Page 3 of 8 FirstFirst 1234567 ... LastLast
Results 21 to 30 of 71

Thread: infected with adnxs?

  1. 2014-09-28, 22:28 #21
    NutherStamper
    NutherStamper is offline
    Senior Member
    Join Date
    Apr 2006
    Posts
    153

    Default

    Quote Originally Posted by Juliet View Post
    If Webroot SecureAnywhere security offers a firewall with the application you don't need Zone Alarm too.


    -----Webroot does not contain a firewall. It is just antivirus and malware. I don't leave it on because it really slows down the system. Which is why I went with MS Essentials for anti virus. I use it temporarily every once in a while to clean any temp files that don't get cleared out on browser shut down.------



    I see files I cannot get any information on so we will need to have a few scanned.


    Please go to one of the below sites to scan the following files:
    Virus Total (Recommended)
    jotti.org
    VirScan
    click on Browse, and upload the following file for analysis:

    c:\windows\system32\drivers\UgqyfSyY.sys


    Then click Submit. Allow the file to be scanned, and then please copy and paste the results link (for Virus Total) here for me to see.
    If it says already scanned -- click "reanalyze now"
    Please post the results in your next reply.

    Also, have the below scanned too.
    c:\windows\system32\drivers\bUvERcaW.sys
    c:\windows\system32\drivers\yspnfyZk.sys
    c:\windows\system32\drivers\NsnVqhYY.sys
    ------- Tried to find these files with Virus Total but could not find them. If I search for them through my start program they are there. They are Webroot Secure Anywhere files. There are tons of them in the drivers file. Not sure what they do, but when I try to search for them through Virus Total they don't show up.

    Here's the latest log: And by the way Webroot is still showing as active everytime I try to run combofix, even though I disabled it.

    ComboFix 14-09-24.01 - Gateway 09/28/2014 14:47:38.2.4 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3764.2587 [GMT -5:00]
    Running from: c:\users\Gateway\Desktop\ComboFix.exe
    Command switches used :: c:\users\Gateway\Desktop\CFScript.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
    AV: Webroot SecureAnywhere *Enabled/Updated* {9C0666FC-6C7D-3E97-3C40-0C6B33FC7401}
    FW: ZoneAlarm Free Firewall Firewall *Disabled* {E6380B7E-D4B2-19F1-083E-56486607704B}
    SP: Microsoft Security Essentials *Disabled/Updated* {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
    SP: Webroot SecureAnywhere *Enabled/Updated* {27678718-4A47-3119-06F0-3719487B3EBC}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2014-08-28 to 2014-09-28 )))))))))))))))))))))))))))))))
    .
    .
    2014-09-28 19:53 . 2014-09-28 19:53 -------- d-----w- c:\users\Default\AppData\Local\temp
    2014-09-28 19:36 . 2014-09-28 19:36 111080 ----a-w- c:\windows\system32\drivers\UzVfwxBv.sys
    2014-09-28 14:18 . 2014-09-09 02:05 11578928 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7EF7437A-188B-42B5-A957-E8A31C945974}\mpengine.dll
    2014-09-28 14:17 . 2014-09-28 14:17 111080 ----a-w- c:\windows\system32\drivers\VbdJPgnZ.sys
    2014-09-28 13:59 . 2014-09-28 13:59 111080 ----a-w- c:\windows\system32\drivers\bUvERcaW.sys
    2014-09-28 11:53 . 2014-09-28 11:53 111080 ----a-w- c:\windows\system32\drivers\ICPieGzC.sys
    2014-09-27 23:29 . 2014-09-09 02:05 11578928 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2014-09-27 21:41 . 2014-09-27 21:41 111080 ----a-w- c:\windows\system32\drivers\UgqyfSyY.sys
    2014-09-27 21:40 . 2014-09-27 21:40 -------- d-----w- c:\programdata\Viewpoint
    2014-09-27 21:23 . 2014-09-27 21:23 -------- d-----w- c:\program files (x86)\Viewpoint
    2014-09-27 21:22 . 2014-09-27 21:22 111080 ----a-w- c:\windows\system32\drivers\dFcHOCdB.sys
    2014-09-27 21:13 . 2014-09-27 21:13 111080 ----a-w- c:\windows\system32\drivers\KxCEIaxm.sys
    2014-09-27 21:07 . 2014-09-27 21:07 111080 ----a-w- c:\windows\system32\drivers\yspnfyZk.sys
    2014-09-27 11:42 . 2014-09-28 11:52 -------- d-----w- C:\FRST
    2014-09-27 10:55 . 2014-09-27 10:55 122584 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
    2014-09-27 10:55 . 2014-05-12 12:26 63704 ----a-w- c:\windows\system32\drivers\mwac.sys
    2014-09-27 10:55 . 2014-05-12 12:26 91352 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
    2014-09-27 10:54 . 2014-09-27 10:55 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
    2014-09-26 11:12 . 2014-09-17 11:05 1188440 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6410BB57-6A43-4486-A4AA-0B94CA991346}\gapaengine.dll
    2014-09-25 13:11 . 2014-09-25 13:11 111080 ----a-w- c:\windows\system32\drivers\OVeQxxot.sys
    2014-09-25 13:01 . 2014-09-25 13:01 111080 ----a-w- c:\windows\system32\drivers\NsnVqhYY.sys
    2014-09-24 16:07 . 2014-09-24 16:07 111080 ----a-w- c:\windows\system32\drivers\gRQyHaVv.sys
    2014-09-24 12:14 . 2014-09-24 12:14 111080 ----a-w- c:\windows\system32\drivers\cqVRFPRT.sys
    2014-09-20 22:52 . 2014-09-20 22:52 111080 ----a-w- c:\windows\system32\drivers\orzShdkG.sys
    2014-09-20 22:40 . 2014-09-20 22:40 111080 ----a-w- c:\windows\system32\drivers\lNmKKXXK.sys
    2014-09-20 22:24 . 2014-03-09 21:47 99480 ----a-w- c:\windows\SysWow64\infocardapi.dll
    2014-09-20 22:24 . 2014-03-09 21:48 171160 ----a-w- c:\windows\system32\infocardapi.dll
    2014-09-20 22:24 . 2014-03-09 21:48 1389208 ----a-w- c:\windows\system32\icardagt.exe
    2014-09-20 22:24 . 2014-03-09 21:47 619672 ----a-w- c:\windows\SysWow64\icardagt.exe
    2014-09-20 22:24 . 2014-06-30 22:24 8856 ----a-w- c:\windows\system32\icardres.dll
    2014-09-20 22:24 . 2014-06-30 22:14 8856 ----a-w- c:\windows\SysWow64\icardres.dll
    2014-09-20 22:24 . 2014-06-06 06:16 35480 ----a-w- c:\windows\SysWow64\TsWpfWrp.exe
    2014-09-20 22:24 . 2014-06-06 06:12 35480 ----a-w- c:\windows\system32\TsWpfWrp.exe
    2014-09-20 22:13 . 2014-09-20 22:13 111080 ----a-w- c:\windows\system32\drivers\ILtPGRZV.sys
    2014-09-20 22:11 . 2014-09-20 22:11 111080 ----a-w- c:\windows\system32\drivers\NBCkzyDb.sys
    2014-09-20 22:03 . 2014-06-27 02:08 2777088 ----a-w- c:\windows\system32\msmpeg2vdec.dll
    2014-09-20 22:03 . 2014-06-27 01:45 2285056 ----a-w- c:\windows\SysWow64\msmpeg2vdec.dll
    2014-09-20 22:00 . 2014-06-25 02:05 14175744 ----a-w- c:\windows\system32\shell32.dll
    2014-09-20 21:59 . 2014-06-06 10:10 624128 ----a-w- c:\windows\system32\qedit.dll
    2014-09-20 21:59 . 2014-06-06 09:44 509440 ----a-w- c:\windows\SysWow64\qedit.dll
    2014-09-20 21:59 . 2014-05-30 06:45 497152 ----a-w- c:\windows\system32\drivers\afd.sys
    2014-09-20 21:59 . 2014-08-23 02:07 404480 ----a-w- c:\windows\system32\gdi32.dll
    2014-09-20 21:59 . 2014-08-23 01:45 311808 ----a-w- c:\windows\SysWow64\gdi32.dll
    2014-09-20 21:59 . 2014-08-23 00:59 3163648 ----a-w- c:\windows\system32\win32k.sys
    2014-09-20 21:59 . 2014-07-14 02:02 1216000 ----a-w- c:\windows\system32\rpcrt4.dll
    2014-09-20 21:59 . 2014-07-14 01:40 664064 ----a-w- c:\windows\SysWow64\rpcrt4.dll
    2014-09-20 21:46 . 2014-09-20 21:46 111080 ----a-w- c:\windows\system32\drivers\SsgbkfyY.sys
    2014-09-20 21:43 . 2014-08-17 03:58 526336 ----a-w- c:\windows\system32\ieui.dll
    2014-09-16 10:51 . 2014-09-16 10:51 111080 ----a-w- c:\windows\system32\drivers\aWWCvThI.sys
    2014-09-03 19:46 . 2014-09-03 19:46 111080 ----a-w- c:\windows\system32\drivers\iVIgRJke.sys
    2014-09-03 19:44 . 2014-09-03 19:44 111080 ----a-w- c:\windows\system32\drivers\LixWLhJB.sys
    2014-08-31 17:20 . 2014-08-31 17:20 111080 ----a-w- c:\windows\system32\drivers\HwhACASq.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2014-09-22 06:42 . 2011-10-27 20:21 278152 ------w- c:\windows\system32\MpSigStub.exe
    2014-09-20 13:10 . 2013-06-26 14:27 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2014-09-20 13:10 . 2013-06-26 14:27 701104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2014-09-17 11:05 . 2012-02-10 12:24 1188440 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
    2014-09-03 19:47 . 2010-06-24 18:33 23256 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2014-08-28 21:09 . 2014-08-28 21:09 111080 ----a-w- c:\windows\system32\drivers\ajOQjQhU.sys
    2014-08-27 14:47 . 2014-08-27 14:47 111080 ----a-w- c:\windows\system32\drivers\txAthFaK.sys
    2014-08-27 14:46 . 2014-08-27 14:46 111080 ----a-w- c:\windows\system32\drivers\JKzFHMwg.sys
    2014-08-23 00:34 . 2014-08-23 00:34 111080 ----a-w- c:\windows\system32\drivers\vCKYeTXc.sys
    2014-08-21 13:56 . 2014-08-21 13:56 111080 ----a-w- c:\windows\system32\drivers\SXkkfHGk.sys
    2014-08-19 15:44 . 2014-08-19 15:44 111080 ----a-w- c:\windows\system32\drivers\lFDmxCus.sys
    2014-08-10 22:23 . 2014-08-10 22:22 111080 ----a-w- c:\windows\system32\drivers\ObnXGiKQ.sys
    2014-08-02 18:38 . 2014-08-02 18:38 111080 ----a-w- c:\windows\system32\drivers\OBYIpiCc.sys
    2014-07-28 23:55 . 2014-07-28 23:55 111080 ----a-w- c:\windows\system32\drivers\qSWnNbKK.sys
    2014-07-25 07:35 . 2014-07-25 07:35 875688 ----a-w- c:\windows\SysWow64\msvcr120_clr0400.dll
    2014-07-25 04:47 . 2014-07-25 04:47 869544 ----a-w- c:\windows\system32\msvcr120_clr0400.dll
    2014-07-20 13:12 . 2014-07-20 13:12 111080 ----a-w- c:\windows\system32\drivers\yOgBZdIV.sys
    2014-07-17 23:05 . 2014-07-17 23:05 269008 ----a-w- c:\windows\system32\drivers\MpFilter.sys
    2014-07-17 23:05 . 2011-04-27 20:25 125584 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
    2014-07-15 09:46 . 2014-07-15 09:46 111080 ----a-w- c:\windows\system32\drivers\WibIrYzv.sys
    2014-07-09 01:59 . 2014-07-09 01:59 111080 ----a-w- c:\windows\system32\drivers\wVsNmtRs.sys
    2014-07-07 23:18 . 2014-07-07 23:18 111080 ----a-w- c:\windows\system32\drivers\ZIgpNqlB.sys
    2014-07-07 23:03 . 2014-07-07 23:03 111080 ----a-w- c:\windows\system32\drivers\qGQAjKTR.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AOL Fast Start"="c:\program files (x86)\AOL Desktop 9.6\AOL.EXE" [2011-04-25 42320]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "LManager"="c:\program files (x86)\Launch Manager\LManager.exe" [2010-08-11 975952]
    "ZoneAlarm"="c:\program files (x86)\CheckPoint\ZoneAlarm\zatray.exe" [2013-06-20 73832]
    "WRSVC"="c:\program files\Webroot\WRSA.exe" [2012-01-16 647120]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
    R2 NOBU;Norton Online Backup;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]
    R2 Updater Service;Updater Service;c:\program files\Gateway\Gateway Updater\UpdaterService.exe;c:\program files\Gateway\Gateway Updater\UpdaterService.exe [x]
    R2 WRSVC;WRSVC;c:\program files\Webroot\WRSA.exe;c:\program files\Webroot\WRSA.exe [x]
    R3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.SYS;c:\windows\SYSNATIVE\drivers\AmUStor.SYS [x]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
    R3 PCDSRVC{FCB8192B-6C0E95E9-06020101}_0;PCDSRVC{FCB8192B-6C0E95E9-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\users\gateway\appdata\local\temp\i1amxcawrfo3\pcdrdiag\bin\pcdsrvc_x64.pkms;c:\users\gateway\appdata\local\temp\i1amxcawrfo3\pcdrdiag\bin\pcdsrvc_x64.pkms [x]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
    R3 TurboBoost;TurboBoost;c:\program files\Intel\TurboBoost\TurboBoost.exe;c:\program files\Intel\TurboBoost\TurboBoost.exe [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
    S0 WRkrn;WRkrn;c:\windows\System32\drivers\WRkrn.sys;c:\windows\SYSNATIVE\drivers\WRkrn.sys [x]
    S2 DsiWMIService;Dritek WMI Service;c:\program files (x86)\Launch Manager\dsiwmis.exe;c:\program files (x86)\Launch Manager\dsiwmis.exe [x]
    S2 ePowerSvc;Acer ePower Service;c:\program files\Gateway\Gateway Power Management\ePowerSvc.exe;c:\program files\Gateway\Gateway Power Management\ePowerSvc.exe [x]
    S2 GREGService;GREGService;c:\program files (x86)\Gateway\Registration\GREGsvc.exe;c:\program files (x86)\Gateway\Registration\GREGsvc.exe [x]
    S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe;c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [x]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [x]
    S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys;c:\windows\SYSNATIVE\DRIVERS\TurboB.sys [x]
    S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [x]
    S2 ZAPrivacyService;ZoneAlarm Privacy Service;c:\program files (x86)\CheckPoint\ZoneAlarm\ZAPrivacyService.exe;c:\program files (x86)\CheckPoint\ZoneAlarm\ZAPrivacyService.exe [x]
    S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys;c:\windows\SYSNATIVE\DRIVERS\HECIx64.sys [x]
    S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys;c:\windows\SYSNATIVE\DRIVERS\Impcd.sys [x]
    S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
    S3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys;c:\windows\SYSNATIVE\DRIVERS\k57nd60a.sys [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-05-07 161304]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-05-07 386584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2010-05-07 413208]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-07-29 11101800]
    "SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
    "AmIcoSinglun64"="c:\program files (x86)\AmIcoSingLun\AmIcoSinglun64.exe" [2010-06-10 324608]
    "Acer ePower Management"="c:\program files\Gateway\Gateway Power Management\ePowerTray.exe" [2010-06-11 861216]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-08-22 1331288]
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.aol.com/
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    TCP: DhcpNameServer = 192.168.1.1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    AddRemove-ViewpointMediaPlayer - c:\program files (x86)\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe
    .
    .
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{FCB8192B-6C0E95E9-06020101}_0]
    "ImagePath"="\??\c:\users\gateway\appdata\local\temp\i1amxcawrfo3\pcdrdiag\bin\pcdsrvc_x64.pkms"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_152_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_152_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker6"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_152_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_152_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_152.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.15"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_152.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_152.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_152.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker6"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
    @DACL=(02 0000)
    @="Bing"
    "URL"="http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC"
    "DisplayName"="@ieframe.dll,-12512"
    "FaviconURL"="http://www.bing.com/favicon.ico"
    "SuggestionsURL"="http://api.bing.com/qsml.aspx?query={searchTerms}&src={referrer:source?}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={Language}"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2014-09-28 14:55:09
    ComboFix-quarantined-files.txt 2014-09-28 19:55
    ComboFix2.txt 2014-09-28 14:12
    .
    Pre-Run: 567,657,218,048 bytes free
    Post-Run: 567,343,190,016 bytes free
    .
    - - End Of File - - 82EBEC9278388CBE60974295C7E483C4
  2. 2014-09-29, 01:35 #22
    Juliet
    Juliet is offline
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Not getting the results I was hoping for.

    Next: Disconnect from the internet. If you are on Cable or DSL unplug your computer from the modem.
    Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
    This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

    Click on this link Here to see a list of programs that should be disabled.

    Please open Notepad *Do Not Use Wordpad!* or use any other text editor than Notepad or the script will fail. (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
    Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.
    ClearJavaCache::
    Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.



    Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    HitmanPro

    • Please download HitmanPro.
    • Launch the program by double clicking on the HitmanPro icon. (Windows Vista/7 users right click on the HitmanPro icon and select run as administrator).
    • Click on the next button. You must agree with the terms of EULA.
    • Check the box beside "No, I only want to perform a one-time scan to check this computer".
    • Click on the next button.
    • The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.
    • When the scan is done click on drop-down menu of the found entries (if any) and choose - Apply to all => Ignore <= IMPORTANT!!!
    • Click on the next button.
    • Click on the "Export scan results to XML file".
    • Save that file to your desktop and zip and attach it in your next reply.


    ~~~~~~~~~~~~~~~~~~~~~~~~

    Please download Malwarebytes AntiRootkit and save it to your desktop.

    Full instructions how to use MBAR
    Please note: This is a beta version so please be sure to read the disclaimer and note of it.

    • Unzip/unrar MBAR in a folder to your Desktop and MBAM shall run ...

    • Click on Next > then on Update button to download fresh definitions.


    • When database updates click Next

    • In the following window ensure "Targets" scan for Drivers; Sectors; System are ticked. Then select "Scan button"


    • If an infection/s are found ensure "Create Restore Point" is checked, then select the "Cleanup Button" to remove threats.
    Or if you are sure any entries should be kept, just untick them. A list of infected files will be listed.


    • The Clean up procedure will be Scheduled for process.
    • When complete pop-up will show you. Select the Yes button and the system should re-boot to complete the cleaning process.

    >> Please attach the two following logs from the mbar folder:

    system-log.tx and mbar-log-year-month-day (hour-minute-second).txt.
    Also
    HitmanPro log

    please give me an update on how the computer is doing now.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.
  3. 2014-09-29, 01:39 #23
    Juliet
    Juliet is offline
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Also

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :folderfind
ib.adnxs.com
:filefind
ib.adnxs.com
:regfind
ib.adnxs.com
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.
  4. 2014-09-29, 02:51 #24
    NutherStamper
    NutherStamper is offline
    Senior Member
    Join Date
    Apr 2006
    Posts
    153

    Default

    Ok got everything run I hope:

    -----Ran combofix and you didn't say whether you wanted that log or not so I will send it later in another post.

    ------Ran Hitman Pro: will attach file.

    Malwarebyes Anti Root logs:

    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.07.0.1012

    (c) Malwarebytes Corporation 2011-2012

    OS version: 6.1.7601 Windows 7 Service Pack 1 x64

    Account is Administrative

    Internet Explorer version: 10.0.9200.17089

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED
    CPU speed: 2.527000 GHz
    Memory total: 3947360256, free: 2683580416

    Downloaded database version: v2014.09.28.08
    Downloaded database version: v2014.09.19.01
    =======================================
    Initializing...
    ------------ Kernel report ------------
    09/28/2014 19:24:18
    ------------ Loaded modules -----------
    \SystemRoot\system32\ntoskrnl.exe
    \SystemRoot\system32\hal.dll
    \SystemRoot\system32\kdcom.dll
    \SystemRoot\system32\mcupdate_GenuineIntel.dll
    \SystemRoot\system32\PSHED.dll
    \SystemRoot\system32\CLFS.SYS
    \SystemRoot\system32\CI.dll
    \SystemRoot\system32\drivers\Wdf01000.sys
    \SystemRoot\system32\drivers\WDFLDR.SYS
    \SystemRoot\system32\drivers\ACPI.sys
    \SystemRoot\system32\drivers\WMILIB.SYS
    \SystemRoot\system32\drivers\msisadrv.sys
    \SystemRoot\system32\drivers\pci.sys
    \SystemRoot\system32\drivers\vdrvroot.sys
    \SystemRoot\System32\drivers\partmgr.sys
    \SystemRoot\system32\DRIVERS\compbatt.sys
    \SystemRoot\system32\DRIVERS\BATTC.SYS
    \SystemRoot\system32\drivers\volmgr.sys
    \SystemRoot\System32\drivers\volmgrx.sys
    \SystemRoot\System32\drivers\mountmgr.sys
    \SystemRoot\system32\DRIVERS\iaStor.sys
    \SystemRoot\system32\drivers\atapi.sys
    \SystemRoot\system32\drivers\ataport.SYS
    \SystemRoot\system32\drivers\amdxata.sys
    \SystemRoot\system32\drivers\fltmgr.sys
    \SystemRoot\system32\drivers\fileinfo.sys
    \SystemRoot\system32\DRIVERS\MpFilter.sys
    \SystemRoot\System32\drivers\WRkrn.sys
    \SystemRoot\System32\drivers\msrpc.sys
    \SystemRoot\System32\drivers\NETIO.SYS
    \SystemRoot\System32\drivers\NDIS.SYS
    \SystemRoot\System32\drivers\TDI.SYS
    \SystemRoot\System32\Drivers\Ntfs.sys
    \SystemRoot\System32\Drivers\ksecdd.sys
    \SystemRoot\System32\Drivers\cng.sys
    \SystemRoot\System32\drivers\pcw.sys
    \SystemRoot\System32\Drivers\Fs_Rec.sys
    \SystemRoot\System32\Drivers\ksecpkg.sys
    \SystemRoot\System32\drivers\tcpip.sys
    \SystemRoot\System32\drivers\fwpkclnt.sys
    \SystemRoot\system32\drivers\volsnap.sys
    \SystemRoot\System32\Drivers\spldr.sys
    \SystemRoot\System32\drivers\rdyboost.sys
    \SystemRoot\System32\Drivers\mup.sys
    \SystemRoot\System32\drivers\hwpolicy.sys
    \SystemRoot\System32\DRIVERS\fvevol.sys
    \SystemRoot\system32\DRIVERS\disk.sys
    \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
    \SystemRoot\system32\drivers\cdrom.sys
    \SystemRoot\System32\Drivers\Null.SYS
    \SystemRoot\System32\Drivers\Beep.SYS
    \SystemRoot\System32\drivers\vga.sys
    \SystemRoot\System32\drivers\VIDEOPRT.SYS
    \SystemRoot\System32\drivers\watchdog.sys
    \SystemRoot\System32\DRIVERS\RDPCDD.sys
    \SystemRoot\system32\drivers\rdpencdd.sys
    \SystemRoot\system32\drivers\rdprefmp.sys
    \SystemRoot\System32\Drivers\Msfs.SYS
    \SystemRoot\System32\Drivers\Npfs.SYS
    \SystemRoot\system32\DRIVERS\tdx.sys
    \SystemRoot\system32\drivers\afd.sys
    \SystemRoot\System32\DRIVERS\netbt.sys
    \SystemRoot\system32\DRIVERS\vsdatant.sys
    \SystemRoot\system32\drivers\ws2ifsl.sys
    \SystemRoot\system32\DRIVERS\wfplwf.sys
    \SystemRoot\system32\DRIVERS\pacer.sys
    \SystemRoot\system32\DRIVERS\vwififlt.sys
    \SystemRoot\system32\DRIVERS\netbios.sys
    \SystemRoot\system32\DRIVERS\wanarp.sys
    \SystemRoot\system32\drivers\termdd.sys
    \SystemRoot\system32\DRIVERS\rdbss.sys
    \SystemRoot\system32\drivers\nsiproxy.sys
    \SystemRoot\system32\drivers\mssmbios.sys
    \SystemRoot\System32\drivers\discache.sys
    \SystemRoot\System32\Drivers\dfsc.sys
    \SystemRoot\system32\DRIVERS\blbdrive.sys
    \SystemRoot\system32\DRIVERS\tunnel.sys
    \SystemRoot\system32\DRIVERS\igdkmd64.sys
    \SystemRoot\System32\drivers\dxgkrnl.sys
    \SystemRoot\System32\drivers\dxgmms1.sys
    \SystemRoot\system32\DRIVERS\HECIx64.sys
    \SystemRoot\system32\drivers\usbehci.sys
    \SystemRoot\system32\drivers\USBPORT.SYS
    \SystemRoot\system32\drivers\HDAudBus.sys
    \SystemRoot\system32\DRIVERS\k57nd60a.sys
    \SystemRoot\system32\DRIVERS\athrx.sys
    \SystemRoot\system32\DRIVERS\vwifibus.sys
    \SystemRoot\system32\DRIVERS\CmBatt.sys
    \SystemRoot\system32\drivers\i8042prt.sys
    \SystemRoot\system32\drivers\kbdclass.sys
    \SystemRoot\system32\DRIVERS\SynTP.sys
    \SystemRoot\system32\DRIVERS\USBD.SYS
    \SystemRoot\system32\drivers\mouclass.sys
    \??\C:\Windows\system32\drivers\UBHelper.sys
    \??\C:\Windows\system32\drivers\NTIDrvr.sys
    \SystemRoot\system32\DRIVERS\Impcd.sys
    \SystemRoot\system32\DRIVERS\intelppm.sys
    \SystemRoot\system32\drivers\wmiacpi.sys
    \SystemRoot\system32\drivers\CompositeBus.sys
    \SystemRoot\system32\DRIVERS\AgileVpn.sys
    \SystemRoot\system32\DRIVERS\rasl2tp.sys
    \SystemRoot\system32\DRIVERS\ndistapi.sys
    \SystemRoot\system32\DRIVERS\ndiswan.sys
    \SystemRoot\system32\DRIVERS\raspppoe.sys
    \SystemRoot\system32\DRIVERS\raspptp.sys
    \SystemRoot\system32\DRIVERS\rassstp.sys
    \SystemRoot\system32\DRIVERS\wanatw64.sys
    \SystemRoot\system32\drivers\swenum.sys
    \SystemRoot\system32\drivers\ks.sys
    \SystemRoot\system32\drivers\umbus.sys
    \SystemRoot\system32\DRIVERS\usbhub.sys
    \SystemRoot\System32\Drivers\NDProxy.SYS
    \SystemRoot\system32\drivers\RTKVHD64.sys
    \SystemRoot\system32\drivers\portcls.sys
    \SystemRoot\system32\drivers\drmk.sys
    \SystemRoot\system32\drivers\ksthunk.sys
    \SystemRoot\system32\DRIVERS\IntcDAud.sys
    \SystemRoot\System32\Drivers\crashdmp.sys
    \SystemRoot\System32\Drivers\dump_iaStor.sys
    \SystemRoot\System32\Drivers\dump_dumpfve.sys
    \SystemRoot\system32\drivers\hidusb.sys
    \SystemRoot\system32\drivers\HIDCLASS.SYS
    \SystemRoot\system32\drivers\HIDPARSE.SYS
    \SystemRoot\system32\DRIVERS\mouhid.sys
    \SystemRoot\system32\DRIVERS\usbccgp.sys
    \SystemRoot\System32\Drivers\usbvideo.sys
    \SystemRoot\System32\win32k.sys
    \SystemRoot\System32\drivers\Dxapi.sys
    \SystemRoot\system32\DRIVERS\monitor.sys
    \SystemRoot\System32\TSDDD.dll
    \SystemRoot\System32\cdd.dll
    \SystemRoot\system32\drivers\luafv.sys
    \SystemRoot\system32\drivers\WudfPf.sys
    \SystemRoot\system32\DRIVERS\lltdio.sys
    \SystemRoot\system32\DRIVERS\nwifi.sys
    \SystemRoot\system32\DRIVERS\ndisuio.sys
    \SystemRoot\system32\DRIVERS\rspndr.sys
    \SystemRoot\system32\DRIVERS\TurboB.sys
    \SystemRoot\system32\drivers\HTTP.sys
    \SystemRoot\system32\DRIVERS\bowser.sys
    \SystemRoot\System32\drivers\mpsdrv.sys
    \SystemRoot\system32\DRIVERS\mrxsmb.sys
    \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    \SystemRoot\system32\drivers\peauth.sys
    \SystemRoot\System32\Drivers\secdrv.SYS
    \SystemRoot\System32\DRIVERS\srvnet.sys
    \SystemRoot\System32\drivers\tcpipreg.sys
    \SystemRoot\System32\DRIVERS\srv2.sys
    \SystemRoot\System32\DRIVERS\srv.sys
    \??\C:\Windows\system32\drivers\mbamchameleon.sys
    \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
    \Windows\System32\ntdll.dll
    \Windows\System32\smss.exe
    \Windows\System32\apisetschema.dll
    \Windows\System32\autochk.exe
    ----------- End -----------
    Done!
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xfffffa8004bef060
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Ide\IAAStorageDevice-1\
    Lower Device Object: 0xfffffa800494d050
    Lower Device Driver Name: \Driver\iaStor\
    <<<2>>>
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xfffffa8004bef060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xfffffa80070ffc70, DeviceName: Unknown, DriverName: \Driver\WRkrn\
    DevicePointer: 0xfffffa8004befb20, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xfffffa8004bef060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    DevicePointer: 0xfffffa800494d050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
    ------------ End ----------
    Alternate DeviceName: Unknown, DriverName: \Driver\partmgr\
    Upper DeviceData: 0x0, 0x0, 0x0
    Lower DeviceData: 0x0, 0x0, 0x0
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    <<<2>>>
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
    Done!
    Drive 0
    This is a System drive
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 6A3A6A3A

    Partition information:

    Partition 0 type is Other (0x27)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 2048 Numsec = 37996544

    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 37998592 Numsec = 729088
    Partition file system is NTFS
    Partition is bootable

    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 38727680 Numsec = 1211534000

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 640135028736 bytes
    Sector size: 512 bytes

    Scanning physical sectors of unpartitioned space on drive 0 (1-2047-1250243728-1250263728)...
    Done!
    Scan finished
    =======================================


    Removal queue found; removal started
    Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
    Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-1-37998592-i.mbam...
    Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
    Removal finished


    -----Second log:

    Malwarebytes Anti-Rootkit BETA 1.07.0.1012
    www.malwarebytes.org

    Database version: v2014.09.28.08

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 10.0.9200.17089
    Gateway :: GATEWAY-PC [administrator]

    9/28/2014 7:24:29 PM
    mbar-log-2014-09-28 (19-24-29).txt

    Scan type: Quick scan
    Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
    Scan options disabled:
    Objects scanned: 313600
    Time elapsed: 11 minute(s), 28 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    Physical Sectors Detected: 0
    (No malicious items detected)

    (end)


    ---------System Look log:
    SystemLook 30.07.11 by jpshortstuff
    Log created at 19:41 on 28/09/2014 by Gateway
    Administrator - Elevation successful
    WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.

    ========== folderfind ==========

    Searching for "ib.adnxs.com"
    No folders found.

    ========== filefind ==========

    Searching for "ib.adnxs.com"
    No files found.

    ========== regfind ==========

    Searching for "ib.adnxs.com"
    No data found.

    -= EOF =-


    --------System seems to be running ok but the last time I said that it proved me wrong. No pop ups of late. Can I get rid of some of these logs? My desktop is getting rather full. thanks for the help.
    Attached Files Attached Files
  5. 2014-09-29, 02:53 #25
    NutherStamper
    NutherStamper is offline
    Senior Member
    Join Date
    Apr 2006
    Posts
    153

    Default

    here's the latest combo fix log. Don't know if you need this or not.

    ComboFix 14-09-24.01 - Gateway 09/28/2014 18:48:02.3.4 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3764.2807 [GMT -5:00]
    Running from: c:\users\Gateway\Desktop\ComboFix.exe
    Command switches used :: c:\users\Gateway\Desktop\CFScript.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
    AV: Webroot SecureAnywhere *Enabled/Updated* {9C0666FC-6C7D-3E97-3C40-0C6B33FC7401}
    FW: ZoneAlarm Free Firewall Firewall *Disabled* {E6380B7E-D4B2-19F1-083E-56486607704B}
    SP: Microsoft Security Essentials *Disabled/Updated* {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
    SP: Webroot SecureAnywhere *Enabled/Updated* {27678718-4A47-3119-06F0-3719487B3EBC}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2014-08-28 to 2014-09-28 )))))))))))))))))))))))))))))))
    .
    .
    2014-09-28 23:53 . 2014-09-28 23:53 -------- d-----w- c:\users\Default\AppData\Local\temp
    2014-09-28 19:59 . 2014-09-09 02:05 11578928 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{357DB351-4BB7-4964-BCE1-C904B1CE3146}\mpengine.dll
    2014-09-28 19:58 . 2014-09-28 19:58 111080 ----a-w- c:\windows\system32\drivers\yMxFRDLr.sys
    2014-09-28 19:36 . 2014-09-28 19:36 111080 ----a-w- c:\windows\system32\drivers\UzVfwxBv.sys
    2014-09-28 14:17 . 2014-09-28 14:17 111080 ----a-w- c:\windows\system32\drivers\VbdJPgnZ.sys
    2014-09-28 13:59 . 2014-09-28 13:59 111080 ----a-w- c:\windows\system32\drivers\bUvERcaW.sys
    2014-09-28 11:53 . 2014-09-28 11:53 111080 ----a-w- c:\windows\system32\drivers\ICPieGzC.sys
    2014-09-27 23:29 . 2014-09-09 02:05 11578928 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2014-09-27 21:41 . 2014-09-27 21:41 111080 ----a-w- c:\windows\system32\drivers\UgqyfSyY.sys
    2014-09-27 21:40 . 2014-09-27 21:40 -------- d-----w- c:\programdata\Viewpoint
    2014-09-27 21:23 . 2014-09-27 21:23 -------- d-----w- c:\program files (x86)\Viewpoint
    2014-09-27 21:22 . 2014-09-27 21:22 111080 ----a-w- c:\windows\system32\drivers\dFcHOCdB.sys
    2014-09-27 21:13 . 2014-09-27 21:13 111080 ----a-w- c:\windows\system32\drivers\KxCEIaxm.sys
    2014-09-27 21:07 . 2014-09-27 21:07 111080 ----a-w- c:\windows\system32\drivers\yspnfyZk.sys
    2014-09-27 11:42 . 2014-09-28 11:52 -------- d-----w- C:\FRST
    2014-09-27 10:55 . 2014-09-27 10:55 122584 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
    2014-09-27 10:55 . 2014-05-12 12:26 63704 ----a-w- c:\windows\system32\drivers\mwac.sys
    2014-09-27 10:55 . 2014-05-12 12:26 91352 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
    2014-09-27 10:54 . 2014-09-27 10:55 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
    2014-09-26 11:12 . 2014-09-17 11:05 1188440 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6410BB57-6A43-4486-A4AA-0B94CA991346}\gapaengine.dll
    2014-09-25 13:11 . 2014-09-25 13:11 111080 ----a-w- c:\windows\system32\drivers\OVeQxxot.sys
    2014-09-25 13:01 . 2014-09-25 13:01 111080 ----a-w- c:\windows\system32\drivers\NsnVqhYY.sys
    2014-09-24 16:07 . 2014-09-24 16:07 111080 ----a-w- c:\windows\system32\drivers\gRQyHaVv.sys
    2014-09-24 12:14 . 2014-09-24 12:14 111080 ----a-w- c:\windows\system32\drivers\cqVRFPRT.sys
    2014-09-20 22:52 . 2014-09-20 22:52 111080 ----a-w- c:\windows\system32\drivers\orzShdkG.sys
    2014-09-20 22:40 . 2014-09-20 22:40 111080 ----a-w- c:\windows\system32\drivers\lNmKKXXK.sys
    2014-09-20 22:24 . 2014-03-09 21:47 99480 ----a-w- c:\windows\SysWow64\infocardapi.dll
    2014-09-20 22:24 . 2014-03-09 21:48 171160 ----a-w- c:\windows\system32\infocardapi.dll
    2014-09-20 22:24 . 2014-03-09 21:48 1389208 ----a-w- c:\windows\system32\icardagt.exe
    2014-09-20 22:24 . 2014-03-09 21:47 619672 ----a-w- c:\windows\SysWow64\icardagt.exe
    2014-09-20 22:24 . 2014-06-30 22:24 8856 ----a-w- c:\windows\system32\icardres.dll
    2014-09-20 22:24 . 2014-06-30 22:14 8856 ----a-w- c:\windows\SysWow64\icardres.dll
    2014-09-20 22:24 . 2014-06-06 06:16 35480 ----a-w- c:\windows\SysWow64\TsWpfWrp.exe
    2014-09-20 22:24 . 2014-06-06 06:12 35480 ----a-w- c:\windows\system32\TsWpfWrp.exe
    2014-09-20 22:13 . 2014-09-20 22:13 111080 ----a-w- c:\windows\system32\drivers\ILtPGRZV.sys
    2014-09-20 22:11 . 2014-09-20 22:11 111080 ----a-w- c:\windows\system32\drivers\NBCkzyDb.sys
    2014-09-20 22:03 . 2014-06-27 02:08 2777088 ----a-w- c:\windows\system32\msmpeg2vdec.dll
    2014-09-20 22:03 . 2014-06-27 01:45 2285056 ----a-w- c:\windows\SysWow64\msmpeg2vdec.dll
    2014-09-20 22:00 . 2014-06-25 02:05 14175744 ----a-w- c:\windows\system32\shell32.dll
    2014-09-20 21:59 . 2014-06-06 10:10 624128 ----a-w- c:\windows\system32\qedit.dll
    2014-09-20 21:59 . 2014-06-06 09:44 509440 ----a-w- c:\windows\SysWow64\qedit.dll
    2014-09-20 21:59 . 2014-05-30 06:45 497152 ----a-w- c:\windows\system32\drivers\afd.sys
    2014-09-20 21:59 . 2014-08-23 02:07 404480 ----a-w- c:\windows\system32\gdi32.dll
    2014-09-20 21:59 . 2014-08-23 01:45 311808 ----a-w- c:\windows\SysWow64\gdi32.dll
    2014-09-20 21:59 . 2014-08-23 00:59 3163648 ----a-w- c:\windows\system32\win32k.sys
    2014-09-20 21:59 . 2014-07-14 02:02 1216000 ----a-w- c:\windows\system32\rpcrt4.dll
    2014-09-20 21:59 . 2014-07-14 01:40 664064 ----a-w- c:\windows\SysWow64\rpcrt4.dll
    2014-09-20 21:46 . 2014-09-20 21:46 111080 ----a-w- c:\windows\system32\drivers\SsgbkfyY.sys
    2014-09-20 21:43 . 2014-08-17 03:58 526336 ----a-w- c:\windows\system32\ieui.dll
    2014-09-16 10:51 . 2014-09-16 10:51 111080 ----a-w- c:\windows\system32\drivers\aWWCvThI.sys
    2014-09-03 19:46 . 2014-09-03 19:46 111080 ----a-w- c:\windows\system32\drivers\iVIgRJke.sys
    2014-09-03 19:44 . 2014-09-03 19:44 111080 ----a-w- c:\windows\system32\drivers\LixWLhJB.sys
    2014-08-31 17:20 . 2014-08-31 17:20 111080 ----a-w- c:\windows\system32\drivers\HwhACASq.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2014-09-22 06:42 . 2011-10-27 20:21 278152 ------w- c:\windows\system32\MpSigStub.exe
    2014-09-20 13:10 . 2013-06-26 14:27 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2014-09-20 13:10 . 2013-06-26 14:27 701104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2014-09-17 11:05 . 2012-02-10 12:24 1188440 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
    2014-09-03 19:47 . 2010-06-24 18:33 23256 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2014-08-28 21:09 . 2014-08-28 21:09 111080 ----a-w- c:\windows\system32\drivers\ajOQjQhU.sys
    2014-08-27 14:47 . 2014-08-27 14:47 111080 ----a-w- c:\windows\system32\drivers\txAthFaK.sys
    2014-08-27 14:46 . 2014-08-27 14:46 111080 ----a-w- c:\windows\system32\drivers\JKzFHMwg.sys
    2014-08-23 00:34 . 2014-08-23 00:34 111080 ----a-w- c:\windows\system32\drivers\vCKYeTXc.sys
    2014-08-21 13:56 . 2014-08-21 13:56 111080 ----a-w- c:\windows\system32\drivers\SXkkfHGk.sys
    2014-08-19 15:44 . 2014-08-19 15:44 111080 ----a-w- c:\windows\system32\drivers\lFDmxCus.sys
    2014-08-10 22:23 . 2014-08-10 22:22 111080 ----a-w- c:\windows\system32\drivers\ObnXGiKQ.sys
    2014-08-02 18:38 . 2014-08-02 18:38 111080 ----a-w- c:\windows\system32\drivers\OBYIpiCc.sys
    2014-07-28 23:55 . 2014-07-28 23:55 111080 ----a-w- c:\windows\system32\drivers\qSWnNbKK.sys
    2014-07-25 07:35 . 2014-07-25 07:35 875688 ----a-w- c:\windows\SysWow64\msvcr120_clr0400.dll
    2014-07-25 04:47 . 2014-07-25 04:47 869544 ----a-w- c:\windows\system32\msvcr120_clr0400.dll
    2014-07-20 13:12 . 2014-07-20 13:12 111080 ----a-w- c:\windows\system32\drivers\yOgBZdIV.sys
    2014-07-17 23:05 . 2014-07-17 23:05 269008 ----a-w- c:\windows\system32\drivers\MpFilter.sys
    2014-07-17 23:05 . 2011-04-27 20:25 125584 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
    2014-07-15 09:46 . 2014-07-15 09:46 111080 ----a-w- c:\windows\system32\drivers\WibIrYzv.sys
    2014-07-09 01:59 . 2014-07-09 01:59 111080 ----a-w- c:\windows\system32\drivers\wVsNmtRs.sys
    2014-07-07 23:18 . 2014-07-07 23:18 111080 ----a-w- c:\windows\system32\drivers\ZIgpNqlB.sys
    2014-07-07 23:03 . 2014-07-07 23:03 111080 ----a-w- c:\windows\system32\drivers\qGQAjKTR.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AOL Fast Start"="c:\program files (x86)\AOL Desktop 9.6\AOL.EXE" [2011-04-25 42320]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "LManager"="c:\program files (x86)\Launch Manager\LManager.exe" [2010-08-11 975952]
    "ZoneAlarm"="c:\program files (x86)\CheckPoint\ZoneAlarm\zatray.exe" [2013-06-20 73832]
    "WRSVC"="c:\program files\Webroot\WRSA.exe" [2012-01-16 647120]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
    R2 NOBU;Norton Online Backup;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]
    R2 Updater Service;Updater Service;c:\program files\Gateway\Gateway Updater\UpdaterService.exe;c:\program files\Gateway\Gateway Updater\UpdaterService.exe [x]
    R2 WRSVC;WRSVC;c:\program files\Webroot\WRSA.exe;c:\program files\Webroot\WRSA.exe [x]
    R3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.SYS;c:\windows\SYSNATIVE\drivers\AmUStor.SYS [x]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
    R3 PCDSRVC{FCB8192B-6C0E95E9-06020101}_0;PCDSRVC{FCB8192B-6C0E95E9-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\users\gateway\appdata\local\temp\i1amxcawrfo3\pcdrdiag\bin\pcdsrvc_x64.pkms;c:\users\gateway\appdata\local\temp\i1amxcawrfo3\pcdrdiag\bin\pcdsrvc_x64.pkms [x]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
    R3 TurboBoost;TurboBoost;c:\program files\Intel\TurboBoost\TurboBoost.exe;c:\program files\Intel\TurboBoost\TurboBoost.exe [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
    S0 WRkrn;WRkrn;c:\windows\System32\drivers\WRkrn.sys;c:\windows\SYSNATIVE\drivers\WRkrn.sys [x]
    S2 DsiWMIService;Dritek WMI Service;c:\program files (x86)\Launch Manager\dsiwmis.exe;c:\program files (x86)\Launch Manager\dsiwmis.exe [x]
    S2 ePowerSvc;Acer ePower Service;c:\program files\Gateway\Gateway Power Management\ePowerSvc.exe;c:\program files\Gateway\Gateway Power Management\ePowerSvc.exe [x]
    S2 GREGService;GREGService;c:\program files (x86)\Gateway\Registration\GREGsvc.exe;c:\program files (x86)\Gateway\Registration\GREGsvc.exe [x]
    S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe;c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [x]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [x]
    S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys;c:\windows\SYSNATIVE\DRIVERS\TurboB.sys [x]
    S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [x]
    S2 ZAPrivacyService;ZoneAlarm Privacy Service;c:\program files (x86)\CheckPoint\ZoneAlarm\ZAPrivacyService.exe;c:\program files (x86)\CheckPoint\ZoneAlarm\ZAPrivacyService.exe [x]
    S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys;c:\windows\SYSNATIVE\DRIVERS\HECIx64.sys [x]
    S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys;c:\windows\SYSNATIVE\DRIVERS\Impcd.sys [x]
    S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
    S3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys;c:\windows\SYSNATIVE\DRIVERS\k57nd60a.sys [x]
    .
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-05-07 161304]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-05-07 386584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2010-05-07 413208]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-07-29 11101800]
    "SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
    "AmIcoSinglun64"="c:\program files (x86)\AmIcoSingLun\AmIcoSinglun64.exe" [2010-06-10 324608]
    "Acer ePower Management"="c:\program files\Gateway\Gateway Power Management\ePowerTray.exe" [2010-06-11 861216]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-08-22 1331288]
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.aol.com/
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    TCP: DhcpNameServer = 192.168.1.1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    AddRemove-ViewpointMediaPlayer - c:\program files (x86)\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe
    .
    .
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{FCB8192B-6C0E95E9-06020101}_0]
    "ImagePath"="\??\c:\users\gateway\appdata\local\temp\i1amxcawrfo3\pcdrdiag\bin\pcdsrvc_x64.pkms"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_152_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_152_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker6"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_152_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_152_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_152.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.15"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_152.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_152.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_152.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker6"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
    @DACL=(02 0000)
    @="Bing"
    "URL"="http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC"
    "DisplayName"="@ieframe.dll,-12512"
    "FaviconURL"="http://www.bing.com/favicon.ico"
    "SuggestionsURL"="http://api.bing.com/qsml.aspx?query={searchTerms}&src={referrer:source?}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={Language}"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2014-09-28 18:55:30
    ComboFix-quarantined-files.txt 2014-09-28 23:55
    ComboFix2.txt 2014-09-28 19:55
    ComboFix3.txt 2014-09-28 14:12
    .
    Pre-Run: 567,400,054,784 bytes free
    Post-Run: 567,323,672,576 bytes free
    .
    - - End Of File - - 0B1B3DF6207A1C17011E1BB2C3D5A8FD
  6. 2014-09-29, 11:53 #26
    Juliet
    Juliet is offline
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Looking good.

    What you had (ib.adnxs.) which is a browser hijacker. It came in bundled as 3rd party malware. Which software, good question.

    After cleaning up malware the usual steps are to reset all browsers.

    Please reset Google Chrome and check again:
    https://support.google.com/chrome/answer/3296214?hl=en

    Reset your Firefox:
    https://support.mozilla.org/en-US/kb...-most-problems

    Internet Explorer
    How to reset Internet Explorer settings
    Let's get rid of some of these tools and files.

    1. Download Delfix from here
    2. Ensure Remove disinfection tools is ticked
      Also tick:
      • Create registry backup
      • Purge system restore


    3. Click Run




    Any other tools and files found can simply be deleted or uninstall via Add/Remove Programs in the Control Panel etc.

    *******************
    Don't miss or skip this next step, this will remove malicious files from quarantine and set a clean restore point.

    Go to Start > Run > copy and paste the full text path in the run box

    ComboFix /Uninstall

    Note the space between the x and the /U, it needs to be there.

    *******************

    One last tool to see if a couple of items are outdated.


    Please run this security check for my review.

    Download Security Check by screen317 from here.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.
  7. 2014-09-29, 15:29 #27
    NutherStamper
    NutherStamper is offline
    Senior Member
    Join Date
    Apr 2006
    Posts
    153

    Default

    [QUOTE=Juliet;457539]Looking good.

    What you had (ib.adnxs.) which is a browser hijacker. It came in bundled as 3rd party malware. Which software, good question.

    After cleaning up malware the usual steps are to reset all browsers.



    *******************
    Don't miss or skip this next step, this will remove malicious files from quarantine and set a clean restore point.

    Go to Start > Run > copy and paste the full text path in the run box

    ComboFix /Uninstall

    Note the space between the x and the /U, it needs to be there.

    *******************

    -----Reset IE settings and ran Delfix. Do you need the log from that?

    Cannot do the restore point. Get the error message" Windows cannot find ComboFix Make sure you type the name correctly" Just for the heck of it I typed it in manually making sure I had that space in there. Same thing. Going to run the last step now and will send you the log for that. Now what?
    Thanks for the help!
  8. 2014-09-29, 15:39 #28
    Juliet
    Juliet is offline
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Reset IE settings and ran Delfix. Do you need the log from that?

    Cannot do the restore point. Get the error message" Windows cannot find ComboFix
    I don't need the delfix log, The error message is fine, ComboFix was removed using delfix.

    yes, I do want to see the Security Check log.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.
  9. 2014-09-29, 15:41 #29
    NutherStamper
    NutherStamper is offline
    Senior Member
    Join Date
    Apr 2006
    Posts
    153

    Default

    Quote Originally Posted by Juliet View Post
    I don't need the delfix log, The error message is fine, ComboFix was removed using delfix.

    yes, I do want to see the Security Check log.
    Here's the Security Check log:

    Results of screen317's Security Check version 0.99.87
    Windows 7 Service Pack 1 x64 (UAC is enabled)
    Internet Explorer 10 Out of date!
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Disabled!
    Microsoft Security Essentials
    Webroot SecureAnywhere
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    MVPS Hosts File
    Spybot - Search & Destroy
    Adobe Reader XI
    ````````Process Check: objlist.exe by Laurent````````
    Microsoft Security Essentials MSMpEng.exe
    Microsoft Security Essentials msseces.exe
    Spybot Teatimer.exe is disabled!
    CheckPoint ZoneAlarm vsmon.exe
    CheckPoint ZoneAlarm ZAPrivacyService.exe
    CheckPoint ZoneAlarm zatray.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 3%
    ````````````````````End of Log``````````````````````
  10. 2014-09-29, 17:56 #30
    Juliet
    Juliet is offline
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Internet Explorer 10 Out of date!
    You need to allow windows update to install the latest version of IE.

    everything else looks good.

    Your good to go, good job!

    Please take the time to read over a few of my preventive tips.

    Computer Security
    http://malwareremoval.com/forum/view...557960#p557960
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Be prepared for CryptoLocker:

    Cryptolocker Ransomware: What You Need To Know

    CryptoLocker Ransomware Information Guide and FAQ

    to help protect your computer in the future I recommend that you get the following free programmes:

    CryptoPrevent install this programme to lock down and prevent crypto ransome ware



    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Please navigate to Microsoft Windows Updates and download all the "Critical Updates" for Windows.


    Firefox 3
    The award-winning Web browser is now faster, more secure, and fully customizable to your online life. With Firefox 3, added powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.
    *NoScript - Addon for Firefox that stops all scripts from running on websites. Stops malicious software from invading via flash, java, javascript, and many other entry points.

    AdblockPlus
    • AdblockPlus, Surf the web without annoying ads!
    • Blocks banners, pop-ups and video ads - even on Facebook and YouTube
    • Protects your online privacy
    • Two-click installation, It's free!
    • click the icon that corresponds to your browser and download.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    WOT Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.
    • Green should be good to go
    • Yellow for caution
    • Red to stop




    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    How to prevent Malware: Created by Miekiemoes


    WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
    See this article (http://www.forbes.com/sites/eliseack...-disable-java/
    and this article (http://www.nbcnews.com/technology/te...late-1B7938755

    I would recommend that you completely uninstall Java unless you need it to run an important software.
    In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to diasble Java in your web browser (http://www.geekstogo.com/2600/how-to...r-web-browser/) and How to unplug Java from the browser (http://krebsonsecurity.com/how-to-un...m-the-browser/))


    Avoid P2P

    P2P may be a great way to get lots of stuffs, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well.

    Please read these short reports on the dangers of peer-2-peer programs and file sharing.

    *********************************************
    Please read the following safe computing articles..

    Secure My Computer: A Layered Approach


    Free Antivirus-AntiSpyware-Firewall Software

    Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.


    • It is possible for other programs on your computer to have security vulnerability that can allow malware to infect you.
    • Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities.
    • You can check these by visiting Secunia Software Inspector or you can use the following application for this purpose PatchMyPC
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules