Fix my PC

[urtreasured]

Quick question, although I think I know the answer, does this infect any of the Apple products?

[flashh4]

No it shouldn't !!

 

There are 2 version of Farbar, only 1 will run on your system !!

[urtreasured]

didn't think so.

[urtreasured]

 Farbar Recovery Scan in process

[flashh4]

Good it will be pretty long !! So if you have to break it up, thats ok !

 

Chuck

[urtreasured]

so far that program has installed two other programs that want money to clear errors?

[flashh4]

No no money !! Remove/delete it !

[flashh4]

Ok lets try this another way !! You should have RougeKiller installed !!

 

Open RogueKiller :     
* Quit all programs that you may have started.
* Please disconnect any USB or external drives from the computer before you run this scan!
* For Vista or Windows 7, right-click and select "Run as Administrator to start"
* For Windows XP, double-click to start.
* Wait until Prescan has finished ...
* Then Click on "Scan" button
* Wait until the Status box shows "Scan Finished"
* click on "delete"
* Wait until the Status box shows "Deleting Finished"
* Click on "Report" and copy/paste the content of the Notepad into your next reply.
* The log should be found in RKreport[1].txt on your Desktop
* Exit/Close RogueKiller+

 

post that log next.

 

Chuck
 

[urtreasured]

While waiting for a reply, I tried it again and it loaded 2 more pay programs.  will follow your next instructions.

[flashh4]

Do you know what programs they wanted you to install ?? I'm sure we will see them in another log later !!

 

Chuck

[urtreasured]

rougue killer in process

[urtreasured]

^{will send list in separate post when rogue killer is complete, may be in the a.m.}

[flashh4]

Ok sounds good !!

 

we will continue tomorrow !

Thanks

[flashh4]

Hey treasured, AFTER the RougeKiller log has been posted, please run these for me.

 

The Combofix program may at times seem frozen but it's just running, so be careful with it is a very powerful program use it exactly as shown in my instructions ! This can take 30 minutes or more to run, so get a cup coffee and wait !

 

Vista and Windows 7 users:

1. These tools MUST be run from the executable. (.exe) every time you run them
2. With Admin Rights (Right click, choose "Run as Administrator")


Download ComboFix from this location:

Link 1
 http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Link 2
http://www.infospyware.net/antimalware/combofix


* IMPORTANT !!! Save ComboFix.exe to your Desktop



  * Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

    *  See this Link >>> http://www.bleepingcomputer.com/forums/topic114351.html <<<  for programs that need to be disabled and instruction on how to disable them.
   
    *  Remember to re-enable them when we're done.

    *  Double click on ComboFix.exe & follow the prompts.

    *  As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    *  Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.



**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

 Notes:   

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of  ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4.  CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.   

Give it atleast 20-30 minutes to finish if needed.

 Please do not attach the scan results from Combofix. Use copy/paste.  





NEXT
 



Please download Malwarebytes' Anti-Malware to your desktop.


    * Double-click  mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to  Update Malwarebytes' Anti-Malware and  Launch Malwarebytes' Anti-Malware, then click  Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select  Perform quick scan, then click Scan.




When the scan is complete, click  OK, then  Show Results to view the results.



    *  Then click  Remove Selected .
    * When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
    * Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.

The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    Or via the Logs tab when the application is started.



Please don't attach the scans / logs, use "copy/paste".

 

 

 

Post Next:

1, RougeKiller log first !!!

2. Combofix Log

3. New MalwareBytes log

 

 

Thanks

Chuck

[urtreasured]

RogueKiller V8.7.9 [Nov 25 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Owner [Admin rights]
Mode : Scan -- Date : 12/02/2013 07:53:58
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[18] : NtAllocateVirtualMemory @ 0x82C936AD -> HOOKED (Unknown @ 0x859A3378)
[Address] SSDT[64] : NtCreateKey @ 0x82C3A170 -> HOOKED (Unknown @ 0x85992D88)
[Address] SSDT[72] : NtCreateProcess @ 0x82CDCF95 -> HOOKED (Unknown @ 0x85992928)
[Address] SSDT[73] : NtCreateProcessEx @ 0x82CDCFE0 -> HOOKED (Unknown @ 0x859A3828)
[Address] SSDT[78] : NtCreateThread @ 0x82CDCDC8 -> HOOKED (Unknown @ 0x859A3648)
[Address] SSDT[123] : NtDeleteKey @ 0x82BFD749 -> HOOKED (Unknown @ 0x85992B80)
[Address] SSDT[126] : NtDeleteValueKey @ 0x82BF8CEA -> HOOKED (Unknown @ 0x859929A0)
[Address] SSDT[255] : NtQueueApcThread @ 0x82BFC889 -> HOOKED (Unknown @ 0x859A33F0)
[Address] SSDT[261] : NtReadVirtualMemory @ 0x82C1DA26 -> HOOKED (Unknown @ 0x859A3288)
[Address] SSDT[267] : NtRenameKey @ 0x82C9F88C -> HOOKED (Unknown @ 0x85992B08)
[Address] SSDT[289] : NtSetContextThread @ 0x82CDE25F -> HOOKED (Unknown @ 0x859A34E0)
[Address] SSDT[303] : NtSetInformationKey @ 0x82C9ED35 -> HOOKED (Unknown @ 0x85992A90)
[Address] SSDT[305] : NtSetInformationProcess @ 0x82C5F9EE -> HOOKED (Unknown @ 0x859A3738)
[Address] SSDT[306] : NtSetInformationThread @ 0x82C442DD -> HOOKED (Unknown @ 0x859A3558)
[Address] SSDT[324] : NtSetValueKey @ 0x82C293FF -> HOOKED (Unknown @ 0x85992A18)
[Address] SSDT[330] : NtSuspendProcess @ 0x82CDE6EF -> HOOKED (Unknown @ 0x859A36C0)
[Address] SSDT[331] : NtSuspendThread @ 0x82BE5945 -> HOOKED (Unknown @ 0x859A3468)
[Address] SSDT[334] : NtTerminateProcess @ 0x82C3C173 -> HOOKED (Unknown @ 0x859A37B0)
[Address] SSDT[335] : NtTerminateThread @ 0x82C67670 -> HOOKED (Unknown @ 0x859A35D0)
[Address] SSDT[358] : NtWriteVirtualMemory @ 0x82C58A2F -> HOOKED (Unknown @ 0x859A3300)
[Address] SSDT[383] : NtCreateUserProcess @ 0x82C14C47 -> HOOKED (Unknown @ 0x859A3210)
[inline] EAT @explorer.exe (FwDoNothingOnObject) : FirewallAPI.dll -> HOOKED (Unknown @ 0x36641B66)
[inline] EAT @explorer.exe (FwEnableMemTracing) : FirewallAPI.dll -> HOOKED (Unknown @ 0x36641B66)
[inline] EAT @explorer.exe (FwSetMemLeakPolicy) : FirewallAPI.dll -> HOOKED (Unknown @ 0x36641B66)
[Address] IAT @iexplore.exe (SHGetValueW) : SHLWAPI.dll -> HOOKED (C:\Program Files\Internet Explorer\IEShims.dll @ 0x6B5278EA)
[Address] IAT @iexplore.exe (SHSetValueW) : SHLWAPI.dll -> HOOKED (C:\Program Files\Internet Explorer\IEShims.dll @ 0x6B528732)
[Address] IAT @iexplore.exe (SHEnumValueW) : SHLWAPI.dll -> HOOKED (C:\Program Files\Internet Explorer\IEShims.dll @ 0x6B527831)
[Address] IAT @iexplore.exe (PathCombineW) : SHLWAPI.dll -> HOOKED (C:\Program Files\Internet Explorer\IEShims.dll @ 0x6B526533)
[Address] IAT @iexplore.exe (PathIsURLW) : SHLWAPI.dll -> HOOKED (C:\Program Files\Internet Explorer\IEShims.dll @ 0x6B526E45)
[Address] IAT @iexplore.exe (SHRegGetValueW) : SHLWAPI.dll -> HOOKED (C:\Program Files\Internet Explorer\IEShims.dll @ 0x6B528235)

¤¤¤ External Hives: ¤¤¤
-> D:\windows\system32\config\SYSTEM | DRVINFO [Drv - D:] | SYSTEMINFO [sys - x:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND]
-> D:\windows\system32\config\SOFTWARE | DRVINFO [Drv - D:] | SYSTEMINFO [sys - x:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND]
-> D:\windows\system32\config\SECURITY | DRVINFO [Drv - D:] | SYSTEMINFO [sys - x:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND]
-> D:\windows\system32\config\SAM | DRVINFO [Drv - D:] | SYSTEMINFO [sys - x:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND]
-> D:\windows\system32\config\DEFAULT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - x:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND]
-> D:\Users\Default\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - x:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND]

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

::1             localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) ST9160821A ATA Device +++++
--- User ---
[MBR] 31adc4f1c2c6f2b689e347e8abea5d72
[bSP] 2129a2df68e4292f422b12295973d001 : Legit.B MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 10150 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 20788110 | Size: 142474 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_12022013_075358.txt >>
RKreport[0]_D_12012013_225547.txt;RKreport[0]_S_12022013_074930.txt

[urtreasured]

Just sent you the RK report.   ? will wait to hear from you.  the following programs were installed when I ran that7zip program yesterday: 

 

driver genius
genieo
speedupmypc
slow-pcfixer
winferno- registry power cleaner

Yahoo explorer bar, set it to default

[flashh4]

Treasur did you remove these that were installed ?? If not go to add/remove uninstall any found there !! If you can find them we will remove in a few minutes !!

The install of these was from a different site than where i sent you to get Farbar but it's ok !

 

 

Continue with my last post above please !!

 

Chuck

[urtreasured]

yes I removed them, this morning.  When I ran RK this morning I did not see the same results as yesterday.  I do not have trained eye to even begin to think I know something, but it struck me as odd.

[urtreasured]

starting combofix

[flashh4]

Hi Treasure, no it's not odd when you have been at this as long as i have 11 yrs. And we have to keep up on all the new infections & which tools to use and it goes on and on for us ! The difference is RogueKiller killed it & removed it or most anyway ! We will see soon if it got it all !!

 

Chuck

[urtreasured]

combofix log 1

 

omboFix 13-11-23.02 - Owner 12/02/2013   8:36.1.2 - x86
Microsoft® Windows Vistaâ„¢ Home Premium   6.0.6002.2.1252.1.1033.18.1917.922 [GMT -7:00]
Running from: c:\users\Owner\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: avast! Antivirus *Disabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\0.bak
c:\programdata\windows
C:\UNWISE.EXE
c:\windows\system32\FlashPlayerApp.exe
c:\windows\system32\html
c:\windows\system32\images
D:\Autorun.inf
.
.
(((((((((((((((((((((((((   Files Created from 2013-11-02 to 2013-12-02  )))))))))))))))))))))))))))))))
.
.
2013-12-02 15:51 . 2013-12-02 15:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-12-02 15:20 . 2013-12-02 15:27 -------- d-----w- c:\users\Owner\AppData\Local\CrashDumps
2013-12-02 14:43 . 2013-12-02 14:43 40392 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{724184E6-13DE-4B90-8A87-6EF6F8C4619A}\MpKslea0a2860.sys
2013-12-02 09:03 . 2013-11-08 01:15 7772552 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{724184E6-13DE-4B90-8A87-6EF6F8C4619A}\mpengine.dll
2013-12-02 04:36 . 2013-12-02 04:36 -------- d-----w- c:\program files\Surf Canyon
2013-12-02 04:36 . 2013-12-02 04:36 -------- d-----w- c:\users\Owner\AppData\Local\Surf_Canyon
2013-12-02 04:01 . 2013-12-02 04:01 -------- d-----w- c:\programdata\Winferno
2013-12-02 03:56 . 2013-12-02 14:12 -------- d-----w- c:\programdata\Fighters
2013-12-02 03:55 . 2013-12-02 03:55 -------- d-----w- c:\users\Owner\AppData\Roaming\FileAssociationManager
2013-12-02 03:55 . 2013-12-02 03:56 -------- d-----w- c:\program files\FileAssociationManager
2013-12-02 03:54 . 2013-12-02 14:14 -------- d-----w- c:\programdata\Yahoo!
2013-12-02 03:54 . 2013-12-02 03:54 -------- d-----w- c:\windows\system32\css
2013-12-02 03:54 . 2013-12-02 03:54 -------- d-----w- c:\windows\system32\modules
2013-12-02 03:54 . 2013-12-02 03:54 -------- d-----w- c:\windows\system32\js
2013-12-02 03:54 . 2013-12-02 03:54 -------- d-----w- c:\programdata\WeCareReminder
2013-12-01 17:00 . 2013-12-01 17:56 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2013-12-01 16:16 . 2013-12-01 16:16 -------- d-----w- c:\users\Owner\AppData\Roaming\Malwarebytes
2013-12-01 16:16 . 2013-12-01 16:16 -------- d-----w- c:\programdata\Malwarebytes
2013-12-01 16:16 . 2013-12-01 16:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-12-01 16:16 . 2013-04-04 21:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-12-01 15:52 . 2013-12-01 15:52 -------- d-----w- c:\windows\ERUNT
2013-12-01 15:29 . 2013-12-01 15:33 -------- d-----w- C:\AdwCleaner
2013-12-01 08:36 . 2013-11-08 01:15 7772552 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-11-12 23:36 . 2013-10-18 07:48 719224 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EC099350-56EE-477A-A272-B7FE2D190FBE}\gapaengine.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-11-19 10:21 . 2009-10-03 08:03 230048 ------w- c:\windows\system32\MpSigStub.exe
2013-10-18 07:48 . 2011-10-11 08:40 719224 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2013-09-27 16:53 . 2013-09-27 16:53 214696 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2013-09-27 16:53 . 2011-04-27 21:25 104768 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-16 454784]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-17 815104]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-17 634880]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-01-13 3396624]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-10-23 948440]
"MRT"="c:\windows\system32\MRT.exe" [2013-11-13 80340640]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=c:\windows\pss\AutoCAD Startup Accelerator.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-12-11 03:52 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2714304592-1191437367-953324204-1000]
"EnableNotificationsRef"=dword:00000003
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2714304592-1191437367-953324204-500]
"EnableNotificationsRef"=dword:00000002
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLEA0A2860
*Deregistered* - TrueSight
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ    Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ    FontCache
hpdevmgmt REG_MULTI_SZ    hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2013-12-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2714304592-1191437367-953324204-1000Core.job
- c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-28 12:09]
.
2013-12-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2714304592-1191437367-953324204-1000UA.job
- c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-28 12:09]

[urtreasured]

combofix log 2

 

------- Supplementary Scan -------
.


IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-BigFix - c:\program files\Bigfix\bigfix.exe
MSConfigStartUp-DivX Free Codec - c:\program files\DivX Free Codec\Divx Free Update.exe
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
HKLM_ActiveSetup-ccc-core-static - msiexec
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-12-02 08:53
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2013-12-02  08:58:33
ComboFix-quarantined-files.txt  2013-12-02 15:58
.
Pre-Run: 58,518,855,680 bytes free
Post-Run: 58,595,053,568 bytes free
.
- - End Of File - - 953C9B56757160F293AC765214287DD7
D0A37B66A9B60F135B25640CB1AA1477

[urtreasured]

although the log says MS security E. was active, I did deactivate them b4 running combofix.

[urtreasured]

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.12.01.07

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.18928
Owner :: GMB [administrator]

Protection: Disabled

12/2/2013 9:03:32 AM
MBAM-log-2013-12-02 (09-12-27).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 214434
Time elapsed: 8 minute(s), 38 second(s)

Memory Processes Detected: 1
C:\ProgramData\WeCareReminder\ReminderHelper.exe (PUP.Optional.WeCare.A) -> 5800 -> No action taken.

Memory Modules Detected: 1
C:\ProgramData\WeCareReminder\IEHelperv2.5.0.dll (PUP.Optional.WeCare.A) -> No action taken.

Registry Keys Detected: 14
HKCR\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} (PUP.Optional.WeCare.A) -> No action taken.
HKCR\TypeLib\{B12920CF-BE13-4C09-890D-1B6EFFFE2FBE} (PUP.Optional.WeCare.A) -> No action taken.
HKCR\Interface\{F773BB94-6C19-4643-A570-0E429103D1C3} (PUP.Optional.WeCare.A) -> No action taken.
HKCR\IEHelperv250.WeCareReminder.1 (PUP.Optional.WeCare.A) -> No action taken.
HKCR\IEHelperv250.WeCareReminder (PUP.Optional.WeCare.A) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} (PUP.Optional.WeCare.A) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} (PUP.Optional.WeCare.A) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} (PUP.Optional.WeCare.A) -> No action taken.
HKCR\CLSID\{F773BB94-6C19-4643-A570-0E429103D1C3} (PUP.Optional.WeCare.A) -> No action taken.
HKCR\CLSID\{6ED0A312-78F5-493C-A90C-5DAF321D0BF8} (PUP.Optional.WeCare.A) -> No action taken.
HKCR\TypeLib\{B3201ABA-7CDE-4C8D-A28D-4316427BD6D1} (PUP.Optional.WeCare.A) -> No action taken.
HKCR\Interface\{B60591CD-AA25-4261-B05A-77826471C0A3} (PUP.Optional.WeCare.A) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6ED0A312-78F5-493C-A90C-5DAF321D0BF8} (PUP.Optional.WeCare.A) -> No action taken.
HKCR\CLSID\{B60591CD-AA25-4261-B05A-77826471C0A3} (PUP.Optional.WeCare.A) -> No action taken.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 7
C:\ProgramData\WeCareReminder (PUP.Optional.WeCare.A) -> No action taken.
C:\ProgramData\WeCareReminder\wecarereminder@bryan (PUP.Optional.WeCare.A) -> No action taken.
C:\ProgramData\WeCareReminder\wecarereminder@bryan\chrome (PUP.Optional.WeCare.A) -> No action taken.
C:\ProgramData\WeCareReminder\wecarereminder@bryan\chrome\logo (PUP.Optional.WeCare.A) -> No action taken.
C:\ProgramData\WeCareReminder\wecarereminder@bryan\components (PUP.Optional.WeCare.A) -> No action taken.
C:\ProgramData\WeCareReminder\wecarereminder@bryan\defaults (PUP.Optional.WeCare.A) -> No action taken.
C:\ProgramData\WeCareReminder\wecarereminder@bryan\defaults\preferences (PUP.Optional.WeCare.A) -> No action taken.

Files Detected: 20
C:\ProgramData\WeCareReminder\ReminderHelper.exe (PUP.Optional.WeCare.A) -> No action taken.
C:\ProgramData\WeCareReminder\IEHelperv2.5.0.dll (PUP.Optional.WeCare.A) -> No action taken.
C:\ProgramData\WeCareReminder\WCAutoUpdate.exe (PUP.Optional.WeCare.A) -> No action taken.
C:\ProgramData\WeCareReminder\MerchantHash.json (PUP.Optional.WeCare.A) -> No action taken.
C:\ProgramData\WeCareReminder\cleanwateraction.bmp (PUP.Optional.WeCare.A) -> No action taken.
C:\ProgramData\WeCareReminder\IEHelperv2.5.0PS.dll (PUP.Optional.WeCare.A) -> No action taken.
C:\ProgramData\WeCareReminder\IEMenuItem.dll (PUP.Optional.WeCare.A) -> No action taken.
C:\ProgramData\WeCareReminder\IEMenuItemPS.dll (PUP.Optional.WeCare.A) -> No action taken.
C:\ProgramData\WeCareReminder\IEToolMenuDisable.exe (PUP.Optional.WeCare.A) -> No action taken.
C:\ProgramData\WeCareReminder\wecarereminderro.crx (PUP.Optional.WeCare.A) -> No action taken.
C:\ProgramData\WeCareReminder\wecarereminder@bryan\chrome.manifest (PUP.Optional.WeCare.A) -> No action taken.
C:\ProgramData\WeCareReminder\wecarereminder@bryan\install.rdf (PUP.Optional.WeCare.A) -> No action taken.
C:\ProgramData\WeCareReminder\wecarereminder@bryan\chrome\wecarereminder.jar (PUP.Optional.WeCare.A) -> No action taken.
C:\ProgramData\WeCareReminder\wecarereminder@bryan\chrome\logo\default_serp.gif (PUP.Optional.WeCare.A) -> No action taken.
C:\ProgramData\WeCareReminder\wecarereminder@bryan\chrome\logo\wecare_logo.bmp (PUP.Optional.WeCare.A) -> No action taken.
C:\ProgramData\WeCareReminder\wecarereminder@bryan\components\httpModifyListener.js (PUP.Optional.WeCare.A) -> No action taken.
C:\ProgramData\WeCareReminder\wecarereminder@bryan\components\WCR_MerchantHash.idl (PUP.Optional.WeCare.A) -> No action taken.
C:\ProgramData\WeCareReminder\wecarereminder@bryan\components\WCR_MerchantHash.js (PUP.Optional.WeCare.A) -> No action taken.
C:\ProgramData\WeCareReminder\wecarereminder@bryan\components\WCR_MerchantHash.xpt (PUP.Optional.WeCare.A) -> No action taken.
C:\ProgramData\WeCareReminder\wecarereminder@bryan\defaults\preferences\wecarereminder.js (PUP.Optional.WeCare.A) -> No action taken.

(end)

[urtreasured]

OK, I deleted all selected and here is the new log:

 

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.12.01.07

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.18928
Owner :: GMB [administrator]

Protection: Disabled

12/2/2013 9:03:32 AM
mbam-log-2013-12-02 (09-03-32).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 214434
Time elapsed: 8 minute(s), 38 second(s)

Memory Processes Detected: 1
C:\ProgramData\WeCareReminder\ReminderHelper.exe (PUP.Optional.WeCare.A) -> 5800 -> Delete on reboot.

Memory Modules Detected: 1
C:\ProgramData\WeCareReminder\IEHelperv2.5.0.dll (PUP.Optional.WeCare.A) -> Delete on reboot.

Registry Keys Detected: 14
HKCR\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} (PUP.Optional.WeCare.A) -> Quarantined and deleted successfully.
HKCR\TypeLib\{B12920CF-BE13-4C09-890D-1B6EFFFE2FBE} (PUP.Optional.WeCare.A) -> Quarantined and deleted successfully.
HKCR\Interface\{F773BB94-6C19-4643-A570-0E429103D1C3} (PUP.Optional.WeCare.A) -> Quarantined and deleted successfully.
HKCR\IEHelperv250.WeCareReminder.1 (PUP.Optional.WeCare.A) -> Quarantined and deleted successfully.
HKCR\IEHelperv250.WeCareReminder (PUP.Optional.WeCare.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} (PUP.Optional.WeCare.A) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} (PUP.Optional.WeCare.A) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} (PUP.Optional.WeCare.A) -> Quarantined and deleted successfully.
HKCR\CLSID\{F773BB94-6C19-4643-A570-0E429103D1C3} (PUP.Optional.WeCare.A) -> Quarantined and deleted successfully.
HKCR\CLSID\{6ED0A312-78F5-493C-A90C-5DAF321D0BF8} (PUP.Optional.WeCare.A) -> Quarantined and deleted successfully.
HKCR\TypeLib\{B3201ABA-7CDE-4C8D-A28D-4316427BD6D1} (PUP.Optional.WeCare.A) -> Quarantined and deleted successfully.
HKCR\Interface\{B60591CD-AA25-4261-B05A-77826471C0A3} (PUP.Optional.WeCare.A) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6ED0A312-78F5-493C-A90C-5DAF321D0BF8} (PUP.Optional.WeCare.A) -> Quarantined and deleted successfully.
HKCR\CLSID\{B60591CD-AA25-4261-B05A-77826471C0A3} (PUP.Optional.WeCare.A) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 7
C:\ProgramData\WeCareReminder (PUP.Optional.WeCare.A) -> Delete on reboot.
C:\ProgramData\WeCareReminder\wecarereminder@bryan (PUP.Optional.WeCare.A) -> Quarantined and deleted successfully.
C:\ProgramData\WeCareReminder\wecarereminder@bryan\chrome (PUP.Optional.WeCare.A) -> Quarantined and deleted successfully.
C:\ProgramData\WeCareReminder\wecarereminder@bryan\chrome\logo (PUP.Optional.WeCare.A) -> Quarantined and deleted successfully.
C:\ProgramData\WeCareReminder\wecarereminder@bryan\components (PUP.Optional.WeCare.A) -> Quarantined and deleted successfully.
C:\ProgramData\WeCareReminder\wecarereminder@bryan\defaults (PUP.Optional.WeCare.A) -> Quarantined and deleted successfully.
C:\ProgramData\WeCareReminder\wecarereminder@bryan\defaults\preferences (PUP.Optional.WeCare.A) -> Quarantined and deleted successfully.

Files Detected: 20
C:\ProgramData\WeCareReminder\ReminderHelper.exe (PUP.Optional.WeCare.A) -> Delete on reboot.
C:\ProgramData\WeCareReminder\IEHelperv2.5.0.dll (PUP.Optional.WeCare.A) -> Delete on reboot.
C:\ProgramData\WeCareReminder\WCAutoUpdate.exe (PUP.Optional.WeCare.A) -> Quarantined and deleted successfully.
C:\ProgramData\WeCareReminder\MerchantHash.json (PUP.Optional.WeCare.A) -> Quarantined and deleted successfully.
C:\ProgramData\WeCareReminder\cleanwateraction.bmp (PUP.Optional.WeCare.A) -> Quarantined and deleted successfully.
C:\ProgramData\WeCareReminder\IEHelperv2.5.0PS.dll (PUP.Optional.WeCare.A) -> Quarantined and deleted successfully.
C:\ProgramData\WeCareReminder\IEMenuItem.dll (PUP.Optional.WeCare.A) -> Quarantined and deleted successfully.
C:\ProgramData\WeCareReminder\IEMenuItemPS.dll (PUP.Optional.WeCare.A) -> Quarantined and deleted successfully.
C:\ProgramData\WeCareReminder\IEToolMenuDisable.exe (PUP.Optional.WeCare.A) -> Quarantined and deleted successfully.
C:\ProgramData\WeCareReminder\wecarereminderro.crx (PUP.Optional.WeCare.A) -> Quarantined and deleted successfully.
C:\ProgramData\WeCareReminder\wecarereminder@bryan\chrome.manifest (PUP.Optional.WeCare.A) -> Quarantined and deleted successfully.
C:\ProgramData\WeCareReminder\wecarereminder@bryan\install.rdf (PUP.Optional.WeCare.A) -> Quarantined and deleted successfully.
C:\ProgramData\WeCareReminder\wecarereminder@bryan\chrome\wecarereminder.jar (PUP.Optional.WeCare.A) -> Quarantined and deleted successfully.
C:\ProgramData\WeCareReminder\wecarereminder@bryan\chrome\logo\default_serp.gif (PUP.Optional.WeCare.A) -> Quarantined and deleted successfully.
C:\ProgramData\WeCareReminder\wecarereminder@bryan\chrome\logo\wecare_logo.bmp (PUP.Optional.WeCare.A) -> Quarantined and deleted successfully.
C:\ProgramData\WeCareReminder\wecarereminder@bryan\components\httpModifyListener.js (PUP.Optional.WeCare.A) -> Quarantined and deleted successfully.
C:\ProgramData\WeCareReminder\wecarereminder@bryan\components\WCR_MerchantHash.idl (PUP.Optional.WeCare.A) -> Quarantined and deleted successfully.
C:\ProgramData\WeCareReminder\wecarereminder@bryan\components\WCR_MerchantHash.js (PUP.Optional.WeCare.A) -> Quarantined and deleted successfully.
C:\ProgramData\WeCareReminder\wecarereminder@bryan\components\WCR_MerchantHash.xpt (PUP.Optional.WeCare.A) -> Quarantined and deleted successfully.
C:\ProgramData\WeCareReminder\wecarereminder@bryan\defaults\preferences\wecarereminder.js (PUP.Optional.WeCare.A) -> Quarantined and deleted successfully.

(end)