Apply the fix I mentioned in PM.
Apply the fix I mentioned in PM.
Windows Insider MVP Consumer Security 2009 - 2017
Please do not PM me for Malware help, we all benefit from posting on the open board.
If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.
Emergency Backup Procedure - Tech Support Forum
Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.
How to use ComboFix
Download ComboFix from here:
Link 1
Link 2
Link 3
Place ComboFix.exe on your Desktop <--Important
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
You can get help on disabling your protection programs here- Double click on ComboFix.exe & follow the prompts.
- You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)
- Your desktop may go blank. This is normal. It will return when ComboFix is done. Combofix may need to reboot your computer more than once to do its job this is normal.
- When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer
---------------------------------------------------------------------------------------------- Ensure your AntiVirus and AntiSpyware applications are re-enabled.
Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.
---------------------------------------------------------------------------------------------- If there are Internet issues after running ComboFix:
Internet Explorer:
Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" and check to "Automatically detect settings". Also clear any proxy address and port. ok, apply (only if applicable), ok.
Firefox:
Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection. "No Proxy" should be selected, unless you have one set up yourself.
Chrome:
Select -> Tools menu -> then "Options", then go to "Change Proxy Settings", then "LAN Settings" , then take out the check mark for "Use a proxy server for your LAN" if set, unless you set this up yourself.
Safari
Launch Safari
Go to general settings menu
Then in Preferences/ Advanced
Then on line click Proxies change settings ...
Click Internet Options, then click the Connections tab, click Network Settings.
Disable option (uncheck) for the use of proxy server ...
Windows Insider MVP Consumer Security 2009 - 2017
Please do not PM me for Malware help, we all benefit from posting on the open board.
ComboFix 14-12-14.01 - Welch 12/16/2014 17:14:20.1.4 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.7365.5699 [GMT -6:00]
Running from: c:\users\Welch\Desktop\ComboFix.exe
AV: Spybot - Search and Destroy *Disabled/Updated* {20A26C15-1AF0-7CA3-9380-FAB824A7EE0D}
SP: Spybot - Search and Destroy *Disabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2014-11-16 to 2014-12-16 )))))))))))))))))))))))))))))))
.
.
2014-12-16 23:17 . 2014-12-16 23:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-12-16 22:53 . 2014-12-16 22:53 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{ABFAB8E6-8BFE-4103-843B-C0F2DB021A7B}\offreg.dll
2014-12-16 15:02 . 2014-12-16 15:02 -------- d-----w- c:\windows\ERUNT
2014-12-16 14:55 . 2014-12-16 21:56 -------- d-----w- C:\AdwCleaner
2014-12-16 11:10 . 2014-12-02 10:26 11870360 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{ABFAB8E6-8BFE-4103-843B-C0F2DB021A7B}\mpengine.dll
2014-12-15 15:03 . 2014-12-15 15:03 -------- d-----w- C:\RegBackup
2014-12-15 14:55 . 2014-12-16 22:02 -------- d-----w- C:\FRST
2014-12-15 14:49 . 2014-12-15 14:49 -------- d-----w- c:\program files (x86)\Tweaking.com
2014-12-11 22:26 . 2013-09-20 16:49 21040 ----a-w- c:\windows\system32\sdnclean64.exe
2014-12-11 22:26 . 2014-12-11 23:15 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2014-12-11 22:25 . 2014-12-12 15:04 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy 2
2014-12-09 21:52 . 2014-12-09 21:52 -------- d-----w- c:\windows\system32\appraiser
2014-12-09 21:46 . 2014-12-09 21:46 -------- d-----w- c:\program files\CCleaner
2014-12-09 21:35 . 2014-10-18 02:05 4121600 ----a-w- c:\windows\system32\mf.dll
2014-12-09 21:35 . 2014-10-18 01:33 3209728 ----a-w- c:\windows\SysWow64\mf.dll
2014-12-09 20:21 . 2014-12-04 02:50 413184 ----a-w- c:\windows\system32\generaltel.dll
2014-12-09 20:21 . 2014-12-04 02:50 741376 ----a-w- c:\windows\system32\invagent.dll
2014-12-09 20:21 . 2014-12-04 02:50 396800 ----a-w- c:\windows\system32\devinv.dll
2014-12-09 20:21 . 2014-12-04 02:50 227328 ----a-w- c:\windows\system32\aepdu.dll
2014-12-09 20:21 . 2014-12-04 02:50 192000 ----a-w- c:\windows\system32\aepic.dll
2014-12-09 20:21 . 2014-12-04 02:44 1083392 ----a-w- c:\windows\system32\aeinv.dll
2014-12-09 20:21 . 2014-12-01 23:28 1232040 ----a-w- c:\windows\system32\aitstatic.exe
2014-12-09 19:58 . 2014-11-11 03:09 1424384 ----a-w- c:\windows\system32\WindowsCodecs.dll
2014-12-09 19:57 . 2014-11-11 02:44 1230336 ----a-w- c:\windows\SysWow64\WindowsCodecs.dll
2014-12-09 19:57 . 2014-11-11 01:46 119296 ----a-w- c:\windows\system32\drivers\tdx.sys
2014-12-09 19:52 . 2014-10-30 02:03 165888 ----a-w- c:\windows\system32\charmap.exe
2014-12-09 19:52 . 2014-10-30 01:45 155136 ----a-w- c:\windows\SysWow64\charmap.exe
2014-12-09 19:52 . 2014-10-03 02:12 310272 ----a-w- c:\windows\system32\WsmWmiPl.dll
2014-12-09 19:52 . 2014-10-03 02:12 2020352 ----a-w- c:\windows\system32\WsmSvc.dll
2014-12-09 19:52 . 2014-10-03 02:12 346624 ----a-w- c:\windows\system32\WSManMigrationPlugin.dll
2014-12-09 19:52 . 2014-10-03 02:12 181248 ----a-w- c:\windows\system32\WsmAuto.dll
2014-12-09 19:52 . 2014-10-03 02:11 266240 ----a-w- c:\windows\system32\WSManHTTPConfig.exe
2014-12-09 19:52 . 2014-10-03 01:45 248832 ----a-w- c:\windows\SysWow64\WSManMigrationPlugin.dll
2014-12-09 19:52 . 2014-10-03 01:45 1177088 ----a-w- c:\windows\SysWow64\WsmSvc.dll
2014-12-09 19:52 . 2014-10-03 01:45 214016 ----a-w- c:\windows\SysWow64\WsmWmiPl.dll
2014-12-09 19:52 . 2014-10-03 01:45 145920 ----a-w- c:\windows\SysWow64\WsmAuto.dll
2014-12-09 19:52 . 2014-10-03 01:44 198656 ----a-w- c:\windows\SysWow64\WSManHTTPConfig.exe
2014-12-09 19:51 . 2014-11-08 03:16 2048 ----a-w- c:\windows\system32\tzres.dll
2014-12-09 19:51 . 2014-11-08 02:45 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2014-11-26 15:22 . 2014-12-10 15:05 -------- d-----r- c:\users\Welch\Dropbox
2014-11-26 14:55 . 2014-12-09 17:45 -------- d-----w- c:\users\Welch\AppData\Roaming\Dropbox
2014-11-25 16:57 . 2014-12-11 23:06 -------- d-----w- c:\program files (x86)\On-Screen Takeoff 3
2014-11-25 16:57 . 2014-11-25 16:57 -------- d-----w- c:\program files (x86)\Common Files\Crystal Decisions
2014-11-25 16:57 . 2014-11-25 16:57 -------- d-----w- C:\OCS Documents
2014-11-25 16:57 . 2014-11-25 16:57 -------- d-----w- c:\program files (x86)\Common Files\Macrovision Shared
2014-11-20 19:57 . 2012-06-01 05:39 14848 ----a-w- c:\windows\system32\wamregps.dll
2014-11-20 19:57 . 2012-06-01 05:36 192000 ----a-w- c:\windows\system32\iisRtl.dll
2014-11-20 19:57 . 2012-06-01 05:36 11264 ----a-w- c:\windows\system32\iisrstap.dll
2014-11-20 19:57 . 2012-06-01 05:35 60928 ----a-w- c:\windows\system32\ahadmin.dll
2014-11-20 19:57 . 2012-06-01 05:34 55296 ----a-w- c:\windows\system32\admwprox.dll
2014-11-20 19:57 . 2012-06-01 05:33 16896 ----a-w- c:\windows\system32\iisreset.exe
2014-11-20 19:57 . 2012-06-01 04:40 10752 ----a-w- c:\windows\SysWow64\wamregps.dll
2014-11-20 19:57 . 2012-06-01 04:37 8192 ----a-w- c:\windows\SysWow64\iisrstap.dll
2014-11-20 19:57 . 2012-06-01 04:37 154624 ----a-w- c:\windows\SysWow64\iisRtl.dll
2014-11-20 19:57 . 2012-06-01 04:35 26624 ----a-w- c:\windows\SysWow64\ahadmin.dll
2014-11-20 19:57 . 2012-06-01 04:35 50688 ----a-w- c:\windows\SysWow64\admwprox.dll
2014-11-20 19:57 . 2012-06-01 04:34 15360 ----a-w- c:\windows\SysWow64\iisreset.exe
2014-11-20 15:15 . 2014-12-03 15:33 -------- d-----w- c:\users\DefaultAppPool
2014-11-20 15:00 . 2014-11-20 15:00 -------- d-----w- c:\windows\SysWow64\BestPractices
2014-11-20 14:59 . 2014-11-20 14:59 -------- d-----w- c:\windows\system32\BestPractices
2014-11-20 14:59 . 2014-11-20 14:59 -------- d-----w- C:\inetpub
2014-11-19 09:15 . 2014-11-11 03:08 241152 ----a-w- c:\windows\system32\pku2u.dll
2014-11-19 09:15 . 2014-11-11 03:08 728064 ----a-w- c:\windows\system32\kerberos.dll
2014-11-19 09:15 . 2014-11-11 02:44 186880 ----a-w- c:\windows\SysWow64\pku2u.dll
2014-11-19 09:15 . 2014-11-11 02:44 550912 ----a-w- c:\windows\SysWow64\kerberos.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-12-10 02:32 . 2014-05-08 14:24 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-12-10 02:32 . 2014-05-08 14:24 701104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-12-09 21:35 . 2014-05-07 20:54 112710672 ----a-w- c:\windows\system32\MRT.exe
2014-12-05 11:04 . 2014-10-07 15:01 98216 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2014-11-24 20:04 . 2010-11-21 03:27 275080 ------w- c:\windows\system32\MpSigStub.exe
2014-10-25 01:57 . 2014-11-11 21:28 77824 ----a-w- c:\windows\system32\packager.dll
2014-10-25 01:32 . 2014-11-11 21:28 67584 ----a-w- c:\windows\SysWow64\packager.dll
2014-10-18 02:05 . 2014-11-11 21:28 861696 ----a-w- c:\windows\system32\oleaut32.dll
2014-10-18 01:33 . 2014-11-11 21:28 571904 ----a-w- c:\windows\SysWow64\oleaut32.dll
2014-10-17 15:56 . 2014-10-17 15:55 32371688 ----a-w- c:\program files (x86)\Common Files\lpuninstall.exe
2014-10-15 16:12 . 2014-10-15 16:12 379392 ----a-w- c:\windows\system32\subinacl.msi
2014-10-14 02:16 . 2014-11-11 21:41 155064 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2014-10-14 02:13 . 2014-11-11 21:41 683520 ----a-w- c:\windows\system32\termsrv.dll
2014-10-14 02:13 . 2014-11-11 21:28 3241984 ----a-w- c:\windows\system32\msi.dll
2014-10-14 02:12 . 2014-11-11 21:41 1460736 ----a-w- c:\windows\system32\lsasrv.dll
2014-10-14 02:09 . 2014-11-11 21:41 146432 ----a-w- c:\windows\system32\msaudite.dll
2014-10-14 02:07 . 2014-11-11 21:41 681984 ----a-w- c:\windows\system32\adtschema.dll
2014-10-14 01:50 . 2014-11-11 21:41 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2014-10-14 01:50 . 2014-11-11 21:28 2363904 ----a-w- c:\windows\SysWow64\msi.dll
2014-10-14 01:49 . 2014-11-11 21:41 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
2014-10-14 01:47 . 2014-11-11 21:41 146432 ----a-w- c:\windows\SysWow64\msaudite.dll
2014-10-14 01:46 . 2014-11-11 21:41 681984 ----a-w- c:\windows\SysWow64\adtschema.dll
2014-10-10 00:57 . 2014-11-11 21:28 3198976 ----a-w- c:\windows\system32\win32k.sys
2014-10-07 09:06 . 2014-05-08 16:41 590536 ----a-w- c:\programdata\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe
2014-10-03 02:12 . 2014-11-11 21:36 500224 ----a-w- c:\windows\system32\AUDIOKSE.dll
2014-10-03 02:11 . 2014-11-11 21:36 284672 ----a-w- c:\windows\system32\EncDump.dll
2014-10-03 02:11 . 2014-11-11 21:36 680960 ----a-w- c:\windows\system32\audiosrv.dll
2014-10-03 02:11 . 2014-11-11 21:36 440832 ----a-w- c:\windows\system32\AudioEng.dll
2014-10-03 02:11 . 2014-11-11 21:36 296448 ----a-w- c:\windows\system32\AudioSes.dll
2014-10-03 01:44 . 2014-11-11 21:36 442880 ----a-w- c:\windows\SysWow64\AUDIOKSE.dll
2014-10-03 01:44 . 2014-11-11 21:36 374784 ----a-w- c:\windows\SysWow64\AudioEng.dll
2014-10-03 01:44 . 2014-11-11 21:36 195584 ----a-w- c:\windows\SysWow64\AudioSes.dll
2014-09-25 02:08 . 2014-10-01 07:10 371712 ----a-w- c:\windows\system32\qdvd.dll
2014-09-25 01:40 . 2014-10-01 07:10 519680 ----a-w- c:\windows\SysWow64\qdvd.dll
2014-09-19 09:42 . 2014-11-11 21:30 210944 ----a-w- c:\windows\system32\wdigest.dll
2014-09-19 09:42 . 2014-11-11 21:30 86528 ----a-w- c:\windows\system32\TSpkg.dll
2014-09-19 09:42 . 2014-11-11 21:30 342016 ----a-w- c:\windows\system32\schannel.dll
2014-09-19 09:42 . 2014-11-11 21:30 309760 ----a-w- c:\windows\system32\ncrypt.dll
2014-09-19 09:42 . 2014-11-11 21:30 314880 ----a-w- c:\windows\system32\msv1_0.dll
2014-09-19 09:42 . 2014-11-11 21:30 22016 ----a-w- c:\windows\system32\credssp.dll
2014-09-19 09:23 . 2014-11-11 21:30 172032 ----a-w- c:\windows\SysWow64\wdigest.dll
2014-09-19 09:23 . 2014-11-11 21:30 65536 ----a-w- c:\windows\SysWow64\TSpkg.dll
2014-09-19 09:23 . 2014-11-11 21:30 248832 ----a-w- c:\windows\SysWow64\schannel.dll
2014-09-19 09:23 . 2014-11-11 21:30 221184 ----a-w- c:\windows\SysWow64\ncrypt.dll
2014-09-19 09:23 . 2014-11-11 21:30 259584 ----a-w- c:\windows\SysWow64\msv1_0.dll
2014-09-19 09:23 . 2014-11-11 21:30 17408 ----a-w- c:\windows\SysWow64\credssp.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2014-05-08 16:46 222920 ----a-w- c:\users\Welch\AppData\Local\Microsoft\SkyDrive\17.0.4023.1211\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2014-05-08 16:46 222920 ----a-w- c:\users\Welch\AppData\Local\Microsoft\SkyDrive\17.0.4023.1211\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2014-05-08 16:46 222920 ----a-w- c:\users\Welch\AppData\Local\Microsoft\SkyDrive\17.0.4023.1211\SkyDriveShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HydraVisionDesktopManager"="c:\program files (x86)\ATI Technologies\HydraVision\HydraDM.exe" [2013-11-01 389120]
"ISUSPM"="c:\programdata\FLEXnet\Connect\11\ISUSPM.exe" [2009-05-05 222496]
"Grid"="c:\program files (x86)\ATI Technologies\HydraVision\HydraGrd.exe" [2013-11-01 401408]
"CCleaner Monitoring"="c:\program files\CCleaner\CCleaner64.exe" [2014-11-21 7063832]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe" [2013-11-01 766208]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-11-20 1021128]
"IndexSearch"="c:\program files (x86)\Nuance\PaperPort\IndexSearch.exe" [2011-08-02 46952]
"PaperPort PTD"="c:\program files (x86)\Nuance\PaperPort\pptd40nt.exe" [2011-08-02 30568]
"PDFHook"="c:\program files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe" [2010-03-06 636192]
"PDF5 Registry Controller"="c:\program files (x86)\Nuance\PDF Viewer Plus\RegistryController.exe" [2010-03-06 62752]
"ControlCenter4"="c:\program files (x86)\ControlCenter4\BrCcBoot.exe" [2012-11-19 143360]
"BrStsMon00"="c:\program files (x86)\Browny02\Brother\BrStMonW.exe" [2012-07-31 3084288]
"SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2014-06-24 4101576]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2011-4-29 276328]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean64.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [x]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]
R2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]
R3 MSICDSetup;MSICDSetup;d:\cdriver64.sys;d:\CDriver64.sys [x]
R3 NTIOLib_1_0_C;NTIOLib_1_0_C;d:\ntiolib_x64.sys;d:\NTIOLib_X64.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys;c:\windows\SYSNATIVE\DRIVERS\WSDScan.sys [x]
S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_sata.sys [x]
S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_xata.sys [x]
S1 SDHookDriver;Hook Test Driver;c:\program files (x86)\Spybot - Search & Destroy 2\SDHookDrv64.sys;c:\program files (x86)\Spybot - Search & Destroy 2\SDHookDrv64.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [x]
S2 AODDriver4.2.0;AODDriver4.2.0;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [x]
S2 ClickToRunSvc;Microsoft Office ClickToRun Service;c:\program files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe;c:\program files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [x]
S2 PDFProFiltSrvPP;PDFProFiltSrvPP;c:\program files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe;c:\program files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe [x]
S3 amdhub30;AMD USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\amdhub30.sys;c:\windows\SYSNATIVE\DRIVERS\amdhub30.sys [x]
S3 amdxhc;AMD USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\amdxhc.sys;c:\windows\SYSNATIVE\DRIVERS\amdxhc.sys [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys;c:\windows\SYSNATIVE\drivers\AtihdW76.sys [x]
S3 BrYNSvc;BrYNSvc;c:\program files (x86)\Browny02\BrYNSvc.exe;c:\program files (x86)\Browny02\BrYNSvc.exe [x]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys;c:\windows\SYSNATIVE\DRIVERS\dc3d.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys;c:\windows\SYSNATIVE\DRIVERS\rtl8192Ce.sys [x]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys;c:\windows\SYSNATIVE\DRIVERS\usbfilter.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
.
Contents of the 'Scheduled Tasks' folder
.
2014-12-16 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-05-08 02:32]
.
2014-12-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-05-15 20:56]
.
2014-12-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-05-15 20:56]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2014-05-08 16:46 261832 ----a-w- c:\users\Welch\AppData\Local\Microsoft\SkyDrive\17.0.4023.1211\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2014-05-08 16:46 261832 ----a-w- c:\users\Welch\AppData\Local\Microsoft\SkyDrive\17.0.4023.1211\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2014-05-08 16:46 261832 ----a-w- c:\users\Welch\AppData\Local\Microsoft\SkyDrive\17.0.4023.1211\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)]
@="{8BA85C75-763B-4103-94EB-9470F12FE0F7}"
[HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}]
2014-10-14 18:27 2334928 ----a-w- c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\grooveex.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)]
@="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}"
[HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}]
2014-10-14 18:27 2334928 ----a-w- c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\grooveex.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)]
@="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}"
[HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}]
2014-10-14 18:27 2334928 ----a-w- c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\grooveex.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt1"]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2014-08-17 04:10 164760 ----a-w- c:\users\Welch\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt2"]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2014-08-17 04:10 164760 ----a-w- c:\users\Welch\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt3"]
@="{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}]
2014-08-17 04:10 164760 ----a-w- c:\users\Welch\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt4"]
@="{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}]
2014-08-17 04:10 164760 ----a-w- c:\users\Welch\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt5"]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2014-08-17 04:10 164760 ----a-w- c:\users\Welch\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt6"]
@="{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}]
2014-08-17 04:10 164760 ----a-w- c:\users\Welch\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt7"]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2014-08-17 04:10 164760 ----a-w- c:\users\Welch\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt8"]
@="{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}]
2014-08-17 04:10 164760 ----a-w- c:\users\Welch\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NUSB3MON"="c:\program files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe" [2012-04-11 97280]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.foxnews.com/
mStart Page = about:blank
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyServer = localhost:21320
Trusted Zone: microsoft.com\www
Trusted Zone: nfl.com\www
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{65B50A6D-40BE-4DE7-B269-E291ED5CEE13}: NameServer = 5.135.12.56,199.203.35.78
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Notify-SDWinLogon - SDWinLogon.dll
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_246_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_246_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_246_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_246_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_246.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.15"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_246.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_246.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_246.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-12-16 17:19:19
ComboFix-quarantined-files.txt 2014-12-16 23:19
.
Pre-Run: 943,832,678,400 bytes free
Post-Run: 943,642,677,248 bytes free
.
- - End Of File - - 82AFC20130EF67BF90173B8DCD7DBC92
A36C5E4F47E84449FF07ED3517B43A31
Thank you very much!
chessdude
Please download RogueKiller and save it to your desktop.
You can check here if you're not sure if your computer is 32-bit or 64-bit
- Download RogueKiller to your desktop.
- Quit all running programs.
- For Windows XP, double-click to start.
- For Vista,Windows 7/8, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
- Read and accept the EULA (End User Licene Agreement)
- Click Scan to scan the system.
- When the scan completes Close the program > Don't Fix anything!
- Don't run any other options, they're not all bad!!
- Post back the report which should be located on your desktop.
~~~~~~~~~~~~~~~~~~
Malwarebytes Anti-Rootkit
- Download Malwarebytes Anti-Rootkit
- Once the file has been downloaded, right click on the downloaded file and select the Extract all menu option.
- Follow the instructions to extract the ZIP file to a folder called mbar-versionnumber on your desktop.
- Once the ZIP file has been extracted, open the folder and when that folder opens, double-click on the mbar folder.
- Double-click on the mbar.exe file to launch Malwarebytes Anti-Rootkit.
- After you double-click on the mbar.exe file, you may receive a User Account Control (UAC) message if you are sure you wish to allow the program to run. Please allow to start Malwarebytes Anti-Rootkit correctly.
- Malwarebytes Anti-Rootkit will now install necessary drivers that are required for the program to operate correctly.
- If you receive a DDA driver message like could not load DDA driver, click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer and will start automatically.
- Please click by the introduction screen on the Next button to continue.
- Next you will see the Update Database screen.
- Click on the Update button so Malwarebytes Anti-Rootkit can download the latest definition updates.
- When the update has finished, click on the Next button.
- Next you can select some basic scanning options. Make sure the Drivers, Sectors, and System scan targets are selected before you click on the Scan button.
- Malwarebytes Anti-Rootkit will now start scanning your computer for rootkits. This scan can take some time, so please be patient.
- When the scan with Malwarebytes Anti-Rootkit is finished, the program will display a screen with the results from the scan.
- Make sure everything is selected and that the option to create a restore point is checked.
- Next click on the Cleanup button. Malwarebytes Anti-Rootkit will then prompt you to reboot your computer.
- Click on Yes button to restart your computer.
- There will now be two log files created in the mbar folder called system-log.txt and one that starts with mbar-log.
- The mbar-log file will always start with mbar-log, but the rest will be named using a timestamp indicating the time it was run.
- For example, mbar-log-2012-11-12 (19-13-32).txt corresponds to mbar-log-year-month-day (hour-minute-second).txt.
- The system-log.txt contains information about each time you have run MBAR and contains diagnostic information from the program.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
please post the RogueKiller log
MBAR log
Give me some details as to what the computer is doing now?
Windows Insider MVP Consumer Security 2009 - 2017
Please do not PM me for Malware help, we all benefit from posting on the open board.
RogueKiller V10.1.0.0 [Dec 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Welch [Administrator]
Mode : Scan -- Date : 12/17/2014 08:19:13
¤¤¤ Processes : 46 ¤¤¤
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
[Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
¤¤¤ Registry : 23 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir...=ie&ar=msnhome -> Found
[PUM.HomePage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir...=ie&ar=msnhome -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3724710116-182459274-2640236870-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.foxnews.com/ -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3724710116-182459274-2640236870-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.foxnews.com/ -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir...=ie&ar=msnhome -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir...=ie&ar=msnhome -> Found
[PUM.SearchPage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir...ie&ar=iesearch -> Found
[PUM.SearchPage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir...ie&ar=iesearch -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-3724710116-182459274-2640236870-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir...ie&ar=iesearch -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-3724710116-182459274-2640236870-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir...ie&ar=iesearch -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir...ie&ar=iesearch -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir...ie&ar=iesearch -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{65B50A6D-40BE-4DE7-B269-E291ED5CEE13} | NameServer : 5.135.12.56,199.203.35.78 [(Unknown Country?) (XX)][UNITED STATES (US)] -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{65B50A6D-40BE-4DE7-B269-E291ED5CEE13} | NameServer : 5.135.12.56,199.203.35.78 [(Unknown Country?) (XX)][UNITED STATES (US)] -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{65B50A6D-40BE-4DE7-B269-E291ED5CEE13} | NameServer : 5.135.12.56,199.203.35.78 [(Unknown Country?) (XX)][UNITED STATES (US)] -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3724710116-182459274-2640236870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3724710116-182459274-2640236870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ Hosts File : 0 [Too big!] ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤
¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][FIREFX:Config] dng8mxi4.default : user_pref("browser.startup.homepage", "http://www.foxnews.com/"); -> Found
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA DT01ACA100 SATA Disk Device +++++
--- User ---
[MBR] 7225687d4c512851e6f0aabb72cde996
[BSP] 23ee35f1e0de87789ba3e0d73699e74e : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 953767 MB
User = LL1 ... OK
User = LL2 ... OK
Thank you very much!
chessdude
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.08.2.1001
(c) Malwarebytes Corporation 2011-2012
OS version: 6.1.7601 Windows 7 Service Pack 1 x64
Account is Administrative
Internet Explorer version: 11.0.9600.17501
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 3.892000 GHz
Memory total: 7723237376, free: 5033291776
Downloaded database version: v2014.12.17.02
Downloaded database version: v2014.12.14.01
Downloaded database version: v2014.12.06.01
=======================================
Initializing...
------------ Kernel report ------------
12/17/2014 08:22:22
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_AuthenticAMD.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\msahci.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\system32\DRIVERS\amd_sata.sys
\SystemRoot\system32\DRIVERS\storport.sys
\SystemRoot\system32\DRIVERS\amd_xata.sys
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\vmstorfl.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\system32\drivers\ws2ifsl.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\vwififlt.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\??\C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHookDrv64.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\System32\ckldrv.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\atikmpag.sys
\SystemRoot\system32\DRIVERS\atikmdag.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\Rt64win7.sys
\SystemRoot\system32\DRIVERS\rtl8192Ce.sys
\SystemRoot\system32\DRIVERS\vwifibus.sys
\SystemRoot\system32\DRIVERS\amdxhc.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\usbfilter.sys
\SystemRoot\system32\DRIVERS\usbohci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\DRIVERS\amdppm.sys
\SystemRoot\system32\DRIVERS\wmiacpi.sys
\SystemRoot\system32\DRIVERS\CompositeBus.sys
\SystemRoot\system32\DRIVERS\serscan.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\rdpbus.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\amdhub30.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\AtihdW76.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\HdAudio.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_diskdump.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\System32\Drivers\dump_amd_sata.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\system32\DRIVERS\dc3d.sys
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\DRIVERS\vwifimp.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\??\C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\DRIVERS\asyncmac.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa80077e5060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000067\
Lower Device Object: 0xfffffa80076cf9c0
Lower Device Driver Name: \Driver\amd_sata\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa80077e5060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8007ba8900, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa80077e5060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa80076d29d0, DeviceName: Unknown, DriverName: \Driver\amd_xata\
DevicePointer: 0xfffffa80076cf9c0, DeviceName: \Device\00000067\, DriverName: \Driver\amd_sata\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 3C43E0D3
Partition information:
Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 2048 Numsec = 204800
Partition file system is NTFS
Partition is bootable
Partition 1 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 206848 Numsec = 1953314816
Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Disk Size: 1000204886016 bytes
Sector size: 512 bytes
Done!
Scan finished
=======================================
Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-0-2048-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removal finished
Thank you very much!
chessdude
When I reset internet explorer, and have to reset the settings to default, I can go to my home page, and a deal of the day banner shows on the page as well. This is nasty, deeply rooted. It is still doing these things I mentioned before with no change. Have you found anything in the reports that look suspicious to you? Any recurring after cleaning?
Thank you very much!
chessdude
yeah it is and I have not found the entry point yet.This is nasty, deeply rooted
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{65B50A6D-40BE-4DE7-B269-E291ED5CEE13} | NameServer : 5.135.12.56,199.203.35.78 [(Unknown Country?) (XX)][UNITED STATES (US)] -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{65B50A6D-40BE-4DE7-B269-E291ED5CEE13} | NameServer : 5.135.12.56,199.203.35.78 [(Unknown Country?) (XX)][UNITED STATES (US)] -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{65B50A6D-40BE-4DE7-B269-E291ED5CEE13} | NameServer : 5.135.12.56,199.203.35.78 [(Unknown Country?) (XX)][UNITED STATES (US)] -> Found
the DNS-settings look suspicious..shows France and Israel IP's, you could check your DNS settings, or allow "roguekiller" to remove the "PUM.DNS" items that it flagged, which i assume would restore windows default settings for DNS..
if you are using custom settings for DNS and you know that they are what they are suppose to be, then you don't need to worry about that..
to check the DNS settings (in "windows" ), go to "control panel" / "network connections" and check the "properties" for the "connections" that you use for connecting to the internet..
~~~~~~~~
Let's see if doing this will have any impact.
Open notepad. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy.
Paste this into the open notepad. save it to the Desktop as fixlist.txt
NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
It needs to be saved Next to the "Farbar Recovery Scan Tool" (If asked to overwrite existing one please allow)
Open FRST/FRST64 and press the Fix button just once and wait.start
CloseProcesses:
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
end
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.
~~~~~~~~~~~~~~~~`
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
- Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
Vista/Windows 7 users right-click and select Run As Administrator.- If TDSSKiller does not run, try renaming it.
- To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
- Click the Start Scan button.
- Do not use the computer during the scan
- If the scan completes with nothing found, click Close to exit.
- If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
- Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
- A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory usually Local Disk C:.
- Copy and paste the contents of that file in your next reply.
~~~~~~~~~~~~~~~~~~~~~~
What we can do now is run an online scan with Eset, for the time being it is our most trusted scanner.
Most reliable and thorough.
The settings I suggest will show us items located in quarantine folders so don't be alarmed with this, also, in case of a false positive I ask that you not allow it to delete what it does find.
This scanner can take quite a bit of time to run, depending of course how full your computer is.
Go here to run an online scannner from ESET. Windows Vista/Windows 7/Windows 8 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator
- Note:
For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.- Turn off the real time scanner of any existing antivirus program while performing the online scan. Here's how.
- Click the blue Run ESET Online Scanner button
- Tick the box next to YES, I accept the Terms of Use.
- Click Start
- When asked, allow the program to install the "OnlineScanner.cab" activex control by clicking the Install button
- Once the activex control is installed, on the next screen click on Enable detection of potentially unwanted applications
- Click on Advanced Settings
- Make sure that the option Remove found threats is unticked.
- Ensure these options are ticked
- Scan archives
- Scan for potentially unsafe applications
- Enable Anti-Stealth technology
- Click Start
- Wait for the scan to finish
- When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
- Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
- Close the ESET online scan.
*************************************
please post
Fixlog.txt
TDSSKiller log
ESET log
Windows Insider MVP Consumer Security 2009 - 2017
Please do not PM me for Malware help, we all benefit from posting on the open board.
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 17-12-2014
Ran by Welch at 2014-12-17 11:09:10 Run:8
Running from C:\Users\Welch\Desktop
Loaded Profile: Welch (Available profiles: Welch & DefaultAppPool)
Boot Mode: Normal
==============================================
Content of fixlist:
*****************
start
CloseProcesses:
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
end
*****************
Processes closed successfully.
========= ipconfig /flushdns =========
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
========= End of CMD: =========
========= netsh winsock reset all =========
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
========= End of CMD: =========
========= netsh int ipv4 reset =========
Reseting Global, OK!
Reseting Interface, OK!
Restart the computer to complete this action.
========= End of CMD: =========
========= netsh int ipv6 reset =========
Reseting Interface, OK!
Restart the computer to complete this action.
========= End of CMD: =========
EmptyTemp: => Removed 81.8 MB temporary data.
The system needed a reboot.
==== End of Fixlog ====
Thank you very much!
chessdude
Nothing found.
Thank you very much!
chessdude