
Removal of Deal Finder Malware


9 replies to this topic

#1 Jasonmuk

Jasonmuk

  • Members
  • 20 posts
  • OFFLINE
  • Local time:09:57 PM

Posted 13 June 2013 - 07:53 AM

Hello.

Can anyone help? My son has downloaded a program called Hamachi, and with the install it has added a program I cannot get rid of.

I keep getting a Deal Finder pop-up on the bottom right and centre of my screen. The program is not in my Control Panel or browser add-ons. I have added a picture below. If anyone can help that would be great; I have attached the DDS files.

Thanks

Jason

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16611  BrowserJavaVersion: 10.9.2
Run by Jason at 13:47:19 on 2013-06-13
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.44.1033.18.4095.2117 [GMT 1:00]
.
AV: Bitdefender Antivirus *Enabled/Updated* {9B5F5313-CAF9-DD97-C460-E778420237B4}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Bitdefender Antispyware *Enabled/Updated* {203EB2F7-ECC3-D219-FED0-DC0A39857D09}
FW: Bitdefender Firewall *Enabled* {A364D236-8096-DCCF-EF3F-4E4DBCD170CF}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Bitdefender\Bitdefender 2013\vsserv.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe
C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Windows\system32\lxcjcoms.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\FS\Spyro Portal\FlashPortal.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe
C:\ProgramData\TVersity\Media Server\MediaServer.exe
C:\Program Files\Bitdefender\Bitdefender 2013\updatesrv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spool\drivers\x64\3\WrtMon.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Bitdefender\Bitdefender 2013\bdagent.exe
C:\Windows\System32\spool\drivers\x64\3\WrtProc.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_7_700_224.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_7_700_224.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Bar = hxxp://search.searchcompletion.com/?si=10197&home=1
mStart Page = about:blank
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit = userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Plus-HD-2.6: {11111111-1111-1111-1111-110311341140} - C:\Program Files (x86)\Plus-HD-2.6\Plus-HD-2.6-bho.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Adobe Acrobat Create PDF Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: Adobe Acrobat Create PDF from Selection: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll
TB: Adobe Acrobat Create PDF Toolbar: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll
EB: <No Name>: {555D4D79-4BD2-4094-A395-CFC534424A05} - LocalServer32 - <no file>
EB: <No Name>: {555D4D79-4BD2-4094-A395-CFC534424A05} - LocalServer32 - <no file>
uRun: [Google Update] "C:\Users\Jason\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [NPSStartup] <no file>
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Free YouTube Download - C:\Users\Jason\AppData\Roaming\DVDVideoSoftIEHelpers\freeytvdownloader.htm
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~2\Office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} - hxxp://assets.photobox.com/assets/aurigma/ImageUploader5.cab?20091203144706
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-Us/wlscctrl2.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab
DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} - hxxp://www.vexcast.com/download/vexcast.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: NameServer = 194.168.4.100 194.168.8.100
TCP: Interfaces\{4D4A18EE-254A-44D5-AA59-2C1C10AEF804} : DHCPNameServer = 194.168.4.100 194.168.8.100
TCP: Interfaces\{8A256F57-EC75-47CA-8165-BF48177CFAE3}\475637474747 : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{8A256F57-EC75-47CA-8165-BF48177CFAE3}\D494C4543513937333 : DHCPNameServer = 192.168.0.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
x64-mStart Page = about:blank
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
x64-BHO: {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - <orphaned>
x64-Run: [WrtMon.exe] C:\Windows\System32\spool\drivers\x64\3\WrtMon.exe
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
x64-Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
x64-Run: [Bdagent] C:\Program Files\Bitdefender\Bitdefender 2013\bdagent.exe
x64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
x64-DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
x64-Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - <orphaned>
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\v57hvm2i.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - component: C:\Program Files\BitDefender\BitDefender 2011\bdaphffext\components\bdaphff3.6.dll
FF - component: C:\Program Files\BitDefender\BitDefender 2011\bdaphffext\components\bdaphff3.dll
FF - plugin: C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Air\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll
FF - plugin: C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll
FF - plugin: C:\Program Files (x86)\Roblox\Versions\version-1c92e6916e7c4b20\NPRobloxProxy.dll
FF - plugin: C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll
FF - plugin: C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypchub.dll
FF - plugin: C:\Users\Jason\AppData\Local\Google\Update\1.3.21.145\npGoogleUpdate3.dll
FF - plugin: C:\Users\Jason\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: C:\Users\Jason\AppData\Roaming\TorrentStream\player\npts_plugin.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
FF - plugin: C:\Windows\SysWOW64\npwmsdrm.dll
FF - ExtSQL: 2013-05-29 16:56; [email protected]; C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn
FF - ExtSQL: 2013-06-13 13:24; {66E978CD-981F-47DF-AC42-E3CF417C1467}; C:\Users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\v57hvm2i.default\extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467}.xpi
FF - ExtSQL: 2019-09-25 22:40; {c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}; C:\Users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\v57hvm2i.default\extensions\{c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}.xpi
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.zonealarm.hpOld0 - hxxp://www.google.co.uk/
FF - user.js: extensions.zonealarm.tlbrSrchUrl - hxxp://search.zonealarm.com/search?src=tb&tbid=Solo&Lan={dfltLng}&gu=91f2a0a76cb349b4847c2ac079f9bbd8&tu=11Ih0008T2B0001&sku=&tstsId=&ver=&&q=
FF - user.js: extensions.zonealarm.id - 1092a293000000000000701a0408a455
FF - user.js: extensions.zonealarm.appId - {C56C48A0-DA4E-46F6-9859-1553DC865F84}
FF - user.js: extensions.zonealarm.instlDay - 15865
FF - user.js: extensions.zonealarm.vrsn - 1.8.11.11
FF - user.js: extensions.zonealarm.vrsni - 1.8.11.11
FF - user.js: extensions.zonealarm.vrsnTs - 1.8.11.1111:44:13
FF - user.js: extensions.zonealarm.prtnrId - checkpoint
FF - user.js: extensions.zonealarm.prdct - zonealarm
FF - user.js: extensions.zonealarm.aflt - 5003
FF - user.js: extensions.zonealarm.smplGrp - none
FF - user.js: extensions.zonealarm.tlbrId - Solo
FF - user.js: extensions.zonealarm.instlRef - ZLN118408611977768-5003
FF - user.js: extensions.zonealarm.dfltLng -
FF - user.js: extensions.zonealarm.excTlbr - false
FF - user.js: extensions.zonealarm.ffxUnstlRst - false
FF - user.js: extensions.zonealarm.admin - false
FF - user.js: extensions.zonealarm.autoRvrt - false
FF - user.js: extensions.zonealarm.rvrt - false
FF - user.js: extensions.zonealarm.hmpg - true
FF - user.js: extensions.zonealarm.hmpgUrl - hxxp://search.zonealarm.com/?src=hp&tbid=Solo&Lan=&gu=91f2a0a76cb349b4847c2ac079f9bbd8&tu=11Ih0008T2B0001&sku=&tstsId=&ver=&
FF - user.js: extensions.zonealarm.dfltSrch - true
FF - user.js: extensions.zonealarm.srchPrvdr - Search By ZoneAlarm
FF - user.js: extensions.zonealarm.kw_url - hxxp://search.zonealarm.com/search?src=sp&tbid=Solo&Lan=&gu=91f2a0a76cb349b4847c2ac079f9bbd8&tu=11Ih0008T2B0001&sku=&tstsId=&ver=&&q=
FF - user.js: extensions.zonealarm.dnsErr - true
FF - user.js: extensions.zonealarm.newTab - true
FF - user.js: extensions.zonealarm.newTabUrl - hxxp://search.zonealarm.com/?src=nt&tbid=Solo&Lan=&gu=91f2a0a76cb349b4847c2ac079f9bbd8&tu=11Ih0008T2B0001&sku=&tstsId=&ver=&
.
============= SERVICES / DRIVERS ===============
.
R0 avc3;avc3;C:\Windows\System32\drivers\avc3.sys [2013-4-26 718840]
R0 gzflt;gzflt;C:\Windows\System32\drivers\gzflt.sys [2013-3-28 147232]
R1 BdfNdisf;BitDefender Firewall NDIS 6 Filter Driver;C:\Program Files\Common Files\BitDefender\Bitdefender Firewall\bdfndisf6.sys [2013-4-26 93600]
R1 bdfwfpf;bdfwfpf;C:\Program Files\Common Files\BitDefender\Bitdefender Firewall\bdfwfpf.sys [2012-11-14 103504]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2012-7-4 238080]
R2 cpuz135;cpuz135;C:\Windows\System32\drivers\cpuz135_x64.sys [2011-11-13 21992]
R2 ezSharedSvc;Easybits Shared Services for Windows;C:\Windows\System32\svchost.exe -k netsvcs [2009-7-14 27136]
R2 Garmin Core Update Service;Garmin Core Update Service;C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [2013-3-27 185688]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe [2013-5-15 2467664]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-12-7 1153368]
R2 SpyroService;Spyro Portal Service;C:\Program Files (x86)\FS\Spyro Portal\FlashPortal.exe [2011-9-9 48128]
R2 TeamViewer7;TeamViewer 7;C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [2012-10-21 2754984]
R2 UPDATESRV;Bitdefender Desktop Update Service;C:\Program Files\Bitdefender\Bitdefender 2013\updatesrv.exe [2012-11-14 68856]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2012-5-14 96896]
R3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\System32\drivers\netr28x.sys [2013-2-25 2426672]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-8-20 239616]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2012-7-9 104912]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2012-7-9 123856]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-4-19 161384]
S3 BDSandBox;BDSandBox;C:\Windows\System32\drivers\bdsandbox.sys [2012-11-14 82384]
S3 FlyUsb;FLY Fusion;C:\Windows\System32\drivers\FlyUsb.sys [2007-6-19 24576]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2012-12-13 19456]
S3 SRS_ViewSonic;SRS Labs WOW HD ViewSonic;C:\Windows\System32\drivers\SRS_ViewSonic_amd64.sys [2009-11-7 50304]
S3 taphss6;Anchorfree HSS VPN Adapter;C:\Windows\System32\drivers\taphss6.sys [2012-11-15 40712]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-12-13 57856]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-12-13 54784]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-5-18 1255736]
S4 BdDesktopParental;Bitdefender Desktop Parental Control;C:\Program Files\Bitdefender\Bitdefender 2013\bdparentalservice.exe [2013-3-28 69392]
.
=============== Created Last 30 ================
.
2013-06-13 06:18:46    1910632    ----a-w-    C:\Windows\System32\drivers\tcpip.sys
2013-06-13 06:18:39    751104    ----a-w-    C:\Windows\System32\win32spl.dll
2013-06-13 06:18:39    492544    ----a-w-    C:\Windows\SysWow64\win32spl.dll
2013-06-13 06:18:32    30720    ----a-w-    C:\Windows\System32\cryptdlg.dll
2013-06-13 06:18:31    24576    ----a-w-    C:\Windows\SysWow64\cryptdlg.dll
2013-06-12 15:13:05    9089416    ----a-w-    C:\Windows\SysWow64\FlashPlayerInstaller.exe
2013-06-11 14:14:01    9460464    ----a-w-    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{EDD5772B-4676-40F0-A352-D4907FCA1A74}\mpengine.dll
2013-06-09 10:44:33    --------    d-----w-    C:\Program Files (x86)\CheckPoint
2013-06-09 10:43:55    --------    d-----w-    C:\ProgramData\CheckPoint
2013-06-09 10:42:48    --------    d-----w-    C:\Program Files (x86)\Plus-HD-2.6
2013-06-09 10:42:22    --------    d-----w-    C:\Users\Jason\AppData\Local\LogMeIn Hamachi
2013-06-09 10:41:35    --------    d-----w-    C:\Program Files (x86)\LogMeIn Hamachi
2013-05-29 15:43:54    382536    ----a-w-    C:\Windows\System32\drivers\trufos.sys
2013-05-29 15:31:35    --------    d-----w-    C:\Users\Jason\AppData\Roaming\Foxit Software
2013-05-29 15:26:05    --------    d-----w-    C:\ProgramData\regid.1986-12.com.adobe
2013-05-28 02:09:37    --------    d-----w-    C:\Users\Jason\AppData\Local\4A Games
2013-05-22 13:18:05    262552    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\browser\components\browsercomps.dll
2013-05-22 13:18:00    96664    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\webapprt-stub.exe
2013-05-22 13:18:00    92056    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\smime3.dll
2013-05-22 13:18:00    865968    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe
2013-05-22 13:18:00    272280    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\updater.exe
2013-05-22 13:18:00    19449240    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\xul.dll
2013-05-22 13:18:00    19352    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\xpcom.dll
2013-05-22 13:18:00    170232    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\webapp-uninstaller.exe
2013-05-22 13:18:00    157080    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\ssl3.dll
2013-05-22 13:18:00    152472    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\softokn3.dll
2013-05-15 08:01:39    983400    ----a-w-    C:\Windows\System32\drivers\dxgkrnl.sys
.
==================== Find3M  ====================
.
2013-06-12 15:13:14    71048    ----a-w-    C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-06-12 15:13:14    692104    ----a-w-    C:\Windows\SysWow64\FlashPlayerApp.exe
2013-05-17 01:25:57    1767936    ----a-w-    C:\Windows\SysWow64\wininet.dll
2013-05-17 01:25:27    2877440    ----a-w-    C:\Windows\SysWow64\jscript9.dll
2013-05-17 01:25:26    61440    ----a-w-    C:\Windows\SysWow64\iesetup.dll
2013-05-17 01:25:26    109056    ----a-w-    C:\Windows\SysWow64\iesysprep.dll
2013-05-17 00:59:03    2241024    ----a-w-    C:\Windows\System32\wininet.dll
2013-05-17 00:58:10    3958784    ----a-w-    C:\Windows\System32\jscript9.dll
2013-05-17 00:58:08    67072    ----a-w-    C:\Windows\System32\iesetup.dll
2013-05-17 00:58:08    136704    ----a-w-    C:\Windows\System32\iesysprep.dll
2013-05-14 13:14:01    2706432    ----a-w-    C:\Windows\System32\mshtml.tlb
2013-05-14 12:23:25    89600    ----a-w-    C:\Windows\System32\RegisterIEPKEYs.exe
2013-05-14 09:23:31    2706432    ----a-w-    C:\Windows\SysWow64\mshtml.tlb
2013-05-14 08:40:13    71680    ----a-w-    C:\Windows\SysWow64\RegisterIEPKEYs.exe
2013-05-13 05:51:01    184320    ----a-w-    C:\Windows\System32\cryptsvc.dll
2013-05-13 05:51:00    1464320    ----a-w-    C:\Windows\System32\crypt32.dll
2013-05-13 05:51:00    139776    ----a-w-    C:\Windows\System32\cryptnet.dll
2013-05-13 05:50:40    52224    ----a-w-    C:\Windows\System32\certenc.dll
2013-05-13 04:45:55    140288    ----a-w-    C:\Windows\SysWow64\cryptsvc.dll
2013-05-13 04:45:55    1160192    ----a-w-    C:\Windows\SysWow64\crypt32.dll
2013-05-13 04:45:55    103936    ----a-w-    C:\Windows\SysWow64\cryptnet.dll
2013-05-13 03:43:55    1192448    ----a-w-    C:\Windows\System32\certutil.exe
2013-05-13 03:08:10    903168    ----a-w-    C:\Windows\SysWow64\certutil.exe
2013-05-13 03:08:06    43008    ----a-w-    C:\Windows\SysWow64\certenc.dll
2013-05-02 01:06:08    278800    ------w-    C:\Windows\System32\MpSigStub.exe
2013-04-26 11:56:10    718840    ----a-w-    C:\Windows\System32\drivers\avc3.sys
2013-04-26 11:56:09    593144    ----a-w-    C:\Windows\System32\drivers\avckf.sys
2013-04-25 23:30:32    1505280    ----a-w-    C:\Windows\SysWow64\d3d11.dll
2013-04-17 07:02:06    1230336    ----a-w-    C:\Windows\SysWow64\WindowsCodecs.dll
2013-04-17 06:24:46    1424384    ----a-w-    C:\Windows\System32\WindowsCodecs.dll
2013-04-13 05:49:23    135168    ----a-w-    C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
2013-04-13 05:49:19    350208    ----a-w-    C:\Windows\apppatch\AppPatch64\AcLayers.dll
2013-04-13 05:49:19    308736    ----a-w-    C:\Windows\apppatch\AppPatch64\AcGenral.dll
2013-04-13 05:49:19    111104    ----a-w-    C:\Windows\apppatch\AppPatch64\acspecfc.dll
2013-04-13 04:45:16    474624    ----a-w-    C:\Windows\apppatch\AcSpecfc.dll
2013-04-13 04:45:15    2176512    ----a-w-    C:\Windows\apppatch\AcGenral.dll
2013-04-12 14:45:08    1656680    ----a-w-    C:\Windows\System32\drivers\ntfs.sys
2013-04-10 06:01:54    265064    ----a-w-    C:\Windows\System32\drivers\dxgmms1.sys
2013-04-10 03:30:50    3153920    ----a-w-    C:\Windows\System32\win32k.sys
2013-03-31 22:52:16    1887232    ----a-w-    C:\Windows\System32\d3d11.dll
2013-03-28 19:39:55    147232    ----a-w-    C:\Windows\System32\drivers\gzflt.sys
2013-03-19 06:04:06    5550424    ----a-w-    C:\Windows\System32\ntoskrnl.exe
2013-03-19 05:53:58    48640    ----a-w-    C:\Windows\System32\wwanprotdim.dll
2013-03-19 05:53:58    230400    ----a-w-    C:\Windows\System32\wwansvc.dll
2013-03-19 05:46:56    43520    ----a-w-    C:\Windows\System32\csrsrv.dll
2013-03-19 05:04:13    3968856    ----a-w-    C:\Windows\SysWow64\ntkrnlpa.exe
2013-03-19 05:04:10    3913560    ----a-w-    C:\Windows\SysWow64\ntoskrnl.exe
2013-03-19 04:47:50    6656    ----a-w-    C:\Windows\SysWow64\apisetschema.dll
2013-03-19 03:06:33    112640    ----a-w-    C:\Windows\System32\smss.exe
2010-12-29 15:27:36    299786    ----a-w-    C:\Program Files (x86)\RMPly00.exe
2010-07-08 09:37:14    101544    ----a-w-    C:\Program Files\Common Files\LinkInstaller.exe
.
============= FINISH: 13:49:45.21 ===============

Attached: dealfinder.jpg

Edited by Noviciate, 13 June 2013 - 03:16 PM.
Added DDS from attachment.



#2 Noviciate

Noviciate

  • Malware Response Team
  • 4,992 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:09:57 PM

Posted 13 June 2013 - 03:19 PM

Good evening. :)

Pay a visit to the ESET Online Scanner.

  • Click the ESET Online Scanner button and a new window will open - you may need to maximise it.
  • Click the Run ESET Online Scanner button in the new window.
  • If you are using any browser other than IE, you will be prompted to download and run esetsmartinstaller_enu.exe and the scan will run from within the window that the executable opens.
  • Regardless of which browser you are using, you will be shown some terms and conditions and you will need to accept these to continue.
  • If you are running IE for this scan you will then be prompted to allow an ActiveX component to be downloaded, unless you already have it installed, and the scan will run inside IE.
  • When you see the Computer Scan Settings window, you will need to make the following changes:
    • UNCHECK Remove found threats - this is important.
    • Check Scan archives
    • Click on Advanced settings
    • Check Scan for potentially unsafe applications
  • Once ready, click Start to begin - not a surprise really!
  • The anti-virus definitions will now be downloaded, so don't forget to allow them through your firewall if prompted.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.

EDIT: Can you provide me with the link for the download that your son installed as well?


Edited by Noviciate, 13 June 2013 - 03:22 PM.

Logs answered since Christmas Day: 40

Threads completed: 11

Threads closed after some work but not completed: 10

Threads closed following a total lack of response from poster: 15


#3 Jasonmuk

Jasonmuk
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:09:57 PM

Posted 14 June 2013 - 07:23 AM

Hello.

Thanks for the reply. OK, here goes. The text file contains:

C:\ProgramData\Spybot - Search & Destroy\Recovery\Complitly.zip    Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\Complitly.zip    Win32/Bagle.gen.zip worm
C:\Users\Jason\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\4947299e-494933ff    Java/Exploit.Agent.NJD trojan
C:\Users\Jason\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\45cc1e21-6746113c    multiple threats
C:\Users\Jason\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\37fb8867-4ce9f076    a variant of Java/Exploit.CVE-2012-0507.FA trojan
C:\Users\Jason\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55\5882db7-2f2e98ff    multiple threats

The webpage he downloaded from was

http://hamachi.en.softonic.com/

Thanks



#4 Noviciate

Noviciate

  • Malware Response Team
  • 4,992 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:09:57 PM

Posted 14 June 2013 - 03:11 PM

Good evening. :)

I'll need a little time to play with that download, and I'll see what it does to my system and get back to you.



#5 Noviciate

Noviciate

  • Malware Response Team
  • 4,992 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:09:57 PM

Posted 15 June 2013 - 03:00 PM

Good evening. :)

Click the Start button in the bottom left hand corner, click Control Panel and then Programs and Features. Look in the Installed On column and tell me what programs were installed on the same day as Hamachi.


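The "Installed On" check above, done from PowerShell instead of the Control Panel. This is an added example, not something from the thread or from BleepingComputer's tools; it assumes Windows 7 or later with Windows PowerShell 2.0+, and the values of $anchorName (Hamachi, from the thread) and $windowHours are assumed inputs. It goes one step further than the Programs and Features list: bundled extras like Plus-HD often have no Add/Remove Programs entry at all (the OP could not find it in Control Panel, while the DDS "Created Last 30" section shows the C:\Program Files (x86)\Plus-HD-2.6 folder created a minute after the Hamachi folder), so it also lists folders created within a window of the anchor program's own folder.

```powershell
# Added example (not from the thread): answer "what else arrived with Hamachi?" from
# PowerShell. Two sources are checked, because bundled extras frequently skip the
# Add/Remove Programs list:
#   1. the registry Uninstall keys that Programs and Features is built from
#   2. folders created under Program Files / ProgramData / AppData near the anchor's folder
# Assumes Windows 7 or later with Windows PowerShell 2.0+ (no PS3-only syntax used).

$anchorName  = 'Hamachi'   # program the user knows was installed (assumed input)
$windowHours = 2           # how far either side of the anchor's folder creation to look

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',  # 32-bit apps on x64
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'               # per-user installs
)

function Get-InstalledProgram {
    # Each Uninstall subkey with a DisplayName is one row in Programs and Features.
    # InstallDate, when present, is a yyyyMMdd string (day granularity only).
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            $date = $null
            if ($_.InstallDate -match '^\d{8}$') {
                $date = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
            }
            New-Object PSObject -Property @{
                Name        = $_.DisplayName
                Publisher   = $_.Publisher
                InstallDate = $date
                Location    = $_.InstallLocation
            }
        }
}

$anchor = Get-InstalledProgram | Where-Object { $_.Name -like "*$anchorName*" } | Select-Object -First 1
if (-not $anchor) { throw "No Add/Remove Programs entry matches '$anchorName'" }

'--- Programs registered on the same day as {0} ---' -f $anchor.Name
if ($anchor.InstallDate) {
    Get-InstalledProgram |
        Where-Object { $_.InstallDate -and $_.InstallDate.Date -eq $anchor.InstallDate.Date } |
        Sort-Object Name | Format-Table Name, Publisher, InstallDate -AutoSize
}

# The Uninstall entry only records the day; take the exact time from the anchor's own
# folder and look for sibling folders created around the same moment. This catches
# software that never registered an uninstall entry.
$roots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:ProgramData",
           "$env:LOCALAPPDATA", "$env:APPDATA") | Where-Object { $_ -and (Test-Path $_) }

$anchorDir = $null
if ($anchor.Location -and (Test-Path $anchor.Location)) { $anchorDir = Get-Item $anchor.Location }
if (-not $anchorDir) {
    $anchorDir = Get-ChildItem -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Name -like "*$anchorName*" } | Select-Object -First 1
}

if ($anchorDir) {
    $t0 = $anchorDir.CreationTime
    '--- Folders created within {0}h of {1} ({2}) ---' -f $windowHours, $anchorDir.FullName, $t0
    Get-ChildItem -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and
                       [math]::Abs(($_.CreationTime - $t0).TotalHours) -le $windowHours } |
        Sort-Object CreationTime | Format-Table CreationTime, FullName -AutoSize
}
```

Run it in an ordinary PowerShell prompt; HKLM reads do not need elevation. The second listing is the useful one for bundled installs: anything whose folder appeared within minutes of the anchor but has no Uninstall entry is exactly the kind of thing the Control Panel will never show you.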

#6 Jasonmuk

Jasonmuk
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:09:57 PM

Posted 16 June 2013 - 01:25 AM

Hamachi was installed on 09-06-2013; no other programs were installed on that date.



#7 Jasonmuk

Jasonmuk
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:09:57 PM

Posted 16 June 2013 - 02:03 AM

I managed to find out that the software is from a company called Superfish and that it could be an addition to a browser add-on, so I disabled all add-ons and started them back up one by one.

Bingo.

There was an add-on called Plus HD. In the add-on settings there was no indication of anything else involved with it, but disabling and deleting it has stopped the problem.

Thank you for all your help with this matter...
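The same hunt done from the registry rather than by toggling add-ons one at a time. This is an added example, not from the thread: it reads the Browser Helper Objects keys that the "BHO:" lines in the DDS log are built from, resolves each CLSID to its DLL, and reports the Authenticode signer and the creation time of the DLL's folder, so an entry like the Plus-HD-2.6 one stands out next to the Adobe and Java helpers. It assumes Windows 7 x64 or later with Windows PowerShell 2.0+, run as Administrator; the function names Get-BrowserHelperObject and Resolve-Clsid are made up for this example.

```powershell
# Added example (not from the thread): enumerate Internet Explorer Browser Helper Objects
# and resolve each CLSID to the DLL that implements it. Assumes Windows 7 x64 or later,
# Windows PowerShell 2.0+, elevated prompt.

# On 64-bit Windows the Wow6432Node copies hold the BHOs loaded by 32-bit IE (the
# Plus-HD-2.6 entry in the thread lived there). Per-user CLSID registrations under
# HKCU are checked first, because add-ons can register themselves without admin rights.
$bhoHives = @(
    @{ Bits = 64
       Bho   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = @('HKCU:\Software\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\CLSID') },
    @{ Bits = 32
       Bho   = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = @('HKCU:\Software\Classes\Wow6432Node\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID') }
)

function Resolve-Clsid([string]$clsid, [string[]]$clsidRoots) {
    # Returns the friendly name and InprocServer32 path for a CLSID. Both stay $null when
    # the class is not registered anywhere, which is what DDS prints as <orphaned>.
    foreach ($root in $clsidRoots) {
        $key = Join-Path $root $clsid
        if (-not (Test-Path $key)) { continue }
        $name = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        $dll  = $null
        $inproc = Join-Path $key 'InprocServer32'
        if (Test-Path $inproc) {
            $dll = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
        }
        return @{ Name = $name; Dll = $dll }
    }
    return @{ Name = $null; Dll = $null }
}

function Get-BrowserHelperObject {
    foreach ($hive in $bhoHives) {
        if (-not (Test-Path $hive.Bho)) { continue }
        foreach ($entry in Get-ChildItem -Path $hive.Bho) {
            $clsid  = $entry.PSChildName            # e.g. {11111111-1111-1111-1111-110311341140}
            $r      = Resolve-Clsid $clsid $hive.Clsid
            $exists = [bool]($r.Dll -and (Test-Path -LiteralPath $r.Dll))
            $sigStatus = $null; $signer = $null; $dirCreated = $null
            if ($exists) {
                $sig = Get-AuthenticodeSignature -FilePath $r.Dll
                $sigStatus = $sig.Status
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
                # Folder creation time is what lets you tie a BHO to a known install
                # (in the DDS log, Plus-HD-2.6's folder appeared a minute after Hamachi's).
                $dirCreated = (Get-Item -LiteralPath (Split-Path -Parent $r.Dll)).CreationTime
            }
            New-Object PSObject -Property @{
                Bits = $hive.Bits; Clsid = $clsid; Name = $r.Name; Dll = $r.Dll
                Exists = $exists; Signature = $sigStatus; Signer = $signer; DirCreated = $dirCreated
            }
        }
    }
}

# Unsigned, missing or recently created entries are the ones worth a closer look.
Get-BrowserHelperObject |
    Select-Object Bits, Name, Clsid, Dll, Exists, Signature, Signer, DirCreated |
    Sort-Object DirCreated -Descending |
    Format-Table -AutoSize -Wrap
```

Read the output top-down: the newest folder is first, and a BHO that is unsigned (Signature of NotSigned) or whose Signer is not a vendor you recognise is the candidate to disable, which is exactly what the manual one-by-one method found here. An entry with Exists = False is a leftover registration with no DLL behind it and can be cleaned up rather than feared.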



#8 Noviciate

Noviciate

  • Malware Response Team
  • 4,992 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:09:57 PM

Posted 16 June 2013 - 01:52 PM

Good evening. :)

When you run an installer don't allow it to use its standard settings; instead choose the Custom/Advanced option. For the above installer, if you do that you will see the following offering:

Plus-HD
Automatically convert YouTube videos into High Definition! Powered by Coupons, Plus-HD will show you coupons and offers when browsing the web. Safe and free to download, Plus HD works with all major browsers and does not affect the performance of your Internet.
Choose your installation option:
(The installer for the downloaded software will start automatically)

In this case it's bundled in with the Softonic Downloader rather than as a part of the actual program you are installing, but you can get "extras" in both cases - it's how people get money from "free" software. Uncheck it when you run the installer and all will be well.


#9 Jasonmuk

Jasonmuk
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:09:57 PM

Posted 16 June 2013 - 03:25 PM

Thank you.



#10 Noviciate

Noviciate

  • Malware Response Team
  • 4,992 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:09:57 PM

Posted 17 June 2013 - 02:07 PM

As this issue appears to have been resolved, this thread is now closed.

