iexplorer keeps replicating creating large files

**blueskygal** · 2014-07-23, 06:18

Malwarebytes Anti-Rootkit BETA 1.07.0.1012
www.malwarebytes.org

Database version: v2014.07.22.11

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Colleen :: COLLEEN-PC [administrator]

7/22/2014 4:55:23 PM
mbar-log-2014-07-22 (16-55-23).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 270027
Time elapsed: 1 hour(s), 13 minute(s), 3 second(s)

Memory Processes Detected: 5
C:\Users\Colleen\AppData\Roaming\Cuanhoe\ufoqd.exe (Trojan.FakeJav) -> 3484 -> Delete on reboot. [c5dc9d033249ad89c1d7bfe0ec15b64a]
C:\Users\Colleen\AppData\Roaming\Ezwuan\wyidwyu.exe (Spyware.Zbot.MSXGen) -> 5728 -> Delete on reboot. [6a37158bfc7f81b5277bb0e9c938ef11]
C:\Users\Colleen\AppData\Roaming\Ezwuan\wyidwyu.exe (Spyware.Zbot.MSXGen) -> 2676 -> Delete on reboot. [6a37158bfc7f81b5277bb0e9c938ef11]
C:\Users\Colleen\AppData\Roaming\Ezwuan\wyidwyu.exe (Spyware.Zbot.MSXGen) -> 3468 -> Delete on reboot. [6a37158bfc7f81b5277bb0e9c938ef11]
C:\Users\Colleen\AppData\Roaming\Ezwuan\wyidwyu.exe (Spyware.Zbot.MSXGen) -> 1664 -> Delete on reboot. [6a37158bfc7f81b5277bb0e9c938ef11]

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 2
HKU\S-1-5-21-2114738196-1747254254-1146559385-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Zeyqaqupi (Trojan.FakeJav) -> Data: C:\Users\Colleen\AppData\Roaming\Cuanhoe\ufoqd.exe -> Delete on reboot. [c5dc9d033249ad89c1d7bfe0ec15b64a]
HKU\S-1-5-21-2114738196-1747254254-1146559385-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Tutimox (Spyware.Zbot.MSXGen) -> Data: C:\Users\Colleen\AppData\Roaming\Ezwuan\wyidwyu.exe -> Delete on reboot. [6a37158bfc7f81b5277bb0e9c938ef11]

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 11
C:\Users\Colleen\AppData\Roaming\Cuanhoe\ufoqd.exe (Trojan.FakeJav) -> Delete on reboot. [c5dc9d033249ad89c1d7bfe0ec15b64a]
C:\Users\Colleen\AppData\Roaming\Ezwuan\wyidwyu.exe (Spyware.Zbot.MSXGen) -> Delete on reboot. [6a37158bfc7f81b5277bb0e9c938ef11]
C:\Users\Colleen\AppData\Roaming\Epokzyu\iplozy.exe (Trojan.FakeJav) -> Delete on reboot. [960bb6ea1b60e74f41575b44b34ef60a]
C:\Users\Colleen\AppData\Roaming\Navovy\someazr.exe (Trojan.FakeJav) -> Delete on reboot. [861b6040a8d3c2743a5e752aa06114ec]
C:\Users\Colleen\AppData\Local\Temp\UpdateFlashPlayer_6245cbb3.exe (Trojan.FakeJav) -> Delete on reboot. [831e5f412259e4528e0a7b2406fbee12]
C:\Users\Colleen\AppData\Local\Temp\UpdateFlashPlayer_7594fd13.exe (Trojan.FakeJav) -> Delete on reboot. [0d942a76cbb00f27b3e5e3bc5ba66c94]
C:\Users\Colleen\AppData\Local\Temp\UpdateFlashPlayer_b7ea92bf.exe (Spyware.Zbot.MSXGen) -> Delete on reboot. [0b96346c2a519f97d8cabcddae53ce32]
C:\Users\Colleen\AppData\Local\Temp\UpdateFlashPlayer_dcfc098d.exe (Spyware.Zbot.MSXGen) -> Delete on reboot. [acf5d5cb7cff67cff3afb8e100013dc3]
C:\Users\Colleen\AppData\Local\Temp\UpdateFlashPlayer_01f3c46a.exe (Trojan.FakeJav) -> Delete on reboot. [643dedb358230531138519869a677a86]
C:\Windows\Tasks\Security Center Update - 3385068857.job (Trojan.Agent.RvGen) -> Delete on reboot. [3c65b6eac0bbec4a4743a54b2bd85da3]
C:\Windows\Tasks\Security Center Update - 4280870395.job (Trojan.Agent.RvGen) -> Delete on reboot. [524fbbe53546330381097b75af54758b]

Physical Sectors Detected: 0
(No malicious items detected)

(end)

**blueskygal** · 2014-07-23, 06:20

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version:21-07-2014
Ran by Colleen at 2014-07-22 19:28:39 Run:1
Running from C:\Users\Colleen\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
HKU\S-1-5-21-2114738196-1747254254-1146559385-1000\...\Run: [sljwnape] => C:\Users\Colleen\AppData\Local\iogossul.exe [147456 2014-07-11] ()
HKU\S-1-5-21-2114738196-1747254254-1146559385-1000\...\Run: [cqibmelw] => C:\Users\Colleen\AppData\Local\aeqltsel.exe [131072 2014-06-27] ()
HKU\S-1-5-21-2114738196-1747254254-1146559385-1000\...\Run: [gkbqtgfq] => C:\Users\Colleen\AppData\Local\soisaqtj.exe [88064 2014-07-11] ()
HKU\S-1-5-21-2114738196-1747254254-1146559385-1000\...\Run: [Ummuyqdayb] => C:\Users\Colleen\AppData\Roaming\Eporgoeb\eqibb.exe [348160 2007-02-24] ()
HKU\S-1-5-21-2114738196-1747254254-1146559385-1000\...\InprocServer32: [Default-pngfilt] <==== ATTENTION!
URLSearchHook: HKLM - (No Name) - {9ee802e8-c931-47ab-b570-aa8f791598ca} - No File
URLSearchHook: HKCU - (No Name) - {9ee802e8-c931-47ab-b570-aa8f791598ca} - No File
SearchScopes: HKLM - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT1641676
SearchScopes: HKCU - {95B7759C-8C7F-4BF1-B163-73684A933233} URL = http://isearch.avg.com/search?cid={E193F4C5-F373-46B8-B35A-B3DEFCDD880B}&mid=c69ac0678e2d6391eb38988c0bd4732a-43718684b57e539fbe5a9a735e71288613c12102&lang=us&ds=AVG&pr=fr&d=2013-06-04 11:40:48&v=15.2.0.5&pid=avg&sg=&sap=dsp&q={searchTerms}
SearchScopes: HKCU - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT1641676
Toolbar: HKLM - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
Toolbar: HKCU - No Name - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Toolbar: HKCU - No Name - {9EE802E8-C931-47AB-B570-AA8F791598CA} - No File
Toolbar: HKCU - No Name - {A057A204-BACC-4D26-9990-79A187E2698E} - No File
Toolbar: HKCU - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
Toolbar: HKCU - No Name - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
2014-07-16 15:10 - 2014-07-16 15:10 - 00087040 _____ () C:\Users\Colleen\AppData\Local\smqnnerw.exe
2014-07-16 15:08 - 2014-07-16 15:08 - 00094216 _____ () C:\Users\Colleen\AppData\Local\atmjwxqq.exe
2014-07-16 15:06 - 2014-07-16 15:06 - 00094216 _____ () C:\Users\Colleen\AppData\Local\qxnqwijv.exe
2014-07-11 15:46 - 2014-07-11 15:46 - 00088064 _____ () C:\Users\Colleen\AppData\Local\soisaqtj.exe
2014-07-11 15:44 - 2014-07-11 15:44 - 00094216 _____ () C:\Users\Colleen\AppData\Local\flqidrgp.exe
2014-06-28 08:19 - 2014-06-28 08:19 - 00114696 _____ () C:\Users\Colleen\AppData\Local\knxdsdhe.exe
2014-06-27 17:29 - 2014-06-27 17:30 - 00000000 ____D () C:\Users\Colleen\AppData\Roaming\Iryhwed
2014-06-27 13:31 - 2014-06-27 13:31 - 00131072 _____ () C:\Users\Colleen\AppData\Local\aeqltsel.exe
2014-06-26 17:59 - 2014-07-11 16:00 - 00147456 _____ () C:\Users\Colleen\AppData\Local\iogossul.exe
2014-06-26 11:12 - 2014-06-26 11:14 - 00000000 ____D () C:\Users\Colleen\AppData\Roaming\Keakil
2014-06-25 11:54 - 2014-06-25 11:54 - 00068609 _____ () C:\Users\Colleen\AppData\Local\ffageekw
2014-07-11 15:04 - 2014-07-11 15:04 - 00081928 _____ (Google Inc.) C:\Users\Colleen\AppData\Local\ljvwdkwk.exe
2014-07-12 10:04 - 2014-07-12 10:04 - 00081928 _____ (Google Inc.) C:\Users\Colleen\AppData\Local\kbiqnamh.exe
C:\Users\Colleen\lametritonus_en.dll
C:\Users\Colleen\lame_enc_en.dll
C:\Users\Colleen\AppData\Local\Temp\UpdateFlashPlayer_2344ce11.exe
C:\Users\Colleen\AppData\Local\Temp\{5E271BDF-0DFA-41F1-A223-EDC0089639EC}.exe
HKU\S-1-5-21-2114738196-1747254254-1146559385-1000\...\Run: [Zeureqte] => C:\Users\Colleen\AppData\Roaming\Imcega\aziwawy.exe [433378 2008-04-06] (Masnesaft Corporation)
HKU\S-1-5-21-2114738196-1747254254-1146559385-1000\...\Run: [ikudaofn] => C:\Users\Colleen\AppData\Local\xwaieusa.exe [101376 2014-07-17] ()
2014-07-17 15:14 - 2014-07-17 15:14 - 00000000 ____D () C:\Users\Colleen\AppData\Roaming\Wyezro
2014-07-17 14:55 - 2014-07-17 14:55 - 00000000 ____D () C:\Users\Colleen\AppData\Roaming\Untuyr
2014-07-17 13:38 - 2014-07-17 13:38 - 00101376 _____ () C:\Users\Colleen\AppData\Local\xwaieusa.exe
2014-07-17 13:26 - 2014-07-17 13:26 - 00000000 ____D () C:\Users\Colleen\AppData\Roaming\Imcega
2014-07-16 15:10 - 2014-07-16 15:10 - 00087040 _____ () C:\Users\Colleen\AppData\Local\smqnnerw.exe
2014-07-16 15:08 - 2014-07-16 15:08 - 00094216 _____ () C:\Users\Colleen\AppData\Local\atmjwxqq.exe
2014-07-16 15:06 - 2014-07-16 15:06 - 00094216 _____ () C:\Users\Colleen\AppData\Local\qxnqwijv.exe
2014-07-12 10:04 - 2014-07-12 10:04 - 00081928 _____ (Google Inc.) C:\Users\Colleen\AppData\Local\kbiqnamh.exe
2014-07-11 20:35 - 2014-07-11 20:35 - 00000000 ____D () C:\Users\Colleen\AppData\Roaming\Eporgoeb
2014-07-11 15:04 - 2014-07-11 15:04 - 00081928 _____ (Google Inc.) C:\Users\Colleen\AppData\Local\ljvwdkwk.exe
2014-06-28 08:19 - 2014-06-28 08:19 - 00114696 _____ () C:\Users\Colleen\AppData\Local\knxdsdhe.exe
C:\Users\Colleen\AppData\Local\Temp\UpdateFlashPlayer_0cddd156.exe
C:\Users\Colleen\AppData\Local\Temp\UpdateFlashPlayer_2344ce11.exe
C:\Users\Colleen\AppData\Local\Temp\UpdateFlashPlayer_69fc6670.exe
C:\Users\Colleen\AppData\Local\Temp\UpdateFlashPlayer_6ce0d775.exe
C:\Users\Colleen\AppData\Local\Temp\UpdateFlashPlayer_f395e78b.exe
*****************

HKU\S-1-5-21-2114738196-1747254254-1146559385-1000\Software\Microsoft\Windows\CurrentVersion\Run\\sljwnape => Value not found.
HKU\S-1-5-21-2114738196-1747254254-1146559385-1000\Software\Microsoft\Windows\CurrentVersion\Run\\cqibmelw => Value not found.
HKU\S-1-5-21-2114738196-1747254254-1146559385-1000\Software\Microsoft\Windows\CurrentVersion\Run\\gkbqtgfq => value deleted successfully.
HKU\S-1-5-21-2114738196-1747254254-1146559385-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Ummuyqdayb => Value not found.
'HKU\S-1-5-21-2114738196-1747254254-1146559385-1000\Software\Classes\CLSID\{A3CCEDF7-2DE2-11D0-86F4-00A0C913F750}' => Key deleted successfully.
HKLM\Software\Microsoft\Internet Explorer\URLSearchHooks\\{9ee802e8-c931-47ab-b570-aa8f791598ca} => value deleted successfully.
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\\{9ee802e8-c931-47ab-b570-aa8f791598ca} => value deleted successfully.
'HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}' => Key deleted successfully.
'HKCR\CLSID\{afdbddaa-5d3f-42ee-b79c-185a7020515b}'=> Key not found.
'HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}' => Key deleted successfully.
'HKCR\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}'=> Key not found.
'HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}' => Key deleted successfully.
'HKCR\CLSID\{afdbddaa-5d3f-42ee-b79c-185a7020515b}'=> Key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} => value deleted successfully.
'HKCR\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}'=> Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{F0F8ECBE-D460-4B34-B007-56A92E8F84A7} => value deleted successfully.
'HKCR\CLSID\{F0F8ECBE-D460-4B34-B007-56A92E8F84A7}'=> Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value deleted successfully.
'HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}'=> Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{9EE802E8-C931-47AB-B570-AA8F791598CA} => value deleted successfully.
'HKCR\CLSID\{9EE802E8-C931-47AB-B570-AA8F791598CA}'=> Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{A057A204-BACC-4D26-9990-79A187E2698E} => value deleted successfully.
'HKCR\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}'=> Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} => value deleted successfully.
'HKCR\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}'=> Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} => value deleted successfully.
'HKCR\CLSID\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}'=> Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} => value deleted successfully.
'HKCR\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}' => Key deleted successfully.
"C:\Users\Colleen\AppData\Local\smqnnerw.exe" => File/Directory not found.
"C:\Users\Colleen\AppData\Local\atmjwxqq.exe" => File/Directory not found.
"C:\Users\Colleen\AppData\Local\qxnqwijv.exe" => File/Directory not found.
C:\Users\Colleen\AppData\Local\soisaqtj.exe => Moved successfully.
"C:\Users\Colleen\AppData\Local\flqidrgp.exe" => File/Directory not found.
"C:\Users\Colleen\AppData\Local\knxdsdhe.exe" => File/Directory not found.
C:\Users\Colleen\AppData\Roaming\Iryhwed => Moved successfully.
"C:\Users\Colleen\AppData\Local\aeqltsel.exe" => File/Directory not found.
"C:\Users\Colleen\AppData\Local\iogossul.exe" => File/Directory not found.
C:\Users\Colleen\AppData\Roaming\Keakil => Moved successfully.
C:\Users\Colleen\AppData\Local\ffageekw => Moved successfully.
"C:\Users\Colleen\AppData\Local\ljvwdkwk.exe" => File/Directory not found.
"C:\Users\Colleen\AppData\Local\kbiqnamh.exe" => File/Directory not found.
C:\Users\Colleen\lametritonus_en.dll => Moved successfully.
C:\Users\Colleen\lame_enc_en.dll => Moved successfully.
"C:\Users\Colleen\AppData\Local\Temp\UpdateFlashPlayer_2344ce11.exe" => File/Directory not found.
C:\Users\Colleen\AppData\Local\Temp\{5E271BDF-0DFA-41F1-A223-EDC0089639EC}.exe => Moved successfully.
HKU\S-1-5-21-2114738196-1747254254-1146559385-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Zeureqte => Value not found.
HKU\S-1-5-21-2114738196-1747254254-1146559385-1000\Software\Microsoft\Windows\CurrentVersion\Run\\ikudaofn => Value not found.
C:\Users\Colleen\AppData\Roaming\Wyezro => Moved successfully.
C:\Users\Colleen\AppData\Roaming\Untuyr => Moved successfully.
"C:\Users\Colleen\AppData\Local\xwaieusa.exe" => File/Directory not found.
C:\Users\Colleen\AppData\Roaming\Imcega => Moved successfully.
"C:\Users\Colleen\AppData\Local\smqnnerw.exe" => File/Directory not found.
"C:\Users\Colleen\AppData\Local\atmjwxqq.exe" => File/Directory not found.
"C:\Users\Colleen\AppData\Local\qxnqwijv.exe" => File/Directory not found.
"C:\Users\Colleen\AppData\Local\kbiqnamh.exe" => File/Directory not found.
C:\Users\Colleen\AppData\Roaming\Eporgoeb => Moved successfully.
"C:\Users\Colleen\AppData\Local\ljvwdkwk.exe" => File/Directory not found.
"C:\Users\Colleen\AppData\Local\knxdsdhe.exe" => File/Directory not found.
"C:\Users\Colleen\AppData\Local\Temp\UpdateFlashPlayer_0cddd156.exe" => File/Directory not found.
"C:\Users\Colleen\AppData\Local\Temp\UpdateFlashPlayer_2344ce11.exe" => File/Directory not found.
"C:\Users\Colleen\AppData\Local\Temp\UpdateFlashPlayer_69fc6670.exe" => File/Directory not found.
"C:\Users\Colleen\AppData\Local\Temp\UpdateFlashPlayer_6ce0d775.exe" => File/Directory not found.
"C:\Users\Colleen\AppData\Local\Temp\UpdateFlashPlayer_f395e78b.exe" => File/Directory not found.

==== End of Fixlog ====

**blueskygal** · 2014-07-23, 06:21

ComboFix 14-07-22.01 - Colleen 07/22/2014 20:21:23.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2037.1160 [GMT -7:00]
Running from: c:\users\Colleen\Desktop\ComboFix.exe
AV: Spybot - Search and Destroy *Disabled/Updated* {20A26C15-1AF0-7CA3-9380-FAB824A7EE0D}
SP: Spybot - Search and Destroy *Disabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\SPL227.tmp
c:\programdata\SPL3BF5.tmp
c:\programdata\SPL41D8.tmp
c:\programdata\SPL4924.tmp
c:\programdata\SPL8263.tmp
c:\programdata\SPL9201.tmp
c:\programdata\SPLAB5B.tmp
c:\programdata\SPLAFA5.tmp
c:\programdata\SPLC69E.tmp
c:\programdata\SPLDA2C.tmp
c:\programdata\SPLE071.tmp
c:\programdata\SPLEC0B.tmp
c:\programdata\SPLEDB3.tmp
c:\programdata\SPLF8B9.tmp
c:\users\Colleen\AppData\Local\suftslwg.exe
c:\users\Colleen\Documents\~WRL3512.tmp
c:\users\Colleen\g2mdlhlpx.exe
.
.
((((((((((((((((((((((((( Files Created from 2014-06-23 to 2014-07-23 )))))))))))))))))))))))))))))))
.
.
2014-07-23 03:37 . 2014-07-23 03:37 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-07-23 02:27 . 2014-07-23 02:27 -------- d-----w- c:\users\Colleen\AppData\Roaming\Uccini
2014-07-23 00:27 . 2014-07-23 00:27 -------- d-----w- c:\users\Colleen\AppData\Roaming\Ewpuzagi
2014-07-22 23:53 . 2014-07-23 02:18 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-07-22 23:53 . 2014-07-22 23:53 113880 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-07-22 23:50 . 2014-07-22 23:50 75480 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-07-22 23:46 . 2014-07-23 01:18 -------- d-----w- c:\users\Colleen\AppData\Roaming\Ezwuan
2014-07-22 02:12 . 2014-07-23 01:13 -------- d-----w- c:\users\Colleen\AppData\Roaming\Navovy
2014-07-22 01:56 . 2014-07-23 01:13 -------- d-----w- c:\users\Colleen\AppData\Roaming\Epokzyu
2014-07-22 00:13 . 2014-07-23 01:18 -------- d-----w- c:\users\Colleen\AppData\Roaming\Cuanhoe
2014-07-18 22:12 . 2014-07-22 03:08 -------- d-----w- c:\users\Colleen\AppData\Roaming\Ydukyk
2014-07-18 22:10 . 2014-07-22 03:12 -------- d-----w- c:\users\Colleen\AppData\Roaming\Behymu
2014-07-11 23:02 . 2014-07-11 23:02 -------- d-----w- C:\TDSSKiller_Quarantine
2014-07-10 20:26 . 2014-07-23 02:30 -------- d-----w- C:\FRST
2014-07-01 17:04 . 2014-07-01 17:04 -------- d-----w- c:\program files\ERUNT
2014-06-29 20:07 . 2014-06-29 20:07 110296 ----a-w- c:\windows\system32\drivers\48230029.sys
2014-06-27 23:29 . 2013-09-20 17:49 18968 ----a-w- c:\windows\system32\sdnclean.exe
2014-06-27 23:29 . 2014-06-28 04:32 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2014-06-27 23:29 . 2014-06-28 00:14 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2014-06-27 19:54 . 2014-06-27 21:01 -------- d-----w- c:\program files\CCleaner
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-07-11 23:43 . 2013-06-04 18:29 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-07-11 23:43 . 2013-06-04 18:29 699056 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-04-26 16:01 . 2014-06-11 01:25 502784 ----a-w- c:\windows\system32\usp10.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\users\Colleen\AppData\Roaming\mjusbsp\cdloader2.exe" [2012-02-01 50592]
"Advanced SystemCare 6"="c:\program files\IObit\Advanced SystemCare 6\ASCTray.exe" [2013-04-19 491840]
"HP Deskjet 3510 series (NET)"="c:\program files\HP\HP Deskjet 3510 series\Bin\ScanToPCActivationApp.exe" [2012-10-17 1837672]
"Amazon Cloud Player"="c:\users\Colleen\AppData\Local\Amazon Cloud Player\Amazon Music Helper.exe" [2014-05-08 3145536]
"Spybot-S&D Cleaning"="c:\program files\Spybot - Search & Destroy 2\SDCleaner.exe" [2014-04-25 4566984]
"Ykifowuhmia"="c:\users\Colleen\AppData\Roaming\Uccini\tuizu.exe" [2014-03-15 433298]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXCJCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCJtime.dll" [2006-11-21 106496]
"CommonToolkitTray"="c:\program files\Fighters\Tray\FightersTray.exe" [2013-04-29 1497120]
"sfagent"="c:\program files\Fighters\SPAMfighter\sfagent.exe" [2013-06-14 1065504]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 3784704]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-10-28 49208]
"TkBellExe"="c:\program files\Real\realplayer\update\realsched.exe" [2014-03-12 295512]
"DivXMediaServer"="c:\program files\DivX\DivX Media Server\DivXMediaServer.exe" [2014-02-14 450560]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2014-01-10 1861968]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2014-04-25 4101584]
.
c:\users\Colleen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
EfficientPIM.lnk - c:\program files\EfficientPIM\EfficientPIM.exe /startup [2014-2-10 14546088]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE %SystemRoot%\ERDNT\AutoBackup\#Date# /noconfirmdelete /noprogresswindow [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^BDARemote.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\BDARemote.lnk
backup=c:\windows\pss\BDARemote.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Colleen^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Colleen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^Colleen^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^RCA Detective.lnk]
path=c:\users\Colleen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RCA Detective.lnk
backup=c:\windows\pss\RCA Detective.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00TCrdMain]
2006-11-29 04:05 523952 ----a-w- c:\program files\Toshiba\FlashCards\TCrdMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
2012-02-01 17:36 50592 ----a-w- c:\users\Colleen\AppData\Roaming\mjusbsp\cdloader2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
2007-05-08 23:13 103344 ----a-w- c:\program files\Lexmark 8300 Series\ezprint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-01-25 03:35 133104 ----atw- c:\users\Colleen\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-02-12 03:13 166424 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HSON]
2006-11-28 20:19 52912 ----a-w- c:\program files\Toshiba\TBS\HSON.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HWSetup]
2006-11-01 16:06 413696 ----a-w- c:\program files\Toshiba\Utilities\HWSetup.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-02-12 03:13 141848 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-01-06 20:06 290088 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
2006-12-08 22:16 65536 ----a-w- c:\hp\KBD\KbdStub.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
2005-12-16 10:41 188416 ----a-w- c:\program files\ltmoh\ltmoh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXCJCATS]
2006-11-21 20:27 106496 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\lxcjtime.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcjmon.exe]
2007-05-08 23:09 205744 ----a-w- c:\program files\Lexmark 8300 Series\lxcjmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp10.0]
2001-07-25 17:00 241714 ----a-w- c:\program files\Microsoft Money\System\Activation.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-02-12 03:13 133656 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PINGER]
2006-07-20 20:45 151552 ----a-w- c:\toshiba\IVP\ISM\pinger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 23:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2006-11-09 17:57 3784704 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
2006-11-20 20:15 446128 ----a-w- c:\program files\Toshiba\SmoothView\SmoothView.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-05-07 00:04 2017280 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SVPWUTIL]
2006-01-19 00:06 421888 ----a-w- c:\program files\Toshiba\Utilities\SVPWUTIL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2009-03-20 14:36 1451304 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPwrMain]
2006-11-23 01:08 409264 ----a-w- c:\program files\Toshiba\Power Saver\TPwrMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WrtMon.exe]
2006-09-20 15:35 20480 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\WrtMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
.
S2 AdvancedSystemCareService6;Advanced SystemCare Service 6;c:\program files\IObit\Advanced SystemCare 6\ASCService.exe [2013-04-18 574272]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2014-07-23 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-06-04 23:43]
.
2014-07-23 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2014-06-27 21:14]
.
2014-07-23 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 18:20]
.
2014-07-23 c:\windows\Tasks\G2MUpdateTask-S-1-5-21-2114738196-1747254254-1146559385-1000.job
- c:\users\Colleen\AppData\Local\Citrix\GoToMeeting\1468\g2mupdate.exe [2014-07-21 23:36]
.
2014-07-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-23 06:08]
.
2014-07-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-23 06:08]
.
2014-07-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2114738196-1747254254-1146559385-1000Core.job
- c:\users\Colleen\AppData\Local\Google\Update\GoogleUpdate.exe [2009-01-25 03:35]
.
2014-07-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2114738196-1747254254-1146559385-1000UA.job
- c:\users\Colleen\AppData\Local\Google\Update\GoogleUpdate.exe [2009-01-25 03:35]
.
2014-06-28 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2014-06-27 21:13]
.
2014-06-28 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDScan.exe [2014-06-27 21:13]
.
2014-07-23 c:\windows\Tasks\Security Center Update - 3210807196.job
- c:\users\Colleen\AppData\Roaming\Uccini\tuizu.exe [2014-03-15 14:15]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: sirius.com\www
TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Easy Dock - (no file)
HKCU-Run-ckjpbxjx - c:\users\Colleen\AppData\Local\suftslwg.exe
HKLM-Run-Easy Dock - (no file)
HKLM-Run-EfficientPIM - (no file)
SafeBoot-38990000.sys
SafeBoot-92061489.sys
SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-AVG9_TRAY - c:\progra~1\AVG\AVG9\avgtray.exe
MSConfigStartUp-Microsoft Default Manager - c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
MSConfigStartUp-NDSTray - NDSTray.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
MSConfigStartUp-TOSCDSPD - TOSCDSPD.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-07-22 20:47
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCJCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCJtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2014-07-22 20:53:13
ComboFix-quarantined-files.txt 2014-07-23 03:52
.
Pre-Run: 16,586,452,992 bytes free
Post-Run: 24,511,291,392 bytes free
.
- - End Of File - - 2C1D6FB6AFB48750A2E3342DE26ADCC9
5B5E648D12FCADC244C1EC30318E1EB9

**OCD** · 2014-07-23, 06:44

Hi blueskygal,

ComboFix Script

Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open notepad and copy/paste the text in the code-box below into it:

Code:

Folder::
c:\users\Colleen\AppData\Roaming\Uccini
c:\users\Colleen\AppData\Roaming\Ewpuzagi
c:\users\Colleen\AppData\Roaming\Ezwuan
c:\users\Colleen\AppData\Roaming\Navovy
c:\users\Colleen\AppData\Roaming\Epokzyu
c:\users\Colleen\AppData\Roaming\Cuanhoe
c:\users\Colleen\AppData\Roaming\Ydukyk
c:\users\Colleen\AppData\Roaming\Behymu

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ykifowuhmia"=-

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, please post the C:\ComboFix.txt for further review.

=========================

In your next post please provide the following:
ComboFix.txt
How is the computer running at the moment?

**blueskygal** · 2014-07-23, 22:34

ComboFix 14-07-22.01 - Colleen 07/23/2014 13:11:24.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2037.1144 [GMT -7:00]
Running from: c:\users\Colleen\Desktop\ComboFix.exe
Command switches used :: c:\users\Colleen\Desktop\CFScript.txt
AV: Spybot - Search and Destroy *Disabled/Updated* {20A26C15-1AF0-7CA3-9380-FAB824A7EE0D}
SP: Spybot - Search and Destroy *Disabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Colleen\AppData\Roaming\Behymu
c:\users\Colleen\AppData\Roaming\Cuanhoe
c:\users\Colleen\AppData\Roaming\Epokzyu
c:\users\Colleen\AppData\Roaming\Ewpuzagi
c:\users\Colleen\AppData\Roaming\Ewpuzagi\ykicipr.exe
c:\users\Colleen\AppData\Roaming\Ezwuan
c:\users\Colleen\AppData\Roaming\Navovy
c:\users\Colleen\AppData\Roaming\Uccini
c:\users\Colleen\AppData\Roaming\Uccini\tuizu.exe
c:\users\Colleen\AppData\Roaming\Ydukyk
.
.
((((((((((((((((((((((((( Files Created from 2014-06-23 to 2014-07-23 )))))))))))))))))))))))))))))))
.
.
2014-07-23 20:24 . 2014-07-23 20:26 -------- d-----w- c:\users\Colleen\AppData\Local\temp
2014-07-23 20:24 . 2014-07-23 20:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-07-22 23:53 . 2014-07-23 02:18 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-07-22 23:53 . 2014-07-22 23:53 113880 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-07-22 23:50 . 2014-07-22 23:50 75480 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-07-11 23:02 . 2014-07-11 23:02 -------- d-----w- C:\TDSSKiller_Quarantine
2014-07-10 20:26 . 2014-07-23 02:30 -------- d-----w- C:\FRST
2014-07-01 17:04 . 2014-07-01 17:04 -------- d-----w- c:\program files\ERUNT
2014-06-29 20:07 . 2014-06-29 20:07 110296 ----a-w- c:\windows\system32\drivers\48230029.sys
2014-06-27 23:29 . 2013-09-20 17:49 18968 ----a-w- c:\windows\system32\sdnclean.exe
2014-06-27 23:29 . 2014-06-28 04:32 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2014-06-27 23:29 . 2014-06-28 00:14 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2014-06-27 19:54 . 2014-06-27 21:01 -------- d-----w- c:\program files\CCleaner
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-07-11 23:43 . 2013-06-04 18:29 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-07-11 23:43 . 2013-06-04 18:29 699056 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-04-26 16:01 . 2014-06-11 01:25 502784 ----a-w- c:\windows\system32\usp10.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\users\Colleen\AppData\Roaming\mjusbsp\cdloader2.exe" [2012-02-01 50592]
"Advanced SystemCare 6"="c:\program files\IObit\Advanced SystemCare 6\ASCTray.exe" [2013-04-19 491840]
"HP Deskjet 3510 series (NET)"="c:\program files\HP\HP Deskjet 3510 series\Bin\ScanToPCActivationApp.exe" [2012-10-17 1837672]
"Amazon Cloud Player"="c:\users\Colleen\AppData\Local\Amazon Cloud Player\Amazon Music Helper.exe" [2014-05-08 3145536]
"Spybot-S&D Cleaning"="c:\program files\Spybot - Search & Destroy 2\SDCleaner.exe" [2014-04-25 4566984]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXCJCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCJtime.dll" [2006-11-21 106496]
"CommonToolkitTray"="c:\program files\Fighters\Tray\FightersTray.exe" [2013-04-29 1497120]
"sfagent"="c:\program files\Fighters\SPAMfighter\sfagent.exe" [2013-06-14 1065504]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 3784704]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-10-28 49208]
"TkBellExe"="c:\program files\Real\realplayer\update\realsched.exe" [2014-03-12 295512]
"DivXMediaServer"="c:\program files\DivX\DivX Media Server\DivXMediaServer.exe" [2014-02-14 450560]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2014-01-10 1861968]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2014-04-25 4101584]
.
c:\users\Colleen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
EfficientPIM.lnk - c:\program files\EfficientPIM\EfficientPIM.exe /startup [2014-2-10 14546088]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE %SystemRoot%\ERDNT\AutoBackup\#Date# /noconfirmdelete /noprogresswindow [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^BDARemote.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\BDARemote.lnk
backup=c:\windows\pss\BDARemote.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Colleen^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Colleen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^Colleen^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^RCA Detective.lnk]
path=c:\users\Colleen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RCA Detective.lnk
backup=c:\windows\pss\RCA Detective.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00TCrdMain]
2006-11-29 04:05 523952 ----a-w- c:\program files\Toshiba\FlashCards\TCrdMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
2012-02-01 17:36 50592 ----a-w- c:\users\Colleen\AppData\Roaming\mjusbsp\cdloader2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
2007-05-08 23:13 103344 ----a-w- c:\program files\Lexmark 8300 Series\ezprint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-01-25 03:35 133104 ----atw- c:\users\Colleen\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-02-12 03:13 166424 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HSON]
2006-11-28 20:19 52912 ----a-w- c:\program files\Toshiba\TBS\HSON.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HWSetup]
2006-11-01 16:06 413696 ----a-w- c:\program files\Toshiba\Utilities\HWSetup.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-02-12 03:13 141848 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-01-06 20:06 290088 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
2006-12-08 22:16 65536 ----a-w- c:\hp\KBD\KbdStub.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
2005-12-16 10:41 188416 ----a-w- c:\program files\ltmoh\ltmoh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXCJCATS]
2006-11-21 20:27 106496 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\lxcjtime.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcjmon.exe]
2007-05-08 23:09 205744 ----a-w- c:\program files\Lexmark 8300 Series\lxcjmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp10.0]
2001-07-25 17:00 241714 ----a-w- c:\program files\Microsoft Money\System\Activation.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-02-12 03:13 133656 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PINGER]
2006-07-20 20:45 151552 ----a-w- c:\toshiba\IVP\ISM\pinger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 23:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2006-11-09 17:57 3784704 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
2006-11-20 20:15 446128 ----a-w- c:\program files\Toshiba\SmoothView\SmoothView.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-05-07 00:04 2017280 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SVPWUTIL]
2006-01-19 00:06 421888 ----a-w- c:\program files\Toshiba\Utilities\SVPWUTIL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2009-03-20 14:36 1451304 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPwrMain]
2006-11-23 01:08 409264 ----a-w- c:\program files\Toshiba\Power Saver\TPwrMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WrtMon.exe]
2006-09-20 15:35 20480 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\WrtMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
.
S2 AdvancedSystemCareService6;Advanced SystemCare Service 6;c:\program files\IObit\Advanced SystemCare 6\ASCService.exe [2013-04-18 574272]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2014-07-23 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-06-04 23:43]
.
2014-07-23 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2014-06-27 21:14]
.
2014-07-23 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 18:20]
.
2014-07-23 c:\windows\Tasks\G2MUpdateTask-S-1-5-21-2114738196-1747254254-1146559385-1000.job
- c:\users\Colleen\AppData\Local\Citrix\GoToMeeting\1468\g2mupdate.exe [2014-07-21 23:36]
.
2014-07-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-23 06:08]
.
2014-07-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-23 06:08]
.
2014-07-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2114738196-1747254254-1146559385-1000Core.job
- c:\users\Colleen\AppData\Local\Google\Update\GoogleUpdate.exe [2009-01-25 03:35]
.
2014-07-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2114738196-1747254254-1146559385-1000UA.job
- c:\users\Colleen\AppData\Local\Google\Update\GoogleUpdate.exe [2009-01-25 03:35]
.
2014-07-23 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2014-06-27 21:13]
.
2014-06-28 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDScan.exe [2014-06-27 21:13]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: sirius.com\www
TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-07-23 13:26
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCJCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCJtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2014-07-23 13:30:44
ComboFix-quarantined-files.txt 2014-07-23 20:30
ComboFix2.txt 2014-07-23 03:53
.
Pre-Run: 23,699,828,736 bytes free
Post-Run: 24,149,168,128 bytes free
.
- - End Of File - - D7CE8A1CF67E22F27C01D9E97BDDADE4
5B5E648D12FCADC244C1EC30318E1EB9

**blueskygal** · 2014-07-23, 22:47

I rebooted after the last fix and everything seems fine. Calling up the task list i do not see anymore replicating processes!

**OCD** · 2014-07-24, 04:43

Hi blueskygal,

I rebooted after the last fix and everything seems fine. Calling up the task list i do not see anymore replicating processes!

Good, we are making some progress. Let's continue ...

Malwarebytes' Anti-Malware

Download Malwarebytes' Anti-Malware (save it to your desktop).

- Windows XP : Double click on the icon to run it.
- Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
Select Scan tab.
Select type of scan to perform:
- Threat Scan < --- Select this type of scan
- Custom Scan
- Hyper Scan
Next click the Scan button.
When the scan is complete, if no malicious items are found you can close the program.
If malicious items are found be sure that everything is checked, and click Quarantine .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.

=========================

ESET Online Scanner

*Note:

It is recommended to disable on-board antivirus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your anti-spyware programs.

** You need to run your browser with Administrator Rights, to do so right click your browsers short cut and select "Run as Administrator".

= = = = = = = = = = = = = = = = = = = =

Go here to run ESET Online Scanner

(Note: You can use Internet Explorer or FireFox for this scan. If you use FireFox you will be asked to install an additional component. Please allow this.)

Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Disable your Antivirus software. You can usually do this with its Notification Tray icon near the clock
Click Start
Make sure that the option "Remove found threats" is Checked, and the option "Scan unwanted applications" is Checked.
Click Scan.
Wait for the scan to finish.
When the scan completes, click List of found threats
click Export to Text file and save the file to your desktop using a unique name, such as ESETScan.
Include the contents of this report in your next reply

Note - when ESET doesn't find any threats, no report will be created.
Push the back button.
Push Finish
Re-enable your Antivirus software.

=========================

In your next post please provide the following:

MBAM log
ESET's log.txt
How's the computer running, any symptoms?

**blueskygal** · 2014-07-24, 23:32

It did detect one pur which was quarantined but i don't think that showed in the report.

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 7/24/2014
Scan Time: 2:04:49 PM
Logfile: mbam txt.txt
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.07.24.09
Rootkit Database: v2014.07.17.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows Vista Service Pack 2
CPU: x86
File System: NTFS
User: Colleen

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 280755
Time Elapsed: 22 min, 13 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

**blueskygal** · 2014-07-25, 01:37

C:\Users\All Users\IObit\ASCDownloader\ASCSetup.exe a variant of Win32/Toolbar.Widgi.B potentially unwanted application
C:\FRST\Quarantine\C\Users\Colleen\AppData\Local\soisaqtj.exe.xBAD a variant of Win32/Kryptik.CGXY trojan cleaned by deleting - quarantined
C:\Program Files\Wisdom-soft AutoScreenRecorder Free\Toolbar.exe a variant of Win32/Toolbar.Conduit.B potentially unwanted application deleted - quarantined
C:\ProgramData\IObit\ASCDownloader\ASCSetup.exe a variant of Win32/Toolbar.Widgi.B potentially unwanted application deleted - quarantined
C:\Qoobox\Quarantine\C\Users\Colleen\AppData\Local\suftslwg.exe.vir Win32/TrojanDownloader.Zortob.F trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Users\Colleen\AppData\Roaming\Ewpuzagi\ykicipr.exe.vir Win32/Spy.Zbot.ABA trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Users\Colleen\AppData\Roaming\Uccini\tuizu.exe.vir Win32/Spy.Zbot.ABA trojan cleaned by deleting - quarantined
C:\Users\Colleen\Downloads\CodecPackage.exe a variant of Win32/InstallCore.IK potentially unwanted application deleted - quarantined

**blueskygal** · 2014-07-25, 01:43

No replicating processes.. seems to be running slow.

Thread: iexplorer keeps replicating creating large files

Thread Tools

Display

mbar log

fixlog

combofix

Combofix

Status Report

malware bytes scan

ESET Scan - their still with us

Status Check -- Computer

Posting Permissions