
secondclick redirect and catchme.sys question [Solved]



#1
mugratt
  • Member
  • 18 posts
Hi, hope someone can help. I have given this my all prior to asking for help. Used all the cleaners and such (i.e. Malwarebytes, SUPERAntiSpyware, TDSSKiller, Comodo, Kaspersky, Spybot, SpyHunter, Trend Micro, etc.). The main problem is everything's slow. When I click on a link, I get redirected to another site, but nothing ever loads. If I hit Alt and the back arrow, the page loads. I notice the same IP a lot, and it also says secondclick a lot in the address bar. The IP is usually 64.15.72.104. I just want to get rid of this and pray it didn't get my info. I saw when I ran Autoruns there was a sys file called catchme. I tried to research it, and some say it's OK because other programs use it, and some say it's a malicious keylogger. I tried your previous posts on how to get rid of a redirect; however, OTM will not download. First it came up as malware from Comodo; I disabled it and it downloads, but nothing's there. I run Windows 7 Ultimate on an Acer laptop. I'm going to post the OTL log and extras, but I can't get OTM to follow those listed steps. If any additional info is required, like the Autoruns log or something, let me know. There was also one in there called prsbdrvr.sys, but I couldn't run that one down. A few programs started to go screwy: Windows Update wouldn't load (got that one working, but it still errors occasionally), Microsoft Security Essentials won't update so it won't run, and Panda Cloud keeps finding the same fake malware that it removed 2x. I no longer see it there, but it keeps popping up every time I run it. Thanks in advance. There's been a lot cleaned off, but it still is not right. If you need info quick, email me at [email protected]; I usually get that right away.



Edited by mugratt, 19 February 2013 - 08:56 PM.




#2
gringo_pr
  • Trusted Helper
  • Malware Removal
  • 7,268 posts
Hello mugratt

Welcome to The Forums!!

Around here they call me Gringo and I'll be glad to help you with your malware problems.


Very Important --> Please read this post completely. I have spent my time putting together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!


  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines; these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", as this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable, and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.




These are the programs I would like you to run next; if you have any problems with one of them, just skip it and run the next one.

-Security Check-

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-AdwCleaner-

  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

-RogueKiller-

  • Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then click on the "Scan" button.
  • Wait until the Status box shows "Scan Finished".
  • Click on "Delete".
  • Wait until the Status box shows "Deleting Finished".
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop.
  • Exit/Close RogueKiller.

Gringo

#3
mugratt
  • Topic Starter
  • Member
  • 18 posts
Thank you for your quick reply and well-explained response. I have run the first two programs you asked for. The first one had some kind of error, but then it kept going. The second one worked as it was supposed to, I'm guessing. RogueKiller will not download; I rebooted and tried again after shutting down Comodo, and tried getting it from another source, but no luck. It did the same thing as the OTM file: it downloads and is listed in the browser downloads, but there's nothing there; even the icon is wrong. I'm not sure where the first log posted; maybe it didn't save? I don't want to run it again unless you say. Here are the 2 logs from the second program. Thanks again in advance.

# AdwCleaner v2.112 - Logfile created 02/20/2013 at 11:39:38
# Updated 10/02/2013 by Xplode
# Operating system : Windows 7 Ultimate Service Pack 1 (32 bits)
# User : Mugratt - MUGRATT-PC
# Boot Mode : Normal
# Running from : C:\Users\Mugratt\desktop\adwcleaner0.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

Folder Found : C:\Program Files\Glarysoft Toolbar
Folder Found : C:\Users\Mugratt\AppData\LocalLow\Toolbar4

***** [Registry] *****

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{32D47EA5-9473-4CAD-805D-9999F15D5AE2}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{A7AF277D-1466-4A7B-93AF-B043984A5671}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{32D47EA5-9473-4CAD-805D-9999F15D5AE2}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A7AF277D-1466-4A7B-93AF-B043984A5671}
Key Found : HKLM\SOFTWARE\Classes\AppID\{4CE516A7-F7AC-4628-B411-8F886DC5733E}
Key Found : HKLM\SOFTWARE\Classes\AppID\{628F3201-34D0-49C0-BB9A-82A26AEFB291}
Key Found : HKLM\SOFTWARE\Classes\AppID\TbCommonUtils.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\TbHelper.EXE
Key Found : HKLM\SOFTWARE\Classes\CLSID\{1C950DE5-D31E-42FB-AFB9-91B0161633D8}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{32D47EA5-9473-4CAD-805D-9999F15D5AE2}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3BDF4CE9-E81D-432B-A55E-9F0570CE811F}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{9F34B17E-FF0D-4FAB-97C4-9713FEE79052}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{A7AF277D-1466-4A7B-93AF-B043984A5671}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{A9A56B8E-2DEB-4ED3-BC92-1FA450BCE1A5}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{AE338F6D-5A7C-4D1D-86E3-C618532079B5}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{C339D489-FABC-41DD-B39D-276101667C70}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{D433A9D0-8267-40CB-8AD5-24F22FA5373F}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{D565B35E-B787-40FA-95E3-E3562F8FC1A0}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{D89031C2-10DA-4C90-9A62-FCED012BC46B}
Key Found : HKLM\SOFTWARE\Classes\Interface\{01221FCC-4BFB-461C-B08C-F6D2DF309921}
Key Found : HKLM\SOFTWARE\Classes\Interface\{0FA32667-9A8A-4E9C-902F-CA3323180003}
Key Found : HKLM\SOFTWARE\Classes\Interface\{2A42D13C-D427-4787-821B-CF6973855778}
Key Found : HKLM\SOFTWARE\Classes\Interface\{3D8478AA-7B88-48A9-8BCB-B85D594411EC}
Key Found : HKLM\SOFTWARE\Classes\Interface\{452AE416-9A97-44CA-93DA-D0F15C36254F}
Key Found : HKLM\SOFTWARE\Classes\Interface\{45CDA4F7-594C-49A0-AAD1-8224517FE979}
Key Found : HKLM\SOFTWARE\Classes\Interface\{4D8ED2B3-DC62-43EC-ABA3-5B74F046B1BE}
Key Found : HKLM\SOFTWARE\Classes\Interface\{6B458F62-592F-4B25-8967-E6A350A59328}
Key Found : HKLM\SOFTWARE\Classes\Interface\{81E852CC-1FD5-4004-8761-79A48B975E29}
Key Found : HKLM\SOFTWARE\Classes\Interface\{95B6A271-FEB4-4160-B0FF-44394C21C8DC}
Key Found : HKLM\SOFTWARE\Classes\Interface\{B2CA345D-ADB8-4F5D-AC64-4AB34322F659}
Key Found : HKLM\SOFTWARE\Classes\Interface\{B9F43021-60D4-42A6-A065-9BA37F38AC47}
Key Found : HKLM\SOFTWARE\Classes\Interface\{BF921DD3-732A-4A11-933B-A5EA49F2FD2C}
Key Found : HKLM\SOFTWARE\Classes\Interface\{D83B296A-2FA6-425B-8AE8-A1F33D99FBD6}
Key Found : HKLM\SOFTWARE\Classes\Interface\{E67D5BC7-7129-493E-9281-F47BDAFACE4F}
Key Found : HKLM\SOFTWARE\Classes\Interface\{FCC9CDD3-EFFF-11D1-A9F0-00A0244AC403}
Key Found : HKLM\SOFTWARE\Classes\TbCommonUtils.CommonUtils
Key Found : HKLM\SOFTWARE\Classes\TbCommonUtils.CommonUtils.1
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbDownloadManager
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbDownloadManager.1
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbPropertyManager
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbPropertyManager.1
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbRequest
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbRequest.1
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbTask
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbTask.1
Key Found : HKLM\SOFTWARE\Classes\TbHelper.ToolbarHelper
Key Found : HKLM\SOFTWARE\Classes\TbHelper.ToolbarHelper.1
Key Found : HKLM\SOFTWARE\Classes\Toolbar3.ContextMenuNotifier
Key Found : HKLM\SOFTWARE\Classes\Toolbar3.ContextMenuNotifier.1
Key Found : HKLM\SOFTWARE\Classes\Toolbar3.CustomInternetSecurityImpl
Key Found : HKLM\SOFTWARE\Classes\Toolbar3.CustomInternetSecurityImpl.1
Key Found : HKLM\SOFTWARE\Classes\Toolbar3.SearchProviderManager
Key Found : HKLM\SOFTWARE\Classes\Toolbar3.SearchProviderManager.1
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{B87F8B63-7274-43FD-87FA-09D3B7496148}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{C4BAE205-5E02-4E32-876E-F34B4E2D000C}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{EC4085F2-8DB3-45A6-AD0B-CA289F3C5D7E}
Key Found : HKLM\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook
Key Found : HKLM\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1
Key Found : HKLM\Software\Freeze.com
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{628F3201-34D0-49C0-BB9A-82A26AEFB291}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7AF277D-1466-4A7B-93AF-B043984A5671}
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{32D47EA5-9473-4CAD-805D-9999F15D5AE2}]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{32D47EA5-9473-4CAD-805D-9999F15D5AE2}]

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16464

[HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls - Tabs] = hxxp://isearch.glarysoft.com/?src=newtab

-\\ Mozilla Firefox v17.0.1 (en-US)

File : C:\Users\Mugratt\AppData\Roaming\Mozilla\Firefox\Profiles\oy848bhb.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [5902 octets] - [20/02/2013 11:39:38]
AdwCleaner[S1].txt - [321 octets] - [20/02/2013 11:39:15]

########## EOF - C:\AdwCleaner[R1].txt - [6021 octets] ##########




Here is after delete:


# AdwCleaner v2.112 - Logfile created 02/20/2013 at 11:40:35
# Updated 10/02/2013 by Xplode
# Operating system : Windows 7 Ultimate Service Pack 1 (32 bits)
# User : Mugratt - MUGRATT-PC
# Boot Mode : Normal
# Running from : C:\Users\Mugratt\desktop\adwcleaner0.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Deleted on reboot : C:\Program Files\Glarysoft Toolbar
Folder Deleted : C:\Users\Mugratt\AppData\LocalLow\Toolbar4

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{32D47EA5-9473-4CAD-805D-9999F15D5AE2}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{A7AF277D-1466-4A7B-93AF-B043984A5671}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{32D47EA5-9473-4CAD-805D-9999F15D5AE2}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A7AF277D-1466-4A7B-93AF-B043984A5671}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4CE516A7-F7AC-4628-B411-8F886DC5733E}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{628F3201-34D0-49C0-BB9A-82A26AEFB291}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\TbCommonUtils.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\TbHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1C950DE5-D31E-42FB-AFB9-91B0161633D8}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{32D47EA5-9473-4CAD-805D-9999F15D5AE2}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3BDF4CE9-E81D-432B-A55E-9F0570CE811F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9F34B17E-FF0D-4FAB-97C4-9713FEE79052}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A7AF277D-1466-4A7B-93AF-B043984A5671}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A9A56B8E-2DEB-4ED3-BC92-1FA450BCE1A5}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE338F6D-5A7C-4D1D-86E3-C618532079B5}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{C339D489-FABC-41DD-B39D-276101667C70}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D433A9D0-8267-40CB-8AD5-24F22FA5373F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D565B35E-B787-40FA-95E3-E3562F8FC1A0}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D89031C2-10DA-4C90-9A62-FCED012BC46B}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{01221FCC-4BFB-461C-B08C-F6D2DF309921}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{0FA32667-9A8A-4E9C-902F-CA3323180003}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2A42D13C-D427-4787-821B-CF6973855778}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3D8478AA-7B88-48A9-8BCB-B85D594411EC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{452AE416-9A97-44CA-93DA-D0F15C36254F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{45CDA4F7-594C-49A0-AAD1-8224517FE979}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4D8ED2B3-DC62-43EC-ABA3-5B74F046B1BE}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6B458F62-592F-4B25-8967-E6A350A59328}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{81E852CC-1FD5-4004-8761-79A48B975E29}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{95B6A271-FEB4-4160-B0FF-44394C21C8DC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B2CA345D-ADB8-4F5D-AC64-4AB34322F659}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B9F43021-60D4-42A6-A065-9BA37F38AC47}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BF921DD3-732A-4A11-933B-A5EA49F2FD2C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D83B296A-2FA6-425B-8AE8-A1F33D99FBD6}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E67D5BC7-7129-493E-9281-F47BDAFACE4F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FCC9CDD3-EFFF-11D1-A9F0-00A0244AC403}
Key Deleted : HKLM\SOFTWARE\Classes\TbCommonUtils.CommonUtils
Key Deleted : HKLM\SOFTWARE\Classes\TbCommonUtils.CommonUtils.1
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.TbDownloadManager
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.TbDownloadManager.1
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.TbPropertyManager
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.TbPropertyManager.1
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.TbRequest
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.TbRequest.1
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.TbTask
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.TbTask.1
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.ToolbarHelper
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.ToolbarHelper.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.ContextMenuNotifier
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.ContextMenuNotifier.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.CustomInternetSecurityImpl
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.CustomInternetSecurityImpl.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.SearchProviderManager
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.SearchProviderManager.1
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{B87F8B63-7274-43FD-87FA-09D3B7496148}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C4BAE205-5E02-4E32-876E-F34B4E2D000C}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{EC4085F2-8DB3-45A6-AD0B-CA289F3C5D7E}
Key Deleted : HKLM\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook
Key Deleted : HKLM\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1
Key Deleted : HKLM\Software\Freeze.com
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{628F3201-34D0-49C0-BB9A-82A26AEFB291}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7AF277D-1466-4A7B-93AF-B043984A5671}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{32D47EA5-9473-4CAD-805D-9999F15D5AE2}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{32D47EA5-9473-4CAD-805D-9999F15D5AE2}]

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16464


-\\ Mozilla Firefox v17.0.1 (en-US)

File : C:\Users\Mugratt\AppData\Roaming\Mozilla\Firefox\Profiles\oy848bhb.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [6090 octets] - [20/02/2013 11:39:38]
AdwCleaner[S1].txt - [321 octets] - [20/02/2013 11:39:15]
AdwCleaner[S2].txt - [6051 octets] - [20/02/2013 11:40:35]

########## EOF - C:\AdwCleaner[S2].txt - [6111 octets] ##########
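A helper's first check on a pair of AdwCleaner logs like the two above is whether the [Delete] run actually covered everything the [Search] run found. The following is an added example written for this thread (not code from the thread or from AdwCleaner) that parses both logs and reports what was removed, what is deferred to reboot, and what was detected but never deleted; the embedded logs are constructed excerpts in the format posted above, and the ConstructedVendor\Leftover key is invented to exercise the "missed" path.

```python
"""Reconcile an AdwCleaner v2 [Search] log against its [Delete] log.

Added example for this thread; not code from the thread or from AdwCleaner.
The two logs below are constructed excerpts in the format posted above; the
ConstructedVendor\\Leftover key is invented to exercise the 'missed' path.
"""
import re
from collections import Counter

SEARCH_LOG = r"""
# AdwCleaner v2.112 - Logfile created 02/20/2013 at 11:39:38
# Option [Search]

***** [Files / Folders] *****

Folder Found : C:\Program Files\Glarysoft Toolbar
Folder Found : C:\Users\Mugratt\AppData\LocalLow\Toolbar4

***** [Registry] *****

Key Found : HKLM\Software\Freeze.com
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7AF277D-1466-4A7B-93AF-B043984A5671}
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{32D47EA5-9473-4CAD-805D-9999F15D5AE2}]
Key Found : HKCU\Software\ConstructedVendor\Leftover

***** [Internet Browsers] *****

[OK] File is clean.
"""

DELETE_LOG = r"""
# AdwCleaner v2.112 - Logfile created 02/20/2013 at 11:40:35
# Option [Delete]

***** [Files / Folders] *****

Deleted on reboot : C:\Program Files\Glarysoft Toolbar
Folder Deleted : C:\Users\Mugratt\AppData\LocalLow\Toolbar4

***** [Registry] *****

Key Deleted : HKLM\Software\Freeze.com
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7AF277D-1466-4A7B-93AF-B043984A5671}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{32D47EA5-9473-4CAD-805D-9999F15D5AE2}]
"""

# One finding per line: "<Kind> Found : <target>", "<Kind> Deleted : <target>",
# or the kind-less "Deleted on reboot : <target>" used for locked folders.
ENTRY_RE = re.compile(
    r"^(?:(?P<kind>Folder|File|Key|Value|Service)\s+)?"
    r"(?P<action>Found|Deleted on reboot|Deleted)\s*:\s*(?P<target>.+?)\s*$"
)


def normalise(target):
    """Registry and NTFS paths are case-insensitive; the logs mix Software/SOFTWARE."""
    return target.strip().casefold()


def parse(log_text):
    """Return {normalised target: (kind, action)} for every Found/Deleted line."""
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m is None:
            continue  # header, section banner or browser-settings line
        # "Deleted on reboot" lines carry no kind; assumed to be a folder, as in the thread.
        kind = m.group("kind") or "Folder"
        entries[normalise(m.group("target"))] = (kind, m.group("action"))
    return entries


def summarise(log_text):
    """Count detections per kind, e.g. Counter({'Key': 3, 'Folder': 2, 'Value': 1})."""
    return Counter(kind for kind, _ in parse(log_text).values())


def reconcile(search_text, delete_text):
    """Compare what the Search run found with what the Delete run reports.

    removed         found and reported deleted
    pending_reboot  reported as deleted on reboot (re-check after the restart)
    missed          found but absent from the Delete log: needs manual follow-up
    unexpected      deleted but never reported found (logs from different runs?)
    """
    found, deleted = parse(search_text), parse(delete_text)
    return {
        "removed": sorted(t for t, (_, a) in deleted.items() if a == "Deleted" and t in found),
        "pending_reboot": sorted(t for t, (_, a) in deleted.items() if a == "Deleted on reboot"),
        "missed": sorted(t for t in found if t not in deleted),
        "unexpected": sorted(t for t in deleted if t not in found),
    }


if __name__ == "__main__":
    print("Detections by kind:", dict(summarise(SEARCH_LOG)))
    for label, items in reconcile(SEARCH_LOG, DELETE_LOG).items():
        print(f"{label} ({len(items)}):")
        for target in items:
            print("   ", target)
```

Anything listed under "missed" or "pending_reboot" is what to look for in the next scan before calling the adware cleanup done.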

#4
gringo_pr
  • Trusted Helper
  • Malware Removal
  • 7,268 posts
Hello mugratt

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it is running; that may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#5
mugratt
  • Topic Starter
  • Member
  • 18 posts
ComboFix will not run; I get this: error opening file for writing c:\32788r22fwjfw\awf.cmd abort retry skip. I tried uninstalling it via combofix /u, then reinstalling. It just won't run. The only other thing is the downloading problems. It seems to be running better, but I have tried not going online too much with the redirect till this gets resolved, but it hasn't done it yet, lol.

#6
mugratt
  • Topic Starter
  • Member
  • 18 posts
OK, update! After looking around to no avail on how to clean the uninstall, I finally got it to run in Safe Mode. I then rebooted and re-ran it normally. It ran all the way through. I did get one error that popped up that said pev has stopped working; I'm not sure what that is yet. I had Comodo shut down, but it said there was active protection. I ran it anyway. I couldn't find any other way or thing running to shut off, but here is the ComboFix log.


ComboFix 12-06-28.03 - Mugratt 02/20/2013 15:40:39.16.1 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3002.2130 [GMT -5:00]
Running from: c:\users\Mugratt\Desktop\ComboFix.exe
AV: COMODO Antivirus *Enabled/Updated* {458BB331-2324-0753-3D5F-1472EB102AC0}
SP: COMODO Antivirus *Enabled/Updated* {FEEA52D5-051E-08DD-07EF-2F009097607D}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2013-01-20 to 2013-02-20 )))))))))))))))))))))))))))))))
.
.
2013-02-20 20:52 . 2013-02-20 20:52 -------- d-----w- c:\users\Public\AppData\Local\temp
2013-02-20 20:52 . 2013-02-20 20:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-02-20 20:36 . 2013-02-20 20:38 -------- d-----w- C:\32788R22FWJFW
2013-02-20 01:10 . 2013-02-20 01:10 388096 ----a-r- c:\users\Mugratt\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2013-02-20 01:10 . 2013-02-20 01:10 -------- d-----w- c:\program files\Trend Micro
2013-02-20 00:17 . 2013-02-20 00:24 -------- d-----w- C:\c7d9dd911254c6c9f6d79532193cccee
2013-02-19 22:07 . 2013-01-08 04:57 6991832 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D344839F-7953-4F68-943A-448DFC652FC9}\mpengine.dll
2013-02-19 22:07 . 2013-02-19 22:07 -------- d-----w- C:\13095ff7a1b3714f10776e22
2013-02-19 21:56 . 2009-06-30 15:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2013-02-19 14:46 . 2013-02-19 21:56 -------- d-----w- c:\program files\Panda Security
2013-02-19 13:09 . 2012-07-26 03:39 526952 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2013-02-19 13:09 . 2012-07-26 03:39 47720 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2013-02-19 13:09 . 2012-07-26 02:46 9728 ----a-w- c:\windows\system32\Wdfres.dll
2013-02-19 13:08 . 2012-07-26 03:20 73216 ----a-w- c:\windows\system32\WUDFSvc.dll
2013-02-19 13:08 . 2012-07-26 03:20 172032 ----a-w- c:\windows\system32\WUDFPlatform.dll
2013-02-19 13:08 . 2012-07-26 02:33 66560 ----a-w- c:\windows\system32\drivers\WUDFPf.sys
2013-02-19 13:08 . 2012-07-26 02:32 155136 ----a-w- c:\windows\system32\drivers\WUDFRd.sys
2013-02-19 13:08 . 2012-07-26 03:21 196608 ----a-w- c:\windows\system32\WUDFHost.exe
2013-02-19 13:08 . 2012-07-26 03:20 613888 ----a-w- c:\windows\system32\WUDFx.dll
2013-02-19 13:08 . 2012-07-26 03:20 38912 ----a-w- c:\windows\system32\WUDFCoinstaller.dll
2013-02-19 13:06 . 2012-08-24 16:57 247808 ----a-w- c:\windows\system32\schannel.dll
2013-02-19 13:06 . 2012-08-24 17:05 136560 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2013-02-19 13:06 . 2012-08-24 17:02 369856 ----a-w- c:\windows\system32\drivers\cng.sys
2013-02-19 13:06 . 2012-08-24 16:56 1039360 ----a-w- c:\windows\system32\lsasrv.dll
2013-02-19 13:04 . 2011-03-11 05:33 1699328 ----a-w- c:\windows\system32\esent.dll
2013-02-19 13:03 . 2011-02-19 06:30 805376 ----a-w- c:\windows\system32\FntCache.dll
2013-02-19 13:00 . 2012-08-02 16:57 490496 ----a-w- c:\windows\system32\d3d10level9.dll
2013-02-19 12:57 . 2012-10-09 17:40 44032 ----a-w- c:\windows\system32\dhcpcsvc6.dll
2013-02-19 12:57 . 2012-10-09 17:40 193536 ----a-w- c:\windows\system32\dhcpcore6.dll
2013-02-19 12:57 . 2012-04-07 11:26 2342400 ----a-w- c:\windows\system32\msi.dll
2013-02-19 12:57 . 2012-05-01 04:44 164352 ----a-w- c:\windows\system32\profsvc.dll
2013-02-19 00:47 . 2013-02-19 00:51 -------- d-----w- C:\ca3ae6b5f5ab6e2d509f2b
2013-02-18 23:42 . 2013-01-05 05:00 3967848 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-02-18 23:42 . 2013-01-05 05:00 3913064 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-02-18 22:57 . 2012-12-16 14:13 295424 ----a-w- c:\windows\system32\atmfd.dll
2013-02-18 22:57 . 2012-12-16 14:13 34304 ----a-w- c:\windows\system32\atmlib.dll
2013-02-18 22:42 . 2013-02-18 22:42 -------- d-----w- c:\program files\MSXML 4.0
2013-02-18 22:30 . 2012-06-02 04:36 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2013-02-18 22:30 . 2012-06-02 04:36 1159680 ----a-w- c:\windows\system32\crypt32.dll
2013-02-18 22:30 . 2012-06-02 04:36 103936 ----a-w- c:\windows\system32\cryptnet.dll
2013-02-18 22:26 . 2012-09-25 22:47 78336 ----a-w- c:\windows\system32\synceng.dll
2013-02-18 22:25 . 2012-11-23 02:48 49152 ----a-w- c:\windows\system32\taskhost.exe
2013-02-18 22:24 . 2012-11-09 04:42 2048 ----a-w- c:\windows\system32\tzres.dll
2013-02-18 22:23 . 2012-05-14 04:33 769024 ----a-w- c:\windows\system32\localspl.dll
2013-02-18 22:23 . 2013-01-04 04:50 169984 ----a-w- c:\windows\system32\winsrv.dll
2013-02-18 22:15 . 2013-02-20 20:16 -------- d-----w- c:\windows\system32\catroot2
2013-02-18 21:58 . 2013-02-18 21:58 181064 ----a-w- c:\windows\PSEXESVC.EXE
2013-02-18 21:54 . 2010-04-27 16:04 381816 ----a-w- c:\windows\system32\PsExec.exe
2013-02-18 19:46 . 2013-02-19 01:02 -------- d-----w- c:\program files\Microsoft Security Client
2013-02-18 19:14 . 2013-02-18 19:14 -------- d-----w- C:\TDSSKiller_Quarantine
2013-02-18 17:26 . 2012-12-03 14:53 30888 ----a-w- c:\windows\system32\drivers\DasPtct.SYS
2013-02-14 08:23 . 2013-02-14 08:23 66510 ----a-w- c:\windows\system32\drivers\fvstore.dat
2013-02-13 20:18 . 2013-02-13 20:18 -------- d-----w- C:\VTRoot
2013-02-12 00:51 . 2013-02-20 20:44 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2013-02-12 00:51 . 2013-02-12 00:51 -------- d-s---w- c:\programdata\Shared Space
2013-02-12 00:50 . 2013-02-12 00:50 -------- d-----w- c:\programdata\Comodo
2013-02-12 00:49 . 2013-02-12 00:49 -------- d-----w- c:\programdata\Comodo Downloader
2013-02-12 00:49 . 2013-02-12 00:49 -------- d-----w- c:\program files\COMODO
2013-01-25 03:43 . 2013-01-25 03:43 35488 ----a-w- c:\windows\system32\cmdcsr.dll
2013-01-25 03:43 . 2013-01-25 03:43 354752 ----a-w- c:\windows\system32\guard32.dll
2013-01-25 03:42 . 2013-01-25 03:42 40656 ----a-w- c:\windows\system32\cmdkbd32.dll
2013-01-25 03:42 . 2013-01-25 03:42 263888 ----a-w- c:\windows\system32\cmdvrt32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-19 14:24 . 2012-04-26 01:10 71024 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-02-19 14:24 . 2012-04-26 01:10 691568 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-17 06:28 . 2012-04-23 18:49 232336 ------w- c:\windows\system32\MpSigStub.exe
2013-01-17 00:51 . 2013-01-17 00:51 84416 ----a-w- c:\windows\system32\drivers\inspect.sys
2013-01-17 00:51 . 2013-01-17 00:51 43728 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2013-01-17 00:51 . 2013-01-17 00:51 576768 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2013-01-17 00:51 . 2013-01-17 00:51 20072 ----a-w- c:\windows\system32\drivers\cmderd.sys
2012-12-29 22:06 . 2012-12-29 22:06 110080 ----a-r- c:\users\Mugratt\AppData\Roaming\Microsoft\Installer\{4FC9DA9D-F608-454E-8191-D7EFFDCC5726}\IconF7A21AF7.exe
2012-12-29 22:06 . 2012-12-29 22:06 110080 ----a-r- c:\users\Mugratt\AppData\Roaming\Microsoft\Installer\{4FC9DA9D-F608-454E-8191-D7EFFDCC5726}\IconD7F16134.exe
2012-12-22 20:08 . 2012-12-22 20:09 93640 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-12-22 20:08 . 2012-09-09 13:58 859072 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-12-22 20:08 . 2012-04-25 00:21 779704 ----a-w- c:\windows\system32\deployJava1.dll
2012-12-14 21:49 . 2012-06-28 18:09 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-02-06 00:56 . 2013-02-06 00:56 262552 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A7AF277D-1466-4A7B-93AF-B043984A5671}]
2012-12-06 03:05 2669928 ------w- c:\program files\Glarysoft Toolbar\tbcore3.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{32D47EA5-9473-4CAD-805D-9999F15D5AE2}"= "c:\program files\Glarysoft Toolbar\tbcore3.dll" [2012-12-06 2669928]
.
[HKEY_CLASSES_ROOT\clsid\{32d47ea5-9473-4cad-805d-9999f15d5ae2}]
[HKEY_CLASSES_ROOT\TBSB05810.TBSB05810.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\TBSB05810.TBSB05810]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-25 136216]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-25 170520]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-06-19 1537320]
"EKIJ5000StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]
"Acer ePower Management"="c:\program files\Acer\Acer PowerSmart Manager\ePowerTrayLauncher.exe" [2009-10-02 494112]
"PC Pitstop Optimize Scheduler"="c:\program files\PCPitstop\Optimize\PCPOptimize.exe" [2008-03-26 2577120]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cistray.exe" [2013-01-25 1430736]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-10-2 795936]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R0 PRSBDRVR;Nemesis Link;c:\windows\\SystemRoot\system32\drivers\PRSBDRVR.SYS [x]
R2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
R3 cmdvirth;COMODO Virtual Service Manager;c:\program files\COMODO\COMODO Internet Security\cmdvirth.exe [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [x]
S1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\DRIVERS\cmderd.sys [x]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [x]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 ePowerSvc;Acer ePower Service;c:\program files\Acer\Acer PowerSmart Manager\ePowerSvc.exe [x]
S2 NAUpdate;Nero Update;c:\program files\Nero\Update\NASvc.exe [x]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x86.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
GPSvcGroup REG_MULTI_SZ GPSvc
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-20 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-26 14:24]
.
2013-02-20 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2013-01-11 20:58]
.
2013-02-19 c:\windows\Tasks\SpeedyPC Registration3.job
- c:\program files\Common Files\SpeedyPC Software\UUS3\UUS3.dll [2012-11-26 18:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.2.1 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\users\Mugratt\AppData\Roaming\Mozilla\Firefox\Profiles\oy848bhb.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://us.search.yahoo.com/search?fr=ytff-comodo&p=
FF - prefs.js: network.proxy.type - 0
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,38,12,d5,94,07,
72,c2,98,42,03,c9,fd,97,9a,f4,87,69,57
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:7e,85,66,fc,f2,c1,cd,01
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(608)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'Explorer.exe'(2132)
c:\windows\system32\guard32.dll
c:\program files\WIDCOMM\Bluetooth Software\btmmhook.dll
c:\windows\System32\gameux.dll
c:\windows\system32\mssprxy.dll
c:\windows\System32\cscobj.dll
.
Completion time: 2013-02-20 15:57:42
ComboFix-quarantined-files.txt 2013-02-20 20:57
ComboFix2.txt 2013-02-20 20:33
ComboFix3.txt 2013-02-19 16:22
ComboFix4.txt 2013-01-11 04:33
.
Pre-Run: 99,019,665,408 bytes free
Post-Run: 98,958,626,816 bytes free
.
- - End Of File - - 866790EBB9E04DB762B59F438B685A52
  • 0

#7
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello mugratt

At this time I would like you to run this script for me, and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Folder::
c:\program files\Common Files\SpeedyPC Software

File::
c:\windows\Tasks\SpeedyPC Registration3.job

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

  • 0

#8
mugratt

mugratt

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
And another update, sorry, lol. Well, might be Flash not working? idk, but my gf was trying to buy something online, and the box that popped up won't load the bottom portion with the add-to-cart link. She thought she was retarded. I finally gave up as well cause we couldn't order. I thought maybe it was Firefox, so I went to try IE and found out that it won't load at all. The framework comes up and there's the white screen, then it stops, errors and closes itself. Finally went to the other laptop and it was fine. Also, when I tried to redownload Flash it redirected. But maybe Flash was to blame for that in the first place. Maybe the link is bad with a virus? It started when, last time I was having problems, I reinstalled it and this started shortly after. Site should be good? www.adobe.com/software/flash. 2x can't be coincidence? I don't usually use IE, but maybe it's related to the problem with Windows Update, Microsoft Security Essentials, and Flash? I'd still like to fix it though. Thanks again
  • 0

#9
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Uninstall Flash and reinstall it to see if it starts working.
  • 0

#10
mugratt

mugratt

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
ComboFix would not run again; I ran it in safe mode. It finished, rebooted into normal mode, ran a very long time preparing the log, then errored out a lot. Something about the hiv files?? Here is the log. I have to go out now, but I'll try to look as much as possible tonight at work. I'll advise on Flash at that point. It does work, just not right. IE is still down as well.

ComboFix 12-06-28.03 - Mugratt 02/20/2013 17:41:50.17.1 - x86 MINIMAL
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3002.2098 [GMT -5:00]
Running from: c:\users\Mugratt\Desktop\ComboFix.exe
Command switches used :: c:\users\Mugratt\Desktop\CFScript.txt
AV: COMODO Antivirus *Enabled/Updated* {458BB331-2324-0753-3D5F-1472EB102AC0}
SP: COMODO Antivirus *Enabled/Updated* {FEEA52D5-051E-08DD-07EF-2F009097607D}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\windows\Tasks\SpeedyPC Registration3.job"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Common Files\SpeedyPC Software
c:\program files\Common Files\SpeedyPC Software\UUS3\Images\ad_generic.jpg
c:\program files\Common Files\SpeedyPC Software\UUS3\Images\close.png
c:\program files\Common Files\SpeedyPC Software\UUS3\Images\close_md.png
c:\program files\Common Files\SpeedyPC Software\UUS3\Images\close_mo.png
c:\program files\Common Files\SpeedyPC Software\UUS3\Images\close_pu.png
c:\program files\Common Files\SpeedyPC Software\UUS3\Images\close_pu_md.png
c:\program files\Common Files\SpeedyPC Software\UUS3\Images\close_pu_mo.png
c:\program files\Common Files\SpeedyPC Software\UUS3\Images\Logo.png
c:\program files\Common Files\SpeedyPC Software\UUS3\Images\min.png
c:\program files\Common Files\SpeedyPC Software\UUS3\Images\min_md.png
c:\program files\Common Files\SpeedyPC Software\UUS3\Images\min_mo.png
c:\program files\Common Files\SpeedyPC Software\UUS3\Images\progress_glow.png
c:\program files\Common Files\SpeedyPC Software\UUS3\Images\topbar_gradient.png
c:\program files\Common Files\SpeedyPC Software\UUS3\LiteUnzip.dll
c:\program files\Common Files\SpeedyPC Software\UUS3\settings.xml
c:\program files\Common Files\SpeedyPC Software\UUS3\SpeedyPC_Update3.exe
c:\program files\Common Files\SpeedyPC Software\UUS3\UUS3.dll
c:\windows\Tasks\SpeedyPC Registration3.job
.
Infected copy of c:\windows\system32\kernel32.dll was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7601.22209_none_965e9ef5cd9ec94a\kernel32.dll
.
.
((((((((((((((((((((((((( Files Created from 2013-01-20 to 2013-02-20 )))))))))))))))))))))))))))))))
.
.
2013-02-20 22:49 . 2013-02-20 22:52 -------- d-----w- c:\users\Mugratt\AppData\Local\temp
2013-02-20 22:49 . 2013-02-20 22:49 -------- d-----w- c:\users\Public\AppData\Local\temp
2013-02-20 22:49 . 2013-02-20 22:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-02-20 01:10 . 2013-02-20 01:10 388096 ----a-r- c:\users\Mugratt\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2013-02-20 01:10 . 2013-02-20 01:10 -------- d-----w- c:\program files\Trend Micro
2013-02-20 00:17 . 2013-02-20 00:24 -------- d-----w- C:\c7d9dd911254c6c9f6d79532193cccee
2013-02-19 22:07 . 2013-01-08 04:57 6991832 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D344839F-7953-4F68-943A-448DFC652FC9}\mpengine.dll
2013-02-19 22:07 . 2013-02-19 22:07 -------- d-----w- C:\13095ff7a1b3714f10776e22
2013-02-19 21:56 . 2009-06-30 15:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2013-02-19 14:46 . 2013-02-19 21:56 -------- d-----w- c:\program files\Panda Security
2013-02-19 13:09 . 2012-07-26 03:39 526952 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2013-02-19 13:09 . 2012-07-26 03:39 47720 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2013-02-19 13:09 . 2012-07-26 02:46 9728 ----a-w- c:\windows\system32\Wdfres.dll
2013-02-19 13:08 . 2012-07-26 03:20 73216 ----a-w- c:\windows\system32\WUDFSvc.dll
2013-02-19 13:08 . 2012-07-26 03:20 172032 ----a-w- c:\windows\system32\WUDFPlatform.dll
2013-02-19 13:08 . 2012-07-26 02:33 66560 ----a-w- c:\windows\system32\drivers\WUDFPf.sys
2013-02-19 13:08 . 2012-07-26 02:32 155136 ----a-w- c:\windows\system32\drivers\WUDFRd.sys
2013-02-19 13:08 . 2012-07-26 03:21 196608 ----a-w- c:\windows\system32\WUDFHost.exe
2013-02-19 13:08 . 2012-07-26 03:20 613888 ----a-w- c:\windows\system32\WUDFx.dll
2013-02-19 13:08 . 2012-07-26 03:20 38912 ----a-w- c:\windows\system32\WUDFCoinstaller.dll
2013-02-19 13:06 . 2012-08-24 16:57 247808 ----a-w- c:\windows\system32\schannel.dll
2013-02-19 13:06 . 2012-08-24 17:05 136560 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2013-02-19 13:06 . 2012-08-24 17:02 369856 ----a-w- c:\windows\system32\drivers\cng.sys
2013-02-19 13:06 . 2012-08-24 16:56 1039360 ----a-w- c:\windows\system32\lsasrv.dll
2013-02-19 13:04 . 2011-03-11 05:33 1699328 ----a-w- c:\windows\system32\esent.dll
2013-02-19 13:03 . 2011-02-19 06:30 805376 ----a-w- c:\windows\system32\FntCache.dll
2013-02-19 13:00 . 2012-08-02 16:57 490496 ----a-w- c:\windows\system32\d3d10level9.dll
2013-02-19 12:57 . 2012-10-09 17:40 44032 ----a-w- c:\windows\system32\dhcpcsvc6.dll
2013-02-19 12:57 . 2012-10-09 17:40 193536 ----a-w- c:\windows\system32\dhcpcore6.dll
2013-02-19 12:57 . 2012-04-07 11:26 2342400 ----a-w- c:\windows\system32\msi.dll
2013-02-19 12:57 . 2012-05-01 04:44 164352 ----a-w- c:\windows\system32\profsvc.dll
2013-02-19 00:47 . 2013-02-19 00:51 -------- d-----w- C:\ca3ae6b5f5ab6e2d509f2b
2013-02-18 23:42 . 2013-01-05 05:00 3967848 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-02-18 23:42 . 2013-01-05 05:00 3913064 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-02-18 22:57 . 2012-12-16 14:13 295424 ----a-w- c:\windows\system32\atmfd.dll
2013-02-18 22:57 . 2012-12-16 14:13 34304 ----a-w- c:\windows\system32\atmlib.dll
2013-02-18 22:42 . 2013-02-18 22:42 -------- d-----w- c:\program files\MSXML 4.0
2013-02-18 22:30 . 2012-06-02 04:36 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2013-02-18 22:30 . 2012-06-02 04:36 1159680 ----a-w- c:\windows\system32\crypt32.dll
2013-02-18 22:30 . 2012-06-02 04:36 103936 ----a-w- c:\windows\system32\cryptnet.dll
2013-02-18 22:26 . 2012-09-25 22:47 78336 ----a-w- c:\windows\system32\synceng.dll
2013-02-18 22:25 . 2012-11-23 02:48 49152 ----a-w- c:\windows\system32\taskhost.exe
2013-02-18 22:24 . 2012-11-09 04:42 2048 ----a-w- c:\windows\system32\tzres.dll
2013-02-18 22:23 . 2012-05-14 04:33 769024 ----a-w- c:\windows\system32\localspl.dll
2013-02-18 22:23 . 2013-01-04 04:50 169984 ----a-w- c:\windows\system32\winsrv.dll
2013-02-18 22:15 . 2013-02-20 20:16 -------- d-----w- c:\windows\system32\catroot2
2013-02-18 21:58 . 2013-02-18 21:58 181064 ----a-w- c:\windows\PSEXESVC.EXE
2013-02-18 21:54 . 2010-04-27 16:04 381816 ----a-w- c:\windows\system32\PsExec.exe
2013-02-18 19:46 . 2013-02-19 01:02 -------- d-----w- c:\program files\Microsoft Security Client
2013-02-18 19:14 . 2013-02-18 19:14 -------- d-----w- C:\TDSSKiller_Quarantine
2013-02-18 17:26 . 2012-12-03 14:53 30888 ----a-w- c:\windows\system32\drivers\DasPtct.SYS
2013-02-14 08:23 . 2013-02-14 08:23 66510 ----a-w- c:\windows\system32\drivers\fvstore.dat
2013-02-13 20:18 . 2013-02-13 20:18 -------- d-----w- C:\VTRoot
2013-02-12 00:51 . 2013-02-20 22:37 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2013-02-12 00:51 . 2013-02-12 00:51 -------- d-s---w- c:\programdata\Shared Space
2013-02-12 00:50 . 2013-02-12 00:50 -------- d-----w- c:\programdata\Comodo
2013-02-12 00:49 . 2013-02-12 00:49 -------- d-----w- c:\programdata\Comodo Downloader
2013-02-12 00:49 . 2013-02-12 00:49 -------- d-----w- c:\program files\COMODO
2013-01-25 03:43 . 2013-01-25 03:43 35488 ----a-w- c:\windows\system32\cmdcsr.dll
2013-01-25 03:43 . 2013-01-25 03:43 354752 ----a-w- c:\windows\system32\guard32.dll
2013-01-25 03:42 . 2013-01-25 03:42 40656 ----a-w- c:\windows\system32\cmdkbd32.dll
2013-01-25 03:42 . 2013-01-25 03:42 263888 ----a-w- c:\windows\system32\cmdvrt32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-19 14:24 . 2012-04-26 01:10 71024 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-02-19 14:24 . 2012-04-26 01:10 691568 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-17 06:28 . 2012-04-23 18:49 232336 ------w- c:\windows\system32\MpSigStub.exe
2013-01-17 00:51 . 2013-01-17 00:51 84416 ----a-w- c:\windows\system32\drivers\inspect.sys
2013-01-17 00:51 . 2013-01-17 00:51 43728 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2013-01-17 00:51 . 2013-01-17 00:51 576768 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2013-01-17 00:51 . 2013-01-17 00:51 20072 ----a-w- c:\windows\system32\drivers\cmderd.sys
2012-12-29 22:06 . 2012-12-29 22:06 110080 ----a-r- c:\users\Mugratt\AppData\Roaming\Microsoft\Installer\{4FC9DA9D-F608-454E-8191-D7EFFDCC5726}\IconF7A21AF7.exe
2012-12-29 22:06 . 2012-12-29 22:06 110080 ----a-r- c:\users\Mugratt\AppData\Roaming\Microsoft\Installer\{4FC9DA9D-F608-454E-8191-D7EFFDCC5726}\IconD7F16134.exe
2012-12-22 20:08 . 2012-12-22 20:09 93640 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-12-22 20:08 . 2012-09-09 13:58 859072 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-12-22 20:08 . 2012-04-25 00:21 779704 ----a-w- c:\windows\system32\deployJava1.dll
2012-12-14 21:49 . 2012-06-28 18:09 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-02-06 00:56 . 2013-02-06 00:56 262552 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A7AF277D-1466-4A7B-93AF-B043984A5671}]
2012-12-06 03:05 2669928 ------w- c:\program files\Glarysoft Toolbar\tbcore3.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{32D47EA5-9473-4CAD-805D-9999F15D5AE2}"= "c:\program files\Glarysoft Toolbar\tbcore3.dll" [2012-12-06 2669928]
.
[HKEY_CLASSES_ROOT\clsid\{32d47ea5-9473-4cad-805d-9999f15d5ae2}]
[HKEY_CLASSES_ROOT\TBSB05810.TBSB05810.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\TBSB05810.TBSB05810]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-25 136216]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-25 170520]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-06-19 1537320]
"EKIJ5000StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]
"Acer ePower Management"="c:\program files\Acer\Acer PowerSmart Manager\ePowerTrayLauncher.exe" [2009-10-02 494112]
"PC Pitstop Optimize Scheduler"="c:\program files\PCPitstop\Optimize\PCPOptimize.exe" [2008-03-26 2577120]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cistray.exe" [2013-01-25 1430736]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-10-2 795936]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R0 PRSBDRVR;Nemesis Link;c:\windows\\SystemRoot\system32\drivers\PRSBDRVR.SYS [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
R3 cmdvirth;COMODO Virtual Service Manager;c:\program files\COMODO\COMODO Internet Security\cmdvirth.exe [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [x]
S1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\DRIVERS\cmderd.sys [x]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [x]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 ePowerSvc;Acer ePower Service;c:\program files\Acer\Acer PowerSmart Manager\ePowerSvc.exe [x]
S2 NAUpdate;Nero Update;c:\program files\Nero\Update\NASvc.exe [x]
S2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [x]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x86.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
GPSvcGroup REG_MULTI_SZ GPSvc
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-20 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-26 14:24]
.
2013-02-20 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2013-01-11 20:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.2.1 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\users\Mugratt\AppData\Roaming\Mozilla\Firefox\Profiles\oy848bhb.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://us.search.yahoo.com/search?fr=ytff-comodo&p=
FF - prefs.js: network.proxy.type - 0
.
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(624)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'Explorer.exe'(2720)
c:\windows\system32\guard32.dll
c:\program files\WIDCOMM\Bluetooth Software\btmmhook.dll
c:\program files\WIDCOMM\Bluetooth Software\btncopy.dll
c:\windows\system32\dhcpcsvc.DLL
c:\windows\System32\QAgent.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
c:\program files\WIDCOMM\Bluetooth Software\btwdins.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\COMODO\COMODO Internet Security\cavwp.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\Acer\Acer PowerSmart Manager\ePowerTray.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2013-02-20 18:00:48 - machine was rebooted
ComboFix-quarantined-files.txt 2013-02-20 23:00
ComboFix2.txt 2013-02-20 20:57
ComboFix3.txt 2013-02-20 20:33
ComboFix4.txt 2013-02-19 16:22
ComboFix5.txt 2013-02-20 22:40
.
Pre-Run: 99,000,807,424 bytes free
Post-Run: 98,724,536,320 bytes free
.
- - End Of File - - 000928C38DB3F92DBAAD515D9D54AAAC
  • 0
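The policies\system block that ComboFix prints under "Reg Loading Points" in both logs above reports EnableLUA=0, ConsentPromptBehaviorAdmin=0 and PromptOnSecureDesktop=0. As an added example (not part of the thread and not ComboFix's code), here is a Python check that parses that block and the HKLM Run key in the text layout ComboFix uses and reports every UAC value that differs from the Windows 7 default. The registry text embedded in it is a constructed copy of the values in the posted log.

```python
"""Flag UAC policy values in a ComboFix 'Reg Loading Points' block that differ
from the Windows 7 defaults.

Added example for this thread; it is not ComboFix's code and not the helper's
script.  It parses the [...\policies\system] and [...\Run] blocks in the text
layout ComboFix prints.  SAMPLE_REG is a constructed copy of the values the
posted log reports.
"""
import re

# Windows 7 defaults for the UAC-related values under policies\system.
WIN7_UAC_DEFAULTS = {
    "EnableLUA": 1,                   # 1 = User Account Control on
    "ConsentPromptBehaviorAdmin": 5,  # 5 = prompt for consent for non-Windows binaries
    "ConsentPromptBehaviorUser": 3,   # 3 = prompt for credentials on the secure desktop
    "PromptOnSecureDesktop": 1,       # 1 = elevation prompts use the secure desktop
    "EnableUIADesktopToggle": 0,      # 0 = UIAccess apps cannot bypass the secure desktop
}

# Constructed copy of the two blocks as they appear in the posted log.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-25 136216]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"""

POLICY_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=\s*(\d+)\s*\(0x[0-9A-Fa-f]+\)$')
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)"\s*\[(\d{4}-\d{2}-\d{2}) (\d+)\]$')


def parse_combofix_registry(text):
    """Return {key path (lower-cased): {value name: parsed value}}.

    DWORD-style lines become ints; Run-entry lines become dicts holding the
    executable path plus the date and size ComboFix prints in brackets.
    """
    blocks, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            blocks[current] = {}
            continue
        if current is None:
            continue
        m = DWORD_RE.match(line)
        if m:
            blocks[current][m.group(1)] = int(m.group(2))
            continue
        m = RUN_RE.match(line)
        if m:
            blocks[current][m.group(1)] = {
                "path": m.group(2), "date": m.group(3), "size": int(m.group(4)),
            }
    return blocks


def uac_deviations(blocks):
    """Map value name -> (observed, default) for UAC values that differ from the Win7 default."""
    values = blocks.get(POLICY_KEY, {})
    return {
        name: (values[name], default)
        for name, default in WIN7_UAC_DEFAULTS.items()
        if name in values and values[name] != default
    }


def uac_enabled(blocks):
    """True only when EnableLUA is present and set to 1."""
    return blocks.get(POLICY_KEY, {}).get("EnableLUA") == 1


def run_entries(blocks):
    """Autostart entries from the HKLM Run key, as {name: info}."""
    return blocks.get(RUN_KEY, {})


if __name__ == "__main__":
    parsed = parse_combofix_registry(SAMPLE_REG)
    print("UAC enabled:", uac_enabled(parsed))
    for name, (seen, default) in sorted(uac_deviations(parsed).items()):
        print(f"{name}: observed {seen}, Windows 7 default {default}")
    for name, info in run_entries(parsed).items():
        print(f"Run: {name} -> {info['path']} ({info['size']} bytes, {info['date']})")
```

With the posted values User Account Control is off: EnableLUA=0 disables it outright, and even if it were re-enabled, ConsentPromptBehaviorAdmin=0 would elevate without prompting and PromptOnSecureDesktop=0 would keep prompts off the secure desktop. Restoring the defaults once the cleanup is done, and finding out what changed them, is worth adding to the list of things to address.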

#11
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello mugratt

First, I would like you to go here and click on the Fix it button - http://support.microsoft.com/kb/923737


Then I want you to do the following

  • Start Internet Explorer.
  • Click on "Safety".
  • Click on "Delete Browsing History".
  • Make sure all boxes are checked.
  • Click on "Delete".
  • Click on "Tools".
  • Click "Internet Options".
  • On the "Advanced" tab, click "Reset".
  • Put a check mark next to "Delete Personal Settings".
  • Click "Reset" to confirm.
  • When complete, click the "Close" button.
  • Restart IE.


Gringo
  • 0

#12
mugratt

mugratt

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Well, 1 down!! IE is up. What next, boss? lol, how was that scan, and why is ComboFix giving me [bleep]?
  • 0

#13
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello



Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:

    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log to your reply.



Gringo
  • 0

#14
mugratt

mugratt

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
FSS ran but did not create the txt file; it errored. Said it could not find the file?? I tried creating one; that didn't help. Ran it yet again in safe mode and it worked fine. Here is the log.

Farbar Service Scanner Version: 20-02-2013
Ran by Mugratt (administrator) on 21-02-2013 at 16:39:29
Running from "C:\Users\Mugratt\desktop"
Windows 7 Ultimate Service Pack 1 (X86)
Boot Mode: Minimal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Nsi Service is not running. Checking service configuration:
The start type of Nsi service is OK.
The ImagePath of Nsi service is OK.
The ServiceDll of Nsi service is OK.

nsiproxy Service is not running. Checking service configuration:
The start type of nsiproxy service is OK.
The ImagePath of nsiproxy service is OK.

tdx Service is not running. Checking service configuration:
The start type of tdx service is OK.
The ImagePath of tdx service is OK.

afd Service is not running. Checking service configuration:
The start type of afd service is OK.
The ImagePath of afd service is OK.


Connection Status:
==============
Attempt to access Local Host IP returned error: Localhost is blocked: Other errors
There is no connection to network.
Attempt to access Google IP returned error. Other errors
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo IP returned error. Other errors
Attempt to access Yahoo.com returned error: Other errors


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.

bfe Service is not running. Checking service configuration:
The start type of bfe service is OK.
The ImagePath of bfe service is OK.
The ServiceDll of bfe service is OK.


Firewall Disabled Policy:
==================


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.


System Restore Disabled Policy:
========================


Action Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is OK.
The ImagePath of EventSystem service is OK.
The ServiceDll of EventSystem service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

Other Services:
==============


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2013-02-18 17:29] - [2013-01-03 00:05] - 1293672 ____A (Microsoft Corporation) 7C0507D2391AF5933600CBCED799F277

C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
  • 0
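The FSS log above lists, section by section, which services are stopped and whether each one's start type, ImagePath and ServiceDll check out, and under "File Check" it marks files whose MD5 it recognises as "MD5 is legit". As an added example (not part of the thread and not Farbar's code), here is a Python summariser for that format: it groups stopped services by section, keeps only the configuration lines that are not OK, and pairs any unmarked file path with the MD5 that FSS prints on the following line. The log embedded in it is a constructed, shortened excerpt in the posted layout; the tcpip.sys entry and its hash are copied from the posted log.

```python
"""Summarise a Farbar Service Scanner (FSS) log.

Added example for this thread; not FSS's own code and not a script the helper
posted.  Line formats follow the FSS.txt posted above.  SAMPLE_LOG is a
constructed, shortened excerpt in that layout.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
Boot Mode: Minimal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2013-02-18 17:29] - [2013-01-03 00:05] - 1293672 ____A (Microsoft Corporation) 7C0507D2391AF5933600CBCED799F277

C:\Windows\system32\dnsrslvr.dll => MD5 is legit

**** End of log ****
"""

SECTION_RE = re.compile(r"^([A-Za-z /]+):$")
NOT_RUNNING_RE = re.compile(r"^(\S+) Service is not running\.")
CONFIG_RE = re.compile(r"^The (start type|ImagePath|ServiceDll) of (\S+) service is (.+?)\.$")
LEGIT_RE = re.compile(r"^(.+?) => MD5 is legit$")
HASH_RE = re.compile(r"([0-9A-Fa-f]{32})\s*$")


def parse_fss(text):
    """{section name: [content lines]}; banner, blank and '====' rule lines are dropped."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        if line.startswith("****"):  # top banner and "**** End of log ****"
            current = None
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current is None or not line.strip() or set(line) <= {"=", " "}:
            continue
        sections[current].append(line)
    return dict(sections)


def boot_mode(text):
    """'Minimal' means safe mode, where most services are stopped by design."""
    m = re.search(r"^Boot Mode:\s*(.+?)\s*$", text, re.M)
    return m.group(1) if m else None


def stopped_services(sections):
    """{section: {service: [config lines that are not OK]}} for services FSS reports stopped."""
    result = {}
    for section, lines in sections.items():
        stopped = {}
        for line in lines:
            m = NOT_RUNNING_RE.match(line)
            if m:
                stopped.setdefault(m.group(1), [])
                continue
            m = CONFIG_RE.match(line)
            if m and m.group(3) != "OK":
                stopped.setdefault(m.group(2), []).append(f"{m.group(1)}: {m.group(3)}")
        if stopped:
            result[section] = stopped
    return result


def unverified_files(sections):
    """'File Check' paths not marked 'MD5 is legit' -> the MD5 FSS printed on the next line."""
    lines, findings, i = sections.get("File Check", []), {}, 0
    while i < len(lines):
        if LEGIT_RE.match(lines[i]):
            i += 1
            continue
        path, digest = lines[i], None
        if i + 1 < len(lines) and HASH_RE.search(lines[i + 1]):
            digest = HASH_RE.search(lines[i + 1]).group(1).upper()
            i += 1
        findings[path] = digest
        i += 1
    return findings
```

Two caveats shape how the output should be read. The posted log says Boot Mode: Minimal, i.e. it was taken in safe mode, where the network, firewall and update services are expected to be stopped, so the useful signal there is that every start type, ImagePath and ServiceDll line reads OK. And a File Check entry without "MD5 is legit" is a prompt to compare the printed hash with a known-good copy of that file, not a verdict on its own.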

#15
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
That looks good - how are things running now, and what else is the matter?



gringo
  • 0





