Solved Browser Hijacker causing extensive Win8 issues

When we tried doing what you asked (otl.exe), it stalled like you said, so I quickly rebooted the PC and was forced to update the computer. When I tried to log in, Windows 8 was not accepting ANY of our users' passwords. Even when we reset them, it came up with the 'incorrect password' screen. We now have no access to the computer at all.
Any suggestions?
 
I restored back to the 14th of Jan and have had the computer back for a while. Soon we will go through the next step, but I could not do it last weekend as once again I was away.
Do you think the problem could occur again with the next set of updates?
 
I don't think updates caused any issues, but I'm glad to see your computer back and running.
Since you used system restore we have to re-run some scans.

Re-run MBAM, RogueKiller and MBAR.
Post all logs.
 
 
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.01.30.07

Windows 8 x64 NTFS
Internet Explorer 10.0.9200.16750
sarah :: DESKTOP [administrator]

30/01/2014 22:26:22
mbam-log-2014-01-30 (22-26-22).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 294024
Time elapsed: 5 minute(s), 29 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 4
C:\$RECYCLE.BIN\S-1-5-21-3048388059-1154103495-501387454-1006\$R9S4UFR.exe (PUP.Optional.Tarma) -> Quarantined and deleted successfully.
C:\Users\Fred\Downloads\FlashPlayersetup__3873_i310528780_il155.exe (PUP.Optional.InstallMonetizer) -> Quarantined and deleted successfully.
C:\Users\Fred\Downloads\FlashPlayersetup__3873_i310529831_il155.exe (PUP.Optional.InstallMonetizer) -> Quarantined and deleted successfully.
C:\Users\Fred\Downloads\FlashPlayersetup__3873_i310594541_il155.exe (PUP.Optional.InstallMonetizer) -> Quarantined and deleted successfully.

(end)
 
When I ran RogueKiller, the prescan got stuck on 'dllhost.exe' and stayed like so for a long time. I tried rebooting, running as administrator and reinstalling RogueKiller, but it still got stuck. We also disabled the antivirus and closed all other running applications.
 
Ran RogueKiller in safe mode and it didn't have internet access or let me save the report in Notepad; is that normal?

RogueKiller V8.8.0 _x64_ [Dec 27 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8 (6.2.9200 ) 64 bits version
Started in : Safe mode
User : sarah [Admin rights]
Mode : Remove -- Date : 02/02/2014 21:04:41
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[HJ POL][PUM] HKLM\[...]\System : DisableTaskMgr (0) -> DELETED
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableTaskMgr (0) -> [0x2] The system cannot find the file specified.
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> [0x2] The system cannot find the file specified.

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) ST2000DM 001-1CH164 SATA Disk Device +++++
--- User ---
[MBR] 0d184cedcc4fb4f4f056db488fe01ef8
[BSP] 41ebde61d0612c43c557ebd459b9938d : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 1 | Size: 2097152 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ USB) Multiple Card Reader USB Device +++++
Error reading User MBR! ([0x15] The device is not ready. )
User = LL1 ... OK!
Error reading LL2 MBR! ([0x32] The request is not supported. )

+++++ PhysicalDrive2: (\\.\PHYSICALDRIVE2 @ USB) HP Photosmart D5400 USB Device +++++
Error reading User MBR! ([0x15] The device is not ready. )
User = LL1 ... OK!
Error reading LL2 MBR! ([0x32] The request is not supported. )

Finished : << RKreport[0]_D_02022014_210441.txt >>
RKreport[0]_D_01062014_131804.txt;RKreport[0]_S_01062014_131747.txt;RKreport[0]_S_02022014_210413.txt
 
Please download ComboFix from Here, Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Never rename Combofix unless instructed.
  • Close any open browsers.
  • Very Important! Temporarily disable your anti-virus and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    If the connection is not there use restore point you created prior to running Combofix.
  • Double click on combofix.exe & follow the prompts.

  • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try the following...

Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

Restart computer in safe mode

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

When the scan is done, Notepad will open with the rKill.txt log.
NOTE. rKill.txt log will also be present on your desktop.

Once you've gotten one of them to run, immediately run your_name.exe by double-clicking on it.

IF you had to run rKill, post BOTH logs, rKill.txt and Combofix.txt.
 
ComboFix 14-02-01.01 - sarah 02/02/2014 21:53:17.2.4 - x64
Microsoft Windows 8 6.2.9200.0.1252.44.2057.18.8087.5702 [GMT 0:00]
Running from: c:\users\sarah\Downloads\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
AV: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: McAfee Firewall *Enabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
ADS - windows: deleted 0 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Fred\AppData\Local\assembly\tmp
c:\users\Fred\AppData\Local\assembly\tmp\D2KS816E\__AssemblyInfo__.ini
c:\users\Fred\AppData\Local\assembly\tmp\D2KS816E\HPSwitchBoard.DLL
c:\users\George\AppData\Local\assembly\tmp
c:\users\George\AppData\Local\assembly\tmp\7NXMYZIV\__AssemblyInfo__.ini
c:\users\George\AppData\Local\assembly\tmp\7NXMYZIV\HPSeeker.DLL
c:\users\George\AppData\Local\assembly\tmp\EUJYU67J\__AssemblyInfo__.ini
c:\users\George\AppData\Local\assembly\tmp\EUJYU67J\HPSwitchBoard.DLL
c:\users\George\AppData\Local\assembly\tmp\LHLVF949\__AssemblyInfo__.ini
c:\users\George\AppData\Local\assembly\tmp\LHLVF949\HPSeeker.DLL
c:\users\George\AppData\Local\assembly\tmp\MWKXRY0W\__AssemblyInfo__.ini
c:\users\George\AppData\Local\assembly\tmp\MWKXRY0W\HPSwitchBoard.DLL
c:\users\George\AppData\Local\assembly\tmp\V4AT2FQL\__AssemblyInfo__.ini
c:\users\George\AppData\Local\assembly\tmp\V4AT2FQL\HPSwitchBoard.DLL
c:\users\sarah\AppData\Local\assembly\tmp
c:\users\sarah\AppData\Local\assembly\tmp\02U0NWQJ\__AssemblyInfo__.ini
c:\users\sarah\AppData\Local\assembly\tmp\02U0NWQJ\HPSwitchBoard.DLL
c:\users\sarah\AppData\Local\assembly\tmp\K2C65G9P\__AssemblyInfo__.ini
c:\users\sarah\AppData\Local\assembly\tmp\K2C65G9P\HPSeeker.DLL
c:\users\sarah\AppData\Local\assembly\tmp\RQS9A37B\__AssemblyInfo__.ini
c:\users\sarah\AppData\Local\assembly\tmp\RQS9A37B\HPSwitchBoard.DLL
c:\users\sarah\AppData\Local\assembly\tmp\SFZAH8AK\__AssemblyInfo__.ini
c:\users\sarah\AppData\Local\assembly\tmp\SFZAH8AK\HPSwitchBoard.DLL
.
.
((((((((((((((((((((((((( Files Created from 2014-01-02 to 2014-02-02 )))))))))))))))))))))))))))))))
.
.
2014-02-02 22:02 . 2014-02-02 22:02 -------- d-----w- c:\users\George\AppData\Local\temp
2014-02-02 22:02 . 2014-02-02 22:02 -------- d-----w- c:\users\Fred\AppData\Local\temp
2014-02-02 22:02 . 2014-02-02 22:02 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-02-02 22:02 . 2014-02-02 22:02 -------- d-----w- c:\users\andre_000\AppData\Local\temp
2014-02-02 21:16 . 2014-02-02 21:16 117464 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-01-28 21:58 . 2014-01-28 21:58 -------- d-----w- c:\programdata\HP
2014-01-22 18:00 . 2013-09-23 13:49 197704 ----a-w- c:\windows\system32\drivers\HipShieldK.sys
2014-01-18 15:46 . 2014-01-09 08:02 78296 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-01-18 15:46 . 2014-01-09 08:02 694240 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-01-16 07:31 . 2014-01-17 01:00 -------- d-----w- c:\programdata\Recovery
2014-01-15 22:53 . 2014-01-15 22:53 -------- d-----w- C:\_OTL
2014-01-14 16:16 . 2014-01-14 16:16 -------- d-----w- c:\users\George\AppData\Local\CrashRpt
2014-01-14 16:15 . 2014-01-16 17:43 -------- d-----w- c:\programdata\Package Cache
2014-01-13 22:28 . 2014-01-13 22:28 -------- d-----w- c:\windows\ERUNT
2014-01-13 22:11 . 2014-01-13 22:13 -------- d-----w- C:\AdwCleaner
2014-01-13 16:37 . 2014-01-13 16:37 -------- d-----w- c:\users\Fred\AppData\Local\CrashDumps
2014-01-06 13:25 . 2014-02-02 21:35 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-01-06 13:23 . 2014-02-02 21:15 89304 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-01-06 13:16 . 2014-02-02 21:03 22528 ----a-w- c:\windows\system32\drivers\rdpbus.sys.bak
2014-01-06 13:15 . 2014-02-02 21:02 58200 ----a-w- c:\windows\system32\drivers\dam.sys.bak
2014-01-05 19:50 . 2014-01-05 19:50 -------- d-----w- c:\program files (x86)\Ffmpeg For Audacity
2014-01-05 19:40 . 2014-01-05 19:40 -------- d-----w- c:\program files (x86)\Lame For Audacity
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-01-17 12:01 . 2013-06-18 20:16 86054176 ----a-w- c:\windows\system32\MRT.exe
2013-12-19 14:37 . 2013-12-19 14:37 110080 ----a-r- c:\users\sarah\AppData\Roaming\Microsoft\Installer\{CD09642E-061D-4844-BA37-ED1480916404}\IconF7A21AF7.exe
2013-12-19 14:37 . 2013-12-19 14:37 110080 ----a-r- c:\users\sarah\AppData\Roaming\Microsoft\Installer\{CD09642E-061D-4844-BA37-ED1480916404}\IconD7F16134.exe
2013-12-19 14:37 . 2013-12-19 14:37 110080 ----a-r- c:\users\sarah\AppData\Roaming\Microsoft\Installer\{CD09642E-061D-4844-BA37-ED1480916404}\Icon1226A4C5.exe
2013-12-05 16:51 . 2013-06-17 12:24 70112 ----a-w- c:\windows\system32\drivers\cfwids.sys
2013-12-05 16:45 . 2013-02-19 12:56 343696 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2013-12-05 16:44 . 2013-06-17 12:03 184800 ----a-w- c:\windows\system32\mfevtps.exe
2013-12-05 16:41 . 2013-02-19 12:54 782616 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2013-12-05 16:39 . 2013-06-17 12:24 519576 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2013-12-05 16:37 . 2013-06-17 12:24 311120 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2013-12-05 16:36 . 2013-02-19 12:52 179792 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2013-12-05 16:25 . 2013-06-17 12:24 69344 ----a-w- c:\windows\system32\drivers\mfeelamk.sys
2013-11-26 22:07 . 2013-11-26 22:07 10856 ----a-w- c:\windows\system32\drivers\mfeclnrk.sys
2013-11-26 22:07 . 2013-11-26 22:07 96112 ----a-w- c:\windows\system32\drivers\mfencrk.sys
2013-11-26 22:07 . 2013-11-26 22:07 411944 ----a-w- c:\windows\system32\drivers\mfencbdc.sys
2013-11-23 06:43 . 2013-12-13 00:53 420864 ----a-w- c:\windows\system32\WMPhoto.dll
2013-11-23 05:05 . 2013-12-13 00:53 368640 ----a-w- c:\windows\SysWow64\WMPhoto.dll
2013-11-06 23:18 . 2013-12-13 00:53 4036608 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2014-01-01 21:52 222832 ----a-w- c:\users\sarah\AppData\Local\Microsoft\SkyDrive\17.0.2015.0811\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2014-01-01 21:52 222832 ----a-w- c:\users\sarah\AppData\Local\Microsoft\SkyDrive\17.0.2015.0811\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2014-01-01 21:52 222832 ----a-w- c:\users\sarah\AppData\Local\Microsoft\SkyDrive\17.0.2015.0811\SkyDriveShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KiesPreload"="c:\program files (x86)\Samsung\Kies\Kies.exe" [2013-12-11 1564528]
"KiesAirMessage"="c:\program files (x86)\Samsung\Kies\KiesAirMessage.exe" [2013-05-22 578560]
"ANT Agent"="c:\program files (x86)\Garmin\ANT Agent\ANT Agent.exe" [2013-02-15 14731776]
"iCloudServices"="c:\program files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe" [2013-09-14 59720]
"ApplePhotoStreams"="c:\program files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe" [2013-09-15 59720]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"BATINDICATOR"="c:\program files (x86)\Hewlett-Packard\HP Keyboard\BATINDICATOR.exe" [2011-12-14 2068992]
"BATINDICATORHL"="c:\program files (x86)\Hewlett-Packard\HP Keyboard\BATINDICATOR_HIDList.exe" [2010-07-23 557056]
"OSDTool"="c:\program files (x86)\Hewlett-Packard\HP Keyboard\CNYHKEY.exe" [2012-06-13 2101248]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2013-09-24 537512]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-21 59720]
"KiesTrayAgent"="c:\program files (x86)\Samsung\Kies\KiesTrayAgent.exe" [2013-12-11 311152]
"BingDesktop"="c:\program files (x86)\Microsoft\BingDesktop\BingDesktop.exe" [2013-06-27 2249352]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2013-05-01 421888]
"mcpltui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2013-09-24 537512]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-11-02 152392]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
.
c:\users\sarah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\StartUp\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.8.130\SSScheduler.exe [2013-9-6 324320]
WinTV Recording Status.lnk - c:\program files (x86)\WinTV\WinTV7\WinTVTray.exe [2013-7-2 151040]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableCursorSuppression"= 1 (0x1)
"ConsentPromptBehaviorUser"= 3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc]
@=""
.
R0 mfeelamk;McAfee Inc. mfeelamk;c:\windows\system32\drivers\mfeelamk.sys;c:\windows\SYSNATIVE\drivers\mfeelamk.sys [x]
R2 EsgScanner;EsgScanner;c:\windows\system32\DRIVERS\EsgScanner.sys;c:\windows\SYSNATIVE\DRIVERS\EsgScanner.sys [x]
R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys;c:\windows\SYSNATIVE\DRIVERS\ssudbus.sys [x]
R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [x]
R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [x]
R3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys;c:\windows\SYSNATIVE\drivers\HipShieldK.sys [x]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.8.130\McCHSvc.exe;c:\program files\McAfee Security Scan\3.8.130\McCHSvc.exe [x]
R3 mfencrk;McAfee Inc. mfencrk;c:\windows\system32\DRIVERS\mfencrk.sys;c:\windows\SYSNATIVE\DRIVERS\mfencrk.sys [x]
R3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys;c:\windows\SYSNATIVE\DRIVERS\ssudmdm.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\System32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 xusb22;Xbox 360 Wireless Receiver Driver Service 22;c:\windows\System32\drivers\xusb22.sys;c:\windows\SYSNATIVE\drivers\xusb22.sys [x]
S0 amd_sata;amd_sata;c:\windows\System32\drivers\amd_sata.sys;c:\windows\SYSNATIVE\drivers\amd_sata.sys [x]
S0 amd_xata;amd_xata;c:\windows\System32\drivers\amd_xata.sys;c:\windows\SYSNATIVE\drivers\amd_xata.sys [x]
S0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys;c:\windows\SYSNATIVE\drivers\McPvDrv.sys [x]
S1 CLVirtualDrive;CLVirtualDrive;c:\windows\system32\DRIVERS\CLVirtualDrive.sys;c:\windows\SYSNATIVE\DRIVERS\CLVirtualDrive.sys [x]
S1 MfeASKM;McAfee Application Statistics Device Driver;c:\program files\McAfee\AppStats\MfeASKM.sys;c:\program files\McAfee\AppStats\MfeASKM.sys [x]
S1 MOBKFilter;MOBKFilter;c:\windows\system32\DRIVERS\MOBK.sys;c:\windows\SYSNATIVE\DRIVERS\MOBK.sys [x]
S2 BingDesktopUpdate;Bing Desktop Update service;c:\program files (x86)\Microsoft\BingDesktop\BingDesktopUpdater.exe;c:\program files (x86)\Microsoft\BingDesktop\BingDesktopUpdater.exe [x]
S2 HauppaugeTVServer;HauppaugeTVServer;c:\program files (x86)\WinTV\TVServer\HauppaugeTVServer.exe;c:\program files (x86)\WinTV\TVServer\HauppaugeTVServer.exe [x]
S2 HomeNetSvc;McAfee Home Network;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [x]
S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [x]
S2 HPConnectedRemote;HP Connected Remote Service;c:\program files (x86)\Hewlett-Packard\HP Connected Remote\HPConnectedRemoteService.exe;c:\program files (x86)\Hewlett-Packard\HP Connected Remote\HPConnectedRemoteService.exe [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [x]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [x]
S2 McAPExe;McAfee AP Service;c:\program files\McAfee\MSC\McAPExe.exe;c:\program files\McAfee\MSC\McAPExe.exe [x]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [x]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [x]
S2 mcpltsvc;McAfee Platform Services;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [x]
S2 MfeASUM;McAfee Application Statistics Service;c:\program files\McAfee\AppStats\MfeASUM.exe;c:\program files\McAfee\AppStats\MfeASUM.exe [x]
S2 mfecore;McAfee Anti-Malware Core;c:\program files\Common Files\McAfee\AMCore\mcshield.exe;c:\program files\Common Files\McAfee\AMCore\mcshield.exe [x]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [x]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe;c:\windows\SYSNATIVE\mfevtps.exe [x]
S2 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys;c:\windows\SYSNATIVE\drivers\mfewfpk.sys [x]
S2 MOBKbackup;McAfee Online Backup;c:\program files (x86)\McAfee Online Backup\MOBKbackup.exe;c:\program files (x86)\McAfee Online Backup\MOBKbackup.exe [x]
S2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\NlsSrv32.exe;c:\windows\SYSNATIVE\NlsSrv32.exe [x]
S2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [x]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys;c:\windows\SYSNATIVE\drivers\cfwids.sys [x]
S3 hcw17bda;Hauppauge SMS1000-based;c:\windows\system32\drivers\hcw17b64.sys;c:\windows\SYSNATIVE\drivers\hcw17b64.sys [x]
S3 L1C;NDIS Miniport Driver for Qualcomm Atheros AR81xx PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C63x64.sys;c:\windows\SYSNATIVE\DRIVERS\L1C63x64.sys [x]
S3 libusb0;libusb-win32 - Kernel Driver 04/08/2011 1.2.4.0;c:\windows\system32\DRIVERS\libusb0.sys;c:\windows\SYSNATIVE\DRIVERS\libusb0.sys [x]
S3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys;c:\windows\SYSNATIVE\DRIVERS\lvrs64.sys [x]
S3 LVUVC64;@oem46.inf,%PID_0825_DD%(UVC);Logitech HD Webcam C270(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys;c:\windows\SYSNATIVE\DRIVERS\lvuvc64.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys;c:\windows\SYSNATIVE\drivers\mfefirek.sys [x]
S3 mfencbdc;McAfee Inc. mfencbdc;c:\windows\system32\DRIVERS\mfencbdc.sys;c:\windows\SYSNATIVE\DRIVERS\mfencbdc.sys [x]
S3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys;c:\windows\SYSNATIVE\DRIVERS\netr28x.sys [x]
S3 usbfilter;AMD USB Filter Driver;c:\windows\System32\drivers\usbfilter.sys;c:\windows\SYSNATIVE\drivers\usbfilter.sys [x]
S3 WUDFWpdMtp;WUDFWpdMtp;c:\windows\system32\DRIVERS\WUDFRd.sys;c:\windows\SYSNATIVE\DRIVERS\WUDFRd.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
apphost REG_MULTI_SZ apphostsvc
iissvcs REG_MULTI_SZ w3svc was
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-01-29 18:02 1211672 ----a-w- c:\program files (x86)\Google\Chrome\Application\32.0.1700.102\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-02-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-06-17 10:49]
.
2014-02-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-06-17 10:49]
.
2014-02-02 c:\windows\Tasks\HPCeeScheduleForsarah.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-13 21:15]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2014-01-01 21:52 261744 ----a-w- c:\users\sarah\AppData\Local\Microsoft\SkyDrive\17.0.2015.0811\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2014-01-01 21:52 261744 ----a-w- c:\users\sarah\AppData\Local\Microsoft\SkyDrive\17.0.2015.0811\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2014-01-01 21:52 261744 ----a-w- c:\users\sarah\AppData\Local\Microsoft\SkyDrive\17.0.2015.0811\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-04-13 19:11 3816248 ----a-w- c:\program files (x86)\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-04-13 19:11 3816248 ----a-w- c:\program files (x86)\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-04-13 19:11 3816248 ----a-w- c:\program files (x86)\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BeatsOSDApp"="c:\program files\IDT\WDM\beats64.exe" [2013-08-19 41664]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2013-08-19 1703424]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NCPluginUpdater"="c:\program files (x86)\Hewlett-Packard\HP Health Check\ActiveCheck\product_line\NCPluginUpdater.exe" [2014-01-28 21720]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
uDefault_Search_URL = hxxp://www.google.com/ie
mLocal Page = c:\windows\SysWOW64\blank.htm
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
FF - ProfilePath - c:\users\sarah\AppData\Roaming\Mozilla\Firefox\Profiles\f9jbdcic.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxps://www.google.co.uk
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=mcafee&type=A111GB739&p=
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-LAME_is1 - c:\program files (x86)\Audacity 1.3 Beta (Unicode)\unins001.exe
AddRemove-{EE202411-2C26-49E8-9784-1BC1DBF7DE96} - c:\program files (x86)\InstallShield Installation Information\{EE202411-2C26-49E8-9784-1BC1DBF7DE96}\setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4d36e96d-e325-11ce-bfc1-08002be10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
@SACL=(02 0000)
.
Completion time: 2014-02-02 22:05:11
ComboFix-quarantined-files.txt 2014-02-02 22:05
ComboFix2.txt 2014-01-08 19:24
.
Pre-Run: 1,600,285,642,752 bytes free
Post-Run: 1,600,001,388,544 bytes free
.
- - End Of File - - 7783142D8A9A0A75E4EC1DBBB6A7B686
5FB38429D5D77768867C76DCBDB35194
 
Looks good.

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Download OTL to your Desktop.
Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Scan All Users checkbox.
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 