
Thread: Malware Infection

  1. #11
    Junior Member
    Join Date
    Mar 2013
    Posts
    11


    C:\$RECYCLE.BIN\S-1-5-21-3704117945-1433447086-1109901018-1000\$R0DBQK9.exe Win32/OpenCandy application deleted - quarantined
    C:\Users\Jayne\Documents\Downloads\Setup.exe a variant of Win32/Adware.iBryte.D application cleaned by deleting - quarantined
    C:\Windows\System32\DBBK\0345C2B71520FAE5344695FF84E28B0F a variant of Win32/Adware.iBryte.D application cleaned by deleting - quarantined

  2. #12
    Visiting Fellow
    Join Date
    Mar 2011
    Location
    Canada
    Posts
    142

    Default Malware Infection

    Hello, Rebos.

    Thank you for the logs. These logs appear to be clean. Please work through this next step:


    Very Important!

    Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix and can cause unpredictable results.

    Please open Notepad:
    • Start > Run.
    • Type notepad in the Open field.
    • Click OK.
    • Copy and paste the text inside the code box below:

    Code:
    DDS::
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    • Save this as CFScript.txt to your desktop and change the "Save as type" to All Files.
    • Drag the CFScript.txt into ComboFix.exe as shown in the screenshot below:

    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, ComboFix will produce a log for you. Copy and paste the contents of the log in your next reply.

    WARNING
    • Do not mouse-click ComboFix's window while it is running. This may cause it to stall.
    • Do not attempt to surf the internet while ComboFix is scanning.

    Very Important! Make sure you re-enable your security programs when ComboFix is finished.


    Rebos, to better assess the condition of your system, could you please let me know how it is running now, and if there are any further issues?


    ____ In Training at WTT Classroom ____

  3. #13
    Visiting Fellow
    Join Date
    Mar 2011
    Location
    Canada
    Posts
    142

    Default Malware Infection

    Hello, Rebos.

    Do you still need help with your machine?

  4. #14
    Junior Member
    Join Date
    Mar 2013
    Posts
    11


    System running fine. Can you please explain what this next step will do?


    thanks

  5. #15
    Visiting Fellow
    Join Date
    Mar 2011
    Location
    Canada
    Posts
    142

    Default Malware Infection

    Hello, Rebos.

    Glad your system is running fine.

    This next step will ensure that Google Sidewiki is removed from your system. Google shut down Sidewiki in 2011 due to controversies over abusive comments and defamation of sites and products left by internet users.

    Your log detected the presence of Sidewiki in your system. It is always wise to delete remnants of programs that were not properly removed to avoid build up of system clutter which is often a cause of slowdowns and other system errors.

    Then, to complete cleanup of your system, we would like to walk you through a bit of housekeeping. While working to restore your computer’s functionality, we used several tools: DDS, ComboFix, JRT, and AdwCleaner, all of which produced logs. We would like to ensure that these tools and logs are also properly removed from your system as they are no longer needed.

  6. #16
    Junior Member
    Join Date
    Mar 2013
    Posts
    11


    ComboFix 13-03-10.02 - Jayne 10/03/2013 17:38:59.3.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.3069.1571 [GMT 0:00]
    Running from: c:\users\Jayne\Desktop\ComboFix.exe
    Command switches used :: c:\users\Jayne\Desktop\CFScript.txt
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2013-02-10 to 2013-03-10 )))))))))))))))))))))))))))))))
    .
    .
    2013-03-10 18:09 . 2013-03-10 18:09 -------- d-----w- c:\users\Max\AppData\Local\temp
    2013-03-10 18:09 . 2013-03-10 18:09 -------- d-----w- c:\users\Denis\AppData\Local\temp
    2013-03-10 18:09 . 2013-03-10 18:09 -------- d-----w- c:\users\Default\AppData\Local\temp
    2013-03-09 13:55 . 2013-03-09 13:54 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
    2013-03-06 16:30 . 2013-03-06 16:30 -------- d-----w- c:\users\Jayne\AppData\Roaming\Betting Assistant For Betdaq
    2013-03-06 16:29 . 2013-03-06 16:29 -------- d-----w- c:\program files\Betting Assistant For Betdaq
    2013-03-06 15:53 . 2013-02-28 08:36 368248 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2013-03-06 15:53 . 2013-02-28 08:36 29880 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2013-03-06 15:53 . 2013-02-28 08:36 49832 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2013-03-06 15:53 . 2013-02-28 08:36 765808 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2013-03-06 15:53 . 2013-02-28 08:36 62448 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2013-03-06 15:53 . 2013-02-28 08:36 163784 ----a-w- c:\windows\system32\drivers\aswVmm.sys
    2013-03-06 15:53 . 2013-02-28 08:36 49320 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
    2013-03-06 15:53 . 2013-02-28 08:36 66408 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2013-03-06 15:53 . 2013-02-28 08:35 228600 ----a-w- c:\windows\system32\aswBoot.exe
    2013-03-06 15:52 . 2013-02-28 08:36 41664 ----a-w- c:\windows\avastSS.scr
    2013-03-06 15:52 . 2013-03-06 15:52 -------- d-----w- c:\program files\AVAST Software
    2013-03-06 15:50 . 2013-03-06 15:52 -------- d-----w- c:\programdata\AVAST Software
    2013-03-06 10:56 . 2013-03-06 10:56 -------- d-----w- c:\program files\ESET
    2013-03-06 10:44 . 2013-03-06 10:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2013-03-06 10:44 . 2012-12-14 16:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
    2013-03-06 09:19 . 2013-03-06 09:19 -------- d-----w- c:\windows\ERUNT
    2013-03-06 09:19 . 2013-03-06 09:19 -------- d-----w- C:\JRT
    2013-03-06 08:05 . 2013-03-06 08:05 -------- d-----w- c:\users\Jayne\AppData\Local\Avg2013
    2013-03-05 17:55 . 2013-03-10 18:10 -------- d-----w- c:\users\Jayne\AppData\Local\temp
    2013-03-02 15:37 . 2013-03-06 08:09 -------- d-----w- c:\programdata\MFAData
    2013-03-02 15:37 . 2013-03-02 15:37 -------- d-----w- c:\users\Jayne\AppData\Local\MFAData
    2013-03-02 12:07 . 2013-02-21 18:11 83168 ----a-w- c:\windows\system32\PCloudCleanerService.EXE
    2013-03-02 12:07 . 2013-03-10 18:08 -------- d-----w- c:\windows\system32\DBBK
    2013-03-02 12:07 . 2013-01-04 15:34 9464 ----a-w- c:\windows\system32\drivers\DasBootI.SYS
    2013-03-02 12:07 . 2013-01-04 15:34 9464 ----a-w- c:\windows\system32\drivers\DasBootE.SYS
    2013-03-02 12:07 . 2013-01-04 15:34 59640 ----a-w- c:\windows\system32\drivers\DasBootF.SYS
    2013-03-02 12:07 . 2013-01-04 15:34 31480 ----a-w- c:\windows\system32\drivers\DasPtct.SYS
    2013-03-02 12:07 . 2013-01-04 15:34 28024 ----a-w- c:\windows\system32\drivers\PRSBDRVR.SYS
    2013-03-02 12:07 . 2013-01-04 15:34 27896 ----a-w- c:\windows\system32\drivers\DasBootK.SYS
    2013-03-02 12:07 . 2013-01-04 15:34 237816 ----a-w- c:\windows\system32\drivers\DasBootS.SYS
    2013-03-02 12:07 . 2011-03-11 13:26 3072 ----a-w- c:\windows\system32\drivers\DasBootD.SYS
    2013-03-02 12:07 . 2013-01-04 15:34 21240 ----a-w- c:\windows\system32\drivers\DasBoot.SYS
    2013-03-02 11:55 . 2013-02-08 00:45 6954968 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C5FC1602-3C05-41F4-A487-B85E93356C7D}\mpengine.dll
    2013-03-02 11:51 . 2013-03-02 11:51 -------- d-----w- c:\program files\Panda Security
    2013-02-23 13:05 . 2013-02-23 13:05 -------- d-----w- c:\users\Default\AppData\Local\Trusteer
    2013-02-21 17:51 . 2013-02-21 17:51 -------- d-----w- c:\users\Jayne\AppData\Roaming\Malwarebytes
    2013-02-21 17:50 . 2013-02-21 17:50 -------- d-----w- c:\programdata\Malwarebytes
    2013-02-21 11:40 . 2013-02-21 11:40 -------- d-----w- c:\program files\Trusteer
    2013-02-20 17:10 . 2013-02-20 17:10 -------- d-----w- c:\users\Jayne\AppData\Roaming\f-secure
    2013-02-20 17:09 . 2013-02-20 17:09 -------- d-----w- c:\programdata\F-Secure
    2013-02-16 13:29 . 2013-02-16 13:45 -------- d-----w- c:\users\Jayne\AppData\Roaming\Anvisoft
    2013-02-16 13:28 . 2013-02-16 13:28 -------- d-----w- c:\programdata\Anvisoft
    2013-02-16 13:28 . 2013-02-16 13:45 -------- d-----w- c:\program files\Anvisoft
    2013-02-15 22:31 . 2013-02-15 22:31 186432 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
    2013-02-13 14:02 . 2013-02-13 14:05 -------- d-----w- c:\programdata\Ad-Aware Antivirus
    2013-02-13 14:02 . 2013-02-13 14:02 -------- d-----w- c:\users\Jayne\AppData\Roaming\LavasoftStatistics
    2013-02-13 13:56 . 2013-02-13 13:56 -------- d-----w- c:\programdata\Lavasoft
    2013-02-13 13:56 . 2013-02-13 16:53 -------- d-----w- c:\program files\Ad-Aware Antivirus
    2013-02-13 13:55 . 2013-02-13 13:55 -------- d-----w- c:\programdata\Ad-Aware Browsing Protection
    2013-02-13 13:55 . 2013-02-13 13:55 -------- d-----w- c:\program files\Toolbar Cleaner
    2013-02-13 13:54 . 2013-02-13 14:05 -------- d-----w- c:\users\Jayne\AppData\Roaming\Ad-Aware Antivirus
    2013-02-13 09:19 . 2013-02-13 09:19 102008 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-03-09 13:54 . 2012-08-23 09:19 861088 ----a-w- c:\windows\system32\npDeployJava1.dll
    2013-03-09 13:54 . 2010-05-29 08:23 782240 ----a-w- c:\windows\system32\deployJava1.dll
    2013-03-02 13:22 . 2012-07-28 09:05 691568 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2013-03-02 13:22 . 2011-05-20 08:15 71024 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2013-01-17 01:28 . 2009-10-04 07:28 232336 ------w- c:\windows\system32\MpSigStub.exe
    2013-01-07 09:58 . 2013-01-07 09:58 784144 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2013-02-28 08:35 121968 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2012-11-13 23:32 129272 ----a-w- c:\users\Jayne\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2012-11-13 23:32 129272 ----a-w- c:\users\Jayne\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2012-11-13 23:32 129272 ----a-w- c:\users\Jayne\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
    @="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
    [HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
    2007-04-16 22:13 721408 ----a-w- c:\program files\Fingerprint Reader Suite\farchns.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
    @="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
    [HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
    2007-04-16 22:13 721408 ----a-w- c:\program files\Fingerprint Reader Suite\farchns.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Eye-Fi"="c:\program files\Windows Photo Gallery\Helper\EyeFiHelper.exe" [2011-12-21 3961464]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2008-03-04 36864]
    "SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-12-03 405504]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-02-28 4767304]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
    .
    c:\users\Max\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
    .
    c:\users\Jayne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
    Dropbox.lnk - c:\users\Jayne\AppData\Roaming\Dropbox\bin\Dropbox.exe [2013-1-20 28539272]
    .
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    "DisableCAD"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
    2008-12-18 13:08 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
    2007-04-16 22:04 86528 ----a-w- c:\windows\System32\psqlpwd.dll
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli psqlpwd
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk
    backup=c:\windows\pss\QuickSet.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKLM\~\startupfolder\C:^Users^Denis^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dell Dock.lnk]
    path=c:\users\Denis\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
    backup=c:\windows\pss\Dell Dock.lnk.Startup
    backupExtension=.Startup
    .
    [HKLM\~\startupfolder\C:^Users^Denis^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Monitor Ink Alerts - HP Photosmart 5510 series (Network).lnk]
    path=c:\users\Denis\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Photosmart 5510 series (Network).lnk
    backup=c:\windows\pss\Monitor Ink Alerts - HP Photosmart 5510 series (Network).lnk.Startup
    backupExtension=.Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2012-12-03 07:35 946352 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
    2008-01-25 05:42 167936 ----a-w- c:\program files\DellTPad\Apoint.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2011-11-02 07:51 59240 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
    2011-11-01 23:25 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
    2008-07-03 12:29 3563520 ----a-w- c:\windows\System32\WLTRAY.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter]
    2008-10-04 12:58 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
    2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2010-10-17 14:19 136176 ----atw- c:\users\Denis\AppData\Local\Google\Update\GoogleUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2011-05-10 02:41 49208 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
    2007-03-21 12:00 174872 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2012-01-16 17:22 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2012-03-08 17:50 4280184 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2009-06-16 09:27 13793824 ----a-w- c:\windows\System32\nvcpl.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
    2009-06-16 09:27 92704 ----a-w- c:\windows\System32\nvhotkey.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OEM02Mon.exe]
    2008-03-04 05:05 36864 ----a-w- c:\windows\OEM02Mon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
    2007-12-21 09:58 184320 ----a-w- c:\program files\Dell\MediaDirect\PCMService.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSQLLauncher]
    2007-04-16 21:50 49168 ----a-w- c:\program files\Fingerprint Reader Suite\launcher.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2011-07-05 17:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
    2007-12-03 04:28 405504 ----a-w- c:\program files\Sigmatel\C-Major Audio\WDM\sttray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2012-07-03 08:04 252848 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
    2008-01-21 02:25 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WPCUMI]
    2006-11-02 12:35 176128 ----a-w- c:\windows\System32\wpcumi.exe
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Google Update"="c:\users\Jayne\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    "doubleTwist"=c:\program files\doubleTwist 2.0\DoubleTwist.DeviceHelper.exe
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
    .
    S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - RAPPORTIASO
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
    2013-03-06 15:40 1630672 ----a-w- c:\program files\Google\Chrome\Application\25.0.1364.152\Installer\chrmstp.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-03-10 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-28 13:22]
    .
    2013-03-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 19:59]
    .
    2013-03-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 19:59]
    .
    2013-03-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3704117945-1433447086-1109901018-1001Core.job
    - c:\users\Max\AppData\Local\Google\Update\GoogleUpdate.exe [2010-07-24 13:14]
    .
    2013-03-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3704117945-1433447086-1109901018-1001UA.job
    - c:\users\Max\AppData\Local\Google\Update\GoogleUpdate.exe [2010-07-24 13:14]
    .
    2013-03-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3704117945-1433447086-1109901018-1002Core.job
    - c:\users\Denis\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-22 14:19]
    .
    2013-03-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3704117945-1433447086-1109901018-1002UA.job
    - c:\users\Denis\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-22 14:19]
    .
    2013-03-10 c:\windows\Tasks\HP Photo Creations Messager.job
    - c:\programdata\HP Photo Creations\MessageCheck.exe [2011-02-15 10:11]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    LSP: c:\windows\system32\wpclsp.dll
    TCP: DhcpNameServer = 192.168.1.1 0.0.0.0
    .
    - - - - ORPHANS REMOVED - - - -
    .
    AddRemove-Hardware Helper_is1 - c:\program files\Driver-Soft\HardwareHelper\unins000.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2013-03-10 18:10
    Windows 6.0.6001 Service Pack 1 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(860)
    c:\windows\system32\psqlpwd.dll
    c:\program files\Fingerprint Reader Suite\homefus2.dll
    c:\program files\Fingerprint Reader Suite\infra.dll
    .
    - - - - - - - > 'Explorer.exe'(3136)
    c:\users\Jayne\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
    c:\program files\Fingerprint Reader Suite\farchns.dll
    c:\program files\Fingerprint Reader Suite\infra.dll
    .
    Completion time: 2013-03-10 18:13:12
    ComboFix-quarantined-files.txt 2013-03-10 18:12
    ComboFix2.txt 2013-03-05 17:55
    .
    Pre-Run: 3,435,749,376 bytes free
    Post-Run: 3,551,739,904 bytes free
    .
    - - End Of File - - F8EC6BE5DD21E9DE69108F4378B3BD59


    Here we
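A small parser for the ComboFix report format seen above, added here as an example; it is not part of the thread and not ComboFix's or the helper's own tooling. It reads the "Files Created" lines, the Run and Run- autostart values under "Reg Loading Points" (Run- keys are where msconfig parks disabled startup items), and the IE context-menu entries, then flags paths the thread has already marked as worth a second look: the system32\DBBK folder ESET quarantined adware from in post #11 and the C:\JRT tool folder the helper later asks to delete. SAMPLE_LOG is a constructed excerpt built from lines of the posted log, not a complete report.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constructed sample: a few lines in the shape of the ComboFix log posted above,
# one or two per section of interest; not a complete report.
SAMPLE_LOG = r"""ComboFix 13-03-10.02 - Jayne 10/03/2013 17:38:59.3.2 - x86
.
((((((((((((((((((((((((( Files Created from 2013-02-10 to 2013-03-10 )))))))))))))))))))))))))))))))
.
2013-03-09 13:55 . 2013-03-09 13:54 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-03-06 09:19 . 2013-03-06 09:19 -------- d-----w- C:\JRT
2013-03-02 12:07 . 2013-03-10 18:08 -------- d-----w- c:\windows\system32\DBBK
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-09 13:54 . 2012-08-23 09:19 861088 ----a-w- c:\windows\system32\npDeployJava1.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-02-28 4767304]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Google Update"="c:\users\Jayne\AppData\Local\Google\Update\GoogleUpdate.exe" /c
.
------- Supplementary Scan -------
.
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
"""


@dataclass
class FileEntry:
    created: str
    modified: str
    size: Optional[int]  # None for directories, which ComboFix lists as "--------"
    attrs: str
    path: str


@dataclass
class RunEntry:
    key: str
    name: str
    image: str
    disabled: bool  # True for values under a "Run-" key (msconfig-disabled items)


FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(-+|\d+) (\S{8}) (.+)$"
)
RUN_RE = re.compile(r'^"([^"]+)"=(.+?)(?:\s+\[\d{4}-\d{2}-\d{2} \d+\])?$')
IE_RE = re.compile(r"^IE: (.+?) - (.+)$")


def _sections(log: str) -> Iterator[Tuple[str, str]]:
    """Yield (section name, stripped line); ComboFix marks sections with ((( ... ))) banners."""
    current = ""
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("((("):
            current = line.strip("() ")
        else:
            yield current, line


def parse_files_created(log: str) -> List[FileEntry]:
    """Entries from the 'Files Created' section only; Find3M lines share the layout but are skipped."""
    out = []
    for section, line in _sections(log):
        m = FILE_RE.match(line)
        if section.startswith("Files Created") and m:
            size = None if m.group(3).startswith("-") else int(m.group(3))
            out.append(FileEntry(m.group(1), m.group(2), size, m.group(4), m.group(5)))
    return out


def _image_path(value: str) -> str:
    # A value is either "quoted path" (optionally followed by args or a [date size] tag) or a bare path.
    if value.startswith('"'):
        return value[1:value.index('"', 1)]
    return value


def parse_run_entries(log: str) -> List[RunEntry]:
    """Autostart values under Run and Run- keys listed in 'Reg Loading Points'."""
    out, key = [], ""
    for _, line in _sections(log):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        lowered = key.lower()
        if not (lowered.endswith("\\run") or lowered.endswith("\\run-")):
            continue
        m = RUN_RE.match(line)
        if m:
            out.append(RunEntry(key, m.group(1), _image_path(m.group(2)), lowered.endswith("-")))
    return out


def ie_context_entries(log: str) -> List[Tuple[str, str]]:
    """(menu text, handler) pairs for the IE: lines in the supplementary scan."""
    return [(m.group(1), m.group(2)) for _, line in _sections(log) for m in [IE_RE.match(line)] if m]


def sidewiki_present(log: str) -> bool:
    """The thread's CFScript targeted this entry; confirm whether the report still lists it."""
    return any("sidewiki" in (name + handler).lower() for name, handler in ie_context_entries(log))


# Watch list drawn from the thread: ESET quarantined an adware file under system32\DBBK,
# and C:\JRT is a cleanup-tool folder the helper asks to remove afterwards.
WATCH_PATHS = (r"c:\windows\system32\dbbk", r"c:\jrt")


def flag_paths(log: str, watch: Tuple[str, ...] = WATCH_PATHS) -> List[FileEntry]:
    """Created files/directories whose path starts with a watched prefix (case-insensitive)."""
    return [e for e in parse_files_created(log) if e.path.lower().startswith(tuple(watch))]


if __name__ == "__main__":
    for e in flag_paths(SAMPLE_LOG):
        print("review:", e.created, e.path)
    for r in parse_run_entries(SAMPLE_LOG):
        print("autostart:", "disabled" if r.disabled else "active", r.name, "->", r.image)
    print("Sidewiki context-menu entry present:", sidewiki_present(SAMPLE_LOG))
```

Run against the full log pasted above, the same functions show why the helper's next reply says Sidewiki is still present: the IE: line survives the CFScript, while the Files Created section still lists the tool folders that the later housekeeping step removes.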

  7. #17
    Visiting Fellow
    Join Date
    Mar 2011
    Location
    Canada
    Posts
    142

    Default Malware Infection

    Hello, Rebos.

    Thank you for submitting the ComboFix log. It appears that Google Sidewiki is still present. Let's try this:

    • Remove your Google Toolbar completely. This will delete Sidewiki as it is an add-on.
    • Then, if you choose, you can reinstall Google Toolbar. Sidewiki should no longer be present since Google removed it from its add-on list.

    Please let me know if this has solved this issue, and we will move forward with our housekeeping.


    ____ In Training at WTT Classroom ____

  8. #18
    Visiting Fellow
    Join Date
    Mar 2011
    Location
    Canada
    Posts
    142

    Default Malware Infection

    Are you still with me, Rebos?

  9. #19
    Junior Member
    Join Date
    Mar 2013
    Posts
    11


    Very much so, sorry, work got in the way.

    I have deleted Chrome and reinstalled it.


  10. #20
    Visiting Fellow
    Join Date
    Mar 2011
    Location
    Canada
    Posts
    142

    Default Malware Infection

    Hello, Rebos.

    Thank you for getting back to me.

    I am understanding that Sidewiki is no longer on your system, correct? If so, let's go ahead with our cleanup.

    Please work through the following steps to ensure that unnecessary programs and files have been removed and your system is up-to-date.

    Please uninstall Combofix.
    • Click Start > In the Search field, enter combofix /uninstall. Please note that there is a space between combofix and /uninstall.
    • Click Enter. The Open File security warning will appear asking if you are sure you want to run ComboFix. Please click the Run button to start the program. This will uninstall Combofix and anything associated with it.
    • When ComboFix has finished uninstalling, delete the ComboFix.exe program from your computer.

    Tool Removal

    You no longer need the following tools. Please delete these and any logs from your machine: DDS, JRT, and AdwCleaner. You can keep Malwarebytes for future use if you choose.

    If you wish to uninstall ESET Online Scanner, please do the following:

    • Click Start and select Control Panel.
    • Click the Uninstall a Program option found under the Programs category.
    • Select the ESET Online Scanner.
    • Click Remove.
    • A restart may be required to complete uninstallation.

    Clean Up Temp Files

    Please download TFC by OldTimer to your desktop.
    • Close any open windows.
    • Double click the TFC icon to run the program.
    • TFC will close all open programs itself in order to run.
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish.
    • Once complete, it should automatically reboot your machine.
    • If your computer does not automatically reboot, manually reboot to ensure a complete clean.

    Update Java

    To improve your software's performance or stability, please remove any older versions of Java and update to the latest version.
    • Download JavaRa to your desktop HERE and unzip it to its own folder.
    • Run JavaRa.exe, choose the language of your choice, and click Select.
    • Click Remove Older Versions.
    • Accept any prompts.
    • Open JavaRa.exe again and select Search For Updates.
    • Select Update Using Sun Java's Website then click Search
    • Click on the Open Webpage button, and download and install the latest Java Runtime Environment (JRE) version for your computer.

    Update Internet Explorer

    Download the latest version of Internet Explorer HERE.

    Turn On Automatic Updates

    To turn on Automatic Updates:
    • Click Start > Control Panel > Automatic Updates. The Automatic Updates window will open.
    • Click Automatic (recommended) and select a day and time for the updates to be installed.

    Note: Your computer must be turned on at the scheduled time for updates to be installed. However, Windows recognizes when you are online and uses your internet connection to find updates that apply to your computer, and notifies you when the updates are downloaded. You can install the updates as soon as they are finished downloading.

    Adobe Updates

    Adobe Reader

    To improve the functionality and security of your software, please update Adobe Reader HERE. Updates safeguard your system against malicious attacks through PDF files.

    Adobe Flash

    To improve the functionality and security of your software, please update Adobe Flash HERE.

    Update Anti-Virus Software

    New variants of malware are increasing daily making your computer very susceptible to attacks without updated protection. Check for any updates to your AVAST antivirus software.

    Recommended Reading

    To maintain a clean and healthy system, please take the time to read through the following informative articles:

    The Dangers of P2P File Sharing HERE
    How to Prevent Malware by Miekiemoes HERE
    So How Did I Get Infected In the First Place? By Tony Klein HERE
    Simple and easy ways to keep your computer safe and secure on the Internet by Lawrence Abrams HERE
    Help! My computer is Slow – How to improve system performance after malware removal by Miekiemoes HERE
    Create Strong Passwords by Microsoft HERE
    PC Safety and Security – What do I need to do? by Glaswegian HERE

    Rebos, if you have no further issues, please take a moment to respond to this thread one last time so that I can mark it resolved.


    ____ In Training at WTT Classroom ____
