Page 3 of 4 (results 21 to 30 of 33)

Thread: Malware I think

  1. #21
    Member (Join Date: Jul 2012; Posts: 32; Points: 0)

    "Silent Runners.vbs", revision 69.2, Silent Runners - Adware? Disinfect, don't reformat!
    Operating System: Microsoft® Windows Vista™ Home Premium Service Pack 2 (32-bit)
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:
    ---------------------------------

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    AvastUI.exe = "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui [AVAST Software]
    TkBellExe = "C:\Program Files\Real\RealPlayer\update\realsched.exe" -osboot [RealNetworks, Inc.]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

    {8E5E2654-AD2D-48bf-AC2D-D17F00898D06}\(Default) = avast! Online Security
    -> {HKLM...CLSID} = avast! Online Security
    \InProcServer32\(Default) = C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [AVAST Software]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\

    00avast\(Default) = {472083B0-C522-11CF-8763-00608CC02F24}
    -> {HKLM...CLSID} = avast
    \InProcServer32\(Default) = C:\Program Files\AVAST Software\Avast\ashShell.dll [AVAST Software]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

    {A70C977A-BF00-412C-90B7-034C51DA2439} = NvCpl DesktopContext Class
    -> {HKLM...CLSID} = DesktopContext Class
    \InProcServer32\(Default) = C:\Program Files\NVIDIA Corporation\Display\nvui.dll [NVIDIA Corporation]

    {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} = NVIDIA Play On My TV Context Menu Extension
    -> {HKLM...CLSID} = NVIDIA CPL Context Menu Extension
    \InProcServer32\(Default) = C:\Windows\system32\nvshext.dll [NVIDIA Corporation]

    {472083B0-C522-11CF-8763-00608CC02F24} = avast
    -> {HKLM...CLSID} = avast
    \InProcServer32\(Default) = C:\Program Files\AVAST Software\Avast\ashShell.dll [AVAST Software]

    {F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} = Shell Extensions for RealOne Player
    -> {HKLM...CLSID} = RealOne Player Context Menu Class
    \InProcServer32\(Default) = c:\program files\real\realplayer\rpshell.dll [RealNetworks, Inc.]

    {DC70C4A5-2044-4c59-B806-DEFB9AE0DF7C} = Logitech Setpoint Extension
    -> {HKLM...CLSID} = KbLogiExt Class
    \InProcServer32\(Default) = C:\Program Files\Logitech\SetPointP\kbcplext.dll [Logitech, Inc.]

    {B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} = iTunes
    -> {HKLM...CLSID} = iTunes
    \InProcServer32\(Default) = C:\Program Files\iTunes\iTunesMiniPlayer.dll [Apple Inc.]

    HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

    avast\(Default) = {472083B0-C522-11CF-8763-00608CC02F24}
    -> {HKLM...CLSID} = avast
    \InProcServer32\(Default) = C:\Program Files\AVAST Software\Avast\ashShell.dll [AVAST Software]

    {CA8ACAFA-5FBB-467B-B348-90DD488DE003}\(Default) = SUPERAntiSpyware Context Menu
    -> {HKLM...CLSID} = SASContextMenu Class
    \InProcServer32\(Default) = C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL [SUPERAntiSpyware.com]

    HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

    00avast\(Default) = {472083B0-C522-11CF-8763-00608CC02F24}
    -> {HKLM...CLSID} = avast
    \InProcServer32\(Default) = C:\Program Files\AVAST Software\Avast\ashShell.dll [AVAST Software]

    MBAMShlExt\(Default) = {57CE581A-0CB6-4266-9CA0-19364C90A0B3}
    -> {HKLM...CLSID} = MBAMShlExt Class
    \InProcServer32\(Default) = C:\Program Files\Malwarebytes Anti-Malware\mbamext.dll [Malwarebytes]

    {CA8ACAFA-5FBB-467B-B348-90DD488DE003}\(Default) = SUPERAntiSpyware Context Menu
    -> {HKLM...CLSID} = SASContextMenu Class
    \InProcServer32\(Default) = C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL [SUPERAntiSpyware.com]

    HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\

    {CA8ACAFA-5FBB-467B-B348-90DD488DE003}\(Default) = SUPERAntiSpyware Context Menu
    -> {HKLM...CLSID} = SASContextMenu Class
    \InProcServer32\(Default) = C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL [SUPERAntiSpyware.com]

    HKLM\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\

    NvCplDesktopContext\(Default) = {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9}
    -> {HKLM...CLSID} = NVIDIA CPL Context Menu Extension
    \InProcServer32\(Default) = C:\Windows\system32\nvshext.dll [NVIDIA Corporation]

    HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\

    {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = PDF Column Info
    -> {HKLM...CLSID} = PDF Shell Extension
    \InProcServer32\(Default) = C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll [Adobe Systems, Inc.]

    HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

    avast\(Default) = {472083B0-C522-11CF-8763-00608CC02F24}
    -> {HKLM...CLSID} = avast
    \InProcServer32\(Default) = C:\Program Files\AVAST Software\Avast\ashShell.dll [AVAST Software]

    MBAMShlExt\(Default) = {57CE581A-0CB6-4266-9CA0-19364C90A0B3}
    -> {HKLM...CLSID} = MBAMShlExt Class
    \InProcServer32\(Default) = C:\Program Files\Malwarebytes Anti-Malware\mbamext.dll [Malwarebytes]


    Group Policies {GPedit.msc branch and setting}:
    -----------------------------------------------

    Note: detected settings may not have any effect.

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

    NoDrives = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

    NoDrives = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\

    DisableOSUpgrade = (REG_DWORD) dword:0x00000001
    {unrecognized setting}

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

    EnableLUA = (REG_DWORD) dword:0x00000000
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    User Account Control: Run All Administrators In Admin Approval Mode}

    DisableRegistryTools = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    SoftwareSASGeneration = (REG_DWORD) dword:0x00000001
    {unrecognized setting}


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
    HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
    Wallpaper = C:\Users\Public\Pictures\Sample Pictures\tiger_in_snow-1600x900.jpg

    Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
    HKCU\Control Panel\Desktop\
    Wallpaper = C:\Users\Public\Pictures\Sample Pictures\tiger_in_snow-1600x900.jpg


    Windows Portable Device AutoPlay Handlers
    -----------------------------------------

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

    CTPlayAudioOnArrivalu\
    Provider = Creative MediaSource 5 Player
    InvokeProgID = CTAutoPLu.AudioCDPlayer.1
    InvokeVerb = open
    HKLM\SOFTWARE\Classes\CTAutoPLu.AudioCDPlayer.1\shell\open\command\(Default) = "C:\Program Files\Creative\MediaSource5\CTCMSu.exe" /T=CLASSKEY_AudioCD IN %L PlayNow [Creative Technology Ltd]

    CTPlayMusicFilesOnArrivalu\
    Provider = Creative MediaSource 5 Player
    InvokeProgID = CTAutoPLu.MusicFilesPlayer.1
    InvokeVerb = open
    HKLM\SOFTWARE\Classes\CTAutoPLu.MusicFilesPlayer.1\shell\open\command\(Default) = "C:\Program Files\Creative\MediaSource5\CTCMSu.exe" /PlayNow "%L" [Creative Technology Ltd]

    iTunesBurnCDOnArrival\
    Provider = iTunes
    InvokeProgID = iTunes.BurnCD
    InvokeVerb = burn
    HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command\(Default) = "C:\Program Files\iTunes\iTunes.exe" /AutoPlayBurn "%L" [Apple Inc.]

    iTunesImportSongsOnArrival\
    Provider = iTunes
    InvokeProgID = iTunes.ImportSongsOnCD
    InvokeVerb = import
    HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command\(Default) = "C:\Program Files\iTunes\iTunes.exe" /AutoPlayImportSongs "%L" [Apple Inc.]

    iTunesPlaySongsOnArrival\
    Provider = iTunes
    InvokeProgID = iTunes.PlaySongsOnCD
    InvokeVerb = play
    HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command\(Default) = "C:\Program Files\iTunes\iTunes.exe" /playCD "%L" [Apple Inc.]

    iTunesShowSongsOnArrival\
    Provider = iTunes
    InvokeProgID = iTunes.ShowSongsOnCD
    InvokeVerb = showsongs
    HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command\(Default) = "C:\Program Files\iTunes\iTunes.exe" /AutoPlayShowSongs "%L" [Apple Inc.]

    RPCDBurningOnArrival\
    Provider = RealPlayer
    InvokeProgID = RealPlayer.CDBurn.6
    InvokeVerb = open
    HKCU\Software\Classes\RealPlayer.CDBurn.6\shell\open\command\(Default) = "c:\program files\real\realplayer\\RealPlay.exe" /burn "%1" [RealNetworks, Inc.]

    RPDeviceOnArrival\
    Provider = RealPlayer
    ProgID = RealPlayer.HWEventHandler
    HKLM\SOFTWARE\Classes\RealPlayer.HWEventHandler\CLSID\(Default) = {67E76F1D-BDE2-4052-913C-2752366192D2}
    -> {HKLM...CLSID} = RealNetworks Scheduler
    \LocalServer32\(Default) = "c:\program files\real\realplayer\Update\realsched.exe" -autoplay [RealNetworks, Inc.]

    RPDVDBurningOnArrival\
    Provider = RealPlayer
    InvokeProgID = RealPlayer.DVDBurn.6
    InvokeVerb = open
    HKCU\Software\Classes\RealPlayer.DVDBurn.6\shell\open\command\(Default) = "c:\program files\real\realplayer\\RealPlay.exe" /burndvd "%1" [RealNetworks, Inc.]

    RPPlayCDAudioOnArrival\
    Provider = RealPlayer
    InvokeProgID = RealPlayer.AudioCD.6
    InvokeVerb = play
    HKCU\Software\Classes\RealPlayer.AudioCD.6\shell\play\command\(Default) = "c:\program files\real\realplayer\\RealPlay.exe" /play %1 [RealNetworks, Inc.]

    RPPlayDVDMovieOnArrival\
    Provider = RealPlayer
    InvokeProgID = RealPlayer.DVD.6
    InvokeVerb = play
    HKCU\Software\Classes\RealPlayer.DVD.6\shell\play\command\(Default) = "c:\program files\real\realplayer\\RealPlay.exe" /dvd %1 [RealNetworks, Inc.]

    RPPlayMediaOnArrival\
    Provider = RealPlayer
    InvokeProgID = RealPlayer.AutoPlay.6
    InvokeVerb = open
    HKCU\Software\Classes\RealPlayer.AutoPlay.6\shell\open\command\(Default) = "c:\program files\real\realplayer\\RealPlay.exe" /autoplay "%1" [RealNetworks, Inc.]


    Windows Sidebar Gadgets: {++}
    ------------------------

    C:\Users\mark\AppData\Local\Microsoft\Windows Sidebar\Settings.ini
    %PROGRAMFILES%\windows sidebar\gadgets\Clock.gadget
    %PROGRAMFILES%\windows sidebar\gadgets\SlideShow.Gadget
    %PROGRAMFILES%\windows sidebar\gadgets\RSSFeeds.Gadget
    "C:%5CProgram%20Files%5CWindows%20Sidebar%5CShared%20Gadgets%5CaswSidebar.gadget"


    Non-disabled Scheduled Tasks: {++}
    -----------------------------

    C:\Windows\System32\Tasks
    4608 -> launches: wscript.exe C:\Users\mark\AppData\Local\Temp\launchie.vbs //B [MS]
    Adobe Acrobat Update Task -> launches: C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [Adobe Systems Incorporated]
    Adobe Flash Player Updater -> launches: C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [Adobe Systems Incorporated]
    avast! Emergency Update -> (HIDDEN!) launches: C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [AVAST Software]
    avastBCLRestartS-1-5-21-2578409918-2136055275-2787630165-1000 -> (HIDDEN!) launches: C:\Program Files\Mozilla Firefox\firefox.exe [Mozilla Corporation]
    CCleanerSkipUAC -> launches: "C:\Program Files\CCleaner\CCleaner.exe" $(Arg0) [Piriform Ltd]
    Express FilesUpdate -> launches: C:\Program Files\ExpressFiles\EFUpdater.exe [file not found]
    RealDownloaderDownloaderScheduledTaskS-1-5-21-2578409918-2136055275-2787630165-1000 -> launches: C:\Program Files\RealNetworks\RealDownloader\recordingmanager.exe /bgrecordaliveevent [RealNetworks, Inc.]
    RealDownloaderRealUpgradeLogonTaskS-1-5-21-2578409918-2136055275-2787630165-1000 -> launches: C:\Program Files\RealNetworks\RealDownloader\realupgrade.exe /logoncheck [RealNetworks, Inc.]
    RealDownloaderRealUpgradeScheduledTaskS-1-5-21-2578409918-2136055275-2787630165-1000 -> launches: C:\Program Files\RealNetworks\RealDownloader\realupgrade.exe /scheduledcheck [RealNetworks, Inc.]
    RealPlayerRealUpgradeLogonTaskS-1-5-21-2578409918-2136055275-2787630165-1000 -> launches: C:\Program Files\Real\RealUpgrade\RealUpgrade.exe /logoncheck [RealNetworks, Inc.]
    RealPlayerRealUpgradeScheduledTaskS-1-5-21-2578409918-2136055275-2787630165-1000 -> launches: C:\Program Files\Real\RealUpgrade\RealUpgrade.exe /scheduledcheck [RealNetworks, Inc.]
    RealUpgradeLogonTaskS-1-5-21-2578409918-2136055275-2787630165-1000 -> launches: C:\Program Files\Real\RealUpgrade\RealUpgrade.exe /logoncheck [RealNetworks, Inc.]
    RealUpgradeScheduledTaskS-1-5-21-2578409918-2136055275-2787630165-1000 -> launches: C:\Program Files\Real\RealUpgrade\RealUpgrade.exe /scheduledcheck [RealNetworks, Inc.]

    C:\Windows\System32\Tasks\Apple
    AppleSoftwareUpdate -> launches: C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task [Apple Inc.]

    C:\Windows\System32\Tasks\Microsoft\Windows\Active Directory Rights Management Services Client
    AD RMS Rights Policy Template Management (Manual) -> launches: {BF5CB148-7C77-4d8a-A53E-D81C70CF743C}
    -> {HKLM...CLSID} = AD RMS Rights Policy Template Management (Manual) Task Handler
    \InProcServer32\(Default) = C:\Windows\system32\msdrm.dll [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\Bluetooth
    UninstallDeviceTask -> launches: BthUdTask.exe $(Arg0) [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient
    SystemTask -> launches: {58fb76b9-ac85-4e55-ac04-427593b1d060}
    -> {HKLM...CLSID} = Certificate Services Client Task Handler
    \InProcServer32\(Default) = C:\Windows\system32\dimsjob.dll [MS]
    UserTask -> launches: {58fb76b9-ac85-4e55-ac04-427593b1d060}
    -> {HKLM...CLSID} = Certificate Services Client Task Handler
    \InProcServer32\(Default) = C:\Windows\system32\dimsjob.dll [MS]
    UserTask-Roam -> launches: {58fb76b9-ac85-4e55-ac04-427593b1d060}
    -> {HKLM...CLSID} = Certificate Services Client Task Handler
    \InProcServer32\(Default) = C:\Windows\system32\dimsjob.dll [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program
    Consolidator -> launches: %SystemRoot%\System32\wsqmcons.exe [MS]
    OptinNotification -> launches: %SystemRoot%\System32\wsqmcons.exe -n 0x1C577FA2B69CAD0 [MS]
    VistaSP1CEIP -> (HIDDEN!) launches: %systemroot%\servicing\vsp1ceip.exe /delete /tn "\Microsoft\Windows\Customer Experience Improvement Program\VistaSP1CEIP" /f [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\Defrag
    ScheduledDefrag -> launches: %windir%\system32\defrag.exe -c -i [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\DiskDiagnostic
    Microsoft-Windows-DiskDiagnosticDataCollector -> (HIDDEN!) launches: %windir%\system32\rundll32.exe dfdts.dll,DfdGetDefaultPolicyAndSMART [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\Media Center
    ehDRMInit -> launches: %SystemRoot%\ehome\ehPrivJob.exe /DRMInit [MS]
    mcupdate -> launches: %SystemRoot%\ehome\mcupdate $(Arg0) -gc [MS]
    OCURActivate -> launches: %SystemRoot%\ehome\ehPrivJob.exe /OCURActivate [MS]
    OCURDiscovery -> launches: %SystemRoot%\ehome\ehPrivJob.exe /OCURDiscovery [MS]
    UpdateRecordPath -> launches: %SystemRoot%\ehome\ehPrivJob.exe /DoUpdateRecordPath $(Arg0) [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\MobilePC
    HotStart -> launches: {06DA0625-9701-43da-BFD7-FBEEA2180A1E}
    -> {HKLM...CLSID} = HotStart User Agent
    \InProcServer32\(Default) = C:\Windows\System32\HotStartUserAgent.dll [MS]
    TMM -> launches: {35EF4182-F900-4632-B072-8639E4478A61}
    -> {HKLM...CLSID} = Transient Multi-Monitor Manager
    \InProcServer32\(Default) = C:\Windows\System32\TMM.dll [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\MUI
    LPRemove -> launches: %windir%\system32\lpremove.exe [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\Multimedia
    SystemSoundsService -> launches: {2DEA658F-54C1-4227-AF9B-260AB5FC3543}
    -> {HKLM...CLSID} = Microsoft PlaySoundService Class
    \InProcServer32\(Default) = C:\Windows\System32\PlaySndSrv.dll [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\NetworkAccessProtection
    NAPStatus UI -> launches: {f09878a1-4652-4292-aa63-8c7d4fd7648f}
    -> {HKLM...CLSID} = Nap ITask Handler Implementation
    \InProcServer32\(Default) = C:\Windows\System32\QAgent.dll [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\PLA\System
    ConvertLogEntries -> (HIDDEN!) launches: %windir%\system32\rundll32.exe %windir%\system32\pla.dll,PlaConvertLogEntries [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\RAC
    RACAgent -> (HIDDEN!) launches: %windir%\system32\RacAgent.exe [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\RemoteAssistance
    RemoteAssistanceTask -> (HIDDEN!) launches: %windir%\system32\RAServer.exe /offerraupdate [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\Shell
    CrawlStartPages -> launches: {51653423-e62d-4ff7-894a-dabb2b8e21e2}
    -> {HKLM...CLSID} = CrawlStartPages Task Handler
    \InProcServer32\(Default) = C:\Windows\System32\srchadmin.dll [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\SideShow
    GadgetManager -> launches: {FF87090D-4A9A-4f47-879B-29A80C355D61}
    -> {HKLM...CLSID} = GadgetsManager Class
    \InProcServer32\(Default) = C:\Windows\System32\AuxiliaryDisplayServices.dll [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\SystemRestore
    SR -> launches: %windir%\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\Tcpip
    IpAddressConflict1 -> launches: rundll32 ndfapi.dll,NdfRunDllDuplicateIPOffendingSystem [MS]
    IpAddressConflict2 -> launches: rundll32 ndfapi.dll,NdfRunDllDuplicateIPDefendingSystem [MS]
    WSHReset -> (HIDDEN!) launches: %systemroot%\system32\netsh.exe interface tcp set heuristic wsh=default [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework
    MsCtfMonitor -> (HIDDEN!) launches: {01575cfe-9a55-4003-a5e1-f38d1ebdcbe1}
    -> {HKLM...CLSID} = MsCtfMonitor task handler
    \InProcServer32\(Default) = C:\Windows\system32\MsCtfMonitor.dll [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\UPnP
    UPnPHostConfig -> launches: sc.exe config upnphost start= auto [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\WDI
    ResolutionHost -> (HIDDEN!) launches: {900be39d-6be8-461a-bc4d-b0fa71f5ecb1}
    -> {HKLM...CLSID} = DiagnosticInfrastructureCustomHandler
    \InProcServer32\(Default) = C:\Windows\System32\wdi.dll [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\Windows Error Reporting
    QueueReporting -> launches: %windir%\system32\wermgr.exe -queuereporting [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\WindowsCalendar
    Reminders - mark -> launches: C:\Program Files\Windows Calendar\WinCal.exe /reminder [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\Wired
    GatherWiredInfo -> launches: %windir%\system32\gatherWiredInfo.vbs [null data]

    C:\Windows\System32\Tasks\Microsoft\Windows\Wireless
    GatherWirelessInfo -> launches: %windir%\system32\gatherWirelessInfo.vbs [null data]

    C:\Windows\System32\Tasks\Microsoft\Windows Defender
    MP Scheduled Scan -> (HIDDEN!) launches: c:\program files\windows defender\MpCmdRun.exe Scan -RestrictPrivileges [MS]

    C:\Windows\System32\Tasks\WPD
    SqmUpload_S-1-5-21-2578409918-2136055275-2787630165-1000 -> (HIDDEN!) launches: %windir%\system32\rundll32.exe portabledeviceapi.dll,#1 [MS]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = %SystemRoot%\system32\NLAapi.dll [MS]
    000000000002\LibraryPath = %SystemRoot%\system32\napinsp.dll [MS]
    000000000003\LibraryPath = %SystemRoot%\system32\pnrpnsp.dll [MS]
    000000000004\LibraryPath = %SystemRoot%\system32\pnrpnsp.dll [MS]
    000000000005\LibraryPath = C:\Program Files\Bonjour\mdnsNSP.dll [Apple Inc.]
    000000000006\LibraryPath = %SystemRoot%\System32\mswsock.dll [MS]
    000000000007\LibraryPath = %SystemRoot%\System32\winrnr.dll [MS]

    Transport Service Providers

    HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 26


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    Avast Antivirus, avast! Antivirus, "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" [AVAST Software]
    AvastVBox COM Service, AvastVBoxSvc, "C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe" [Avast Software]
    PACE License Services, PaceLicenseDServices, "C:\Program Files\Common Files\PACE\Services\LicenseServices\LDSvc.exe" -u https://activation.paceap.com/InitiateActivation [PACE Anti-Piracy, Inc.]
    SAS Core Service, !SASCORE, "C:\Program Files\SUPERAntiSpyware\SASCORE.EXE" [SUPERAntiSpyware.com]


    Safe Mode Drivers & Services (subkey name, subkey default value):
    -----------------------------------------------------------------

    HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\

    <<!>> !SASCORE,

    HKLM\System\CurrentControlSet\Control\SafeBoot\Network\

    <<!>> !SASCORE,


    Print Monitors:
    ---------------

    HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
    BJ Language Monitor3_2\Driver = CNBLM3_2.DLL [CANON INC.]
    Dell 942 Port\Driver = dlbulmpm.DLL [ ]


    ---------- (launch time: 2015-11-16 15:01:45)
    <<!>>: Suspicious data at a malware launch point.

    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + To search all directories of local fixed drives for DESKTOP.INI
    DLL launch points, use the -supp parameter or answer "No" at the
    first message box and "Yes" at the second message box.
    ---------- (total run time: 95 seconds, including 10 seconds for message boxes)
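The report above is an inventory of launch points, and the entry in it a defender would want flagged is the scheduled task named 4608, which starts wscript.exe on a .vbs file under the user's Temp folder, even though the report does not mark it with <<!>>. The script below is an added illustration, not part of this thread and not Silent Runners' own logic: it reads the "Group Policies" and "Non-disabled Scheduled Tasks" sections of a report in this layout and flags (a) policy values that weaken the machine's own defences (the EnableLUA = 0 seen above, which is what SecurityCheck later reports as "UAC is disabled!"; the DisableRegistryTools = 1 check goes beyond this report, which shows that value at 0), (b) tasks whose target is missing, (c) script hosts run on files in user-writable directories, and (d) task binaries that themselves live in user-writable directories. The sample input is constructed from a few lines of the report above plus one invented entry (InventedUpdater, marked in the code) that the report does not contain; which paths count as "user-writable" and which interpreters count as script hosts are the example's own assumptions.

```python
import re
from typing import Dict, List

# Constructed sample in the Silent Runners report layout: a handful of entries
# copied from the report above plus one invented entry that the report does not
# contain (InventedUpdater), included to exercise the "binary in user path" check.
SAMPLE_REPORT = r"""
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

EnableLUA = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Run All Administrators In Admin Approval Mode}

DisableRegistryTools = (REG_DWORD) dword:0x00000000
{unrecognized setting}


Non-disabled Scheduled Tasks: {++}
-----------------------------

C:\Windows\System32\Tasks
4608 -> launches: wscript.exe C:\Users\mark\AppData\Local\Temp\launchie.vbs //B [MS]
Adobe Acrobat Update Task -> launches: C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [Adobe Systems Incorporated]
avast! Emergency Update -> (HIDDEN!) launches: C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [AVAST Software]
CCleanerSkipUAC -> launches: "C:\Program Files\CCleaner\CCleaner.exe" $(Arg0) [Piriform Ltd]
Express FilesUpdate -> launches: C:\Program Files\ExpressFiles\EFUpdater.exe [file not found]
InventedUpdater -> launches: C:\Users\mark\AppData\Roaming\InventedUpdater\upd.exe [null data]
"""

# Task lines: "<name> -> [(HIDDEN!) ]launches: <command> [<company or status>]"
TASK_LINE = re.compile(r"^(?P<name>.+?) -> (?:\(HIDDEN!\) )?launches: (?P<cmd>.+) \[(?P<tag>[^\]]*)\]$")
# Policy lines: "<value name> = (REG_DWORD) dword:0x<8 hex digits>"
POLICY_LINE = re.compile(r"^(?P<name>\w+) = \(REG_DWORD\) dword:0x(?P<hex>[0-9a-fA-F]{8})$")
# The program a command line starts: a quoted path, or an unquoted path ending in a
# program/script extension (Silent Runners prints unquoted paths that contain spaces).
EXE_RE = re.compile(r'^(?:"(?P<q>[^"]+)"|(?P<u>.+?\.(?:exe|com|scr|dll|vbs|js|bat|cmd)))(?=\s|$)', re.I)
# Directories an unprivileged user can write to (assumption: legitimate tasks rarely start there).
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|ProgramData|Users\\Public)\\", re.I)
# Interpreters that make whatever file they are handed executable (assumption: this list).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "powershell.exe"}
# (value name, DWORD) -> finding kind for settings that weaken the machine's own defences.
WEAK_POLICIES = {("EnableLUA", 0): "uac-disabled", ("DisableRegistryTools", 1): "registry-tools-blocked"}

Finding = Dict[str, str]


def first_executable(cmd: str) -> str:
    """Return the program a task command line starts, without surrounding quotes."""
    m = EXE_RE.match(cmd)
    if m:
        return m.group("q") or m.group("u")
    return cmd.split(None, 1)[0]  # e.g. "rundll32 ndfapi.dll,..." -> "rundll32"


def check_task(name: str, cmd: str, tag: str) -> List[Finding]:
    """Apply the task heuristics to one parsed task line."""
    out: List[Finding] = []
    exe_path = first_executable(cmd)
    exe = exe_path.rsplit("\\", 1)[-1].lower()
    if "." not in exe:
        exe += ".exe"
    if tag.lower() == "file not found":
        out.append({"kind": "target-missing", "item": name, "detail": cmd})
    # The "[MS]" tag on a wscript.exe task vouches for wscript.exe, not for the script it runs,
    # so the signer tag alone says nothing about what the task actually does.
    if exe in SCRIPT_HOSTS and USER_WRITABLE.search(cmd):
        out.append({"kind": "script-from-user-path", "item": name, "detail": cmd})
    elif USER_WRITABLE.search(exe_path):
        out.append({"kind": "binary-in-user-path", "item": name, "detail": cmd})
    return out


def triage(report: str) -> List[Finding]:
    """Walk a Silent Runners-style report and collect findings in report order."""
    findings: List[Finding] = []
    current_key = ""
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith(("HKLM\\", "HKCU\\")) and "=" not in line:
            current_key = line  # registry key header for the policy lines that follow
            continue
        m = TASK_LINE.match(line)
        if m:
            findings.extend(check_task(m["name"], m["cmd"], m["tag"]))
            continue
        m = POLICY_LINE.match(line)
        if m:
            kind = WEAK_POLICIES.get((m["name"], int(m["hex"], 16)))
            if kind:
                findings.append({"kind": kind, "item": m["name"],
                                 "detail": f"{current_key}{m['name']} = 0x{m['hex']}"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f['kind']:24} {f['item']:28} {f['detail']}")
```

Run on the sample, it reports four findings: the disabled UAC policy, the 4608 task (script host run on a file under AppData\Local\Temp), the Express FilesUpdate task whose target is gone, and the invented AppData-resident binary; the Adobe, avast and CCleaner tasks pass untouched. The heuristics are a first-pass filter for a human reviewer, not a verdict.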

  2. #22
    zep516 (Member, Spyware Fighter; Join Date: Dec 2005; Location: Pittsburgh, Pa; Posts: 7,175; Points: 1308)

    Mark,

    Run the fix and let me know if avast stops barking.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    Open Notepad (Start => All Programs => Accessories => Notepad).
    Copy/Paste the contents of the code box below into Notepad.
    Code:
    CreateRestorePoint:
    2015-11-10 09:02 - 2015-11-10 09:03 - 00000000 ___HD C:\ProgramData\{49A0BAC7-3326-4433-9373-4AA8793ABB5C}
    2015-11-10 09:02 - 2015-11-10 09:03 - 00000000 ____D C:\Users\mark\AppData\Local\EukuWmow
    Emptytemp:

    • Click Format and ensure Word Wrap is unchecked.
    • Save as Fixlist.txt to your Desktop (it must be in this location).
    • Run FRST/FRST64 and press the Fix button just once and wait.
    • If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
    • The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.


    Note: If the tool warns you that the version you're using is outdated, please download and run the updated version.

    Post the Fixlog.

  3. #23
    Member (Join Date: Jul 2012; Posts: 32; Points: 0)

    Quote Originally Posted by zep516 (post #22 quoted in full)

  4. #24
    Member (Join Date: Jul 2012; Posts: 32; Points: 0)

    Well done, Sir! So far so good. No full-screen ads when shutting down the system, either. Would you mind if I leave the thread open for another day? Any idea what this was? Thanks again!

    Fix result of Farbar Recovery Scan Tool (x86) Version:16-11-2015
    Ran by mark (2015-11-16 18:15:27) Run:5
    Running from C:\Users\mark\Desktop
    Loaded Profiles: mark (Available Profiles: mark & UpdatusUser)
    Boot Mode: Normal

    ==============================================

    fixlist content:
    *****************
    CreateRestorePoint:
    2015-11-10 09:02 - 2015-11-10 09:03 - 00000000 ___HD C:\ProgramData\{49A0BAC7-3326-4433-9373-4AA8793ABB5C}
    2015-11-10 09:02 - 2015-11-10 09:03 - 00000000 ____D C:\Users\mark\AppData\Local\EukuWmow
    Emptytemp:
    *****************

    Restore point was successfully created.

    "C:\ProgramData\{49A0BAC7-3326-4433-9373-4AA8793ABB5C}" folder move:

    Could not move "C:\ProgramData\{49A0BAC7-3326-4433-9373-4AA8793ABB5C}" => Scheduled to move on reboot.

    C:\Users\mark\AppData\Local\EukuWmow => moved successfully
    EmptyTemp: => 174.8 MB temporary data Removed.

    Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 2015-11-16 19:22:24)

    C:\ProgramData\{49A0BAC7-3326-4433-9373-4AA8793ABB5C} => is moved successfully

    ==== End of Fixlog 19:22:24 ====

  5. #25
    zep516 (Member, Spyware Fighter; Join Date: Dec 2005; Location: Pittsburgh, Pa; Posts: 7,175; Points: 1308)

    Hello,

    Please remove ComboFix.

    Uninstall ComboFix
    • Turn off all active protection software.
    • Push the "Windows key" + "R" (the key between the "Ctrl" button and the "Alt" button).
    • Please copy and paste the following into the box: ComboFix /Uninstall, and click OK.
    • Note the space between the X and the /Uninstall; it needs to be there.

    Not 100% sure what it was yet; some sort of adware.

    The thread will stay open for a few days. We also need to remove the other tools, and we will do that in a day or two.

    Thanks
    Joe

  6. #26
    Member (Join Date: Jul 2012; Posts: 32; Points: 0)

    Done. Thanks again Joe. I'll wait for your next instructions.
    Mark

  7. #27
    zep516 (Member, Spyware Fighter; Join Date: Dec 2005; Location: Pittsburgh, Pa; Posts: 7,175; Points: 1308)

    Let's check a few things with Security Check.

    Download Security Check by screen317 from http://rocketgrannie.spywareinfoforu...urityCheck.exe
    Save it to your Desktop.
    Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    NOTE: If SecurityCheck aborts and you get the following message: UNSUPPORTED OPERATING SYSTEM! ABORTED!, try rebooting the system and then run SecurityCheck again.
    Last edited by zep516; 11-17-2015 at 10:06 PM.

  8. #28
    Member (Join Date: Jul 2012; Posts: 32; Points: 0)

    Here is the report. Thanks again!

    Results of screen317's Security Check version 1.012 --- 11/09/15
    Windows Vista Service Pack 2 x86 (UAC is disabled!)
    Internet Explorer 9
    Internet Explorer 8
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    avast! Antivirus
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    SUPERAntiSpyware
    CCleaner
    Java 8 Update 51
    Java version 32-bit out of Date!
    Adobe Flash Player 19.0.0.226
    Adobe Reader 10.1.16 Adobe Reader out of Date!
    Mozilla Firefox (42.0)
    ````````Process Check: objlist.exe by Laurent````````
    AVAST Software Avast AvastSvc.exe
    AVAST Software Avast AvastUI.exe
    AVAST Software Avast ng vbox\AvastVBoxSVC.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: %
    ````````````````````End of Log``````````````````````

  9. #29
    zep516 (Member, Spyware Fighter; Join Date: Dec 2005; Location: Pittsburgh, Pa; Posts: 7,175; Points: 1308)

    Out-of-date Adobe Reader installed!

    Your Adobe Reader needs updating. You should ensure you use the latest Adobe Acrobat Reader and install any security updates that are released. You can download the latest reader and updates from here.
    Important note: Please uncheck any optional offers before downloading.


    Your Java is out of date:

    Note: Due to multiple security problems with Java, we are now recommending that it not be installed unless you absolutely know you need it.
    I would uninstall anything called Java from the Programs and Features menu: Start > Control Panel > Programs & Features, uninstall all Java.


    Windows Vista Service Pack 2 x86 (UAC is disabled!)
    You should re-enable UAC.

    User Account Control (UAC) can help prevent unauthorized changes to your computer. UAC notifies you when changes are going to be made to your computer that require administrator-level permission. These types of changes can affect the security of your computer or can affect settings for other people that use the computer. We recommend that you leave UAC on to help make your computer secure.

    Next, let's clean up the tools and log files; this will also re-enable UAC.


    Please download DelFix and save the file to your Desktop.
    Double-click DelFix.exe to run the programme.
    Place a checkmark next to the following items:
    • Activate UAC
    • Remove disinfection tools
    • Purge system restore
    • Reset system settings


    Click the Run button.
    Post the log report generated.

    We will continue to keep the topic open.

    Thanks
    Joe
    Last edited by zep516; 11-17-2015 at 11:31 PM.

  10. #30
    Member (Join Date: Jul 2012; Posts: 32; Points: 0)

    Hello again, Joe. In the past I was using this computer for digital audio recording and had made a lot of adjustments to optimize it for performance. You can see by the specs it is an older unit with little RAM. It really helped to eliminate clicks and pops in my recordings. I now have another, much better unit and obviously had not rechecked it, so thanks for that. I downloaded Adobe Reader as instructed and ran it; it said the newest version was already installed? Anyway, here is the log requested.

    Thanks again,
    Mark

    # DelFix v1.011 - Logfile created 18/11/2015 at 09:06:35
    # Updated 18/08/2015 by Xplode
    # Username : mark - MARK-PC
    # Operating System : Windows Vista (TM) Home Premium Service Pack 2 (32 bits)

    ~ Activating UAC ... OK

    ~ Removing disinfection tools ...

    Deleted : C:\FRST
    Deleted : C:\TDSSKiller_Quarantine
    Deleted : C:\AdwCleaner
    Deleted : C:\Users\mark\Desktop\FRST-OlderVersion
    Deleted : C:\ComboFix.txt
    Deleted : C:\TDSSKiller.2.8.16.0_05.08.2014_23.34.45_log.txt
    Deleted : C:\TDSSKiller.2.8.16.0_11.01.2014_10.11.11_log.txt
    Deleted : C:\TDSSKiller.2.8.16.0_11.08.2013_10.24.33_log.txt
    Deleted : C:\TDSSKiller.2.8.16.0_16.03.2015_19.52.53_log.txt
    Deleted : C:\TDSSKiller.2.8.16.0_22.07.2013_04.49.53_log.txt
    Deleted : C:\TDSSKiller.2.8.16.0_24.05.2013_15.31.08_log.txt
    Deleted : C:\TDSSKiller.2.8.16.0_24.05.2013_15.32.54_log.txt
    Deleted : C:\TDSSKiller.2.8.16.0_25.06.2013_09.39.45_log.txt
    Deleted : C:\TDSSKiller.2.8.16.0_26.10.2013_00.01.40_log.txt
    Deleted : C:\TDSSKiller.2.8.16.0_26.10.2013_00.02.14_log.txt
    Deleted : C:\TDSSKiller.2.8.16.0_27.06.2013_04.19.59_log.txt
    Deleted : C:\TDSSKiller.3.0.0.14_26.10.2013_00.03.08_log.txt
    Deleted : C:\TDSSKiller.3.0.0.19_11.01.2014_10.12.03_log.txt
    Deleted : C:\TDSSKiller.3.0.0.40_05.08.2014_23.35.49_log.txt
    Deleted : C:\TDSSKiller.3.0.0.44_05.04.2015_23.08.20_log.txt
    Deleted : C:\TDSSKiller.3.0.0.44_16.03.2015_19.53.50_log.txt
    Deleted : C:\TDSSKiller.3.0.0.44_19.05.2015_23.32.07_log.txt
    Deleted : C:\TDSSKiller.3.0.0.44_25.07.2015_10.18.31_log.txt
    Deleted : C:\TDSSKiller.3.1.0.5_01.08.2015_23.12.42_log.txt
    Deleted : C:\TDSSKiller.3.1.0.5_03.11.2015_08.30.32_log.txt
    Deleted : C:\TDSSKiller.3.1.0.5_10.11.2015_09.43.00_log.txt
    Deleted : C:\TDSSKiller.3.1.0.5_10.11.2015_20.28.57_log.txt
    Deleted : C:\TDSSKiller.3.1.0.5_13.08.2015_06.08.54_log.txt
    Deleted : C:\TDSSKiller.3.1.0.5_14.11.2015_16.55.36_log.txt
    Deleted : C:\TDSSKiller.3.1.0.5_14.11.2015_16.59.48_log.txt
    Deleted : C:\TDSSKiller.3.1.0.5_25.07.2015_10.20.07_log.txt
    Deleted : C:\Users\mark\Desktop\adwcleaner_5.020.exe
    Deleted : C:\Users\mark\Desktop\FRST.exe
    Deleted : C:\Users\mark\Desktop\JRT.exe
    Deleted : C:\Users\mark\Desktop\SecurityCheck.exe
    Deleted : C:\Users\mark\Desktop\Silent Runners.zip
    Deleted : C:\Users\mark\Desktop\tdsskiller.exe
    Deleted : C:\Users\mark\Desktop\tdsskiller.zip
    Deleted : HKLM\SOFTWARE\AdwCleaner
    Deleted : HKLM\SOFTWARE\Swearware
    Deleted : HKLM\SOFTWARE\TrendMicro\Hijackthis

    ~ Cleaning system restore ...

    Deleted : RP #134 [Restore Point Created by FRST | 11/15/2015 22:51:31]
    Deleted : RP #136 [Restore Point Created by FRST | 11/16/2015 11:26:39]
    Deleted : RP #138 [Restore Point Created by FRST | 11/16/2015 12:26:21]
    Deleted : RP #140 [Restore Point Created by FRST | 11/17/2015 00:15:28]

    New restore point created !

    ~ Resetting system settings ... OK

    ########## - EOF - ##########
