
HELP ME PLEASE! My computer has a virus in the Task Scheduler, how do I get rid of it?


mdv_1999


I'm having issues with a popup window that covers the entire screen every time I start up the computer. It states that it's from the FBI and that I'm in some sort of violation of the law because of piracy, copyright issues... something of that nature. It states that I need to pay a fine of $200.00 with a Green Dot MoneyPak card or else further consequences will ensue. I'm unable to access the desktop, taskbar, or Start menu when this screen is up. I was able to access regedit through Safe Mode with Command Prompt and I disabled the Task Scheduler. This is a temporary fix for now, but I downloaded Autoruns and need assistance removing this virus/malware along with any unnecessary and unwanted programs that start up when I log in to the computer. Attached is a screenshot of Autoruns on the Everything tab.

I also ran Malwarebytes while I was in Safe Mode with Command Prompt. Log posted below:

Malwarebytes Anti-Malware 1.65.0.1400

www.malwarebytes.org

Database version: v2012.09.14.07

Windows 7 x86 NTFS (Safe Mode/Networking)

Internet Explorer 9.0.8112.16421

Sleep :: SLEEP-PC [administrator]

9/14/2012 8:03:58 PM

mbam-log-2012-09-14 (20-03-58).txt

Scan type: Full scan (C:\|D:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 351936

Time elapsed: 31 minute(s), 41 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 2

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegistryTools (PUM.Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

[Attachment: post-114813-0-50707700-1347690027.jpg, screenshot of the Autoruns "Everything" tab]


Welcome! I am TheDarkKnight and will be assisting you. Please ask questions if anything is unclear. :)

Please try this if you can. You will need to use Safe Mode.

Please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix (CF).

Please go here to see a list of programs that need to be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.**

**Note 2: If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.**

Please include the C:\ComboFix.txt in your next reply for further review.


By the way, just to give you some background on recent issues: besides this new FBI MoneyPak virus, within the past two months I've also had the Internet Security virus and the Security Shield virus, and at one point had a constant redirect issue. I believe that since the first virus a piece of malicious software has attached itself to the PC over time, so I wanted to completely clear my PC of all issues without having to reset it. I've also had a Trojan.Dropper.BCMiner, Trojan.Sirefef, and Rootkit.0Access that once plagued this computer within the same 2 months. Please help clear it of all current issues, and any attachments to the PC that can have effects down the line.

  • ComboFix log

ComboFix 12-09-14.03 - Sleep 09/15/2012 10:07:12.6.2 - x86 NETWORK

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2013.1610 [GMT -4:00]

Running from: c:\users\Sleep\Downloads\ComboFix.exe

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

ADS - Windows: deleted 192 bytes in 1 streams.

.

((((((((((((((((((((((((( Files Created from 2012-08-15 to 2012-09-15 )))))))))))))))))))))))))))))))

.

.

2012-09-15 14:11 . 2012-09-15 14:11 -------- d-----w- c:\users\TEMP\AppData\Local\temp

2012-09-15 14:11 . 2012-09-15 14:11 -------- d-----w- c:\users\Public\AppData\Local\temp

2012-09-15 14:11 . 2012-09-15 14:11 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-09-15 14:11 . 2012-09-15 14:11 -------- d-----w- c:\users\Administrator\AppData\Local\temp

2012-09-14 23:52 . 2012-09-14 23:52 -------- d-----w- c:\users\Sleep\AppData\Roaming\Task Scheduler

2012-09-06 15:12 . 2012-09-15 14:11 -------- d-----w- c:\users\Sleep\AppData\Local\temp

2012-09-02 21:26 . 2012-09-02 21:26 -------- d-----w- c:\users\Sleep\AppData\Roaming\Nitro PDF

2012-09-02 21:18 . 2012-07-16 09:13 27144 ----a-w- c:\windows\system32\nitrolocalmon2.dll

2012-09-02 21:18 . 2012-07-16 09:13 18440 ----a-w- c:\windows\system32\nitrolocalui2.dll

2012-09-02 21:17 . 2012-09-02 21:17 -------- d-----w- c:\programdata\Nitro PDF

2012-09-02 21:17 . 2012-09-02 21:17 -------- d-----w- c:\program files\Nitro PDF

2012-09-02 21:17 . 2012-09-02 21:17 -------- d-----w- c:\program files\Common Files\Nitro PDF

2012-09-02 21:17 . 2012-09-02 21:17 -------- d-----w- c:\users\Sleep\AppData\Roaming\Downloaded Installations

2012-08-30 01:15 . 2012-08-30 01:15 -------- d-----w- c:\users\Sleep\AppData\Roaming\.mono

2012-08-30 01:15 . 2012-08-30 01:15 -------- d-----w- c:\programdata\.mono

2012-08-29 19:09 . 2000-12-06 02:00 109248 ----a-w- c:\windows\system32\MSWINSCK.OCX

2012-08-29 19:09 . 1999-06-03 12:51 381712 ----a-w- c:\windows\system32\MSWLESS.OCX

2012-08-29 19:09 . 1998-06-18 05:00 89360 ----a-w- c:\windows\system32\VB5DB.DLL

2012-08-29 19:09 . 1997-07-19 17:55 1347344 ----a-w- c:\windows\system32\MSVBVM50.DLL

2012-08-29 19:09 . 2000-05-22 02:00 115920 ----a-w- c:\windows\system32\MSINET.OCX

2012-08-29 19:09 . 1998-06-24 02:00 137000 ----a-w- c:\windows\system32\MSMAPI32.OCX

2012-08-22 15:35 . 2012-08-22 17:30 -------- d-----w- c:\programdata\HitmanPro

2012-08-22 10:31 . 2012-08-22 10:31 -------- d-----w- c:\users\Sleep\AppData\Local\{88B67A84-EC44-11E1-8270-B8AC6F996F26}

2012-08-19 07:01 . 2012-08-19 07:01 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help

2012-08-18 11:38 . 2012-08-18 11:38 -------- d-----w- c:\users\Sleep\AppData\Local\IsolatedStorage

2012-08-18 11:38 . 2012-08-18 11:38 -------- d-----w- c:\users\Sleep\AppData\Local\C3C_Software

2012-08-18 11:23 . 2012-09-15 06:11 -------- d-----w- c:\program files\Final Impression

2012-08-17 15:21 . 2012-08-18 19:18 -------- d-----w- c:\users\Sleep\AppData\Roaming\FileZilla

2012-08-17 09:51 . 1999-05-15 04:24 97280 ----a-w- c:\windows\system32\vspell32.ocx

2012-08-17 09:51 . 1998-12-18 18:17 164112 ----a-w- c:\windows\system32\temp.005

2012-08-17 09:51 . 1998-12-18 17:27 598288 ----a-w- c:\windows\system32\temp.004

2012-08-17 09:51 . 1998-09-25 04:00 1409024 ----a-w- c:\windows\system32\temp.003

2012-08-17 09:51 . 1998-05-26 21:22 402481 ----a-w- c:\windows\system32\temp.006

2012-08-17 09:51 . 1998-05-07 04:00 174352 ----a-w- c:\windows\system32\temp.007

2012-08-17 09:51 . 1999-07-04 19:55 266293 ----a-w- c:\windows\system32\temp.001

2012-08-17 09:51 . 1998-12-18 17:27 147728 ----a-w- c:\windows\system32\temp.000

2012-08-17 09:51 . 1998-12-18 17:27 17920 ----a-w- c:\windows\system32\temp.002

2012-08-16 18:50 . 2012-08-16 19:20 -------- d-----w- C:\Output

2012-08-16 18:24 . 2012-08-16 18:24 -------- d-----w- c:\users\Sleep\AppData\Roaming\Softplicity

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-09-07 21:04 . 2012-04-05 23:14 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-08-22 16:59 . 2009-07-13 23:11 259072 ----a-w- c:\windows\system32\services.exe

2012-08-22 10:32 . 2012-04-05 03:36 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-08-22 10:32 . 2011-06-10 13:05 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-08-01 18:13 . 2012-08-01 18:13 35560 ----a-w- c:\windows\system32\drivers\hssdrv6.sys

2012-08-01 18:13 . 2012-08-01 18:13 33512 ----a-w- c:\windows\system32\drivers\taphss.sys

2012-07-18 17:10 . 2012-08-15 04:15 2344448 ----a-w- c:\windows\system32\win32k.sys

2012-07-16 09:14 . 2012-07-16 09:14 69640 ----a-w- c:\windows\system32\NLSSRV32.EXE

2012-07-04 21:23 . 2012-08-15 04:15 41472 ----a-w- c:\windows\system32\browcli.dll

2012-07-04 21:23 . 2012-08-15 04:15 102912 ----a-w- c:\windows\system32\browser.dll

2012-06-29 00:16 . 2012-08-15 07:01 1800704 ----a-w- c:\windows\system32\jscript9.dll

2012-06-29 00:09 . 2012-08-15 07:01 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-06-29 00:08 . 2012-08-15 07:01 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-06-29 00:04 . 2012-08-15 07:01 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-06-29 00:00 . 2012-08-15 07:01 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-07-14 00:17 . 2012-08-12 15:56 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2012-09-02_02.30.09 )))))))))))))))))))))))))))))))))))))))))

.

+ 2012-09-02 21:18 . 2012-09-02 21:18 59904 c:\windows\winsxs\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.21022.8_none_b81d038aaf540e86\mfcm90u.dll

+ 2012-09-02 21:18 . 2012-09-02 21:18 59904 c:\windows\winsxs\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.21022.8_none_b81d038aaf540e86\mfcm90.dll

+ 2010-01-28 23:43 . 2012-09-15 06:03 51564 c:\windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin

+ 2009-07-14 04:55 . 2012-09-15 06:03 46932 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin

+ 2010-12-20 02:42 . 2012-09-15 06:03 16558 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2679692679-3140905069-1768065139-1000_UserData.bin

+ 2012-09-02 21:18 . 2012-07-16 09:13 79368 c:\windows\System32\spool\drivers\w32x86\NitroUI2.dll

+ 2012-09-02 21:18 . 2012-07-16 09:13 43016 c:\windows\System32\spool\drivers\w32x86\NitroGraphics2.dll

+ 2012-09-02 21:18 . 2012-07-16 09:13 79368 c:\windows\System32\spool\drivers\w32x86\3\NitroUI2.dll

+ 2012-09-02 21:18 . 2012-07-16 09:13 43016 c:\windows\System32\spool\drivers\w32x86\3\NitroGraphics2.dll

+ 2011-02-20 03:03 . 2011-02-20 03:03 81744 c:\windows\System32\mfcm100u.dll

+ 2011-02-20 03:03 . 2011-02-20 03:03 81744 c:\windows\System32\mfcm100.dll

+ 2009-07-14 04:34 . 2012-09-05 15:57 80352 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat

- 2009-07-14 04:34 . 2012-09-01 15:38 80352 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat

+ 2011-01-29 13:01 . 2012-09-15 00:48 2782 c:\windows\System32\wdi\ERCQueuedResolutions.dat

- 2012-09-01 17:13 . 2012-09-01 17:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

+ 2012-09-15 13:58 . 2012-09-15 13:58 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

- 2012-09-01 17:13 . 2012-09-01 17:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

+ 2012-09-15 13:58 . 2012-09-15 13:58 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

+ 2010-12-20 16:15 . 2012-09-15 13:47 278054 c:\windows\System32\wdi\SuspendPerformanceDiagnostics_SystemData_FastS4.bin

- 2009-07-14 02:05 . 2012-09-01 17:17 707406 c:\windows\System32\perfh009.dat

+ 2009-07-14 02:05 . 2012-09-15 14:02 707406 c:\windows\System32\perfh009.dat

- 2009-07-14 02:05 . 2012-09-01 17:17 139148 c:\windows\System32\perfc009.dat

+ 2009-07-14 02:05 . 2012-09-15 14:02 139148 c:\windows\System32\perfc009.dat

+ 2011-02-19 04:40 . 2011-02-19 04:40 773968 c:\windows\System32\msvcr100.dll

+ 2011-02-20 03:03 . 2011-02-20 03:03 421200 c:\windows\System32\msvcp100.dll

+ 2012-09-03 23:11 . 2012-09-03 23:11 448984 c:\windows\System32\FNTCACHE.DAT

- 2010-12-18 06:02 . 2012-09-02 00:29 671744 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

+ 2010-12-18 06:02 . 2012-09-15 06:01 671744 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

+ 2011-02-20 03:03 . 2011-02-20 03:03 138056 c:\windows\System32\atl100.dll

+ 2012-09-03 23:10 . 2012-09-15 13:57 418368 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat

+ 2012-09-06 14:19 . 2012-09-06 14:19 536448 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2679692679-3140905069-1768065139-500-12288.dat

+ 2012-09-02 21:18 . 2012-09-02 21:18 1162744 c:\windows\winsxs\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.21022.8_none_b81d038aaf540e86\mfc90u.dll

+ 2012-09-02 21:18 . 2012-09-02 21:18 1156600 c:\windows\winsxs\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.21022.8_none_b81d038aaf540e86\mfc90.dll

+ 2009-07-14 02:03 . 2012-09-14 20:27 7340032 c:\windows\System32\SMI\Store\Machine\schema.dat

- 2009-07-14 02:03 . 2012-09-01 18:47 7340032 c:\windows\System32\SMI\Store\Machine\schema.dat

+ 2011-02-20 03:03 . 2011-02-20 03:03 4422992 c:\windows\System32\mfc100u.dll

+ 2011-02-20 03:03 . 2011-02-20 03:03 4397384 c:\windows\System32\mfc100.dll

- 2012-08-07 17:05 . 2012-09-02 00:29 2097152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

+ 2012-08-07 17:05 . 2012-09-15 06:01 2097152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

+ 2009-07-14 04:34 . 2012-09-03 23:13 3802522 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat

- 2009-07-14 04:34 . 2012-08-30 04:14 3802522 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat

+ 2012-09-03 23:10 . 2012-09-15 13:57 1418108 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2679692679-3140905069-1768065139-1000-12288.dat

+ 2011-01-15 13:46 . 2011-01-15 13:46 2049536 c:\windows\Installer\8125b.msi

- 2009-07-14 04:41 . 2012-09-02 00:29 16187392 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

+ 2009-07-14 04:41 . 2012-09-15 06:01 16187392 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

+ 2012-09-03 23:10 . 2012-09-15 13:57 17736412 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2679692679-3140905069-1768065139-1000-8192.dat

+ 2011-05-25 07:03 . 2012-09-02 21:18 159811342 c:\windows\winsxs\ManifestCache\a786a517e28d5687_blobs.bin

+ 2012-09-02 21:17 . 2012-09-02 21:17 175508480 c:\windows\Installer\6069abb.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-05-26 1159168]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 136216]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 171032]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-07 421776]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-07-16 307768]

.

c:\users\Sleep\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

HUD 3.6.0.lnk - c:\program files\Fonality\HUD3.6\HUD3.exe [2011-6-7 315392]

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk

backup=c:\windows\pss\QuickBooks Update Agent.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKLM\~\startupfolder\C:^Users^Sleep^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Task Scheduler.lnk]

path=c:\users\Sleep\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Task Scheduler.lnk

backup=c:\windows\pss\Task Scheduler.lnk.Startup

backupExtension=.Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]

2008-07-10 04:05 46368 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

2009-07-26 22:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]

2008-07-10 04:07 29984 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPort11reminder]

2007-08-31 14:01 328992 ----a-w- c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Task Scheduler]

2012-09-14 23:52 129024 ----a-w- c:\users\Sleep\AppData\Roaming\Task Scheduler\Task Scheduler.exe

.

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [x]

R0 TFSysMon;TFSysMon;c:\windows\system32\drivers\TfSysMon.sys [x]

R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]

R2 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [x]

R2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [x]

R2 hshld;Hotspot Shield Service;c:\program files\Hotspot Shield\bin\openvpnas.exe [x]

R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe [x]

R2 NitroDriverReadSpool2;NitroPDFDriverCreatorReadSpool2;c:\program files\Nitro PDF\Professional 7\NitroPDFDriverService2.exe [x]

R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\NLSSRV32.EXE [x]

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]

R3 BrSerIb;Brother MFC Serial Interface Driver(WDM);c:\windows\system32\DRIVERS\BrSerIb.sys [x]

R3 BrUsbSIb;Brother MFC Serial USB Driver(WDM);c:\windows\system32\DRIVERS\BrUsbSIb.sys [x]

R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]

R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

S0 nlem32nt;nlem32nt; [x]

S1 HssDRV6;Hotspot Shield Routing Driver 6;c:\windows\system32\DRIVERS\hssdrv6.sys [x]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]

S3 VIACRX86;VIACRX86;c:\windows\system32\DRIVERS\viacr.sys [x]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

pinetmgr

sscdbus

NWSLP

procexp90

WacomVKHid

usb_rndisx

lhidusb

winpowerrmi

TSHWMDTCP

w200mdfl

radclock

cebdaldr

dm1service

fasttrackinstallerservice

se27unic

ups

ma_cmidi_installerservice

tosrfsnd

GoToAssist

.

Contents of the 'Scheduled Tasks' folder

.

2012-09-15 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 10:32]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mWindow Title =

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

Trusted Zone: cch.com

Trusted Zone: cchsfs.com

Trusted Zone: refund-advantage.com\www

Trusted Zone: taxwise.com

TCP: DhcpNameServer = 192.168.2.1

FF - ProfilePath - c:\users\Sleep\AppData\Roaming\Mozilla\Firefox\Profiles\zhni10w2.default\

FF - prefs.js: network.proxy.type - 0

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,43,54,b3,07,38,b7,c2,43,97,80,7b,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,43,54,b3,07,38,b7,c2,43,97,80,7b,\

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2012-09-15 10:12:51

ComboFix-quarantined-files.txt 2012-09-15 14:12

ComboFix2.txt 2012-09-06 15:17

ComboFix3.txt 2012-09-02 02:34

.

Pre-Run: 264,010,174,464 bytes free

Post-Run: 264,409,018,368 bytes free

.

- - End Of File - - 313C81CB0987CC311A96A8CD8F675E8D

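The "Reg Loading Points" section of the ComboFix log above is where the lock screen's persistence shows up: a Startup-folder shortcut named Task Scheduler.lnk and an msconfig startupreg entry for c:\users\Sleep\AppData\Roaming\Task Scheduler\Task Scheduler.exe, dated 2012-09-14, the day the lock screen appeared. Both are listed under msconfig's backup keys (HKLM\~\startupfolder and shared tools\msconfig\startupreg), which means they were unticked in msconfig rather than deleted: the executable is still on disk and one click re-enables it. The Python script below is an added example, not part of this thread and not a ComboFix feature. It parses lines in this format and applies the checks a helper applies by eye: launched from a user-writable AppData path, file date close to the incident date, parked under msconfig instead of removed, and a name borrowed from a Windows component. The sample log, the incident date, the 7-day window and the lookalike-name list are constructed for the example.

```python
"""Triage of ComboFix 'Reg Loading Points' output (added example, not a ComboFix feature)."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Constructed sample: a few lines in the shape of the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 136216]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-07 421776]
c:\users\Sleep\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
HUD 3.6.0.lnk - c:\program files\Fonality\HUD3.6\HUD3.exe [2011-6-7 315392]
[HKLM\~\startupfolder\C:^Users^Sleep^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Task Scheduler.lnk]
path=c:\users\Sleep\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Task Scheduler.lnk
backup=c:\windows\pss\Task Scheduler.lnk.Startup
backupExtension=.Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Task Scheduler]
2012-09-14 23:52 129024 ----a-w- c:\users\Sleep\AppData\Roaming\Task Scheduler\Task Scheduler.exe
"""

# Day the lock screen first appeared, taken from the thread (assumption for the example).
INCIDENT = datetime(2012, 9, 14)

# Names of Windows components that malware likes to borrow. Assumption: a short list suffices here.
WINDOWS_LOOKALIKE_NAMES = ("task scheduler", "svchost", "explorer", "winlogon", "csrss")

# A drive-letter path, ending at a closing quote, a "[date size]" block, or end of line.
PATH_RE = re.compile(r'([a-z]:\\[^"\[\]]+?)\s*(?=["\[]|$)', re.I)
# Anything under C:\Users\<name>\AppData\ is writable without admin rights.
USER_PROFILE_RE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
STAMP_BRACKET_RE = re.compile(r"\[(\d{4}-\d{1,2}-\d{1,2}) ")   # "[2010-08-26 136216]"
STAMP_LEADING_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}")  # "2012-09-14 23:52 129024 ..."


@dataclass
class Autorun:
    source: str                 # registry key or folder the entry was listed under
    path: str                   # executable or shortcut that gets launched
    seen: Optional[datetime]    # date ComboFix printed for the file, if any
    flags: list = field(default_factory=list)


def _seen(line: str) -> Optional[datetime]:
    m = STAMP_LEADING_RE.match(line) or STAMP_BRACKET_RE.search(line)
    return datetime.strptime(m.group(1), "%Y-%m-%d") if m else None


def parse_autoruns(log_text: str) -> list:
    """Collect every launch point listed after the 'Reg Loading Points' banner."""
    entries, section, active = [], "", False
    for raw in log_text.splitlines():
        line = raw.strip()
        if "Reg Loading Points" in line:
            active = True
            continue
        if not active or not line or line == ".":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]        # e.g. HKLM\...\Run or msconfig\startupreg\<name>
            continue
        if line.endswith("\\"):
            section = line              # a Startup folder listing follows this header
            continue
        if line.startswith("backup="):
            continue                    # msconfig's stashed copy, not an autorun by itself
        m = PATH_RE.search(line)
        if m:
            entries.append(Autorun(section, m.group(1), _seen(line)))
    return entries


def flag_entry(entry: Autorun, incident: datetime, window_days: int = 7) -> list:
    """Return the triage flags that apply to one autorun entry, in a fixed order."""
    flags = []
    if USER_PROFILE_RE.search(entry.path):
        flags.append("runs-from-user-profile")
    if entry.seen and abs((entry.seen - incident).days) <= window_days:
        flags.append("timestamp-near-incident")
    src = entry.source.lower()
    if "msconfig\\startupreg" in src or "\\startupfolder\\" in src:
        flags.append("disabled-by-msconfig-not-removed")
    name = entry.path.rsplit("\\", 1)[-1].lower()
    if any(n in name for n in WINDOWS_LOOKALIKE_NAMES):
        flags.append("windows-lookalike-name")
    return flags


def triage(log_text: str, incident: datetime, min_flags: int = 2) -> dict:
    """Map each autorun path to its flags, keeping only entries that trip at least min_flags."""
    result = {}
    for e in parse_autoruns(log_text):
        e.flags = flag_entry(e, incident)
        if len(e.flags) >= min_flags:
            result[e.path] = e.flags
    return result


if __name__ == "__main__":
    for path, flags in triage(SAMPLE_LOG, INCIDENT).items():
        print(f"{path}\n    {', '.join(flags)}")
```

Run against the full log, the vendor entries (igfxtray, iTunesHelper, HUD3, OneNote) collect no flags and only the two Task Scheduler items cross the threshold. The script is for triage, not removal: a ComboFix File:: directive or a manual deletion still has to follow, and the backup copy msconfig keeps under c:\windows\pss\ is the same shortcut and deserves the same look.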

Good morning mdv_1999. :)

By the way, just to give you some background on recent issues: besides this new FBI MoneyPak virus, within the past two months I've also had the Internet Security virus and the Security Shield virus, and at one point had a constant redirect issue. I believe that since the first virus a piece of malicious software has attached itself to the PC over time, so I wanted to completely clear my PC of all issues without having to reset it. I've also had a Trojan.Dropper.BCMiner, Trojan.Sirefef, and Rootkit.0Access that once plagued this computer within the same 2 months. Please help clear it of all current issues, and any attachments to the PC that can have effects down the line.

It sounds like you have had your fair share of infections. I will do my best to help you clean your computer. :)

I notice that you are not running an antivirus program. It is really dangerous to go online without an antivirus. Without one, you are extremely likely to get infected and the consequences could be even worse next time. Please download and install one of these excellent free antivirus programs:

  • AntiVir
  • avast!
  • Microsoft Security Essentials

============

Please follow these instructions to remove the remaining malicious entries:

  • Please close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open Notepad and copy/paste the text in the quotebox below into it:
    Please Note: Do NOT use any other text editor than Notepad or the CFScript will fail.

    killall::
    DDS::
    Trusted Zone: cch.com
    Trusted Zone: cchsfs.com
    Trusted Zone: refund-advantage.com\www
    Trusted Zone: taxwise.com
    File::
    c:\windows\system32\temp.005
    c:\windows\system32\temp.004
    c:\windows\system32\temp.003
    c:\windows\system32\temp.006
    c:\windows\system32\temp.007
    c:\windows\system32\temp.001
    c:\windows\system32\temp.000
    c:\windows\system32\temp.002
  • Save this as CFScript.txt, in the same location as ComboFix.exe.
    [Image: CFScriptB-4.gif, showing CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at C:\ComboFix.txt.

Please post the ComboFix.txt in your next reply.

============

Finally, please run this tool.

For 32-bit (x86) systems, download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.

For 64-bit (x64) systems, download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Then:

  • Select Command Prompt.
  • In the command window type notepad and press Enter.
  • Notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter, and close Notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it into your reply.

===========

In your reply please provide the contents of the following logs:

  • ComboFix.txt.
  • FRST.txt.


  • ComboFix.txt

ComboFix 12-09-15.02 - Sleep 09/16/2012 0:49.7.2 - x86

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2013.1353 [GMT -4:00]

Running from: c:\users\Sleep\Downloads\ComboFix.exe

Command switches used :: c:\users\Sleep\Desktop\CFScript.txt

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

FILE ::

"c:\windows\system32\temp.000"

"c:\windows\system32\temp.001"

"c:\windows\system32\temp.002"

"c:\windows\system32\temp.003"

"c:\windows\system32\temp.004"

"c:\windows\system32\temp.005"

"c:\windows\system32\temp.006"

"c:\windows\system32\temp.007"

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\system32\temp.000

c:\windows\system32\temp.001

c:\windows\system32\temp.002

c:\windows\system32\temp.003

c:\windows\system32\temp.004

c:\windows\system32\temp.005

c:\windows\system32\temp.006

c:\windows\system32\temp.007

.

.

((((((((((((((((((((((((( Files Created from 2012-08-16 to 2012-09-16 )))))))))))))))))))))))))))))))

.

.

2012-09-16 04:55 . 2012-09-16 04:55 -------- d-----w- c:\users\TEMP\AppData\Local\temp

2012-09-16 04:55 . 2012-09-16 04:55 -------- d-----w- c:\users\Public\AppData\Local\temp

2012-09-16 04:55 . 2012-09-16 04:55 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-09-16 04:55 . 2012-09-16 04:55 -------- d-----w- c:\users\Administrator\AppData\Local\temp

2012-09-14 23:52 . 2012-09-14 23:52 -------- d-----w- c:\users\Sleep\AppData\Roaming\Task Scheduler

2012-09-06 15:12 . 2012-09-16 04:57 -------- d-----w- c:\users\Sleep\AppData\Local\temp

2012-09-02 21:26 . 2012-09-02 21:26 -------- d-----w- c:\users\Sleep\AppData\Roaming\Nitro PDF

2012-09-02 21:18 . 2012-07-16 09:13 27144 ----a-w- c:\windows\system32\nitrolocalmon2.dll

2012-09-02 21:18 . 2012-07-16 09:13 18440 ----a-w- c:\windows\system32\nitrolocalui2.dll

2012-09-02 21:17 . 2012-09-02 21:17 -------- d-----w- c:\programdata\Nitro PDF

2012-09-02 21:17 . 2012-09-02 21:17 -------- d-----w- c:\program files\Nitro PDF

2012-09-02 21:17 . 2012-09-02 21:17 -------- d-----w- c:\program files\Common Files\Nitro PDF

2012-09-02 21:17 . 2012-09-02 21:17 -------- d-----w- c:\users\Sleep\AppData\Roaming\Downloaded Installations

2012-08-30 01:15 . 2012-08-30 01:15 -------- d-----w- c:\users\Sleep\AppData\Roaming\.mono

2012-08-30 01:15 . 2012-08-30 01:15 -------- d-----w- c:\programdata\.mono

2012-08-29 19:09 . 2000-12-06 02:00 109248 ----a-w- c:\windows\system32\MSWINSCK.OCX

2012-08-29 19:09 . 1999-06-03 12:51 381712 ----a-w- c:\windows\system32\MSWLESS.OCX

2012-08-29 19:09 . 1998-06-18 05:00 89360 ----a-w- c:\windows\system32\VB5DB.DLL

2012-08-29 19:09 . 1997-07-19 17:55 1347344 ----a-w- c:\windows\system32\MSVBVM50.DLL

2012-08-29 19:09 . 2000-05-22 02:00 115920 ----a-w- c:\windows\system32\MSINET.OCX

2012-08-29 19:09 . 1998-06-24 02:00 137000 ----a-w- c:\windows\system32\MSMAPI32.OCX

2012-08-22 15:35 . 2012-08-22 17:30 -------- d-----w- c:\programdata\HitmanPro

2012-08-22 10:31 . 2012-08-22 10:31 -------- d-----w- c:\users\Sleep\AppData\Local\{88B67A84-EC44-11E1-8270-B8AC6F996F26}

2012-08-19 07:01 . 2012-08-19 07:01 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help

2012-08-18 11:38 . 2012-08-18 11:38 -------- d-----w- c:\users\Sleep\AppData\Local\IsolatedStorage

2012-08-18 11:38 . 2012-08-18 11:38 -------- d-----w- c:\users\Sleep\AppData\Local\C3C_Software

2012-08-18 11:23 . 2012-09-15 06:11 -------- d-----w- c:\program files\Final Impression

2012-08-17 15:21 . 2012-08-18 19:18 -------- d-----w- c:\users\Sleep\AppData\Roaming\FileZilla

2012-08-17 09:51 . 1999-05-15 04:24 97280 ----a-w- c:\windows\system32\vspell32.ocx

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-09-07 21:04 . 2012-04-05 23:14 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-08-22 16:59 . 2009-07-13 23:11 259072 ----a-w- c:\windows\system32\services.exe

2012-08-22 10:32 . 2012-04-05 03:36 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-08-22 10:32 . 2011-06-10 13:05 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-08-01 18:13 . 2012-08-01 18:13 35560 ----a-w- c:\windows\system32\drivers\hssdrv6.sys

2012-08-01 18:13 . 2012-08-01 18:13 33512 ----a-w- c:\windows\system32\drivers\taphss.sys

2012-07-18 17:10 . 2012-08-15 04:15 2344448 ----a-w- c:\windows\system32\win32k.sys

2012-07-16 09:14 . 2012-07-16 09:14 69640 ----a-w- c:\windows\system32\NLSSRV32.EXE

2012-07-04 21:23 . 2012-08-15 04:15 41472 ----a-w- c:\windows\system32\browcli.dll

2012-07-04 21:23 . 2012-08-15 04:15 102912 ----a-w- c:\windows\system32\browser.dll

2012-06-29 00:16 . 2012-08-15 07:01 1800704 ----a-w- c:\windows\system32\jscript9.dll

2012-06-29 00:09 . 2012-08-15 07:01 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-06-29 00:08 . 2012-08-15 07:01 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-06-29 00:04 . 2012-08-15 07:01 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-06-29 00:00 . 2012-08-15 07:01 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-07-14 00:17 . 2012-08-12 15:56 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-05-26 1159168]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 136216]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 171032]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-07 421776]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-07-16 307768]

.

c:\users\Sleep\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

HUD 3.6.0.lnk - c:\program files\Fonality\HUD3.6\HUD3.exe [2011-6-7 315392]

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk

backup=c:\windows\pss\QuickBooks Update Agent.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKLM\~\startupfolder\C:^Users^Sleep^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Task Scheduler.lnk]

path=c:\users\Sleep\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Task Scheduler.lnk

backup=c:\windows\pss\Task Scheduler.lnk.Startup

backupExtension=.Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]

2008-07-10 04:05 46368 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

2009-07-26 22:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]

2008-07-10 04:07 29984 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPort11reminder]

2007-08-31 14:01 328992 ----a-w- c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Task Scheduler]

2012-09-14 23:52 129024 ----a-w- c:\users\Sleep\AppData\Roaming\Task Scheduler\Task Scheduler.exe

.

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [x]

R0 TFSysMon;TFSysMon;c:\windows\system32\drivers\TfSysMon.sys [x]

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]

R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]

R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

S0 nlem32nt;nlem32nt; [x]

S1 HssDRV6;Hotspot Shield Routing Driver 6;c:\windows\system32\DRIVERS\hssdrv6.sys [x]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]

S2 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [x]

S2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [x]

S2 hshld;Hotspot Shield Service;c:\program files\Hotspot Shield\bin\openvpnas.exe [x]

S2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe [x]

S2 NitroDriverReadSpool2;NitroPDFDriverCreatorReadSpool2;c:\program files\Nitro PDF\Professional 7\NitroPDFDriverService2.exe [x]

S2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\NLSSRV32.EXE [x]

S3 BrSerIb;Brother MFC Serial Interface Driver(WDM);c:\windows\system32\DRIVERS\BrSerIb.sys [x]

S3 BrUsbSIb;Brother MFC Serial USB Driver(WDM);c:\windows\system32\DRIVERS\BrUsbSIb.sys [x]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]

S3 VIACRX86;VIACRX86;c:\windows\system32\DRIVERS\viacr.sys [x]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

pinetmgr

sscdbus

NWSLP

procexp90

WacomVKHid

usb_rndisx

lhidusb

winpowerrmi

TSHWMDTCP

w200mdfl

radclock

cebdaldr

dm1service

fasttrackinstallerservice

se27unic

ups

ma_cmidi_installerservice

tosrfsnd

GoToAssist

.

Contents of the 'Scheduled Tasks' folder

.

2012-09-16 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 10:32]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mWindow Title =

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.2.1

FF - ProfilePath - c:\users\Sleep\AppData\Roaming\Mozilla\Firefox\Profiles\zhni10w2.default\

FF - prefs.js: network.proxy.type - 0

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,43,54,b3,07,38,b7,c2,43,97,80,7b,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,43,54,b3,07,38,b7,c2,43,97,80,7b,\

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\WLANExt.exe

c:\windows\system32\conhost.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Hotspot Shield\HssWPR\hsssrv.exe

c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe

c:\windows\system32\taskhost.exe

c:\windows\system32\conhost.exe

c:\program files\Hotspot Shield\bin\openvpntray.exe

c:\windows\system32\sppsvc.exe

.

**************************************************************************

.

Completion time: 2012-09-16 01:00:11 - machine was rebooted

ComboFix-quarantined-files.txt 2012-09-16 05:00

ComboFix2.txt 2012-09-15 14:12

ComboFix3.txt 2012-09-06 15:17

ComboFix4.txt 2012-09-02 02:34

.

Pre-Run: 261,048,311,808 bytes free

Post-Run: 263,015,075,840 bytes free

.

- - End Of File - - 051C1DF8AC7ECD674342D7E320D9D930

  • FRST.txt

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 15-09-2012 02

Ran by SYSTEM at 16-09-2012 01:20:15

Running from F:\

Windows 7 Home Premium (X86) OS Language: English(US)

The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot [210472 2006-10-25] (Nuance Communications, Inc.)

HKLM\...\Run: [brMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN [1159168 2009-05-26] (Brother Industries, Ltd.)

HKLM\...\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)

HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)

HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)

HKLM\...\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)

HKU\TEMP\...\Run: [RESTART_STICKY_NOTES] C:\Windows\system32\StikyNot.exe [354304 2009-07-13] (Microsoft Corporation)

Tcpip\Parameters: [DhcpNameServer] 192.168.2.1

Startup: C:\Users\Sleep\Start Menu\Programs\Startup\HUD 3.6.0.lnk

ShortcutTarget: HUD 3.6.0.lnk -> C:\Program Files\Fonality\HUD3.6\HUD3.exe ()

Startup: C:\Users\Sleep\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

==================== Services (Whitelisted) ===================

2 GoToAssist; C:\Windows\System32\svchost.exe -k netsvcs [20992 2009-07-13] (Microsoft Corporation)

2 hshld; C:\Program Files\Hotspot Shield\bin\openvpnas.exe [476016 2012-08-02] ()

2 HssSrv; C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe [408944 2012-08-02] (AnchorFree Inc.)

3 HssTrayService; C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE [78072 2012-08-02] ()

2 HssWd; C:\Program Files\Hotspot Shield\bin\hsswd.exe [387440 2012-08-02] ()

2 ma_cmidi_installerservice; C:\Windows\System32\svchost.exe -k netsvcs [20992 2009-07-13] (Microsoft Corporation)

3 MozillaMaintenance; "C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe" [113120 2012-07-13] (Mozilla Foundation)

2 NitroDriverReadSpool2; "C:\Program Files\Nitro PDF\Professional 7\NitroPDFDriverService2.exe" [184840 2012-07-16] (Nitro PDF Software)

2 MSSQL$MSSMLBIZ; "c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ [x]

4 MSSQLServerADHelper; "c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe" [x]

2 SQLBrowser; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe" [x]

2 SQLWriter; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [x]

==================== Drivers (Whitelisted) ====================

3 BCM42RLY; C:\Windows\System32\drivers\BCM42RLY.sys [18424 2009-07-16] (Broadcom Corporation)

1 HssDRV6; C:\Windows\System32\DRIVERS\hssdrv6.sys [35560 2012-08-01] (AnchorFree Inc.)

0 nlem32nt; C:\Windows\System32\Drivers\nlem32nt.sys [69656 2009-12-01] ()

0 PxHelp20; C:\Windows\System32\Drivers\PxHelp20.sys [45648 2010-07-12] (Sonic Solutions)

3 taphss; C:\Windows\System32\DRIVERS\taphss.sys [33512 2012-08-01] (AnchorFree Inc)

3 VIACRX86; C:\Windows\System32\DRIVERS\viacr.sys [59392 2009-07-13] (VIA Technologies, Inc. )

3 catchme; \??\C:\ComboFix\catchme.sys [x]

0 TfFsMon; C:\Windows\System32\drivers\TfFsMon.sys [x]

3 TfNetMon; \??\C:\Windows\system32\drivers\TfNetMon.sys [x]

0 TFSysMon; C:\Windows\System32\drivers\TfSysMon.sys [x]

==================== NetSvcs (Whitelisted) ===================

NETSVC: pinetmgr -> No Registry Path.

NETSVC: sscdbus -> No Registry Path.

NETSVC: NWSLP -> No Registry Path.

NETSVC: procexp90 -> No Registry Path.

NETSVC: WacomVKHid -> No Registry Path.

NETSVC: usb_rndisx -> No Registry Path.

NETSVC: lhidusb -> No Registry Path.

NETSVC: winpowerrmi -> No Registry Path.

NETSVC: TSHWMDTCP -> No Registry Path.

NETSVC: w200mdfl -> No Registry Path.

NETSVC: radclock -> No Registry Path.

NETSVC: cebdaldr -> No Registry Path.

NETSVC: dm1service -> No Registry Path.

NETSVC: fasttrackinstallerservice -> No Registry Path.

NETSVC: se27unic -> No Registry Path.

NETSVC: ups -> No Registry Path.

NETSVC: ma_cmidi_installerservice -> No Registry Path.

NETSVC: tosrfsnd -> No Registry Path.

NETSVC: GoToAssist -> No Registry Path.

==================== One Month Created Files and Folders ========

2012-09-15 21:13 - 2012-09-16 01:20 - 00000000 ____D C:\FRST

2012-09-15 21:13 - 2012-09-15 21:13 - 00904140 ____A (Farbar) C:\Users\Sleep\Downloads\FRST.exe

2012-09-15 21:00 - 2012-09-15 21:00 - 00013366 ____A C:\ComboFix.txt

2012-09-15 06:04 - 2012-09-15 20:46 - 04754503 ____R (Swearware) C:\Users\Sleep\Downloads\ComboFix.exe

2012-09-14 21:58 - 2012-09-14 22:00 - 00002247 ____A C:\Users\Sleep\Desktop\New Text Document.txt

2012-09-14 18:06 - 2012-09-14 18:06 - 00540921 ____A C:\Users\Sleep\Downloads\Autoruns.zip

2012-09-14 15:52 - 2012-09-14 15:52 - 00000000 ____D C:\Users\Sleep\AppData\Roaming\Task Scheduler

2012-09-03 15:11 - 2012-09-15 20:56 - 00002528 ____A C:\Windows\PFRO.log

2012-09-03 15:11 - 2012-09-03 15:11 - 00448984 ____A C:\Windows\System32\FNTCACHE.DAT

2012-09-02 13:26 - 2012-09-02 13:26 - 00000000 ____D C:\Users\Sleep\AppData\Roaming\Nitro PDF

2012-09-02 13:18 - 2012-07-16 01:13 - 00027144 ____A (Nitro PDF Software) C:\Windows\System32\nitrolocalmon2.dll

2012-09-02 13:18 - 2012-07-16 01:13 - 00018440 ____A (Nitro PDF Software) C:\Windows\System32\nitrolocalui2.dll

2012-09-02 13:17 - 2012-09-02 13:17 - 00002019 ____A C:\Users\Public\Desktop\Nitro Pro 7.lnk

2012-09-02 13:17 - 2012-09-02 13:17 - 00000000 ____D C:\Users\Sleep\AppData\Roaming\Downloaded Installations

2012-09-02 13:17 - 2012-09-02 13:17 - 00000000 ____D C:\Users\All Users\Nitro PDF

2012-09-02 13:17 - 2012-09-02 13:17 - 00000000 ____D C:\Program Files\Nitro PDF

2012-09-02 13:17 - 2012-09-02 13:17 - 00000000 ____D C:\Program Files\Common Files\Nitro PDF

2012-09-01 21:00 - 2012-09-15 21:02 - 00002240 ____A C:\Windows\setupact.log

2012-09-01 21:00 - 2012-09-01 21:00 - 00000000 ____A C:\Windows\setuperr.log

2012-09-01 18:22 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe

2012-09-01 18:22 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe

2012-09-01 18:22 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe

2012-09-01 18:22 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe

2012-09-01 18:22 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe

2012-09-01 18:22 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe

2012-09-01 18:22 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe

2012-09-01 18:22 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe

2012-09-01 18:21 - 2012-09-15 21:00 - 00000000 ____D C:\Qoobox

2012-09-01 09:59 - 2012-09-01 09:59 - 00124872 ____A C:\Users\Sleep\AppData\Local\GDIPFONTCACHEV1.DAT

2012-09-01 07:52 - 2012-09-01 07:52 - 02322184 ____A (ESET) C:\Users\Sleep\Downloads\esetsmartinstaller_enu.exe

2012-08-30 18:59 - 2012-08-30 18:59 - 00000000 ____D C:\Users\Sleep\Documents\OneNote Notebooks

2012-08-30 14:17 - 2012-08-30 14:17 - 10900795 ____A ( ) C:\Users\Sleep\Downloads\nemopdfconverter.exe

2012-08-29 17:15 - 2012-08-29 17:15 - 00000000 ____D C:\Users\Sleep\AppData\Roaming\.mono

2012-08-29 17:15 - 2012-08-29 17:15 - 00000000 ____D C:\Users\All Users\.mono

2012-08-29 17:06 - 2012-08-29 17:09 - 05505024 ____A (Wheels4Deals, LLC ) C:\Users\Sleep\Downloads\wheels4_setup.exe

2012-08-29 11:18 - 2012-08-29 11:18 - 00001222 ____A C:\Users\Administrator\Desktop\Craigs List & eBay Export.lnk

2012-08-29 11:09 - 2000-12-05 18:00 - 00109248 ____A (Microsoft Corporation) C:\Windows\System32\MSWINSCK.OCX

2012-08-29 11:09 - 2000-05-21 18:00 - 00115920 ____A (Microsoft Corporation) C:\Windows\System32\MSINET.OCX

2012-08-29 11:09 - 1999-06-03 04:51 - 00381712 ____A (Microsoft Corporation) C:\Windows\System32\MSWLESS.OCX

2012-08-29 11:09 - 1998-06-23 18:00 - 00137000 ____A (Microsoft Corporation) C:\Windows\System32\MSMAPI32.OCX

2012-08-29 11:09 - 1998-06-17 21:00 - 00089360 ____A (Microsoft Corporation) C:\Windows\System32\VB5DB.DLL

2012-08-29 11:09 - 1997-07-19 09:55 - 01347344 ____A (Microsoft Corporation) C:\Windows\System32\MSVBVM50.DLL

2012-08-29 11:01 - 2012-08-29 11:01 - 07642472 ____A (PrimaSoft PC, Inc. ) C:\Users\Sleep\Downloads\cardealp.exe

2012-08-29 10:57 - 2012-08-29 11:02 - 60743063 ____A C:\Users\Sleep\Downloads\DS5_Setup.exe

2012-08-22 07:36 - 2012-08-22 07:36 - 07758424 ____A (SurfRight B.V.) C:\Users\Sleep\Downloads\HitmanPro36.exe

2012-08-22 07:35 - 2012-08-22 09:30 - 00000000 ____D C:\Users\All Users\HitmanPro

2012-08-22 02:32 - 2012-09-15 20:57 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2012-08-22 02:31 - 2012-08-22 02:31 - 00000000 ____D C:\Users\Sleep\AppData\Local\{88B67A84-EC44-11E1-8270-B8AC6F996F26}

2012-08-18 23:01 - 2012-08-18 23:01 - 00000000 ____D C:\Users\Default\AppData\Local\Microsoft Help

2012-08-18 23:01 - 2012-08-18 23:01 - 00000000 ____D C:\Users\Default User\AppData\Local\Microsoft Help

2012-08-18 03:38 - 2012-08-18 03:38 - 00000000 ____D C:\Users\Sleep\AppData\Local\IsolatedStorage

2012-08-18 03:38 - 2012-08-18 03:38 - 00000000 ____D C:\Users\Sleep\AppData\Local\C3C_Software

2012-08-18 03:23 - 2012-09-14 22:11 - 00000000 ____D C:\Program Files\Final Impression

2012-08-18 03:23 - 2012-08-18 03:38 - 00000000 ____D C:\Users\Sleep\Documents\Final Impression

2012-08-18 03:22 - 2012-09-14 22:10 - 11375074 ____A ( ) C:\Users\Sleep\Downloads\fisetup.exe

2012-08-17 22:02 - 2012-08-17 22:02 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Macromedia

2012-08-17 07:21 - 2012-08-18 11:18 - 00000000 ____D C:\Users\Sleep\AppData\Roaming\FileZilla

2012-08-17 01:57 - 2012-08-17 07:16 - 00000025 ____A C:\Windows\.prj

2012-08-17 01:51 - 2012-08-17 01:51 - 07209190 ____A C:\Users\Sleep\Downloads\pgbreeze.exe

2012-08-17 01:51 - 1999-05-14 20:24 - 00097280 ____A (Visual Components, Inc.) C:\Windows\System32\vspell32.ocx

==================== 3 Months Modified Files ==================

2012-09-15 21:14 - 2012-07-13 02:04 - 01311349 ____A C:\Windows\WindowsUpdate.log

2012-09-15 21:13 - 2012-09-15 21:13 - 00904140 ____A (Farbar) C:\Users\Sleep\Downloads\FRST.exe

2012-09-15 21:11 - 2010-01-28 15:35 - 00845612 ____A C:\Windows\System32\PerfStringBackup.INI

2012-09-15 21:10 - 2009-07-13 20:34 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-09-15 21:10 - 2009-07-13 20:34 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-09-15 21:02 - 2012-09-01 21:00 - 00002240 ____A C:\Windows\setupact.log

2012-09-15 21:02 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-09-15 21:00 - 2012-09-15 21:00 - 00013366 ____A C:\ComboFix.txt

2012-09-15 20:57 - 2012-08-22 02:32 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2012-09-15 20:57 - 2009-07-13 18:04 - 00000215 ____A C:\Windows\system.ini

2012-09-15 20:56 - 2012-09-03 15:11 - 00002528 ____A C:\Windows\PFRO.log

2012-09-15 20:46 - 2012-09-15 06:04 - 04754503 ____R (Swearware) C:\Users\Sleep\Downloads\ComboFix.exe

2012-09-15 18:49 - 2011-01-29 04:53 - 00000426 ____A C:\Windows\BRWMARK.INI

2012-09-14 22:10 - 2012-08-18 03:22 - 11375074 ____A ( ) C:\Users\Sleep\Downloads\fisetup.exe

2012-09-14 22:00 - 2012-09-14 21:58 - 00002247 ____A C:\Users\Sleep\Desktop\New Text Document.txt

2012-09-14 18:06 - 2012-09-14 18:06 - 00540921 ____A C:\Users\Sleep\Downloads\Autoruns.zip

2012-09-08 13:30 - 2011-11-29 10:16 - 00050551 ____A C:\Users\Sleep\Documents\ANAG Books '11.xlsx

2012-09-07 13:04 - 2012-04-05 15:14 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-09-03 15:11 - 2012-09-03 15:11 - 00448984 ____A C:\Windows\System32\FNTCACHE.DAT

2012-09-02 13:17 - 2012-09-02 13:17 - 00002019 ____A C:\Users\Public\Desktop\Nitro Pro 7.lnk

2012-09-01 21:00 - 2012-09-01 21:00 - 00000000 ____A C:\Windows\setuperr.log

2012-09-01 09:59 - 2012-09-01 09:59 - 00124872 ____A C:\Users\Sleep\AppData\Local\GDIPFONTCACHEV1.DAT

2012-09-01 07:52 - 2012-09-01 07:52 - 02322184 ____A (ESET) C:\Users\Sleep\Downloads\esetsmartinstaller_enu.exe

2012-08-30 19:04 - 2011-04-12 13:44 - 00000000 ____A C:\Users\Sleep\Documents\Nuance Image Printer Writer Port

2012-08-30 14:17 - 2012-08-30 14:17 - 10900795 ____A ( ) C:\Users\Sleep\Downloads\nemopdfconverter.exe

2012-08-29 17:09 - 2012-08-29 17:06 - 05505024 ____A (Wheels4Deals, LLC ) C:\Users\Sleep\Downloads\wheels4_setup.exe

2012-08-29 11:18 - 2012-08-29 11:18 - 00001222 ____A C:\Users\Administrator\Desktop\Craigs List & eBay Export.lnk

2012-08-29 11:02 - 2012-08-29 10:57 - 60743063 ____A C:\Users\Sleep\Downloads\DS5_Setup.exe

2012-08-29 11:01 - 2012-08-29 11:01 - 07642472 ____A (PrimaSoft PC, Inc. ) C:\Users\Sleep\Downloads\cardealp.exe

2012-08-22 08:59 - 2009-07-13 15:11 - 00259072 ____A (Microsoft Corporation) C:\Windows\System32\services.exe

2012-08-22 07:36 - 2012-08-22 07:36 - 07758424 ____A (SurfRight B.V.) C:\Users\Sleep\Downloads\HitmanPro36.exe

2012-08-22 02:32 - 2012-04-04 19:36 - 00696520 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe

2012-08-22 02:32 - 2011-06-10 05:05 - 00073416 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl

2012-08-19 23:05 - 2009-07-13 18:04 - 00000478 ____A C:\Windows\win.ini

2012-08-17 07:16 - 2012-08-17 01:57 - 00000025 ____A C:\Windows\.prj

2012-08-17 01:51 - 2012-08-17 01:51 - 07209190 ____A C:\Users\Sleep\Downloads\pgbreeze.exe

2012-08-16 11:26 - 2012-08-16 11:26 - 00009235 ____A C:\Users\Sleep\Downloads\2004_converted.html

2012-08-16 10:48 - 2012-08-16 10:48 - 03626414 ____A (Word-Pdf-Convert Software, Inc. ) C:\Users\Sleep\Downloads\free_all_to_image_jpg_jpeg_bmp_tiff_png_converter.exe

2012-08-14 23:02 - 2011-11-24 08:48 - 59884088 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2012-08-14 06:57 - 2012-08-14 06:57 - 00001110 ____A C:\Users\Public\Desktop\Hotspot Shield Launch.lnk

2012-08-14 06:56 - 2012-08-14 06:56 - 00000000 ____A C:\Windows\System32\cd.dat

2012-08-12 07:56 - 2012-08-12 07:56 - 00001094 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk

2012-08-10 08:33 - 2012-08-10 08:33 - 00001755 ____A C:\Users\Public\Desktop\iTunes.lnk

2012-08-01 10:13 - 2012-08-01 10:13 - 00035560 ____A (AnchorFree Inc.) C:\Windows\System32\Drivers\hssdrv6.sys

2012-08-01 10:13 - 2012-08-01 10:13 - 00033512 ____A (AnchorFree Inc) C:\Windows\System32\Drivers\taphss.sys

2012-07-30 00:20 - 2009-07-13 20:53 - 00032640 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2012-07-20 06:47 - 2010-12-24 09:38 - 00079106 ____A C:\Users\Sleep\Documents\Client List.xlsx

2012-07-19 08:39 - 2012-01-09 20:27 - 00171381 ____A C:\Users\Sleep\Documents\Client List '11.xlsx

2012-07-19 08:38 - 2011-01-29 04:57 - 00128947 ____A C:\Users\Sleep\Documents\Books '11.xlsx

2012-07-18 09:10 - 2012-08-14 20:15 - 02344448 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-07-16 01:14 - 2012-07-16 01:14 - 00069640 ____A (Nalpeiron Ltd.) C:\Windows\System32\NLSSRV32.EXE

2012-07-16 01:13 - 2012-09-02 13:18 - 00027144 ____A (Nitro PDF Software) C:\Windows\System32\nitrolocalmon2.dll

2012-07-16 01:13 - 2012-09-02 13:18 - 00018440 ____A (Nitro PDF Software) C:\Windows\System32\nitrolocalui2.dll

2012-07-15 06:42 - 2011-02-08 07:02 - 02055429 ____A C:\Windows\System32\Drivers\Cat.DB

2012-07-13 02:16 - 2012-07-13 02:16 - 00000000 ____A C:\Windows\System32\SM.lock

2012-07-13 00:43 - 2012-07-13 00:43 - 00000009 ____A C:\END

2012-07-04 13:26 - 2012-08-14 20:15 - 00057344 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll

2012-07-04 13:23 - 2012-08-14 20:15 - 00102912 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll

2012-07-04 13:23 - 2012-08-14 20:15 - 00041472 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll

2012-06-28 16:52 - 2012-08-14 23:01 - 12317184 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-06-28 16:27 - 2012-08-14 23:01 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-06-28 16:16 - 2012-08-14 23:01 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-06-28 16:09 - 2012-08-14 23:01 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-06-28 16:09 - 2012-08-14 23:01 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-06-28 16:08 - 2012-08-14 23:01 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-06-28 16:07 - 2012-08-14 23:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-06-28 16:06 - 2012-08-14 23:01 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-06-28 16:04 - 2012-08-14 23:01 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-06-28 16:04 - 2012-08-14 23:01 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-06-28 16:01 - 2012-08-14 23:01 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-06-28 16:01 - 2012-08-14 23:01 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-06-28 16:00 - 2012-08-14 23:01 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-06-28 15:57 - 2012-08-14 23:01 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

ZeroAccess:

C:\Windows\Installer\{02003428-8fdc-7a58-9377-f7b03ed8a90e}

C:\Windows\Installer\{02003428-8fdc-7a58-9377-f7b03ed8a90e}\L

C:\Windows\Installer\{02003428-8fdc-7a58-9377-f7b03ed8a90e}\U

ZeroAccess:

C:\Users\Sleep\AppData\Local\{02003428-8fdc-7a58-9377-f7b03ed8a90e}

C:\Users\Sleep\AppData\Local\{02003428-8fdc-7a58-9377-f7b03ed8a90e}\L

C:\Users\Sleep\AppData\Local\{02003428-8fdc-7a58-9377-f7b03ed8a90e}\Threat Expert

C:\Users\Sleep\AppData\Local\{02003428-8fdc-7a58-9377-f7b03ed8a90e}\U

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-08-24 23:45:03

Restore point made on: 2012-08-29 11:03:53

Restore point made on: 2012-08-29 11:09:06

Restore point made on: 2012-08-29 22:12:47

Restore point made on: 2012-08-29 22:14:01

Restore point made on: 2012-09-01 08:42:27

Restore point made on: 2012-09-02 13:17:28

Restore point made on: 2012-09-02 15:59:39

Restore point made on: 2012-09-06 07:07:04

Restore point made on: 2012-09-13 17:25:23

Restore point made on: 2012-09-15 20:47:37

==================== Memory info ===========================

Percentage of memory in use: 21%

Total physical RAM: 2012.8 MB

Available physical RAM: 1572.44 MB

Total Pagefile: 2012.8 MB

Available Pagefile: 1576.58 MB

Total Virtual: 2047.88 MB

Available Virtual: 1965.62 MB

==================== Partitions =============================

1 Drive c: (OS) (Fixed) (Total:283.4 GB) (Free:244.88 GB) NTFS

3 Drive f: () (Removable) (Total:3.76 GB) (Free:3.76 GB) FAT32

4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

5 Drive y: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:10.94 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 298 GB 0 B

Disk 1 Online 3854 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 OEM 39 MB 31 KB

Partition 2 Primary 14 GB 40 MB

Partition 3 Primary 283 GB 14 GB

=========================================================

Disk: 0

Partition 1

Type : DE

Hidden: Yes

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 4 FAT Partition 39 MB Healthy Hidden

=========================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 Y RECOVERY NTFS Partition 14 GB Healthy

=========================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C OS NTFS Partition 283 GB Healthy

=========================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 3853 MB 31 KB

=========================================================

Disk: 1

Partition 1

Type : 0C

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 F FAT32 Removable 3853 MB Healthy

=========================================================

Last Boot: 2012-09-05 20:01

==================== End Of Log ============================


Hey mdv_1999. :)

Thank you for providing FRST.txt. It has located the components of ZeroAccess that need to be removed.

Please download the attached fixlist.txt. Save it on the flashdrive as fixlist.txt

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST64 and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt). Please post the contents in your reply.

What issues remain on your computer?

fixlist.txt


My initial issue: I had to disable Task Scheduler in order to avoid the FBI MoneyPak virus popup. Somehow it's attached to it. I also attached a screenshot of AutoRuns on the first post so you can help me uninstall or disable unnecessary/unwanted services.

  • Fixlog.txt

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 15-09-2012 02

Ran by SYSTEM at 2012-09-16 02:26:28 Run:1

Running from F:\

==============================================

C:\Windows\Installer\{02003428-8fdc-7a58-9377-f7b03ed8a90e} moved successfully.

C:\Windows\Installer\{02003428-8fdc-7a58-9377-f7b03ed8a90e}\L not found.

C:\Windows\Installer\{02003428-8fdc-7a58-9377-f7b03ed8a90e}\U not found.

C:\Users\Sleep\AppData\Local\{02003428-8fdc-7a58-9377-f7b03ed8a90e} moved successfully.

C:\Users\Sleep\AppData\Local\{02003428-8fdc-7a58-9377-f7b03ed8a90e}\L not found.

C:\Users\Sleep\AppData\Local\{02003428-8fdc-7a58-9377-f7b03ed8a90e}\Threat Expert not found.

C:\Users\Sleep\AppData\Local\{02003428-8fdc-7a58-9377-f7b03ed8a90e}\U not found.

==== End of Fixlog ====
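
The Fixlog shows the layout FRST cleaned up: a directory named as a bare {GUID} under C:\Windows\Installer and another under the user's AppData\Local, each expected to hold "U" and "L" subfolders. The script below is an added example written for this page, not code from the thread or from FRST. It re-checks those two kinds of location on every profile and reports {GUID} directories that still carry the U/L subfolders or that cannot be listed even from an elevated prompt. The function name, the root list and the "Suspicious" rule are choices made for this example; C:\Windows\Installer legitimately contains {GUID} folders for MSI packages, so a name match on its own proves nothing.

```powershell
# Added example, not code from the thread or from FRST. Looks for leftovers of
# the layout the fixlist above removed: a directory named as a bare {GUID}
# under C:\Windows\Installer or under a profile's AppData\Local that holds the
# "U" and/or "L" subfolders seen in the Fixlog. The Installer folder legitimately
# contains {GUID} directories for MSI packages, so the name alone is not a
# finding; the U/L subfolders and a folder that refuses to be listed are.
# Run from an elevated PowerShell; PS 2.0 syntax so it runs on Windows 7 RTM.

$guidName = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

# Roots to inspect: the Installer cache plus AppData\Local of every profile.
$roots = @("$env:windir\Installer")
foreach ($userDir in (Get-ChildItem "$env:SystemDrive\Users" -ErrorAction SilentlyContinue)) {
    if ($userDir.PSIsContainer) { $roots += Join-Path $userDir.FullName 'AppData\Local' }
}

function Get-GuidDirReport([string]$root) {
    $dirs = Get-ChildItem $root -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Name -match $guidName }
    foreach ($d in $dirs) {
        $hasU = Test-Path (Join-Path $d.FullName 'U')
        $hasL = Test-Path (Join-Path $d.FullName 'L')
        # A {GUID} folder inside your own profile that cannot be listed even
        # when elevated deserves a look on its own, so record that separately.
        $listable = $true
        try { Get-ChildItem $d.FullName -Force -ErrorAction Stop | Out-Null } catch { $listable = $false }
        New-Object PSObject -Property @{
            Path       = $d.FullName
            Created    = $d.CreationTime
            HasU       = $hasU
            HasL       = $hasL
            Listable   = $listable
            Suspicious = ($hasU -or $hasL -or -not $listable)
        }
    }
}

$report = foreach ($r in $roots) { Get-GuidDirReport $r }
if (-not $report) {
    'No {GUID} directories found under the inspected roots.'
} else {
    $report | Sort-Object Suspicious -Descending |
        Format-Table Path, Created, HasU, HasL, Listable, Suspicious -AutoSize
}
```

Anything reported as Suspicious is a candidate for the same kind of FRST fixlist entry the thread used (the full directory path, one per line); confirm what is inside before removing it, because an MSI cache folder with an unrelated subfolder would also match.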


Hey mdv_1999. :)

So even after running the fix in the last post you are still seeing the popups?

Please download the Kaspersky Virus Removal Tool from here to your Desktop.

  • Double-click the Removal Tool.
  • Click the cog in the upper right corner:

AVPfront.gif

  • Select down to and including your main drive.
  • Once done please select the Automatic scan tab and press Start Scan.

avpsettings.gif

  • Allow AVP to delete all infections found.
  • Once it has finished select the Report tab.
  • Select the Detected threats report from the left and press the Save button.
  • Save it to your Desktop and post the contents in your next reply.


Actually, I have yet to re-enable the Task Scheduler. Should I?

Here's the thing. My PC was running the Virus Removal Tool and I accidentally closed it. So the log below is incomplete. It also detected 3 virus components that said something about a Java attachment. By the way, lately every time I reboot my system Java says that an update is available. I normally close it. But once I did click update and it says I already have the current Java.

  • KasperskyVRTlog.txt

Status: Deleted (events: 3)

9/16/2012 11:24:02 AM Deleted Trojan program Trojan.Win32.BHO.cgqs C:\Qoobox\Quarantine\C\Users\Sleep\AppData\Local\Apple Computer\Adobe\cphlzlw.dll.vir High

9/16/2012 11:24:14 AM Deleted Trojan program Trojan.Win32.Diple.flaf C:\Qoobox\Quarantine\C\Users\Sleep\AppData\Local\{02003428-8fdc-7a58-9377-f7b03ed8a90e}\Threat Expert\shmeuv.dll.vir High

9/16/2012 11:24:14 AM Deleted unknown threat UDS:DangerousObject.Multi.Generic C:\TDSSKiller_Quarantine\22.08.2012_12.57.02\zasubsys0000\zafs0000\tsk0001.dta High


I reran Kaspersky. No threats were detected. By the way, the log sent earlier was also my second run of the virus scanner. I accidentally closed it the first time during the scan, so that's why there's no log about the first 3 Java virus components detected. The log above was the rerun. I hope this isn't too confusing. :) I had Kaspersky delete them when found. Would you still be able to help me eradicate any Java issue if there's any left?

  • Kaspersky---> No Threats Detected


Hey mdv_1999. :)

Please follow these instructions to clean out your temporary files. Please download ATF Cleaner.

Save it to your Desktop.

  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.

If you use the Firefox browser, do this also:

  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser, do this also:

  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Then, please follow these instructions to clean out your Java Cache:

  • Please close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open Notepad and copy/paste the text in the quotebox below into it:
    Please Note: Do NOT use any other text editor than Notepad or the CFScript will fail.

    killall::
    ClearJavaCache::
  • Save this as CFScript.txt, in the same location as ComboFix.exe.
    CFScriptB-4.gif
  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at C:\ComboFix.txt.

Please post the ComboFix.txt in your next reply.

What issues remain?



Nothing at the moment. Should I leave Task Scheduler disabled?

  • ComboFix.txt

ComboFix 12-09-16.01 - Sleep 09/17/2012 9:25.8.2 - x86

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2013.1210 [GMT -4:00]

Running from: c:\users\Sleep\Downloads\ComboFix.exe

Command switches used :: c:\users\Sleep\Downloads\CFScript.txt

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((( Files Created from 2012-08-17 to 2012-09-17 )))))))))))))))))))))))))))))))

.

.

2012-09-17 13:31 . 2012-09-17 13:31 -------- d-----w- c:\users\TEMP\AppData\Local\temp

2012-09-17 13:31 . 2012-09-17 13:31 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-09-17 13:31 . 2012-09-17 13:31 -------- d-----w- c:\users\Administrator\AppData\Local\temp

2012-09-16 05:13 . 2012-09-16 09:20 -------- d-----w- C:\FRST

2012-09-15 14:47 . 2012-08-02 17:05 490496 ----a-w- c:\windows\system32\d3d10level9.dll

2012-09-14 23:52 . 2012-09-14 23:52 -------- d-----w- c:\users\Sleep\AppData\Roaming\Task Scheduler

2012-09-06 15:12 . 2012-09-17 13:32 -------- d-----w- c:\users\Sleep\AppData\Local\temp

2012-09-02 21:26 . 2012-09-02 21:26 -------- d-----w- c:\users\Sleep\AppData\Roaming\Nitro PDF

2012-09-02 21:18 . 2012-07-16 09:13 27144 ----a-w- c:\windows\system32\nitrolocalmon2.dll

2012-09-02 21:18 . 2012-07-16 09:13 18440 ----a-w- c:\windows\system32\nitrolocalui2.dll

2012-09-02 21:17 . 2012-09-02 21:17 -------- d-----w- c:\programdata\Nitro PDF

2012-09-02 21:17 . 2012-09-02 21:17 -------- d-----w- c:\program files\Nitro PDF

2012-09-02 21:17 . 2012-09-02 21:17 -------- d-----w- c:\program files\Common Files\Nitro PDF

2012-09-02 21:17 . 2012-09-02 21:17 -------- d-----w- c:\users\Sleep\AppData\Roaming\Downloaded Installations

2012-08-30 01:15 . 2012-08-30 01:15 -------- d-----w- c:\users\Sleep\AppData\Roaming\.mono

2012-08-30 01:15 . 2012-08-30 01:15 -------- d-----w- c:\programdata\.mono

2012-08-29 19:09 . 2000-12-06 02:00 109248 ----a-w- c:\windows\system32\MSWINSCK.OCX

2012-08-29 19:09 . 1999-06-03 12:51 381712 ----a-w- c:\windows\system32\MSWLESS.OCX

2012-08-29 19:09 . 1998-06-18 05:00 89360 ----a-w- c:\windows\system32\VB5DB.DLL

2012-08-29 19:09 . 1997-07-19 17:55 1347344 ----a-w- c:\windows\system32\MSVBVM50.DLL

2012-08-29 19:09 . 2000-05-22 02:00 115920 ----a-w- c:\windows\system32\MSINET.OCX

2012-08-29 19:09 . 1998-06-24 02:00 137000 ----a-w- c:\windows\system32\MSMAPI32.OCX

2012-08-22 15:35 . 2012-08-22 17:30 -------- d-----w- c:\programdata\HitmanPro

2012-08-22 10:31 . 2012-08-22 10:31 -------- d-----w- c:\users\Sleep\AppData\Local\{88B67A84-EC44-11E1-8270-B8AC6F996F26}

2012-08-19 07:01 . 2012-08-19 07:01 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-09-07 21:04 . 2012-04-05 23:14 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-08-22 16:59 . 2009-07-13 23:11 259072 ----a-w- c:\windows\system32\services.exe

2012-08-22 10:32 . 2012-04-05 03:36 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-08-22 10:32 . 2011-06-10 13:05 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-08-01 18:13 . 2012-08-01 18:13 35560 ----a-w- c:\windows\system32\drivers\hssdrv6.sys

2012-08-01 18:13 . 2012-08-01 18:13 33512 ----a-w- c:\windows\system32\drivers\taphss.sys

2012-07-18 17:10 . 2012-08-15 04:15 2344448 ----a-w- c:\windows\system32\win32k.sys

2012-07-16 09:14 . 2012-07-16 09:14 69640 ----a-w- c:\windows\system32\NLSSRV32.EXE

2012-07-04 21:23 . 2012-08-15 04:15 41472 ----a-w- c:\windows\system32\browcli.dll

2012-07-04 21:23 . 2012-08-15 04:15 102912 ----a-w- c:\windows\system32\browser.dll

2012-06-29 00:16 . 2012-08-15 07:01 1800704 ----a-w- c:\windows\system32\jscript9.dll

2012-06-29 00:09 . 2012-08-15 07:01 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-06-29 00:08 . 2012-08-15 07:01 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-06-29 00:04 . 2012-08-15 07:01 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-06-29 00:00 . 2012-08-15 07:01 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-07-14 00:17 . 2012-08-12 15:56 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-05-26 1159168]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 136216]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 171032]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-07 421776]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-07-16 307768]

.

c:\users\Sleep\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

HUD 3.6.0.lnk - c:\program files\Fonality\HUD3.6\HUD3.exe [2011-6-7 315392]

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk

backup=c:\windows\pss\QuickBooks Update Agent.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKLM\~\startupfolder\C:^Users^Sleep^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Task Scheduler.lnk]

path=c:\users\Sleep\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Task Scheduler.lnk

backup=c:\windows\pss\Task Scheduler.lnk.Startup

backupExtension=.Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]

2008-07-10 04:05 46368 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

2009-07-26 22:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]

2008-07-10 04:07 29984 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPort11reminder]

2007-08-31 14:01 328992 ----a-w- c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Task Scheduler]

2012-09-14 23:52 129024 ----a-w- c:\users\Sleep\AppData\Roaming\Task Scheduler\Task Scheduler.exe

.

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [x]

R0 TFSysMon;TFSysMon;c:\windows\system32\drivers\TfSysMon.sys [x]

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]

R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]

R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

S0 nlem32nt;nlem32nt; [x]

S1 HssDRV6;Hotspot Shield Routing Driver 6;c:\windows\system32\DRIVERS\hssdrv6.sys [x]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]

S2 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [x]

S2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [x]

S2 hshld;Hotspot Shield Service;c:\program files\Hotspot Shield\bin\openvpnas.exe [x]

S2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe [x]

S2 NitroDriverReadSpool2;NitroPDFDriverCreatorReadSpool2;c:\program files\Nitro PDF\Professional 7\NitroPDFDriverService2.exe [x]

S2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\NLSSRV32.EXE [x]

S3 BrSerIb;Brother MFC Serial Interface Driver(WDM);c:\windows\system32\DRIVERS\BrSerIb.sys [x]

S3 BrUsbSIb;Brother MFC Serial USB Driver(WDM);c:\windows\system32\DRIVERS\BrUsbSIb.sys [x]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]

S3 VIACRX86;VIACRX86;c:\windows\system32\DRIVERS\viacr.sys [x]

.

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - 90312042

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

pinetmgr

sscdbus

NWSLP

procexp90

WacomVKHid

usb_rndisx

lhidusb

winpowerrmi

TSHWMDTCP

w200mdfl

radclock

cebdaldr

dm1service

fasttrackinstallerservice

se27unic

ups

ma_cmidi_installerservice

tosrfsnd

GoToAssist

.

Contents of the 'Scheduled Tasks' folder

.

2012-09-17 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 10:32]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mWindow Title =

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 10.1.10.1

FF - ProfilePath - c:\users\Sleep\AppData\Roaming\Mozilla\Firefox\Profiles\zhni10w2.default\

FF - prefs.js: network.proxy.type - 0

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,43,54,b3,07,38,b7,c2,43,97,80,7b,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,43,54,b3,07,38,b7,c2,43,97,80,7b,\

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\WLANExt.exe

c:\windows\system32\conhost.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Hotspot Shield\HssWPR\hsssrv.exe

c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe

c:\windows\system32\taskhost.exe

c:\windows\system32\conhost.exe

c:\program files\Hotspot Shield\bin\openvpntray.exe

c:\windows\system32\sppsvc.exe

.

**************************************************************************

.

Completion time: 2012-09-17 09:35:51 - machine was rebooted

ComboFix-quarantined-files.txt 2012-09-17 13:35

ComboFix2.txt 2012-09-16 05:00

ComboFix3.txt 2012-09-15 14:12

ComboFix4.txt 2012-09-06 15:17

ComboFix5.txt 2012-09-17 13:24

.

Pre-Run: 261,879,013,376 bytes free

Post-Run: 261,843,267,584 bytes free

.

- - End Of File - - 3947BBFDD9FEF2027DE188C25ADA7B64


Yes it does. I'm unable to access the Desktop or the Start menu. I pressed ALT+CTRL+DEL, accessed the Task Manager, and deleted Task Scheduler under the Processes tab. The program closes, but the desktop items and taskbar don't show up. Just a blank screen. I rebooted the computer into Safe Mode with Networking, logged into System Configuration (msconfig), and disabled both Task Schedulers under the Start-Up tab (why are there two??). Rebooted the computer. Everything seems fine when it's disabled. But that means this hasn't been resolved, just suppressed.

Below are screenshots of both Task Schedulers.

(three screenshots attached)


Hey mdv_1999. :)

Please follow these instructions to remove the remaining malicious entries:

  • Please close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open Notepad and copy/paste the text in the quotebox below into it:
    Please Note: Do NOT use any other text editor than Notepad or the CFScript will fail.

    killall::
    File::
    c:\users\Sleep\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Task Scheduler.lnk
    Folder::
    c:\users\Sleep\AppData\Roaming\Task Scheduler\
    Registry::
    [-HKLM\~\startupfolder\C:^Users^Sleep^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Task Scheduler.lnk]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Task Scheduler]
  • Save this as CFScript.txt, in the same location as ComboFix.exe.
    CFScriptB-4.gif
  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at C:\ComboFix.txt.

Please post the ComboFix.txt in your next reply.

Does it still remain?
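
The CFScript above removes the persistence by hand: the Startup-folder shortcut, the folder holding Task Scheduler.exe, and the two keys msconfig created when the items were unticked. The script below is an added example written for this page, not code from the thread, ComboFix or msconfig. It walks the same autostart locations that ComboFix's "Reg Loading Points" section lists (Run/RunOnce values, the Startup folders, and the startupreg/startupfolder keys under HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig) and flags every launch target that lives under %APPDATA%, %LOCALAPPDATA%, %TEMP% or the Public profile, which is where Task Scheduler.exe sat. It also explains the "why are there two" question from the post above: one item was a Run value, the other a Startup-folder shortcut, and msconfig disables rather than deletes them. The function names, the C:\Quarantine folder and the list of user-writable roots are choices made for this example.

```powershell
# Added example, not code from the thread, ComboFix or msconfig. Audits the
# autostart locations ComboFix's "Reg Loading Points" section covers and flags
# any launch target that lives in a user-writable profile directory. Report-only
# unless -Quarantine is given; then the flagged binary, its shortcut and its
# launch entry are moved to C:\Quarantine\<timestamp> (a folder name chosen for
# this example). PS 2.0 syntax so it runs on Windows 7 RTM; run elevated.
param([switch]$Quarantine)

$suspectRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }
$shell = New-Object -ComObject WScript.Shell
$entries = @()

# Executable path out of a command line: "C:\x y\a.exe" /q, C:\a.exe /q, %APPDATA%\a.exe
function Get-LaunchTarget([string]$command) {
    if (-not $command) { return $null }
    $command = [Environment]::ExpandEnvironmentVariables($command.Trim())
    if ($command -match '^"([^"]+)"') { return $matches[1] }
    if ($command -match '^(.+?\.(exe|dll|scr|bat|cmd|vbs|js))(\s|$)') { return $matches[1] }
    return $command
}

function Test-UserWritable([string]$path) {
    if (-not $path) { return $false }
    foreach ($root in $suspectRoots) {
        if ($path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Add-Entry($kind, $source, $name, $target, $item, $backup) {
    $script:entries += New-Object PSObject -Property @{
        Kind = $kind; Source = $source; Name = $name; Target = $target; Item = $item; Backup = $backup }
}

# 1. Run and RunOnce values for the machine and the current user
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce') {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty $key
    foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        Add-Entry 'Value' $key $prop.Name (Get-LaunchTarget $prop.Value) $null $null
    }
}

# 2. Startup folders: resolve .lnk shortcuts to what they actually launch
foreach ($dir in "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                 "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup") {
    foreach ($f in (Get-ChildItem $dir -ErrorAction SilentlyContinue | Where-Object { -not $_.PSIsContainer })) {
        $target = if ($f.Extension -eq '.lnk') { $shell.CreateShortcut($f.FullName).TargetPath } else { $f.FullName }
        Add-Entry 'File' $dir $f.Name $target $f.FullName $null
    }
}

# 3. Items unticked in msconfig are not deleted: a Run value is parked under
#    startupreg\<name> (value "command") and a Startup-folder shortcut under
#    startupfolder\<name>, with the .lnk itself moved to C:\Windows\pss. That is
#    why the thread shows two "Task Scheduler" items: one Run value and one
#    Startup-folder shortcut, both pointing at the same exe in AppData\Roaming.
$msconfig = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig'
foreach ($k in (Get-ChildItem "$msconfig\startupreg" -ErrorAction SilentlyContinue)) {
    $p = Get-ItemProperty $k.PSPath
    Add-Entry 'Key' "$msconfig\startupreg" $k.PSChildName (Get-LaunchTarget $p.command) $k.PSPath $null
}
foreach ($k in (Get-ChildItem "$msconfig\startupfolder" -ErrorAction SilentlyContinue)) {
    $p = Get-ItemProperty $k.PSPath
    $target = if ($p.backup -and (Test-Path $p.backup)) { $shell.CreateShortcut($p.backup).TargetPath } else { $null }
    Add-Entry 'Key' "$msconfig\startupfolder" $k.PSChildName $target $k.PSPath $p.backup
}

# Report everything, then act only on entries launched from user-writable paths
$entries | Sort-Object Source, Name | Format-Table Name, Target, Source -AutoSize
foreach ($e in ($entries | Where-Object { Test-UserWritable $_.Target })) {
    Write-Warning "'$($e.Name)' in $($e.Source) launches $($e.Target)"
    if (-not $Quarantine) { continue }
    $dest = 'C:\Quarantine\' + (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item $dest -ItemType Directory -Force | Out-Null
    foreach ($f in @($e.Target, $e.Item, $e.Backup)) {   # binary, shortcut, pss backup
        if ($f -and (Test-Path $f) -and -not (Test-Path $f -PathType Container)) { Move-Item $f $dest -Force }
    }
    switch ($e.Kind) {
        'Value' { Remove-ItemProperty -Path $e.Source -Name $e.Name }
        'Key'   { Remove-Item -Path $e.Item -Recurse }
    }
}
```

Run it from Safe Mode, as the thread does: a sample that is still running holds its executable open and Move-Item fails on it, which is what ComboFix's killall:: line works around. Check the Target column before passing -Quarantine; installers that drop a legitimate updater under AppData (the Java updater is one such case) will be flagged by the same rule.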


No, much better.

  • ComboFix.txt

ComboFix 12-09-18.06 - Sleep 09/18/2012 12:06:49.9.2 - x86

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2013.1344 [GMT -4:00]

Running from: c:\users\Sleep\Downloads\ComboFix.exe

Command switches used :: c:\users\Sleep\Downloads\CFScript.txt

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

FILE ::

"c:\users\Sleep\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Task Scheduler.lnk"

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\Sleep\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Task Scheduler.lnk

c:\users\Sleep\AppData\Roaming\Task Scheduler

c:\users\Sleep\AppData\Roaming\Task Scheduler\Task Scheduler.exe

.

.

((((((((((((((((((((((((( Files Created from 2012-08-18 to 2012-09-18 )))))))))))))))))))))))))))))))

.

.

2012-09-18 16:12 . 2012-09-18 16:14 -------- d-----w- c:\users\Sleep\AppData\Local\temp

2012-09-18 16:12 . 2012-09-18 16:12 -------- d-----w- c:\users\Public\AppData\Local\temp

2012-09-18 16:12 . 2012-09-18 16:12 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-09-18 16:12 . 2012-09-18 16:12 -------- d-----w- c:\users\TEMP\AppData\Local\temp

2012-09-18 16:12 . 2012-09-18 16:12 -------- d-----w- c:\users\Administrator\AppData\Local\temp

2012-09-17 13:55 . 2012-09-17 13:55 -------- d-----w- c:\program files\Common Files\Java

2012-09-17 13:55 . 2012-09-17 13:55 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

2012-09-16 05:13 . 2012-09-16 09:20 -------- d-----w- C:\FRST

2012-09-15 14:47 . 2012-08-02 17:05 490496 ----a-w- c:\windows\system32\d3d10level9.dll

2012-09-02 21:26 . 2012-09-02 21:26 -------- d-----w- c:\users\Sleep\AppData\Roaming\Nitro PDF

2012-09-02 21:18 . 2012-07-16 09:13 27144 ----a-w- c:\windows\system32\nitrolocalmon2.dll

2012-09-02 21:18 . 2012-07-16 09:13 18440 ----a-w- c:\windows\system32\nitrolocalui2.dll

2012-09-02 21:17 . 2012-09-02 21:17 -------- d-----w- c:\programdata\Nitro PDF

2012-09-02 21:17 . 2012-09-02 21:17 -------- d-----w- c:\program files\Nitro PDF

2012-09-02 21:17 . 2012-09-02 21:17 -------- d-----w- c:\program files\Common Files\Nitro PDF

2012-09-02 21:17 . 2012-09-02 21:17 -------- d-----w- c:\users\Sleep\AppData\Roaming\Downloaded Installations

2012-08-30 01:15 . 2012-08-30 01:15 -------- d-----w- c:\users\Sleep\AppData\Roaming\.mono

2012-08-30 01:15 . 2012-08-30 01:15 -------- d-----w- c:\programdata\.mono

2012-08-29 19:09 . 2000-12-06 02:00 109248 ----a-w- c:\windows\system32\MSWINSCK.OCX

2012-08-29 19:09 . 1999-06-03 12:51 381712 ----a-w- c:\windows\system32\MSWLESS.OCX

2012-08-29 19:09 . 1998-06-18 05:00 89360 ----a-w- c:\windows\system32\VB5DB.DLL

2012-08-29 19:09 . 1997-07-19 17:55 1347344 ----a-w- c:\windows\system32\MSVBVM50.DLL

2012-08-29 19:09 . 2000-05-22 02:00 115920 ----a-w- c:\windows\system32\MSINET.OCX

2012-08-29 19:09 . 1998-06-24 02:00 137000 ----a-w- c:\windows\system32\MSMAPI32.OCX

2012-08-22 15:35 . 2012-08-22 17:30 -------- d-----w- c:\programdata\HitmanPro

2012-08-22 10:31 . 2012-08-22 10:31 -------- d-----w- c:\users\Sleep\AppData\Local\{88B67A84-EC44-11E1-8270-B8AC6F996F26}

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-09-17 13:55 . 2012-05-03 12:44 821736 ----a-w- c:\windows\system32\npdeployJava1.dll

2012-09-07 21:04 . 2012-04-05 23:14 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-08-22 16:59 . 2009-07-13 23:11 259072 ----a-w- c:\windows\system32\services.exe

2012-08-22 10:32 . 2012-04-05 03:36 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-08-22 10:32 . 2011-06-10 13:05 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-08-01 18:13 . 2012-08-01 18:13 35560 ----a-w- c:\windows\system32\drivers\hssdrv6.sys

2012-08-01 18:13 . 2012-08-01 18:13 33512 ----a-w- c:\windows\system32\drivers\taphss.sys

2012-07-18 17:10 . 2012-08-15 04:15 2344448 ----a-w- c:\windows\system32\win32k.sys

2012-07-16 09:14 . 2012-07-16 09:14 69640 ----a-w- c:\windows\system32\NLSSRV32.EXE

2012-07-04 21:23 . 2012-08-15 04:15 41472 ----a-w- c:\windows\system32\browcli.dll

2012-07-04 21:23 . 2012-08-15 04:15 102912 ----a-w- c:\windows\system32\browser.dll

2012-06-29 00:16 . 2012-08-15 07:01 1800704 ----a-w- c:\windows\system32\jscript9.dll

2012-06-29 00:09 . 2012-08-15 07:01 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-06-29 00:08 . 2012-08-15 07:01 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-06-29 00:04 . 2012-08-15 07:01 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-06-29 00:00 . 2012-08-15 07:01 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-07-14 00:17 . 2012-08-12 15:56 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-05-26 1159168]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 136216]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 171032]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-07 421776]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-07-16 307768]

.

c:\users\Sleep\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

HUD 3.6.0.lnk - c:\program files\Fonality\HUD3.6\HUD3.exe [2011-6-7 315392]

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk

backup=c:\windows\pss\QuickBooks Update Agent.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]

2008-07-10 04:05 46368 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

2009-07-26 22:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]

2008-07-10 04:07 29984 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPort11reminder]

2007-08-31 14:01 328992 ----a-w- c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe

.

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [x]

R0 TFSysMon;TFSysMon;c:\windows\system32\drivers\TfSysMon.sys [x]

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]

R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]

R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

S0 nlem32nt;nlem32nt; [x]

S1 HssDRV6;Hotspot Shield Routing Driver 6;c:\windows\system32\DRIVERS\hssdrv6.sys [x]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]

S2 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [x]

S2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [x]

S2 hshld;Hotspot Shield Service;c:\program files\Hotspot Shield\bin\openvpnas.exe [x]

S2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe [x]

S2 NitroDriverReadSpool2;NitroPDFDriverCreatorReadSpool2;c:\program files\Nitro PDF\Professional 7\NitroPDFDriverService2.exe [x]

S2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\NLSSRV32.EXE [x]

S3 BrSerIb;Brother MFC Serial Interface Driver(WDM);c:\windows\system32\DRIVERS\BrSerIb.sys [x]

S3 BrUsbSIb;Brother MFC Serial USB Driver(WDM);c:\windows\system32\DRIVERS\BrUsbSIb.sys [x]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]

S3 VIACRX86;VIACRX86;c:\windows\system32\DRIVERS\viacr.sys [x]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

pinetmgr

sscdbus

NWSLP

procexp90

WacomVKHid

usb_rndisx

lhidusb

winpowerrmi

TSHWMDTCP

w200mdfl

radclock

cebdaldr

dm1service

fasttrackinstallerservice

se27unic

ups

ma_cmidi_installerservice

tosrfsnd

GoToAssist

.

Contents of the 'Scheduled Tasks' folder

.

2012-09-18 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 10:32]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mWindow Title =

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.2.1

FF - ProfilePath - c:\users\Sleep\AppData\Roaming\Mozilla\Firefox\Profiles\zhni10w2.default\

FF - prefs.js: network.proxy.type - 0

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-Task Scheduler - c:\users\Sleep\AppData\Roaming\Task Scheduler\Task Scheduler.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,43,54,b3,07,38,b7,c2,43,97,80,7b,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,43,54,b3,07,38,b7,c2,43,97,80,7b,\

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\WLANExt.exe

c:\windows\system32\conhost.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Hotspot Shield\HssWPR\hsssrv.exe

c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe

c:\windows\system32\taskhost.exe

c:\windows\system32\conhost.exe

c:\program files\Hotspot Shield\bin\openvpntray.exe

c:\windows\system32\sppsvc.exe

c:\\?\c:\windows\system32\wbem\WMIADAP.EXE

.

**************************************************************************

.

Completion time: 2012-09-18 12:17:39 - machine was rebooted

ComboFix-quarantined-files.txt 2012-09-18 16:17

ComboFix2.txt 2012-09-17 13:35

ComboFix3.txt 2012-09-16 05:00

ComboFix4.txt 2012-09-15 14:12

ComboFix5.txt 2012-09-18 16:05

.

Pre-Run: 261,073,063,936 bytes free

Post-Run: 261,254,696,960 bytes free

.

- - End Of File - - 571A43EC8C192E791C0F8AD1D13D6863


Hey mdv_1999. :)

No, much better

Great!

Please run a free online scan with the ESET Online Scanner.

Note: You can use Internet Explorer or Mozilla Firefox for this scan.

  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start.
  • When asked, allow the ActiveX control to install.
  • Click Start.
  • Make sure that the option Remove found threats is unchecked and the option Scan unwanted applications is checked.
  • Click Scan.
    Wait for the scan to finish.
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.


Hello mdv_1999. :)

Please download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


  • Checkup.txt

Results of screen317's Security Check version 0.99.51

Windows 7 x86 (UAC is enabled)

Out of date service pack!!

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

WMI entry may not exist for antivirus; attempting automatic update.

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.65.0.1400

AVG PC Tuneup 2011

CCleaner

Java 6 Update 32

Java 7 Update 7

Adobe Reader X 10.1.3 Adobe Reader out of Date!

Mozilla Firefox 14.0.1 Firefox out of Date!

````````Process Check: objlist.exe by Laurent````````

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 0%

````````````````````End of Log``````````````````````


Hey mdv_1999. :)

Please do the following updates. Your Windows and Internet Explorer are out of date and by updating to the latest Service Packs you will minimise the risk of future infections through these security patches and fixes.

Service Pack 1 (SP1) is an extremely important update for Vista and Windows 7 and will help reduce the chance of an infection through security patches. I strongly recommend you install this update.

Please open Internet Explorer and follow the instructions below to update Windows:

  • Go to this link: Windows Update
  • Download all the Critical updates, making sure you have selected SP1.
  • Once they have been installed, please revisit Windows Update and select any further Critical updates.

Note:

It will be necessary for you to restart the computer during the updates, and return to the Windows Update site several times before all critical updates are installed.

IMPORTANT: Please enable Automatic Updates under Start > Control Panel > Automatic Updates to ensure your Windows updates regularly. This is extremely important in ensuring you remain protected against vulnerabilities and infections.

======

Next, your version of Adobe Reader is out of date. It could have security vulnerabilities, so please follow these instructions to update it:

  • Please go to Start>All Programs>Adobe Reader.
  • Open Adobe Reader and navigate to Help>Check for Updates.
  • Please follow the prompts to install the latest version.

Finally, your version of Mozilla Firefox is out of date. Please do the following to update it:

  • Go to Start>All Programs>Mozilla Firefox.
  • Click Firefox>Help>About Firefox.
  • Let it search for any updates and install them when found.
  • Please restart your computer if prompted.

==========

In your next post please let me know how the updates go and if there are any remaining issues on your computer.

