Found splitter.ax Haali media splitter in addition to

[ramy604]

Newbie here, hey guys Here on a home network of now 2 computer, was 3 till either had virus or gave out not sure,  a while back started having trouble with computer, use MBAM, and MS essential, notice that I havent been finding any virsus, so one it started running real slow so I did the normal scans, full scans, and same result, also done a clean & reinstall of MBAM, found MS fixit ran all, blocks, but where I would do the application approval, not as recommanded. I noticed that when I did the Internet Explorer Tab, there were like maybe around 50 Browsers as add on, then on the tab IE performance which is affecting my internet performance, then went to the codec section, there also found like maybe 30 different items, dont know from where, maybe from previous owner of computer.  Months went by no problem then just last week computer started running weird, so running adware, found and remove some, superantispyware  found some and remove, Norman malware cleaner found some and remove it found a oem wanted me to remove but wasnt sure on it so i left it alone, ran bitdefender to do cleaning but now its in on as a online scanner i think,

If running as a administrater and standard and guess (which is off) users, when running updates scan not sure if all are getting the updates.

Went looking and on programs, could not find any of the add on or codec items, I need help.

[Maniac]

Hello ramy604 and ! My name is Borislav and I will be glad to help you solve your malware problem.

Please note:

• If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
• I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
• Make sure you read all of the instructions and fixes thoroughly before continuing with them.
• Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
• Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
• Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.

I would like to point out something important: We work only on one computer. For any other computer need to create a new thread.

Please follow the instructions here and then post the log files in your next reply.

http://forums.malwarebytes.org/index.php?showtopic=9573

[ramy604]

sure thing here is the info needed, and yea its only on one computer i am concern with, and its this one.

 

I notice on the report generated, dont conside of the the stuff i mention eariler, (1) buts i did little more digging and found the haali splitter in one of the folders mr fixit did recommand not to start it, due to crashing system. (2) Other question is you know how you have the shield of protection on the adminisrtators screen how come it dont come up on a standard user,

 

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16496  BrowserJavaVersion: 10.25.2
Run by End-User at 15:20:37 on 2013-08-01
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.2974.1245 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\COMODO\Time Machine\CtmService.exe
C:\Windows\system32\PnkBstrA.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\COMODO\Time Machine\CTM.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - c:\program files\windows live\companion\companioncore.dll
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [COMODO_TimeMachine] "c:\program files\comodo\time machine\CTM.exe" /showtray
mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-001025-0002-0025-ABCDEFFEDCBC} - <orphaned>
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.






TCP: NameServer = 192.168.1.1
TCP: Interfaces\{9B86FE77-E95A-41BA-AC65-1095EF26B625} : DHCPNameServer = 192.168.1.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\28.0.1500.95\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-6-18 211560]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2013-5-23 119056]
R2 CtmService;COMODO Time Machine BETA Service;c:\program files\comodo\time machine\CtmService.exe [2010-9-6 280888]
R2 cvhsvc;Client Virtualization Handler;c:\program files\common files\microsoft shared\virtualization handler\CVHSVC.EXE [2012-1-4 822624]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 107392]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2013-7-3 1228504]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2013-7-3 660184]
R2 sftlist;Application Virtualization Client;c:\program files\microsoft application virtualization client\sftlist.exe [2011-10-1 508776]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-8-1 40776]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2013-6-20 295376]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf_x86.sys [2013-7-3 16024]
R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfslh.sys [2011-10-1 579944]
R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplaylh.sys [2011-10-1 194408]
R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirlh.sys [2011-10-1 21864]
R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvollh.sys [2011-10-1 19304]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\microsoft application virtualization client\sftvsa.exe [2011-10-1 219496]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2011-4-20 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2011-6-13 267568]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2011-4-17 322664]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-4-18 754856]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2013-08-01 20:15:37 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2013-08-01 18:53:11 7143960 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{9ad82287-c506-4676-99a6-79ac163db7d8}\mpengine.dll
2013-08-01 18:12:27 7143960 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-07-31 18:31:48 -------- d-sh--w- C:\$RECYCLE.BIN
2013-07-31 16:08:34 -------- d-----w- c:\windows\pss
2013-07-30 16:27:28 690 ----a-w- c:\windows\DeleteOnReboot.bat
2013-07-30 14:05:36 -------- d-----w- c:\users\end-user\appdata\roaming\QuickScan
2013-07-28 17:13:33 -------- d-----w- c:\users\end-user\appdata\local\Norman Malware Cleaner
2013-07-24 02:37:44 -------- d-----w- c:\windows\system32\Hotspot Shield
2013-07-23 15:15:23 -------- d-----w- c:\users\end-user\.gimp-2.8
2013-07-23 15:15:22 -------- d-----w- c:\users\end-user\appdata\local\gegl-0.2
2013-07-21 20:44:41 -------- d-----w- c:\program files\GIMP 2
2013-07-21 18:13:52 -------- d-----w- c:\users\end-user\appdata\local\Secunia PSI
2013-07-21 18:13:11 -------- d-----w- c:\program files\Secunia
2013-07-21 02:28:34 -------- d-----w- c:\users\end-user\appdata\roaming\SUPERAntiSpyware.com
2013-07-21 01:37:25 -------- d-----w- c:\program files\SUPERAntiSpyware
2013-07-20 19:59:27 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-07-17 17:44:17 698504 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{e4d5d9d4-8039-4c88-be4f-6bd3041d73b6}\gapaengine.dll
2013-07-12 23:54:34 -------- d-----w- c:\users\end-user\appdata\roaming\HpUpdate
2013-07-12 23:54:22 -------- d-----w- c:\windows\Hewlett-Packard
2013-07-10 19:48:10 -------- d-----w- c:\program files\CCleaner
2013-07-09 19:58:12 -------- d-----w- c:\windows\system32\MRT
2013-07-09 17:43:05 798208 ----a-w- c:\windows\system32\FntCache.dll
2013-07-09 17:43:05 1069056 ----a-w- c:\windows\system32\DWrite.dll
2013-07-09 17:43:03 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2013-07-09 17:43:03 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2013-07-09 17:43:03 189952 ----a-w- c:\windows\system32\d3d10core.dll
2013-07-09 17:43:01 683008 ----a-w- c:\windows\system32\d2d1.dll
2013-07-09 17:43:01 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2013-07-09 17:43:01 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2013-07-09 17:43:01 1029120 ----a-w- c:\windows\system32\d3d10.dll
2013-07-09 17:42:57 505344 ----a-w- c:\windows\system32\qedit.dll
2013-07-09 17:41:42 2049024 ----a-w- c:\windows\system32\win32k.sys
2013-07-09 17:41:36 1548288 ----a-w- c:\windows\system32\WMVDECOD.DLL
2013-07-09 17:36:41 936960 ----a-w- c:\program files\common files\microsoft shared\ink\journal.dll
2013-07-09 17:36:40 983552 ----a-w- c:\program files\windows journal\JNTFiltr.dll
2013-07-09 17:36:40 964608 ----a-w- c:\program files\windows journal\JNWDRV.dll
2013-07-09 17:36:40 1218048 ----a-w- c:\program files\windows journal\NBDoc.DLL
2013-07-03 18:16:26 -------- d-----w- c:\users\end-user\appdata\roaming\Malwarebytes
2013-07-03 18:16:01 -------- d-----w- c:\programdata\Malwarebytes
2013-07-03 18:15:57 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-07-03 18:15:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-07-03 08:32:42 16024 ----a-w- c:\windows\system32\drivers\psi_mf_x86.sys
.
==================== Find3M  ====================
.
2013-07-14 21:31:13 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-07-14 21:31:12 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-25 19:55:32 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-06-25 19:55:27 867240 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-06-25 19:55:27 789416 ----a-w- c:\windows\system32\deployJava1.dll
2013-06-19 02:50:08 211560 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2013-06-19 02:50:08 107392 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2013-05-29 01:50:14 1800704 ----a-w- c:\windows\system32\jscript9.dll
2013-05-29 01:41:52 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2013-05-29 01:41:08 1129472 ----a-w- c:\windows\system32\wininet.dll
2013-05-29 01:37:15 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2013-05-29 01:36:09 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-05-29 01:33:22 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-05-08 03:40:36 914792 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-05-08 01:58:22 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
.
=================== ROOTKIT  ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS hal.dll PCIIDEX.SYS msahci.sys
1 ntkrnlpa!IofCallDriver[0x82862916] -> \Device\Harddisk0\DR0[0x86267AC8]
3 CLASSPNP[0x8ADC88B3] -> ntkrnlpa!IofCallDriver[0x82862916] -> \Device\Ide\IdeDeviceP0T0L0-0[0x86087390]
kernel: MBR read successfully
_asm { CLI ; JMP 0xef;  }
user != kernel MBR !!!
copy of MBR has been found in sector 22 !
copy of MBR has been found in sector 23 !
.
============= FINISH: 15:22:36.98 ===============
 

having trouble with the attachment unless i just send like previous page

[Maniac]

If you couldn't post it, please attach it.

[AdvancedSetup]

Are you still with us?

[AdvancedSetup]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!