Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Audio adverts playing in background virus


  • This topic is locked This topic is locked
13 replies to this topic

#1 Ragdollmafia

Ragdollmafia

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:16 PM

Posted 16 February 2013 - 12:52 PM

Hello everyone,

 

for the last day or two I have been getting audio adverts playing on my computer in the background; they play intermittingly at random intervals.

 

I am not that computer savvy however I have tried using Malwarebytes, Tdsskiller and CCleaner all to no avail as when I restart after the cleanup the ads are still playing.  

 

If anyone can help and let me know what I need to do to get rid of this, I'd greatly appreciate it.

 

Thanks.

 

 



BC AdBot (Login to Remove)

 


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 53,532 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:03:16 PM

Posted 16 February 2013 - 01:11 PM

Hello, lets see if we can find the cause of your problem. smile.png

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
  • Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

    Information on A/V control HERE


regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."


banner.png

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome


#3 Ragdollmafia

Ragdollmafia
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:16 PM

Posted 16 February 2013 - 02:38 PM

Thanks for the reply Elise, I followed your instructions, here's the results

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16457
Run by Kate at 19:32:04 on 2013-02-16
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.4029.2489 [GMT 0:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe
C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\NETGEAR\WNA3100\WifiSvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Windows\System32\M-AudioTaskBarIcon.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\NETGEAR\WNA3100\WNA3100.exe
C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_149_ActiveX.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_149_ActiveX.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uSearch Bar = Preserve
mStart Page = hxxp://www.google.com
mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe"  /MINIMIZED
uRun: [nbint] rundll32.exe "C:\Users\Kate\AppData\Roaming\nbint.dll",ASetEOFMark
uRun: [erasp] "C:\Windows\System32\rundll32.exe" "C:\Users\Kate\AppData\Roaming\erasp.dll",SetEncoding
uRun: [cocor] "C:\Windows\System32\rundll32.exe" "C:\Users\Kate\AppData\Roaming\cocor.dll",SetItem
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe"  -osboot
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
StartupFolder: C:\Users\Kate\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\NETGEA~1.LNK - C:\Program Files (x86)\NETGEAR\WNA3100\WNA3100.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
LSP: mswsock.dll
Trusted Zone: line6.net
TCP: NameServer = 194.168.4.100 194.168.8.100
TCP: Interfaces\{03FF5458-156E-4E52-91CF-9E611F20A5AC} : DHCPNameServer = 194.168.4.100 194.168.8.100
TCP: Interfaces\{03FF5458-156E-4E52-91CF-9E611F20A5AC}\244564F4E4 : DHCPNameServer = 192.168.22.22 192.168.22.23
TCP: Interfaces\{03FF5458-156E-4E52-91CF-9E611F20A5AC}\2445F40756E6A7F6E656 : DHCPNameServer = 192.168.22.22 192.168.22.23
TCP: Interfaces\{7F885B55-8B36-4FEA-8F59-0E4FDA1BC53E} : DHCPNameServer = 194.168.4.100 194.168.8.100
TCP: Interfaces\{7F885B55-8B36-4FEA-8F59-0E4FDA1BC53E}\05C65737E6564775962756C656373723A485558585 : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{7F885B55-8B36-4FEA-8F59-0E4FDA1BC53E}\244564F4E4 : DHCPNameServer = 192.168.22.22 192.168.22.23
TCP: Interfaces\{D2E18EBD-F48F-4AF9-8282-415BD4649A90} : DHCPNameServer = 194.168.4.100 194.168.8.100
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
AppInit_DLLs= c:\progra~3\browse~1\251005~1.80\{c16c1~1\browse~1.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\24.0.1312.57\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-mStart Page = hxxp://www.google.com
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [M-Audio Taskbar Icon] C:\Windows\System32\M-AudioTaskBarIcon.exe
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 SCMNdisP;General NDIS Protocol Driver;C:\Windows\System32\drivers\SCMNdisP.sys [2012-3-2 25312]
R2 DigiNet;Digidesign Ethernet Support;C:\Windows\System32\drivers\diginet.sys [2012-9-11 23384]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-2-15 398184]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-2-15 682344]
R2 NIHardwareService;NIHardwareService;C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe [2011-12-5 5739008]
R2 PaceLicenseDServices;PACE License Services;C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe [2012-5-18 2938880]
R2 WSWNA3100;WSWNA3100;C:\Program Files (x86)\NETGEAR\WNA3100\WifiSvc.exe [2012-3-2 285152]
R3 GPWADrv;Service for L6 GuitarPort Driver (WDM);C:\Windows\System32\drivers\GPWADrv64.sys [2011-11-30 772096]
R3 MAUSBFASTTRACK;Service for M-Audio FastTrack;C:\Windows\System32\drivers\MAudioFastTrack.sys [2010-12-7 187912]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-2-15 24176]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-11-4 239616]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;C:\Windows\System32\drivers\bcmwlhigh664.sys [2012-3-2 838136]
S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2012-10-18 57856]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2012-9-12 1512448]
S3 synusb64;eLicenser;C:\Windows\System32\drivers\synusb64.sys [2012-5-14 30352]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-3-4 1255736]
.
=============== File Associations ===============
.
FileExt: .js: JSFile="C:\Program Files (x86)\Adobe\Adobe Dreamweaver CS6\Dreamweaver.exe","%1"
.
=============== Created Last 30 ================
.
2013-02-16 15:04:24 -------- d-----w- C:\Program Files\CCleaner
2013-02-16 14:46:34 -------- d-----w- C:\TDSSKiller_Quarantine
2013-02-15 20:18:42 -------- d-----w- C:\Users\Kate\AppData\Roaming\Malwarebytes
2013-02-15 20:18:35 24176 ----a-w- C:\Windows\System32\drivers\mbam.sys
2013-02-15 20:18:35 -------- d-----w- C:\ProgramData\Malwarebytes
2013-02-15 20:18:35 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-02-15 20:17:49 -------- d-----w- C:\Users\Kate\AppData\Local\Programs
2013-02-15 16:39:37 290835 ----a-w- C:\Users\Kate\AppData\Roaming\cocor.dll
2013-02-15 16:39:15 497171 ----a-w- C:\Users\Kate\AppData\Roaming\erasp.dll
2013-02-15 16:38:26 172032 ----a-w- C:\Users\Kate\AppData\Roaming\nbint.dll
2013-01-23 11:20:58 -------- d-----w- C:\Users\Kate\AppData\Roaming\OpenOffice.org
2013-01-22 22:22:35 -------- d-----w- C:\Program Files (x86)\OpenOffice.org 3
2013-01-20 12:53:52 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%
2013-01-18 22:33:40 9161176 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{942D84C4-E59D-49EC-9CAC-BDA65C090F84}\mpengine.dll
.
==================== Find3M  ====================
.
2013-02-16 14:48:10 328192 ----a-w- C:\Windows\System32\services.exe
2013-02-09 21:34:12 74096 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-02-09 21:34:12 697712 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-12-17 17:11:17 50157 ----a-w- C:\Windows\SysWow64\tpvzpsdvzzlg.exe
2012-12-16 16:52:02 46080 ----a-w- C:\Windows\System32\atmlib.dll
2012-12-16 14:40:45 367616 ----a-w- C:\Windows\System32\atmfd.dll
2012-12-16 14:25:27 295424 ----a-w- C:\Windows\SysWow64\atmfd.dll
2012-12-16 14:25:19 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2012-12-07 05:41:16 441856 ----a-w- C:\Windows\System32\Wpc.dll
2012-12-07 05:35:34 2745856 ----a-w- C:\Windows\System32\gameux.dll
2012-12-07 05:04:20 308736 ----a-w- C:\Windows\SysWow64\Wpc.dll
2012-12-07 04:57:38 2576384 ----a-w- C:\Windows\SysWow64\gameux.dll
2012-12-07 03:21:08 45568 ----a-w- C:\Windows\SysWow64\oflc-nz.rs
2012-11-30 05:50:00 362496 ----a-w- C:\Windows\System32\wow64win.dll
2012-11-30 05:50:00 243200 ----a-w- C:\Windows\System32\wow64.dll
2012-11-30 05:50:00 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2012-11-30 05:49:28 215040 ----a-w- C:\Windows\System32\winsrv.dll
2012-11-30 05:46:35 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2012-11-30 05:43:53 424960 ----a-w- C:\Windows\System32\KernelBase.dll
2012-11-30 05:06:50 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2012-11-30 05:06:49 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2012-11-30 03:33:03 338432 ----a-w- C:\Windows\System32\conhost.exe
2012-11-30 02:56:36 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2012-11-30 02:56:35 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2012-11-30 02:56:34 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2012-11-30 02:56:33 2048 ----a-w- C:\Windows\SysWow64\user.exe
2012-11-30 02:51:41 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2012-11-30 02:51:41 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2012-11-30 02:51:41 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2012-11-30 02:51:41 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2012-11-23 03:45:35 3147264 ----a-w- C:\Windows\System32\win32k.sys
2012-11-22 10:32:45 801280 ----a-w- C:\Windows\System32\usp10.dll
2012-11-22 09:33:26 627712 ----a-w- C:\Windows\SysWow64\usp10.dll
2012-11-20 05:55:59 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2012-11-20 05:10:07 219136 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2012-10-09 16:39:06 1055856 ----a-w- C:\Program Files (x86)\VSL Goniometer.dll
2012-10-09 16:38:56 4142704 ----a-w- C:\Program Files (x86)\VSL Hybrid Reverb.dll
2012-10-09 16:38:42 3530352 ----a-w- C:\Program Files (x86)\VSL Convolution Reverb.dll
2012-10-09 16:38:28 1152112 ----a-w- C:\Program Files (x86)\VSL Multiband.dll
2012-10-09 16:38:18 986736 ----a-w- C:\Program Files (x86)\VSL Powerpan.dll
2012-10-09 16:38:08 1100912 ----a-w- C:\Program Files (x86)\VSL Master Equalizer.dll
2012-10-09 16:37:58 1021040 ----a-w- C:\Program Files (x86)\VSL Limiter.dll
2012-10-09 16:37:48 977520 ----a-w- C:\Program Files (x86)\VSL Exciter.dll
2012-10-09 16:37:38 1150064 ----a-w- C:\Program Files (x86)\VSL Equalizer.dll
2012-10-09 16:37:28 1067632 ----a-w- C:\Program Files (x86)\VSL Compressor.dll
2012-10-09 16:37:18 1023088 ----a-w- C:\Program Files (x86)\VSL Analyzer.dll
.
============= FINISH: 19:32:29.85 ===============
 



#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 53,532 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:03:16 PM

Posted 16 February 2013 - 03:27 PM

There is indeed some malware showing up here that is most likely responsible for the audio alerts, but unfortunately also a rootkit. Before continuing with the cleaning process, read the following.

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


We need to run a scan with Combofix:
  • Please go to the download page for ComboFix by sUBs.
  • Click the Download Now button pictured below and save the file to your desktop:

    download.png
  • Disable any anti-virus and/or firewall software you have installed.
    instructions can be found here if needed
  • Close all open windows including your web browser
    as mentioned in the first post, you may want to print out all instructions before starting
  • Double-click on the ComboFix icon on your desktop. cf-icon.jpg
  • Read the Disclaimer and click I Agree if you want to run the software, then you should see a window like the one below:

    cf-preparing.jpg
  • DO NOT use your computer while ComboFix is running. There are a lot of things going on behind the scenes and a single mouse click can cause the program to stall.

    However, if you see the prompt below, please click Yes to download the Microsoft Windows Recovery Console.

    recovery-console-prompt.jpg

    If an Internet connection is not available or you choose not to install the recovery console, ComboFix will run in Reduced Functionality mode
  • Allow ComboFix to reboot the computer if necessary, it will run again after you log back in.
  • When complete, a log file will be displayed, please copy and paste the contents of this file into your next post.

    cf-log.jpg
  • More information about downloading and using ComboFix can be found here if needed.

regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."


banner.png

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome


#5 Ragdollmafia

Ragdollmafia
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:16 PM

Posted 16 February 2013 - 04:33 PM

I decided to do the combofix scan, here's the results

 

ComboFix 13-02-15.01 - Kate 02/16/2013  21:17:16.1.4 - x64
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.4029.2713 [GMT 0:00]
Running from: c:\users\Kate\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Kate\AppData\Roaming\cocor.dll
c:\users\Kate\AppData\Roaming\erasp.dll
c:\users\Kate\AppData\Roaming\nbint.dll
c:\windows\SysWow64\Packet.dll
c:\windows\SysWow64\pthreadVC.dll
c:\windows\SysWow64\wpcap.dll
.
Infected copy of c:\windows\system32\Services.exe was found and disinfected
Restored copy from - c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_NPF
.
.
(((((((((((((((((((((((((   Files Created from 2013-01-16 to 2013-02-16  )))))))))))))))))))))))))))))))
.
.
2013-02-16 21:22 . 2013-02-16 21:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-02-16 15:04 . 2013-02-16 15:04 -------- d-----w- c:\program files\CCleaner
2013-02-16 14:46 . 2013-02-16 16:33 -------- d-----w- C:\TDSSKiller_Quarantine
2013-02-15 20:18 . 2013-02-15 20:18 -------- d-----w- c:\users\Kate\AppData\Roaming\Malwarebytes
2013-02-15 20:18 . 2013-02-15 20:18 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2013-02-15 20:18 . 2013-02-15 20:18 -------- d-----w- c:\programdata\Malwarebytes
2013-02-15 20:18 . 2012-12-14 16:49 24176 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-02-15 20:17 . 2013-02-15 20:17 -------- d-----w- c:\users\Kate\AppData\Local\Programs
2013-02-07 11:41 . 2013-02-07 11:41 -------- d-----w- c:\users\Administrator
2013-01-23 11:20 . 2013-01-23 11:20 -------- d-----w- c:\users\Kate\AppData\Roaming\OpenOffice.org
2013-01-22 22:22 . 2013-01-22 22:22 -------- d-----w- c:\program files (x86)\OpenOffice.org 3
2013-01-20 12:53 . 2013-01-20 12:53 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2013-01-18 22:33 . 2013-01-08 05:32 9161176 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{942D84C4-E59D-49EC-9CAC-BDA65C090F84}\mpengine.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-09 21:34 . 2012-06-11 19:29 697712 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-02-09 21:34 . 2012-03-06 20:42 74096 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-12-17 17:11 . 2012-09-22 16:22 50157 ----a-w- c:\windows\SysWow64\tpvzpsdvzzlg.exe
2012-12-17 10:31 . 2012-10-19 07:54 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
2012-12-17 10:31 . 2012-10-19 07:54 2876528 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2012-12-17 10:31 . 2012-10-19 07:54 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
2012-12-16 16:52 . 2012-12-22 03:00 46080 ----a-w- c:\windows\system32\atmlib.dll
2012-12-16 14:40 . 2012-12-22 03:00 367616 ----a-w- c:\windows\system32\atmfd.dll
2012-12-16 14:25 . 2012-12-22 03:00 295424 ----a-w- c:\windows\SysWow64\atmfd.dll
2012-12-16 14:25 . 2012-12-22 03:00 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2012-12-13 13:27 . 2012-10-18 17:06 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2012-12-13 13:27 . 2012-10-18 17:06 2876528 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2012-12-13 13:27 . 2012-10-18 17:06 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2012-12-13 13:26 . 2012-10-23 18:53 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2012-12-10 18:51 . 2012-10-18 17:06 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2012-12-07 05:41 . 2013-01-09 10:38 441856 ----a-w- c:\windows\system32\Wpc.dll
2012-12-07 05:35 . 2013-01-09 10:38 2745856 ----a-w- c:\windows\system32\gameux.dll
2012-12-07 05:04 . 2013-01-09 10:38 308736 ----a-w- c:\windows\SysWow64\Wpc.dll
2012-12-07 04:57 . 2013-01-09 10:38 2576384 ----a-w- c:\windows\SysWow64\gameux.dll
2012-12-07 03:45 . 2013-01-09 10:38 43520 ----a-w- c:\windows\system32\csrr.rs
2012-12-07 03:45 . 2013-01-09 10:38 45568 ----a-w- c:\windows\system32\oflc-nz.rs
2012-12-07 03:45 . 2013-01-09 10:38 30720 ----a-w- c:\windows\system32\usk.rs
2012-12-07 03:45 . 2013-01-09 10:38 23552 ----a-w- c:\windows\system32\oflc.rs
2012-12-07 03:45 . 2013-01-09 10:38 44544 ----a-w- c:\windows\system32\pegibbfc.rs
2012-12-07 03:45 . 2013-01-09 10:38 40960 ----a-w- c:\windows\system32\cob-au.rs
2012-12-07 03:45 . 2013-01-09 10:38 21504 ----a-w- c:\windows\system32\grb.rs
2012-12-07 03:45 . 2013-01-09 10:38 20480 ----a-w- c:\windows\system32\pegi-pt.rs
2012-12-07 03:45 . 2013-01-09 10:38 20480 ----a-w- c:\windows\system32\pegi-fi.rs
2012-12-07 03:45 . 2013-01-09 10:38 46592 ----a-w- c:\windows\system32\fpb.rs
2012-12-07 03:45 . 2013-01-09 10:38 20480 ----a-w- c:\windows\system32\pegi.rs
2012-12-07 03:45 . 2013-01-09 10:38 15360 ----a-w- c:\windows\system32\djctq.rs
2012-12-07 03:45 . 2013-01-09 10:38 55296 ----a-w- c:\windows\system32\cero.rs
2012-12-07 03:45 . 2013-01-09 10:38 51712 ----a-w- c:\windows\system32\esrb.rs
2012-12-07 03:21 . 2013-01-09 10:38 45568 ----a-w- c:\windows\SysWow64\oflc-nz.rs
2012-12-07 03:21 . 2013-01-09 10:38 44544 ----a-w- c:\windows\SysWow64\pegibbfc.rs
2012-12-07 03:21 . 2013-01-09 10:38 43520 ----a-w- c:\windows\SysWow64\csrr.rs
2012-12-07 03:21 . 2013-01-09 10:38 30720 ----a-w- c:\windows\SysWow64\usk.rs
2012-12-07 03:21 . 2013-01-09 10:38 23552 ----a-w- c:\windows\SysWow64\oflc.rs
2012-12-07 03:21 . 2013-01-09 10:38 20480 ----a-w- c:\windows\SysWow64\pegi-pt.rs
2012-12-07 03:21 . 2013-01-09 10:38 20480 ----a-w- c:\windows\SysWow64\pegi.rs
2012-12-07 03:21 . 2013-01-09 10:38 20480 ----a-w- c:\windows\SysWow64\pegi-fi.rs
2012-12-07 03:21 . 2013-01-09 10:38 46592 ----a-w- c:\windows\SysWow64\fpb.rs
2012-12-07 03:21 . 2013-01-09 10:38 21504 ----a-w- c:\windows\SysWow64\grb.rs
2012-12-07 03:21 . 2013-01-09 10:38 55296 ----a-w- c:\windows\SysWow64\cero.rs
2012-12-07 03:21 . 2013-01-09 10:38 51712 ----a-w- c:\windows\SysWow64\esrb.rs
2012-12-07 03:21 . 2013-01-09 10:38 40960 ----a-w- c:\windows\SysWow64\cob-au.rs
2012-12-07 03:21 . 2013-01-09 10:38 15360 ----a-w- c:\windows\SysWow64\djctq.rs
2012-11-30 05:50 . 2013-01-09 10:37 362496 ----a-w- c:\windows\system32\wow64win.dll
2012-11-30 05:50 . 2013-01-09 10:37 243200 ----a-w- c:\windows\system32\wow64.dll
2012-11-30 05:50 . 2013-01-09 10:37 13312 ----a-w- c:\windows\system32\wow64cpu.dll
2012-11-30 05:49 . 2013-01-09 10:37 215040 ----a-w- c:\windows\system32\winsrv.dll
2012-11-30 05:46 . 2013-01-09 10:37 16384 ----a-w- c:\windows\system32\ntvdm64.dll
2012-11-30 05:43 . 2013-01-09 10:37 424960 ----a-w- c:\windows\system32\KernelBase.dll
2012-11-30 05:43 . 2013-01-09 10:37 1161216 ----a-w- c:\windows\system32\kernel32.dll
2012-11-30 05:41 . 2013-01-09 10:37 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2012-11-30 05:41 . 2013-01-09 10:37 3072 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2012-11-30 05:41 . 2013-01-09 10:37 5120 ---ha-w- c:\windows\system32\api-ms-win-core-file-l1-1-0.dll
2012-11-30 05:41 . 2013-01-09 10:37 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2012-11-30 05:41 . 2013-01-09 10:37 4608 ---ha-w- c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2012-11-30 05:41 . 2013-01-09 10:37 4096 ---ha-w- c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2012-11-30 05:41 . 2013-01-09 10:37 4096 ---ha-w- c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
2012-11-30 05:41 . 2013-01-09 10:37 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2012-11-30 05:41 . 2013-01-09 10:37 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
2012-11-30 05:41 . 2013-01-09 10:37 3584 ---ha-w- c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-11-30 05:41 . 2013-01-09 10:37 3584 ---ha-w- c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2012-11-30 05:41 . 2013-01-09 10:37 3584 ---ha-w- c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2012-11-30 05:41 . 2013-01-09 10:37 3584 ---ha-w- c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
2012-11-30 05:41 . 2013-01-09 10:37 3584 ---ha-w- c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
2012-11-30 05:41 . 2013-01-09 10:37 3584 ---ha-w- c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2012-11-30 05:41 . 2013-01-09 10:37 3584 ---ha-w- c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
2012-11-30 05:41 . 2013-01-09 10:37 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2012-11-30 05:41 . 2013-01-09 10:37 3072 ---ha-w- c:\windows\system32\api-ms-win-core-string-l1-1-0.dll
2012-11-30 05:41 . 2013-01-09 10:37 3072 ---ha-w- c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
2012-11-30 05:41 . 2013-01-09 10:37 3072 ---ha-w- c:\windows\system32\api-ms-win-core-io-l1-1-0.dll
2012-11-30 05:41 . 2013-01-09 10:37 3072 ---ha-w- c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2012-11-30 05:41 . 2013-01-09 10:37 3072 ---ha-w- c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
2012-11-30 05:41 . 2013-01-09 10:37 3072 ---ha-w- c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2012-11-30 05:41 . 2013-01-09 10:37 3072 ---ha-w- c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2012-11-30 05:41 . 2013-01-09 10:37 3072 ---ha-w- c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2012-11-30 05:41 . 2013-01-09 10:37 3072 ---ha-w- c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
2012-11-30 05:41 . 2013-01-09 10:37 3072 ---ha-w- c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2012-11-30 05:41 . 2013-01-09 10:37 3072 ---ha-w- c:\windows\system32\api-ms-win-core-console-l1-1-0.dll
2012-11-30 05:06 . 2013-01-09 10:37 5120 ----a-w- c:\windows\SysWow64\wow32.dll
2012-11-30 05:06 . 2013-01-09 10:37 274944 ----a-w- c:\windows\SysWow64\KernelBase.dll
2012-11-30 04:56 . 2013-01-09 10:37 5120 ---ha-w- c:\windows\SysWow64\api-ms-win-core-file-l1-1-0.dll
2012-11-30 04:56 . 2013-01-09 10:37 4608 ---ha-w- c:\windows\SysWow64\api-ms-win-core-processthreads-l1-1-0.dll
2012-11-30 04:56 . 2013-01-09 10:37 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-sysinfo-l1-1-0.dll
2012-11-30 04:56 . 2013-01-09 10:37 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-synch-l1-1-0.dll
2012-11-30 04:56 . 2013-01-09 10:37 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-misc-l1-1-0.dll
2012-11-30 04:56 . 2013-01-09 10:37 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-localregistry-l1-1-0.dll
2012-11-30 04:56 . 2013-01-09 10:37 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-localization-l1-1-0.dll
2012-11-30 04:56 . 2013-01-09 10:37 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-processenvironment-l1-1-0.dll
2012-11-30 04:56 . 2013-01-09 10:37 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-namedpipe-l1-1-0.dll
2012-11-30 04:56 . 2013-01-09 10:37 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-memory-l1-1-0.dll
2012-11-30 04:56 . 2013-01-09 10:37 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-libraryloader-l1-1-0.dll
2012-11-30 04:56 . 2013-01-09 10:37 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-interlocked-l1-1-0.dll
2012-11-30 04:56 . 2013-01-09 10:37 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-heap-l1-1-0.dll
2012-11-30 04:56 . 2013-01-09 10:37 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-string-l1-1-0.dll
2012-11-30 04:56 . 2013-01-09 10:37 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-11-30 04:56 . 2013-01-09 10:37 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-profile-l1-1-0.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2012-10-18 17:12 220632 ----a-w- c:\users\Kate\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2012-10-18 17:12 220632 ----a-w- c:\users\Kate\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2012-10-18 17:12 220632 ----a-w- c:\users\Kate\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-03-02 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"TkBellExe"="c:\program files (x86)\Real\RealPlayer\update\realsched.exe" [2012-03-16 296056]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-06-07 421776]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-11 59280]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]
.
c:\users\Kate\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.4.1.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2012-8-13 1199104]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
NETGEAR WNA3100 Smart Wizard.lnk - c:\program files (x86)\NETGEAR\WNA3100\WNA3100.exe [2012-3-2 4577760]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 WSWNA3100;WSWNA3100;c:\program files (x86)\NETGEAR\WNA3100\WifiSvc.exe [2010-08-26 285152]
R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\DRIVERS\bcmwlhigh664.sys [2009-11-06 838136]
R3 GPWADrv;Service for L6 GuitarPort Driver (WDM);c:\windows\system32\Drivers\GPWADrv64.sys [2011-11-30 772096]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-03-04 1255736]
S0 SCMNdisP;General NDIS Protocol Driver;c:\windows\system32\DRIVERS\scmndisp.sys [2007-01-19 25312]
S2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\DRIVERS\diginet.sys [2012-09-11 23384]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-14 398184]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-14 682344]
S2 NIHardwareService;NIHardwareService;c:\program files\Common Files\Native Instruments\Hardware\NIHardwareService.exe [2011-12-05 5739008]
S2 PaceLicenseDServices;PACE License Services;c:\program files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe [2012-05-18 2938880]
S3 MAUSBFASTTRACK;Service for M-Audio FastTrack;c:\windows\system32\DRIVERS\MAudioFastTrack.sys [2010-12-07 187912]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-12-14 24176]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-08-21 239616]
S3 synusb64;eLicenser;c:\windows\system32\DRIVERS\synusb64.sys [2011-12-14 30352]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-02-01 14:09 1607120 ----a-w- c:\program files (x86)\Google\Chrome\Application\24.0.1312.57\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-16 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-11 21:34]
.
2013-02-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-02 14:42]
.
2013-02-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-02 14:42]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2012-10-18 17:12 244696 ----a-w- c:\users\Kate\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2012-10-18 17:12 244696 ----a-w- c:\users\Kate\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2012-10-18 17:12 244696 ----a-w- c:\users\Kate\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-08 165912]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-08 387608]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-08 365592]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-10-28 8312352]
"M-Audio Taskbar Icon"="c:\windows\system32\M-AudioTaskBarIcon.exe" [2010-12-07 798728]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
Trusted Zone: line6.net
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-uTorrent - c:\program files (x86)\uTorrent\uTorrent.exe
Wow6432Node-HKCU-Run-nbint - c:\users\Kate\AppData\Roaming\nbint.dll
Wow6432Node-HKCU-Run-erasp - c:\users\Kate\AppData\Roaming\erasp.dll
Wow6432Node-HKCU-Run-cocor - c:\users\Kate\AppData\Roaming\cocor.dll
SafeBoot-44981723.sys
WebBrowser-{3BBD3C14-4C16-4989-8366-95BC9179779D} - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-KTDrumTrigger_is1 - c:\program files (x86)\KTfx\KTDrumTrigger\unins000.exe
AddRemove-Native Instruments - Rig Kontrol 3 Driver - c:\program files (x86)\Native Instruments\Rig Kontrol 3 Driver\uninst.exe Software\Native Instruments\Rig Kontrol 3 Driver\Setup
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-281821174-122739506-4247044529-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-281821174-122739506-4247044529-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_149_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_149_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_149_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_149_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_149.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_149.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_149.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_149.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
c:\program files (x86)\ExpressFiles\EFUpdater.exe
c:\program files (x86)\OpenOffice.org 3\program\soffice.exe
c:\program files (x86)\OpenOffice.org 3\program\soffice.bin
.
**************************************************************************
.
Completion time: 2013-02-16  21:28:06 - machine was rebooted
ComboFix-quarantined-files.txt  2013-02-16 21:28
.
Pre-Run: 735,482,933,248 bytes free
Post-Run: 735,181,611,008 bytes free
.
- - End Of File - - 838AA257557183DAAEA668421E30B091



#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 53,532 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:03:16 PM

Posted 17 February 2013 - 02:24 AM

It looks like that did the trick. smile.png How is everything running at this point?
regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."


banner.png

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome


#7 Ragdollmafia

Ragdollmafia
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:16 PM

Posted 17 February 2013 - 09:05 AM

I haven't noticed any audio ads since so I think your right.

 

Thank you soo much for your time and effort, I really appreciate it. :)



#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 53,532 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:03:16 PM

Posted 17 February 2013 - 09:47 AM

Lets make sure everything is as it should be. :)

Please rerun DDS and this time check the option for attach.txt, post attach.txt in your next reply.


regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."


banner.png

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome


#9 Ragdollmafia

Ragdollmafia
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:16 PM

Posted 17 February 2013 - 10:15 AM

Ok I've followed the instructions, I hope I zipped the file right.

Attached Files



#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 53,532 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:03:16 PM

Posted 17 February 2013 - 10:24 AM

That looks all good, lets do one last scan before calling it clean. smile.png
You also need to install an Antivirus.

INSTALL ANTIVIRUS
---------------------------
I don't see an Anti Virus Program running on your machine

Download and install an antivirus program, and make sure that you keep it updated
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
Three good antivirus programs free for non-commercial home use are Avast!, Antivir and Microsoft Security Essentials
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.


ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.png
      icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."


banner.png

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome


#11 Ragdollmafia

Ragdollmafia
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:16 PM

Posted 19 February 2013 - 02:37 PM

C:\Windows\SysWOW64\tpvzpsdvzzlg.exe Win32/Adware.RON.FSV application 
C:\Windows.old\Documents and Settings\Kate\AppData\Local\Application Data\Temporary Internet Files\Low\Content.IE5\8IYLGHWZ\itcpbrbsizhzj[1].pdf JS/Exploit.Pdfka.PFS.Gen trojan 
C:\Windows.old\Documents and Settings\Kate\AppData\Local\Application Data\Temporary Internet Files\Low\Content.IE5\Y3NXST9F\3301b[1].pdf JS/Exploit.Pdfka.PHV trojan 
C:\Windows.old\Documents and Settings\Kate\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\8IYLGHWZ\itcpbrbsizhzj[1].pdf JS/Exploit.Pdfka.PFS.Gen trojan 
C:\Windows.old\Documents and Settings\Kate\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Y3NXST9F\3301b[1].pdf JS/Exploit.Pdfka.PHV trojan 
C:\Windows.old\Documents and Settings\Kate\AppData\Local\Temporary Internet Files\Low\Content.IE5\8IYLGHWZ\itcpbrbsizhzj[1].pdf JS/Exploit.Pdfka.PFS.Gen trojan 
C:\Windows.old\Documents and Settings\Kate\AppData\Local\Temporary Internet Files\Low\Content.IE5\Y3NXST9F\3301b[1].pdf JS/Exploit.Pdfka.PHV trojan 
C:\Windows.old\Documents and Settings\Kate\Local Settings\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\8IYLGHWZ\itcpbrbsizhzj[1].pdf JS/Exploit.Pdfka.PFS.Gen trojan 
C:\Windows.old\Documents and Settings\Kate\Local Settings\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Y3NXST9F\3301b[1].pdf JS/Exploit.Pdfka.PHV trojan 
C:\Windows.old\Documents and Settings\Kate\Local Settings\Temporary Internet Files\Low\Content.IE5\8IYLGHWZ\itcpbrbsizhzj[1].pdf JS/Exploit.Pdfka.PFS.Gen trojan 
C:\Windows.old\Documents and Settings\Kate\Local Settings\Temporary Internet Files\Low\Content.IE5\Y3NXST9F\3301b[1].pdf JS/Exploit.Pdfka.PHV trojan 
C:\Windows.old\Users\Kate\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\8IYLGHWZ\itcpbrbsizhzj[1].pdf JS/Exploit.Pdfka.PFS.Gen trojan 
C:\Windows.old\Users\Kate\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Y3NXST9F\3301b[1].pdf JS/Exploit.Pdfka.PHV trojan 
C:\Windows.old\Users\Kate\AppData\Local\Temporary Internet Files\Low\Content.IE5\8IYLGHWZ\itcpbrbsizhzj[1].pdf JS/Exploit.Pdfka.PFS.Gen trojan 
C:\Windows.old\Users\Kate\AppData\Local\Temporary Internet Files\Low\Content.IE5\Y3NXST9F\3301b[1].pdf JS/Exploit.Pdfka.PHV trojan 
C:\Windows.old\Users\Kate\Local Settings\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\8IYLGHWZ\itcpbrbsizhzj[1].pdf JS/Exploit.Pdfka.PFS.Gen trojan 
C:\Windows.old\Users\Kate\Local Settings\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Y3NXST9F\3301b[1].pdf JS/Exploit.Pdfka.PHV trojan 
C:\Windows.old\Users\Kate\Local Settings\Temporary Internet Files\Low\Content.IE5\8IYLGHWZ\itcpbrbsizhzj[1].pdf JS/Exploit.Pdfka.PFS.Gen trojan 
C:\Windows.old\Users\Kate\Local Settings\Temporary Internet Files\Low\Content.IE5\Y3NXST9F\3301b[1].pdf JS/Exploit.Pdfka.PHV trojan 
C:\Program Files (x86)\ExpressFiles\uninstall.exe a variant of Win32/ExpressFiles.B application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Users\Kate\AppData\Roaming\cocor.dll.vir a variant of Win32/Medfos.KO trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Users\Kate\AppData\Roaming\erasp.dll.vir a variant of Win32/Medfos.KQ trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Users\Kate\AppData\Roaming\nbint.dll.vir a variant of Win32/Medfos.KM trojan cleaned by deleting - quarantined
C:\Users\Kate\AppData\Local\98075fd5-28f0-425b-a8c5-6722a3417532.crx JS/Redirector.NCG trojan deleted - quarantined
C:\Users\Kate\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\21\2a4321d5-63232741 Java/Exploit.CVE-2013-0422.BQ trojan cleaned by deleting - quarantined
C:\Users\Kate\Documents\IZotope Ozone.rar a variant of Win32/Keygen.AD application deleted - quarantined
C:\Users\Kate\Downloads\installer_adobe_flash_player_English.exe Win32/Toolbar.Babylon application cleaned by deleting - quarantined
C:\Users\Kate\Downloads\installer_realplayer_English.exe Win32/Toolbar.Babylon application cleaned by deleting - quarantined
C:\Users\Kate\Downloads\Solid State Logic Duende Native Plug-in Suite v3.6.6 VST VST3 RTAS\SSL Duende Native Setup (32-bit).exe multiple threats cleaned by deleting - quarantined
C:\Windows\System32\tpvzpsdvzzlg.exe Win32/Adware.RON.FSV application cleaned by deleting - quarantined
C:\Windows.old\Documents and Settings\Kate\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\8IYLGHWZ\itcpbrbsizhzj[1].pdf JS/Exploit.Pdfka.PFS.Gen trojan cleaned by deleting - quarantined
C:\Windows.old\Documents and Settings\Kate\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Y3NXST9F\3301b[1].pdf JS/Exploit.Pdfka.PHV trojan cleaned by deleting - quarantined



#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 53,532 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:03:16 PM

Posted 19 February 2013 - 02:42 PM

That looks good. You may have noticed a lot of PDF exploits in the results. Exploits for programs like Java and Adobe Reader are common sources of infection. be careful what you download (see also the prevention advice below).

ALL CLEAN
--------------
Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean smile.png

Please do the following to remove the remaining programs from your PC:
  • Delete the tools used during the disinfection:
    • Press windows key Windows_Logo_key.gif + r on your keyboard at the same time. In the run box type combofix /uninstall, then press OK.

      run-box.jpg
    • This will remove Combofix and other tools we used from your computer.
  • You can delete any other tool or log by simply deleting them.
  • Please read the following advice on how to prevent reinfecting your PC:
    • Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on regular basis.If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on yourmachine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.
  • Some more links you might find of interest:Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."


banner.png

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome


#13 Ragdollmafia

Ragdollmafia
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:16 PM

Posted 20 February 2013 - 09:42 AM

I deleted combofix and read your information, once again I can't thank you enough for your time and help. :)



#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 53,532 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:03:16 PM

Posted 20 February 2013 - 09:56 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."


banner.png

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users