Need help removing Tojan.fakeAlert

[MrCharlie]

Using ComboFix......

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt, place it next to ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot, (in case it asks to reboot)......

Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.

MrC

[mattbizly]

Hi MrC,

 

Here's that log. It didn't ask to reboot when it was finished, if that makes any difference to you.

 

 

ComboFix 14-01-13.01 - Matt Billington 14/01/2014  15:14:06.2.2 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.44.1033.18.2934.1365 [GMT 0:00]
Running from: c:\users\Matt Billington\Desktop\ComboFix.exe
Command switches used :: c:\users\Matt Billington\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\system32\drivers\deckowbr.sys"
"c:\windows\system32\drivers\orwkijbh.sys"
.
.
(((((((((((((((((((((((((   Files Created from 2013-12-14 to 2014-01-14  )))))))))))))))))))))))))))))))
.
.
2067-05-27 13:16 . 2012-07-10 18:40    1249280    ----a-w-    c:\program files (x86)\Microsoft Games\Impossible Creatures\InsectMod.dll
2067-05-21 20:35 . 2003-06-05 15:40    106496    ----a-w-    c:\program files (x86)\Microsoft Games\Impossible Creatures\Filesystem.dll
2014-01-14 15:23 . 2014-01-14 15:23    --------    d-----w-    c:\users\hedev\AppData\Local\temp
2014-01-14 15:23 . 2014-01-14 15:23    --------    d-----w-    c:\users\Default\AppData\Local\temp
2014-01-14 03:22 . 2014-01-14 03:22    75888    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{A8467DD1-EBAD-4B07-A750-DA32F3B9449A}\offreg.dll
2014-01-14 01:49 . 2013-12-16 01:54    10315576    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{A8467DD1-EBAD-4B07-A750-DA32F3B9449A}\mpengine.dll
2014-01-13 19:51 . 2014-01-13 20:11    --------    d-----w-    C:\AdwCleaner
2014-01-13 19:08 . 2014-01-13 19:08    44032    ----a-w-    c:\windows\system32\drivers\npfs.sys.bak
2014-01-11 00:53 . 2014-01-11 00:53    422216    ----a-w-    c:\windows\system32\drivers\deckowbr.sys
2014-01-11 00:52 . 2014-01-11 00:52    422216    ----a-w-    c:\windows\system32\drivers\orwkijbh.sys
2014-01-11 00:43 . 2014-01-13 20:13    --------    d-----w-    c:\programdata\AVAST Software
2014-01-03 13:32 . 2014-01-03 13:32    --------    d-----w-    c:\programdata\Firefly Studios
2014-01-03 13:30 . 2014-01-03 13:30    --------    d-----w-    c:\program files (x86)\Firefly Studios
2013-12-28 18:01 . 2013-12-28 18:01    --------    d-----w-    C:\GOG Games
2013-12-28 16:51 . 2013-12-28 16:51    --------    d-----w-    c:\users\Matt Billington\AppData\Local\Geckofx
2013-12-28 16:51 . 2013-12-28 16:51    --------    d-----w-    c:\users\Matt Billington\AppData\Roaming\Firefly Studios
2013-12-27 10:41 . 2013-10-14 18:00    28368    ----a-w-    c:\windows\system32\IEUDINIT.EXE
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-12-12 15:35 . 2012-01-05 18:46    466456    ----a-w-    c:\windows\system32\wrap_oal.dll
2013-12-12 15:35 . 2012-01-05 18:46    444952    ----a-w-    c:\windows\SysWow64\wrap_oal.dll
2013-12-12 15:35 . 2012-01-05 18:46    122904    ----a-w-    c:\windows\system32\OpenAL32.dll
2013-12-12 15:35 . 2012-01-05 18:46    109080    ----a-w-    c:\windows\SysWow64\OpenAL32.dll
2013-12-11 00:11 . 2012-12-21 11:18    692616    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2013-12-11 00:11 . 2011-06-08 09:30    71048    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-11-26 12:25 . 2010-11-12 17:45    267936    ------w-    c:\windows\system32\MpSigStub.exe
2013-11-23 18:26 . 2013-12-12 15:46    417792    ----a-w-    c:\windows\SysWow64\WMPhoto.dll
2013-11-23 17:47 . 2013-12-12 15:46    465920    ----a-w-    c:\windows\system32\WMPhoto.dll
2013-11-12 02:23 . 2013-12-12 15:46    2048    ----a-w-    c:\windows\system32\tzres.dll
2013-11-12 02:07 . 2013-12-12 15:46    2048    ----a-w-    c:\windows\SysWow64\tzres.dll
2013-11-03 04:11 . 2010-12-21 20:27    282104    ----a-w-    c:\windows\SysWow64\PnkBstrB.xtr
2013-11-03 04:11 . 2010-12-21 20:21    282104    ----a-w-    c:\windows\SysWow64\PnkBstrB.exe
2013-11-03 03:41 . 2010-12-21 20:21    76888    ----a-w-    c:\windows\SysWow64\PnkBstrA.exe
2013-11-03 03:41 . 2010-12-21 20:21    282104    ----a-w-    c:\windows\SysWow64\PnkBstrB.ex0
2013-10-30 02:32 . 2013-12-12 15:46    335360    ----a-w-    c:\windows\system32\msieftp.dll
2013-10-30 02:19 . 2013-12-12 15:46    301568    ----a-w-    c:\windows\SysWow64\msieftp.dll
2013-10-30 01:24 . 2013-12-12 15:46    3155968    ----a-w-    c:\windows\system32\win32k.sys
2013-10-19 02:18 . 2013-12-12 15:46    81408    ----a-w-    c:\windows\system32\imagehlp.dll
2013-10-19 01:36 . 2013-12-12 15:46    159232    ----a-w-    c:\windows\SysWow64\imagehlp.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{E1E069F7-03C0-4F9A-9150-362CE3DF0784}]
2014-01-06 16:50    438784    ----a-w-    c:\program files (x86)\MintCastNetworks\IE\MintCastScript.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPAdvisorDock"="c:\program files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe" [2010-02-10 1712184]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-05-19 2736128]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Spotify Web Helper"="c:\users\Matt Billington\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2013-08-06 1104384]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-04-13 284696]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]
"Easybits Recovery"="c:\program files (x86)\EasyBits For Kids\ezRecover.exe" [2010-06-02 61112]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-11-19 2598520]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2010-11-09 586296]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-09-13 59720]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2013-05-01 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-11-02 152392]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2013-04-04 532040]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)
.
[hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\igfxcui]
 [bU]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
.
R2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2012\AVGIDSAgent.exe;c:\program files (x86)\AVG\AVG2012\AVGIDSAgent.exe [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys;c:\windows\SYSNATIVE\drivers\EagleX64.sys [x]
R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys;c:\windows\SYSNATIVE\DRIVERS\ggflt.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys;c:\windows\SYSNATIVE\DRIVERS\netw5v64.sys [x]
R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys;c:\windows\SYSNATIVE\DRIVERS\point64.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys;c:\windows\SYSNATIVE\Drivers\RtsUStor.sys [x]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTCNXT6.SYS [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys;c:\windows\SYSNATIVE\DRIVERS\yk62x64.sys [x]
S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys;c:\windows\SYSNATIVE\DRIVERS\avgidsha.sys [x]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgrkx64.sys [x]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgldx64.sys [x]
S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgmfx64.sys [x]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys;c:\windows\SYSNATIVE\DRIVERS\avgtdia.sys [x]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [x]
S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe;c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [x]
S2 ezSharedSvc;Easybits Services for Windows;c:\windows\System32\ezSharedSvcHost.exe;c:\windows\SYSNATIVE\ezSharedSvcHost.exe [x]
S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [x]
S2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [x]
S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [x]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 MintCastHelper;MintCastHelper;c:\program files (x86)\MintCastNetworks\MintCastHelper.exe;c:\program files (x86)\MintCastNetworks\MintCastHelper.exe [x]
S2 PDF Architect Helper Service;PDF Architect Helper Service;c:\program files (x86)\PDF Architect\HelperService.exe;c:\program files (x86)\PDF Architect\HelperService.exe [x]
S2 PDF Architect Service;PDF Architect Service;c:\program files (x86)\PDF Architect\ConversionService.exe;c:\program files (x86)\PDF Architect\ConversionService.exe [x]
S2 RtVOsdService;RtVOsdService Installer;c:\program files\Realtek\RtVOsd\RtVOsdService.exe;c:\program files\Realtek\RtVOsd\RtVOsdService.exe [x]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [x]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [x]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys;c:\windows\SYSNATIVE\DRIVERS\avgidsdrivera.sys [x]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\avgidsfiltera.sys;c:\windows\SYSNATIVE\DRIVERS\avgidsfiltera.sys [x]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys;c:\windows\SYSNATIVE\DRIVERS\HECIx64.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-05-19 17:36    451872    ----a-w-    c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-01-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-12-21 00:11]
.
2014-01-11 c:\windows\Tasks\HPCeeScheduleForMatt Billington.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-13 21:15]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E1E069F7-03C0-4F9A-9150-362CE3DF0784}]
2014-01-06 16:50    426496    ----a-w-    c:\program files (x86)\MintCastNetworks\IE64\MintCastScript64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [bU]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2011-02-13 6486120]
"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-06-18 8192]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2010-07-21 2327952]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-07-28 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-07-28 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-07-28 415256]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NCPluginUpdater"="c:\program files (x86)\Hewlett-Packard\HP Health Check\ActiveCheck\product_line\NCPluginUpdater.exe" [2013-12-12 21720]
.
------- Supplementary Scan -------
.

uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - ProfilePath - c:\users\Matt Billington\AppData\Roaming\Mozilla\Firefox\Profiles\4w50g8uy.default\
FF - prefs.js: browser.search.selectedEngine - Search Term

.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24} - (no file)
AddRemove-BattlEye A2 Free - c:\program files (x86)\steam\steamapps\common\arma 2 freeBattlEye\UnInstallBE.exe
AddRemove-EasyBits Magic Desktop - c:\windows\system32\ezMDUninstall.exe
AddRemove-Shockwave - c:\windows\System32\Macromed\SHOCKW~2\UNWISE.EXE
AddRemove-{EE202411-2C26-49E8-9784-1BC1DBF7DE96} - c:\program files (x86)\InstallShield Installation Information\{EE202411-2C26-49E8-9784-1BC1DBF7DE96}\setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_170_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_170_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-01-14  15:27:05
ComboFix-quarantined-files.txt  2014-01-14 15:27
ComboFix2.txt  2014-01-14 01:44
.
Pre-Run: 62,181,773,312 bytes free
Post-Run: 64,550,653,952 bytes free
.
- - End Of File - - B514C77F6CF8301FB125ACDE277CB14E
 

[MrCharlie]

Please download SystemLook from the link below and save it to your Desktop.

http://jpshortstuff.247fixes.com/SystemLook_x64.exe

• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:

  :Filefinddeckowbr.sysorwkijbh.sys

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

MrC

[mattbizly]

SystemLook 30.07.11 by jpshortstuff
Log created at 15:44 on 14/01/2014 by Matt Billington
Administrator - Elevation successful

========== Filefind ==========

Searching for "deckowbr.sys"
C:\Windows\System32\drivers\deckowbr.sys    --a---- 422216 bytes    [00:53 11/01/2014]    [00:53 11/01/2014] 251360C2FCA22BAFE0583314B3262F98

Searching for "orwkijbh.sys"
C:\Windows\System32\drivers\orwkijbh.sys    --a---- 422216 bytes    [00:52 11/01/2014]    [00:52 11/01/2014] 251360C2FCA22BAFE0583314B3262F98

-= EOF =-

[MrCharlie]

Please download Farbar Recovery Scan Tool and save it to a folder. (use correct version for your system.....Which system am I using?)

Please make sure you click download buttons that look similar to this, not "sponsored ad links":

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
• The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

If the logs are large, you can attach them:

To attach a log:

Bottom right corner of this page.

New window that comes up.

MrC

[mattbizly]

Hi MrC,

 

Sorry for the slow reply, I had to go out for a couple of hours. I've attached the logs for FRST as they are both quite large.

 

Cheers

 

Matt

Addition.txt

FRST.txt

[MrCharlie]

Did you ever run that uninstaller for Avast??

MrC

[mattbizly]

No sorry, I never got round to doing that, I'll do that now and post a reply when that's done.

 

Matt

[MrCharlie]

Please run it then.......

Download the attached fixlist.txt to the same folder as FRST.

Run FRST.exe and click Fix only once and wait

The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

Then......

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a FULL Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how computer is running now, MrC

[mattbizly]

Hi MrC,

 

Here is the fixlog -

 

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 15-01-2014
Ran by Matt Billington at 2014-01-15 00:00:28 Run:1
Running from C:\Users\Matt Billington\Desktop\Farbar Recovery Scan Tool
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
DPF: HKLM-x32 {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} -  No File
C:\Users\Matt Billington\Desktop\avast_free_antivirus_setup.exe
C:\ProgramData\AVAST Software
C:\Windows\system32\Drivers\deckowbr.sys
C:\Windows\system32\Drivers\orwkijbh.sys
C:\ProgramData\AVAST Software
C:\Users\Matt Billington\Desktop\avast_free_antivirus_setup.exe
C:\Windows\system32\Drivers\deckowbr.sys.bak
C:\Windows\system32\Drivers\orwkijbh.sys.bak

*****************

HKLM\SOFTWARE\Wow6432Node\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} => Key deleted successfully.
HKCR\PROTOCOLS\Filter\text/xml => Key deleted successfully.
HKCR\CLSID\{807553E5-5146-11D5-A672-00B0D022E945} => Key not found.
C:\Users\Matt Billington\Desktop\avast_free_antivirus_setup.exe => Moved successfully.
C:\ProgramData\AVAST Software => Moved successfully.
C:\Windows\system32\Drivers\deckowbr.sys => Moved successfully.
C:\Windows\system32\Drivers\orwkijbh.sys => Moved successfully.
"C:\ProgramData\AVAST Software" => File/Directory not found.
"C:\Users\Matt Billington\Desktop\avast_free_antivirus_setup.exe" => File/Directory not found.
C:\Windows\system32\Drivers\deckowbr.sys.bak => Moved successfully.
C:\Windows\system32\Drivers\orwkijbh.sys.bak => Moved successfully.

==== End of Fixlog ====

 

 

Also running a full scan now, it'll probably take another 2 and a half hours, so I'll post around that time

 

cheers

 

Matt

[mattbizly]

The scan has been running for less than a minute and it's found 10 potential threats already; should I be concerned?

[MrCharlie]

Lets see what they are. MrC

[mattbizly]

Hi MrC,

 

Here's the log - a total of 74 threats .... I hope that isn't some kind of record!

 

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.01.14.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16476
Matt Billington :: MATTSMACHINE2 [administrator]

15/01/2014 00:05:21
MBAM-log-2014-01-15 (02-02-59)newest.txt

Scan type: Full scan (C:\|D:\|Q:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 614252
Time elapsed: 1 hour(s), 56 minute(s), 44 second(s)

Memory Processes Detected: 1
C:\Program Files (x86)\MintCastNetworks\MintCastHelper.exe (PUP.Optional.MintCast.A) -> 1972 -> No action taken.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 20
HKCR\CLSID\{E1E069F7-03C0-4F9A-9150-362CE3DF0784} (PUP.Optional.MintCast.A) -> No action taken.
HKCR\CLSID\{88A6B9C8-AC8A-4665-8BC7-4936763DCC4F} (PUP.Optional.MintCast.A) -> No action taken.
HKCR\TypeLib\{FD5D186C-7B14-4BC4-BDF3-378E83959B01} (PUP.Optional.MintCast.A) -> No action taken.
HKCR\Interface\{2CEC52F1-78A3-4B85-B3C3-32D2E3BF7599} (PUP.Optional.MintCast.A) -> No action taken.
HKCR\Mint Cast Networks.Tool.1 (PUP.Optional.MintCast.A) -> No action taken.
HKCR\Mint Cast Networks.Tool (PUP.Optional.MintCast.A) -> No action taken.
HKCR\Mint Cast Networks.ScriptHostObject.1 (PUP.Optional.MintCast.A) -> No action taken.
HKCR\Mint Cast Networks.ScriptHostObject (PUP.Optional.MintCast.A) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E1E069F7-03C0-4F9A-9150-362CE3DF0784} (PUP.Optional.MintCast.A) -> No action taken.
HKLM\SYSTEM\CurrentControlSet\Services\MintCastHelper (PUP.Optional.MintCast.A) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MintCastNetworks (PUP.Optional.MintCast.A) -> No action taken.
HKCR\TypeLib\{6AF63CE5-0C9D-4EBF-8A09-F5BBBC191FBD} (PUP.Optional.MintCast.A) -> No action taken.
HKCR\Interface\{9290D8AD-F765-4D89-8B34-92BE7C033AEF} (PUP.Optional.MintCast.A) -> No action taken.
HKCR\TypeLib\{2439FECB-D84C-4C66-AD1F-C8C180E4A5BC} (PUP.Optional.MintCast.A) -> No action taken.
HKCR\Interface\{2856A636-0BBA-4A08-BC82-37E64AA15429} (PUP.Optional.MintCast.A) -> No action taken.
HKCR\CLSID\{9B33B45E-FB8F-43E1-A538-45971701BFBB} (PUP.Optional.MintCast.A) -> No action taken.
HKCR\TypeLib\{E9260EB0-589D-422E-A659-AC641319BCA6} (PUP.Optional.MintCast.A) -> No action taken.
HKCR\Interface\{22AB7456-5415-4C61-A906-60F3AF71BC56} (PUP.Optional.MintCast.A) -> No action taken.
HKCR\axUtils.RegistryHelper.1 (PUP.Optional.MintCast.A) -> No action taken.
HKCR\axUtils.RegistryHelper (PUP.Optional.MintCast.A) -> No action taken.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 10
C:\Program Files (x86)\MintCastNetworks (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\IE (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\IE\img (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\IE\js (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\IE\lib (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\IE64 (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\IE64\img (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\IE64\js (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\IE64\lib (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\Utils (PUP.Optional.MintCast.A) -> No action taken.

Files Detected: 43
C:\Program Files (x86)\MintCastNetworks\IE\MintCastScript.dll (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\MintCastHelper.exe (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\uninstall.exe (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\IE\background.html (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\IE\config.xml (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\IE\jquery-1.9.1.min.js (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\IE\json2.min.js (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\IE\MintCastBackground.exe (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\IE\MintCastFramework.Typelib.dll (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\IE\options.htm (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\IE\updater.js (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\IE\updaterWrapper.js (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\IE\img\128x128default.png (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\IE\img\32x32default.ico (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\IE\img\32x32default.png (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\IE\js\bg.js (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\IE\js\content.js (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\IE\js\encryption.js (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\IE\js\resources.js (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\IE\js\utils.js (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\IE\lib\aes.js (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\IE64\background.html (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\IE64\config.xml (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\IE64\jquery-1.9.1.min.js (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\IE64\json2.min.js (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\IE64\MintCastBackground64.exe (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\IE64\MintCastFramework.Typelib64.dll (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\IE64\MintCastScript64.dll (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\IE64\options.htm (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\IE64\updater.js (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\IE64\updaterWrapper.js (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\IE64\img\128x128default.png (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\IE64\img\32x32default.ico (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\IE64\img\32x32default.png (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\IE64\js\bg.js (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\IE64\js\content.js (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\IE64\js\encryption.js (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\IE64\js\resources.js (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\IE64\js\utils.js (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\IE64\lib\aes.js (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\Utils\axUtils.dll (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\Utils\axUtilsx64.dll (PUP.Optional.MintCast.A) -> No action taken.
C:\Program Files (x86)\MintCastNetworks\Utils\npUtils.dll (PUP.Optional.MintCast.A) -> No action taken.

(end)
 

I haven't deleted them just yet, shall I go ahead and remove them?

 

Matt

[MrCharlie]

Yes, delete them all.

MrC

[mattbizly]

Okay, they've been removed (hopefully) and my laptop has been rebooted. It did reboot much quicker this time, I have to say. What do you need me to do next?

 

Matt

[mattbizly]

Hi MrC,

 

Just want to let you know I haven't done anything further since Malwarebytes removed that large group of PUPs in that last log. There have been no obvious problems with my laptop since then, but I have not done a scan yet. Shall I go ahead and do a full scan, or is there something else that you want me to do first?

 

Matt

[MrCharlie]

Just update and run a quick scan and if there's no other problems........

Lets check your computers security before you go and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• If you get Unsupported operating system. Aborting now, just reboot and try again.
• A Notepad document should open automatically called checkup.txt.
• Please Post the contents of that document.
• Do Not Attach It!!!

MrC

[mattbizly]

MrC

 

Here's the log from the quick scan, looks like we're all clear

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.01.14.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16476
Matt Billington :: MATTSMACHINE2 [administrator]

15/01/2014 14:29:39
mbam-log-2014-01-15 (14-29-39).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 221963
Time elapsed: 5 minute(s), 21 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 

 

Doing the security check now, will post when that's finished.

 

Matt

[mattbizly]

Here is the log from the security checker -

 

 

 Results of screen317's Security Check version 0.99.79  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
AVG Anti-Virus Free Edition 2012   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````
 Spybot - Search & Destroy
 Malwarebytes Anti-Malware version 1.75.0.1300  
 Java 7 Update 45  
 Java version out of Date!
 Adobe Flash Player 11.9.900.170  
 Adobe Reader 9 Adobe Reader out of Date!
 Mozilla Firefox (26.0)
````````Process Check: objlist.exe by Laurent````````  
 AVG avgwdsvc.exe
 AVG avgtray.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````
 

 

One thing I did want to mention, everytime I open and close my browser (Firefox) I see the little arrow icon that's used for the downloads window flash for a moment, the way it does when you have just started to download something. Is it worth just checking Firefox specifically, or will this go away after clean up?

 

Cheers

 

Matt

[MrCharlie]

I'm not familiar with Firefox, I suggest you ask that question here:
http://forums.whatthetech.com/index.php?showforum=123

-------------------------------------------

Out dated programs on the system are vulnerable to malware.
Please update or uninstall them:

~~~~~~~~~~~~~~~~~~~~~~~


Java 7 Update 45 <----please update, should be Update 51

Java version out of Date! <--------Go to control panel > Java > Update Tab > Update Now
Uncheck the box to install the Ask toolbar!!! and any other free "stuff".

If there's no update tab in Java, uninstall it and Download and install the latest version from Here
Uncheck the box to install the Ask toolbar!!! and any other free "stuff".

--------------------------------------------------


Adobe Reader 9 Adobe Reader out of Date! <---please check for an update if available or uninstall and download and install Foxit Reader which is less vulnerable to malware and much better than Adobe. Don't install any toolbars that may come with it (ASK Toolbar).

~~~~~~~~~~~~~~~~~~~~~~~~

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /



Then hit enter.
This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)

---------------------------------

Please download OTC to your desktop. (This will clean up most of the tools and logs)
http://oldtimer.geekstogo.com/OTC.exe

Double-click OTC to run it. (Vista and up users, please right click on OTC and select "Run as an Administrator")
Click on the CleanUp! button and follow the prompts.
(If you get a warning from your firewall or other security programs regarding OTC attempting to contact the Internet, please allow the connection.)
You will be asked to reboot the machine to finish the Cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.

Any other programs or logs you can manually delete. (right click.....Delete)
IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST folder, FRST-OlderVersion folder, MBAR folder, etc....AdwCleaner > just run the program and click uninstall.

Note:
If you used FRST and can't delete the quarantine folder:
Download the fixlist.txt to the same folder as FRST.exe.
Run FRST.exe and click Fix only once and wait
That will delete the quarantine folder created by FRST.
The rest you can manually delete.

-------------------------------

Any questions...please post back.
If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

[mattbizly]

Hi MrC,

 

Everything on that list is done. What I will do as a final precaution is let run a full scan with Malwarebytes and also go ahead and change my passwords etc. I'll post a reply here if the scan comes up with anything, but I doubt it will.

 

You've been a real help, couldn't have got this sorted by myself. Massive thanks When payday rolls around I'll be more than happy to make a donation, will also leave you some feedback on your profile.

 

All the best, and thanks again.

 

Matt

[mattbizly]

Hold fire! Got a problem detected during the scan doh! Will let you know what it is when it has finished ...

 

 

Cheers

 

Matt

[mattbizly]

Hi MrC,

 

The full scan finished up and I had one of those PUP.OptionalMintCastNetworks things again, but only the one. I removed that and will probably run a quick scan. Do you have any recommendations?

 

Cheers

 

Matt

[mattbizly]

Just an update - quick scan came up clean, here's the log.

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.01.14.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16476
Matt Billington :: MATTSMACHINE2 [administrator]

15/01/2014 18:32:11
mbam-log-2014-01-15 (18-32-11).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 222156
Time elapsed: 5 minute(s), 2 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 

 

Is it worth doing another full scan?

 

Cheers

 

Matt

[MrCharlie]

If you want....MrC