Jump to content


 

Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Redirect Virus/Trojan AND google, youtube, facebook wepage not found

Started by sascha411 , Feb 07 2013 07:31 PM

  • This topic is locked This topic is locked
14 replies to this topic

#1 sascha411

sascha411

    New Member

  • Members
  • Pip
  • 7 posts

Posted 07 February 2013 - 07:31 PM

Hi All,
 
Since a couple of weeks my Computer has this Virus/Trojan.
 
Basically google.com gets redirected to below page and facebook.com and youtube.com webpage gets not found.
 
 
 
 
I tried several antispyware, malware, ttds programs. I run different antivirus programs... but nothing was found
 
After setting up the system completely new, everything is fine for about 12 hours. Then the same error/virus shows up. 
 
I did format and reinstall Windows 7 three times. Same outcome. 
 
I have no clue, how to get rid of this virus/trojan. Please help.
 
Especially weird is, that after days of work on this, it does disappear, but only to come back like 12 hours later. 
 
Cheers, 
Sascha

 

  • BC Ads
  • BleepingComputer.com

#2 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • PipPipPipPipPipPip
  • 122,845 posts
  • Gender:Male
  • Location:Puerto rico

Posted 07 February 2013 - 11:09 PM


Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of us

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.





I need to get some reports to get a base to start from so I need you to run these programs first.


-DeFogger-
  • Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK
    Do not re-enable these drivers until otherwise instructed.

-Security Check-
  • Download Security Check by screen317 from here.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
-Download DDS-
  • Please download DDS from one of the links below and save it to your desktop:

    dds_scr.gif
    Download DDS and save it to your desktop

    Link1
    Link2
    Link3
    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
      • DDS.txt
      • Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply
information and logs
  • In your next post I need the following
    • both reports from DDS
      • report from security check
        • let me know of any problems you may have had
      Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

#3 sascha411

sascha411

    New Member

  • Members
  • Pip
  • 7 posts

Posted 08 February 2013 - 02:39 AM

Hi Gringo, 

Thanks for your quick reply. - The redirecting occurs and disappears within the day - sometimes up to 12 hours between getting redirected, then working normal again. 

 

Currently - since like 5 hours -  I do not get redirected. But I ran the tests anyways:

 

Security Check:

 

 

Results of screen317's Security Check version 0.99.57  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 9  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
COMODO Antivirus                
Microsoft Security Essentials   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:````````` 
 Java 7 Update 13  
 Java version out of Date! 
 Google Chrome 24.0.1312.57  
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe 
 Microsoft Security Essentials msseces.exe 
 Comodo Firewall cmdagent.exe 
 ASUS USBChargeSetting iSeriesCharge.exe  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 0% 
````````````````````End of Log`````````````````````` 
 
 
DDS:
 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 9.0.8112.16457  BrowserJavaVersion: 10.13.2
Run by Trin at 2:33:53 on 2013-02-08
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.4091.1592 [GMT -5:00]
.
AV: COMODO Antivirus *Enabled/Updated* {458BB331-2324-0753-3D5F-1472EB102AC0}
AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Enabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: COMODO Antivirus *Enabled/Updated* {FEEA52D5-051E-08DD-07EF-2F009097607D}
FW: COMODO Firewall *Enabled* {7DB03214-694B-060B-1600-BD4715C36DBB}
.
============== Running Processes ===============
.
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe
C:\windows\system32\svchost.exe -k RPCSS
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\windows\system32\svchost.exe -k NetworkService
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\windows\system32\atiesrxx.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\atieclxx.exe
C:\windows\system32\WLANExt.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\InstantOn\InsOnSrv.exe
C:\windows\SysWOW64\AsusService.exe
C:\Program Files (x86)\Common Files\InstantOn\InsOnWMI.exe
C:\windows\system32\taskhost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\ExpressGateUtil\VAWinService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\svchost.exe -k bthsvcs
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ASUS\Eee Docking\Eee Docking.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\COMODO\COMODO Internet Security\CisTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Asus\LiveUpdate\LiveUpdate.exe
C:\windows\SysWOW64\RunDll32.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe
C:\ExpressGateUtil\VAWinAgent.exe
C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe
C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe
C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe
C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe
C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe
C:\Program Files\COMODO\COMODO Internet Security\cis.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\windows\system32\wuauclt.exe
C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\SeaPort.exe
C:\windows\system32\taskhost.exe
C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://asus.msn.com
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\BingExt.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - 
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [SonicMasterTray] C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe
mRun: [UCam_Menu] "C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
mRun: [HotkeyMon] AsusSender.exe C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe
mRun: [HotkeyService] AsusSender.exe C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe
mRun: [SuperHybridEngine] AsusSender.exe C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe
mRun: [CapsHook] AsusSender.exe C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe
mRun: [ASUSWebStorage] C:\Program Files (x86)\ASUS\ASUS WebStorage\3.0.108.222\AsusWSPanel.exe /S
mRun: [iSeriesCharge] AsusSender.exe C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe
mRun: [VAWinAgent] C:\ExpressGateUtil\VAWinAgent.exe
mRun: [ASUSPRP] C:\Program Files (x86)\ASUS\APRP\APRP.EXE
mRun: [gbrspcontrol] "C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe" -controlservice -slave
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\Users\Trin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\ASUSVI~1.LNK - C:\Program Files (x86)\ASUS\AsusVibe\AsusVibeLauncher.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\STARTG~1.LNK - C:\Program Files (x86)\Comodo\GeekBuddy\launcher.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: NameServer = 178.32.44.61 176.31.64.141
TCP: Interfaces\{D4F4A877-EB81-4A40-8412-797272B0F35A} : DHCPNameServer = 178.32.44.61 176.31.64.141
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\24.0.1312.57\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [SynAsusAcpi] C:\Program Files (x86)\Synaptics\SynTP\SynAsusAcpi.exe
x64-Run: [LiveUpdate] AsusSender.exe C:\Program Files (x86)\Asus\LiveUpdate\LiveUpdate.exe auto
x64-Run: [Eee Docking] C:\Program Files\ASUS\Eee Docking\Eee Docking.exe autorun
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /SF3 
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\cistray.exe
x64-IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 AiDriver;ASUS Charger Driver;C:\windows\System32\drivers\AiDriver.sys [2011-9-22 14464]
R0 MpFilter;Microsoft Malware Protection Driver;C:\windows\System32\drivers\MpFilter.sys [2012-8-30 228768]
R1 cmderd;COMODO Internet Security Eradication Driver;C:\windows\System32\drivers\cmderd.sys [2013-1-16 23176]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;C:\windows\System32\drivers\cmdguard.sys [2013-1-16 699880]
R1 cmdHlp;COMODO Internet Security Helper Driver;C:\windows\System32\drivers\cmdhlp.sys [2013-1-16 48360]
R2 AMD External Events Utility;AMD External Events Utility;C:\windows\System32\atiesrxx.exe [2011-9-20 204288]
R2 ASUS InstantOn;ASUS InstantOn Service;C:\Program Files (x86)\Common Files\InstantOn\InsOnSrv.exe [2011-6-2 64128]
R2 AsusService;Asus Launcher Service;C:\Windows\SysWOW64\AsusService.exe [2011-9-21 224680]
R2 CLPSLauncher;COMODO LPS Launcher;C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe [2013-1-30 70352]
R2 DragonUpdater;COMODO Dragon Update Service;C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe [2013-1-24 2074256]
R2 GeekBuddyRSP;GeekBuddyRSP Service;C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe [2013-1-15 1851088]
R2 NisDrv;Microsoft Network Inspection System;C:\windows\System32\drivers\NisDrvWFP.sys [2012-8-30 128456]
R2 VideAceWindowsService;VideAceWindowsService;C:\ExpressGateUtil\VAWinService.exe [2011-3-25 91464]
R3 asmthub3;ASMedia USB3 Hub Service;C:\windows\System32\drivers\asmthub3.sys [2011-8-1 129000]
R3 asmtxhci;ASMEDIA XHCI Service;C:\windows\System32\drivers\asmtxhci.sys [2011-8-1 391144]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\windows\System32\drivers\AtihdW76.sys [2011-9-20 115216]
R3 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\SeaPort.EXE [2012-6-11 240208]
R3 btwampfl;Bluetooth AMP USB Filter;C:\windows\System32\drivers\btwampfl.sys [2011-9-21 341032]
R3 btwl2cap;Bluetooth L2CAP Service;C:\windows\System32\drivers\btwl2cap.sys [2011-9-21 39464]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\windows\System32\drivers\L1C62x64.sys [2011-6-13 77936]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-9-12 368896]
S2 BBSvc;BingBar Service;C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\BBSvc.EXE [2012-6-11 193616]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-1-8 161536]
S3 cmdvirth;COMODO Virtual Service Manager;C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe [2013-1-24 158928]
S3 fssfltr;fssfltr;C:\windows\System32\drivers\fssfltr.sys [2011-9-21 48488]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2011-5-13 1492840]
S3 netr28x;Ralink 802.11n Wireless Driver for Windows Vista;C:\windows\System32\drivers\netr28x.sys [2009-6-10 620544]
S3 TsUsbFlt;TsUsbFlt;C:\windows\System32\drivers\TsUsbFlt.sys [2011-2-11 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\System32\drivers\TsUsbGD.sys [2011-2-11 31232]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\System32\Wat\WatAdminSvc.exe [2013-2-7 1255736]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2013-02-08 05:40:20    --------    d-----w-    C:\Users\Trin\AppData\Local\{0C174875-7C6E-4B66-87B3-5D411B6719EA}
2013-02-08 01:01:10    --------    d-----w-    C:\Program Files (x86)\VideoLAN
2013-02-07 21:55:09    --------    d-sh--w-    C:\$RECYCLE.BIN
2013-02-07 21:25:38    98816    ----a-w-    C:\windows\sed.exe
2013-02-07 21:25:38    256000    ----a-w-    C:\windows\PEV.exe
2013-02-07 21:25:38    208896    ----a-w-    C:\windows\MBR.exe
2013-02-07 21:25:04    --------    d-----w-    C:\Combo--Fix
2013-02-07 19:42:45    782240    ----a-w-    C:\windows\SysWow64\deployJava1.dll
2013-02-07 19:42:44    861088    ----a-w-    C:\windows\SysWow64\npDeployJava1.dll
2013-02-07 19:42:03    95648    ----a-w-    C:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-02-07 18:02:48    5559664    ----a-w-    C:\windows\System32\ntoskrnl.exe
2013-02-07 18:02:45    3968880    ----a-w-    C:\windows\SysWow64\ntkrnlpa.exe
2013-02-07 18:02:44    3914096    ----a-w-    C:\windows\SysWow64\ntoskrnl.exe
2013-02-07 17:53:47    --------    d-----w-    C:\Program Files (x86)\Common Files\Comodo
2013-02-07 08:16:20    --------    d-----w-    C:\Users\Trin\AppData\Roaming\OpenOffice.org
2013-02-07 07:12:56    --------    d-----w-    C:\windows\SysWow64\Wat
2013-02-07 07:12:55    --------    d-----w-    C:\windows\System32\Wat
2013-02-07 02:48:34    --------    d-----w-    C:\Users\Trin\AppData\Local\{88BACE5F-9B03-4EB2-A15C-40D2F526039E}
2013-02-07 02:01:57    --------    d-s---w-    C:\ProgramData\Shared Space
2013-02-07 01:57:47    --------    d-----w-    C:\Program Files\COMODO
2013-02-07 01:57:41    --------    d-----w-    C:\ProgramData\COMODO
2013-02-07 01:57:19    --------    d-----w-    C:\Users\Trin\AppData\Local\Comodo
2013-02-07 01:57:15    56072    ----a-w-    C:\windows\System32\certsentry.dll
2013-02-07 01:57:15    47368    ----a-w-    C:\windows\SysWow64\certsentry.dll
2013-02-07 01:57:01    --------    d-----w-    C:\Program Files (x86)\Comodo
2013-02-07 01:56:58    348160    ----a-w-    C:\windows\SysWow64\msvcr71.dll
2013-02-07 01:56:58    1700352    ----a-w-    C:\windows\SysWow64\gdiplus.dll
2013-02-07 01:56:58    1060864    ----a-w-    C:\windows\SysWow64\mfc71.dll
2013-02-07 01:56:53    --------    d-----w-    C:\ProgramData\Comodo Downloader
2013-02-07 01:36:51    --------    d-----w-    C:\Program Files (x86)\OpenOffice.org 3
2013-02-07 01:20:34    --------    d-----w-    C:\Boot
2013-02-07 00:19:23    2560    ----a-w-    C:\windows\System32\drivers\en-US\wdf01000.sys.mui
2013-02-07 00:19:22    9728    ----a-w-    C:\windows\System32\Wdfres.dll
2013-02-07 00:19:22    785512    ----a-w-    C:\windows\System32\drivers\Wdf01000.sys
2013-02-07 00:19:22    54376    ----a-w-    C:\windows\System32\drivers\WdfLdr.sys
2013-02-06 23:59:59    763424    ----a-w-    C:\Program Files\Internet Explorer\iexplore.exe
2013-02-06 23:56:11    46080    ----a-w-    C:\windows\System32\atmlib.dll
2013-02-06 23:56:11    34304    ----a-w-    C:\windows\SysWow64\atmlib.dll
2013-02-06 23:56:10    367616    ----a-w-    C:\windows\System32\atmfd.dll
2013-02-06 23:56:09    295424    ----a-w-    C:\windows\SysWow64\atmfd.dll
2013-02-06 23:54:15    87040    ----a-w-    C:\windows\System32\drivers\WUDFPf.sys
2013-02-06 23:54:15    198656    ----a-w-    C:\windows\System32\drivers\WUDFRd.sys
2013-02-06 23:54:14    84992    ----a-w-    C:\windows\System32\WUDFSvc.dll
2013-02-06 23:54:14    194048    ----a-w-    C:\windows\System32\WUDFPlatform.dll
2013-02-06 23:54:11    744448    ----a-w-    C:\windows\System32\WUDFx.dll
2013-02-06 23:54:11    45056    ----a-w-    C:\windows\System32\WUDFCoinstaller.dll
2013-02-06 23:54:11    229888    ----a-w-    C:\windows\System32\WUDFHost.exe
2013-02-06 23:49:04    81408    ----a-w-    C:\windows\System32\imagehlp.dll
2013-02-06 23:49:04    23408    ----a-w-    C:\windows\System32\drivers\fs_rec.sys
2013-02-06 23:49:03    159232    ----a-w-    C:\windows\SysWow64\imagehlp.dll
2013-02-06 23:49:02    5120    ----a-w-    C:\windows\SysWow64\wmi.dll
2013-02-06 23:49:02    5120    ----a-w-    C:\windows\System32\wmi.dll
2013-02-06 23:40:04    --------    d-----w-    C:\AMD
2013-02-06 23:39:25    2048    ----a-w-    C:\windows\SysWow64\tzres.dll
2013-02-06 23:39:25    2048    ----a-w-    C:\windows\System32\tzres.dll
2013-02-06 23:37:38    43520    ----a-w-    C:\windows\System32\csrsrv.dll
2013-02-06 23:37:36    1659760    ----a-w-    C:\windows\System32\drivers\ntfs.sys
2013-02-06 23:37:34    515584    ----a-w-    C:\windows\System32\timedate.cpl
2013-02-06 23:37:33    478720    ----a-w-    C:\windows\SysWow64\timedate.cpl
2013-02-06 23:37:32    750592    ----a-w-    C:\windows\System32\win32spl.dll
2013-02-06 23:37:31    492032    ----a-w-    C:\windows\SysWow64\win32spl.dll
2013-02-06 23:35:59    46592    ----a-w-    C:\windows\SysWow64\fpb.rs
2013-02-06 23:33:39    1465344    ----a-w-    C:\windows\System32\XpsPrint.dll
2013-02-06 23:33:38    870912    ----a-w-    C:\windows\SysWow64\XpsPrint.dll
2013-02-06 23:33:11    314880    ----a-w-    C:\windows\SysWow64\webio.dll
2013-02-06 23:33:10    395776    ----a-w-    C:\windows\System32\webio.dll
2013-02-06 23:32:58    3216384    ----a-w-    C:\windows\System32\msi.dll
2013-02-06 23:32:57    2342400    ----a-w-    C:\windows\SysWow64\msi.dll
2013-02-06 23:32:43    1464320    ----a-w-    C:\windows\System32\crypt32.dll
2013-02-06 23:32:41    1159680    ----a-w-    C:\windows\SysWow64\crypt32.dll
2013-02-06 23:32:40    184320    ----a-w-    C:\windows\System32\cryptsvc.dll
2013-02-06 23:32:40    140288    ----a-w-    C:\windows\System32\cryptnet.dll
2013-02-06 23:32:39    140288    ----a-w-    C:\windows\SysWow64\cryptsvc.dll
2013-02-06 23:32:39    103936    ----a-w-    C:\windows\SysWow64\cryptnet.dll
2013-02-06 23:30:52    478208    ----a-w-    C:\windows\System32\dpnet.dll
2013-02-06 23:29:28    273840    ------w-    C:\windows\System32\MpSigStub.exe
2013-02-06 23:28:18    956928    ----a-w-    C:\windows\System32\localspl.dll
2013-02-06 23:28:17    498688    ----a-w-    C:\windows\System32\drivers\afd.sys
2013-02-06 23:28:16    715776    ----a-w-    C:\windows\System32\kerberos.dll
2013-02-06 23:28:16    542208    ----a-w-    C:\windows\SysWow64\kerberos.dll
2013-02-06 23:26:57    --------    d-----w-    C:\ProgramData\Blizzard Entertainment
2013-02-06 23:26:57    --------    d-----w-    C:\Program Files (x86)\Common Files\Blizzard Entertainment
2013-02-06 23:23:57    1499136    ----a-w-    C:\Program Files\Common Files\System\ado\msado15.dll
2013-02-06 23:07:34    --------    d-----w-    C:\Program Files (x86)\Diablo III
2013-02-06 23:05:51    723456    ----a-w-    C:\windows\System32\EncDec.dll
2013-02-06 23:05:51    534528    ----a-w-    C:\windows\SysWow64\EncDec.dll
2013-02-06 23:04:15    77312    ----a-w-    C:\windows\System32\packager.dll
2013-02-06 23:04:15    67072    ----a-w-    C:\windows\SysWow64\packager.dll
2013-02-06 22:47:32    826880    ----a-w-    C:\windows\SysWow64\rdpcore.dll
2013-02-06 22:47:32    23552    ----a-w-    C:\windows\System32\drivers\tdtcp.sys
2013-02-06 22:47:32    1031680    ----a-w-    C:\windows\System32\rdpcore.dll
2013-02-06 22:45:02    8282192    ----a-w-    C:\ProgramData\Microsoft\BingBar\BBSvc\7.1.391.0oemBingBarSetup-Partner.EXE
2013-02-06 22:43:00    --------    d-----w-    C:\Users\Trin\AppData\Local\Google
2013-02-06 22:42:41    --------    d-----w-    C:\Users\Trin\AppData\Local\Deployment
2013-02-06 22:42:41    --------    d-----w-    C:\Users\Trin\AppData\Local\Apps
2013-02-06 22:40:41    --------    d-----r-    C:\Program Files (x86)\Skype
2013-02-06 22:40:02    --------    d-----w-    C:\Program Files\CCleaner
2013-02-06 22:38:58    --------    d-----w-    C:\Program Files (x86)\Microsoft Security Client
2013-02-06 22:38:51    --------    d-----w-    C:\Program Files\Microsoft Security Client
2013-02-06 22:33:25    --------    d-----w-    C:\Users\Trin\AppData\Local\Broadcom
2013-02-06 22:32:57    --------    d-----w-    C:\windows\ConfigSetRoot
2013-02-06 22:32:50    --------    d-----w-    C:\ExpressGateUtil
2013-02-06 22:32:09    2622464    ----a-w-    C:\windows\System32\wucltux.dll
2013-02-06 22:31:59    99840    ----a-w-    C:\windows\System32\wudriver.dll
2013-02-06 22:31:53    36864    ----a-w-    C:\windows\System32\wuapp.exe
2013-02-06 22:31:53    186752    ----a-w-    C:\windows\System32\wuwebv.dll
2013-02-06 22:30:00    --------    d-----w-    C:\Users\Trin\AppData\Local\VirtualStore
2013-01-25 03:43:04    43216    ----a-w-    C:\windows\System32\cmdcsr.dll
2013-01-25 03:43:02    461384    ----a-w-    C:\windows\System32\guard64.dll
2013-01-25 03:43:02    354752    ----a-w-    C:\windows\SysWow64\guard32.dll
2013-01-25 03:42:54    45776    ----a-w-    C:\windows\System32\cmdkbd64.dll
2013-01-25 03:42:54    326352    ----a-w-    C:\windows\System32\cmdvrt64.dll
2013-01-25 03:42:50    40656    ----a-w-    C:\windows\SysWow64\cmdkbd32.dll
2013-01-25 03:42:50    263888    ----a-w-    C:\windows\SysWow64\cmdvrt32.dll
2013-01-17 00:51:46    699880    ----a-w-    C:\windows\System32\drivers\cmdguard.sys
2013-01-17 00:51:46    48360    ----a-w-    C:\windows\System32\drivers\cmdhlp.sys
2013-01-17 00:51:44    23176    ----a-w-    C:\windows\System32\drivers\cmderd.sys
.
==================== Find3M  ====================
.
2013-01-24 21:52:38    40048208    ----a-w-    C:\Diablo-III-Setup-enUS.exe
2012-12-07 13:20:16    441856    ----a-w-    C:\windows\System32\Wpc.dll
2012-12-07 13:15:31    2746368    ----a-w-    C:\windows\System32\gameux.dll
2012-12-07 12:26:17    308736    ----a-w-    C:\windows\SysWow64\Wpc.dll
2012-12-07 12:20:43    2576384    ----a-w-    C:\windows\SysWow64\gameux.dll
2012-12-07 11:20:04    30720    ----a-w-    C:\windows\System32\usk.rs
2012-12-07 11:20:03    43520    ----a-w-    C:\windows\System32\csrr.rs
2012-12-07 11:20:03    23552    ----a-w-    C:\windows\System32\oflc.rs
2012-12-07 11:20:01    45568    ----a-w-    C:\windows\System32\oflc-nz.rs
2012-12-07 11:20:01    44544    ----a-w-    C:\windows\System32\pegibbfc.rs
2012-12-07 11:20:01    20480    ----a-w-    C:\windows\System32\pegi-fi.rs
2012-12-07 11:20:00    20480    ----a-w-    C:\windows\System32\pegi-pt.rs
2012-12-07 11:19:59    20480    ----a-w-    C:\windows\System32\pegi.rs
2012-12-07 11:19:58    46592    ----a-w-    C:\windows\System32\fpb.rs
2012-12-07 11:19:57    40960    ----a-w-    C:\windows\System32\cob-au.rs
2012-12-07 11:19:57    21504    ----a-w-    C:\windows\System32\grb.rs
2012-12-07 11:19:57    15360    ----a-w-    C:\windows\System32\djctq.rs
2012-12-07 11:19:56    55296    ----a-w-    C:\windows\System32\cero.rs
2012-12-07 11:19:55    51712    ----a-w-    C:\windows\System32\esrb.rs
2012-11-30 05:45:35    362496    ----a-w-    C:\windows\System32\wow64win.dll
2012-11-30 05:45:35    243200    ----a-w-    C:\windows\System32\wow64.dll
2012-11-30 05:45:35    13312    ----a-w-    C:\windows\System32\wow64cpu.dll
2012-11-30 05:45:14    215040    ----a-w-    C:\windows\System32\winsrv.dll
2012-11-30 05:43:12    16384    ----a-w-    C:\windows\System32\ntvdm64.dll
2012-11-30 05:41:07    424448    ----a-w-    C:\windows\System32\KernelBase.dll
2012-11-30 04:54:00    5120    ----a-w-    C:\windows\SysWow64\wow32.dll
2012-11-30 04:53:59    274944    ----a-w-    C:\windows\SysWow64\KernelBase.dll
2012-11-30 03:23:48    338432    ----a-w-    C:\windows\System32\conhost.exe
2012-11-30 02:44:06    25600    ----a-w-    C:\windows\SysWow64\setup16.exe
2012-11-30 02:44:04    7680    ----a-w-    C:\windows\SysWow64\instnm.exe
2012-11-30 02:44:04    14336    ----a-w-    C:\windows\SysWow64\ntvdm64.dll
2012-11-30 02:44:03    2048    ----a-w-    C:\windows\SysWow64\user.exe
2012-11-30 02:38:59    6144    ---ha-w-    C:\windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2012-11-30 02:38:59    4608    ---ha-w-    C:\windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2012-11-30 02:38:59    3584    ---ha-w-    C:\windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2012-11-30 02:38:59    3072    ---ha-w-    C:\windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2012-11-23 03:26:31    3149824    ----a-w-    C:\windows\System32\win32k.sys
2012-11-23 03:13:57    68608    ----a-w-    C:\windows\System32\taskhost.exe
2012-11-22 05:44:23    800768    ----a-w-    C:\windows\System32\usp10.dll
2012-11-22 04:45:03    626688    ----a-w-    C:\windows\SysWow64\usp10.dll
2012-11-20 05:48:49    307200    ----a-w-    C:\windows\System32\ncrypt.dll
2012-11-20 04:51:09    220160    ----a-w-    C:\windows\SysWow64\ncrypt.dll
2012-11-14 06:11:44    2312704    ----a-w-    C:\windows\System32\jscript9.dll
2012-11-14 06:04:11    1392128    ----a-w-    C:\windows\System32\wininet.dll
2012-11-14 06:02:49    1494528    ----a-w-    C:\windows\System32\inetcpl.cpl
2012-11-14 05:57:46    599040    ----a-w-    C:\windows\System32\vbscript.dll
2012-11-14 05:57:35    173056    ----a-w-    C:\windows\System32\ieUnatt.exe
2012-11-14 05:52:40    2382848    ----a-w-    C:\windows\System32\mshtml.tlb
2012-11-14 02:09:22    1800704    ----a-w-    C:\windows\SysWow64\jscript9.dll
2012-11-14 01:58:15    1427968    ----a-w-    C:\windows\SysWow64\inetcpl.cpl
2012-11-14 01:57:37    1129472    ----a-w-    C:\windows\SysWow64\wininet.dll
2012-11-14 01:49:25    142848    ----a-w-    C:\windows\SysWow64\ieUnatt.exe
2012-11-14 01:48:27    420864    ----a-w-    C:\windows\SysWow64\vbscript.dll
2012-11-14 01:44:42    2382848    ----a-w-    C:\windows\SysWow64\mshtml.tlb
.
============= FINISH:  2:35:51.05 ===============
 
 

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium 
Boot Device: \Device\HarddiskVolume1
Install Date: 2/6/2013 5:29:35 PM
System Uptime: 2/7/2013 7:01:53 PM (7 hours ago)
.
Motherboard: ASUSTeK COMPUTER INC. |  | VX6S
Processor: Intel® Atom™ CPU D2700   @ 2.13GHz | CPU 1 | 2128/533mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 100 GiB total, 54.27 GiB free.
D: is FIXED (NTFS) - 351 GiB total, 66.483 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP14: 2/7/2013 5:13:27 PM - Windows Update
RP15: 2/7/2013 9:32:13 PM - Language Pack Removal
.
==== Installed Programs ======================
.
Acrobat.com
AMD APP SDK Runtime
AMD Media Foundation Decoders
Asmedia ASM104x USB 3.0 Host Controller Driver
ASUS WebStorage
AsusScreensaver
ASUSUpdate for Eee PC
AsusVibe2.0
Atheros Client Installation Program
Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver
ATI Catalyst Install Manager
Bing Bar
Broadcom Wireless Network Adapter
CapsHook
Catalyst Control Center
Catalyst Control Center - Branding
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
Catalyst Control Center Profiles Mobile
ccc-utility64
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
CCleaner
Comodo Dragon
COMODO Internet Security
Contrôle ActiveX Windows Live Mesh pour connexions à distance
CyberLink YouCam
D3DX10
Diablo III
Eee Docking 3.10.4
ExpressGateCloud
FontResizer
Galerie de photos Windows Live
Game Park Console
GeekBuddy
Google Chrome
Google Update Helper
Hotkey Service
InstantOn
Java 7 Update 13
Java Auto Updater
Junk Mail filter update
LiveUpdate
LocaleMe
Mesh Runtime
Microsoft Application Error Reporting
Microsoft Office 2010
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable (x64)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319
MSVCRT
MSVCRT_amd64
OpenOffice.org 3.4.1
Raccolta foto di Windows Live
Realtek High Definition Audio Driver
Skype™ 6.1
Sonic Focus
Super Hybrid Engine
Synaptics Pointing Device Driver
syncables desktop SE
USBCharge+
VLC media player 2.0.5
WIDCOMM Bluetooth Software
Windows Live
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Fotogalerie
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Language Selector
Windows Live Mail
Windows Live Mesh
Windows Live Mesh - ActiveX-besturingselement voor externe verbindingen
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Messenger
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live Remote Client
Windows Live Remote Client Resources
Windows Live Remote Service
Windows Live Remote Service Resources
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
.
==== Event Viewer Messages From Past Week ========
.
2/7/2013 7:02:56 PM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  CFRMD
2/7/2013 7:02:25 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001]  - The computer has rebooted from a bugcheck.  The bugcheck was: 0x0000000a (0x0000000000f8001e, 0x0000000000000002, 0x0000000000000000, 0xfffff800030a5df5). A dump was saved in: C:\windows\MEMORY.DMP. Report Id: 020713-26551-01.
2/7/2013 5:37:03 PM, Error: Service Control Manager [7034]  - The COMODO Internet Security Helper Service service terminated unexpectedly.  It has done this 1 time(s).
2/7/2013 4:53:52 PM, Error: Service Control Manager [7030]  - The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
2/7/2013 4:50:54 PM, Error: Application Popup [1060]  - \??\C:\Combo--Fix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
2/6/2013 8:22:43 PM, Error: Service Control Manager [7023]  - 
2/6/2013 7:22:18 PM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  cdrom
2/6/2013 5:30:27 PM, Error: Service Control Manager [7000]  - The DETECT PS2:  service failed to start due to the following error:  This driver has been blocked from loading
2/6/2013 5:30:27 PM, Error: Application Popup [1060]  - \??\C:\Windows\AP\DetectSys.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
.
==== End Of File ===========================

 

 

Cheers,

Sascha


#4 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • PipPipPipPipPipPip
  • 122,845 posts
  • Gender:Male
  • Location:Puerto rico

Posted 08 February 2013 - 03:06 AM




Hello


These are the programs I would like you to run next, if you have any problems with these just skip it and run the next one.


-AdwCleaner-
  • Please download AdwCleaner by Xplode onto your desktop.
    • Close all open programs and internet browsers.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with Ok.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the content of that logfile with your next answer.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.
--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller or from here
    • Quit all programs that you may have started.
    • Please disconnect any USB or external drives from the computer before you run this scan!
    • For Vista or Windows 7, right-click and select "Run as Administrator to start"
    • For Windows XP, double-click to start.
    • Wait until Prescan has finished ...
    • Then Click on "Scan" button
    • Wait until the Status box shows "Scan Finished"
    • click on "delete"
    • Wait until the Status box shows "Deleting Finished"
    • Click on "Report" and copy/paste the content of the Notepad into your next reply.
    • The log should be found in RKreport[1].txt on your Desktop
    • Exit/Close RogueKiller+
Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

#5 sascha411

sascha411

    New Member

  • Members
  • Pip
  • 7 posts

Posted 08 February 2013 - 12:15 PM

Hi Gringo,

 

Still no signs of redirecting today (which is the longest period in 3 weeks).

 

Here the results of the scans:

 

 

# AdwCleaner v2.111 - Logfile created 02/08/2013 at 12:02:55
# Updated 05/02/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Trin - TRIN-PC
# Boot Mode : Normal
# Running from : C:\Users\Trin\Downloads\adwcleaner.exe
# Option [Delete]
 
 
***** [Services] *****
 
 
***** [Files / Folders] *****
 
 
***** [Registry] *****
 
 
***** [Internet Browsers] *****
 
-\\ Internet Explorer v9.0.8112.16457
 
[OK] Registry is clean.
 
-\\ Google Chrome v24.0.1312.57
 
File : C:\Users\Trin\AppData\Local\Google\Chrome\User Data\Default\Preferences
 
[OK] File is clean.
 
*************************
 
AdwCleaner[S1].txt - [654 octets] - [08/02/2013 12:02:55]
 
########## EOF - C:\AdwCleaner[S1].txt - [713 octets] ##########
 
 
Rkill 2.4.6 by Lawrence Abrams (Grinler)
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 02/08/2013 12:13:01 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * No issues found.
 
Checking Windows Service Integrity: 
 
 * No issues found.
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * HOSTS file entries found: 
 
  127.0.0.1       localhost
 
Program finished at: 02/08/2013 12:13:50 PM
Execution time: 0 hours(s), 0 minute(s), and 49 seconds(s)
 

#6 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • PipPipPipPipPipPip
  • 122,845 posts
  • Gender:Male
  • Location:Puerto rico

Posted 08 February 2013 - 12:17 PM


Hello

I Would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"
  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

  • Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

#7 sascha411

sascha411

    New Member

  • Members
  • Pip
  • 7 posts

Posted 08 February 2013 - 01:23 PM

Hi Gringo,

 

Still no signs of the redirecting activity... which is a good thing, I guess.

 

 

 

ComboFix 13-02-07.02 - Trin 02/08/2013  12:44:25.2.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.4091.2546 [GMT -5:00]
Running from: c:\users\Trin\Downloads\Combo--Fix.exe
AV: COMODO Antivirus *Disabled/Updated* {458BB331-2324-0753-3D5F-1472EB102AC0}
AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
FW: COMODO Firewall *Disabled* {7DB03214-694B-060B-1600-BD4715C36DBB}
SP: COMODO Antivirus *Disabled/Updated* {FEEA52D5-051E-08DD-07EF-2F009097607D}
SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\programdata\FullRemove.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-01-08 to 2013-02-08  )))))))))))))))))))))))))))))))
.
.
2013-02-08 18:01 . 2013-02-08 18:01    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-02-08 07:55 . 2013-02-08 07:55    --------    d-----w-    c:\program files (x86)\Microsoft.NET
2013-02-08 01:01 . 2013-02-08 01:01    --------    d-----w-    c:\program files (x86)\VideoLAN
2013-02-07 23:53 . 2013-02-08 17:13    76232    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1A4C2F5A-3403-40B2-AA8E-1BEC1E81DA0C}\offreg.dll
2013-02-07 22:16 . 2012-12-16 22:31    67599240    ----a-w-    c:\windows\system32\MRT.exe
2013-02-07 19:42 . 2013-02-07 19:42    --------    d-----w-    c:\program files (x86)\Common Files\Java
2013-02-07 19:42 . 2013-02-07 19:41    782240    ----a-w-    c:\windows\SysWow64\deployJava1.dll
2013-02-07 19:42 . 2013-02-07 19:41    861088    ----a-w-    c:\windows\SysWow64\npDeployJava1.dll
2013-02-07 19:42 . 2013-02-07 19:41    95648    ----a-w-    c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-02-07 19:41 . 2013-02-07 19:41    --------    d-----w-    c:\program files (x86)\Java
2013-02-07 18:02 . 2012-08-30 18:03    5559664    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-02-07 18:02 . 2012-08-30 17:12    3968880    ----a-w-    c:\windows\SysWow64\ntkrnlpa.exe
2013-02-07 18:02 . 2012-08-30 17:12    3914096    ----a-w-    c:\windows\SysWow64\ntoskrnl.exe
2013-02-07 17:53 . 2013-02-07 17:53    --------    d-----w-    c:\program files (x86)\Common Files\Comodo
2013-02-07 07:12 . 2013-02-07 07:12    --------    d-----w-    c:\windows\SysWow64\Wat
2013-02-07 07:12 . 2013-02-07 07:12    --------    d-----w-    c:\windows\system32\Wat
2013-02-07 02:01 . 2013-02-07 02:03    --------    d-s---w-    c:\programdata\Shared Space
2013-02-07 01:57 . 2013-02-07 01:57    --------    d-----w-    c:\program files\COMODO
2013-02-07 01:57 . 2013-02-07 02:00    --------    d-----w-    c:\programdata\COMODO
2013-02-07 01:57 . 2013-02-07 02:03    56072    ----a-w-    c:\windows\system32\certsentry.dll
2013-02-07 01:57 . 2013-02-07 02:03    47368    ----a-w-    c:\windows\SysWow64\certsentry.dll
2013-02-07 01:57 . 2013-02-07 02:03    --------    d-----w-    c:\program files (x86)\Comodo
2013-02-07 01:56 . 2013-02-07 01:56    348160    ----a-w-    c:\windows\SysWow64\msvcr71.dll
2013-02-07 01:56 . 2013-02-07 01:56    1700352    ----a-w-    c:\windows\SysWow64\gdiplus.dll
2013-02-07 01:56 . 2013-02-07 01:56    1060864    ----a-w-    c:\windows\SysWow64\mfc71.dll
2013-02-07 01:56 . 2013-02-07 01:56    --------    d-----w-    c:\programdata\Comodo Downloader
2013-02-07 01:36 . 2013-02-07 01:37    --------    d-----w-    c:\program files (x86)\OpenOffice.org 3
2013-02-07 01:20 . 2013-02-07 01:20    --------    d-----w-    C:\Boot
2013-02-07 00:24 . 2011-09-22 03:01    --------    d-----w-    c:\users\Default\AppData\Local\ASUS
2013-02-07 00:24 . 2011-09-22 03:01    --------    d-----w-    c:\users\Default\AppData\Local\Adobe
2013-02-07 00:24 . 2011-09-22 02:58    --------    d-----w-    c:\users\Default\AppData\Roaming\ASUS WebStorage
2013-02-07 00:24 . 2011-09-22 02:48    --------    d-----w-    c:\users\Default\AppData\Local\Windows Live
2013-02-07 00:24 . 2011-09-22 02:42    --------    d-----w-    c:\users\Default\AppData\Roaming\ATI
2013-02-07 00:24 . 2011-09-22 02:42    --------    d-----w-    c:\users\Default\AppData\Local\ATI
2013-02-07 00:24 . 2011-09-22 02:36    --------    d-----w-    c:\users\Default\AppData\Roaming\InstallShield
2013-02-07 00:24 . 2011-09-22 02:34    --------    d-----w-    c:\users\Default\AppData\Local\Downloaded Installations
2013-02-07 00:19 . 2012-07-26 04:47    2560    ----a-w-    c:\windows\system32\drivers\en-US\wdf01000.sys.mui
2013-02-07 00:19 . 2012-07-26 04:55    785512    ----a-w-    c:\windows\system32\drivers\Wdf01000.sys
2013-02-07 00:19 . 2012-07-26 04:55    54376    ----a-w-    c:\windows\system32\drivers\WdfLdr.sys
2013-02-07 00:19 . 2012-07-26 02:36    9728    ----a-w-    c:\windows\system32\Wdfres.dll
2013-02-06 23:59 . 2012-11-14 07:11    763424    ----a-w-    c:\program files\Internet Explorer\iexplore.exe
2013-02-06 23:56 . 2012-12-16 17:11    46080    ----a-w-    c:\windows\system32\atmlib.dll
2013-02-06 23:56 . 2012-12-16 14:13    34304    ----a-w-    c:\windows\SysWow64\atmlib.dll
2013-02-06 23:56 . 2012-12-16 14:45    367616    ----a-w-    c:\windows\system32\atmfd.dll
2013-02-06 23:56 . 2012-12-16 14:13    295424    ----a-w-    c:\windows\SysWow64\atmfd.dll
2013-02-06 23:54 . 2012-07-26 02:26    87040    ----a-w-    c:\windows\system32\drivers\WUDFPf.sys
2013-02-06 23:54 . 2012-07-26 02:26    198656    ----a-w-    c:\windows\system32\drivers\WUDFRd.sys
2013-02-06 23:54 . 2012-07-26 03:08    84992    ----a-w-    c:\windows\system32\WUDFSvc.dll
2013-02-06 23:54 . 2012-07-26 03:08    194048    ----a-w-    c:\windows\system32\WUDFPlatform.dll
2013-02-06 23:54 . 2012-07-26 03:08    229888    ----a-w-    c:\windows\system32\WUDFHost.exe
2013-02-06 23:54 . 2012-07-26 03:08    744448    ----a-w-    c:\windows\system32\WUDFx.dll
2013-02-06 23:54 . 2012-07-26 03:08    45056    ----a-w-    c:\windows\system32\WUDFCoinstaller.dll
2013-02-06 23:49 . 2012-03-01 06:46    23408    ----a-w-    c:\windows\system32\drivers\fs_rec.sys
2013-02-06 23:49 . 2012-03-01 06:33    81408    ----a-w-    c:\windows\system32\imagehlp.dll
2013-02-06 23:49 . 2012-03-01 05:33    159232    ----a-w-    c:\windows\SysWow64\imagehlp.dll
2013-02-06 23:49 . 2012-03-01 06:28    5120    ----a-w-    c:\windows\system32\wmi.dll
2013-02-06 23:49 . 2012-03-01 05:29    5120    ----a-w-    c:\windows\SysWow64\wmi.dll
2013-02-06 23:40 . 2013-02-06 23:40    --------    d-----w-    C:\AMD
2013-02-06 23:39 . 2012-11-09 05:45    2048    ----a-w-    c:\windows\system32\tzres.dll
2013-02-06 23:39 . 2012-11-09 04:42    2048    ----a-w-    c:\windows\SysWow64\tzres.dll
2013-02-06 23:37 . 2011-10-26 05:21    43520    ----a-w-    c:\windows\system32\csrsrv.dll
2013-02-06 23:37 . 2012-08-31 18:19    1659760    ----a-w-    c:\windows\system32\drivers\ntfs.sys
2013-02-06 23:37 . 2011-12-30 06:26    515584    ----a-w-    c:\windows\system32\timedate.cpl
2013-02-06 23:37 . 2011-12-30 05:27    478720    ----a-w-    c:\windows\SysWow64\timedate.cpl
2013-02-06 23:37 . 2012-11-09 05:45    750592    ----a-w-    c:\windows\system32\win32spl.dll
2013-02-06 23:37 . 2012-11-09 04:43    492032    ----a-w-    c:\windows\SysWow64\win32spl.dll
2013-02-06 23:35 . 2012-12-07 11:20    30720    ----a-w-    c:\windows\system32\usk.rs
2013-02-06 23:34 . 2012-11-30 05:41    1161216    ----a-w-    c:\windows\system32\kernel32.dll
2013-02-06 23:33 . 2011-03-12 12:08    1465344    ----a-w-    c:\windows\system32\XpsPrint.dll
2013-02-06 23:33 . 2011-03-12 11:23    870912    ----a-w-    c:\windows\SysWow64\XpsPrint.dll
2013-02-06 23:33 . 2011-11-17 05:35    314880    ----a-w-    c:\windows\SysWow64\webio.dll
2013-02-06 23:33 . 2011-11-17 06:35    395776    ----a-w-    c:\windows\system32\webio.dll
2013-02-06 23:33 . 2012-06-09 05:43    14172672    ----a-w-    c:\windows\system32\shell32.dll
2013-02-06 23:32 . 2012-04-07 12:31    3216384    ----a-w-    c:\windows\system32\msi.dll
2013-02-06 23:32 . 2012-04-07 11:26    2342400    ----a-w-    c:\windows\SysWow64\msi.dll
2013-02-06 23:32 . 2012-06-02 05:41    1464320    ----a-w-    c:\windows\system32\crypt32.dll
2013-02-06 23:32 . 2012-06-02 04:36    1159680    ----a-w-    c:\windows\SysWow64\crypt32.dll
2013-02-06 23:32 . 2012-06-02 05:41    184320    ----a-w-    c:\windows\system32\cryptsvc.dll
2013-02-06 23:32 . 2012-06-02 05:41    140288    ----a-w-    c:\windows\system32\cryptnet.dll
2013-02-06 23:32 . 2012-06-02 04:36    140288    ----a-w-    c:\windows\SysWow64\cryptsvc.dll
2013-02-06 23:32 . 2012-06-02 04:36    103936    ----a-w-    c:\windows\SysWow64\cryptnet.dll
2013-02-06 23:30 . 2012-11-02 05:59    478208    ----a-w-    c:\windows\system32\dpnet.dll
2013-02-06 23:29 . 2013-01-30 10:53    273840    ------w-    c:\windows\system32\MpSigStub.exe
2013-02-06 23:28 . 2012-05-14 05:26    956928    ----a-w-    c:\windows\system32\localspl.dll
2013-02-06 23:28 . 2011-12-28 03:59    498688    ----a-w-    c:\windows\system32\drivers\afd.sys
2013-02-06 23:28 . 2012-08-11 00:56    715776    ----a-w-    c:\windows\system32\kerberos.dll
2013-02-06 23:28 . 2012-08-10 23:56    542208    ----a-w-    c:\windows\SysWow64\kerberos.dll
2013-02-06 23:26 . 2013-02-06 23:27    --------    d-----w-    c:\programdata\Blizzard Entertainment
2013-02-06 23:26 . 2013-02-06 23:27    --------    d-----w-    c:\program files (x86)\Common Files\Blizzard Entertainment
2013-02-06 23:23 . 2012-06-06 06:05    1499136    ----a-w-    c:\program files\Common Files\System\ado\msado15.dll
2013-02-06 23:07 . 2013-02-06 23:27    --------    d-----w-    c:\program files (x86)\Diablo III
2013-02-06 23:05 . 2011-10-15 06:31    723456    ----a-w-    c:\windows\system32\EncDec.dll
2013-02-06 23:05 . 2011-10-15 05:38    534528    ----a-w-    c:\windows\SysWow64\EncDec.dll
2013-02-06 23:04 . 2011-11-19 14:58    77312    ----a-w-    c:\windows\system32\packager.dll
2013-02-06 23:04 . 2011-11-19 14:01    67072    ----a-w-    c:\windows\SysWow64\packager.dll
2013-02-06 22:47 . 2012-02-17 06:38    1031680    ----a-w-    c:\windows\system32\rdpcore.dll
2013-02-06 22:47 . 2012-02-17 05:34    826880    ----a-w-    c:\windows\SysWow64\rdpcore.dll
2013-02-06 22:47 . 2012-02-17 04:57    23552    ----a-w-    c:\windows\system32\drivers\tdtcp.sys
2013-02-06 22:43 . 2013-02-06 22:46    --------    d-----w-    c:\program files (x86)\Google
2013-02-06 22:40 . 2013-02-06 22:40    --------    d-----w-    c:\program files (x86)\Common Files\Skype
2013-02-06 22:40 . 2013-02-06 22:40    --------    d-----r-    c:\program files (x86)\Skype
2013-02-06 22:40 . 2013-02-06 22:40    --------    d-----w-    c:\programdata\Skype
2013-02-06 22:40 . 2013-02-06 22:40    --------    d-----w-    c:\program files\CCleaner
2013-02-06 22:38 . 2013-02-06 22:38    --------    d-----w-    c:\program files (x86)\Microsoft Security Client
2013-02-06 22:38 . 2013-02-06 22:39    --------    d-----w-    c:\program files\Microsoft Security Client
2013-02-06 22:32 . 2013-02-06 22:32    --------    d-----w-    c:\windows\ConfigSetRoot
2013-02-06 22:32 . 2013-02-06 22:41    --------    d-----w-    C:\ExpressGateUtil
2013-02-06 22:32 . 2012-06-02 22:19    44056    ----a-w-    c:\windows\system32\wups2.dll
2013-02-06 22:32 . 2012-06-02 22:19    2428952    ----a-w-    c:\windows\system32\wuaueng.dll
2013-02-06 22:32 . 2012-06-02 22:19    57880    ----a-w-    c:\windows\system32\wuauclt.exe
2013-02-06 22:32 . 2012-06-02 22:15    2622464    ----a-w-    c:\windows\system32\wucltux.dll
2013-02-06 22:31 . 2012-06-02 22:19    38424    ----a-w-    c:\windows\system32\wups.dll
2013-02-06 22:31 . 2012-06-02 22:19    701976    ----a-w-    c:\windows\system32\wuapi.dll
2013-02-06 22:31 . 2012-06-02 22:15    99840    ----a-w-    c:\windows\system32\wudriver.dll
2013-02-06 22:31 . 2012-06-02 20:19    186752    ----a-w-    c:\windows\system32\wuwebv.dll
2013-02-06 22:31 . 2012-06-02 20:15    36864    ----a-w-    c:\windows\system32\wuapp.exe
2013-02-06 22:29 . 2013-02-08 07:24    --------    d-----w-    c:\users\Trin
2013-02-06 22:29 . 2013-02-06 22:29    --------    d-----w-    C:\Recovery
2013-01-25 03:43 . 2013-01-25 03:43    43216    ----a-w-    c:\windows\system32\cmdcsr.dll
2013-01-25 03:43 . 2013-01-25 03:43    461384    ----a-w-    c:\windows\system32\guard64.dll
2013-01-25 03:43 . 2013-01-25 03:43    354752    ----a-w-    c:\windows\SysWow64\guard32.dll
2013-01-25 03:42 . 2013-01-25 03:42    45776    ----a-w-    c:\windows\system32\cmdkbd64.dll
2013-01-25 03:42 . 2013-01-25 03:42    326352    ----a-w-    c:\windows\system32\cmdvrt64.dll
2013-01-25 03:42 . 2013-01-25 03:42    40656    ----a-w-    c:\windows\SysWow64\cmdkbd32.dll
2013-01-25 03:42 . 2013-01-25 03:42    263888    ----a-w-    c:\windows\SysWow64\cmdvrt32.dll
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-06 22:30 . 2011-03-29 01:36    19696    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-11-30 04:45 . 2013-02-06 23:34    44032    ----a-w-    c:\windows\apppatch\acwow64.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-05-13 336384]
"SonicMasterTray"="c:\program files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe" [2010-07-10 984400]
"UCam_Menu"="c:\program files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"HotkeyMon"="AsusSender.exe" [2011-07-13 34728]
"HotkeyService"="AsusSender.exe" [2011-07-13 34728]
"SuperHybridEngine"="AsusSender.exe" [2011-07-13 34728]
"CapsHook"="AsusSender.exe" [2011-07-13 34728]
"ASUSWebStorage"="c:\program files (x86)\ASUS\ASUS WebStorage\3.0.108.222\AsusWSPanel.exe" [2011-07-29 737104]
"iSeriesCharge"="AsusSender.exe" [2011-07-13 34728]
"VAWinAgent"="c:\expressgateutil\VAWinAgent.exe" [2011-08-12 45448]
"ASUSPRP"="c:\program files (x86)\ASUS\APRP\APRP.EXE" [2011-09-22 2984688]
"gbrspcontrol"="c:\program files (x86)\Common Files\Comodo\GeekBuddyRSP.exe" [2013-01-15 1851088]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\users\Trin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.4.1.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2012-8-13 1199104]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2010-5-21 1127712]
Start GeekBuddy.lnk - c:\program files (x86)\Comodo\GeekBuddy\launcher.exe [2013-1-30 49360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R1 CFRMD;CFRMD;c:\windows\system32\DRIVERS\CFRMD.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2013-01-08 161536]
R3 cmdvirth;COMODO Virtual Service Manager;c:\program files\COMODO\COMODO Internet Security\cmdvirth.exe [2013-01-25 158928]
R3 netr28x;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr28x.sys [2009-06-10 620544]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-08-31 128456]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-09-13 368896]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 31232]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2013-02-07 1255736]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 AiDriver;ASUS Charger Driver;c:\windows\system32\DRIVERS\AiDriver.sys [2010-05-20 14464]
S1 AsUpIO;AsUpIO;SysWow64\drivers\AsUpIO.sys [x]
S1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\DRIVERS\cmderd.sys [2013-01-17 23176]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2013-01-17 699880]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2013-01-17 48360]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-05-12 204288]
S2 ASUS InstantOn;ASUS InstantOn Service;c:\program files (x86)\Common Files\InstantOn\InsOnSrv.exe [2011-06-02 64128]
S2 AsusService;Asus Launcher Service;c:\windows\SysWOW64\AsusService.exe [2011-07-11 224680]
S2 CLPSLauncher;COMODO LPS Launcher;c:\program files (x86)\Common Files\Comodo\launcher_service.exe [2013-01-30 70352]
S2 DragonUpdater;COMODO Dragon Update Service;c:\program files (x86)\Comodo\Dragon\dragon_updater.exe [2013-01-24 2074256]
S2 GeekBuddyRSP;GeekBuddyRSP Service;c:\program files (x86)\Common Files\Comodo\GeekBuddyRSP.exe [2013-01-15 1851088]
S2 VideAceWindowsService;VideAceWindowsService;c:\expressgateutil\VAWinService.exe [2011-03-25 91464]
S3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\DRIVERS\asmthub3.sys [2011-08-01 129000]
S3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\DRIVERS\asmtxhci.sys [2011-08-01 391144]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2010-11-17 115216]
S3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [2010-05-21 341032]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2010-05-21 39464]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [2011-03-23 77936]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-02-06 22:46    1607120    ----a-w-    c:\program files (x86)\Google\Chrome\Application\24.0.1312.57\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-02-06 22:43]
.
2013-02-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-02-06 22:43]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_B]
@="{6D4133E5-0742-4ADC-8A8C-9303440F7190}"
[HKEY_CLASSES_ROOT\CLSID\{6D4133E5-0742-4ADC-8A8C-9303440F7190}]
2011-05-25 07:09    227840    ----a-w-    c:\program files (x86)\ASUS\ASUS WebStorage\3.0.108.222\AsusWSShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_O]
@="{64174815-8D98-4CE6-8646-4C039977D808}"
[HKEY_CLASSES_ROOT\CLSID\{64174815-8D98-4CE6-8646-4C039977D808}]
2011-05-25 07:09    227840    ----a-w-    c:\program files (x86)\ASUS\ASUS WebStorage\3.0.108.222\AsusWSShellExt64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LiveUpdate"="AsusSender.exe" [2011-07-11 34728]
"Eee Docking"="c:\program files\ASUS\Eee Docking\Eee Docking.exe" [2011-04-14 467120]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-08-22 12673128]
"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2011-08-22 2277480]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-13 1289704]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cistray.exe" [2013-01-25 1451728]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://asus.msn.com
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 178.32.44.61 176.31.64.141
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-Locked - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
HKLM-Run-SynAsusAcpi - c:\program files (x86)\Synaptics\SynTP\SynAsusAcpi.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-02-08  13:10:01
ComboFix-quarantined-files.txt  2013-02-08 18:09
.
Pre-Run: 57,501,716,480 bytes free
Post-Run: 57,314,803,712 bytes free
.
- - End Of File - - 95875CC0788BD5A59B78F766112C7E7A

#8 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • PipPipPipPipPipPip
  • 122,845 posts
  • Gender:Male
  • Location:Puerto rico

Posted 09 February 2013 - 08:26 AM



Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:
 ClearJavaCache::
Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
CFScriptB-4.gif
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"
  • In your next post I need the following
    • report from Combofix
      • let me know of any problems you may have had
        • How is the computer doing now after running the script?
      Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

#9 sascha411

sascha411

    New Member

  • Members
  • Pip
  • 7 posts

Posted 09 February 2013 - 12:31 PM

Hi Gringo,

 

No more problems. No redirect. Thank you so much for all your help.

 

Did you see anything in the logfiles, that hinted to the Trojan/Virus ?

 

Cheers,

Sascha

 

 

ComboFix 13-02-07.02 - Trin 02/09/2013  11:56:13.3.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.4091.2488 [GMT -5:00]
Running from: c:\users\Trin\Downloads\Combo--Fix.exe
Command switches used :: c:\users\Trin\Desktop\CFScript.txt
AV: COMODO Antivirus *Enabled/Updated* {458BB331-2324-0753-3D5F-1472EB102AC0}
AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
FW: COMODO Firewall *Enabled* {7DB03214-694B-060B-1600-BD4715C36DBB}
SP: COMODO Antivirus *Enabled/Updated* {FEEA52D5-051E-08DD-07EF-2F009097607D}
SP: Microsoft Security Essentials *Enabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2013-01-09 to 2013-02-09  )))))))))))))))))))))))))))))))
.
.
2013-02-09 17:14 . 2013-02-09 17:14    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-02-09 04:54 . 2013-01-08 02:32    9161176    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{FA536C74-627E-4ECC-B17D-F2FAF5D1D40E}\mpengine.dll
2013-02-08 18:15 . 2013-01-08 02:32    9161176    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-02-08 07:55 . 2013-02-08 07:55    --------    d-----w-    c:\program files (x86)\Microsoft.NET
2013-02-08 01:01 . 2013-02-08 01:01    --------    d-----w-    c:\program files (x86)\VideoLAN
2013-02-07 22:16 . 2012-12-16 22:31    67599240    ----a-w-    c:\windows\system32\MRT.exe
2013-02-07 19:42 . 2013-02-07 19:42    --------    d-----w-    c:\program files (x86)\Common Files\Java
2013-02-07 19:42 . 2013-02-07 19:41    782240    ----a-w-    c:\windows\SysWow64\deployJava1.dll
2013-02-07 19:42 . 2013-02-07 19:41    861088    ----a-w-    c:\windows\SysWow64\npDeployJava1.dll
2013-02-07 19:42 . 2013-02-07 19:41    95648    ----a-w-    c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-02-07 19:41 . 2013-02-07 19:41    --------    d-----w-    c:\program files (x86)\Java
2013-02-07 18:02 . 2012-08-30 18:03    5559664    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-02-07 18:02 . 2012-08-30 17:12    3968880    ----a-w-    c:\windows\SysWow64\ntkrnlpa.exe
2013-02-07 18:02 . 2012-08-30 17:12    3914096    ----a-w-    c:\windows\SysWow64\ntoskrnl.exe
2013-02-07 17:53 . 2013-02-07 17:53    --------    d-----w-    c:\program files (x86)\Common Files\Comodo
2013-02-07 07:12 . 2013-02-07 07:12    --------    d-----w-    c:\windows\SysWow64\Wat
2013-02-07 07:12 . 2013-02-07 07:12    --------    d-----w-    c:\windows\system32\Wat
2013-02-07 02:01 . 2013-02-07 02:03    --------    d-s---w-    c:\programdata\Shared Space
2013-02-07 01:57 . 2013-02-07 01:57    --------    d-----w-    c:\program files\COMODO
2013-02-07 01:57 . 2013-02-07 02:00    --------    d-----w-    c:\programdata\COMODO
2013-02-07 01:57 . 2013-02-07 02:03    56072    ----a-w-    c:\windows\system32\certsentry.dll
2013-02-07 01:57 . 2013-02-07 02:03    47368    ----a-w-    c:\windows\SysWow64\certsentry.dll
2013-02-07 01:57 . 2013-02-07 02:03    --------    d-----w-    c:\program files (x86)\Comodo
2013-02-07 01:56 . 2013-02-07 01:56    348160    ----a-w-    c:\windows\SysWow64\msvcr71.dll
2013-02-07 01:56 . 2013-02-07 01:56    1700352    ----a-w-    c:\windows\SysWow64\gdiplus.dll
2013-02-07 01:56 . 2013-02-07 01:56    1060864    ----a-w-    c:\windows\SysWow64\mfc71.dll
2013-02-07 01:56 . 2013-02-07 01:56    --------    d-----w-    c:\programdata\Comodo Downloader
2013-02-07 01:36 . 2013-02-07 01:37    --------    d-----w-    c:\program files (x86)\OpenOffice.org 3
2013-02-07 01:20 . 2013-02-07 01:20    --------    d-----w-    C:\Boot
2013-02-07 00:24 . 2011-09-22 03:01    --------    d-----w-    c:\users\Default\AppData\Local\ASUS
2013-02-07 00:24 . 2011-09-22 03:01    --------    d-----w-    c:\users\Default\AppData\Local\Adobe
2013-02-07 00:24 . 2011-09-22 02:58    --------    d-----w-    c:\users\Default\AppData\Roaming\ASUS WebStorage
2013-02-07 00:24 . 2011-09-22 02:48    --------    d-----w-    c:\users\Default\AppData\Local\Windows Live
2013-02-07 00:24 . 2011-09-22 02:42    --------    d-----w-    c:\users\Default\AppData\Roaming\ATI
2013-02-07 00:24 . 2011-09-22 02:42    --------    d-----w-    c:\users\Default\AppData\Local\ATI
2013-02-07 00:24 . 2011-09-22 02:36    --------    d-----w-    c:\users\Default\AppData\Roaming\InstallShield
2013-02-07 00:24 . 2011-09-22 02:34    --------    d-----w-    c:\users\Default\AppData\Local\Downloaded Installations
2013-02-07 00:19 . 2012-07-26 04:47    2560    ----a-w-    c:\windows\system32\drivers\en-US\wdf01000.sys.mui
2013-02-07 00:19 . 2012-07-26 04:55    785512    ----a-w-    c:\windows\system32\drivers\Wdf01000.sys
2013-02-07 00:19 . 2012-07-26 04:55    54376    ----a-w-    c:\windows\system32\drivers\WdfLdr.sys
2013-02-07 00:19 . 2012-07-26 02:36    9728    ----a-w-    c:\windows\system32\Wdfres.dll
2013-02-06 23:59 . 2012-11-14 07:11    763424    ----a-w-    c:\program files\Internet Explorer\iexplore.exe
2013-02-06 23:56 . 2012-12-16 17:11    46080    ----a-w-    c:\windows\system32\atmlib.dll
2013-02-06 23:56 . 2012-12-16 14:13    34304    ----a-w-    c:\windows\SysWow64\atmlib.dll
2013-02-06 23:56 . 2012-12-16 14:45    367616    ----a-w-    c:\windows\system32\atmfd.dll
2013-02-06 23:56 . 2012-12-16 14:13    295424    ----a-w-    c:\windows\SysWow64\atmfd.dll
2013-02-06 23:54 . 2012-07-26 02:26    87040    ----a-w-    c:\windows\system32\drivers\WUDFPf.sys
2013-02-06 23:54 . 2012-07-26 02:26    198656    ----a-w-    c:\windows\system32\drivers\WUDFRd.sys
2013-02-06 23:54 . 2012-07-26 03:08    84992    ----a-w-    c:\windows\system32\WUDFSvc.dll
2013-02-06 23:54 . 2012-07-26 03:08    194048    ----a-w-    c:\windows\system32\WUDFPlatform.dll
2013-02-06 23:54 . 2012-07-26 03:08    229888    ----a-w-    c:\windows\system32\WUDFHost.exe
2013-02-06 23:54 . 2012-07-26 03:08    744448    ----a-w-    c:\windows\system32\WUDFx.dll
2013-02-06 23:54 . 2012-07-26 03:08    45056    ----a-w-    c:\windows\system32\WUDFCoinstaller.dll
2013-02-06 23:49 . 2012-03-01 06:46    23408    ----a-w-    c:\windows\system32\drivers\fs_rec.sys
2013-02-06 23:49 . 2012-03-01 06:33    81408    ----a-w-    c:\windows\system32\imagehlp.dll
2013-02-06 23:49 . 2012-03-01 05:33    159232    ----a-w-    c:\windows\SysWow64\imagehlp.dll
2013-02-06 23:49 . 2012-03-01 06:28    5120    ----a-w-    c:\windows\system32\wmi.dll
2013-02-06 23:49 . 2012-03-01 05:29    5120    ----a-w-    c:\windows\SysWow64\wmi.dll
2013-02-06 23:40 . 2013-02-06 23:40    --------    d-----w-    C:\AMD
2013-02-06 23:39 . 2012-11-09 05:45    2048    ----a-w-    c:\windows\system32\tzres.dll
2013-02-06 23:39 . 2012-11-09 04:42    2048    ----a-w-    c:\windows\SysWow64\tzres.dll
2013-02-06 23:37 . 2011-10-26 05:21    43520    ----a-w-    c:\windows\system32\csrsrv.dll
2013-02-06 23:37 . 2012-08-31 18:19    1659760    ----a-w-    c:\windows\system32\drivers\ntfs.sys
2013-02-06 23:37 . 2011-12-30 06:26    515584    ----a-w-    c:\windows\system32\timedate.cpl
2013-02-06 23:37 . 2011-12-30 05:27    478720    ----a-w-    c:\windows\SysWow64\timedate.cpl
2013-02-06 23:37 . 2012-11-09 05:45    750592    ----a-w-    c:\windows\system32\win32spl.dll
2013-02-06 23:37 . 2012-11-09 04:43    492032    ----a-w-    c:\windows\SysWow64\win32spl.dll
2013-02-06 23:35 . 2012-12-07 11:20    30720    ----a-w-    c:\windows\system32\usk.rs
2013-02-06 23:34 . 2012-11-30 05:41    1161216    ----a-w-    c:\windows\system32\kernel32.dll
2013-02-06 23:33 . 2011-03-12 12:08    1465344    ----a-w-    c:\windows\system32\XpsPrint.dll
2013-02-06 23:33 . 2011-03-12 11:23    870912    ----a-w-    c:\windows\SysWow64\XpsPrint.dll
2013-02-06 23:33 . 2011-11-17 05:35    314880    ----a-w-    c:\windows\SysWow64\webio.dll
2013-02-06 23:33 . 2011-11-17 06:35    395776    ----a-w-    c:\windows\system32\webio.dll
2013-02-06 23:33 . 2012-06-09 05:43    14172672    ----a-w-    c:\windows\system32\shell32.dll
2013-02-06 23:32 . 2012-04-07 12:31    3216384    ----a-w-    c:\windows\system32\msi.dll
2013-02-06 23:32 . 2012-04-07 11:26    2342400    ----a-w-    c:\windows\SysWow64\msi.dll
2013-02-06 23:32 . 2012-06-02 05:41    1464320    ----a-w-    c:\windows\system32\crypt32.dll
2013-02-06 23:32 . 2012-06-02 04:36    1159680    ----a-w-    c:\windows\SysWow64\crypt32.dll
2013-02-06 23:32 . 2012-06-02 05:41    184320    ----a-w-    c:\windows\system32\cryptsvc.dll
2013-02-06 23:32 . 2012-06-02 05:41    140288    ----a-w-    c:\windows\system32\cryptnet.dll
2013-02-06 23:32 . 2012-06-02 04:36    140288    ----a-w-    c:\windows\SysWow64\cryptsvc.dll
2013-02-06 23:32 . 2012-06-02 04:36    103936    ----a-w-    c:\windows\SysWow64\cryptnet.dll
2013-02-06 23:30 . 2012-11-02 05:59    478208    ----a-w-    c:\windows\system32\dpnet.dll
2013-02-06 23:29 . 2013-01-30 10:53    273840    ------w-    c:\windows\system32\MpSigStub.exe
2013-02-06 23:28 . 2012-05-14 05:26    956928    ----a-w-    c:\windows\system32\localspl.dll
2013-02-06 23:28 . 2011-12-28 03:59    498688    ----a-w-    c:\windows\system32\drivers\afd.sys
2013-02-06 23:28 . 2012-08-11 00:56    715776    ----a-w-    c:\windows\system32\kerberos.dll
2013-02-06 23:28 . 2012-08-10 23:56    542208    ----a-w-    c:\windows\SysWow64\kerberos.dll
2013-02-06 23:26 . 2013-02-06 23:27    --------    d-----w-    c:\programdata\Blizzard Entertainment
2013-02-06 23:26 . 2013-02-06 23:27    --------    d-----w-    c:\program files (x86)\Common Files\Blizzard Entertainment
2013-02-06 23:23 . 2012-06-06 06:05    1499136    ----a-w-    c:\program files\Common Files\System\ado\msado15.dll
2013-02-06 23:07 . 2013-02-06 23:27    --------    d-----w-    c:\program files (x86)\Diablo III
2013-02-06 23:05 . 2011-10-15 06:31    723456    ----a-w-    c:\windows\system32\EncDec.dll
2013-02-06 23:05 . 2011-10-15 05:38    534528    ----a-w-    c:\windows\SysWow64\EncDec.dll
2013-02-06 23:04 . 2011-11-19 14:58    77312    ----a-w-    c:\windows\system32\packager.dll
2013-02-06 23:04 . 2011-11-19 14:01    67072    ----a-w-    c:\windows\SysWow64\packager.dll
2013-02-06 22:47 . 2012-02-17 06:38    1031680    ----a-w-    c:\windows\system32\rdpcore.dll
2013-02-06 22:47 . 2012-02-17 05:34    826880    ----a-w-    c:\windows\SysWow64\rdpcore.dll
2013-02-06 22:47 . 2012-02-17 04:57    23552    ----a-w-    c:\windows\system32\drivers\tdtcp.sys
2013-02-06 22:43 . 2013-02-06 22:46    --------    d-----w-    c:\program files (x86)\Google
2013-02-06 22:40 . 2013-02-06 22:40    --------    d-----w-    c:\program files (x86)\Common Files\Skype
2013-02-06 22:40 . 2013-02-06 22:40    --------    d-----r-    c:\program files (x86)\Skype
2013-02-06 22:40 . 2013-02-06 22:40    --------    d-----w-    c:\programdata\Skype
2013-02-06 22:40 . 2013-02-06 22:40    --------    d-----w-    c:\program files\CCleaner
2013-02-06 22:38 . 2013-02-06 22:38    --------    d-----w-    c:\program files (x86)\Microsoft Security Client
2013-02-06 22:38 . 2013-02-06 22:39    --------    d-----w-    c:\program files\Microsoft Security Client
2013-02-06 22:32 . 2013-02-06 22:32    --------    d-----w-    c:\windows\ConfigSetRoot
2013-02-06 22:32 . 2013-02-06 22:41    --------    d-----w-    C:\ExpressGateUtil
2013-02-06 22:32 . 2012-06-02 22:19    44056    ----a-w-    c:\windows\system32\wups2.dll
2013-02-06 22:32 . 2012-06-02 22:19    2428952    ----a-w-    c:\windows\system32\wuaueng.dll
2013-02-06 22:32 . 2012-06-02 22:19    57880    ----a-w-    c:\windows\system32\wuauclt.exe
2013-02-06 22:32 . 2012-06-02 22:15    2622464    ----a-w-    c:\windows\system32\wucltux.dll
2013-02-06 22:31 . 2012-06-02 22:19    38424    ----a-w-    c:\windows\system32\wups.dll
2013-02-06 22:31 . 2012-06-02 22:19    701976    ----a-w-    c:\windows\system32\wuapi.dll
2013-02-06 22:31 . 2012-06-02 22:15    99840    ----a-w-    c:\windows\system32\wudriver.dll
2013-02-06 22:31 . 2012-06-02 20:19    186752    ----a-w-    c:\windows\system32\wuwebv.dll
2013-02-06 22:31 . 2012-06-02 20:15    36864    ----a-w-    c:\windows\system32\wuapp.exe
2013-02-06 22:29 . 2013-02-08 22:59    --------    d-----w-    c:\users\Trin
2013-02-06 22:29 . 2013-02-06 22:29    --------    d-----w-    C:\Recovery
2013-01-25 03:43 . 2013-01-25 03:43    43216    ----a-w-    c:\windows\system32\cmdcsr.dll
2013-01-25 03:43 . 2013-01-25 03:43    461384    ----a-w-    c:\windows\system32\guard64.dll
2013-01-25 03:43 . 2013-01-25 03:43    354752    ----a-w-    c:\windows\SysWow64\guard32.dll
2013-01-25 03:42 . 2013-01-25 03:42    45776    ----a-w-    c:\windows\system32\cmdkbd64.dll
2013-01-25 03:42 . 2013-01-25 03:42    326352    ----a-w-    c:\windows\system32\cmdvrt64.dll
2013-01-25 03:42 . 2013-01-25 03:42    40656    ----a-w-    c:\windows\SysWow64\cmdkbd32.dll
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-06 22:30 . 2011-03-29 01:36    19696    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-11-30 04:45 . 2013-02-06 23:34    44032    ----a-w-    c:\windows\apppatch\acwow64.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-05-13 336384]
"SonicMasterTray"="c:\program files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe" [2010-07-10 984400]
"UCam_Menu"="c:\program files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"HotkeyMon"="AsusSender.exe" [2011-07-13 34728]
"HotkeyService"="AsusSender.exe" [2011-07-13 34728]
"SuperHybridEngine"="AsusSender.exe" [2011-07-13 34728]
"CapsHook"="AsusSender.exe" [2011-07-13 34728]
"ASUSWebStorage"="c:\program files (x86)\ASUS\ASUS WebStorage\3.0.108.222\AsusWSPanel.exe" [2011-07-29 737104]
"iSeriesCharge"="AsusSender.exe" [2011-07-13 34728]
"VAWinAgent"="c:\expressgateutil\VAWinAgent.exe" [2011-08-12 45448]
"ASUSPRP"="c:\program files (x86)\ASUS\APRP\APRP.EXE" [2011-09-22 2984688]
"gbrspcontrol"="c:\program files (x86)\Common Files\Comodo\GeekBuddyRSP.exe" [2013-01-15 1851088]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\users\Trin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.4.1.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2012-8-13 1199104]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2010-5-21 1127712]
Start GeekBuddy.lnk - c:\program files (x86)\Comodo\GeekBuddy\launcher.exe [2013-1-30 49360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R1 CFRMD;CFRMD;c:\windows\system32\DRIVERS\CFRMD.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2013-01-08 161536]
R3 cmdvirth;COMODO Virtual Service Manager;c:\program files\COMODO\COMODO Internet Security\cmdvirth.exe [2013-01-25 158928]
R3 netr28x;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr28x.sys [2009-06-10 620544]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 31232]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2013-02-07 1255736]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 AiDriver;ASUS Charger Driver;c:\windows\system32\DRIVERS\AiDriver.sys [2010-05-20 14464]
S1 AsUpIO;AsUpIO;SysWow64\drivers\AsUpIO.sys [x]
S1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\DRIVERS\cmderd.sys [2013-01-17 23176]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2013-01-17 699880]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2013-01-17 48360]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-05-12 204288]
S2 ASUS InstantOn;ASUS InstantOn Service;c:\program files (x86)\Common Files\InstantOn\InsOnSrv.exe [2011-06-02 64128]
S2 AsusService;Asus Launcher Service;c:\windows\SysWOW64\AsusService.exe [2011-07-11 224680]
S2 CLPSLauncher;COMODO LPS Launcher;c:\program files (x86)\Common Files\Comodo\launcher_service.exe [2013-01-30 70352]
S2 DragonUpdater;COMODO Dragon Update Service;c:\program files (x86)\Comodo\Dragon\dragon_updater.exe [2013-01-24 2074256]
S2 GeekBuddyRSP;GeekBuddyRSP Service;c:\program files (x86)\Common Files\Comodo\GeekBuddyRSP.exe [2013-01-15 1851088]
S2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-08-31 128456]
S2 VideAceWindowsService;VideAceWindowsService;c:\expressgateutil\VAWinService.exe [2011-03-25 91464]
S3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\DRIVERS\asmthub3.sys [2011-08-01 129000]
S3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\DRIVERS\asmtxhci.sys [2011-08-01 391144]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2010-11-17 115216]
S3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [2010-05-21 341032]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2010-05-21 39464]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [2011-03-23 77936]
S3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-09-13 368896]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-02-06 22:46    1607120    ----a-w-    c:\program files (x86)\Google\Chrome\Application\24.0.1312.57\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-02-06 22:43]
.
2013-02-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-02-06 22:43]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_B]
@="{6D4133E5-0742-4ADC-8A8C-9303440F7190}"
[HKEY_CLASSES_ROOT\CLSID\{6D4133E5-0742-4ADC-8A8C-9303440F7190}]
2011-05-25 07:09    227840    ----a-w-    c:\program files (x86)\ASUS\ASUS WebStorage\3.0.108.222\AsusWSShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_O]
@="{64174815-8D98-4CE6-8646-4C039977D808}"
[HKEY_CLASSES_ROOT\CLSID\{64174815-8D98-4CE6-8646-4C039977D808}]
2011-05-25 07:09    227840    ----a-w-    c:\program files (x86)\ASUS\ASUS WebStorage\3.0.108.222\AsusWSShellExt64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"SynAsusAcpi"="c:\program files (x86)\Synaptics\SynTP\SynAsusAcpi.exe" [BU]
"LiveUpdate"="AsusSender.exe" [2011-07-11 34728]
"Eee Docking"="c:\program files\ASUS\Eee Docking\Eee Docking.exe" [2011-04-14 467120]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-08-22 12673128]
"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2011-08-22 2277480]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-13 1289704]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cistray.exe" [2013-01-25 1451728]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://asus.msn.com
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 5.135.154.162 188.165.58.10
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-02-09  12:24:59
ComboFix-quarantined-files.txt  2013-02-09 17:24
ComboFix2.txt  2013-02-08 18:10
.
Pre-Run: 59,056,271,360 bytes free
Post-Run: 59,080,892,416 bytes free
.
- - End Of File - - E729FF75F4D2EBC9B37A654CED56B92A

#10 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • PipPipPipPipPipPip
  • 122,845 posts
  • Gender:Male
  • Location:Puerto rico

Posted 09 February 2013 - 02:52 PM



Hello

These logs are looking allot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

Clean Out Temp Files
  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/
    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Run CCleaner. default settings are fine
    • Click Run Cleaner.
    • Close CCleaner.
Run Malwarebytes

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
    Click OK to either and let MBAM proceed with the disinfection process.
    If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

    Download HijackThis
    • Go Here to download HijackThis program
    • Save HijackThis to your desktop.
    • Right Click on Hijackthis and select "Run as Admin" (XP users just need to double click to run)
    • Click on "Do A system scan and save a logfile" (if you do not see "Do A system scan and save a logfile" then click on main menu)
    • copy and paste hijackthis report into the topic
    "information and logs"
    • In your next post I need the following
      • Log From MBAM
      • report from Hijackthis
      • let me know of any problems you may have had
      • How is the computer doing now?
    Gringo




I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

#11 sascha411

sascha411

    New Member

  • Members
  • Pip
  • 7 posts

Posted 09 February 2013 - 04:16 PM

Hi Gringo,

 

CC - Cleaner done, and attached the 2 file reports:

 

 

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org
 
Database version: v2013.02.09.07
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Trin :: TRIN-PC [administrator]
 
2/9/2013 3:57:39 PM
mbam-log-2013-02-09 (15-57-39).txt
 
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 213328
Time elapsed: 10 minute(s), 24 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
(end)
 
 
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:13:13 PM, on 2/9/2013
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16457)
Boot mode: Normal
 
Running processes:
C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe
C:\ExpressGateUtil\VAWinAgent.exe
C:\windows\SysWOW64\RunDll32.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Users\Trin\Downloads\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://asus.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SonicMasterTray] C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
O4 - HKLM\..\Run: [HotkeyMon] AsusSender.exe C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe
O4 - HKLM\..\Run: [HotkeyService] AsusSender.exe C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe
O4 - HKLM\..\Run: [SuperHybridEngine] AsusSender.exe C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe
O4 - HKLM\..\Run: [CapsHook] AsusSender.exe C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe
O4 - HKLM\..\Run: [ASUSWebStorage] C:\Program Files (x86)\ASUS\ASUS WebStorage\3.0.108.222\AsusWSPanel.exe /S
O4 - HKLM\..\Run: [iSeriesCharge] AsusSender.exe C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe
O4 - HKLM\..\Run: [VAWinAgent] C:\ExpressGateUtil\VAWinAgent.exe
O4 - HKLM\..\Run: [ASUSPRP] C:\Program Files (x86)\ASUS\APRP\APRP.EXE
O4 - HKLM\..\Run: [gbrspcontrol] "C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe" -controlservice -slave
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - Startup: OpenOffice.org 3.4.1.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Start GeekBuddy.lnk = C:\Program Files (x86)\Comodo\GeekBuddy\launcher.exe
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send To Bluetooth - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: Send to &Bluetooth Device... - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\windows\system32\atiesrxx.exe (file missing)
O23 - Service: ASUS InstantOn Service (ASUS InstantOn) - ASUS - C:\Program Files (x86)\Common Files\InstantOn\InsOnSrv.exe
O23 - Service: Asus Launcher Service (AsusService) - Unknown owner - C:\windows\SysWOW64\AsusService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
O23 - Service: COMODO LPS Launcher (CLPSLauncher) - Comodo Security Solutions Inc. - C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: COMODO Virtual Service Manager (cmdvirth) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe
O23 - Service: COMODO Dragon Update Service (DragonUpdater) - Unknown owner - C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\windows\system32\fxssvc.exe (file missing)
O23 - Service: GeekBuddyRSP Service (GeekBuddyRSP) - Comodo Security Solutions, Inc. - C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\windows\System32\vds.exe (file missing)
O23 - Service: VideAceWindowsService - Unknown owner - C:\ExpressGateUtil\VAWinService.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
 
--
End of file - 9927 bytes

#12 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • PipPipPipPipPipPip
  • 122,845 posts
  • Gender:Male
  • Location:Puerto rico

Posted 09 February 2013 - 06:41 PM




Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.
  • Run HijackThis (rightclick and run as admin)
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
      O4 - HKLM\..\Run: [VAWinAgent] C:\ExpressGateUtil\VAWinAgent.exe
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
      O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
      O4 - Startup: OpenOffice.org 3.4.1.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe


  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.
    • NOTE**You can research each of those lines >here< and see if you want to keep them or not
      just copy the name between the brackets and paste into the search space
      O4 - HKLM\..\Run: [IntelliPoint]

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the add/on to be installed
    • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options
    • Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.

  • Click Scan
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish
  • When the scan is complete
    • If no threats were found
      • put a checkmark in "Uninstall application on close"
      • close program
      • report to me that nothing was found
    • If threats were found
      • click on "list of threats found"
      • click on "export to text file" and save it as ESET SCAN and save to the desktop
      • Click on back
      • put a checkmark in "Uninstall application on close"
      • click on finish
      • close program
      • copy and paste the report here
    Gringo





I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

#13 sascha411

sascha411

    New Member

  • Members
  • Pip
  • 7 posts

Posted 09 February 2013 - 09:09 PM

Hey Gringo,

 

- Startup-Apps removed.

- Esec Scan - nothing was found

 

Any signs, as where this Virus/Trojan came from, or where it did hide ?

 

Cheers,

Sascha


#14 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • PipPipPipPipPipPip
  • 122,845 posts
  • Gender:Male
  • Location:Puerto rico

Posted 09 February 2013 - 10:20 PM



Hello

No I can't tell where itr came from

Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.

:Why we need to remove some of our tools:
  • Some of the tools we have used to clean your computer were made by fellow malware fighters and are very powerful and if used incorrectly or at the wronge time can make the computer an expensive paper weight.
    They are updated all the time and some of them more than once a day so by the time you are ready to use them again they will already be outdated.

    The following procedures will implement some cleanup procedures to remove these tools. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.
:DeFogger:

Note** Defogger only needs to be run if it was run when we first started. If you have not already run it then skip this.
  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
    • The application window will appear
    • Click the Re-enable button to re-enable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK.
    Your Emulation drivers are now re-enabled.

:Uninstall ComboFix:
  • turn off all active protection software
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.
  • CF-Uninstall.png
  • :Remove the rest of our tools:

    Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
    • Double-click OTCleanIt.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes, if not delete it by yourself.
    • If asked to restart the computer, please do so
    Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

    :The programs you can keep:

    Some of the programs that we have used would be a good idea to keep and used often in helping to keep the computer clean. I use these programs on my computer.
    • Revo Uninstaller Free - this is the uninstaller that I had you download and works allot better than add/remove in windows and has saved me more than once from corrupted installs and uninstalls

      CCleaner - This is a good program to clean out temp files, I would use this once a week or before any malware scan to remove unwanted temp files - It has a built in registry cleaner but I would leave that alone and not use any registry cleaner

      Malwarebytes' Anti-Malware The Gold standerd today in antimalware scanners

    :Security programs:

    One of the questions I am asked all the time is "What programs do you use" I have at this time 4 computers in my home and I have this setup on all 4 of them.
    • Microsoft Security Essentials - provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.
    • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
    • Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
      totally free but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recomend keeping it and using often. (I have upgraded to the paid version of MBAM and I am glad I did)

      Note** If you decide to install MSE you will need to uninstall your present Antivirus
:Security awareness:


It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
Strong passwords: How to create and use them Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.


The other question I am asked all the time is "How can I prevent this from happening again." and the short answer to that is to be aware of what is out there and how to start spotting dangers.

Here are some articles that are must reads and should be read by everybody in your household that uses the internetHere is some more reading for you from some of my collegesquoted from Tech Support Forum

Conclusion

There is no such thing as ‘perfect security’. This applies to many things, not just computer systems. Using the above guide you should be able to take all the reasonable steps you can to prevent infection. However, the most important part of all this is you, the user. Surf sensibly and think before you download a file or click on a link. Take a few moments to assess the possible risks and you should be able to enjoy all the internet has to offer.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

#15 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • PipPipPipPipPipPip
  • 122,845 posts
  • Gender:Male
  • Location:Puerto rico

Posted 12 February 2013 - 01:12 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Back to Virus, Trojan, Spyware, and Malware Removal Logs


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users


  1. BleepingComputer.com
  2. Security
  3. Virus, Trojan, Spyware, and Malware Removal Logs
  4. Privacy Policy
  5. Rules ·