Cranfield Posted December 22, 2013 Author ID:767953 Share Posted December 22, 2013 ComboFix 13-12-21.01 - HP_Owner 22/12/2013 22:53:11.2.1 - x86Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3006.2281 [GMT 0:00]Running from: c:\documents and settings\HP_Owner\My Documents\Downloads\Programs\ComboFix.exeAV: avast! Internet Security *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}FW: avast! Internet Security *Disabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}..((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))..c:\documents and settings\HP_Owner\Application Data\HPSU_48BitScanUpdate.logc:\documents and settings\HP_Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferencesc:\windows\SwSys1.bmpc:\windows\SwSys2.bmpc:\windows\wininit.ini..((((((((((((((((((((((((( Files Created from 2013-11-22 to 2013-12-22 )))))))))))))))))))))))))))))))..2013-12-22 22:41 . 2013-12-22 22:48 -------- d-----w- C:\32788R22FWJFW2013-12-17 18:28 . 2013-12-17 19:07 -------- d-----w- C:\FRST2013-12-17 16:37 . 2013-12-17 16:37 -------- d-----w- c:\program files\ESET2013-12-17 16:01 . 2013-12-19 14:55 -------- d-----w- C:\AdwCleaner2013-12-17 12:57 . 2013-12-17 12:57 -------- d-----w- c:\windows\ERUNT2013-12-17 11:58 . 2013-12-17 11:58 -------- d-----w- c:\windows\34949BB008BB4407882F164EB49E335B.TMP2013-12-17 10:57 . 2013-12-17 11:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)2013-12-17 10:56 . 2013-12-17 10:56 51416 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys2013-12-12 22:47 . 2013-12-17 12:02 -------- d-----w- c:\program files\Enigma Software Group2013-12-12 22:16 . 2013-12-12 22:17 -------- d-----w- c:\windows\CD27142034CF47DC80B7C409B6CD0DD8.TMP2013-11-30 21:17 . 2013-12-19 22:28 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\Spotify2013-11-30 21:16 . 2013-12-20 23:45 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Spotify...(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2013-12-18 17:39 . 2013-07-13 13:14 410528 ----a-w- c:\windows\system32\drivers\aswsp.sys2013-12-18 17:39 . 2013-07-13 13:13 57672 ----a-w- c:\windows\system32\drivers\aswTdi.sys2013-12-18 17:39 . 2013-07-13 13:13 775952 ----a-w- c:\windows\system32\drivers\aswSnx.sys2013-12-18 17:39 . 2013-07-13 13:13 180248 ----a-w- c:\windows\system32\drivers\aswVmm.sys2013-12-18 17:39 . 2013-07-13 13:13 67824 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys2013-12-18 17:39 . 2013-07-13 13:13 54832 ----a-w- c:\windows\system32\drivers\aswRdr.sys2013-12-18 17:39 . 2013-07-13 13:13 270240 ----a-w- c:\windows\system32\aswBoot.exe2013-12-18 17:39 . 2013-07-13 13:11 43152 ----a-w- c:\windows\avastSS.scr2013-12-18 17:39 . 2013-07-13 13:13 252336 ----a-w- c:\windows\system32\drivers\aswNdis2.sys2013-12-10 22:21 . 2012-10-11 18:38 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe2013-12-10 22:21 . 2012-10-11 18:38 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl2013-11-28 00:24 . 2010-12-23 19:00 121184 ----a-w- c:\windows\system32\drivers\idmtdi.sys2013-11-13 02:59 . 2004-08-04 11:00 150528 ----a-w- c:\windows\system32\imagehlp.dll2013-11-07 05:38 . 2004-08-04 11:00 591360 ----a-w- c:\windows\system32\rpcrt4.dll2013-11-06 01:03 . 2009-04-15 07:39 7168 ----a-w- c:\windows\system32\xpsp4res.dll2013-10-30 02:26 . 2004-08-04 11:00 1879040 ----a-w- c:\windows\system32\win32k.sys2013-10-29 07:57 . 2004-08-04 11:00 920064 ----a-w- c:\windows\system32\wininet.dll2013-10-29 07:57 . 2004-08-04 11:00 43520 ----a-w- c:\windows\system32\licmgr10.dll2013-10-29 07:57 . 2004-08-04 11:00 18944 ----a-w- c:\windows\system32\corpol.dll2013-10-29 07:57 . 2004-08-04 11:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl2013-10-29 00:45 . 2004-08-04 11:00 385024 ----a-w- c:\windows\system32\html.iec2013-10-23 23:45 . 2004-08-04 11:00 172032 ----a-w- c:\windows\system32\scrrun.dll2013-10-21 21:55 . 2013-07-13 13:13 49944 ----a-w- c:\windows\system32\drivers\aswRvrt.sys2013-10-21 21:55 . 2013-07-13 13:13 26136 ----a-w- c:\windows\system32\drivers\aswKbd.sys2013-10-14 17:41 . 2013-07-13 13:13 104752 ----a-w- c:\windows\system32\drivers\aswFW.sys2013-10-12 15:56 . 2004-08-04 11:00 278528 ----a-w- c:\windows\system32\oakley.dll2013-10-09 13:12 . 2004-08-04 11:00 287744 ----a-w- c:\windows\system32\gdi32.dll2013-10-08 06:50 . 2013-10-21 07:51 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll2013-10-08 06:29 . 2012-01-16 14:21 145408 ----a-w- c:\windows\system32\javacpl.cpl2013-10-07 10:59 . 2004-08-04 11:00 603136 ----a-w- c:\windows\system32\crypt32.dll..((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4.[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]"{CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F}"= "c:\program files\AVAST Software\Avast\aswWebRepIE.dll" [2013-12-18 1138536].[HKEY_CLASSES_ROOT\clsid\{cc1a175a-e45b-41ed-a30c-c9b1d7a0c02f}][HKEY_CLASSES_ROOT\TypeLib\{6B795924-95E7-4D31-8521-407360C3AA0B}].[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]@="{472083B0-C522-11CF-8763-00608CC02F24}"[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]2013-12-18 17:39 259464 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]2012-11-15 23:07 21904 ----a-w- c:\program files\Internet Download Manager\IDMShellExt.dll.[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-10 61440]"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2013-12-18 3764024].c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\MailWasherPro.lnk - c:\program files\FireTrust\MailWasher\MailWasherPro.exe -nosplash [2013-10-31 5759816].c:\documents and settings\Default User\Start Menu\Programs\Startup\Pin.lnk - c:\hp\bin\CLOAKER.EXE c:\hp\bin\PinToStart.bat [2006-4-29 27136].[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]"ConsentPromptBehaviorAdmin"= 0 (0x0)"ConsentPromptBehaviorUser"= 0 (0x0).[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin F5D8053 N Wireless USB Adapter Utility.lnk]path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Belkin F5D8053 N Wireless USB Adapter Utility.lnkbackup=c:\windows\pss\Belkin F5D8053 N Wireless USB Adapter Utility.lnkCommon Startup.[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnkbackup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup.[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MailWasherPro.lnk]path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MailWasherPro.lnkbackup=c:\windows\pss\MailWasherPro.lnkCommon Startup.[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^BBC iPlayer Desktop.lnk]path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\BBC iPlayer Desktop.lnkbackup=c:\windows\pss\BBC iPlayer Desktop.lnkStartup.[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\LimeWire On Startup.lnkbackup=c:\windows\pss\LimeWire On Startup.lnkStartup.[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^MailWasherPro.lnk]path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\MailWasherPro.lnkbackup=c:\windows\pss\MailWasherPro.lnkStartup.[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]c:\windows\system32\dumprep 0 -k [X].[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]c:\windows\system32\dumprep 0 -u [X].[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]2013-04-04 21:06 958576 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe.[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe.[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]2005-11-10 00:29 249856 ----a-w- c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe.[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]2005-02-02 16:44 61440 ----a-w- c:\hp\KBD\kbd.exe.[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]2007-05-17 21:45 279912 -c--a-w- c:\program files\Microsoft LifeCam\LifeExp.exe.[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Omnipage]2002-06-03 11:38 49152 ----a-w- c:\program files\ScanSoft\OmniPageSE\opware32.exe.[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]2010-04-12 08:40 180224 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE.[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]2013-01-08 12:59 18705664 ----a-r- c:\program files\Skype\Phone\Skype.exe.[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]2004-01-26 11:38 866816 -c--a-w- c:\program files\Thomson\SpeedTouch USB\dragdiag.exe.[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]2010-02-10 22:32 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe.[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]2013-07-02 08:16 254336 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe.[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]2013-08-27 15:57 248208 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe.[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX1000]2007-04-10 21:46 709992 ----a-w- c:\windows\vVX1000.exe.[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"="c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"="c:\\Program Files\\Messenger\\msmsgs.exe"="c:\\Program Files\\Veetle\\Player\\VeetleNet.exe"="c:\\Program Files\\FreeFileViewer\\FFVCheckForUpdates.exe"="c:\\Program Files\\HP\\Common\\HPDeviceDetection3.exe"="c:\\Program Files\\Skype\\Phone\\Skype.exe"="c:\\Documents and Settings\\HP_Owner\\Application Data\\Spotify\\spotify.exe"=.[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"3389:TCP"= 3389:TCP:Remote Desktop"65533:TCP"= 65533:TCP:Services"52344:TCP"= 52344:TCP:Services.R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [13/07/2013 13:11 12112]R0 aswNdis2;avast! Firewall NDIS Driver;c:\windows\system32\drivers\aswNdis2.sys [13/07/2013 13:13 252336]R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [13/07/2013 13:13 49944]R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [13/07/2013 13:13 180248]R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [02/05/2010 18:38 64288]R1 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys [13/07/2013 13:13 26136]R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [13/07/2013 13:13 775952]R1 aswSP;aswSP;c:\windows\system32\drivers\aswsp.sys [13/07/2013 13:14 410528]R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [23/12/2010 19:00 121184]R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [28/10/2009 08:31 101720]R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [13/07/2013 13:13 67824]R2 avast! Firewall;avast! Firewall;c:\program files\AVAST Software\Avast\afwServ.exe [13/07/2013 13:11 113704]R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [03/10/2012 21:48 418376]R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [07/01/2009 09:06 701512]R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [27/08/2013 15:57 93072]R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [07/01/2009 09:06 22856]S2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [09/10/2013 10:58 3275136]S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [08/01/2013 12:55 161536]S3 Aldebaran;Aldebaran - Storage Filter Drivers;\??\c:\windows\system32\Drivers\Aldebaran.sys --> c:\windows\system32\Drivers\Aldebaran.sys [?]S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [22/05/2009 15:15 36608]S3 w7lf_.sys;w7lf_.sys;\??\c:\windows\system32\drivers\w7lf_.sys --> c:\windows\system32\drivers\w7lf_.sys [?]S3 YapLoad;Y@pPhone;c:\windows\system32\drivers\YapLoad.Sys [08/07/2008 15:15 19656].[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]2013-12-05 13:57 1210320 ----a-w- c:\program files\Google\Chrome\Application\31.0.1650.63\Installer\chrmstp.exe.Contents of the 'Scheduled Tasks' folder.2013-12-22 c:\windows\Tasks\Adobe Flash Player Updater.job- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-10-11 22:21].2013-12-22 c:\windows\Tasks\avast! Emergency Update.job- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2013-07-13 17:39].2013-12-22 c:\windows\Tasks\FreeFileViewerUpdateChecker.job- c:\program files\FreeFileViewer\FFVCheckForUpdates.exe [2012-05-13 13:24].2013-12-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-17 22:40].2013-12-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-17 22:40]..------- Supplementary Scan -------.uInternet Settings,ProxyOverride = *.localIE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htmIE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htmTrusted Zone: microsoft.com\*.updateTrusted Zone: microsoft.com\wwwTrusted Zone: microsoft.com\www.updateTCP: DhcpNameServer = 192.168.2.1.- - - - ORPHANS REMOVED - - - -.MSConfigStartUp-APSDaemon - c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exeMSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exeMSConfigStartUp-SpyHunter Security Suite - c:\program files\Enigma Software Group\SpyHunter\SpyHunter4.exe...**************************************************************************.catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2013-12-22 23:02Windows 5.1.2600 Service Pack 3 NTFS.scanning hidden processes ... .scanning hidden autostart entries ... .scanning hidden files ... ..C:\avast! sandbox.scan completed successfullyhidden files: 1.**************************************************************************.--------------------- LOCKED REGISTRY KEYS ---------------------.[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]@Denied: (A 2) (Everyone)@="FlashBroker""LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe,-101".[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]"Enabled"=dword:00000001.[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe".[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}".[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]@Denied: (Full) (Everyone)"scansk"=hex(0):a3,d2,7f,04,5f,e5,cb,c8,1b,3a,b6,6f,be,c7,21,a4,1e,4f,c4,11,51, 88,0c,9a,fd,7b,b4,8b,d6,11,2b,24,c8,79,fc,92,34,d0,c1,52,00,00,00,00,00,00,\.[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{fab9a636-dacc-4cc9-bb60-322c2b2ee7de}]@Denied: (Full) (Everyone)"Model"=dword:000000c7"Therad"=dword:0000001e"MData"=hex(0):ee,92,e9,d3,ea,9e,d4,13,f2,18,2e,ed,42,10,ff,b7,25,e9,20,8b,c2, 56,b0,93,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\.[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]@Denied: (A 2) (Everyone)@="IFlashBroker5".[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]@="{00020424-0000-0000-C000-000000000046}".[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}""Version"="1.0".--------------------- DLLs Loaded Under Running Processes ---------------------.- - - - - - - > 'winlogon.exe'(1132)c:\windows\system32\Ati2evxx.dll.Completion time: 2013-12-22 23:05:34ComboFix-quarantined-files.txt 2013-12-22 23:05ComboFix2.txt 2013-12-14 14:06.Pre-Run: 100,597,182,464 bytes freePost-Run: 100,583,985,152 bytes free.WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe[boot loader]timeout=2default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS[operating systems]c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdconsUnsupportedDebug="do not select this" /debugmulti(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect.- - End Of File - - BE390B82CFE937C1143F932D19F730F4D11C727E03BB7318DCDA069B06E652F0 Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted December 23, 2013 Root Admin ID:768034 Share Posted December 23, 2013 Please click on START - RUN and type in CMD.EXE and click OK Then type the following and press the Enter key. You should get a success message. It is 3 words with a space between each. SC DELETE w7lf_.sys Then open MBAM and go to the Protection tab and uncheck the "Start protection module with Windows" Then restart the computer. Temporarily disable your avast antivirus. Then run TFC again, this time it should run without an issue Then restart the computer again and let me know what issues you're still having or seeing. Link to post Share on other sites More sharing options...
Cranfield Posted December 23, 2013 Author ID:768242 Share Posted December 23, 2013 Is that SC (space) DELETE (space)_ .sys ? Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted December 23, 2013 Root Admin ID:768250 Share Posted December 23, 2013 Yes Link to post Share on other sites More sharing options...
Cranfield Posted December 26, 2013 Author ID:768981 Share Posted December 26, 2013 "Please click on START - RUN and type in CMD.EXE and click OKThen type the following and press the Enter key. You should get a success message.It is 3 words with a space between each.SC DELETE w7lf_.sys " Following this I got the message, " The specified service does not exist as an installed service". Link to post Share on other sites More sharing options...
Cranfield Posted December 26, 2013 Author ID:768983 Share Posted December 26, 2013 I will continue with the rest of your suggestion. Link to post Share on other sites More sharing options...
Cranfield Posted December 26, 2013 Author ID:768992 Share Posted December 26, 2013 I have completed the exercise, TFC ran OK and all appears to be normal. Thank you once again for you skillful and patient assistance, it was very much appreciated by a non techie like myself. Have a Happy New Year. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted December 26, 2013 Root Admin ID:769156 Share Posted December 26, 2013 Thank you, Happy Holidays to you as well. Please run MBAM and check for updates. Then do a Quick Scan and post back the new log. Next, Please download Security Check by screen317 from HERE or HERE.Save it to your Desktop. Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box. If you get Unsupported operating system. Aborting now, just reboot and try again. A Notepad document should open automatically called checkup.txt. Please Post the contents of that document. Do Not Attach It!!! Link to post Share on other sites More sharing options...
Cranfield Posted December 27, 2013 Author ID:769356 Share Posted December 27, 2013 Security Check log. Results of screen317's Security Check version 0.99.77 Windows XP Service Pack 3 x86 Internet Explorer 8 ``````````````Antivirus/Firewall Check:`````````````` Windows Firewall Enabled! avast! Internet Security ESET Online Scanner v3 `````````Anti-malware/Other Utilities Check:````````` Spybot - Search & Destroy Malwarebytes Anti-Malware version 1.75.0.1300 CCleaner Java 6 Update 22 Java 7 Update 45 Adobe Flash Player 11.9.900.170 Adobe Reader XI Google Chrome 31.0.1650.57 Google Chrome 31.0.1650.63 ````````Process Check: objlist.exe by Laurent```````` Malwarebytes Anti-Malware mbamservice.exe Malwarebytes Anti-Malware mbamgui.exe Malwarebytes' Anti-Malware mbamscheduler.exe AVAST Software Avast AvastSvc.exe AVAST Software Avast afwServ.exe AVAST Software Avast AvastUI.exe `````````````````System Health check````````````````` Total Fragmentation on Drive C:: 24% Defragment your hard drive soon! (Do NOT defrag if SSD!)````````````````````End of Log`````````````````````` MBAM Quick Scan Log. Malwarebytes Anti-Malware (PRO) 1.75.0.1300www.malwarebytes.org Database version: v2013.12.24.05 Windows XP Service Pack 3 x86 NTFSInternet Explorer 8.0.6001.18702HP_Owner :: YOUR-C94F920E24 [administrator] Protection: Enabled 27/12/2013 11:09:20mbam-log-2013-12-27 (11-09-20).txt Scan type: Quick scanScan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUMScan options disabled: P2PObjects scanned: 234848Time elapsed: 16 minute(s), 2 second(s) Memory Processes Detected: 0(No malicious items detected) Memory Modules Detected: 0(No malicious items detected) Registry Keys Detected: 0(No malicious items detected) Registry Values Detected: 0(No malicious items detected) Registry Data Items Detected: 0(No malicious items detected) Folders Detected: 0(No malicious items detected) Files Detected: 0(No malicious items detected) (end) Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted December 27, 2013 Root Admin ID:769465 Share Posted December 27, 2013 Please uninstall ALL versions of Java from your Control Panel, Add/Remove Then restart the computer and run the following. Please download JavaRa-1.16 and save it to your computer.Double click to open the zip file and then select all and choose Copy. Create a new folder on your Desktop named RemoveJava and paste the files into this new folder. Quit all browsers and other running applications. Right-click on JavaRa.exe in RemoveJava folder and choose Run as administrator to start the program. From the drop-down menu, choose English and click on Select. JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer. Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK. A logfile will pop up. Please save it to a convenient location and post it in your next reply. Then restart the computer again and let me know the following. How is the computer running now?Are there still any signs of an infection? Thanks Link to post Share on other sites More sharing options...
Cranfield Posted December 27, 2013 Author ID:769612 Share Posted December 27, 2013 JavaRa 1.16 Removal Log. Report follows after line. ------------------------------------ The JavaRa removal process was started on Fri Dec 27 22:53:33 2013 Found and removed: C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\jre1.6.0_15 Found and removed: C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\jre1.6.0_20 Found and removed: C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\jre1.6.0_21 Found and removed: C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\jre1.7.0_06 Found and removed: C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\jre1.7.0_10 Found and removed: C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\jre1.7.0_17 Found and removed: C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\jre1.7.0_21 Found and removed: Applications\java.exe Found and removed: Applications\javaw.exe Found and removed: JavaPlugin.FamilyVersionSupport Found and removed: CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA} Found and removed: CLSID\{CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA} Found and removed: CLSID\{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA} Found and removed: Software\Classes\JavaPlugin.160_22 Found and removed: Software\JavaSoft\Java Update Found and removed: Software\JavaSoft\Java Runtime Environment\1.5.0_05 Found and removed: Software\JavaSoft\Java2D\1.5.0_05 Found and removed: SOFTWARE\Classes\JavaPlugin.150_05 Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBB} Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} Found and removed: SOFTWARE\Classes\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA} Found and removed: SOFTWARE\Classes\MIME\Database\Content Type\application/java-deployment-toolkit Found and removed: SOFTWARE\Classes\JavaWebStart.isInstalled.1.7.0.0 Found and removed: SOFTWARE\Microsoft\Internet Explorer\Low Rights Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects Found and removed: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs Found and removed: SOFTWARE\JavaSoft Found and removed: SOFTWARE\JreMetrics Found and removed: SOFTWARE\MozillaPlugins JavaRa 1.16 Removal Log. Report follows after line. ------------------------------------ The JavaRa removal process was started on Fri Dec 27 22:54:09 2013 ------------------------------------ Finished reporting. Link to post Share on other sites More sharing options...
Cranfield Posted December 27, 2013 Author ID:769615 Share Posted December 27, 2013 The PC is running well, with no signs of any infections that I can tell. Do I reinstall Java, or not ? Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted December 28, 2013 Root Admin ID:769646 Share Posted December 28, 2013 If you can do without Java that wold be the best. Very few websites actually require Java. If an site prompts you to install Java then double check with other resources or come back here and ask us and we'll check on it for you. Some sites want you to install Java as it can be an easier route to try to infect your computer. There are certainly legit valid sites that do run Java and require it but not all that many. At this time there are no more signs of an infection on your system.However if you are still seeing any signs of an infection please let me know.Let's go ahead and remove the tools and logs we've used during this process.Most of the tools used are potentially dangerous to use unsupervised or if ran at the wrong time.They are often updated daily so if you went to use them again in the future they would be outdated anyways.The following procedures will implement some cleanup procedures to remove these tools.It will also reset your System Restore by flushing out previous restore points and create a new restore point.It will also remove all the backups our tools may have created.Uninstall ComboFix (if used):Turn off all active protection software including your antivirus. Push the "Windows key" + "R" (between the "Ctrl" button and "Alt" Button) Please copy and past the following into the box ComboFix /Uninstall and click OK. Note the space between the X and the /Uninstall, it needs to be there. Remove the rest of the tools used: Please download OTCleanIt and save it to your Desktop. This tool will remove all the tools we used to clean your pc.Double-click OTCleanIt.exe. Click the CleanUp! button. Select Yes when the "Begin cleanup Process?" prompt appears. If you are prompted to Reboot during the cleanup, select Yes. The tool will delete itself once it finishes, if not go ahead and delete it by yourself. If asked to restart the computer, please do soNote: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.AdwCleaner Removal:Double click on AdwCleaner.exe to run the tool. Click on Uninstall Confirm with YesESET antivirus Removal:This tool can be uninstalled via the Control Panel, Programs, Uninstall If there are any other left over Folders, Files, Logs then you can delete them on your own. Please visit the following link to see how to delete old System Restore Points. Please delete all of them and create a new one at this time.How to Delete System Protection Restore Points in Windows 7 and Windows 8Remove all but the most recent Restore Point on Windows XPAs Java seems to get exploited on a regular basis I advise not using Java if possible but to at least disable java in your web browsersHow do I disable Java in my web browser? - Disable JavaA lot of reading here but if you take the time to read a bit of it you'll see why/how infections and general damage are so easily inflicted on the computer. There is also advice on how to prevent it and keep the system working well. Don't forget about good, solid backups of your data to an external drive that is not connected except when backing up your data. If you leave a backup drive connected and you do get infected it can easily damage, encrypt, delete, or corrupt your backups as well and then you'd lose all data.Nothing is 100% bulletproof but with a little bit of education you can certainly swing things in your favor.How Malware Spreads - How did I get infected Best Practices for Safe Computing - Prevention of Malware Infection Avoiding those unwanted free applications A close look at how Oracle installs deceptive software with Java updates IAC / Ask.com toolbars Malwarebytes Unpacked BlogIf you're not currently using Malwarebytes PRO then you may want to consider purchasing the product which can also help greatly reduce the risk of a future infection. Link to post Share on other sites More sharing options...
Cranfield Posted December 28, 2013 Author ID:769967 Share Posted December 28, 2013 The clean up has been completed as per your guidance and I have read the notes.I have had Malwarebytes Pro installed for quite a few years and thats what led me to this Forum when I had the problem. Once again, thanks for all your help, very much appreciated. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted December 28, 2013 Root Admin ID:770113 Share Posted December 28, 2013 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts