Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Bombarded with unwanted ads and popups and web page ads... [Solved]

Started by quasarn01 , Jul 29 2013 03:20 PM

This topic is locked

#1
quasarn01

Posted 29 July 2013 - 03:20 PM

Member

Member
56 posts

For the past couple of days I've been bombarded with all sorts of ads such as popup ads, ads that create a new tab in firefox that are unwanted, and ads all over websites that shouldn't be there... A lot of these ads seem to be originating from something called AD CHOICES... My daughter used my computer for a couple of days and it seems she may have either downloaded something or visited a site(s) that has infected my computer with malware or viruses... Below is a copy of the OTL report...

***********************************************************

OTL logfile created on: 7 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Michael\Downloads
Professional (Version = 6.2.9200) - Type = NTWorkstation
Internet Explorer (Version = 9.10.9200.16635)
Locale: 00000409 | Country: United States | Language: ENU | Date Format:

2.99 Gb Total Physical Memory | 1.68 Gb Available Physical Memory | 56.16% Memory free
5.99 Gb Paging File | 4.49 Gb Available in Paging File | 74.97% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.42 Gb Total Space | 332.01 Gb Free Space | 71.34% Space Free | Partition Type: NTFS

Computer Name: MICHAEL | User Name: Michael | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013 (Skype Technologies S.A.) -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
PRC - [2013 (Secunia) -- C:\Program Files\Secunia\PSI\sua.exe
PRC - [2013 (Power Software Ltd) -- C:\Program Files\PowerISO\PWRISOVM.EXE
PRC - [2013 (OldTimer Tools) -- C:\Users\Michael\Downloads\OTL(1).exe
PRC - [2013 (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2013 (Microsoft Corporation) -- C:\Windows\System32\taskhostex.exe
PRC - [2013 (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2013 (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2013 (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2013 (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
PRC - [2013 (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2013 (IvoSoft) -- C:\Program Files\Classic Shell\ClassicStartMenu.exe
PRC - [2013 (IvoSoft) -- C:\Program Files\Classic Shell\ClassicShellService.exe
PRC - [2013 (Adobe Systems, Inc.) -- C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe
PRC - [2013 (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2012 (Nitro PDF Software) -- C:\Program Files\Nitro\Pro 8\NitroPDFDriverService8.exe
PRC - [2012 (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2012 (Microsoft Corporation) -- C:\Windows\sppsvc.exe
PRC - [2012 (Microsoft Corporation) -- C:\Windows\System32\dasHost.exe
PRC - [2012 (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
PRC - [2009 (TOSHIBA Corporation) -- C:\Windows\System32\TODDSrv.exe

========== Modules (No Company Name) ==========

MOD - [2013 () -- C:\Windows\System32\Macromed\Flash\NPSWF32_11_8_800_94.dll
MOD - [2013 () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2011 () -- C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
MOD - [2010 () -- C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll

========== Services (SafeList) ==========

SRV - [2013 (Skype Technologies) [Auto | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2013 (Skype Technologies S.A.) [Auto | Running] -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe -- (Skype C2C Service)
SRV - [2013 (Secunia) [Auto | Running] -- C:\Program Files\Secunia\PSI\sua.exe -- (Secunia Update Agent)
SRV - [2013 (Secunia) [On_Demand | Stopped] -- C:\Program Files\Secunia\PSI\psia.exe -- (Secunia PSI Agent)
SRV - [2013 (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2013 (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\wlidsvc.dll -- (wlidsvc)
SRV - [2013 (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2013 (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\TimeBrokerServer.dll -- (TimeBroker)
SRV - [2013 (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\SystemEventsBrokerServer.dll -- (SystemEventsBroker)
SRV - [2013 (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\netprofmsvc.dll -- (netprofm)
SRV - [2013 (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\lsm.dll -- (LSM)
SRV - [2013 (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\DeviceSetupManager.dll -- (DsmSvc)
SRV - [2013 (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\bisrv.dll -- (BrokerInfrastructure)
SRV - [2013 (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\AudioEndpointBuilder.dll -- (AudioEndpointBuilder)
SRV - [2013 (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2013 (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2013 (IvoSoft) [Auto | Running] -- C:\Program Files\Classic Shell\ClassicShellService.exe -- (ClassicShellService)
SRV - [2013 (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013 (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012 (Nitro PDF Software) [Auto | Running] -- C:\Program Files\Nitro\Pro 8\NitroPDFDriverService8.exe -- (NitroDriverReadSpool8)
SRV - [2012 (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\WSService.dll -- (WSService)
SRV - [2012 (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wiarpc.dll -- (WiaRpc)
SRV - [2012 (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\wcmsvc.dll -- (Wcmsvc)
SRV - [2012 (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\icsvc.dll -- (vmicvss)
SRV - [2012 (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\icsvc.dll -- (vmictimesync)
SRV - [2012 (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\icsvc.dll -- (vmicshutdown)
SRV - [2012 (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\icsvc.dll -- (vmicrdv)
SRV - [2012 (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\icsvc.dll -- (vmickvpexchange)
SRV - [2012 (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\icsvc.dll -- (vmicheartbeat)
SRV - [2012 (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\vaultsvc.dll -- (VaultSvc)
SRV - [2012 (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\svsvc.dll -- (svsvc)
SRV - [2012 (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc)
SRV - [2012 (Microsoft Corporation) [Auto | Running] -- C:\Windows\sppsvc.exe -- (SLSvc)
SRV - [2012 (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2012 (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\spool\drivers\w32x86\3\PrintConfig.dll -- (PrintNotify)
SRV - [2012 (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2012 (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\NcdAutoSetup.dll -- (NcdAutoSetup)
SRV - [2012 (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\NcaSvc.dll -- (NcaSvc)
SRV - [2012 (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Office\Office14\GROOVE.EXE -- (Microsoft SharePoint Workspace Audit Service)
SRV - [2012 (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\keyiso.dll -- (KeyIso)
SRV - [2012 (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\fhsvc.dll -- (fhsvc)
SRV - [2012 (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\efssvc.dll -- (EFS)
SRV - [2012 (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\das.dll -- (DeviceAssociationService)
SRV - [2012 (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AUInstallAgent.dll -- (AllUserInstallAgent)
SRV - [2012 (Intuit Inc.) [Disabled | Running] -- C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe -- (IntuitUpdateServiceV4)
SRV - [2011 (Apache Software Foundation) [Disabled | Stopped] -- C:\Program Files\Ubiquiti Networks\AirControl\bin\aircontrol.exe -- (AirControl)
SRV - [2009 (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\System32\TODDSrv.exe -- (TODDSrv)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | System | Stopped] -- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{216E80DB-8E34-4C14-88BD-5C291C37BFCC}\MpKslfda3f5b0.sys -- (MpKslfda3f5b0)
DRV - File not found [Kernel | System | Stopped] -- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{216E80DB-8E34-4C14-88BD-5C291C37BFCC}\MpKsl98e0e827.sys -- (MpKsl98e0e827)
DRV - [2013 (Secunia) [File_System | On_Demand | Stopped] -- C:\Windows\System32\Drivers\psi_mf_x86.sys -- (PSI)
DRV - [2013 (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\System32\Drivers\Rt630x86.sys -- (RTL8168)
DRV - [2013 (Power Software Ltd) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\scdemu.sys -- (SCDEmu)
DRV - [2013 (Microsoft Corporation) [File_System | Boot | Running] -- C:\Windows\System32\Drivers\WdFilter.sys -- (WdFilter)
DRV - [2013 (Microsoft Corporation) [Kernel | Boot | Stopped] -- C:\Windows\System32\Drivers\WdBoot.sys -- (WdBoot)
DRV - [2013 (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\USBXHCI.SYS -- (USBXHCI)
DRV - [2013 (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\USBHUB3.SYS -- (USBHUB3)
DRV - [2013 (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\UCX01000.SYS -- (UCX01000)
DRV - [2013 (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\Drivers\tpm.sys -- (TPM)
DRV - [2013 (Microsoft Corporation) [Kernel | Boot | Stopped] -- C:\Windows\System32\Drivers\storahci.sys -- (storahci)
DRV - [2013 (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\spaceport.sys -- (spaceport)
DRV - [2013 (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\pdc.sys -- (pdc)
DRV - [2013 (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\msgpiowin32.sys -- (msgpiowin32)
DRV - [2013 (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BthAvrcpTg.sys -- (BthAvrcpTg)
DRV - [2013 (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\Drivers\mbam.sys -- (MBAMProtector)
DRV - [2012 (Windows ® Win 7 DDK provider) [Kernel | On_Demand | Running] -- C:\Windows\System32\Drivers\Thotkey.sys -- (Thotkey)
DRV - [2012 (VIA Corporation) [Kernel | Boot | Stopped] -- C:\Windows\System32\Drivers\VSTXRAID.SYS -- (VSTXRAID)
DRV - [2012 (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\TVALZ_O.SYS -- (TVALZ)
DRV - [2012 (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\WpdUpFltr.sys -- (WpdUpFltr)
DRV - [2012 (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\wpcfltr.sys -- (wpcfltr)
DRV - [2012 (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\winusb.sys -- (WinUsb)
DRV - [2012 (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\wfplwfs.sys -- (WFPLWFS)
DRV - [2012 (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\VMBusHID.sys -- (VMBusHID)
DRV - [2012 (Microsoft Corporation) [Kernel | Boot | Stopped] -- C:\Windows\System32\Drivers\vmbus.sys -- (vmbus)
DRV - [2012 (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\VerifierExt.sys -- (VerifierExt)
DRV - [2012 (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\uaspstor.sys -- (UASPStor)
DRV - [2012 (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\TsUsbGD.sys -- (TsUsbGD)
DRV - [2012 (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2012 (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\terminpt.sys -- (terminpt)
DRV - [2012 (Microsoft Corporation) [Kernel | Boot | Stopped] -- C:\Windows\System32\Drivers\storvsc.sys -- (storvsc)
DRV - [2012 (Microsoft Corporation) [Kernel | Boot | Stopped] -- C:\Windows\System32\Drivers\vmstorfl.sys -- (storflt)
DRV - [2012 (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\SpbCx.sys -- (SpbCx)
DRV - [2012 (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\SerCx.sys -- (SerCx)
DRV - [2012 (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\sdstor.sys -- (sdstor)
DRV - [2012 (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\vms3cap.sys -- (s3cap)
DRV - [2012 (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\Drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV - [2012 (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\Drivers\npsvctrig.sys -- (npsvctrig)
DRV - [2012 (Microsoft Corporation) [Kernel | Auto | Running] -- C:\Windows\System32\Drivers\Ndu.sys -- (Ndu)
DRV - [2012 (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\NdisImPlatform.sys -- (NdisImPlatform)
DRV - [2012 (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\mslldp.sys -- (MsLldp)
DRV - [2012 (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\mshidumdf.sys -- (mshidumdf)
DRV - [2012 (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\Drivers\kdnic.sys -- (kdnic)
DRV - [2012 (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\HyperVideo.sys -- (HyperVideo)
DRV - [2012 (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\hyperkbd.sys -- (hyperkbd)
DRV - [2012 (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\hidi2c.sys -- (hidi2c)
DRV - [2012 (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\msgpioclx.sys -- (GPIOClx0101)
DRV - [2012 (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\vmgencounter.sys -- (gencounter)
DRV - [2012 (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\fxppm.sys -- (FxPPM)
DRV - [2012 (Microsoft Corporation) [Kernel | Boot | Stopped] -- C:\Windows\System32\Drivers\EhStorTcgDrv.sys -- (EhStorTcgDrv)
DRV - [2012 (Microsoft Corporation) [Kernel | Boot | Stopped] -- C:\Windows\System32\Drivers\EhStorClass.sys -- (EhStorClass)
DRV - [2012 (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\dmvsc.sys -- (dmvsc)
DRV - [2012 (Microsoft Corporation) [Kernel | System | Stopped] -- C:\Windows\System32\Drivers\dam.sys -- (dam)
DRV - [2012 (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\Drivers\condrv.sys -- (condrv)
DRV - [2012 (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\Drivers\cnghwassist.sys -- (cnghwassist)
DRV - [2012 (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\clfs.sys -- (CLFS)
DRV - [2012 (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BthhfHid.sys -- (bthhfhid)
DRV - [2012 (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\bthhfenum.sys -- (BthHFEnum)
DRV - [2012 (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\Drivers\BasicRender.sys -- (BasicRender)
DRV - [2012 (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\Drivers\BasicDisplay.sys -- (BasicDisplay)
DRV - [2012 (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\acpitime.sys -- (acpitime)
DRV - [2012 (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\acpipagr.sys -- (acpipagr)
DRV - [2012 (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\acpiex.sys -- (acpiex)
DRV - [2012 (Marvell Semiconductor, Inc.) [Kernel | Boot | Stopped] -- C:\Windows\System32\Drivers\mvumis.sys -- (mvumis)
DRV - [2012 (LSI) [Kernel | Boot | Stopped] -- C:\Windows\System32\Drivers\3ware.sys -- (3ware)
DRV - [2012 (LSI Corporation) [Kernel | Boot | Stopped] -- C:\Windows\System32\Drivers\lsi_sss.sys -- (LSI_SSS)
DRV - [2012 (LSI Corp) [Kernel | On_Demand | Running] -- C:\Windows\System32\Drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2012 (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\Drivers\netwlv32.sys -- (netwlv32)
DRV - [2009 (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\System32\Drivers\tdcmdpst.sys -- (tdcmdpst)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE10SR
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.bing.com/...Box&FORM=IE10SR
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.foxnews.com/"
FF - prefs.js..extensions.enabledAddons: exif_viewer%40mozilla.doslash.org:2.00
FF - prefs.js..extensions.enabledAddons: artur.dubovoy%40gmail.com:3.9.3
FF - prefs.js..extensions.enabledAddons: %7Bbee6eb20-01e0-ebd1-da83-080329fb9a3a%7D:1.36
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:22.0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_8_800_94.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Plus Web Player Plug-In,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.25.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.25.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nitropdf.com/NitroPDF: C:\Program Files\Nitro\Pro 8\npnitromozilla.dll (Nitro PDF)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll File not found
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.7: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{22119944-ED35-4ab1-910B-E619EA06A115}: C:\Program Files\Siber Systems\AI RoboForm\Firefox [2013
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2013
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 22.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 22.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013

[2013
[2013
[2013
[2013
[2013 () (No name found) -- C:\Users\Michael\AppData\Roaming\mozilla\firefox\profiles\temto84b.default\extensions\4sharedCopyLinks.xpi.tmp
[2013 () (No name found) -- C:\Users\Michael\AppData\Roaming\mozilla\firefox\profiles\temto84b.default\extensions\[email protected]
[2013 () (No name found) -- C:\Users\Michael\AppData\Roaming\mozilla\firefox\profiles\temto84b.default\extensions\[email protected]
[2013
[2013
[2013
[2013
[2013
[2013

O1 HOSTS File: () - C:\Windows\System32\Drivers\etc\hosts
O2 - BHO: (DownloadTerms) - {2C4BA31C-0C15-11E2-90C7-9BFCBEB168B3} - C:\Users\Michael\AppData\Local\DownloadTerms\temp.dat ()
O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
O2 - BHO: (ExplorerBHO Class) - {449D0D6E-2412-4E61-B68F-1CB625CD9E52} - C:\Program Files\Classic Shell\ClassicExplorer32.dll (IvoSoft)
O2 - BHO: (RoboForm Toolbar Helper) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (ClassicIE9BHO Class) - {EA801577-E6AD-4BD5-8F71-4BE0154331A4} - C:\Program Files\Classic Shell\ClassicIE9DLL_32.dll (IvoSoft)
O3 - HKLM\..\Toolbar: (Classic Explorer Bar) - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll (IvoSoft)
O3 - HKLM\..\Toolbar: (&RoboForm Toolbar) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (&RoboForm Toolbar) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O4 - HKLM..\Run: [AirControlMonitor] C:\Program Files\Ubiquiti Networks\AirControl\bin\aircontrol.exe (Apache Software Foundation)
O4 - HKLM..\Run: [BCSSync] C:\Program Files\Microsoft Office\Office14\BCSSync.exe (Microsoft Corporation)
O4 - HKLM..\Run: [DivXMediaServer] C:\Program Files\DivX\DivX Media Server\DivXMediaServer.exe (DivX, LLC)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [Driver Genius] File not found
O4 - HKLM..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE (Power Software Ltd)
O4 - HKCU..\Run: [RoboForm] C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe (Siber Systems)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableCursorSuppression = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8 - Extra context menu item: Customize Menu - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html ()
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Fill Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O8 - Extra context menu item: Save Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O8 - Extra context menu item: Show RoboForm Toolbar - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O9 - Extra 'Tools' menuitem : Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O9 - Extra Button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O9 - Extra 'Tools' menuitem : Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O9 - Extra 'Tools' menuitem : Classic IE9 Settings - {56753E59-AF1D-4FBA-9E15-31557124ADA2} - C:\Program Files\Classic Shell\ClassicIE9_32.exe (IvoSoft)
O9 - Extra Button: Show Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O9 - Extra 'Tools' menuitem : Show RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.1.0.1 8.8.8.8 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{43E4084F-16C0-42A9-8B52-7F642DF3287D}: DhcpNameServer = 10.1.0.1 8.8.8.8 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8F0F8A4E-29FC-4529-A2C6-7725E929927A}: DhcpNameServer = 10.1.0.1 8.8.8.8 192.168.1.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\WINDOWS\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2012 () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun\command - "" = "E:\setup.exe"
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2013
[2013
[2013
[2013
[2013
[2013
[2013
[2013
[2013
[2013
[2013
[2013
[2013
[2013
[2013
[2013
[2013
[2013
[2013
[2013
[2013
[2013
[2013 (Realtek ) -- C:\WINDOWS\System32\drivers\Rt630x86.sys
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2018 () -- C:\WINDOWS\System32\slmgr.vbs
[2013 () -- C:\Users\Public\Desktop\VLC media player.lnk
[2013 () -- C:\swapfile.sys
[2013 () -- C:\WINDOWS\System32\perfh009.dat
[2013 () -- C:\WINDOWS\System32\perfc009.dat
[2013 () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2013 () -- C:\WINDOWS\MEMORY.DMP
[2013 () -- C:\WINDOWS\System32\mbr.exe
[2013 () -- C:\Users\Michael\Desktop\MBR.dat
[2013 () -- C:\Users\Michael\Documents\Invoice_1639_from_Atlas_Technology_Group_LLC.pdf
[2013 () -- C:\hiberfil.sys
[2013 () -- C:\Users\Michael\Documents\For centuries.odt
[2013 () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013 () -- C:\Users\Michael\Documents\Fishing License Mary Ann expire 2-28-14.pdf
[2013 () -- C:\Users\Michael\Documents\Fishing License expire 2-28-14.pdf
[2013 () -- C:\END
[2013 () -- C:\Users\Michael\Desktop\Driver Genius.lnk
[2013 () -- C:\Users\Public\Desktop\Canon MX320 series On-screen Manual.lnk
[2013 () -- C:\WINDOWS\bootstat.dat
[2013 () -- C:\WINDOWS\tasks\AutoKMS.job
[2013 () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013 () -- C:\Users\Public\Desktop\VLC media player.lnk
[2013 () -- C:\WINDOWS\System32\drivers\RTEQEX0.dat
[2013 () -- C:\WINDOWS\System32\OEMLicense.dll
[2013 () -- C:\Users\Michael\Desktop\Ocx Steup.msi
[2013 () -- C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
[2013 () -- C:\WINDOWS\MEMORY.DMP
[2013 () -- C:\WINDOWS\System32\mbr.exe
[2013 () -- C:\Users\Michael\Desktop\MBR.dat
[2013 () -- C:\Users\Michael\Desktop\JWSearch tool.exe
[2013 () -- C:\Users\Michael\Documents\Invoice_1639_from_Atlas_Technology_Group_LLC.pdf
[2013 () -- C:\WINDOWS\System32\HisiDVFW.dll
[2013 () -- C:\Users\Michael\Documents\For centuries.odt
[2013 () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013 () -- C:\Users\Michael\Documents\Fishing License Mary Ann expire 2-28-14.pdf
[2013 () -- C:\Users\Michael\Documents\Fishing License expire 2-28-14.pdf
[2013 () -- C:\END
[2013 () -- C:\Users\Michael\Desktop\Driver Genius.lnk
[2013 () -- C:\WINDOWS\AutoKMS.ini
[2013 () -- C:\WINDOWS\System32\ApnDatabase.xml
[2012 () -- C:\WINDOWS\System32\WpcNBModel.bin
[2012 () -- C:\WINDOWS\System32\staticurllist.bin
[2012 () -- C:\WINDOWS\System32\srms.dat
[2012 () -- C:\WINDOWS\System32\settings.dat
[2012 () -- C:\WINDOWS\System32\perfi009.dat
[2012 () -- C:\WINDOWS\System32\perfh009.dat
[2012 () -- C:\WINDOWS\System32\perfd009.dat
[2012 () -- C:\WINDOWS\System32\perfc009.dat
[2012 () -- C:\WINDOWS\System32\NOISE.DAT
[2012 () -- C:\WINDOWS\System32\mlang.dat
[2012 () -- C:\WINDOWS\mib.bin
[2012 () -- C:\WINDOWS\System32\dssec.dat
[2012 () -- C:\WINDOWS\System32\BWContextHandler.dll
[2012 () -- C:\WINDOWS\System32\BthpanContextHandler.dll
[2012 () -- C:\WINDOWS\bootstat.dat

========== ZeroAccess Check ==========

[2010 () -- C:\$Recycle.bin\S-1-5-21-2856520543-2365380021-2580953766-1001\$RLA183I.001\Prefetch\l.reg
[2010 () -- C:\$Recycle.bin\S-1-5-21-2856520543-2365380021-2580953766-1001\$RLA183I.001\Prefetch\n.reg
[2010 () -- C:\$Recycle.bin\S-1-5-21-2856520543-2365380021-2580953766-1001\$RNLZXRI.000\Prefetch\l.reg
[2010 () -- C:\$Recycle.bin\S-1-5-21-2856520543-2365380021-2580953766-1001\$RNLZXRI.000\Prefetch\n.reg
[2010 () -- C:\$Recycle.bin\S-1-5-21-2856520543-2365380021-2580953766-1001\$RPJ7GKS.000\Prefetch\l.reg
[2010 () -- C:\$Recycle.bin\S-1-5-21-2856520543-2365380021-2580953766-1001\$RPJ7GKS.000\Prefetch\n.reg
[2013 () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012 (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2012 (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2012 (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2013
[2013
[2013
[2013
[2013
[2013
[2013
[2013
[2013
[2013
[2013
[2013
[2013

========== Purity Check ==========

< End of report >

#2
gringo_pr

Posted 29 July 2013 - 07:13 PM

Trusted Helper

Malware Removal
7,268 posts

Hello quasarn01

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely, I have spent my time to put together somethings for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so.
- We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please do not attach logs or use code boxes, just copy and paste the text.
- Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
Please read every post completely before doing anything.
- Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
Please provide feedback about your experience as we go.
- A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

These are the programs I would like you to run next, if you have any problems with one of these just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.

Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Delete.
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the content of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[S1].txt as well.

-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.

Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.

When they are complete let me have the two reports and let me know how things are running.

Gringo

#3
quasarn01

Posted 29 July 2013 - 08:17 PM

Member

Topic Starter
Member
56 posts

Below are my two reports... I accessed the web and went to several websites and it seems that most, if not all, the ads are gone... Hopefully, it's fixed, but, it may be too early to tell...

# AdwCleaner v2.306 - Logfile created 07/29/2013 at 21:40:29
# Updated 19/07/2013 by Xplode
# Operating system : Windows 8 Pro (32 bits)
# User : Michael - MICHAEL
# Boot Mode : Normal
# Running from : C:\Users\Michael\Desktop\AdwCleaner(1).exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

File Deleted : C:\END

***** [Registry] *****

Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2C4BA31C-0C15-11E2-90C7-9BFCBEB168B3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{67BD9EEB-AA06-4329-A940-D250019300C9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9EDC0C90-2B5B-4512-953E-35767BAD5C67}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{A0EE0278-2986-4E5A-884E-A3BF0357E476}
Key Deleted : HKLM\SOFTWARE\Classes\Updater.AmiUpd
Key Deleted : HKLM\SOFTWARE\Classes\Updater.AmiUpd.1
Key Deleted : HKLM\Software\InstallIQ
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2C4BA31C-0C15-11E2-90C7-9BFCBEB168B3}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}

***** [Internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16537

[OK] Registry is clean.

-\\ Mozilla Firefox v22.0 (en-US)

File : C:\Users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\temto84b.default\prefs.js

C:\Users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\temto84b.default\user.js ... Deleted !

[OK] File is clean.

File : C:\Users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\hy027qr5.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1052 octets] - [11/05/2013 16:49:36]
AdwCleaner[R2].txt - [1077 octets] - [12/05/2013 10:09:21]
AdwCleaner[S1].txt - [2297 octets] - [11/05/2013 11:37:16]
AdwCleaner[S2].txt - [1113 octets] - [12/05/2013 10:06:34]
AdwCleaner[S3].txt - [2494 octets] - [29/07/2013 21:40:29]

########## EOF - C:\AdwCleaner[S3].txt - [2554 octets] ##########
*************************************************************************

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 5.2.8 (07.29.2013:2)
OS: Windows 8 Pro x86
Ran by Michael on Mon 07/29/2013 at 22:05:48.20
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\driver genius

~~~ Registry Keys

~~~ Files

~~~ Folders

Successfully deleted: [Folder] "C:\Users\Michael\appdata\local\downloadterms"
Successfully deleted: [Folder] "C:\Program Files\driver-soft"

~~~ FireFox

Successfully deleted: [Folder] "C:\Program Files\Mozilla Firefox\extensions\[email protected]"
Successfully deleted: [Folder] C:\Users\Michael\AppData\Roaming\mozilla\firefox\profiles\temto84b.default\extensions\[email protected]
Emptied folder: C:\Users\Michael\AppData\Roaming\mozilla\firefox\profiles\temto84b.default\minidumps [31 files]

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 07/29/2013 at 22:08:18.02
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

#4
gringo_pr

Posted 29 July 2013 - 08:38 PM

Trusted Helper

Malware Removal
7,268 posts

Hello quasarn01

I Would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

In your next post I need the following
Log from Combofix
let me know of any problems you may have had
How is the computer doing now?

Gringo

#5
quasarn01

Posted 30 July 2013 - 01:27 AM

Member

Topic Starter
Member
56 posts

Below is the ComboFix Report... I've been checking the performance out and it seems to be running good now... Haven't had any ads or popups occur yet....

ComboFix 13-07-27.01 - Michael 07/29/2013 22:57:19.1.2 - x86
Microsoft Windows 8 Pro 6.2.9200.0.1252.1.1033.18.3062.2143 [GMT -4:00]
Running from: c:\users\Michael\Desktop\ComboFix.exe
AV: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\{87D149CC-D0C1-45AD-BFE4-F5605AD20D11}.xps
c:\users\Michael\Documents\wuauclt.exe
c:\windows\$NtUninstallKB58939$
c:\windows\system32\drivers\etc\hosts.ics
.
.
((((((((((((((((((((((((( Files Created from 2013-06-28 to 2013-07-30 )))))))))))))))))))))))))))))))
.
.
2013-07-30 03:13 . 2013-07-30 03:13 29904 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5C867E7F-8D54-4123-8C4E-A4A0083DEFD5}\MpKslcb285cac.sys
2013-07-30 03:10 . 2013-07-30 03:13 -------- d-----w- c:\users\Michael\AppData\Local\temp
2013-07-30 03:10 . 2013-07-30 03:10 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-07-30 03:10 . 2013-07-30 03:10 -------- d-----w- c:\users\Mike\AppData\Local\temp
2013-07-30 02:57 . 2013-07-30 02:57 29904 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5C867E7F-8D54-4123-8C4E-A4A0083DEFD5}\MpKsl4462ddd4.sys
2013-07-30 02:05 . 2013-07-30 02:05 -------- d-----w- c:\windows\ERUNT
2013-07-29 22:25 . 2013-07-02 06:54 7143960 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5C867E7F-8D54-4123-8C4E-A4A0083DEFD5}\mpengine.dll
2013-07-28 17:37 . 2013-07-28 17:59 -------- d-----w- C:\mbar
2013-07-28 17:01 . 2013-07-28 16:59 89088 ----a-w- c:\windows\system32\mbr.exe
2013-07-28 11:11 . 2013-07-28 11:11 -------- d-----w- c:\windows\LastGood
2013-07-27 14:22 . 2013-07-27 14:23 -------- d-----w- C:\Asteroid
2013-07-23 15:36 . 2013-07-28 11:09 -------- d-----w- c:\users\Michael\AppData\Roaming\vlc
2013-07-23 15:35 . 2013-07-23 15:35 -------- d-----w- c:\program files\VideoLAN
2013-07-23 15:33 . 2013-07-28 11:24 -------- d-----w- c:\users\Michael\AppData\Roaming\DivX
2013-07-23 15:31 . 2013-07-23 15:32 -------- d-----w- c:\program files\Common Files\DivX Shared
2013-07-23 15:29 . 2013-07-23 15:32 -------- d-----w- c:\program files\DivX
2013-07-23 15:28 . 2013-07-23 15:32 -------- d-----w- c:\programdata\DivX
2013-07-17 20:43 . 2013-06-15 02:21 77528 ----a-w- c:\windows\system32\RtNicProp32.dll
2013-07-17 20:43 . 2013-06-15 02:21 689880 ----a-w- c:\windows\system32\drivers\Rt630x86.sys
2013-07-13 16:13 . 2013-07-13 16:13 -------- d--h--w- c:\programdata\CanonIJScan
2013-07-12 18:42 . 2013-07-12 18:42 6129024 ----a-w- c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
2013-07-12 18:42 . 2013-07-12 18:42 6129024 ----a-w- c:\program files\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
2013-07-11 15:25 . 2013-06-16 22:33 816896 ----a-w- c:\windows\system32\drivers\ndis.sys
2013-07-11 07:15 . 2013-07-11 07:20 -------- d-----w- c:\windows\system32\MRT
2013-07-11 04:49 . 2013-04-11 04:12 1086976 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
2013-07-11 04:49 . 2013-04-11 04:12 1413632 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\InkObj.dll
2013-07-11 04:49 . 2013-04-11 04:12 1303552 ----a-w- c:\program files\Windows Journal\NBDoc.DLL
2013-07-11 04:49 . 2013-04-11 04:12 1063936 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll
2013-07-11 04:49 . 2013-04-11 04:12 1029632 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2013-07-07 17:27 . 2013-07-07 17:27 -------- d--h--w- c:\programdata\CanonIJEGV
2013-07-07 16:57 . 2013-07-13 16:13 -------- d-----w- c:\users\Michael\AppData\Roaming\Canon
2013-07-01 23:54 . 2013-07-01 23:54 -------- d-----w- C:\download
2013-07-01 23:47 . 2013-07-01 23:47 -------- d-----w- c:\users\Michael\AppData\Local\bhw
2013-07-01 23:46 . 2013-07-01 23:46 -------- d-----w- c:\program files\S3 Ripper
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2018-08-27 06:11 . 2012-06-02 14:33 132165 ----a-w- c:\windows\system32\slmgr.vbs
2013-06-28 13:52 . 2013-06-28 13:52 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-06-28 13:52 . 2013-06-28 13:52 867240 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-06-28 13:52 . 2013-06-28 13:52 789416 ----a-w- c:\windows\system32\deployJava1.dll
2013-06-27 22:04 . 2013-04-13 18:32 78200 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-27 22:04 . 2013-04-13 18:32 693112 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-06-20 15:38 . 2013-06-20 15:38 146648 ----a-w- c:\windows\system32\drivers\48230029.sys
2013-05-23 23:27 . 2013-06-12 08:19 1075200 ----a-w- c:\windows\system32\gdi32.dll
2013-05-15 22:37 . 2013-06-12 08:19 44032 ----a-w- c:\windows\system32\UXInit.dll
2013-05-15 02:24 . 2013-06-12 08:18 793088 ----a-w- c:\windows\system32\autochk.exe
2013-05-15 02:24 . 2013-06-12 08:18 482816 ----a-w- c:\windows\system32\untfs.dll
2013-05-14 09:23 . 2013-06-12 08:19 2706432 ----a-w- c:\windows\system32\mshtml.tlb
2013-05-04 05:54 . 2013-06-12 08:18 103176 ----a-w- c:\windows\system32\AuthHost.exe
2013-05-04 05:37 . 2013-06-12 08:18 52056 ----a-w- c:\windows\system32\wuauclt.exe
2013-05-04 05:20 . 2013-06-12 08:18 362240 ----a-w- c:\windows\system32\drivers\USBHUB3.SYS
2013-05-04 05:20 . 2013-06-12 08:18 238336 ----a-w- c:\windows\system32\drivers\spaceport.sys
2013-05-04 04:58 . 2013-06-12 08:18 34304 ----a-w- c:\windows\system32\wuapp.exe
2013-05-04 04:58 . 2013-06-12 08:18 1150976 ----a-w- c:\windows\system32\VSSVC.exe
2013-05-04 04:58 . 2013-06-12 08:18 758784 ----a-w- c:\windows\system32\Magnify.exe
2013-05-04 04:58 . 2013-06-12 08:18 2561536 ----a-w- c:\windows\system32\wuaueng.dll
2013-05-04 04:58 . 2013-06-12 08:18 1555456 ----a-w- c:\windows\system32\wucltux.dll
2013-05-04 04:58 . 2013-06-12 08:18 215040 ----a-w- c:\windows\system32\WUSettingsProvider.dll
2013-05-04 04:58 . 2013-06-12 08:18 83968 ----a-w- c:\windows\system32\wudriver.dll
2013-05-04 04:58 . 2013-06-12 08:18 125952 ----a-w- c:\windows\system32\wuwebv.dll
2013-05-04 04:58 . 2013-06-12 08:18 621056 ----a-w- c:\windows\system32\wuapi.dll
2013-05-04 04:57 . 2013-06-12 08:18 10788864 ----a-w- c:\windows\system32\Windows.UI.Xaml.dll
2013-05-04 04:57 . 2013-06-12 08:18 247296 ----a-w- c:\windows\system32\ubpm.dll
2013-05-04 04:57 . 2013-06-12 08:18 1049600 ----a-w- c:\windows\system32\sysmain.dll
2013-05-04 04:57 . 2013-06-12 08:18 303616 ----a-w- c:\windows\system32\stobject.dll
2013-05-04 04:57 . 2013-06-12 08:18 146944 ----a-w- c:\windows\system32\storewuauth.dll
2013-05-04 04:57 . 2013-06-12 08:18 73728 ----a-w- c:\windows\system32\psmsrv.dll
2013-05-04 04:57 . 2013-06-12 08:18 18432 ----a-w- c:\windows\system32\npmproxy.dll
2013-05-04 04:57 . 2013-06-12 08:18 371200 ----a-w- c:\windows\system32\netprofmsvc.dll
2013-05-04 04:57 . 2013-06-12 08:18 151040 ----a-w- c:\windows\system32\netplwiz.dll
2013-05-04 04:57 . 2013-06-12 08:18 115712 ----a-w- c:\windows\system32\netprofm.dll
2013-05-04 04:57 . 2013-06-12 08:18 14336 ----a-w- c:\windows\system32\muifontsetup.dll
2013-05-04 04:56 . 2013-06-12 08:18 411136 ----a-w- c:\windows\system32\mfmp4srcsnk.dll
2013-05-04 04:56 . 2013-06-12 08:18 582144 ----a-w- c:\windows\system32\gpprefcl.dll
2013-05-04 04:56 . 2013-06-12 08:18 449536 ----a-w- c:\windows\system32\DevicePairing.dll
2013-05-04 04:56 . 2013-06-12 08:18 92160 ----a-w- c:\windows\system32\biwinrt.dll
2013-05-04 04:56 . 2013-06-12 08:18 2035712 ----a-w- c:\windows\system32\authui.dll
2013-05-04 04:56 . 2013-06-12 08:18 309760 ----a-w- c:\windows\system32\BCP47Langs.dll
2013-05-04 04:56 . 2013-06-12 08:18 143360 ----a-w- c:\windows\system32\bisrv.dll
2013-05-04 04:56 . 2013-06-12 08:18 975360 ----a-w- c:\windows\system32\AppXDeploymentServer.dll
2013-05-04 04:56 . 2013-06-12 08:18 554496 ----a-w- c:\windows\system32\AppXDeploymentExtensions.dll
2013-05-04 04:55 . 2013-06-12 08:18 389632 ----a-w- c:\windows\system32\intl.cpl
2013-05-04 04:10 . 2013-06-12 08:18 14848 ----a-w- c:\windows\system32\rars.rs
2013-05-04 04:06 . 2013-06-12 08:18 320512 ----a-w- c:\windows\system32\drivers\rdbss.sys
2013-05-02 15:28 . 2013-04-13 17:42 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-05-02 08:11 . 2012-07-26 06:53 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ShareOverlay]
@="{594D4122-1F87-41E2-96C7-825FB4796516}"
[HKEY_CLASSES_ROOT\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}]
2013-04-13 03:28 611840 ----a-w- c:\program files\Classic Shell\ClassicExplorer32.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2013-06-03 19603048]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2013-07-03 108624]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-29 7625248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2013-01-27 337432]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-08-21 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-08-21 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-08-21 150552]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"AirControlMonitor"="c:\program files\Ubiquiti Networks\AirControl\bin\aircontrol.exe" [2011-02-07 74240]
"DivXMediaServer"="c:\program files\DivX\DivX Media Server\DivXMediaServer.exe" [2013-05-20 450560]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2013-02-13 1263952]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"PromptOnSecureDesktop"= 0 (0x0)
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableCursorSuppression"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
.
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2013-06-03 162408]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf_x86.sys [2013-04-18 16024]
R3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\PSIA.exe [2013-04-18 1227800]
R3 WUDFWpdMtp;WUDFWpdMtp;c:\windows\system32\DRIVERS\WUDFRd.sys [2012-07-26 155136]
R4 AirControl;Ubiquiti AirControl;c:\program files\Ubiquiti Networks\AirControl\bin\aircontrol.exe [2011-02-07 74240]
R4 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [2012-08-23 13672]
S1 MpKsl4462ddd4;MpKsl4462ddd4;c:\programdata\Microsoft\Windows Defender\Definition Updates\{5C867E7F-8D54-4123-8C4E-A4A0083DEFD5}\MpKsl4462ddd4.sys [2013-07-30 29904]
S1 MpKslcb285cac;MpKslcb285cac;c:\programdata\Microsoft\Windows Defender\Definition Updates\{5C867E7F-8D54-4123-8C4E-A4A0083DEFD5}\MpKslcb285cac.sys [2013-07-30 29904]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-04-04 418376]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2013-04-04 701512]
S2 NitroDriverReadSpool8;NitroPDFDriverCreatorReadSpool8;c:\program files\Nitro\Pro 8\NitroPDFDriverService8.exe [2012-12-13 196616]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [2013-04-18 659992]
S2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2013-07-12 3289472]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-04-04 22856]
S3 netwlv32;@netwlv32.inf, %NIC_Service_DispName_VISTA%; Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netwlv32.sys [x]
S3 RTL8168;Realtek 8168 NT Driver;c:\windows\system32\DRIVERS\Rt630x86.sys [2013-06-15 689880]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A6EADE66-0000-0000-484E-7E8A45000000}]
2012-12-18 19:08 215264 ----a-w- c:\program files\Adobe\Reader 11.0\Esl\AiodLite.dll
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-30 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-04-13 08:17]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.foxnews.com/
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
IE: Show RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
TCP: DhcpNameServer = 10.1.0.1 8.8.8.8 192.168.1.1
FF - ProfilePath - c:\users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\temto84b.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.foxnews.com/
FF - ExtSQL: 2013-07-23 11:32; {23fcfd51-4958-4f00-80a3-ae97e717ed8b}; c:\program files\DivX\DivX Plus Web Player\firefox\DivXHTML5
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Driver Genius_is1 - c:\program files\Driver-Soft\DriverGenius\unins000.exe
AddRemove-{BAA41CE3-5CAC-A56F-DF2D-2D631D09155A} - c:\progra~2\INSTAL~2\{C9AAB~1\Setup.exe
AddRemove-{F2F8B4AF-4692-C4F9-2576-5EEC1C2E0C46} - c:\progra~2\INSTAL~2\{CB4D3~1\Setup.exe
AddRemove-DownloadTerms - c:\users\Michael\AppData\Local\DownloadTerms\uninst.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4d36e96d-e325-11ce-bfc1-08002be10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
@SACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2600)
c:\windows\SYSTEM32\igd10umd32.dll
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\igfxrENU.lrc
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Classic Shell\ClassicShellService.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\windows\system32\dashost.exe
c:\windows\sppsvc.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Windows Defender\MsMpEng.exe
c:\windows\system32\taskhostex.exe
c:\program files\Classic Shell\ClassicStartMenu.exe
c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\windows\System32\rundll32.exe
c:\windows\system32\DllHost.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2013-07-29 23:24:56 - machine was rebooted
ComboFix-quarantined-files.txt 2013-07-30 03:24
.
Pre-Run: 380,971,327,488 bytes free
Post-Run: 380,915,011,584 bytes free
.
- - End Of File - - AD2B02DF43835C25A9A8F5E749ECCECC
445CEDAF18B640B607C7D11B34E8EC15

#6
gringo_pr

Posted 30 July 2013 - 02:06 AM

Trusted Helper

Malware Removal
7,268 posts

Hello quasarn01

Malwarebytes Anti-Rootkit

1.Download Malwarebytes Anti-Rootkit
2.Unzip the contents to a folder in a convenient location.
3.Open the folder where the contents were unzipped and run mbar.exe
4.Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
5.Click on the Cleanup button to remove any threats and reboot if prompted to do so.
6.Wait while the system shuts down and the cleanup process is performed.
7.Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
8.If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:
•Internet access
•Windows Update
•Windows Firewall9.If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included with Malwarebytes Anti-Rootkit and reboot.
10.Verify that your system is now functioning normally.

Please download aswMBR to your desktop.

Double click the aswMBR.exe icon to run it
it will ask to download extra definitions - ALLOW IT
Click the Scan button to start the scan
On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

When you are complete please send me both reports

Gringo

Hello XXX

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

In your next post I need the following

report from Combofix
let me know of any problems you may have had
How is the computer doing now after running the script?

Gringo

#7
quasarn01

Posted 30 July 2013 - 07:45 AM

Member

Topic Starter
Member
56 posts

I ran Malwarebytes Anti-Rootkit twice and no infections were found either time and no report was created... The aswMBR and the Combofix reports are below... Internet access, Windows Update, and Windows Firewall all appear to be working good... Also, seems that the popups and unwanted ads may be gone for now...

*********************************************************************************
aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-07-28 13:59:19
-----------------------------
13:59:19.941 OS Version: Windows 6.2.9200
13:59:19.941 Number of processors: 2 586 0xF0D
13:59:19.957 ComputerName: MICHAEL UserName: Michael
13:59:21.486 Initialize success
14:01:26.706 AVAST engine defs: 13072800
14:01:37.845 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3
14:01:37.845 Disk 0 Vendor: ST500LM012_HN-M500MBB 2AR10001 Size: 476940MB BusType: 3
14:01:38.001 Disk 0 MBR read successfully
14:01:38.001 Disk 0 MBR scan
14:01:38.032 Disk 0 Windows 7 default MBR code
14:01:38.079 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 350 MB offset 2048
14:01:38.141 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 476588 MB offset 718848
14:01:38.188 Disk 0 scanning sectors +976771072
14:01:38.407 Disk 0 scanning C:\WINDOWS\system32\drivers
14:01:59.498 Service scanning
14:02:17.688 Service MpKsl0b51dedf C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{216E80DB-8E34-4C14-88BD-5C291C37BFCC}\MpKsl0b51dedf.sys **LOCKED** 32
14:02:43.366 Modules scanning
14:02:49.809 Disk 0 trace - called modules:
14:02:50.355 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys
14:02:50.371 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x856e8030]
14:02:50.386 3 CLASSPNP.SYS[82534300] -> nt!IofCallDriver -> [0x84764878]
14:02:50.386 5 ACPI.sys[82cd849a] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-3[0x851af870]
14:02:51.213 AVAST engine scan C:\WINDOWS
14:02:54.396 AVAST engine scan C:\WINDOWS\system32
14:08:10.369 AVAST engine scan C:\WINDOWS\system32\drivers
14:08:33.465 AVAST engine scan C:\Users\Michael
14:19:32.832 AVAST engine scan C:\ProgramData
14:22:02.550 Scan finished successfully
14:27:28.295 Disk 0 MBR fix error
14:27:49.942 Disk 0 MBR has been saved successfully to "C:\Users\Michael\Desktop\MBR.dat"
14:27:50.020 The log file has been saved successfully to "C:\Users\Michael\Desktop\aswMBR.txt"

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-07-30 04:43:00
-----------------------------
04:43:00.919 OS Version: Windows 6.2.9200
04:43:00.935 Number of processors: 2 586 0xF0D
04:43:00.982 ComputerName: MICHAEL UserName: Michael
04:43:06.582 Initialize success
04:45:20.411 AVAST engine defs: 13072901
04:45:33.468 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3
04:45:33.468 Disk 0 Vendor: ST500LM012_HN-M500MBB 2AR10001 Size: 476940MB BusType: 3
04:45:33.640 Disk 0 MBR read successfully
04:45:33.640 Disk 0 MBR scan
04:45:33.780 Disk 0 Windows 7 default MBR code
04:45:33.827 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 350 MB offset 2048
04:45:33.936 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 476588 MB offset 718848
04:45:34.030 Disk 0 scanning sectors +976771072
04:45:34.373 Disk 0 scanning C:\WINDOWS\system32\drivers
04:46:26.591 Service scanning
04:47:10.344 Service MpKsl560e4a63 C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{1638A201-8231-4B7C-80BB-5E4E1238FE8B}\MpKsl560e4a63.sys **LOCKED** 32
04:48:17.573 Modules scanning
04:48:29.991 Disk 0 trace - called modules:
04:48:30.537 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys
04:48:30.537 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85cd3568]
04:48:30.537 3 CLASSPNP.SYS[8b179300] -> nt!IofCallDriver -> [0x84d64890]
04:48:30.553 5 ACPI.sys[8acb149a] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-3[0x857af870]
04:48:34.577 AVAST engine scan C:\WINDOWS
04:48:50.280 AVAST engine scan C:\WINDOWS\system32
04:55:06.709 AVAST engine scan C:\WINDOWS\system32\drivers
04:55:41.965 AVAST engine scan C:\Users\Michael
05:11:02.484 AVAST engine scan C:\ProgramData
05:14:21.544 Scan finished successfully
05:31:57.051 Disk 0 MBR has been saved successfully to "C:\Users\Michael\Desktop\MBR.dat"
05:31:57.160 The log file has been saved successfully to "C:\Users\Michael\Desktop\aswMBR.txt"

*****************************************************************
ComboFix 13-07-30.02 - Michael 07/30/2013 5:36.2.2 - x86
Microsoft Windows 8 Pro 6.2.9200.0.1252.1.1033.18.3062.2021 [GMT -4:00]
Running from: c:\users\Michael\Desktop\ComboFix.exe
Command switches used :: c:\users\Michael\Desktop\CFScript.txt
AV: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2013-06-28 to 2013-07-30 )))))))))))))))))))))))))))))))
.
.
2013-07-30 09:47 . 2013-07-30 09:47 -------- d-----w- c:\users\Mike\AppData\Local\temp
2013-07-30 09:47 . 2013-07-30 09:47 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-07-30 08:43 . 2013-07-30 08:43 29904 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1638A201-8231-4B7C-80BB-5E4E1238FE8B}\MpKsl560e4a63.sys
2013-07-30 08:41 . 2013-07-02 06:54 7143960 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1638A201-8231-4B7C-80BB-5E4E1238FE8B}\mpengine.dll
2013-07-30 03:25 . 2013-07-30 09:47 -------- d-----w- c:\users\Michael\AppData\Local\temp
2013-07-30 02:05 . 2013-07-30 02:05 -------- d-----w- c:\windows\ERUNT
2013-07-28 17:37 . 2013-07-30 08:35 -------- d-----w- C:\mbar
2013-07-28 17:01 . 2013-07-28 16:59 89088 ----a-w- c:\windows\system32\mbr.exe
2013-07-28 11:11 . 2013-07-28 11:11 -------- d-----w- c:\windows\LastGood
2013-07-27 14:22 . 2013-07-27 14:23 -------- d-----w- C:\Asteroid
2013-07-23 15:36 . 2013-07-28 11:09 -------- d-----w- c:\users\Michael\AppData\Roaming\vlc
2013-07-23 15:35 . 2013-07-23 15:35 -------- d-----w- c:\program files\VideoLAN
2013-07-23 15:33 . 2013-07-28 11:24 -------- d-----w- c:\users\Michael\AppData\Roaming\DivX
2013-07-23 15:31 . 2013-07-23 15:32 -------- d-----w- c:\program files\Common Files\DivX Shared
2013-07-23 15:29 . 2013-07-23 15:32 -------- d-----w- c:\program files\DivX
2013-07-23 15:28 . 2013-07-23 15:32 -------- d-----w- c:\programdata\DivX
2013-07-17 20:43 . 2013-06-15 02:21 77528 ----a-w- c:\windows\system32\RtNicProp32.dll
2013-07-17 20:43 . 2013-06-15 02:21 689880 ----a-w- c:\windows\system32\drivers\Rt630x86.sys
2013-07-13 16:13 . 2013-07-13 16:13 -------- d--h--w- c:\programdata\CanonIJScan
2013-07-12 18:42 . 2013-07-12 18:42 6129024 ----a-w- c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
2013-07-12 18:42 . 2013-07-12 18:42 6129024 ----a-w- c:\program files\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
2013-07-11 15:25 . 2013-06-16 22:33 816896 ----a-w- c:\windows\system32\drivers\ndis.sys
2013-07-11 07:15 . 2013-07-11 07:20 -------- d-----w- c:\windows\system32\MRT
2013-07-11 04:49 . 2013-04-11 04:12 1086976 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
2013-07-11 04:49 . 2013-04-11 04:12 1413632 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\InkObj.dll
2013-07-11 04:49 . 2013-04-11 04:12 1303552 ----a-w- c:\program files\Windows Journal\NBDoc.DLL
2013-07-11 04:49 . 2013-04-11 04:12 1063936 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll
2013-07-11 04:49 . 2013-04-11 04:12 1029632 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2013-07-07 17:27 . 2013-07-07 17:27 -------- d--h--w- c:\programdata\CanonIJEGV
2013-07-07 16:57 . 2013-07-13 16:13 -------- d-----w- c:\users\Michael\AppData\Roaming\Canon
2013-07-01 23:54 . 2013-07-01 23:54 -------- d-----w- C:\download
2013-07-01 23:47 . 2013-07-01 23:47 -------- d-----w- c:\users\Michael\AppData\Local\bhw
2013-07-01 23:46 . 2013-07-01 23:46 -------- d-----w- c:\program files\S3 Ripper
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2018-08-27 06:11 . 2012-06-02 14:33 132165 ----a-w- c:\windows\system32\slmgr.vbs
2013-06-28 13:52 . 2013-06-28 13:52 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-06-28 13:52 . 2013-06-28 13:52 867240 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-06-28 13:52 . 2013-06-28 13:52 789416 ----a-w- c:\windows\system32\deployJava1.dll
2013-06-27 22:04 . 2013-04-13 18:32 78200 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-27 22:04 . 2013-04-13 18:32 693112 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-06-20 15:38 . 2013-06-20 15:38 146648 ----a-w- c:\windows\system32\drivers\48230029.sys
2013-05-23 23:27 . 2013-06-12 08:19 1075200 ----a-w- c:\windows\system32\gdi32.dll
2013-05-15 22:37 . 2013-06-12 08:19 44032 ----a-w- c:\windows\system32\UXInit.dll
2013-05-15 02:24 . 2013-06-12 08:18 793088 ----a-w- c:\windows\system32\autochk.exe
2013-05-15 02:24 . 2013-06-12 08:18 482816 ----a-w- c:\windows\system32\untfs.dll
2013-05-14 09:23 . 2013-06-12 08:19 2706432 ----a-w- c:\windows\system32\mshtml.tlb
2013-05-04 05:54 . 2013-06-12 08:18 103176 ----a-w- c:\windows\system32\AuthHost.exe
2013-05-04 05:37 . 2013-06-12 08:18 52056 ----a-w- c:\windows\system32\wuauclt.exe
2013-05-04 05:20 . 2013-06-12 08:18 362240 ----a-w- c:\windows\system32\drivers\USBHUB3.SYS
2013-05-04 05:20 . 2013-06-12 08:18 238336 ----a-w- c:\windows\system32\drivers\spaceport.sys
2013-05-04 04:58 . 2013-06-12 08:18 34304 ----a-w- c:\windows\system32\wuapp.exe
2013-05-04 04:58 . 2013-06-12 08:18 1150976 ----a-w- c:\windows\system32\VSSVC.exe
2013-05-04 04:58 . 2013-06-12 08:18 758784 ----a-w- c:\windows\system32\Magnify.exe
2013-05-04 04:58 . 2013-06-12 08:18 2561536 ----a-w- c:\windows\system32\wuaueng.dll
2013-05-04 04:58 . 2013-06-12 08:18 1555456 ----a-w- c:\windows\system32\wucltux.dll
2013-05-04 04:58 . 2013-06-12 08:18 215040 ----a-w- c:\windows\system32\WUSettingsProvider.dll
2013-05-04 04:58 . 2013-06-12 08:18 83968 ----a-w- c:\windows\system32\wudriver.dll
2013-05-04 04:58 . 2013-06-12 08:18 125952 ----a-w- c:\windows\system32\wuwebv.dll
2013-05-04 04:58 . 2013-06-12 08:18 621056 ----a-w- c:\windows\system32\wuapi.dll
2013-05-04 04:57 . 2013-06-12 08:18 10788864 ----a-w- c:\windows\system32\Windows.UI.Xaml.dll
2013-05-04 04:57 . 2013-06-12 08:18 247296 ----a-w- c:\windows\system32\ubpm.dll
2013-05-04 04:57 . 2013-06-12 08:18 1049600 ----a-w- c:\windows\system32\sysmain.dll
2013-05-04 04:57 . 2013-06-12 08:18 303616 ----a-w- c:\windows\system32\stobject.dll
2013-05-04 04:57 . 2013-06-12 08:18 146944 ----a-w- c:\windows\system32\storewuauth.dll
2013-05-04 04:57 . 2013-06-12 08:18 73728 ----a-w- c:\windows\system32\psmsrv.dll
2013-05-04 04:57 . 2013-06-12 08:18 18432 ----a-w- c:\windows\system32\npmproxy.dll
2013-05-04 04:57 . 2013-06-12 08:18 371200 ----a-w- c:\windows\system32\netprofmsvc.dll
2013-05-04 04:57 . 2013-06-12 08:18 151040 ----a-w- c:\windows\system32\netplwiz.dll
2013-05-04 04:57 . 2013-06-12 08:18 115712 ----a-w- c:\windows\system32\netprofm.dll
2013-05-04 04:57 . 2013-06-12 08:18 14336 ----a-w- c:\windows\system32\muifontsetup.dll
2013-05-04 04:56 . 2013-06-12 08:18 411136 ----a-w- c:\windows\system32\mfmp4srcsnk.dll
2013-05-04 04:56 . 2013-06-12 08:18 582144 ----a-w- c:\windows\system32\gpprefcl.dll
2013-05-04 04:56 . 2013-06-12 08:18 449536 ----a-w- c:\windows\system32\DevicePairing.dll
2013-05-04 04:56 . 2013-06-12 08:18 92160 ----a-w- c:\windows\system32\biwinrt.dll
2013-05-04 04:56 . 2013-06-12 08:18 2035712 ----a-w- c:\windows\system32\authui.dll
2013-05-04 04:56 . 2013-06-12 08:18 309760 ----a-w- c:\windows\system32\BCP47Langs.dll
2013-05-04 04:56 . 2013-06-12 08:18 143360 ----a-w- c:\windows\system32\bisrv.dll
2013-05-04 04:56 . 2013-06-12 08:18 975360 ----a-w- c:\windows\system32\AppXDeploymentServer.dll
2013-05-04 04:56 . 2013-06-12 08:18 554496 ----a-w- c:\windows\system32\AppXDeploymentExtensions.dll
2013-05-04 04:55 . 2013-06-12 08:18 389632 ----a-w- c:\windows\system32\intl.cpl
2013-05-04 04:10 . 2013-06-12 08:18 14848 ----a-w- c:\windows\system32\rars.rs
2013-05-04 04:06 . 2013-06-12 08:18 320512 ----a-w- c:\windows\system32\drivers\rdbss.sys
2013-05-02 15:28 . 2013-04-13 17:42 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-05-02 08:11 . 2012-07-26 06:53 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ShareOverlay]
@="{594D4122-1F87-41E2-96C7-825FB4796516}"
[HKEY_CLASSES_ROOT\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}]
2013-04-13 03:28 611840 ----a-w- c:\program files\Classic Shell\ClassicExplorer32.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2013-06-03 19603048]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2013-07-03 108624]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-29 7625248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2013-01-27 337432]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2012-11-05 89184]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-08-21 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-08-21 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-08-21 150552]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"AirControlMonitor"="c:\program files\Ubiquiti Networks\AirControl\bin\aircontrol.exe" [2011-02-07 74240]
"DivXMediaServer"="c:\program files\DivX\DivX Media Server\DivXMediaServer.exe" [2013-05-20 450560]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2013-02-13 1263952]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"PromptOnSecureDesktop"= 0 (0x0)
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableCursorSuppression"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
.
R4 AirControl;Ubiquiti AirControl;c:\program files\Ubiquiti Networks\AirControl\bin\aircontrol.exe [2011-02-07 74240]
R4 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [2012-08-23 13672]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-04-04 418376]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2013-04-04 701512]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-04-04 22856]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A6EADE66-0000-0000-484E-7E8A45000000}]
2012-12-18 19:08 215264 ----a-w- c:\program files\Adobe\Reader 11.0\Esl\AiodLite.dll
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-30 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-04-13 08:17]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.foxnews.com/
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
IE: Show RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
TCP: DhcpNameServer = 10.1.0.1 8.8.8.8 192.168.1.1
FF - ProfilePath - c:\users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\temto84b.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.foxnews.com/
FF - ExtSQL: 2013-07-23 11:32; {23fcfd51-4958-4f00-80a3-ae97e717ed8b}; c:\program files\DivX\DivX Plus Web Player\firefox\DivXHTML5
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4d36e96d-e325-11ce-bfc1-08002be10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
@SACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(5604)
c:\windows\SYSTEM32\igd10umd32.dll
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\igfxrENU.lrc
.
Completion time: 2013-07-30 05:55:01
ComboFix-quarantined-files.txt 2013-07-30 09:54
ComboFix2.txt 2013-07-30 03:25
.
Pre-Run: 378,818,736,128 bytes free
Post-Run: 378,632,540,160 bytes free
.
- - End Of File - - 1FF9693F446EA5DA6E45D5779801DD66
445CEDAF18B640B607C7D11B34E8EC15

#8
gringo_pr

Posted 30 July 2013 - 11:35 AM

Trusted Helper

Malware Removal
7,268 posts

Hello quasarn01

I would like to see a report that combofix makes.

extra combofix report

push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
please copy and past the following into the box

C:\Qoobox\Add-Remove Programs.txt

click ok

copy and paste the report into this topic for me to review

Gringo

#9
quasarn01

Posted 30 July 2013 - 11:40 AM

Member

Topic Starter
Member
56 posts

µTorrent
Adobe Flash Player 11 Plugin
Adobe Reader XI (11.0.03)
Advanced Office Password Recovery
Aiseesoft Total Video Converter Platinum 6.3.28
Any Video Converter Professional v3.5.3 Premium Full
Artisteer 4
Audio Editor Deluxe v9.5.1
Canon MP Navigator EX 2.1
Canon MX320 series MP Drivers
Classic Shell
Collect Client
CuteFTP 9
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
DivX Setup
FileASSASSIN
Intel® Graphics Media Accelerator Driver
IP Camera Viewer 1.0
Jasc Paint Shop Pro 9
Java 7 Update 25
Java Auto Updater
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox 22.0 (x86 en-US)
Mozilla Maintenance Service
Nitro Pro 8
PowerISO
Realtek Ethernet Controller Driver
Realtek High Definition Audio Driver
RoboForm 7-9-0-0 (All Users)
S3 Ripper 2.0
Secunia PSI (3.0.0.7009)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition
Skype Click to Call
Skype™ 6.5
Synaptics Pointing Device Driver
TOSHIBA Disc Creator
TurboTax 2012
TurboTax 2012 WinPerFedFormset
TurboTax 2012 WinPerReleaseEngine
TurboTax 2012 WinPerTaxSupport
TurboTax 2012 wrapper
Ubiquiti AirControl (remove only)
Update for Microsoft Office 2010 (KB2553092)
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
VC80CRTRedist - 8.0.50727.6195
VLC media player 2.0.7
WinRAR 4.20 (32-bit)
Word List Expert 2.0.1

#10
gringo_pr

Posted 30 July 2013 - 04:13 PM

Trusted Helper

Malware Removal
7,268 posts

Hello

These logs are looking allot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

Clean Out Temp Files

This small application you may want to keep and use once a week to keep the computer clean.

Download CCleaner from here CCleaner
Run the installer to install the application.
When it gives you the option to install Yahoo toolbar uncheck the box next to it.
Run CCleaner. default settings are fine
Click Run Cleaner.
Close CCleaner.

: Malwarebytes' Anti-Malware :

I see that you have MBAM installed - That is great!! and at this time I would like you to update it and run me a quick scan

Double-click mbam icon
go to the update tab at the top
click on check for updates
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
When completed, a log will open in Notepad. please copy and paste the log into your next reply
If you accidentally close it, the log file is saved here and will be named like this:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download HijackThis

Go Here to download HijackThis program
Save HijackThis to your desktop.
Right Click on Hijackthis and select "Run as Admin" (XP users just need to double click to run)
Click on "Do A system scan and save a logfile" (if you do not see "Do A system scan and save a logfile" then click on main menu)
copy and paste hijackthis report into the topic

"information and logs"

In your next post I need the following

Log From MBAM
report from Hijackthis
let me know of any problems you may have had
How is the computer doing now?

Gringo

#11
quasarn01

Posted 30 July 2013 - 04:44 PM

Member

Topic Starter
Member
56 posts

Had no problems running the two programs... Below is the two reports... Computer still seems to be running fine... So farr, no ads or popups...

*************************************************************
Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.07.30.10

Windows 8 x86 NTFS
Internet Explorer 10.0.9200.16635
Michael :: MICHAEL [administrator]

Protection: Enabled

7/30/2013
mbam-log-2013-07-30 (18-28-44).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 230316
Time elapsed: 7 minute(s), 44 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\Michael\Downloads\S3RipperSetup.exe (PUP.Optional.4Squared) -> Quarantined and deleted successfully.

(end)

******************************************************
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at , on
Platform: Unknown Windows (WinNT 6.02.1008)
MSIE: Internet Explorer v10.0 (10.00.9200.16537)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\taskhostex.exe
C:\WINDOWS\system32\taskhost.exe
C:\Program Files\Classic Shell\ClassicStartMenu.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Windows\System32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Users\Michael\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft..../?LinkId=255141
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
O2 - BHO: ExplorerBHO Class - {449D0D6E-2412-4E61-B68F-1CB625CD9E52} - C:\Program Files\Classic Shell\ClassicExplorer32.dll
O2 - BHO: RoboForm BHO - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office14\GROOVEEX.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~1\Office14\URLREDIR.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O2 - BHO: ClassicIE9BHO Class - {EA801577-E6AD-4BD5-8F71-4BE0154331A4} - C:\Program Files\Classic Shell\ClassicIE9DLL_32.dll
O3 - Toolbar: &RoboForm Toolbar - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE -startup
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [AirControlMonitor] "C:\Program Files\Ubiquiti Networks\AirControl\bin\aircontrol.exe" //MS//AirControl
O4 - HKLM\..\Run: [DivXMediaServer] C:\Program Files\DivX\DivX Media Server\DivXMediaServer.exe
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~1\Office14\ONBttnIE.dll/105
O8 - Extra context menu item: Show RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O9 - Extra button: (no name) - {56753E59-AF1D-4FBA-9E15-31557124ADA2} - C:\Program Files\Classic Shell\ClassicIE9_32.exe
O9 - Extra 'Tools' menuitem: Classic IE9 Settings - {56753E59-AF1D-4FBA-9E15-31557124ADA2} - C:\Program Files\Classic Shell\ClassicIE9_32.exe
O9 - Extra button: (no name) - {64964764-1101-4bbd-8891-B56B1A53B9B3} - C:\Program Files\Classic Shell\ClassicExplorer32.dll
O9 - Extra button: Show Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O9 - Extra 'Tools' menuitem: Show RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Classic Shell Service (ClassicShellService) - IvoSoft - C:\Program Files\Classic Shell\ClassicShellService.exe
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: NitroPDFDriverCreatorReadSpool8 (NitroDriverReadSpool8) - Nitro PDF Software - C:\Program Files\Nitro\Pro 8\NitroPDFDriverService8.exe
O23 - Service: Secunia PSI Agent - Secunia - C:\Program Files\Secunia\PSI\PSIA.exe
O23 - Service: Secunia Update Agent - Secunia - C:\Program Files\Secunia\PSI\sua.exe
O23 - Service: Skype C2C Service - Skype Technologies S.A. - C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe

--
End of file - 8601 bytes

#12
gringo_pr

Posted 30 July 2013 - 07:22 PM

Trusted Helper

Malware Removal
7,268 posts

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

Run HijackThis (rightclick and run as admin)
Click on the Scan button
Put a check beside all of the items listed below (if present):
- O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE -startup
  O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
  O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
  O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
  O4 - HKLM\..\Run: [DivXMediaServer] C:\Program Files\DivX\DivX Media Server\DivXMediaServer.exe
  O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.

NOTE**You can research each of those lines >here< and see if you want to keep them or not
just copy the name between the brackets and paste into the search space
O4 - HKLM\..\Run: [IntelliPoint]

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scanner from ESET.

Turn off the real time scanner of any existing antivirus program while performing the online scan
click on the Run ESET Online Scanner button
Tick the box next to YES, I accept the Terms of Use.
- Click Start
When asked, allow the add/on to be installed
- Click Start
Make sure that the option Remove found threats is unticked
Click on Advanced Settings, ensure the options
Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
Click Scan
wait for the virus definitions to be downloaded
Wait for the scan to finish

When the scan is complete

If no threats were found
put a checkmark in "Uninstall application on close"
close program
report to me that nothing was found

If threats were found
click on "list of threats found"
click on "export to text file" and save it as ESET SCAN and save to the desktop
Click on back
put a checkmark in "Uninstall application on close"
click on finish
close program
copy and paste the report here

Gringo

#13
quasarn01

Posted 31 July 2013 - 01:27 AM

Member

Topic Starter
Member
56 posts

C:\TRAVEL E\Office 2010 Toolkit.exe a variant of MSIL/HackKMS.A application
C:\TRAVEL E\Mary Ann\Downloads\MusicSetup.exe Win32/Toolbar.Crawler.A application
C:\TRAVEL E\Microsoft Office 2010 Activator\Office 2010 Toolkit.exe a variant of MSIL/HackKMS.A application
C:\Users\Michael\AppData\Local\Toshiba Drivers Update Utility For Windows 7\driverlib.dll Win32/DriverBoss.B application
C:\Users\Michael\AppData\Local\Toshiba Drivers Update Utility For Windows 7\liveupdate.7z.exe Win32/DriverBoss.B application
C:\Users\Michael\Downloads\CodecPerformerSetup.exe a variant of Win32/InstallBrain.AJ application
C:\Users\Michael\Downloads\Setup(1).exe a variant of Win32/Adware.iBryte.G application
C:\Users\Michael\Downloads\toshiba-drivers-update-utility.exe Win32/DriverBoss.B application
C:\Users\Michael\Downloads\CuteFTP Pro 9\Crack\Patch\Patch_CuteFtp.exe a variant of Win32/HackTool.Patcher.T application
C:\Users\Michael\Downloads\Microsoft Office 2010 Activator\Office 2010 Toolkit.exe a variant of MSIL/HackKMS.A application

#14
gringo_pr

Posted 31 July 2013 - 09:26 AM

Trusted Helper

Malware Removal
7,268 posts

Hello quasarn01

There are some minor things in your online scan that should be removed.

delete files

Copy all text in the code box (below)...to Notepad.

@echo off
del /f /s /q "C:\TRAVEL E\Office 2010 Toolkit.exe"
del /f /s /q "C:\TRAVEL E\Mary Ann\Downloads\MusicSetup.exe"
del /f /s /q "C:\TRAVEL E\Microsoft Office 2010 Activator\Office 2010 Toolkit.exe"
del /f /s /q "C:\Users\Michael\AppData\Local\Toshiba Drivers Update Utility For Windows 7\driverlib.dll"
del /f /s /q "C:\Users\Michael\AppData\Local\Toshiba Drivers Update Utility For Windows 7\liveupdate.7z.exe"
del /f /s /q "C:\Users\Michael\Downloads\CodecPerformerSetup.exe"
del /f /s /q "C:\Users\Michael\Downloads\Setup(1).exe"
del /f /s /q "C:\Users\Michael\Downloads\toshiba-drivers-update-utility.exe"
del /f /s /q "C:\Users\Michael\Downloads\CuteFTP Pro 9\Crack\Patch\Patch_CuteFtp.exe"
del /f /s /q "C:\Users\Michael\Downloads\Microsoft Office 2010 Activator\Office 2010 Toolkit.exe"
del %0

Save the Notepad file on your desktop...as delfile.bat... save type as "All Files"
It should look like this: <--XP<--vista
Double click on delfile.bat to execute it.
A black CMD window will flash, then disappear...this is normal.
The files and folders, if found...will have been deleted and the "delfile.bat" file will also be deleted.

The rest of the Online scan is only reporting backups created during the course of this fix C:\Qoobox\Quarantine\, and/or items located in System Restore's cache C:\System Volume Information\, Whatever is in these folders can't harm you unless you choose to perform a manual restore. the following steps will remove these backups.

Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.

:Why we need to remove some of our tools:

Some of the tools we have used to clean your computer were made by fellow malware fighters and are very powerful and if used incorrectly or at the wronge time can make the computer an expensive paper weight.
They are updated all the time and some of them more than once a day so by the time you are ready to use them again they will already be outdated.

The following procedures will implement some cleanup procedures to remove these tools. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.
:DeFogger:

Note** Defogger only needs to be run if it was run when we first started. If you have not already run it then skip this.

To re-enable your Emulation drivers, double click DeFogger to run the tool.
The application window will appear
Click the Re-enable button to re-enable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will appear
Click OK
DeFogger will now ask to reboot the machine - click OK.

Your Emulation drivers are now re-enabled.

:Uninstall ComboFix:

turn off all active protection software
push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
please copy and past the following into the box ComboFix /Uninstall and click OK.
Note the space between the X and the /Uninstall, it needs to be there.

:Remove the rest of our tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.

Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.
If asked to restart the computer, please do so

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

:The programs you can keep:

Some of the programs that we have used would be a good idea to keep and used often in helping to keep the computer clean. I use these programs on my computer.

Revo Uninstaller Free - this is the uninstaller that I had you download and works allot better than add/remove in windows and has saved me more than once from corrupted installs and uninstalls

CCleaner - This is a good program to clean out temp files, I would use this once a week or before any malware scan to remove unwanted temp files - It has a built in registry cleaner but I would leave that alone and not use any registry cleaner

Malwarebytes' Anti-Malware The Gold standerd today in antimalware scanners

:Security programs:

One of the questions I am asked all the time is "What programs do you use" I have at this time 4 computers in my home and I have this setup on all 4 of them.

Microsoft Security Essentials - provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.
WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
totally free but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recomend keeping it and using often. (I have upgraded to the paid version of MBAM and I am glad I did)

Note** If you decide to install MSE you will need to uninstall your present Antivirus

:Security awareness:

It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
Strong passwords: How to create and use them Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

As Java seems to get exploited on a daily basis I advise to disable java in your web browsers - How to disable java in your web browsers - Disable Java

The other question I am asked all the time is "How can I prevent this from happening again." and the short answer to that is to be aware of what is out there and how to start spotting dangers.

Here are some articles that are must reads and should be read by everybody in your household that uses the internet

internetsafety

Internet Safety for Kids

Here is some more reading for you from some of my colleges

PC Safety and Security - What Do I Need? from my friends at Tech Support Forum

COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

quoted from Tech Support Forum

Conclusion

There is no such thing as 'perfect security'. This applies to many things, not just computer systems. Using the above guide you should be able to take all the reasonable steps you can to prevent infection. However, the most important part of all this is you, the user. Surf sensibly and think before you download a file or click on a link. Take a few moments to assess the possible risks and you should be able to enjoy all the internet has to offer.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->