Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Ransomware


  • This topic is locked This topic is locked
28 replies to this topic

#1 Mr. Quasar

Mr. Quasar

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:07:44 AM

Posted 10 June 2012 - 06:37 PM

Posting this topic by instruction of boopme. Here is the original topic link:

http://www.bleepingcomputer.com/forums/topic456569.html
And my original post from there:

---
Hi all,

Last night while browsing some folders, I noticed a big text file on my desktop called "WARNING," which said the following:

YOUR ID: 286

YOUR COMPUTER IS BLOCKED. All your documents, text files and databases
are securely encrypted.
You can unblock your computer by completing three easy steps.

STEP 1: Buy a MoneyPak in amount of $50 at the nearest store.

STEP2: Fill out the fields on the black screen on your cumputer. Otherwise
send as an e-mail at [email protected] Indicate your ID in the message
title and provide MoneyPak number.

STEP 3: Check your e-mail. We will send you a program to remove the malware
and decrypt your files once payment is verified. Your computer will roll back
to the ordinary state.

Q: How I can make sure that you can really decipher my files?

A: You can send ONE any ciphered file on email [email protected]
(Indicate your ID and /test decrypt/ phrase in the message title), in the
response message you receive the deciphered file.

Q: Where can I purchase a MoneyPak?

A: MoneyPak can be purchased at thousands of stores nationwide, including
major retailers such as Walmart, Walgreens, CVS/pharmacy, Rite Aid, Kmart,
Kroger and Meijer.

Q: How do I buy a MoneyPak at the store?

A: Pick up a MoneyPak from the Prepaid Product Section or Green Dot display
and take it to the register. The cashier will collect your cash and load it onto
the MoneyPak.
https://www.moneypak.com/StoreLocator.aspx - here you find a store near.


There were roughly 486 of these text files - one in every folder I had ever created or altered. But in spite of the gloom-and-doom of the warning, I still had pretty much full access to everything, minus my personal text/doc files and task manager. My text/doc files were now ending in a .crypt extension, and while I can open them, it's just gibberish. So I ran Malwarebytes, nothing. Ran PC Doctor, nothing. Searched around on the Internet for a brief bit, found some not-very-helpful information, and decided to go ahead and do a system restore (yeah, first time ever, probably shouldn't have done that). Ran both PC Doctor and Malwarebytes again, no problems. Task manager works fine, everything seems perfect, but I still can't access any of my text/doc files. Thoughts?

Sorry if this was long, that's just how I am...any clarifications or anything needed, just let me know. Thanks for your time.
---

Wasn't sure if I was supposed to, so I attached Attach.txt, just to be safe. Here is my DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385
Run by Viziren at 18:48:23 on 2012-06-10
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3835.2657 [GMT -4:00]
.
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: IObit Security 360 *Disabled/Outdated* {FAE2835A-B90A-9E7A-85DA-82DBDA7C1E3A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\IObit\IObit Security 360\IS360srv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files (x86)\IObit\Smart Defrag 2\SmartDefrag.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
C:\Program Files (x86)\Realtek\Audio\OSD\RtVOsd64.exe
C:\Program Files (x86)\FK_Monitor\freeklogger.exe
C:\Program Files (x86)\Codebox\BitMeter\BitMeter2.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\ProgramData\Anti-phishing Domain Advisor\visicom_antiphishing.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPSFMessenger\HPSFMsgr.exe
C:\Windows\system32\DllHost.exe
C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://gamefaqs.com/
uSearch Page =
uSearch Bar = Preserve
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://start.facemoods.com/?a=ddrnw&s={searchTerms}&f=4
uURLSearchHooks: H - No File
mWinlogon: Userinit=userinit.exe,
BHO: IE7Pro BHO: {00011268-e188-40df-a514-835fcd78b1bf} - C:\Program Files (x86)\IEPro\iepro.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Babylon toolbar helper: {2eecd738-5844-4a99-b4b6-146bf802613b} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dll
BHO: blekko search bar: {8769adce-dba5-48e9-afb5-67b12cdf2e61} - C:\Program Files (x86)\blekkotb_031\blekkotb_019X.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: Yontoo: {fd72061e-9fde-484d-a58a-0bab4151cad8} - C:\Program Files (x86)\Yontoo\YontooIEClient.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - C:\Program Files (x86)\IEPro\IEProRecorder.dll
TB: Babylon Toolbar: {98889811-442d-49dd-99d7-dc866be87dbc} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dll
TB: blekko search bar: {8769adce-dba5-48e9-afb5-67b12cdf2e61} - C:\Program Files (x86)\blekkotb_031\blekkotb_019X.dll
TB: {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
uRun: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
uRun: [freeklogger.exe] C:\Program Files (x86)\FK_Monitor\freeklogger.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun: [IObit Security 360] "C:\Program Files (x86)\IObit\IObit Security 360\IS360tray.exe" /autostart
mRun: [Anti-phishing Domain Advisor] "C:\ProgramData\Anti-phishing Domain Advisor\visicom_antiphishing.exe"
dRunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10n_ActiveX.exe -update activex
StartupFolder: C:\Users\Viziren\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\PROGSE~1.LNK - C:\Program Files (x86)\ProgSense\progsense.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BITMET~1.LNK - C:\Program Files (x86)\Codebox\BitMeter\BitMeter2.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\LANCHA~1.LNK - C:\Program Files (x86)\Fomine LAN Chat\LANChat.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {000002a3-84fe-43f1-b958-f2c3ca804f1a} - {CD275D4E-791A-4993-9D4D-6A071EDD2709} - C:\Program Files (x86)\IEPro\iepro.dll
IE: {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - {B119EB0C-C021-46CF-85B0-34A760E0D5FE} - C:\Program Files (x86)\IEPro\iepro.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.6.0.cab
DPF: {4F29DE54-5EB7-4D76-B610-A86B5CD2A234} - hxxp://archives.gametap.com/static/cab_headless/GameTapWebPlayer.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.2.1 12.213.80.61
TCP: Interfaces\{5214C1F0-1EEF-4433-AD76-3E35D8E2D5AA} : DhcpNameServer = 192.168.2.1 12.213.80.61
TCP: Interfaces\{5214C1F0-1EEF-4433-AD76-3E35D8E2D5AA}\130364850393137353634353 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{5214C1F0-1EEF-4433-AD76-3E35D8E2D5AA}\34C45465E45445 : DhcpNameServer = 10.71.5.2 10.0.1.5 10.0.1.6 10.0.1.7
TCP: Interfaces\{5214C1F0-1EEF-4433-AD76-3E35D8E2D5AA}\4703577686360303B6965637D20534D275962756C6563737 : DhcpNameServer = 192.168.1.1
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\Advisor\System\BAVoilaX.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
mASetup: {2D46B6DC-2207-486B-B523-A557E6D54B47} - C:\Windows\system32\cmd.exe /D /C start C:\Windows\system32\ie4uinit.exe -ClearIconCache
BHO-X64: IE7Pro BHO: {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files (x86)\IEPro\iepro.dll
BHO-X64: IE7Pro - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Babylon toolbar helper: {2EECD738-5844-4a99-B4B6-146BF802613B} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dll
BHO-X64: Babylon toolbar helper - No File
BHO-X64: blekko search bar: {8769adce-dba5-48e9-afb5-67b12cdf2e61} - C:\Program Files (x86)\blekkotb_031\blekkotb_019X.dll
BHO-X64: blekko search bar - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: Yontoo: {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files (x86)\Yontoo\YontooIEClient.dll
BHO-X64: Yontoo Layers - No File
TB-X64: Grab Pro: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files (x86)\IEPro\IEProRecorder.dll
TB-X64: Babylon Toolbar: {98889811-442D-49dd-99D7-DC866BE87DBC} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dll
TB-X64: blekko search bar: {8769adce-dba5-48e9-afb5-67b12cdf2e61} - C:\Program Files (x86)\blekkotb_031\blekkotb_019X.dll
TB-X64: {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - No File
TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB-X64: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun-x64: [IObit Security 360] "C:\Program Files (x86)\IObit\IObit Security 360\IS360tray.exe" /autostart
mRun-x64: [Anti-phishing Domain Advisor] "C:\ProgramData\Anti-phishing Domain Advisor\visicom_antiphishing.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Viziren\AppData\Roaming\Mozilla\Firefox\Profiles\bs8hdzx6.default\
FF - prefs.js: browser.search.selectedEngine - Facemoods Search
FF - prefs.js: browser.startup.homepage - hxxp://start.facemoods.com/?a=ddrnw
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2790392&SearchSource=2&q=
FF - prefs.js: browser.search.selectedEngine - Blekko
FF - prefs.js: keyword.URL - hxxp://blekko.com/ws/?source=c3348dd4&tbp=rbox&toolbarid=blekkotb_031&u=19378022156DB05EDD82594FD44F14EB&q=
FF - component: C:\Users\Viziren\AppData\Roaming\Mozilla\Firefox\Profiles\bs8hdzx6.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko10.dll
FF - component: C:\Users\Viziren\AppData\Roaming\Mozilla\Firefox\Profiles\bs8hdzx6.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko11.dll
FF - component: C:\Users\Viziren\AppData\Roaming\Mozilla\Firefox\Profiles\bs8hdzx6.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko19.dll
FF - component: C:\Users\Viziren\AppData\Roaming\Mozilla\Firefox\Profiles\bs8hdzx6.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko5.dll
FF - component: C:\Users\Viziren\AppData\Roaming\Mozilla\Firefox\Profiles\bs8hdzx6.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko6.dll
FF - component: C:\Users\Viziren\AppData\Roaming\Mozilla\Firefox\Profiles\bs8hdzx6.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko7.dll
FF - component: C:\Users\Viziren\AppData\Roaming\Mozilla\Firefox\Profiles\bs8hdzx6.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko8.dll
FF - component: C:\Users\Viziren\AppData\Roaming\Mozilla\Firefox\Profiles\bs8hdzx6.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko9.dll
FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Users\Viziren\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
FF - Ext: BitTorrentBar Community Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - %profile%\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.BabylonToolbar_i.id - ee8ac1550000000000004a0f6e02e32b
FF - user.js: extensions.BabylonToolbar_i.hardId - ee8ac1550000000000004a0f6e02e32b
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15496
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1720:10:20
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=109683
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
============= SERVICES / DRIVERS ===============
.
R0 SmartDefragDriver;SmartDefragDriver;C:\Windows\system32\Drivers\SmartDefragDriver.sys --> C:\Windows\system32\Drivers\SmartDefragDriver.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2010-5-14 98208]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2010-2-28 821664]
R2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe [2011-6-21 85560]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-3-28 94264]
R2 HPWMISVC;HPWMISVC;C:\Program Files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-1-12 19968]
R2 IS360service;IS360service;C:\Program Files (x86)\IObit\IObit Security 360\is360srv.exe [2011-4-16 312152]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-4-26 654408]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2009-12-3 483688]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 Sftfs;Sftfs;C:\Windows\system32\DRIVERS\Sftfslh.sys --> C:\Windows\system32\DRIVERS\Sftfslh.sys [?]
R3 Sftplay;Sftplay;C:\Windows\system32\DRIVERS\Sftplaylh.sys --> C:\Windows\system32\DRIVERS\Sftplaylh.sys [?]
R3 Sftredir;Sftredir;C:\Windows\system32\DRIVERS\Sftredirlh.sys --> C:\Windows\system32\DRIVERS\Sftredirlh.sys [?]
R3 Sftvol;Sftvol;C:\Windows\system32\DRIVERS\Sftvollh.sys --> C:\Windows\system32\DRIVERS\Sftvollh.sys [?]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2009-12-3 209768]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\system32\DRIVERS\usbfilter.sys --> C:\Windows\system32\DRIVERS\usbfilter.sys [?]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 CamdAudio;CamdAudio;C:\Windows\system32\drivers\CamdAudio.sys --> C:\Windows\system32\drivers\CamdAudio.sys [?]
S3 cpuz134;cpuz134;C:\Program Files (x86)\CPUID\PC Wizard 2010\pcwiz_x64.sys [2011-5-22 21480]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\netw5v64.sys --> C:\Windows\system32\DRIVERS\netw5v64.sys [?]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-10 4925184]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
S4 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
S4 HP Wireless Assistant Service;HP Wireless Assistant Service;C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-4-5 103992]
.
=============== Created Last 30 ================
.
2074-05-19 01:44:52 607296 ------w- C:\Program Files (x86)\Microsoft Games\Age of Empires III\deformerdllyD.dll
2012-06-10 07:39:30 -------- d-----w- C:\ProgramData\blekko toolbars
2012-06-10 07:39:06 -------- d-----w- C:\Program Files (x86)\Extension Changer
2012-06-10 07:39:01 -------- d-----w- C:\Program Files (x86)\blekkotb_031
2012-06-10 07:38:58 -------- d-----w- C:\Users\Viziren\AppData\Local\blekkotb_031
2012-06-10 07:38:55 -------- d-----w- C:\ProgramData\Anti-phishing Domain Advisor
2012-06-10 07:24:12 -------- d-----w- C:\Program Files (x86)\mPulis Software
2012-06-05 00:10:34 -------- d-----w- C:\Users\Viziren\AppData\Roaming\BabylonToolbar
2012-06-05 00:10:21 -------- d-----w- C:\Program Files (x86)\BabylonToolbar
2012-06-05 00:09:57 -------- d-----w- C:\Users\Viziren\AppData\Roaming\Babylon
2012-06-05 00:09:57 -------- d-----w- C:\ProgramData\Babylon
2012-06-05 00:09:47 -------- d-----w- C:\ProgramData\Tarma Installer
2012-06-05 00:09:47 -------- d-----w- C:\Program Files (x86)\Yontoo
2012-05-22 21:21:53 -------- d-----w- C:\Program Files (x86)\Fomine LAN Chat
.
==================== Find3M ====================
.
2012-04-24 06:06:53 61440 ----a-w- C:\Windows\SysWow64\nvPhotoshopUtil.dll
2012-04-24 06:06:53 40960 ----a-w- C:\Windows\SysWow64\nvISWOW64.dll
2012-04-24 06:06:53 151552 ----a-w- C:\Windows\SysWow64\nvRegDev.dll
2012-04-04 19:56:40 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-03-15 08:06:53 466456 ----a-w- C:\Windows\System32\wrap_oal.dll
2012-03-15 08:06:53 122904 ----a-w- C:\Windows\System32\OpenAL32.dll
2012-03-15 08:06:52 444952 ----a-w- C:\Windows\SysWow64\wrap_oal.dll
2012-03-15 08:06:52 109080 ----a-w- C:\Windows\SysWow64\OpenAL32.dll
1999-06-25 15:55:30 149504 ----a-w- C:\Program Files (x86)\UNWISE.EXE
.
============= FINISH: 18:51:13.77 ===============

Attached Files


Edited by Orange Blossom, 10 June 2012 - 07:31 PM.
Corrected link. ~ OB


BC AdBot (Login to Remove)

 


#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Instructor
  • 14,419 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:44 AM

Posted 12 June 2012 - 10:02 AM

Hello, Mr. Quasar.
My name is etavares and I will be helping you with this log.

Here are some guidelines to ensure we are able to get your machine back under your control.

  • Please do not run any unsupervised scans, fixes, etc. We can work against each other and end up in a worse place.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first. There's no harm in asking questions!



Step 1


P2P Warning and Request
The log shows that you have been using so called peer-to-peer or file-sharing programmes (in your case BitTorrent). These programmes allow to share files between users as the name(s) suggest. In today's world the cyber crime has come a long way and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of their malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. I recommend that you uninstall this program. That is optional, however. If you decide to not uninstall, please refrain from using it until I let you know your computer is clean.








Conduit Toolbar Warning"

I see you have the a Conduit toolbar installed. This often is recognized as trackware and I recommend you remove it.

If you would like to remove it, please go to add/Remove Programs and uninstall Blekko Search Bar.



Step 1


Before we really get into it, I need to ask you to remove IOBit.

I see you have IOBit installed on your computer. This is a known rogue antivirus that steals definitions from legitimate antiviruses. Please read about it here. Before I can help you, please uninstall IOBit via Add/Remove Programs. If you need another antivirus, some good free ones (for personal use) are Avast, Microsoft Security Essentials and Avira AntiVir

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

unite_teal.png
Unified Network of Instructors and Trusted Eliminators
 


#3 Mr. Quasar

Mr. Quasar
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:07:44 AM

Posted 12 June 2012 - 12:53 PM

Hello etavares,

First let me say thank you for the help. I wanted to take a second to respond to one point you made;

-Per BitTorrent - I understand that generally speaking BitTorrent is used with files that can potentially track thousands upon thousands of downloaders and uploaders, so I see why it would be dangerous to use. However, my main use of the program is downloading and sharing game modifications with several active communities, and sharing my own DRM-free games with friends. So I guess I want to pose the question, is BitTorrent inherently a security threat, or a tool that carries risk depending on the uses it is put to? At the very least, I will not use it while we are working through this problem.

Both the Blekko Search Bar and IOBit Security came packed in with other software, those have been removed. I have also subscribed to the topic, and will await your next instructions. Thank you for your help so far.

#4 etavares

etavares

    Bleepin' Remover


  • Malware Response Instructor
  • 14,419 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:44 AM

Posted 12 June 2012 - 02:24 PM

Hello, Mr. Quasar.

Did you install another antivirus after you removed IOBit? Without an active antivirus, you can easily get reinfected as we work.

BitTorrent is safe to use when you know what is on the other end. So, if you're using it to share known files iwth people you trust, then it's not an inherent security risk and a great tool for doing just that.





Step 1



Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on etavaresCF.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.



Step 2

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • It gives you the option to add the latest Avast definitions and recommends you do so. Ignore it and click No as it may crash your system or hang up and we don't need that info.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Note: aswMBR will save MBR.dat to your desktop. Do NOT delete it until I tell you your computer is clean. It is a backup of your MBR that we may need later.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

unite_teal.png
Unified Network of Instructors and Trusted Eliminators
 


#5 Mr. Quasar

Mr. Quasar
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:07:44 AM

Posted 12 June 2012 - 04:42 PM

Okay, both are done. I do not have any Anitvirus now that IOBit is gone (minus Malware, but that doesn't really count, does it?). I will fix that problem shortly.

There have been no symptoms after running Combofix. Did you want me to paste the log here, or attach it? I'll attach it, since it's so very long. Edit: On second thought, I think I am meant to paste the Combofix log...I'm not sure, I guess I possibly should have asked first :) Here it is, as well:

ComboFix 12-06-12.01 - Viziren 06/12/2012 16:55:55.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3835.2452 [GMT -4:00]
Running from: c:\users\Viziren\Desktop\etavaresCF.exe
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\program files (x86)\Retrogamer_2zEI
c:\windows\SysWow64\SET655B.tmp
c:\windows\SysWow64\SET8A8F.tmp
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_npf
.
.
((((((((((((((((((((((((( Files Created from 2012-05-12 to 2012-06-12 )))))))))))))))))))))))))))))))
.
.
2074-05-19 01:44 . 2008-03-21 22:46 607296 ------w- c:\program files (x86)\Microsoft Games\Age of Empires III\deformerdllyD.dll
2012-06-12 21:11 . 2012-06-12 21:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-11 04:05 . 2012-06-11 04:05 -------- d-----w- c:\users\Viziren\AppData\Roaming\dvdcss
2012-06-10 07:39 . 2012-06-12 18:16 -------- d-----w- c:\programdata\blekko toolbars
2012-06-10 07:39 . 2012-06-10 07:39 -------- d-----w- c:\program files (x86)\Extension Changer
2012-06-10 07:38 . 2012-06-10 07:41 -------- d-----w- c:\users\Viziren\AppData\Local\blekkotb_031
2012-06-10 07:38 . 2012-06-10 07:38 -------- d-----w- c:\programdata\Anti-phishing Domain Advisor
2012-06-10 07:24 . 2012-06-10 07:24 -------- d-----w- c:\program files (x86)\mPulis Software
2012-06-05 00:10 . 2012-06-10 07:00 -------- d-----w- c:\program files (x86)\BabylonToolbar
2012-06-05 00:10 . 2012-06-05 00:10 237 ----a-w- C:\user.js
2012-06-05 00:09 . 2012-06-10 05:18 -------- d-----w- c:\users\Viziren\AppData\Roaming\Babylon
2012-06-05 00:09 . 2012-06-05 00:09 -------- d-----w- c:\programdata\Babylon
2012-06-05 00:09 . 2012-06-05 00:09 -------- d-----w- c:\programdata\Tarma Installer
2012-06-05 00:09 . 2012-06-05 00:09 -------- d-----w- c:\program files (x86)\Yontoo
2012-05-22 21:21 . 2012-05-22 21:21 -------- d-----w- c:\program files (x86)\Fomine LAN Chat
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-24 06:06 . 2012-04-24 05:55 151552 ----a-w- c:\windows\SysWow64\nvRegDev.dll
2012-04-24 06:06 . 2012-04-24 05:55 61440 ----a-w- c:\windows\SysWow64\nvPhotoshopUtil.dll
2012-04-24 06:06 . 2012-04-24 05:55 40960 ----a-w- c:\windows\SysWow64\nvISWOW64.dll
2012-04-04 19:56 . 2011-03-29 17:47 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-29 02:13 . 2012-03-29 02:13 6144 ----a-r- c:\users\Viziren\AppData\Roaming\Microsoft\Installer\{8F99E711-CE74-4718-BE04-19D1A53A735C}\Icon83F12F734.exe
2012-03-29 02:13 . 2012-03-29 02:13 15360 ----a-r- c:\users\Viziren\AppData\Roaming\Microsoft\Installer\{8F99E711-CE74-4718-BE04-19D1A53A735C}\Icon83F12F738.exe
2012-03-29 02:13 . 2012-03-29 02:13 11264 ----a-r- c:\users\Viziren\AppData\Roaming\Microsoft\Installer\{8F99E711-CE74-4718-BE04-19D1A53A735C}\Icon8F99E711.exe
2012-03-29 02:13 . 2012-03-29 02:13 10752 ----a-r- c:\users\Viziren\AppData\Roaming\Microsoft\Installer\{8F99E711-CE74-4718-BE04-19D1A53A735C}\Icon8255BBAC1.exe
2012-03-15 08:06 . 2012-02-07 18:27 466456 ----a-w- c:\windows\system32\wrap_oal.dll
2012-03-15 08:06 . 2012-02-07 18:27 122904 ----a-w- c:\windows\system32\OpenAL32.dll
2012-03-15 08:06 . 2012-02-07 18:27 444952 ----a-w- c:\windows\SysWow64\wrap_oal.dll
2012-03-15 08:06 . 2012-02-07 18:27 109080 ----a-w- c:\windows\SysWow64\OpenAL32.dll
1999-06-25 15:55 . 2011-02-26 19:48 149504 ----a-w- c:\program files (x86)\UNWISE.EXE
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\Steam.exe" [2011-11-23 1242448]
"freeklogger.exe"="c:\program files (x86)\FK_Monitor\freeklogger.exe" [2011-10-13 794624]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\SysWOW64\Macromed\Flash\FlashUtil10n_ActiveX.exe" [2011-03-12 234656]
.
c:\users\Viziren\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ProgSense.lnk - c:\program files (x86)\ProgSense\progsense.exe [2011-8-24 937152]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bitmeter2.lnk - c:\program files (x86)\Codebox\BitMeter\BitMeter2.exe [2010-8-28 1462272]
LAN Chat.lnk - c:\program files (x86)\Fomine LAN Chat\LANChat.exe [2008-2-25 233472]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R1 iaydxdmz;iaydxdmz;c:\windows\system32\drivers\iaydxdmz.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-06-21 85560]
R3 CamdAudio;CamdAudio;c:\windows\system32\drivers\CamdAudio.sys [x]
R3 cpuz134;cpuz134;c:\program files (x86)\CPUID\PC Wizard 2010\pcwiz_x64.sys [2010-07-09 21480]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
R4 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
R4 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-04-05 103992]
R4 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S0 SmartDefragDriver;SmartDefragDriver;c:\windows\System32\Drivers\SmartDefragDriver.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2010-02-05 98208]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-02-28 821664]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-03-28 94264]
S2 HPWMISVC;HPWMISVC;c:\program files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-01-12 19968]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2009-12-03 483688]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2009-12-03 209768]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{2D46B6DC-2207-486B-B523-A557E6D54B47}]
2009-07-14 01:14 301568 ----a-w- c:\windows\System32\cmd.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-12 c:\windows\Tasks\AWC Startup.job
- c:\program files (x86)\IObit\Advanced SystemCare 3\AWC.exe [2011-04-16 17:53]
.
2012-06-11 c:\windows\Tasks\HPCeeScheduleForViziren.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-01-05 10:53]
.
2012-06-12 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~2\SMARTD~1\Messages\SDNotify.exe [2012-03-02 18:22]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2010-02-05 6160928]
"RtkOSD"="c:\program files (x86)\Realtek\Audio\OSD\RtVOsd64.exe" [2010-02-05 995840]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2009-09-30 825184]
"combofix"="c:\etavarescf\CF24127.3XE" [2009-07-14 344576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uStart Page = hxxp://gamefaqs.com/
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.2.1 12.213.80.61
DPF: {4F29DE54-5EB7-4D76-B610-A86B5CD2A234} - hxxp://archives.gametap.com/static/cab_headless/GameTapWebPlayer.cab
FF - ProfilePath - c:\users\Viziren\AppData\Roaming\Mozilla\Firefox\Profiles\bs8hdzx6.default\
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxp://blekko.com/ws/?source=c3348dd4&toolbarid=blekkotb_031&u=19378022156DB05EDD82594FD44F14EB&tbp=homepage
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2790392&SearchSource=2&q=
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
FF - Ext: BitTorrentBar Community Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - %profile%\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}
FF - Ext: Babylon: [email protected] - %profile%\extensions\[email protected]
FF - user.js: extensions.BabylonToolbar_i.id - ee8ac1550000000000004a0f6e02e32b
FF - user.js: extensions.BabylonToolbar_i.hardId - ee8ac1550000000000004a0f6e02e32b
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15496
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1720:10
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=109683
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{88c7f2aa-f93f-432c-8f0e-b7d85967a527} - (no file)
WebBrowser-{88C7F2AA-F93F-432C-8F0E-B7D85967A527} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-Shockwave - c:\windows\System32\Macromed\SHOCKW~2\UNWISE.EXE
AddRemove-{CA43FE4F-9FF2-4AD7-88F0-CC3BAC17B226} - c:\program files (x86)\InstallShield Installation Information\{CA43FE4F-9FF2-4AD7-88F0-CC3BAC17B226}\setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"=hex:51,66,7a,6c,4c,1d,38,12,8d,ec,f8,
7b,2b,25,27,06,e7,c4,bc,f0,98,15,0d,de
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}"=hex:51,66,7a,6c,4c,1d,38,12,60,d8,39,
64,cd,04,79,07,f5,b7,d6,9a,c1,81,e0,1c
"{6D53EC84-6AAE-4787-AEEE-F4628F01010C}"=hex:51,66,7a,6c,4c,1d,38,12,ea,ef,40,
69,9c,24,e9,02,d1,f8,b7,22,8a,5f,45,18
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:ab,be,4f,db,46,0f,cc,01
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d2,b9,6f,82,96,94,bc,42,93,c0,d9,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d2,b9,6f,82,96,94,bc,42,93,c0,d9,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10n.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10n.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10n.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10n.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\Flip Video\FlipShare\FlipShareService.exe
c:\program files (x86)\IObit\Smart Defrag 2\SmartDefrag.exe
.
**************************************************************************
.
Completion time: 2012-06-12 17:26:02 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-12 21:26
.
Pre-Run: 9,916,428,288 bytes free
Post-Run: 9,727,197,184 bytes free
.
- - End Of File - - D05EBA0C01AA63A2FC0FE440403BB528

And here is the MBR scan log:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-06-12 17:30:32
-----------------------------
17:30:32.464 OS Version: Windows x64 6.1.7600
17:30:32.465 Number of processors: 2 586 0x603
17:30:32.467 ComputerName: VIZIREN-PC UserName: Viziren
17:30:34.963 Initialize success
17:30:47.380 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000061
17:30:47.383 Disk 0 Vendor: SAMSUNG_ 2AJ1 Size: 305245MB BusType: 11
17:30:47.408 Disk 0 MBR read successfully
17:30:47.415 Disk 0 MBR scan
17:30:47.420 Disk 0 unknown MBR code
17:30:47.450 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 199 MB offset 2048
17:30:47.481 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 290905 MB offset 409600
17:30:47.532 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 14036 MB offset 596183040
17:30:47.605 Disk 0 Partition 4 00 0C FAT32 LBA MSDOS5.0 103 MB offset 624928768
17:30:47.772 Disk 0 scanning C:\Windows\system32\drivers
17:30:56.269 Service scanning
17:31:14.748 Modules scanning
17:31:14.766 Disk 0 trace - called modules:
17:31:14.785 ntoskrnl.exe CLASSPNP.SYS disk.sys amdxata.sys storport.sys hal.dll amdsata.sys
17:31:14.799 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80042f2730]
17:31:14.811 3 CLASSPNP.SYS[fffff8800180143f] -> nt!IofCallDriver -> [0xfffffa800427c6f0]
17:31:14.825 5 amdxata.sys[fffff8800107f76b] -> nt!IofCallDriver -> \Device\00000061[0xfffffa800427a9c0]
17:31:14.840 Scan finished successfully
17:31:28.010 Disk 0 MBR has been saved successfully to "C:\Users\Viziren\Desktop\MBR.dat"
17:31:28.021 The log file has been saved successfully to "C:\Users\Viziren\Desktop\aswMBR.txt"


If you prefer either of those posted differently, just let me know. Thanks again for the help.

Edit: Now if I could ask a question here, should I go ahead and uninstall the other IOBit programs as well? I did not realize, I have 3 of them still on my computer (Smart DeFrag, Advanced SystemCare, and Game Booster).

Attached Files


Edited by Mr. Quasar, 12 June 2012 - 04:54 PM.


#6 etavares

etavares

    Bleepin' Remover


  • Malware Response Instructor
  • 14,419 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:44 AM

Posted 12 June 2012 - 05:36 PM

Pasting is perfect. Did you know there appears to be a keylogger installed on your system? Did you put it there? It appears to be the Free Key Monitor.

"freeklogger.exe"="c:\program files (x86)\FK_Monitor\freeklogger.exe" [2011-10-13 794624]


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

unite_teal.png
Unified Network of Instructors and Trusted Eliminators
 


#7 Mr. Quasar

Mr. Quasar
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:07:44 AM

Posted 12 June 2012 - 07:00 PM

Okay. And yes, the keylogger is mine. I like to have something to keep track of what I'm doing, I'm forgetful sometimes. It's safe for my own personal use, right?

Also, since the ComboFix, I get a prompt when I open up Internet Explorer asking if I want to set it as my default browser, as well as a prompt saying something along the lines of "You are browsing a secure page." These are both completely normal prompts, they're just not something I've seen since I probably booted up the computer for the first time. Just figured I'd mention it.

#8 etavares

etavares

    Bleepin' Remover


  • Malware Response Instructor
  • 14,419 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:44 AM

Posted 14 June 2012 - 09:24 PM

Hello, Mr. Quasar.

If you installed it intentionally, you're fine. I just wanted to make sure someone around you didn't install it!

Ok,

Please download decrypt_SetSysLog32.zip from Fabian Wosar and save it to your desktop.

Unzip the file, then run it.

The tool will determine the decryption key automatically and perform validations that the files were decrypted correctly. Just in case though it will NOT delete the original .crypt files. If you see one of the following error message it means you most likely got hit by a new variant of the malware:

Could not find decryption key. Maybe a new variant?


An error occurred when trying to decrypt file <source file> to <destination file>!



The following error message though is normal and just indicates that the decrypted file could not be created as it is currently in use (like some LOG files for example):


Exception occurred while processing file <source file>:
Class: EFCreateError - Exception: Cannot create file "<destination file>".
The process cannot access the file because it is being used by another process



Please let me know how it goes.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

unite_teal.png
Unified Network of Instructors and Trusted Eliminators
 


#9 Mr. Quasar

Mr. Quasar
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:07:44 AM

Posted 15 June 2012 - 01:54 AM

Hey etavares,

I had actually already tried that tool. In-between this topic being created and your response, my original topic had that link posted, I tried it and was given the "new variant" error. I would have mentioned this, but didn't want to bump the topic, or interrupt during the earlier stages.

I figured I should try again (with your fresh download), since it looks like we cleaned some things up, but I got the same response from the program this time. Cheers.

Edited by Mr. Quasar, 15 June 2012 - 01:54 AM.


#10 etavares

etavares

    Bleepin' Remover


  • Malware Response Instructor
  • 14,419 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:44 AM

Posted 16 June 2012 - 06:01 AM

OK, a bit more research shows we may be out of luck and you'll need to restore your files from a backup. There is one chance...the malware saves the encryption key to a file, then it deletes it when it is done. We can hope it's still there. Please click start, type %appdata% and press Enter. You'll see a folder open. Look for ccrypt.txt or ccrypt.txt.enc in there. If so, please attach it. If not, there is still one other chance. Use Shadow Explorer and try to find either one of those two files.

Let me know how it goes.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

unite_teal.png
Unified Network of Instructors and Trusted Eliminators
 


#11 Mr. Quasar

Mr. Quasar
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:07:44 AM

Posted 16 June 2012 - 11:55 AM

Ok. After reading a nice long thread on Norton's site, I had come to the conclusion it was unlikely I'd be able to fix the problem. I searched for each of the ccrypt files, neither were there. By %appdata% you wanted me to end up in Roaming, right?

I then tried to use the link provided, but it didn't work, so I just went to ShadowExplorer.com and got it myself. Now when I launch the program everything is just blank. It says on their site that if I have TrueCrypt I need to fix some settings. I don't have TrueCrypt. Then it says I need to check if System Restore is working properly. I'm pretty sure it is. Should I contact them (since that's what it says to do)?

Edit: And lastly, by restoring from a backup, you mean from an external USB or web backup, right? Thanks again for all your help.

Edited by Mr. Quasar, 16 June 2012 - 11:56 AM.


#12 etavares

etavares

    Bleepin' Remover


  • Malware Response Instructor
  • 14,419 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:44 AM

Posted 16 June 2012 - 08:04 PM

Hello, Mr. Quasar.

Yes, %appdata% should end up in roaming. Even if it doesn't, %appdata% points to where you should look.

By restoring from a backup, I do mean restoring the files from an external USB or web backup...or eSata, or anywhere you have a copy of the file.

Before we do that, we do need to update many security holes that may have been how you were infected in the first place:


Step 1

Next, we need to update Java.
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) 7 Update 4 32-bit version. Note that if you have 64-bit windows, the default is to use a 32-bit browser. If you modified your IE to use the 64-bit version, make sure to also download the 64-bit version.
  • Save it to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) or Java™ in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version(s) shown below:
    Java 6 Update 24
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u29-windows-i586-s.exe to install the newest version. If you downloaded the 64-bit version, make sure to install that as well.




Step 2

Your Adobe Reader software is out of date and has known security holes. Please launch it, go to Help --> Check for Updates and let it update the main program if needed. Updates the languages and/or dictionaries is optional.



Step 3

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

unite_teal.png
Unified Network of Instructors and Trusted Eliminators
 


#13 Mr. Quasar

Mr. Quasar
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:07:44 AM

Posted 18 June 2012 - 07:07 PM

Java and Adobe were updated, thanks.

I ran the ESET Online Scanner, here are my results;

C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarApp.dll a variant of Win32/Toolbar.Babylon application
C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarEng.dll Win32/Toolbar.Babylon application
C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarsrv.exe probably a variant of Win32/Toolbar.Babylon application
C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dll Win32/Toolbar.Babylon application
C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dll Win32/Toolbar.Babylon application
C:\Program Files (x86)\Yontoo\YontooIEClient.dll a variant of Win32/Adware.Yontoo.A application
C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application
C:\Users\All Users\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application
C:\Users\Viziren\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\AV77SRJG\eu[1].js HTML/Iframe.B.Gen virus
C:\Users\Viziren\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\13dbd5de-5c4b96bd Java/Exploit.Agent.NCH trojan
C:\Users\Viziren\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\535f0b7a-59ee73b7 Java/Agent.DW trojan
C:\Users\Viziren\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\535f0b7a-66c1c3f1 Java/Exploit.Agent.NAO trojan
C:\Users\Viziren\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\60b3897a-2b57a1c6 Java/Exploit.CVE-2012-0507.AM trojan
C:\Users\Viziren\Desktop\Gig\Files To Keep\Browser Stuff\SoftonicDownloader_for_deepnet-explorer.exe a variant of Win32/SoftonicDownloader.A application
C:\Users\Viziren\Desktop\Gig\Files To Keep\Browser Stuff\SoftonicDownloader_for_phaseout.exe a variant of Win32/SoftonicDownloader.A application
C:\Users\Viziren\Desktop\Gig\Tradewinds_2\ecltw2.exe probably a variant of Win32/Agent.MBHBYYM trojan
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5\upgrade[1].cab a variant of Win32/Adware.OneStep.Z application
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5\upgrade[1].cab a variant of Win32/Adware.OneStep.Z application

Just awaiting your response. Sorry for the delay. It took about 6 hours, and yesterday was a holiday.

#14 etavares

etavares

    Bleepin' Remover


  • Malware Response Instructor
  • 14,419 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:44 AM

Posted 18 June 2012 - 07:24 PM

Hello, Mr. Quasar.
Before we clean up, I'd like one last DDS log to look at.

There wasn't too much in the ESET log, mostly toolbars. HOwever, there were signs you went to a bad or hacked website in your temp internet files. It happens to legit websites from time to time if their security isn't good enough. THere are also some trojans in your java cache...the kind that can take advantage of non-updated Java. So, make sure to keep it up to date. :)

This one may be a false positive:
C:\Users\Viziren\Desktop\Gig\Tradewinds_2\ecltw2.exe

You can unquarantine it if you trust it. If it's a cracked game or one downloaded from a torrent, I would leave it in the antivirus.



etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

unite_teal.png
Unified Network of Instructors and Trusted Eliminators
 


#15 Mr. Quasar

Mr. Quasar
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:07:44 AM

Posted 19 June 2012 - 03:06 AM

Okay, if I might ask, any way for me to check where the bad stuff in the temporary folder came from? I honestly can't recall any risky browsing the last few days, or week for that matter. Tradewinds 2 is my own game, seems like a false positive to me. And I'll make sure to keep Java/Adobe up-to-date, even if it can be a slight inconvenience sometimes (bandwidth caps), clearly I was living on the edge a little too long :) Here is the DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 10.4.0
Run by Viziren at 3:59:20 on 2012-06-19
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3835.1637 [GMT -4:00]
.
AV: PC Tools Internet Security Anti-Virus *Disabled/Updated* {2F668A56-D5E0-2DF1-A0AE-CB1284F42AB2}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: PC Tools Internet Security Anti-Spyware *Disabled/Updated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}
FW: PC Tools Internet Security Firewall *Enabled* {175D0B73-9F8F-2CA9-8BF1-62277A276DC9}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Program Files (x86)\ShadowExplorer\sesvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files (x86)\IObit\Smart Defrag 2\SmartDefrag.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
C:\Program Files (x86)\Realtek\Audio\OSD\RtVOsd64.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
C:\Program Files (x86)\FK_Monitor\freeklogger.exe
C:\Program Files (x86)\Codebox\BitMeter\BitMeter2.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\DllHost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVH.EXE
C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files (x86)\IEPro\MiniDM.exe
C:\Program Files (x86)\PC Tools\PC Tools Security\BDT\BDTUpdateService.exe
C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe
C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe
C:\Program Files (x86)\PC Tools\PC Tools Security\pctsGui.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10n_ActiveX.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://gamefaqs.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - C:\Program Files (x86)\PC Tools\PC Tools Security\BDT\PCTBrowserDefender.dll
BHO: IE7Pro BHO: {00011268-e188-40df-a514-835fcd78b1bf} - C:\Program Files (x86)\IEPro\iepro.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - C:\Program Files (x86)\PC Tools\PC Tools Security\BDT\PCTBrowserDefender.dll
BHO: Babylon toolbar helper: {2eecd738-5844-4a99-b4b6-146bf802613b} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - C:\Program Files (x86)\IEPro\IEProRecorder.dll
TB: Babylon Toolbar: {98889811-442d-49dd-99d7-dc866be87dbc} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - C:\Program Files (x86)\PC Tools\PC Tools Security\BDT\PCTBrowserDefender.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
uRun: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
uRun: [freeklogger.exe] C:\Program Files (x86)\FK_Monitor\freeklogger.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [ISTray] "C:\Program Files (x86)\PC Tools\PC Tools Security\pctsGui.exe" /hideGUI
dRunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10n_ActiveX.exe -update activex
StartupFolder: C:\Users\Viziren\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\PROGSE~1.LNK - C:\Program Files (x86)\ProgSense\progsense.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BITMET~1.LNK - C:\Program Files (x86)\Codebox\BitMeter\BitMeter2.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\LANCHA~1.LNK - C:\Program Files (x86)\Fomine LAN Chat\LANChat.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {000002a3-84fe-43f1-b958-f2c3ca804f1a} - {CD275D4E-791A-4993-9D4D-6A071EDD2709} - C:\Program Files (x86)\IEPro\iepro.dll
IE: {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - {B119EB0C-C021-46CF-85B0-34A760E0D5FE} - C:\Program Files (x86)\IEPro\iepro.dll
LSP: C:\Program Files (x86)\Common Files\PC Tools\Lsp\PCTLsp.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.6.0.cab
DPF: {4F29DE54-5EB7-4D76-B610-A86B5CD2A234} - hxxp://archives.gametap.com/static/cab_headless/GameTapWebPlayer.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.2.1 12.213.80.61
TCP: Interfaces\{5214C1F0-1EEF-4433-AD76-3E35D8E2D5AA} : DhcpNameServer = 192.168.2.1 12.213.80.61
TCP: Interfaces\{5214C1F0-1EEF-4433-AD76-3E35D8E2D5AA}\130364850393137353634353 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{5214C1F0-1EEF-4433-AD76-3E35D8E2D5AA}\34C45465E45445 : DhcpNameServer = 10.71.5.2 10.0.1.5 10.0.1.6 10.0.1.7
TCP: Interfaces\{5214C1F0-1EEF-4433-AD76-3E35D8E2D5AA}\4703577686360303B6965637D20534D275962756C6563737 : DhcpNameServer = 192.168.1.1
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\Advisor\System\BAVoilaX.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
mASetup: {2D46B6DC-2207-486B-B523-A557E6D54B47} - C:\Windows\system32\cmd.exe /D /C start C:\Windows\system32\ie4uinit.exe -ClearIconCache
BHO-X64: IE7Pro BHO: {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files (x86)\IEPro\iepro.dll
BHO-X64: IE7Pro - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: PC Tools Browser Guard BHO: {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files (x86)\PC Tools\PC Tools Security\BDT\PCTBrowserDefender.dll
BHO-X64: Browser Guard BHO - No File
BHO-X64: Babylon toolbar helper: {2EECD738-5844-4a99-B4B6-146BF802613B} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dll
BHO-X64: Babylon toolbar helper - No File
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB-X64: Grab Pro: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files (x86)\IEPro\IEProRecorder.dll
TB-X64: Babylon Toolbar: {98889811-442D-49dd-99D7-DC866BE87DBC} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dll
TB-X64: PC Tools Browser Guard: {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files (x86)\PC Tools\PC Tools Security\BDT\PCTBrowserDefender.dll
TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB-X64: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [ISTray] "C:\Program Files (x86)\PC Tools\PC Tools Security\pctsGui.exe" /hideGUI
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Viziren\AppData\Roaming\Mozilla\Firefox\Profiles\bs8hdzx6.default\
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxp://blekko.com/ws/?source=c3348dd4&toolbarid=blekkotb_031&u=19378022156DB05EDD82594FD44F14EB&tbp=homepage
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2790392&SearchSource=2&q=
FF - component: C:\Users\Viziren\AppData\Roaming\Mozilla\Firefox\Profiles\bs8hdzx6.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko10.dll
FF - component: C:\Users\Viziren\AppData\Roaming\Mozilla\Firefox\Profiles\bs8hdzx6.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko11.dll
FF - component: C:\Users\Viziren\AppData\Roaming\Mozilla\Firefox\Profiles\bs8hdzx6.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko12.dll
FF - component: C:\Users\Viziren\AppData\Roaming\Mozilla\Firefox\Profiles\bs8hdzx6.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko19.dll
FF - component: C:\Users\Viziren\AppData\Roaming\Mozilla\Firefox\Profiles\bs8hdzx6.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko5.dll
FF - component: C:\Users\Viziren\AppData\Roaming\Mozilla\Firefox\Profiles\bs8hdzx6.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko6.dll
FF - component: C:\Users\Viziren\AppData\Roaming\Mozilla\Firefox\Profiles\bs8hdzx6.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko7.dll
FF - component: C:\Users\Viziren\AppData\Roaming\Mozilla\Firefox\Profiles\bs8hdzx6.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko8.dll
FF - component: C:\Users\Viziren\AppData\Roaming\Mozilla\Firefox\Profiles\bs8hdzx6.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko9.dll
FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\npjpi170_04.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Users\Viziren\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
FF - Ext: BitTorrentBar Community Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - %profile%\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}
FF - Ext: Babylon: [email protected] - %profile%\extensions\[email protected]
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.BabylonToolbar_i.id - ee8ac1550000000000004a0f6e02e32b
FF - user.js: extensions.BabylonToolbar_i.hardId - ee8ac1550000000000004a0f6e02e32b
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15496
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1720:10:20
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=109683
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
============= SERVICES / DRIVERS ===============
.
R0 PCTCore;PCTools KDS;C:\Windows\system32\drivers\PCTCore64.sys --> C:\Windows\system32\drivers\PCTCore64.sys [?]
R0 pctDS;PC Tools Data Store;C:\Windows\system32\drivers\pctDS64.sys --> C:\Windows\system32\drivers\pctDS64.sys [?]
R0 pctEFA;PC Tools Extended File Attributes;C:\Windows\system32\drivers\pctEFA64.sys --> C:\Windows\system32\drivers\pctEFA64.sys [?]
R0 SmartDefragDriver;SmartDefragDriver;C:\Windows\system32\Drivers\SmartDefragDriver.sys --> C:\Windows\system32\Drivers\SmartDefragDriver.sys [?]
R0 TfFsMon;TfFsMon;C:\Windows\system32\drivers\TfFsMon.sys --> C:\Windows\system32\drivers\TfFsMon.sys [?]
R0 TfSysMon;TfSysMon;C:\Windows\system32\drivers\TfSysMon.sys --> C:\Windows\system32\drivers\TfSysMon.sys [?]
R1 pctgntdi;pctgntdi;\??\C:\Windows\System32\drivers\pctgntdi64.sys --> C:\Windows\System32\drivers\pctgntdi64.sys [?]
R1 pctNdisLW64;PC Tools NDIS 6 LightWeight filter;C:\Windows\system32\DRIVERS\pctNdisLW64.sys --> C:\Windows\system32\DRIVERS\pctNdisLW64.sys [?]
R1 PCTSD;PC Tools Spyware Doctor Driver;C:\Windows\system32\Drivers\PCTSD64.sys --> C:\Windows\system32\Drivers\PCTSD64.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2010-5-14 98208]
R2 Browser Defender Update Service;Browser Defender Update Service;C:\Program Files (x86)\PC Tools\PC Tools Security\BDT\BDTUpdateService.exe [2012-6-19 575416]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2010-2-28 821664]
R2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe [2011-6-21 85560]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-3-28 94264]
R2 HPWMISVC;HPWMISVC;C:\Program Files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-1-12 19968]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-4-26 654408]
R2 sdAuxService;PC Tools Auxiliary Service;C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe [2012-6-19 402336]
R2 sdCoreService;PC Tools Security Service;C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe [2012-6-19 1118648]
R2 sesvc;ShadowExplorer Service;C:\Program Files (x86)\ShadowExplorer\sesvc.exe [2012-6-16 9216]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2009-12-3 483688]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-10 4925184]
R3 PCTBD;PC Tools Browser Defender Driver;C:\Windows\system32\Drivers\PCTBD64.sys --> C:\Windows\system32\Drivers\PCTBD64.sys [?]
R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;\??\C:\Windows\system32\drivers\pctNdis-PacketFilter64.sys --> C:\Windows\system32\drivers\pctNdis-PacketFilter64.sys [?]
R3 pctplfw;pctplfw;\??\C:\Windows\System32\drivers\pctplfw64.sys --> C:\Windows\System32\drivers\pctplfw64.sys [?]
R3 pctplsg;pctplsg;\??\C:\Windows\System32\drivers\pctplsg64.sys --> C:\Windows\System32\drivers\pctplsg64.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 Sftfs;Sftfs;C:\Windows\system32\DRIVERS\Sftfslh.sys --> C:\Windows\system32\DRIVERS\Sftfslh.sys [?]
R3 Sftplay;Sftplay;C:\Windows\system32\DRIVERS\Sftplaylh.sys --> C:\Windows\system32\DRIVERS\Sftplaylh.sys [?]
R3 Sftredir;Sftredir;C:\Windows\system32\DRIVERS\Sftredirlh.sys --> C:\Windows\system32\DRIVERS\Sftredirlh.sys [?]
R3 Sftvol;Sftvol;C:\Windows\system32\DRIVERS\Sftvollh.sys --> C:\Windows\system32\DRIVERS\Sftvollh.sys [?]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2009-12-3 209768]
R3 TfNetMon;TfNetMon;\??\C:\Windows\system32\drivers\TfNetMon.sys --> C:\Windows\system32\drivers\TfNetMon.sys [?]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\system32\DRIVERS\usbfilter.sys --> C:\Windows\system32\DRIVERS\usbfilter.sys [?]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 CamdAudio;CamdAudio;C:\Windows\system32\drivers\CamdAudio.sys --> C:\Windows\system32\drivers\CamdAudio.sys [?]
S3 cpuz134;cpuz134;C:\Program Files (x86)\CPUID\PC Wizard 2010\pcwiz_x64.sys [2011-5-22 21480]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\netw5v64.sys --> C:\Windows\system32\DRIVERS\netw5v64.sys [?]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]
S3 ThreatFire;ThreatFire;C:\Program Files (x86)\PC Tools\PC Tools Security\TFEngine\TFService.exe service --> C:\Program Files (x86)\PC Tools\PC Tools Security\TFEngine\TFService.exe service [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
S4 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
S4 HP Wireless Assistant Service;HP Wireless Assistant Service;C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-4-5 103992]
.
=============== Created Last 30 ================
.
2074-05-19 01:44:52 607296 ------w- C:\Program Files (x86)\Microsoft Games\Age of Empires III\deformerdllyD.dll
2012-06-19 07:42:28 -------- d-----w- C:\Users\Viziren\AppData\Roaming\Spam Monitor
2012-06-19 07:42:28 -------- d-----w- C:\Users\Viziren\AppData\Roaming\PC Tools
2012-06-19 07:40:23 85192 ----a-w- C:\Windows\System32\drivers\PCTBD64.sys
2012-06-19 07:40:22 767928 ----a-w- C:\Windows\BDTSupport.dll
2012-06-19 07:40:22 149432 ----a-w- C:\Windows\SGDetectionTool.dll
2012-06-19 07:40:21 2267064 ----a-w- C:\Windows\PCTBDCore.dll
2012-06-19 07:40:21 1681336 ----a-w- C:\Windows\PCTBDRes.dll
2012-06-19 07:39:14 341168 ----a-w- C:\Windows\System32\drivers\pctgntdi64.sys
2012-06-19 07:39:14 145432 ----a-w- C:\Windows\System32\drivers\pctwfpfilter64.sys
2012-06-19 07:39:08 14776 ----a-w- C:\Windows\System32\drivers\pctBTFix64.sys
2012-06-19 07:39:05 706776 ----a-w- C:\Windows\System32\drivers\TfSysMon.sys
2012-06-19 07:39:05 65664 ----a-w- C:\Windows\System32\drivers\TfFsMon.sys
2012-06-19 07:39:05 41968 ----a-w- C:\Windows\System32\drivers\TfNetMon.sys
2012-06-19 07:38:56 77976 ----a-w- C:\Windows\System32\drivers\pctNdisLW64.sys
2012-06-19 07:38:56 181000 ----a-w- C:\Windows\System32\drivers\pctplfw64.sys
2012-06-19 07:38:56 123808 ----a-w- C:\Windows\System32\drivers\pctNdis-PacketFilter64.sys
2012-06-19 07:38:54 92896 ----a-w- C:\Windows\System32\drivers\pctplsg64.sys
2012-06-19 07:38:48 -------- d-----w- C:\Program Files (x86)\PC Tools
2012-06-19 07:06:15 453896 ----a-w- C:\Windows\System32\drivers\pctDS64.sys
2012-06-19 07:06:15 1096176 ----a-w- C:\Windows\System32\drivers\pctEFA64.sys
2012-06-19 07:06:13 426616 ----a-w- C:\Windows\System32\drivers\PCTCore64.sys
2012-06-19 01:40:59 143360 ----a-w- C:\Users\Viziren\stopgpcode.exe
2012-06-18 17:48:39 -------- d-----w- C:\Program Files (x86)\ESET
2012-06-18 17:27:56 772552 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2012-06-18 17:16:47 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{836ADBD3-53D7-4B26-AE3F-59B9799ECA71}\offreg.dll
2012-06-17 16:22:32 251528 ----a-w- C:\Windows\System32\drivers\PCTSD64.sys
2012-06-17 16:22:32 -------- d-----w- C:\Program Files (x86)\Common Files\PC Tools
2012-06-17 16:21:15 -------- d-----w- C:\ProgramData\PC Tools
2012-06-17 16:21:14 -------- d-----w- C:\Users\Viziren\AppData\Roaming\TestApp
2012-06-16 16:48:02 -------- d-----w- C:\Program Files (x86)\ShadowExplorer
2012-06-16 16:43:09 -------- d-----w- C:\Users\Viziren\AppData\Roaming\www.shadowexplorer.com
2012-06-14 22:29:21 -------- d-----w- C:\Users\Viziren\AppData\Roaming\LoneSurvivor
2012-06-14 15:59:18 -------- d-----w- C:\Program Files (x86)\capy
2012-06-14 15:54:58 -------- d-----w- C:\Program Files (x86)\Bastion
2012-06-14 15:10:33 -------- d-----w- C:\Program Files (x86)\GOG.com
2012-06-13 01:37:02 -------- d-sh--w- C:\$RECYCLE.BIN
2012-06-12 20:52:32 98816 ----a-w- C:\Windows\sed.exe
2012-06-12 20:52:32 518144 ----a-w- C:\Windows\SWREG.exe
2012-06-12 20:52:32 256000 ----a-w- C:\Windows\PEV.exe
2012-06-12 20:52:32 208896 ----a-w- C:\Windows\MBR.exe
2012-06-10 07:39:30 -------- d-----w- C:\ProgramData\blekko toolbars
2012-06-10 07:39:06 -------- d-----w- C:\Program Files (x86)\Extension Changer
2012-06-10 07:38:58 -------- d-----w- C:\Users\Viziren\AppData\Local\blekkotb_031
2012-06-10 07:38:55 -------- d-----w- C:\ProgramData\Anti-phishing Domain Advisor
2012-06-10 07:24:12 -------- d-----w- C:\Program Files (x86)\mPulis Software
2012-06-05 00:10:34 -------- d-----w- C:\Users\Viziren\AppData\Roaming\BabylonToolbar
2012-06-05 00:10:21 -------- d-----w- C:\Program Files (x86)\BabylonToolbar
2012-06-05 00:09:57 -------- d-----w- C:\Users\Viziren\AppData\Roaming\Babylon
2012-06-05 00:09:57 -------- d-----w- C:\ProgramData\Babylon
2012-06-05 00:09:47 -------- d-----w- C:\ProgramData\Tarma Installer
2012-06-05 00:09:47 -------- d-----w- C:\Program Files (x86)\Yontoo
2012-05-22 21:21:53 -------- d-----w- C:\Program Files (x86)\Fomine LAN Chat
.
==================== Find3M ====================
.
2012-06-18 17:27:24 687560 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-04-24 06:06:53 61440 ----a-w- C:\Windows\SysWow64\nvPhotoshopUtil.dll
2012-04-24 06:06:53 40960 ----a-w- C:\Windows\SysWow64\nvISWOW64.dll
2012-04-24 06:06:53 151552 ----a-w- C:\Windows\SysWow64\nvRegDev.dll
2012-04-04 19:56:40 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
1999-06-25 15:55:30 149504 ----a-w- C:\Program Files (x86)\UNWISE.EXE
.
============= FINISH: 4:00:02.00 ===============




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users