Jump to content

multiple instances of explorer.exe in task manager


Recommended Posts

Hi everyone any help would be appreciated.

 

The bosses daughter got on one of our computers and played some silly games along with downloading some music from a random website. Now every so often several windows pop up on the desktop which appear to be a webpage with external links(mostly just advertisements) but no browser is open and nothing was clicked on.  When i open task manager i can see a separate instance of explorer.exe running for each window that opens. (usually 3 to 4) Also a download box appears from time to time asking to save or open a random video file. This dialog box also opens without any user input. 

 

Here is the log file from dds.exe

 

Attach.txt was the only log that was generated though. here it is:

 

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 1/11/2011 9:57:34 AM
System Uptime: 1/23/2014 4:14:15 PM (0 hours ago)
.
Motherboard: FOXCONN |  | M61PMV
Processor: AMD Athlon 64 X2 Dual Core Processor 5000+ | AMD Athlon 64 X2 Dual Core Processor 5000+ | 2612/201mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 75 GiB total, 40.262 GiB free.
D: is CDROM ()
E: is Removable
N: is NetworkDisk (FAT) - 75 GiB total, 40.262 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Image File Execution Options =============
.
IFEO: Your Image File Name Here without a path - ntsd -d
.
==== Installed Programs ======================
.
.
==== End Of File ===========================
 
Link to post
Share on other sites

  • Staff

Hello kahnark89

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely, I have spent my time to put together somethings for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

I would like you to run this program for me.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
Gringo
Link to post
Share on other sites

Thanks for the help gringo. jus got back in the office this morning. sorry for the delay. I ran the Farbar recovery scan tool and here are the logs.

 

FRST.txt

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 27-01-2014
Ran by user (administrator) on BECKY on 27-01-2014 09:40:21
Running from C:\Documents and Settings\user\Desktop
Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) ===================

(ArcSoft Inc.) C:\Program Files\Common Files\ArcSoft\esinter\Bin\eservutil.exe
(Dell Inc.) C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlsdbnt.exe
(Gladinet, INC) C:\Program Files\Nuance\Nuance Cloud Connector\GladFileMonSvc.exe
() C:\Program Files\Nuance\Nuance Cloud Connector\WOSVSSSvrXP32.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\ramaint.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
(Nuance Communications, Inc.) C:\Program Files\Dell Printers\paperport\PaperPort\PDFProFiltSrvPP.exe
(Dell Inc.) C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpwdnt.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\LogMeIn.exe
(Microsoft Corporation) C:\WINDOWS\system32\wscntfy.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
(VIA Technologies, Inc.) C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
(Flexera Software, Inc.) C:\Documents and Settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe
(Nuance Communications, Inc.) C:\Program Files\Dell Printers\paperport\PaperPort\pptd40nt.exe
(Nuance Communications, Inc.) C:\Program Files\Nuance\PDF Viewer Plus\PdfPro7Hook.exe
(Nuance Communications, Inc.) C:\Program Files\Dell Printers\paperport\PDFCreate\PdfCreate7Hook.exe
(Dell Inc.) C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpsp.exe
(Dell Inc.) C:\Program Files\Dell Printers\Additional Color Laser Software\Updater\dlupdr.exe
(Dell Inc.) C:\Program Files\Dell Printers\Additional Color Laser Software\Launcher\DLQLU.EXE
(Gladinet, INC) C:\Program Files\Nuance\Nuance Cloud Connector\GladinetClient.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
(Microsoft Corporation) C:\WINDOWS\system32\ntvdm.exe
(Flexera Software, Inc.) C:\Documents and Settings\All Users\Application Data\FLEXnet\Connect\11\agent.exe
(Nuance Communications, Inc.) C:\Program Files\Dell Printers\paperport\PaperPort\ppscandr.exe
(Nuance Communications, Inc.) C:\Program Files\Dell Printers\paperport\PaperPort\pplinks.exe
(Nuance Communications, Inc.) C:\Program Files\Dell Printers\paperport\PaperPort\ppscanmg.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [LogMeIn GUI] - C:\Program Files\LogMeIn\x86\LogMeInSystray.exe [63048 2010-09-17] (LogMeIn, Inc.)
HKLM\...\Run: [HDAudDeck] - C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe [29896704 2011-01-11] (VIA Technologies, Inc.)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM\...\Run: [HP Software Update] - C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe [49152 2004-02-12] (Hewlett-Packard Company)
HKLM\...\Run: [iSUSPM] - C:\Documents and Settings\All Users\Application Data\FLEXnet\Connect\11\\isuspm.exe [324976 2010-05-21] (Flexera Software, Inc.)
HKLM\...\Run: [PaperPort PTD] - C:\Program Files\Dell Printers\paperport\PaperPort\pptd40nt.exe [38848 2011-11-17] (Nuance Communications, Inc.)
HKLM\...\Run: [indexSearch] - C:\Program Files\Dell Printers\paperport\PaperPort\IndexSearch.exe [51136 2011-11-17] (Nuance Communications, Inc.)
HKLM\...\Run: [PDFProHook] - C:\Program Files\Nuance\PDF Viewer Plus\pdfpro7hook.exe [607592 2011-07-01] (Nuance Communications, Inc.)
HKLM\...\Run: [PDFCreHook] - C:\Program Files\Dell Printers\paperport\PDFCreate\pdfcreate7hook.exe [605032 2011-06-28] (Nuance Communications, Inc.)
HKLM\...\Run: [PDF7 Registry Controller] - C:\Program Files\Dell Printers\paperport\PDFCreate\RegistryController.exe [140136 2011-06-28] (Nuance Communications, Inc.)
HKLM\...\Run: [DLPSP] - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE [902536 2012-04-11] (Dell Inc.)
HKLM\...\Run: [DLUPDR] - C:\Program Files\Dell Printers\Additional Color Laser Software\Updater\DLUPDR.EXE [1099072 2012-04-11] (Dell Inc.)
HKLM\...\Run: [DLQLU] - C:\Program Files\Dell Printers\Additional Color Laser Software\Launcher\DLQLU.EXE [1082688 2012-04-11] (Dell Inc.)
Winlogon\Notify\LMIinit: C:\WINDOWS\system32\LMIinit.dll (LogMeIn, Inc.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Nuance Cloud Connector.lnk
ShortcutTarget: Nuance Cloud Connector.lnk -> C:\Program Files\Nuance\Nuance Cloud Connector\GladLauncher.exe ()

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xA63F31F32543CC01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKCU - {DEED4915-633E-480B-BBE7-111CE86CDA41} URL = http://websearch.ask.com/redirect?client=ie&tb=MTV&o=1590&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=^AAH&apn_dtid=^YYYYYY^SG^US&apn_uid=6c8c558c-8d11-403a-936d-33dcc6622d91&apn_sauid=41A1F0AB-C468-46B4-868B-82043D48DCE9&
BHO: PlusIEEventHelper Class - {551A852F-39A6-44A7-9C13-AFBEC9185A9D} - C:\Program Files\Nuance\PDF Viewer Plus\Bin\PlusIEContextMenu.dll (Zeon Corporation)
BHO: ZeonIEEventHelper Class - {DA986D7D-CCAF-47B2-84FE-BFA1549BEBF9} - C:\Program Files\Dell Printers\paperport\PDFCreate\Bin\ZeonIEFavClient.dll (Zeon Corporation)
Toolbar: HKLM - No Name - !{EF99BD32-C1FB-11D2-892F-0090271D4F88} -  No File
Toolbar: HKLM - DocuCom PDF - {E3286BF1-E654-42FF-B4A6-5E111731DF6B} - C:\Program Files\Dell Printers\paperport\PDFCreate\Bin\ZeonIEFavClient.dll (Zeon Corporation)
Toolbar: HKCU - &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
Toolbar: HKCU - &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\SHELL32.dll (Microsoft Corporation)
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1

Chrome:
=======
CHR HomePage:
CHR RestoreOnStartup: "translate_blocked_languages": [ "en"
CHR Plugin: (Shockwave Flash) - C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\32.0.1700.76\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\32.0.1700.76\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\32.0.1700.76\pdf.dll ()
CHR Plugin: (registryAccess) - C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aaaaobhcmeiifeadmdbjbpbdngaoille\7.13.1.0_0\background/registryAccess.dll No File
CHR Plugin: (AVG Internet Security) - C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\10.0.0.1409_0\plugins/avgnpss.dll No File
CHR Plugin: (Application Manager) - C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pgafcinpmmpklohkojmllohdhomoefph\1.0_0\spext.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Microsoft® DRM) - C:\Program Files\Windows Media Player\npdrmv2.dll (Microsoft Corporation)
CHR Plugin: (Windows Media Player Plug-in Dynamic Link Library) - C:\Program Files\Windows Media Player\npdsplay.dll (Microsoft Corporation (written by Digital Renaissance Inc.))
CHR Plugin: (Microsoft® DRM) - C:\Program Files\Windows Media Player\npwmsdrm.dll (Microsoft Corporation)
CHR Plugin: (Google Update) - C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\1.3.21.135\npGoogleUpdate3.dll No File
CHR Plugin: (MetaStream 3 Plugin) - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll No File
CHR Plugin: (Shockwave Flash) - C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
CHR Extension: (Google Wallet) - C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-19]
CHR StartMenuInternet: Google Chrome - C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

========================== Services (Whitelisted) =================

R2 ADExchange; C:\Program Files\Common Files\ArcSoft\esinter\Bin\eservutil.exe [43112 2012-02-16] (ArcSoft Inc.)
R2 GladFileMonSvc; C:\Program Files\Nuance\Nuance Cloud Connector\GladFileMonSvc.exe [29552 2011-09-29] (Gladinet, INC)
R2 PDFProFiltSrvPP; C:\Program Files\Dell Printers\paperport\PaperPort\PDFProFiltSrvPP.exe [219496 2012-01-03] (Nuance Communications, Inc.)
S3 AVG Security Toolbar Service; C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe [x]
S4 srv13F4; \\?\globalroot\Device\HarddiskVolume1\DOCUME~1\user\LOCALS~1\Temp\srv13F4.tmp [x]

==================== Drivers (Whitelisted) ====================

R3 monfilt; C:\WINDOWS\System32\drivers\monfilt.sys [1389056 2011-01-11] (Creative Technology Ltd.)
R0 nvata; C:\WINDOWS\System32\DRIVERS\nvata.sys [105344 2006-08-14] (NVIDIA Corporation)
R3 NVENETFD; C:\WINDOWS\System32\DRIVERS\NVENETFD.sys [57856 2006-07-11] (NVIDIA Corporation)
R3 nvnetbus; C:\WINDOWS\System32\DRIVERS\nvnetbus.sys [20480 2006-07-11] (NVIDIA Corporation)
R3 VIAHdAudAddService; C:\WINDOWS\System32\drivers\viahduaa.sys [279680 2011-01-11] (VIA Technologies, Inc.)
S1 wceusbsh; C:\WINDOWS\System32\DRIVERS\wceusbsh.sys [31744 2008-04-13] (Microsoft Corporation)
S3 catchme; \??\C:\DOCUME~1\user\LOCALS~1\Temp\catchme.sys [x]
S4 IntelIde; No ImagePath
S4 LMIRfsClientNP; No ImagePath
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-14] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

NETSVC: srv13F4 -> \\?\globalroot\Device\HarddiskVolume1\DOCUME~1\user\LOCALS~1\Temp\srv13F4.tmp ==> No File.

==================== One Month Created Files and Folders ========

2014-01-27 09:40 - 2014-01-27 09:40 - 00011731 _____ C:\Documents and Settings\user\Desktop\FRST.txt
2014-01-27 09:40 - 2014-01-27 09:40 - 00000000 ____D C:\FRST
2014-01-27 09:39 - 2014-01-27 09:34 - 01223168 _____ (Farbar) C:\Documents and Settings\user\Desktop\FRST.exe
2014-01-23 16:45 - 2014-01-23 16:49 - 00000995 _____ C:\Documents and Settings\user\Desktop\attach.txt
2014-01-23 15:57 - 2014-01-23 16:13 - 00000000 ____D C:\AdwCleaner
2014-01-23 15:56 - 2014-01-23 15:54 - 01236282 _____ C:\Documents and Settings\user\Desktop\AdwCleaner.exe
2014-01-23 15:56 - 2014-01-23 15:35 - 01933048 _____ (Bleeping Computer, LLC) C:\Documents and Settings\user\Desktop\rkill.exe
2014-01-23 15:56 - 2014-01-17 09:15 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Documents and Settings\user\Desktop\mbam-setup-1.75.0.1300.exe
2014-01-21 16:00 - 2014-01-23 16:14 - 00000735 _____ C:\Documents and Settings\All Users\Start Menu\Programs\LogMeIn Client.lnk
2014-01-21 16:00 - 2014-01-21 16:00 - 00000719 _____ C:\Documents and Settings\All Users\Start Menu\Programs\LogMeIn Control Panel.lnk
2014-01-17 14:48 - 2014-01-17 14:48 - 00016316 _____ C:\ComboFix.txt
2014-01-17 14:34 - 2014-01-17 14:34 - 00000000 _RSHD C:\cmdcons
2014-01-17 14:34 - 2011-07-15 13:22 - 00000211 _____ C:\Boot.bak
2014-01-17 14:34 - 2004-08-03 23:00 - 00260272 __RSH C:\cmldr
2014-01-17 10:44 - 2014-01-17 10:44 - 00000000 ____D C:\Documents and Settings\user\Application Data\Malwarebytes
2014-01-17 10:43 - 2014-01-17 12:18 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2014-01-17 10:43 - 2014-01-17 10:43 - 00000784 _____ C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2014-01-17 10:43 - 2014-01-17 10:43 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
2014-01-17 10:43 - 2014-01-17 10:43 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2014-01-17 10:43 - 2013-04-04 14:50 - 00022856 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2014-01-15 03:00 - 2014-01-15 03:00 - 00004340 _____ C:\WINDOWS\KB2914368.log
2014-01-15 03:00 - 2014-01-15 03:00 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2914368$
2014-01-13 14:32 - 2014-01-15 12:59 - 00000000 ____D C:\Documents and Settings\user\My Documents\BRAYTON ENERGY
2013-12-30 08:30 - 2013-12-30 08:30 - 00000871 _____ C:\Documents and Settings\user\Desktop\Shortcut to RECEIVABLES JANUARY  '14.lnk

==================== One Month Modified Files and Folders =======

2014-01-27 09:40 - 2014-01-27 09:40 - 00011731 _____ C:\Documents and Settings\user\Desktop\FRST.txt
2014-01-27 09:40 - 2014-01-27 09:40 - 00000000 ____D C:\FRST
2014-01-27 09:39 - 2011-01-14 10:40 - 00000374 _____ C:\WINDOWS\QAWIN.INI
2014-01-27 09:35 - 2011-10-30 22:35 - 00000974 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-179605362-839522115-1003UA.job
2014-01-27 09:34 - 2014-01-27 09:39 - 01223168 _____ (Farbar) C:\Documents and Settings\user\Desktop\FRST.exe
2014-01-27 09:34 - 2013-07-22 18:48 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2014-01-27 09:31 - 2012-04-11 14:00 - 00000000 ____D C:\Documents and Settings\user\My Documents\STATEMENT OF ACCOUNTS
2014-01-27 09:11 - 2013-05-23 08:11 - 00000488 _____ C:\WINDOWS\Tasks\HP Photo Creations Communicator.job
2014-01-27 09:08 - 2011-01-11 09:55 - 01977854 _____ C:\WINDOWS\WindowsUpdate.log
2014-01-27 08:48 - 2011-01-14 10:12 - 00000000 ____D C:\Documents and Settings\user\My Documents\AMERICAN MARINE
2014-01-27 08:47 - 2011-01-11 03:41 - 00008284 _____ C:\WINDOWS\wiadebug.log
2014-01-27 08:35 - 2011-10-30 22:35 - 00000922 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-179605362-839522115-1003Core.job
2014-01-27 08:28 - 2012-12-26 16:32 - 00002521 _____ C:\Documents and Settings\user\Desktop\Microsoft Office Outlook 2003.lnk
2014-01-27 01:35 - 2011-01-11 09:59 - 00032540 _____ C:\WINDOWS\SchedLgU.Txt
2014-01-27 00:10 - 2011-01-11 11:55 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\LogMeIn
2014-01-26 12:17 - 2011-01-11 11:36 - 00000420 ____H C:\WINDOWS\Tasks\User_Feed_Synchronization-{E7F8C04E-25CA-4973-A8ED-8A0F032B93A4}.job
2014-01-24 14:38 - 2013-10-23 16:20 - 00000000 ____D C:\Documents and Settings\user\Local Settings\Application Data\gladinet
2014-01-24 14:36 - 2011-01-11 10:03 - 00000278 __SHC C:\Documents and Settings\user\ntuser.ini
2014-01-24 12:29 - 2011-01-14 10:13 - 00000000 ____D C:\Documents and Settings\user\My Documents\CRIPOLY
2014-01-24 11:32 - 2011-01-14 10:15 - 00000000 ____D C:\Documents and Settings\user\My Documents\PROGRESS RAIL
2014-01-24 10:27 - 2011-05-05 09:46 - 00000000 ____D C:\Documents and Settings\user\My Documents\POWERTEAMUS
2014-01-24 08:18 - 2011-01-14 10:17 - 00000000 ____D C:\Documents and Settings\user\My Documents\STEWART & STEVENSON
2014-01-24 07:46 - 2011-01-14 10:13 - 00000000 ____D C:\Documents and Settings\user\My Documents\DOTSON
2014-01-24 07:42 - 2012-12-04 08:56 - 00000000 ____D C:\Documents and Settings\user\My Documents\STRIEGEL SUPPLY
2014-01-23 16:49 - 2014-01-23 16:45 - 00000995 _____ C:\Documents and Settings\user\Desktop\attach.txt
2014-01-23 16:17 - 2011-04-11 11:05 - 00000000 ____D C:\WINDOWS\ERDNT
2014-01-23 16:17 - 2011-04-11 11:04 - 00000000 ____D C:\Qoobox
2014-01-23 16:17 - 2011-01-11 09:54 - 00000000 ____D C:\WINDOWS\system32\Restore
2014-01-23 16:14 - 2014-01-21 16:00 - 00000735 _____ C:\Documents and Settings\All Users\Start Menu\Programs\LogMeIn Client.lnk
2014-01-23 16:14 - 2011-01-11 09:59 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2014-01-23 16:14 - 2011-01-11 03:41 - 00000049 _____ C:\WINDOWS\wiaservc.log
2014-01-23 16:13 - 2014-01-23 15:57 - 00000000 ____D C:\AdwCleaner
2014-01-23 15:59 - 2012-11-21 09:47 - 00000000 ____D C:\Program Files\Mozilla Firefox
2014-01-23 15:54 - 2014-01-23 15:56 - 01236282 _____ C:\Documents and Settings\user\Desktop\AdwCleaner.exe
2014-01-23 15:35 - 2014-01-23 15:56 - 01933048 _____ (Bleeping Computer, LLC) C:\Documents and Settings\user\Desktop\rkill.exe
2014-01-23 14:13 - 2012-11-21 08:48 - 00000000 ____D C:\Documents and Settings\user\My Documents\K & L ELECTRONICS
2014-01-23 13:03 - 2012-07-30 07:21 - 00000000 ____D C:\Documents and Settings\user\My Documents\S & S SALES & LEASING
2014-01-23 11:14 - 2011-06-27 15:04 - 00000000 ____D C:\Documents and Settings\user\My Documents\MASTER PACKING
2014-01-23 10:34 - 2011-01-14 10:12 - 00000000 ____D C:\Documents and Settings\user\My Documents\AMEREN SALES
2014-01-23 10:20 - 2011-01-14 10:15 - 00000000 ____D C:\Documents and Settings\user\My Documents\NREC POWER SYSTEMS
2014-01-23 09:17 - 2001-08-23 06:00 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl
2014-01-23 08:57 - 2011-01-14 10:14 - 00000000 ____D C:\Documents and Settings\user\My Documents\LAWRENCE & ASSOC
2014-01-23 08:31 - 2011-01-14 10:15 - 00000000 ____D C:\Documents and Settings\user\My Documents\MIKE'S
2014-01-22 14:18 - 2011-09-01 12:51 - 00000000 ____D C:\Documents and Settings\user\My Documents\BECKY'S EBAY
2014-01-22 13:57 - 2011-01-14 10:14 - 00000000 ____D C:\Documents and Settings\user\My Documents\EURO-AMERICAN DIESEL CHILE
2014-01-22 13:53 - 2012-12-21 07:58 - 00000000 ____D C:\Documents and Settings\user\My Documents\DIESEL LOKO DIST
2014-01-22 13:45 - 2011-09-01 13:07 - 00000000 ____D C:\Documents and Settings\user\My Documents\J & L CONSULTING
2014-01-22 11:17 - 2011-01-14 10:14 - 00000000 ____D C:\Documents and Settings\user\My Documents\LASCASIANA
2014-01-21 17:13 - 2011-01-11 09:58 - 00000000 __SHD C:\Documents and Settings\NetworkService
2014-01-21 16:07 - 2012-06-26 15:56 - 00000000 ____D C:\Documents and Settings\user\My Documents\MIDWEST MAINTENANCE SVC
2014-01-21 16:00 - 2014-01-21 16:00 - 00000719 _____ C:\Documents and Settings\All Users\Start Menu\Programs\LogMeIn Control Panel.lnk
2014-01-21 16:00 - 2011-01-11 11:55 - 00000000 ____D C:\Program Files\LogMeIn
2014-01-21 15:59 - 2011-01-11 11:56 - 00086888 _____ (LogMeIn, Inc.) C:\WINDOWS\system32\LMIRfsClientNP.dll
2014-01-21 15:59 - 2011-01-11 11:56 - 00031560 _____ (LogMeIn, Inc.) C:\WINDOWS\system32\LMIport.dll
2014-01-21 15:59 - 2011-01-11 11:55 - 00085832 _____ (LogMeIn, Inc.) C:\WINDOWS\system32\LMIinit.dll
2014-01-21 08:35 - 2011-01-14 10:17 - 00000000 ____D C:\Documents and Settings\user\My Documents\WORLD BRIDGE
2014-01-21 08:21 - 2012-10-18 10:01 - 00000000 ____D C:\Documents and Settings\user\My Documents\DESIGN POWER
2014-01-21 08:02 - 2011-01-14 10:15 - 00000000 ____D C:\Documents and Settings\user\My Documents\POWER RAIL
2014-01-20 14:12 - 2011-01-11 10:04 - 00071936 ____C C:\Documents and Settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2014-01-20 12:56 - 2011-01-14 10:17 - 00000000 ____D C:\Documents and Settings\user\My Documents\SPECIALIZED DIESEL
2014-01-20 08:55 - 2011-01-14 10:39 - 00000000 ____D C:\qawin
2014-01-17 14:58 - 2011-01-11 03:38 - 00275760 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2014-01-17 14:55 - 2011-01-11 11:43 - 00001324 _____ C:\WINDOWS\system32\d3d9caps.dat
2014-01-17 14:48 - 2014-01-17 14:48 - 00016316 _____ C:\ComboFix.txt
2014-01-17 14:47 - 2001-08-23 06:00 - 00000227 _____ C:\WINDOWS\system.ini
2014-01-17 14:34 - 2014-01-17 14:34 - 00000000 _RSHD C:\cmdcons
2014-01-17 14:34 - 2011-01-11 03:37 - 00000327 __RSH C:\boot.ini
2014-01-17 14:17 - 2013-07-22 18:32 - 00000000 ____D C:\Documents and Settings\user\Local Settings\Application Data\Avg2013
2014-01-17 14:17 - 2011-01-11 12:08 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\MFAData
2014-01-17 14:07 - 2013-08-16 15:13 - 00127683 _____ C:\WINDOWS\setupapi.log
2014-01-17 14:07 - 2013-07-22 18:38 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\AVG2013
2014-01-17 14:07 - 2011-06-15 16:27 - 00000000 ____D C:\$AVG
2014-01-17 12:53 - 2011-01-11 03:39 - 00588972 ____C C:\WINDOWS\system32\PerfStringBackup.INI
2014-01-17 12:50 - 2011-01-11 12:02 - 00000376 ____C C:\WINDOWS\ODBC.INI
2014-01-17 12:50 - 2001-08-23 06:00 - 00000573 _____ C:\WINDOWS\win.ini
2014-01-17 12:32 - 2011-01-11 03:34 - 00000000 ____D C:\WINDOWS\system32\ias
2014-01-17 12:27 - 2004-08-04 00:56 - 00033280 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\rundll32.exe
2014-01-17 12:27 - 2004-08-04 00:56 - 00033280 _____ (Microsoft Corporation) C:\WINDOWS\system32\rundll32.exe
2014-01-17 12:18 - 2014-01-17 10:43 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2014-01-17 10:44 - 2014-01-17 10:44 - 00000000 ____D C:\Documents and Settings\user\Application Data\Malwarebytes
2014-01-17 10:43 - 2014-01-17 10:43 - 00000784 _____ C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2014-01-17 10:43 - 2014-01-17 10:43 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
2014-01-17 10:43 - 2014-01-17 10:43 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2014-01-17 09:15 - 2014-01-23 15:56 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Documents and Settings\user\Desktop\mbam-setup-1.75.0.1300.exe
2014-01-17 08:59 - 2013-04-26 13:29 - 00001769 _____ C:\InstallHelper.log
2014-01-17 08:59 - 2013-04-26 13:29 - 00000000 ____D C:\Documents and Settings\All Users\eBay
2014-01-17 08:35 - 2012-01-31 15:26 - 00000000 ____D C:\Program Files\Philips
2014-01-17 08:31 - 2011-01-11 03:34 - 00000000 ____D C:\WINDOWS\Help
2014-01-16 08:18 - 2011-07-06 11:21 - 00002347 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
2014-01-16 08:18 - 2011-07-06 11:21 - 00000000 ____D C:\Program Files\Common Files\Adobe
2014-01-15 16:27 - 2013-07-30 11:58 - 00000000 ____D C:\Documents and Settings\user\My Documents\TPS HOUSTON GROUP
2014-01-15 12:59 - 2014-01-13 14:32 - 00000000 ____D C:\Documents and Settings\user\My Documents\BRAYTON ENERGY
2014-01-15 11:35 - 2011-01-14 10:14 - 00000000 ____D C:\Documents and Settings\user\My Documents\LOCODOCS
2014-01-15 08:19 - 2012-04-10 06:43 - 00000000 ____D C:\Documents and Settings\user\My Documents\VMV PADUCAHBILT
2014-01-15 03:02 - 2013-08-09 02:00 - 00000000 ____D C:\WINDOWS\system32\MRT
2014-01-15 03:00 - 2014-01-15 03:00 - 00004340 _____ C:\WINDOWS\KB2914368.log
2014-01-15 03:00 - 2014-01-15 03:00 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2914368$
2014-01-15 03:00 - 2012-07-03 16:15 - 83425928 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2014-01-15 03:00 - 2011-01-11 03:39 - 01410105 ____C C:\WINDOWS\iis6.log
2014-01-15 03:00 - 2011-01-11 03:39 - 01261044 ____C C:\WINDOWS\FaxSetup.log
2014-01-15 03:00 - 2011-01-11 03:39 - 00614613 ____C C:\WINDOWS\ocgen.log
2014-01-15 03:00 - 2011-01-11 03:39 - 00580858 ____C C:\WINDOWS\tsoc.log
2014-01-15 03:00 - 2011-01-11 03:39 - 00425031 ____C C:\WINDOWS\comsetup.log
2014-01-15 03:00 - 2011-01-11 03:39 - 00383752 ____C C:\WINDOWS\msmqinst.log
2014-01-15 03:00 - 2011-01-11 03:39 - 00256263 ____C C:\WINDOWS\ntdtcsetup.log
2014-01-15 03:00 - 2011-01-11 03:39 - 00221739 ____C C:\WINDOWS\netfxocm.log
2014-01-15 03:00 - 2011-01-11 03:39 - 00088142 ____C C:\WINDOWS\MedCtrOC.log
2014-01-15 03:00 - 2011-01-11 03:39 - 00069915 ____C C:\WINDOWS\ocmsn.log
2014-01-15 03:00 - 2011-01-11 03:39 - 00064230 ____C C:\WINDOWS\tabletoc.log
2014-01-15 03:00 - 2011-01-11 03:39 - 00063303 ____C C:\WINDOWS\msgsocm.log
2014-01-15 03:00 - 2011-01-11 03:39 - 00001374 _____ C:\WINDOWS\imsins.log
2014-01-14 15:49 - 2011-01-14 10:17 - 00000000 ____D C:\Documents and Settings\user\My Documents\SUPCO CANADA
2014-01-14 08:13 - 2011-01-14 10:15 - 00000000 ____D C:\Documents and Settings\user\My Documents\MARINSA
2014-01-14 08:09 - 2012-06-20 09:40 - 00000000 ____D C:\Documents and Settings\user\My Documents\MARINE SYSTEMS
2014-01-13 16:42 - 2011-01-14 10:14 - 00000000 ____D C:\Documents and Settings\user\My Documents\HILLCREST CAMSHAFT
2014-01-13 13:50 - 2013-03-12 07:26 - 00000000 ____D C:\Documents and Settings\user\My Documents\AMTRAK BIDS
2014-01-13 13:11 - 2011-01-14 10:14 - 00000000 ____D C:\Documents and Settings\user\My Documents\LAWRENCE & ASSOCIATES
2014-01-09 16:05 - 2011-05-19 15:14 - 00000000 ____D C:\Documents and Settings\user\My Documents\AMERICAN TURBO
2014-01-09 13:54 - 2012-02-02 08:15 - 00000000 ____D C:\Documents and Settings\user\My Documents\WABTEC
2014-01-09 08:26 - 2011-01-14 10:13 - 00000000 ____D C:\Documents and Settings\user\My Documents\DICKSON MARINE
2014-01-02 14:02 - 2013-08-22 08:13 - 00000000 ____D C:\Documents and Settings\user\My Documents\MARINE DIESEL OF SEATTLE
2013-12-30 15:44 - 2011-01-14 10:15 - 00000000 ____D C:\Documents and Settings\user\My Documents\PEAKER SERVICES
2013-12-30 08:30 - 2013-12-30 08:30 - 00000871 _____ C:\Documents and Settings\user\Desktop\Shortcut to RECEIVABLES JANUARY  '14.lnk
2013-12-30 08:29 - 2011-01-14 10:15 - 00000000 ____D C:\Documents and Settings\user\My Documents\RECEIVABLES
2013-12-30 07:58 - 2012-03-07 14:15 - 00000000 ____D C:\Documents and Settings\user\My Documents\LOCOMOTORAS

Some content of TEMP:
====================
C:\Documents and Settings\user\Local Settings\temp\Quarantine.exe


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================

 

Addition.txt

Link to post
Share on other sites

  • Staff

Hello kahnark89

These are the programs I would like you to run next, if you have any problems with one of these just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[s1].txt as well.
-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
When they are complete let me have the two reports and let me know how things are running.

Gringo

Link to post
Share on other sites

i ran adwcleaner but the junkware removal tool would not run.

 

After adw finished the computer rebooted and seemed to be running fine. But then about an hour later the same issues popped up again.

 

here is the log from adwcleaner.

 

# AdwCleaner v3.017 - Report created 23/01/2014 at 15:59:46
# Updated 12/01/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : user - BECKY
# Running from : C:\Documents and Settings\user\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

[#] Service Deleted : Browser Manager

***** [ Files / Folders ] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Babylon
Folder Deleted : C:\Documents and Settings\All Users\Application Data\boost_interprocess
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Tarma Installer
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Trymedia
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Viewpoint
Folder Deleted : C:\Program Files\Free Offers from Freeze.com
Folder Deleted : C:\Program Files\Viewpoint
Folder Deleted : C:\Documents and Settings\user\Local Settings\Application Data\apn
Folder Deleted : C:\Documents and Settings\user\Local Settings\Application Data\Conduit
Folder Deleted : C:\Documents and Settings\user\Local Settings\Application Data\PackageAware
Folder Deleted : C:\Documents and Settings\user\Application Data\imeshbandmltbpi
Folder Deleted : C:\Documents and Settings\user\Application Data\wincoreimband
File Deleted : C:\Program Files\Mozilla Firefox\user.js

***** [ Shortcuts ] *****


***** [ Registry ] *****

Value Deleted : HKCU\Software\Mozilla\Firefox\Extensions [{58BD07EB-0EE0-4DF0-8121-DC9B693373DF}]
Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [m3ffxtbr@mywebsearch.com]
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\pgafcinpmmpklohkojmllohdhomoefph
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\iMesh
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\YontooIEClient.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Deleted : HKLM\SOFTWARE\Classes\MyWebSearch.ThirdPartyInstaller
Key Deleted : HKLM\SOFTWARE\Classes\MyWebSearch.ThirdPartyInstaller.1
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\YontooIEClient.Api
Key Deleted : HKLM\SOFTWARE\Classes\YontooIEClient.Api.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows Media\Wmsdk\Sources [F3PopularScreenSavers]
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
Key Deleted : HKCU\Software\5928cdce26dea17
Key Deleted : HKLM\SOFTWARE\5928cdce26dea17
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3209604
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C3110516-8EFC-49D6-8B72-69354F332062}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{08858AF6-42AD-4914-95D2-AC3AB0DC8E28}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1E0DE227-5CE4-4EA3-AB0C-8B03E1AA76BC}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{408CFAD9-8F13-4747-8EC7-770A339C7237}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{799391D3-EB86-4BAC-9BD3-CBFEA58A0E15}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{819FFE22-35C7-4925-8CDA-4E0E2DB94302}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D858DAFC-9573-4811-B323-7011A3AA7E61}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FE9271F2-6EFD-44B0-A826-84C829536E93}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{01947140-417F-46B6-8751-A3A2B8345E1A}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{07B18EAA-A523-4961-B6BB-170DE4475CCA}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{07B18EAC-A523-4961-B6BB-170DE4475CCA}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1093995A-BA37-41D2-836E-091067C4AD17}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{120927BF-1700-43BC-810F-FAB92549B390}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{17DE5E5E-BFE3-4E83-8E1F-8755795359EC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1F52A5FA-A705-4415-B975-88503B291728}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{247A115F-06C2-4FB3-967D-2D62D3CF4F0A}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2E3537FC-CF2F-4F56-AF54-5A6A3DD375CC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3E1656ED-F60E-4597-B6AA-B6A58E171495}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3E53E2CB-86DB-4A4A-8BD9-FFEB7A64DF82}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3E720451-B472-4954-B7AA-33069EB53906}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3E720453-B472-4954-B7AA-33069EB53906}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{63D0ED2B-B45B-4458-8B3B-60C69BBBD83C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{63D0ED2D-B45B-4458-8B3B-60C69BBBD83C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6E74766C-4D93-4CC0-96D1-47B8E07FF9CA}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{72EE7F04-15BD-4845-A005-D6711144D86A}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{7473D291-B7BB-4F24-AE82-7E2CE94BB6A9}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{7473D293-B7BB-4F24-AE82-7E2CE94BB6A9}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{7473D295-B7BB-4F24-AE82-7E2CE94BB6A9}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{7473D297-B7BB-4F24-AE82-7E2CE94BB6A9}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{819FFE21-35C7-4925-8CDA-4E0E2DB94302}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{8E9CF769-3D3B-40EB-9E2D-76E7A205E4D2}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{90449521-D834-4703-BB4E-D3AA44042FF8}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{991AAC62-B100-47CE-8B75-253965244F69}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A626CDBD-3D13-4F78-B819-440A28D7E8FC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BBABDC90-F3D5-4801-863A-EE6AE529862D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D6FF3684-AD3B-48EB-BBB4-B9E6C5A355C1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{DB507187-9746-458C-97DA-C458131EEDE7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{DE38C398-B328-4F4C-A3AD-1B5E4ED93477}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E342AF55-B78A-4CD0-A2BB-DA7F52D9D25E}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E342AF55-B78A-4CD0-A2BB-DA7F52D9D25F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E79DFBC9-5697-4FBD-94E5-5B2A9C7C1612}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E79DFBCB-5697-4FBD-94E5-5B2A9C7C1612}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EB9E5C1C-B1F9-4C2B-BE8A-27D6446FDAF8}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F87D7FB5-9DC5-4C8C-B998-D8DFE02E2978}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{07CAC314-E962-4F78-89AB-DD002F2490EE}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{819FFE20-35C7-4925-8CDA-4E0E2DB94302}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{8FFDF636-0D87-4B33-B9E9-79A53F6E1DAE}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{E47CAEE0-DEEA-464A-9326-3F2801535A4D}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{F42228FB-E84E-479E-B922-FBBD096E792C}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{474597C5-AB09-49D6-A4D5-2E8D7341384E}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C3B01BC-53A5-48A0-A43B-0C67731134B9}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{474597C5-AB09-49D6-A4D5-2E8D7341384E}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{08858AF6-42AD-4914-95D2-AC3AB0DC8E28}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}
Value Deleted : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List [C:\Program Files\iMesh Applications\iMesh\iMesh.exe]
Key Deleted : HKCU\Software\AVG Security Toolbar
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\FLEXnet
Key Deleted : HKCU\Software\Imesh
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKLM\Software\Babylon
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\Freeze.com
Key Deleted : HKLM\Software\MetaStream
Key Deleted : HKLM\Software\Trymedia Systems
Key Deleted : HKLM\Software\Viewpoint
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{15D2D75C-9CB2-4EFD-BAD7-B9B4CB4BC693}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Google Chrome v

[ File : C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [12741 octets] - [23/01/2014 15:57:37]
AdwCleaner[s0].txt - [12981 octets] - [23/01/2014 15:59:46]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [13042 octets] ##########
 

Link to post
Share on other sites

  • Staff

Hello kahnark89

I Would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

1. Close any open browsers or any other programs that are open.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?
Gringo
Link to post
Share on other sites

I ran combofix at the last minute this afternoon. I will post the log file now and check on how the computer is running in the morning

 

Here is the log from combofix:

 

ComboFix 14-01-27.02 - user 01/27/2014  16:41:47.3.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2430.1798 [GMT -6:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-12-27 to 2014-01-27  )))))))))))))))))))))))))))))))
.
.
2014-01-27 15:40 . 2014-01-27 15:40 -------- d-----w- C:\FRST
2014-01-23 21:57 . 2014-01-27 20:29 -------- d-----w- C:\AdwCleaner
2014-01-17 16:44 . 2014-01-17 16:44 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2014-01-17 16:43 . 2014-01-17 18:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2014-01-17 16:43 . 2014-01-17 16:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2014-01-17 16:43 . 2013-04-04 20:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-01-21 21:59 . 2011-01-11 17:56 86888 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2014-01-21 21:59 . 2011-01-11 17:56 53064 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2014-01-21 21:59 . 2011-01-11 17:56 31560 ----a-w- c:\windows\system32\LMIport.dll
2014-01-21 21:59 . 2011-01-11 17:55 85832 ----a-w- c:\windows\system32\LMIinit.dll
2014-01-17 18:27 . 2004-08-04 06:56 33280 ----a-w- c:\windows\system32\rundll32.exe
2013-12-12 18:31 . 2011-01-11 17:56 86888 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
2013-12-12 18:31 . 2011-01-11 17:55 85832 ----a-w- c:\windows\system32\LMIinit.dll.000.bak
2013-12-11 16:34 . 2012-07-19 21:42 692616 -c--a-w- c:\windows\system32\FlashPlayerApp.exe
2013-12-11 16:34 . 2011-06-07 14:08 71048 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-12-11 16:34 . 2013-09-11 00:34 8699272 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2013-11-27 20:21 . 2001-08-23 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2013-11-13 02:59 . 2004-08-04 06:56 150528 ----a-w- c:\windows\system32\imagehlp.dll
2013-11-07 05:38 . 2004-08-04 06:56 591360 ----a-w- c:\windows\system32\rpcrt4.dll
2013-11-06 01:03 . 2012-06-27 08:01 7168 ----a-w- c:\windows\system32\xpsp4res.dll
2013-10-30 02:26 . 2004-08-04 05:17 1879040 ----a-w- c:\windows\system32\win32k.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GladinetIconOverlay]
@="{3C3DC57A-7535-48AF-BB9E-C3576A4F34D0}"
[HKEY_CLASSES_ROOT\CLSID\{3C3DC57A-7535-48AF-BB9E-C3576A4F34D0}]
2011-09-30 03:27 198512 ----a-w- c:\program files\Nuance\Nuance Cloud Connector\GlOverlayIcon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GladinetUploading]
@="{959A18D3-9CC9-41e8-B76F-34ED9A89D4EA}"
[HKEY_CLASSES_ROOT\CLSID\{959A18D3-9CC9-41e8-B76F-34ED9A89D4EA}]
2011-09-30 03:30 194416 ----a-w- c:\program files\Nuance\Nuance Cloud Connector\GlOverlayIconU.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-09-17 63048]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2011-01-11 29896704]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"ISUSPM"="c:\documents and settings\All Users\Application Data\FLEXnet\Connect\11\\isuspm.exe" [2010-05-21 324976]
"PaperPort PTD"="c:\program files\Dell Printers\paperport\PaperPort\pptd40nt.exe" [2011-11-17 38848]
"IndexSearch"="c:\program files\Dell Printers\paperport\PaperPort\IndexSearch.exe" [2011-11-17 51136]
"PDFProHook"="c:\program files\Nuance\PDF Viewer Plus\pdfpro7hook.exe" [2011-07-01 607592]
"PDFCreHook"="c:\program files\Dell Printers\paperport\PDFCreate\pdfcreate7hook.exe" [2011-06-28 605032]
"PDF7 Registry Controller"="c:\program files\Dell Printers\paperport\PDFCreate\RegistryController.exe" [2011-06-28 140136]
"DLPSP"="c:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE" [2012-04-11 902536]
"DLUPDR"="c:\program files\Dell Printers\Additional Color Laser Software\Updater\DLUPDR.EXE" [2012-04-11 1099072]
"DLQLU"="c:\program files\Dell Printers\Additional Color Laser Software\Launcher\DLQLU.EXE" [2012-04-11 1082688]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Nuance Cloud Connector.lnk - c:\program files\Nuance\Nuance Cloud Connector\GladLauncher.exe [2011-9-29 87920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2014-01-21 21:59 85832 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\srv13F4]
@="service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-11-21 16:57 959904 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Nuance\\Nuance Cloud Connector\\GladinetClient.exe"=
"c:\\Program Files\\Nuance\\Nuance Cloud Connector\\WOSVSSSvr.exe"=
"c:\\Program Files\\Nuance\\Nuance Cloud Connector\\WOSVSSSvr2003.exe"=
"c:\\Program Files\\Nuance\\Nuance Cloud Connector\\WOSVSSSvrXP32.exe"=
.
R2 ADExchange;ArcSoft Exchange Service;c:\program files\Common Files\ArcSoft\esinter\Bin\eservutil.exe [2/16/2012 10:46 AM 43112]
R2 DLSDB;Dell Printer Status Database;c:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\dlsdbnt.exe [10/23/2013 4:15 PM 226696]
R2 GladFileMonSvc;GladFileMonSvc;c:\program files\Nuance\Nuance Cloud Connector\GladFileMonSvc.exe [9/29/2011 9:35 PM 29552]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [12/8/2010 1:11 PM 375120]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [9/17/2010 3:40 PM 13624]
R2 PDFProFiltSrvPP;PDFProFiltSrvPP;c:\program files\Dell Printers\paperport\PaperPort\PDFProFiltSrvPP.exe [1/3/2012 11:58 AM 219496]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [7/12/2008 4:20 PM 279680]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe --> c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [?]
S4 srv13F4;srv13F4;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 12:56 AM 14336]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
srv13F4
.
Contents of the 'Scheduled Tasks' folder
.
2014-01-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-19 16:34]
.
2014-01-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-179605362-839522115-1003Core.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-10-31 04:35]
.
2014-01-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-179605362-839522115-1003UA.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-10-31 04:35]
.
2014-01-27 c:\windows\Tasks\HP Photo Creations Communicator.job
- c:\documents and settings\All Users\Application Data\HP Photo Creations\Communicator.exe [2013-10-25 13:22]
.
2014-01-27 c:\windows\Tasks\User_Feed_Synchronization-{E7F8C04E-25CA-4973-A8ED-8A0F032B93A4}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: Append the content of the link to existing PDF file - c:\program files\Dell Printers\paperport\PDFCreate\Bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Append the content of the selected links to existing PDF file - c:\program files\Dell Printers\paperport\PDFCreate\Bin\ZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML
IE: Append to existing PDF file - c:\program files\Dell Printers\paperport\PDFCreate\Bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Create PDF file - c:\program files\Dell Printers\paperport\PDFCreate\Bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF file from the content of the link - c:\program files\Dell Printers\paperport\PDFCreate\Bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF files from the selected links - c:\program files\Dell Printers\paperport\PDFCreate\Bin\ZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML
IE: Open with PDF Viewer 7 - c:\program files\Nuance\PDF Viewer Plus\Bin\PlusIEContextMenu.dll/PlusIEContextMenu.htm
TCP: DhcpNameServer = 192.168.2.1
.
- - - - ORPHANS REMOVED - - - -
.
Notify-NavLogon - (no file)
MSConfigStartUp-AOL Fast Start - c:\program files\AOL Desktop 9.6\AOL.EXE
MSConfigStartUp-HostManager - c:\program files\Common Files\AOL\1295022866\ee\AOLSoftware.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\qttask.exe
AddRemove-{52357C6C-FE7F-4E8C-B045-EDE5146A1F9C} - c:\docume~1\ALLUSE~1\APPLIC~1\TARMAI~1\{52357~1\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-01-27 16:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1???????????????????????????????????????????????? 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\srv13F4]
"servicedll"="\\?\globalroot\Device\HarddiskVolume1\DOCUME~1\user\LOCALS~1\Temp\srv13F4.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(452)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(2444)
c:\windows\system32\WININET.dll
c:\program files\Nuance\Nuance Cloud Connector\GlOverlayIcon.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Nuance\Nuance Cloud Connector\GlOverlayIconU.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
- - - - - - - > 'explorer.exe'(3436)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
.
Completion time: 2014-01-27  16:52:48
ComboFix-quarantined-files.txt  2014-01-27 22:52
ComboFix2.txt  2014-01-17 20:48
.
Pre-Run: 42,570,137,600 bytes free
Post-Run: 42,886,291,456 bytes free
.
- - End Of File - - A231165C3F00E3B14B29A9CDBF3D2D08
8F558EB6672622401DA993E1E865C861
Link to post
Share on other sites

  • Staff

Hello kahnark89

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache:: 
Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

CFScriptB-4.gif

This will let ComboFix run again.

Restart if you have to.

Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
    • report from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?
Gringo
Link to post
Share on other sites

this morning i noticed a warning message saying:

 

"explorer.exe has referenced instruction ------------ at memory location --------. the instruction is no longer there."

 

Or something along those lines.

I have not seen any other pop ups so far this morning but as i pointed out before, they seem to happen at random times so i will inform you of any updates.

 

I ran combofix again as you instructed. Here is the log:

 

ComboFix 14-01-27.02 - user 01/28/2014   8:13.4.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2430.1774 [GMT -6:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt
.
.
(((((((((((((((((((((((((   Files Created from 2013-12-28 to 2014-01-28  )))))))))))))))))))))))))))))))
.
.
2014-01-27 15:40 . 2014-01-27 15:40 -------- d-----w- C:\FRST
2014-01-23 21:57 . 2014-01-27 20:29 -------- d-----w- C:\AdwCleaner
2014-01-17 16:44 . 2014-01-17 16:44 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2014-01-17 16:43 . 2014-01-17 18:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2014-01-17 16:43 . 2014-01-17 16:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2014-01-17 16:43 . 2013-04-04 20:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-01-21 21:59 . 2011-01-11 17:56 86888 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2014-01-21 21:59 . 2011-01-11 17:56 53064 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2014-01-21 21:59 . 2011-01-11 17:56 31560 ----a-w- c:\windows\system32\LMIport.dll
2014-01-21 21:59 . 2011-01-11 17:55 85832 ----a-w- c:\windows\system32\LMIinit.dll
2014-01-17 18:27 . 2004-08-04 06:56 33280 ----a-w- c:\windows\system32\rundll32.exe
2013-12-12 18:31 . 2011-01-11 17:56 86888 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
2013-12-12 18:31 . 2011-01-11 17:55 85832 ----a-w- c:\windows\system32\LMIinit.dll.000.bak
2013-12-11 16:34 . 2012-07-19 21:42 692616 -c--a-w- c:\windows\system32\FlashPlayerApp.exe
2013-12-11 16:34 . 2011-06-07 14:08 71048 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-12-11 16:34 . 2013-09-11 00:34 8699272 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2013-11-27 20:21 . 2001-08-23 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2013-11-13 02:59 . 2004-08-04 06:56 150528 ----a-w- c:\windows\system32\imagehlp.dll
2013-11-07 05:38 . 2004-08-04 06:56 591360 ----a-w- c:\windows\system32\rpcrt4.dll
2013-11-06 01:03 . 2012-06-27 08:01 7168 ----a-w- c:\windows\system32\xpsp4res.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GladinetIconOverlay]
@="{3C3DC57A-7535-48AF-BB9E-C3576A4F34D0}"
[HKEY_CLASSES_ROOT\CLSID\{3C3DC57A-7535-48AF-BB9E-C3576A4F34D0}]
2011-09-30 03:27 198512 ----a-w- c:\program files\Nuance\Nuance Cloud Connector\GlOverlayIcon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GladinetUploading]
@="{959A18D3-9CC9-41e8-B76F-34ED9A89D4EA}"
[HKEY_CLASSES_ROOT\CLSID\{959A18D3-9CC9-41e8-B76F-34ED9A89D4EA}]
2011-09-30 03:30 194416 ----a-w- c:\program files\Nuance\Nuance Cloud Connector\GlOverlayIconU.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-09-17 63048]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2011-01-11 29896704]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"ISUSPM"="c:\documents and settings\All Users\Application Data\FLEXnet\Connect\11\\isuspm.exe" [2010-05-21 324976]
"PaperPort PTD"="c:\program files\Dell Printers\paperport\PaperPort\pptd40nt.exe" [2011-11-17 38848]
"IndexSearch"="c:\program files\Dell Printers\paperport\PaperPort\IndexSearch.exe" [2011-11-17 51136]
"PDFProHook"="c:\program files\Nuance\PDF Viewer Plus\pdfpro7hook.exe" [2011-07-01 607592]
"PDFCreHook"="c:\program files\Dell Printers\paperport\PDFCreate\pdfcreate7hook.exe" [2011-06-28 605032]
"PDF7 Registry Controller"="c:\program files\Dell Printers\paperport\PDFCreate\RegistryController.exe" [2011-06-28 140136]
"DLPSP"="c:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE" [2012-04-11 902536]
"DLUPDR"="c:\program files\Dell Printers\Additional Color Laser Software\Updater\DLUPDR.EXE" [2012-04-11 1099072]
"DLQLU"="c:\program files\Dell Printers\Additional Color Laser Software\Launcher\DLQLU.EXE" [2012-04-11 1082688]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Nuance Cloud Connector.lnk - c:\program files\Nuance\Nuance Cloud Connector\GladLauncher.exe [2011-9-29 87920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2014-01-21 21:59 85832 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\srv13F4]
@="service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-11-21 16:57 959904 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Nuance\\Nuance Cloud Connector\\GladinetClient.exe"=
"c:\\Program Files\\Nuance\\Nuance Cloud Connector\\WOSVSSSvr.exe"=
"c:\\Program Files\\Nuance\\Nuance Cloud Connector\\WOSVSSSvr2003.exe"=
"c:\\Program Files\\Nuance\\Nuance Cloud Connector\\WOSVSSSvrXP32.exe"=
.
R2 ADExchange;ArcSoft Exchange Service;c:\program files\Common Files\ArcSoft\esinter\Bin\eservutil.exe [2/16/2012 10:46 AM 43112]
R2 DLSDB;Dell Printer Status Database;c:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\dlsdbnt.exe [10/23/2013 4:15 PM 226696]
R2 GladFileMonSvc;GladFileMonSvc;c:\program files\Nuance\Nuance Cloud Connector\GladFileMonSvc.exe [9/29/2011 9:35 PM 29552]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [12/8/2010 1:11 PM 375120]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [9/17/2010 3:40 PM 13624]
R2 PDFProFiltSrvPP;PDFProFiltSrvPP;c:\program files\Dell Printers\paperport\PaperPort\PDFProFiltSrvPP.exe [1/3/2012 11:58 AM 219496]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [7/12/2008 4:20 PM 279680]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe --> c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [?]
S4 srv13F4;srv13F4;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 12:56 AM 14336]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
srv13F4
.
Contents of the 'Scheduled Tasks' folder
.
2014-01-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-19 16:34]
.
2014-01-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-179605362-839522115-1003Core.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-10-31 04:35]
.
2014-01-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-179605362-839522115-1003UA.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-10-31 04:35]
.
2014-01-28 c:\windows\Tasks\HP Photo Creations Communicator.job
- c:\documents and settings\All Users\Application Data\HP Photo Creations\Communicator.exe [2013-10-25 13:22]
.
2014-01-27 c:\windows\Tasks\User_Feed_Synchronization-{E7F8C04E-25CA-4973-A8ED-8A0F032B93A4}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: Append the content of the link to existing PDF file - c:\program files\Dell Printers\paperport\PDFCreate\Bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Append the content of the selected links to existing PDF file - c:\program files\Dell Printers\paperport\PDFCreate\Bin\ZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML
IE: Append to existing PDF file - c:\program files\Dell Printers\paperport\PDFCreate\Bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Create PDF file - c:\program files\Dell Printers\paperport\PDFCreate\Bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF file from the content of the link - c:\program files\Dell Printers\paperport\PDFCreate\Bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF files from the selected links - c:\program files\Dell Printers\paperport\PDFCreate\Bin\ZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML
IE: Open with PDF Viewer 7 - c:\program files\Nuance\PDF Viewer Plus\Bin\PlusIEContextMenu.dll/PlusIEContextMenu.htm
TCP: DhcpNameServer = 192.168.2.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-01-28 08:16
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1???????????????????????????????????????????????? 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\srv13F4]
"servicedll"="\\?\globalroot\Device\HarddiskVolume1\DOCUME~1\user\LOCALS~1\Temp\srv13F4.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(452)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(552)
c:\windows\system32\WININET.dll
c:\program files\Nuance\Nuance Cloud Connector\GlOverlayIcon.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Nuance\Nuance Cloud Connector\GlOverlayIconU.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
- - - - - - - > 'explorer.exe'(844)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
.
Completion time: 2014-01-28  08:17:17
ComboFix-quarantined-files.txt  2014-01-28 14:17
ComboFix2.txt  2014-01-27 22:52
ComboFix3.txt  2014-01-17 20:48
.
Pre-Run: 42,789,658,624 bytes free
Post-Run: 42,852,691,968 bytes free
.
- - End Of File - - 4EC2B4A1FD95EB77B17B5E737F49710E
8F558EB6672622401DA993E1E865C861
Link to post
Share on other sites

  • Staff

Hello kahnark89

Malwarebytes Anti-Rootkit

1.Download Malwarebytes Anti-Rootkit

2.Unzip the contents to a folder in a convenient location.

3.Open the folder where the contents were unzipped and run mbar.exe

4.Follow the instructions in the wizard to update and allow the program to scan your computer for threats.

5.Click on the Cleanup button to remove any threats and reboot if prompted to do so.

6.Wait while the system shuts down and the cleanup process is performed.

7.Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.

8.If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

  • •Internet access

    •Windows Update

    •Windows Firewall

9.If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included with Malwarebytes Anti-Rootkit and reboot.

10.Verify that your system is now functioning normally.

--RogueKiller--

Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit

  • Quit all programs that you may have started.
  • Please disconnect any external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • the scan will make two reports the one I would like to see is called RKreport[2].txt on your Desktop
  • Exit/Close RogueKiller+
send me the reports made from MBAR and Roguekiller and also let me know how the computer is doing at this time.

Gringo

When you are complete please send me both reports

Gringo

Link to post
Share on other sites

The computer seems to be running fine with no sign of the issues arising all day.

 

i ran mbar and it came back with a message that said "No malware found." there was no log report when i closed the program.

 

I ran rougue killer and it found 1 bad process. here is the log:

 

RogueKiller V8.8.4 [Jan 27 2014] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : user [Admin rights]
Mode : DNSFix -- Date : 01/28/2014 15:19:27
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 1 ¤¤¤
[sUSP PATH] agent.exe -- C:\Documents and Settings\All Users\Application Data\FLEXnet\Connect\11\agent.exe [7] -> KILLED [TermProc]
 
¤¤¤ Registry Entries : 0 ¤¤¤
 
¤¤¤ Driver : [LOADED] ¤¤¤
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection :  ¤¤¤
 
Finished : << RKreport[0]_DN_01282014_151927.txt >>
RKreport[0]_D_01282014_151920.txt;RKreport[0]_H_01282014_151926.txt;RKreport[0]_S_01282014_151650.txt
Link to post
Share on other sites

  • Staff

Hello kahnark89

I would like to see a report that combofix makes.

extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click ok
copy and paste the report into this topic for me to review

Gringo

Link to post
Share on other sites

It seems like everything is running fine but then we keep getting download windows that pop up from random video advertising sites.(liverail.com) when we hit cancel they would reappear instantly. then they just went off by themselves 

 

here is the report that combofix produced:

 

Adobe Flash Player 10 Plugin
Adobe Flash Player 11 ActiveX
Adobe Reader X (10.1.9)
ArcSoft PhotoStudio 6
AVG 2011
Canon D460-490
Canon MF Toolbox 4.9.1.1.mf07
Compatibility Pack for the 2007 Office system
Dell C3765dnf Color MFP Address Book Editor Ver.1.0.0.1
Dell C3765dnf Color MFP ScanButton Manager Ver.1.0.0.1
Dell C3765dnf Multifunction Color Laser Printer Scanner Driver
Dell Printer Software
Funambol Outlook Sync Client 8.2.7
Google Chrome
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB2756822)
Hotfix for Windows XP (KB2779562)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
HP Photo Creations
HP Software Update
LogMeIn
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4048
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Microsoft Works 6-9 Converter
Microsoft Works 7.0
MSN
Nuance Cloud Connector
Nuance PaperPort 14
Nuance PDF Create 7
Nuance PDF Viewer Plus
NVIDIA Drivers
PaperPort Image Printer
Platform
PrintScreen
Realtek High Definition Audio Driver
Scansoft PDF Create
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2840629)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2861697)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2858302v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2861188)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
Security Update for Microsoft .NET Framework 4 Extended (KB2858302v2)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB2744842)
Security Update for Windows Internet Explorer 8 (KB2761465)
Security Update for Windows Internet Explorer 8 (KB2792100)
Security Update for Windows Internet Explorer 8 (KB2797052)
Security Update for Windows Internet Explorer 8 (KB2799329)
Security Update for Windows Internet Explorer 8 (KB2809289)
Security Update for Windows Internet Explorer 8 (KB2817183)
Security Update for Windows Internet Explorer 8 (KB2829530)
Security Update for Windows Internet Explorer 8 (KB2838727)
Security Update for Windows Internet Explorer 8 (KB2846071)
Security Update for Windows Internet Explorer 8 (KB2847204)
Security Update for Windows Internet Explorer 8 (KB2862772)
Security Update for Windows Internet Explorer 8 (KB2870699)
Security Update for Windows Internet Explorer 8 (KB2879017)
Security Update for Windows Internet Explorer 8 (KB2888505)
Security Update for Windows Internet Explorer 8 (KB2898785)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB2834904-v2)
Security Update for Windows Media Player (KB2834904)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2709162)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2718523)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135)
Security Update for Windows XP (KB2724197)
Security Update for Windows XP (KB2727528)
Security Update for Windows XP (KB2731847)
Security Update for Windows XP (KB2753842-v2)
Security Update for Windows XP (KB2753842)
Security Update for Windows XP (KB2757638)
Security Update for Windows XP (KB2758857)
Security Update for Windows XP (KB2761226)
Security Update for Windows XP (KB2770660)
Security Update for Windows XP (KB2778344)
Security Update for Windows XP (KB2779030)
Security Update for Windows XP (KB2780091)
Security Update for Windows XP (KB2799494)
Security Update for Windows XP (KB2802968)
Security Update for Windows XP (KB2807986)
Security Update for Windows XP (KB2808735)
Security Update for Windows XP (KB2813170)
Security Update for Windows XP (KB2813345)
Security Update for Windows XP (KB2820197)
Security Update for Windows XP (KB2820917)
Security Update for Windows XP (KB2829361)
Security Update for Windows XP (KB2834886)
Security Update for Windows XP (KB2839229)
Security Update for Windows XP (KB2845187)
Security Update for Windows XP (KB2847311)
Security Update for Windows XP (KB2849470)
Security Update for Windows XP (KB2850851)
Security Update for Windows XP (KB2850869)
Security Update for Windows XP (KB2859537)
Security Update for Windows XP (KB2862152)
Security Update for Windows XP (KB2862330)
Security Update for Windows XP (KB2862335)
Security Update for Windows XP (KB2864063)
Security Update for Windows XP (KB2868038)
Security Update for Windows XP (KB2868626)
Security Update for Windows XP (KB2876217)
Security Update for Windows XP (KB2876315)
Security Update for Windows XP (KB2876331)
Security Update for Windows XP (KB2883150)
Security Update for Windows XP (KB2892075)
Security Update for Windows XP (KB2893294)
Security Update for Windows XP (KB2893984)
Security Update for Windows XP (KB2898715)
Security Update for Windows XP (KB2900986)
Security Update for Windows XP (KB2914368)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
System Requirements Lab
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2661254-v2)
Update for Windows XP (KB2718704)
Update for Windows XP (KB2736233)
Update for Windows XP (KB2749655)
Update for Windows XP (KB2863058)
Update for Windows XP (KB2904266)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VIA Platform Device Manager
WebFldrs XP
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows XP Service Pack 3
Link to post
Share on other sites

we use avg free edition on our computers here. I had to uninstall it so we could run most of these malware removal programs. I reinstalled it after we ran the last combofix and the person that uses this computer told me that AVG said that it blocked 2 potential threats this morning and she hasn't seen any of the pesky pop up windows. I didnt see the notification but is there i way i can go back and look at the avg logs or something to get a clue to what it is detecting?

Link to post
Share on other sites

  • Staff

Hello

These logs are looking allot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore this is fine just move to the next item on the list.

You can remove these programs using add/remove or you can use the free uninstaller from Revo (Revo does allot better of a job)

  • Programs to remove
    • Adobe Reader X (10.1.9)
  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.
.

Update Adobe reader

  • Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html

    After installing the latest Adobe Reader, uninstall all previous versions.

    If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

    • If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

      Note: When installing FoxitReader, be careful not to install anything to do with AskBar.

Clean Out Temp Files
  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here CCleaner

    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
    • Click Run Cleaner.
    • Close CCleaner.
: Malwarebytes' Anti-Malware :

I see You have MBAM installed on the computer - that is great!! it is a very good program! I would like you to run a quick scan for me now

  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.

Click OK to either and let MBAM proceed with the disinfection process.

If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download HijackThis

  • Go Here to download HijackThis program
  • Save HijackThis to your desktop.
  • Right Click on Hijackthis and select "Run as Admin" (XP users just need to double click to run)
  • Click on "Do A system scan and save a logfile" (if you do not see "Do A system scan and save a logfile" then click on main menu)
  • copy and paste hijackthis report into the topic
"information and logs"
  • In your next post I need the following
    • Log From MBAM
    • report from Hijackthis
    • let me know of any problems you may have had
    • How is the computer doing now?
Gringo
Link to post
Share on other sites

  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.