BleepingComputer.com: Spy ware

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

Spy ware

#1 User is offline   Passarill 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 3
  • Joined: 12-January 12

Posted 12 January 2012 - 04:17 PM

Good evening,
I found in my computer with spyware program Marwarebytes 21.
I cleaned the computer but is slow anda friend advised me to run Combofix.
I used the program by following all the advice.
I would like to know, please, where do I post the Combofix log file. :wacko:
thanks

#2 User is online   boopme 

  • To Insanity and Beyond
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Global Moderator
  • Posts: 48,795
  • Joined: 10-September 04
  • Gender:Male
  • Location:NJ USA

Posted 12 January 2012 - 04:51 PM

Hello having run ComboFix we need to see that and a DDS log.

Please go here....
Preparation Guide ,do steps 6 - 9.

Create a DDS log and post it in this topic,thanks.
Skip the GMER step and instead post the ComboFix log you have.

Let me know if that went well.
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 User is offline   Passarill 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 3
  • Joined: 12-January 12

Posted 12 January 2012 - 05:29 PM

Thank you for answer, here is the Combofix log file:


ComboFix 12-01-10.02 - Nibbio 12/01/2012 0:27.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.39.1040.18.2942.1765 [GMT 1:00]
Eseguito da: c:\users\Nibbio\Desktop\Combo\Nicombo.exe
AV: AntiVir Desktop *Disabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: AntiVir Desktop *Disabled/Outdated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\facemoods.com
c:\program files\facemoods.com\facemoods\1.4.17.11\bh\facemoods.dll
c:\program files\facemoods.com\facemoods\1.4.17.11\facemoods.crx
c:\program files\facemoods.com\facemoods\1.4.17.11\facemoods.png
c:\program files\facemoods.com\facemoods\1.4.17.11\facemoodsApp.dll
c:\program files\facemoods.com\facemoods\1.4.17.11\facemoodsEng.dll
c:\program files\facemoods.com\facemoods\1.4.17.11\facemoodssrv.exe
c:\program files\facemoods.com\facemoods\1.4.17.11\facemoodsTlbr.dll
c:\program files\facemoods.com\facemoods\1.4.17.11\uninstall.exe
c:\users\Nibbio\Documents\~WRL0003.tmp
.
.
((((((((((((((((((((((((( Files Creati Da 2011-12-11 al 2012-01-11 )))))))))))))))))))))))))))))))))))
.
.
2012-01-11 23:21 . 2012-01-11 23:21 -------- d-----w- C:\ProgComb52
2012-01-11 22:35 . 2012-01-11 22:35 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DD033BE2-CA68-4AD9-BB14-986F38FEC513}\MpKsl94b91bc1.sys
2012-01-11 20:02 . 2012-01-11 20:02 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DD033BE2-CA68-4AD9-BB14-986F38FEC513}\MpKsl9853584a.sys
2012-01-11 20:02 . 2012-01-11 22:35 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DD033BE2-CA68-4AD9-BB14-986F38FEC513}\offreg.dll
2012-01-11 14:59 . 2011-11-21 10:47 6823496 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DD033BE2-CA68-4AD9-BB14-986F38FEC513}\mpengine.dll
2012-01-11 14:55 . 2011-11-17 05:38 1288472 ----a-w- c:\windows\system32\ntdll.dll
2012-01-11 14:55 . 2011-11-19 14:01 67072 ----a-w- c:\windows\system32\packager.dll
2012-01-11 14:55 . 2011-10-26 04:32 1328128 ----a-w- c:\windows\system32\quartz.dll
2012-01-11 14:55 . 2011-10-26 04:32 514560 ----a-w- c:\windows\system32\qdvd.dll
2012-01-10 18:34 . 2012-01-10 18:34 -------- d-----w- c:\users\Nibbio\AppData\Roaming\Lingoes
2012-01-10 18:34 . 2012-01-10 18:34 -------- d-----w- c:\users\Nibbio\AppData\Local\Lingoes
2012-01-10 18:33 . 2012-01-10 18:33 -------- d-----w- c:\programdata\Lingoes
2012-01-10 18:33 . 2012-01-10 18:33 -------- d-----w- c:\program files\Lingoes
2012-01-08 09:20 . 2012-01-08 09:21 -------- d-----w- c:\users\Ingresso ospiti\AppData\Roaming\uTorrent
2012-01-06 17:48 . 2012-01-06 23:02 -------- d-----w- c:\programdata\MAGIX
2012-01-06 17:48 . 2012-01-06 17:48 -------- d-----w- c:\program files\MAGIX
2012-01-06 17:43 . 2012-01-06 23:02 -------- d-----w- c:\users\Nibbio\AppData\Roaming\MAGIX
2012-01-05 18:17 . 2012-01-05 18:17 -------- d-----w- c:\program files\Cartoon Maker
2012-01-05 18:06 . 2012-01-05 18:06 -------- d-----w- c:\program files\Caricature Software
2012-01-05 01:19 . 2012-01-05 01:20 -------- d-----w- c:\users\Nibbio\AppData\Roaming\PhotoFiltre
2012-01-05 01:19 . 2012-01-05 01:19 -------- d-----w- c:\program files\PhotoFiltre
2012-01-05 01:10 . 2012-01-05 01:10 -------- d-----w- c:\users\Nibbio\AppData\Roaming\Photopos
2012-01-05 01:10 . 2012-01-05 01:10 -------- d-----w- c:\program files\PhotoposComTbr
2012-01-05 01:10 . 2012-01-05 01:10 203998 ----a-w- c:\windows\Photo Pos Pro Uninstaller.exe
2012-01-05 01:09 . 2012-01-05 01:09 -------- d-----w- c:\program files\Common Files\Thraex Software
2012-01-05 01:02 . 2012-01-05 09:14 -------- d-----w- c:\users\Nibbio\AppData\Local\ServUpdater
2012-01-05 01:02 . 2012-01-05 01:02 -------- d-----w- c:\users\Nibbio\AppData\Local\PosService
2012-01-05 01:02 . 2012-01-05 01:02 -------- d-----w- c:\users\Nibbio\AppData\Local\PowerOffer
2012-01-05 01:02 . 2011-11-05 07:25 801752 ----a-w- c:\program files\Mozilla Firefox\sqlite3.dll
2012-01-04 23:09 . 2002-07-31 18:55 98 --sh--w- c:\windows\WSYS049.SYS
2012-01-04 23:07 . 2012-01-04 23:07 -------- d-----w- c:\programdata\EmailNotifier
2012-01-04 23:06 . 2012-01-05 01:10 -------- d-----w- c:\program files\Photo Pos Pro
2012-01-04 23:02 . 2012-01-04 23:02 -------- d-----w- c:\users\Nibbio\AppData\Roaming\Morpheus Software
2012-01-04 00:51 . 2012-01-04 00:51 -------- d-----w- c:\users\Nibbio\AppData\Roaming\mojosoft
2012-01-04 00:51 . 2012-01-04 00:51 -------- d-----w- c:\program files\mojosoft
2012-01-03 23:14 . 2012-01-03 23:14 -------- d-----w- c:\users\Nibbio\AppData\Roaming\NVIDIA
2012-01-03 15:23 . 2012-01-03 15:23 -------- d-----w- c:\users\Nibbio\AppData\Roaming\Uniblue
2012-01-03 15:22 . 2012-01-03 15:22 -------- d-----w- c:\program files\Uniblue
2012-01-03 15:14 . 2012-01-03 15:22 -------- dc-h--w- c:\programdata\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}
2012-01-03 15:01 . 2012-01-03 15:01 -------- d-----w- c:\users\Nibbio\AppData\Local\PackageAware
2011-12-31 17:36 . 2011-12-31 17:36 -------- d-----w- c:\program files\Intel
2011-12-31 17:36 . 2011-12-06 14:55 53248 ----a-w- c:\windows\system32\CSVer.dll
2011-12-31 17:34 . 2011-12-31 17:34 -------- d-----w- C:\Intel
2011-12-31 17:33 . 2009-07-23 21:02 43008 ----a-w- c:\windows\system32\drivers\Rtnicxp.sys
2011-12-31 17:33 . 2009-07-20 19:07 73728 ----a-w- c:\windows\system32\RtNicProp32.dll
2011-12-31 17:31 . 2012-01-11 20:05 -------- d-----w- c:\users\UpdatusUser
2011-12-31 17:30 . 2011-10-15 08:53 3074368 ----a-w- c:\windows\system32\nvsvcr.dll
2011-12-31 17:30 . 2011-10-15 08:53 602432 ----a-w- c:\windows\system32\easyupdatusapiu.dll
2011-12-31 17:28 . 2011-10-15 08:53 919872 ----a-w- c:\windows\system32\nvdispco32.dll
2011-12-31 17:28 . 2011-10-15 08:53 877376 ----a-w- c:\windows\system32\nvgenco32.dll
2011-12-31 17:28 . 2011-10-15 08:53 61248 ----a-w- c:\windows\system32\OpenCL.dll
2011-12-31 17:28 . 2011-10-15 08:53 5578560 ----a-w- c:\windows\system32\nvcuda.dll
2011-12-31 17:28 . 2011-10-15 08:53 2401088 ----a-w- c:\windows\system32\nvcuvid.dll
2011-12-31 17:28 . 2011-10-15 08:53 2099520 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-12-31 17:28 . 2011-10-15 08:53 18871616 ----a-w- c:\windows\system32\nvoglv32.dll
2011-12-31 17:28 . 2011-10-15 08:53 17248576 ----a-w- c:\windows\system32\nvcompiler.dll
2011-12-31 17:28 . 2011-10-15 08:53 10327360 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2011-12-31 17:26 . 2011-12-31 17:26 -------- d-----w- C:\NVIDIA
2011-12-31 17:26 . 2011-12-31 17:26 53248 ----a-r- c:\users\Nibbio\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2011-12-31 17:25 . 2012-01-02 18:16 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2011-12-31 17:21 . 2011-12-31 17:26 -------- d-----w- c:\users\Nibbio\AppData\Roaming\Logitech
2011-12-31 17:21 . 2011-12-31 17:21 -------- d-----w- c:\users\Nibbio\AppData\Roaming\Logishrd
2011-12-31 17:19 . 2011-12-31 17:19 -------- d-----w- c:\windows\system32\RTCOM
2011-12-31 17:16 . 2011-05-31 08:42 631400 ----a-w- c:\windows\system32\DTSSymmetryDLL.dll
2011-12-31 17:02 . 2011-12-31 17:02 -------- d-----w- c:\program files\Driver-Soft
2011-12-31 16:55 . 2011-12-31 17:21 -------- d-----w- c:\programdata\DriverGenius
2011-12-31 15:11 . 2011-12-31 17:31 -------- d-----w- c:\programdata\NVIDIA
2011-12-31 15:03 . 2011-12-31 15:03 -------- d-----w- c:\programdata\NVIDIA Corporation
2011-12-31 15:03 . 2011-12-31 17:31 -------- d-----w- c:\program files\NVIDIA Corporation
2011-12-25 16:21 . 2011-12-25 16:21 -------- d-----w- c:\users\Ingresso ospiti\AppData\Local\SanctionedMedia
2011-12-18 23:15 . 2009-06-09 00:43 316928 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpfpp092.dll
2011-12-18 23:13 . 2011-12-18 23:13 -------- d-----w- c:\program files\Common Files\HP
2011-12-18 23:13 . 2011-12-18 23:13 -------- d-----w- c:\windows\hpoj4500g510n-z
2011-12-18 23:12 . 2009-06-09 00:43 122880 ----a-w- c:\windows\system32\hpf3l092.dll
2011-12-18 23:11 . 2009-08-17 18:26 452408 ----a-w- c:\windows\system32\hpzids01.dll
2011-12-18 23:11 . 2009-08-17 18:26 716288 ----a-w- c:\windows\system32\hpwwiax9.dll
2011-12-18 23:11 . 2009-08-17 18:26 593920 ----a-w- c:\windows\system32\hpwtscl5.dll
2011-12-18 23:11 . 2009-08-17 18:26 315392 ----a-w- c:\windows\system32\hpwvst01.dll
2011-12-17 19:07 . 2011-12-17 19:07 -------- d-----w- c:\program files\Application Updater
2011-12-17 19:07 . 2011-12-17 19:07 -------- d-----w- c:\program files\pdfforge Toolbar
2011-12-17 19:07 . 2011-12-17 19:07 -------- d-----w- c:\program files\Common Files\Spigot
2011-12-17 19:06 . 1998-06-24 00:00 137000 ----a-w- c:\windows\system32\MSMAPI32.OCX
2011-12-17 19:06 . 2001-10-28 16:42 116224 ----a-w- c:\windows\system32\pdfcmnnt.dll
2011-12-17 19:06 . 1998-08-05 07:45 122128 ----a-w- c:\windows\system32\VB6IT.DLL
2011-12-17 19:06 . 1998-08-05 07:45 150528 ----a-w- c:\windows\system32\MSCMCIT.DLL
2011-12-17 19:06 . 1998-08-05 07:45 63488 ----a-w- c:\windows\system32\MSCC2IT.DLL
2011-12-17 19:06 . 1998-07-06 00:00 23552 ----a-w- c:\windows\system32\MSMPIDE.DLL
2011-12-17 19:06 . 2011-12-17 19:08 -------- d-----w- c:\program files\PDFCreator
2011-12-17 18:45 . 2011-12-17 18:45 -------- d-----w- c:\users\Nibbio\AppData\Roaming\com.1minus1.socialsafe.D675411CF670AA3EFAC13BDD847989BEDE2115E2.1
2011-12-15 00:30 . 2011-11-03 22:31 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-12-14 17:52 . 2011-11-24 04:25 2342912 ----a-w- c:\windows\system32\win32k.sys
2011-12-14 17:52 . 2011-11-05 04:26 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-14 17:52 . 2011-10-15 05:38 534528 ----a-w- c:\windows\system32\EncDec.dll
2011-12-14 17:52 . 2011-10-26 04:28 38912 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-14 17:52 . 2011-10-26 04:47 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-14 17:52 . 2011-10-26 04:47 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-26 22:40 . 2011-05-16 05:10 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-10 14:24 . 2011-01-29 16:01 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-24 16:45 . 2011-11-24 16:39 5632 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2011-11-21 10:47 . 2011-08-11 13:50 6823496 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-10-24 13:29 . 2011-10-24 13:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 13:29 . 2011-10-24 13:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-18 16:24 . 2011-10-18 16:24 1382304 ----a-w- c:\users\Nibbio\AppData\Local\setup.exe
2011-10-15 08:53 . 2010-07-10 04:37 2458432 ----a-w- c:\windows\system32\nvapi.dll
2011-10-15 08:53 . 2010-07-09 15:37 6350144 ----a-w- c:\windows\system32\nvcpl.dll
2011-10-15 08:53 . 2010-07-09 15:37 3840320 ----a-w- c:\windows\system32\nvsvc.dll
2011-10-15 08:53 . 2010-07-09 15:37 203072 ----a-w- c:\windows\system32\nvmctray.dll
2011-10-15 08:53 . 2010-07-09 15:37 123712 ----a-w- c:\windows\system32\nvshext.dll
2011-10-15 08:53 . 2010-07-09 15:37 1136448 ----a-w- c:\windows\system32\nvvsvc.exe
2011-10-15 08:53 . 2009-06-10 21:19 13205312 ----a-w- c:\windows\system32\nvd3dum.dll
2011-11-05 07:25 . 2011-11-17 18:25 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{4ae0c3d6-f713-4eed-bc65-25dc3ffdaac1}"= "c:\program files\uTorrentBar_IT\tbuTor.dll" [2010-12-09 3911776]
"{872b5b88-9db5-4310-bdd0-ac189557e5f5}"= "c:\program files\DVDVideoSoftTB\prxtbDVDV.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{4ae0c3d6-f713-4eed-bc65-25dc3ffdaac1}]
.
[HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4ae0c3d6-f713-4eed-bc65-25dc3ffdaac1}]
2010-12-09 11:51 3911776 ----a-w- c:\program files\uTorrentBar_IT\tbuTor.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]
2011-01-17 14:54 175912 ----a-w- c:\program files\DVDVideoSoftTB\prxtbDVDV.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4ae0c3d6-f713-4eed-bc65-25dc3ffdaac1}"= "c:\program files\uTorrentBar_IT\tbuTor.dll" [2010-12-09 3911776]
"{872b5b88-9db5-4310-bdd0-ac189557e5f5}"= "c:\program files\DVDVideoSoftTB\prxtbDVDV.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{4ae0c3d6-f713-4eed-bc65-25dc3ffdaac1}]
.
[HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{4AE0C3D6-F713-4EED-BC65-25DC3FFDAAC1}"= "c:\program files\uTorrentBar_IT\tbuTor.dll" [2010-12-09 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{4ae0c3d6-f713-4eed-bc65-25dc3ffdaac1}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeSyncProcess"="c:\program files\Microsoft Office\Office14\MSOSYNC.EXE" [2011-07-21 718720]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2011-03-26 399736]
"Facebook Update"="c:\users\Nibbio\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2011-10-01 137536]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-01-29 39408]
"NokiaSuite.exe"="c:\program files\Nokia\Nokia Suite\NokiaSuite.exe" [2011-11-01 1053056]
"Lingoes"="c:\program files\Lingoes\Translator2\Lingoes.exe" [2011-10-31 2375680]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PosService"="c:\users\Public\Documents\AppData\PoApp\PLauncher.exe" [2011-12-15 218624]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2011-09-27 19:03 66328 ----a-w- c:\program files\Common Files\logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=sxgb.dll
"wave1"=sxgb.dll
"mixer1"=sxgb.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Nibbio^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Logitech . Registrazione prodotti.lnk]
path=c:\users\Nibbio\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Logitech . Registrazione prodotti.lnk
backup=c:\windows\pss\Logitech . Registrazione prodotti.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 10:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-05 17:04 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-09-01 06:15 136176 ----a-w- c:\users\Nibbio\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
2011-01-13 02:01 6129496 ----a-w- c:\program files\Logitech\Vid HD\Vid.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWS]
2011-08-12 10:18 205336 ----a-w- c:\program files\Logitech\LWS\Webcam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBAgent]
2010-09-28 15:17 1406248 ----a-w- c:\program files\Nero\Nero 10\Nero BackItUp\NBAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 13:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2011-01-26 16:05 15026056 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-10-29 13:49 249064 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2011-01-29 22:28 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2011-03-26 18:38 399736 ----a-w- c:\program files\uTorrent\uTorrent.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Servizio di Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-01-29 136176]
R2 PowerOffer Service;Pos Service;c:\users\Nibbio\AppData\Local\PosService\Pos.exe [2011-12-15 164352]
R2 ServUpdater;Serv Updater;c:\users\Nibbio\AppData\Local\ServUpdater\ServiceUpd.exe [2011-12-15 156160]
R3 BthAvrcp;Profilo Bluetooth AVRCP;c:\windows\system32\DRIVERS\BthAvrcp.sys [2009-08-13 22528]
R3 btmhsf;btmhsf;c:\windows\system32\DRIVERS\btmhsf.sys [2011-07-19 225280]
R3 gupdatem;Servizio Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-01-29 136176]
R3 iBtFltCoex;iBtFltCoex;c:\windows\system32\DRIVERS\iBtFltCoex.sys [2011-07-20 47104]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
R3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2011-08-17 137472]
R3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2011-08-17 8576]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Servizio Windows Activation Technologies;c:\windows\system32\Wat\WatAdminSvc.exe [2011-01-30 1343400]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S1 MpKsl94b91bc1;MpKsl94b91bc1;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DD033BE2-CA68-4AD9-BB14-986F38FEC513}\MpKsl94b91bc1.sys [2012-01-11 29904]
S1 MpKsl9853584a;MpKsl9853584a;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DD033BE2-CA68-4AD9-BB14-986F38FEC513}\MpKsl9853584a.sys [2012-01-11 29904]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [2011-12-14 748440]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-24 652872]
S2 NAUpdate;Nero Update;c:\program files\Nero\Update\NASvc.exe [2010-05-04 503080]
S2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-11-16 50704]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-10-15 2253120]
S2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2011-08-19 450848]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
.
.
--- Altri Servizi/Drivers In Memoria ---
.
*NewlyCreated* - MPKSL94B91BC1
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
Contenuto della cartella 'Scheduled Tasks'
.
2012-01-08 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2424577311-3649120688-578307007-1000Core.job
- c:\users\Nibbio\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-01 12:27]
.
2012-01-11 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2424577311-3649120688-578307007-1000UA.job
- c:\users\Nibbio\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-01 12:27]
.
2012-01-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-29 22:28]
.
2012-01-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-29 22:28]
.
2012-01-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2424577311-3649120688-578307007-1000Core.job
- c:\users\Nibbio\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-03 06:15]
.
2012-01-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2424577311-3649120688-578307007-1000UA.job
- c:\users\Nibbio\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-03 06:15]
.
2012-01-11 c:\windows\Tasks\RegistryBooster.job
- c:\program files\Uniblue\RegistryBooster\rbmonitor.exe [2012-01-03 08:26]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.mystart.com?pr=photopos2_0
mStart Page = hxxp://search.findeer.com
uInternet Settings,ProxyOverride = local;*.local
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: I&nvia a OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{08A026E4-D5FC-41C0-9012-F9397A1AF9C4}: NameServer = 176.31.229.24,176.31.229.25
TCP: Interfaces\{1554CC5A-5D85-4086-BB2C-0147D95FF14D}: NameServer = 176.31.229.24,176.31.229.25
TCP: Interfaces\{27C472AF-10BA-48B9-B1BF-2376649681D0}: NameServer = 176.31.229.24,176.31.229.25
TCP: Interfaces\{28DBB6BB-DC31-471F-BF9B-BFA84D3D7F9E}: NameServer = 176.31.229.24,176.31.229.25
TCP: Interfaces\{3DDD9FDC-51CA-45D7-8A39-2BB3D9B45185}: NameServer = 176.31.229.24,176.31.229.25
TCP: Interfaces\{4CFF04F8-2268-4241-9DBA-AABBDE9D23DD}: NameServer = 176.31.229.24,176.31.229.25
TCP: Interfaces\{79759D91-8067-442F-9D30-08CD0CD7F49C}: NameServer = 176.31.229.24,176.31.229.25
TCP: Interfaces\{e29ac6c2-7037-11de-816d-806e6f6e6963}: NameServer = 176.31.229.24,176.31.229.25
FF - ProfilePath - c:\users\Nibbio\AppData\Roaming\Mozilla\Firefox\Profiles\34yzb74d.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2582604&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Cerca...
FF - prefs.js: browser.startup.homepage - hxxp://www.google.it/ig
FF - prefs.js: keyword.URL - hxxp://it.search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=971163&p=
FF - prefs.js: network.proxy.type - 0
.
- - - - CHIAVI ORFANE RIMOSSE - - - -
.
URLSearchHooks-{fde1c224-0b9c-46b2-8fca-8945bcf8d4cb} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-HW_OPENEYE_OUC_Hi Suite - c:\program files\Hi Suite\UpdateDog\ouc.exe
HKLM-Run-facemoods - c:\program files\facemoods.com\facemoods\1.4.17.11\facemoodssrv.exe
MSConfigStartUp-ComponentAnalyzer - c:\users\Nibbio\Documents\Keylogger\Steel Keylogger\Steel.exe
MSConfigStartUp-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd2.exe
MSConfigStartUp-hpqSRMon - c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe
MSConfigStartUp-SxgTkBar - SxgTkBar.exe
AddRemove-facemoods - c:\program files\facemoods.com\facemoods\1.4.17.11\uninstall.exe
AddRemove-PKR - c:\users\Nibbio\Desktop\Nuova cartella (2)\PKR\uninstall-pkr.exe
.
.
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------
.
[HKEY_USERS\S-1-5-21-2424577311-3649120688-578307007-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C1B0578F-73BF-F7F9-131B-9F4B0ADF32D3}*]
"haakgjfffnogoofg"=hex:6b,61,63,65,66,67,6f,6d,6d,66,6a,6c,63,6a,61,68,64,6a,
6a,69,6b,6d,00,00
"iagdamfencnfmpifgi"=hex:6a,61,63,65,6b,66,68,6f,70,63,6d,61,6e,61,62,62,62,6a,
66,6e,00,00
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Ora fine scansione: 2012-01-12 00:44:15
ComboFix-quarantined-files.txt 2012-01-11 23:44
.
Pre-Run: 367.151.316.992 byte disponibili
Post-Run: 367.198.793.728 byte disponibili
.
- - End Of File - - 1828A2CFDE6E074A8586772464F74D4D

#4 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,549
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 16 January 2012 - 12:52 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • Please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.


We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK

    Do not re-enable these drivers until otherwise instructed.


Download DDS:

    Please download DDS by sUBs from one of the links below and save it to your desktop:

    Posted Image
    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
      • DDS.txt
      • Attach.txt

    • A window will open instructing you save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply


information and logs:

    In your next post I need the following

    • .logs from DDS
    • let me know of any problems you may have had


Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#5 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,549
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 19 January 2012 - 01:26 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!


Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#6 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,549
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 22 January 2012 - 01:44 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users