Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Browser Hijack - IHavenet.com


  • This topic is locked This topic is locked
11 replies to this topic

#1 Matthias Abele

Matthias Abele

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:55 PM

Posted 06 November 2012 - 03:20 AM

Hi !

I have big problems with some kind of rootkit. Google searches are being hijacked to ihavenet and other sites. Windows security center and defender is disabled and can't be reenabled. Already scanned with MBAM, Avira, ESET Online, Trend Micro Housecall, TDSSKiller and others. No results. Actually the first scan of Combofix found and removed some kind of crap. Already tried rewriting MBR. Browser hijack is still active.

Any Ideas?

DDS (Ver_2012-11-05.02) - NTFS_AMD64
Internet Explorer: 9.0.8112.16450
Run by antiloop at 8:59:23 on 2012-11-06
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.39.1040.18.2038.120 [GMT 1:00]
.
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\rundll32.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\AEADISRV.EXE
C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe
C:\Windows\system32\Ati2evxx.exe
C:\Program Files (x86)\Secunia\PSI\PSIA.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe
C:\Program Files (x86)\RealVNC\VNC4\WinVNC4.exe
C:\Windows\system32\DRIVERS\xaudio64.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Secunia\PSI\sua.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\WindowsMobile\wmdcBase.exe
C:\Program Files (x86)\Samsung\Kies\Kies.exe
C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
C:\Program Files (x86)\PDF24\pdf24.exe
C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe
C:\Users\antiloop\Downloads\EmsisoftEmergencyKit\start.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit = userinit.exe
uRun: [KiesPreload] C:\Program Files (x86)\Samsung\Kies\Kies.exe /preload
uRun: [KiesAirMessage] C:\Program Files (x86)\Samsung\Kies\KiesAirMessage.exe -startup
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun: [SoundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
mRun: [PDFPrint] C:\Program Files (x86)\PDF24\pdf24.exe
mRun: [KiesTrayAgent] C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SECUNI~1.LNK - C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr/200
IE: E&sporta in Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {6C9FCC55-345C-4206-9146-235D0A7DB260} - hxxp://10.4.141.174/cgi-bin/X86VMon.cab
DPF: {B53A0806-51C7-4DC2-B7D7-5C011F45D7D6} - hxxp://10.4.141.174/cgi-bin/Playback.cab
DPF: {EF991872-9158-4570-A7FF-E7DBB6A4B8E9} - hxxp://10.4.141.175/iqweb.ocx
TCP: NameServer = 8.8.8.8 8.8.4.4
TCP: Interfaces\{872BC948-25B3-4861-B0AF-1884655434D4} : DHCPNameServer = 8.8.8.8 8.8.4.4
TCP: Interfaces\{A4942A2F-6874-4F9F-BC14-23AD59A26516} : DHCPNameServer = 8.8.8.8 8.8.4.4
TCP: Interfaces\{AD13CED2-36C7-47F6-99A9-79F39E5F305B} : DHCPNameServer = 8.8.8.8 8.8.4.4
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
x64-BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-Run: [LogMeIn GUI] "C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe"
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [Windows Mobile-based device management] C:\Windows\WindowsMobile\wmdcBase.exe
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\antiloop\AppData\Roaming\Mozilla\Firefox\Profiles\2f2ngqal.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.it/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&sourceid=navclient&gfns=1&q=
FF - prefs.js: network.proxy.ftp - 127.0.0.1
FF - prefs.js: network.proxy.ftp_port - 4001
FF - prefs.js: network.proxy.gopher - 127.0.0.1
FF - prefs.js: network.proxy.gopher_port - 4001
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 4001
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 4001
FF - prefs.js: network.proxy.ssl - 127.0.0.1
FF - prefs.js: network.proxy.ssl_port - 4001
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: C:\Users\antiloop\AppData\Roaming\Mozilla\Firefox\Profiles\2f2ngqal.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
FF - plugin: C:\Users\antiloop\AppData\Roaming\Mozilla\Firefox\Profiles\2f2ngqal.default\extensions\[email protected]\plugins\npLMI64.dll
FF - plugin: C:\Users\antiloop\AppData\Roaming\Mozilla\Firefox\Profiles\2f2ngqal.default\extensions\[email protected]\plugins\npRACtrl.dll
FF - plugin: C:\Users\antiloop\AppData\Roaming\Mozilla\Firefox\Profiles\2f2ngqal.default\extensions\[email protected]\plugins\npNTRplugin2.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_287.dll
FF - ExtSQL: 2012-11-05 08:39; [email protected]; C:\Users\antiloop\AppData\Roaming\Mozilla\Firefox\Profiles\2f2ngqal.default\extensions\[email protected]
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;C:\Windows\System32\drivers\avkmgr.sys [2012-10-24 27800]
R2 AntiVirSchedulerService;Avira Planer;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2012-10-24 84256]
R2 AntiVirService;Avira Echtzeit-Scanner;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2012-10-24 108320]
R2 avgntflt;avgntflt;C:\Windows\System32\drivers\avgntflt.sys [2012-10-24 99248]
R2 LMIGuardianSvc;LMIGuardianSvc;C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2010-9-27 375208]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files (x86)\LogMeIn\x64\rainfo.sys [2010-5-31 15928]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\Windows\System32\drivers\LMIRfsDriver.sys [2012-10-24 72216]
R2 Secunia PSI Agent;Secunia PSI Agent;C:\Program Files (x86)\Secunia\PSI\psia.exe [2012-9-24 1328736]
R2 Secunia Update Agent;Secunia Update Agent;C:\Program Files (x86)\Secunia\PSI\sua.exe [2012-9-24 656480]
R2 TeamViewer7;TeamViewer 7;C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [2012-10-24 2848168]
R3 CAXHWAZL;CAXHWAZL;C:\Windows\System32\drivers\CAXHWAZL.sys [2006-12-21 300032]
R3 PSI;PSI;C:\Windows\System32\drivers\psi_mf.sys [2011-12-16 17976]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-10-19 160944]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-4-12 71168]
S3 netw5v64;Driver scheda Intel® Wireless WiFi Link serie 5000 per Windows Vista a 64 bit;C:\Windows\System32\drivers\netw5v64.sys [2009-6-10 5434368]
S3 pwdrvio;pwdrvio;C:\Windows\System32\pwdrvio.sys [2012-10-26 19032]
S3 pwdspio;pwdspio;C:\Windows\System32\pwdspio.sys [2012-10-26 12384]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2012-10-24 19456]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-13 292864]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-13 740864]
S3 Synth3dVsc;Synth3dVsc;C:\Windows\System32\drivers\Synth3dVsc.sys [2011-4-12 88960]
S3 terminpt;Microsoft Remote Desktop Input Driver;C:\Windows\System32\drivers\terminpt.sys [2012-10-24 29696]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-10-24 57856]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2012-10-24 30208]
S3 tsusbhub;tsusbhub;C:\Windows\System32\drivers\tsusbhub.sys [2011-4-12 117248]
S3 WatAdminSvc;Servizio Windows Activation Technologies;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-10-25 1255736]
.
=============== Created Last 30 ================
.
2012-11-05 10:54:43 -------- d-----w- C:\Users\antiloop\AppData\Roaming\Canneverbe Limited
2012-11-05 10:54:43 -------- d-----w- C:\ProgramData\Canneverbe Limited
2012-11-05 07:29:29 -------- d-----w- C:\Program Files (x86)\ESET
2012-11-05 06:46:26 -------- d-sh--w- C:\$RECYCLE.BIN
2012-11-04 20:38:58 -------- d-----w- C:\Users\antiloop\AppData\Local\temp
2012-11-02 06:52:19 -------- d-----w- C:\Windows\System32\appmgmt
2012-11-02 00:24:28 -------- d-----w- C:\Windows\Downloaded Installations
2012-11-02 00:24:16 -------- d-----w- C:\Program Files\ThinkVantage Fingerprint Software
2012-11-02 00:23:44 -------- d-----w- C:\SWTOOLS
2012-11-01 23:34:55 -------- d-----w- C:\Users\antiloop\AppData\Local\ATI
2012-11-01 23:34:21 0 ----a-w- C:\Windows\ativpsrm.bin
2012-11-01 18:28:10 -------- d-----w- C:\Program Files\AuthenTec
2012-11-01 10:12:52 -------- d-----w- C:\Users\antiloop\AppData\Roaming\Foxit Software
2012-10-29 19:17:45 -------- d-----w- C:\Users\antiloop\AppData\Roaming\CoreFTP
2012-10-29 15:08:16 -------- d-----w- C:\Users\antiloop\AppData\Local\Samsung
2012-10-29 15:08:14 -------- d-----w- C:\Users\antiloop\AppData\Roaming\Samsung
2012-10-29 15:03:52 4659712 ----a-w- C:\Windows\SysWow64\Redemption.dll
2012-10-29 15:03:42 821824 ----a-w- C:\Windows\SysWow64\dgderapi.dll
2012-10-29 15:03:42 -------- d-----w- C:\Program Files (x86)\MarkAny
2012-10-29 15:03:20 -------- d-----w- C:\ProgramData\Samsung
2012-10-29 15:03:20 -------- d-----w- C:\Program Files (x86)\Samsung
2012-10-29 14:55:48 -------- d-----w- C:\Users\antiloop\AppData\Local\Downloaded Installations
2012-10-28 12:12:35 98816 ----a-w- C:\Windows\sed.exe
2012-10-28 12:12:35 256000 ----a-w- C:\Windows\PEV.exe
2012-10-28 12:12:35 208896 ----a-w- C:\Windows\MBR.exe
2012-10-28 11:50:58 -------- d-----w- C:\Users\antiloop\AppData\Roaming\Malwarebytes
2012-10-28 11:50:50 -------- d-----w- C:\ProgramData\Malwarebytes
2012-10-28 11:50:49 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-10-28 11:50:49 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-10-28 11:48:33 81934 ----a-w- C:\Windows\gmt.exe
2012-10-28 11:48:33 -------- d-----w- C:\Program Files (x86)\GmapTool
2012-10-28 11:43:12 86016 --sha-r- C:\Windows\SysWow64\virtdisk9.dll
2012-10-27 13:37:12 -------- d-----w- C:\Users\antiloop\AppData\Local\PDF24
2012-10-27 09:54:02 -------- d-----w- C:\Program Files (x86)\DB Software Laboratory
2012-10-27 07:15:19 -------- d-----w- C:\Users\antiloop\AppData\Local\Brice_Lambson
2012-10-27 07:04:00 -------- d-----w- C:\Users\antiloop\AppData\Roaming\SpiderOak
2012-10-27 07:03:52 -------- d-----w- C:\Program Files (x86)\CoreFTP
2012-10-27 07:03:37 -------- d-----w- C:\Program Files\Image Resizer for Windows
2012-10-27 07:03:37 -------- d-----w- C:\Program Files (x86)\Image Resizer for Windows
2012-10-27 07:03:35 -------- d-----w- C:\ProgramData\Package Cache
2012-10-27 07:03:30 -------- d-----w- C:\Program Files (x86)\SpiderOak
2012-10-26 17:57:56 9291768 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E3503D3B-128A-4632-A635-CA9F8315C34A}\mpengine.dll
2012-10-26 06:45:11 2966720 ----a-w- C:\Windows\System32\pwNative.exe
2012-10-26 06:45:11 19032 ------w- C:\Windows\System32\pwdrvio.sys
2012-10-26 06:45:11 12384 ------w- C:\Windows\System32\pwdspio.sys
2012-10-26 06:45:05 -------- d-----w- C:\Program Files (x86)\MiniTool Partition Wizard Home Edition 7.6.1
2012-10-26 06:03:56 -------- d-----w- C:\Windows\WindowsMobile
2012-10-25 16:51:09 163056 ----a-w- C:\ProgramData\Microsoft\Windows\Sqm\Manifest\Sqm10142.bin
2012-10-25 13:25:12 -------- d-----w- C:\Users\antiloop\AppData\Roaming\IrfanView
2012-10-25 13:25:12 -------- d-----w- C:\Program Files (x86)\IrfanView
2012-10-25 09:45:23 -------- d-----w- C:\Program Files (x86)\QNAP
2012-10-25 09:16:45 -------- d-----w- C:\Users\antiloop\.thumbnails
2012-10-25 09:07:32 -------- d-----w- C:\Users\antiloop\AppData\Local\fontconfig
2012-10-25 09:07:30 -------- d-----w- C:\Users\antiloop\.gimp-2.8
2012-10-25 09:07:29 -------- d-----w- C:\Users\antiloop\AppData\Local\gegl-0.2
2012-10-25 08:20:02 99840 ----a-w- C:\Windows\System32\Spool\prtprocs\x64\LXKPTPRC.DLL
2012-10-25 07:07:10 -------- d-----w- C:\Program Files\Lexmark Network TWAIN Driver
2012-10-25 07:07:10 -------- d-----w- C:\Program Files (x86)\Lexmark Network TWAIN Driver
2012-10-25 07:07:05 -------- d-----w- C:\Program Files (x86)\Lexmark
2012-10-25 07:05:23 -------- d-----w- C:\ProgramData\Lexmark Universal v2 XL
2012-10-25 07:04:15 262144 ----a-w- C:\Windows\System32\Spool\prtprocs\x64\LMUD1P4C.DLL
2012-10-25 07:03:50 906752 ----a-w- C:\Windows\System32\lexlog.dll
2012-10-25 07:03:50 446464 ----a-w- C:\Windows\SysWow64\lexlog.dll
2012-10-25 07:03:49 -------- d-----w- C:\Program Files\Lexmark Universal v2
2012-10-25 07:03:49 -------- d-----w- C:\Program Files (x86)\Lexmark Universal v2
2012-10-25 07:03:25 -------- d-----w- C:\ProgramData\UD1
2012-10-25 07:02:46 729600 ----a-w- C:\Windows\System32\LMUD1Pcomc.dll
2012-10-25 07:02:46 430080 ----a-w- C:\Windows\SysWow64\LMUD1P32comc.dll
2012-10-25 07:02:46 289280 ----a-w- C:\Windows\System32\LMUD1Pinpa.dll
2012-10-25 07:02:45 2945536 ----a-w- C:\Windows\System32\LMUD1Plang.dll
2012-10-25 06:46:21 -------- d-----w- C:\Program Files (x86)\PDF24
2012-10-25 05:56:08 -------- d-----w- C:\Windows\PCHEALTH
2012-10-25 05:52:28 -------- d-----w- C:\Users\antiloop\AppData\Local\Microsoft Help
2012-10-25 05:44:18 -------- d-----w- C:\Program Files\Wireshark
2012-10-25 05:43:59 96224 ----a-w- C:\Program Files (x86)\Mozilla Firefox\webapprt-stub.exe
2012-10-25 05:43:59 770384 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcr100.dll
2012-10-25 05:43:59 73696 ----a-w- C:\Program Files (x86)\Mozilla Firefox\breakpadinjector.dll
2012-10-25 05:43:59 421200 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcp100.dll
2012-10-25 05:43:59 261600 ----a-w- C:\Program Files (x86)\Mozilla Firefox\components\browsercomps.dll
2012-10-25 05:43:59 2560480 ----a-w- C:\Program Files (x86)\Mozilla Firefox\gkmedias.dll
2012-10-25 05:43:59 192600 ----a-w- C:\Program Files (x86)\Mozilla Firefox\maintenanceservice_installer.exe
2012-10-25 05:43:59 157272 ----a-w- C:\Program Files (x86)\Mozilla Firefox\webapp-uninstaller.exe
2012-10-25 05:43:59 124384 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozglue.dll
2012-10-25 05:43:59 115168 ----a-w- C:\Program Files (x86)\Mozilla Firefox\maintenanceservice.exe
2012-10-25 01:28:01 -------- d-----w- C:\Windows\SysWow64\Wat
2012-10-25 01:28:01 -------- d-----w- C:\Windows\System32\Wat
2012-10-25 01:27:51 -------- d-----w- C:\Windows\SysWow64\wbem\en-US
2012-10-25 01:27:51 -------- d-----w- C:\Windows\System32\wbem\en-US
2012-10-25 01:11:18 294912 ----a-w- C:\Windows\System32\browserchoice.exe
2012-10-25 01:01:41 81408 ----a-w- C:\Windows\System32\imagehlp.dll
2012-10-25 01:01:41 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2012-10-25 01:01:41 5120 ----a-w- C:\Windows\System32\wmi.dll
2012-10-25 01:01:41 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2012-10-25 01:01:41 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2012-10-24 21:51:00 -------- d-----w- C:\Program Files\Synaptics
2012-10-24 21:47:14 -------- d-----w- C:\Program Files (x86)\Analog Devices
2012-10-24 21:22:28 -------- d-----w- C:\Program Files\CONEXANT
2012-10-24 21:14:31 9291768 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2012-10-24 21:11:28 -------- d-----w- C:\Users\antiloop\AppData\Roaming\LibreOffice
2012-10-24 21:06:47 591872 ----a-w- C:\Windows\System32\SearchIndexer.exe
2012-10-24 21:05:59 476160 ----a-w- C:\Windows\System32\XpsGdiConverter.dll
2012-10-24 21:04:57 458712 ----a-w- C:\Windows\System32\drivers\cng.sys
2012-10-24 21:03:21 751104 ----a-w- C:\Windows\System32\win32spl.dll
2012-10-24 21:03:21 67072 ----a-w- C:\Windows\splwow64.exe
2012-10-24 21:03:21 559104 ----a-w- C:\Windows\System32\spoolsv.exe
2012-10-24 21:03:21 492032 ----a-w- C:\Windows\SysWow64\win32spl.dll
2012-10-24 21:03:10 -------- d-----w- C:\Windows\Panther
2012-10-24 21:02:33 936960 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2012-10-24 21:02:33 1732096 ----a-w- C:\Program Files\Windows Journal\NBDoc.DLL
2012-10-24 21:02:33 1402880 ----a-w- C:\Program Files\Windows Journal\JNWDRV.dll
2012-10-24 21:02:33 1393664 ----a-w- C:\Program Files\Windows Journal\JNTFiltr.dll
2012-10-24 21:02:33 1367552 ----a-w- C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll
2012-10-24 20:59:58 -------- d-----w- C:\Program Files\GIMP 2
2012-10-24 20:57:49 -------- d-----w- C:\Users\antiloop\AppData\Roaming\Avira
2012-10-24 20:54:03 77312 ----a-w- C:\Windows\System32\packager.dll
2012-10-24 20:54:03 67072 ----a-w- C:\Windows\SysWow64\packager.dll
2012-10-24 20:54:03 1731920 ----a-w- C:\Windows\System32\ntdll.dll
2012-10-24 20:54:03 1292080 ----a-w- C:\Windows\SysWow64\ntdll.dll
2012-10-24 20:53:51 -------- d-----w- C:\Users\antiloop\AppData\Local\Macromedia
2012-10-24 20:52:23 99248 ----a-w- C:\Windows\System32\drivers\avgntflt.sys
2012-10-24 20:52:23 27800 ----a-w- C:\Windows\System32\drivers\avkmgr.sys
2012-10-24 20:52:22 -------- d-----w- C:\ProgramData\Avira
2012-10-24 20:52:22 -------- d-----w- C:\Program Files (x86)\Avira
2012-10-24 20:44:14 -------- d-----w- C:\Program Files (x86)\MySQL
2012-10-24 20:44:13 -------- d-----w- C:\ProgramData\MySQL
2012-10-24 20:43:34 -------- d-----r- C:\Program Files (x86)\Skype
2012-10-24 20:41:31 -------- d-----w- C:\Program Files (x86)\PHP
2012-10-24 20:39:56 108008 ----a-w- C:\Windows\System32\WindowsAccessBridge-64.dll
2012-10-24 20:38:03 -------- d-----w- C:\Program Files (x86)\Mozilla Maintenance Service
2012-10-24 20:35:27 -------- d-----w- C:\Users\antiloop\AppData\Local\Secunia PSI
2012-10-24 20:35:20 -------- d-----w- C:\Program Files (x86)\Secunia
2012-10-24 20:33:45 -------- d-----w- C:\Program Files (x86)\LibreOffice 3.5
2012-10-24 20:32:07 -------- d-----w- C:\Users\antiloop\AppData\Local\LogMeIn
2012-10-24 20:32:07 -------- d-----w- C:\ProgramData\LogMeIn
2012-10-24 20:32:04 59808 ----a-w- C:\Windows\System32\Spool\prtprocs\x64\LMIproc.dll
2012-10-24 20:32:04 34720 ----a-w- C:\Windows\System32\LMIport.dll
2012-10-24 20:32:03 87488 ----a-w- C:\Windows\System32\LMIRfsClientNP.dll
2012-10-24 20:32:03 72216 ----a-w- C:\Windows\System32\drivers\LMIRfsDriver.sys
2012-10-24 20:32:02 80800 ----a-w- C:\Windows\System32\LMIinit.dll
2012-10-24 20:31:50 -------- d-----w- C:\Program Files (x86)\LogMeIn
2012-10-24 20:30:38 -------- d-----w- C:\Users\antiloop\AppData\Roaming\inkscape
2012-10-24 20:27:08 -------- d-----w- C:\Users\antiloop\AppData\Roaming\TeamViewer
2012-10-24 20:27:02 -------- d-----w- C:\Program Files (x86)\WinPcap
2012-10-24 20:25:54 -------- d-----w- C:\Program Files\WinPcap
2012-10-24 20:25:43 -------- d-----w- C:\Users\antiloop\AppData\Local\Thunderbird
2012-10-24 20:25:33 -------- d-----w- C:\Program Files (x86)\TeamViewer
2012-10-24 20:24:38 -------- d-----w- C:\Program Files (x86)\WinSCP
2012-10-24 20:24:10 -------- d-----w- C:\Program Files (x86)\RealVNC
2012-10-24 20:24:01 -------- d-----w- C:\Users\antiloop\AppData\Local\Google
2012-10-24 20:24:01 -------- d-----w- C:\Program Files (x86)\uTorrent
2012-10-24 20:23:38 -------- d-----w- C:\Program Files (x86)\VideoLAN
2012-10-24 20:23:30 -------- d-----w- C:\Program Files (x86)\Mozilla Thunderbird.bak
2012-10-24 20:22:50 -------- d-----w- C:\Users\antiloop\AppData\Roaming\uTorrent
2012-10-24 20:19:48 916456 ----a-w- C:\Windows\System32\deployJava1.dll
2012-10-24 20:19:48 1034216 ----a-w- C:\Windows\System32\npdeployJava1.dll
2012-10-24 20:19:31 -------- d-----w- C:\Program Files (x86)\Inkscape
2012-10-24 20:19:20 -------- d-----w- C:\Program Files (x86)\Nmap
2012-10-24 20:18:00 -------- d---a-w- C:\work
2012-10-24 20:16:54 -------- d-----r- C:\Users\antiloop\Dropbox
2012-10-24 20:14:59 -------- d-----w- C:\Program Files (x86)\Foxit Software
2012-10-24 20:14:13 1002008 ----a-w- C:\Windows\SysWow64\igxpun.exe
2012-10-24 20:14:13 -------- d-----w- C:\Windows\SysWow64\x64
2012-10-24 20:14:04 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-10-24 20:14:04 696760 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-10-24 20:13:41 -------- d-----w- C:\Users\antiloop\AppData\Roaming\DAEMON Tools Lite
2012-10-24 20:13:38 -------- d-----w- C:\ProgramData\DAEMON Tools Lite
2012-10-24 20:13:15 -------- d-----w- C:\Program Files (x86)\EasyPHP-5.3.9
2012-10-24 20:13:06 -------- d-sh--w- C:\Windows\Installer
2012-10-24 20:13:03 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2012-10-24 20:13:03 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2012-10-24 20:13:03 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2012-10-24 20:12:49 -------- d-----w- C:\Users\antiloop\AppData\Roaming\Dropbox
2012-10-24 20:12:22 -------- d-----w- C:\Program Files\CCleaner
2012-10-24 20:11:56 -------- d-----w- C:\Program Files (x86)\Audacity 1.3 Beta (Unicode)
2012-10-24 20:09:40 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-10-24 20:09:37 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-10-24 20:09:35 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-10-24 20:09:35 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-10-24 20:07:58 -------- d-sh--we C:\Programmi
2012-10-24 20:07:58 -------- d-sh--we C:\ProgramData\Preferiti
2012-10-24 20:07:58 -------- d-sh--we C:\ProgramData\Modelli
2012-10-24 20:07:58 -------- d-sh--we C:\ProgramData\Menu Avvio
2012-10-24 20:07:58 -------- d-sh--we C:\ProgramData\Documenti
2012-10-24 20:07:58 -------- d-sh--we C:\ProgramData\Dati applicazioni
2012-10-24 20:07:58 -------- d-sh--we C:\Program Files\File comuni
2012-10-24 20:07:58 -------- d-----w- C:\Recovery
.
==================== Find3M ====================
.
2012-09-26 19:57:16 90112 ----a-w- C:\Windows\MAMCityDownload.ocx
2012-09-14 19:19:29 2048 ----a-w- C:\Windows\System32\tzres.dll
2012-09-14 18:28:53 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2012-08-31 18:19:35 1659760 ----a-w- C:\Windows\System32\drivers\ntfs.sys
2012-08-30 18:03:45 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-08-30 17:12:02 3968880 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-08-30 17:12:02 3914096 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-08-24 18:13:17 154480 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2012-08-24 18:05:07 220160 ----a-w- C:\Windows\System32\wintrust.dll
2012-08-24 18:05:03 340992 ----a-w- C:\Windows\System32\schannel.dll
2012-08-24 18:04:18 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2012-08-24 18:03:09 1448448 ----a-w- C:\Windows\System32\lsasrv.dll
2012-08-24 16:57:48 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll
2012-08-24 16:57:40 247808 ----a-w- C:\Windows\SysWow64\schannel.dll
2012-08-24 16:57:40 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2012-08-24 16:57:37 220160 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2012-08-24 16:53:35 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2012-08-23 14:13:11 243200 ----a-w- C:\Windows\System32\rdpudd.dll
2012-08-23 14:12:16 29696 ----a-w- C:\Windows\System32\drivers\terminpt.sys
2012-08-23 14:10:20 19456 ----a-w- C:\Windows\System32\drivers\rdpvideominiport.sys
2012-08-23 14:08:26 30208 ----a-w- C:\Windows\System32\drivers\TsUsbGD.sys
2012-08-23 14:07:35 57856 ----a-w- C:\Windows\System32\drivers\TsUsbFlt.sys
2012-08-23 13:47:20 46592 ----a-w- C:\Windows\SysWow64\MsRdpWebAccess.dll
2012-08-23 13:46:20 16896 ----a-w- C:\Windows\SysWow64\wksprtPS.dll
2012-08-23 13:41:52 13312 ----a-w- C:\Windows\System32\TsUsbRedirectionGroupPolicyControl.exe
2012-08-23 13:40:56 13312 ----a-w- C:\Windows\System32\TsUsbRedirectionGroupPolicyExtension.dll
2012-08-23 13:24:57 15360 ----a-w- C:\Windows\System32\RdpGroupPolicyExtension.dll
2012-08-23 13:20:40 54272 ----a-w- C:\Windows\System32\MsRdpWebAccess.dll
2012-08-23 13:18:14 37376 ----a-w- C:\Windows\SysWow64\tsgqec.dll
2012-08-23 13:17:54 18432 ----a-w- C:\Windows\System32\wksprtPS.dll
2012-08-23 13:06:58 43520 ----a-w- C:\Windows\System32\TsUsbGDCoInstaller.dll
2012-08-23 12:52:53 44032 ----a-w- C:\Windows\System32\tsgqec.dll
2012-08-23 11:20:06 62976 ----a-w- C:\Windows\System32\TSWbPrxy.exe
2012-08-23 11:15:57 269312 ----a-w- C:\Windows\SysWow64\aaclient.dll
2012-08-23 11:14:09 384000 ----a-w- C:\Windows\System32\wksprt.exe
2012-08-23 11:12:17 192000 ----a-w- C:\Windows\SysWow64\rdpendp_winip.dll
2012-08-23 10:54:24 322560 ----a-w- C:\Windows\System32\aaclient.dll
2012-08-23 10:51:14 228864 ----a-w- C:\Windows\System32\rdpendp_winip.dll
2012-08-23 10:39:24 1048064 ----a-w- C:\Windows\SysWow64\mstsc.exe
2012-08-23 10:22:22 1123840 ----a-w- C:\Windows\System32\mstsc.exe
2012-08-23 09:51:57 3174912 ----a-w- C:\Windows\System32\rdpcorets.dll
2012-08-23 08:19:01 4916224 ----a-w- C:\Windows\SysWow64\mstscax.dll
2012-08-23 08:13:07 5773824 ----a-w- C:\Windows\System32\mstscax.dll
2012-08-22 18:12:50 1913200 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2012-08-22 18:12:40 950128 ----a-w- C:\Windows\System32\drivers\ndis.sys
2012-08-22 18:12:40 376688 ----a-w- C:\Windows\System32\drivers\netio.sys
2012-08-22 18:12:33 288624 ----a-w- C:\Windows\System32\drivers\FWPKCLNT.SYS
2012-08-21 21:01:00 245760 ----a-w- C:\Windows\System32\OxpsConverter.exe
2012-08-20 18:48:44 362496 ----a-w- C:\Windows\System32\wow64win.dll
2012-08-20 18:48:44 243200 ----a-w- C:\Windows\System32\wow64.dll
2012-08-20 18:48:44 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2012-08-20 18:48:43 215040 ----a-w- C:\Windows\System32\winsrv.dll
2012-08-20 18:48:37 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2012-08-20 18:48:35 424448 ----a-w- C:\Windows\System32\KernelBase.dll
2012-08-20 18:46:22 338432 ----a-w- C:\Windows\System32\conhost.exe
2012-08-20 17:40:21 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2012-08-20 17:38:44 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2012-08-20 17:38:26 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2012-08-20 17:37:19 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2012-08-20 17:37:18 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2012-08-20 15:38:21 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2012-08-20 15:38:20 2048 ----a-w- C:\Windows\SysWow64\user.exe
2012-08-20 15:33:28 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2012-08-20 15:33:28 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2012-08-20 15:33:28 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2012-08-20 15:33:28 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2012-08-15 16:12:10 20000 ----a-w- C:\Windows\System32\tccoinst.dll
2012-08-15 16:12:10 1014440 ----a-w- C:\Windows\System32\drivers\UMDF\tcwbf.dll
2012-08-15 16:12:10 1002728 ----a-w- C:\Windows\System32\WinUsbCoinstaller2.dll
2012-08-15 16:12:08 2152176 ----a-w- C:\Windows\System32\WudfUpdate_01009.dll
2012-08-11 00:56:03 715776 ----a-w- C:\Windows\System32\kerberos.dll
2012-08-10 23:56:14 542208 ----a-w- C:\Windows\SysWow64\kerberos.dll
.
============= FINISH: 8:59:46,12 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,348 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:55 PM

Posted 06 November 2012 - 08:58 AM

please post the ComboFix log(s)


NEXT


please run the following:


Download the appropriate version for your system of the Farbar Recovery Scan Tool and save it to a flash drive. (Choose the correct version depending on which architecture operating system you are using, 32bit (x86) or 64 (x64) bit)

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
[*]Select Command Prompt
[*]In the command window type in notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select "Computer" and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to the disclaimer.
[*]Place a check next to List Drivers MD5 as well as the default check marks that are already there
[*]Press Scan button.
[*]FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:
services.exe
[*]now press the search button
[*]when the search is complete, search.txt will also be written to your USB
[*]type exit and reboot the computer normally
[*]please copy and paste both logs in your reply.(FRST.txt and Search.txt)[/list]
The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif
Microsoft MVP - 2010, 2011, 2012, 2013

#3 Matthias Abele

Matthias Abele
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:55 PM

Posted 06 November 2012 - 09:08 AM

For now the ComboFix Logs... in the meantime I'll run the FRST64 tool

Thanks!

Attached Files


Edited by Matthias Abele, 06 November 2012 - 09:08 AM.


#4 Matthias Abele

Matthias Abele
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:55 PM

Posted 06 November 2012 - 09:50 AM

Here are the other two files...

thanks!

Attached Files



#5 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,348 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:55 PM

Posted 06 November 2012 - 10:13 AM

Please do the following:


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
2012-10-28 12:43 - 2012-11-06 15:32 - 00000324 ____A C:\Windows\Tasks\Cwzkjdzqur.job
2012-10-28 12:43 - 2012-10-28 12:43 - 00086016 _RASH C:\Windows\SysWOW64\virtdisk9.dll
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Reboot Normally.


NEXT


Please re-run ComboFix, allow it to update if it asks to do so, remember to disable your security programs, post the fresh log.
The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif
Microsoft MVP - 2010, 2011, 2012, 2013

#6 Matthias Abele

Matthias Abele
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:55 PM

Posted 06 November 2012 - 11:01 AM

Ok, no redirects anymore. Security center stays enabled. No Problems so far.

Thanks a lot! If you ever come to Italy give me a call, I'll invite you for a glass of Vino Rosso

Attached Files



#7 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,348 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:55 PM

Posted 06 November 2012 - 11:07 AM

sounds good :)

we just have a couple more scans to run to make certain there are no leftovers, so stay with me till i give the 'all clean"

Please run the following:

Download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply


NEXT


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif
Microsoft MVP - 2010, 2011, 2012, 2013

#8 Matthias Abele

Matthias Abele
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:55 PM

Posted 07 November 2012 - 01:17 AM

Back again - sorry for the delay, ESET took some hours to complete. No detections, Eset didnt give me a log file.


Thanks again!

Attached Files



#9 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,348 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:55 PM

Posted 07 November 2012 - 07:03 AM

We just have some housekeeping to do now,

Please do the following:


You can delete the DDS and the Farbar logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Press the WinKey +R to open a run box
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.

Posted Image


NEXT

  • Double click on adwcleaner.exe to run the tool.
  • Click on Uninstall.
  • Confirm with yes.


If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer has always the latest security updates available installed on your computer.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish it's job
    • Once its finished it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
    PC Safety and Security--What Do I Need?.
  • Simple and easy ways to keep your computer safe and secure on the Internet

Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.
The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif
Microsoft MVP - 2010, 2011, 2012, 2013

#10 Matthias Abele

Matthias Abele
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:55 PM

Posted 07 November 2012 - 08:44 AM

everything is ok, thanks for your support!

#11 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,348 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:55 PM

Posted 07 November 2012 - 09:08 AM

you are welcome

stay safe :hello:

~CB
The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif
Microsoft MVP - 2010, 2011, 2012, 2013

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,348 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:55 PM

Posted 07 November 2012 - 09:09 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif
Microsoft MVP - 2010, 2011, 2012, 2013




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users