
Possible root kit infection [Closed]


This topic is locked
11 replies to this topic

#1 computerwannabe (Authentic Member, 106 posts)

Posted 14 July 2014 - 08:03 PM

My computer has been acting unusual lately, such as windows popping up saying I am infected, or need to update a program that are clearly not from my antivirus or any of my programs.  In addition, my husband tried to sign into an account today and it redirected to youtube instead of logging in.  Recently an avast deep scan ran on startup and said we had a root kit.  We didn't finish the scan or try to clean it because I wanted to be sure I got it cleaned properly, so here I am.  :)

I remember reading a computer security article when rootkits first came out that said that the writer would absolutely wipe the hard drive and start over if he had a rootkit infection.  Are they able to be removed completely now?  Also, how do I make sure to remove them from every user account? (We use three)

Anyway, here is the DDS log:

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16561  BrowserJavaVersion: 10.25.2
Run by jtmeserole at 20:52:27 on 2014-07-14
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.2942.1379 [GMT -5:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: ZoneAlarm Free Firewall Firewall *Enabled* {E6380B7E-D4B2-19F1-083E-56486607704B}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Windstream\Diagnostic Tools\HsdService.exe
C:\Program Files\pcreg\pcreg.exe
C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Windstream\Diagnostic Tools\DiagnosticTools.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_14_0_0_145.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_14_0_0_145.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: ZoneAlarm Security Engine Registrar: {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: ZoneAlarm Security Engine: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [AppsHat] c:\users\jtmeserole\appdata\local\webplayer\appshat\WebPlayer.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Windstream Service Agent.exe] "c:\program files\windstream\service agent\Windstream Service Agent.exe" /AUTORUN
mRun: [DiagnosticTools.exe] "c:\program files\windstream\diagnostic tools\DiagnosticTools.exe" /AUTORUN
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [ZoneAlarm] "c:\program files\checkpoint\zonealarm\zatray.exe"
mRun: [ISW] c:\program files\checkpoint\zaforcefield\ForceField.exe /icon="hidden"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: HideSCAHealth = dword:1
mPolicies-System: ConsentPromptBehaviorUser = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\mi1933~1\office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB
DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} - hxxp://quickscan.bitdefender.com/qsax/qsax.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
TCP: NameServer = 192.168.254.254
TCP: Interfaces\{13A9F322-A4AD-4491-8D74-E0A80C4B296F} : DHCPNameServer = 192.168.42.129
TCP: Interfaces\{DC2E7865-5ADB-466A-9527-0EFA9B7FF184} : DHCPNameServer = 192.168.254.254
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
AppInit_DLLs= c:\progra~2\perfor~1\perfor~1.dll
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\35.0.1916.114\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\jtmeserole\appdata\roaming\mozilla\firefox\profiles\ns39aey1.default-1403466522208\
FF - prefs.js: browser.startup.homepage - hxxp://www.ldsscripturemastery.net/en/
FF - plugin: c:\progra~1\mi1933~1\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\mi1933~1\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.24.7\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.30214.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\browser\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\musicnotes\npmusicn.dll
FF - plugin: c:\program files\musicnotes\NPSibelius.dll
FF - plugin: c:\program files\wildtangent games\app\browserintegration\registered\0\NP_wtapp.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\program files\windstream\service agent\nprpspa.dll
FF - plugin: c:\users\jtmeserole\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1200112.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_14_0_0_145.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [2013-5-25 49376]
R0 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [2013-5-25 175176]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2013-5-25 770344]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2013-5-25 369584]
R1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\rsdrv.sys [2011-9-7 22312]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2013-5-25 29816]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-5-25 66336]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2013-5-25 46808]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 HsdService;HsdService;c:\program files\windstream\diagnostic tools\HsdService.exe [2012-1-17 1393976]
R2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2012-11-22 27056]
R2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2012-11-22 497320]
R2 pcregservice;pcregservice Service;c:\program files\pcreg\pcreg.exe [2014-4-25 249024]
R2 RosettaStoneDaemon;RosettaStoneDaemon;c:\program files\rosettastoneltdservices\RosettaStoneDaemon.exe [2011-4-15 1646056]
R3 dsiarhwprog;dsiarhwprog;c:\windows\system32\drivers\dsiarhwprog.sys [2011-8-14 29184]
R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfslh.sys [2011-10-1 579944]
R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplaylh.sys [2011-10-1 194408]
R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvollh.sys [2011-10-1 19304]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\microsoft application virtualization client\sftvsa.exe [2011-10-1 219496]
S1 ccSet_NSM;Norton Family Settings Manager;c:\windows\system32\drivers\nsm\0206000.02b\ccSetx86.sys [2012-11-11 134304]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 cvhsvc;Client Virtualization Handler;c:\program files\common files\microsoft shared\virtualization handler\CVHSVC.EXE [2012-1-4 822624]
S2 NSM;Norton Family;c:\program files\norton family\engine\2.6.0.43\ccSvcHst.exe [2012-11-11 143928]
S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\norton pc checkup\engine\2.0.12.27\ccSvcHst.exe [2011-9-30 126392]
S2 sftlist;Application Virtualization Client;"c:\program files\microsoft application virtualization client\sftlist.exe" --> c:\program files\microsoft application virtualization client\sftlist.exe [?]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-10-23 172192]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2011-1-26 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]
S3 GamesAppService;GamesAppService;c:\program files\wildtangent games\app\GamesAppService.exe [2010-10-12 206072]
S3 MHIKEY10;MHIKEY10;c:\windows\system32\drivers\MHIKEY10.sys [2008-5-27 50560]
S3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirlh.sys [2011-10-1 21864]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-9-11 770168]
S4 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\norton pc checkup 3.0\SymcPCCULaunchSvc.exe [2012-9-22 132056]
S4 ServicepointService;ServicepointService;c:\program files\windstream\service agent\ServicepointService.exe [2012-1-17 10315064]
S4 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2011-8-19 450848]
.
=============== Created Last 30 ================
.
2014-07-14 03:18:17    --------    d-----w-    c:\programdata\Big Fish Games
2014-07-11 16:45:02    8140904    ----a-w-    c:\programdata\microsoft\windows defender\definition updates\{078f0eae-6d66-469b-9389-118e79f23642}\mpengine.dll
2014-07-10 03:02:35    --------    d-----w-    c:\users\jtmeserole\appdata\local\{0DA04039-5DBB-4327-8F9C-0A11E02A59C6}
2014-07-09 02:08:31    11204096    ----a-w-    c:\windows\system32\FlashPlayerInstaller.exe
2014-06-23 19:00:20    --------    d-----w-    c:\program files\iPod
2014-06-23 19:00:17    --------    d-----w-    c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2014-06-23 19:00:17    --------    d-----w-    c:\program files\iTunes
2014-06-23 18:53:14    --------    d-----w-    c:\program files\Bonjour
2014-06-23 02:33:41    --------    d-----w-    c:\users\jtmeserole\appdata\roaming\Stencyl
2014-06-23 02:31:41    --------    d-----w-    c:\program files\Stencyl
2014-06-22 19:32:28    --------    d-----w-    c:\users\jtmeserole\appdata\local\PackageAware
2014-06-21 15:20:05    --------    d-----w-    c:\programdata\savInshoup
.
==================== Find3M  ====================
.
2014-07-09 02:08:38    71344    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-07-09 02:08:38    699056    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-06-07 00:19:04    2051072    ----a-w-    c:\windows\system32\win32k.sys
2014-06-06 23:12:01    1810432    ----a-w-    c:\windows\system32\jscript9.dll
2014-06-06 23:03:02    1427968    ----a-w-    c:\windows\system32\inetcpl.cpl
2014-06-06 23:02:16    1129472    ----a-w-    c:\windows\system32\wininet.dll
2014-06-06 22:57:04    142848    ----a-w-    c:\windows\system32\ieUnatt.exe
2014-06-06 22:56:20    421376    ----a-w-    c:\windows\system32\vbscript.dll
2014-06-06 22:52:42    2382848    ----a-w-    c:\windows\system32\mshtml.tlb
2014-06-06 22:51:59    11776    ----a-w-    c:\windows\system32\mshta.exe
2014-06-06 08:59:38    506880    ----a-w-    c:\windows\system32\qedit.dll
2014-05-30 06:53:22    273408    ----a-w-    c:\windows\system32\drivers\afd.sys
2014-04-26 16:01:22    502784    ----a-w-    c:\windows\system32\usp10.dll
.
============= FINISH: 20:52:49.65 ===============

#2 OCD (SuperHelper, Malware Team, 5,574 posts)

Posted 15 July 2014 - 07:01 AM

Hi computerwannabe,

I need a few more scans to formulate a course of action.

My name is OCD. I would be more than happy to take a look at your log and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

  • I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • Copy and Paste logs directly into the reply window. DO NOT attach the logs unless specifically instructed to do so.

IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your Operating System and losing all your programs and data.

Please stay with this topic until I let you know that your system appears to be "All Clear"

Important: All tools MUST be run from the Desktop.

=========================

Security Check

Download Security Check by screen317 from here or here.

  • Save it to your Desktop.
    • Windows XP : Double click on the icon to run it.
    • Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=========================

aswMBR

Download aswMBR.exe and save it to your desktop.

  • Windows XP : Double click on the icon to run it.
  • Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click Scan
  • Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.

=========================

In your next post please provide the following:

  • checkup.txt
  • aswMBR.txt
  • attach MBR.zip

OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days

If you are satisfied with the help you have received, please consider making a donation.


#3 OCD (SuperHelper, Malware Team, 5,574 posts)

Posted 18 July 2014 - 07:44 PM

Hi computerwannabe,

Just checking in to see if you still need help?




#4 computerwannabe (Authentic Member, 106 posts)

Posted 18 July 2014 - 08:36 PM

Yes, I apologize, my schedule is full.  I will run the scan tomorrow night and post the logs.  Thank you for being willing to help me with this!



#5 OCD (SuperHelper, Malware Team, 5,574 posts)

Posted 18 July 2014 - 10:34 PM

:thumbup:




#6 computerwannabe (Authentic Member, 106 posts)

Posted 20 July 2014 - 03:44 PM

I tried to upload the MBR.dat file, but it tells me that I am not "permitted to upload this kind of file".

Here are the other results:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-05-10 12:34:37
-----------------------------
12:34:37.199    OS Version: Windows 6.0.6002 Service Pack 2
12:34:37.199    Number of processors: 2 586 0x203
12:34:37.200    ComputerName: JTMESEROLE-PC  UserName: jtmeserole
12:34:38.753    Initialize success
12:34:48.966    AVAST engine defs: 12051000
12:37:40.842    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000063
12:37:40.844    Disk 0 Vendor: WDC_WD32 01.0 Size: 305245MB BusType: 3
12:37:40.860    Disk 0 MBR read successfully
12:37:40.862    Disk 0 MBR scan
12:37:40.866    Disk 0 unknown MBR code
12:37:40.868    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       293688 MB offset 63
12:37:40.899    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS        11554 MB offset 601473600
12:37:40.907    Disk 0 scanning sectors +625137345
12:37:40.969    Disk 0 scanning C:\Windows\system32\drivers
12:37:50.179    Service scanning
12:38:12.324    Modules scanning
12:38:17.095    Disk 0 trace - called modules:
12:38:17.108    ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys tcpip.sys NETIO.SYS
12:38:17.437    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85ddc2a0]
12:38:17.441    3 CLASSPNP.SYS[807268b3] -> nt!IofCallDriver -> [0x85840700]
12:38:17.444    5 acpi.sys[806176bc] -> nt!IofCallDriver -> \Device\00000063[0x85446710]
12:38:18.582    AVAST engine scan C:\Windows
12:38:21.482    AVAST engine scan C:\Windows\system32
12:41:21.612    AVAST engine scan C:\Windows\system32\drivers
12:41:32.953    AVAST engine scan C:\Users\jtmeserole
12:54:31.682    AVAST engine scan C:\ProgramData
13:02:34.101    Scan finished successfully
13:36:56.274    Disk 0 MBR has been saved successfully to "C:\Users\jtmeserole\Documents\MBR.dat"
13:36:56.282    The log file has been saved successfully to "C:\Users\jtmeserole\Documents\aswMBR.txt"


aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-06-04 13:38:03
-----------------------------
13:38:03.220    OS Version: Windows 6.0.6002 Service Pack 2
13:38:03.220    Number of processors: 2 586 0x203
13:38:03.221    ComputerName: JTMESEROLE-PC  UserName: jtmeserole
13:38:04.366    Initialize success
13:38:05.386    AVAST engine defs: 13060400
13:38:39.460    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000005e
13:38:39.460    Disk 0 Vendor: WDC_WD32 01.0 Size: 305245MB BusType: 3
13:38:39.663    Disk 0 MBR read successfully
13:38:39.663    Disk 0 MBR scan
13:38:39.663    Disk 0 unknown MBR code
13:38:39.663    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       293688 MB offset 63
13:38:39.710    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS        11554 MB offset 601473600
13:38:39.710    Disk 0 scanning sectors +625137345
13:38:39.819    Disk 0 scanning C:\Windows\system32\drivers
13:38:55.325    Service scanning
13:39:14.560    Modules scanning
13:39:31.143    Disk 0 trace - called modules:
13:39:31.159    ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys
13:39:31.174    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86200ac8]
13:39:31.174    3 CLASSPNP.SYS[807248b3] -> nt!IofCallDriver -> [0x844757e8]
13:39:31.174    5 acpi.sys[806156bc] -> nt!IofCallDriver -> \Device\0000005e[0x84472958]
13:39:31.907    AVAST engine scan C:\Windows
13:39:40.253    AVAST engine scan C:\Windows\system32
13:41:40.470    AVAST engine scan C:\Windows\system32\drivers
13:41:51.998    AVAST engine scan C:\Users\jtmeserole
14:10:15.455    AVAST engine scan C:\ProgramData
14:14:11.602    Disk 0 MBR has been saved successfully to "C:\Users\jtmeserole\Documents\MBR.dat"
14:14:11.602    The log file has been saved successfully to "C:\Users\jtmeserole\Documents\aswMBR.txt"


aswMBR version 1.0.1.2041 Copyright© 2014 AVAST Software
Run date: 2014-07-20 15:31:27
-----------------------------
15:31:27.143    OS Version: Windows 6.0.6002 Service Pack 2
15:31:27.143    Number of processors: 2 586 0x203
15:31:27.144    ComputerName: JTMESEROLE-PC  UserName: jtmeserole
15:31:39.739    Initialize success
15:31:39.739    VM: initialized successfully
15:31:39.782    VM: outdated driver version !
15:31:40.157    AVAST engine defs: 14072000
15:32:02.396    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000005f
15:32:02.398    Disk 0 Vendor: WDC_WD32 01.0 Size: 305245MB BusType: 3
15:32:02.515    Disk 0 MBR read successfully
15:32:02.517    Disk 0 MBR scan
15:32:02.521    Disk 0 unknown MBR code
15:32:02.524    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       293688 MB offset 63
15:32:02.562    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS        11554 MB offset 601473600
15:32:02.567    Disk 0 scanning sectors +625137345
15:32:02.640    Disk 0 scanning C:\Windows\system32\drivers
15:32:14.661    Service scanning
15:32:36.359    Modules scanning
15:32:59.061    Disk 0 trace - called modules:
15:32:59.080    ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys
15:32:59.084    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x874e9780]
15:32:59.088    3 CLASSPNP.SYS[807228b3] -> nt!IofCallDriver -> [0x86a405f8]
15:32:59.091    5 acpi.sys[806136bc] -> nt!IofCallDriver -> \Device\0000005f[0x86a40030]
15:32:59.904    AVAST engine scan C:\Windows
15:33:03.790    AVAST engine scan C:\Windows\system32
15:36:51.432    AVAST engine scan C:\Windows\system32\drivers
15:37:07.049    AVAST engine scan C:\Users\jtmeserole
15:52:57.311    File: C:\Users\jtmeserole\AppData\Local\temp\trz5283.tmp  **INFECTED** Win32:Malware-gen
16:15:43.712    AVAST engine scan C:\ProgramData
16:25:21.477    Scan finished successfully
16:28:27.810    Disk 0 MBR has been saved successfully to "C:\Users\jtmeserole\Documents\MBR.dat"
16:28:27.834    The log file has been saved successfully to "C:\Users\jtmeserole\Documents\aswMBR.txt"

 Results of screen317's Security Check version 0.99.85  
 Windows Vista Service Pack 2 x86 (UAC is enabled)  
 Internet Explorer 9  
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Disabled!  
avast! Antivirus   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300  
 Java 7 Update 25  
 Java version out of Date!
 Adobe Flash Player 10 Flash Player out of Date!
 Adobe Flash Player     14.0.0.145  
 Adobe Reader 9 Adobe Reader out of Date!
 Mozilla Firefox (Firefox,. Firefox out of Date!  
 Google Chrome 34.0.1847.137  
 Google Chrome 35.0.1916.114  
 Google Chrome plugins...  
````````Process Check: objlist.exe by Laurent````````  
 AVAST Software Avast AvastSvc.exe  
 AVAST Software Avast AvastUI.exe  
 CheckPoint ZoneAlarm vsmon.exe  
 CheckPoint ZoneAlarm zatray.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 12 % Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````


#7 OCD (SuperHelper, Malware Team, 5,574 posts)

Posted 20 July 2014 - 08:51 PM

Hi computerwannabe,

At this point I'm not seeing any signs of a rootkit, but let's dig a bit deeper.

ComboFix

Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

=========================

In your next post please provide the following:

  • ComboFix.txt

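An added triage helper for the aswMBR logs posted above (example code written for this page, not a tool from the thread or from AVAST): it pulls out what a helper reads first, the MBR read status, the MBR code verdict, the partition table, the drivers in the disk I/O call chain and any **INFECTED** hit, and compares several runs so a line such as "Disk 0 unknown MBR code", which appears identically in the 2012, 2013 and 2014 runs above, is treated as a stable baseline rather than a new change. The expected-module set and the sample log's paths and addresses are assumptions constructed for the example.

```python
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Modules normally present in aswMBR's disk I/O trace on a 32-bit Vista box with an
# NVIDIA SATA controller (an assumption for this example, not a vendor-published list).
EXPECTED_TRACE_MODULES = {
    "ntkrnlpa.exe", "ntoskrnl.exe", "hal.dll", "classpnp.sys", "disk.sys",
    "acpi.sys", "storport.sys", "partmgr.sys", "volmgr.sys", "nvstor32.sys",
}

Partition = namedtuple("Partition", "index active type_code fs size_mb offset")

@dataclass
class AswMbrRun:
    mbr_read_ok: bool = False
    mbr_code: str = "not scanned"
    partitions: list = field(default_factory=list)
    trace_modules: list = field(default_factory=list)
    infected: list = field(default_factory=list)  # (path, detection name)
    finished: bool = False

TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+(.*)$")
PART_RE = re.compile(r"Partition (\d+) ([0-9A-Fa-f]{2})\s+(\(A\)\s+)?([0-9A-Fa-f]{2})"
                     r"\s+\S+\s+(\S+)\s+(\d+) MB offset (\d+)")
INFECTED_RE = re.compile(r"File: (.+?)\s+\*\*INFECTED\*\*\s+(\S+)")

def parse_run(text):
    """Parse one 'aswMBR version ...' block into an AswMbrRun."""
    run, want_modules = AswMbrRun(), False
    for raw in text.splitlines():
        if not (m := TS_RE.match(raw)):  # header and separator lines carry no timestamp
            continue
        msg = m.group(1)
        if want_modules:  # the line after "trace - called modules:" lists the drivers
            run.trace_modules, want_modules = msg.split(), False
        elif msg.endswith("trace - called modules:"):
            want_modules = True
        elif "MBR read successfully" in msg:
            run.mbr_read_ok = True
        elif "MBR code" in msg:  # e.g. "Disk 0 unknown MBR code"
            run.mbr_code = "unknown" if "unknown" in msg else msg
        elif (p := PART_RE.search(msg)):
            run.partitions.append(Partition(int(p[1]), p[2] == "80", p[4], p[5], int(p[6]), int(p[7])))
        elif (h := INFECTED_RE.search(msg)):
            run.infected.append((h[1], h[2]))
        elif msg.startswith("Scan finished"):
            run.finished = True
    return run

def parse_log(text):
    """aswMBR.txt accumulates runs over time; split the file on each version header."""
    return [parse_run(b) for b in re.split(r"(?m)^(?=aswMBR version)", text) if b.strip()]

def triage(run):
    """(severity, note) findings for one run; an empty list means nothing to flag."""
    notes = []
    if not run.mbr_read_ok:
        notes.append(("high", "MBR could not be read"))
    if run.mbr_code == "unknown":
        notes.append(("info", "non-standard MBR code; compare with earlier runs before judging"))
    if sum(p.active for p in run.partitions) != 1:
        notes.append(("medium", "expected exactly one active partition"))
    odd = [m for m in run.trace_modules if m.lower() not in EXPECTED_TRACE_MODULES]
    if odd:
        notes.append(("medium", "unexpected module(s) in disk I/O chain: " + ", ".join(odd)))
    notes += [("high", f"{name} at {path}") for path, name in run.infected]
    if not run.finished:
        notes.append(("info", "no 'Scan finished' line; results may be partial"))
    return notes

def mbr_baseline_unchanged(runs):
    """True when every run reports the same MBR code status and partition layout."""
    def key(r):
        return r.mbr_code, [(p.type_code, p.size_mb, p.offset, p.active) for p in r.partitions]
    return all(key(r) == key(runs[0]) for r in runs[1:])

# Constructed sample in the format of the logs above (made-up address and path values).
SAMPLE_LOG = r"""aswMBR version 1.0.1.2041 Copyright(c) 2014 AVAST Software
Run date: 2013-06-04 13:38:03
13:38:39.663    Disk 0 MBR read successfully
13:38:39.663    Disk 0 unknown MBR code
13:38:39.663    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       293688 MB offset 63
13:38:39.710    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS        11554 MB offset 601473600
aswMBR version 1.0.1.2041 Copyright(c) 2014 AVAST Software
Run date: 2014-07-20 15:31:27
15:32:02.515    Disk 0 MBR read successfully
15:32:02.521    Disk 0 unknown MBR code
15:32:02.524    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       293688 MB offset 63
15:32:02.562    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS        11554 MB offset 601473600
15:32:59.061    Disk 0 trace - called modules:
15:32:59.080    ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys
15:52:57.311    File: C:\Users\example\AppData\Local\temp\trz0000.tmp  **INFECTED** Win32:Malware-gen
16:25:21.477    Scan finished successfully
"""

def sample_report():
    """Parse the constructed sample; return (baseline unchanged?, triage notes per run)."""
    runs = parse_log(SAMPLE_LOG)
    return mbr_baseline_unchanged(runs), [triage(r) for r in runs]
```

Run it against a real aswMBR.txt with `parse_log(open(path).read())`; the first run of the 2012 log on this page would also flag tcpip.sys and NETIO.SYS in the trace as worth a look.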


#8 OCD (SuperHelper, Malware Team, 5,574 posts)

Posted 23 July 2014 - 08:37 PM

Hi computerwannabe,

Just checking in to see if you still need help?


#9 computerwannabe

computerwannabe

    Authentic Member

  • Authentic Member
  • PipPip
  • 106 posts

Posted 25 July 2014 - 07:54 PM

Sorry for the delay!

ComboFix 14-07-25.01 - jtmeserole 07/25/2014  20:03:33.10.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.2942.1595 [GMT -5:00]
Running from: c:\users\jtmeserole\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
FW: ZoneAlarm Free Firewall Firewall *Disabled* {E6380B7E-D4B2-19F1-083E-56486607704B}
SP: avast! Antivirus *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\deal4Me
c:\programdata\deal4Me\qDPxs8QaX.dat
c:\programdata\deal4Me\qDPxs8QaX.tlb
c:\programdata\savInshoup
c:\programdata\savInshoup\m.dat
c:\programdata\savInshoup\m.tlb
c:\users\safe kids\AppData\Roaming\Mozilla\Firefox\Profiles\zt67ndkp.default\extensions\abwy9czzz@arfyi.com
c:\users\safe kids\AppData\Roaming\Mozilla\Firefox\Profiles\zt67ndkp.default\extensions\abwy9czzz@arfyi.com\bootstrap.js
c:\users\safe kids\AppData\Roaming\Mozilla\Firefox\Profiles\zt67ndkp.default\extensions\abwy9czzz@arfyi.com\chrome.manifest
c:\users\safe kids\AppData\Roaming\Mozilla\Firefox\Profiles\zt67ndkp.default\extensions\abwy9czzz@arfyi.com\content\bg.js
c:\users\safe kids\AppData\Roaming\Mozilla\Firefox\Profiles\zt67ndkp.default\extensions\abwy9czzz@arfyi.com\install.rdf
c:\users\safe kids\AppData\Roaming\Mozilla\Firefox\Profiles\zt67ndkp.default\extensions\liol-vjqb@dadj-jq.co.uk
c:\users\safe kids\AppData\Roaming\Mozilla\Firefox\Profiles\zt67ndkp.default\extensions\liol-vjqb@dadj-jq.co.uk\bootstrap.js
c:\users\safe kids\AppData\Roaming\Mozilla\Firefox\Profiles\zt67ndkp.default\extensions\liol-vjqb@dadj-jq.co.uk\chrome.manifest
c:\users\safe kids\AppData\Roaming\Mozilla\Firefox\Profiles\zt67ndkp.default\extensions\liol-vjqb@dadj-jq.co.uk\content\bg.js
c:\users\safe kids\AppData\Roaming\Mozilla\Firefox\Profiles\zt67ndkp.default\extensions\liol-vjqb@dadj-jq.co.uk\install.rdf
c:\users\school acct\AppData\Roaming\Mozilla\Firefox\Profiles\17waw3k3.default-1394565372783\extensions\abwy9czzz@arfyi.com
c:\users\school acct\AppData\Roaming\Mozilla\Firefox\Profiles\17waw3k3.default-1394565372783\extensions\abwy9czzz@arfyi.com\bootstrap.js
c:\users\school acct\AppData\Roaming\Mozilla\Firefox\Profiles\17waw3k3.default-1394565372783\extensions\abwy9czzz@arfyi.com\chrome.manifest
c:\users\school acct\AppData\Roaming\Mozilla\Firefox\Profiles\17waw3k3.default-1394565372783\extensions\abwy9czzz@arfyi.com\content\bg.js
c:\users\school acct\AppData\Roaming\Mozilla\Firefox\Profiles\17waw3k3.default-1394565372783\extensions\abwy9czzz@arfyi.com\install.rdf
c:\users\school acct\AppData\Roaming\Mozilla\Firefox\Profiles\17waw3k3.default-1394565372783\extensions\liol-vjqb@dadj-jq.co.uk
c:\users\school acct\AppData\Roaming\Mozilla\Firefox\Profiles\17waw3k3.default-1394565372783\extensions\liol-vjqb@dadj-jq.co.uk\bootstrap.js
c:\users\school acct\AppData\Roaming\Mozilla\Firefox\Profiles\17waw3k3.default-1394565372783\extensions\liol-vjqb@dadj-jq.co.uk\chrome.manifest
c:\users\school acct\AppData\Roaming\Mozilla\Firefox\Profiles\17waw3k3.default-1394565372783\extensions\liol-vjqb@dadj-jq.co.uk\content\bg.js
c:\users\school acct\AppData\Roaming\Mozilla\Firefox\Profiles\17waw3k3.default-1394565372783\extensions\liol-vjqb@dadj-jq.co.uk\install.rdf
c:\windows\wininit.ini
.
.
(((((((((((((((((((((((((   Files Created from 2014-06-26 to 2014-07-26  )))))))))))))))))))))))))))))))
.
.
2014-07-26 01:18 . 2014-07-26 01:18    --------    d-----w-    c:\users\school acct\AppData\Local\temp
2014-07-26 01:18 . 2014-07-26 01:18    --------    d-----w-    c:\users\Default\AppData\Local\temp
2014-07-26 01:18 . 2014-07-26 01:18    --------    d-----w-    c:\users\What\AppData\Local\temp
2014-07-26 01:18 . 2014-07-26 01:18    --------    d-----w-    c:\users\safe kids\AppData\Local\temp
2014-07-26 01:18 . 2014-07-26 01:18    --------    d-----w-    c:\users\s\AppData\Local\temp
2014-07-26 01:18 . 2014-07-26 01:18    --------    d-----w-    c:\users\Nice\AppData\Local\temp
2014-07-25 20:55 . 2014-07-25 20:55    62576    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{B2A79CCD-4465-4E13-96D6-2C8D7521D8F3}\offreg.dll
2014-07-25 20:33 . 2014-07-02 03:11    8217224    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{B2A79CCD-4465-4E13-96D6-2C8D7521D8F3}\mpengine.dll
2014-07-24 01:39 . 2014-07-24 01:40    --------    d-----w-    c:\users\school acct\AppData\Roaming\.minecraft
2014-07-22 22:20 . 2014-07-22 22:20    --------    d-----w-    c:\users\school acct\AppData\Roaming\AVAST Software
2014-07-22 21:02 . 2014-07-22 21:02    --------    d-----w-    c:\users\jtmeserole\AppData\Roaming\AVAST Software
2014-07-20 21:41 . 2014-07-20 21:40    24184    ----a-w-    c:\windows\system32\drivers\aswHwid.sys
2014-07-20 21:40 . 2014-07-20 21:40    43152    ----a-w-    c:\windows\avastSS.scr
2014-07-15 04:07 . 2014-07-15 04:08    --------    d-----w-    c:\users\school acct\AppData\Local\Roblox
2014-07-15 02:37 . 2014-07-15 02:37    --------    d-----w-    c:\users\school acct\AppData\Roaming\NCH Software
2014-07-15 02:27 . 2014-07-15 02:27    --------    d-----w-    c:\users\jtmeserole\AppData\Roaming\PeerNetworking
2014-07-14 03:18 . 2014-07-14 03:18    --------    d-----w-    c:\programdata\Big Fish Games
2014-07-13 23:13 . 2014-07-13 23:13    --------    d-----w-    c:\users\school acct\AppData\Roaming\Stencyl
2014-07-09 02:08 . 2014-07-09 02:08    11204096    ----a-w-    c:\windows\system32\FlashPlayerInstaller.exe
2014-06-30 22:12 . 2014-06-30 22:12    --------    d-----w-    c:\users\school acct\AppData\Roaming\Malwarebytes
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-07-22 21:06 . 2013-05-26 03:30    414520    ----a-w-    c:\windows\system32\drivers\aswsp.sys
2014-07-20 21:40 . 2013-05-26 03:30    779536    ----a-w-    c:\windows\system32\drivers\aswSnx.sys
2014-07-20 21:40 . 2013-05-26 03:30    57800    ----a-w-    c:\windows\system32\drivers\aswTdi.sys
2014-07-20 21:40 . 2013-05-26 03:30    192352    ----a-w-    c:\windows\system32\drivers\aswVmm.sys
2014-07-20 21:40 . 2013-05-26 03:30    55112    ----a-w-    c:\windows\system32\drivers\aswRdr.sys
2014-07-20 21:40 . 2013-05-26 03:30    49944    ----a-w-    c:\windows\system32\drivers\aswRvrt.sys
2014-07-20 21:40 . 2013-05-26 03:30    67824    ----a-w-    c:\windows\system32\drivers\aswMonFlt.sys
2014-07-20 21:40 . 2013-05-26 03:30    276432    ----a-w-    c:\windows\system32\aswBoot.exe
2014-07-09 02:08 . 2012-06-14 13:07    699056    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-07-09 02:08 . 2011-06-30 17:17    71344    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2010-03-31 16:09 . 2014-05-10 02:14    10437264    ----a-w-    c:\program files\mozilla firefox\plugins\PDFNetC.dll
2010-04-08 18:36 . 2014-05-10 02:14    107760    ----a-w-    c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2014-07-20 21:40    578240    ----a-w-    c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2014-02-11 20924576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-08 13687328]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-08 92704]
"Windstream Service Agent.exe"="c:\program files\Windstream\Service Agent\Windstream Service Agent.exe" [2011-10-14 10204472]
"DiagnosticTools.exe"="c:\program files\Windstream\Diagnostic Tools\DiagnosticTools.exe" [2011-04-25 2037048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2013-05-08 41056]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-04-23 43848]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2013-03-27 73832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2014-05-27 152392]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2014-07-20 4086432]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HsdService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\prwntdrv]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ServicepointService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-04-04 21:06    958576    ----a-w-    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2013-05-08 21:20    41056    ----a-w-    c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
2008-12-04 15:14    75016    ----a-w-    c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2008-12-08 22:34    54576    ----a-w-    c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPADVISOR]
2009-04-04 00:25    1644088    ----a-w-    c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
2008-11-20 17:47    62768    ----a-w-    c:\program files\Hewlett-Packard\HP Odometer\hpsysdrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2013-04-04 19:50    887432    ----a-w-    c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateLBPShortCut]
2008-12-04 05:15    218408    ----a-w-    c:\program files\Cyberlink\LabelPrint\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateP2GoShortCut]
2008-12-04 05:15    218408    ----a-w-    c:\program files\Cyberlink\Power2Go\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdatePDIRShortCut]
2008-12-04 05:15    218408    ----a-w-    c:\program files\Cyberlink\PowerDirector\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdatePSTShortCut]
2009-02-02 21:05    210216    ----a-w-    c:\program files\Cyberlink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation    REG_MULTI_SZ       FontCache
HPZ12    REG_MULTI_SZ       Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt    REG_MULTI_SZ       hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-05-21 05:22    1091912    ----a-w-    c:\program files\Google\Chrome\Application\35.0.1916.114\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-07-26 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-14 02:09]
.
2014-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-11 01:23]
.
2014-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-11 01:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MI1933~1\Office14\ONBttnIE.dll/105
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.254.254
FF - ProfilePath - c:\users\jtmeserole\AppData\Roaming\Mozilla\Firefox\Profiles\ns39aey1.default-1403466522208\
FF - prefs.js: browser.startup.homepage - hxxp://www.ldsscripturemastery.net/en/
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-AppsHat - c:\users\jtmeserole\AppData\Local\WebPlayer\AppsHat\WebPlayer.exe
HKLM-Run-ISW - (no file)
SafeBoot-WudfPf
SafeBoot-WudfRd
AddRemove-{5F189DF5-2D05-472B-9091-84D9848AE48B}{dfc86759} - c:\progra~2\PERFOR~1\PERFOR~1.DLL
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-07-25 20:18
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
.
c:\users\JTMESE~1\AppData\Local\Temp\catchme.dll 53248 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NSM]
"ImagePath"="\"c:\program files\Norton Family\Engine\2.6.0.43\ccSvcHst.exe\" /s \"NSM\" /m \"c:\program files\Norton Family\Engine\2.6.0.43\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCCUJobMgr]
"ImagePath"="\"c:\program files\Norton PC Checkup\Engine\2.0.12.27\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files\Norton PC Checkup\Engine\2.0.12.27\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(2748)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'lsass.exe'(828)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
Completion time: 2014-07-25  20:21:56
ComboFix-quarantined-files.txt  2014-07-26 01:21
.
Pre-Run: 120,676,466,688 bytes free
Post-Run: 123,303,436,288 bytes free
.
- - End Of File - - E8FDE30FCFB14061451DC2D0455D87C2
81CD5EC01DB0CE57EDD853F82462EF27
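An added example for this thread, not part of ComboFix's output or of the helper's instructions: the "Other Deletions" section above shows the same two Firefox extensions, abwy9czzz@arfyi.com and liol-vjqb@dadj-jq.co.uk, in the "safe kids" and "school acct" profiles, while the "Reg Loading Points" section only covers HKEY_CURRENT_USER for the account ComboFix was run under. The PowerShell below walks every profile folder under C:\Users for Firefox extensions and lists the Run/RunOnce values of every user hive currently loaded, which is one way to check all three accounts rather than only the one that ran the tool. It assumes an elevated prompt, profile folders under %SystemDrive%\Users, and PowerShell 2.0 syntax (the version available for Vista); the known-bad extension IDs are taken from the log, and everything else it reports is for review.

```powershell
# Added example for this thread (not ComboFix output or the helper's instructions).
# Assumptions: Windows profiles under %SystemDrive%\Users, elevated PowerShell prompt,
# PowerShell 2.0 syntax (so no Get-ChildItem -Directory).

# Extension IDs taken from the ComboFix "Other Deletions" section.
$KnownBadExtensions = @('abwy9czzz@arfyi.com', 'liol-vjqb@dadj-jq.co.uk')

function Get-FirefoxExtensions {
    param([string]$ProfilesRoot = (Join-Path $env:SystemDrive 'Users'))
    $found = @()
    $users = Get-ChildItem -LiteralPath $ProfilesRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer }
    foreach ($user in $users) {
        $profilesDir = Join-Path $user.FullName 'AppData\Roaming\Mozilla\Firefox\Profiles'
        if (-not (Test-Path -LiteralPath $profilesDir)) { continue }
        $profiles = Get-ChildItem -LiteralPath $profilesDir | Where-Object { $_.PSIsContainer }
        foreach ($profile in $profiles) {
            $extDir = Join-Path $profile.FullName 'extensions'
            if (-not (Test-Path -LiteralPath $extDir)) { continue }
            foreach ($ext in Get-ChildItem -LiteralPath $extDir) {
                # An extension is an unpacked folder or an .xpi archive; its name is the ID.
                $id = $ext.Name -replace '\.xpi$', ''
                $flag = 'review'
                if ($KnownBadExtensions -contains $id) { $flag = 'KNOWN-BAD' }
                $found += New-Object PSObject -Property @{
                    User      = $user.Name
                    Profile   = $profile.Name
                    Extension = $id
                    Flag      = $flag
                    Path      = $ext.FullName
                }
            }
        }
    }
    return $found
}

function Get-UserRunEntries {
    # Only the hives of accounts that have logged on since boot are loaded under
    # HKEY_USERS. An account missing from this output must be logged on (or its
    # NTUSER.DAT loaded with reg.exe load) before its Run keys can be checked.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $runKeys = @('Software\Microsoft\Windows\CurrentVersion\Run',
                 'Software\Microsoft\Windows\CurrentVersion\RunOnce')
    $entries = @()
    # Per-user hives are named by SID; this skips the *_Classes hives and built-in ones.
    $hives = Get-ChildItem -Path 'HKU:\' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }
    foreach ($hive in $hives) {
        $sid = $hive.PSChildName
        try {
            $account = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $account = $sid }
        foreach ($sub in $runKeys) {
            $key = $hive.OpenSubKey($sub)   # $hive is a Microsoft.Win32.RegistryKey
            if ($key -eq $null) { continue }
            foreach ($name in $key.GetValueNames()) {
                $entries += New-Object PSObject -Property @{
                    Account = $account
                    Key     = $sub
                    Name    = $name
                    Command = $key.GetValue($name)
                }
            }
            $key.Close()
        }
    }
    return $entries
}

Get-FirefoxExtensions | Sort-Object User, Profile |
    Format-Table User, Profile, Extension, Flag -AutoSize
Get-UserRunEntries | Sort-Object Account |
    Format-Table Account, Key, Name, Command -AutoSize
```

Any row flagged KNOWN-BAD means one of the two extensions ComboFix removed is still present in another profile; rows marked review are simply every other extension found, to be compared against what each account's owner actually installed. For the Run listing, log each of the three accounts on once before running it, since a hive that is not loaded is not shown.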
 



#10 OCD

OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 25 July 2014 - 08:13 PM

Hi computerwannabe,

Uninstall via Programs and Features

Click Start > Control Panel > Programs and Features. Locate and select the following that are present on the list and click the Remove button:

  • Java 7 Update 25
  • Adobe Flash Player 10
  • Adobe Reader 9

=========================

Update Java

  • Get the current version of Java (Version 7 Update 65) by going to http://java.com/en/d...d/installed.jsp
  • Select the Verify Java Version button and follow the onscreen instructions to update if necessary.

=========================

You already have the current version of Adobe Flash Player.

=========================

Adobe Reader:

Go to http://get.adobe.com.../otherversions/

  • Use the drop-down menus to select your operating system
  • Select your language > Select the current version of Adobe Reader for your language
  • Remove the check mark from the box "Free! McAfee Security Scan Plus"
  • Click the Download button, and follow the onscreen directions to complete the installation.

Please note, depending on your settings, you may have to temporarily disable your antivirus software for the Adobe Reader update.

=========================

Update Firefox - current version is 31.0

  • In the upper left corner of your monitor screen you will see an orange Firefox button
  • Click the dropdown menu, slide your mouse cursor over to the Help sub menu.
  • Wait for the Help menu to expand, then click on About Firefox
  • A small window will open similar to the one below.

[screenshot: the About Firefox window with its Update button]

  • Click on the Update button as shown in the image above.
  • Allow Mozilla Firefox to update, reboot if instructed to do so.

=========================

Disk Defragmenter for Vista

  • Open Disk Defragmenter by clicking the Start button, > All Programs, > Accessories, > System Tools and then clicking Disk Defragmenter.
  • If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
  • Click Defragment Now.

Disk Defragmenter might take from several minutes to a few hours to finish, depending on the size and degree of fragmentation of your hard disk. You can still use your computer during the defragmentation process.

Tutorial: http://windows.micro...-your-hard-disk

=========================

Reboot

=========================

In your next post please provide the following:

  • How is the computer running at the moment?

OCD

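An added example following the post above, not part of the helper's instructions: once the uninstall and update steps are done, this PowerShell lists what is still registered in Programs and Features for Java, Adobe Reader and Adobe Flash Player and flags the entries the helper named (Java older than 7 Update 65, Adobe Reader 9, Adobe Flash Player 10). It reads the same Uninstall registry keys that Programs and Features displays. Assumptions: an elevated prompt, PowerShell 2.0 syntax, and that Java 7 Update NN records its DisplayVersion as "7.0.NN0" (so 7u65 is 7.0.650), which is how the minimum version is expressed; the Wow6432Node key is only present on 64-bit Windows and is skipped when absent.

```powershell
# Added example for this thread (not the helper's instructions).
# Assumptions: elevated prompt, PowerShell 2.0 syntax, Java 7 Update NN registers
# DisplayVersion "7.0.NN0". Adjust $MinimumJava when a newer update is current.

$MinimumJava = [version]'7.0.650'   # Java 7 Update 65, named as current in the thread

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'  # 64-bit only
)

function Get-InstalledSoftware {
    param([string[]]$Roots = $UninstallKeys)
    $items = @()
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $p = Get-ItemProperty -LiteralPath $key.PSPath
            # Entries without a DisplayName are not shown in Programs and Features.
            if (-not $p.DisplayName) { continue }
            $items += New-Object PSObject -Property @{
                Name    = $p.DisplayName
                Version = $p.DisplayVersion
                Key     = $key.PSChildName
            }
        }
    }
    return $items
}

function Test-OutdatedEntry {
    param($Entry)
    # Java runtime entries ("Java 7 Update 25", "Java(TM) 6 Update 45"); the
    # "Java Auto Updater" entry carries its own version and is left alone.
    if ($Entry.Name -match '^Java(\(TM\))? \d+ Update') {
        if (-not $Entry.Version) { return 'review: no version recorded' }
        try { $v = [version]$Entry.Version } catch { return 'review: unparsable version' }
        if ($v -lt $MinimumJava) { return 'REMOVE: older than Java 7 Update 65' }
        return 'ok'
    }
    # The two Adobe products the helper listed by major version.
    if ($Entry.Name -match '^Adobe Reader 9\b')        { return 'REMOVE: Adobe Reader 9' }
    if ($Entry.Name -match '^Adobe Flash Player 10\b') { return 'REMOVE: Adobe Flash Player 10' }
    return 'ok'
}

Get-InstalledSoftware |
    Where-Object { $_.Name -match '^(Java|Adobe Reader|Adobe Flash Player)' } |
    ForEach-Object {
        $_ | Add-Member -MemberType NoteProperty -Name Status -Value (Test-OutdatedEntry $_) -PassThru
    } |
    Sort-Object Name | Format-Table Name, Version, Status -AutoSize
```

A REMOVE row after the uninstall steps means the entry is still registered, either because the uninstaller did not run or because it left its registry entry behind; run the uninstall again from Programs and Features rather than deleting the key by hand.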


#11 OCD

OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 28 July 2014 - 03:53 AM

Hi computerwannabe,

Just checking in to see if you still need help?
OCD



#12 OCD

OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 30 July 2014 - 08:08 PM

Due to inactivity this topic will be closed.
If you need help please start a new thread.

New members follow the instructions here http://forums.whatth...ed_t106388.html and start a new topic
OCD

