
Infected with GOffer, MY PCBackUp, JDI BackUp, ikuerjdi.exe and maybe more.


  • This topic is locked
61 replies to this topic

#46 digitalmofo

digitalmofo
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:11:09 PM

Posted 01 December 2013 - 04:36 PM

TV9PBf4.png

 

I just don't see it.  All I see is the one for dropbox.





#47 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,033 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:09 AM

Posted 01 December 2013 - 08:52 PM


Hello digitalmofo


Let's see if this will run now.

Dr.Web CureIt

Download to the desktop: Dr.Web CureIt
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, see if you can click the following icon next to the files found:
    check.gif
    If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    move.gif
    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new hijackthis log.
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#48 digitalmofo


Posted 02 December 2013 - 03:56 AM

It gives me no choice of short scan or not, one for emergency scan or express scan.  I ran the emergency, and it shuts down the rest of the computer while it runs.  It found 2 reame.txt files, and one file that was in quarantine from adwcleaner.  There were no tabs, so I could not even find "Heuristic analysis."  There was no icon next to anything found, but it did say that it deleted them.  There was also no "file" so I found no way to save a report list.  

 

Still showing up in my notifications, still have the programs running and still having random popups.

 

This was the screen, the whole time.  During the scan, it showed the progress bar and what it found underneath, but nothing else.  I did make sure everything was selected to scan, though.

 

tLbxaRT.png

 

 

Here is my hijackthis logfile.

 

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:56:03 AM, on 12/2/2013
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v10.0 (10.00.9200.16736)
Boot mode: Normal
 
Running processes:
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe
C:\Users\Stormtrooper\AppData\Local\FluxSoftware\Flux\flux.exe
C:\Users\Stormtrooper\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Users\Stormtrooper\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
C:\Program Files (x86)\MSI\Super-Charger\Super-Charger.exe
C:\Program Files (x86)\Western Digital\WD Security\WDDriveAutoUnlock.exe
C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe
C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe
C:\Program Files (x86)\MSI\Fast Boot\FastBoot.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Users\Stormtrooper\AppData\Local\Temp\ubf1gjbz.ruo\lkuerjdi.exe
c:\users\stormtrooper\appdata\local\temp\FEFE6C30-2532F0B0-6607ACE4-D3BFAE0C\xi786gi8.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe
 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/p/?LinkId=255141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
O4 - HKLM\..\Run: [USB3MON] "C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"
O4 - HKLM\..\Run: [Super-Charger] C:\Program Files (x86)\MSI\Super-Charger\Super-Charger.exe
O4 - HKLM\..\Run: [Fast Boot] C:\Program Files (x86)\MSI\Fast Boot\StartFastBoot.exe
O4 - HKLM\..\Run: [WD Drive Unlocker] C:\Program Files (x86)\Western Digital\WD Security\WDDriveAutoUnlock.exe
O4 - HKLM\..\Run: [WD Quick View] C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe
O4 - HKCU\..\Run: [F.lux] "C:\Users\Stormtrooper\AppData\Local\FluxSoftware\Flux\flux.exe" /noshow
O4 - HKCU\..\Run: [Spotify Web Helper] "C:\Users\Stormtrooper\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - Startup: Dropbox.lnk = Stormtrooper\AppData\Roaming\Dropbox\bin\Dropbox.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~3\OFFICE11\REFIEBAR.DLL
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/select/asusTek_sys_ctrl3.cab
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Intel® Integrated Clock Controller Service - Intel® ICCS (ICCS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe
O23 - Service: Intel® Capability Licensing Service Interface - Intel® Corporation - C:\Program Files\Intel\iCLS Client\HeciServer.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® Dynamic Application Loader Host Interface Service (jhi_service) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Intel® Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
O23 - Service: Motorola Device Manager Service (Motorola Device Manager) - Motorola Mobility LLC - C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: MSI_ComCenService - MSI - C:\MSI\MSI SUITE\ControlCenter\ComCenService.exe
O23 - Service: MSI_FastBoot - MSI - C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe
O23 - Service: MSI_SuiteCharger - MSI - C:\MSI\MSI SUITE\Super-Charger\SuiteChargeService.exe
O23 - Service: MSI_SuiteFastBoot - MSI - C:\MSI\MSI SUITE\FastBoot\SuiteFastBootService.exe
O23 - Service: MSI_SuperCharger - MSI - C:\Program Files (x86)\MSI\Super-Charger\ChargeService.exe
O23 - Service: MySQL56 - Unknown owner - C:/Program.exe (file missing)
O23 - Service: @C:\Program Files (x86)\Nero\Update\NASvc.exe,-200 (NAUpdate) - Nero AG - C:\Program Files (x86)\Nero\Update\NASvc.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NPVR Recording Service - Unknown owner - C:\Program Files (x86)\NPVR\NRecord.exe (file missing)
O23 - Service: NVIDIA Streamer Service (NvStreamSvc) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
O23 - Service: Internet Pass-Through Service (PassThru Service) - Unknown owner - C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: PST Service - Motorola - C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe
O23 - Service: RealtekSE - Realtek - C:\Program Files (x86)\ASUS\PCE-N10 WLAN Card Utilities\RtlService.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Intel® Management and Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: WD Backup (WDBackup) - Western Digital Technologies, Inc. - C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe
O23 - Service: WD Drive Manager (WDDriveService) - Western Digital Technologies, Inc. - C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
 
--
End of file - 11418 bytes


#49 digitalmofo


Posted 03 December 2013 - 08:45 PM

Ahh, getting popups again.  :(



#50 digitalmofo


Posted 04 December 2013 - 10:43 PM

bump



#51 gringo_pr


Posted 04 December 2013 - 10:45 PM


Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan - Vista and Win 7: right-click on the IE shortcut and run as admin

Go to the Eset web page to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the add-on to be installed
    • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options
    • Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.

  • Click Scan
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish
When the scan is complete
  • If no threats were found
    • put a checkmark in "Uninstall application on close"
    • close program
    • report to me that nothing was found
  • If threats were found
    • click on "list of threats found"
    • click on "export to text file" and save it as ESET SCAN and save to the desktop
    • Click on back
    • put a checkmark in "Uninstall application on close"
    • click on finish
    • close program
    • copy and paste the report here
Gringo

#52 digitalmofo


Posted 05 December 2013 - 09:35 AM

ESET SCAN:
 
C:\FRST\Quarantine\lkuerjdi.exe a variant of MSIL/Adware.GOffer.A application
C:\FRST\Quarantine\rp.dll Win32/AdWare.HotBar.V application
C:\FRST\Quarantine\vrtytdrp.exe a variant of MSIL/Adware.GOffer.B application
C:\Users\Stormtrooper\AppData\Local\Temp\vrtytdrp.exe a variant of MSIL/Adware.GOffer.B application
C:\Users\Stormtrooper\AppData\Local\Temp\3sloaabv.m0b\lkuerjdi.exe a variant of MSIL/Adware.GOffer.A application
C:\Users\Stormtrooper\AppData\Local\Temp\5zduar3u.o3l\lkuerjdi.exe a variant of MSIL/Adware.GOffer.A application
C:\Users\Stormtrooper\AppData\Local\Temp\aqpj142k.xgn\lkuerjdi.exe a variant of MSIL/Adware.GOffer.A application
C:\Users\Stormtrooper\AppData\Local\Temp\dzhzf3ir.fjv\lkuerjdi.exe a variant of MSIL/Adware.GOffer.A application
C:\Users\Stormtrooper\AppData\Local\Temp\ecb4m0xz.uk1\lkuerjdi.exe a variant of MSIL/Adware.GOffer.A application
C:\Users\Stormtrooper\AppData\Local\Temp\eijnqlzg.f1x\lkuerjdi.exe a variant of MSIL/Adware.GOffer.A application
C:\Users\Stormtrooper\AppData\Local\Temp\hvlxqvk5.co3\lkuerjdi.exe a variant of MSIL/Adware.GOffer.A application
C:\Users\Stormtrooper\AppData\Local\Temp\kgdsv3xa.kb3\lkuerjdi.exe a variant of MSIL/Adware.GOffer.A application
C:\Users\Stormtrooper\AppData\Local\Temp\miujp5nc.tsl\lkuerjdi.exe a variant of MSIL/Adware.GOffer.A application
C:\Users\Stormtrooper\AppData\Local\Temp\p1p24vg3.ryi\lkuerjdi.exe a variant of MSIL/Adware.GOffer.A application
C:\Users\Stormtrooper\AppData\Local\Temp\qis1rech.11r\lkuerjdi.exe a variant of MSIL/Adware.GOffer.A application
C:\Users\Stormtrooper\AppData\Local\Temp\qtdewb4w.joj\lkuerjdi.exe a variant of MSIL/Adware.GOffer.A application
C:\Users\Stormtrooper\AppData\Local\Temp\rpewgxaw.sy4\lkuerjdi.exe a variant of MSIL/Adware.GOffer.A application
C:\Users\Stormtrooper\AppData\Local\Temp\seowq35w.25d\lkuerjdi.exe a variant of MSIL/Adware.GOffer.A application
C:\Users\Stormtrooper\AppData\Local\Temp\ubf1gjbz.ruo\lkuerjdi.exe a variant of MSIL/Adware.GOffer.A application
C:\Users\Stormtrooper\AppData\Local\Temp\uukx31qj.3er\lkuerjdi.exe a variant of MSIL/Adware.GOffer.A application
C:\Users\Stormtrooper\AppData\Local\Temp\vayok3m5.mua\lkuerjdi.exe a variant of MSIL/Adware.GOffer.A application
C:\Users\Stormtrooper\AppData\Local\Temp\zbar0fqo.syf\lkuerjdi.exe a variant of MSIL/Adware.GOffer.A application
C:\Windows\System32\rp.dll Win32/AdWare.HotBar.V application
C:\Windows\SysWOW64\rp.dll Win32/AdWare.HotBar.V application
Operating memory a variant of MSIL/Adware.GOffer.A application
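Reading these two reports by eye is exactly what the helper is doing in this thread: looking for executables that run from the user's Temp folder under throwaway folder names, and checking whether ESET's hits are already contained in a quarantine folder or still live on disk and in memory. The script below is an added example written for this page; it is not part of HijackThis, ESET, ComboFix or any BleepingComputer tool. Its sample input is a handful of lines copied from the HijackThis log in #48 and the ESET report in #52. The two folder-name patterns are assumptions drawn from those logs: the 8-character dot 3-character lowercase alphanumeric names (ubf1gjbz.ruo and the rest) are the shape .NET's Path.GetRandomFileName() produces, which fits ESET labelling the sample MSIL, and the four-block hex folder name is simply the one seen in #48. Function names such as triage_hjt and summarize_eset are mine.

```python
"""Triage helper for the HijackThis and ESET text reports in this thread.
Added example; not code from HijackThis, ESET or BleepingComputer."""
import re
from collections import Counter

# Constructed sample: lines copied from the HijackThis log in post #48.
HJT_SAMPLE = r"""
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Users\Stormtrooper\AppData\Local\Temp\ubf1gjbz.ruo\lkuerjdi.exe
c:\users\stormtrooper\appdata\local\temp\FEFE6C30-2532F0B0-6607ACE4-D3BFAE0C\xi786gi8.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe
O4 - HKCU\..\Run: [F.lux] "C:\Users\Stormtrooper\AppData\Local\FluxSoftware\Flux\flux.exe" /noshow
O4 - HKLM\..\Run: [Super-Charger] C:\Program Files (x86)\MSI\Super-Charger\Super-Charger.exe
O4 - Startup: Dropbox.lnk = Stormtrooper\AppData\Roaming\Dropbox\bin\Dropbox.exe
"""

# Constructed sample: lines copied from the ESET report in post #52.
ESET_SAMPLE = r"""
C:\FRST\Quarantine\lkuerjdi.exe a variant of MSIL/Adware.GOffer.A application
C:\FRST\Quarantine\rp.dll Win32/AdWare.HotBar.V application
C:\Users\Stormtrooper\AppData\Local\Temp\vrtytdrp.exe a variant of MSIL/Adware.GOffer.B application
C:\Users\Stormtrooper\AppData\Local\Temp\ubf1gjbz.ruo\lkuerjdi.exe a variant of MSIL/Adware.GOffer.A application
C:\Windows\System32\rp.dll Win32/AdWare.HotBar.V application
C:\Windows\SysWOW64\rp.dll Win32/AdWare.HotBar.V application
Operating memory a variant of MSIL/Adware.GOffer.A application
"""

# A drive-rooted path up to the first image extension, so trailing arguments
# such as /noshow on an O4 line are dropped.
PATH_RE = re.compile(r'([A-Za-z]:\\.+?\.(?:exe|dll|sys))', re.I)
USER_TEMP_RE = re.compile(r'\\AppData\\Local\\Temp\\', re.I)
# Assumption: 8 alphanumerics, a dot, 3 more, used as a folder name.  This is
# the shape .NET's Path.GetRandomFileName() yields (e.g. ubf1gjbz.ruo).
RANDOM_83_DIR_RE = re.compile(r'\\[a-z0-9]{8}\.[a-z0-9]{3}\\', re.I)
# Assumption: four dash-separated 8-hex-digit blocks as a folder, as in post #48.
HEX_BLOCK_DIR_RE = re.compile(r'\\[0-9A-F]{8}(?:-[0-9A-F]{8}){3}\\', re.I)


def extract_path(line):
    """Image path from a HijackThis process or O4 line, or None if there is none."""
    m = PATH_RE.search(line)
    return m.group(1) if m else None


def suspicious_reasons(path):
    """Heuristic reasons to look twice at an autorun/process path (empty = none)."""
    reasons = []
    if USER_TEMP_RE.search(path):
        reasons.append("runs from the user's Temp folder")
    if RANDOM_83_DIR_RE.search(path):
        reasons.append("random 8.3-style folder name")
    if HEX_BLOCK_DIR_RE.search(path):
        reasons.append("hex-block folder name")
    return reasons


def triage_hjt(text):
    """Return [(path, reasons)] for every flagged line of a HijackThis excerpt."""
    flagged = []
    for line in text.splitlines():
        path = extract_path(line)
        if path:
            reasons = suspicious_reasons(path)
            if reasons:
                flagged.append((path, reasons))
    return flagged


# "<path> <detection> application", with "Operating memory" in place of a path.
ESET_LINE_RE = re.compile(
    r'^(?P<path>Operating memory|.+?\.(?:exe|dll|sys)) (?P<det>.+?) application$', re.I)


def location_of(path):
    """Coarse location class used to tell contained hits from live ones."""
    p = path.lower()
    if p == "operating memory":
        return "memory"
    if "\\quarantine\\" in p:
        return "quarantine"
    if "\\appdata\\local\\temp\\" in p:
        return "user temp"
    if p.startswith("c:\\windows\\"):
        return "windows dir"
    return "other"


def parse_eset(text):
    """Yield (path, family, location) for each line of an ESET report."""
    for line in text.splitlines():
        m = ESET_LINE_RE.match(line.strip())
        if m:
            family = re.sub(r'^a variant of ', '', m.group('det'), flags=re.I)
            yield m.group('path'), family, location_of(m.group('path'))


def summarize_eset(text):
    """Count detections by family and location; list those not already quarantined."""
    by_family, by_location, live = Counter(), Counter(), []
    for path, family, loc in parse_eset(text):
        by_family[family] += 1
        by_location[loc] += 1
        if loc != "quarantine":
            live.append(path)
    return {"by_family": by_family, "by_location": by_location, "live": live}


if __name__ == "__main__":
    for path, reasons in triage_hjt(HJT_SAMPLE):
        print("FLAG", path, "--", "; ".join(reasons))
    s = summarize_eset(ESET_SAMPLE)
    print("families:", dict(s["by_family"]))
    print("locations:", dict(s["by_location"]))
    print("not yet quarantined:", len(s["live"]))
```

On the sample, the two Temp-folder processes from the #48 log are the only flagged lines, and the ESET summary shows why the popups continued after the earlier tools: two of the seven hits were already in C:\FRST\Quarantine, but the other five (Temp copies, rp.dll in both System32 and SysWOW64, and the in-memory instance) were still live when the scan ran.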


#53 digitalmofo


Posted 06 December 2013 - 03:29 AM

Here's what we are fighting.

 

g3BDqLy.png



#54 gringo_pr


Posted 06 December 2013 - 09:46 AM


Hello digitalmofo

I would like you to download an updated version of combofix.

update combofix
  • Delete the version of combofix you have now on your desktop and download a new one from here. **Note: It is important that it is saved directly to your desktop.**

    1. Close any open browsers.
    2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

    Double click on combofix.exe & follow the prompts.
    When finished, it will produce a report for you.

    Note: Do not mouse-click combofix's window while it's running. That may cause it to stall.

    Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"
  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?
Gringo

#55 digitalmofo


Posted 06 December 2013 - 07:51 PM

Combofix Log:

 

ComboFix 13-12-06.01 - Stormtrooper 12/06/2013  13:57:27.5.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.8143.5791 [GMT -8:00]
Running from: c:\users\Stormtrooper\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((   Files Created from 2013-11-06 to 2013-12-06  )))))))))))))))))))))))))))))))
.
.
2013-12-06 22:05 . 2013-12-06 22:05 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2013-12-06 22:05 . 2013-12-06 22:05 -------- d-----w- c:\users\Guest\AppData\Local\temp
2013-12-06 22:05 . 2013-12-06 22:05 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-12-05 23:10 . 2013-11-08 03:12 10285968 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{02EC9057-1ECA-4C27-85F9-C97233A42626}\mpengine.dll
2013-12-04 15:21 . 2013-11-08 03:12 10285968 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-12-02 08:54 . 2013-12-02 08:54 388096 ----a-r- c:\users\Stormtrooper\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2013-12-02 08:54 . 2013-12-02 08:54 -------- d-----w- c:\program files (x86)\Trend Micro
2013-12-02 05:13 . 2013-12-02 06:02 -------- d-----w- c:\users\Stormtrooper\Doctor Web
2013-12-01 02:21 . 2013-12-01 02:21 -------- d-----w- c:\program files\Western Digital
2013-11-30 22:55 . 2013-11-30 22:55 -------- d-----w- c:\programdata\Kaspersky Lab
2013-11-30 02:24 . 2013-11-30 02:24 -------- d-----w- c:\users\Stormtrooper\AppData\Local\Western Digital
2013-11-30 02:24 . 2013-11-30 02:24 -------- d-----w- c:\users\Stormtrooper\AppData\Local\Western_Digital_Technolog
2013-11-30 02:23 . 2013-12-01 02:21 -------- d-----w- c:\program files\Common Files\Western Digital
2013-11-30 02:23 . 2013-12-01 02:21 -------- d-----w- c:\program files (x86)\Western Digital
2013-11-30 02:23 . 2013-12-01 02:21 -------- d-----w- c:\program files (x86)\Common Files\Western Digital
2013-11-30 02:20 . 2013-12-01 02:21 -------- d-----w- c:\programdata\Western Digital
2013-11-29 04:41 . 2013-11-29 04:41 -------- d-----w- c:\program files (x86)\Cisco Systems
2013-11-29 04:22 . 2013-11-29 04:22 -------- d-----w- c:\programdata\Cisco Systems
2013-11-28 04:07 . 2013-12-06 19:12 78336 ----a-w- c:\windows\SysWow64\rp.dll
2013-11-28 03:45 . 2013-12-06 22:05 -------- d-----w- c:\users\Stormtrooper\AppData\Local\Temp
2013-11-28 02:58 . 2013-11-28 03:32 -------- d-----w- C:\FRST
2013-11-26 07:26 . 2013-11-26 07:26 -------- d-----w- c:\program files (x86)\VS Revo Group
2013-11-26 01:11 . 2013-11-26 01:11 -------- d-----w- C:\_OTL
2013-11-24 06:36 . 2013-11-24 06:37 -------- d-----w- c:\users\Stormtrooper\AppData\Local\Kobo
2013-11-24 06:36 . 2013-11-24 06:36 -------- d-----w- c:\program files (x86)\Kobo
2013-11-24 03:38 . 2013-11-24 21:16 -------- d-----w- c:\users\Stormtrooper\AppData\Local\gtk-2.0
2013-11-24 03:38 . 2013-11-24 03:38 -------- d-----w- c:\users\Stormtrooper\.thumbnails
2013-11-24 03:27 . 2013-11-24 03:29 -------- d-----w- c:\program files\GIMP 2
2013-11-23 00:25 . 2013-11-23 00:26 -------- d-----w- c:\users\Stormtrooper\AppData\Local\Amazon
2013-11-20 07:50 . 2013-11-11 15:02 6674208 ----a-w- c:\windows\system32\nvcpl.dll
2013-11-20 07:50 . 2013-11-11 15:02 3490080 ----a-w- c:\windows\system32\nvsvc64.dll
2013-11-20 07:50 . 2013-11-11 15:01 922912 ----a-w- c:\windows\system32\nvvsvc.exe
2013-11-20 07:50 . 2013-11-11 15:01 63776 ----a-w- c:\windows\system32\nvshext.dll
2013-11-20 07:50 . 2013-11-11 15:01 219424 ----a-w- c:\windows\system32\nvmctray.dll
2013-11-20 07:50 . 2013-11-11 15:01 3467927 ----a-w- c:\windows\system32\nvcoproc.bin
2013-11-20 07:50 . 2013-11-14 11:55 61216 ----a-w- c:\windows\system32\OpenCL.dll
2013-11-20 07:50 . 2013-11-14 11:55 53024 ----a-w- c:\windows\SysWow64\OpenCL.dll
2013-11-20 07:47 . 2013-11-26 08:19 -------- d-----w- C:\NVIDIA
2013-11-20 01:38 . 2013-11-20 01:38 -------- d-----w- c:\windows\ERUNT
2013-11-19 01:29 . 2013-11-19 01:30 -------- d-----w- C:\_acestream_cache_
2013-11-16 06:53 . 2013-11-16 06:53 -------- d-----w- c:\program files (x86)\AGEIA Technologies
2013-11-16 06:45 . 2013-11-08 20:47 1064224 ----a-w- c:\windows\system32\nvspcap64.dll
2013-11-16 06:45 . 2013-11-08 20:47 955168 ----a-w- c:\windows\SysWow64\nvspcap.dll
2013-11-16 06:43 . 2013-09-27 23:01 39200 ----a-w- c:\windows\system32\drivers\nvvad64v.sys
2013-11-16 06:43 . 2013-09-27 23:01 28960 ----a-w- c:\windows\SysWow64\nvaudcap32v.dll
2013-11-14 11:09 . 2013-10-12 08:45 51712 ----a-w- c:\windows\system32\ie4uinit.exe
2013-11-14 00:25 . 2013-11-14 00:25 -------- d-----w- c:\program files\iPod
2013-11-14 00:25 . 2013-11-14 00:26 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-11-14 00:25 . 2013-11-14 00:26 -------- d-----w- c:\program files\iTunes
2013-11-14 00:25 . 2013-11-14 00:26 -------- d-----w- c:\program files (x86)\iTunes
2013-11-11 16:59 . 2013-11-11 16:59 590112 ----a-w- c:\windows\SysWow64\nvStreaming.exe
2013-11-08 19:12 . 2013-11-08 19:12 -------- d-----w- c:\program files (x86)\FFMPEG
2013-11-08 19:12 . 2013-11-08 19:12 -------- d-----w- c:\programdata\SPEEDbit
2013-11-08 17:39 . 2013-11-11 05:04 -------- d-----w- c:\users\Stormtrooper\AppData\Roaming\BitTorrent
2013-11-08 01:44 . 2013-11-23 23:56 -------- d-----w- c:\users\Stormtrooper\AppData\Local\Spotify
2013-11-08 01:43 . 2013-11-23 23:56 -------- d-----w- c:\users\Stormtrooper\AppData\Roaming\Spotify
2013-11-08 01:12 . 2013-10-17 23:47 965000 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{088CA37D-B476-40E2-88C7-36BD445DEBB9}\gapaengine.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-11-19 10:21 . 2010-11-21 03:27 267936 ------w- c:\windows\system32\MpSigStub.exe
2013-11-14 11:02 . 2012-05-03 07:31 82896128 ----a-w- c:\windows\system32\MRT.exe
2013-10-17 23:47 . 2012-06-13 03:39 965000 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2013-10-08 20:05 . 2012-06-10 04:15 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-10-08 14:50 . 2013-10-25 01:53 96168 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-09-27 23:01 . 2013-07-31 06:19 29984 ----a-w- c:\windows\system32\nvaudcap64v.dll
2013-09-27 17:53 . 2013-09-27 17:53 248240 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2013-09-27 17:53 . 2012-03-21 03:44 134944 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2013-09-25 01:23 . 2013-09-25 01:23 12872 ----a-w- c:\windows\system32\bootdelete.exe
2013-09-08 02:30 . 2013-10-09 13:54 1903552 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-09-08 02:27 . 2013-10-09 13:54 327168 ----a-w- c:\windows\system32\mswsock.dll
2013-09-08 02:03 . 2013-10-09 13:54 231424 ----a-w- c:\windows\SysWow64\mswsock.dll
2012-10-07 19:14 . 2008-06-29 17:31 1229824 ----a-w- c:\program files (x86)\LaunchpadEnhanced.exe
2008-06-29 17:31 . 2008-06-29 17:31 1227264 ----a-w- c:\program files (x86)\LaunchpadEnhanced.exe.old
2008-05-02 04:46 . 2008-05-02 04:46 266240 ----a-w- c:\program files (x86)\MySql.Data.dll
2008-05-02 04:44 . 2008-05-02 04:44 533408 ----a-w- c:\program files (x86)\Xceed.UI.dll
2008-05-02 04:44 . 2008-05-02 04:44 1270688 ----a-w- c:\program files (x86)\Xceed.Grid.dll
2008-05-02 04:44 . 2008-05-02 04:44 516096 ----a-w- c:\program files (x86)\Xceed.Editors.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\Stormtrooper\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\Stormtrooper\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\Stormtrooper\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"F.lux"="c:\users\Stormtrooper\AppData\Local\FluxSoftware\Flux\flux.exe" [2013-10-15 1016712]
"Spotify Web Helper"="c:\users\Stormtrooper\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2013-11-17 1168896]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"USB3MON"="c:\program files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2012-05-21 291648]
"Super-Charger"="c:\program files (x86)\MSI\Super-Charger\Super-Charger.exe" [2012-12-21 507016]
"Fast Boot"="c:\program files (x86)\MSI\Fast Boot\StartFastBoot.exe" [2012-09-19 764472]
"WD Drive Unlocker"="c:\program files (x86)\Western Digital\WD Security\WDDriveAutoUnlock.exe" [2013-04-01 1694080]
"WD Quick View"="c:\program files (x86)\Western Digital\WD Quick View\WDDMStatus.exe" [2013-11-02 5537136]
.
c:\users\Stormtrooper\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Stormtrooper\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2013-5-24 27776968]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 NPVR Recording Service;NPVR Recording Service;c:\program files (x86)\NPVR\NRecord.exe;c:\program files (x86)\NPVR\NRecord.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys;c:\windows\SYSNATIVE\DRIVERS\dc3d.sys [x]
R3 HTCAND64;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys;c:\windows\SYSNATIVE\Drivers\ANDROIDUSB.sys [x]
R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\DRIVERS\htcnprot.sys;c:\windows\SYSNATIVE\DRIVERS\htcnprot.sys [x]
R3 ICCS;Intel® Integrated Clock Controller Service - Intel® ICCS;c:\program files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe;c:\program files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe [x]
R3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys;c:\windows\SYSNATIVE\DRIVERS\motodrv.sys [x]
R3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\DRIVERS\MijXfilt.sys;c:\windows\SYSNATIVE\DRIVERS\MijXfilt.sys [x]
R3 MSICDSetup;MSICDSetup;d:\cdriver64.sys;d:\CDriver64.sys [x]
R3 MySQL56;MySQL56;C:/Program Files/MySQL/MySQL Server 5.6/bin\mysqld --defaults-file=c:\programdata\MySQL\MySQL Server 5.6\my.ini MySQL56;C:/Program Files/MySQL/MySQL Server 5.6/bin\mysqld --defaults-file=c:\programdata\MySQL\MySQL Server 5.6\my.ini MySQL56 [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 NTIOLib_1_0_4;NTIOLib_1_0_4;c:\program files (x86)\MSI\Live Update 5\NTIOLib_X64.sys;c:\program files (x86)\MSI\Live Update 5\NTIOLib_X64.sys [x]
R3 NTIOLib_1_0_C;NTIOLib_1_0_C;c:\msi\MSI SUITE\NTIOLib_X64.sys;c:\msi\MSI SUITE\NTIOLib_X64.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys;c:\windows\SYSNATIVE\DRIVERS\rtl8192Ce.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys;c:\windows\SYSNATIVE\DRIVERS\wdcsam64.sys [x]
R4 MSIFileSyncMonitor;MSI FileSync Monitor;c:\msi\MSI SUITE\MSIMonitor\MSIFileSyncMonitor.exe;c:\msi\MSI SUITE\MSIMonitor\MSIFileSyncMonitor.exe [x]
S0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hcs.sys [x]
S2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe;c:\program files\Intel\iCLS Client\HeciServer.exe [x]
S2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [x]
S2 Motorola Device Manager;Motorola Device Manager Service;c:\program files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe;c:\program files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe [x]
S2 MSI_ComCenService;MSI_ComCenService;c:\msi\MSI SUITE\ControlCenter\ComCenService.exe;c:\msi\MSI SUITE\ControlCenter\ComCenService.exe [x]
S2 MSI_FastBoot;MSI_FastBoot;c:\program files (x86)\MSI\Fast Boot\FastBootService.exe;c:\program files (x86)\MSI\Fast Boot\FastBootService.exe [x]
S2 MSI_SuiteCharger;MSI_SuiteCharger;c:\msi\MSI SUITE\Super-Charger\SuiteChargeService.exe;c:\msi\MSI SUITE\Super-Charger\SuiteChargeService.exe [x]
S2 MSI_SuiteFastBoot;MSI_SuiteFastBoot;c:\msi\MSI SUITE\FastBoot\SuiteFastBootService.exe;c:\msi\MSI SUITE\FastBoot\SuiteFastBootService.exe [x]
S2 MSI_SuperCharger;MSI_SuperCharger;c:\program files (x86)\MSI\Super-Charger\ChargeService.exe;c:\program files (x86)\MSI\Super-Charger\ChargeService.exe [x]
S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe;c:\program files (x86)\Nero\Update\NASvc.exe [x]
S2 NvStreamSvc;NVIDIA Streamer Service;c:\program files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe;c:\program files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [x]
S2 PassThru Service;Internet Pass-Through Service;c:\program files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe;c:\program files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [x]
S2 PST Service;PST Service;c:\program files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe;c:\program files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe [x]
S2 RealtekSE;RealtekSE;c:\program files (x86)\ASUS\PCE-N10 WLAN Card Utilities\RtlService.exe;c:\program files (x86)\ASUS\PCE-N10 WLAN Card Utilities\RtlService.exe [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S2 WDBackup;WD Backup;c:\program files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe;c:\program files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe [x]
S2 WDDriveService;WD Drive Manager;c:\program files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe;c:\program files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe [x]
S3 ISCT;Intel® Smart Connect Technology Device Driver;c:\windows\system32\DRIVERS\ISCTD64.sys;c:\windows\SYSNATIVE\DRIVERS\ISCTD64.sys [x]
S3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hub.sys [x]
S3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3xhc.sys [x]
S3 MBfilt;MBfilt;c:\windows\system32\drivers\MBfilt64.sys;c:\windows\SYSNATIVE\drivers\MBfilt64.sys [x]
S3 NTIOLib_1_0_3;NTIOLib_1_0_3;c:\program files (x86)\MSI\Super-Charger\NTIOLib_X64.sys;c:\program files (x86)\MSI\Super-Charger\NTIOLib_X64.sys [x]
S3 NTIOLib_1_0_D;NTIOLib_1_0_D;c:\msi\MSI SUITE\ControlCenter\NTIOLib_X64.sys;c:\msi\MSI SUITE\ControlCenter\NTIOLib_X64.sys [x]
S3 NTIOLib_1_1_S;NTIOLib_1_1_S;c:\msi\MSI SUITE\Super-Charger\NTIOLib_X64.sys;c:\msi\MSI SUITE\Super-Charger\NTIOLib_X64.sys [x]
S3 NTIOLib_FastBoot;NTIOLib_FastBoot;c:\program files (x86)\MSI\Fast Boot\NTIOLib_X64.sys;c:\program files (x86)\MSI\Fast Boot\NTIOLib_X64.sys [x]
S3 NTIOLib_SuiteFB;NTIOLib_SuiteFB;c:\msi\MSI SUITE\FastBoot\NTIOLib_X64.sys;c:\msi\MSI SUITE\FastBoot\NTIOLib_X64.sys [x]
S3 nvvad_WaveExtensible;NVIDIA Virtual Audio Device (Wave Extensible) (WDM);c:\windows\system32\drivers\nvvad64v.sys;c:\windows\SYSNATIVE\drivers\nvvad64v.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - NTIOLIB_1_0_3
*NewlyCreated* - NTIOLIB_1_0_D
*NewlyCreated* - NTIOLIB_FASTBOOT
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-12-05 06:49 1210320 ----a-w- c:\program files (x86)\Google\Chrome\Application\31.0.1650.63\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-12-06 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-10 20:05]
.
2013-12-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-08-07 06:01]
.
2013-12-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-08-07 06:01]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 164016 ----a-w- c:\users\Stormtrooper\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 164016 ----a-w- c:\users\Stormtrooper\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 164016 ----a-w- c:\users\Stormtrooper\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 164016 ----a-w- c:\users\Stormtrooper\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2013-01-16 6963272]
"Nvtmru"="c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe" [2013-11-08 1028384]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-10-24 1266912]
"ShadowPlay"="c:\windows\system32\nvspcap64.dll" [2013-11-08 1064224]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mLocal Page = c:\windows\SYSTEM32\blank.htm
Trusted Zone: comodo.com\secure
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62 192.168.1.1
TCP: Interfaces\{AE20AB2F-B7AA-4F81-B690-E67DFCF124CC}: DhcpNameServer = 209.18.47.61 209.18.47.62 192.168.1.1
FF - ProfilePath - c:\users\Stormtrooper\AppData\Roaming\Mozilla\Firefox\Profiles\0j87h6vt.default\
FF - ExtSQL: 2013-11-24 14:13; [email protected]; c:\users\Stormtrooper\AppData\Roaming\Mozilla\Firefox\Profiles\0j87h6vt.default\extensions\[email protected]
FF - ExtSQL: 2013-11-24 14:14; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\Stormtrooper\AppData\Roaming\Mozilla\Firefox\Profiles\0j87h6vt.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2013-11-27 20:16; {73a6fe31-595d-460b-a920-fcc0f8843232}; c:\users\Stormtrooper\AppData\Roaming\Mozilla\Firefox\Profiles\0j87h6vt.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
FF - ExtSQL: 2013-11-27 20:16; {3d7eb24f-2740-49df-8937-200b1cc08f8a}; c:\users\Stormtrooper\AppData\Roaming\Mozilla\Firefox\Profiles\0j87h6vt.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
FF - ExtSQL: 2013-11-27 20:16; [email protected]; c:\users\Stormtrooper\AppData\Roaming\Mozilla\Firefox\Profiles\0j87h6vt.default\extensions\[email protected]
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\MySQL56]
"ImagePath"="\"C:/Program Files/MySQL/MySQL Server 5.6/bin\mysqld\" --defaults-file=\"c:\programdata\MySQL\MySQL Server 5.6\my.ini\" MySQL56"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\MySQL56]
"ImagePath"="\"C:/Program Files/MySQL/MySQL Server 5.6/bin\mysqld\" --defaults-file=\"c:\programdata\MySQL\MySQL Server 5.6\my.ini\" MySQL56"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2751212622-2696776098-2188675485-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9A72C98C-D8C5-24EE-5870-D28537765321}*]
@Allowed: (Read) (RestrictedCode)
"packaanacbeoliopnoihlclbclkdajoj"=hex:6a,61,66,66,6c,61,61,64,6c,6f,6e,61,6d,
   62,66,6a,65,6e,67,70,00,f3
"oaalngnbjkbmfjnlodnlifngpafgbc"=hex:6a,61,6f,66,61,61,66,64,64,64,6e,6c,69,61,
   64,63,67,68,70,70,00,f3
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-12-06  14:06:51
ComboFix-quarantined-files.txt  2013-12-06 22:06
ComboFix2.txt  2013-11-26 04:52
ComboFix3.txt  2013-11-24 22:26
ComboFix4.txt  2013-11-19 07:41
ComboFix5.txt  2013-12-06 21:55
.
Pre-Run: 721,900,744,704 bytes free
Post-Run: 722,038,906,880 bytes free
.
- - End Of File - - A286986E2086CA069F958FFD7B78495D
0792F22BCC85CFD3B28324561FFFCABB
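
As an added example (not part of this thread, and not ComboFix's own code), the script below is a small Python triage pass over a ComboFix-style log like the one above. It pulls out the autostart entries (Run-key values and the R*/S* service and driver lines), flags image paths that sit in user-writable or non-standard locations, and decodes the `hex:` REG_BINARY values from the LOCKED REGISTRY KEYS section into text. The path heuristics are this example's own assumptions, not ComboFix rules, and the sample log embedded in it is a constructed subset of the lines above so that it runs offline.

```python
"""
Triage a ComboFix-style log for autostart entries and locked-key hex values.

Added example for this thread; not part of the original posts and not
ComboFix's own code. The path heuristics (what counts as a user-writable or
off-standard location) are this example's assumptions, not ComboFix rules.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: a subset of lines copied in the shape of the log above,
# embedded here so the script runs offline.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"F.lux"="c:\users\Stormtrooper\AppData\Local\FluxSoftware\Flux\flux.exe" [2013-10-15 1016712]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
.
R3 MSICDSetup;MSICDSetup;d:\cdriver64.sys;d:\CDriver64.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R4 MSIFileSyncMonitor;MSI FileSync Monitor;c:\msi\MSI SUITE\MSIMonitor\MSIFileSyncMonitor.exe;c:\msi\MSI SUITE\MSIMonitor\MSIFileSyncMonitor.exe [x]
.
[HKEY_USERS\S-1-5-21-2751212622-2696776098-2188675485-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9A72C98C-D8C5-24EE-5870-D28537765321}*]
@Allowed: (Read) (RestrictedCode)
"packaanacbeoliopnoihlclbclkdajoj"=hex:6a,61,66,66,6c,61,61,64,6c,6f,6e,61,6d,
   62,66,6a,65,6e,67,70,00,f3
"oaalngnbjkbmfjnlodnlifngpafgbc"=hex:6a,61,6f,66,61,61,66,64,64,64,6e,6c,69,61,
   64,63,67,68,70,70,00,f3
"""

# "Name"="path" [YYYY-MM-DD size]        (Run-key entries)
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[(?P<stamp>[^\]]*)\]\s*$')
# R2 name;description;path;path2 [x]    (service / driver entries)
SVC_RE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>[^;]+);')
# "name"=hex:aa,bb,...                  (REG_BINARY, may wrap onto indented lines)
HEX_RE = re.compile(r'^"(?P<name>[^"]+)"=hex:(?P<bytes>[0-9a-fA-F, ]*)$')

# Heuristic markers (assumptions of this example): paths a non-admin user can
# write to, and the roots where Windows and installed software normally live.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")
SYSTEM_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def classify_path(path: str) -> List[str]:
    """Return the reasons (possibly none) an autostart image path deserves a look."""
    p = path.lower()
    reasons = []
    if any(marker in p for marker in USER_WRITABLE):
        reasons.append("user-writable location")
    if not p.startswith(SYSTEM_ROOTS):
        reasons.append("outside Windows/Program Files")
    return reasons


def join_continuations(lines: List[str]) -> List[str]:
    """Fold indented continuation lines (wrapped hex: values) into the line above."""
    out: List[str] = []
    for line in lines:
        if line[:1].isspace() and out:
            out[-1] += line.strip()
        else:
            out.append(line.rstrip())
    return out


def decode_hex_value(hex_text: str) -> Tuple[bytes, str]:
    """Turn a 'hex:' byte list into raw bytes plus the ASCII text before the first NUL."""
    raw = bytes(int(b, 16) for b in hex_text.replace(" ", "").split(",") if b)
    text = raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")
    return raw, text


def parse_log(text: str) -> Dict[str, list]:
    """Collect (name, path, reasons) autoruns and (name, decoded, hex) binary values."""
    autoruns: List[Tuple[str, str, List[str]]] = []
    hex_values: List[Tuple[str, str, str]] = []
    for line in join_continuations(text.splitlines()):
        m = RUN_RE.match(line) or SVC_RE.match(line)
        if m:
            path = m.group("path")
            autoruns.append((m.group("name"), path, classify_path(path)))
            continue
        m = HEX_RE.match(line)
        if m:
            raw, decoded = decode_hex_value(m.group("bytes"))
            hex_values.append((m.group("name"), decoded, raw.hex()))
    return {"autoruns": autoruns, "hex_values": hex_values}


def suspicious(report: Dict[str, list]) -> List[Tuple[str, str, List[str]]]:
    """Autostart entries that tripped at least one heuristic."""
    return [entry for entry in report["autoruns"] if entry[2]]


if __name__ == "__main__":
    rep = parse_log(SAMPLE_LOG)
    for name, path, reasons in suspicious(rep):
        print(f"{name:<22} {path}  <- {', '.join(reasons)}")
    for name, decoded, raw_hex in rep["hex_values"]:
        print(f"{name} = {decoded!r} ({raw_hex})")
```

Run against the sample it flags F.lux (user profile), MSICDSetup (a driver loaded from the d:\ root) and the MSI suite entry under c:\msi, and decodes the two locked-key values to twenty-character lowercase strings. A flag is a prompt to check the file's signer and hash, not a verdict: legitimate per-user installers land in AppData too. Likewise the log itself says nothing about what the decoded strings are, so the script only surfaces them for a second look.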


#56 digitalmofo (Topic Starter, Members, 50 posts)

Posted 06 December 2013 - 07:54 PM

So far, it is running well, no weird processes, but I still have a lot of those programs in my notifications.



#57 digitalmofo (Topic Starter, Members, 50 posts)

Posted 06 December 2013 - 10:07 PM

Ahh, popups again.



#58 digitalmofo (Topic Starter, Members, 50 posts)

Posted 08 December 2013 - 03:01 PM

Still yet.

BLizlfW.png



#59 gringo_pr (Bleepin Gringo, Malware Response Team, 136,033 posts, Puerto Rico)

Posted 08 December 2013 - 09:03 PM

Hello digitalmofo

Something is keeping this thing in place, and it sounds like a type of file infector. We have thrown everything at this thing that I can think of, and it has not slowed it down. The only other thing I can think of at this time is to format the drive.


gringo

#60 digitalmofo (Topic Starter, Members, 50 posts)

Posted 08 December 2013 - 09:26 PM

I was considering that and have my Windows disc ready for it in case it came to this. That's why I came here: I could not figure out anything to do with it. While we did not get it, I am certainly glad that it is not just me that cannot figure it out. I want to thank you for the tremendous amount of help that you have given me.

Thank you again, and hopefully it doesn't persist through the reformat!





