infected with adnxs?

**Juliet** · 2014-09-27, 23:57

JRT was actually clean.

What we can do now is run an online scan with Eset, for the time being it is our most trusted scanner.
Most reliable and thorough.
The settings I suggest will show us items located in quarantine folders so don't be alarmed with this, also, in case of a false positive I ask that you not allow it to delete what it does find.
This scanner can take quite a bit of time to run, depending of course how full your computer is.

Go here to run an online scannner from ESET. Windows Vista/Windows 7/Windows 8 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator
[*]Note:
For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.

Turn off the real time scanner of any existing antivirus program while performing the online scan. Here's how.
Click the blue Run ESET Online Scanner button
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the program to install the "OnlineScanner.cab" activex control by clicking the Install button
Once the activex control is installed, on the next screen click on Enable detection of potentially unwanted applications
Click on Advanced Settings
Make sure that the option Remove found threats is unticked.
Ensure these options are ticked
Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology
Click Start
Wait for the scan to finish
When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file...
Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
Close the ESET online scan.

*************************************

**NutherStamper** · 2014-09-28, 00:00

Ok ran AdwCleaner again (just a scan and all the same files are there that were there the first time I ran the scan). So what's next?

**Juliet** · 2014-09-28, 00:08

Those files are related to Viewpoint and Viewpoint player.

You can uninstall/delete Viewpoint till finished?

Then run the Eset scanner which was in my last reply.

**NutherStamper** · 2014-09-28, 01:33

Originally Posted by Juliet

Those files are related to Viewpoint and Viewpoint player.

You can uninstall/delete Viewpoint till finished?

Then run the Eset scanner which was in my last reply.

If I uninstall Viewpoint it will just ask to reinstall again everytime I access AOL and I'm not sure my software would run properly without it.

Here's the ESET log:

C:\Program Files (x86)\Check Point Software Technologies LTD\zonealarm\1.8.21.15\uninstall.exe Win32/Toolbar.Montiera.B potentially unwanted application
C:\Program Files (x86)\CheckPoint\Install\CUninstaller.exe Win32/Toolbar.Conduit potentially unwanted application
C:\Program Files (x86)\CheckPoint\Install\CUninstallerZA.exe Win32/Toolbar.Conduit potentially unwanted application
C:\Users\Gateway\Documents\zafwSetupWeb_110_000_038.exe Win32/Toolbar.Conduit potentially unwanted application
C:\Users\Gateway\Documents\zafwSetupWeb_120_104_000.exe Win32/Toolbar.Conduit potentially unwanted application
C:\Users\Gateway\Documents\zaSetupWeb_101_065_000.exe Win32/Toolbar.Conduit potentially unwanted application
C:\Users\Gateway\Documents\zaSetup_92_102_000_en.exe a variant of Win32/Toolbar.Conduit.AI potentially unwanted application
C:\Users\Gateway\Downloads\zafwSetupWeb_110_000_504.exe Win32/Toolbar.Conduit potentially unwanted application
C:\Users\Gateway\Downloads\zafwSetupWeb_110_768_000.exe Win32/Toolbar.Conduit potentially unwanted application
C:\Users\Gateway\Downloads\zaSetupWeb_101_065_000.exe Win32/Toolbar.Conduit potentially unwanted application

It took a while to run.

**Juliet** · 2014-09-28, 04:16

OK
What the scan has shown us is the uninstaller and setup files for Zone Alarm came in bundled with malware.
From what I can find it's probably from the ZA security tool bar.
ZoneAlarm Security Toolbar has been found to be bundled with 3rd party software. If you have not purposefully installed this, you should be safe uninstalling it.

Open notepad. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy.
Paste this into the open notepad. save it to the Desktop as fixlist.txt
NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
It It needs to be saved Next to the "Farbar Recovery Scan Tool" (If asked to overwrite existing one please allow)

start
CloseProcesses:
C:\Program Files (x86)\CheckPoint\Install\CUninstaller.exe
C:\Program Files (x86)\CheckPoint\Install\CUninstallerZA.exe
C:\Users\Gateway\Documents\zafwSetupWeb_110_000_038.exe
C:\Users\Gateway\Documents\zafwSetupWeb_120_104_000.exe
C:\Users\Gateway\Documents\zaSetupWeb_101_065_000.exe
C:\Users\Gateway\Documents\zaSetup_92_102_000_en.exe a
C:\Users\Gateway\Downloads\zafwSetupWeb_110_000_504.exe
C:\Users\Gateway\Downloads\zafwSetupWeb_110_768_000.exe
C:\Users\Gateway\Downloads\zaSetupWeb_101_065_000.exe
EmptyTemp:
End

Open FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

When you post this log please tell me how the computer is now.

**NutherStamper** · 2014-09-28, 14:05

[QUOTE=Juliet;457516]OK
What the scan has shown us is the uninstaller and setup files for Zone Alarm came in bundled with malware.
From what I can find it's probably from the ZA security tool bar.
ZoneAlarm Security Toolbar has been found to be bundled with 3rd party software. If you have not purposefully installed this, you should be safe uninstalling it.

I definitely didn't install it. I usually do not install toolbars of any kind unless it's absolutely necessary to run the software. I find them to be more hassle than they are worth. Ran the fix and the log is below. I only had the adnxs window pop up once on the laptop and it hasn't since. System seems to be ok so let me know where we go from here.

Fix log:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 27-09-2014
Ran by Gateway at 2014-09-28 06:51:57 Run:2
Running from C:\Users\Gateway\Desktop
Loaded Profile: Gateway (Available profiles: Gateway)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
CloseProcesses:
C:\Program Files (x86)\CheckPoint\Install\CUninstaller.exe
C:\Program Files (x86)\CheckPoint\Install\CUninstallerZA.exe
C:\Users\Gateway\Documents\zafwSetupWeb_110_000_038.exe
C:\Users\Gateway\Documents\zafwSetupWeb_120_104_000.exe
C:\Users\Gateway\Documents\zaSetupWeb_101_065_000.exe
C:\Users\Gateway\Documents\zaSetup_92_102_000_en.exe a
C:\Users\Gateway\Downloads\zafwSetupWeb_110_000_504.exe
C:\Users\Gateway\Downloads\zafwSetupWeb_110_768_000.exe
C:\Users\Gateway\Downloads\zaSetupWeb_101_065_000.exe
EmptyTemp:
End
*****************

Processes closed successfully.
C:\Program Files (x86)\CheckPoint\Install\CUninstaller.exe => Moved successfully.
C:\Program Files (x86)\CheckPoint\Install\CUninstallerZA.exe => Moved successfully.
C:\Users\Gateway\Documents\zafwSetupWeb_110_000_038.exe => Moved successfully.
C:\Users\Gateway\Documents\zafwSetupWeb_120_104_000.exe => Moved successfully.
C:\Users\Gateway\Documents\zaSetupWeb_101_065_000.exe => Moved successfully.
"C:\Users\Gateway\Documents\zaSetup_92_102_000_en.exe a" => File/Directory not found.
C:\Users\Gateway\Downloads\zafwSetupWeb_110_000_504.exe => Moved successfully.
C:\Users\Gateway\Downloads\zafwSetupWeb_110_768_000.exe => Moved successfully.
C:\Users\Gateway\Downloads\zaSetupWeb_101_065_000.exe => Moved successfully.
EmptyTemp: => Removed 197.6 MB temporary data.

The system needed a reboot.

==== End of Fixlog ====

**NutherStamper** · 2014-09-28, 14:10

Spoke too soon. I was just checking my e-mail and an adnxs window popped up and I was able to shut it down right away. So obviously something is still there.
Didn't happen most of yesterday so I have no idea what is doing this.

**Juliet** · 2014-09-28, 15:27

I usually do not install toolbars of any kind unless it's absolutely necessary to run the software.

People don't do this on purpose, it comes in as a standard install. Mostly when doing a custom install many items you can opt out of.

Were you using AOL software?, reason I ask, may need to uninstall then reinstall.

If you would please, let's try a different scan.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

How to use ComboFix

Download ComboFix from here:
Link 1
Link 2
Link 3

Place ComboFix.exe on your Desktop <--Important

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

You can get help on disabling your protection programs here
Double click on ComboFix.exe & follow the prompts.
You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)
Your desktop may go blank. This is normal. It will return when ComboFix is done. Combofix may need to reboot your computer more than once to do its job this is normal.
When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

---------------------------------------------------------------------------------------------
Ensure your AntiVirus and AntiSpyware applications are re-enabled.

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.
---------------------------------------------------------------------------------------------
If there are Internet issues after running ComboFix:
Internet Explorer:
Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" and check to "Automatically detect settings". Also clear any proxy address and port. ok, apply (only if applicable), ok.
Firefox:
Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection. "No Proxy" should be selected, unless you have one set up yourself.
Chrome:
Select -> Tools menu -> then "Options", then go to "Change Proxy Settings", then "LAN Settings" , then take out the check mark for "Use a proxy server for your LAN" if set, unless you set this up yourself.
Safari
Launch Safari
Go to general settings menu
Then in Preferences/ Advanced
Then on line click Proxies change settings ...
Click Internet Options, then click the Connections tab, click Network Settings.
Disable option (uncheck) for the use of proxy server ...

**NutherStamper** · 2014-09-28, 16:32

[QUOTE=Juliet;457522]People don't do this on purpose, it comes in as a standard install. Mostly when doing a custom install many items you can opt out of.

Were you using AOL software?, reason I ask, may need to uninstall then reinstall.

--Yes I use AOL software to get online. I close it out when I run any scans. If we have to reinstall AOL I would have to download it.

I ran combofix and even though I had Webroot Secure Anywhere disabled Combofix said it was still running (weird). So I went ahead and ran Combofix anyway and then I had to reboot cause I couldn't get zone alarm to come up.
Here's combofix log:

ComboFix 14-09-24.01 - Gateway 09/28/2014 9:04.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3764.2591 [GMT -5:00]
Running from: c:\users\Gateway\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
AV: Webroot SecureAnywhere *Enabled/Updated* {9C0666FC-6C7D-3E97-3C40-0C6B33FC7401}
FW: ZoneAlarm Free Firewall Firewall *Disabled* {E6380B7E-D4B2-19F1-083E-56486607704B}
SP: Microsoft Security Essentials *Disabled/Updated* {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
SP: Webroot SecureAnywhere *Enabled/Updated* {27678718-4A47-3119-06F0-3719487B3EBC}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\security\Database\tmp.edb
.
.
((((((((((((((((((((((((( Files Created from 2014-08-28 to 2014-09-28 )))))))))))))))))))))))))))))))
.
.
2014-09-28 14:10 . 2014-09-28 14:10 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-09-28 13:59 . 2014-09-28 13:59 111080 ----a-w- c:\windows\system32\drivers\bUvERcaW.sys
2014-09-28 11:53 . 2014-09-28 11:53 111080 ----a-w- c:\windows\system32\drivers\ICPieGzC.sys
2014-09-28 11:44 . 2014-09-09 02:05 11578928 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A54F7E08-9978-49CB-8495-020AA9FF8247}\mpengine.dll
2014-09-27 23:29 . 2014-09-09 02:05 11578928 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-09-27 21:41 . 2014-09-27 21:41 111080 ----a-w- c:\windows\system32\drivers\UgqyfSyY.sys
2014-09-27 21:40 . 2014-09-27 21:40 -------- d-----w- c:\programdata\Viewpoint
2014-09-27 21:23 . 2014-09-27 21:23 -------- d-----w- c:\program files (x86)\Viewpoint
2014-09-27 21:22 . 2014-09-27 21:22 111080 ----a-w- c:\windows\system32\drivers\dFcHOCdB.sys
2014-09-27 21:13 . 2014-09-27 21:13 111080 ----a-w- c:\windows\system32\drivers\KxCEIaxm.sys
2014-09-27 21:07 . 2014-09-27 21:07 111080 ----a-w- c:\windows\system32\drivers\yspnfyZk.sys
2014-09-27 11:42 . 2014-09-28 11:52 -------- d-----w- C:\FRST
2014-09-27 10:55 . 2014-09-27 10:55 122584 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-09-27 10:55 . 2014-05-12 12:26 63704 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-09-27 10:55 . 2014-05-12 12:26 91352 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-09-27 10:54 . 2014-09-27 10:55 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
2014-09-26 11:12 . 2014-09-17 11:05 1188440 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6410BB57-6A43-4486-A4AA-0B94CA991346}\gapaengine.dll
2014-09-25 13:11 . 2014-09-25 13:11 111080 ----a-w- c:\windows\system32\drivers\OVeQxxot.sys
2014-09-25 13:01 . 2014-09-25 13:01 111080 ----a-w- c:\windows\system32\drivers\NsnVqhYY.sys
2014-09-24 16:07 . 2014-09-24 16:07 111080 ----a-w- c:\windows\system32\drivers\gRQyHaVv.sys
2014-09-24 12:14 . 2014-09-24 12:14 111080 ----a-w- c:\windows\system32\drivers\cqVRFPRT.sys
2014-09-20 22:52 . 2014-09-20 22:52 111080 ----a-w- c:\windows\system32\drivers\orzShdkG.sys
2014-09-20 22:40 . 2014-09-20 22:40 111080 ----a-w- c:\windows\system32\drivers\lNmKKXXK.sys
2014-09-20 22:24 . 2014-03-09 21:47 99480 ----a-w- c:\windows\SysWow64\infocardapi.dll
2014-09-20 22:24 . 2014-03-09 21:48 171160 ----a-w- c:\windows\system32\infocardapi.dll
2014-09-20 22:24 . 2014-03-09 21:48 1389208 ----a-w- c:\windows\system32\icardagt.exe
2014-09-20 22:24 . 2014-03-09 21:47 619672 ----a-w- c:\windows\SysWow64\icardagt.exe
2014-09-20 22:24 . 2014-06-30 22:24 8856 ----a-w- c:\windows\system32\icardres.dll
2014-09-20 22:24 . 2014-06-30 22:14 8856 ----a-w- c:\windows\SysWow64\icardres.dll
2014-09-20 22:24 . 2014-06-06 06:16 35480 ----a-w- c:\windows\SysWow64\TsWpfWrp.exe
2014-09-20 22:24 . 2014-06-06 06:12 35480 ----a-w- c:\windows\system32\TsWpfWrp.exe
2014-09-20 22:13 . 2014-09-20 22:13 111080 ----a-w- c:\windows\system32\drivers\ILtPGRZV.sys
2014-09-20 22:11 . 2014-09-20 22:11 111080 ----a-w- c:\windows\system32\drivers\NBCkzyDb.sys
2014-09-20 22:03 . 2014-06-27 02:08 2777088 ----a-w- c:\windows\system32\msmpeg2vdec.dll
2014-09-20 22:03 . 2014-06-27 01:45 2285056 ----a-w- c:\windows\SysWow64\msmpeg2vdec.dll
2014-09-20 22:00 . 2014-06-25 02:05 14175744 ----a-w- c:\windows\system32\shell32.dll
2014-09-20 21:59 . 2014-06-06 10:10 624128 ----a-w- c:\windows\system32\qedit.dll
2014-09-20 21:59 . 2014-06-06 09:44 509440 ----a-w- c:\windows\SysWow64\qedit.dll
2014-09-20 21:59 . 2014-05-30 06:45 497152 ----a-w- c:\windows\system32\drivers\afd.sys
2014-09-20 21:59 . 2014-08-23 02:07 404480 ----a-w- c:\windows\system32\gdi32.dll
2014-09-20 21:59 . 2014-08-23 01:45 311808 ----a-w- c:\windows\SysWow64\gdi32.dll
2014-09-20 21:59 . 2014-08-23 00:59 3163648 ----a-w- c:\windows\system32\win32k.sys
2014-09-20 21:59 . 2014-07-14 02:02 1216000 ----a-w- c:\windows\system32\rpcrt4.dll
2014-09-20 21:59 . 2014-07-14 01:40 664064 ----a-w- c:\windows\SysWow64\rpcrt4.dll
2014-09-20 21:46 . 2014-09-20 21:46 111080 ----a-w- c:\windows\system32\drivers\SsgbkfyY.sys
2014-09-20 21:43 . 2014-08-17 03:58 526336 ----a-w- c:\windows\system32\ieui.dll
2014-09-16 10:51 . 2014-09-16 10:51 111080 ----a-w- c:\windows\system32\drivers\aWWCvThI.sys
2014-09-03 19:46 . 2014-09-03 19:46 111080 ----a-w- c:\windows\system32\drivers\iVIgRJke.sys
2014-09-03 19:44 . 2014-09-03 19:44 111080 ----a-w- c:\windows\system32\drivers\LixWLhJB.sys
2014-08-31 17:20 . 2014-08-31 17:20 111080 ----a-w- c:\windows\system32\drivers\HwhACASq.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-09-22 06:42 . 2011-10-27 20:21 278152 ------w- c:\windows\system32\MpSigStub.exe
2014-09-20 13:10 . 2013-06-26 14:27 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-09-20 13:10 . 2013-06-26 14:27 701104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-09-17 11:05 . 2012-02-10 12:24 1188440 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2014-09-03 19:47 . 2010-06-24 18:33 23256 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2014-08-28 21:09 . 2014-08-28 21:09 111080 ----a-w- c:\windows\system32\drivers\ajOQjQhU.sys
2014-08-27 14:47 . 2014-08-27 14:47 111080 ----a-w- c:\windows\system32\drivers\txAthFaK.sys
2014-08-27 14:46 . 2014-08-27 14:46 111080 ----a-w- c:\windows\system32\drivers\JKzFHMwg.sys
2014-08-23 00:34 . 2014-08-23 00:34 111080 ----a-w- c:\windows\system32\drivers\vCKYeTXc.sys
2014-08-21 13:56 . 2014-08-21 13:56 111080 ----a-w- c:\windows\system32\drivers\SXkkfHGk.sys
2014-08-19 15:44 . 2014-08-19 15:44 111080 ----a-w- c:\windows\system32\drivers\lFDmxCus.sys
2014-08-10 22:23 . 2014-08-10 22:22 111080 ----a-w- c:\windows\system32\drivers\ObnXGiKQ.sys
2014-08-02 18:38 . 2014-08-02 18:38 111080 ----a-w- c:\windows\system32\drivers\OBYIpiCc.sys
2014-07-28 23:55 . 2014-07-28 23:55 111080 ----a-w- c:\windows\system32\drivers\qSWnNbKK.sys
2014-07-25 07:35 . 2014-07-25 07:35 875688 ----a-w- c:\windows\SysWow64\msvcr120_clr0400.dll
2014-07-25 04:47 . 2014-07-25 04:47 869544 ----a-w- c:\windows\system32\msvcr120_clr0400.dll
2014-07-20 13:12 . 2014-07-20 13:12 111080 ----a-w- c:\windows\system32\drivers\yOgBZdIV.sys
2014-07-17 23:05 . 2014-07-17 23:05 269008 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2014-07-17 23:05 . 2011-04-27 20:25 125584 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2014-07-15 09:46 . 2014-07-15 09:46 111080 ----a-w- c:\windows\system32\drivers\WibIrYzv.sys
2014-07-09 01:59 . 2014-07-09 01:59 111080 ----a-w- c:\windows\system32\drivers\wVsNmtRs.sys
2014-07-07 23:18 . 2014-07-07 23:18 111080 ----a-w- c:\windows\system32\drivers\ZIgpNqlB.sys
2014-07-07 23:03 . 2014-07-07 23:03 111080 ----a-w- c:\windows\system32\drivers\qGQAjKTR.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOL Fast Start"="c:\program files (x86)\AOL Desktop 9.6\AOL.EXE" [2011-04-25 42320]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"LManager"="c:\program files (x86)\Launch Manager\LManager.exe" [2010-08-11 975952]
"ZoneAlarm"="c:\program files (x86)\CheckPoint\ZoneAlarm\zatray.exe" [2013-06-20 73832]
"WRSVC"="c:\program files\Webroot\WRSA.exe" [2012-01-16 647120]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 NOBU;Norton Online Backup;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]
R2 Updater Service;Updater Service;c:\program files\Gateway\Gateway Updater\UpdaterService.exe;c:\program files\Gateway\Gateway Updater\UpdaterService.exe [x]
R2 WRSVC;WRSVC;c:\program files\Webroot\WRSA.exe;c:\program files\Webroot\WRSA.exe [x]
R3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.SYS;c:\windows\SYSNATIVE\drivers\AmUStor.SYS [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 PCDSRVC{FCB8192B-6C0E95E9-06020101}_0;PCDSRVC{FCB8192B-6C0E95E9-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\users\gateway\appdata\local\temp\i1amxcawrfo3\pcdrdiag\bin\pcdsrvc_x64.pkms;c:\users\gateway\appdata\local\temp\i1amxcawrfo3\pcdrdiag\bin\pcdsrvc_x64.pkms [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TurboBoost;TurboBoost;c:\program files\Intel\TurboBoost\TurboBoost.exe;c:\program files\Intel\TurboBoost\TurboBoost.exe [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 WRkrn;WRkrn;c:\windows\System32\drivers\WRkrn.sys;c:\windows\SYSNATIVE\drivers\WRkrn.sys [x]
S2 DsiWMIService;Dritek WMI Service;c:\program files (x86)\Launch Manager\dsiwmis.exe;c:\program files (x86)\Launch Manager\dsiwmis.exe [x]
S2 ePowerSvc;Acer ePower Service;c:\program files\Gateway\Gateway Power Management\ePowerSvc.exe;c:\program files\Gateway\Gateway Power Management\ePowerSvc.exe [x]
S2 GREGService;GREGService;c:\program files (x86)\Gateway\Registration\GREGsvc.exe;c:\program files (x86)\Gateway\Registration\GREGsvc.exe [x]
S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe;c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [x]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [x]
S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys;c:\windows\SYSNATIVE\DRIVERS\TurboB.sys [x]
S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [x]
S2 ZAPrivacyService;ZoneAlarm Privacy Service;c:\program files (x86)\CheckPoint\ZoneAlarm\ZAPrivacyService.exe;c:\program files (x86)\CheckPoint\ZoneAlarm\ZAPrivacyService.exe [x]
S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys;c:\windows\SYSNATIVE\DRIVERS\HECIx64.sys [x]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys;c:\windows\SYSNATIVE\DRIVERS\Impcd.sys [x]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys;c:\windows\SYSNATIVE\DRIVERS\k57nd60a.sys [x]
.
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-05-07 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-05-07 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-05-07 413208]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-07-29 11101800]
"AmIcoSinglun64"="c:\program files (x86)\AmIcoSingLun\AmIcoSinglun64.exe" [2010-06-10 324608]
"Acer ePower Management"="c:\program files\Gateway\Gateway Power Management\ePowerTray.exe" [2010-06-11 861216]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-08-22 1331288]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-Locked - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-ViewpointMediaPlayer - c:\program files (x86)\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{FCB8192B-6C0E95E9-06020101}_0]
"ImagePath"="\??\c:\users\gateway\appdata\local\temp\i1amxcawrfo3\pcdrdiag\bin\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_152_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_152_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_152_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_152_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_152.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.15"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_152.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_152.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_152.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
@DACL=(02 0000)
@="Bing"
"URL"="http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC"
"DisplayName"="@ieframe.dll,-12512"
"FaviconURL"="http://www.bing.com/favicon.ico"
"SuggestionsURL"="http://api.bing.com/qsml.aspx?query={searchTerms}&src={referrer:source?}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={Language}"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-09-28 09:12:52
ComboFix-quarantined-files.txt 2014-09-28 14:12
.
Pre-Run: 567,993,102,336 bytes free
Post-Run: 567,585,259,520 bytes free
.
- - End Of File - - 0B679BF24F538B1418CD4F7CF901B6D8

**Juliet** · 2014-09-28, 17:24

If Webroot SecureAnywhere security offers a firewall with the application you don't need Zone Alarm too.

Next: Disconnect from the internet. If you are on Cable or DSL unplug your computer from the modem.
Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

Click on this link Here to see a list of programs that should be disabled.
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Please open Notepad *Do Not Use Wordpad!* or use any other text editor than Notepad or the script will fail. (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If there are internet issues afterward:

*In IE: Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.

In Firefox in Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection and uncheck the proxyserver, set it to No Proxy.

Chrome:
Select -> Tools menu -> then "Options", then go to "Change Proxy Settings", then "LAN Settings" , then take out the check mark for "Use a proxy server for your LAN" if set, unless you set this up yourself.

~~~~~~~~~~~~~~~~~

I see files I cannot get any information on so we will need to have a few scanned.

Please go to one of the below sites to scan the following files:
Virus Total (Recommended)
jotti.org
VirScan
click on Browse, and upload the following file for analysis:

c:\windows\system32\drivers\UgqyfSyY.sys

Then click Submit. Allow the file to be scanned, and then please copy and paste the results link (for Virus Total) here for me to see.
If it says already scanned -- click "reanalyze now"
Please post the results in your next reply.

Also, have the below scanned too.
c:\windows\system32\drivers\bUvERcaW.sys
c:\windows\system32\drivers\yspnfyZk.sys
c:\windows\system32\drivers\NsnVqhYY.sys

Thread: infected with adnxs?

Thread Tools

Display

Posting Permissions