe [2012-8-9 1255736]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2013-03-10 00:34:12 20480 ----a-w- C:\windows\svchost.exe
2013-03-10 00:16:38 8199504 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2013-03-10 00:16:30 9162192 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{A242102A-8B2D-4493-B116-05AF1920812E}\mpengine.dll
2013-03-09 23:41:43 7680 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\44DA.tmp
2013-03-09 23:41:43 7680 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\44D9.tmp
2013-03-09 17:13:24 -------- d-----w- C:\Users\Bryan\AppData\Roaming\UDP Software
2013-03-06 01:56:20 -------- d-----w- C:\Users\Bryan\AppData\Roaming\WindowsDatabase
2013-03-04 21:24:43 -------- d-sh--w- C:\$RECYCLE.BIN
2013-03-04 21:19:45 121 ----a-w- C:\windows\DeleteOnReboot.bat
2013-03-04 19:44:27 -------- d-----w- C:\Users\Bryan\AppData\Roaming\f-secure
2013-03-04 19:44:19 -------- d-----w- C:\ProgramData\F-Secure
2013-03-03 19:27:46 -------- d-----w- C:\Users\Bryan\AppData\Local\CrashDumps
2013-03-03 18:05:42 -------- d-----w- C:\Users\Bryan\AppData\Local\jZip
2013-03-03 18:05:24 -------- d-----w- C:\Program Files (x86)\jZip
2013-03-03 17:54:19 -------- d-----w- C:\Users\Bryan\AppData\Roaming\SpeedyPC Software
2013-03-03 17:54:19 -------- d-----w- C:\Users\Bryan\AppData\Roaming\DriverCure
2013-03-03 17:53:48 -------- d-----w- C:\ProgramData\SpeedyPC Software
2013-03-03 16:55:14 -------- d-----w- C:\Users\Bryan\AppData\Local\LogMeIn Rescue Applet
2013-02-28 11:54:22 -------- d-----w- C:\Users\Bryan\AppData\Local\NPE
2013-02-19 16:40:34 -------- d-----w- C:\Users\Bryan\AppData\Local\Apple Computer
2013-02-17 18:50:47 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin7.dll
2013-02-17 18:50:47 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin6.dll
2013-02-17 18:50:47 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
2013-02-17 18:50:47 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
2013-02-17 18:50:47 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
2013-02-17 18:50:47 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
2013-02-17 18:50:47 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin.dll
2013-02-14 11:31:55 996352 ----a-w- C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll
2013-02-14 11:31:55 768000 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll
2013-02-13 20:47:13 5553512 ----a-w- C:\windows\System32\ntoskrnl.exe
2013-02-13 20:47:13 3967848 ----a-w- C:\windows\SysWow64\ntkrnlpa.exe
2013-02-13 20:47:13 3913064 ----a-w- C:\windows\SysWow64\ntoskrnl.exe
2013-02-13 20:46:55 3153408 ----a-w- C:\windows\System32\win32k.sys
2013-02-13 20:41:15 7680 ----a-w- C:\windows\SysWow64\instnm.exe
2013-02-13 20:41:15 5120 ----a-w- C:\windows\SysWow64\wow32.dll
2013-02-13 20:41:15 25600 ----a-w- C:\windows\SysWow64\setup16.exe
2013-02-13 20:41:15 215040 ----a-w- C:\windows\System32\winsrv.dll
2013-02-13 20:41:15 2048 ----a-w- C:\windows\SysWow64\user.exe
2013-02-13 20:41:15 14336 ----a-w- C:\windows\SysWow64\ntvdm64.dll
2013-02-13 20:41:11 288088 ----a-w- C:\windows\System32\drivers\FWPKCLNT.SYS
2013-02-13 20:41:11 1913192 ----a-w- C:\windows\System32\drivers\tcpip.sys
.
==================== Find3M ====================
.
2013-02-27 03:49:35 71024 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-02-27 03:49:35 691568 ----a-w- C:\windows\SysWow64\FlashPlayerApp.exe
2013-02-22 12:11:46 39768 ----a-w- C:\windows\System32\drivers\avgtpx64.sys
2013-01-17 07:28:58 273840 ------w- C:\windows\System32\MpSigStub.exe
2013-01-13 21:17:03 9728 ---ha-w- C:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-01-13 21:17:02 2560 ---ha-w- C:\windows\SysWow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-01-13 21:16:42 10752 ---ha-w- C:\windows\SysWow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
2013-01-13 21:12:46 3584 ---ha-w- C:\windows\SysWow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-01-13 21:11:21 4096 ---ha-w- C:\windows\SysWow64\api-ms-win-downlevel-user32-l1-1-0.dll
2013-01-13 21:11:08 5632 ---ha-w- C:\windows\SysWow64\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-01-13 21:11:07 5632 ---ha-w- C:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-01-13 21:11:07 3072 ---ha-w- C:\windows\SysWow64\api-ms-win-downlevel-version-l1-1-0.dll
2013-01-13 21:11:07 3072 ---ha-w- C:\windows\SysWow64\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-01-13 20:35:31 9728 ---ha-w- C:\windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-01-13 20:35:31 2560 ---ha-w- C:\windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-01-13 20:35:18 10752 ---ha-w- C:\windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll
2013-01-13 20:32:07 3584 ---ha-w- C:\windows\System32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-01-13 20:31:48 4096 ---ha-w- C:\windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll
2013-01-13 20:31:41 5632 ---ha-w- C:\windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-01-13 20:31:40 5632 ---ha-w- C:\windows\System32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-01-13 20:31:40 3072 ---ha-w- C:\windows\System32\api-ms-win-downlevel-version-l1-1-0.dll
2013-01-13 20:31:40 3072 ---ha-w- C:\windows\System32\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-01-13 20:31:00 1247744 ----a-w- C:\windows\SysWow64\DWrite.dll
2013-01-13 20:22:22 1988096 ----a-w- C:\windows\SysWow64\d3d10warp.dll
2013-01-13 20:20:31 293376 ----a-w- C:\windows\SysWow64\dxgi.dll
2013-01-13 20:09:00 249856 ----a-w- C:\windows\SysWow64\d3d10_1core.dll
2013-01-13 20:08:43 220160 ----a-w- C:\windows\SysWow64\d3d10core.dll
2013-01-13 20:08:35 1504768 ----a-w- C:\windows\SysWow64\d3d11.dll
2013-01-13 19:59:04 1643520 ----a-w- C:\windows\System32\DWrite.dll
2013-01-13 19:58:28 1175552 ----a-w- C:\windows\System32\FntCache.dll
2013-01-13 19:54:01 604160 ----a-w- C:\windows\SysWow64\d3d10level9.dll
2013-01-13 19:53:58 207872 ----a-w- C:\windows\SysWow64\WindowsCodecsExt.dll
2013-01-13 19:53:14 187392 ----a-w- C:\windows\SysWow64\UIAnimation.dll
2013-01-13 19:51:30 2565120 ----a-w- C:\windows\System32\d3d10warp.dll
2013-01-13 19:49:17 363008 ----a-w- C:\windows\System32\dxgi.dll
2013-01-13 19:48:47 161792 ----a-w- C:\windows\SysWow64\d3d10_1.dll
2013-01-13 19:46:25 1080832 ----a-w- C:\windows\SysWow64\d3d10.dll
2013-01-13 19:43:21 1230336 ----a-w- C:\windows\SysWow64\WindowsCodecs.dll
2013-01-13 19:38:39 333312 ----a-w- C:\windows\System32\d3d10_1core.dll
2013-01-13 19:38:32 1887232 ----a-w- C:\windows\System32\d3d11.dll
2013-01-13 19:38:21 296960 ----a-w- C:\windows\System32\d3d10core.dll
2013-01-13 19:37:57 3419136 ----a-w- C:\windows\SysWow64\d2d1.dll
2013-01-13 19:25:04 245248 ----a-w- C:\windows\System32\WindowsCodecsExt.dll
2013-01-13 19:24:33 648192 ----a-w- C:\windows\System32\d3d10level9.dll
2013-01-13 19:24:30 221184 ----a-w- C:\windows\System32\UIAnimation.dll
2013-01-13 19:20:42 194560 ----a-w- C:\windows\System32\d3d10_1.dll
2013-01-13 19:20:04 1238528 ----a-w- C:\windows\System32\d3d10.dll
2013-01-13 19:15:40 1424384 ----a-w- C:\windows\System32\WindowsCodecs.dll
2013-01-13 19:10:36 3928064 ----a-w- C:\windows\System32\d2d1.dll
2013-01-13 19:02:06 417792 ----a-w- C:\windows\SysWow64\WMPhoto.dll
2013-01-13 18:34:58 364544 ----a-w- C:\windows\SysWow64\XpsGdiConverter.dll
2013-01-13 18:32:43 465920 ----a-w- C:\windows\System32\WMPhoto.dll
2013-01-13 18:09:52 522752 ----a-w- C:\windows\System32\XpsGdiConverter.dll
2013-01-13 17:26:42 1158144 ----a-w- C:\windows\SysWow64\XpsPrint.dll
2013-01-13 17:05:09 1682432 ----a-w- C:\windows\System32\XpsPrint.dll
2013-01-09 01:19:09 2312704 ----a-w- C:\windows\System32\jscript9.dll
2013-01-09 01:12:03 1392128 ----a-w- C:\windows\System32\wininet.dll
2013-01-09 01:11:06 1494528 ----a-w- C:\windows\System32\inetcpl.cpl
2013-01-09 01:07:51 173056 ----a-w- C:\windows\System32\ieUnatt.exe
2013-01-09 01:07:47 599040 ----a-w- C:\windows\System32\vbscript.dll
2013-01-09 01:04:42 2382848 ----a-w- C:\windows\System32\mshtml.tlb
2013-01-08 22:11:21 1800704 ----a-w- C:\windows\SysWow64\jscript9.dll
2013-01-08 22:03:20 1129472 ----a-w- C:\windows\SysWow64\wininet.dll
2013-01-08 22:03:12 1427968 ----a-w- C:\windows\SysWow64\inetcpl.cpl
2013-01-08 21:59:02 142848 ----a-w- C:\windows\SysWow64\ieUnatt.exe
2013-01-08 21:58:29 420864 ----a-w- C:\windows\SysWow64\vbscript.dll
2013-01-08 21:56:23 2382848 ----a-w- C:\windows\SysWow64\mshtml.tlb
2013-01-04 06:11:21 2284544 ----a-w- C:\windows\SysWow64\msmpeg2vdec.dll
2013-01-04 06:11:13 2776576 ----a-w- C:\windows\System32\msmpeg2vdec.dll
2013-01-04 04:43:21 44032 ----a-w- C:\windows\apppatch\acwow64.dll
2012-12-16 17:11:22 46080 ----a-w- C:\windows\System32\atmlib.dll
2012-12-16 14:45:03 367616 ----a-w- C:\windows\System32\atmfd.dll
2012-12-16 14:13:28 295424 ----a-w- C:\windows\SysWow64\atmfd.dll
2012-12-16 14:13:20 34304 ----a-w- C:\windows\SysWow64\atmlib.dll
2012-12-14 22:49:28 24176 ----a-w- C:\windows\System32\drivers\mbam.sys
.
============= FINISH: 18:40:24.95 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT.

DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 7/9/2012 3:12:01 PM
System Uptime: 3/9/2013 6:32:56 PM (0 hours ago)
.
Motherboard: TOSHIBA | | Portable PC
Processor: Intel® Pentium® CPU B960 @ 2.20GHz | CPU | 2200/1333mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 283 GiB total, 234.683 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP61: 3/4/2013 3:24:41 PM - ComboFix created restore point
RP62: 3/9/2013 6:15:34 PM - Windows Update
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader XI
Adobe Shockwave Player 11.6
Apple Application Support
Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver
Audacity 2.0.2
Conexant HD Audio
D3DX10
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Fraps (remove only)
GIMP 2.8.2
Intel® Management Engine Components
Intel® Processor Graphics
Intel® Rapid Storage Technology
Java Auto Updater
Java 6 Update 25
Junk Mail filter update
jZip
Label@Once 1.0
Lexmark 3600-4600 Series
Malwarebytes Anti-Malware version 1.70.0.1100
Mesh Runtime
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Office 2010
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office Office 64-bit Components 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared 64-bit MUI (English) 2010
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Mozilla Firefox 19.0.2 (x86 en-US)
Mozilla Maintenance Service
MSVCRT
MSVCRT_amd64
PlayReady PC Runtime amd64
PlayReady PC Runtime x86
Pokemon Showdown
QuickTime
Realtek USB 2.0 Card Reader
Realtek WLAN Driver
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft Excel 2010 (KB2597126) 32-Bit Edition
Security Update for Microsoft InfoPath 2010 (KB2687417) 32-Bit Edition
Security Update for Microsoft InfoPath 2010 (KB2687436) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553091)
Security Update for Microsoft Office 2010 (KB2553096)
Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553447) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2597986) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687501) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687510) 32-Bit Edition
Security Update for Microsoft Visio 2010 (KB2687508) 32-Bit Edition
Security Update for Microsoft Visio Viewer 2010 (KB2598287) 32-Bit Edition
Security Update for Microsoft Word 2010 (KB2760410) 32-Bit Edition
Skype Launcher
Skype™ 6.1
Steam
swMSM
Synaptics Pointing Device Driver
Toshiba App Place
TOSHIBA Application Installer
TOSHIBA Assist
TOSHIBA Bulletin Board
TOSHIBA Disc Creator
TOSHIBA Face Recognition
TOSHIBA Hardware Setup
TOSHIBA HDD/SSD Alert
Toshiba Laptop Checkup
TOSHIBA Media Controller
TOSHIBA Media Controller Plug-in
Toshiba Online Backup
TOSHIBA Quality Application
TOSHIBA Recovery Media Creator
TOSHIBA ReelTime
TOSHIBA Resolution+ Plug-in for Windows Media Player
TOSHIBA Service Station
TOSHIBA Supervisor Password
TOSHIBA Value Added Package
TOSHIBA Web Camera Application
TOSHIBARegistration
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553092)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553378) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2598242) 32-Bit Edition
Update for Microsoft Office 2010 (KB2687509) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2687277) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2597090) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2687623) 32-Bit Edition
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
Update for Microsoft PowerPoint 2010 (KB2598240) 32-Bit Edition
Update for Microsoft SharePoint Workspace 2010 (KB2589371) 32-Bit Edition
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Language Selector
Windows Live Mail
Windows Live Mesh
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Messenger
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live Remote Client
Windows Live Remote Client Resources
Windows Live Remote Service
Windows Live Remote Service Resources
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
XCOM: Enemy Unknown
.
==== Event Viewer Messages From Past Week ========
.
3/9/2013 6:29:47 PM, Error: bowser [8003] - The master browser has received a server announcement from the computer CINDY-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{A70668E1-766A-4AE2-9208-5237FCEBB048}. The master browser is stopping or an election is being forced.
3/9/2013 1:13:18 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Steam Client Service service to connect.
3/9/2013 1:13:18 PM, Error: Service Control Manager [7000] - The Steam Client Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
3/4/2013 5:12:11 AM, Error: Service Control Manager [7043] - The Group Policy Client service did not shut down properly after receiving a preshutdown control.
3/4/2013 3:17:32 PM, Error: Service Control Manager [7034] - The Adobe Acrobat Update Service service terminated unexpectedly. It has done this 1 time(s).
3/4/2013 11:45:46 AM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
3/4/2013 11:45:18 AM, Error: Application Popup [1060] - \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
3/4/2013 1:45:03 PM, Error: Application Popup [1060] - \??\C:\Users\Bryan\AppData\Local\Temp\OnlineScanner\Anti-Virus\ has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
3/3/2013 11:21:18 AM, Error: Service Control Manager [7000] - The Intel® Management and Security Application Local Management Service service failed to start due to the following error: The pipe has been ended.
.
==== End Of File ===========================
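The security-relevant detail in the log above is easy to miss among the legitimate entries. Every genuine service host on this machine runs as `C:\windows\system32\svchost.exe -k <group>`: the service control manager starts it from System32 and always passes a `-k` service-group argument. One entry does not fit: `\\.\globalroot\systemroot\svchost.exe -netsvcs` is reached through an NT object-manager device path, resolves to `C:\windows\svchost.exe` (not System32), and has no `-k`. The "Created Last 30" section then shows exactly that file, `C:\windows\svchost.exe`, 20480 bytes, appearing the same day. The Task Manager label "Svchost.exe *32" fits the same picture: `*32` marks a 32-bit process, while the real service hosts on a 64-bit install are 64-bit images. The following triage script is an added example written for this page (not code from the poster, from DDS, or from the forum staff). It parses DDS-style "Running Processes" and "Created Last 30" lines, flags svchost instances that break the three rules above, and correlates a flagged image with a recent file-creation entry. The sample lines are an excerpt copied from the log above; `SYSTEM_ROOT = C:\windows` is an assumption matching that log (read `%SystemRoot%` on a live system).

```python
"""Triage helper for the 'Running Processes' section of a DDS log.

Added example for this page, not part of the original post or of DDS.
Rules applied to every svchost.exe line:
  1. a genuine service host is launched from <SystemRoot>\System32 (or
     SysWOW64 for the 32-bit copy), never via a device/UNC path;
  2. the image directory must be one of those two;
  3. services.exe always passes "-k <servicegroup>" on the command line.
"""
import ntpath
import re

# Assumption for the example: the log's %SystemRoot% is C:\windows.
SYSTEM_ROOT = r"C:\windows"
LEGIT_SVCHOST_DIRS = {
    ntpath.join(SYSTEM_ROOT, "System32").lower(),
    ntpath.join(SYSTEM_ROOT, "SysWOW64").lower(),
}

# Constructed excerpt of the 'Running Processes' section of the log above.
RUNNING_PROCESSES = [
    r"C:\windows\system32\svchost.exe -k DcomLaunch",
    r"C:\windows\system32\svchost.exe -k netsvcs",
    r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe",
    r"C:\windows\System32\svchost.exe -k LocalServicePeerNet",
    r"\\.\globalroot\systemroot\svchost.exe -netsvcs",
    r"C:\windows\servicing\TrustedInstaller.exe",
]
# Constructed excerpt of the 'Created Last 30' section of the same log.
CREATED_LAST_30 = [
    r"2013-03-10 00:34:12 20480 ----a-w- C:\windows\svchost.exe",
    r"2013-03-04 21:19:45 121 ----a-w- C:\windows\DeleteOnReboot.bat",
]

# DDS prints "<image path> [args]"; the image path ends at the first ".exe".
_PROC_RE = re.compile(r"^(?P<image>.+?\.exe)\s*(?P<args>.*)$", re.IGNORECASE)
# \\.\globalroot\systemroot\... and \\?\globalroot\systemroot\... both name
# the Windows directory through the NT object manager namespace.
_GLOBALROOT_RE = re.compile(r"^\\\\[.?]\\globalroot\\systemroot(?=\\)", re.IGNORECASE)
_CREATED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\S+)\s+(?P<attr>\S+)\s+(?P<path>.+)$"
)


def parse_process_line(line):
    """Split a DDS process line into (image_path, [args]); None if it is not one."""
    m = _PROC_RE.match(line.strip())
    if not m:
        return None
    return m.group("image"), m.group("args").split()


def resolve_path(image):
    """Rewrite the \\.\globalroot\systemroot spelling back to a drive-letter path."""
    # A callable replacement avoids re.sub treating "\w" in SYSTEM_ROOT as an escape.
    return _GLOBALROOT_RE.sub(lambda _m: SYSTEM_ROOT, image)


def audit_svchost(line):
    """Return the reasons a process line looks like a masquerading svchost ([] if normal)."""
    parsed = parse_process_line(line)
    if parsed is None:
        return []
    image, args = parsed
    if ntpath.basename(image).lower() != "svchost.exe":
        return []
    reasons = []
    if image.startswith("\\\\"):
        reasons.append("launched via a device/UNC path rather than a drive letter")
    resolved = resolve_path(image)
    if ntpath.dirname(resolved).lower() not in LEGIT_SVCHOST_DIRS:
        reasons.append(f"image resolves to {resolved}, outside System32/SysWOW64")
    if len(args) < 2 or args[0].lower() != "-k":
        reasons.append("no '-k <servicegroup>' argument (a real service host always has one)")
    return reasons


def created_entry_for(path, created_lines):
    """Return (timestamp, size) if DDS saw this path appear in the last 30 days."""
    for line in created_lines:
        m = _CREATED_RE.match(line.strip())
        if m and m.group("path").lower() == path.lower():
            return m.group("ts"), m.group("size")
    return None


def triage(process_lines, created_lines):
    """Map each suspicious svchost image (resolved path) to its reasons and creation entry."""
    report = {}
    for line in process_lines:
        reasons = audit_svchost(line)
        if reasons:
            image = resolve_path(parse_process_line(line)[0])
            report[image] = {"reasons": reasons,
                             "created": created_entry_for(image, created_lines)}
    return report


if __name__ == "__main__":
    for image, info in triage(RUNNING_PROCESSES, CREATED_LAST_30).items():
        print(f"[!] {image}")
        for reason in info["reasons"]:
            print(f"    - {reason}")
        if info["created"]:
            ts, size = info["created"]
            print(f"    - appeared in 'Created Last 30' at {ts} ({size} bytes)")
```

Run against the excerpt, the only hit is `C:\windows\svchost.exe` with all three reasons and the matching creation entry; the seven System32 hosts and the non-svchost lines pass. The same three rules transfer to a live system: compare each svchost.exe's image path and command line against System32 and `-k`, and treat a parent other than services.exe as a fourth signal.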
Staff CatByte Posted March 10, 2013 ID:655340

Please do the following:

- Download the appropriate version for your system of the Farbar Recovery Scan Tool and save it to a flash drive.
- Plug the flash drive into the infected PC.
- Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

- Restart the computer.
- As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
- Use the arrow keys to select the Repair your computer menu item.
- Choose your language settings, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account and click Next.

To enter System Recovery Options by using the Windows installation disc:

- Insert the installation disc.
- Restart your computer.
- If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
- Click Repair your computer.
- Choose your language settings, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

- Startup Repair
- System Restore
- Windows Complete PC Restore
- Windows Memory Diagnostic Tool
- Command Prompt

Then:

- Select Command Prompt.
- In the command window type in notepad and press Enter.
- The notepad opens. Under the File menu select Open.
- Select "Computer" and find your flash drive letter, then close the notepad.
- In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter. Note: Replace the letter e with the drive letter of your flash drive.
- The tool will start to run.
- When the tool opens click Yes to the disclaimer.
- Place a check next to List Drivers MD5 as well as the default check marks that are already there.
- Press the Scan button.
- Type exit and reboot the computer normally.
- FRST will make a log (FRST.txt) on the flash drive; please copy and paste the log in your reply.
Anders001 (Author) Posted March 10, 2013, ID:655383

Thank you for getting back to me.

I have done as you said. However, upon selecting "Repair Your Computer," my computer begins loading the files and then a window appears reading "Error: F3-F100-0010" and forces me to shut down the computer.

If it helps, my computer is a Toshiba.
CatByte (Staff) Posted March 10, 2013, ID:655470

ok, let's try another approach

please run the following:

Please create a new system restore point before running Malwarebytes Anti-Rootkit if you can.

MBAR tutorial
- Download Malwarebytes Anti-Rootkit from HERE
- Unzip the contents to a folder in a convenient location.
- Open the folder where the contents were unzipped and run mbar.exe
- Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
- Click on the Cleanup button to remove any threats and reboot if prompted to do so.
- Wait while the system shuts down and the cleanup process is performed.
- Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
- When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

~~~~~~~~~~~~~~~~~~~~~~~
Note:
If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:
- Internet access
- Windows Update
- Windows Firewall
If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot.
Verify that your system is now functioning normally.
Anders001 (Author) Posted March 10, 2013, ID:655511

All three of those items seem to still be working properly.

Here are the logs from the scan:

Mbar Log

Malwarebytes Anti-Rootkit BETA 1.01.0.1021
www.malwarebytes.org

Database version: v2013.03.10.03

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Bryan :: BRYAN-LAPTOP [administrator]

3/10/2013 9:24:23 AM
mbar-log-2013-03-10 (09-24-23).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 26932
Time elapsed: 7 minute(s), 59 second(s)

Memory Processes Detected: 1
c:\Windows\svchost.exe (Trojan.Agent) -> 1384 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 5
C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Bootstrap_0_0_56_infected.mbam (Rootkit.Pihar.c.MBR) -> Delete on reboot.
C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\MBR_0_infected.mbam (Rootkit.Pihar.c.MBR) -> Delete on reboot.
C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Sector_0_625142416_user.mbam (Forged physical sector) -> Delete on reboot.
c:\Users\Bryan\AppData\Local\Temp\0.5799601618144113 (Trojan.FakeMS) -> Delete on reboot.
c:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot.

(end)

System Log
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1021
© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative
Internet Explorer version: 9.0.8112.16421
Java version: 1.6.0_25
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.195000 GHz
Memory total: 4240293888, free: 2867716096

------------ Kernel report ------------ 03/10/2013
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa8004f15700
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IAAStorageDevice-1\
Lower Device Object: 0xfffffa8004dcc050
Lower Device Driver Name: \00000197\
Driver name found: iaStor
Initialization returned 0x0
Load Function returned 0x0
Downloaded database version: v2013.03.10.03
Initializing...
Done!
<<<2>>>
Device number: 0, partition: 2
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa8004f15700, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8004f15150, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8004f15700, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8004dcc050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \00000197\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0xfffff8a00a34efe0, 0xfffffa8004f15700, 0xfffffa800436e510
Lower DeviceData: 0xfffff8a003e1a650, 0xfffffa8004dcc050, 0xfffffa80046bf980
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning directory: C:\windows\system32\drivers...
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
MBR buffers are not equal
MBR is forged! [4333f673a96dbe57f4d0023e55e5303d]
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 10ED62A
Partition information:
    Partition 0 type is Empty (0x0)
    Partition is ACTIVE.
    Partition starts at LBA: 56  Numsec = 0
    Partition is not bootable
Infected: VBR on Empty active partition --> [Rootkit.Pihar.c.MBR]
Changing partition to empty and not active. New active partition is 1 on drive 0 ...
    Partition 0 type is Other (0x27)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 3072000
    Partition file system is NTFS
    Partition is bootable
    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 3074048  Numsec = 593401856
    Partition file system is NTFS
    Partition is bootable
    Partition 2 type is HIDDEN (0x17)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 596475904  Numsec = 28665856
    Partition is not bootable
Hidden partition VBR is not infected.
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
MBR infection found on drive 0
Disk Size: 320072933376 bytes
Sector size: 512 bytes
Scanning physical sectors of unpartitioned space on drive 0 (1-55-625122448-625142448)...
Done!
Performing system, memory and registry scan...
Infected: c:\Users\Bryan\AppData\Local\Temp\0.5799601618144113 --> [Trojan.FakeMS]
Infected: c:\Windows\svchost.exe --> [Trojan.Agent]
Infected: c:\Windows\svchost.exe --> [Trojan.Agent]
Done!
Scan finished
Creating System Restore point...
Scheduling clean up...
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1021
© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative
Internet Explorer version: 9.0.8112.16421
Java version: 1.6.0_25
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.195000 GHz
Memory total: 4240293888, free: 3260661760

Removal queue found; removal started
Removing c:\Users\Bryan\AppData\Local\Temp\0.5799601618144113...
Removing c:\Windows\svchost.exe...
Removal finished
=======================================
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1021
© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative
Internet Explorer version: 9.0.8112.16421
Java version: 1.6.0_25
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.195000 GHz
Memory total: 4240293888, free: 3041112064

------------ Kernel report ------------ 03/10/2013 09:27:02
------------ Loaded modules
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa8004f2d200
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IAAStorageDevice-1\
Lower Device Object: 0xfffffa8004ddf050
Lower Device Driver Name: \Driver\iaStor\
Driver name found: iaStor
Initialization returned 0x0
Load Function returned 0x0
No address found
Host not found
Initializing...
Done!
<<<2>>>
Device number: 0, partition: 2
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa8004f2d200, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8004f2e040, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8004f2d200, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8004ddf050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0xfffff8a001fc7560, 0xfffffa8004f2d200, 0xfffffa8004030090
Lower DeviceData: 0xfffff8a001afc580, 0xfffffa8004ddf050, 0xfffffa80088a78b0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning directory: C:\windows\system32\drivers...
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 10ED62A
Partition information:
    Partition 0 type is Other (0x27)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 3072000
    Partition file system is NTFS
    Partition is bootable
    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 3074048  Numsec = 593401856
    Partition file system is NTFS
    Partition is bootable
    Partition 2 type is HIDDEN (0x17)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 596475904  Numsec = 28665856
    Partition is not bootable
Hidden partition VBR is not infected.
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
Disk Size: 320072933376 bytes
Sector size: 512 bytes
Scanning physical sectors of unpartitioned space on drive 0 (1-2047-625122448-625142448)...
Done!
Performing system, memory and registry scan...
Done!
Scan finished
=======================================
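The partition-table inspection in the MBAR system log above (a forged MBR whose entry 0 is type "Empty" yet marked active and pointing at LBA 56, followed by "Changing partition to empty and not active") as an added Python example that is not part of this thread and is not Malwarebytes' code: it parses a 512-byte MBR, runs the same table-level checks, and applies the repair to a constructed sample sector modelled on the log's table. Offsets are the standard MBR layout; the type labels are an assumed mapping to MBAR's wording.

```python
"""Parse a 512-byte MBR and apply the partition-table checks that produced the
'Empty active partition at LBA 56' finding in the MBAR log above.
Added example, not code from Malwarebytes or from this thread."""
from __future__ import annotations
import hashlib
import struct
from dataclasses import dataclass

MBR_SIZE = 512
DISK_SIG_OFFSET = 440   # 4-byte NT disk signature (the log's "Disk Signature")
PT_OFFSET = 446         # four 16-byte partition entries
ENTRY_SIZE = 16
BOOT_SIG = 0xAA55       # bytes 55 AA at offset 510, printed as "55AA" in the log
# Type labels as MBAR prints them for the codes seen in the log (assumed mapping).
TYPE_NAMES = {0x00: "Empty", 0x07: "Primary", 0x17: "HIDDEN", 0x27: "Other"}


@dataclass
class PartitionEntry:
    index: int
    active: bool        # boot indicator byte == 0x80
    type_code: int
    lba_start: int
    num_sectors: int

    def describe(self) -> str:
        name = TYPE_NAMES.get(self.type_code, "Unknown")
        state = "ACTIVE" if self.active else "NOT ACTIVE"
        return (f"Partition {self.index} type is {name} (0x{self.type_code:X}) "
                f"Partition is {state}. Partition starts at LBA: {self.lba_start} "
                f"Numsec = {self.num_sectors}")


def parse_mbr(mbr: bytes) -> tuple[int, list[PartitionEntry]]:
    """Return (disk signature, four entries); reject a sector without the 55AA mark."""
    if len(mbr) != MBR_SIZE or struct.unpack_from("<H", mbr, 510)[0] != BOOT_SIG:
        raise ValueError("not a 512-byte sector with a 55AA boot signature")
    disk_sig = struct.unpack_from("<I", mbr, DISK_SIG_OFFSET)[0]
    entries = []
    for i in range(4):
        boot, _chs0, ptype, _chs1, lba, nsec = struct.unpack_from(
            "<B3sB3sII", mbr, PT_OFFSET + i * ENTRY_SIZE)
        entries.append(PartitionEntry(i, boot == 0x80, ptype, lba, nsec))
    return disk_sig, entries


def find_anomalies(entries: list[PartitionEntry]) -> list[tuple[int, str]]:
    """Table-level checks; each hit is (entry index, reason). A type-0x00 entry that
    is active, or that points somewhere, is exactly what the log flagged."""
    real_starts = [e.lba_start for e in entries if e.type_code and e.lba_start]
    first_lba = min(real_starts) if real_starts else 0
    hits = []
    for e in entries:
        if e.type_code == 0 and e.active:
            hits.append((e.index, "empty-type entry is flagged active"))
        if e.type_code == 0 and (e.lba_start or e.num_sectors):
            hits.append((e.index, "empty-type entry has a non-zero start or length"))
        if e.type_code and e.num_sectors == 0:
            hits.append((e.index, "non-empty entry has zero length"))
        if 0 < e.lba_start < first_lba:
            hits.append((e.index, "starts in the unpartitioned gap before the first partition"))
    return hits


def mbr_fingerprint(mbr: bytes) -> str:
    """MD5 of the sector, the kind of value MBAR prints in brackets after 'MBR is forged!'."""
    return hashlib.md5(mbr).hexdigest()


def clear_entry(mbr: bytes, index: int) -> bytes:
    """Copy of the sector with one entry zeroed: the log's 'Changing partition to empty
    and not active', performed on a byte string rather than on the live disk."""
    buf = bytearray(mbr)
    off = PT_OFFSET + index * ENTRY_SIZE
    buf[off:off + ENTRY_SIZE] = bytes(ENTRY_SIZE)
    return bytes(buf)


def build_mbr(disk_sig: int, table: list[tuple[int, int, int, int]]) -> bytes:
    """Construct a sector from (boot byte, type, lba_start, num_sectors) tuples."""
    buf = bytearray(MBR_SIZE)
    struct.pack_into("<I", buf, DISK_SIG_OFFSET, disk_sig)
    for i, (boot, ptype, lba, nsec) in enumerate(table):
        struct.pack_into("<B3sB3sII", buf, PT_OFFSET + i * ENTRY_SIZE,
                         boot, b"\0\0\0", ptype, b"\0\0\0", lba, nsec)
    struct.pack_into("<H", buf, 510, BOOT_SIG)
    return bytes(buf)


# Constructed sample modelled on the infected table in the log: an 'Empty' entry that
# is active and points at LBA 56, ahead of the recovery, system and hidden partitions.
INFECTED_MBR = build_mbr(0x010ED62A, [
    (0x80, 0x00, 56, 0),
    (0x80, 0x27, 2048, 3072000),
    (0x00, 0x07, 3074048, 593401856),
    (0x00, 0x17, 596475904, 28665856),
])
CLEANED_MBR = clear_entry(INFECTED_MBR, 0)

if __name__ == "__main__":
    sig, entries = parse_mbr(INFECTED_MBR)
    print(f"Disk Signature: {sig:X}  MD5 {mbr_fingerprint(INFECTED_MBR)}")
    print("\n".join(e.describe() for e in entries))
    print(find_anomalies(entries), find_anomalies(parse_mbr(CLEANED_MBR)[1]))
```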
CatByte (Staff) Posted March 10, 2013, ID:655513

looks better

please run the following:

Refer to the ComboFix User's Guide

- Download ComboFix from the following location: Link
  * IMPORTANT !!! Place ComboFix.exe on your Desktop
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix. You can get help on disabling your protection programs here
- Double click on ComboFix.exe & follow the prompts.
- Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
- When finished, it shall produce a log for you. Post that log in your next reply

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
---------------------------------------------------------------------------------------------
Ensure your AntiVirus and AntiSpyware applications are re-enabled.
---------------------------------------------------------------------------------------------
NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
Anders001 (Author) Posted March 10, 2013, ID:655531

ComboFix 13-03-10.02 - Bryan 03/10/2013 11:09:53.2.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4044.2719 [GMT -5:00]
Running from: c:\users\Bryan\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

c:\programdata\Microsoft\Windows\DRM\44D9.tmp
c:\programdata\Microsoft\Windows\DRM\44DA.tmp

((((((((((((((((((((((((( Files Created from 2013-02-10 to 2013-03-10 )))))))))))))))))))))))))))))))

2013-03-10 16:14 . 2013-03-10 16:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-03-10 14:16 . 2013-03-10 14:16 76232 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A242102A-8B2D-4493-B116-05AF1920812E}\offreg.dll
2013-03-10 04:07 . 2013-03-10 04:07 -------- d-----w- C:\FRST
2013-03-10 00:16 . 2013-02-19 09:57 9162192 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A242102A-8B2D-4493-B116-05AF1920812E}\mpengine.dll
2013-03-09 17:13 . 2013-03-09 17:13 -------- d-----w- c:\users\Bryan\AppData\Roaming\UDP Software
2013-03-06 01:56 . 2013-03-06 01:56 -------- d-----w- c:\users\Bryan\AppData\Roaming\WindowsDatabase
2013-03-04 21:19 . 2013-03-04 21:19 121 ----a-w- c:\windows\DeleteOnReboot.bat
2013-03-04 19:44 . 2013-03-04 19:44 -------- d-----w- c:\users\Bryan\AppData\Roaming\f-secure
2013-03-04 19:44 . 2013-03-04 19:44 -------- d-----w- c:\programdata\F-Secure
2013-03-03 19:27 . 2013-03-10 01:52 -------- d-----w- c:\users\Bryan\AppData\Local\CrashDumps
2013-03-03 18:05 . 2013-03-03 18:06 -------- d-----w- c:\users\Bryan\AppData\Local\jZip
2013-03-03 18:05 . 2013-03-03 18:06 -------- d-----w- c:\program files (x86)\jZip
2013-03-03 17:54 . 2013-03-03 17:54 -------- d-----w- c:\users\Bryan\AppData\Roaming\SpeedyPC Software
2013-03-03 17:54 . 2013-03-03 17:54 -------- d-----w- c:\users\Bryan\AppData\Roaming\DriverCure
2013-03-03 17:53 . 2013-03-03 18:50 -------- d-----w- c:\programdata\SpeedyPC Software
2013-03-03 16:55 . 2013-03-03 17:19 -------- d-----w- c:\users\Bryan\AppData\Local\LogMeIn Rescue Applet
2013-02-28 11:54 . 2013-03-03 17:20 -------- d-----w- c:\users\Bryan\AppData\Local\NPE
2013-02-19 16:40 . 2013-02-19 16:40 -------- d-----w- c:\users\Bryan\AppData\Local\Apple Computer
2013-02-17 18:50 . 2013-02-17 18:50 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin7.dll
2013-02-17 18:50 . 2013-02-17 18:50 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin6.dll
2013-02-17 18:50 . 2013-02-17 18:50 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
2013-02-17 18:50 . 2013-02-17 18:50 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
2013-02-17 18:50 . 2013-02-17 18:50 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
2013-02-17 18:50 . 2013-02-17 18:50 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
2013-02-17 18:50 . 2013-02-17 18:50 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin.dll
2013-02-14 11:31 . 2013-01-09 01:10 996352 ----a-w- c:\program files\Common Files\Microsoft Shared\VGX\VGX.dll
2013-02-14 11:31 . 2013-01-08 22:01 768000 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll
2013-02-13 20:47 . 2013-01-05 05:53 5553512 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-02-13 20:47 . 2013-01-05 05:00 3967848 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2013-02-13 20:47 . 2013-01-05 05:00 3913064 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2013-02-13 20:46 . 2013-01-04 03:26 3153408 ----a-w- c:\windows\system32\win32k.sys
2013-02-13 20:41 . 2013-01-04 05:46 215040 ----a-w- c:\windows\system32\winsrv.dll
2013-02-13 20:41 . 2013-01-04 04:51 5120 ----a-w- c:\windows\SysWow64\wow32.dll
2013-02-13 20:41 . 2013-01-04 02:47 25600 ----a-w- c:\windows\SysWow64\setup16.exe
2013-02-13 20:41 . 2013-01-04 02:47 7680 ----a-w- c:\windows\SysWow64\instnm.exe
2013-02-13 20:41 . 2013-01-04 02:47 2048 ----a-w- c:\windows\SysWow64\user.exe
2013-02-13 20:41 . 2013-01-04 02:47 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll
2013-02-13 20:41 . 2013-01-03 06:00 1913192 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-02-13 20:41 . 2013-01-03 06:00 288088 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2013-02-27 03:49 . 2012-08-31 11:27 691568 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-02-27 03:49 . 2011-10-31 02:34 71024 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-02-22 12:11 . 2013-01-30 02:43 39768 ----a-w- c:\windows\system32\drivers\avgtpx64.sys
2013-02-14 11:37 . 2012-12-09 01:33 70004024 ----a-w- c:\windows\system32\MRT.exe
2013-01-17 07:28 . 2010-11-21 03:27 273840 ------w- c:\windows\system32\MpSigStub.exe
2013-01-04 04:43 . 2013-02-13 20:41 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2012-12-16 17:11 . 2012-12-21 09:00 46080 ----a-w- c:\windows\system32\atmlib.dll
2012-12-16 14:45 . 2012-12-21 09:00 367616 ----a-w- c:\windows\system32\atmfd.dll
2012-12-16 14:13 . 2012-12-21 09:00 295424 ----a-w- c:\windows\SysWow64\atmfd.dll
2012-12-16 14:13 . 2012-12-21 09:00 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2012-12-14 22:49 . 2012-12-19 22:54 24176 ----a-w- c:\windows\system32\drivers\mbam.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2011-07-12 1298816]
"ToshibaAppPlace"="c:\program files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe" [2010-09-23 552960]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-09-24 926896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"Z1"="c:\users\Bryan\Desktop\mbar\mbar.exe" [2013-02-16 1363016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2013-01-08 161536]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2010-10-08 243712]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-08-10 1255736]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 tos_sps64;TOSHIBA tos_sps64 Service;c:\windows\system32\DRIVERS\tos_sps64.sys [2009-06-24 482384]
S1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx64.sys [2013-02-22 39768]
S2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe [2010-02-04 1039872]
S2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\system32\spool\DRIVERS\x64\3\\lxdxserv.exe [2010-02-04 29184]
S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe [2011-07-19 126392]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-02-01 2656280]
S2 vToolbarUpdater14.2.0;vToolbarUpdater14.2.0;c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe [2013-02-22 968880]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2009-07-07 9216]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [2011-02-09 77424]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2011-02-09 38096]
S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys [2011-01-05 1109096]
S3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2011-07-12 57216]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2011-06-10 138152]

Contents of the 'Scheduled Tasks' folder

2013-03-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-31 03:49]

--------- X64 Entries -----------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-04-08 167256]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-04-08 391000]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-04-08 418136]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-12-14 316032]
"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2011-06-10 710560]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalServiceFontCache

------- Supplementary Scan -------

uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~3\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\Bryan\AppData\Roaming\Mozilla\Firefox\Profiles\xiruw803.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
Wow6432Node-HKLM-Run-vProt - c:\program files (x86)\AVG Secure Search\vprot.exe
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
HKLM-Run-TCrdMain - c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
HKLM-Run-TosNC - c:\program files (x86)\Toshiba\BulletinBoard\TosNcCore.exe
HKLM-Run-TosReelTimeMonitor - c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
AddRemove-NortonPCCheckup - c:\program files 
(x86)\NortonInstaller\{170fa89a-6886-4c9e-b17b-12bccdd80788}\NortonPCCheckup\LicenseType\2.0.13.11\InstStub.exe...[HKEY_LOCAL_MACHINE\system\ControlSet001\services\PCCUJobMgr]"ImagePath"="\"c:\program files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files (x86)\Norton PC Checkup\Engine\2.0.13.11\diMaster.dll\" /prefetch:1".--------------------- LOCKED REGISTRY KEYS ---------------------.[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]@Denied: (A 2) (Everyone)@="FlashBroker""LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_171_ActiveX.exe,-101".[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]"Enabled"=dword:00000001.[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_171_ActiveX.exe".[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}".[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]@Denied: (A 2) (Everyone)@="IFlashBroker5".[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]@="{00020424-0000-0000-C000-000000000046}".[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}""Version"="1.0".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]@Denied: (A 2) 
(Everyone)@="FlashBroker""LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe,-101".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]"Enabled"=dword:00000001.[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]@Denied: (A 2) (Everyone)@="Shockwave Flash Object".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx""ThreadingModel"="Apartment".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]@="0".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]@="ShockwaveFlash.ShockwaveFlash.11".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx, 1".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]@="{D27CDB6B-AE6D-11cf-96B8-444553540000}".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]@="1.0".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]@="ShockwaveFlash.ShockwaveFlash".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]@Denied: (A 2) (Everyone)@="Macromedia Flash Factory 
Object".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx""ThreadingModel"="Apartment".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]@="FlashFactory.FlashFactory.1".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx, 1".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]@="{D27CDB6B-AE6D-11cf-96B8-444553540000}".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]@="1.0".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]@="FlashFactory.FlashFactory".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]@Denied: (A 2) (Everyone)@="IFlashBroker5".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]@="{00020424-0000-0000-C000-000000000046}".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}""Version"="1.0".[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]@Denied: (A) (Everyone)"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}".[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]@Denied: (A) (Everyone).[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]"Key"="ActionsPane3""Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd".[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]@Denied: (Full) (Everyone).Completion time: 
2013-03-10 11:15:36ComboFix-quarantined-files.txt 2013-03-10 16:15ComboFix2.txt 2013-03-04 17:47.Pre-Run: 250,665,304,064 bytes freePost-Run: 250,759,041,024 bytes free.- - End Of File - - BD350EB0DC5F5DBCB513E83203500A1E Link to post Share on other sites More sharing options...
Staff CatByte Posted March 10, 2013 ID:655535

Please run the following:

Please download Junkware Removal Tool to your desktop.
Shut down your antivirus to avoid any conflicts.
Right-click JRT.exe and select Run as administrator.
The tool will open and start scanning your system.
Please be patient as this can take a while to complete.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.

NEXT

Download AdwCleaner from here and save it to your desktop.
Run AdwCleaner and select Delete.
Once done it will ask to reboot; allow the reboot.
On reboot a log will be produced; please attach the content of the log to your next reply.

NEXT

Please open your Malwarebytes Anti-Malware program.
Click the Update tab and search for updates.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected. <-- very important
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

NEXT

Go here to run an online scanner from ESET.
Turn off the real-time scanner of any existing antivirus program while performing the online scan.
Tick the box next to YES, I accept the Terms of Use.
Click Start.
When asked, allow the ActiveX control to install.
Click Start.
Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
Click Scan.
Wait for the scan to finish.
When the scan completes, press the LIST OF THREATS FOUND button.
Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop. Include the contents of this report in your next reply.
Press the BACK button.
Press Finish.
Anders001 (Author) Posted March 10, 2013 ID:655552

Malwarebytes' Anti-Malware Quick Scan did not detect any threats and did not save a log anywhere that I was able to locate. There was no log saved for the scan done today under the Logs tab.

Here are the logs for the other tools you had me run:

Junkware Removal Tool Log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.6.9 (03.06.2013:1)
OS: Windows 7 Home Premium x64
Ran by Bryan on Sun 03/10/2013 at 11:43:58.94
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\speedypc software"
Successfully deleted: [Folder] "C:\Users\Bryan\AppData\Roaming\drivercure"
Successfully deleted: [Folder] "C:\Users\Bryan\AppData\Roaming\pccustubinstaller"
Successfully deleted: [Folder] "C:\Users\Bryan\AppData\Roaming\speedypc software"

~~~ FireFox

Successfully deleted: [File] C:\Users\Bryan\AppData\Roaming\mozilla\firefox\profiles\xiruw803.default\extensions\rjxykeksdq@rjxykeksdq.org.xpi [Tracur]
Emptied folder: C:\Users\Bryan\AppData\Roaming\mozilla\firefox\profiles\xiruw803.default\minidumps [353 files]

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 03/10/2013 at 11:50:07.50
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

AdwCleaner Log

# AdwCleaner v2.114 - Logfile created 03/10/2013 at 11:53:07
# Updated 05/03/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Bryan - BRYAN-LAPTOP
# Boot Mode : Normal
# Running from : C:\Users\Bryan\Desktop\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

Deleted on reboot : C:\Program Files (x86)\Common Files\AVG Secure Search

***** [Registry] *****

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16464

[OK] Registry is clean.

-\\ Mozilla Firefox v19.0.2 (en-US)

File : C:\Users\Bryan\AppData\Roaming\Mozilla\Firefox\Profiles\xiruw803.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[s1].txt - [748 octets] - [10/03/2013 11:53:07]

########## EOF - C:\AdwCleaner[s1].txt - [807 octets] ##########

ESETSCAN

Threats Found
C:\Qoobox\Quarantine\C\ProgramData\Microsoft\Windows\DRM\44D9.tmp.vir Win64/Olmarik.AY trojan
C:\Qoobox\Quarantine\C\ProgramData\Microsoft\Windows\DRM\44DA.tmp.vir Win64/Olmarik.AY trojan
Staff CatByte Posted March 10, 2013 ID:655567

Those items detected by ESET are in quarantine; we will clean that up when we clean up the tools at the end.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Download the latest version of Java Runtime Environment (JRE) 7 and save it to your Desktop.
Scroll down to where it says Java SE 7u17.
Click the Download button under JRE to the right.
Read the License Agreement, then select Accept License Agreement.
Click on the link to download Windows x86 Offline and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java 6) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-7u17-windows-i586.exe to install the newest version.
After the install is complete, go into the Control Panel (using Classic View) and double-click the Java icon (looks like a coffee cup).
On the General tab, under Temporary Internet Files, click the Settings button.
Next, click on the Delete Files button.
There are three options in the window to clear the cache - leave these two checked:
Trace and Log Files
Cached Applications and Applets
Click OK on the Delete Temporary Files window.
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Temporary Files window.
Click OK to leave the Java Control Panel.

Please advise how the computer is running now and if there are any outstanding issues.
Anders001 (Author) Posted March 10, 2013 ID:655581

Thank you again, the computer appears to be running fine. I have not noticed any problems with anything.
Staff CatByte Posted March 10, 2013 ID:655585

We just have some housekeeping to do now. Please do the following:

You can delete the DDS, JRT, MBAR and FRST logs and programs from your desktop.

NEXT

Follow these steps to uninstall Combofix:
Make sure your security programs are totally disabled.
Press the WinKey + R to open a run box.
Now copy/paste Combofix /uninstall into the run box and click OK. Note the space between the ..X and the /U; it needs to be there.

NEXT

Double-click on adwcleaner.exe to run the tool.
Click on Uninstall.
Confirm with Yes.
If there are any logs/tools remaining on your desktop > right-click and delete them.

NEXT

------------------------------------------------------
Important

Due to continued exploits of zero-day vulnerabilities in Oracle's Java application, it is the recommendation of many security experts, as well as the TSF Security Team, that you disable Java in your web browsers.

Java
US-CERT Alert TA13-010A - Oracle Java 7 Security Manager Bypass Vulnerability

We recommend disabling Java in your browsers, and enabling it only when needed by certain websites.
Please disable Java in your browser(s) by following these instructions:
How do I disable Java in my web browser?
------------------------------------------------------

NEXT

Below I have included a number of recommendations for how to protect your computer against malware infections.

It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article: Strong passwords: How to create and use them. Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

Keep Windows updated by regularly checking their website at http://windowsupdate.microsoft.com/. This will ensure your computer always has the latest security updates available installed.

Make Internet Explorer more secure:
Click Start > Run.
Type Inetcpl.cpl & click OK.
Click on the Security tab.
Click Reset all zones to default level.
Make sure the Internet Zone is selected & click Custom level.
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
Next click OK, then the Apply button and then OK to exit the Internet Properties page.

Download TFC to your desktop.
Close any open windows.
Double-click the TFC icon to run the program.
TFC will close all open programs itself in order to run; click the Start button to begin the process. Allow TFC to run uninterrupted.
The program should not take long to finish its job.
Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.
It's normal after running TFC cleaner that the PC will be slower to boot the first time.

WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
Green to go
Yellow for caution
Red to stop
WOT has an addon available for both Firefox and IE.

Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles:
PC Safety and Security--What Do I Need?
Simple and easy ways to keep your computer safe and secure on the Internet

Thank you for your patience, and for performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank you.
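Two of the steps above (removing leftover Java runtimes, and the Internet-zone ActiveX settings in Inetcpl.cpl) can be audited from PowerShell instead of clicked through. The script below is an added example, not part of CatByte's post or of any tool named in the thread; it uses the documented IE zone registry layout (zone 3 = Internet; setting IDs 1001, 1004 and 1201; 0 = Enable, 1 = Prompt, 3 = Disable) and the standard Add/Remove Programs uninstall keys, and only reports unless you pass -Apply.

```powershell
# Added example (not from the thread). Audits two hardening steps from the post:
#   1. Java runtimes still listed in Add/Remove Programs (old ones should be removed)
#   2. Internet Explorer "Internet" zone ActiveX settings
# Run as the user whose IE settings you want to check. -Apply writes the
# recommended ActiveX values; without it the script only reports.
param([switch]$Apply)

# Uninstall keys for 64-bit and 32-bit (Wow6432Node) installs
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledJava {
    # Matches "Java 7 Update 17", "Java(TM) 6 Update 31", "J2SE Runtime Environment 5.0", etc.
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^(Java|J2SE)' } |
        Select-Object DisplayName, DisplayVersion, UninstallString
}

# Documented IE security-zone layout: zone 3 is "Internet"; each setting is a
# DWORD named by its numeric ID with 0 = Enable, 1 = Prompt, 3 = Disable.
$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$activeXPolicy = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                         Want = 1 }
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                       Want = 1 }
    @{ Id = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
)
$levelName = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-InternetZoneActiveX {
    param([switch]$Fix)
    $props = Get-ItemProperty -Path $zone -ErrorAction SilentlyContinue
    foreach ($p in $activeXPolicy) {
        $current = $props.$($p.Id)          # $null if the value (or zone key) is missing
        $ok = ($current -eq $p.Want)
        [pscustomobject]@{
            Setting   = $p.Name
            Current   = if ($null -eq $current) { 'not set (zone default)' } else { $levelName[[int]$current] }
            Expected  = $levelName[$p.Want]
            Compliant = $ok
        }
        if ($Fix -and -not $ok) {
            # Same change the Custom level dialog makes, written directly
            Set-ItemProperty -Path $zone -Name $p.Id -Value $p.Want -Type DWord
        }
    }
}

Write-Host "== Java runtimes found in Add/Remove Programs =="
$java = Get-InstalledJava
if (-not $java) { Write-Host "  none" } else { $java | Format-Table -AutoSize }

Write-Host "== Internet zone ActiveX settings =="
Test-InternetZoneActiveX -Fix:$Apply | Format-Table -AutoSize
if ($Apply) { Write-Host "Applied recommended values; re-run without -Apply to verify." }
```

If the zone settings are enforced machine-wide (the Security_HKLM_only value is set), check the same Zones\3 path under HKLM instead of HKCU.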
Anders001 (Author) Posted March 10, 2013 ID:655592

Thank you very much.
Staff CatByte Posted March 10, 2013 ID:655594

You are welcome. Stay safe.
~CB
Maurice Naggar Posted March 16, 2013 ID:657636

Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!