CPU usage 100% with multiple instances of cmd.exe, dllhost.exe, msiexec.exe, utorrentie.exe.
Quoted post by CheckMarc (post 458658):

ComboFix 15-12-12.01 - Administrator 12/13/2015 16:46:54.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3295.1701 [GMT -5:00]
Running from: c:\documents and settings\Marc\Desktop\ComboFix.exe
AV: Avira Antivirus *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\alluse~1\applic~1\aspnet_wp_86.exe
c:\documents and settings\All Users\Application Data\128B5E5E.EX
c:\documents and settings\All Users\Application Data\6835D632.EX
c:\documents and settings\All Users\Application Data\7B571D05.EX
c:\documents and settings\All Users\Application Data\aspnet_wp_86.exe
c:\documents and settings\Marc\Application Data\Microsoft\Protect\3bbe8467d5d0ab5ae8ee.rs
.
.
((((((((((((((((((((((((( Files Created from 2015-11-13 to 2015-12-13 )))))))))))))))))))))))))))))))
.
.
2015-12-13 12:23 . 2015-12-13 12:23 -------- d-----w- c:\documents and settings\Marc\Local Settings\Application Data\SlimWare Utilities Inc
2015-12-10 23:22 . 2015-12-10 23:28 -------- d-----w- C:\FRST
2015-12-10 23:14 . 2015-12-10 23:14 -------- d-----w- C:\found.000
2015-12-10 23:07 . 2015-12-10 23:10 -------- d-----w- C:\AdwCleaner
2015-12-09 15:13 . 2015-12-09 23:45 -------- d---a-w- C:\TMRescueDisk
2015-12-09 10:17 . 2015-12-09 10:17 -------- d-----w- c:\documents and settings\Marc\Local Settings\Application Data\F-Secure
2015-12-09 10:17 . 2015-12-09 10:17 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2015-12-09 10:13 . 2015-12-09 10:21 -------- d-----w- c:\documents and settings\Marc\Application Data\QuickScan
2015-12-09 07:31 . 2015-12-09 07:31 -------- d-----w- c:\documents and settings\All Users\Application Data\{FD6F83C0-EC70-4581-8361-C70CD1AA4B98}
2015-12-09 07:31 . 2015-12-09 07:31 -------- d-----w- c:\program files\Common Files\IObit
2015-12-09 04:17 . 2015-12-09 04:17 377344 ----a-w- c:\windows\RegBootClean.exe
2015-12-08 18:28 . 2015-12-08 18:30 -------- d-----w- c:\documents and settings\Administrator.BEDROOM
2015-12-08 07:42 . 2015-12-08 07:42 -------- d-----w- c:\program files\Common Files\AV
2015-12-07 20:45 . 2015-12-07 20:45 -------- d-sh--w- c:\windows\system32\%APPDATA%
2015-12-06 20:45 . 2015-12-06 20:45 601408 ----a-w- c:\windows\system32\drivers\timntr.sys
2015-12-06 20:45 . 2015-12-06 20:45 125472 ----a-w- c:\windows\system32\drivers\vididr.sys
2015-12-06 20:45 . 2015-12-06 20:45 83392 ----a-w- c:\windows\system32\drivers\vsflt53.sys
2015-12-06 20:45 . 2015-12-06 20:45 169088 ----a-w- c:\windows\system32\drivers\snapman.sys
2015-12-06 20:45 . 2015-12-06 20:45 -------- d-----w- d:\program files\Acronis
2015-12-06 20:45 . 2015-12-06 20:45 -------- d-----w- c:\program files\Common Files\Acronis
2015-12-06 20:06 . 2015-12-06 20:06 -------- d-----w- d:\program files\ADATA
2015-12-05 07:34 . 2015-12-05 07:34 -------- d-----w- d:\program files\CPUID
2015-12-02 11:29 . 2015-12-02 11:29 -------- d-----w- c:\windows\system32\winrm
2015-12-02 11:29 . 2015-12-02 11:29 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2015-12-02 11:29 . 2015-12-02 11:29 -------- d-----w- c:\documents and settings\Marc\Local Settings\Application Data\yfupa
2015-11-30 04:52 . 2015-11-30 04:52 -------- d-----w- c:\windows\Performance
2015-11-30 04:51 . 2015-11-30 04:51 -------- d-----w- c:\documents and settings\Marc\Local Settings\Application Data\Microsoft Corporation
2015-11-30 04:51 . 2015-11-30 04:51 -------- d-----w- d:\program files\Microsoft Windows 7 Upgrade Advisor
2015-11-26 15:12 . 2015-11-26 15:12 -------- d--h--w- c:\windows\system32\GroupPolicy
2015-11-25 17:02 . 2015-11-25 17:02 -------- d-----w- c:\documents and settings\Marc\Application Data\NVIDIA
2015-11-24 06:44 . 2015-12-05 06:29 -------- d-----w- c:\documents and settings\LocalService\Application Data\tor
2015-11-23 19:50 . 2015-12-13 21:53 -------- d-----w- c:\documents and settings\Marc\Application Data\BrowserMe
2015-11-23 14:34 . 2015-11-23 14:34 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
2015-11-23 14:34 . 2015-12-09 08:08 -------- d-----w- c:\documents and settings\UpdatusUser
2015-11-23 14:33 . 2015-11-23 14:33 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2015-11-23 14:31 . 2012-08-31 03:10 65536 ----a-w- c:\windows\system32\OpenCL.dll
2015-11-23 14:30 . 2015-11-23 14:33 -------- d-----w- d:\program files\NVIDIA Corporation
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-12-02 11:53 . 2012-10-18 15:35 780488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2015-12-02 11:53 . 2012-03-14 17:33 142536 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2015-10-15 09:05 . 2014-09-26 21:55 98520 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-09-25 14:41 . 2013-08-06 05:05 108448 ----a-w- c:\windows\system32\drivers\avgntflt.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt1"]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\documents and settings\Marc\Application Data\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt2"]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\documents and settings\Marc\Application Data\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt3"]
@="{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\documents and settings\Marc\Application Data\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt4"]
@="{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\documents and settings\Marc\Application Data\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt5"]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\documents and settings\Marc\Application Data\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt6"]
@="{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\documents and settings\Marc\Application Data\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt7"]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\documents and settings\Marc\Application Data\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt8"]
@="{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\documents and settings\Marc\Application Data\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinResSync"="c:\documents and settings\Marc\Application Data\Microsoft\Protect\3bbe8467d5d0ab5ae8ee.rs" [X]
"BrowserMe"="c:\documents and settings\Marc\Application Data\BrowserMe\ChromeUpdate.exe" [2015-11-23 26025472]
"mount.exe"="d:\program files\gipo@utilities\fileutilities.3\mount.exe" [2008-04-11 374272]
"KiesPreload"="d:\program files\samsung\kies\kies.exe" [2012-12-20 1476104]
"KiesAirMessage"="d:\program files\samsung\kies\kiesairmessage.exe" [2012-12-18 578560]
"GetWindowText"="d:\program files\getwindowtext\getwindowtext.exe" [2013-08-17 45056]
"uTorrent"="c:\documents and settings\Marc\Application Data\uTorrent\uTorrent.exe" [2015-12-04 2026520]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="d:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-04 61440]
"FUFAXRCV"="d:\program files\Epson Software\FAX Utility\FUFAXRCV.exe" [2012-02-29 502912]
"FUFAXSTM"="d:\program files\Epson Software\FAX Utility\FUFAXSTM.exe" [2012-02-29 863360]
"RTHDCPL"="RTHDCPL.EXE" [2012-06-06 20065936]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-08-30 15512424]
"NvMediaCenter"="NvMCTray.dll" [2012-08-30 108392]
"DivXUpdate"="d:\program files\divx\divx update\divxupdate.exe" [2011-07-28 1259376]
"tvncontrol"="d:\program files\tightvnc\tvnserver.exe" [2012-04-27 1168400]
"EEventManager"="d:\program files\epson software\event manager\eeventmanager.exe" [2012-01-26 1058400]
"nwiz"="d:\program files\nvidia corporation\nview\nwiz.exe" [2012-08-31 1634112]
"TrueImageMonitor.exe"="d:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2011-06-06 2637520]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2011-06-06 395192]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"WinResSync"="c:\documents and settings\Marc\Application Data\Microsoft\Protect\3bbe8467d5d0ab5ae8ee.rs" [X]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WinResSync"="c:\documents and settings\Marc\Application Data\Microsoft\Protect\3bbe8467d5d0ab5ae8ee.rs" [X]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil32_18_0_0_209_pepper.exe" [2015-07-18 1155760]
.
c:\documents and settings\Marc\Start Menu\Programs\Startup\
4t Tray Minimizer.lnk - d:\program files\4t Tray Minimizer\4t-min.exe -tray [2011-12-19 1848832]
Dialog Helper.lnk - d:\program files\VCOM\PowerDesk\pddlghlp.exe /s [2005-10-4 40960]
MagicDisc.lnk - d:\program files\MagicDisc\MagicDisc.exe [2014-3-7 576000]
SpeedFan (2).lnk - d:\program files\SpeedFan\speedfan.exe [2015-2-20 4841120]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Printkey2000.lnk - d:\program files\PrintKey2000\Printkey2000.exe [2011-12-19 869376]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SoftwareSASGeneration"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aspnet_wp_86
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrowserMe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{59c4462d-a177-4d44-a95b-deda1be79844}
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{5dfbeba9-9f22-463d-8c95-c861911810a2}
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eMuleAutoStart]
2010-04-07 18:00 5758976 ----a-w- d:\program files\eMule\emule.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\program files\\TightVNC\\vncviewer.exe"=
"c:\\Documents and Settings\\Marc\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"d:\\Program Files\\TightVNC\\tvnserver.exe"=
"c:\\WINDOWS\\system32\\muzapp.exe"=
"c:\\Documents and Settings\\Marc\\Application Data\\uTorrent\\uTorrent.exe"=
"d:\\program files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
.
R0 vididr;Acronis Virtual Disk;c:\windows\system32\drivers\vididr.sys [12/6/2015 3:45 PM 125472]
R0 vidsflt53;Acronis Disk Storage Filter (53);c:\windows\system32\drivers\vsflt53.sys [12/6/2015 3:45 PM 83392]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [12/18/2011 4:00 PM 13696]
R1 BS_I2cIo;BS_I2cIo;c:\windows\system32\drivers\BS_I2cIo.sys [12/18/2011 6:10 PM 6272]
R1 HWiNFO32;HWiNFO32/64 Kernel Driver;c:\windows\system32\drivers\HWiNFO32.SYS [1/31/2015 2:15 AM 23840]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [10/9/2007 1:13 PM 38144]
R2 EpsonCustomerParticipation;EpsonCustomerParticipation;d:\program files\EPSON\EpsonCustomerParticipation\EPCP.exe [5/10/2012 2:00 PM 539744]
R2 EpsonScanSvc;Epson Scanner Service;c:\windows\system32\escsvc.exe [1/3/2013 12:54 PM 122000]
R2 tvnserver;TightVNC Server;d:\program files\TightVNC\tvnserver.exe [4/26/2012 8:44 PM 1168400]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/26/2014 4:52 PM 23256]
S2 LiveUpdateSvc;LiveUpdate;d:\program files\IObit\LiveUpdate\LiveUpdate.exe [11/14/2013 12:29 AM 2934048]
S2 MBAMScheduler;MBAMScheduler;d:\program files\Malwarebytes Anti-Malware\mbamscheduler.exe [9/26/2014 4:52 PM 1871160]
S2 MBAMService;MBAMService;d:\program files\Malwarebytes Anti-Malware\mbamservice.exe [9/26/2014 4:52 PM 1133880]
S3 ADATA ToolBox Service;ADATA ToolBox Service;d:\program files\ADATA\SSD ToolBox\ToolBoxSvc.exe [12/6/2015 3:06 PM 2257920]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [10/12/2013 1:39 PM 1691480]
S3 cmudaxp;ASUS Xonar DG Audio Interface;c:\windows\system32\drivers\cmudaxp.sys --> c:\windows\system32\drivers\cmudaxp.sys [?]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [10/5/2012 3:17 PM 83168]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [9/26/2014 4:55 PM 98520]
S3 RTL8187B;NETGEAR WG111v3 Wireless-G USB Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [7/31/2009 3:12 PM 341504]
S3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [10/5/2012 3:17 PM 181344]
.
Contents of the 'Scheduled Tasks' folder
.
2015-12-13 c:\windows\Tasks\Adobe Flash Player PPAPI Notifier.job
- c:\windows\system32\Macromed\Flash\FlashUtil32_18_0_0_209_pepper.exe [2015-07-18 12:56]
.
2015-12-13 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-10-18 11:53]
.
2015-12-13 c:\windows\Tasks\Opera scheduled Autoupdate 1436058277.job
- d:\program files\Opera\launcher.exe [2015-07-05 15:27]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.com/
IE: LastPass - file://d:\program files\LastPass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://d:\program files\LastPass\context.html?cmd=fillforms
TCP: Interfaces\{7C60BEAB-C9CE-481B-A94A-9B920A1048A7}: NameServer = 68.94.156.1,68.94.157.1
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-aspnet_wp_86 - c:\docume~1\alluse~1\applic~1\aspnet_wp_86.exe
c:\documents and settings\Marc\Start Menu\Programs\Startup\PartMetBackup.lnk - d:\program files\Java\jre7\bin\javaw.exe -cp "d:\program files\MetFileRegenerator\mfr3.jar" com.bws42.mfr.PartMetBackup --loop --cwd "d:\program files\eMule"
AddRemove-Google Chrome - c:\documents and settings\Marc\Local Settings\Application Data\Google\Chrome\Application\47.0.2526.80\Installer\setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2015-12-13 16:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
 BrowserMe = c:\documents and settings\Marc\Application Data\BrowserMe\ChromeUpdate.exe???????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
 d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,16,33,c3,cc,84,27,d0,4d,ad,ee,27,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
 d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,16,33,c3,cc,84,27,d0,4d,ad,ee,27,\
.
[HKEY_USERS\S-1-5-21-842925246-746137067-839522115-1003_Classes\CLSID\{24E11561-BB4D-465A-9ABB-B813F94C578A}\InprocServer32]
@Denied: (C D 2 3 6) (Everyone)
@Allowed: (Read) (S-1-5-21-842925246-746137067-839522115-1003)
"ThreadingModel"="Apartment"
@="c:\\Documents and Settings\\All Users\\Application Data\\{EBDDF8E9-4948-4EF2-9EBA-18B34523534F}\\browser.dll"
.
[HKEY_USERS\S-1-5-21-842925246-746137067-839522115-1003_Classes\Drive\ShellEx\FolderExtensions\{24E11561-BB4D-465A-9ABB-B813F94C578A}]
@Denied: (C D 2 3 6) (Everyone)
@Allowed: (Read) (S-1-5-21-842925246-746137067-839522115-1003)
"DriveMask"=dword:ffffffff
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{24E11561-BB4D-465A-9ABB-B813F94C578A}\InprocServer32]
@Denied: (C D 2 3 6) (Everyone)
"ThreadingModel"="Apartment"
@="c:\\Documents and Settings\\All Users\\Application Data\\{EBDDF8E9-4948-4EF2-9EBA-18B34523534F}\\browser.dll"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_19_0_0_245_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_19_0_0_245_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Drive\shellex\FolderExtensions\{24E11561-BB4D-465A-9ABB-B813F94C578A}]
@Denied: (C D 2 3 6) (Everyone)
"DriveMask"=dword:ffffffff
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1060)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(5788)
c:\windows\system32\WININET.dll
d:\program files\4t Tray Minimizer\ShellEh552.dll
d:\program files\VCOM\PowerDesk\pddlghlp.dll
d:\program files\NVIDIA Corporation\nview\nview.dll
d:\program files\TightVNC\screenhooks32.dll
c:\documents and settings\Marc\Application Data\Dropbox\bin\DropboxExt.24.dll
c:\documents and settings\All Users\Application Data\{EBDDF8E9-4948-4EF2-9EBA-18B34523534F}\browser.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\windows\system32\nvsvc32.exe
d:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
d:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RunDLL32.exe
c:\windows\system32\rundll32.exe
d:\program files\4t Tray Minimizer\4t-min.exe
d:\program files\VCOM\PowerDesk\pddlghlp.exe
d:\program files\IObit\IObit Uninstaller\UninstallMonitor.exe
d:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\documents and settings\Marc\Application Data\uTorrent\updates\3.4.5_41372\utorrentie.exe
c:\documents and settings\Marc\Application Data\uTorrent\updates\3.4.5_41372\utorrentie.exe
d:\program files\Internet Explorer\iexplore.exe
d:\program files\Internet Explorer\iexplore.exe
d:\program files\Internet Explorer\iexplore.exe
d:\program files\Internet Explorer\iexplore.exe
c:\windows\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2015-12-13 16:58:17 - machine was rebooted
ComboFix-quarantined-files.txt 2015-12-13 21:58
.
Pre-Run: 2,721,890,304 bytes free
Post-Run: 3,576,606,720 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
.
- - End Of File - - BF9E3A326CB9F44F36A5858A2B2F0164
8F558EB6672622401DA993E1E865C861
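The "Reg Loading Points" section of a ComboFix log is where a malware-removal helper spends most of the reading time: which Run values point into a user profile, which ones ComboFix marks with [X] because the target file no longer exists, and whether the policies section shows settings such as DisableTaskMgr or a disabled firewall. The script below is an added example of that triage, written for this thread; it is not ComboFix's own code and was not posted by the thread author. It parses the REGEDIT4-style lines ComboFix prints and scores each entry against a few heuristics. The trusted roots, profile-path markers, vendor-lookalike tokens and policy table are assumptions chosen for the XP layout in this log, and the embedded sample is an excerpt of the Run keys and policy lines from the post above.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example (not ComboFix code, not from the thread author). Every autorun
value is scored against heuristics a helper applies by eye; the output is a
list of entries to *review*, never a verdict: per-user installers such as
uTorrent or Dropbox legitimately live under Application Data.
"""
import re
from dataclasses import dataclass, field

# ComboFix prints the section in REGEDIT4 style: a [key] header, then
# "name"="target" [date size] lines; a missing target is printed as [X].
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')
POLICY_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>\d+)\s*\(0x[0-9a-fA-F]+\)')

# Assumptions for this example (XP layout as in the log): locations any
# unprivileged process can write to, and roots treated as trusted install trees.
PROFILE_MARKERS = ("\\documents and settings\\", "\\application data\\",
                   "\\local settings\\", "\\docume~1\\")
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "d:\\program files\\")
# Vendor-sounding tokens; a Run value using one of these *outside* TRUSTED_ROOTS
# is the classic "ChromeUpdate.exe in Application Data" pattern.
LOOKALIKE_TOKENS = ("chrome", "google", "flash", "adobe", "java", "windows", "microsoft")
# Policy values that hamper the user; legitimate software rarely sets them.
BAD_POLICIES = {"disabletaskmgr": "1", "disableregistrytools": "1", "enablefirewall": "0"}


@dataclass
class Finding:
    key: str
    name: str
    target: str
    reasons: list = field(default_factory=list)


def _is_trusted_location(path: str) -> bool:
    return any(path.startswith(root) for root in TRUSTED_ROOTS)


def score_autorun(target: str, meta: str) -> list:
    """Return the heuristic reasons (possibly none) this Run value deserves review."""
    p = target.lower()
    reasons = []
    if meta.strip() == "X":
        reasons.append("target file missing ([X]); dead loader or an already removed payload")
    if "\\" not in p:
        reasons.append("bare file name, resolved through the search path at logon")
    elif not _is_trusted_location(p) and any(m in p for m in PROFILE_MARKERS):
        reasons.append("executable under a user-writable profile directory")
    base = p.rsplit("\\", 1)[-1]
    if any(tok in base for tok in LOOKALIKE_TOKENS) and not _is_trusted_location(p):
        reasons.append("vendor-lookalike name outside the vendor install tree")
    return reasons


def triage(log_text: str) -> list:
    """Walk the section line by line, tracking the current [key], and collect findings."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m["key"]
            continue
        m = VALUE_RE.match(line)
        if m:
            reasons = score_autorun(m["target"], m["meta"])
            if reasons:
                findings.append(Finding(current_key, m["name"], m["target"], reasons))
            continue
        m = POLICY_RE.match(line)
        if m and BAD_POLICIES.get(m["name"].lower()) == m["value"]:
            findings.append(Finding(current_key, m["name"], m["value"],
                                    ["restrictive policy set; legitimate software rarely does this"]))
    return findings


def report(findings) -> str:
    """One entry per line with its reasons indented, ready to paste into a reply."""
    out = []
    for f in findings:
        out.append(f"{f.name} ({f.key}) -> {f.target}")
        out.extend(f"    - {r}" for r in f.reasons)
    return "\n".join(out)


# Sample input: lines excerpted from the ComboFix log posted in this thread.
SAMPLE = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinResSync"="c:\documents and settings\Marc\Application Data\Microsoft\Protect\3bbe8467d5d0ab5ae8ee.rs" [X]
"BrowserMe"="c:\documents and settings\Marc\Application Data\BrowserMe\ChromeUpdate.exe" [2015-11-23 26025472]
"uTorrent"="c:\documents and settings\Marc\Application Data\uTorrent\uTorrent.exe" [2015-12-04 2026520]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2012-06-06 20065936]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

if __name__ == "__main__":
    print(report(triage(SAMPLE)))
```

On the sample the script lists WinResSync (missing target plus profile path), BrowserMe (profile path plus a Chrome-sounding name outside any Google install tree), uTorrent (profile path only), RTHDCPL (bare file name), and the two policy values; ctfmon.exe and Adobe ARM produce no reasons and are not listed. The uTorrent hit is the caveat worth keeping in mind: location alone says "look at it", and it is the combination of reasons, the file's creation date in the "Files Created" section and what it is actually doing (here, two utorrentie.exe instances in the process list) that supports a decision.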
c:\documents and settings\Marc\Start Menu\Programs\Startup\ 4t Tray Minimizer.lnk - d:\program files\4t Tray Minimizer\4t-min.exe -tray [2011-12-19 1848832] Dialog Helper.lnk - d:\program files\VCOM\PowerDesk\pddlghlp.exe /s [2005-10-4 40960] MagicDisc.lnk - d:\program files\MagicDisc\MagicDisc.exe [2014-3-7 576000] SpeedFan (2).lnk - d:\program files\SpeedFan\speedfan.exe [2015-2-20 4841120] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ Printkey2000.lnk - d:\program files\PrintKey2000\Printkey2000.exe [2011-12-19 869376] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "SoftwareSASGeneration"= 1 (0x1) . [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableTaskMgr"= 1 (0x1) . [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aspnet_wp_86 HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrowserMe HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{59c4462d-a177-4d44-a95b-deda1be79844} HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{5dfbeba9-9f22-463d-8c95-c861911810a2} . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eMuleAutoStart] 2010-04-07 18:00 5758976 ----a-w- d:\program files\eMule\emule.exe . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) . 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "d:\\program files\\TightVNC\\vncviewer.exe"= "c:\\Documents and Settings\\Marc\\Application Data\\Dropbox\\bin\\Dropbox.exe"= "d:\\Program Files\\TightVNC\\tvnserver.exe"= "c:\\WINDOWS\\system32\\muzapp.exe"= "c:\\Documents and Settings\\Marc\\Application Data\\uTorrent\\uTorrent.exe"= "d:\\program files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"= . R0 vididr;Acronis Virtual Disk;c:\windows\system32\drivers\vididr.sys [12/6/2015 3:45 PM 125472] R0 vidsflt53;Acronis Disk Storage Filter (53);c:\windows\system32\drivers\vsflt53.sys [12/6/2015 3:45 PM 83392] R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [12/18/2011 4:00 PM 13696] R1 BS_I2cIo;BS_I2cIo;c:\windows\system32\drivers\BS_I2cIo.sys [12/18/2011 6:10 PM 6272] R1 HWiNFO32;HWiNFO32/64 Kernel Driver;c:\windows\system32\drivers\HWiNFO32.SYS [1/31/2015 2:15 AM 23840] R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [10/9/2007 1:13 PM 38144] R2 EpsonCustomerParticipation;EpsonCustomerParticipation;d:\program files\EPSON\EpsonCustomerParticipation\EPCP.exe [5/10/2012 2:00 PM 539744] R2 EpsonScanSvc;Epson Scanner Service;c:\windows\system32\escsvc.exe [1/3/2013 12:54 PM 122000] R2 tvnserver;TightVNC Server;d:\program files\TightVNC\tvnserver.exe [4/26/2012 8:44 PM 1168400] R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/26/2014 4:52 PM 23256] S2 LiveUpdateSvc;LiveUpdate;d:\program files\IObit\LiveUpdate\LiveUpdate.exe [11/14/2013 12:29 AM 2934048] S2 MBAMScheduler;MBAMScheduler;d:\program files\Malwarebytes Anti-Malware\mbamscheduler.exe [9/26/2014 4:52 PM 1871160] S2 MBAMService;MBAMService;d:\program files\Malwarebytes Anti-Malware\mbamservice.exe [9/26/2014 4:52 PM 1133880] S3 ADATA ToolBox Service;ADATA ToolBox Service;d:\program files\ADATA\SSD ToolBox\ToolBoxSvc.exe 
[12/6/2015 3:06 PM 2257920] S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [10/12/2013 1:39 PM 1691480] S3 cmudaxp;ASUS Xonar DG Audio Interface;c:\windows\system32\drivers\cmudaxp.sys --> c:\windows\system32\drivers\cmudaxp.sys [?] S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [10/5/2012 3:17 PM 83168] S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [9/26/2014 4:55 PM 98520] S3 RTL8187B;NETGEAR WG111v3 Wireless-G USB Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [7/31/2009 3:12 PM 341504] S3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [10/5/2012 3:17 PM 181344] . Contents of the 'Scheduled Tasks' folder . 2015-12-13 c:\windows\Tasks\Adobe Flash Player PPAPI Notifier.job - c:\windows\system32\Macromed\Flash\FlashUtil32_18_0_0_209_pepper.exe [2015-07-18 12:56] . 2015-12-13 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-10-18 11:53] . 2015-12-13 c:\windows\Tasks\Opera scheduled Autoupdate 1436058277.job - d:\program files\Opera\launcher.exe [2015-07-05 15:27] . . ------- Supplementary Scan ------- . uStart Page = [URL="https://www.google.com/"]Google[/URL] IE: LastPass - file://d:\program files\LastPass\context.html?cmd=lastpass IE: LastPass Fill Forms - file://d:\program files\LastPass\context.html?cmd=fillforms TCP: Interfaces\{7C60BEAB-C9CE-481B-A94A-9B920A1048A7}: NameServer = 68.94.156.1,68.94.157.1 . - - - - ORPHANS REMOVED - - - - . 
HKLM-Run-aspnet_wp_86 - c:\docume~1\alluse~1\applic~1\aspnet_wp_86.exe c:\documents and settings\Marc\Start Menu\Programs\Startup\PartMetBackup.lnk - d:\program files\Java\jre7\bin\javaw.exe -cp "d:\program files\MetFileRegenerator\mfr3.jar" com.bws42.mfr.PartMetBackup --loop --cwd "d:\program files\eMule" AddRemove-Google Chrome - c:\documents and settings\Marc\Local Settings\Application Data\Google\Chrome\Application\47.0.2526.80\Installer\setup.exe . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [URL="http://www.gmer.net"]GMER - Rootkit Detector and Remover[/URL] Rootkit scan 2015-12-13 16:53 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . HKCU\Software\Microsoft\Windows\CurrentVersion\Run BrowserMe = c:\documents and settings\Marc\Application Data\BrowserMe\ChromeUpdate.exe??????????????????????????????????????????????????????? . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences] @Denied: (2) (LocalSystem) "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,16,33,c3,cc,84,27,d0,4d,ad,ee,27,\ "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,16,33,c3,cc,84,27,d0,4d,ad,ee,27,\ . 
[HKEY_USERS\S-1-5-21-842925246-746137067-839522115-1003_Classes\CLSID\{24E11561-BB4D-465A-9ABB-B813F94C578A}\InprocServer32] @Denied: (C D 2 3 6) (Everyone) @Allowed: (Read) (S-1-5-21-842925246-746137067-839522115-1003) "ThreadingModel"="Apartment" @="c:\\Documents and Settings\\All Users\\Application Data\\{EBDDF8E9-4948-4EF2-9EBA-18B34523534F}\\browser.dll" . [HKEY_USERS\S-1-5-21-842925246-746137067-839522115-1003_Classes\Drive\ShellEx\FolderExtensions\{24E11561-BB4D-465A-9ABB-B813F94C578A}] @Denied: (C D 2 3 6) (Everyone) @Allowed: (Read) (S-1-5-21-842925246-746137067-839522115-1003) "DriveMask"=dword:ffffffff . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{24E11561-BB4D-465A-9ABB-B813F94C578A}\InprocServer32] @Denied: (C D 2 3 6) (Everyone) "ThreadingModel"="Apartment" @="c:\\Documents and Settings\\All Users\\Application Data\\{EBDDF8E9-4948-4EF2-9EBA-18B34523534F}\\browser.dll" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_19_0_0_245_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_19_0_0_245_ActiveX.exe" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\software\Classes\Drive\shellex\FolderExtensions\{24E11561-BB4D-465A-9ABB-B813F94C578A}] @Denied: (C D 2 3 6) (Everyone) "DriveMask"=dword:ffffffff . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}] @Denied: (A 2) (Everyone) @="IFlashBroker6" . 
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(1060) c:\windows\system32\Ati2evxx.dll . - - - - - - - > 'explorer.exe'(5788) c:\windows\system32\WININET.dll d:\program files\4t Tray Minimizer\ShellEh552.dll d:\program files\VCOM\PowerDesk\pddlghlp.dll d:\program files\NVIDIA Corporation\nview\nview.dll d:\program files\TightVNC\screenhooks32.dll c:\documents and settings\Marc\Application Data\Dropbox\bin\DropboxExt.24.dll c:\documents and settings\All Users\Application Data\{EBDDF8E9-4948-4EF2-9EBA-18B34523534F}\browser.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . 
c:\windows\system32\Ati2evxx.exe c:\windows\system32\Ati2evxx.exe c:\program files\Common Files\Acronis\Schedule2\schedul2.exe c:\windows\system32\nvsvc32.exe d:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe d:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe c:\windows\RTHDCPL.EXE c:\windows\system32\RunDLL32.exe c:\windows\system32\rundll32.exe d:\program files\4t Tray Minimizer\4t-min.exe d:\program files\VCOM\PowerDesk\pddlghlp.exe d:\program files\IObit\IObit Uninstaller\UninstallMonitor.exe d:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe c:\documents and settings\Marc\Application Data\uTorrent\updates\3.4.5_41372\utorrentie.exe c:\documents and settings\Marc\Application Data\uTorrent\updates\3.4.5_41372\utorrentie.exe d:\program files\Internet Explorer\iexplore.exe d:\program files\Internet Explorer\iexplore.exe d:\program files\Internet Explorer\iexplore.exe d:\program files\Internet Explorer\iexplore.exe c:\windows\system32\dllhost.exe . ************************************************************************** . Completion time: 2015-12-13 16:58:17 - machine was rebooted ComboFix-quarantined-files.txt 2015-12-13 21:58 . Pre-Run: 2,721,890,304 bytes free Post-Run: 3,576,606,720 bytes free . WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons UnsupportedDebug="do not select this" /debug multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer . - - End Of File - - BF9E3A326CB9F44F36A5858A2B2F0164 8F558EB6672622401DA993E1E865C861 [/QUOTE]
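The log above is long, and the entries that matter for triage are scattered across the Run keys, the policy keys, the firewall key and the catchme section. The script below is an added example, not part of CheckMarc's post and not ComboFix or catchme code: it parses those line formats and flags the entries a malware-removal helper would look at first, using four heuristics that are my own choice (launch target under a user-writable profile or ProgramData path, target marked missing with ComboFix's `[X]`, runs of `?` where catchme printed unprintable characters in a hidden autostart, and a policy value such as `DisableTaskMgr`=1 or `EnableFirewall`=0). The reason labels, regexes and the `USER_WRITABLE` fragment list are assumptions; the sample excerpt is copied from the log above. Hits are a review list, not a verdict: uTorrent is flagged alongside BrowserMe and WinResSync because legitimate software also installs itself under Application Data.

```python
"""Heuristic triage of ComboFix 'Reg Loading Points' and catchme output.

Parses [HKEY...] headers, "Name"="target" [info] Run values, "Policy"= n (0xn)
lines and catchme's 'Name = target' hidden-autostart lines, and reports the
entries a malware-removal helper would look at first.  Hits are review items,
not verdicts: legitimate software (Dropbox, uTorrent) also runs from AppData.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Reason labels: names chosen for this example, not ComboFix terminology.
R_WRITABLE = "target runs from a user-writable profile or ProgramData path"
R_MISSING = "target file missing at scan time (ComboFix marks it [X])"
R_HIDDEN = "unprintable characters in the value (catchme prints them as '?')"
R_POLICY = "policy set to a value that hides or weakens defences"

KEY_HEADER = re.compile(r"^\[?(?P<key>HK[^\]\s]+)\]?$")        # [HKEY_...\Run] or bare HKCU\...
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*(?P<info>\[[^\]]*\])?$')
POLICY_VALUE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>\d+)\s*\(0x[0-9A-Fa-f]+\)$')
HIDDEN_VALUE = re.compile(r"^(?P<name>[^=\s]+) = (?P<target>.*\?{3,})$")

# Path fragments any process in the user's session can write to (assumed list).
USER_WRITABLE = ("application data\\", "local settings\\", "\\docume~1\\", "applic~1\\")
# Policies malware commonly flips; the value is the weakened setting.
BAD_POLICY = {"disabletaskmgr": "1", "disableregistrytools": "1", "enablefirewall": "0"}


@dataclass
class Finding:
    key: str                     # registry key the value lives under
    name: str                    # value name (or policy name)
    target: str                  # launched path, or the policy value
    reasons: List[str] = field(default_factory=list)


def classify_target(target: str, info: str = "") -> List[str]:
    """Return the reasons a launch target deserves review (empty list = none)."""
    reasons = []
    low = target.lower()
    if any(frag in low for frag in USER_WRITABLE):
        reasons.append(R_WRITABLE)
    if info.strip() == "[X]":
        reasons.append(R_MISSING)
    if re.search(r"\?{3,}", target):
        reasons.append(R_HIDDEN)
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Walk the log once; collect flagged Run values, policies and hidden entries."""
    findings: List[Finding] = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_HEADER.match(line)
        if m:
            key = m.group("key")          # remember the key for the values that follow
            continue
        m = RUN_VALUE.match(line)
        if m:
            reasons = classify_target(m.group("target"), m.group("info") or "")
            if reasons:
                findings.append(Finding(key, m.group("name"), m.group("target"), reasons))
            continue
        m = POLICY_VALUE.match(line)
        if m:
            if BAD_POLICY.get(m.group("name").lower()) == m.group("value"):
                findings.append(Finding(key, m.group("name"), m.group("value"), [R_POLICY]))
            continue
        m = HIDDEN_VALUE.match(line)      # catchme's 'Name = path???' hidden-autostart line
        if m:
            findings.append(Finding(key, m.group("name"), m.group("target"),
                                    classify_target(m.group("target"))))
    return findings


# Excerpt copied from the log above; the last two lines are catchme's output.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinResSync"="c:\documents and settings\Marc\Application Data\Microsoft\Protect\3bbe8467d5d0ab5ae8ee.rs" [X]
"BrowserMe"="c:\documents and settings\Marc\Application Data\BrowserMe\ChromeUpdate.exe" [2015-11-23 26025472]
"uTorrent"="c:\documents and settings\Marc\Application Data\uTorrent\uTorrent.exe" [2015-12-04 2026520]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SoftwareSASGeneration"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
BrowserMe = c:\documents and settings\Marc\Application Data\BrowserMe\ChromeUpdate.exe??????????
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.key}\n  {f.name} -> {f.target}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run it on a whole ComboFix log by passing the file contents to `triage()`; the `Finding.key` field tells you which hive and key to open in the editor when verifying a hit, and the `[X]` reason is worth reading together with the "Other Deletions" list at the top of the log, since a missing target under a still-present Run value is usually what is left after a cleaner removed the file but not the registry value.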