Harry Dykins
Posts: 18 +0
(Sorry if this is a bit long, I want to try and get as much information across as possible.)
Hi, I turned my computer on yesterday and noticed that Malwarebytes wasn't running in my quick pick tray. I therefore tried to run it through the start menu and it came up with "can't find mbam.exe" or something along those lines. I went through Explorer and tried to run it manually, with the same result. My Avira anti-virus then flashed up saying something had attempted to mess up the registry, so I went to my Spybot anti-malware to run a scan. But spybot.exe, like Malwarebytes, was not found. So I thought "oh crap, it's a virus disabling all my anti-virus" and turned the computer off.
I then ran it in safe mode and found that my Glary Utilities was still fine, and that had an anti-malware scanner, so I ran it along with a registry "fixer". I noticed that the registry values for mbam and Spybot were listed as broken, along with a couple of other programs (Audacity etc.). So I thought that there was a virus attempting to muck up my registry and tried to system restore to an earlier date, but I couldn't find rstrui.exe in my system32 folder and therefore couldn't system restore from safe mode. Instead I ran the Microsoft Malicious Software Removal Tool, which came up with only 1 infected file, and then ran an Avira scan, which came up with nothing. I then tried to see if this had any effect and booted it up normally (I also downloaded a new Spybot version to see if it would be able to find anything before I ran those 2 scans, but it seemed to be blocked during installation). After the reboot, Spybot and Avira came up and seemed to be working, then disappeared from the quick pick tray, and any attempts to restart Avira protection and the update were met with "access denied", so I quickly turned the computer off before it could do any more damage.
I then booted it up in safe mode and tried all sorts of virus removal software (ComboFix, FRST, and I'm sure there was another one (but not RKill, as safe mode was working fine)), but after a restart all my virus software was still offline and nothing would change it. I then booted up, pressed F8 and did a system restore, but it encountered an error and I restarted the computer. When it came back on it seemed to have rolled back to that restore point and the computer was running fine, but my Avira and Malwarebytes were still dead. I then ran RKill and ComboFix, and then had to uninstall my Avira and installed Avast instead. However, access to Malwarebytes is still denied and I cannot uninstall or load the program. My problem seems similar to this person's thread: https://www.techspot.com/community/topics/virus-cant-install-malwarebytes-access-is-denied.163660/ and I have posted my latest rkill.txt and combofix.txt below. An Avast scan is currently running, but I'd like to try Malwarebytes afterwards, so I'd like to know how I could manually uninstall it, whether or not this virus has gone, and if not, what steps I should take next. Thanks for taking the time to read this huge chunk of text.
--------------------------
Rkill 2.6.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html
Program started at: 01/13/2014 04:57:29 PM in x86 mode.
Windows Version: Windows Vista (TM) Home Premium Service Pack 2
Checking for Windows services to stop:
* No malware services found to stop.
Checking for processes to terminate:
* No malware processes found to kill.
Checking Registry for malware related settings:
* No issues found in the Registry.
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
Performing miscellaneous checks:
* Windows Defender Disabled
[HKLM\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001
* Windows Firewall Disabled
[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = dword:00000000
Checking Windows Service Integrity:
* Windows Defender (WinDefend) is not Running.
Startup Type set to: Manual
Searching for Missing Digital Signatures:
* No issues found.
Checking HOSTS File:
* HOSTS file entries found:
127.0.0.1 localhost
Program finished at: 01/13/2014 04:57:44 PM
Execution time: 0 hours(s), 0 minute(s), and 14 seconds(s)
----------------------------------
ComboFix 14-01-13.01 - Harry 13/01/2014 16:41:01.1.4 - x86
Running from: c:\users\Harry\Downloads\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Crack
c:\program files\Crack\AGE3Y.EXE
c:\program files\Crack\IPHLPAPI.DLL
c:\program files\UltimaXeno data\Chars\dizzy4\_desktop.ini
c:\users\Harry\AppData\Roaming\BDL+D
c:\users\Harry\AppData\Roaming\BDL+D\MANGAGAMER.COM\2FBD69B0-79F0-4E42-BD3E-4D7EC9D7C148\____.sys
.
.
((((((((((((((((((((((((( Files Created from 2013-12-13 to 2014-01-13 )))))))))))))))))))))))))))))))
.
.
2014-01-13 16:53 . 2014-01-13 16:53 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2014-01-13 16:53 . 2014-01-13 16:53 -------- d-----w- c:\users\hedev\AppData\Local\temp
2014-01-13 16:53 . 2014-01-13 16:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-01-13 13:13 . 2014-01-13 13:15 -------- d-----w- C:\AdwCleaner
2014-01-13 13:05 . 2014-01-13 13:05 -------- d-----w- C:\FRST
2014-01-12 20:54 . 2014-01-13 13:17 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2014-01-09 16:33 . 2014-01-09 16:33 -------- d-----w- c:\program files\淫獣と魔女とその娘
2014-01-07 15:00 . 2014-01-07 15:00 -------- d-----w- c:\program files\Para IF
2013-12-23 22:10 . 2014-01-14 00:31 -------- d-----w- c:\program files\ステラのセクハラワーキング
2013-12-23 21:15 . 2014-01-14 00:31 -------- d-----w- c:\program files\スプラッタービーチ製品版
2013-12-20 16:10 . 2013-12-20 16:43 -------- d-----w- c:\program files\RJ123150
2013-12-19 16:56 . 2013-12-19 16:56 -------- d-----w- c:\users\Harry\AppData\Local\FLT
2013-12-19 16:56 . 2013-12-19 16:56 -------- d-----w- c:\users\Harry\AppData\Local\CAPCOM
2013-12-19 16:37 . 2013-12-19 16:51 -------- d-----w- c:\program files\Resident Evil Revelations
2013-12-16 16:16 . 2013-12-20 14:48 -------- d-----w- c:\program files\seima
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-12-17 11:03 . 2012-10-08 16:01 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-12-17 11:03 . 2011-06-13 17:06 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-12-17 10:52 . 2012-10-17 10:10 90400 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2013-12-17 10:52 . 2012-10-17 10:10 135648 ----a-w- c:\windows\system32\drivers\avipbb.sys
2013-11-19 10:12 . 2012-10-17 10:10 37352 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2013-11-14 22:50 . 2013-12-11 22:33 1806848 ----a-w- c:\windows\system32\jscript9.dll
2013-11-14 22:42 . 2013-12-11 22:33 1129472 ----a-w- c:\windows\system32\wininet.dll
2013-11-14 22:42 . 2013-12-11 22:33 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2013-11-14 22:38 . 2013-12-11 22:33 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2013-11-14 22:38 . 2013-12-11 22:33 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-11-14 22:35 . 2013-12-11 22:33 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-10-30 02:13 . 2008-01-21 02:23 1304064 ----a-w- c:\windows\system32\WMALFXGFXDSP.dll
2013-10-30 02:12 . 2013-12-11 15:57 335360 ----a-w- c:\windows\system32\SysFxUI.dll
2013-10-30 01:43 . 2013-12-11 15:57 130048 ----a-w- c:\windows\system32\drivers\drmk.sys
2013-10-30 00:43 . 2013-12-11 15:57 167936 ----a-w- c:\windows\system32\drivers\portcls.sys
2013-10-30 00:35 . 2013-12-11 15:57 2050560 ----a-w- c:\windows\system32\win32k.sys
2013-10-22 07:19 . 2013-12-11 15:57 158208 ----a-w- c:\windows\system32\imagehlp.dll
2013-08-29 14:39 . 2013-10-21 14:40 313864301 ----a-w- c:\program files\ゲーム.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2013-01-24 1521800]
.
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Harry\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Harry\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Harry\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Harry\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-05-15 00:05 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2013-12-06 15:47 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2013-12-06 15:47 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2013-12-06 15:47 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedViewOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2013-12-06 15:47 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2013-12-06 15:47 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2013-12-06 15:47 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-05-20 6144000]
"eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-05-15 526896]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-08-25 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-08-25 81920]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-21 59720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2013-12-17 684600]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
.
c:\users\Harry\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
DCOM Utilities.url [2014-1-13 53]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMMediaSharing
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Empowering Technology Monitor]
2008-06-02 16:26 319488 ----a-w- c:\program files\Acer\Empowering Technology\SysMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-04-23 13:51 691656 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EmpoweringTechnology]
2008-06-02 16:26 319488 ----a-w- c:\program files\Acer\Empowering Technology\Framework.Launcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-10 23:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WarReg_PopUp]
2006-11-05 21:48 57344 ----a-w- c:\acer\WR_PopUp\WarReg_PopUp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
2009-04-10 23:28 2153472 ----a-w- c:\windows\System32\oobefldr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" -osboot
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4039739818-893874536-596135990-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMSWISSARMY
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2014-01-13 c:\windows\Tasks\GlaryInitialize 4.job
- c:\program files\Glary Utilities 4\Initialize.exe [2013-11-19 03:53]
.
2014-01-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-10-10 20:22]
.
2014-01-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-10-10 20:22]
.
2013-12-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4039739818-893874536-596135990-1000Core.job
- c:\users\Harry\AppData\Local\Google\Update\GoogleUpdate.exe [2009-02-23 09:23]
.
2014-01-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4039739818-893874536-596135990-1000UA.job
- c:\users\Harry\AppData\Local\Google\Update\GoogleUpdate.exe [2009-02-23 09:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://en.uk.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
TCP: Interfaces\{B42B70ED-1884-4FEF-9D57-A0BF8F4E4763}: NameServer = 194.168.4.100,194.168.8.100
FF - ProfilePath - c:\users\Harry\AppData\Roaming\Mozilla\Firefox\Profiles\ssaydfiv.default-1366918138240\
FF - ExtSQL: !HIDDEN! 2010-10-09 16:20; smartwebprinting@hp.com; c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - user.js: extensions.mixidj.tlbrSrchUrl -
FF - user.js: extensions.mixidj.id - 5245e47c0000000000000012175fb7b5
FF - user.js: extensions.mixidj.appId - {A2773ED4-83BD-488A-A186-73590706C916}
FF - user.js: extensions.mixidj.instlDay - 15975
FF - user.js: extensions.mixidj.vrsn - 1.8.18.8
FF - user.js: extensions.mixidj.vrsni - 1.8.18.8
FF - user.js: extensions.mixidj.vrsnTs - 1.8.18.817:31
FF - user.js: extensions.mixidj.prtnrId - mixidj
FF - user.js: extensions.mixidj.prdct - mixidj
FF - user.js: extensions.mixidj.aflt - babsst
FF - user.js: extensions.mixidj.smplGrp - none
FF - user.js: extensions.mixidj.tlbrId - baseyh
FF - user.js: extensions.mixidj.instlRef - sst
FF - user.js: extensions.mixidj.dfltLng - en
FF - user.js: extensions.mixidj.excTlbr - false
FF - user.js: extensions.mixidj.ffxUnstlRst - false
FF - user.js: extensions.mixidj.admin - false
FF - user.js: extensions.mixidj.autoRvrt - false
FF - user.js: extensions.mixidj.rvrt - false
FF - user.js: extensions.mixidj.newTab - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-01-13 16:54
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-4039739818-893874536-596135990-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-4039739818-893874536-596135990-1000\Software\SecuROM\License information*]
"datasecu"=hex:3b,dc,c1,bd,9d,cf,a9,49,e4,6b,83,e2,0a,81,af,f1,32,d3,42,b2,95,
8f,9f,9f,c9,44,39,8f,0a,e3,06,d2,8d,2d,37,8f,54,42,52,17,91,90,48,01,92,9a,\
"rkeysecu"=hex:27,39,7c,ba,9e,09,b3,68,de,af,d1,19,e9,72,17,dc
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2014-01-13 16:56:33
ComboFix-quarantined-files.txt 2014-01-13 16:56
ComboFix2.txt 2014-01-13 13:45
.
Pre-Run: 16,363,704,320 bytes free
Post-Run: 15,634,432,000 bytes free
.
- - End Of File - - B914340DDB140B9C0458C442EBF81C4E
EF9CDC51B437D322D54016B68F003416
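The Rkill and ComboFix logs in the post above report three settings that weaken the machine's own defences: Windows Defender turned off through `DisableAntiSpyware`, the firewall's `StandardProfile` with `EnableFirewall` at 0, and UAC switched off with `EnableLUA` at 0. The following is an added example, not code from the post, TechSpot, Rkill or ComboFix: a small parser that reads both the Rkill `"Name" = dword:...` form and the ComboFix `"Name"= 0 (0x0)` form, carries the `[bracketed]` key forward, and compares each value against a baseline of what a healthy system should show. The `BASELINE` table and the `SAMPLE_LOG` string (constructed from the log lines on this page) are assumptions of the example, not something the tools emit.

```python
import re

# Constructed sample input: the security-relevant lines copied from the Rkill
# and ComboFix output in the post above, nothing else.
SAMPLE_LOG = """\
* Windows Defender Disabled
[HKLM\\SOFTWARE\\Microsoft\\Windows Defender]
"DisableAntiSpyware" = dword:00000001
* Windows Firewall Disabled
[HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile]
"EnableFirewall" = dword:00000000
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\policies\\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"""

# Assumed baseline for a healthy Vista/7 machine (names matched case-insensitively).
# Defender not disabled, firewall on, UAC on.
BASELINE = {
    "disableantispyware": 0,
    "enablefirewall": 1,
    "enablelua": 1,
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# Rkill prints   "Name" = dword:00000001
# ComboFix prints "Name"= 0 (0x0)
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"\s*=\s*'
    r'(?:dword:(?P<hex>[0-9a-fA-F]{8})|(?P<dec>\d+)\s*\(0x[0-9a-fA-F]+\))'
)


def parse_registry_findings(text):
    """Return (key, value_name, int_value) triples; the key is taken from the
    most recent [bracketed] header, so values without a header are ignored."""
    findings = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            if m.group("hex") is not None:
                value = int(m.group("hex"), 16)
            else:
                value = int(m.group("dec"))
            findings.append((current_key, m.group("name"), value))
    return findings


def weakened_settings(text):
    """List every parsed value that differs from BASELINE, with the observed
    and expected value, so the reader knows what to restore and check again."""
    out = []
    for key, name, value in parse_registry_findings(text):
        expected = BASELINE.get(name.lower())
        if expected is not None and value != expected:
            out.append({"key": key, "name": name,
                        "observed": value, "expected": expected})
    return out


if __name__ == "__main__":
    for w in weakened_settings(SAMPLE_LOG):
        print(f'{w["name"]}: observed {w["observed"]}, expected {w["expected"]}'
              f'  [{w["key"]}]')
```

Run as-is it reports `DisableAntiSpyware`, `EnableFirewall` and `EnableLUA` as off-baseline; `EnableUIADesktopToggle` is parsed but not flagged because it is not in the baseline table. The useful habit this encodes is to re-run the same comparison after the next reboot: if the values have gone back to the weakened state, whatever changed them is still running, which is a stronger signal than any single scan coming back clean.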
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
.
c:\users\Harry\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
DCOM Utilities.url [2014-1-13 53]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMMediaSharing
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Empowering Technology Monitor]
2008-06-02 16:26 319488 ----a-w- c:\program files\Acer\Empowering Technology\SysMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-04-23 13:51 691656 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EmpoweringTechnology]
2008-06-02 16:26 319488 ----a-w- c:\program files\Acer\Empowering Technology\Framework.Launcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-10 23:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WarReg_PopUp]
2006-11-05 21:48 57344 ----a-w- c:\acer\WR_PopUp\WarReg_PopUp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
2009-04-10 23:28 2153472 ----a-w- c:\windows\System32\oobefldr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" -osboot
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4039739818-893874536-596135990-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMSWISSARMY
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2014-01-13 c:\windows\Tasks\GlaryInitialize 4.job
- c:\program files\Glary Utilities 4\Initialize.exe [2013-11-19 03:53]
.
2014-01-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-10-10 20:22]
.
2014-01-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-10-10 20:22]
.
2013-12-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4039739818-893874536-596135990-1000Core.job
- c:\users\Harry\AppData\Local\Google\Update\GoogleUpdate.exe [2009-02-23 09:23]
.
2014-01-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4039739818-893874536-596135990-1000UA.job
- c:\users\Harry\AppData\Local\Google\Update\GoogleUpdate.exe [2009-02-23 09:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://en.uk.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
TCP: Interfaces\{B42B70ED-1884-4FEF-9D57-A0BF8F4E4763}: NameServer = 194.168.4.100,194.168.8.100
FF - ProfilePath - c:\users\Harry\AppData\Roaming\Mozilla\Firefox\Profiles\ssaydfiv.default-1366918138240\
FF - ExtSQL: !HIDDEN! 2010-10-09 16:20; smartwebprinting@hp.com; c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - user.js: extensions.mixidj.tlbrSrchUrl -
FF - user.js: extensions.mixidj.id - 5245e47c0000000000000012175fb7b5
FF - user.js: extensions.mixidj.appId - {A2773ED4-83BD-488A-A186-73590706C916}
FF - user.js: extensions.mixidj.instlDay - 15975
FF - user.js: extensions.mixidj.vrsn - 1.8.18.8
FF - user.js: extensions.mixidj.vrsni - 1.8.18.8
FF - user.js: extensions.mixidj.vrsnTs - 1.8.18.817:31
FF - user.js: extensions.mixidj.prtnrId - mixidj
FF - user.js: extensions.mixidj.prdct - mixidj
FF - user.js: extensions.mixidj.aflt - babsst
FF - user.js: extensions.mixidj.smplGrp - none
FF - user.js: extensions.mixidj.tlbrId - baseyh
FF - user.js: extensions.mixidj.instlRef - sst
FF - user.js: extensions.mixidj.dfltLng - en
FF - user.js: extensions.mixidj.excTlbr - false
FF - user.js: extensions.mixidj.ffxUnstlRst - false
FF - user.js: extensions.mixidj.admin - false
FF - user.js: extensions.mixidj.autoRvrt - false
FF - user.js: extensions.mixidj.rvrt - false
FF - user.js: extensions.mixidj.newTab - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-01-13 16:54
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-4039739818-893874536-596135990-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-4039739818-893874536-596135990-1000\Software\SecuROM\License information*]
"datasecu"=hex:3b,dc,c1,bd,9d,cf,a9,49,e4,6b,83,e2,0a,81,af,f1,32,d3,42,b2,95,
8f,9f,9f,c9,44,39,8f,0a,e3,06,d2,8d,2d,37,8f,54,42,52,17,91,90,48,01,92,9a,\
"rkeysecu"=hex:27,39,7c,ba,9e,09,b3,68,de,af,d1,19,e9,72,17,dc
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2014-01-13 16:56:33
ComboFix-quarantined-files.txt 2014-01-13 16:56
ComboFix2.txt 2014-01-13 13:45
.
Pre-Run: 16,363,704,320 bytes free
Post-Run: 15,634,432,000 bytes free
.
- - End Of File - - B914340DDB140B9C0458C442EBF81C4E
EF9CDC51B437D322D54016B68F003416