adh

Malicious Website Blocked - dllhost.exe


Still getting a lot of malicious website blocks referencing the windows\explorer.exe file, and multiple websites now showing in the history tab of IE. I had even gone in and deleted the earlier ones when I restarted. Don't know if it will help, but I have attached the protection log.

protectionlog.txt


Delete your copy of ComboFix and obtain a fresh one. Run it from this account.

Scan with ComboFix

This is a very powerful tool that should be used only if advised by a Malware Analyst.

Do not run ComboFix on your own!

Referring to this instruction, please download ComboFix by sUBs and save it to your desktop.

Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

If you are a user of CD emulation software (like Daemon Tools or Alcohol) also disable it for the cleaning process - instructions here.

  • Right-click on the ComboFix icon and select Run as Administrator to start the tool.
  • Accept the disclaimer and agree if prompted to install Recovery Console.
  • Do not take any actions while ComboFix goes through your System - it may cause it to stall!
  • This scan may take some time!
  • When finished - it will display a logfile (located also on your main drive, usually C:\ComboFix.txt).
Include that log in your next reply.

If you encounter any issues with your internet connection after running ComboFix, please visit this link.

If an error about an operation on a key marked for deletion appears after running the tool, please reboot your machine.

Don't forget to re-enable your previously switched-off protection software!


Scan with Gmer

This type of scan often produces false positives. Do not take any action on any suspicious entries you may see there; instead, post the log to be analyzed.

Please download GMER by Gmer and save the file to your desktop.

It will come as a randomly named file (like a6ge38b4.exe) - that's absolutely normal.

Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

If you are a user of CD emulation software (like Daemon Tools or Alcohol) also disable it for the cleaning process - instructions here.

  • Right-click on the randomly named GMER icon and select Run as Administrator to start the tool.
  • It is very important that you do not use your computer while Gmer is running!
  • Gmer will open to the Rootkit/Malware tab and perform an automatic quick scan.
  • If you receive a warning about rootkit activity and are asked to fully scan your system click NO!

When the pre-scan is completed, please do the following:

  • Please check in the Quick scan box.
  • Please uncheck the IAT/EAT and Show All.
  • Click Scan.
  • If you see a rootkit warning window click OK.
  • When the scan is finished, Save the results to your desktop as gmer.log.

Please include the content of this file in your next reply.

Don't forget to re-enable previously switched-off protection software!

If you encounter any problems, try running GMER in Safe Mode.

If GMER crashes or keeps resulting in a Blue Screen of Death, uncheck Devices on the right side before scanning.


Scan with OTS

Please download OTS by OldTimer and save the file to your desktop.

  • Right-click on the OTS icon and select Run as Administrator to start the tool.
  • Make sure that Scan All Users (upper bar) is ticked.
  • For 64-bit systems only - make sure that Include 64-bit option is also ticked.
  • Make sure that the sections Processes, Modules, Services, Drivers and Standard Registry are set to Use Safelist.
  • Under the Additional scans bar, press Extras once.
  • Push Run Scan at the top and wait patiently.
  • A notepad window will be opened after this run, named OTS.txt (saved also to your desktop).

Please post that file in your reply.


I do not see anything bad here.

Scan with HitmanPro

In any case don't remove on your own anything that Hitman Pro detects!

This scanner, while really good for checking, has been known to delete files instead of curing them, which in some cases may render the machine unbootable.

Any removals will be done manually after careful analysis of the scan results!

Please download HitmanPro by SurfRight and save it to your desktop.

Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on the HitmanPro icon and select Run as Administrator to start the tool.
  • If the program won't run, please run it while holding down the left CTRL key until it's loaded!
  • Click on the Next button. You must agree with the terms of EULA (if asked).
  • Check the box beside No, I only want to perform a one-time scan to check this computer.
  • Click on the Next button.
  • The program will start to scan the computer. It would only take several minutes.
  • When the scan is done click on drop-down menu of the found entries (if any) and choose - Apply to all => Ignore.
    • If there isn't a dropdown menu when the scan is done then please don't delete anything and close HitmanPro!

      Navigate to C:\ProgramData\HitmanPro\Logs, open the report and include it in your next reply.

  • Click on the Next button.
  • Click on the Save Log button.
  • Save that file to your desktop.
Please include that logfile in your next reply.

Don't forget to re-enable your previously switched-off protection software!

Scan with aswMBR

Please download aswMBR by Avast! & Gmer and save it to your desktop.

Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on the aswMBR icon and select Run as Administrator to start the tool.
  • Allow virtualisation if offered.
  • If you are prompted to download the latest anti-virus definitions from avast!, click Yes.
  • Click the AV Scan: drop down box and select C:\.
  • Select scan.
  • Upon completion, you will see Scan finished successfully. Click Save log.
Do NOT click Fix or FixMBR!

A file (MBR.dat) will be created on your desktop. Do NOT click or delete it!

Copy the contents of the logfile and paste it into your next reply.

Do not forget to re-enable your previously switched-off protection software!


Not sure where the bugger is hiding, but had 24 blocks in less than 15 min. Been trying to run aswMBR and it keeps repeating "scan stopped, disk 0 statistics, scan stopped". It did find an infected file before that started. Should I close the scan and start over? Thanks


HitmanPro 3.7.9.232

www.hitmanpro.com

Computer name . . . . : HEATHMAN-PC

Windows . . . . . . . : 6.1.1.7601.X64/4

User name . . . . . . : Heathman-PC\Heathman

UAC . . . . . . . . . : Enabled

License . . . . . . . : Free

Scan date . . . . . . : 2014-10-30 16:16:40

Scan mode . . . . . . : Normal

Scan duration . . . . : 3m 36s

Disk access mode . . : Direct disk access (SRB)

Cloud . . . . . . . . : Internet

Reboot . . . . . . . : No

Threats . . . . . . . : 11

Traces . . . . . . . : 83

Objects scanned . . . : 2,324,527

Files scanned . . . . : 100,659

Remnants scanned . . : 1,018,453 files / 1,205,415 keys

Suspicious files ____________________________________________________________

C:\Users\ADH.Heathman-PC\Desktop\FRST64\FRST-OlderVersion\FRST64.exe

Size . . . . . . . : 2,113,024 bytes

Age . . . . . . . : 1.8 days (2014-10-28 22:03:50)

Entropy . . . . . : 7.5

SHA-256 . . . . . : 9414025AB0585D2AEF7C95651E20EE27AC2C02D8A57B0E42C3F50D35E02D6850

Needs elevation . : Yes

Fuzzy . . . . . . : 24.0

Program has no publisher information but prompts the user for permission elevation.

Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.

Authors name is missing in version info. This is not common to most programs.

Version control is missing. This file is probably created by an individual. This is not typical for most programs.

Time indicates that the file appeared recently on this computer.

C:\Users\ADH.Heathman-PC\Desktop\FRST64\FRST64.exe

Size . . . . . . . : 2,113,536 bytes

Age . . . . . . . : 1.3 days (2014-10-29 09:19:04)

Entropy . . . . . : 7.5

SHA-256 . . . . . : 4CB4634B1474D2057787103E89DA1774BBA8A7EC62B877DCE28D3DAB2EBADCBD

Needs elevation . : Yes

Fuzzy . . . . . . : 24.0

Program has no publisher information but prompts the user for permission elevation.

Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.

Authors name is missing in version info. This is not common to most programs.

Version control is missing. This file is probably created by an individual. This is not typical for most programs.

Time indicates that the file appeared recently on this computer.

Forensic Cluster

-0.1s C:\Users\ADH.Heathman-PC\AppData\Roaming\Microsoft\Windows\Cookies\WTOCOROL.txt

0.0s C:\Users\ADH.Heathman-PC\Desktop\FRST64\FRST64.exe

C:\Users\Heathman\Desktop\FRST\FRST64.exe

Size . . . . . . . : 2,113,536 bytes

Age . . . . . . . : 0.3 days (2014-10-30 08:47:53)

Entropy . . . . . : 7.5

SHA-256 . . . . . : 4CB4634B1474D2057787103E89DA1774BBA8A7EC62B877DCE28D3DAB2EBADCBD

Needs elevation . : Yes

Fuzzy . . . . . . : 24.0

Program has no publisher information but prompts the user for permission elevation.

Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.

Authors name is missing in version info. This is not common to most programs.

Version control is missing. This file is probably created by an individual. This is not typical for most programs.

Time indicates that the file appeared recently on this computer.

Malware remnants ____________________________________________________________

HKLM\SOFTWARE\Classes\Interface\{07B18EAC-A523-4961-B6BB-170DE4475CCA}\ (Adware.MyWebSearch)

HKLM\SOFTWARE\Classes\Interface\{17DE5E5E-BFE3-4E83-8E1F-8755795359EC}\ (Adware.MyWebSearch)

HKLM\SOFTWARE\Classes\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ (Adware.MyWebSearch)

HKLM\SOFTWARE\Classes\Interface\{3E720453-B472-4954-B7AA-33069EB53906}\ (Adware.MyWebSearch)

HKLM\SOFTWARE\Classes\Interface\{63D0ED2D-B45B-4458-8B3B-60C69BBBD83C}\ (Adware.MyWebSearch)

HKLM\SOFTWARE\Classes\Interface\{BBABDC90-F3D5-4801-863A-EE6AE529862D}\ (Adware.MyWebSearch)

HKLM\SOFTWARE\Classes\Interface\{DB507187-9746-458C-97DA-C458131EEDE7}\ (Adware.MyWebSearch)

HKLM\SOFTWARE\Classes\Interface\{E342AF55-B78A-4CD0-A2BB-DA7F52D9D25F}\ (Adware.MyWebSearch)

HKLM\SOFTWARE\Classes\Interface\{E79DFBCB-5697-4FBD-94E5-5B2A9C7C1612}\ (Adware.MyWebSearch)

HKLM\SOFTWARE\Classes\Interface\{EB9E5C1C-B1F9-4C2B-BE8A-27D6446FDAF8}\ (Adware.MyWebSearch)

HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{DB507187-9746-458C-97DA-C458131EEDE7}\ (Adware.MyWebSearch)

Potential Unwanted Programs _________________________________________________

ask.com

C:\Users\ADH.Heathman-PC\AppData\Local\Google\Chrome\User Data\Default\Web Data

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF\ (AskBar)

HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\AskPartnerCobrandingTool_RASAPI32\ (AskBar)

HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\AskPartnerCobrandingTool_RASMANCS\ (AskBar)

HKU\S-1-5-21-2456594501-3595835612-1662665200-501\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}\ (AskBar)

HKU\S-1-5-21-616022151-183045692-1389677156-1002\Software\AppDataLow\Software\AskToolbar\ (AskBar)

HKU\S-1-5-21-616022151-183045692-1389677156-1002\Software\Ask.com\ (AskBar)

Cookies _____________________________________________________________________

C:\Users\ADH.Heathman-PC\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.yahoo.com

C:\Users\ADH.Heathman-PC\AppData\Local\Google\Chrome\User Data\Default\Cookies:adtechus.com

C:\Users\ADH.Heathman-PC\AppData\Local\Google\Chrome\User Data\Default\Cookies:at.atwola.com

C:\Users\ADH.Heathman-PC\AppData\Local\Google\Chrome\User Data\Default\Cookies:casalemedia.com

C:\Users\ADH.Heathman-PC\AppData\Local\Google\Chrome\User Data\Default\Cookies:doubleclick.net

C:\Users\ADH.Heathman-PC\AppData\Local\Google\Chrome\User Data\Default\Cookies:revsci.net

C:\Users\ADH.Heathman-PC\AppData\Local\Google\Chrome\User Data\Default\Cookies:ru4.com

C:\Users\ADH.Heathman-PC\AppData\Local\Google\Chrome\User Data\Default\Cookies:synacortoshiba.112.2o7.net

C:\Users\ADH.Heathman-PC\AppData\Local\Google\Chrome\User Data\Default\Cookies:tacoda.at.atwola.com

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\0RRG3OJQ.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\1IDS3PCI.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\2A46W0SP.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\2GDIACXV.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\35PPEOQ5.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\4880JXDO.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\4MI8MVPC.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\4P57Q9JM.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\6IGGO2ZU.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\77S1VNV4.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\8EURT56H.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\8ZKPRZRZ.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\8ZWUA2V7.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\92J4S9SS.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\95M8LUUO.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\A2LI1RT6.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\AFY7XWDS.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\AWL3P90L.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\B09ID0P3.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\B3N8MV3K.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\BN0C2PIH.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\CVW2ZWBC.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\D7C4DCV7.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\DPIWJ2M4.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\F3PL3FYW.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\FGRBOC2X.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\G2WK2XBW.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\G4HYKQEV.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\IHY4I17U.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\IQIMOXUB.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\IUF2C128.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\KEQ5319C.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\KOHDZS08.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\LF8E3S73.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\LMBBUH0I.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\LU7YDH5Y.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\NJ6VDOQ7.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\O61VQAI4.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\O8PA9O5D.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\OMR4PUE1.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\SGT8GHO5.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\T7Y964CY.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\U13KD5C0.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\UATHI1VU.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\VGP66I0G.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\VXJLPOA1.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\VY7P9SVU.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\VZ216WB1.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\WXURKHMM.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\XRP31WUV.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\YIL357SM.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\ZDRPDJHK.txt

C:\Users\Heathman\AppData\Roaming\Microsoft\Windows\Cookies\ZDS5DYTS.txt

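The HitmanPro report above flags FRST64.exe on two file heuristics: an entropy of 7.5 ("encrypted, compressed or obfuscated") and "Needs elevation" with no publisher information. The script below is an added example, not HitmanPro's code and not part of this thread; it re-implements those two checks so you can see why a packed, unsigned helper tool trips them. The 7.0 entropy threshold and the byte search for the UAC manifest are my assumptions about how such a verdict can be derived, and the sample files are constructed in the script rather than read from disk.

```python
import math
import os
import re
from collections import Counter

# Added example: re-implements the two file heuristics HitmanPro printed for
# FRST64.exe (entropy and "Needs elevation"). The threshold and the manifest
# check are illustrative assumptions, not HitmanPro's implementation.

ENTROPY_PACKED_THRESHOLD = 7.0  # bits per byte; 8.0 is the ceiling for uniform random data

# A PE's UAC manifest is stored as plain XML in its resource section, so a byte
# search is enough to see whether the program asks for elevation (assumption:
# the manifest itself is not packed).
ELEVATION_RE = re.compile(
    rb'requestedExecutionLevel\s+level="(?:requireAdministrator|highestAvailable)"'
)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def needs_elevation(data: bytes) -> bool:
    """True if the embedded manifest requests administrator rights."""
    return ELEVATION_RE.search(data) is not None


def is_pe(data: bytes) -> bool:
    """Cheap check for the DOS 'MZ' stub that every PE image starts with."""
    return data[:2] == b"MZ"


def assess(data: bytes) -> dict:
    """Findings in the same spirit as HitmanPro's 'Suspicious files' block."""
    ent = shannon_entropy(data)
    return {
        "entropy": round(ent, 1),
        "packed_or_encrypted": ent >= ENTROPY_PACKED_THRESHOLD,
        "needs_elevation": needs_elevation(data),
        "is_pe": is_pe(data),
    }


def sample_files() -> dict:
    """Constructed stand-ins; these are NOT the files from the log above."""
    manifest = b'<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>'
    # Looks like a packed, elevation-requesting tool: MZ stub + random payload + manifest.
    packed_tool = b"MZ" + os.urandom(64 * 1024) + manifest
    # Ordinary text: low entropy, no PE header, no manifest.
    readme = b"The quick brown fox jumps over the lazy dog.\n" * 500
    return {"packed_tool.exe": packed_tool, "readme.txt": readme}


if __name__ == "__main__":
    for name, blob in sample_files().items():
        print(f"{name}: {assess(blob)}")
```

The same heuristics fire on legitimate packed tools such as the FRST64.exe copies in the log, which is why the instruction earlier in the thread not to remove anything HitmanPro flags on your own matters: high entropy plus a missing publisher is a reason to look closer, not a verdict.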

Was able to run the aswMBR and it looks like it found a couple of things.

aswMBR version 1.0.1.2172 Copyright© 2014 AVAST Software

Run date: 2014-10-30 19:44:09

-----------------------------

19:44:09.575 OS Version: Windows x64 6.1.7601 Service Pack 1

19:44:09.575 Number of processors: 4 586 0x2A07

19:44:09.575 ComputerName: HEATHMAN-PC UserName: Heathman

19:44:11.853 Initialize success

19:44:11.913 VM: initialized successfully

19:44:11.914 VM: Intel CPU supported

19:44:18.368 VM: supported disk I/O iaStor.sys

19:44:44.112 AVAST engine defs: 14103001

19:44:58.714 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1

19:44:58.714 Disk 0 Vendor: Seagate_ TD27 Size: 476940MB BusType: 3

19:44:58.776 VM: Disk 0 MBR read successfully

19:44:58.776 Disk 0 MBR scan

19:44:58.776 Disk 0 Windows VISTA default MBR code

19:44:58.776 Disk 0 Partition 1 80 (A) 27 Hidden NTFS WinRE NTFS 1500 MB offset 2048

19:44:58.776 Disk 0 default boot code

19:44:58.792 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 460012 MB offset 3074048

19:44:58.792 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 15427 MB offset 945178624

19:44:58.807 Disk 0 scanning C:\windows\system32\drivers

19:45:03.051 Service scanning

19:45:04.221 Service BHDrvx64 C:\Program Files (x86)\Norton 360\NortonData\21.6.0.32\Definitions\BASHDefs\20141024.001\BHDrvx64.sys **LOCKED** 5

19:45:05.110 Service eeCtrl C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys **LOCKED** 5

19:45:05.235 Service EraserUtilRebootDrv C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys **LOCKED** 5

19:45:06.202 Service IDSVia64 C:\Program Files (x86)\Norton 360\NortonData\21.6.0.32\Definitions\IPSDefs\20141030.001\IDSvia64.sys **LOCKED** 5

19:45:08.401 Service NAVENG C:\Program Files (x86)\Norton 360\NortonData\21.6.0.32\Definitions\VirusDefs\20141030.004\ENG64.SYS **LOCKED** 5

19:45:08.526 Service NAVEX15 C:\Program Files (x86)\Norton 360\NortonData\21.6.0.32\Definitions\VirusDefs\20141030.004\EX64.SYS **LOCKED** 5

19:45:16.669 Modules scanning

19:45:16.669 Disk 0 trace - called modules:

19:45:16.669 ntoskrnl.exe CLASSPNP.SYS disk.sys thpdrv.sys iaStor.sys hal.dll

19:45:16.685 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8009406060]

19:45:16.685 3 CLASSPNP.SYS[fffff88001c0143f] -> nt!IofCallDriver -> \Device\THPDRV1[0xfffffa8009405060]

19:45:16.685 5 thpdrv.sys[fffff88001d282b0] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8007898050]

19:45:18.729 AVAST engine scan C:\

20:14:05.539 File: C:\Users\ADH.Heathman-PC\AppData\LocalLow\grbfa.dll **INFECTED** Win64:Agent-F [Trj]

20:14:09.829 File: C:\Users\ADH.Heathman-PC\AppData\LocalLow\srayb.dll **INFECTED** Win64:Agent-F [Trj]

22:15:41.574 Disk 0 statistics 33691835/0/22 @ 2.06 MB/s

22:15:41.590 Scan finished successfully

22:17:31.492 Disk 0 MBR has been saved successfully to "C:\Users\Heathman\Desktop\MBR.dat"

22:17:31.508 The log file has been saved successfully to "C:\Users\Heathman\Desktop\aswMBR.txt"


The locked services are not any problem, as they belong to security software.

Fix with ComboFix

Let's prepare a Script for ComboFix to mark some things for being deleted.

  • Press the Windows key + R on your keyboard at the same time.
  • A Run window should appear in the lower left corner. Type in notepad.exe and press Enter.
  • In the shown window paste in the following script:

    File::
    C:\Users\ADH.Heathman-PC\AppData\LocalLow\grbfa.dll
    C:\Users\ADH.Heathman-PC\AppData\LocalLow\srayb.dll
  • Go to File menu and select Save as.
  • Make sure that the Save as type option is set to Text files (*.txt) and the place to save will be your desktop.
  • Name the file CFScript and select Save.
Your CFScript.txt file should appear on your desktop.

Temporary disable your AntiVirus and AntiSpyware protection - instructions here.

  • Now drag your CFScript file and drop it onto the ComboFix icon.

  • This will start ComboFix. Let it run uninterrupted!
  • A reboot may be needed during this run. Allow it.
  • When finished, it shall produce a log for you at C:\ComboFix.txt and display it.
Please include that log in your next reply.

If you encounter any issues with your internet connection after running ComboFix, please visit this link.

If an error about an operation on a key marked for deletion appears after running the tool, please reboot your machine.

Do not forget to turn on your previously switched-off protection software!

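The helper built the CFScript above by hand from the two **INFECTED** lines in the aswMBR log. As an added example that is not part of this thread and not code from ComboFix or aswMBR, the script below pulls those lines out of a log in the same format and emits the File:: block. The log excerpt is constructed from the lines posted above plus one made-up detection under C:\Windows; the rule that holds back anything under the OS or Program Files directories for manual review is my own safeguard, following the thread's warning that deleting the wrong file can leave the machine unbootable.

```python
import re

# Added example: turns the **INFECTED** lines of an aswMBR log into the File::
# block ComboFix reads from CFScript.txt. The "manual review" rule for system
# paths is my own safeguard, not part of aswMBR or ComboFix.

# Constructed excerpt in the format of the aswMBR log posted above; the
# C:\Windows\System32 entry is made up to exercise the review path.
ASWMBR_LOG = r"""
19:44:58.807 Disk 0 scanning C:\windows\system32\drivers
19:45:04.221 Service BHDrvx64 C:\Program Files (x86)\Norton 360\NortonData\21.6.0.32\Definitions\BASHDefs\20141024.001\BHDrvx64.sys **LOCKED** 5
20:14:05.539 File: C:\Users\ADH.Heathman-PC\AppData\LocalLow\grbfa.dll **INFECTED** Win64:Agent-F [Trj]
20:14:09.829 File: C:\Users\ADH.Heathman-PC\AppData\LocalLow\srayb.dll **INFECTED** Win64:Agent-F [Trj]
20:20:00.000 File: C:\Windows\System32\constructed_example.dll **INFECTED** Win64:Agent-F [Trj]
22:15:41.590 Scan finished successfully
"""

INFECTED_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+ File: (?P<path>.+?) \*\*INFECTED\*\* (?P<detection>.+)$"
)

# Anything under these prefixes is never auto-listed: a false positive there can
# leave the machine unbootable, so it stays with the analyst.
PROTECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_infected(log_text: str) -> list[tuple[str, str]]:
    """Return (path, detection) pairs for every **INFECTED** File: line, in order, de-duplicated."""
    seen: dict[str, str] = {}
    for line in log_text.splitlines():
        m = INFECTED_RE.match(line.strip())
        if m and m["path"] not in seen:
            seen[m["path"]] = m["detection"]
    return list(seen.items())


def is_protected(path: str) -> bool:
    """True for paths under the OS or Program Files trees."""
    return path.lower().startswith(PROTECTED_PREFIXES)


def build_cfscript(paths: list[str]) -> tuple[str, list[str]]:
    """Emit the File:: block for user-area paths; return protected ones separately for review."""
    listed = [p for p in paths if not is_protected(p)]
    held = [p for p in paths if is_protected(p)]
    if not listed:
        return "", held
    return "\n".join(["File::", *listed]) + "\n", held


def write_cfscript(script: str, dest: str = "CFScript.txt") -> None:
    """ComboFix reads a plain text file; CRLF line endings match what Notepad writes."""
    with open(dest, "w", encoding="ascii", newline="\r\n") as fh:
        fh.write(script)


if __name__ == "__main__":
    found = parse_infected(ASWMBR_LOG)
    for path, detection in found:
        print(f"{detection}: {path}")
    script, held = build_cfscript([p for p, _ in found])
    print(script, end="")
    if held:
        print("held for manual review:", *held, sep="\n  ")
```

Only the **INFECTED** File: lines are turned into deletions; the **LOCKED** service entries belonging to Norton are ignored by the parser, matching the helper's note that locked security-software drivers are not a problem.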

Heres the log you requested. Thanks.

ComboFix 14-10-29.01 - ADH 10/31/2014 6:54.3.4 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8099.4477 [GMT -5:00]

Running from: c:\users\ADH.Heathman-PC\Desktop\ComboFix.exe

Command switches used :: c:\users\ADH.Heathman-PC\Desktop\CFScript.txt

AV: Norton 360 Premier Edition *Disabled/Updated* {D87FA2C0-F526-77B1-D6EC-0EDF3936CEDB}

FW: Norton 360 Premier Edition *Disabled* {E04423E5-BF49-76E9-FDB3-A7EAC7E589A0}

SP: Norton 360 Premier Edition *Disabled/Updated* {631E4324-D31C-783F-EC5C-35AD42B18466}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

FILE ::

"c:\users\ADH.Heathman-PC\AppData\LocalLow\grbfa.dll"

"c:\users\ADH.Heathman-PC\AppData\LocalLow\srayb.dll"

.

.

((((((((((((((((((((((((( Files Created from 2014-09-28 to 2014-10-31 )))))))))))))))))))))))))))))))

.

.

2014-10-31 12:02 . 2014-10-31 12:02 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp

2014-10-31 12:02 . 2014-10-31 12:02 -------- d-----w- c:\users\UpdatusUser.Heathman-PC\AppData\Local\temp

2014-10-31 12:02 . 2014-10-31 12:02 -------- d-----w- c:\users\Heathman\AppData\Local\temp

2014-10-31 12:02 . 2014-10-31 12:02 -------- d-----w- c:\users\Guest\AppData\Local\temp

2014-10-31 12:02 . 2014-10-31 12:02 -------- d-----w- c:\users\Default\AppData\Local\temp

2014-10-30 21:15 . 2014-10-30 21:23 -------- d-----w- c:\programdata\HitmanPro

2014-10-30 16:24 . 2014-10-31 12:02 -------- d-----w- c:\users\ADH.Heathman-PC\AppData\Local\temp

2014-10-30 13:09 . 2014-10-30 13:09 -------- d-sh--w- c:\users\Heathman\AppData\Local\EmieUserList

2014-10-30 13:09 . 2014-10-30 13:09 -------- d-sh--w- c:\users\Heathman\AppData\Local\EmieSiteList

2014-10-30 12:08 . 2014-10-30 12:08 -------- d-----w- C:\zoek_backup

2014-10-30 11:58 . 2014-10-30 11:58 -------- d-----w- c:\program files (x86)\Common Files\Java

2014-10-30 11:57 . 2014-10-30 11:57 98216 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll

2014-10-30 11:57 . 2014-10-30 11:58 -------- d-----w- c:\programdata\Oracle

2014-10-30 11:45 . 2014-10-30 11:45 -------- d-sh--w- c:\users\ADH.Heathman-PC\AppData\Local\EmieUserList

2014-10-30 11:45 . 2014-10-30 11:45 -------- d-sh--w- c:\users\ADH.Heathman-PC\AppData\Local\EmieSiteList

2014-10-30 11:42 . 2013-10-14 23:00 28368 ----a-w- c:\windows\system32\IEUDINIT.EXE

2014-10-29 22:50 . 2014-10-29 22:50 -------- d-----w- c:\program files (x86)\ESET

2014-10-29 17:59 . 2014-10-29 17:59 -------- d-----w- c:\users\Public\TOSHIBA

2014-10-29 17:11 . 2014-10-29 17:11 -------- d-----w- C:\_OTL

2014-10-29 03:04 . 2014-10-30 14:04 -------- d-----w- C:\FRST

2014-10-24 23:49 . 2014-10-31 11:48 -------- d--h--w- c:\programdata\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}

2014-10-21 15:22 . 2014-10-21 15:22 -------- d-----w- c:\users\ADH.Heathman-PC\AppData\Local\Diagnostics

2014-10-20 17:22 . 2014-09-05 02:11 6584320 ----a-w- c:\windows\system32\mstscax.dll

2014-10-20 17:22 . 2014-09-05 01:52 5703168 ----a-w- c:\windows\SysWow64\mstscax.dll

2014-10-19 21:19 . 2014-10-19 21:19 -------- d-----w- c:\program files (x86)\Common Files\Symantec Shared

2014-10-19 21:00 . 2014-10-19 21:00 177752 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS

2014-10-19 21:00 . 2014-10-19 21:00 -------- d-----w- c:\program files (x86)\Norton 360

2014-10-19 20:49 . 2014-09-25 02:08 371712 ----a-w- c:\windows\system32\qdvd.dll

2014-10-19 20:49 . 2014-09-25 01:40 519680 ----a-w- c:\windows\SysWow64\qdvd.dll

2014-10-19 20:45 . 2014-09-13 01:58 77312 ----a-w- c:\windows\system32\packager.dll

2014-10-19 20:45 . 2014-09-13 01:40 67072 ----a-w- c:\windows\SysWow64\packager.dll

2014-10-04 13:18 . 2014-10-19 21:04 -------- d-----w- c:\windows\system32\drivers\N360x64\1506000.020

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2014-10-31 11:48 . 2014-05-18 01:38 129752 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys

2014-10-19 21:44 . 2012-03-29 00:04 103265616 ----a-w- c:\windows\system32\MRT.exe

2014-10-01 16:11 . 2014-05-17 22:12 63704 ----a-w- c:\windows\system32\drivers\mwac.sys

2014-10-01 16:11 . 2014-05-17 22:12 93400 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

2014-10-01 16:11 . 2013-07-29 22:47 25816 ----a-w- c:\windows\system32\drivers\mbam.sys

2014-09-24 01:24 . 2012-04-02 01:34 701104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2014-09-24 01:24 . 2011-11-22 04:31 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2014-09-09 22:11 . 2014-09-23 17:27 2048 ----a-w- c:\windows\system32\tzres.dll

2014-09-09 21:47 . 2014-09-23 17:27 2048 ----a-w- c:\windows\SysWow64\tzres.dll

2014-08-28 23:29 . 2011-03-29 02:36 23256 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll

2014-08-23 02:07 . 2014-08-27 17:37 404480 ----a-w- c:\windows\system32\gdi32.dll

2014-08-23 01:45 . 2014-08-27 17:37 311808 ----a-w- c:\windows\SysWow64\gdi32.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-03-24 39408]

"umzmebh"="c:\users\ADH.Heathman-PC\AppData\Local\Programs\umzmebh.dll" [2014-10-31 313344]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"SVPWUTIL"="c:\program files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe" [2010-11-09 532480]

"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2011-03-10 423936]

"KeNotify"="c:\program files (x86)\TOSHIBA\Utilities\KeNotify.exe" [2010-08-16 34160]

"ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2011-07-12 1298816]

"ToshibaAppPlace"="c:\program files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe" [2010-09-23 552960]

"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\ssmmgr.exe" [2009-12-09 606208]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-07-31 43816]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2014-08-01 152392]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2014-10-07 507776]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-09-12 959176]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]

"LoadAppInit_DLLs"=1 (0x1)

"AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"mixer3"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]

@=""

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]

R3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\DRIVERS\motfilt.sys;c:\windows\SYSNATIVE\DRIVERS\motfilt.sys [x]

R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [x]

R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]

R3 intaud_WaveExtensible;Intel WiDi Audio Device;c:\windows\system32\drivers\intelaud.sys;c:\windows\SYSNATIVE\drivers\intelaud.sys [x]

R3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys;c:\windows\SYSNATIVE\DRIVERS\jmcr.sys [x]

R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys;c:\windows\SYSNATIVE\DRIVERS\motccgp.sys [x]

R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys;c:\windows\SYSNATIVE\DRIVERS\motccgpfl.sys [x]

R3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\DRIVERS\Motousbnet.sys;c:\windows\SYSNATIVE\DRIVERS\Motousbnet.sys [x]

R3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\DRIVERS\motusbdevice.sys;c:\windows\SYSNATIVE\DRIVERS\motusbdevice.sys [x]

R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [x]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]

S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvpciflt.sys [x]

S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360x64\1506000.020\SYMDS64.SYS;c:\windows\SYSNATIVE\drivers\N360x64\1506000.020\SYMDS64.SYS [x]

S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360x64\1506000.020\SYMEFA64.SYS;c:\windows\SYSNATIVE\drivers\N360x64\1506000.020\SYMEFA64.SYS [x]

S0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\DRIVERS\thpdrv.sys;c:\windows\SYSNATIVE\DRIVERS\thpdrv.sys [x]

S0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\DRIVERS\Thpevm.SYS;c:\windows\SYSNATIVE\DRIVERS\Thpevm.SYS [x]

S0 tos_sps64;TOSHIBA tos_sps64 Service;c:\windows\system32\DRIVERS\tos_sps64.sys;c:\windows\SYSNATIVE\DRIVERS\tos_sps64.sys [x]

S1 BHDrvx64;BHDrvx64;c:\program files (x86)\Norton 360\NortonData\21.6.0.32\Definitions\BASHDefs\20141024.001\BHDrvx64.sys;c:\program files (x86)\Norton 360\NortonData\21.6.0.32\Definitions\BASHDefs\20141024.001\BHDrvx64.sys [x]

S1 ccSet_N360;N360 Settings Manager;c:\windows\system32\drivers\N360x64\1506000.020\ccSetx64.sys;c:\windows\SYSNATIVE\drivers\N360x64\1506000.020\ccSetx64.sys [x]

S1 IDSVia64;IDSVia64;c:\program files (x86)\Norton 360\NortonData\21.6.0.32\Definitions\IPSDefs\20141030.001\IDSvia64.sys;c:\program files (x86)\Norton 360\NortonData\21.6.0.32\Definitions\IPSDefs\20141030.001\IDSvia64.sys [x]

S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360x64\1506000.020\Ironx64.SYS;c:\windows\SYSNATIVE\drivers\N360x64\1506000.020\Ironx64.SYS [x]

S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\system32\drivers\N360x64\1506000.020\SYMNETS.SYS;c:\windows\SYSNATIVE\drivers\N360x64\1506000.020\SYMNETS.SYS [x]

S2 DeviceMonitorService;DeviceMonitorService;c:\program files (x86)\Motorola Media Link\Lite\NServiceEntry.exe;c:\program files (x86)\Motorola Media Link\Lite\NServiceEntry.exe [x]

S2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe;c:\program files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [x]

S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [x]

S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]

S2 Motorola Device Manager;Motorola Device Manager Service;c:\program files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe;c:\program files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe [x]

S2 N360;Norton 360;c:\program files (x86)\Norton 360\Engine\21.6.0.32\N360.exe;c:\program files (x86)\Norton 360\Engine\21.6.0.32\N360.exe [x]

S2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files (x86)\PC Checkup\SymcPCCULaunchSvc.exe;c:\program files (x86)\PC Checkup\SymcPCCULaunchSvc.exe [x]

S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe;c:\program files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe [x]

S2 PST Service;PST Service;c:\program files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe;c:\program files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe [x]

S2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys;c:\windows\SYSNATIVE\Drivers\SSPORT.sys [x]

S2 TomTomHOMEService;TomTomHOMEService;c:\program files (x86)\TomTom HOME 2\TomTomHOMEService.exe;c:\program files (x86)\TomTom HOME 2\TomTomHOMEService.exe [x]

S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe;c:\program files\TOSHIBA\TECO\TecoService.exe [x]

S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys;c:\windows\SYSNATIVE\DRIVERS\TVALZFL.sys [x]

S2 UDSS;UDSS;c:\program files (x86)\Common Files\Ulead Systems\UDSS\UDSS.exe;c:\program files (x86)\Common Files\Ulead Systems\UDSS\UDSS.exe [x]

S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]

S3 CeKbFilter;CeKbFilter;c:\windows\system32\DRIVERS\CeKbFilter.sys;c:\windows\SYSNATIVE\DRIVERS\CeKbFilter.sys [x]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]

S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]

S3 iwdbus;IWD Bus Enumerator;c:\windows\system32\DRIVERS\iwdbus.sys;c:\windows\SYSNATIVE\DRIVERS\iwdbus.sys [x]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]

S3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]

S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3hub.sys [x]

S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3xhc.sys [x]

S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys;c:\windows\SYSNATIVE\DRIVERS\pgeffect.sys [x]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]

S3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [x]

S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [x]

S3 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [x]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - MBAMSWISSARMY

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{2D46B6DC-2207-486B-B523-A557E6D54B47}]

start [BU]

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]

2014-10-29 17:09 1089352 ----a-w- c:\program files (x86)\Google\Chrome\Application\38.0.2125.111\Installer\chrmstp.exe

.

Contents of the 'Scheduled Tasks' folder

.

2014-10-31 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 01:24]

.

2014-10-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-24 18:59]

.

2014-10-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-24 18:59]

.

2014-10-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-616022151-183045692-1389677156-1002Core.job

- c:\users\Heathman\AppData\Local\Google\Update\GoogleUpdate.exe [2012-10-12 01:07]

.

2014-10-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-616022151-183045692-1389677156-1002UA.job

- c:\users\Heathman\AppData\Local\Google\Update\GoogleUpdate.exe [2012-10-12 01:07]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ThpSrv"="c:\windows\system32\thpsrv" [X]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-07-02 167704]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-07-02 392472]

"Persistence"="c:\windows\system32\igfxpers.exe" [2011-07-02 416024]

"TPwrMain"="c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE" [BU]

"HSON"="c:\program files (x86)\TOSHIBA\TBS\HSON.exe" [BU]

"TCrdMain"="c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe" [BU]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-01-26 11775592]

"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2011-01-18 2188904]

"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]

"Teco"="c:\program files (x86)\TOSHIBA\TECO\Teco.exe" [BU]

"IntelPAN"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2011-06-01 1935120]

"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2011-06-10 710560]

"TosWaitSrv"="c:\program files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe" [BU]

"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]

"TosNC"="c:\program files (x86)\Toshiba\BulletinBoard\TosNcCore.exe" [BU]

"TosReelTimeMonitor"="c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe" [BU]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=c:\windows\System32\nvinitx.dll

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://start.toshiba.com/

mLocal Page = c:\windows\SysWOW64\blank.htm

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~2\MICROS~3\Office14\ONBttnIE.dll/105

TCP: DhcpNameServer = 192.168.1.254

.

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\N360]

"ImagePath"="\"c:\program files (x86)\Norton 360\Engine\21.6.0.32\N360.exe\" /s \"N360\" /m \"c:\program files (x86)\Norton 360\Engine\21.6.0.32\diMaster.dll\" /prefetch:1"

--

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\PCCUJobMgr]

"ImagePath"="\"c:\program files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files (x86)\Norton PC Checkup\Engine\2.0.13.11\diMaster.dll\" /prefetch:1"

"ImagePath"="\SystemRoot\system32\drivers\N360x64\1506000.020\SYMNETS.SYS"

"TrustedImagePaths"="c:\program files (x86)\Norton 360\Engine\21.6.0.32;c:\program files (x86)\Norton 360\Engine64\21.6.0.32"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_167_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]

@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_167_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]

@Denied: (A 2) (Everyone)

@="IFlashBroker6"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_167_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]

@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_167_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.15"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]

@Denied: (A 2) (Everyone)

@="IFlashBroker6"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Key"="ActionsPane3"

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2014-10-31 07:05:27

ComboFix-quarantined-files.txt 2014-10-31 12:05

ComboFix2.txt 2014-10-30 16:23

ComboFix3.txt 2014-10-29 12:43

.

Pre-Run: 313,921,998,848 bytes free

Post-Run: 313,968,910,336 bytes free

.

- - End Of File - - 11B6C64F34586DC4CA1670224672AACC


Shut down computer to take it with me. When I started screen said disk need to be checked for consistency and now its saying that it is recovering orphaned files. Chkdsk verifying files. Haven't gotten to the screen to select user.


This is an automatic chkdsk performed if some violations are detected. Allow this to finish and tell me how it did.


Still getting malicious website blocked referencing c:\windows\explorer.exe process every couple of seconds. Also noticed explorer.exe running twice in processes showing high usage.


Chkdsk said it was recovering orphaned files and moving them. Then check completed and computer started. Connected to internet and started getting popups. Also got popup notice from malwarebytes telling me the rootkit driver couldn't load and did I want to restart to load or run scan without it.


RogueKiller.png Scan with RogueKiller

Please download RogueKiller and save the file to your desktop.

Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on RogueKiller.png icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
  • Wait patiently until the pre-scan is done. It shouldn't take more than 2-3 minutes.
  • Accept the Terms of use.
  • When the Scan button becomes available, please click it. RogueKiller will start a full scan.
  • Let this process run uninterrupted!
  • When finished, a Report button will become available. Click it. You will be presented with a logfile.

Please include the content of this logfile in your next reply.


Here is the log

RogueKiller V10.0.4.0 (x64) [Oct 29 2014] by Adlice Software

mail : http://www.adlice.com/contact/

Feedback : http://forum.adlice.com

Website : http://www.adlice.com/softwares/roguekiller/

Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Heathman [Administrator]

Mode : Scan -- Date : 10/31/2014 08:47:41

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 22 ¤¤¤

[PUM.HomePage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found

[PUM.HomePage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found

[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-616022151-183045692-1389677156-1002\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.centurylink.net/ -> Found

[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-616022151-183045692-1389677156-1002\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.centurylink.net/ -> Found

[PUM.HomePage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found

[PUM.HomePage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found

[PUM.SearchPage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found

[PUM.SearchPage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found

[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-616022151-183045692-1389677156-1002\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found

[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-616022151-183045692-1389677156-1002\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found

[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found

[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found

[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 65.164.201.148 65.41.112.28 151.164.14.201 [UNITED STATES (US)] -> Found

[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 65.164.201.148 65.41.112.28 151.164.14.201 [UNITED STATES (US)] -> Found

[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 65.164.201.148 65.41.112.28 151.164.14.201 [UNITED STATES (US)] -> Found

[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3DA0890A-2924-4051-9A03-16DBB86235F1} | DhcpNameServer : 65.164.201.148 65.41.112.28 151.164.14.201 [UNITED STATES (US)] -> Found

[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3DA0890A-2924-4051-9A03-16DBB86235F1} | DhcpNameServer : 65.164.201.148 65.41.112.28 151.164.14.201 [UNITED STATES (US)] -> Found

[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{3DA0890A-2924-4051-9A03-16DBB86235F1} | DhcpNameServer : 65.164.201.148 65.41.112.28 151.164.14.201 [UNITED STATES (US)] -> Found

[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found

[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found

[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found

[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found

¤¤¤ Tasks : 2 ¤¤¤

[Suspicious.Path] \\IHSelfDeleteTASK -- CMD (/C DEL C:\Users\Heathman\AppData\Local\Temp\IHUFC87.tmp.exe) -> Found

[Suspicious.Path] \\IHUninstallTrackingTASK -- CMD (/C DEL C:\Users\Heathman\AppData\Local\Temp\IHUC64A.tmp.exe) -> Found

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 1 ¤¤¤

[C:\windows\System32\drivers\etc\hosts] 127.0.0.1 localhost

¤¤¤ Antirootkit : 48 (Driver: Loaded) ¤¤¤

[IAT:Inl] (explorer.exe) USER32.dll - SetFocus : Unknown @ 0x77010298 (jmp 0xffffffffffec3078)

[IAT:Inl] (explorer.exe) ole32.dll - CoCreateInstance : Unknown @ 0x7fefd3d0298 (jmp 0xfffffffffff28e08)

[IAT:Inl] (explorer.exe @ SHELL32.dll) USER32.dll - SetFocus : Unknown @ 0x77010298 (jmp 0xffffffffffec3078)

[IAT:Inl] (explorer.exe @ SHELL32.dll) ole32.dll - CoCreateInstance : Unknown @ 0x7fefd3d0298 (jmp 0xfffffffffff28e08)

[IAT:Inl] (explorer.exe @ ole32.dll) USER32.dll - SetFocus : Unknown @ 0x77010298 (jmp 0xffffffffffec3078)

[IAT:Inl] (explorer.exe @ OLEAUT32.dll) ole32.dll - CoCreateInstance : Unknown @ 0x7fefd3d0298 (jmp 0xfffffffffff28e08)

[IAT:Inl] (explorer.exe @ OLEAUT32.dll) USER32.dll - SetFocus : Unknown @ 0x77010298 (jmp 0xffffffffffec3078)

[IAT:Inl] (explorer.exe @ EXPLORERFRAME.dll) USER32.dll - SetFocus : Unknown @ 0x77010298 (jmp 0xffffffffffec3078)

[IAT:Inl] (explorer.exe @ DUser.dll) USER32.dll - SetFocus : Unknown @ 0x77010298 (jmp 0xffffffffffec3078)

[IAT:Inl] (explorer.exe @ DUI70.dll) USER32.dll - SetFocus : Unknown @ 0x77010298 (jmp 0xffffffffffec3078)

[IAT:Inl] (explorer.exe @ SETUPAPI.dll) USER32.dll - SetFocus : Unknown @ 0x77010298 (jmp 0xffffffffffec3078)

[IAT:Inl] (explorer.exe @ PROPSYS.dll) ole32.dll - CoCreateInstance : Unknown @ 0x7fefd3d0298 (jmp 0xfffffffffff28e08)

[IAT:Inl] (explorer.exe @ iertutil.dll) KERNEL32.dll - GetUserDefaultLocaleName : Unknown @ 0x76ff0298 (jmp 0xfffffffffff84758)

[IAT:Inl] (explorer.exe @ urlmon.dll) WININET.dll - InternetSetCookieExW : Unknown @ 0x7fefd720298 (jmp 0xffffffffffe6b3f8)

[IAT:Inl] (explorer.exe @ OLEACC.dll) ole32.dll - CoCreateInstance : Unknown @ 0x7fefd3d0298 (jmp 0xfffffffffff28e08)

[IAT:Inl] (explorer.exe @ CLBCatQ.DLL) ole32.dll - CoCreateInstance : Unknown @ 0x7fefd3d0298 (jmp 0xfffffffffff28e08)

[IAT:Inl] (explorer.exe @ mshtml.dll) KERNEL32.dll - GetSystemDefaultLocaleName : Unknown @ 0x77000298 (jmp 0xfffffffffff94708)

[IAT:Inl] (explorer.exe @ mshtml.dll) KERNEL32.dll - GetUserDefaultLocaleName : Unknown @ 0x76ff0298 (jmp 0xfffffffffff84758)

[IAT:Inl] (explorer.exe @ mshtml.dll) KERNEL32.dll - GetThreadPreferredUILanguages : Unknown @ 0x76fe0298 (jmp 0xfffffffffffbb2c8)

[IAT:Inl] (explorer.exe @ mshtml.dll) USER32.dll - SetFocus : Unknown @ 0x77010298 (jmp 0xffffffffffec3078)

[IAT:Inl] (explorer.exe @ mshtml.dll) WININET.dll - InternetSetCookieExW : Unknown @ 0x7fefd720298 (jmp 0xffffffffffe6b3f8)

[IAT:Inl] (explorer.exe @ comctl32.dll) USER32.dll - SetFocus : Unknown @ 0x77010298 (jmp 0xffffffffffec3078)

[IAT:Inl] (explorer.exe @ ieframe.dll) KERNEL32.dll - GetSystemDefaultLocaleName : Unknown @ 0x77000298 (jmp 0xfffffffffff94708)

[IAT:Inl] (explorer.exe @ ieframe.dll) KERNEL32.dll - GetUserDefaultLocaleName : Unknown @ 0x76ff0298 (jmp 0xfffffffffff84758)

[IAT:Inl] (explorer.exe @ ieframe.dll) KERNEL32.dll - GetThreadPreferredUILanguages : Unknown @ 0x76fe0298 (jmp 0xfffffffffffbb2c8)

[IAT:Inl] (explorer.exe @ ieframe.dll) USER32.dll - SetFocus : Unknown @ 0x77010298 (jmp 0xffffffffffec3078)

[IAT:Inl] (explorer.exe @ ieframe.dll) WINMM.dll - PlaySoundW : Unknown @ 0x7fefb130298 (jmp 0xfffffffffffee154)

[IAT:Inl] (explorer.exe @ ieframe.dll) urlmon.dll - ObtainUserAgentString : Unknown @ 0x7fefee90298 (jmp 0x52b890)

[IAT:Inl] (explorer.exe @ netprofm.dll) ole32.dll - CoCreateInstance : Unknown @ 0x7fefd3d0298 (jmp 0xfffffffffff28e08)

[IAT:Inl] (explorer.exe @ d2d1.dll) ole32.dll - CoCreateInstance : Unknown @ 0x7fefd3d0298 (jmp 0xfffffffffff28e08)

[IAT:Inl] (explorer.exe @ jscript9.dll) KERNEL32.dll - GetUserDefaultLocaleName : Unknown @ 0x76ff0298 (jmp 0xfffffffffff84758)

[IAT:Inl] (explorer.exe @ uiautomationcore.dll) USER32.dll - SetFocus : Unknown @ 0x77010298 (jmp 0xffffffffffec3078)

[IAT:Inl] (explorer.exe @ uiautomationcore.dll) ole32.dll - CoCreateInstance : Unknown @ 0x7fefd3d0298 (jmp 0xfffffffffff28e08)

[IAT:Inl] (explorer.exe @ Flash64_15_0_0_167.ocx) WINMM.dll - waveOutOpen : Unknown @ 0x7fefb120298 (jmp 0xfffffffffffdc9c8)

[IAT:Inl] (explorer.exe @ Flash64_15_0_0_167.ocx) USER32.dll - SetFocus : Unknown @ 0x77010298 (jmp 0xffffffffffec3078)

[IAT:Inl] (explorer.exe @ Flash64_15_0_0_167.ocx) ole32.dll - CoCreateInstance : Unknown @ 0x7fefd3d0298 (jmp 0xfffffffffff28e08)

[IAT:Inl] (explorer.exe @ DSOUND.dll) ole32.dll - CoCreateInstance : Unknown @ 0x7fefd3d0298 (jmp 0xfffffffffff28e08)

[IAT:Inl] (explorer.exe @ COMDLG32.dll) USER32.dll - SetFocus : Unknown @ 0x77010298 (jmp 0xffffffffffec3078)

[IAT:Inl] (explorer.exe @ mscms.dll) KERNEL32.dll - GetThreadPreferredUILanguages : Unknown @ 0x76fe0298 (jmp 0xfffffffffffbb2c8)

[IAT:Inl] (explorer.exe @ wdmaud.drv) ole32.dll - CoCreateInstance : Unknown @ 0x7fefd3d0298 (jmp 0xfffffffffff28e08)

[IAT:Inl] (explorer.exe @ wdmaud.drv) WINMM.dll - waveOutOpen : Unknown @ 0x7fefb120298 (jmp 0xfffffffffffdc9c8)

[IAT:Inl] (explorer.exe @ AUDIOSES.DLL) ole32.dll - CoCreateInstance : Unknown @ 0x7fefd3d0298 (jmp 0xfffffffffff28e08)

[IAT:Inl] (explorer.exe @ msacm32.drv) WINMM.dll - waveOutOpen : Unknown @ 0x7fefb120298 (jmp 0xfffffffffffdc9c8)

[IAT:Inl] (explorer.exe @ MSACM32.dll) WINMM.dll - waveOutOpen : Unknown @ 0x7fefb120298 (jmp 0xfffffffffffdc9c8)

[IAT:Inl] (explorer.exe @ windowscodecs.dll) ole32.dll - CoCreateInstance : Unknown @ 0x7fefd3d0298 (jmp 0xfffffffffff28e08)

[IAT:Inl] (explorer.exe @ windowscodecsext.dll) ole32.dll - CoCreateInstance : Unknown @ 0x7fefd3d0298 (jmp 0xfffffffffff28e08)

[IAT:Inl] (explorer.exe @ msxml6.dll) ole32.dll - CoCreateInstance : Unknown @ 0x7fefd3d0298 (jmp 0xfffffffffff28e08)

[IAT:Inl] (explorer.exe @ MSOXMLMF.DLL) ole32.dll - CoCreateInstance : Unknown @ 0x7fefd3d0298 (jmp 0xfffffffffff28e08)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤

+++++ PhysicalDrive0: Seagate ST95005620AS +++++

--- User ---

[MBR] d0929ba94c8d9e998f573c414fa4cfb5

[BSP] d803be37aa408e04be634fa22ecd844a : HP MBR Code

Partition table:

0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 MB

1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 3074048 | Size: 460012 MB

2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 945178624 | Size: 15427 MB

User = LL1 ... OK

User = LL2 ... OK

============================================

RKreport_SCN_10312014_084443.log


I currently have a second case like yours, with outgoing queries. Will consult some experts, bear with me. It may take a day or two.


OK thank you. Is there anything I should do in the meantime? Clear temp or internet history/temp files? Or leave as is?


Leave as it is. Try not to make any changes unless told to do so; I don't know what info will be mandatory for us.

Will keep you posted.


Good morning. Just thought I'd check in. Still having issue with explorer.exe. Looking in task manager processes I have several explorer.exe and iexplorer.exe *32 processes running at once as well as a large number of Ygzttbopiw.exe *32 processes that have google chrome as the description. Don't know if it's something new or related to the earlier issue. Thanks


Yes, I know. Since we have more than one case like this recently, we're discussing it, but no joy at all so far. We're building a checkup plan; hopefully later today I will have something more to go with.

 

I'm sorry for the delay, but for now we are unable to identify the culprit.
