1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Miner & Root0Access help

Discussion in 'Virus & Other Malware Removal' started by innocentdemon, Dec 27, 2012.

Thread Status:
Not open for further replies.
Advertisement
  1. innocentdemon

    innocentdemon Thread Starter

    Joined:
    Dec 27, 2012
    Messages:
    13
    Hi found Rootkit.0Access and Trojan.Dropper.BCMiner on my system after scanning with a Malware scanner. But cant seem to remove it from my system. Need help please....


    Tech Support Guy System Info Utility version 1.0.0.2
    OS Version: Microsoft Windows 7 Home Premium, Service Pack 1, 64 bit
    Processor: AMD FX(tm)-4100 Quad-Core Processor, AMD64 Family 21 Model 1 Stepping 2
    Processor Count: 4
    RAM: 7918 Mb
    Graphics Card: ATI Radeon HD 5450, 1024 Mb
    Hard Drives: C: Total - 943858 MB, Free - 706151 MB;
    Motherboard: ASUSTeK Computer INC., M5A88-M
    Antivirus: None


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 10:59:38 AM, on 28/12/2012
    Platform: Windows 7 SP1 (WinNT 6.00.3505)
    MSIE: Internet Explorer v9.00 (9.00.8112.16455)
    Boot mode: Normal

    Running processes:
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe
    C:\Program Files (x86)\n52te\razerhid.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Program Files (x86)\n52te\razertra.exe
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
    C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe
    C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe
    C:\Users\rob\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\prxtbVuze.dll
    F2 - REG:system.ini: UserInit=userinit.exe,
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
    O2 - BHO: Vuze Remote - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\prxtbVuze.dll
    O2 - BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll" (file missing)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Yontoo Layers - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files (x86)\Yontoo\YontooIEClient.dll
    O3 - Toolbar: Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll" (file missing)
    O3 - Toolbar: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\prxtbVuze.dll
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [UpdateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
    O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe"
    O4 - HKLM\..\Run: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
    O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
    O4 - HKLM\..\Run: [UpdatePSTShortCut] "C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
    O4 - HKLM\..\Run: [Jomantha] C:\Program Files (x86)\n52te\razerhid.exe
    O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
    O9 - Extra button: @C:\Program Files (x86)\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
    O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
    O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
    O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
    O23 - Service: AMD FUEL Service - Advanced Micro Devices, Inc. - C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
    O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

    --
    End of file - 10064 bytes



    DDS (Ver_2012-11-20.01) - NTFS_AMD64
    Internet Explorer: 9.0.8112.16455
    Run by rob at 11:01:12 on 2012-12-28
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.61.1033.18.7919.5922 [GMT 11:00]
    .
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\atieclxx.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskhost.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\System32\WUDFHost.exe
    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe
    C:\Program Files (x86)\n52te\razerhid.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Program Files (x86)\n52te\razertra.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
    C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe
    C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Users\rob\Desktop\HijackThis.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\System32\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\prxtbVuze.dll
    mURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\prxtbVuze.dll
    mWinlogon: Userinit = userinit.exe,
    BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
    BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\prxtbVuze.dll
    BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    BHO: Yontoo: {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files (x86)\Yontoo\YontooIEClient.dll
    TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -
    TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\prxtbVuze.dll
    mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun: [UpdateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
    mRun: [CLMLServer] "C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe"
    mRun: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
    mRun: [UCam_Menu] "C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
    mRun: [UpdatePSTShortCut] "C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
    mRun: [Jomantha] C:\Program Files (x86)\n52te\razerhid.exe
    mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript
    mPolicies-Explorer: NoActiveDesktop = dword:1
    mPolicies-Explorer: NoActiveDesktopChanges = dword:1
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableUIADesktopToggle = dword:0
    IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    LSP: mswsock.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    TCP: NameServer = 192.168.0.1
    TCP: Interfaces\{82F9473C-CC27-4AAA-9933-80D646839A55} : DHCPNameServer = 10.0.0.138
    TCP: Interfaces\{D7490BCB-A38B-4526-A579-B9636FC951F8} : DHCPNameServer = 192.168.0.1
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    SSODL: WebCheck - <orphaned>
    x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    x64-BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
    x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    x64-DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
    x64-SSODL: WebCheck - <orphaned>
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\rob\AppData\Roaming\Mozilla\Firefox\Profiles\lffv9gx4.default\
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
    FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_135.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2011-10-26 204288]
    R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-10-25 361984]
    R2 AODDriver4.01;AODDriver4.01;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\aoddriver2.sys [2011-6-24 55424]
    R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-14 399432]
    R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-14 676936]
    R3 amdiox64;AMD IO Driver;C:\Windows\System32\drivers\amdiox64.sys [2011-12-5 46136]
    R3 asmthub3;ASMedia USB3 Hub Service;C:\Windows\System32\drivers\asmthub3.sys [2011-5-16 126952]
    R3 asmtxhci;ASMEDIA XHCI Service;C:\Windows\System32\drivers\asmtxhci.sys [2011-5-16 390632]
    R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2011-6-7 231440]
    R3 JmtFltr;n52te;C:\Windows\System32\drivers\JmtFltr.sys [2012-11-7 46464]
    R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2012-12-14 25928]
    R3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\System32\drivers\netr28x.sys [2011-4-6 1177440]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S3 aar81xx;aar81xx;C:\Windows\System32\drivers\aar81xx.sys [2010-12-13 389720]
    S3 adp3132;adp3132;C:\Windows\System32\drivers\adp3132.sys [2010-8-10 385072]
    S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-4-1 183560]
    S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2011-12-5 48488]
    S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2011-5-13 1492840]
    S3 MegaSR1;MegaSR1;C:\Windows\System32\drivers\MegaSR1.sys [2011-1-28 515152]
    S3 mv91cons;mv91cons;C:\Windows\System32\drivers\mv91cons.sys [2011-4-6 24880]
    S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2011-1-28 80384]
    S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2011-1-28 181248]
    S3 OxSer;OxSer;C:\Windows\System32\drivers\OxSer.sys [2011-1-27 98352]
    S3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-5-16 452200]
    S3 Si3531;Si3531;C:\Windows\System32\drivers\Si3531.sys [2010-8-10 333864]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-21 59392]
    S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-21 31232]
    S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-7-9 52736]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-11-6 1255736]
    S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
    .
    =============== Created Last 30 ================
    .
    2012-12-14 10:31:35 -------- d-----w- C:\Users\rob\AppData\Roaming\Malwarebytes
    2012-12-14 10:31:24 -------- d-----w- C:\ProgramData\Malwarebytes
    2012-12-14 10:31:23 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2012-12-14 10:31:23 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-12-05 10:06:09 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-12-05 10:06:09 697272 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
    2012-12-04 13:29:57 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%
    2012-12-04 10:23:37 220160 ----a-w- C:\ProgramData\Microsoft\Media Tools\MediaIconsOverlays.dll
    2012-12-04 10:23:28 -------- d-----w- C:\Program Files (x86)\Mega Codec Pack
    2012-12-04 07:20:59 9125352 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{63DD0CFE-0481-4668-B6A2-55FC8834FFAF}\mpengine.dll
    2012-12-02 03:23:46 -------- d-----w- C:\Users\rob\AppData\Local\Diagnostics
    .
    ==================== Find3M ====================
    .
    2012-11-01 04:35:14 253256 ----a-w- C:\Windows\System32\drivers\PCTSD64.sys
    2012-10-18 18:25:58 3149824 ----a-w- C:\Windows\System32\win32k.sys
    2012-10-16 08:38:37 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
    2012-10-16 08:38:34 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll
    2012-10-16 07:39:52 561664 ----a-w- C:\Windows\apppatch\AcLayers.dll
    2012-10-09 18:17:13 55296 ----a-w- C:\Windows\System32\dhcpcsvc6.dll
    2012-10-09 18:17:13 226816 ----a-w- C:\Windows\System32\dhcpcore6.dll
    2012-10-09 17:40:31 44032 ----a-w- C:\Windows\SysWow64\dhcpcsvc6.dll
    2012-10-09 17:40:31 193536 ----a-w- C:\Windows\SysWow64\dhcpcore6.dll
    2012-10-08 11:31:03 2312704 ----a-w- C:\Windows\System32\jscript9.dll
    2012-10-08 11:23:52 1392128 ----a-w- C:\Windows\System32\wininet.dll
    2012-10-08 11:22:55 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
    2012-10-08 11:18:22 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
    2012-10-08 11:17:35 599040 ----a-w- C:\Windows\System32\vbscript.dll
    2012-10-08 11:13:33 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
    2012-10-08 07:56:24 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
    2012-10-08 07:48:03 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
    2012-10-08 07:47:44 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
    2012-10-08 07:44:05 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
    2012-10-08 07:43:21 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
    2012-10-08 07:40:56 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2012-10-03 17:56:54 1914248 ----a-w- C:\Windows\System32\drivers\tcpip.sys
    2012-10-03 17:44:21 70656 ----a-w- C:\Windows\System32\nlaapi.dll
    2012-10-03 17:44:21 303104 ----a-w- C:\Windows\System32\nlasvc.dll
    2012-10-03 17:44:17 246272 ----a-w- C:\Windows\System32\netcorehc.dll
    2012-10-03 17:44:17 18944 ----a-w- C:\Windows\System32\netevent.dll
    2012-10-03 17:44:16 216576 ----a-w- C:\Windows\System32\ncsi.dll
    2012-10-03 17:42:16 569344 ----a-w- C:\Windows\System32\iphlpsvc.dll
    2012-10-03 16:42:24 18944 ----a-w- C:\Windows\SysWow64\netevent.dll
    2012-10-03 16:42:24 175104 ----a-w- C:\Windows\SysWow64\netcorehc.dll
    2012-10-03 16:42:23 156672 ----a-w- C:\Windows\SysWow64\ncsi.dll
    2012-10-03 16:07:26 45568 ----a-w- C:\Windows\System32\drivers\tcpipreg.sys
    .
    ============= FINISH: 11:01:29.74 ===============



    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-20.01)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 4/11/2012 5:58:48 PM
    System Uptime: 28/12/2012 10:43:07 AM (1 hours ago)
    .
    Motherboard: ASUSTeK Computer INC. | | M5A88-M
    Processor: AMD FX(tm)-4100 Quad-Core Processor | AM3R2 | 3600/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 922 GiB total, 689.596 GiB free.
    D: is CDROM (UDF)
    E: is Removable
    F: is Removable
    H: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Realtek PCIe GBE Family Controller
    Device ID: PCI\VEN_10EC&DEV_8168&SUBSYS_84321043&REV_06\4&3A484DD5&0&0050
    Manufacturer: Realtek
    Name: Realtek PCIe GBE Family Controller
    PNP Device ID: PCI\VEN_10EC&DEV_8168&SUBSYS_84321043&REV_06\4&3A484DD5&0&0050
    Service: RTL8167
    .
    ==== System Restore Points ===================
    .
    RP26: 11/12/2012 12:00:01 AM - Scheduled Checkpoint
    RP27: 18/12/2012 11:54:27 PM - Scheduled Checkpoint
    RP28: 26/12/2012 - Scheduled Checkpoint
    .
    ==== Installed Programs ======================
    .
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    AMD APP SDK Runtime
    AMD Catalyst Install Manager
    AMD Drag and Drop Transcoding
    AMD Fuel
    AMD Media Foundation Decoders
    AMD VISION Engine Control Center
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Applian FLV and Media Player 3.1.1.12
    Bing Bar
    Bonjour
    Catalyst Control Center - Branding
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center InstallProxy
    ccc-utility64
    CCC Help English
    D3DX10
    Guild Wars 2
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 26
    Java(TM) 6 Update 26 (64-bit)
    Junk Mail filter update
    LG CyberLink LabelPrint
    LG CyberLink Power2Go
    LG CyberLink PowerBackup
    LG CyberLink YouCam
    LG Power Tools
    Malwarebytes Anti-Malware version 1.65.1.1000
    Mesh Runtime
    Messenger Companion
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft Application Error Reporting
    Microsoft Office 2010
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319
    Mozilla Firefox 17.0.1 (x86 en-US)
    Mozilla Maintenance Service
    MSVCRT
    MSVCRT_amd64
    n52te Editor
    Realtek High Definition Audio Driver
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
    Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
    Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
    Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    Update for Microsoft .NET Framework 4 Extended (KB2468871)
    Update for Microsoft .NET Framework 4 Extended (KB2533523)
    Update for Microsoft .NET Framework 4 Extended (KB2600217)
    Ventrilo Client for Windows x64
    VLC media player 2.0.4
    Vuze
    Vuze Remote Toolbar
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Family Safety
    Windows Live ID Sign-in Assistant
    Windows Live Installer
    Windows Live Language Selector
    Windows Live Mail
    Windows Live Mesh
    Windows Live Mesh ActiveX Control for Remote Connections
    Windows Live Messenger
    Windows Live Messenger Companion Core
    Windows Live MIME IFilter
    Windows Live Movie Maker
    Windows Live Photo Common
    Windows Live Photo Gallery
    Windows Live PIMT Platform
    Windows Live Remote Client
    Windows Live Remote Client Resources
    Windows Live Remote Service
    Windows Live Remote Service Resources
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    Windows Live Writer
    Windows Live Writer Resources
    WinRAR 4.20 (32-bit)
    Yontoo 1.10.03
    .
    ==== Event Viewer Messages From Past Week ========
    .
    28/12/2012 10:43:26 AM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891
    28/12/2012 10:43:26 AM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
    28/12/2012 10:43:26 AM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
    28/12/2012 10:43:23 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x000000f4 (0x0000000000000003, 0xfffffa800930d810, 0xfffffa800930daf0, 0xfffff8000317f460). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 122812-14461-01.
    28/12/2012 10:43:22 AM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
    28/12/2012 10:11:52 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    28/12/2012 10:11:52 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    28/12/2012 10:11:51 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    28/12/2012 10:11:45 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    28/12/2012 10:11:43 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache spldr Wanarpv6
    28/12/2012 10:11:41 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
    22/12/2012 7:02:34 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891
    .
    ==== End Of File ===========================
     
  2. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Download Farbar Recovery Scan Tool on a clean PC (if possible) and save to a flash drive (memory stick). Use which ever of the folllowing is applicable to your system. (32 or 64 bit)

    Download http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/ <--- 64 bit version Save to USB flash drive

    Download http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/ <--- 32 bit version Save to USB Flash drive

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options I give two methods, use whichever is convenient for you.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select Your Country as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account an click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select Your Country as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt


    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst64 or e:\frst depending on your version. Press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

    Kevin
     
  3. innocentdemon

    innocentdemon Thread Starter

    Joined:
    Dec 27, 2012
    Messages:
    13
    thx kevin for the help, here is the log it gave me:


    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 28-12-2012
    Ran by SYSTEM at 29-12-2012 09:16:09
    Running from H:\
    Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ==================== Registry (Whitelisted) ===================

    HKLM\...\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [11842152 2011-05-02] (Realtek Semiconductor)
    HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [343168 2011-10-25] (Advanced Micro Devices, Inc.)
    HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-04-07] (Sun Microsystems, Inc.)
    HKLM-x32\...\Run: [UpdateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5" [222504 2009-05-19] (CyberLink Corp.)
    HKLM-x32\...\Run: [CLMLServer] "C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe" [103720 2009-12-14] (CyberLink)
    HKLM-x32\...\Run: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0" [222504 2009-05-19] (CyberLink Corp.)
    HKLM-x32\...\Run: [UCam_Menu] "C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0" [218408 2009-02-17] (CyberLink Corp.)
    HKLM-x32\...\Run: [UpdatePSTShortCut] "C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter" [222504 2010-04-19] (CyberLink Corp.)
    HKLM-x32\...\Run: [Jomantha] C:\Program Files (x86)\n52te\razerhid.exe [163840 2007-12-11] (Razer USA Ltd.)
    HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-08-27] (Apple Inc.)
    HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-09-09] (Apple Inc.)
    Tcpip\Parameters: [DhcpNameServer] 10.0.0.138

    ==================== Services (Whitelisted) ===================

    2 MBAMScheduler; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe" [399432 2012-09-29] (Malwarebytes Corporation)
    2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [676936 2012-09-29] (Malwarebytes Corporation)

    ==================== Drivers (Whitelisted) =====================

    3 aar81xx; C:\Windows\System32\Drivers\aar81xx.sys [389720 2010-09-20] (Adaptec, Inc.)
    3 adp3132; C:\Windows\System32\Drivers\adp3132.sys [385072 2010-01-27] (Adaptec, Inc.)
    3 JmtFltr; C:\Windows\System32\Drivers\JmtFltr.sys [46464 2007-09-28] ()
    3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [25928 2012-09-29] (Malwarebytes Corporation)
    3 MegaSR1; C:\Windows\System32\Drivers\MegaSR1.sys [515152 2010-12-12] (LSI Corporation, Inc.)
    3 MTsensor; C:\Windows\system32\drivers\ASACPI.sys [15416 2009-05-13] ()
    3 OxSer; C:\Windows\System32\Drivers\OxSer.sys [98352 2009-09-15] (OEM)
    3 Si3531; C:\Windows\System32\Drivers\Si3531.sys [333864 2009-02-08] (Silicon Image, Inc)
    0 SiFilter; C:\Windows\System32\drivers\SiWinAcc.sys [22568 2009-02-08] (Silicon Image, Inc.)
    0 SiRemFil; C:\Windows\System32\Drivers\SiRemFil.sys [16936 2009-02-08] (Silicon Image, Inc.)
    3 uisp; C:\Windows\System32\Drivers\usbicp.sys [19200 2005-10-20] (Motorola)
    3 vhidmini; C:\Windows\System32\Drivers\vhidmini.sys [13952 2007-09-28] (Windows (R) Codename Longhorn DDK provider)
    3 NmPar; C:\Windows\system32\drivers\NmPar.sys [x]
    3 nmserial; C:\Windows\system32\drivers\nmserial.sys [x]

    ==================== NetSvcs (Whitelisted) ====================


    ==================== One Month Created Files and Folders ========

    2012-12-29 09:15 - 2012-12-29 09:15 - 00000000 ____D C:\FRST
    2012-12-27 16:24 - 2012-12-27 16:24 - 00509440 ____A (Tech Support Guy System) C:\Users\rob\Desktop\SysInfo.exe
    2012-12-27 16:01 - 2012-12-27 16:01 - 00014844 ____A C:\Users\rob\Desktop\dds.txt
    2012-12-27 16:01 - 2012-12-27 16:01 - 00007630 ____A C:\Users\rob\Desktop\attach.txt
    2012-12-27 15:59 - 2012-12-27 16:00 - 00010066 ____A C:\Users\rob\Desktop\hijackthis.log
    2012-12-27 15:57 - 2012-12-27 15:58 - 00688992 ____R (Swearware) C:\Users\rob\Desktop\dds.scr
    2012-12-27 15:57 - 2012-12-27 15:57 - 00388608 ____A (Trend Micro Inc.) C:\Users\rob\Desktop\HijackThis.exe
    2012-12-27 15:43 - 2012-12-27 15:43 - 343978143 ____A C:\Windows\MEMORY.DMP
    2012-12-27 15:43 - 2012-12-27 15:43 - 00275864 ____A C:\Windows\Minidump\122812-14461-01.dmp
    2012-12-27 15:43 - 2012-12-27 15:43 - 00000000 ____D C:\Windows\Minidump
    2012-12-27 15:14 - 2012-12-27 15:14 - 00000000 ____D C:\Users\rob\Desktop\TrendMicro AntiThreat Toolkit
    2012-12-27 14:54 - 2012-12-27 14:54 - 00000036 ____A C:\Users\rob\AppData\Local\housecall.guid.cache
    2012-12-15 21:07 - 2012-12-15 21:07 - 00002402 ____A C:\Users\rob\Documents\1.ini
    2012-12-14 02:40 - 2012-12-14 02:41 - 00000000 ____D C:\Users\rob\AppData\Roaming\WinRAR
    2012-12-14 02:40 - 2012-12-14 02:40 - 01517376 ____A C:\Users\rob\Downloads\wrar420.exe
    2012-12-14 02:40 - 2012-12-14 02:40 - 00000000 ____D C:\Program Files (x86)\WinRAR
    2012-12-14 02:37 - 2012-12-14 02:38 - 02576825 ____A C:\Users\rob\Downloads\Malwarebytes-Anti-Malware-1.65.1.1000-Final-Keygen_www.PlusCrack.com.rar
    2012-12-14 02:31 - 2012-12-14 02:31 - 00001119 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-12-14 02:31 - 2012-12-14 02:31 - 00000000 ____D C:\Users\rob\AppData\Roaming\Malwarebytes
    2012-12-14 02:31 - 2012-12-14 02:31 - 00000000 ____D C:\Users\All Users\Malwarebytes
    2012-12-14 02:31 - 2012-12-14 02:31 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-12-14 02:31 - 2012-09-29 00:54 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-12-14 02:30 - 2012-12-14 02:30 - 10669952 ____A (Malwarebytes Corporation ) C:\Users\rob\Downloads\mbam-setup-1.65.1.1000.exe
    2012-12-07 02:37 - 2012-12-07 02:37 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
    2012-12-05 02:06 - 2012-12-28 13:08 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-12-05 02:06 - 2012-12-13 01:09 - 00697272 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-12-05 02:06 - 2012-12-13 01:09 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-12-04 05:29 - 2012-12-04 05:29 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
    2012-12-04 02:23 - 2012-12-04 02:23 - 00000000 ____D C:\Program Files (x86)\Mega Codec Pack
    2012-12-03 23:43 - 2012-12-03 23:43 - 00747720 ____A (OOO Industry) C:\Users\rob\Downloads\Red.Dawn.2012.TS.XviD.MP3-ADTRG_secure.exe
    2012-12-03 23:42 - 2012-12-03 23:42 - 00244904 ____A C:\Users\rob\Downloads\Red_Dawn_2012_TS_XviD_MP3-ADTRG.exe

    ==================== One Month Modified Files and Folders =======

    2012-12-29 09:15 - 2012-12-29 09:15 - 00000000 ____D C:\FRST
    2012-12-28 14:05 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-12-28 14:05 - 2009-07-13 20:51 - 00044381 ____A C:\Windows\setupact.log
    2012-12-28 13:40 - 2009-07-13 21:13 - 00778660 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-12-28 13:08 - 2012-12-05 02:06 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-12-28 10:32 - 2012-11-04 03:11 - 00000000 ____D C:\Program Files (x86)\Guild Wars 2
    2012-12-28 10:32 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
    2012-12-28 10:32 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat
    2012-12-28 03:58 - 2012-11-04 00:16 - 00000000 ____D C:\Users\rob\AppData\Roaming\Applian FLV and Media Player
    2012-12-28 02:48 - 2009-07-13 20:45 - 00021888 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-12-28 02:48 - 2009-07-13 20:45 - 00021888 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-12-28 01:30 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
    2012-12-27 22:27 - 2010-11-20 19:47 - 00021646 ____A C:\Windows\PFRO.log
    2012-12-27 20:47 - 2012-11-04 01:09 - 00000000 ____D C:\Users\rob\AppData\Roaming\Azureus
    2012-12-27 20:47 - 2012-11-04 01:08 - 00000000 ____D C:\Users\rob\AppData\Roaming\vlc
    2012-12-27 16:24 - 2012-12-27 16:24 - 00509440 ____A (Tech Support Guy System) C:\Users\rob\Desktop\SysInfo.exe
    2012-12-27 16:01 - 2012-12-27 16:01 - 00014844 ____A C:\Users\rob\Desktop\dds.txt
    2012-12-27 16:01 - 2012-12-27 16:01 - 00007630 ____A C:\Users\rob\Desktop\attach.txt
    2012-12-27 16:00 - 2012-12-27 15:59 - 00010066 ____A C:\Users\rob\Desktop\hijackthis.log
    2012-12-27 15:58 - 2012-12-27 15:57 - 00688992 ____R (Swearware) C:\Users\rob\Desktop\dds.scr
    2012-12-27 15:58 - 2012-11-03 22:59 - 00000000 ____D C:\Users\rob\AppData\Local\VirtualStore
    2012-12-27 15:57 - 2012-12-27 15:57 - 00388608 ____A (Trend Micro Inc.) C:\Users\rob\Desktop\HijackThis.exe
    2012-12-27 15:43 - 2012-12-27 15:43 - 343978143 ____A C:\Windows\MEMORY.DMP
    2012-12-27 15:43 - 2012-12-27 15:43 - 00275864 ____A C:\Windows\Minidump\122812-14461-01.dmp
    2012-12-27 15:43 - 2012-12-27 15:43 - 00000000 ____D C:\Windows\Minidump
    2012-12-27 15:43 - 2012-11-03 22:58 - 00000000 ____D C:\users\rob
    2012-12-27 15:14 - 2012-12-27 15:14 - 00000000 ____D C:\Users\rob\Desktop\TrendMicro AntiThreat Toolkit
    2012-12-27 14:54 - 2012-12-27 14:54 - 00000036 ____A C:\Users\rob\AppData\Local\housecall.guid.cache
    2012-12-15 21:07 - 2012-12-15 21:07 - 00002402 ____A C:\Users\rob\Documents\1.ini
    2012-12-14 02:41 - 2012-12-14 02:40 - 00000000 ____D C:\Users\rob\AppData\Roaming\WinRAR
    2012-12-14 02:40 - 2012-12-14 02:40 - 01517376 ____A C:\Users\rob\Downloads\wrar420.exe
    2012-12-14 02:40 - 2012-12-14 02:40 - 00000000 ____D C:\Program Files (x86)\WinRAR
    2012-12-14 02:38 - 2012-12-14 02:37 - 02576825 ____A C:\Users\rob\Downloads\Malwarebytes-Anti-Malware-1.65.1.1000-Final-Keygen_www.PlusCrack.com.rar
    2012-12-14 02:31 - 2012-12-14 02:31 - 00001119 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-12-14 02:31 - 2012-12-14 02:31 - 00000000 ____D C:\Users\rob\AppData\Roaming\Malwarebytes
    2012-12-14 02:31 - 2012-12-14 02:31 - 00000000 ____D C:\Users\All Users\Malwarebytes
    2012-12-14 02:31 - 2012-12-14 02:31 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-12-14 02:30 - 2012-12-14 02:30 - 10669952 ____A (Malwarebytes Corporation ) C:\Users\rob\Downloads\mbam-setup-1.65.1.1000.exe
    2012-12-13 01:09 - 2012-12-05 02:06 - 00697272 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-12-13 01:09 - 2012-12-05 02:06 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-12-12 01:52 - 2012-11-04 02:54 - 00000000 ____D C:\Users\rob\Documents\Guild Wars 2
    2012-12-10 23:05 - 2012-11-04 00:10 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
    2012-12-07 02:37 - 2012-12-07 02:37 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
    2012-12-05 01:26 - 2011-12-04 16:04 - 00000000 ____D C:\Users\All Users\Adobe
    2012-12-04 05:29 - 2012-12-04 05:29 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
    2012-12-04 02:23 - 2012-12-04 02:23 - 00000000 ____D C:\Program Files (x86)\Mega Codec Pack
    2012-12-04 02:23 - 2012-11-03 22:58 - 01512629 ____A C:\Windows\WindowsUpdate.log
    2012-12-04 02:14 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
    2012-12-03 23:43 - 2012-12-03 23:43 - 00747720 ____A (OOO Industry) C:\Users\rob\Downloads\Red.Dawn.2012.TS.XviD.MP3-ADTRG_secure.exe
    2012-12-03 23:42 - 2012-12-03 23:42 - 00244904 ____A C:\Users\rob\Downloads\Red_Dawn_2012_TS_XviD_MP3-ADTRG.exe
    2012-12-01 19:40 - 2009-07-13 19:20 - 00000000 __RHD C:\Users\Public\Libraries


    ZeroAccess:
    C:\Windows\Installer\{aba0fed2-7ffd-384d-b2e2-494f90017710}
    C:\Windows\Installer\{aba0fed2-7ffd-384d-b2e2-494f90017710}\@
    C:\Windows\Installer\{aba0fed2-7ffd-384d-b2e2-494f90017710}\L
    C:\Windows\Installer\{aba0fed2-7ffd-384d-b2e2-494f90017710}\U
    C:\Windows\Installer\{aba0fed2-7ffd-384d-b2e2-494f90017710}\L\[email protected]
    C:\Windows\Installer\{aba0fed2-7ffd-384d-b2e2-494f90017710}\L\201d3dde
    C:\Windows\Installer\{aba0fed2-7ffd-384d-b2e2-494f90017710}\L\4cce1f70
    C:\Windows\Installer\{aba0fed2-7ffd-384d-b2e2-494f90017710}\L\76603ac3
    C:\Windows\Installer\{aba0fed2-7ffd-384d-b2e2-494f90017710}\U\[email protected]
    C:\Windows\Installer\{aba0fed2-7ffd-384d-b2e2-494f90017710}\U\[email protected]
    C:\Windows\Installer\{aba0fed2-7ffd-384d-b2e2-494f90017710}\U\[email protected]
    C:\Windows\Installer\{aba0fed2-7ffd-384d-b2e2-494f90017710}\U\[email protected]

    ZeroAccess:
    C:\Windows\assembly\GAC_32\Desktop.ini

    ZeroAccess:
    C:\Windows\assembly\GAC_64\Desktop.ini

    ==================== Known DLLs (Whitelisted) =================


    ==================== Bamital & volsnap Check =================

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ==================== Restore Points =========================

    Restore point made on: 2012-12-10 05:00:10
    Restore point made on: 2012-12-18 04:54:39
    Restore point made on: 2012-12-25 05:00:12

    ==================== Memory info ===========================

    Percentage of memory in use: 9%
    Total physical RAM: 7918.99 MB
    Available physical RAM: 7181.54 MB
    Total Pagefile: 7917.19 MB
    Available Pagefile: 7168.16 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.89 MB

    ==================== Partitions =============================

    1 Drive c: (OS_Install) (Fixed) (Total:921.74 GB) (Free:678.92 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    2 Drive d: (ENEMY_AT_THE_GATES_P4) (CDROM) (Total:7.35 GB) (Free:0 GB) UDF
    6 Drive h: () (Removable) (Total:0.99 GB) (Free:0.98 GB) FAT
    7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 931 GB 5120 KB
    Disk 1 No Media 0 B 0 B
    Disk 2 No Media 0 B 0 B
    Disk 3 No Media 0 B 0 B
    Disk 4 Online 1009 MB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 921 GB 1024 KB
    Partition 2 Primary 9 GB 921 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C OS_Install NTFS Partition 921 GB Healthy

    =========================================================

    Disk: 0
    Partition 2
    Type : 1C
    Hidden: Yes
    Active: No

    There is no volume associated with this partition.

    =========================================================

    Partitions of Disk 4:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 1009 MB 16 KB

    ==================================================================================

    Disk: 4
    Partition 1
    Type : 06
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 5 H FAT Removable 1009 MB Healthy

    =========================================================

    Last Boot: 2012-12-24 05:36

    ==================== End Of Log =============================
     
  4. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

    Code:
    start
    2012-12-04 05:29 - 2012-12-04 05:29 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
    C:\Windows\Installer\{aba0fed2-7ffd-384d-b2e2-494f90017710}
    C:\Windows\assembly\GAC_32\Desktop.ini
    C:\Windows\assembly\GAC_64\Desktop.ini
    end
    
    Now please enter System Recovery Options as you did to get the log.

    Run FRST64 or FRST and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

    Next,

    Reboot and continue as follows:

    Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from the following link :-

    http://download.bleepingcomputer.com/sUBs/ComboFix.exe

    • Ensure that Combofix is saved directly to the Desktop <--- Very important
    • Disable all security programs as they will have a negative effect on Combofix, instructions available here http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed, if you need more help please ask.
    • Close any open browsers and any other programs you might have running
    • Double click the [​IMG] icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator)
    • Instructions for running Combofix available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.
    • If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
    • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

    ****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read here http://thespykiller.co.uk/index.php?page=20 why disabling autoruns is recommended.

    *EXTRA NOTES*
    • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
    • If Combofix reboot's due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
    • If after running Combofix you receive any type of warning message about registry key's being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

    Post the log in next reply please...

    Kevin
     
  5. innocentdemon

    innocentdemon Thread Starter

    Joined:
    Dec 27, 2012
    Messages:
    13
    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 28-12-2012
    Ran by SYSTEM at 2012-12-29 10:54:03 Run:1
    Running from H:\

    ==============================================

    C:\Windows\SysWOW64\%APPDATA% moved successfully.
    C:\Windows\Installer\{aba0fed2-7ffd-384d-b2e2-494f90017710} moved successfully.
    C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
    C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.

    ==== End of Fixlog ====


    ComboFix 12-12-28.02 - rob 29/12/2012 11:01:43.1.4 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.61.1033.18.7919.6675 [GMT 11:00]
    Running from: c:\users\rob\Desktop\ComboFix.exe
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-11-28 to 2012-12-29 )))))))))))))))))))))))))))))))
    .
    .
    2012-12-29 17:15 . 2012-12-29 17:15 -------- d-----w- C:\FRST
    2012-12-14 10:31 . 2012-12-14 10:31 -------- d-----w- c:\users\rob\AppData\Roaming\Malwarebytes
    2012-12-14 10:31 . 2012-12-14 10:31 -------- d-----w- c:\programdata\Malwarebytes
    2012-12-14 10:31 . 2012-12-14 10:31 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-12-14 10:31 . 2012-09-29 08:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-12-05 10:06 . 2012-12-13 09:09 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-12-05 10:06 . 2012-12-13 09:09 697272 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-12-04 10:23 . 2012-12-04 10:23 220160 ----a-w- c:\programdata\Microsoft\Media Tools\MediaIconsOverlays.dll
    2012-12-04 10:23 . 2012-12-04 10:23 -------- d-----w- c:\program files (x86)\Mega Codec Pack
    2012-12-04 07:20 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{63DD0CFE-0481-4668-B6A2-55FC8834FFAF}\mpengine.dll
    2012-12-02 03:23 . 2012-12-02 03:23 -------- d-----w- c:\users\rob\AppData\Local\Diagnostics
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-11-04 06:59 . 2011-03-28 07:36 19720 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2012-11-01 04:35 . 2012-11-13 14:47 253256 ----a-w- c:\windows\system32\drivers\PCTSD64.sys
    2012-10-18 18:25 . 2012-11-14 19:26 3149824 ----a-w- c:\windows\system32\win32k.sys
    2012-10-16 08:38 . 2012-11-28 07:18 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll
    2012-10-16 08:38 . 2012-11-28 07:18 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll
    2012-10-16 07:39 . 2012-11-28 07:18 561664 ----a-w- c:\windows\apppatch\AcLayers.dll
    2012-10-09 18:17 . 2012-11-14 19:26 226816 ----a-w- c:\windows\system32\dhcpcore6.dll
    2012-10-09 18:17 . 2012-11-14 19:26 55296 ----a-w- c:\windows\system32\dhcpcsvc6.dll
    2012-10-09 17:40 . 2012-11-14 19:26 193536 ----a-w- c:\windows\SysWow64\dhcpcore6.dll
    2012-10-09 17:40 . 2012-11-14 19:26 44032 ----a-w- c:\windows\SysWow64\dhcpcsvc6.dll
    2012-10-08 12:19 . 2012-11-15 16:01 17811968 ----a-w- c:\windows\system32\mshtml.dll
    2012-10-08 11:42 . 2012-11-15 16:01 10925568 ----a-w- c:\windows\system32\ieframe.dll
    2012-10-08 11:31 . 2012-11-15 16:01 2312704 ----a-w- c:\windows\system32\jscript9.dll
    2012-10-08 11:24 . 2012-11-15 16:01 1346048 ----a-w- c:\windows\system32\urlmon.dll
    2012-10-08 11:23 . 2012-11-15 16:01 1392128 ----a-w- c:\windows\system32\wininet.dll
    2012-10-08 11:22 . 2012-11-15 16:01 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-10-08 11:22 . 2012-11-15 16:01 237056 ----a-w- c:\windows\system32\url.dll
    2012-10-08 11:20 . 2012-11-15 16:01 85504 ----a-w- c:\windows\system32\jsproxy.dll
    2012-10-08 11:18 . 2012-11-15 16:01 173056 ----a-w- c:\windows\system32\ieUnatt.exe
    2012-10-08 11:17 . 2012-11-15 16:01 599040 ----a-w- c:\windows\system32\vbscript.dll
    2012-10-08 11:17 . 2012-11-15 16:01 816640 ----a-w- c:\windows\system32\jscript.dll
    2012-10-08 11:15 . 2012-11-15 16:01 729088 ----a-w- c:\windows\system32\msfeeds.dll
    2012-10-08 11:15 . 2012-11-15 16:01 2144768 ----a-w- c:\windows\system32\iertutil.dll
    2012-10-08 11:13 . 2012-11-15 16:01 96768 ----a-w- c:\windows\system32\mshtmled.dll
    2012-10-08 11:13 . 2012-11-15 16:01 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2012-10-08 11:09 . 2012-11-15 16:01 248320 ----a-w- c:\windows\system32\ieui.dll
    2012-10-08 07:56 . 2012-11-15 16:01 1800704 ----a-w- c:\windows\SysWow64\jscript9.dll
    2012-10-08 07:48 . 2012-11-15 16:01 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
    2012-10-08 07:47 . 2012-11-15 16:01 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
    2012-10-08 07:44 . 2012-11-15 16:01 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
    2012-10-08 07:43 . 2012-11-15 16:01 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
    2012-10-08 07:40 . 2012-11-15 16:01 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
    2012-10-03 17:56 . 2012-11-14 19:26 1914248 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2012-10-03 17:44 . 2012-11-14 19:26 70656 ----a-w- c:\windows\system32\nlaapi.dll
    2012-10-03 17:44 . 2012-11-14 19:26 303104 ----a-w- c:\windows\system32\nlasvc.dll
    2012-10-03 17:44 . 2012-11-14 19:26 246272 ----a-w- c:\windows\system32\netcorehc.dll
    2012-10-03 17:44 . 2012-11-14 19:26 18944 ----a-w- c:\windows\system32\netevent.dll
    2012-10-03 17:44 . 2012-11-14 19:26 216576 ----a-w- c:\windows\system32\ncsi.dll
    2012-10-03 17:42 . 2012-11-14 19:26 569344 ----a-w- c:\windows\system32\iphlpsvc.dll
    2012-10-03 16:42 . 2012-11-14 19:26 18944 ----a-w- c:\windows\SysWow64\netevent.dll
    2012-10-03 16:42 . 2012-11-14 19:26 175104 ----a-w- c:\windows\SysWow64\netcorehc.dll
    2012-10-03 16:42 . 2012-11-14 19:26 156672 ----a-w- c:\windows\SysWow64\ncsi.dll
    2012-10-03 16:07 . 2012-11-14 19:26 45568 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files (x86)\Vuze_Remote\prxtbVuze.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
    2011-05-09 09:49 176936 ----a-w- c:\program files (x86)\Vuze_Remote\prxtbVuze.dll
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
    2012-10-24 00:36 194928 ----a-w- c:\program files (x86)\Yontoo\YontooIEClient.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files (x86)\Vuze_Remote\prxtbVuze.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\0MediaIconsOerlay]
    @="{1EC23CFF-4C58-458f-924C-8519AEF61B32}"
    [HKEY_CLASSES_ROOT\CLSID\{1EC23CFF-4C58-458f-924C-8519AEF61B32}]
    2012-12-04 10:23 220160 ----a-w- c:\programdata\Microsoft\Media Tools\MediaIconsOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-10-25 343168]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    "UpdateLBPShortCut"="c:\program files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2009-05-19 222504]
    "CLMLServer"="c:\program files (x86)\CyberLink\Power2Go\CLMLSvc.exe" [2009-12-15 103720]
    "UpdateP2GoShortCut"="c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-19 222504]
    "UCam_Menu"="c:\program files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-02-17 218408]
    "UpdatePSTShortCut"="c:\program files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2010-04-19 222504]
    "Jomantha"="c:\program files (x86)\n52te\razerhid.exe" [2007-12-12 163840]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-27 59280]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-09-09 421776]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
    "LoadAppInit_DLLs"=1 (0x1)
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-09-29 676936]
    R3 aar81xx;aar81xx;c:\windows\system32\drivers\aar81xx.sys [2010-09-21 389720]
    R3 adp3132;adp3132;c:\windows\system32\drivers\adp3132.sys [2010-01-28 385072]
    R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-04-01 183560]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-09-29 25928]
    R3 MegaSR1;MegaSR1;c:\windows\system32\drivers\MegaSR1.sys [2010-12-13 515152]
    R3 mv91cons;mv91cons;c:\windows\system32\drivers\mv91cons.sys [2011-03-07 24880]
    R3 NmPar;Unusable Parallel Port;c:\windows\system32\drivers\NmPar.sys [x]
    R3 nmserial;PCI Serial Port;c:\windows\system32\drivers\nmserial.sys [x]
    R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [2010-12-10 80384]
    R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [2010-12-10 181248]
    R3 OxSer;OxSer;c:\windows\system32\drivers\OxSer.sys [2009-09-16 98352]
    R3 Si3531;Si3531;c:\windows\system32\drivers\Si3531.sys [2009-02-08 333864]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-07-09 52736]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-11-05 1255736]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-10-26 204288]
    S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-10-25 361984]
    S2 AODDriver4.01;AODDriver4.01;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [2011-06-23 55424]
    S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-09-29 399432]
    S3 amdiox64;AMD IO Driver;c:\windows\system32\drivers\amdiox64.sys [2010-02-17 46136]
    S3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\drivers\asmthub3.sys [2010-04-21 126952]
    S3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\drivers\asmtxhci.sys [2010-04-21 390632]
    S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2011-06-06 231440]
    S3 JmtFltr;n52te;c:\windows\system32\drivers\JmtFltr.sys [2007-09-28 46464]
    S3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys [2010-12-30 1177440]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-03-21 452200]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-12-29 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-12-05 09:09]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-05-03 11842152]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    TCP: DhcpNameServer = 10.0.0.138
    FF - ProfilePath - c:\users\rob\AppData\Roaming\Mozilla\Firefox\Profiles\lffv9gx4.default\
    FF - prefs.js: browser.startup.homepage - www.google.com
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_135_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_135_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
    @="?????????????????? v1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
    @="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
    @="?????????????????? v2"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
    @="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE
    .
    **************************************************************************
    .
    Completion time: 2012-12-29 11:09:41 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-12-29 00:09
    .
    Pre-Run: 789,935,501,312 bytes free
    Post-Run: 790,921,555,968 bytes free
    .
    - - End Of File - - E71551402D2ACE3639585AAB9C500E63
     
  6. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    OK, continue as follows:

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the Codebox below into it:

    Code:
    ClearJavaCache::
    Folder::
    c:\program files (x86)\Yontoo
    
    Save this as CFScript.txt, and as Type: All Files (*.*) in the same location as ComboFix.exe

    [​IMG]

    [​IMG]

    Refering to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

    Next,

    Run Eset Online Scanner

    **Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

    Go Eset web page http://www.eset.com/home/products/online-scanner/ to run an online scanner from ESET.

    • Turn off the real time scanner of any existing antivirus program while performing the online scan
    • click on the Run ESET Online Scanner button
    • Tick the box next to YES, I accept the Terms of Use.
      Click Start
    • When asked, allow the add/on to be installed
      Click Start
    • Make sure that the option Remove found threats is unticked
    • Click on Advanced Settings, ensure the options
    • Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
      Click Scan
    • wait for the virus definitions to be downloaded
    • Wait for the scan to finish
    When the scan is complete

    • If no threats were found
    • put a checkmark in "Uninstall application on close"
    • close program
    • report to me that nothing was found
    If threats were found

    • click on "list of threats found"
    • click on "export to text file" and save it as ESET SCAN and save to the desktop
    • Click on back
    • put a checkmark in "Uninstall application on close"
    • click on finish
    close program
    copy and paste the report here

    Post those logs, also give update any any remaining issues or concerns...

    Kevin
     
  7. innocentdemon

    innocentdemon Thread Starter

    Joined:
    Dec 27, 2012
    Messages:
    13
    ill post the eset after its finished


    ComboFix 12-12-29.02 - rob 29/12/2012 20:10:58.3.4 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.61.1033.18.7919.6013 [GMT 11:00]
    Running from: c:\users\rob\Desktop\ComboFix.exe
    Command switches used :: c:\users\rob\Desktop\CFScript.txt
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    c:\program files (x86)\Yontoo
    c:\program files (x86)\Yontoo\YontooIEClient.dll
    I:\Autorun.inf
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-11-28 to 2012-12-29 )))))))))))))))))))))))))))))))
    .
    .
    2012-12-29 17:15 . 2012-12-29 17:15 -------- d-----w- C:\FRST
    2012-12-29 09:14 . 2012-12-29 09:14 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-12-14 10:31 . 2012-12-14 10:31 -------- d-----w- c:\users\rob\AppData\Roaming\Malwarebytes
    2012-12-14 10:31 . 2012-12-14 10:31 -------- d-----w- c:\programdata\Malwarebytes
    2012-12-14 10:31 . 2012-12-14 10:31 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-12-14 10:31 . 2012-09-29 08:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-12-05 10:06 . 2012-12-13 09:09 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-12-05 10:06 . 2012-12-13 09:09 697272 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-12-04 10:23 . 2012-12-04 10:23 220160 ----a-w- c:\programdata\Microsoft\Media Tools\MediaIconsOverlays.dll
    2012-12-04 10:23 . 2012-12-04 10:23 -------- d-----w- c:\program files (x86)\Mega Codec Pack
    2012-12-02 03:23 . 2012-12-02 03:23 -------- d-----w- c:\users\rob\AppData\Local\Diagnostics
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-11-04 06:59 . 2011-03-28 07:36 19720 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2012-11-01 04:35 . 2012-11-13 14:47 253256 ----a-w- c:\windows\system32\drivers\PCTSD64.sys
    2012-10-18 18:25 . 2012-11-14 19:26 3149824 ----a-w- c:\windows\system32\win32k.sys
    2012-10-16 08:38 . 2012-11-28 07:18 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll
    2012-10-16 08:38 . 2012-11-28 07:18 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll
    2012-10-16 07:39 . 2012-11-28 07:18 561664 ----a-w- c:\windows\apppatch\AcLayers.dll
    2012-10-09 18:17 . 2012-11-14 19:26 226816 ----a-w- c:\windows\system32\dhcpcore6.dll
    2012-10-09 18:17 . 2012-11-14 19:26 55296 ----a-w- c:\windows\system32\dhcpcsvc6.dll
    2012-10-09 17:40 . 2012-11-14 19:26 193536 ----a-w- c:\windows\SysWow64\dhcpcore6.dll
    2012-10-09 17:40 . 2012-11-14 19:26 44032 ----a-w- c:\windows\SysWow64\dhcpcsvc6.dll
    2012-10-08 12:19 . 2012-11-15 16:01 17811968 ----a-w- c:\windows\system32\mshtml.dll
    2012-10-08 11:42 . 2012-11-15 16:01 10925568 ----a-w- c:\windows\system32\ieframe.dll
    2012-10-08 11:31 . 2012-11-15 16:01 2312704 ----a-w- c:\windows\system32\jscript9.dll
    2012-10-08 11:24 . 2012-11-15 16:01 1346048 ----a-w- c:\windows\system32\urlmon.dll
    2012-10-08 11:23 . 2012-11-15 16:01 1392128 ----a-w- c:\windows\system32\wininet.dll
    2012-10-08 11:22 . 2012-11-15 16:01 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-10-08 11:22 . 2012-11-15 16:01 237056 ----a-w- c:\windows\system32\url.dll
    2012-10-08 11:20 . 2012-11-15 16:01 85504 ----a-w- c:\windows\system32\jsproxy.dll
    2012-10-08 11:18 . 2012-11-15 16:01 173056 ----a-w- c:\windows\system32\ieUnatt.exe
    2012-10-08 11:17 . 2012-11-15 16:01 599040 ----a-w- c:\windows\system32\vbscript.dll
    2012-10-08 11:17 . 2012-11-15 16:01 816640 ----a-w- c:\windows\system32\jscript.dll
    2012-10-08 11:15 . 2012-11-15 16:01 729088 ----a-w- c:\windows\system32\msfeeds.dll
    2012-10-08 11:15 . 2012-11-15 16:01 2144768 ----a-w- c:\windows\system32\iertutil.dll
    2012-10-08 11:13 . 2012-11-15 16:01 96768 ----a-w- c:\windows\system32\mshtmled.dll
    2012-10-08 11:13 . 2012-11-15 16:01 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2012-10-08 11:09 . 2012-11-15 16:01 248320 ----a-w- c:\windows\system32\ieui.dll
    2012-10-08 07:56 . 2012-11-15 16:01 1800704 ----a-w- c:\windows\SysWow64\jscript9.dll
    2012-10-08 07:48 . 2012-11-15 16:01 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
    2012-10-08 07:47 . 2012-11-15 16:01 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
    2012-10-08 07:44 . 2012-11-15 16:01 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
    2012-10-08 07:43 . 2012-11-15 16:01 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
    2012-10-08 07:40 . 2012-11-15 16:01 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
    2012-10-03 17:56 . 2012-11-14 19:26 1914248 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2012-10-03 17:44 . 2012-11-14 19:26 70656 ----a-w- c:\windows\system32\nlaapi.dll
    2012-10-03 17:44 . 2012-11-14 19:26 303104 ----a-w- c:\windows\system32\nlasvc.dll
    2012-10-03 17:44 . 2012-11-14 19:26 246272 ----a-w- c:\windows\system32\netcorehc.dll
    2012-10-03 17:44 . 2012-11-14 19:26 18944 ----a-w- c:\windows\system32\netevent.dll
    2012-10-03 17:44 . 2012-11-14 19:26 216576 ----a-w- c:\windows\system32\ncsi.dll
    2012-10-03 17:42 . 2012-11-14 19:26 569344 ----a-w- c:\windows\system32\iphlpsvc.dll
    2012-10-03 16:42 . 2012-11-14 19:26 18944 ----a-w- c:\windows\SysWow64\netevent.dll
    2012-10-03 16:42 . 2012-11-14 19:26 175104 ----a-w- c:\windows\SysWow64\netcorehc.dll
    2012-10-03 16:42 . 2012-11-14 19:26 156672 ----a-w- c:\windows\SysWow64\ncsi.dll
    2012-10-03 16:07 . 2012-11-14 19:26 45568 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files (x86)\Vuze_Remote\prxtbVuze.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
    2011-05-09 09:49 176936 ----a-w- c:\program files (x86)\Vuze_Remote\prxtbVuze.dll
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
    c:\program files (x86)\Yontoo\YontooIEClient.dll [BU]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files (x86)\Vuze_Remote\prxtbVuze.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\0MediaIconsOerlay]
    @="{1EC23CFF-4C58-458f-924C-8519AEF61B32}"
    [HKEY_CLASSES_ROOT\CLSID\{1EC23CFF-4C58-458f-924C-8519AEF61B32}]
    2012-12-04 10:23 220160 ----a-w- c:\programdata\Microsoft\Media Tools\MediaIconsOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-10-25 343168]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    "UpdateLBPShortCut"="c:\program files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2009-05-19 222504]
    "CLMLServer"="c:\program files (x86)\CyberLink\Power2Go\CLMLSvc.exe" [2009-12-15 103720]
    "UpdateP2GoShortCut"="c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-19 222504]
    "UCam_Menu"="c:\program files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-02-17 218408]
    "UpdatePSTShortCut"="c:\program files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2010-04-19 222504]
    "Jomantha"="c:\program files (x86)\n52te\razerhid.exe" [2007-12-12 163840]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-27 59280]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-09-09 421776]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
    "LoadAppInit_DLLs"=1 (0x1)
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-09-29 676936]
    R3 aar81xx;aar81xx;c:\windows\system32\drivers\aar81xx.sys [2010-09-21 389720]
    R3 adp3132;adp3132;c:\windows\system32\drivers\adp3132.sys [2010-01-28 385072]
    R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-04-01 183560]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-09-29 25928]
    R3 MegaSR1;MegaSR1;c:\windows\system32\drivers\MegaSR1.sys [2010-12-13 515152]
    R3 mv91cons;mv91cons;c:\windows\system32\drivers\mv91cons.sys [2011-03-07 24880]
    R3 NmPar;Unusable Parallel Port;c:\windows\system32\drivers\NmPar.sys [x]
    R3 nmserial;PCI Serial Port;c:\windows\system32\drivers\nmserial.sys [x]
    R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [2010-12-10 80384]
    R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [2010-12-10 181248]
    R3 OxSer;OxSer;c:\windows\system32\drivers\OxSer.sys [2009-09-16 98352]
    R3 Si3531;Si3531;c:\windows\system32\drivers\Si3531.sys [2009-02-08 333864]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-07-09 52736]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-11-05 1255736]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-10-26 204288]
    S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-10-25 361984]
    S2 AODDriver4.01;AODDriver4.01;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [2011-06-23 55424]
    S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-09-29 399432]
    S3 amdiox64;AMD IO Driver;c:\windows\system32\drivers\amdiox64.sys [2010-02-17 46136]
    S3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\drivers\asmthub3.sys [2010-04-21 126952]
    S3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\drivers\asmtxhci.sys [2010-04-21 390632]
    S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2011-06-06 231440]
    S3 JmtFltr;n52te;c:\windows\system32\drivers\JmtFltr.sys [2007-09-28 46464]
    S3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys [2010-12-30 1177440]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-03-21 452200]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-12-29 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-12-05 09:09]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-05-03 11842152]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    TCP: DhcpNameServer = 10.0.0.138
    FF - ProfilePath - c:\users\rob\AppData\Roaming\Mozilla\Firefox\Profiles\lffv9gx4.default\
    FF - prefs.js: browser.startup.homepage - www.google.com
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_135_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_135_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
    @="?????????????????? v1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
    @="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
    @="?????????????????? v2"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
    @="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2012-12-29 20:15:56
    ComboFix-quarantined-files.txt 2012-12-29 09:15
    ComboFix2.txt 2012-12-29 00:09
    .
    Pre-Run: 786,170,970,112 bytes free
    Post-Run: 786,110,844,928 bytes free
    .
    - - End Of File - - C80514532A960C581483755BBC70D5EF
     
  8. innocentdemon

    innocentdemon Thread Starter

    Joined:
    Dec 27, 2012
    Messages:
    13
    C:\Users\All Users\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application unable to clean
    C:\FRST\Quarantine\{aba0fed2-7ffd-384d-b2e2-494f90017710}\U\[email protected] Win64/Conedex.C trojan cleaned by deleting - quarantined
    C:\FRST\Quarantine\{aba0fed2-7ffd-384d-b2e2-494f90017710}\U\[email protected] Win64/Sirefef.AW trojan cleaned by deleting - quarantined
    C:\FRST\Quarantine\{aba0fed2-7ffd-384d-b2e2-494f90017710}\U\[email protected] probably a variant of Win32/Sirefef.FD trojan cleaned by deleting - quarantined
    C:\FRST\Quarantine\{aba0fed2-7ffd-384d-b2e2-494f90017710}\U\[email protected] a variant of Win64/Sirefef.AN trojan cleaned by deleting - quarantined
    C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\Program Files (x86)\Yontoo\YontooIEClient.dll.vir a variant of Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
    C:\Users\rob\Downloads\Red_Dawn_2012_TS_XviD_MP3-ADTRG.exe Win32/Adware.1ClickDownload.K application cleaned by deleting - quarantined
     
  9. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Download OTM from either of the following links and save to your Desktop:

    http://oldtimer.geekstogo.com/OTM.exe.
    http://www.itxassociates.com/OT-Tools/OTM.com
    http://www.itxassociates.com/OT-Tools/OTM.exe

    Double click OTM.exe to start the tool. Vista or Windows 7 users accepy UAC alert. Be aware all processes will be stopped during run, also Desktop will disappear, this will be put back on completion....

    • Copy the text from the code box belowbelow to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Files
      C:\Users\All Users\Tarma Installer
      :Commands
      [EmptyTemp]
      
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    • Click the red [​IMG] button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    If the machine reboots, the Results log can be found here:

    c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss is the date of the tool run.

    Next,

    Download Security Check by screen317 from either of the following:
    http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe
    Save it to your Desktop.
    Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
    A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    Post those two logs, also let me know if there are any remaining issues or concerns..

    Kevin
     
  10. innocentdemon

    innocentdemon Thread Starter

    Joined:
    Dec 27, 2012
    Messages:
    13
    All processes killed
    ========== FILES ==========
    C:\Users\All Users\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Cache folder moved successfully.
    C:\Users\All Users\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B} folder moved successfully.
    C:\Users\All Users\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\Cache folder moved successfully.
    C:\Users\All Users\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504} folder moved successfully.
    C:\Users\All Users\Tarma Installer folder moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: rob
    ->Temp folder emptied: 96429 bytes
    ->Temporary Internet Files folder emptied: 12731273 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 72609926 bytes
    ->Flash cache emptied: 8814 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 416874083 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50333 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 479.00 mb


    OTM by OldTimer - Version 3.1.21.0 log created on 12292012_232058

    Files moved on Reboot...
    File C:\Users\rob\AppData\Local\Temp\hsperfdata_rob\3788 not found!
    C:\Users\rob\AppData\Local\Temp\e4j1BE9.tmp_dir1356742431\exe4jlib.jar moved successfully.
    C:\Users\rob\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

    Registry entries deleted on Reboot...

    Results of screen317's Security Check version 0.99.56
    Windows 7 Service Pack 1 x64 (UAC is enabled)
    Internet Explorer 9
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Security Center service is not running! This report may not be accurate!
    Windows Firewall Enabled!
    WMI entry may not exist for antivirus; attempting automatic update.
    `````````Anti-malware/Other Utilities Check:`````````
    Malwarebytes Anti-Malware version 1.65.1.1000
    Java(TM) 6 Update 26
    Java version out of Date!
    Adobe Flash Player 11.5.502.135
    Mozilla Firefox (17.0.1)
    ````````Process Check: objlist.exe by Laurent````````
    Malwarebytes Anti-Malware mbamservice.exe
    Malwarebytes Anti-Malware mbamgui.exe
    Malwarebytes' Anti-Malware mbamscheduler.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 0%
    ````````````````````End of Log``````````````````````
     
  11. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    I do not see an Anti-Virus program running, is that correct.. if so install the following:

    To keep safe when online you need a good Antivirus/Antspyware/Antimalware/Anti-Rootkit combination application. Microsoft Security Essentials covers all of those bases, but better still it is free. Go here http://www.microsoft.com/security_essentials/ select your Operating System, download, install and follow the prompts. Once installed it will want to update and carry out a quick scan, allow that to happen. Let me know if tit finds anything from the scan...

    When that completes your version of Java [​IMG] is out of date. Older versions have vulnerabilities that malware can use to infect your system.
    Please follow these steps to remove older version of Java components and upgrade the application.

    Upgrading Java:

    Go to http://java.com/en/ and click on "Do I have Java"
    It will check your current version and then offer to update to the latest version
    Watch for and make sure you untick the box next to whatever free program they prompt you to install during the installation, unless you want it.

    ***Note: Check in Programs and Features (or Add/Remove Programs if you are an XP user) to make certain there are no old versions of Java still installed, if so - remove them.

    Let me know how your system is responding...
     
  12. innocentdemon

    innocentdemon Thread Starter

    Joined:
    Dec 27, 2012
    Messages:
    13
    I downloaded MSE and ran a scan, showed no virus on my system. Thank You for your help.:D
    Just one last thing, which program's can i delete?
     
  13. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Remove Combofix now that we're done with it
    • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
      [​IMG]
    • Please follow the prompts to uninstall Combofix.
    • You will then recieve a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
    The above procedure will delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:_OtMoveIt folder, if present
    • Reset the clock settings.
    • Hide file extensions, if required.
    • Hide System/Hidden files, if required.
    • Reset System Restore.

    It is very important that you get a successful uninstall because of the extra functions done at the same time, let me know if this does not happen.

    Next,

    • Download OTC by OldTimer from here http://oldtimer.geekstogo.com/OTC.exe or here http://www.itxassociates.com/OT-Tools/OTC.exe and save to your Desktop.
    • Double click [​IMG] icon to start the program.
      If you are using Vista or Windows 7 accept UAC
    • Then Click the big [​IMG] button.
    • You will get a prompt saying "Begining Cleanup Process". Please select Yes.
    • Restart your computer when prompted.
    • This will remove tools we have used and itself.

    Any tools/logs remaining on the Desktop can be deleted.

    Let me know if those steps complete OK, also if you have any remaining issues. If none hit the "Mark Solved" tab at the top of the thread..
     
  14. innocentdemon

    innocentdemon Thread Starter

    Joined:
    Dec 27, 2012
    Messages:
    13
    Thank you for your great help kevin and have a happy new year :)
     
  15. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Thanks for the reply, yes have a great new year yourself and family....

    If no more issues Here are some tips to reduce the potential for malware infection in the future:

    Make proper use of your antivirus and firewall

    Antivirus and Firewall programs are integral to your computer security. However, just having them installed isn't enough. The definitions of these programs are frequently updated to detect the latest malware, if you don't keep up with these updates then you'll be vulnerable to infection. Many antivirus and firewall programs have automatic update features, make use of those if you can. If your program doesn't, then get in the habit of routinely performing manual updates, because it's important.

    You should keep your antivirus and firewall guard enabled at all times, NEVER turn them off unless there's a specific reason to do so. Also, regularly performing a full system scan with your antivirus program is a good idea to make sure you're system remains clean. Once a week should be adequate. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.

    Install and use WinPatrol from here http://www.winpatrol.com/download.html This will inform you of any attempted unauthorized changes to your system.

    WinPatrol features explained here http://www.winpatrol.com/features.html

    Go here http://www.filehippo.com/updatechecker/ run the FileHippo Update Checker, update all applications as suggested by the Update Checker. Ignore any Beta updates. (Use stand alone version, not a full install)
    If Java or Adobe are updated please check under Start > Control Panel > Add/Remove Programs, ensure any old versions are removed. <--- Very important

    Use a safer web browser

    Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a few good free alternatives:

    FireFox http://www.mozilla.com/en-US/,

    Opera http://www.opera.com/, and

    Chrome http://www.google.com/chrome.

    All of these are excellent faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial here http://www.bleepingcomputer.com/tutorials/tutorial102.html which will help you to make IE MUCH safer.

    These browser add-ons will help to make your browser safer:

    Web of Trust warns you about risky websites that try to scam visitors, deliver malware or send spam. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous ones:

    Available for Firefox and Internet Explorer.

    Green to go,
    Yellow for caution, and
    Red to stop.


    Available for Firefox only. NoScript helps to block malicious scripts and in general gives you much better control over what types of things webpages can do to your computer while you're browsing.

    These are just a couple of the most popular add-ons, if you're interested in more, take a look at this article:
    http://browsers.about.com/od/addonsplugi2/tp/browser_security_privacy.htm

    Here a couple of links by two security experts that will give some excellent tips and advice.

    So how did I get infected in the first place by Tony Klein

    How to prevent Malware by Miekiemoes

    Finally this link http://www.geekstogo.com/forum/topic/38-free-antivirus-and-antispyware-software will give a comprehensive upto date list of free Security programs. To include - Antivirus, Antispyware, Firewall, Antimalware, Online scanners and rescue CD`s.

    Don`t forget, the best form of defense is common sense. If you don`t recognize it, don`t open it. If something looks to good to be true, then it aint.

    It was a pleasure to work with you, take care,

    Kevin
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/1082640

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice