Possible infection with Virut (newdev.exe)


  • This topic is locked
15 replies to this topic

#1 Skitz69

Posted 13 January 2011 - 01:44 AM

Hey

When I log in to Windows after a restart I get User Account Control popping up saying an unknown publisher wants to make changes to the computer. The program name is newdev.exe.
The program location is C:\Windows\System32\newdev.exe followed by different letters and PNP_device_install_pipe.
I click No to make changes, but it still comes up every time I restart the computer.

I've talked to etavares about it and it could be a sign of Virut.

I can't use GMER as I am running 64 bit windows.

Here is my dds log:


DDS (Ver_10-12-12.02) - NTFS_AMD64
Run by User at 14:23:13.00 on Thu 13/01/2011
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_23
Microsoft Windows 7 Professional 6.1.7600.0.1252.61.1033.18.4087.2474 [GMT 8:00]

AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
c:\PROGRA~2\mcafee\SITEAD~1\mcsacore.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Sony Ericsson\Sony Ericsson PC Companion\TMonitor.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\DllHost.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Sandboxie\SandboxieRpcSs.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe
C:\Program Files (x86)\McAfee\SiteAdvisor\mcsacore.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\System32\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files\Sandboxie\SandboxieCrypto.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\User\Desktop\dds (1).scr
C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

uStart Page = www.google.com
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [Sony Ericsson PC Companion] "C:\Program Files (x86)\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe" /Background
mRun: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\Users\User\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\LIMEWI~1.LNK - C:\Program Files (x86)\LimeWire\LimeWire.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~2\mcafee\SITEAD~1\x64\mcieplg.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
TB-X64: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\x64\mcieplg.dll

================= FIREFOX ===================

FF - ProfilePath - C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\svsks20h.default\
FF - prefs.js: network.proxy.ftp - 189.1.7.136
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.gopher - 189.1.7.136
FF - prefs.js: network.proxy.gopher_port - 3128
FF - prefs.js: network.proxy.http - 189.1.7.136
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - 189.1.7.136
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - 189.1.7.136
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 1
FF - component: C:\Program Files (x86)\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Sony\Media Go\npmediago.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - C:\Program Files (x86)\McAfee\SiteAdvisor

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;C:\Windows\System32\drivers\pavboot64.sys [2010-12-6 33800]
R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2010-9-29 121936]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2010-2-18 14920]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2010-2-18 12360]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2010-10-23 203776]
R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2010-9-29 20048]
R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2010-9-29 61008]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-9-29 40384]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\PROGRA~2\mcafee\SITEAD~1\mcsacore.exe [2010-12-16 101048]
R3 amdkmdag;amdkmdag;C:\Windows\System32\drivers\atikmdag.sys [2010-10-27 8012288]
R3 amdkmdap;amdkmdap;C:\Windows\System32\drivers\atikmpag.sys [2010-10-27 287232]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2010-10-23 116240]
R3 avast! Mail Scanner;avast! Mail Scanner;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-9-29 40384]
R3 avast! Web Scanner;avast! Web Scanner;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-9-29 40384]
R3 Lycosa;Lycosa Keyboard;C:\Windows\System32\drivers\Lycosa.sys [2008-1-17 18816]
R3 Razerlow;Razer Pro|Solutions;C:\Windows\System32\drivers\DB3G.sys [2005-11-7 21120]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-3-1 187392]
R3 SbieDrv;SbieDrv;C:\Program Files\Sandboxie\SbieDrv.sys [2010-8-9 143464]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-9-29 136176]
S3 ggflt;SEMC USB Flash Driver Filter;C:\Windows\System32\drivers\ggflt.sys [2010-12-7 13352]
S3 Sony Ericsson PCCompanion;Sony Ericsson PCCompanion;C:\Program Files (x86)\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exe [2010-12-6 155344]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 27136]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-10-1 1255736]
S4 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2010-6-30 128752]

=============== Created Last 30 ================

2011-01-12 10:20:58 987136 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msado15.dll
2011-01-12 10:20:58 720896 ----a-w- C:\Windows\System32\odbc32.dll
2011-01-12 10:20:58 573440 ----a-w- C:\Windows\SysWow64\odbc32.dll
2011-01-12 10:20:58 495616 ----a-w- C:\Program Files\Common Files\System\ado\msadox.dll
2011-01-12 10:20:58 466944 ----a-w- C:\Program Files\Common Files\System\ado\msadomd.dll
2011-01-12 10:20:58 372736 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msadox.dll
2011-01-12 10:20:58 352256 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msadomd.dll
2011-01-12 10:20:58 258048 ----a-w- C:\Program Files\Common Files\System\msadc\msadco.dll
2011-01-12 10:20:58 208896 ----a-w- C:\Program Files (x86)\Common Files\System\msadc\msadco.dll
2011-01-12 10:20:58 1425408 ----a-w- C:\Program Files\Common Files\System\ado\msado15.dll
2011-01-11 08:20:28 8199504 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{65B38428-EB9F-45F9-8699-83814C57339E}\mpengine.dll
2011-01-11 03:52:22 521448 ----a-w- C:\Windows\System32\deployJava1.dll
2011-01-10 15:13:01 -------- d-----w- C:\Users\user\.file_store_32
2011-01-10 15:13:00 -------- d-----w- C:\.file_store_32
2011-01-08 13:36:17 -------- d-----w- C:\Users\user\.jagex_cache_32
2011-01-08 12:21:28 -------- d-----w- C:\PROGRA~3\SwiftKit
2011-01-08 12:21:27 -------- d-----w- C:\Program Files (x86)\SwiftKit
2010-12-26 19:15:36 -------- d-----w- C:\Ante
2010-12-24 11:53:51 -------- d-----w- C:\.jagex_cache_32
2010-12-19 12:31:58 -------- d-----w- C:\Program Files\iTunes
2010-12-19 12:31:58 -------- d-----w- C:\Program Files\iPod
2010-12-19 12:31:58 -------- d-----w- C:\Program Files (x86)\iTunes
2010-12-18 03:10:21 -------- d-----w- C:\Program Files (x86)\VideoLAN

==================== Find3M ====================

2010-12-06 16:02:55 27176 ----a-w- C:\Windows\System32\drivers\ggsemc.sys
2010-12-06 16:02:55 1490656 ----a-w- C:\Windows\System32\WdfCoInstaller01007.dll
2010-12-06 16:02:55 13352 ----a-w- C:\Windows\System32\drivers\ggflt.sys
2010-11-29 09:42:06 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2010-11-29 09:38:30 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx
2010-11-29 09:38:30 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts
2010-11-12 10:53:06 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2010-11-04 06:35:53 1194496 ----a-w- C:\Windows\System32\wininet.dll
2010-11-04 06:31:34 57856 ----a-w- C:\Windows\System32\licmgr10.dll
2010-11-04 05:52:17 978944 ----a-w- C:\Windows\SysWow64\wininet.dll
2010-11-04 05:48:36 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2010-11-04 05:16:14 482816 ----a-w- C:\Windows\System32\html.iec
2010-11-04 04:41:26 386048 ----a-w- C:\Windows\SysWow64\html.iec
2010-11-04 04:35:37 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2010-11-04 04:08:54 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2010-11-02 05:21:51 982912 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys
2010-11-02 05:18:59 662528 ----a-w- C:\Windows\System32\XpsPrint.dll
2010-11-02 05:18:59 229888 ----a-w- C:\Windows\System32\XpsRasterService.dll
2010-11-02 05:18:58 470016 ----a-w- C:\Windows\System32\XpsGdiConverter.dll
2010-11-02 05:18:17 524288 ----a-w- C:\Windows\System32\wmicmiplugin.dll
2010-11-02 05:17:38 473600 ----a-w- C:\Windows\System32\taskcomp.dll
2010-11-02 05:17:38 1169408 ----a-w- C:\Windows\System32\taskschd.dll
2010-11-02 05:16:53 1114624 ----a-w- C:\Windows\System32\schedsvc.dll
2010-11-02 05:12:53 1133568 ----a-w- C:\Windows\System32\FntCache.dll
2010-11-02 05:12:25 1540608 ----a-w- C:\Windows\System32\DWrite.dll
2010-11-02 05:12:08 1837568 ----a-w- C:\Windows\System32\d3d10warp.dll
2010-11-02 05:12:07 320512 ----a-w- C:\Windows\System32\d3d10_1core.dll
2010-11-02 05:12:06 902656 ----a-w- C:\Windows\System32\d2d1.dll
2010-11-02 05:12:06 197120 ----a-w- C:\Windows\System32\d3d10_1.dll
2010-11-02 05:10:47 464384 ----a-w- C:\Windows\System32\taskeng.exe
2010-11-02 05:10:32 285696 ----a-w- C:\Windows\System32\schtasks.exe
2010-11-02 04:59:08 144384 ----a-w- C:\Windows\System32\cdd.dll
2010-11-02 04:41:36 442880 ----a-w- C:\Windows\SysWow64\XpsPrint.dll
2010-11-02 04:41:36 283648 ----a-w- C:\Windows\SysWow64\XpsGdiConverter.dll
2010-11-02 04:41:36 135168 ----a-w- C:\Windows\SysWow64\XpsRasterService.dll
2010-11-02 04:40:36 496128 ----a-w- C:\Windows\SysWow64\taskschd.dll
2010-11-02 04:40:36 305152 ----a-w- C:\Windows\SysWow64\taskcomp.dll
2010-11-02 04:35:51 1074176 ----a-w- C:\Windows\SysWow64\DWrite.dll
2010-11-02 04:35:35 1170944 ----a-w- C:\Windows\SysWow64\d3d10warp.dll
2010-11-02 04:35:34 739840 ----a-w- C:\Windows\SysWow64\d2d1.dll
2010-11-02 04:35:34 218624 ----a-w- C:\Windows\SysWow64\d3d10_1core.dll
2010-11-02 04:35:34 161792 ----a-w- C:\Windows\SysWow64\d3d10_1.dll
2010-11-02 04:34:44 192000 ----a-w- C:\Windows\SysWow64\taskeng.exe
2010-11-02 04:34:33 179712 ----a-w- C:\Windows\SysWow64\schtasks.exe
2010-11-02 02:50:58 258048 ----a-w- C:\Windows\System32\drivers\dxgmms1.sys
2010-10-27 05:06:22 2048 ----a-w- C:\Windows\System32\tzres.dll
2010-10-27 04:32:36 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2010-10-26 20:00:16 8012288 ----a-w- C:\Windows\System32\drivers\atikmdag.sys
2010-10-26 19:25:38 21422592 ----a-w- C:\Windows\System32\atio6axx.dll
2010-10-26 19:08:18 16281600 ----a-w- C:\Windows\SysWow64\atioglxx.dll
2010-10-26 18:55:32 143360 ----a-w- C:\Windows\System32\atiapfxx.exe
2010-10-26 18:55:24 547328 ----a-w- C:\Windows\SysWow64\aticfx32.dll
2010-10-26 18:54:24 645120 ----a-w- C:\Windows\System32\aticfx64.dll
2010-10-26 18:52:18 450560 ----a-w- C:\Windows\System32\ATIDEMGX.dll
2010-10-26 18:52:14 478208 ----a-w- C:\Windows\System32\atieclxx.exe
2010-10-26 18:51:38 203776 ----a-w- C:\Windows\System32\atiesrxx.exe
2010-10-26 18:50:30 120320 ----a-w- C:\Windows\System32\atitmm64.dll
2010-10-26 18:50:16 423424 ----a-w- C:\Windows\System32\atipdl64.dll
2010-10-26 18:50:10 356352 ----a-w- C:\Windows\SysWow64\atipdlxx.dll
2010-10-26 18:49:58 278528 ----a-w- C:\Windows\SysWow64\Oemdspif.dll
2010-10-26 18:49:54 16384 ----a-w- C:\Windows\System32\atimuixx.dll
2010-10-26 18:49:50 59392 ----a-w- C:\Windows\System32\atiedu64.dll
2010-10-26 18:49:46 43520 ----a-w- C:\Windows\SysWow64\ati2edxx.dll
2010-10-26 18:46:58 4020736 ----a-w- C:\Windows\SysWow64\atidxx32.dll
2010-10-26 18:38:04 4744704 ----a-w- C:\Windows\System32\atidxx64.dll
2010-10-26 18:35:30 51200 ----a-w- C:\Windows\System32\aticalrt64.dll
2010-10-26 18:35:28 46080 ----a-w- C:\Windows\SysWow64\aticalrt.dll
2010-10-26 18:35:20 44544 ----a-w- C:\Windows\System32\aticalcl64.dll
2010-10-26 18:35:18 44032 ----a-w- C:\Windows\SysWow64\aticalcl.dll
2010-10-26 18:35:08 6815744 ----a-w- C:\Windows\System32\aticaldd64.dll
2010-10-26 18:33:52 5441536 ----a-w- C:\Windows\SysWow64\aticaldd.dll
2010-10-26 18:28:22 4094464 ----a-w- C:\Windows\SysWow64\atiumdag.dll
2010-10-26 18:22:04 5218304 ----a-w- C:\Windows\System32\atiumd64.dll
2010-10-26 18:15:00 58880 ----a-w- C:\Windows\System32\coinst.dll
2010-10-26 18:14:58 349184 ----a-w- C:\Windows\System32\atiadlxx.dll
2010-10-26 18:14:52 249856 ----a-w- C:\Windows\SysWow64\atiadlxy.dll
2010-10-26 18:14:44 14848 ----a-w- C:\Windows\System32\atig6pxx.dll
2010-10-26 18:14:42 12800 ----a-w- C:\Windows\SysWow64\atiglpxx.dll
2010-10-26 18:14:42 12800 ----a-w- C:\Windows\System32\atiglpxx.dll
2010-10-26 18:14:38 31744 ----a-w- C:\Windows\System32\atig6txx.dll
2010-10-26 18:14:32 27136 ----a-w- C:\Windows\SysWow64\atigktxx.dll
2010-10-26 18:14:24 287232 ----a-w- C:\Windows\System32\drivers\atikmpag.sys
2010-10-26 18:13:44 39936 ----a-w- C:\Windows\System32\atiuxp64.dll
2010-10-26 18:13:36 30720 ----a-w- C:\Windows\SysWow64\atiuxpag.dll
2010-10-26 18:13:30 37888 ----a-w- C:\Windows\System32\atiu9p64.dll
2010-10-26 18:13:24 28672 ----a-w- C:\Windows\SysWow64\atiu9pag.dll
2010-10-26 18:12:56 53248 ----a-w- C:\Windows\System32\drivers\ati2erec.dll
2010-10-26 17:57:04 3221504 ----a-w- C:\Windows\System32\atiumd6a.dll
2010-10-26 17:50:10 3460096 ----a-w- C:\Windows\SysWow64\atiumdva.dll
2010-10-26 17:37:18 53760 ----a-w- C:\Windows\System32\atimpc64.dll
2010-10-26 17:37:18 53760 ----a-w- C:\Windows\System32\amdpcom64.dll
2010-10-26 17:37:14 52736 ----a-w- C:\Windows\SysWow64\atimpc32.dll
2010-10-26 17:37:14 52736 ----a-w- C:\Windows\SysWow64\amdpcom32.dll
2010-10-23 02:15:38 51200 ----a-w- C:\Windows\System32\ATIODCLI.exe
2010-10-23 02:12:58 332800 ----a-w- C:\Windows\System32\ATIODE.exe
2010-10-23 01:42:12 116240 ----a-w- C:\Windows\System32\drivers\AtihdW76.sys
2010-10-20 05:20:01 46080 ----a-w- C:\Windows\System32\atmlib.dll
2010-10-20 04:54:18 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2010-10-20 03:09:15 3124224 ----a-w- C:\Windows\System32\win32k.sys
2010-10-20 03:05:46 367104 ----a-w- C:\Windows\System32\atmfd.dll

============= FINISH: 14:23:34.64 ===============
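One entry in the DDS log above that a practitioner would want to follow up: the FIREFOX section shows every Firefox proxy preference (ftp, gopher, http, socks, ssl) pointing at 189.1.7.136 on port 3128, with network.proxy.type set to 1, which is Firefox's manual proxy configuration. Whether that proxy is legitimate is not something the thread settles; it may be one the user or their network set up, but if it is unexpected, all Firefox traffic is being routed through a third party that can read or alter it. The PowerShell below is an added example, not part of the original thread or of DDS: it reads prefs.js from the profile path the log names (an assumption for any other machine; pass -PrefsPath), lists the proxy overrides, and with -Clear backs up prefs.js and removes them so Firefox falls back to its default of using the system proxy settings.

```powershell
# Report (and optionally clear) manual proxy overrides in a Firefox profile's prefs.js.
# Added example for triaging the "FF - prefs.js: network.proxy.*" lines in a DDS log.
# The default profile path is the one the log above names and is an assumption elsewhere.
param(
    [string]$PrefsPath = "$env:APPDATA\Mozilla\Firefox\Profiles\svsks20h.default\prefs.js",
    [switch]$Clear
)

if (-not (Test-Path -LiteralPath $PrefsPath)) {
    Write-Error "prefs.js not found at $PrefsPath"
    exit 1
}

# prefs.js lines look like:  user_pref("network.proxy.http", "189.1.7.136");
#                            user_pref("network.proxy.http_port", 3128);
$pattern = '^\s*user_pref\("(network\.proxy\.[^"]+)",\s*(.+)\);\s*$'
$lines = Get-Content -LiteralPath $PrefsPath
$proxyPrefs = @{}
foreach ($line in $lines) {
    if ($line -match $pattern) {
        $proxyPrefs[$matches[1]] = $matches[2].Trim('"')
    }
}

if ($proxyPrefs.Count -eq 0) {
    Write-Host 'No network.proxy.* overrides in prefs.js (Firefox default: type 5, use system proxy settings).'
    exit 0
}

# network.proxy.type: 0 = no proxy, 1 = manual configuration, 2 = PAC URL,
# 4 = auto-detect, 5 = use system proxy settings (the shipped default).
$type = $proxyPrefs['network.proxy.type']
Write-Host ("network.proxy.type = {0}" -f $(if ($type) { $type } else { '<default 5>' }))
$proxyPrefs.GetEnumerator() | Where-Object { $_.Key -ne 'network.proxy.type' } |
    Sort-Object Key | ForEach-Object { Write-Host ("  {0} = {1}" -f $_.Key, $_.Value) }

# The pattern in the log: manual type with every protocol pointed at one host.
$hosts = $proxyPrefs.GetEnumerator() |
    Where-Object { $_.Key -match '^network\.proxy\.(http|ssl|ftp|socks|gopher)$' } |
    ForEach-Object { $_.Value } | Sort-Object -Unique
if ($type -eq '1' -and @($hosts).Count -ge 1) {
    Write-Warning ("Manual proxy in effect; traffic for the listed protocols goes via: {0}" -f (@($hosts) -join ', '))
}

if ($Clear) {
    # Firefox rewrites prefs.js on exit and would restore the values, so it must be closed.
    if (Get-Process firefox -ErrorAction SilentlyContinue) {
        Write-Error 'Close Firefox before clearing proxy prefs.'
        exit 1
    }
    Copy-Item -LiteralPath $PrefsPath -Destination "$PrefsPath.bak" -Force
    $lines | Where-Object { $_ -notmatch $pattern } | Set-Content -LiteralPath $PrefsPath
    Write-Host "Removed network.proxy.* overrides; backup saved as $PrefsPath.bak"
}
```

Run it once without -Clear and compare the output with what the user expects of their network; clearing the prefs only reverts Firefox to the system proxy, so if the same proxy is set in Internet Options (the DDS report shows only a ProxyOverride there) it would have to be checked separately.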

Attached Files




#2 etavares

  • Malware Response Team

Posted 13 January 2011 - 09:40 PM

Hello, Skitz69.

I will be helping you with this log, as we discussed in the other log we are working on together.

Here are some guidelines to ensure we are able to get your machine back under your control.

  • Please do not run any unsupervised scans, fixes, etc. We can work against each other and end up in a worse place.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first. There's no harm in asking questions!



Step 1

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.



Step 2

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\Windows\System32\newdev.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

etavares

Edited by etavares, 13 January 2011 - 09:40 PM.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
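Step 2 sends newdev.exe to an online scanner. The local check a practitioner would run alongside it is to confirm that the file still validates as Microsoft's: UAC reports "Unknown publisher" when it cannot validate a signature for the executable, and Virut, the infector named in the first post, spreads by writing itself into existing executables, which breaks whatever signature the file carried. The PowerShell below is an added example, not part of the original thread or of any tool it uses; the path defaults to the file named in the first post and can be overridden with -Path. It hashes the file (so the hash can be searched at VirusTotal instead of uploading it), checks any embedded Authenticode signature, and then runs sfc /verifyfile, which compares the file against the signed catalogs in the component store and is the check that works for Windows binaries that carry no embedded signature.

```powershell
# Check whether a Windows system binary still validates as Microsoft's. Added example for the
# newdev.exe question in this thread; not part of DDS, Jotti, ComboFix or any tool named here.
# Run from an elevated 64-bit PowerShell on the affected machine.
param([string]$Path = "$env:SystemRoot\System32\newdev.exe")

# On 64-bit Windows a 32-bit PowerShell is silently redirected to SysWOW64, so make sure we
# are looking at the same System32\newdev.exe that UAC complained about.
if ([IntPtr]::Size -ne 8 -and $env:PROCESSOR_ARCHITEW6432) {
    Write-Warning 'Running in 32-bit PowerShell on 64-bit Windows; System32 is redirected. Use the 64-bit console.'
}
if (-not (Test-Path -LiteralPath $Path)) { Write-Error "File not found: $Path"; exit 1 }

$item = Get-Item -LiteralPath $Path
Write-Host ("File   : {0}  {1} bytes, modified {2}" -f $item.FullName, $item.Length, $item.LastWriteTime)

# 1. SHA-256 via .NET (Get-FileHash only exists from PowerShell 4.0). Searching this hash at
#    VirusTotal shows whether the exact file has already been analysed, without uploading it.
$sha = [System.Security.Cryptography.SHA256]::Create()
$stream = [System.IO.File]::OpenRead($item.FullName)
try { $hash = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
finally { $stream.Close() }
Write-Host ("SHA-256: {0}" -f $hash)

# 2. Embedded Authenticode signature. A file infector that appends to the PE leaves any
#    embedded signature in place but invalid (HashMismatch). Many Windows binaries have no
#    embedded signature and are signed through catalogs instead, which PowerShell 2.0 does not
#    consult, so NotSigned here is not on its own evidence of tampering.
$sig = Get-AuthenticodeSignature -FilePath $item.FullName
Write-Host ("Signer : {0}" -f $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<no embedded signature>' }))
Write-Host ("Status : {0}" -f $sig.Status)
if ($sig.Status -eq 'HashMismatch') {
    Write-Warning 'Embedded signature no longer matches the file contents: the file was modified after signing.'
}

# 3. Catalog check through the servicing stack. sfc /verifyfile compares the file against the
#    hash recorded in the signed component catalogs (also where UAC gets a publisher for
#    binaries without an embedded signature) and logs detail to %windir%\Logs\CBS\CBS.log.
#    It needs administrator rights.
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if ($isAdmin) {
    Write-Host "Running: sfc /verifyfile=$($item.FullName)"
    & "$env:SystemRoot\System32\sfc.exe" "/verifyfile=$($item.FullName)"
} else {
    Write-Warning "Not elevated; run 'sfc /verifyfile=$($item.FullName)' from an elevated prompt to finish the check."
}
```

The sfc result is the one to read: "Windows Resource Protection did not find any integrity violations" for this file means its catalog hash matches; an integrity violation means the file on disk is not the one Microsoft shipped, whatever the online scanners say about it, and the sfc output alone does not say who changed it.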
 


#3 Skitz69

Skitz69
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  •  
  • Local time:03:43 AM

Posted 14 January 2011 - 12:58 AM

Hey, I scanned with Malwarebytes and there was no infection.
Also, Jotti didn't pick up any infection.
I am also prepared to format this computer if need be, as I have the CD.

#4 etavares

  • Malware Response Team


Posted 14 January 2011 - 05:14 PM

Hello, Skitz69.

It's up to you on the reformat. If you want to continue, we can run Combofix. I don't have a positive ID of Virut yet from something that can look at the file itself, so it just may be a coincidental file name.



Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on etavaresCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.

etavares

Edited by etavares, 14 January 2011 - 05:14 PM.




#5 Skitz69


Posted 16 January 2011 - 07:08 AM

Hey

I didn't have any troubles after running ComboFix.
Here is my ComboFix log:

ComboFix 11-01-15.01 - User 16/01/2011 19:59:37.1.4 - x64
Microsoft Windows 7 Professional 6.1.7600.0.1252.61.1033.18.4087.2889 [GMT 8:00]
Running from: c:\users\User\Desktop\etavaresCF.exe
AV: avast! Antivirus *Disabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Disabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-12-16 to 2011-01-16 )))))))))))))))))))))))))))))))
.

2011-01-16 12:03 . 2011-01-16 12:03 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-01-14 05:49 . 2010-11-10 05:35 8199504 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{BE9D522E-A24D-4E3A-8D0F-A6FFB0BF083A}\mpengine.dll
2011-01-12 10:20 . 2010-10-16 05:17 720896 ----a-w- c:\windows\system32\odbc32.dll
2011-01-12 10:20 . 2010-10-16 05:16 495616 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
2011-01-12 10:20 . 2010-10-16 05:16 466944 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
2011-01-12 10:20 . 2010-10-16 05:16 1425408 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2011-01-12 10:20 . 2010-10-16 05:16 258048 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
2011-01-12 10:20 . 2010-10-16 04:34 573440 ----a-w- c:\windows\SysWow64\odbc32.dll
2011-01-12 10:20 . 2010-10-16 04:33 372736 ----a-w- c:\program files (x86)\Common Files\System\ado\msadox.dll
2011-01-12 10:20 . 2010-10-16 04:33 352256 ----a-w- c:\program files (x86)\Common Files\System\ado\msadomd.dll
2011-01-12 10:20 . 2010-10-16 04:33 987136 ----a-w- c:\program files (x86)\Common Files\System\ado\msado15.dll
2011-01-12 10:20 . 2010-10-16 04:33 208896 ----a-w- c:\program files (x86)\Common Files\System\msadc\msadco.dll
2011-01-11 03:52 . 2011-01-11 03:52 521448 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-11 03:50 . 2011-01-11 03:52 -------- d-----w- c:\program files\Java
2011-01-10 15:13 . 2011-01-10 15:13 -------- d-----w- c:\users\User\.file_store_32
2011-01-10 15:13 . 2011-01-10 15:13 -------- d-----w- C:\.file_store_32
2011-01-08 14:01 . 2011-01-08 14:01 -------- d-----w- c:\program files (x86)\Common Files\Java
2011-01-08 13:36 . 2011-01-08 13:36 -------- d-----w- c:\users\User\.jagex_cache_32
2011-01-08 13:25 . 2011-01-08 13:25 -------- d-----w- c:\windows\Sun
2011-01-08 12:21 . 2011-01-08 12:21 -------- d-----w- c:\programdata\SwiftKit
2011-01-08 12:21 . 2011-01-09 16:58 -------- d-----w- c:\program files (x86)\SwiftKit
2010-12-24 11:53 . 2010-12-24 11:53 -------- d-----w- C:\.jagex_cache_32
2010-12-19 12:31 . 2010-12-19 12:32 -------- d-----w- c:\program files\iTunes
2010-12-19 12:31 . 2010-12-19 12:32 -------- d-----w- c:\program files (x86)\iTunes
2010-12-19 12:31 . 2010-12-19 12:31 -------- d-----w- c:\program files\iPod
2010-12-18 03:11 . 2010-12-18 03:12 -------- d-----w- c:\users\User\AppData\Roaming\vlc
2010-12-18 03:10 . 2010-12-18 03:10 -------- d-----w- c:\program files (x86)\VideoLAN

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-20 10:09 . 2010-10-02 11:35 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2010-12-20 10:08 . 2010-10-02 11:35 24152 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-06 16:02 . 2010-12-06 16:02 27176 ----a-w- c:\windows\system32\drivers\ggsemc.sys
2010-12-06 16:02 . 2010-12-06 16:02 1490656 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2010-12-06 16:02 . 2010-12-06 16:02 13352 ----a-w- c:\windows\system32\drivers\ggflt.sys
2010-11-29 09:38 . 2010-11-29 09:38 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2010-11-29 09:38 . 2010-11-29 09:38 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
2010-11-12 10:53 . 2010-10-03 04:32 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2010-11-04 06:35 . 2010-12-15 09:21 1194496 ----a-w- c:\windows\system32\wininet.dll
2010-11-04 06:31 . 2010-12-15 09:21 57856 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-04 05:52 . 2010-12-15 09:21 978944 ----a-w- c:\windows\SysWow64\wininet.dll
2010-11-04 05:48 . 2010-12-15 09:21 44544 ----a-w- c:\windows\SysWow64\licmgr10.dll
2010-11-04 05:16 . 2010-12-15 09:21 482816 ----a-w- c:\windows\system32\html.iec
2010-11-04 04:41 . 2010-12-15 09:21 386048 ----a-w- c:\windows\SysWow64\html.iec
2010-11-04 04:35 . 2010-12-15 09:21 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-11-04 04:08 . 2010-12-15 09:21 1638912 ----a-w- c:\windows\SysWow64\mshtml.tlb
2010-11-02 05:18 . 2010-12-15 09:21 524288 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-11-02 05:17 . 2010-12-15 09:21 473600 ----a-w- c:\windows\system32\taskcomp.dll
2010-11-02 05:17 . 2010-12-15 09:21 1169408 ----a-w- c:\windows\system32\taskschd.dll
2010-11-02 05:16 . 2010-12-15 09:21 1114624 ----a-w- c:\windows\system32\schedsvc.dll
2010-11-02 05:10 . 2010-12-15 09:21 464384 ----a-w- c:\windows\system32\taskeng.exe
2010-11-02 05:10 . 2010-12-15 09:21 285696 ----a-w- c:\windows\system32\schtasks.exe
2010-11-02 04:40 . 2010-12-15 09:21 496128 ----a-w- c:\windows\SysWow64\taskschd.dll
2010-11-02 04:40 . 2010-12-15 09:21 305152 ----a-w- c:\windows\SysWow64\taskcomp.dll
2010-11-02 04:34 . 2010-12-15 09:21 192000 ----a-w- c:\windows\SysWow64\taskeng.exe
2010-11-02 04:34 . 2010-12-15 09:21 179712 ----a-w- c:\windows\SysWow64\schtasks.exe
2010-10-27 05:06 . 2010-12-15 09:21 2048 ----a-w- c:\windows\system32\tzres.dll
2010-10-27 04:32 . 2010-12-15 09:21 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2010-10-26 20:00 . 2010-10-26 20:00 8012288 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2010-10-26 19:25 . 2010-10-26 19:25 21422592 ----a-w- c:\windows\system32\atio6axx.dll
2010-10-26 19:08 . 2010-10-26 19:08 16281600 ----a-w- c:\windows\SysWow64\atioglxx.dll
2010-10-26 18:55 . 2010-10-26 18:55 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2010-10-26 18:55 . 2010-10-23 01:41 547328 ----a-w- c:\windows\SysWow64\aticfx32.dll
2010-10-26 18:54 . 2010-08-03 17:54 645120 ----a-w- c:\windows\system32\aticfx64.dll
2010-10-26 18:52 . 2010-10-26 18:52 450560 ----a-w- c:\windows\system32\ATIDEMGX.dll
2010-10-26 18:52 . 2010-10-23 01:41 478208 ----a-w- c:\windows\system32\atieclxx.exe
2010-10-26 18:51 . 2010-10-23 01:43 203776 ----a-w- c:\windows\system32\atiesrxx.exe
2010-10-26 18:50 . 2010-10-26 18:50 120320 ----a-w- c:\windows\system32\atitmm64.dll
2010-10-26 18:50 . 2010-10-23 02:12 423424 ----a-w- c:\windows\system32\atipdl64.dll
2010-10-26 18:50 . 2010-10-26 18:50 356352 ----a-w- c:\windows\SysWow64\atipdlxx.dll
2010-10-26 18:49 . 2010-10-26 18:49 278528 ----a-w- c:\windows\SysWow64\Oemdspif.dll
2010-10-26 18:49 . 2010-10-26 18:49 16384 ----a-w- c:\windows\system32\atimuixx.dll
2010-10-26 18:49 . 2010-10-26 18:49 59392 ----a-w- c:\windows\system32\atiedu64.dll
2010-10-26 18:49 . 2010-10-26 18:49 43520 ----a-w- c:\windows\SysWow64\ati2edxx.dll
2010-10-26 18:46 . 2010-10-23 01:41 4020736 ----a-w- c:\windows\SysWow64\atidxx32.dll
2010-10-26 18:38 . 2010-08-03 17:37 4744704 ----a-w- c:\windows\system32\atidxx64.dll
2010-10-26 18:35 . 2010-10-26 18:35 51200 ----a-w- c:\windows\system32\aticalrt64.dll
2010-10-26 18:35 . 2010-10-26 18:35 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll
2010-10-26 18:35 . 2010-10-26 18:35 44544 ----a-w- c:\windows\system32\aticalcl64.dll
2010-10-26 18:35 . 2010-10-26 18:35 44032 ----a-w- c:\windows\SysWow64\aticalcl.dll
2010-10-26 18:35 . 2010-10-26 18:35 6815744 ----a-w- c:\windows\system32\aticaldd64.dll
2010-10-26 18:33 . 2010-10-26 18:33 5441536 ----a-w- c:\windows\SysWow64\aticaldd.dll
2010-10-26 18:28 . 2010-10-23 02:12 4094464 ----a-w- c:\windows\SysWow64\atiumdag.dll
2010-10-26 18:22 . 2010-10-26 18:22 5218304 ----a-w- c:\windows\system32\atiumd64.dll
2010-10-26 18:15 . 2010-08-03 17:23 58880 ----a-w- c:\windows\system32\coinst.dll
2010-10-26 18:14 . 2010-10-23 01:41 349184 ----a-w- c:\windows\system32\atiadlxx.dll
2010-10-26 18:14 . 2010-10-26 18:14 249856 ----a-w- c:\windows\SysWow64\atiadlxy.dll
2010-10-26 18:14 . 2010-10-26 18:14 14848 ----a-w- c:\windows\system32\atig6pxx.dll
2010-10-26 18:14 . 2010-10-26 18:14 12800 ----a-w- c:\windows\SysWow64\atiglpxx.dll
2010-10-26 18:14 . 2010-10-26 18:14 12800 ----a-w- c:\windows\system32\atiglpxx.dll
2010-10-26 18:14 . 2010-10-26 18:14 31744 ----a-w- c:\windows\system32\atig6txx.dll
2010-10-26 18:14 . 2010-10-26 18:14 27136 ----a-w- c:\windows\SysWow64\atigktxx.dll
2010-10-26 18:14 . 2010-10-26 18:14 287232 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2010-10-26 18:13 . 2010-08-03 17:15 39936 ----a-w- c:\windows\system32\atiuxp64.dll
2010-10-26 18:13 . 2010-10-23 01:41 30720 ----a-w- c:\windows\SysWow64\atiuxpag.dll
2010-10-26 18:13 . 2010-10-26 18:13 37888 ----a-w- c:\windows\system32\atiu9p64.dll
2010-10-26 18:13 . 2010-08-03 17:14 28672 ----a-w- c:\windows\SysWow64\atiu9pag.dll
2010-10-26 18:12 . 2010-10-26 18:12 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2010-10-26 17:57 . 2010-10-26 17:57 3221504 ----a-w- c:\windows\system32\atiumd6a.dll
2010-10-26 17:50 . 2010-10-23 02:11 3460096 ----a-w- c:\windows\SysWow64\atiumdva.dll
2010-10-26 17:37 . 2010-10-26 17:37 53760 ----a-w- c:\windows\system32\atimpc64.dll
2010-10-26 17:37 . 2010-10-26 17:37 53760 ----a-w- c:\windows\system32\amdpcom64.dll
2010-10-26 17:37 . 2010-10-26 17:37 52736 ----a-w- c:\windows\SysWow64\atimpc32.dll
2010-10-26 17:37 . 2010-10-26 17:37 52736 ----a-w- c:\windows\SysWow64\amdpcom32.dll
2010-10-23 02:15 . 2010-10-23 02:15 51200 ----a-w- c:\windows\system32\ATIODCLI.exe
2010-10-23 02:12 . 2010-10-23 02:12 332800 ----a-w- c:\windows\system32\ATIODE.exe
2010-10-23 01:42 . 2010-10-23 01:42 116240 ----a-w- c:\windows\system32\drivers\AtihdW76.sys
2010-10-20 05:20 . 2010-12-15 09:21 46080 ----a-w- c:\windows\system32\atmlib.dll
2010-10-20 04:54 . 2010-12-15 09:21 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2010-10-20 03:09 . 2010-12-15 09:21 3124224 ----a-w- c:\windows\system32\win32k.sys
2010-10-20 03:05 . 2010-12-15 09:21 367104 ----a-w- c:\windows\system32\atmfd.dll
2010-10-20 02:58 . 2010-12-15 09:21 294400 ----a-w- c:\windows\SysWow64\atmfd.dll
2010-10-19 02:41 . 2010-09-29 07:49 270720 ------w- c:\windows\system32\MpSigStub.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1475072]
"Sony Ericsson PC Companion"="c:\program files (x86)\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe" [2010-11-16 422912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-09-30 98304]
"ATICustomerCare"="c:\program files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-04 311296]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-22 35760]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files (x86)\LimeWire\LimeWire.exe [2010-10-1 503808]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-29 136176]
R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [2010-12-06 13352]
R3 Sony Ericsson PCCompanion;Sony Ericsson PCCompanion;c:\program files (x86)\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exe [2010-10-26 155344]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-10-01 1255736]
R4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2010-06-29 128752]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot64.sys [2009-06-30 33800]
S1 aswSP;aswSP; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-02-17 14920]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-02-17 12360]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-10-26 203776]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 61008]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~2\mcafee\SITEAD~1\mcsacore.exe [2010-11-24 101048]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-10-26 8012288]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-10-26 287232]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2010-10-23 116240]
S3 Lycosa;Lycosa Keyboard;c:\windows\system32\drivers\Lycosa.sys [2008-01-17 18816]
S3 Razerlow;Razer Pro|Solutions;c:\windows\system32\drivers\DB3G.sys [2005-11-06 21120]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-03-01 187392]

.
Contents of the 'Scheduled Tasks' folder

2011-01-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-29 09:18]

2011-01-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-29 09:18]
.

--------- x86-64 -----------


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\svsks20h.default\
FF - prefs.js: network.proxy.ftp - 189.1.7.136
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.gopher - 189.1.7.136
FF - prefs.js: network.proxy.gopher_port - 3128
FF - prefs.js: network.proxy.http - 189.1.7.136
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - 189.1.7.136
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - 189.1.7.136
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 1
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files (x86)\McAfee\SiteAdvisor
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-01-16 20:04:18
ComboFix-quarantined-files.txt 2011-01-16 12:04

Pre-Run: 734,753,103,872 bytes free
Post-Run: 734,432,133,120 bytes free

- - End Of File - - D6863025368C73E5C88407B30DE6D849

#6 etavares (Bleepin' Remover, Malware Response Team)

Posted 16 January 2011 - 10:25 AM

Hi,

OK, that's not too bad, it didn't find anything. That's great news. Are you still getting that popup about newdev.exe wanting to change the registry? I'm not seeing it in the logs, so we'll have to search for the loading point if you're still getting that.

Also, does this IP address mean anything to you?
189.1.7.136

It's resolving to a webserver in Brazil. If that makes sense (e.g. you're located in Brazil), it's fine. If you have no idea why your computer would have a proxy linked to Brazil...that's important to know.

Thanks!


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
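The proxy question in the post above comes straight from the "FF - prefs.js: network.proxy.*" lines of the ComboFix log: network.proxy.type is 1 (manual) and every protocol is sent to 189.1.7.136 on port 3128. The PowerShell below is an added example, not part of the thread or of any BleepingComputer tool; it parses a Firefox prefs.js, reads the network.proxy.* entries, and flags a manual proxy whose server is not a loopback, RFC 1918 or link-local IPv4 address. The sample prefs.js is constructed here from the thread's values, and the "anything public needs a look" rule is the example's own assumption (a managed corporate machine may legitimately use a public proxy).

```powershell
# Added example, not part of the thread or of any BleepingComputer tool.
# Parses a Firefox prefs.js and flags a manually configured proxy, the
# condition behind the "FF - prefs.js: network.proxy.*" lines in the log.

function Test-PrivateIPv4 {
    # True for loopback, RFC 1918 and link-local IPv4 addresses; $false for
    # anything else, including hostnames, which a human has to judge.
    param([string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or ($b[0] -eq 127) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 169 -and $b[1] -eq 254)
}

function Get-FirefoxProxyFindings {
    param([Parameter(Mandatory)][string]$PrefsPath)

    # prefs.js lines look like:  user_pref("network.proxy.http", "189.1.7.136");
    $rx    = '^user_pref\("(network\.proxy\.[^"]+)",\s*(.+)\);\s*$'
    $prefs = @{}
    foreach ($line in Get-Content -LiteralPath $PrefsPath) {
        if ($line -match $rx) { $prefs[$matches[1]] = $matches[2].Trim('"') }
    }

    # network.proxy.type: 0 direct, 1 manual, 2 PAC URL, 4 auto-detect (WPAD),
    # 5 use system settings. Absent means Firefox's default, which is not manual.
    $type = if ($prefs.ContainsKey('network.proxy.type')) { [int]$prefs['network.proxy.type'] } else { -1 }

    $findings = @()
    if ($type -eq 2 -and $prefs['network.proxy.autoconfig_url']) {
        # A PAC script can route any URL anywhere; always worth reading.
        $findings += [pscustomobject]@{ Protocol = 'pac'; Server = $prefs['network.proxy.autoconfig_url']; Port = $null; NeedsReview = $true }
    }
    if ($type -eq 1) {
        foreach ($proto in 'http', 'ssl', 'ftp', 'socks', 'gopher') {
            $server = $prefs["network.proxy.$proto"]
            if (-not $server) { continue }
            $findings += [pscustomobject]@{
                Protocol    = $proto
                Server      = $server
                Port        = $prefs["network.proxy.${proto}_port"]
                NeedsReview = -not (Test-PrivateIPv4 $server)
            }
        }
    }
    return $findings
}

# Constructed sample reproducing the thread's values; not a real capture.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'prefs-sample.js'
@'
user_pref("network.proxy.http", "189.1.7.136");
user_pref("network.proxy.http_port", 3128);
user_pref("network.proxy.ssl", "189.1.7.136");
user_pref("network.proxy.ssl_port", 3128);
user_pref("network.proxy.socks", "189.1.7.136");
user_pref("network.proxy.socks_port", 3128);
user_pref("network.proxy.no_proxies_on", "localhost, 127.0.0.1");
user_pref("network.proxy.type", 1);
'@ | Set-Content -LiteralPath $sample

Get-FirefoxProxyFindings -PrefsPath $sample | Format-Table -AutoSize

# Live system: check every profile under the roaming AppData folder.
# Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles\*\prefs.js" |
#     ForEach-Object { Get-FirefoxProxyFindings -PrefsPath $_.FullName }
```

On the sample, the http, ssl and socks rows all come back with NeedsReview set, which is the same conclusion etavares reached by hand. Because the script only reads prefs.js, the same file can be pulled from a disk image or a ComboFix quarantine folder and checked offline; a hostname rather than an IP is also flagged, since the private-range test cannot decide it.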
 


#7 Skitz69 (Topic Starter)

Posted 16 January 2011 - 10:38 AM

Hey,

Yes, I still get the message upon restart about newdev.exe

I had a look at that IP and I have never seen that website before. I'm in Australia so I'm not sure why I would have it.

#8 etavares (Bleepin' Remover, Malware Response Team)

Posted 18 January 2011 - 06:22 PM

Hello, Skitz69.

Just to confirm, the error is specifically newdev.EXE NOT .DLL? DLL is legitimate and not malware and we'd need a different path. Let's look for other instances.

Download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and Paste the content of the following codebox into the main textfield under "File":
    :filefind
    newdev.*
    :regfind
    newdev
    
  • Please confirm everything is copied and pasted as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please post this log in your next reply.


Note: The log can also be found on your Desktop entitled SystemLook.txt
2nd Note: The scan may take a while, from several seconds to a minute or more, depending on the number of files you have and how fast your computer can perform the task.


etavares




#9 Skitz69 (Topic Starter)

Posted 19 January 2011 - 11:34 PM

Hey
Here is the log from systemlook:

SystemLook 04.09.10 by jpshortstuff
Log created at 12:25 on 20/01/2011 by User
Administrator - Elevation successful
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.

========== filefind ==========

Searching for "newdev.*"
C:\Windows\System32\newdev.dll --a---- 313856 bytes [23:16 13/07/2009] [01:16 14/07/2009] A6154A954F08E99D27CEA4D3B9563172
C:\Windows\System32\newdev.exe --a---- 76800 bytes [23:16 13/07/2009] [01:14 14/07/2009] 38926BA136342B3F6A750098195B29A1
C:\Windows\System32\en-US\newdev.dll.mui --a---- 25088 bytes [05:35 14/07/2009] [02:03 14/07/2009] 8E350F30DF551C748CB6D898348A0F58
C:\Windows\System32\en-US\newdev.exe.mui --a---- 2048 bytes [05:35 14/07/2009] [02:02 14/07/2009] 72AA1ED2004775AB8256B4AB18C26910
C:\Windows\System32\wbem\newdev.mof --a---- 3681 bytes [21:46 10/06/2009] [21:46 10/06/2009] 6C4A592699650BA71AB19EC0027D857B
C:\Windows\SysWOW64\newdev.dll --a---- 313856 bytes [23:16 13/07/2009] [01:16 14/07/2009] A6154A954F08E99D27CEA4D3B9563172
C:\Windows\SysWOW64\newdev.exe --a---- 76800 bytes [23:16 13/07/2009] [01:14 14/07/2009] 38926BA136342B3F6A750098195B29A1
C:\Windows\SysWOW64\en-US\newdev.dll.mui --a---- 25088 bytes [05:35 14/07/2009] [02:03 14/07/2009] 8E350F30DF551C748CB6D898348A0F58
C:\Windows\SysWOW64\en-US\newdev.exe.mui --a---- 2048 bytes [05:35 14/07/2009] [02:02 14/07/2009] 72AA1ED2004775AB8256B4AB18C26910
C:\Windows\SysWOW64\wbem\newdev.mof --a---- 3681 bytes [21:46 10/06/2009] [21:46 10/06/2009] 6C4A592699650BA71AB19EC0027D857B
C:\Windows\winsxs\amd64_microsoft-windows-newdev.resources_31bf3856ad364e35_6.1.7600.16385_en-us_cf00a033363ace4b\newdev.dll.mui --a---- 25088 bytes [05:35 14/07/2009] [02:23 14/07/2009] 61700792F4DDE375F78BA88904518BA1
C:\Windows\winsxs\amd64_microsoft-windows-newdev.resources_31bf3856ad364e35_6.1.7600.16385_en-us_cf00a033363ace4b\newdev.exe.mui --a---- 2048 bytes [05:35 14/07/2009] [02:23 14/07/2009] 1D5DB15DB355F9E465A07713FDE86A94
C:\Windows\winsxs\amd64_microsoft-windows-newdev_31bf3856ad364e35_6.1.7600.16385_none_6d6b3cfb6a5a1e5a\newdev.dll --a---- 313856 bytes [23:26 13/07/2009] [01:41 14/07/2009] BB7E865599FA258C70DF8B1F70109F6F
C:\Windows\winsxs\amd64_microsoft-windows-newdev_31bf3856ad364e35_6.1.7600.16385_none_6d6b3cfb6a5a1e5a\newdev.exe --a---- 76288 bytes [23:27 13/07/2009] [01:39 14/07/2009] 78D26E7614DDBC22B34C412624285D81
C:\Windows\winsxs\amd64_microsoft-windows-newdev_31bf3856ad364e35_6.1.7600.16385_none_6d6b3cfb6a5a1e5a\newdev.mof --a---- 3681 bytes [21:08 10/06/2009] [21:08 10/06/2009] 6C4A592699650BA71AB19EC0027D857B
C:\Windows\winsxs\x86_microsoft-windows-newdev.resources_31bf3856ad364e35_6.1.7600.16385_en-us_72e204af7ddd5d15\newdev.dll.mui --a---- 25088 bytes [05:35 14/07/2009] [02:03 14/07/2009] 8E350F30DF551C748CB6D898348A0F58
C:\Windows\winsxs\x86_microsoft-windows-newdev.resources_31bf3856ad364e35_6.1.7600.16385_en-us_72e204af7ddd5d15\newdev.exe.mui --a---- 2048 bytes [05:35 14/07/2009] [02:02 14/07/2009] 72AA1ED2004775AB8256B4AB18C26910
C:\Windows\winsxs\x86_microsoft-windows-newdev_31bf3856ad364e35_6.1.7600.16385_none_114ca177b1fcad24\newdev.dll --a---- 313856 bytes [23:16 13/07/2009] [01:16 14/07/2009] A6154A954F08E99D27CEA4D3B9563172
C:\Windows\winsxs\x86_microsoft-windows-newdev_31bf3856ad364e35_6.1.7600.16385_none_114ca177b1fcad24\newdev.exe --a---- 76800 bytes [23:16 13/07/2009] [01:14 14/07/2009] 38926BA136342B3F6A750098195B29A1
C:\Windows\winsxs\x86_microsoft-windows-newdev_31bf3856ad364e35_6.1.7600.16385_none_114ca177b1fcad24\newdev.mof --a---- 3681 bytes [21:46 10/06/2009] [21:46 10/06/2009] 6C4A592699650BA71AB19EC0027D857B

========== regfind ==========

Searching for "newdev"
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\amd64_microsoft-windows-newdev.resources_31bf3856ad364e35_6.1.7600.16385_en-us_cf00a033363ace4b]
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\amd64_microsoft-windows-newdev_31bf3856ad364e35_6.1.7600.16385_none_6d6b3cfb6a5a1e5a]
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-newdev.resources_31bf3856ad364e35_6.1.7600.16385_en-us_72e204af7ddd5d15]
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-newdev_31bf3856ad364e35_6.1.7600.16385_none_114ca177b1fcad24]
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17514 (win7sp1_rtm.101119-1850)\ComponentFamilies\amd64_microsoft-windows-newdev.resources_31bf3856ad364e35_en-us_8e7411f1932786dc]
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17514 (win7sp1_rtm.101119-1850)\ComponentFamilies\amd64_microsoft-windows-newdev_31bf3856ad364e35_none_6eec311d54796185]
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17514 (win7sp1_rtm.101119-1850)\ComponentFamilies\x86_microsoft-windows-newdev.resources_31bf3856ad364e35_en-us_3255766ddaca15a6]
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17514 (win7sp1_rtm.101119-1850)\ComponentFamilies\x86_microsoft-windows-newdev_31bf3856ad364e35_none_12cd95999c1bf04f]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\newdev.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DeviceDisplayObject\InterfaceClass\{70FFD812-4C7F-4C7D-926A-637B7DD852AF}\Shell\DeviceInstall]
"Icon"="newdev.dll,-200"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DeviceDisplayObject\InterfaceClass\{70FFD812-4C7F-4C7D-926A-637B7DD852AF}\Shell\DeviceInstall\command]
@="rundll32.exe newdev.dll,DeviceInternetSettingUi 2"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\newdev.exe]

-= EOF =-
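One detail in the SystemLook log above deserves a closer look before calling the file clean. The log warns that the tool ran under WOW64, and on 64-bit Windows a 32-bit process asking for C:\Windows\System32 is silently redirected to C:\Windows\SysWOW64. That is why the "System32" newdev.exe and newdev.dll hits have exactly the same size and MD5 as the SysWOW64 ones and as the x86 WinSxS copy, while the amd64 WinSxS newdev.exe is a different file (76288 bytes, a different MD5). The UAC prompt named the 64-bit C:\Windows\System32\newdev.exe, so that is the binary to verify. The PowerShell below is an added example, not part of the thread or of SystemLook: it reaches the real System32 directory from any process bitness (the Sysnative alias is a documented Windows feature for exactly this), checks the Authenticode signature, and compares the live file's SHA-256 against every pristine copy of the component in WinSxS. The function names and the WinSxS component family name "microsoft-windows-newdev" (taken from the directory names in the log) are the example's own assumptions.

```powershell
# Added example, not part of the thread or of SystemLook. Verifies the 64-bit
# newdev.exe the UAC prompt named, from any PowerShell bitness, and compares it
# with the pristine copies in the WinSxS component store.

function Resolve-System32Path {
    # A 32-bit process on 64-bit Windows has C:\Windows\System32 redirected to
    # SysWOW64 (the WOW64 warning in the SystemLook log); the Sysnative alias
    # reaches the real 64-bit directory from such a process.
    param([Parameter(Mandatory)][string]$Name)
    $redirected = [Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess
    $dir = if ($redirected) { 'Sysnative' } else { 'System32' }
    return Join-Path (Join-Path $env:windir $dir) $Name
}

function Test-SystemBinary {
    param(
        [Parameter(Mandatory)][string]$Path,
        # WinSxS component family the file belongs to (assumed for newdev.exe,
        # from the amd64_microsoft-windows-newdev_* directory names in the log).
        [string]$Component = 'microsoft-windows-newdev'
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "Not found: $Path" }
    $file = Get-Item -LiteralPath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # System32 binaries are usually catalog-signed rather than carrying an
    # embedded signature. PowerShell 5.1 and later resolve catalog signatures;
    # older versions report NotSigned for them, so treat that as "unknown",
    # not as "bad", and lean on the WinSxS comparison below.
    $sig      = Get-AuthenticodeSignature -FilePath $Path
    $signerOk = ($sig.Status -eq 'Valid') -and
                ($sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')

    # Every installed version of the component keeps a pristine copy per
    # architecture under WinSxS; the live file must hash-match one of them.
    $arch = if ([Environment]::Is64BitOperatingSystem) { 'amd64' } else { 'x86' }
    $sxsCopies = Get-ChildItem -Path (Join-Path $env:windir 'winsxs') -Directory -Filter "${arch}_${Component}_*" -ErrorAction SilentlyContinue |
                 ForEach-Object { Join-Path $_.FullName $file.Name } |
                 Where-Object { Test-Path -LiteralPath $_ }
    $sxsMatch  = @($sxsCopies | Where-Object { (Get-FileHash -LiteralPath $_ -Algorithm SHA256).Hash -eq $hash })

    $verdict = if ($signerOk -and $sxsMatch.Count -gt 0) {
        'expected Microsoft binary'
    } elseif ($sxsMatch.Count -gt 0) {
        'matches a WinSxS copy; signature not verifiable on this PowerShell'
    } else {
        'investigate: no WinSxS copy matches'
    }

    [pscustomobject]@{
        Path       = $file.FullName
        SizeBytes  = $file.Length
        SHA256     = $hash
        SigStatus  = $sig.Status
        Signer     = $sig.SignerCertificate.Subject
        MatchesSxS = $sxsMatch.Count
        Verdict    = $verdict
    }
}

Test-SystemBinary -Path (Resolve-System32Path 'newdev.exe') | Format-List
```

Get-FileHash needs PowerShell 4 or later and the [Environment] bitness properties need .NET 4; on a Windows 7 machine still running PowerShell 2.0, "certutil -hashfile <file> SHA256" gives the hash and Sysinternals "sigcheck -a <file>" verifies catalog signatures on any Windows version. Whatever the tooling, the point is the same: hash the file at the path the UAC prompt actually showed, from a 64-bit context, and compare it with the component store copy for the same architecture.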

#10 etavares (Bleepin' Remover, Malware Response Team)

Posted 20 January 2011 - 08:02 PM

OK, that looks like the legitimate file. A couple of quick questions:

Did you recently upgrade this computer to Windows 7?
Did you recently add new hardware to it?




#11 Skitz69 (Topic Starter)

Posted 20 January 2011 - 10:55 PM

Hey

I would've upgraded to Windows 7 a couple of months ago and I did try to install a printer recently, but I didn't have the CD so I tried downloading the drivers from the internet but that didn't work.

#12 etavares (Bleepin' Remover, Malware Response Team)

Posted 21 January 2011 - 04:16 PM

OK, try allowing newdev.exe to access your computer. It sounds like the drivers tried to install, but didn't. That file is legitimate based on our virus scan and its signature. It's used to install new hardware.

Your printer may even work after that.

Let me know what's up after that.




#13 etavares (Bleepin' Remover, Malware Response Team)

Posted 05 February 2011 - 04:36 PM

still with me?




#14 Skitz69 (Topic Starter)

Posted 05 February 2011 - 09:21 PM

Sorry, I've started Yr 12 and it's been full on.
I pressed yes to newdev.exe and my computer has been running fine and I haven't had any messages pop up again so I think all is well.

Thanks very much for your help and I'm extremely sorry for taking so long to reply.

#15 etavares (Bleepin' Remover, Malware Response Team)

Posted 06 February 2011 - 06:20 AM

Hello, Skitz69.

No problem. Let's clean up. I hope you're at least enjoying Year 12!


Ok, good news. Your log appears clean. Let's clean up our mess. If your computer is running well; please do the steps listed below. At the end, I've also listed a few completely optional things you can do to further secure your computer. Safe surfing!



Step 1

ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first. We can reinstall it when we're done with CF. Please let me know if you do uninstall it.

Uninstall ComboFix and Clean Up
Click Start > Run and type combofix /Uninstall, then click OK (note the space between combofix and /Uninstall).
Please advise if this step is missed for any reason as it performs some important actions.

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • If that link doesn't work, try this one.
  • Double-click the OTC icon to start the program. If you are using Vista, please right-click and choose Run as administrator.
  • Then click the big CleanUp! button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

If you ran Defogger and disabled your emulator, please don't forget to run it again and reenable it. See the instructions here to do so.


Optional Items

Please take the time to read below to secure your machine and take the necessary steps to keep it that way.


System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance. If you are running Windows Vista or Windows 7, please right-click on the icon, and select "Run As Administrator"; otherwise it won't work.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware

Protect yourself from malicious sites

The HOSTS file can protect you from connecting to bad sites. See The Hosts File and what it can do for you for more background.

Please download HostsMan. It safeguards you with a regularly updated Hosts file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installation and setting up, follow these steps:
  • Double-click the Downloaded installer and install the tool to a location of your choice
  • Via the Startmenu, navigate to HostsMan and run the program.
    • Click "Hosts" in the menu
    • Click "Manage Updates" in the submenu
    • Out of the three, select at least one (I have MVPS Hosts as my main one)
    • Click "Add Update." After that you will only need to click the update button to retrieve updates.
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.


Keep Windows Up to Date
It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Use a Firewall

I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls

Install an AntiSpyware Program

A highly recommended AntiSpyware program is Malwarebytes Anti-Malware. You can download the free version.

Installing this program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would with antivirus software.


Update all these programs regularly
Make sure you update all your programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released. You can use Secunia PSI to keep track of necessary updates. It can run in the background and constantly monitor your software; although I just run it once a week manually. It will alert you when an update is available for a variety of software. It is very useful.

Follow this list and your potential for being infected again will reduce dramatically.

Good luck!

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
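To make the HOSTS-file mechanism from the post above concrete, here is an added example that is not part of the original post and is not HostsMan's code. It parses hosts-file text the way a blocklist is written (sinkhole address, then one or more hostnames, with `#` comments), reports whether a name would be blocked, and merges a user's own entries ahead of a downloaded list so they survive an update, which is the situation the note about custom Hosts files warns about. Every hostname and address in the sample data is a constructed placeholder, and the helper names are mine.

```python
"""Parse and merge hosts-file blocklists (added example; not HostsMan's code)."""
import ipaddress

# Addresses blocklists commonly point names at so the connection goes nowhere.
BLOCK_TARGETS = {"0.0.0.0", "127.0.0.1", "::", "::1"}
# Names that legitimately resolve to loopback and must never be reported as blocked.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text.

    Comments and blank lines are skipped, hostnames are case-folded, and the
    first line naming a host wins (the resolver scans the file top to bottom).
    Lines whose address does not parse are ignored rather than trusted.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comment, whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                          # address with no hostname: malformed
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue                          # not an IP address: malformed
        for name in parts[1:]:
            entries.setdefault(name.lower(), ip)
    return entries


def is_blocked(entries, hostname):
    """True if the hosts entries would sink this hostname to a block address."""
    name = hostname.lower()
    if name in LOOPBACK_NAMES:
        return False
    return entries.get(name) in BLOCK_TARGETS


def blocked_names(entries):
    """All hostnames the entries sink, as a sorted list."""
    return sorted(n for n in entries if is_blocked(entries, n))


def merge_hosts(custom_text, blocklist_text):
    """Combine a user's own entries with a downloaded list; custom entries win.

    Keeping the custom entries first means a later blocklist update cannot
    silently override a name the user mapped on purpose.
    """
    merged = dict(parse_hosts(custom_text))
    for name, ip in parse_hosts(blocklist_text).items():
        merged.setdefault(name, ip)
    return merged


def render_hosts(entries):
    """Serialize entries back into hosts-file text."""
    lines = ["# generated: custom entries first, then blocklist"]
    lines += [f"{ip}\t{name}" for name, ip in entries.items()]
    return "\n".join(lines) + "\n"


# Constructed sample input: a user's own entries (placeholder names, RFC 5737 test address).
CUSTOM_HOSTS = """\
127.0.0.1   localhost
192.0.2.10  intranet.example      # lab server the user mapped on purpose
"""

# Constructed sample input: a downloaded blocklist (placeholder names only).
BLOCKLIST = """\
# blocklist header comment
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org malware.example.org
0.0.0.0 intranet.example         # collides with the custom entry above
not-an-ip something.example      # malformed line, must be ignored
"""

if __name__ == "__main__":
    merged = merge_hosts(CUSTOM_HOSTS, BLOCKLIST)
    print(render_hosts(merged))
    print("blocked:", blocked_names(merged))
    print("intranet.example ->", merged["intranet.example"])
```

The example works on text only; on Windows the live file is `C:\Windows\System32\drivers\etc\hosts`, and writing to it needs an elevated prompt, which is why HostsMan is run as administrator.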
 




