Infected with Trojan:JS/Medfos.B virus


MSC keeps detecting Trojan:JS/Medfos.B and quarantining it, but after 5 minutes it detects it again. In Task Manager there's an Internet Explorer process that's open, but I can't close it or bring its window up.

DDS (Ver_2012-11-20.01) - NTFS_AMD64

Internet Explorer: 9.0.8112.16476 BrowserJavaVersion: 10.7.2

Run by Owner at 6:29:39 on 2013-04-14

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3817.1610 [GMT 10:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Microsoft Security Essentials *Enabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}

.

============== Running Processes ===============

.

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Program Files\Microsoft Security Client\MsMpEng.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskhost.exe

C:\Windows\Explorer.EXE

C:\Program Files (x86)\Memeo\AutoBackup\MemeoBackgroundService.exe

C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe

C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe

C:\Program Files (x86)\Splashtop\Splashtop Connect\ZyngaGamesAgent.exe

C:\Program Files (x86)\Splashtop\Splashtop Connect IE\STCHelper.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files (x86)\XFastUsb\XFastUsb.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files (x86)\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe

C:\Users\Owner\AppData\Local\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001

C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe

C:\Program Files (x86)\Splashtop\Splashtop Connect\BackService.exe

C:\Program Files (x86)\Seagate\Seagate Dashboard\SeagateDashboardService.exe

C:\Program Files (x86)\Splashtop\Splashtop Connect IE Software Updater\WCUService.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\Microsoft Security Client\NisSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\XMBLicensing.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\sysWOW64\wbem\wmiprvse.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files (x86)\Seagate\Seagate Dashboard\MemeoDashboard.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files (x86)\Seagate\Seagate Dashboard\HipServAgent\HipServAgent.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Program Files (x86)\Memeo\AutoBackup\InstantBackup.exe

C:\Program Files (x86)\Memeo\AutoBackup\MemeoUpdater.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

D:\Malwarebytes' Anti-Malware\mbamscheduler.exe

D:\Malwarebytes' Anti-Malware\mbamservice.exe

D:\Malwarebytes' Anti-Malware\mbamgui.exe

D:\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Splashtop\Splashtop Connect IE\STCHelper.exe

C:\Windows\system32\taskhost.exe

C:\Program Files\Microsoft Security Client\MpCmdRun.exe

C:\Windows\notepad.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = about:splashtopconnect

uURLSearchHooks: Splashtop Connect SearchHook: {0F3DC9E0-C459-4a40-BCF8-747BD9322E10} - C:\Program Files (x86)\Splashtop\Splashtop Connect IE\AddressBarSearch.dll

mWinlogon: Userinit = userinit.exe

BHO: Splashtop Connect VisualBookmark: {0E5680D1-BF44-4929-94AF-FD30D784AD1D} - C:\Program Files (x86)\Splashtop\Splashtop Connect IE\STC.dll

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll

uRun: [ASRockXTU] <no file>

mRun: [VolPanel] "C:\Program Files (x86)\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe" /r

mRun: [sTCAgent] "C:\Program Files (x86)\Splashtop\Splashtop Connect IE\STCAgent.exe"

mRun: [ZyngaGamesAgent] "C:\Program Files (x86)\Splashtop\Splashtop Connect\ZyngaGamesAgent.exe"

mRun: [smartViewAgent] "C:\Program Files (x86)\DeviceVM\SmartView\SmartViewAgent.exe"

mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [XFastUsb] C:\Program Files (x86)\XFastUsb\XFastUsb.exe

mRun: [updReg] C:\Windows\UpdReg.EXE

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [seagate Dashboard] C:\Program Files (x86)\Seagate\Seagate Dashboard\MemeoLauncher.exe --silent --no_ui

mRun: [RemoteControl] "C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe"

mRun: [Memeo Instant Backup] C:\Program Files (x86)\Memeo\AutoBackup\MemeoLauncher2.exe --silent --no_ui

mRun: [Memeo AutoSync] C:\Program Files (x86)\Memeo\AutoSync\MemeoLauncher2.exe --silent

mRun: [LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD\Language\Language.exe"

mRun: [HTC Sync Loader] "C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe" -startup

mRun: [CTSyncService] C:\Program Files (x86)\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe /StartRunKey

mRunOnce: [Malwarebytes Anti-Malware] D:\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

mPolicies-Explorer: NoActiveDesktop = dword:1

mPolicies-Explorer: NoActiveDesktopChanges = dword:1

mPolicies-System: ConsentPromptBehaviorAdmin = dword:0

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableLUA = dword:0

mPolicies-System: EnableUIADesktopToggle = dword:0

mPolicies-System: PromptOnSecureDesktop = dword:0

DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab

DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab

DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

DPF: {CAFEEFAC-0017-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

TCP: NameServer = 192.168.1.254

TCP: Interfaces\{A80DA39F-1AA6-4BDF-802D-D662376E545A} : NameServer = 203.134.64.66,203.134.65.66

TCP: Interfaces\{A80DA39F-1AA6-4BDF-802D-D662376E545A} : DHCPNameServer = 192.168.1.254

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll

SSODL: WebCheck - <orphaned>

x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s

x64-Run: [RunDLLEntry] C:\Windows\System32\RunDLL32.exe C:\Windows\System32\AmbRunE.dll,RunDLLEntry

x64-Run: [MSC] "C:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey

x64-Run: [igfxTray] C:\Windows\System32\igfxtray.exe

x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe

x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe

x64-Run: [zckqe] "C:\Windows\System32\rundll32.exe" "C:\Users\Owner\AppData\Roaming\zckqe.dll",vCleanup

x64-Run: [csubdx] "C:\Windows\System32\rundll32.exe" "C:\Users\Owner\AppData\Roaming\csubdx.dll",Number_Int

x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>

x64-Notify: igfxcui - igfxdev.dll

x64-SSODL: WebCheck - <orphaned>

x64-mASetup: {12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\Windows\System32\ieudinit.exe

.

============= SERVICES / DRIVERS ===============

.

R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2013-1-20 230320]

R1 AsrAppCharger;AsrAppCharger;C:\Windows\System32\drivers\AsrAppCharger.sys [2011-4-8 15368]

R1 FNETURPX;FNETURPX;C:\Windows\System32\drivers\FNETURPX.SYS [2011-4-8 15936]

R2 MBAMScheduler;MBAMScheduler;D:\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-4-14 418376]

R2 MBAMService;MBAMService;D:\Malwarebytes' Anti-Malware\mbamservice.exe [2013-4-14 701512]

R2 MemeoBackgroundService;MemeoBackgroundService;C:\Program Files (x86)\Memeo\AutoBackup\MemeoBackgroundService.exe [2011-5-13 25824]

R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2010-10-24 130008]

R2 PassThru Service;Internet Pass-Through Service;C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [2012-3-23 87040]

R2 SCBackService;Splashtop Connect Service;C:\Program Files (x86)\Splashtop\Splashtop Connect\BackService.exe [2010-11-15 477000]

R2 SeagateDashboardService;Seagate Dashboard Service;C:\Program Files (x86)\Seagate\Seagate Dashboard\SeagateDashboardService.exe [2011-6-2 14088]

R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-4-8 2656280]

R2 WCUService_STC_IE;Splashtop Connect IE Software Updater Service;C:\Program Files (x86)\Splashtop\Splashtop Connect IE Software Updater\WCUService.exe [2011-3-22 497480]

R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2011-4-8 317440]

R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\System32\drivers\L1C62x64.sys [2011-4-8 76912]

R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-4-14 25928]

R3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;C:\Windows\System32\drivers\MijXfilt.sys [2013-4-10 115272]

R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2013-1-27 379360]

R3 Sound Blaster X-Fi MB Licensing Service;Sound Blaster X-Fi MB Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\XMBLicensing.exe [2011-4-8 79360]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-2-28 161384]

S2 SmartViewService;SmartView service;C:\Program Files (x86)\DeviceVM\SmartView\SmartViewService.exe --> C:\Program Files (x86)\DeviceVM\SmartView\SmartViewService.exe [?]

S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2011-4-8 79360]

S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-4-8 79360]

S3 FNETTBOH_305;FNETTBOH_305;C:\Windows\System32\drivers\FNETTBOH_305.SYS [2011-4-8 31808]

S3 HTCAND64;HTC Device Driver;C:\Windows\System32\drivers\ANDROIDUSB.sys [2009-11-2 33736]

S3 htcnprot;HTC NDIS Protocol Driver;C:\Windows\System32\drivers\htcnprot.sys [2010-6-25 36928]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-5-17 59392]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-5-17 1255736]

.

=============== Created Last 30 ================

.

2013-04-13 19:38:41 -------- d-----w- C:\Users\Owner\AppData\Roaming\Malwarebytes

2013-04-13 19:38:28 -------- d-----w- C:\ProgramData\Malwarebytes

2013-04-13 19:38:27 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys

2013-04-13 19:38:06 -------- d-----w- C:\Users\Owner\AppData\Local\Programs

2013-04-13 19:20:54 76232 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{6EC7E13C-AD9F-4D7A-9649-16DFBF17DC29}\offreg.dll

2013-04-13 17:29:07 44032 ----a-w- C:\Windows\System32\tsgqec.dll

2013-04-13 17:29:07 3717632 ----a-w- C:\Windows\System32\mstscax.dll

2013-04-13 17:29:07 36864 ----a-w- C:\Windows\SysWow64\tsgqec.dll

2013-04-13 17:29:07 3217408 ----a-w- C:\Windows\SysWow64\mstscax.dll

2013-04-13 17:29:07 158720 ----a-w- C:\Windows\System32\aaclient.dll

2013-04-13 17:29:07 131584 ----a-w- C:\Windows\SysWow64\aaclient.dll

2013-04-13 17:27:12 5550424 ----a-w- C:\Windows\System32\ntoskrnl.exe

2013-04-13 17:27:12 3913560 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe

2013-04-13 17:27:11 6656 ----a-w- C:\Windows\SysWow64\apisetschema.dll

2013-04-13 17:27:11 43520 ----a-w- C:\Windows\System32\csrsrv.dll

2013-04-13 17:27:11 3968856 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe

2013-04-13 17:27:11 112640 ----a-w- C:\Windows\System32\smss.exe

2013-04-13 17:27:09 3153408 ----a-w- C:\Windows\System32\win32k.sys

2013-04-13 15:46:58 9311288 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{6EC7E13C-AD9F-4D7A-9649-16DFBF17DC29}\mpengine.dll

2013-04-13 13:43:24 446464 ----a-w- C:\Users\Owner\AppData\Roaming\csubdx.dll

2013-04-13 13:43:18 716800 ----a-w- C:\Users\Owner\AppData\Roaming\zckqe.dll

2013-04-13 05:08:17 9311288 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2013-04-10 04:34:51 115272 ----a-w- C:\Windows\System32\drivers\MijXfilt.sys

2013-04-06 07:30:26 -------- d-----r- C:\Program Files (x86)\Skype

2013-04-03 05:44:42 163088 ----a-w- C:\ProgramData\Microsoft\Windows\Sqm\Manifest\Sqm10143.bin

2013-04-01 11:27:29 7680 ----a-w- C:\Windows\SysWow64\instnm.exe

2013-04-01 11:27:29 5120 ----a-w- C:\Windows\SysWow64\wow32.dll

2013-04-01 11:27:29 25600 ----a-w- C:\Windows\SysWow64\setup16.exe

2013-04-01 11:27:29 215040 ----a-w- C:\Windows\System32\winsrv.dll

2013-04-01 11:27:29 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll

2013-04-01 11:27:28 2048 ----a-w- C:\Windows\SysWow64\user.exe

2013-04-01 11:27:22 750592 ----a-w- C:\Windows\System32\win32spl.dll

2013-04-01 11:27:22 492032 ----a-w- C:\Windows\SysWow64\win32spl.dll

2013-04-01 11:27:04 2002432 ----a-w- C:\Windows\System32\msxml6.dll

2013-04-01 11:27:04 1882624 ----a-w- C:\Windows\System32\msxml3.dll

2013-04-01 11:27:03 1389568 ----a-w- C:\Windows\SysWow64\msxml6.dll

2013-04-01 11:27:03 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll

2013-04-01 11:26:49 1913192 ----a-w- C:\Windows\System32\drivers\tcpip.sys

2013-04-01 11:26:48 288088 ----a-w- C:\Windows\System32\drivers\FWPKCLNT.SYS

2013-04-01 11:26:27 307200 ----a-w- C:\Windows\System32\ncrypt.dll

2013-04-01 11:26:27 220160 ----a-w- C:\Windows\SysWow64\ncrypt.dll

2013-04-01 11:26:08 68608 ----a-w- C:\Windows\System32\taskhost.exe

2013-03-21 23:17:27 972264 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{7E9815AB-60D0-45F8-978A-5ACB99DCE8D9}\gapaengine.dll

2013-03-15 06:31:27 -------- d-----w- C:\Users\Owner\AppData\Roaming\Aion RainMeter

.

==================== Find3M ====================

.

2013-04-02 10:34:28 282744 ------w- C:\Windows\System32\MpSigStub.exe

2013-03-21 12:37:26 73432 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2013-03-21 12:37:26 693976 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2013-02-22 06:27:49 2312704 ----a-w- C:\Windows\System32\jscript9.dll

2013-02-22 06:20:51 1392128 ----a-w- C:\Windows\System32\wininet.dll

2013-02-22 06:19:37 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl

2013-02-22 06:15:48 173056 ----a-w- C:\Windows\System32\ieUnatt.exe

2013-02-22 06:15:23 599040 ----a-w- C:\Windows\System32\vbscript.dll

2013-02-22 06:12:41 2382848 ----a-w- C:\Windows\System32\mshtml.tlb

2013-02-22 03:46:00 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll

2013-02-22 03:38:00 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll

2013-02-22 03:37:50 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl

2013-02-22 03:34:17 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe

2013-02-22 03:34:03 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll

2013-02-22 03:31:46 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2013-01-20 04:59:04 230320 ----a-w- C:\Windows\System32\drivers\MpFilter.sys

2013-01-20 04:59:04 130008 ----a-w- C:\Windows\System32\drivers\NisDrvWFP.sys

.

============= FINISH: 6:30:19.18 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows 7 Home Premium

Boot Device: \Device\HarddiskVolume1

Install Date: Friday 8:57:09 AM

System Uptime: Sunday 5:20:08 AM (1 hours ago)

.

Motherboard: ASRock | | H61M-S

Processor: Intel® Core i5-2300 CPU @ 2.80GHz | CPUSocket | 1596/100mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 98 GiB total, 57.941 GiB free.

D: is FIXED (NTFS) - 834 GiB total, 804.905 GiB free.

E: is CDROM ()

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP460: Friday 2:36:47 PM - Windows Update

RP461: Saturday 6:25:33 PM - Removed Skype™ 6.3

RP462: Tuesday 12:55:02 PM - Windows Update

RP463: Wednesday 2:39:34 PM - Device Driver Package Install: www.MotioninJoy.com Microsoft Common Controller For Windows Class

RP464: Wednesday 2:39:42 PM - Device Driver Package Install: www.MotioninJoy.com Microsoft Common Controller For Windows Class

RP465: Saturday 3:07:49 PM - Windows Update

RP466: Sunday 3:33:28 AM - Windows Update

RP467: Sunday 3:53:55 AM - Windows Update

.

==== Installed Programs ======================

.

Acrobat.com

Adobe AIR

Adobe Download Assistant

Adobe Flash Player 11 ActiveX

Adobe Reader X (10.0.1)

Aion

ASRock App Charger v1.0.4

ASRock eXtreme Tuner v0.1.42

ASRock InstantBoot v1.26

Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver

D3DX10

HTC BMP USB Driver

HTC Driver Installer

HTC Sync

Intel® Control Center

Intel® Management Engine Components

Intel® Processor Graphics

Java 7 Update 7

Java Auto Updater

JavaFX 2.1.1

Junk Mail filter update

Malwarebytes Anti-Malware version 1.75.0.1300

Memeo AutoSync

Memeo Instant Backup

Microsoft .NET Framework 4 Client Profile

Microsoft .NET Framework 4 Extended

Microsoft Age of Empires

Microsoft Application Error Reporting

Microsoft Games for Windows - LIVE Redistributable

Microsoft Security Client

Microsoft Security Essentials

Microsoft Silverlight

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319

MotioninJoy Gamepad tool 0.7.0000

MSVCRT

MSVCRT_amd64

MSVCRT110

MSVCRT110_amd64

MSXML 4.0 SP3 Parser

MSXML 4.0 SP3 Parser (KB2721691)

MSXML 4.0 SP3 Parser (KB2758694)

NCsoft Launcher

Nero 7 Ultra Edition

Pando Media Booster

PCSX2 - Playstation 2 Emulator

Photo Common

PowerDVD

Realtek High Definition Audio Driver

Seagate Dashboard

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)

Security Update for Microsoft .NET Framework 4 Extended (KB2487367)

Security Update for Microsoft .NET Framework 4 Extended (KB2656351)

Security Update for Microsoft .NET Framework 4 Extended (KB2736428)

Security Update for Microsoft .NET Framework 4 Extended (KB2742595)

Skype™ 6.3

Sound Blaster X-Fi MB

Splashtop Connect IE

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft .NET Framework 4 Extended (KB2468871)

Update for Microsoft .NET Framework 4 Extended (KB2533523)

Update for Microsoft .NET Framework 4 Extended (KB2600217)

Windows Live Communications Platform

Windows Live Essentials

Windows Live ID Sign-in Assistant

Windows Live Installer

Windows Live Mail

Windows Live Messenger

Windows Live MIME IFilter

Windows Live Photo Common

Windows Live PIMT Platform

Windows Live SOXE

Windows Live SOXE Definitions

Windows Live UX Platform

Windows Live UX Platform Language Pack

Windows Live Writer

Windows Live Writer Resources

WinRAR archiver

XFastUsb

.

==== Event Viewer Messages From Past Week ========

.

.

==== End Of File ===========================

Hello nissan200sxx and welcome! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  • Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.

Step 1

Please uninstall this application: Splashtop Connect IE

Step 2

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-click it and select Run as Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Step 3

  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 4

Download aswMBR.exe to your desktop.

Double-click aswMBR.exe to run it.

Click the "Scan" button to start the scan.

On completion of the scan, click Save log, save it to your desktop and post it in your next reply.

In your next reply, post the following log files:

  • Junkware Removal Tool log
  • Malwarebytes' Anti-Malware log
  • aswMBR log
  • a new fresh DDS log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Thisisu

Version: 4.8.3 (04.05.2013:1)

OS: Windows 7 Home Premium x64

Ran by Owner on Sun at 14:28:06.78

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

Successfully repaired: [Registry Value] hkey_current_user\software\microsoft\internet explorer\searchscopes\\DefaultScope

Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\\DefaultScope

Successfully repaired: [Registry Value] hkey_users\.default\software\microsoft\internet explorer\searchscopes\\DefaultScope

Successfully repaired: [Registry Value] hkey_users\s-1-5-18\software\microsoft\internet explorer\searchscopes\\DefaultScope

Successfully repaired: [Registry Value] hkey_users\s-1-5-19\software\microsoft\internet explorer\searchscopes\\DefaultScope

Successfully repaired: [Registry Value] hkey_users\s-1-5-20\software\microsoft\internet explorer\searchscopes\\DefaultScope

Successfully repaired: [Registry Value] hkey_users\S-1-5-21-2586863577-133460293-3042322573-1000\software\microsoft\internet explorer\searchscopes\\DefaultScope

Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{0633ee93-d776-472f-a0ff-e1416b8b2e3a}\\DisplayName

Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{0633ee93-d776-472f-a0ff-e1416b8b2e3a}\\URL

~~~ Registry Keys

Successfully deleted: [Registry Key] hkey_current_user\software\conduit

Successfully deleted: [Registry Key] hkey_current_user\software\softonic

Successfully deleted: [Registry Key] hkey_local_machine\software\systweak

Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\software\crossrider

Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\software\smartbar

Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{96bd48dd-741b-41ae-ac4a-aff96ba00f7e}

Successfully deleted: [Registry Key] "hkey_current_user\software\apn pip"

Successfully deleted: [Registry Key] "hkey_current_user\software\pip"

Successfully deleted: [Registry Key] "hkey_local_machine\software\pip"

~~~ Files

~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\splashtop"

Successfully deleted: [Folder] "C:\Users\Owner\AppData\Roaming\splashtop"

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scan was completed on Sun at 14:34:28.89

End of JRT log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Malwarebytes Anti-Malware (Trial) 1.75.0.1300

www.malwarebytes.org

Database version: v2013.04.13.08

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Owner :: OWNER-PC [administrator]

Protection: Enabled

Sunday 2:37:07 PM

mbam-log-2013-04-14 (14-37-07).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 211829

Time elapsed: 2 minute(s), 2 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software

Run date: 2013-04-14 14:53:10

-----------------------------

14:53:10.988 OS Version: Windows x64 6.1.7601 Service Pack 1

14:53:10.988 Number of processors: 4 586 0x2A07

14:53:10.988 ComputerName: OWNER-PC UserName: Owner

14:53:12.829 Initialize success

14:53:20.662 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0

14:53:20.677 Disk 0 Vendor: ST31000524AS JC45 Size: 953869MB BusType: 3

14:53:20.755 Disk 0 MBR read successfully

14:53:20.755 Disk 0 MBR scan

14:53:20.755 Disk 0 Windows 7 default MBR code

14:53:20.771 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048

14:53:20.771 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 99899 MB offset 206848

14:53:20.787 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 853868 MB offset 204800000

14:53:20.818 Disk 0 scanning C:\Windows\system32\drivers

14:53:26.512 Service scanning

14:53:36.574 Modules scanning

14:53:36.574 Disk 0 trace - called modules:

14:53:36.589 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys

14:53:36.589 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004a37060]

14:53:36.589 3 CLASSPNP.SYS[fffff880018ee43f] -> nt!IofCallDriver -> [0xfffffa800433ae40]

14:53:36.589 5 ACPI.sys[fffff88000e1b7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa800433f060]

14:53:36.605 Scan finished successfully

14:54:16.681 Disk 0 MBR has been saved successfully to "C:\Users\Owner\Desktop\MBR.dat"

14:54:16.681 The log file has been saved successfully to "C:\Users\Owner\Desktop\aswMBR.txt"

DDS (Ver_2012-11-20.01) - NTFS_AMD64

Internet Explorer: 9.0.8112.16476 BrowserJavaVersion: 10.7.2

Run by Owner at 14:55:34 on 2013-04-14

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3817.2096 [GMT 10:00]

.

AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}

.

============== Running Processes ===============

.

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Program Files\Microsoft Security Client\MsMpEng.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

D:\Malwarebytes' Anti-Malware\mbamscheduler.exe

D:\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files (x86)\Memeo\AutoBackup\MemeoBackgroundService.exe

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskhost.exe

D:\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe

C:\Program Files (x86)\Seagate\Seagate Dashboard\SeagateDashboardService.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe

C:\Program Files (x86)\Skype\Phone\Skype.exe

C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe

C:\Program Files (x86)\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files (x86)\XFastUsb\XFastUsb.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\Seagate\Seagate Dashboard\MemeoDashboard.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files (x86)\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe

C:\Users\Owner\AppData\Local\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001

C:\Program Files (x86)\Memeo\AutoBackup\InstantBackup.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files (x86)\Seagate\Seagate Dashboard\HipServAgent\HipServAgent.exe

C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\XMBLicensing.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

C:\Windows\system32\wuauclt.exe

C:\Windows\system32\taskmgr.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Windows\explorer.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\notepad.exe

C:\Windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

mWinlogon: Userinit = userinit.exe

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll

uRun: [ASRockXTU] <no file>

mRun: [VolPanel] "C:\Program Files (x86)\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe" /r

mRun: [smartViewAgent] "C:\Program Files (x86)\DeviceVM\SmartView\SmartViewAgent.exe"

mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [XFastUsb] C:\Program Files (x86)\XFastUsb\XFastUsb.exe

mRun: [updReg] C:\Windows\UpdReg.EXE

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [seagate Dashboard] C:\Program Files (x86)\Seagate\Seagate Dashboard\MemeoLauncher.exe --silent --no_ui

mRun: [RemoteControl] "C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe"

mRun: [Memeo Instant Backup] C:\Program Files (x86)\Memeo\AutoBackup\MemeoLauncher2.exe --silent --no_ui

mRun: [Memeo AutoSync] C:\Program Files (x86)\Memeo\AutoSync\MemeoLauncher2.exe --silent

mRun: [LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD\Language\Language.exe"

mRun: [HTC Sync Loader] "C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe" -startup

mRun: [CTSyncService] C:\Program Files (x86)\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe /StartRunKey

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

mPolicies-Explorer: NoActiveDesktop = dword:1

mPolicies-Explorer: NoActiveDesktopChanges = dword:1

mPolicies-System: ConsentPromptBehaviorAdmin = dword:0

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableLUA = dword:0

mPolicies-System: EnableUIADesktopToggle = dword:0

mPolicies-System: PromptOnSecureDesktop = dword:0

DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab

DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab

DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

DPF: {CAFEEFAC-0017-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

TCP: NameServer = 192.168.1.254

TCP: Interfaces\{A80DA39F-1AA6-4BDF-802D-D662376E545A} : NameServer = 203.134.64.66,203.134.65.66

TCP: Interfaces\{A80DA39F-1AA6-4BDF-802D-D662376E545A} : DHCPNameServer = 192.168.1.254

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll

SSODL: WebCheck - <orphaned>

x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s

x64-Run: [RunDLLEntry] C:\Windows\System32\RunDLL32.exe C:\Windows\System32\AmbRunE.dll,RunDLLEntry

x64-Run: [MSC] "C:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey

x64-Run: [igfxTray] C:\Windows\System32\igfxtray.exe

x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe

x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe

x64-Run: [zckqe] "C:\Windows\System32\rundll32.exe" "C:\Users\Owner\AppData\Roaming\zckqe.dll",vCleanup

x64-Run: [csubdx] "C:\Windows\System32\rundll32.exe" "C:\Users\Owner\AppData\Roaming\csubdx.dll",Number_Int

x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>

x64-Notify: igfxcui - igfxdev.dll

x64-SSODL: WebCheck - <orphaned>

x64-mASetup: {12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\Windows\System32\ieudinit.exe

.

============= SERVICES / DRIVERS ===============

.

R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2013-1-20 230320]

R1 AsrAppCharger;AsrAppCharger;C:\Windows\System32\drivers\AsrAppCharger.sys [2011-4-8 15368]

R1 FNETURPX;FNETURPX;C:\Windows\System32\drivers\FNETURPX.SYS [2011-4-8 15936]

R2 MBAMScheduler;MBAMScheduler;D:\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-4-14 418376]

R2 MBAMService;MBAMService;D:\Malwarebytes' Anti-Malware\mbamservice.exe [2013-4-14 701512]

R2 MemeoBackgroundService;MemeoBackgroundService;C:\Program Files (x86)\Memeo\AutoBackup\MemeoBackgroundService.exe [2011-5-13 25824]

R2 PassThru Service;Internet Pass-Through Service;C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [2012-3-23 87040]

R2 SeagateDashboardService;Seagate Dashboard Service;C:\Program Files (x86)\Seagate\Seagate Dashboard\SeagateDashboardService.exe [2011-6-2 14088]

R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-4-8 2656280]

R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2011-4-8 317440]

R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\System32\drivers\L1C62x64.sys [2011-4-8 76912]

R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-4-14 25928]

R3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;C:\Windows\System32\drivers\MijXfilt.sys [2013-4-10 115272]

R3 Sound Blaster X-Fi MB Licensing Service;Sound Blaster X-Fi MB Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\XMBLicensing.exe [2011-4-8 79360]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-2-28 161384]

S2 SmartViewService;SmartView service;C:\Program Files (x86)\DeviceVM\SmartView\SmartViewService.exe --> C:\Program Files (x86)\DeviceVM\SmartView\SmartViewService.exe [?]

S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2011-4-8 79360]

S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-4-8 79360]

S3 FNETTBOH_305;FNETTBOH_305;C:\Windows\System32\drivers\FNETTBOH_305.SYS [2011-4-8 31808]

S3 HTCAND64;HTC Device Driver;C:\Windows\System32\drivers\ANDROIDUSB.sys [2009-11-2 33736]

S3 htcnprot;HTC NDIS Protocol Driver;C:\Windows\System32\drivers\htcnprot.sys [2010-6-25 36928]

S3 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2010-10-24 130008]

S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2013-1-27 379360]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-5-17 59392]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-5-17 1255736]

.

=============== Created Last 30 ================

.

2013-04-14 04:28:03 -------- d-----w- C:\Windows\ERUNT

2013-04-14 04:27:57 -------- d-----w- C:\JRT

2013-04-14 04:15:38 76232 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{6EC7E13C-AD9F-4D7A-9649-16DFBF17DC29}\offreg.dll

2013-04-13 19:38:41 -------- d-----w- C:\Users\Owner\AppData\Roaming\Malwarebytes

2013-04-13 19:38:28 -------- d-----w- C:\ProgramData\Malwarebytes

2013-04-13 19:38:27 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys

2013-04-13 19:38:06 -------- d-----w- C:\Users\Owner\AppData\Local\Programs

2013-04-13 17:29:07 44032 ----a-w- C:\Windows\System32\tsgqec.dll

2013-04-13 17:29:07 3717632 ----a-w- C:\Windows\System32\mstscax.dll

2013-04-13 17:29:07 36864 ----a-w- C:\Windows\SysWow64\tsgqec.dll

2013-04-13 17:29:07 3217408 ----a-w- C:\Windows\SysWow64\mstscax.dll

2013-04-13 17:29:07 158720 ----a-w- C:\Windows\System32\aaclient.dll

2013-04-13 17:29:07 131584 ----a-w- C:\Windows\SysWow64\aaclient.dll

2013-04-13 17:27:12 5550424 ----a-w- C:\Windows\System32\ntoskrnl.exe

2013-04-13 17:27:12 3913560 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe

2013-04-13 17:27:11 6656 ----a-w- C:\Windows\SysWow64\apisetschema.dll

2013-04-13 17:27:11 43520 ----a-w- C:\Windows\System32\csrsrv.dll

2013-04-13 17:27:11 3968856 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe

2013-04-13 17:27:11 112640 ----a-w- C:\Windows\System32\smss.exe

2013-04-13 17:27:09 3153408 ----a-w- C:\Windows\System32\win32k.sys

2013-04-13 15:46:58 9311288 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{6EC7E13C-AD9F-4D7A-9649-16DFBF17DC29}\mpengine.dll

2013-04-13 13:43:24 446464 ----a-w- C:\Users\Owner\AppData\Roaming\csubdx.dll

2013-04-13 13:43:18 716800 ----a-w- C:\Users\Owner\AppData\Roaming\zckqe.dll

2013-04-13 05:08:17 9311288 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2013-04-10 04:34:51 115272 ----a-w- C:\Windows\System32\drivers\MijXfilt.sys

2013-04-06 07:30:26 -------- d-----r- C:\Program Files (x86)\Skype

2013-04-03 05:44:42 163088 ----a-w- C:\ProgramData\Microsoft\Windows\Sqm\Manifest\Sqm10143.bin

2013-04-01 11:27:29 7680 ----a-w- C:\Windows\SysWow64\instnm.exe

2013-04-01 11:27:29 5120 ----a-w- C:\Windows\SysWow64\wow32.dll

2013-04-01 11:27:29 25600 ----a-w- C:\Windows\SysWow64\setup16.exe

2013-04-01 11:27:29 215040 ----a-w- C:\Windows\System32\winsrv.dll

2013-04-01 11:27:29 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll

2013-04-01 11:27:28 2048 ----a-w- C:\Windows\SysWow64\user.exe

2013-04-01 11:27:22 750592 ----a-w- C:\Windows\System32\win32spl.dll

2013-04-01 11:27:22 492032 ----a-w- C:\Windows\SysWow64\win32spl.dll

2013-04-01 11:27:04 2002432 ----a-w- C:\Windows\System32\msxml6.dll

2013-04-01 11:27:04 1882624 ----a-w- C:\Windows\System32\msxml3.dll

2013-04-01 11:27:03 1389568 ----a-w- C:\Windows\SysWow64\msxml6.dll

2013-04-01 11:27:03 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll

2013-04-01 11:26:49 1913192 ----a-w- C:\Windows\System32\drivers\tcpip.sys

2013-04-01 11:26:48 288088 ----a-w- C:\Windows\System32\drivers\FWPKCLNT.SYS

2013-04-01 11:26:27 307200 ----a-w- C:\Windows\System32\ncrypt.dll

2013-04-01 11:26:27 220160 ----a-w- C:\Windows\SysWow64\ncrypt.dll

2013-04-01 11:26:08 68608 ----a-w- C:\Windows\System32\taskhost.exe

2013-03-21 23:17:27 972264 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{7E9815AB-60D0-45F8-978A-5ACB99DCE8D9}\gapaengine.dll

2013-03-15 06:31:27 -------- d-----w- C:\Users\Owner\AppData\Roaming\Aion RainMeter

.

==================== Find3M ====================

.

2013-04-02 10:34:28 282744 ------w- C:\Windows\System32\MpSigStub.exe

2013-03-21 12:37:26 73432 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2013-03-21 12:37:26 693976 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2013-02-22 06:27:49 2312704 ----a-w- C:\Windows\System32\jscript9.dll

2013-02-22 06:20:51 1392128 ----a-w- C:\Windows\System32\wininet.dll

2013-02-22 06:19:37 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl

2013-02-22 06:15:48 173056 ----a-w- C:\Windows\System32\ieUnatt.exe

2013-02-22 06:15:23 599040 ----a-w- C:\Windows\System32\vbscript.dll

2013-02-22 06:12:41 2382848 ----a-w- C:\Windows\System32\mshtml.tlb

2013-02-22 03:46:00 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll

2013-02-22 03:38:00 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll

2013-02-22 03:37:50 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl

2013-02-22 03:34:17 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe

2013-02-22 03:34:03 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll

2013-02-22 03:31:46 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2013-01-20 04:59:04 230320 ----a-w- C:\Windows\System32\drivers\MpFilter.sys

2013-01-20 04:59:04 130008 ----a-w- C:\Windows\System32\drivers\NisDrvWFP.sys

.

============= FINISH: 14:56:07.52 ===============


Note: Please do not run this tool without special supervision and instructions of someone authorized to do so. Otherwise, you could end up with serious problems. For more details, read this article: ComboFix usage, Questions, Help? - Look here

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please post the C:\ComboFix.txt in your next reply for further review.

Note: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.


ComboFix 13-04-12.02 - Owner Sun 19:39:44.1.4 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3817.1849 [GMT 10:00]

Running from: c:\users\Owner\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}

SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\programdata\ntuser.dat

c:\users\Owner\AppData\Local\assembly\tmp

c:\users\Owner\AppData\Roaming\app

c:\users\Owner\AppData\Roaming\app\Jerakine_lang.dat

c:\users\Owner\AppData\Roaming\app\Jerakine_lang_vesrion.dat

c:\users\Owner\AppData\Roaming\csubdx.dll

c:\users\Owner\AppData\Roaming\zckqe.dll

c:\windows\SysWow64\tmp360D.tmp

c:\windows\SysWow64\tmp360E.tmp

.

.

((((((((((((((((((((((((( Files Created from 2013-03-14 to 2013-04-14 )))))))))))))))))))))))))))))))

.

.

2013-04-14 09:43 . 2013-04-14 09:43 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-04-14 09:35 . 2013-04-14 09:35 76232 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{139B7CF0-04AA-45EA-BF37-0F9D88C16727}\offreg.dll

2013-04-14 09:30 . 2013-03-15 06:28 9311288 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{139B7CF0-04AA-45EA-BF37-0F9D88C16727}\mpengine.dll

2013-04-14 05:05 . 2013-03-15 06:28 9311288 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2013-04-14 04:28 . 2013-04-14 04:28 -------- d-----w- c:\windows\ERUNT

2013-04-14 04:27 . 2013-04-14 04:27 -------- d-----w- C:\JRT

2013-04-13 19:38 . 2013-04-13 19:38 -------- d-----w- c:\users\Owner\AppData\Roaming\Malwarebytes

2013-04-13 19:38 . 2013-04-13 19:38 -------- d-----w- c:\programdata\Malwarebytes

2013-04-13 19:38 . 2013-04-04 04:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-04-13 19:38 . 2013-04-13 19:38 -------- d-----w- c:\users\Owner\AppData\Local\Programs

2013-04-13 17:29 . 2013-02-15 06:08 44032 ----a-w- c:\windows\system32\tsgqec.dll

2013-04-13 17:29 . 2013-02-15 06:06 3717632 ----a-w- c:\windows\system32\mstscax.dll

2013-04-13 17:29 . 2013-02-15 06:02 158720 ----a-w- c:\windows\system32\aaclient.dll

2013-04-13 17:29 . 2013-02-15 04:37 3217408 ----a-w- c:\windows\SysWow64\mstscax.dll

2013-04-13 17:29 . 2013-02-15 04:34 131584 ----a-w- c:\windows\SysWow64\aaclient.dll

2013-04-13 17:29 . 2013-02-15 03:25 36864 ----a-w- c:\windows\SysWow64\tsgqec.dll

2013-04-13 17:27 . 2013-03-19 06:04 5550424 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-04-13 17:27 . 2013-03-19 05:04 3913560 ----a-w- c:\windows\SysWow64\ntoskrnl.exe

2013-04-13 17:27 . 2013-03-19 05:46 43520 ----a-w- c:\windows\system32\csrsrv.dll

2013-04-13 17:27 . 2013-03-19 05:04 3968856 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe

2013-04-13 17:27 . 2013-03-19 04:47 6656 ----a-w- c:\windows\SysWow64\apisetschema.dll

2013-04-13 17:27 . 2013-03-19 03:06 112640 ----a-w- c:\windows\system32\smss.exe

2013-04-13 17:27 . 2013-03-01 03:36 3153408 ----a-w- c:\windows\system32\win32k.sys

2013-04-10 04:34 . 2012-03-25 00:26 115272 ----a-w- c:\windows\system32\drivers\MijXfilt.sys

2013-04-06 07:30 . 2013-04-06 07:30 -------- d-----w- c:\program files (x86)\Common Files\Skype

2013-04-06 07:30 . 2013-04-06 07:30 -------- d-----r- c:\program files (x86)\Skype

2013-04-03 05:44 . 2013-04-03 05:44 163088 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10143.bin

2013-04-01 11:47 . 2013-04-01 11:47 -------- d-----w- c:\program files\Microsoft Silverlight

2013-04-01 11:47 . 2013-04-01 11:47 -------- d-----w- c:\program files (x86)\Microsoft Silverlight

2013-04-01 11:27 . 2013-01-04 05:46 215040 ----a-w- c:\windows\system32\winsrv.dll

2013-04-01 11:27 . 2013-01-04 04:51 5120 ----a-w- c:\windows\SysWow64\wow32.dll

2013-04-01 11:27 . 2013-01-04 02:47 25600 ----a-w- c:\windows\SysWow64\setup16.exe

2013-04-01 11:27 . 2013-01-04 02:47 7680 ----a-w- c:\windows\SysWow64\instnm.exe

2013-04-01 11:27 . 2013-01-04 02:47 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll

2013-04-01 11:27 . 2013-01-04 02:47 2048 ----a-w- c:\windows\SysWow64\user.exe

2013-04-01 11:27 . 2012-11-09 05:45 750592 ----a-w- c:\windows\system32\win32spl.dll

2013-04-01 11:27 . 2012-11-09 04:43 492032 ----a-w- c:\windows\SysWow64\win32spl.dll

2013-04-01 11:27 . 2012-11-01 05:43 2002432 ----a-w- c:\windows\system32\msxml6.dll

2013-04-01 11:27 . 2012-11-01 05:43 1882624 ----a-w- c:\windows\system32\msxml3.dll

2013-04-01 11:27 . 2012-11-01 04:47 1389568 ----a-w- c:\windows\SysWow64\msxml6.dll

2013-04-01 11:27 . 2012-11-01 04:47 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll

2013-04-01 11:26 . 2013-01-03 06:00 1913192 ----a-w- c:\windows\system32\drivers\tcpip.sys

2013-04-01 11:26 . 2013-01-03 06:00 288088 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS

2013-04-01 11:26 . 2012-11-20 05:48 307200 ----a-w- c:\windows\system32\ncrypt.dll

2013-04-01 11:26 . 2012-11-20 04:51 220160 ----a-w- c:\windows\SysWow64\ncrypt.dll

2013-04-01 11:26 . 2012-11-23 03:13 68608 ----a-w- c:\windows\system32\taskhost.exe

2013-03-21 23:17 . 2012-11-29 02:49 972264 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7E9815AB-60D0-45F8-978A-5ACB99DCE8D9}\gapaengine.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-04-13 17:35 . 2011-04-14 13:55 72702784 ----a-w- c:\windows\system32\MRT.exe

2013-04-02 10:34 . 2011-04-08 07:54 282744 ------w- c:\windows\system32\MpSigStub.exe

2013-03-21 12:37 . 2012-04-26 16:44 73432 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2013-03-21 12:37 . 2012-04-26 16:44 693976 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2013-01-20 04:59 . 2013-01-20 04:59 230320 ----a-w- c:\windows\system32\drivers\MpFilter.sys

2013-01-20 04:59 . 2010-10-24 11:25 130008 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Pando Media Booster"="c:\program files (x86)\Pando Networks\Media Booster\PMB.exe" [2013-03-06 3093624]

"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2013-02-28 18642024]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"VolPanel"="c:\program files (x86)\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe" [2009-05-04 241789]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]

"XFastUsb"="c:\program files (x86)\XFastUsb\XFastUsb.exe" [2011-04-07 4942336]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-02 252848]

"Seagate Dashboard"="c:\program files (x86)\Seagate\Seagate Dashboard\MemeoLauncher.exe" [2011-06-01 79112]

"RemoteControl"="c:\program files (x86)\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 30208]

"Memeo Instant Backup"="c:\program files (x86)\Memeo\AutoBackup\MemeoLauncher2.exe" [2011-05-12 136416]

"Memeo AutoSync"="c:\program files (x86)\Memeo\AutoSync\MemeoLauncher2.exe" [2011-05-13 144608]

"LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 49152]

"HTC Sync Loader"="c:\program files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2012-04-17 651264]

"CTSyncService"="c:\program files (x86)\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe" [2009-07-08 1233195]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

R1 rfynymjz;rfynymjz;c:\windows\system32\drivers\rfynymjz.sys [x]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 MBAMScheduler;MBAMScheduler;d:\malwarebytes' anti-malware\mbamscheduler.exe [2013-04-04 418376]

R2 MBAMService;MBAMService;d:\malwarebytes' anti-malware\mbamservice.exe [2013-04-04 701512]

R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2013-02-28 161384]

R2 SmartViewService;SmartView service;c:\program files (x86)\DeviceVM\SmartView\SmartViewService.exe [x]

R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2011-04-07 79360]

R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-04-07 79360]

R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [2011-05-17 47616]

R3 FNETTBOH_305;FNETTBOH_305;c:\windows\system32\drivers\FNETTBOH_305.SYS [2011-04-07 31808]

R3 HTCAND64;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [2009-11-02 33736]

R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\DRIVERS\htcnprot.sys [2010-06-25 36928]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-04-04 25928]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2013-01-20 130008]

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2013-01-27 379360]

R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-08-01 45416]

R3 Sound Blaster X-Fi MB Licensing Service;Sound Blaster X-Fi MB Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\XMBLicensing.exe [2011-04-07 79360]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-05-16 1255736]

R3 X6va005;X6va005;c:\users\Owner\AppData\Local\Temp\00593C8.tmp [x]

S1 AsrAppCharger;AsrAppCharger;c:\windows\system32\DRIVERS\AsrAppCharger.sys [2010-06-11 15368]

S1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS [2011-04-07 15936]

S2 MemeoBackgroundService;MemeoBackgroundService;c:\program files (x86)\Memeo\AutoBackup\MemeoBackgroundService.exe [2011-05-12 25824]

S2 PassThru Service;Internet Pass-Through Service;c:\program files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [2012-03-23 87040]

S2 SeagateDashboardService;Seagate Dashboard Service;c:\program files (x86)\Seagate\Seagate Dashboard\SeagateDashboardService.exe [2011-06-01 14088]

S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-02-01 2656280]

S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-14 317440]

S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [2010-08-24 76912]

S3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\DRIVERS\MijXfilt.sys [2012-03-25 115272]

.

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-11-30 11660904]

"RunDLLEntry"="c:\windows\system32\AmbRunE.dll" [2009-02-26 17920]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-12-13 172144]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-12-13 399984]

"Persistence"="c:\windows\system32\igfxpers.exe" [2012-12-13 441968]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

mLocal Page = c:\windows\SysWOW64\blank.htm

TCP: DhcpNameServer = 192.168.1.254

TCP: Interfaces\{A80DA39F-1AA6-4BDF-802D-D662376E545A}: NameServer = 203.134.64.66,203.134.65.66

.

- - - - ORPHANS REMOVED - - - -

.

Wow6432Node-HKCU-Run-ASRockXTU - (no file)

Wow6432Node-HKCU-Run-zASRockInstantBoot - (no file)

Wow6432Node-HKCU-Run-PlayNC Launcher - (no file)

Wow6432Node-HKCU-Run-Imnewatey - c:\users\Owner\AppData\Roaming\Ehmi\wido.exe

Wow6432Node-HKCU-Run-DS3 Tool - D:\DS3_Tool.exe

Wow6432Node-HKLM-Run-SmartViewAgent - c:\program files (x86)\DeviceVM\SmartView\SmartViewAgent.exe

HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start

HKLM-Run-MSC - c:\program files\Microsoft Security Client\mssecex.exe

HKLM-Run-zckqe - c:\users\Owner\AppData\Roaming\zckqe.dll

HKLM-Run-csubdx - c:\users\Owner\AppData\Roaming\csubdx.dll

AddRemove-NCsoft-Aion - c:\program files (x86)\NCSoft\Launcher\NCLauncher.exe

.

.

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\X6va005]

"ImagePath"="\??\c:\users\Owner\AppData\Local\Temp\00593C8.tmp"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-2586863577-133460293-3042322573-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="WindowsLiveMail.Email.1"

.

[HKEY_USERS\S-1-5-21-2586863577-133460293-3042322573-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="WindowsLiveMail.VCard.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2013-04-14 19:44:38

ComboFix-quarantined-files.txt 2013-04-14 09:44

.

Pre-Run: 63,114,227,712 bytes free

Post-Run: 62,825,955,328 bytes free

.

- - End Of File - - 4709A4E90DD0F159CD510B9935556F28

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Driver::

rfynymjz

File::

c:\windows\system32\drivers\rfynymjz.sys

JavaClearCache::

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

I've done as told.

ComboFix 13-04-12.02 - Owner Sun 20:09:13.3.4 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3817.2492 [GMT 10:00]

Running from: c:\users\Owner\Desktop\ComboFix.exe

Command switches used :: c:\users\Owner\Desktop\CFScript.txt

AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}

SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

FILE ::

"c:\windows\system32\drivers\rfynymjz.sys"

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_rfynymjz

.

.

((((((((((((((((((((((((( Files Created from 2013-03-14 to 2013-04-14 )))))))))))))))))))))))))))))))

.

.

2013-04-14 10:13 . 2013-04-14 10:13 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-04-14 09:47 . 2013-04-14 09:47 76232 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9D702C09-1777-4B46-8424-86FBFF324B6D}\offreg.dll

2013-04-14 09:47 . 2013-03-15 06:28 9311288 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9D702C09-1777-4B46-8424-86FBFF324B6D}\mpengine.dll

2013-04-14 05:05 . 2013-03-15 06:28 9311288 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2013-04-14 04:28 . 2013-04-14 04:28 -------- d-----w- c:\windows\ERUNT

2013-04-14 04:27 . 2013-04-14 04:27 -------- d-----w- C:\JRT

2013-04-13 19:38 . 2013-04-13 19:38 -------- d-----w- c:\users\Owner\AppData\Roaming\Malwarebytes

2013-04-13 19:38 . 2013-04-13 19:38 -------- d-----w- c:\programdata\Malwarebytes

2013-04-13 19:38 . 2013-04-04 04:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-04-13 19:38 . 2013-04-13 19:38 -------- d-----w- c:\users\Owner\AppData\Local\Programs

2013-04-13 17:29 . 2013-02-15 06:08 44032 ----a-w- c:\windows\system32\tsgqec.dll

2013-04-13 17:29 . 2013-02-15 06:06 3717632 ----a-w- c:\windows\system32\mstscax.dll

2013-04-13 17:29 . 2013-02-15 06:02 158720 ----a-w- c:\windows\system32\aaclient.dll

2013-04-13 17:29 . 2013-02-15 04:37 3217408 ----a-w- c:\windows\SysWow64\mstscax.dll

2013-04-13 17:29 . 2013-02-15 04:34 131584 ----a-w- c:\windows\SysWow64\aaclient.dll

2013-04-13 17:29 . 2013-02-15 03:25 36864 ----a-w- c:\windows\SysWow64\tsgqec.dll

2013-04-13 17:27 . 2013-03-19 06:04 5550424 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-04-13 17:27 . 2013-03-19 05:04 3913560 ----a-w- c:\windows\SysWow64\ntoskrnl.exe

2013-04-13 17:27 . 2013-03-19 05:46 43520 ----a-w- c:\windows\system32\csrsrv.dll

2013-04-13 17:27 . 2013-03-19 05:04 3968856 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe

2013-04-13 17:27 . 2013-03-19 04:47 6656 ----a-w- c:\windows\SysWow64\apisetschema.dll

2013-04-13 17:27 . 2013-03-19 03:06 112640 ----a-w- c:\windows\system32\smss.exe

2013-04-13 17:27 . 2013-03-01 03:36 3153408 ----a-w- c:\windows\system32\win32k.sys

2013-04-10 04:34 . 2012-03-25 00:26 115272 ----a-w- c:\windows\system32\drivers\MijXfilt.sys

2013-04-06 07:30 . 2013-04-06 07:30 -------- d-----w- c:\program files (x86)\Common Files\Skype

2013-04-06 07:30 . 2013-04-06 07:30 -------- d-----r- c:\program files (x86)\Skype

2013-04-03 05:44 . 2013-04-03 05:44 163088 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10143.bin

2013-04-01 11:47 . 2013-04-01 11:47 -------- d-----w- c:\program files\Microsoft Silverlight

2013-04-01 11:47 . 2013-04-01 11:47 -------- d-----w- c:\program files (x86)\Microsoft Silverlight

2013-04-01 11:27 . 2013-01-04 05:46 215040 ----a-w- c:\windows\system32\winsrv.dll

2013-04-01 11:27 . 2013-01-04 04:51 5120 ----a-w- c:\windows\SysWow64\wow32.dll

2013-04-01 11:27 . 2013-01-04 02:47 25600 ----a-w- c:\windows\SysWow64\setup16.exe

2013-04-01 11:27 . 2013-01-04 02:47 7680 ----a-w- c:\windows\SysWow64\instnm.exe

2013-04-01 11:27 . 2013-01-04 02:47 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll

2013-04-01 11:27 . 2013-01-04 02:47 2048 ----a-w- c:\windows\SysWow64\user.exe

2013-04-01 11:27 . 2012-11-09 05:45 750592 ----a-w- c:\windows\system32\win32spl.dll

2013-04-01 11:27 . 2012-11-09 04:43 492032 ----a-w- c:\windows\SysWow64\win32spl.dll

2013-04-01 11:27 . 2012-11-01 05:43 2002432 ----a-w- c:\windows\system32\msxml6.dll

2013-04-01 11:27 . 2012-11-01 05:43 1882624 ----a-w- c:\windows\system32\msxml3.dll

2013-04-01 11:27 . 2012-11-01 04:47 1389568 ----a-w- c:\windows\SysWow64\msxml6.dll

2013-04-01 11:27 . 2012-11-01 04:47 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll

2013-04-01 11:26 . 2013-01-03 06:00 1913192 ----a-w- c:\windows\system32\drivers\tcpip.sys

2013-04-01 11:26 . 2013-01-03 06:00 288088 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS

2013-04-01 11:26 . 2012-11-20 05:48 307200 ----a-w- c:\windows\system32\ncrypt.dll

2013-04-01 11:26 . 2012-11-20 04:51 220160 ----a-w- c:\windows\SysWow64\ncrypt.dll

2013-04-01 11:26 . 2012-11-23 03:13 68608 ----a-w- c:\windows\system32\taskhost.exe

2013-03-21 23:17 . 2012-11-29 02:49 972264 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7E9815AB-60D0-45F8-978A-5ACB99DCE8D9}\gapaengine.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-04-13 17:35 . 2011-04-14 13:55 72702784 ----a-w- c:\windows\system32\MRT.exe

2013-04-02 10:34 . 2011-04-08 07:54 282744 ------w- c:\windows\system32\MpSigStub.exe

2013-03-21 12:37 . 2012-04-26 16:44 73432 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2013-03-21 12:37 . 2012-04-26 16:44 693976 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2013-01-20 04:59 . 2013-01-20 04:59 230320 ----a-w- c:\windows\system32\drivers\MpFilter.sys

2013-01-20 04:59 . 2010-10-24 11:25 130008 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Pando Media Booster"="c:\program files (x86)\Pando Networks\Media Booster\PMB.exe" [2013-03-06 3093624]

"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2013-02-28 18642024]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"VolPanel"="c:\program files (x86)\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe" [2009-05-04 241789]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]

"XFastUsb"="c:\program files (x86)\XFastUsb\XFastUsb.exe" [2011-04-07 4942336]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-02 252848]

"Seagate Dashboard"="c:\program files (x86)\Seagate\Seagate Dashboard\MemeoLauncher.exe" [2011-06-01 79112]

"RemoteControl"="c:\program files (x86)\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 30208]

"Memeo Instant Backup"="c:\program files (x86)\Memeo\AutoBackup\MemeoLauncher2.exe" [2011-05-12 136416]

"Memeo AutoSync"="c:\program files (x86)\Memeo\AutoSync\MemeoLauncher2.exe" [2011-05-13 144608]

"LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 49152]

"HTC Sync Loader"="c:\program files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2012-04-17 651264]

"CTSyncService"="c:\program files (x86)\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe" [2009-07-08 1233195]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 MBAMScheduler;MBAMScheduler;d:\malwarebytes' anti-malware\mbamscheduler.exe [2013-04-04 418376]

R2 MBAMService;MBAMService;d:\malwarebytes' anti-malware\mbamservice.exe [2013-04-04 701512]

R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2013-02-28 161384]

R2 SmartViewService;SmartView service;c:\program files (x86)\DeviceVM\SmartView\SmartViewService.exe [x]

R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2011-04-07 79360]

R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-04-07 79360]

R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [2011-05-17 47616]

R3 FNETTBOH_305;FNETTBOH_305;c:\windows\system32\drivers\FNETTBOH_305.SYS [2011-04-07 31808]

R3 HTCAND64;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [2009-11-02 33736]

R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\DRIVERS\htcnprot.sys [2010-06-25 36928]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-04-04 25928]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2013-01-20 130008]

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2013-01-27 379360]

R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-08-01 45416]

R3 Sound Blaster X-Fi MB Licensing Service;Sound Blaster X-Fi MB Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\XMBLicensing.exe [2011-04-07 79360]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-05-16 1255736]

R3 X6va005;X6va005;c:\users\Owner\AppData\Local\Temp\00593C8.tmp [x]

S1 AsrAppCharger;AsrAppCharger;c:\windows\system32\DRIVERS\AsrAppCharger.sys [2010-06-11 15368]

S1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS [2011-04-07 15936]

S2 MemeoBackgroundService;MemeoBackgroundService;c:\program files (x86)\Memeo\AutoBackup\MemeoBackgroundService.exe [2011-05-12 25824]

S2 PassThru Service;Internet Pass-Through Service;c:\program files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [2012-03-23 87040]

S2 SeagateDashboardService;Seagate Dashboard Service;c:\program files (x86)\Seagate\Seagate Dashboard\SeagateDashboardService.exe [2011-06-01 14088]

S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-02-01 2656280]

S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-14 317440]

S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [2010-08-24 76912]

S3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\DRIVERS\MijXfilt.sys [2012-03-25 115272]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-11-30 11660904]

"RunDLLEntry"="c:\windows\system32\AmbRunE.dll" [2009-02-26 17920]

"MSC"="c:\program files\Microsoft Security Client\mssecex.exe" [bU]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-12-13 172144]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-12-13 399984]

"Persistence"="c:\windows\system32\igfxpers.exe" [2012-12-13 441968]

"zckqe"="c:\users\Owner\AppData\Roaming\zckqe.dll" [bU]

"csubdx"="c:\users\Owner\AppData\Roaming\csubdx.dll" [bU]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

mLocal Page = c:\windows\SysWOW64\blank.htm

TCP: DhcpNameServer = 192.168.1.254

TCP: Interfaces\{A80DA39F-1AA6-4BDF-802D-D662376E545A}: NameServer = 203.134.64.66,203.134.65.66

.

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\X6va005]

"ImagePath"="\??\c:\users\Owner\AppData\Local\Temp\00593C8.tmp"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-2586863577-133460293-3042322573-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="WindowsLiveMail.Email.1"

.

[HKEY_USERS\S-1-5-21-2586863577-133460293-3042322573-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="WindowsLiveMail.VCard.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2013-04-14 20:15:05

ComboFix-quarantined-files.txt 2013-04-14 10:15

ComboFix2.txt 2013-04-14 09:44

.

Pre-Run: 62,775,308,288 bytes free

Post-Run: 62,475,563,008 bytes free

.

- - End Of File - - CE617F7F98D43991E389C22FBF3E7E3E

Thanks! :)

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\ESET\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic

ESETSmartInstaller@High as CAB hook log:

OnlineScanner64.ocx - registred OK

OnlineScanner.ocx - registred OK

# version=8

# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)

# OnlineScanner.ocx=1.0.0.6920

# api_version=3.0.2

# EOSSerial=c2b6bfaf0e201e4996842c4400ec9079

# engine=13613

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=false

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2013-04-14 11:53:38

# local_time=2013-04-14 09:53:38 (+1000, AUS Eastern Standard Time)

# country="United States"

# lang=1033

# osver=6.1.7601 NT Service Pack 1

# compatibility_mode=5893 16776574 100 94 16066945 117573868 0 0

# scanned=116560

# found=3

# cleaned=3

# scan_time=2604

sh=293DC2DC4C51FC289E3A98C8CF6FC7095F6F84EA ft=0 fh=0000000000000000 vn="a variant of Win32/Medfos.NN trojan (deleted - quarantined)" ac=C fn="C:\$RECYCLE.BIN\S-1-5-21-2586863577-133460293-3042322573-1000\$RBAPFNE.rar"

sh=882E04FC221C909838D603E7DD389E4F64B47FBB ft=0 fh=0000000000000000 vn="a variant of Win32/Medfos.NN trojan (deleted - quarantined)" ac=C fn="C:\Qoobox\Quarantine.rar"

sh=300735B9A9C8C3AFF42113017911C1F905839D1B ft=1 fh=be5ef3fdee767b2c vn="a variant of Win32/Medfos.NN trojan (cleaned by deleting - quarantined)" ac=C fn="C:\Qoobox\Quarantine\C\Users\Owner\AppData\Roaming\zckqe.dll.vir"

Glad I could help! :)

  • Download OTC to your desktop and run it
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Next, uninstall ESET Online Scanner.

Some malware prevention tips:

users.telenet.be/bluepatchy/miekiemoes/prevention.html

Safe surfing! :)

Download OTL to your Desktop

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Please tick Scan All Users. Next, click the Quick Scan button. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and post them in your topic.

OTL logfile created on: Sunday 11:58:25 PM - Run 1

OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Owner\Desktop

64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation

Internet Explorer (Version = 9.0.8112.16421)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: dddd

3.73 Gb Total Physical Memory | 2.56 Gb Available Physical Memory | 68.61% Memory free

7.45 Gb Paging File | 5.91 Gb Available in Paging File | 79.31% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)

Drive C: | 97.56 Gb Total Space | 57.41 Gb Free Space | 58.84% Space Free | Partition Type: NTFS

Drive D: | 833.86 Gb Total Space | 804.92 Gb Free Space | 96.53% Space Free | Partition Type: NTFS

Computer Name: OWNER-PC | User Name: Owner | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013 (OldTimer Tools) -- C:\Users\Owner\Desktop\OTL.exe

PRC - [2013 (Macrovision Europe Ltd.) -- C:\Users\Owner\AppData\Local\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001

PRC - [2013 () -- C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe

PRC - [2012 () -- C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe

PRC - [2012 () -- C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe

PRC - [2011 (Memeo) -- C:\Program Files (x86)\Seagate\Seagate Dashboard\SeagateDashboardService.exe

PRC - [2011 (Memeo) -- C:\Program Files (x86)\Seagate\Seagate Dashboard\MemeoDashboard.exe

PRC - [2011 (Memeo Inc.) -- C:\Program Files (x86)\Memeo\AutoBackup\MemeoUpdater.exe

PRC - [2011 (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

PRC - [2011 (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

PRC - [2011 (FNet Co., Ltd.) -- C:\Program Files (x86)\XFastUsb\XFastUsb.exe

PRC - [2011 (Creative Labs) -- C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\XMBLicensing.exe

PRC - [2011 (Axentra Corporation) -- C:\Program Files (x86)\Seagate\Seagate Dashboard\HipServAgent\HipServAgent.exe

PRC - [2011 () -- C:\Program Files (x86)\Memeo\AutoBackup\InstantBackup.exe

PRC - [2009 (Creative Technology Ltd) -- C:\Program Files (x86)\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe

PRC - [2009 (Creative Technology Ltd) -- C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe

PRC - [2009 (Creative Technology Ltd) -- C:\Program Files (x86)\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe

========== Modules (No Company Name) ==========

MOD - [2013 () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\f687c43e9fdec031988b33ae722c4613\System.Xml.ni.dll

MOD - [2013 () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\cb562e2e4f74ae607f1186f6ec50cec7\System.Windows.Forms.ni.dll

MOD - [2013 () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\5ecf01964c70e453d71e5d7653912ff9\System.Web.ni.dll

MOD - [2013 () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\7ff638de44686eab4afaa8b3c8a9cfca\System.ServiceProcess.ni.dll

MOD - [2013 () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\90b89f6e8032310e9ac72a309fd49e83\System.Runtime.Remoting.ni.dll

MOD - [2013 () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\369f8bdca364e2b4936d18dea582912c\System.ni.dll

MOD - [2013 () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\302207b4fa3083899fd8ab4db98cecc5\System.Management.ni.dll

MOD - [2013 () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\eead6629e384a5b69f9ae35284b7eeed\System.Drawing.ni.dll

MOD - [2013 () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data\dd20416f723ee13ffb4173ec1afc4ec4\System.Data.ni.dll

MOD - [2013 () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\195a77fcc6206f8bb35d419ff2cf0d72\System.Configuration.ni.dll

MOD - [2013 () -- C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe

MOD - [2013 () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\7150b9136fad5b79e88f6c7f9d3d2c39\mscorlib.ni.dll

MOD - [2013 () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7366a39c36523a084bc11c230929ff92\Microsoft.VisualBasic.ni.dll

MOD - [2013 () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\Accessibility\d908c91e24616e6b8d38c9da61038b25\Accessibility.ni.dll

MOD - [2013 () -- C:\Users\Owner\AppData\Local\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001.dir.0002\~df394b.tmp

MOD - [2013 () -- C:\Users\Owner\AppData\Local\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001.dir.0002\~de6248.tmp

MOD - [2012 () -- C:\Program Files (x86)\HTC\HTC Sync 3.0\sqlite3.dll

MOD - [2012 () -- C:\Program Files (x86)\HTC\HTC Sync 3.0\sqlite3.7.dll

MOD - [2012 () -- C:\Program Files (x86)\HTC\HTC Sync 3.0\Maps\R66Api.dll

MOD - [2012 () -- C:\Program Files (x86)\HTC\HTC Sync 3.0\OutputLog.dll

MOD - [2012 () -- C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe

MOD - [2012 () -- C:\Program Files (x86)\HTC\HTC Sync 3.0\htcDisk.dll

MOD - [2012 () -- C:\Program Files (x86)\HTC\HTC Sync 3.0\htcDetectLegend.dll

MOD - [2012 () -- C:\Program Files (x86)\HTC\HTC Sync 3.0\htcDetect.dll

MOD - [2012 () -- C:\Program Files (x86)\HTC\HTC Sync 3.0\fdHttpd.dll

MOD - [2011 () -- C:\Program Files (x86)\Seagate\Seagate Dashboard\Memeo.Progress.dll

MOD - [2011 () -- C:\Program Files (x86)\Seagate\Seagate Dashboard\Plugins\Memeo.Dashboard.SeagateSharePlusPlugin.dll

MOD - [2011 () -- C:\Program Files (x86)\Memeo\AutoBackup\Memeo.Client.UI.dll

MOD - [2011 () -- C:\Program Files (x86)\Memeo\AutoBackup\Memeo.Client.DriveDetection.dll

MOD - [2011 () -- C:\Program Files (x86)\Seagate\Seagate Dashboard\HipServAgent\libxml2.dll

MOD - [2011 () -- C:\Program Files (x86)\Seagate\Seagate Dashboard\HipServAgent\libupnp.dll

MOD - [2011 () -- C:\Program Files (x86)\Memeo\AutoBackup\InstantBackup.exe

MOD - [2010 () -- C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll

MOD - [2010 () -- C:\Program Files (x86)\Memeo\AutoBackup\sqlite3.dll

MOD - [2009 () -- C:\Windows\SysWOW64\CmdRtr.DLL

MOD - [2009 () -- C:\Windows\SysWOW64\APOMngr.DLL

========== Services (SafeList) ==========

SRV:64bit: - [2013 (Microsoft Corporation) [On_Demand | Running] -- C:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)

SRV:64bit: - [2013 (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)

SRV:64bit: - [2009 (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)

SRV - [2013 (Skype Technologies) [Auto | Stopped] -- C:\Program Files (x86)\Skype\Updater\Updater.exe -- (SkypeUpdate)

SRV - [2012 (Intel Corporation) [On_Demand | Stopped] -- C:\Windows\SysWOW64\IntelCpHeciSvc.exe -- (cphs)

SRV - [2012 () [Auto | Running] -- C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe -- (PassThru Service)

SRV - [2011 (Memeo) [Auto | Running] -- C:\Program Files (x86)\Seagate\Seagate Dashboard\SeagateDashboardService.exe -- (SeagateDashboardService)

SRV - [2011 (Memeo) [Auto | Running] -- C:\Program Files (x86)\Memeo\AutoBackup\MemeoBackgroundService.exe -- (MemeoBackgroundService)

SRV - [2011 (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe -- (UNS)

SRV - [2011 (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe -- (LMS)

SRV - [2011 (Creative Labs) [On_Demand | Running] -- C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\XMBLicensing.exe -- (Sound Blaster X-Fi MB Licensing Service)

SRV - [2011 (Creative Labs) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe -- (Creative Audio Engine Licensing Service)

SRV - [2011 (Creative Labs) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe -- (Creative ALchemy AL6 Licensing Service)

SRV - [2010 (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)

SRV - [2009 (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)

SRV - [2009 (Creative Technology Ltd) [Auto | Running] -- C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe -- (CTAudSvcService)

========== Driver Services (SafeList) ==========

DRV:64bit: - [2013 (Microsoft Corporation) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)

DRV:64bit: - [2012 (MotioninJoy) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\MijXfilt.sys -- (MotioninJoyXFilter)

DRV:64bit: - [2012 (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)

DRV:64bit: - [2012 (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)

DRV:64bit: - [2011 (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\point64.sys -- (Point64)

DRV:64bit: - [2011 (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\nuidfltr.sys -- (NuidFltr)

DRV:64bit: - [2011 (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\dc3d.sys -- (dc3d)

DRV:64bit: - [2011 (FNet Co., Ltd.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\FNETURPX.SYS -- (FNETURPX)

DRV:64bit: - [2011 (FNet Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\FNETTBOH_305.SYS -- (FNETTBOH_305)

DRV:64bit: - [2011 (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)

DRV:64bit: - [2011 (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)

DRV:64bit: - [2010 (Windows ® Win 7 DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\htcnprot.sys -- (htcnprot)

DRV:64bit: - [2010 (Windows ® Win 7 DDK provider) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\AsrAppCharger.sys -- (AsrAppCharger)

DRV:64bit: - [2010 (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\xusb21.sys -- (xusb21)

DRV:64bit: - [2010 (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)

DRV:64bit: - [2010 (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\IntcDAud.sys -- (IntcDAud)

DRV:64bit: - [2010 (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (MEIx64)

DRV:64bit: - [2010 (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)

DRV:64bit: - [2010 (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\L1C62x64.sys -- (L1C)

DRV:64bit: - [2009 (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)

DRV:64bit: - [2009 (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usb8023x.sys -- (usb_rndisx)

DRV:64bit: - [2009 (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)

DRV:64bit: - [2009 (HTC, Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ANDROIDUSB.sys -- (HTCAND64)

DRV:64bit: - [2009 (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)

DRV:64bit: - [2009 (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)

DRV:64bit: - [2009 (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)

DRV:64bit: - [2009 (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)

DRV:64bit: - [2009 (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)

DRV - [2009 (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}

IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

IE - HKLM\..\SearchScopes,DefaultScope = {0633ee93-d776-472f-a0ff-e1416b8b2e3a}

IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\..\SearchScopes,defaultscope = {0633ee93-d776-472f-a0ff-e1416b8b2e3a}

IE - HKU\S-1-5-20\..\SearchScopes,defaultscope = {0633ee93-d776-472f-a0ff-e1416b8b2e3a}

IE - HKU\S-1-5-21-2586863577-133460293-3042322573-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp

IE - HKU\S-1-5-21-2586863577-133460293-3042322573-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US

IE - HKU\S-1-5-21-2586863577-133460293-3042322573-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = A5 FD 97 F8 F8 38 CE 01 [binary data]

IE - HKU\S-1-5-21-2586863577-133460293-3042322573-1000\..\SearchScopes,DefaultScope = {0BB8EE00-A234-46ba-98DA-97C325A0CC43}

IE - HKU\S-1-5-21-2586863577-133460293-3042322573-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC

IE - HKU\S-1-5-21-2586863577-133460293-3042322573-1000\..\SearchScopes\{0BB8EE00-A234-46ba-98DA-97C325A0CC43}: "URL" = http://www.bing.com/search?q={searchTerms}&form=SPLEP1&pc=SPLH

IE - HKU\S-1-5-21-2586863577-133460293-3042322573-1000\..\SearchScopes\{67944298-91D3-4289-8EB3-16F4B1C9C1E8}: "URL" = http://search.yahoo.com/search?p={searchTerms}&fr=chr-devicevm&type=ASRK

IE - HKU\S-1-5-21-2586863577-133460293-3042322573-1000\..\SearchScopes\{A756AA1A-A190-4047-938D-0D895501B47A}: "URL" = http://search.chatzum.com/?q={searchTerms}

IE - HKU\S-1-5-21-2586863577-133460293-3042322573-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found

FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.7.2: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.7.2: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll File not found

FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)

FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)

O1 HOSTS File: () - C:\Windows\SysNative\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Java Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)

O2 - BHO: (Java Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)

O4:64bit: - HKLM..\Run: [csubdx] "C:\Windows\System32\rundll32.exe" "C:\Users\Owner\AppData\Roaming\csubdx.dll",Number_Int File not found

O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)

O4:64bit: - HKLM..\Run: [igfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)

O4:64bit: - HKLM..\Run: [MSC] "C:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey File not found

O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)

O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)

O4:64bit: - HKLM..\Run: [RunDLLEntry] C:\Windows\SysNative\AmbRunE.DLL (Creative Technology Ltd.)

O4:64bit: - HKLM..\Run: [zckqe] "C:\Windows\System32\rundll32.exe" "C:\Users\Owner\AppData\Roaming\zckqe.dll",vCleanup File not found

O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [CTSyncService] C:\Program Files (x86)\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe (Creative Technology Ltd)

O4 - HKLM..\Run: [HTC Sync Loader] C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe ()

O4 - HKLM..\Run: [LanguageShortcut] C:\Program Files (x86)\CyberLink\PowerDVD\Language\Language.exe ()

O4 - HKLM..\Run: [Memeo AutoSync] C:\Program Files (x86)\Memeo\AutoSync\MemeoLauncher2.exe (Memeo Inc.)

O4 - HKLM..\Run: [Memeo Instant Backup] C:\Program Files (x86)\Memeo\AutoBackup\MemeoLauncher2.exe (Memeo Inc.)

O4 - HKLM..\Run: [seagate Dashboard] C:\Program Files (x86)\Seagate\Seagate Dashboard\MemeoLauncher.exe ()

O4 - HKLM..\Run: [updReg] C:\Windows\Updreg.EXE (Creative Technology Ltd.)

O4 - HKLM..\Run: [VolPanel] C:\Program Files (x86)\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe (Creative Technology Ltd)

O4 - HKLM..\Run: [XFastUsb] C:\Program Files (x86)\XFastUsb\XFastUsb.exe (FNet Co., Ltd.)

O4 - HKU\S-1-5-21-2586863577-133460293-3042322573-1000..\Run: [Pando Media Booster] C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe ()

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0

O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-2586863577-133460293-3042322573-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-2586863577-133460293-3042322573-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-2586863577-133460293-3042322573-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O13 - gopher Prefix: missing

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab (Checkers Class)

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab (Solitaire Showdown Class)

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab (UnoCtrl Class)

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab (Reg Error: Value error.)

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab (MessengerStatsClient Class)

O16 - DPF: {CAFEEFAC-0017-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab (Java Plug-in 1.7.0_04)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab (Java Plug-in 10.7.2)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{A80DA39F-1AA6-4BDF-802D-D662376E545A}: DhcpNameServer = 192.168.1.254

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{A80DA39F-1AA6-4BDF-802D-D662376E545A}: NameServer = 203.134.64.66,203.134.65.66

O18:64bit: - Protocol\Handler\livecall - No CLSID value found

O18:64bit: - Protocol\Handler\msnim - No CLSID value found

O18:64bit: - Protocol\Handler\skype4com - No CLSID value found

O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found

O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll File not found

O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll File not found

O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)

O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)

O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)

O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.

O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.

O32 - HKLM CDRom: AutoRun - 1

O34 - HKLM BootExecute: (autocheck autochk *)

O35:64bit: - HKLM\..comfile [open] -- "%1" %*

O35:64bit: - HKLM\..exefile [open] -- "%1" %*

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*

O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*

O37 - HKLM\...com [@ = ComFile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)

O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2013 (OldTimer Tools) -- C:\Users\Owner\Desktop\OTL.exe

[2013 (MotioninJoy) -- C:\Windows\SysNative\drivers\MijXfilt.sys

========== Files - Modified Within 30 Days ==========

[2013 (OldTimer Tools) -- C:\Users\Owner\Desktop\OTL.exe

[2013 () -- C:\Users\Public\Desktop\Skype.lnk

[2013 () -- C:\Users\Owner\random.dat

[2013 () -- C:\Windows\SysWow64\PerfStringBackup.INI

[2013 () -- C:\Windows\SysNative\PerfStringBackup.INI

[2013 () -- C:\Windows\SysNative\perfh009.dat

[2013 () -- C:\Windows\SysNative\perfc009.dat

[2013 () -- C:\Users\Owner\Desktop\pcsx2-r5350 - Shortcut.lnk

[2013 () -- C:\Users\Owner\jagex_cl_runescape_LIVE.dat

[2013 () -- C:\Windows\SysNative\drivers\etc\hosts

[2013 () -- C:\hiberfil.sys

[2013 () -- C:\Windows\SysNative\FNTCACHE.DAT

[2013 () -- C:\Windows\epplauncher.mif

[2013 () -- C:\Windows\bootstat.dat

[2013 () -- C:\Users\Owner\Documents\aionmemo_a1d29eb3.dat

[2013 () -- C:\Users\Owner\Documents\aionmemo_a1d29eb3.bak

[2013 () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

[2013 () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

========== Files Created - No Company Name ==========

[2013 () -- C:\Users\Public\Desktop\Skype.lnk

[2013 () -- C:\Users\Owner\random.dat

[2013 () -- C:\Users\Owner\Desktop\pcsx2-r5350 - Shortcut.lnk

[2013 () -- C:\Users\Owner\jagex_cl_runescape_LIVE.dat

[2012 () -- C:\Windows\SysWow64\zlib1.dll

[2012 () -- C:\Windows\SysWow64\igvpkrng600.bin

[2012 () -- C:\Windows\SysWow64\igkrng600.bin

[2012 () -- C:\Windows\SysWow64\igfcg600m.bin

[2012 () -- C:\Windows\SysWow64\igdde32.dll

[2012 () -- C:\Windows\SysWow64\igcodeckrng600.bin

[2012 () -- C:\Windows\SysWow64\HtsysmNT.sys

[2011 () -- C:\Windows\SysWow64\xlive.dll.cat

[2011 () -- C:\Users\Owner\AppData\Local\Resmon.ResmonCfg

[2011 () -- C:\Windows\SysWow64\PerfStringBackup.INI

[2011 () -- C:\Windows\patchw32.dll

[2011 () -- C:\Windows\patchw.dll

========== ZeroAccess Check ==========

[2009 () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

"" = C:\Windows\SysNative\shell32.dll -- [2012 (Microsoft Corporation)

"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

"" = %SystemRoot%\system32\shell32.dll -- [2012 (Microsoft Corporation)

"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64

"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009 (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]

"" = %systemroot%\system32\wbem\fastprox.dll -- [2010 (Microsoft Corporation)

"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64

"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009 (Microsoft Corporation)

"ThreadingModel" = Both

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

========== LOP Check ==========

========== Purity Check ==========

< End of report >

OTL Extras logfile created on: Sunday 11:58:25 PM - Run 1

OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Owner\Desktop

64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation

Internet Explorer (Version = 9.0.8112.16421)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: dddd

3.73 Gb Total Physical Memory | 2.56 Gb Available Physical Memory | 68.61% Memory free

7.45 Gb Paging File | 5.91 Gb Available in Paging File | 79.31% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)

Drive C: | 97.56 Gb Total Space | 57.41 Gb Free Space | 58.84% Space Free | Partition Type: NTFS

Drive D: | 833.86 Gb Total Space | 804.92 Gb Free Space | 96.53% Space Free | Partition Type: NTFS

Computer Name: OWNER-PC | User Name: Owner | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.html[@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

helpfile [open] -- Reg Error: Key error.

htmlfile [edit] -- Reg Error: Key error.

htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)

htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)

htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)

http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)

inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)

InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)

InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [explore] -- Reg Error: Value error.

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)

exefile [open] -- "%1" %*

helpfile [open] -- Reg Error: Key error.

htmlfile [edit] -- Reg Error: Key error.

htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)

htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)

http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)

inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [explore] -- Reg Error: Value error.

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"cval" = 1

"FirewallDisableNotify" = 0

"AntiVirusDisableNotify" = 0

"UpdatesDisableNotify" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]

"AntiVirusOverride" = 0

"AntiSpywareOverride" = 0

"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 0

========== Firewall Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"TCP Query User{01EC3D4F-99EA-4250-AAA6-80469C38CBDB}C:\program files (x86)\pando networks\media booster\pmb.exe" = protocol=6 | dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe |

"TCP Query User{19454AD7-2C15-4768-B39D-436213BF2D02}C:\program files (x86)\skype\phone\skype.exe" = protocol=6 | dir=in | app=c:\program files (x86)\skype\phone\skype.exe |

"TCP Query User{8FDE339D-B73D-4C1D-8134-F5907FD5D8B7}C:\program files (x86)\seagate\seagate dashboard\hipservagent\hipservagent.exe" = protocol=6 | dir=in | app=c:\program files (x86)\seagate\seagate dashboard\hipservagent\hipservagent.exe |

"TCP Query User{D72917BF-A7A9-40BE-9A09-2B247326EE3A}C:\program files (x86)\pando networks\media booster\pmb.exe" = protocol=6 | dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe |

"TCP Query User{E51214BD-5A57-4A02-8431-C09F854A08D4}C:\program files (x86)\seagate\seagate dashboard\hipservagent\hipservagent.exe" = protocol=6 | dir=in | app=c:\program files (x86)\seagate\seagate dashboard\hipservagent\hipservagent.exe |

"UDP Query User{089CEB04-C1F2-4608-9CAF-6B8C6C49F6A6}C:\program files (x86)\pando networks\media booster\pmb.exe" = protocol=17 | dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe |

"UDP Query User{0A36DB90-A025-4520-BFFC-E19A6D34388A}C:\program files (x86)\seagate\seagate dashboard\hipservagent\hipservagent.exe" = protocol=17 | dir=in | app=c:\program files (x86)\seagate\seagate dashboard\hipservagent\hipservagent.exe |

"UDP Query User{4A048F19-5AE3-4318-AF1A-D9C4557AE721}C:\program files (x86)\seagate\seagate dashboard\hipservagent\hipservagent.exe" = protocol=17 | dir=in | app=c:\program files (x86)\seagate\seagate dashboard\hipservagent\hipservagent.exe |

"UDP Query User{BD2AC88F-2D1D-4581-BCD1-8892798FD00B}C:\program files (x86)\pando networks\media booster\pmb.exe" = protocol=17 | dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe |

"UDP Query User{FBB249B4-77C4-45D0-AE6F-1C4F04A42B2E}C:\program files (x86)\skype\phone\skype.exe" = protocol=17 | dir=in | app=c:\program files (x86)\skype\phone\skype.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{330DAC67-5B62-452A-A0E4-6B4A5923940F}_is1" = MotioninJoy Gamepad tool 0.7.0000

"{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148

"{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161

"{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8E34682C-8118-31F1-BC4C-98CD9675E1C2}" = Microsoft .NET Framework 4 Extended

"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting

"{CE52672C-A0E9-4450-8875-88A221D5CD50}" = Windows Live ID Sign-in Assistant

"{D954C6C2-544B-4091-A47F-11E77162883E}" = Microsoft Security Client

"{E9FA781F-3E80-4399-825A-AD3E11C28C77}" = MSVCRT110_amd64

"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile

"{F6822EFD-3F7D-4B35-8845-757A26AEC8E2}" = Windows Live MIME IFilter

"ASRock App Charger_is1" = ASRock App Charger v1.0.4

"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile

"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended

"Microsoft Security Client" = Microsoft Security Essentials

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{0454BB9A-2A7A-4214-BDFF-937F7A711A44}" = Windows Live Communications Platform

"{1111706F-666A-4037-7777-211328764D10}" = JavaFX 2.1.1

"{18272881-CFC0-434D-A975-E5BE44206AA0}" = Windows Live UX Platform Language Pack

"{196467F1-C11F-4F76-858B-5812ADC83B94}" = MSXML 4.0 SP3 Parser

"{196BB40D-1578-3D01-B289-BEFC77A11A1E}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319

"{1EA7C505-E6DA-4B85-9432-EBD3C70D510D}" = Windows Live Messenger

"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

"{23A3E560-069F-4CFC-8F6C-1B526EC735FC}" = Windows Live Writer Resources

"{26A24AE4-039D-4CA4-87B4-2F83217007FF}" = Java 7 Update 7

"{3108C217-BE83-42E4-AE9E-A56A2A92E549}" = Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver

"{31A559C1-9E4D-423B-9DD3-34A6C5398752}" = HTC BMP USB Driver

"{400C31E4-796F-4E86-8FDC-C3C4FACC6847}" = Junk Mail filter update

"{47FA2C44-D148-4DBC-AF60-B91934AA4842}" = Adobe AIR

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{4CCBD1F4-CEEC-452A-9CB8-46564B501315}" = Windows Live UX Platform

"{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}" = Skype™ 6.3

"{5F8E2CBB-949D-4175-AC98-5ADE7F6C9697}" = NCsoft Launcher

"{65153EA5-8B6E-43B6-857B-C6E4FC25798A}" = Intel® Management Engine Components

"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD

"{6A8DB215-7BCD-4377-B015-2E4541A3E7C6}" = Windows Live PIMT Platform

"{6D6664A9-3342-4948-9B7E-034EFE366F0F}" = HTC Driver Installer

"{70854FE6-3BF1-4C69-94D0-BEB821102E34}" = Windows Live Mail

"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable

"{75B7F766-7998-44d8-A202-F1EC76A121BA}" = Memeo AutoSync

"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com

"{832D9DE0-8AFC-4689-9819-4DBBDEBD3E4F}" = Microsoft Games for Windows - LIVE Redistributable

"{8A642ACD-CE3A-4A23-A8B1-A0F7EB12B214}" = Windows Live SOXE Definitions

"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT

"{8E14DDC8-EA60-4E18-B3E3-1937104D5BDA}" = MSVCRT110

"{8E666407-AC41-46a2-9692-6C7BFCBFDD37}" = Memeo Instant Backup

"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster

"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

"{AB77DFDE-9949-4AEF-B180-BE322C3E65D0}" = HTC Sync

"{AC76BA86-7AD7-1033-7B44-AA0000000001}" = Adobe Reader X (10.0.1)

"{B80D3EA9-A252-4AE5-AC51-81729F5C586F}" = Windows Live Mail

"{C034A6F9-6569-491B-B3BF-F5D15221A708}" = Windows Live Essentials

"{C3A11907-930D-41AC-A135-CC3B12F92011}" = Seagate Dashboard

"{C424CD5E-EA05-4D3E-B5DA-F9F149E1D3AC}" = Windows Live Installer

"{C9B6EFD0-4F01-4BBA-8374-39AD99A3ED72}" = Windows Live Photo Common

"{D0B44725-3666-492D-BEF6-587A14BD9BD9}" = MSVCRT_amd64

"{D2C146B1-948D-47EF-8387-5D1C6B980F7C}" = Windows Live Writer

"{D888F114-7537-4D48-AF03-5DA9C82D7540}" = Photo Common

"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10

"{E1845F1C-068C-F8F4-D31D-D3540D47C453}" = Adobe Download Assistant

"{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}" = Intel® Processor Graphics

"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver

"{F14B8ECC-BDA0-4987-9201-D7B7DBE11033}" = Nero 7 Ultra Edition

"{F2235E5E-7881-4293-9B6F-04B2609FBFF0}" = Windows Live Messenger

"{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}" = Sound Blaster X-Fi MB

"{F8A9085D-4C7A-41a9-8A77-C8998A96C421}" = Intel® Control Center

"{FE7C0B3D-50B9-4951-BE78-A321CBF86552}" = Windows Live SOXE

"Adobe AIR" = Adobe AIR

"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX

"Age of Empires" = Microsoft Age of Empires

"ASRock eXtreme Tuner_is1" = ASRock eXtreme Tuner v0.1.42

"ASRock InstantBoot_is1" = ASRock InstantBoot v1.26

"com.adobe.downloadassistant.AdobeDownloadAssistant" = Adobe Download Assistant

"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com

"pcsx2-r5350" = PCSX2 - Playstation 2 Emulator

"WinLiveSuite" = Windows Live Essentials

"WinRAR archiver" = WinRAR archiver

"XFastUsb" = XFastUsb

========== Last 20 Event Log Errors ==========

[ Application Events ]

Error - Sunday 3:24:10 AM | Computer Name = Owner-PC | Source = Customer Experience Improvement Program | ID = 1008

Description =

Error - Sunday 7:55:46 AM | Computer Name = Owner-PC | Source = SideBySide | ID = 16842832

Description = Activation context generation failed for "C:\Program Files (x86)\ESET\ESET

Online Scanner\ESETSmartInstaller.exe".Error in manifest or policy file "" on line

. A component version required by the application conflicts with another component

version already active. Conflicting components are:. Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.

Component

2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

[ System Events ]

Error - Sunday 5:41:29 AM | Computer Name = Owner-PC | Source = Service Control Manager | ID = 7030

Description = The PEVSystemStart service is marked as an interactive service. However,

the system is configured to not allow interactive services. This service may not

function properly.

Error - Sunday 5:42:44 AM | Computer Name = Owner-PC | Source = Application Popup | ID = 1060

Description = \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility

with this system. Please contact your software vendor for a compatible version

of the driver.

Error - Sunday 5:43:10 AM | Computer Name = Owner-PC | Source = Service Control Manager | ID = 7030

Description = The PEVSystemStart service is marked as an interactive service. However,

the system is configured to not allow interactive services. This service may not

function properly.

Error - Sunday 5:58:58 AM | Computer Name = Owner-PC | Source = Service Control Manager | ID = 7030

Description = The PEVSystemStart service is marked as an interactive service. However,

the system is configured to not allow interactive services. This service may not

function properly.

Error - Sunday 6:00:13 AM | Computer Name = Owner-PC | Source = Service Control Manager | ID = 7030

Description = The PEVSystemStart service is marked as an interactive service. However,

the system is configured to not allow interactive services. This service may not

function properly.

Error - Sunday 6:00:17 AM | Computer Name = Owner-PC | Source = Service Control Manager | ID = 7030

Description = The PEVSystemStart service is marked as an interactive service. However,

the system is configured to not allow interactive services. This service may not

function properly.

Error - Sunday 6:05:50 AM | Computer Name = Owner-PC | Source = EventLog | ID = 6008

Description = The previous system shutdown at 8:04:48 PM on ?4/?14/?2013 was unexpected.

Error - Sunday 6:12:23 AM | Computer Name = Owner-PC | Source = Service Control Manager | ID = 7030

Description = The PEVSystemStart service is marked as an interactive service. However,

the system is configured to not allow interactive services. This service may not

function properly.

Error - Sunday 6:13:51 AM | Computer Name = Owner-PC | Source = Service Control Manager | ID = 7030

Description = The PEVSystemStart service is marked as an interactive service. However,

the system is configured to not allow interactive services. This service may not

function properly.

< End of report >


Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    O4:64bit: - HKLM..\Run: [csubdx] "C:\Windows\System32\rundll32.exe" "C:\Users\Owner\AppData\Roaming\csubdx.dll",Number_Int File not found
    O4:64bit: - HKLM..\Run: [zckqe] "C:\Windows\System32\rundll32.exe" "C:\Users\Owner\AppData\Roaming\zckqe.dll",vCleanup File not found
    IE - HKU\S-1-5-21-2586863577-133460293-3042322573-1000\..\SearchScopes\{A756AA1A-A190-4047-938D-0D895501B47A}: "URL" = http://search.chatzu...?q={searchTerms}
    :files
    ipconfig /flushdns /c
    :Commands
    [emptytemp]
    [clearallrestorepoints]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Please post the OTL fix log in your next reply.

Note: A copy of an OTL fix log is saved in a text file at C:\_OTL\MovedFiles

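The OTL fix above targets two things: HKLM Run values that launch rundll32.exe with a DLL under the user's AppData\Roaming (the DLLs were already gone, so OTL reports "File not found", but the autorun values themselves survived the antivirus quarantine), and an Internet Explorer SearchScope pointing at a third-party search URL. The following is an added example, not code from the thread or from OTL, that audits the same two locations with PowerShell so the finding can be confirmed on a live system before and after a fix. The list of user-writable directories and the rundll32 command-line regex are assumptions made for this example; run it in an elevated PowerShell on the affected machine.

```powershell
# Added example (not part of the original thread or of OTL): read-only audit of
# the persistence mechanisms the OTL fix removed. Nothing is deleted here.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',              # native 64-bit view (OTL "O4:64bit")
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',  # 32-bit view
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Assumption for this example: locations a standard user can write to. A Run
# value that makes rundll32 load a DLL from here is the pattern seen above
# (csubdx.dll / zckqe.dll in AppData\Roaming).
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC, "$env:SystemDrive\ProgramData")

function Get-SuspiciousRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # PSPath/PSParentPath/... metadata, not values
            $cmd = [string]$p.Value
            if ($cmd -notmatch 'rundll32') { continue }

            # rundll32.exe "<dll>",<export>  ->  pull the DLL path out of the command line.
            # The regex is an assumption that covers quoted and unquoted forms.
            $m = [regex]::Match($cmd, 'rundll32(?:\.exe)?"?\s+"?([^",]+)', 'IgnoreCase')
            if (-not $m.Success) { continue }
            $dll = [System.Environment]::ExpandEnvironmentVariables($m.Groups[1].Value.Trim())

            $inUserDir = $false
            foreach ($dir in $userWritable) {
                if ($dir -and $dll.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) { $inUserDir = $true }
            }

            [pscustomobject]@{
                Key                  = $key
                Name                 = $p.Name
                Command              = $cmd
                Dll                  = $dll
                DllExists            = Test-Path -LiteralPath $dll    # $false == OTL's "File not found"
                UserWritableLocation = $inUserDir
            }
        }
    }
}

function Get-IESearchScopes {
    # Per-user IE search providers; the fix deleted one scope GUID under this key.
    $scopeRoot = 'HKCU:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes'
    if (-not (Test-Path -Path $scopeRoot)) { return }
    $default = (Get-ItemProperty -Path $scopeRoot).DefaultScope
    Get-ChildItem -Path $scopeRoot | ForEach-Object {
        $scope = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Scope     = $_.PSChildName
            IsDefault = ($_.PSChildName -eq $default)
            Name      = $scope.DisplayName
            Url       = $scope.URL
        }
    }
}

Get-SuspiciousRunEntries | Format-List
Get-IESearchScopes     | Format-Table -AutoSize
```

An entry with UserWritableLocation set to True and DllExists set to False is exactly the state OTL reported: the payload was quarantined but the autorun that reloads it at every logon was left behind. To remove such a value by hand, use Remove-ItemProperty on the key and value name shown, then re-run the audit to confirm it is gone.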

All processes killed

========== OTL ==========

64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\csubdx deleted successfully.

64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\zckqe deleted successfully.

Registry key HKEY_USERS\S-1-5-21-2586863577-133460293-3042322573-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A756AA1A-A190-4047-938D-0D895501B47A}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A756AA1A-A190-4047-938D-0D895501B47A}\ not found.

========== FILES ==========

< ipconfig /flushdns /c >

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

C:\Users\Owner\Desktop\cmd.bat deleted successfully.

C:\Users\Owner\Desktop\cmd.txt deleted successfully.

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 56466 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: Desktop

->Temp folder emptied: 0 bytes

User: Owner

->Temp folder emptied: 312715 bytes

->Temporary Internet Files folder emptied: 9975326 bytes

->Java cache emptied: 1 bytes

->Flash cache emptied: 72892 bytes

User: Public

->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32 (64bit) .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 27802 bytes

%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50333 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 10.00 mb

Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.69.0 log created on 04152013_155853

Files\Folders moved on Reboot...

C:\Users\Owner\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

File\Folder C:\Users\Owner\AppData\Local\Temp\~DFEE73CD29DD7BEB5A.TMP not found!

File\Folder C:\Users\Owner\AppData\Local\Temp\~DFF7EB93F29F157645.TMP not found!

C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...


Glad that we could help.

Safer practices & malware prevention

Glad that we could help. I am marking this as closed.
