Virus issues and cannot install MBAM


Hello all!

I'm currently trying to fix a friend's PC and have managed to remove some stuff to the point where the program in question (plus some others), coin-miner.exe, is now removed and not hogging the RAM. However, I believe there are still some remnants of malware/viruses floating around, and they have locked a few things (i.e. I couldn't open any anti-virus etc.). I ran a number of programs while removing the initial threats and have attached some of the logs.

For the HijackThis log, I received a message when I scanned, which I have attached.

Also, I won't have physical access to the computer in question; I will be performing any cleaning via TeamViewer. I will be able to guide the user to do certain tasks as they are computer literate.

After removing the major threats, I removed all anti-virus and MBAM (including using the cleaner) and attempted to reinstall. I managed to reinstall Microsoft Security Essentials (after it refused to fix itself) and it is now working fine (haven't scanned yet). I then attempted to reinstall MBAM; however, during installation (as soon as it starts), it gives me an "error 5: access denied" message. This also happens when I right-click and run as admin (the account is admin anyway).

Thanks in advance!

Here is a ComboFix log (as I wasn't able to upload it for some reason):

ComboFix 14-05-27.02 - Ali 27/05/2014  16:55:59.2.4 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.44.1033.18.6089.4135 [GMT 1:00]
Running from: c:\users\Ali\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2014-04-27 to 2014-05-27  )))))))))))))))))))))))))))))))
.
.
2014-05-27 15:59 . 2014-05-27 15:59 -------- d-----w- c:\users\HomeGroupUser$\AppData\Local\temp
2014-05-27 15:59 . 2014-05-27 15:59 -------- d-----w- c:\users\Guest\AppData\Local\temp
2014-05-27 15:59 . 2014-05-27 15:59 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-05-27 15:59 . 2014-05-27 15:59 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2014-05-27 15:31 . 2014-05-27 15:32 -------- d-----w- C:\FRST
2014-05-27 14:11 . 2014-05-27 14:11 1031560 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B318A01E-0C80-475D-A3FE-5DD05B7B1810}\gapaengine.dll
2014-05-27 14:11 . 2014-04-30 15:20 10702536 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{82E592A7-072D-44EE-BF18-6FE78102912E}\mpengine.dll
2014-05-27 14:11 . 2014-05-27 14:11 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2014-05-27 14:11 . 2014-05-27 14:11 -------- d-----w- c:\program files\Microsoft Security Client
2014-05-27 14:09 . 2014-05-20 00:26 10702536 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{F593F00D-CC46-4FBE-AEB9-BA1E37F54115}\mpengine.dll
2014-05-27 13:52 . 2014-05-27 14:03 -------- d-----w- c:\users\Ali\AppData\Local\CrashDumps
2014-05-27 13:50 . 2014-05-27 13:50 -------- d-----w- c:\users\Ali\AppData\Local\Eraser 6
2014-05-27 13:19 . 2014-05-27 13:19 -------- d-----w- c:\program files\Eraser
2014-05-27 13:06 . 2014-05-27 13:06 -------- d-----w- C:\TDSSKiller_Quarantine
2014-05-25 12:13 . 2014-05-25 12:13 -------- d-----w- c:\program files\Microsoft.NET
2014-05-25 08:49 . 2014-05-06 04:40 23544320 ----a-w- c:\windows\system32\mshtml.dll
2014-05-25 08:49 . 2014-05-06 03:00 84992 ----a-w- c:\windows\system32\mshtmled.dll
2014-05-25 08:49 . 2014-05-06 04:17 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2014-05-25 08:49 . 2014-05-06 03:07 2724864 ----a-w- c:\windows\SysWow64\mshtml.tlb
2014-05-25 08:44 . 2014-03-25 02:43 14175744 ----a-w- c:\windows\system32\shell32.dll
2014-05-04 12:41 . 2014-05-21 12:24 0 ----a-w- c:\users\Ali\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wepp.vbs
2014-05-03 09:36 . 2014-05-03 09:36 -------- d-----w- c:\program files (x86)\predm
2014-05-03 08:30 . 2014-05-03 08:30 1356664 ----a-w- c:\windows\system32\ZombieAlert.A222801BB6B4.2.6.80.dll
2014-05-03 08:25 . 2014-05-03 08:25 1161080 ----a-w- c:\windows\SysWow64\ZombieAlert.A222801BB6B4.2.6.80.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-05-25 12:06 . 2013-12-04 19:27 70832 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-05-25 12:06 . 2013-12-04 19:27 692400 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-04-17 11:01 . 2014-04-17 11:01 1611848 ----a-w- c:\windows\SysWow64\setup.exe
2014-04-08 19:58 . 2014-04-08 19:58 61112 ----a-w- c:\windows\system32\drivers\wStLibG64.sys
2014-03-31 08:35 . 2010-11-21 03:27 270496 ------w- c:\windows\system32\MpSigStub.exe
2014-03-28 17:28 . 2014-02-17 09:04 282104 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2014-03-28 17:28 . 2013-11-10 19:41 282104 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2014-03-28 17:27 . 2013-11-10 19:37 234768 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2014-03-26 20:42 . 2014-02-17 09:04 76888 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
2014-03-26 18:32 . 2014-03-26 18:32 4296192 ----a-w- c:\program files (x86)\SW.Booster
2014-03-21 10:46 . 2014-03-21 10:46 152848 ----a-w- c:\windows\SysWow64\comdlg32.ocx
2014-03-21 10:46 . 2014-03-21 10:46 1081616 ----a-w- c:\windows\SysWow64\mscomctl.ocx
2014-03-12 15:00 . 2014-04-18 07:47 338120 ----a-w- c:\windows\system32\SecureAssist64.dll
2014-03-12 15:00 . 2014-04-18 07:47 295080 ----a-w- c:\windows\SysWow64\SecureAssist.dll
2014-03-11 15:46 . 2014-03-11 15:46 82432 ----a-w- c:\users\Ali\AppData\Roaming\Microsoft\MSXML2\msxml4r.dll
2014-03-11 15:46 . 2014-03-11 15:46 44544 ----a-w- c:\users\Ali\AppData\Roaming\Microsoft\MSXML2\msxml4a.dll
2014-03-11 15:46 . 2014-03-11 15:46 1275392 ----a-w- c:\users\Ali\AppData\Roaming\Microsoft\MSXML2\msxml4.dll
2014-03-11 08:52 . 2014-03-11 08:52 133928 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2014-03-06 09:31 . 2014-04-18 21:16 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll
2014-03-06 08:59 . 2014-04-18 21:16 66048 ----a-w- c:\windows\system32\iesetup.dll
2014-03-06 08:57 . 2014-04-18 21:16 548352 ----a-w- c:\windows\system32\vbscript.dll
2014-03-06 08:57 . 2014-04-18 21:16 48640 ----a-w- c:\windows\system32\ieetwproxystub.dll
2014-03-06 08:53 . 2014-04-18 21:16 2767360 ----a-w- c:\windows\system32\iertutil.dll
2014-03-06 08:40 . 2014-04-18 21:16 51200 ----a-w- c:\windows\system32\jsproxy.dll
2014-03-06 08:39 . 2014-04-18 21:16 33792 ----a-w- c:\windows\system32\iernonce.dll
2014-03-06 08:32 . 2014-04-18 21:16 574976 ----a-w- c:\windows\system32\ieui.dll
2014-03-06 08:29 . 2014-04-18 21:16 139264 ----a-w- c:\windows\system32\ieUnatt.exe
2014-03-06 08:29 . 2014-04-18 21:16 111616 ----a-w- c:\windows\system32\ieetwcollector.exe
2014-03-06 08:28 . 2014-04-18 21:16 752640 ----a-w- c:\windows\system32\jscript9diag.dll
2014-03-06 08:15 . 2014-04-18 21:16 940032 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2014-03-06 08:11 . 2014-04-18 21:16 5784064 ----a-w- c:\windows\system32\jscript9.dll
2014-03-06 08:09 . 2014-04-18 21:16 453120 ----a-w- c:\windows\system32\dxtmsft.dll
2014-03-06 08:03 . 2014-04-18 21:16 586240 ----a-w- c:\windows\system32\ie4uinit.exe
2014-03-06 08:02 . 2014-04-18 21:16 61952 ----a-w- c:\windows\SysWow64\iesetup.dll
2014-03-06 08:02 . 2014-04-18 21:16 455168 ----a-w- c:\windows\SysWow64\vbscript.dll
2014-03-06 08:01 . 2014-04-18 21:16 51200 ----a-w- c:\windows\SysWow64\ieetwproxystub.dll
2014-03-06 07:56 . 2014-04-18 21:16 38400 ----a-w- c:\windows\system32\JavaScriptCollectionAgent.dll
2014-03-06 07:48 . 2014-04-18 21:16 195584 ----a-w- c:\windows\system32\msrating.dll
2014-03-06 07:46 . 2014-04-18 21:15 4254720 ----a-w- c:\windows\SysWow64\jscript9.dll
2014-03-06 07:42 . 2014-04-18 21:16 296960 ----a-w- c:\windows\system32\dxtrans.dll
2014-03-06 07:38 . 2014-04-18 21:16 112128 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2014-03-06 07:36 . 2014-04-18 21:16 592896 ----a-w- c:\windows\SysWow64\jscript9diag.dll
2014-03-06 07:21 . 2014-04-18 21:16 628736 ----a-w- c:\windows\system32\msfeeds.dll
2014-03-06 07:13 . 2014-04-18 21:16 32256 ----a-w- c:\windows\SysWow64\JavaScriptCollectionAgent.dll
2014-03-06 07:11 . 2014-04-18 21:16 2043904 ----a-w- c:\windows\system32\inetcpl.cpl
2014-03-06 06:53 . 2014-04-18 21:16 13551104 ----a-w- c:\windows\system32\ieframe.dll
2014-03-06 06:40 . 2014-04-18 21:16 1967104 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2014-03-06 06:22 . 2014-04-18 21:16 2260480 ----a-w- c:\windows\system32\wininet.dll
2014-03-06 05:58 . 2014-04-18 21:16 1400832 ----a-w- c:\windows\system32\urlmon.dll
2014-03-06 05:50 . 2014-04-18 21:16 846336 ----a-w- c:\windows\system32\ieapfltr.dll
2014-03-06 05:41 . 2014-04-18 21:16 1789440 ----a-w- c:\windows\SysWow64\wininet.dll
2014-03-04 09:44 . 2014-04-09 10:50 362496 ----a-w- c:\windows\system32\wow64win.dll
2014-03-04 09:44 . 2014-04-09 10:50 243712 ----a-w- c:\windows\system32\wow64.dll
2014-03-04 09:44 . 2014-04-09 10:50 13312 ----a-w- c:\windows\system32\wow64cpu.dll
2014-03-04 09:44 . 2014-04-09 10:50 16384 ----a-w- c:\windows\system32\ntvdm64.dll
2014-03-04 09:44 . 2014-04-09 10:50 1163264 ----a-w- c:\windows\system32\kernel32.dll
2014-03-04 09:17 . 2014-04-09 10:50 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll
2014-03-04 09:17 . 2014-04-09 10:50 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2014-03-04 09:16 . 2014-04-09 10:50 25600 ----a-w- c:\windows\SysWow64\setup16.exe
2014-03-04 09:16 . 2014-04-09 10:50 5120 ----a-w- c:\windows\SysWow64\wow32.dll
2014-03-04 08:09 . 2014-04-09 10:50 7680 ----a-w- c:\windows\SysWow64\instnm.exe
2014-03-04 08:09 . 2014-04-09 10:50 2048 ----a-w- c:\windows\SysWow64\user.exe
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2010-11-21 . FE70103391A64039A921DBFFF9C7AB1B . 1008128 . . [6.1.7601.17514] .. c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll
[-] 2013-11-02 . 2C353B6CE0C8D03225CAA2AF33B68D79 . 1008640 . . [6.1.7601.17514] .. c:\windows\system32\user32.dll
.
[-] 2013-11-02 . 861C4346F9281DC0380DE72C8D55D6BE . 833024 . . [6.1.7601.17514] .. c:\windows\SysWOW64\user32.dll
[7] 2010-11-21 . 5E0DB2D8B2750543CD2EBB9EA8E6CDD3 . 833024 . . [6.1.7601.17514] .. c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)]
@="{8BA85C75-763B-4103-94EB-9470F12FE0F7}"
[HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}]
2014-04-08 13:22 1728216 ----a-w- c:\progra~2\MICROS~2\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)]
@="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}"
[HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}]
2014-04-08 13:22 1728216 ----a-w- c:\progra~2\MICROS~2\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)]
@="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}"
[HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}]
2014-04-08 13:22 1728216 ----a-w- c:\progra~2\MICROS~2\Office15\GROOVEEX.DLL
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"f.lux"="c:\users\Ali\AppData\Local\FluxSoftware\Flux\flux.exe" [2013-10-23 1017224]
"EADM"="c:\program files (x86)\Origin\Origin.exe" [2014-05-03 3588952]
"KiesPreload"="c:\program files (x86)\Samsung\Kies\Kies.exe" [2013-12-11 1564528]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"HDAudDeck"="c:\program files (x86)\VIA\VIAudioi\VDeck\VDeck.exe" [2012-02-09 5015040]
"USB3MON"="c:\program files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2012-05-21 291648]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"KiesTrayAgent"="c:\program files (x86)\Samsung\Kies\KiesTrayAgent.exe" [2013-12-11 311152]
.
c:\users\Ali\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files (x86)\MagicDisc\MagicDisc.exe [2013-11-3 576000]
wepp.vbs [2014-5-21 0]
.
c:\users\Ali\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled\
wepp.vbs [2014-4-12 154864]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 70e6ca8c;Optimizer Pro Crash Monitor;c:\windows\system32\rundll32.exe;c:\windows\SYSNATIVE\rundll32.exe [x]
R2 avgfws;AVG Firewall;c:\program files (x86)\AVG\AVG2014\avgfws.exe;c:\program files (x86)\AVG\AVG2014\avgfws.exe [x]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2014\avgidsagent.exe;c:\program files (x86)\AVG\AVG2014\avgidsagent.exe [x]
R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys;c:\windows\SYSNATIVE\DRIVERS\ssudbus.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [x]
R3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys;c:\windows\SYSNATIVE\DRIVERS\ssudmdm.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 MgAssistService;MgAssist Service;c:\program files (x86)\Mobogenie\MgAssist.exe;c:\program files (x86)\Mobogenie\MgAssist.exe [x]
R4 xmkysecqun64;xmkysecqun64;c:\program files\003\xmkysecqun64.exe run options=01110010030000000000000000000000 sourceguid=22B56083-F1A6-4ABE-8F9C-21B4CB1099AD;c:\program files\003\xmkysecqun64.exe run options=01110010030000000000000000000000 sourceguid=22B56083-F1A6-4ABE-8F9C-21B4CB1099AD [x]
S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys;c:\windows\SYSNATIVE\DRIVERS\avgidsha.sys [x]
S0 Avgloga;AVG Logging Driver;c:\windows\system32\DRIVERS\avgloga.sys;c:\windows\SYSNATIVE\DRIVERS\avgloga.sys [x]
S0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgmfx64.sys [x]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgrkx64.sys [x]
S0 iusb3hcs;Intel(R) USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hcs.sys [x]
S1 Avgdiska;AVG Disk Driver;c:\windows\system32\DRIVERS\avgdiska.sys;c:\windows\SYSNATIVE\DRIVERS\avgdiska.sys [x]
S1 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwd6a.sys;c:\windows\SYSNATIVE\DRIVERS\avgfwd6a.sys [x]
S1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys;c:\windows\SYSNATIVE\DRIVERS\avgidsdrivera.sys [x]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgldx64.sys [x]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys;c:\windows\SYSNATIVE\DRIVERS\avgtdia.sys [x]
S1 wStLibG64;wStLibG64;c:\windows\system32\drivers\wStLibG64.sys;c:\windows\SYSNATIVE\drivers\wStLibG64.sys [x]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
S2 Intel(R) Capability Licensing Service Interface;Intel(R) Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe;c:\program files\Intel\iCLS Client\HeciServer.exe [x]
S2 jhi_service;Intel(R) Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [x]
S2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
S2 NvNetworkService;NVIDIA Network Service;c:\program files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe;c:\program files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [x]
S2 NvStreamSvc;NVIDIA Streamer Service;c:\program files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe;c:\program files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [x]
S2 TeamViewer8;TeamViewer 8;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [x]
S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [x]
S2 VIAKaraokeService;VIA Karaoke digital mixer Service;c:\windows\system32\viakaraokesrv.exe;c:\windows\SYSNATIVE\viakaraokesrv.exe [x]
S3 iusb3hub;Intel(R) USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hub.sys [x]
S3 iusb3xhc;Intel(R) USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3xhc.sys [x]
S3 L1C;NDIS Miniport Driver for Qualcomm Atheros AR81xx PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys;c:\windows\SYSNATIVE\DRIVERS\L1C62x64.sys [x]
S3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
S3 nvvad_WaveExtensible;NVIDIA Virtual Audio Device (Wave Extensible) (WDM);c:\windows\system32\drivers\nvvad64v.sys;c:\windows\SYSNATIVE\drivers\nvvad64v.sys [x]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys;c:\windows\SYSNATIVE\drivers\viahduaa.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - NISDRV
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-04-20 07:20 1077576 ----a-w- c:\program files (x86)\Google\Chrome\Application\34.0.1847.116\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-05-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-12-04 12:06]
.
2014-05-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-11-02 21:21]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Nvtmru"="c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe" [2013-10-18 1028384]
"ShadowPlay"="c:\windows\system32\nvspcap64.dll" [2013-12-10 1100248]
"NvBackend"="c:\program files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe" [2013-12-10 2279712]
"Eraser"="c:\progra~1\Eraser\Eraser.exe" [2012-05-22 980920]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-03-11 1271072]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://websearch.amaizingsearches.info/?pid=2396&r=2014/04/12&hid=14923493841607965970&lg=EN&cc=GB&unqvl=51
mStart Page = hxxp://websearch.amaizingsearches.info/?pid=2396&r=2014/04/12&hid=14923493841607965970&lg=EN&cc=GB&unqvl=51
mLocal Page = c:\windows\SysWOW64\blank.htm
uSearchAssistant = hxxp://www.bing.com/search?q={searchTerms}
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office15\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office15\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.0.1
Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - c:\program files (x86)\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{84FF7BD6-B47F-46F8-9130-01B2696B36CB} - (no file)
Toolbar-10 - (no file)
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled\McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\3.0.285\SSScheduler.exe
AddRemove-{ed8deea4-29fa-3932-9612-e2122d8a62d9}}_is1 - c:\program files (x86)\WarThunder\unins000.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2575845399-3806110959-851055711-1000_Classes\Wow6432Node\CLSID\{34e55a5f-7c29-4e36-a316-7e2a028132e4}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:0000006a
"Therad"=dword:00000006
.
[HKEY_USERS\S-1-5-21-2575845399-3806110959-851055711-1000_Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"scansk"=hex(0):68,7c,ee,2d,ab,5f,78,ee,11,38,84,22,f5,8a,fc,f7,b7,3a,80,ce,ee,\
   c5,83,52,6f,0d,a4,d9,ad,ba,3a,53,58,62,28,36,1c,f6,14,43,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_13_0_0_214_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_13_0_0_214_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_13_0_0_214_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_13_0_0_214_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_214.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.13"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_214.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_214.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_214.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Nico Mak Computing\WinZip]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,\
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-05-27  17:01:18
ComboFix-quarantined-files.txt  2014-05-27 16:01
ComboFix2.txt  2014-05-27 13:50
.
Pre-Run: 856,493,256,704 bytes free
Post-Run: 856,188,444,672 bytes free
.
- - End Of File - - CF6E6B6E2408CD756209C30986646774A36C5E4F47E84449FF07ED3517B43A31

Addition.txt

FRST.txt

hijackthis.log

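The log above is the kind of thing a helper triages by eye. As an added example (not code from the thread, from ComboFix or from Malwarebytes), the script below runs a few plain-regex heuristics over ComboFix-style lines and surfaces the entries a practitioner would want to look at first: a script in the Startup folder (wepp.vbs), a DLL with a hex-looking name in system32 (the ZombieAlert DLL), a service hosted by rundll32.exe (70e6ca8c), a service whose image path carries command-line arguments (xmkysecqun64), UAC prompting moved off the secure desktop, AppInit_DLLs loading enabled, and a start page pointing at an unknown host. The sample lines are constructed from entries quoted in the post; the rule thresholds and the list of "known" start-page hosts are assumptions for the example, and a hit is a lead for a human to confirm, not a verdict.

```python
"""Triage heuristics over ComboFix-style log lines (added example, not ComboFix code)."""
import ntpath
import re

# Constructed sample: a handful of lines in the ComboFix format, taken from the
# entries quoted in the post above. Not a complete log.
SAMPLE_LOG = r"""
2014-05-04 12:41 . 2014-05-21 12:24 0 ----a-w- c:\users\Ali\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wepp.vbs
2014-05-03 08:30 . 2014-05-03 08:30 1356664 ----a-w- c:\windows\system32\ZombieAlert.A222801BB6B4.2.6.80.dll
2014-05-25 08:44 . 2014-03-25 02:43 14175744 ----a-w- c:\windows\system32\shell32.dll
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"PromptOnSecureDesktop"= 0 (0x0)
"LoadAppInit_DLLs"=1 (0x1)
R2 70e6ca8c;Optimizer Pro Crash Monitor;c:\windows\system32\rundll32.exe;c:\windows\SYSNATIVE\rundll32.exe [x]
R4 xmkysecqun64;xmkysecqun64;c:\program files\003\xmkysecqun64.exe run options=01110010030000000000000000000000 sourceguid=22B56083-F1A6-4ABE-8F9C-21B4CB1099AD;c:\program files\003\xmkysecqun64.exe run options=01110010030000000000000000000000 sourceguid=22B56083-F1A6-4ABE-8F9C-21B4CB1099AD [x]
S2 TeamViewer8;TeamViewer 8;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [x]
mStart Page = hxxp://websearch.amaizingsearches.info/?pid=2396&r=2014/04/12&hid=14923493841607965970&lg=EN&cc=GB&unqvl=51
uSearchAssistant = hxxp://www.bing.com/search?q={searchTerms}
"""

# One regex per ComboFix line shape the rules care about.
FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d \S+ \S+ (.+)$")
SERVICE_RE = re.compile(r"^[RS]\d ([^;]+);[^;]*;([^;]*);[^;]* \[x\]$")
POLICY_RE = re.compile(r'^"(\w+)"=\s*(\d+) \(0x[0-9a-fA-F]+\)$')
START_RE = re.compile(r"^[um]Start Page = (?:hxxp|http)s?://([^/\s]+)", re.I)

STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
SYSTEM_DIR = re.compile(r"\\windows\\(system32|syswow64)\\", re.I)
SCRIPT_EXT = (".vbs", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1", ".exe", ".scr")
# Start-page hosts treated as benign. An assumption for this example.
KNOWN_START_HOSTS = {"www.google.com", "www.bing.com", "www.msn.com"}


def _looks_hex_named(name):
    """True if the file name contains a 10+ char hex run mixing digits and letters."""
    return any(any(c.isdigit() for c in run) and any(c.isalpha() for c in run)
               for run in re.findall(r"[0-9A-Fa-f]{10,}", name))


def triage(log_text):
    """Return (rule, evidence) pairs for every line that trips a heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := FILE_RE.match(line):
            path = m.group(1)
            base = ntpath.basename(path)
            # Scripts and executables dropped straight into a Startup folder.
            if STARTUP_DIR.search(path) and base.lower().endswith(SCRIPT_EXT):
                findings.append(("startup-script", path))
            # System-directory files whose name is a long hex token (assumed heuristic).
            if SYSTEM_DIR.search(path) and _looks_hex_named(base):
                findings.append(("hex-named-system-file", path))
        elif m := SERVICE_RE.match(line):
            name, image = m.group(1), m.group(2)
            if re.fullmatch(r"[0-9a-fA-F]{8,}", name):
                findings.append(("hex-named-service", name))
            if "rundll32.exe" in image.lower():
                findings.append(("rundll32-hosted-service", name))
            # Arguments after the .exe: ComboFix shows the raw ImagePath.
            if re.search(r"\.exe\s+\S", image, re.I):
                findings.append(("service-image-has-arguments", f"{name}: {image}"))
        elif m := POLICY_RE.match(line):
            key, value = m.group(1), int(m.group(2))
            if key == "PromptOnSecureDesktop" and value == 0:
                findings.append(("uac-prompt-off-secure-desktop", line))
            if key == "LoadAppInit_DLLs" and value == 1:
                findings.append(("appinit-dlls-enabled", line))
        elif m := START_RE.match(line):
            host = m.group(1).lower()
            if host not in KNOWN_START_HOSTS:
                findings.append(("start-page-hijack", host))
    return findings


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_LOG):
        print(f"{rule:32} {evidence}")
```

Each rule is deliberately narrow so that the ordinary entries in the same log (shell32.dll, the TeamViewer service, the bing.com search assistant) produce nothing; widening them, for instance to every service with a vowel-poor name, starts flagging legitimate driver names like avgmfx64 and buries the real leads.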

4 weeks later...

Root Admin:

Very sorry for the delay. We've simply been overrun with requests for help and have not been able to get to everyone requesting help in a timely manner.

Now that we're finally getting our head a bit above water again I've been going back to review old missed requests. If you do still need help please let me know.

Thank you


1 month later...

Root Admin:

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
