merrell056

Java exploit removed, still see ads

20 posts in this topic

Hello! Recently I picked up a virus off of a link on reddit and discovered the following on Microsoft Security Essentials:

Exploit:Java/CVE-2012-4681.TN

Exploit:Java/CVE-2012-4681.TF

Exploit:Java/CVE-2012-4681.TV

Exploit:Java/CVE-2012-4681.TS

I removed them, updated Java and continued browsing only to find I had pop-up ads in my Chrome browser. After some research I found I had ads popping up in Chrome, Firefox, IE (32 and 64 bit) and even in my World of Warcraft launcher. I have tried everything that I can think of to find the source. I have tried Ad-Aware, Microsoft SE, Malwarebytes, Spybot, Kaspersky and several other antivirus/malware programs and nothing finds it. According to Google searches it appears this is a Java vulnerability that is supposed to be fixed in version 7 update 7; however, after updating I still have ads. Please help! Below is the requested information from DDS.txt. Attach.txt is attached only because I see in the DDS.txt that it refers to the attach.txt file. Thank you in advance.

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.7.2

Run by Meshugga at 7:04:56 on 2012-09-28

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8169.6451 [GMT -7:00]

.

AV: Lavasoft Ad-Aware *Enabled/Updated* {445B48C3-0FA4-6B16-8F07-6506F305D800}

SP: Lavasoft Ad-Aware *Enabled/Updated* {FF3AA927-299E-6498-B5B7-5E74888292BD}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

FW: Lavasoft Ad-Aware *Disabled* {7C60C9E6-45CB-6A4E-A458-CC330DD69F7B}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe

C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareService.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\HP\HPBDSService\HPBDSService.exe

C:\Windows\System32\svchost.exe -k HPZ12

C:\Windows\System32\svchost.exe -k HPZ12

C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe

C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\svchost.exe -k bthsvcs

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\System32\rundll32.exe

C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exe

C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Logitech\SetPointP\SetPoint.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\PROGRA~2\AD-AWA~1\AdAware.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files (x86)\Ad-Aware Antivirus\SBAMSvc.exe

C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE

C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\DataProxy.exe

C:\Windows\system32\conhost.exe

C:\Program Files\Logitech\SetPointG\SetPointII.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Users\Meshugga\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Meshugga\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Meshugga\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Meshugga\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Meshugga\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Meshugga\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cscript.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

mWinlogon: Userinit=userinit.exe,

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll

uRun: [Google Update] "C:\Users\Meshugga\AppData\Local\Google\Update\GoogleUpdate.exe" /c

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe"

mRun: [Ad-Aware Antivirus] "C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareLauncher" --windows-run

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~2\Office14\ONBttnIE.dll/105

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

DPF: {A4150320-98EC-4DB6-9BFB-EBF4B6FBEB16} - hxxp://192.168.1.3/codebase/DVM_IPCam2.ocx

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{B28B40ED-9057-4684-A805-CECB267068FB} : DhcpNameServer = 209.18.47.61 209.18.47.62

TCP: Interfaces\{B6255159-A8E2-416E-9C0C-5414BF4D0AED} : DhcpNameServer = 192.168.1.1

TCP: Interfaces\{B6255159-A8E2-416E-9C0C-5414BF4D0AED}\1584F64756C616E646350716 : DhcpNameServer = 64.126.4.189 64.126.4.193

TCP: Interfaces\{B6255159-A8E2-416E-9C0C-5414BF4D0AED}\35351363 : DhcpNameServer = 8.8.8.8 8.8.4.4

TCP: Interfaces\{B6255159-A8E2-416E-9C0C-5414BF4D0AED}\35454313 : DhcpNameServer = 10.0.0.1

TCP: Interfaces\{B6255159-A8E2-416E-9C0C-5414BF4D0AED}\35B49584142524F42502055524C494340275C414E4 : DhcpNameServer = 8.8.8.8 8.8.4.4

TCP: Interfaces\{B6255159-A8E2-416E-9C0C-5414BF4D0AED}\8686F6E6F62737 : DhcpNameServer = 107.16.59.1 64.134.255.2 64.134.255.10

TCP: Interfaces\{B6255159-A8E2-416E-9C0C-5414BF4D0AED}\C616175796E64716 : DhcpNameServer = 8.8.8.8 8.8.4.4

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL

BHO-X64: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll

BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL

BHO-X64: URLRedirectionBHO - No File

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll

mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun-x64: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe"

mRun-x64: [Ad-Aware Antivirus] "C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareLauncher" --windows-run

SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL

Hosts: 72.29.93.243 www.google-analytics.com.

Hosts: 72.29.93.243 ad-emea.doubleclick.net.

Hosts: 72.29.93.243 www.statcounter.com.

Hosts: 64.27.10.42 www.google-analytics.com.

Hosts: 64.27.10.42 ad-emea.doubleclick.net.

.

Note: multiple HOSTS entries found. Please refer to Attach.txt

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Meshugga\AppData\Roaming\Mozilla\Firefox\Profiles\sgvhlo1r.default\

FF - plugin: C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL

FF - plugin: C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL

FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll

FF - plugin: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll

FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll

FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll

FF - plugin: C:\Users\Meshugga\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_278.dll

FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll

FF - plugin: C:\Windows\SysWOW64\npmproxy.dll

.

============= SERVICES / DRIVERS ===============

.

R1 SBRE;SBRE;C:\Windows\System32\drivers\SBREDrv.sys [2011-10-26 101112]

R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]

R2 Ad-Aware Service;Ad-Aware Service;C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareService.exe [2012-9-20 1236368]

R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-4-3 63928]

R2 HP DS Service;HP DS Service;C:\Program Files (x86)\HP\HPBDSService\HPBDSService.exe [2010-10-27 13824]

R2 SBAMSvc;Ad-Aware;C:\Program Files (x86)\Ad-Aware Antivirus\SBAMSvc.exe [2011-12-19 3289032]

R2 sbapifs;sbapifs;C:\Windows\system32\DRIVERS\sbapifs.sys --> C:\Windows\system32\DRIVERS\sbapifs.sys [?]

R2 SplashtopRemoteService;Splashtop® Remote Service;C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe [2012-9-3 548264]

R2 SSUService;Splashtop Software Updater Service;C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe [2012-3-14 370504]

R2 vpnagent;Cisco AnyConnect VPN Agent;C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2010-5-5 583360]

R3 FLxHCIc;Fresco Logic xHCI (USB3) Device Driver;C:\Windows\system32\DRIVERS\FLxHCIc.sys --> C:\Windows\system32\DRIVERS\FLxHCIc.sys [?]

R3 FLxHCIh;Fresco Logic xHCI (USB3) Hub Device Driver;C:\Windows\system32\DRIVERS\FLxHCIh.sys --> C:\Windows\system32\DRIVERS\FLxHCIh.sys [?]

R3 MBfilt;MBfilt;C:\Windows\system32\drivers\MBfilt64.sys --> C:\Windows\system32\drivers\MBfilt64.sys [?]

R3 MEIx64;Intel® Management Engine Interface ;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]

R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-6-7 160944]

S3 HPFXBULKLEDM;HPFXBULKLEDM;C:\Windows\system32\drivers\hppdbulkio.sys --> C:\Windows\system32\drivers\hppdbulkio.sys [?]

S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;C:\Windows\system32\DRIVERS\LEqdUsb.Sys --> C:\Windows\system32\DRIVERS\LEqdUsb.Sys [?]

S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;C:\Windows\system32\DRIVERS\LHidEqd.Sys --> C:\Windows\system32\DRIVERS\LHidEqd.Sys [?]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-6-12 31125880]

S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]

S3 RSUSBVSTOR;RtsUVStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUVStor.sys --> C:\Windows\system32\Drivers\RtsUVStor.sys [?]

S3 SaiH8000;SaiH8000;C:\Windows\system32\DRIVERS\SaiH8000.sys --> C:\Windows\system32\DRIVERS\SaiH8000.sys [?]

S3 sbhips;sbhips;C:\Windows\system32\drivers\sbhips.sys --> C:\Windows\system32\drivers\sbhips.sys [?]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]

S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]

S3 WMZuneComm;Zune Windows Mobile Connectivity Service;C:\Program Files\Zune\WMZuneComm.exe [2011-8-5 306400]

S3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\system32\DRIVERS\WSDPrint.sys --> C:\Windows\system32\DRIVERS\WSDPrint.sys [?]

.

=============== Created Last 30 ================

.

2012-09-28 01:36:39 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy

2012-09-28 01:36:39 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy

2012-09-27 21:05:12 -------- d-----w- C:\Users\Meshugga\AppData\Roaming\LavasoftStatistics

2012-09-27 21:02:20 60536 ----a-w- C:\Windows\System32\drivers\sbhips.sys

2012-09-27 21:02:20 57976 ----a-w- C:\Windows\System32\drivers\sbredrv.sys

2012-09-27 21:02:20 45936 ----a-w- C:\Windows\System32\sbbd.exe

2012-09-27 21:02:18 -------- d-----w- C:\Program Files (x86)\Ad-Aware Antivirus

2012-09-27 21:02:07 -------- d-----w- C:\Users\Meshugga\AppData\Local\Downloaded Installations

2012-09-27 21:01:40 -------- d-----w- C:\ProgramData\blekko toolbars

2012-09-27 21:01:39 -------- d-----w- C:\Users\Meshugga\AppData\Local\adawarebp

2012-09-27 21:01:39 -------- d-----w- C:\ProgramData\Ad-Aware Browsing Protection

2012-09-27 21:01:34 -------- d-----w- C:\Program Files (x86)\adawaretb

2012-09-27 21:01:33 -------- d-----w- C:\Program Files (x86)\Toolbar Cleaner

2012-09-27 20:54:13 -------- d-----w- C:\Users\Meshugga\AppData\Roaming\Ad-Aware Antivirus

2012-09-27 18:48:38 9308616 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{0C52F5A2-919E-44FF-8AE3-4C7584CCC629}\mpengine.dll

2012-09-27 05:18:39 -------- d-----w- C:\Users\Meshugga\AppData\Local\Macromedia

2012-09-26 15:35:03 245760 ----a-w- C:\Windows\System32\OxpsConverter.exe

2012-09-23 21:50:52 95208 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll

2012-09-23 21:49:08 108008 ----a-w- C:\Windows\System32\WindowsAccessBridge-64.dll

2012-09-13 05:43:03 -------- d-----w- C:\Users\Meshugga\AppData\Roaming\minmaxgames

2012-09-12 16:30:28 950128 ----a-w- C:\Windows\System32\drivers\ndis.sys

2012-09-12 16:30:28 41472 ----a-w- C:\Windows\System32\drivers\RNDISMP.sys

2012-09-12 16:30:27 574464 ----a-w- C:\Windows\System32\d3d10level9.dll

2012-09-12 16:30:27 490496 ----a-w- C:\Windows\SysWow64\d3d10level9.dll

2012-09-12 16:30:26 376688 ----a-w- C:\Windows\System32\drivers\netio.sys

2012-09-12 16:30:26 288624 ----a-w- C:\Windows\System32\drivers\FWPKCLNT.SYS

2012-09-12 16:30:26 1913200 ----a-w- C:\Windows\System32\drivers\tcpip.sys

2012-09-07 17:12:22 -------- d-----w- C:\Users\Meshugga\AppData\Local\{646C1DD5-B133-46BD-B38C-18CB744E0217}

2012-09-01 21:25:01 -------- d-----w- C:\Program Files (x86)\Canon

.

==================== Find3M ====================

.

2012-09-27 02:42:29 696240 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2012-09-27 02:42:28 73136 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2012-09-23 21:50:48 821736 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll

2012-09-23 21:49:02 916456 ----a-w- C:\Windows\System32\deployJava1.dll

2012-09-23 21:49:02 1034216 ----a-w- C:\Windows\System32\npDeployJava1.dll

2012-09-23 00:23:15 746984 ----a-w- C:\Windows\SysWow64\deployJava1.dll

2012-09-18 04:16:21 18960 ----a-w- C:\Windows\System32\drivers\LNonPnP.sys

2012-09-08 00:04:46 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys

2012-08-24 10:31:32 2312704 ----a-w- C:\Windows\System32\jscript9.dll

2012-08-24 10:21:18 1392128 ----a-w- C:\Windows\System32\wininet.dll

2012-08-24 10:20:11 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl

2012-08-24 10:14:45 173056 ----a-w- C:\Windows\System32\ieUnatt.exe

2012-08-24 10:13:29 599040 ----a-w- C:\Windows\System32\vbscript.dll

2012-08-24 10:09:42 2382848 ----a-w- C:\Windows\System32\mshtml.tlb

2012-08-24 06:59:17 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll

2012-08-24 06:51:27 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll

2012-08-24 06:51:02 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl

2012-08-24 06:47:26 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe

2012-08-24 06:47:12 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll

2012-08-24 06:43:58 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2012-07-18 18:15:06 3148800 ----a-w- C:\Windows\System32\win32k.sys

2012-07-12 17:19:28 348160 ----a-w- C:\Windows\SysWow64\msvcr71.dll

2012-07-12 17:19:28 1700352 ----a-w- C:\Windows\SysWow64\gdiplus.dll

2012-07-12 17:19:28 1060864 ----a-w- C:\Windows\SysWow64\mfc71.dll

2012-07-06 20:07:42 552960 ----a-w- C:\Windows\System32\drivers\bthport.sys

2012-07-04 22:13:27 59392 ----a-w- C:\Windows\System32\browcli.dll

2012-07-04 22:13:27 136704 ----a-w- C:\Windows\System32\browser.dll

2012-07-04 21:14:34 41984 ----a-w- C:\Windows\SysWow64\browcli.dll

.

============= FINISH: 7:05:34.33 ===============

Attach.zip


Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC


It's saying it found something called Zeroaccess.

Thanks for your help!

RogueKiller V8.1.0 [09/28/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website: http://tigzy.geekstogo.com/roguekiller.php

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Meshugga [Admin rights]

Mode : Scan -- Date : 09/28/2012 07:53:12

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 8 ¤¤¤

[TASK][BLACKLIST DLL] ProgramDataUpdater : C:\Windows\System32\rundll32.exe aepdu.dll,AePduRunUpdate -> FOUND

[TASK][BLACKLIST DLL] Proxy : C:\Windows\System32\rundll32.exe /d acproxy.dll,PerformAutochkOperations -> FOUND

[TASK][BLACKLIST DLL] SR : C:\Windows\System32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation -> FOUND

[TASK][BLACKLIST DLL] IpAddressConflict1 : C:\Windows\System32\rundll32.exe ndfapi.dll,NdfRunDllDuplicateIPOffendingSystem -> FOUND

[TASK][BLACKLIST DLL] IpAddressConflict2 : C:\Windows\System32\rundll32.exe ndfapi.dll,NdfRunDllDuplicateIPDefendingSystem -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-21-3445159540-2488400749-1242385073-1000\$0165b297d61ce7bc47d0bf5130a73568\n.) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-3445159540-2488400749-1242385073-1000\$0165b297d61ce7bc47d0bf5130a73568\@ --> FOUND

[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-3445159540-2488400749-1242385073-1000\$0165b297d61ce7bc47d0bf5130a73568\U --> FOUND

[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-3445159540-2488400749-1242385073-1000\$0165b297d61ce7bc47d0bf5130a73568\L --> FOUND

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost

::1 localhost

72.29.93.243 www.google-analytics.com.

72.29.93.243 ad-emea.doubleclick.net.

72.29.93.243 www.statcounter.com.

64.27.10.42 www.google-analytics.com.

64.27.10.42 ad-emea.doubleclick.net.

64.27.10.42 www.statcounter.com.

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST95005620AS ATA Device +++++

--- User ---

[MBR] baa84ee69dbfcd9da426b39ea27a274d

[BSP] b8e681ec20f3f51e484d81d4ade624cc : Windows 7 MBR Code

Partition table:

0 - [XXXXXX] FAT32-LBA (0x1c) [HIDDEN!] Offset (sectors): 63 | Size: 22003 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 45064192 | Size: 100 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 45268992 | Size: 454835 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: ST95005620AS ATA Device +++++

--- User ---

[MBR] 03e62ab70b2e6e8b8d9505a7d4c35b9e

[BSP] e6c2cebec9d5914c6fe029aa4b621d92 : Windows Vista/7 MBR Code

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 476937 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>

RKreport[1].txt


Run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest: (if found)

[TASK][BLACKLIST DLL] ProgramDataUpdater : C:\Windows\System32\rundll32.exe aepdu.dll,AePduRunUpdate -> FOUND

[TASK][BLACKLIST DLL] Proxy : C:\Windows\System32\rundll32.exe /d acproxy.dll,PerformAutochkOperations -> FOUND

[TASK][BLACKLIST DLL] SR : C:\Windows\System32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation -> FOUND

[TASK][BLACKLIST DLL] IpAddressConflict1 : C:\Windows\System32\rundll32.exe ndfapi.dll,NdfRunDllDuplicateIPOffendingSystem -> FOUND

[TASK][BLACKLIST DLL] IpAddressConflict2 : C:\Windows\System32\rundll32.exe ndfapi.dll,NdfRunDllDuplicateIPDefendingSystem -> FOUND

[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-21-3445159540-2488400749-1242385073-1000\$0165b297d61ce7bc47d0bf5130a73568\n.) -> FOUND

Now click Delete on the right hand column under Options

-------------

Next click on the Files tab and put a check next to these and uncheck the rest. (if found)

[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-3445159540-2488400749-1242385073-1000\$0165b297d61ce7bc47d0bf5130a73568\@ --> FOUND

[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-3445159540-2488400749-1242385073-1000\$0165b297d61ce7bc47d0bf5130a73568\U --> FOUND

[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-3445159540-2488400749-1242385073-1000\$0165b297d61ce7bc47d0bf5130a73568\L --> FOUND

Now click Delete on the right hand column under Options

-----------------

Next click Fix Host on the right hand column under Options

----------------

Please read the directions carefully so you don't end up deleting something that is good!!

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
    Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
  • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC


All done. The TDSSKiller found 3 suspicious objects all classified as unsigned files:

HP DS Service

Net Driver HPZ12

Prnl Driver HPZ12

I chose skip. The registry entries were there and it said my hosts file had been repaired. Should I be clean now? I will check and see if I have any ads once I get to work. I have to leave in a few minutes. Thanks for all of your help so far!


I still have ads. Here's another RK report:

RogueKiller V8.1.0 [09/28/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website: http://tigzy.geekstogo.com/roguekiller.php

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Meshugga [Admin rights]

Mode : Scan -- Date : 09/28/2012 09:32:33

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost

::1 localhost

72.29.93.243 www.google-analytics.com.

72.29.93.243 ad-emea.doubleclick.net.

72.29.93.243 www.statcounter.com.

64.27.10.42 www.google-analytics.com.

64.27.10.42 ad-emea.doubleclick.net.

64.27.10.42 www.statcounter.com.

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST95005620AS ATA Device +++++

--- User ---

[MBR] baa84ee69dbfcd9da426b39ea27a274d

[BSP] b8e681ec20f3f51e484d81d4ade624cc : Windows 7 MBR Code

Partition table:

0 - [XXXXXX] FAT32-LBA (0x1c) [HIDDEN!] Offset (sectors): 63 | Size: 22003 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 45064192 | Size: 100 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 45268992 | Size: 454835 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: ST95005620AS ATA Device +++++

--- User ---

[MBR] 03e62ab70b2e6e8b8d9505a7d4c35b9e

[BSP] e6c2cebec9d5914c6fe029aa4b621d92 : Windows Vista/7 MBR Code

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 476937 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[5].txt >>

RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt ; RKreport[5].txt


Your host file is still corrupt, please go to the link below and click the "Fix it" button.

http://support.microsoft.com/kb/972034

That should restore the original host file.

~~~~~~~~~~~~~~~~~~~~~~~~~~

Download TFC to your desktop

Close any open windows.

Double click the TFC icon to run the program

TFC will close all open programs itself in order to run,

Click the Start button to begin the process.

Allow TFC to run uninterrupted.

The program should not take long to finish its job

Once it's finished it should automatically reboot your machine,

if it doesn't, manually reboot to ensure a complete clean

~~~~~~~~~~~~~~~~~~~~~~~~~

Are you on a wireless network or network?

If so do you have a Network Bridge as shown in the link below:

http://img.photobuck...work_Bridge.png

~~~~~~~~~~~~~~~~~~~~~

Reboot and run another scan with RogueKiller > post the new log.

Let me know, MrC
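The hosts entries in the RogueKiller logs above are what keep feeding the ads: www.google-analytics.com, ad-emea.doubleclick.net and www.statcounter.com are all sent to two public addresses (72.29.93.243 and 64.27.10.42) instead of resolving normally. The check below is an added example, not code from this thread, from RogueKiller or from the KB 972034 Fix it: it parses a hosts file (sample content constructed from the log above), flags every name mapped to a public address, groups them by redirect target, and emits the file with the hijack lines removed. `SAMPLE_HOSTS` and all function names are my own.

```python
"""Hosts-file hijack check (added example; not part of the thread's tools).

A Windows hosts file legitimately maps names to loopback (127.0.0.1, ::1)
or, for ad-blocking lists, to the 0.0.0.0 sinkhole.  A name sent to a
public (globally routable) address is a redirect and should be reviewed;
that is exactly what the thread's logs show for the analytics/ad domains.
"""
import ipaddress

# Constructed sample: the HOSTS content RogueKiller printed in the thread,
# plus the comment line a stock Windows hosts file starts with.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1 localhost
::1 localhost
72.29.93.243 www.google-analytics.com.
72.29.93.243 ad-emea.doubleclick.net.
72.29.93.243 www.statcounter.com.
64.27.10.42 www.google-analytics.com.
64.27.10.42 ad-emea.doubleclick.net.
64.27.10.42 www.statcounter.com.
"""


def parse_hosts(text):
    """Yield (ip, names, line_no, raw_line) for every mapping line.

    Comments (# ...) and blank lines are skipped.  The trailing dot the
    log shows on each name (FQDN form) is stripped so that
    'www.google-analytics.com.' and 'www.google-analytics.com' compare equal.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address; not a mapping line
        names = [n.rstrip(".").lower() for n in fields[1:]]
        yield ip, names, line_no, raw


def is_suspicious(ip):
    """True when the mapping target is globally routable: loopback, the
    0.0.0.0 sinkhole and LAN (private) addresses are all left alone."""
    return ip.is_global


def find_hijacks(text):
    """Return the suspicious entries as (line_no, ip_text, names) tuples."""
    return [(line_no, str(ip), names)
            for ip, names, line_no, _ in parse_hosts(text)
            if is_suspicious(ip)]


def redirect_targets(text):
    """Group hijacked names by the address they are sent to; the targets
    are what an analyst looks up or blocks next."""
    targets = {}
    for _, ip, names in find_hijacks(text):
        targets.setdefault(ip, set()).update(names)
    return {ip: sorted(n) for ip, n in targets.items()}


def restored_hosts(text):
    """Return the file with the hijack lines dropped and everything else
    (comments, loopback entries) kept byte-for-byte."""
    bad = {line_no for line_no, _, _ in find_hijacks(text)}
    kept = [raw for i, raw in enumerate(text.splitlines(), 1) if i not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for line_no, ip, names in find_hijacks(SAMPLE_HOSTS):
        print(f"line {line_no}: {', '.join(names)} -> {ip}")
    print("--- restored file ---")
    print(restored_hosts(SAMPLE_HOSTS), end="")
```

On a real machine read `C:\Windows\System32\drivers\etc\hosts` into `text` instead of `SAMPLE_HOSTS`; if the flagged lines come back after you rewrite the file, something still running is re-adding them, which is the situation the thread is in.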


I do not have a network bridge. Only my wifi, LAN and a few VPNs for work.

RK Log:

RogueKiller V8.1.0 [09/28/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website: http://tigzy.geekstogo.com/roguekiller.php

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Meshugga [Admin rights]

Mode : Scan -- Date : 09/28/2012 11:16:14

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost

::1 localhost

72.29.93.243 www.google-analytics.com.

72.29.93.243 ad-emea.doubleclick.net.

72.29.93.243 www.statcounter.com.

64.27.10.42 www.google-analytics.com.

64.27.10.42 ad-emea.doubleclick.net.

64.27.10.42 www.statcounter.com.

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST95005620AS ATA Device +++++

--- User ---

[MBR] baa84ee69dbfcd9da426b39ea27a274d

[BSP] b8e681ec20f3f51e484d81d4ade624cc : Windows 7 MBR Code

Partition table:

0 - [XXXXXX] FAT32-LBA (0x1c) [HIDDEN!] Offset (sectors): 63 | Size: 22003 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 45064192 | Size: 100 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 45268992 | Size: 454835 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: ST95005620AS ATA Device +++++

--- User ---

[MBR] 03e62ab70b2e6e8b8d9505a7d4c35b9e

[BSP] e6c2cebec9d5914c6fe029aa4b621d92 : Windows Vista/7 MBR Code

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 476937 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[6].txt >>

RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt ; RKreport[5].txt ;

RKreport[6].txt

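The HOSTS section of the RogueKiller log above maps www.google-analytics.com, ad-emea.doubleclick.net and www.statcounter.com (written with a trailing dot) to two public addresses instead of loopback, so every browser on the machine fetches its "analytics" and ad scripts from those servers, which is consistent with ads appearing in Chrome, Firefox, IE and the game launcher alike. The Python checker below is an added example, not code from the thread or from RogueKiller: it parses a hosts file and flags such redirections; the sample hosts text is copied from the log, and the watch-list of domains is an assumption.

```python
"""Flag hijacked entries in a Windows hosts file (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass

# Constructed sample: the HOSTS lines reported by RogueKiller in the log above.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
::1 localhost
72.29.93.243 www.google-analytics.com.
72.29.93.243 ad-emea.doubleclick.net.
72.29.93.243 www.statcounter.com.
64.27.10.42 www.google-analytics.com.
64.27.10.42 ad-emea.doubleclick.net.
64.27.10.42 www.statcounter.com.
"""

# Assumed watch-list: analytics/ad domains that a legitimate hosts file only
# ever points at loopback or 0.0.0.0 (to block them), never at a public address.
WATCHED_DOMAINS = ("google-analytics.com", "doubleclick.net", "statcounter.com")


@dataclass(frozen=True)
class Finding:
    line_no: int
    address: str
    hostname: str
    reason: str


def normalize_host(name: str) -> str:
    # A trailing dot makes the name absolute in DNS (the log shows this form);
    # strip it so "www.statcounter.com." and "www.statcounter.com" compare equal.
    return name.lower().rstrip(".")


def is_watched(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def parse_hosts(text: str):
    """Yield (line_no, address_text, [hostnames]) for each active entry."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        parts = line.split()
        if len(parts) >= 2:
            yield line_no, parts[0], parts[1:]


def check_hosts(text: str) -> list[Finding]:
    findings: list[Finding] = []
    seen: dict[tuple[str, int], str] = {}     # (hostname, IP version) -> first address
    for line_no, addr_text, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            findings.append(Finding(line_no, addr_text, names[0], "unparseable address"))
            continue
        sinkhole = addr.is_loopback or addr.is_unspecified   # 127.0.0.1, ::1, 0.0.0.0
        for name in names:
            host = normalize_host(name)
            if is_watched(host) and not sinkhole:
                # The browser will fetch "analytics" or "ads" from a server someone
                # else controls; this is how injected ads reach every browser at once.
                findings.append(Finding(line_no, addr_text, host, "watched domain redirected off loopback"))
            elif addr.is_global:
                findings.append(Finding(line_no, addr_text, host, "public address in hosts file"))
            key = (host, addr.version)
            if key in seen and seen[key] != addr_text:
                findings.append(Finding(line_no, addr_text, host, "hostname mapped to more than one address"))
            seen.setdefault(key, addr_text)
    return findings


if __name__ == "__main__":
    for f in check_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.address:<14} {f.hostname:<28} {f.reason}")
```

On a live system, read C:\Windows\System32\drivers\etc\hosts and pass its contents to check_hosts; a clean file yields no findings.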

Yes, I very rarely work off of an Ethernet connection. Most of the time I don't have one available.


OK, I want you to run ComboFix but first...........

Please back up the registry:

http://www.geekstogo...ry-using-erunt/

Please create a new system restore point also.

If after running ComboFix you can't connect to the internet, please navigate to the C:\WINDOWS\ERDNT folder and run ERDNT.exe; this will restore the registry.

Reboot and see how it is.

If that doesn't work, use that system restore point; that will correct the problem.

~~~~~~~~~~~~~~~~~~~~~~~~

Please download and run ComboFix.

The most important things to remember when running it are to disable all your anti-malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingc...to-use-combofix

Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message "Illegal operation attempted on registry key that has been marked for deletion" after you run ComboFix, please reboot the computer; this should resolve the problem. You may have to do this several times if needed.

MrC


In the past 20 minutes of web browsing I haven't seen any ads. I will continue to look but for now it appears that the problem is resolved! I will report back later with a confirmation and donation! Thanks MrC!


ComboFix 12-09-27.03 - Meshugga 09/28/2012 14:53:42.1.8 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8169.6465 [GMT -7:00]

Running from: c:\users\Meshugga\Downloads\ComboFix.exe

AV: Lavasoft Ad-Aware *Disabled/Updated* {445B48C3-0FA4-6B16-8F07-6506F305D800}

FW: Lavasoft Ad-Aware *Disabled* {7C60C9E6-45CB-6A4E-A458-CC330DD69F7B}

SP: Lavasoft Ad-Aware *Disabled/Updated* {FF3AA927-299E-6498-B5B7-5E74888292BD}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\install.exe

c:\programdata\ntuser.dat

c:\windows\SysWow64\URTTemp

c:\windows\SysWow64\URTTemp\regtlib.exe

.

.

((((((((((((((((((((((((( Files Created from 2012-08-28 to 2012-09-28 )))))))))))))))))))))))))))))))

.

.

2012-09-28 21:56 . 2012-09-28 21:56 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-09-28 21:48 . 2012-09-28 21:48 -------- d-----w- c:\program files (x86)\MSXML 4.0

2012-09-28 21:33 . 2012-09-28 21:33 -------- d-----w- c:\program files (x86)\ERUNT

2012-09-28 01:36 . 2012-09-28 03:03 -------- d-----w- c:\programdata\Spybot - Search & Destroy

2012-09-28 01:36 . 2012-09-28 01:37 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy

2012-09-27 21:05 . 2012-09-27 21:05 -------- d-----w- c:\users\Meshugga\AppData\Roaming\LavasoftStatistics

2012-09-27 21:02 . 2011-12-19 20:21 45936 ----a-w- c:\windows\system32\sbbd.exe

2012-09-27 21:02 . 2011-12-19 19:44 60536 ----a-w- c:\windows\system32\drivers\sbhips.sys

2012-09-27 21:02 . 2011-10-26 21:23 57976 ----a-w- c:\windows\system32\drivers\sbredrv.sys

2012-09-27 21:02 . 2012-09-27 21:02 -------- d-----w- c:\programdata\Lavasoft

2012-09-27 21:02 . 2012-09-27 21:06 -------- d-----w- c:\program files (x86)\Ad-Aware Antivirus

2012-09-27 21:02 . 2012-09-27 21:02 -------- d-----w- c:\users\Meshugga\AppData\Local\Downloaded Installations

2012-09-27 21:01 . 2012-09-27 21:01 -------- d-----w- c:\programdata\blekko toolbars

2012-09-27 21:01 . 2012-09-28 18:15 -------- d-----w- c:\programdata\Ad-Aware Browsing Protection

2012-09-27 21:01 . 2012-09-27 21:51 -------- d-----w- c:\users\Meshugga\AppData\Local\adawarebp

2012-09-27 21:01 . 2012-09-27 21:01 -------- d-----w- c:\program files (x86)\adawaretb

2012-09-27 21:01 . 2012-09-27 21:01 -------- d-----w- c:\program files (x86)\Toolbar Cleaner

2012-09-27 20:54 . 2012-09-28 04:35 -------- d-----w- c:\users\Meshugga\AppData\Roaming\Ad-Aware Antivirus

2012-09-27 18:48 . 2012-09-19 07:58 9308616 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0C52F5A2-919E-44FF-8AE3-4C7584CCC629}\mpengine.dll

2012-09-27 05:18 . 2012-09-27 05:18 -------- d-----w- c:\users\Meshugga\AppData\Local\Macromedia

2012-09-26 15:35 . 2012-08-21 21:01 245760 ----a-w- c:\windows\system32\OxpsConverter.exe

2012-09-23 21:51 . 2012-09-23 21:51 -------- d-----w- c:\program files (x86)\Common Files\Java

2012-09-23 21:50 . 2012-09-23 21:50 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll

2012-09-23 21:50 . 2012-09-23 21:50 -------- d-----w- c:\program files (x86)\Java

2012-09-23 21:49 . 2012-09-23 21:49 289768 ----a-w- c:\windows\system32\javaws.exe

2012-09-23 21:49 . 2012-09-23 21:49 108008 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll

2012-09-23 21:49 . 2012-09-23 21:49 189416 ----a-w- c:\windows\system32\javaw.exe

2012-09-23 21:49 . 2012-09-23 21:49 188904 ----a-w- c:\windows\system32\java.exe

2012-09-23 21:49 . 2012-09-23 21:49 -------- d-----w- c:\program files\Java

2012-09-23 00:20 . 2012-09-23 00:20 -------- d-----w- c:\programdata\McAfee

2012-09-13 05:43 . 2012-09-13 05:43 -------- d-----w- c:\users\Meshugga\AppData\Roaming\minmaxgames

2012-09-12 16:30 . 2012-08-22 18:12 950128 ----a-w- c:\windows\system32\drivers\ndis.sys

2012-09-12 16:30 . 2012-07-04 20:26 41472 ----a-w- c:\windows\system32\drivers\RNDISMP.sys

2012-09-12 16:30 . 2012-08-02 17:58 574464 ----a-w- c:\windows\system32\d3d10level9.dll

2012-09-12 16:30 . 2012-08-02 16:57 490496 ----a-w- c:\windows\SysWow64\d3d10level9.dll

2012-09-12 16:30 . 2012-08-22 18:12 1913200 ----a-w- c:\windows\system32\drivers\tcpip.sys

2012-09-12 16:30 . 2012-08-22 18:12 376688 ----a-w- c:\windows\system32\drivers\netio.sys

2012-09-12 16:30 . 2012-08-22 18:12 288624 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS

2012-09-07 17:12 . 2012-09-07 17:12 -------- d-----w- c:\users\Meshugga\AppData\Local\{646C1DD5-B133-46BD-B38C-18CB744E0217}

2012-09-03 00:37 . 2012-09-03 00:37 -------- d-----w- c:\programdata\Logitech

2012-09-01 21:25 . 2012-09-01 21:25 -------- d-----w- c:\program files (x86)\Canon

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-09-27 02:42 . 2012-05-06 04:56 696240 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-09-27 02:42 . 2012-05-06 04:56 73136 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-09-23 21:50 . 2012-05-10 02:48 821736 ----a-w- c:\windows\SysWow64\npDeployJava1.dll

2012-09-23 21:49 . 2012-08-08 02:53 916456 ----a-w- c:\windows\system32\deployJava1.dll

2012-09-23 21:49 . 2012-08-08 02:53 1034216 ----a-w- c:\windows\system32\npDeployJava1.dll

2012-09-23 00:23 . 2012-05-10 02:48 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll

2012-09-18 04:16 . 2012-05-07 18:45 18960 ----a-w- c:\windows\system32\drivers\LNonPnP.sys

2012-09-13 05:06 . 2012-05-06 00:44 64462936 ----a-w- c:\windows\system32\MRT.exe

2012-09-08 00:04 . 2012-08-05 12:05 25928 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-07-18 18:15 . 2012-08-16 00:54 3148800 ----a-w- c:\windows\system32\win32k.sys

2012-07-12 17:19 . 2012-07-12 17:19 348160 ----a-w- c:\windows\SysWow64\msvcr71.dll

2012-07-12 17:19 . 2012-07-12 17:19 1700352 ----a-w- c:\windows\SysWow64\gdiplus.dll

2012-07-12 17:19 . 2012-07-12 17:19 1060864 ----a-w- c:\windows\SysWow64\mfc71.dll

2012-07-06 20:07 . 2012-08-16 10:03 552960 ----a-w- c:\windows\system32\drivers\bthport.sys

2012-07-04 22:16 . 2012-08-16 00:54 73216 ----a-w- c:\windows\system32\netapi32.dll

2012-07-04 22:13 . 2012-08-16 00:54 59392 ----a-w- c:\windows\system32\browcli.dll

2012-07-04 22:13 . 2012-08-16 00:54 136704 ----a-w- c:\windows\system32\browser.dll

2012-07-04 21:14 . 2012-08-16 00:54 41984 ----a-w- c:\windows\SysWow64\browcli.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"Ad-Aware Antivirus"="c:\program files (x86)\Ad-Aware Antivirus\AdAwareLauncher --windows-run" [X]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]

"Ad-Aware Browsing Protection"="c:\programdata\Ad-Aware Browsing Protection\adawarebp.exe" [2012-08-08 540056]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]

"LoadAppInit_DLLs"=0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"aux1"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ad-Aware Service]

@="Ad-Aware Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]

@="Service"

.

R1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [2011-10-26 57976]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 SBAMSvc;Ad-Aware;c:\program files (x86)\Ad-Aware Antivirus\SBAMSvc.exe [2011-12-19 3289032]

R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-06-08 160944]

R3 HPFXBULKLEDM;HPFXBULKLEDM;c:\windows\system32\drivers\hppdbulkio.sys [2011-05-10 22040]

R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\DRIVERS\LEqdUsb.Sys [2011-09-02 76056]

R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\DRIVERS\LHidEqd.Sys [2011-09-02 15128]

R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]

R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-08-01 45416]

R3 RSUSBVSTOR;RtsUVStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUVStor.sys [2010-08-04 290920]

R3 SaiH8000;SaiH8000;c:\windows\system32\DRIVERS\SaiH8000.sys [2008-04-04 178560]

R3 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys [2011-12-19 60536]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-05-06 1255736]

R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2011-08-05 306400]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]

S2 Ad-Aware Service;Ad-Aware Service;c:\program files (x86)\Ad-Aware Antivirus\AdAwareService.exe [2012-09-20 1236368]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-04-04 63928]

S2 HP DS Service;HP DS Service;c:\program files (x86)\HP\HPBDSService\HPBDSService.exe [2010-10-27 13824]

S2 sbapifs;sbapifs;c:\windows\system32\DRIVERS\sbapifs.sys [2011-11-29 74872]

S2 SplashtopRemoteService;Splashtop® Remote Service;c:\program files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe [2012-09-03 548264]

S2 SSUService;Splashtop Software Updater Service;c:\program files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe [2012-03-15 370504]

S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2010-05-06 583360]

S3 FLxHCIc;Fresco Logic xHCI (USB3) Device Driver;c:\windows\system32\DRIVERS\FLxHCIc.sys [2010-11-19 210944]

S3 FLxHCIh;Fresco Logic xHCI (USB3) Hub Device Driver;c:\windows\system32\DRIVERS\FLxHCIh.sys [2010-11-19 49664]

S3 MBfilt;MBfilt;c:\windows\system32\drivers\MBfilt64.sys [2009-11-18 32344]

S3 MEIx64;Intel® Management Engine Interface ;c:\windows\system32\DRIVERS\HECIx64.sys [2010-10-20 56344]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-06-23 333928]

S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]

S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 23040]

.

.

Contents of the 'Scheduled Tasks' folder

.

2012-09-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3445159540-2488400749-1242385073-1000Core.job

- c:\users\Meshugga\AppData\Local\Google\Update\GoogleUpdate.exe [2012-09-23 21:54]

.

2012-09-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3445159540-2488400749-1242385073-1000UA.job

- c:\users\Meshugga\AppData\Local\Google\Update\GoogleUpdate.exe [2012-09-23 21:54]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1744152]

"Logitech Download Assistant"="c:\windows\System32\LogiLDA.dll" [2010-11-04 1580368]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.google.com/

mLocal Page = c:\windows\SysWOW64\blank.htm

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~2\MICROS~2\Office14\ONBttnIE.dll/105

TCP: DhcpNameServer = 8.8.8.8 8.8.4.4

DPF: {A4150320-98EC-4DB6-9BFB-EBF4B6FBEB16} - hxxp://192.168.1.3/codebase/DVM_IPCam2.ocx

FF - ProfilePath - c:\users\Meshugga\AppData\Roaming\Mozilla\Firefox\Profiles\sgvhlo1r.default\

.

- - - - ORPHANS REMOVED - - - -

.

SafeBoot-45306296.sys

HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe

HKLM-Run-SynAsusAcpi - c:\program files (x86)\Synaptics\SynTP\SynAsusAcpi.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Key"="ActionsPane3"

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2012-09-28 14:58:14

ComboFix-quarantined-files.txt 2012-09-28 21:58

.

Pre-Run: 138,575,437,824 bytes free

Post-Run: 138,040,496,128 bytes free

.

- - End Of File - - 1F80CBC719B699F5A7A17172B9040D39


Looks OK, use it and see how it is.

Let me know.....MrC


Thank you so much for your help. This was driving me crazy but after a lot of surfing and testing it looks like I am in the clear. Donated!


Great!

Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

MrC


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
