
i think i have a PUP virus and i cant get rid of it


  • This topic is locked
17 replies to this topic

#1 Arni


  • Members
  • 9 posts

Posted 23 May 2011 - 02:13 PM

Could anyone help me please... I've got this really annoying virus in here which keeps popping up iexplore windows and sending e-mails from my account.

This is my HijackThis log:


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 20:12:59, on 23/05/2011
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\DAEMON Tools Pro\DTShellHlp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\ctfmon.exe
C:\Windows\system32\taskeng.exe
c:\Program Files\Microsoft IntelliPoint\IPoint.exe
C:\Users\Arni\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Arni\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Trend Micro NSC BHO - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1381\6.5.1234\TmIEPlg.dll (file missing)
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (file missing)
O2 - BHO: Trend Micro Toolbar BHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\Titanium\UIFramework\ToolbarIE.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: TmBpIeBHO - {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\Module\20002\6.5.1234\6.5.1234\TmBpIe32.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O3 - Toolbar: Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\Titanium\UIFramework\ToolbarIE.dll (file missing)
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [Trend Micro Client Framework] "C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe"
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\RunOnce: [RealtekHDAUpgrade] RealtekHDAUpgrade
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Arni\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\Module\20002\6.5.1234\6.5.1234\TmBpIe32.dll (file missing)
O18 - Protocol: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1381\6.5.1234\TmIEPlg.dll (file missing)
O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\Titanium\UIFramework\ToolbarIE.dll (file missing)
O18 - Protocol: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - C:\Program Files\Trend Micro\Titanium\UIFramework\ProToolbarIMRatingActiveX.dll (file missing)
O20 - AppInit_DLLs: ??E
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: AMD FUEL Service - Advanced Micro Devices, Inc. - C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
O23 - Service: AMD FusionUtility Service - Advanced Micro Devices, Inc. - C:\Program Files\AMD\Fusion Utility for Desktop\FusionUtility2Service.exe
O23 - Service: Trend Micro Solution Platform (Amsp) - Unknown owner - C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Browser Defender Update Service - Unknown owner - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: Sony Ericsson OMSI download service (OMSI download service) - Unknown owner - C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB - Unknown owner - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe (file missing)
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

--
End of file - 7994 bytes
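A triage pass over the kind of HijackThis log posted above, as an added example that is not part of the original thread and is not HijackThis's own logic. The sample lines are copied from the log in post #1; the rules (orphaned "(file missing)" components, an AppInit_DLLs value that is not a DLL path, per-user autoruns under AppData, services with no company name, and Winsock LSPs outside the Windows or Program Files directories) are this editor's reading of what a malware-removal helper looks at first, and the trusted-directory list is an assumption made for the example.

```python
"""Triage pass over a HijackThis v2.0.4 log.

Added example for this thread, not HijackThis's own logic. The rules encode
what a malware-removal helper scans the log for first; every hit is a
prompt to verify the entry, not a verdict.
"""
import re
from dataclasses import dataclass

# Lines copied from the log posted above, embedded so the script runs offline.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
O2 - BHO: Trend Micro NSC BHO - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1381\6.5.1234\TmIEPlg.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Arni\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O20 - AppInit_DLLs: ??E
O23 - Service: Trend Micro Solution Platform (Amsp) - Unknown owner - C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe (file missing)
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# One entry per line: a section tag (R0, O2, O23, ...) then " - " then the body.
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")

# Assumption for this example: directories whose contents need no extra
# scrutiny merely for their location (they still get the other checks).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(log_text):
    """Yield (section, body) for each HijackThis entry line, skipping headers."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def in_trusted_dir(path):
    return path.strip().lower().startswith(TRUSTED_PREFIXES)


def triage(log_text):
    """Return the entries a reviewer should look at, each with a reason."""
    findings = []
    for section, body in parse_entries(log_text):
        line = f"{section} - {body}"
        if body.endswith("(file missing)"):
            findings.append(Finding(section, "orphaned entry: registered component is no longer on disk", line))
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.split(":", 1)[1].strip()
            # AppInit_DLLs is either empty or a list of DLL paths; anything else
            # means the raw registry value must be read back and inspected.
            if value and not re.search(r"\.dll\b", value, re.IGNORECASE):
                findings.append(Finding(section, "AppInit_DLLs holds a non-DLL value; read the registry value directly", line))
        if section == "O4" and re.search(r"\\AppData\\", body, re.IGNORECASE):
            findings.append(Finding(section, "autorun launched from a user-writable profile directory", line))
        if section == "O10":
            path = body.split(":", 1)[1]
            if not in_trusted_dir(path):
                findings.append(Finding(section, "Winsock LSP loaded from an unusual location", line))
        if section == "O23" and " - Unknown owner - " in body:
            findings.append(Finding(section, "service binary carries no company name", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Running it prints each flagged line with its reason. A hit is a prompt to verify, not a verdict: the "(file missing)" Trend Micro and GameGuard entries are consistent with software that was uninstalled without cleaning up its registration, and a per-user Google Update autorun under AppData is how that updater normally installs. The O20 line is the one to read back from the registry (the AppInit_DLLs value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows) before anything is removed, because a value that is not a DLL path tells you nothing about what is actually being loaded.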


#2 Orange Blossom


    OBleepin Investigator


  • Moderator
  • 36,962 posts

Posted 31 May 2011 - 11:47 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks and again sorry for the delay.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 Arni

  • Topic Starter

  • Members
  • 9 posts

Posted 05 June 2011 - 10:12 AM

Thank you for your reply.
Yes, I have my original installation CD.
I will attach the DDS log, but I was unable to create a GMER log because as soon as it starts scanning the file system it crashes the PC and restarts it. Gave it a few tries and gave up.

Attached file: DDS.txt (18.98 KB)


#4 pwgib


  • Malware Response Team
  • 2,956 posts

Posted 06 June 2011 - 08:34 AM

Hi Arni,

I will be handling your log to help you get cleaned up. I apologize for the delay but the forum is very busy and as you can see the logs we ask for are very extensive and take a lot of time to investigate.

Please subscribe to this topic. Click on the Watch Topic button, select Immediate Notification and click on proceed.

Make sure Word Wrap in notepad is turned off. When copying and pasting logs paste them directly in the reply box only attach logs if asked to. Do not wrap logs in codebox or code tags. It makes it very difficult to read and analyze them. Please paste them directly into the reply box.
Do not make any changes to your system until we are through. Fixes are based upon information that is current from your system so any changes can affect our strategy. Please refrain from running any tools we may use without specific instructions.

If your operating system is Windows Vista or Windows 7 it may be necessary to right-click any programs we use and choose Run as Administrator.

Before we begin please check and follow the instructions on How to Show Hidden Files and Folders in Windows Vista and Windows XP and How to show hidden files in Windows 7

Because the e-mail notification system is not completely reliable, please check your topic once a day for responses.

Please read carefully all directions and instructions. If you are instructed to save a tool to the desktop please save it to the desktop. If you have since resolved the original problem you were having, we would appreciate you letting us know.

In your reply you neglected to attach the Attach.txt log from DDS. Please do so. :)


Step 1.

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.


Step 2.

Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)
In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".



In your next reply please include the following:

Attach.txt
RkUnhooker log



Thanks!!

Edited by pwgib, 06 June 2011 - 08:46 AM.

PW

#5 Arni

  • Topic Starter

  • Members
  • 9 posts

Posted 07 June 2011 - 01:13 PM

Hi!
This is my log.
Just to let you know in advance that I will be unable to check back into the forum in the next 6 or 7 days, so it may take a while before I post a reply.

Thank you!




RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows 7
Version 6.1.7600
Number of processors #2
==============================================
>Drivers
==============================================
0x90A0D000 C:\Windows\system32\DRIVERS\atikmdag.sys 8093696 bytes (ATI Technologies Inc., ATI Radeon Kernel Mode Driver)
0x8FA2E000 C:\Windows\system32\DRIVERS\kl1.sys 5382144 bytes (Kaspersky Lab, Kaspersky Unified Driver)
0x83203000 C:\Windows\system32\ntkrnlpa.exe 4259840 bytes (Microsoft Corporation, NT Kernel & System)
0x83203000 PnpManager 4259840 bytes
0x83203000 RAW 4259840 bytes
0x83203000 WMIxWDM 4259840 bytes
0x98C02000 C:\Windows\system32\drivers\RTKVHDA.sys 3481600 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)
0x9A0E0000 Win32k 2404352 bytes
0x9A0E0000 C:\Windows\System32\win32k.sys 2404352 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0x8A81F000 C:\Windows\System32\drivers\tcpip.sys 1347584 bytes (Microsoft Corporation, TCP/IP Driver)
0x8A412000 C:\Windows\System32\Drivers\Ntfs.sys 1241088 bytes (Microsoft Corporation, NT File System Driver)
0x908A4000 C:\Windows\System32\drivers\dxgkrnl.sys 749568 bytes (Microsoft Corporation, DirectX Graphics Kernel)
0x8A60E000 C:\Windows\system32\drivers\ndis.sys 749568 bytes (Microsoft Corporation, NDIS 6.20 driver)
0x83C96000 C:\Windows\system32\CI.dll 700416 bytes (Microsoft Corporation, Code Integrity Module)
0xA0414000 C:\Windows\system32\drivers\peauth.sys 618496 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
0x9B481000 C:\Windows\system32\drivers\HTTP.sys 544768 bytes (Microsoft Corporation, HTTP Protocol Stack)
0x83D41000 C:\Windows\system32\drivers\Wdf01000.sys 462848 bytes (Microsoft Corporation, Kernel Mode Driver Framework Runtime)
0x8E361000 C:\Windows\system32\drivers\csc.sys 409600 bytes (Microsoft Corporation, Windows Client Side Caching Driver)
0x8A57F000 C:\Windows\System32\Drivers\cng.sys 380928 bytes (Microsoft Corporation, Kernel Cryptography, Next Generation)
0x8FF82000 C:\Windows\system32\drivers\afd.sys 368640 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x9161A000 C:\Windows\system32\DRIVERS\nvm62x32.sys 348160 bytes (NVIDIA Corporation, NVIDIA MCP Networking Function Driver.)
0xA059C000 C:\Windows\System32\DRIVERS\srv.sys 331776 bytes (Microsoft Corporation, Server driver)
0xA04E3000 C:\Windows\System32\DRIVERS\srv2.sys 323584 bytes (Microsoft Corporation, Smb 2.0 Server driver)
0x9A390000 C:\Windows\System32\ATMFD.DLL 315392 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0x9097A000 C:\Windows\system32\DRIVERS\USBPORT.SYS 307200 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0x83EB0000 C:\Windows\System32\drivers\volmgrx.sys 307200 bytes (Microsoft Corporation, Volume Manager Extension Driver)
0x83E01000 C:\Windows\system32\DRIVERS\ACPI.sys 294912 bytes (Microsoft Corporation, ACPI Driver for NT)
0x83F7C000 C:\Windows\system32\DRIVERS\storport.sys 290816 bytes (Microsoft Corporation, Microsoft Storage Port Driver)
0x9B418000 C:\Windows\system32\DRIVERS\nwifi.sys 286720 bytes (Microsoft Corporation, NativeWiFi Miniport Driver)
0x91888000 C:\Windows\system32\DRIVERS\usbhub.sys 278528 bytes (Microsoft Corporation, Default Hub Driver for USB)
0x83C54000 C:\Windows\system32\CLFS.SYS 270336 bytes (Microsoft Corporation, Common Log File System Driver)
0x8E2BE000 C:\Windows\system32\DRIVERS\rdbss.sys 266240 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0x90864000 C:\Windows\system32\DRIVERS\atikmpag.sys 262144 bytes (Advanced Micro Devices, Inc., AMD multi-vendor Miniport Driver)
0x8A9A2000 C:\Windows\system32\DRIVERS\volsnap.sys 258048 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0x8A6C5000 C:\Windows\system32\drivers\NETIO.SYS 253952 bytes (Microsoft Corporation, Network I/O Subsystem)
0x9183D000 C:\Windows\system32\DRIVERS\dtsoftbus01.sys 249856 bytes (DT Soft Ltd, DAEMON Tools Virtual Bus Driver)
0x9B554000 C:\Windows\system32\DRIVERS\mrxsmb10.sys 241664 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)
0x911C5000 C:\Windows\System32\drivers\dxgmms1.sys 233472 bytes (Microsoft Corporation, DirectX Graphics MMS)
0x83613000 ACPI_HAL 225280 bytes
0x83613000 C:\Windows\system32\halmacpi.dll 225280 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0x83FCC000 C:\Windows\system32\drivers\fltmgr.sys 212992 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0x9177E000 C:\Windows\system32\DRIVERS\ks.sys 212992 bytes (Microsoft Corporation, Kernel CSA Library)
0x9B5B1000 C:\Windows\system32\DRIVERS\tmcomm.sys 212992 bytes (Trend Micro Inc., TrendMicro Common Module)
0x8A755000 C:\Windows\System32\DRIVERS\fvevol.sys 204800 bytes (Microsoft Corporation, BitLocker Drive Encryption Driver)
0x8FF50000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
0x8A968000 C:\Windows\System32\drivers\fwpkclnt.sys 200704 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)
0x8A7BD000 C:\Windows\System32\Drivers\RDPWD.SYS 200704 bytes (Microsoft Corporation, RDP Terminal Stack Driver)
0x918F9000 C:\Windows\system32\drivers\portcls.sys 192512 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0x8A728000 C:\Windows\System32\drivers\rdyboost.sys 184320 bytes (Microsoft Corporation, ReadyBoost Driver)
0x90800000 C:\Windows\system32\DRIVERS\1394ohci.sys 180224 bytes (Microsoft Corporation, 1394 OpenHCI Driver)
0x8A541000 C:\Windows\System32\Drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
0x83E65000 C:\Windows\system32\DRIVERS\pci.sys 172032 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0x8E2FF000 C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys 155648 bytes (Trusteer Ltd., RapportPG)
0x8A798000 C:\Windows\system32\DRIVERS\CLASSPNP.SYS 151552 bytes (Microsoft Corporation, SCSI Class System Dll)
0x91941000 C:\Windows\System32\Drivers\dump_nvstor.sys 151552 bytes
0x8A703000 C:\Windows\System32\Drivers\ksecpkg.sys 151552 bytes (Microsoft Corporation, Kernel Security Support Provider Interface Packages)
0x83F57000 C:\Windows\system32\DRIVERS\nvstor.sys 151552 bytes (NVIDIA Corporation, NVIDIA® nForce™ Sata Performance Driver)
0x91800000 C:\Windows\System32\drivers\rdpdr.sys 151552 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0x83F34000 C:\Windows\system32\DRIVERS\ataport.SYS 143360 bytes (Microsoft Corporation, ATAPI Driver Extension)
0x9B531000 C:\Windows\system32\DRIVERS\mrxsmb.sys 143360 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0x916DE000 C:\Windows\system32\DRIVERS\ndiswan.sys 139264 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xA04B5000 C:\Windows\System32\DRIVERS\srvnet.sys 135168 bytes (Microsoft Corporation, Server Network driver)
0x90831000 C:\Windows\system32\DRIVERS\tunnel.sys 135168 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x83C00000 C:\Windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)
0x83DDA000 C:\Windows\system32\DRIVERS\cdrom.sys 126976 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0x9095B000 C:\Windows\system32\DRIVERS\HDAudBus.sys 126976 bytes (Microsoft Corporation, High Definition Audio Bus Driver)
0x8FA00000 C:\Windows\system32\DRIVERS\pacer.sys 126976 bytes (Microsoft Corporation, QoS Packet Scheduler)
0x9A370000 C:\Windows\System32\cdd.dll 122880 bytes (Microsoft Corporation, Canonical Display Driver)
0x8E27B000 C:\Windows\System32\Drivers\Uim_IM.sys 122880 bytes (Paragon, Image Mounter)
0x919C2000 C:\Windows\system32\DRIVERS\tmactmon.sys 118784 bytes (Trend Micro Inc., TrendMicro Activity Monitor Module)
0x918DD000 C:\Windows\system32\drivers\AtihdW73.sys 114688 bytes (Advanced Micro Devices, AMD High Definition Audio Function Driver)
0x9197D000 C:\Windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)
0x9B58F000 C:\Windows\system32\DRIVERS\mrxsmb20.sys 110592 bytes (Microsoft Corporation, Longhorn SMB 2.0 Redirector)
0x8E24E000 C:\Windows\system32\DRIVERS\serial.sys 106496 bytes (Microsoft Corporation, Serial Device Driver)
0x91998000 C:\Windows\system32\drivers\WudfPf.sys 106496 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0x9B506000 C:\Windows\system32\DRIVERS\bowser.sys 102400 bytes (Microsoft Corporation, NT Lan Manager Datagram Receiver Driver)
0x91928000 C:\Windows\system32\drivers\drmk.sys 102400 bytes (Microsoft Corporation, Microsoft Trusted Audio Drivers)
0x8E3C5000 C:\Windows\System32\Drivers\dfsc.sys 98304 bytes (Microsoft Corporation, DFS Namespace Client Driver)
0x91684000 C:\Windows\system32\DRIVERS\parport.sys 98304 bytes (Microsoft Corporation, Parallel Port Driver)
0x916BB000 C:\Windows\system32\DRIVERS\rasl2tp.sys 98304 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0x91700000 C:\Windows\system32\DRIVERS\raspppoe.sys 98304 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0x91718000 C:\Windows\system32\DRIVERS\raspptp.sys 94208 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0x9172F000 C:\Windows\system32\DRIVERS\rassstp.sys 94208 bytes (Microsoft Corporation, RAS SSTP Miniport Call Manager)
0x8E22C000 C:\Windows\system32\DRIVERS\tdx.sys 94208 bytes (Microsoft Corporation, TDI Translation Driver)
0x98F99000 C:\Windows\system32\DRIVERS\usbccgp.sys 94208 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0x91966000 C:\Windows\system32\DRIVERS\USBSTOR.SYS 94208 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0x83F15000 C:\Windows\System32\drivers\mountmgr.sys 90112 bytes (Microsoft Corporation, Mount Point Manager)
0x8E299000 C:\Windows\system32\DRIVERS\tmtdi.sys 86016 bytes (Trend Micro Inc., Trend Micro TDI Driver (i386-fre))
0x98F70000 C:\Windows\system32\DRIVERS\HIDCLASS.SYS 77824 bytes (Microsoft Corporation, Hid Class Library)
0x8A56C000 C:\Windows\System32\Drivers\ksecdd.sys 77824 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0x9B46E000 C:\Windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
0x8E268000 C:\Windows\system32\DRIVERS\wanarp.sys 77824 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0x916A9000 C:\Windows\system32\DRIVERS\AgileVpn.sys 73728 bytes (Microsoft Corporation, RAS Agile Vpn Miniport Call Manager)
0x90852000 C:\Windows\system32\DRIVERS\amdk8.sys 73728 bytes (Microsoft Corporation, Processor Device Driver)
0x9B51F000 C:\Windows\System32\drivers\mpsdrv.sys 73728 bytes (Microsoft Corporation, Microsoft Protection Service Driver)
0x9B5E5000 C:\Windows\system32\DRIVERS\tmevtmgr.sys 73728 bytes (Trend Micro Inc., TrendMicro Event Management Module)
0x8A787000 C:\Windows\system32\DRIVERS\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)
0x98FDD000 C:\Windows\System32\Drivers\dump_dumpfve.sys 69632 bytes
0x83DC0000 C:\Windows\system32\drivers\fileinfo.sys 69632 bytes (Microsoft Corporation, FileInfo Filter Driver)
0x918CC000 C:\Windows\System32\Drivers\NDProxy.SYS 69632 bytes (Microsoft Corporation, NDIS Proxy)
0x83E8F000 C:\Windows\System32\drivers\partmgr.sys 69632 bytes (Microsoft Corporation, Partition Management Driver)
0x83C3B000 C:\Windows\system32\PSHED.dll 69632 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)
0x8FFE3000 C:\Windows\system32\DRIVERS\vwififlt.sys 69632 bytes (Microsoft Corporation, Virtual WiFi Filter Driver)
0x917B2000 C:\Windows\system32\DRIVERS\amdiox86.sys 65536 bytes (Advanced Micro Devices, AMD IO Driver)
0x919B2000 C:\Windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)
0x8A800000 C:\Windows\System32\Drivers\mup.sys 65536 bytes (Microsoft Corporation, Multiple UNC Provider Driver)
0x9B45E000 C:\Windows\system32\DRIVERS\ndisuio.sys 65536 bytes (Microsoft Corporation, NDIS User mode I/O driver)
0x8E2AE000 C:\Windows\system32\DRIVERS\termdd.sys 65536 bytes (Microsoft Corporation, Remote Desktop Server Driver)
0x83EA0000 C:\Windows\system32\DRIVERS\volmgr.sys 65536 bytes (Microsoft Corporation, Volume Manager Driver)
0x8E325000 C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys 61440 bytes (Trusteer Ltd., RapportEI)
0x909C5000 C:\Windows\system32\DRIVERS\usbehci.sys 61440 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0x8E3DD000 C:\Windows\system32\DRIVERS\blbdrive.sys 57344 bytes (Microsoft Corporation, BLB Drive Driver)
0x917C2000 C:\Windows\system32\DRIVERS\circlass.sys 57344 bytes (Microsoft Corporation, Consumer IR Class Driver for eHome)
0x8FA1F000 C:\Windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)
0x8E21E000 C:\Windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)
0x83F02000 C:\Windows\system32\DRIVERS\PCIIDEX.SYS 57344 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0x8A5DC000 C:\Windows\System32\drivers\pcw.sys 57344 bytes (Microsoft Corporation, Performance Counters for Windows Driver)
0x9187A000 C:\Windows\system32\DRIVERS\umbus.sys 57344 bytes (Microsoft Corporation, User-Mode Bus Enumerator)
0x83DB2000 C:\Windows\system32\drivers\WDFLDR.SYS 57344 bytes (Microsoft Corporation, Kernel Mode Driver Framework Loader)
0x9169C000 C:\Windows\system32\DRIVERS\CompositeBus.sys 53248 bytes (Microsoft Corporation, Multi-Transport Composite Bus Enumerator)
0x98FC6000 C:\Windows\System32\Drivers\crashdmp.sys 53248 bytes (Microsoft Corporation, Crash Dump Driver)
0x9175C000 C:\Windows\system32\DRIVERS\kbdclass.sys 53248 bytes (Microsoft Corporation, Keyboard Class Driver)
0x91769000 C:\Windows\system32\DRIVERS\mouclass.sys 53248 bytes (Microsoft Corporation, Mouse Class Driver)
0x8E334000 C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\26169\RapportCerberus_26169.sys 53248 bytes (Trusteer Ltd., RapportCerberus)
0xA04D6000 C:\Windows\System32\drivers\tcpipreg.sys 53248 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)
0xA0400000 C:\Windows\System32\DRIVERS\tssecsrv.sys 53248 bytes (Microsoft Corporation, TS Security Filter Driver)
0x8A400000 C:\Windows\System32\drivers\watchdog.sys 53248 bytes (Microsoft Corporation, Watchdog Driver)
0x8E355000 C:\Windows\System32\drivers\discache.sys 49152 bytes (Microsoft Corporation, System Indexer/Cache Driver)
0x98FBA000 C:\Windows\system32\DRIVERS\kbdhid.sys 49152 bytes (Microsoft Corporation, HID Keyboard Filter Driver)
0x91746000 C:\Windows\System32\Drivers\pcouffin.sys 49152 bytes (VSO Software, low level access layer for CD/DVD/BD devices)
0x8A9E9000 C:\Windows\System32\Drivers\RapportKELL.sys 49152 bytes (Trusteer Ltd., RapportKE)
0x8A5F3000 C:\Windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0x9166F000 C:\Windows\system32\DRIVERS\fdc.sys 45056 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0x98F65000 C:\Windows\system32\DRIVERS\hidusb.sys 45056 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0x83C30000 C:\Windows\system32\mcupdate_AuthenticAMD.dll 45056 bytes (Microsoft Corporation, AMD Microcode Update Library)
0x98FEE000 C:\Windows\system32\DRIVERS\monitor.sys 45056 bytes (Microsoft Corporation, Monitor Driver)
0x98F85000 C:\Windows\system32\DRIVERS\mouhid.sys 45056 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0x8E213000 C:\Windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)
0x916D3000 C:\Windows\system32\DRIVERS\ndistapi.sys 45056 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0x8E243000 C:\Windows\system32\DRIVERS\TDI.SYS 45056 bytes (Microsoft Corporation, TDI Wrapper)
0x83E5A000 C:\Windows\system32\DRIVERS\vdrvroot.sys 45056 bytes (Microsoft Corporation, Virtual Drive Root Enumerator)
0x98F54000 C:\Windows\system32\DRIVERS\dc3d.sys 40960 bytes (Microsoft Corporation, Filter Driver for Identification of Microsoft Hardware Wireless Mouse and Keyboard Device Models)
0x98FD3000 C:\Windows\System32\Drivers\dump_diskdump.sys 40960 bytes
0x98FB0000 C:\Windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)
0x8E34B000 C:\Windows\system32\DRIVERS\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)
0x8E341000 C:\Windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)
0x91752000 C:\Windows\system32\DRIVERS\rdpbus.sys 40960 bytes (Microsoft Corporation, Microsoft RDP Bus Device driver)
0xA04AB000 C:\Windows\System32\Drivers\secdrv.SYS 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
0x9167A000 C:\Windows\system32\DRIVERS\serenum.sys 40960 bytes (Microsoft Corporation, Serial Port Enumerator)
0xA05ED000 C:\Windows\system32\drivers\tdtcp.sys 40960 bytes (Microsoft Corporation, TCP Transport Driver)
0x90A00000 C:\Windows\system32\DRIVERS\usbohci.sys 40960 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0x83FC3000 C:\Windows\system32\DRIVERS\amdxata.sys 36864 bytes (Advanced Micro Devices, Storage Filter Driver)
0x83F2B000 C:\Windows\system32\DRIVERS\atapi.sys 36864 bytes (Microsoft Corporation, ATAPI IDE Miniport Driver)
0xA0532000 C:\Windows\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0x8A5EA000 C:\Windows\System32\Drivers\Fs_Rec.sys 36864 bytes (Microsoft Corporation, File System Recognizer Driver)
0x98F90000 C:\Windows\system32\DRIVERS\point32.sys 36864 bytes (Microsoft Corporation, Point32k.sys)
0x83DD1000 C:\Windows\System32\Drivers\PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0x9A340000 C:\Windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)
0x8A999000 C:\Windows\system32\DRIVERS\vmstorfl.sys 36864 bytes (Microsoft Corporation, Virtual Storage Filter Driver)
0x83E49000 C:\Windows\system32\DRIVERS\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0x83C4C000 C:\Windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)
0x8A810000 C:\Windows\System32\drivers\hwpolicy.sys 32768 bytes (Microsoft Corporation, Hardware Policy Driver)
0x80BD1000 C:\Windows\system32\kdcom.dll 32768 bytes (Microsoft Corporation, Serial Kernel Debugger)
0x83E52000 C:\Windows\system32\DRIVERS\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)
0x83C21000 C:\Windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x8E203000 C:\Windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Encoder Miniport)
0x8E20B000 C:\Windows\system32\drivers\rdprefmp.sys 32768 bytes (Microsoft Corporation, RDP Reflector Driver Miniport)
0x8A9E1000 C:\Windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)
0x8A600000 C:\Windows\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)
0x98F5E000 C:\Windows\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0x8A818000 C:\Windows\system32\DRIVERS\null.sys 28672 bytes (Microsoft Corporation, NULL Driver)
0x9B5AA000 C:\Windows\system32\DRIVERS\parvdm.sys 28672 bytes (Microsoft Corporation, VDM Parallel Driver)
0x83EFB000 C:\Windows\system32\DRIVERS\pciide.sys 28672 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0x8FFF6000 C:\Windows\system32\DRIVERS\UimBus.sys 28672 bytes (Windows ® 2000 DDK provider, Image Mounter SCSI Port Driver)
0x8FFDC000 C:\Windows\system32\DRIVERS\wfplwf.sys 28672 bytes (Microsoft Corporation, WFP NDIS 6.20 Lightweight Filter Driver)
0x909D4000 C:\Windows\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0x91776000 C:\Windows\system32\DRIVERS\seehcri.sys 24576 bytes (Sony Ericsson Mobile Communications, seehcri Driver)
0x83F10000 C:\Windows\system32\drivers\hotcore3.sys 20480 bytes (Paragon Software Group, Hotbackup helper driver)
0x9177C000 C:\Windows\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0x8FFF4000 C:\Windows\System32\Drivers\UimFIO.SYS 8192 bytes
0x98F83000 C:\Windows\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
==============================================
>Stealth
==============================================

#6 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  • Gender:Male
  • Location:God's Country
  • Local time:02:44 PM

Posted 07 June 2011 - 04:48 PM

Hi Arni,

Let me know when you are ready to proceed. If I happen to close your topic shoot me a pm. :thumbup2:


Thanks!!
PW

#7 Arni

Arni
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:44 PM

Posted 13 June 2011 - 04:28 PM

Hi, I'm back and ready to proceed.

#8 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  • Gender:Male
  • Location:God's Country
  • Local time:02:44 PM

Posted 16 June 2011 - 08:25 AM

Hi Arni.

I apologize for the delay. I'm away from home and missed your reply.

Can you give an example of the Internet Explorer pop-ups?


Step 1.


We need to disable Spybot S&D's "TeaTimer"

TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.
In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.

  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click [image] and then on "Advanced Mode"
    [image]
  • You may be presented with a warning dialog. If so, press [image]
  • Click on [image]
  • Click on [image]
  • Uncheck this checkbox:
    [image]
  • Close/Exit Spybot Search and Destroy


Step 2.

Please download Malwarebytes' Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2
Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes' when done.
Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.



Step 3.


Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to Disable your Security Applications

    Note - If you have AVG or CA installed, due to recent changes in how these AVs target the tool's internal files, they must be uninstalled before running ComboFix. If you have difficulty uninstalling the AV, download Opswat AppRemover http://www.appremover.com/supported-applications <----Important

    Refer to this page if you are not sure how. You can reinstall AVG when we are finished.

  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Please leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.


In your next reply please include the following:


MBAM log
Combofix.txt



How is your computer running now?



Thanks!!

Edited by pwgib, 16 June 2011 - 08:35 AM.

PW

#9 Arni

Arni
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:44 PM

Posted 16 June 2011 - 12:35 PM

Hi! MBAM still seems to find explorer.exe wanting to pop things up. Sorry, but I think I've missed out a few things before: I've tried most AVs; Avast and MBAM have been able to block most of it. What I've found is that explorer.exe is the file that keeps getting blocked by these programs. That is the reason I turned to this forum, in the hope of finding a solution so that maybe I don't have to reinstall Windows.

The pop-ups are random advertisements. They seem to be changing all the time; every few days they are different ads.
Here are my logs.

Thank You


#10 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  • Gender:Male
  • Location:God's Country
  • Local time:02:44 PM

Posted 17 June 2011 - 11:12 AM

Hi Arni,


Please do not attach logs unless asked to. Copy and paste them directly into the reply box. :thumbup2:


Do you know what this folder is?

C:\DSC


Step 1.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    userinit*
    winlogon* 
    wininit*
    explorer*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


Step 2.


Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


In your next reply please post the following:


SystemLook.txt
aswMBR log



Thanks!!

Edited by pwgib, 17 June 2011 - 03:28 PM.

PW
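The `:filefind` step above asks SystemLook to list every copy of the core logon and shell binaries with size and MD5, and the reason a helper wants that is to compare the copy Windows actually runs with the copies kept in the winsxs component store. As an added example (not code from pwgib, BleepingComputer or the SystemLook tool), here is a Python script that parses that output format and flags a live executable whose hash matches none of its winsxs copies, which is the pattern an in-place patched system file produces. The sample log is constructed for this example; the DEADBEEF... hash is a placeholder, not a real indicator.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample in SystemLook ":filefind" output format (hypothetical input
# for this example). The DEADBEEF... hash stands in for an unexpected hash and is
# not a real indicator.
SAMPLE_LOG = r"""SystemLook 04.09.10 by jpshortstuff
Log created at 22:34 on 17/06/2011 by Arni
Administrator - Elevation successful

========== filefind ==========

Searching for "userinit*"
C:\Qoobox\Quarantine\C\Windows\System32\userinit.exe.vir --a---- 26112 bytes [23:34 13/07/2009] [01:14 14/07/2009] 6DE80F60D7DE9CE6B8C2DDFDF79EF175
C:\Windows\System32\userinit.exe --a---- 26112 bytes [23:34 13/07/2009] [01:14 14/07/2009] 6DE80F60D7DE9CE6B8C2DDFDF79EF175
C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_dbff103933038d7c\userinit.exe --a---- 26112 bytes [23:34 13/07/2009] [01:14 14/07/2009] 6DE80F60D7DE9CE6B8C2DDFDF79EF175

Searching for "explorer*"
C:\Windows\explorer.exe --a---- 2614784 bytes [17:04 16/06/2011] [05:33 26/02/2011] DEADBEEFDEADBEEFDEADBEEFDEADBEEF
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16768_none_51a3a583dafd0cef\explorer.exe --a---- 2614784 bytes [17:04 16/06/2011] [05:33 26/02/2011] 2AF58D15EDC06EC6FDACCE1F19482BBF

-= EOF =-
"""


class Entry(NamedTuple):
    path: str
    size: int
    md5: str


# One result line: <path> <attributes> <size> bytes [created] [modified] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>\S{7}) (?P<size>\d+) bytes "
    r"\[[^\]]+\] \[[^\]]+\] (?P<md5>[0-9A-Fa-f]{32})$"
)
SEARCH_RE = re.compile(r'^Searching for "(?P<term>[^"]*)"$')


def parse_systemlook(text: str) -> Dict[str, List[Entry]]:
    """Group the result lines of a SystemLook :filefind log by search term."""
    results: Dict[str, List[Entry]] = defaultdict(list)
    term = None
    for line in text.splitlines():
        line = line.rstrip()
        m = SEARCH_RE.match(line)
        if m:
            term = m.group("term").strip()
            continue
        m = LINE_RE.match(line)
        if m and term is not None:
            results[term].append(
                Entry(m.group("path"), int(m.group("size")), m.group("md5").upper())
            )
    return dict(results)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def is_live_copy(path: str) -> bool:
    """The copy Windows actually runs: directly in the Windows or System32 folder."""
    return _dirname(path) in (r"c:\windows", r"c:\windows\system32")


def is_winsxs_copy(path: str) -> bool:
    """A copy in the component store, which serviced system files are linked from."""
    return "\\winsxs\\" in path.lower()


def audit_live_binaries(text: str) -> Dict[str, str]:
    """Return a verdict per live .exe: "ok" when its MD5 matches a winsxs copy of the
    same file name, otherwise a short reason. Backups (ERDNT, Qoobox) are ignored."""
    by_name: Dict[str, List[Entry]] = defaultdict(list)
    for entries in parse_systemlook(text).values():
        for e in entries:
            by_name[_basename(e.path)].append(e)
    verdicts: Dict[str, str] = {}
    for name, copies in by_name.items():
        if not name.endswith(".exe"):
            continue
        store_hashes = {c.md5 for c in copies if is_winsxs_copy(c.path)}
        for c in copies:
            if not is_live_copy(c.path):
                continue
            if not store_hashes:
                verdicts[c.path] = "no winsxs copy to compare against"
            elif c.md5 in store_hashes:
                verdicts[c.path] = "ok"
            else:
                # Same size as the store copy but a hash no serviced version has:
                # the signature of an in-place patch, worth a closer look.
                verdicts[c.path] = "hash not found in winsxs"
    return verdicts


if __name__ == "__main__":
    for path, verdict in sorted(audit_live_binaries(SAMPLE_LOG).items()):
        print(f"{verdict:32} {path}")
```

A "hash not found in winsxs" verdict is a lead, not proof: confirm it by checking the file's digital signature or submitting it to a multi-engine scanner before acting on it.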

#11 Arni

Arni
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:44 PM

Posted 17 June 2011 - 04:42 PM

Hi!
My system seems to be fine today, but just in case, here are the logs.
And yes, I know that folder; it is a demo viewing program.

SystemLook 04.09.10 by jpshortstuff
Log created at 22:34 on 17/06/2011 by Arni
Administrator - Elevation successful

========== filefind ==========

Searching for "userinit*"
C:\Qoobox\Quarantine\C\Windows\System32\userinit.exe.vir --a---- 26112 bytes [23:34 13/07/2009] [01:14 14/07/2009] 6DE80F60D7DE9CE6B8C2DDFDF79EF175
C:\Windows\ERDNT\cache\userinit.exe --a---- 26112 bytes [16:40 16/06/2011] [01:14 14/07/2009] 6DE80F60D7DE9CE6B8C2DDFDF79EF175
C:\Windows\System32\userinit.exe --a---- 26112 bytes [23:34 13/07/2009] [01:14 14/07/2009] 6DE80F60D7DE9CE6B8C2DDFDF79EF175
C:\Windows\System32\en-US\userinit.exe.mui --a---- 3584 bytes [04:55 14/07/2009] [02:03 14/07/2009] EA67C653ECFED02D7DBFB889A908CAA9
C:\Windows\winsxs\x86_microsoft-windows-userinit.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8fc6fc4f33a62837\userinit.exe.mui --a---- 3584 bytes [04:55 14/07/2009] [02:03 14/07/2009] EA67C653ECFED02D7DBFB889A908CAA9
C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_dbff103933038d7c\userinit.exe --a---- 26112 bytes [23:34 13/07/2009] [01:14 14/07/2009] 6DE80F60D7DE9CE6B8C2DDFDF79EF175

Searching for "winlogon* "
C:\Windows\ERDNT\cache\winlogon.exe --a---- 285696 bytes [16:40 16/06/2011] [06:17 28/10/2009] 37CDB7E72EB66BA85A87CBE37E7F03FD
C:\Windows\PolicyDefinitions\WinLogon.admx --a---- 5237 bytes [21:50 13/07/2009] [21:43 10/06/2009] 89D8F50E186A16C2CED3CF36DBBC0B2C
C:\Windows\PolicyDefinitions\en-US\WinLogon.adml --a---- 8013 bytes [04:55 14/07/2009] [02:05 14/07/2009] CED0EAD8D152B3D0F114698DE2316C5E
C:\Windows\System32\winlogon.exe --a---- 285696 bytes [01:40 27/01/2010] [06:17 28/10/2009] 37CDB7E72EB66BA85A87CBE37E7F03FD
C:\Windows\System32\en-US\winlogon.exe.mui --a---- 22528 bytes [04:55 14/07/2009] [02:05 14/07/2009] DB61D28A59DEE68F77811B291D83AD1B
C:\Windows\System32\migwiz\dlmanifests\winlogon-DL.man --a---- 2346 bytes [21:43 10/06/2009] [21:43 10/06/2009] 0D22A775CE54F69925A7B65632D3D782
C:\Windows\System32\wbem\winlogon.mof --a---- 3192 bytes [21:50 13/07/2009] [20:37 13/07/2009] DF722B96F32A61783BC310FACF10240B
C:\Windows\System32\wbem\en-US\winlogon.mfl --a---- 1080 bytes [04:55 14/07/2009] [02:09 14/07/2009] 2783ED50691284F7EAE6BE9729337E1A
C:\Windows\System32\wdi\perftrack\WinlogonEvents.ptxml --a---- 1028 bytes [20:37 13/07/2009] [20:37 13/07/2009] 65AF8144A53A88F7F963AFAB3E2120E5
C:\Windows\winsxs\x86_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.1.7600.16385_none_024f0ba1e4ed554c\winlogon-DL.man --a---- 2346 bytes [21:43 10/06/2009] [21:43 10/06/2009] 0D22A775CE54F69925A7B65632D3D782
C:\Windows\winsxs\x86_microsoft-windows-winlogon-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_94da67ab3e358f3a\WinLogon.adml --a---- 8013 bytes [04:55 14/07/2009] [02:05 14/07/2009] CED0EAD8D152B3D0F114698DE2316C5E
C:\Windows\winsxs\x86_microsoft-windows-winlogon-adm_31bf3856ad364e35_6.1.7600.16385_none_7ae3b2e5da95d117\WinLogon.admx --a---- 5237 bytes [21:50 13/07/2009] [21:43 10/06/2009] 89D8F50E186A16C2CED3CF36DBBC0B2C
C:\Windows\winsxs\x86_microsoft-windows-winlogon-events_31bf3856ad364e35_6.1.7600.16385_none_0d1382c1e95e55d0\WinlogonEvents.ptxml --a---- 1028 bytes [20:37 13/07/2009] [20:37 13/07/2009] 65AF8144A53A88F7F963AFAB3E2120E5
C:\Windows\winsxs\x86_microsoft-windows-winlogon-mof.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2891397980a26140\winlogon.mfl --a---- 1080 bytes [04:55 14/07/2009] [02:09 14/07/2009] 2783ED50691284F7EAE6BE9729337E1A
C:\Windows\winsxs\x86_microsoft-windows-winlogon-mof_31bf3856ad364e35_6.1.7600.16385_none_800f1ff3d73b72d9\winlogon.mof --a---- 3192 bytes [21:50 13/07/2009] [20:37 13/07/2009] DF722B96F32A61783BC310FACF10240B
C:\Windows\winsxs\x86_microsoft-windows-winlogon.resources_31bf3856ad364e35_6.1.7600.16385_en-us_cacee7ae656a07ab\winlogon.exe.mui --a---- 22528 bytes [04:55 14/07/2009] [02:05 14/07/2009] DB61D28A59DEE68F77811B291D83AD1B
C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16385_none_6f99573a36451166\winlogon.exe --a---- 285696 bytes [23:37 13/07/2009] [01:14 14/07/2009] 8EC6A4AB12B8F3759E21F8E3A388F2CF
C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16447_none_6fc699643622d177\winlogon.exe --a---- 285696 bytes [01:40 27/01/2010] [06:17 28/10/2009] 37CDB7E72EB66BA85A87CBE37E7F03FD
C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.20560_none_703394514f56f7c2\winlogon.exe --a---- 285696 bytes [01:40 27/01/2010] [05:52 28/10/2009] 3BABE6767C78FBF5FB8435FEED187F30

Searching for "wininit*"
C:\Windows\wininit.ini --a---- 120 bytes [20:49 13/12/2009] [20:49 13/12/2009] 123782FDAC6072948187E119D3355191
C:\Windows\ERDNT\cache\wininit.exe --a---- 96256 bytes [16:40 16/06/2011] [01:14 14/07/2009] B5C5DCAD3899512020D135600129D665
C:\Windows\PolicyDefinitions\WinInit.admx --a---- 1955 bytes [21:50 13/07/2009] [21:43 10/06/2009] F66D412710F29E576EAF728735E0A520
C:\Windows\PolicyDefinitions\en-US\WinInit.adml --a---- 2026 bytes [04:55 14/07/2009] [02:07 14/07/2009] 5A55EFE78F5DE3C24FAD6717DE1A550F
C:\Windows\System32\wininit.exe --a---- 96256 bytes [23:36 13/07/2009] [01:14 14/07/2009] B5C5DCAD3899512020D135600129D665
C:\Windows\System32\en-US\wininit.exe.mui --a---- 5120 bytes [04:55 14/07/2009] [02:05 14/07/2009] 0CA1666E3535B8045352649498A8E1A6
C:\Windows\System32\wbem\wininit.mof --a---- 1756 bytes [21:50 13/07/2009] [20:37 13/07/2009] DCAC8F9E0C0E855E43A5F3AFE90B5377
C:\Windows\System32\wbem\en-US\wininit.mfl --a---- 714 bytes [04:55 14/07/2009] [02:09 14/07/2009] 4CE464D75D5ABBC3566BD58D6D6C3630
C:\Windows\winsxs\x86_microsoft-windows-wininit-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_63b5b48dad59658b\WinInit.adml --a---- 2026 bytes [04:55 14/07/2009] [02:07 14/07/2009] 5A55EFE78F5DE3C24FAD6717DE1A550F
C:\Windows\winsxs\x86_microsoft-windows-wininit-adm_31bf3856ad364e35_6.1.7600.16385_none_ddc6dbfea8e7f0b8\WinInit.admx --a---- 1955 bytes [21:50 13/07/2009] [21:43 10/06/2009] F66D412710F29E576EAF728735E0A520
C:\Windows\winsxs\x86_microsoft-windows-wininit-mof.resources_31bf3856ad364e35_6.1.7600.16385_en-us_67fe9b5ab462e835\wininit.mfl --a---- 714 bytes [04:55 14/07/2009] [02:09 14/07/2009] 4CE464D75D5ABBC3566BD58D6D6C3630
C:\Windows\winsxs\x86_microsoft-windows-wininit-mof_31bf3856ad364e35_6.1.7600.16385_none_dab7329caadd1b06\wininit.mof --a---- 1756 bytes [21:50 13/07/2009] [20:37 13/07/2009] DCAC8F9E0C0E855E43A5F3AFE90B5377
C:\Windows\winsxs\x86_microsoft-windows-wininit.resources_31bf3856ad364e35_6.1.7600.16385_en-us_453be6e96bdadb18\wininit.exe.mui --a---- 5120 bytes [04:55 14/07/2009] [02:05 14/07/2009] 0CA1666E3535B8045352649498A8E1A6
C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13\wininit.exe --a---- 96256 bytes [23:36 13/07/2009] [01:14 14/07/2009] B5C5DCAD3899512020D135600129D665

Searching for "explorer*"
C:\Program Files\Microsoft IntelliPoint\Models\ExplorerMiniMouse\ExplorerMiniMouse.bmp --a---- 22840 bytes [14:56 07/01/2011] [14:56 07/01/2011] DA0845958C77001BB8A03CF96393554F
C:\Program Files\Microsoft IntelliPoint\Models\ExplorerMiniMouse\ExplorerMiniMouse_Button1.bmp --a---- 2784 bytes [14:56 07/01/2011] [14:56 07/01/2011] E8930E0BC07BA47C2238BB2546FCCE70
C:\Program Files\Microsoft IntelliPoint\Models\ExplorerMiniMouse\ExplorerMiniMouse_Button2.bmp --a---- 2784 bytes [14:56 07/01/2011] [14:56 07/01/2011] EF90937FB775E509C8FD266B0B54C353
C:\Program Files\Microsoft IntelliPoint\Models\ExplorerMiniMouse\ExplorerMiniMouse_Button3.bmp --a---- 2784 bytes [14:56 07/01/2011] [14:56 07/01/2011] 81176804B6AEDB32153CFD4C0F92ADD6
C:\Program Files\Microsoft IntelliPoint\Models\ExplorerMiniMouse\ExplorerMiniMouse_Button4.bmp --a---- 2784 bytes [14:56 07/01/2011] [14:56 07/01/2011] 89EF24E2D3D6D3D6908336BD8634B18B
C:\Program Files\Microsoft IntelliPoint\Models\ExplorerMiniMouse\ExplorerMiniMouse_Button5.bmp --a---- 2784 bytes [14:56 07/01/2011] [14:56 07/01/2011] 05D85CBD5C40380D2DCACF76CF121C86
C:\Program Files\Microsoft IntelliPoint\Models\ExplorerMouse\ExplorerMouse.bmp --a---- 22840 bytes [14:56 07/01/2011] [14:56 07/01/2011] 832F839BA1783D2453F25C41CEBB3751
C:\Program Files\Microsoft IntelliPoint\Models\ExplorerMouse\ExplorerMouse_Button1.bmp --a---- 2784 bytes [14:56 07/01/2011] [14:56 07/01/2011] 67B33A59840D86EBC6A7A929A245D229
C:\Program Files\Microsoft IntelliPoint\Models\ExplorerMouse\ExplorerMouse_Button2.bmp --a---- 2784 bytes [14:56 07/01/2011] [14:56 07/01/2011] 4A6772145E9747DBE32245EDDB5A5209
C:\Program Files\Microsoft IntelliPoint\Models\ExplorerMouse\ExplorerMouse_Button3.bmp --a---- 2784 bytes [14:56 07/01/2011] [14:56 07/01/2011] 9158307E99D424518BA22EAA59672AEB
C:\Program Files\Microsoft IntelliPoint\Models\ExplorerMouse\ExplorerMouse_Button4.bmp --a---- 2784 bytes [14:56 07/01/2011] [14:56 07/01/2011] 58BAFB28D380022141D71D91B38B6190
C:\Program Files\Microsoft IntelliPoint\Models\ExplorerMouse\ExplorerMouse_Button5.bmp --a---- 2784 bytes [14:56 07/01/2011] [14:56 07/01/2011] 55BE444C70BEB43917A76384F1EAE6EA
C:\Program Files\Paragon Software\Drive Backup 8.51 Professional Trial\Program\Resource\html\Help\Explorer_Bar.htm --a---- 11985 bytes [18:46 15/04/2010] [08:06 06/11/2007] 80BCFB438746FE42B02535EFB0B9B8F0
C:\Program Files\Paragon Software\Drive Backup 8.51 Professional Trial\Program\Resource\img\explorer_large.png --a---- 1974 bytes [18:46 15/04/2010] [08:06 06/11/2007] AD7C67A5F098FB2847788F3953C298A8
C:\Program Files\Paragon Software\Drive Backup 8.51 Professional Trial\Program\Resource\img\explorer_small.png --a---- 621 bytes [18:46 15/04/2010] [08:06 06/11/2007] 20A5E2834C0CFE4E88A75BDEAD5045E3
C:\Program Files\Paragon Software\Partition Manager 9.0 Professional\Program\Resource\html\Help\Explorer_Bar.htm --a---- 9555 bytes [18:45 15/04/2010] [16:43 21/01/2008] 8702F69B1CEE03259A67D2A84092DFEB
C:\Program Files\Paragon Software\Partition Manager 9.0 Professional\Program\Resource\img\explorer_large.png --a---- 1974 bytes [18:45 15/04/2010] [16:43 21/01/2008] AD7C67A5F098FB2847788F3953C298A8
C:\Program Files\Paragon Software\Partition Manager 9.0 Professional\Program\Resource\img\explorer_small.png --a---- 621 bytes [18:45 15/04/2010] [16:43 21/01/2008] 20A5E2834C0CFE4E88A75BDEAD5045E3
C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\Skin\Connected\Explorerbar.inf --a---- 876 bytes [20:10 05/03/2010] [23:06 17/10/2008] A8A7EDAA1A5B886DFA7161320D23F55D
C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\Skin\FileTransfer\Explorerbar.inf --a---- 876 bytes [20:10 05/03/2010] [23:13 17/10/2008] A8A7EDAA1A5B886DFA7161320D23F55D
C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\Skin\MediaTransfer\Explorerbar.inf --a---- 876 bytes [20:10 05/03/2010] [23:06 17/10/2008] A8A7EDAA1A5B886DFA7161320D23F55D
C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\Skin\NoPhone\Explorerbar.inf --a---- 876 bytes [20:10 05/03/2010] [23:06 17/10/2008] A8A7EDAA1A5B886DFA7161320D23F55D
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\Skin\Connected\Explorerbar.inf --a---- 2597 bytes [20:23 05/03/2010] [16:47 08/03/2007] CDB5867726F1C569F8457C080F1E685E
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\Skin\FileTransfer\Explorerbar.inf --a---- 2597 bytes [20:23 05/03/2010] [16:51 08/03/2007] CDB5867726F1C569F8457C080F1E685E
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\Skin\MediaTransfer\Explorerbar.inf --a---- 2597 bytes [20:23 05/03/2010] [16:51 08/03/2007] CDB5867726F1C569F8457C080F1E685E
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\Skin\NoPhone\Explorerbar.inf --a---- 2597 bytes [20:23 05/03/2010] [16:51 08/03/2007] CDB5867726F1C569F8457C080F1E685E
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\Studios\Sync Studio\Images\Explorer.gif --a---- 1054 bytes [20:23 05/03/2010] [09:22 22/07/2008] 678B9EABF7493254CDB7F86E98AFAFD7
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\Studios\Sync Studio\Images\Explorer_D.gif --a---- 1054 bytes [20:23 05/03/2010] [09:22 22/07/2008] DB48BBC10BC3D64DF43EBC41FDE9B9C6
C:\Users\Arni\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog.etl --a---- 32768 bytes [19:11 27/10/2009] [19:12 27/10/2009] 6B9BFF310073E34BDEF686AEF06B2FA0
C:\Users\Arni\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog_RunOnce.etl --a---- 16384 bytes [19:11 27/10/2009] [16:37 16/06/2011] DC952B3D637D06154A8726629B21C8F1
C:\Users\Arni\AppData\Roaming\NoNameScript\iconsets\jaffa\Explorer.ico --a---- 894 bytes [10:18 01/02/2006] [10:18 01/02/2006] A17571325E1B61B63B8A7007462440C0
C:\Users\Arni\AppData\Roaming\NoNameScript\iconsets\megapack\explorer.ico --a---- 894 bytes [10:19 01/02/2006] [10:19 01/02/2006] 94BD1A2B94C0E307F781EA5C0BD156EB
C:\Users\Arni\AppData\Roaming\NoNameScript\iconsets\moonshine\Explorer.ico --a---- 894 bytes [10:20 01/02/2006] [10:20 01/02/2006] FCB9388526267BF7601C3FED3C3FBB67
C:\Users\Arni\Documents\ThaImpact\SystemFiles\RTM\x64\explorer.exe --a---- 2868224 bytes [18:15 29/10/2009] [10:58 04/09/2009] 5E6DDFC2288178681F11515C33EB73BC
C:\Users\Arni\Documents\ThaImpact\SystemFiles\RTM\x64\ExplorerFrame.dll --a---- 1844224 bytes [18:15 29/10/2009] [10:57 04/09/2009] 93BE30D09E154D1CE92D56CD74B0C018
C:\Users\Arni\Documents\ThaImpact\SystemFiles\RTM\x86\explorer.exe --a---- 2613248 bytes [18:15 29/10/2009] [22:14 01/09/2009] 2FB3BA5B9C744BD698767FC85B7CD3EE
C:\Users\Arni\Documents\ThaImpact\SystemFiles\RTM\x86\ExplorerFrame.dll --a---- 1475584 bytes [18:15 29/10/2009] [22:13 01/09/2009] 7DF25965F25D9EDBC9C44C4E520622B4
C:\Windows\explorer.exe --a---- 2614784 bytes [17:04 16/06/2011] [05:33 26/02/2011] 2AF58D15EDC06EC6FDACCE1F19482BBF
C:\Windows\en-US\explorer.exe.mui --a---- 22016 bytes [04:54 14/07/2009] [02:06 14/07/2009] B9F4B1CA23D60775736059D72BA48526
C:\Windows\ERDNT\cache\explorer.exe --a---- 2614272 bytes [16:40 16/06/2011] [05:45 31/10/2009] 2626FC9755BE22F805D3CFA0CE3EE727
C:\Windows\PolicyDefinitions\Explorer.admx --a---- 3836 bytes [21:56 13/07/2009] [21:34 10/06/2009] AD131A834808E6AFF4A3918DE05BFCF6
C:\Windows\PolicyDefinitions\en-US\Explorer.adml --a---- 3695 bytes [04:54 14/07/2009] [02:07 14/07/2009] 7A4C7F3CB156543113596988479CAFCE
C:\Windows\Prefetch\EXPLORER.EXE-7A3328DA.pf --a---- 145448 bytes [16:20 16/06/2011] [21:34 17/06/2011] C0A89477271424DEC74F11E9815D557D
C:\Windows\System32\ExplorerFrame.dll --a---- 1495040 bytes [18:17 11/01/2011] [05:14 26/06/2010] 8898C95862D03D16B2A06DB4DB6BB6B2
C:\Windows\System32\en-US\explorerframe.dll.mui --a---- 18432 bytes [04:54 14/07/2009] [02:03 14/07/2009] BC486AFF277CD6AE2406FA1FE1B09D56
C:\Windows\System32\migwiz\dlmanifests\explorer-DL.man --a---- 2571 bytes [21:19 10/06/2009] [21:19 10/06/2009] 87354E386F0C6B4D1FD4D9301A468C76
C:\Windows\System32\spp\tokens\ppdlic\explorer-ppdlic.xrm-ms --a---- 3065 bytes [17:04 16/06/2011] [05:46 26/02/2011] 85BBB08ADAA367955232AEEDEDDED99B
C:\Windows\tracing\Explorer_RASAPI32.LOG --a---- 375615 bytes [17:10 16/03/2010] [16:48 16/06/2011] 4E4E3B59AC7F92541DDBA7819F820655
C:\Windows\tracing\Explorer_RASAPI32.OLD --a---- 1410494 bytes [17:10 16/03/2010] [19:02 03/04/2011] 900C1633B2C6A7CC7D971720D9AE0B70
C:\Windows\tracing\Explorer_RASDLG.LOG --a---- 51508 bytes [17:10 16/03/2010] [14:58 05/06/2011] AFF993693B2619EF67A2F86E48944A78
C:\Windows\tracing\Explorer_RASGCW.LOG --a---- 5224 bytes [17:10 16/03/2010] [12:21 30/05/2011] 31013F7E9D01F27DC8532423AF1F979B
C:\Windows\tracing\Explorer_RASMANCS.LOG --a---- 128420 bytes [17:10 16/03/2010] [16:48 16/06/2011] 498DF31AEE5A5999097144D4E6A5F9B0
C:\Windows\winsxs\x86_microsoft-windows-e..orerframe.resources_31bf3856ad364e35_6.1.7600.16385_en-us_534f06a653f639de\explorerframe.dll.mui --a---- 18432 bytes [04:54 14/07/2009] [02:03 14/07/2009] BC486AFF277CD6AE2406FA1FE1B09D56
C:\Windows\winsxs\x86_microsoft-windows-explorer.resources_31bf3856ad364e35_6.1.7600.16385_en-us_05c8dd40d4f56065\explorer.exe.mui --a---- 22016 bytes [04:54 14/07/2009] [02:06 14/07/2009] B9F4B1CA23D60775736059D72BA48526
C:\Windows\winsxs\x86_microsoft-windows-explorerframe_31bf3856ad364e35_6.1.7600.16385_none_c2535f86d5247c4b\ExplorerFrame.dll --a---- 1495040 bytes [23:44 13/07/2009] [01:15 14/07/2009] FD13400115D3D0D70E087AB826DF593A
C:\Windows\winsxs\x86_microsoft-windows-explorerframe_31bf3856ad364e35_6.1.7600.16623_none_c292442cd4f5996c\ExplorerFrame.dll --a---- 1495040 bytes [18:17 11/01/2011] [05:14 26/06/2010] 8898C95862D03D16B2A06DB4DB6BB6B2
C:\Windows\winsxs\x86_microsoft-windows-explorerframe_31bf3856ad364e35_6.1.7600.20743_none_c306411fee237118\ExplorerFrame.dll --a---- 1495552 bytes [18:17 11/01/2011] [05:07 26/06/2010] EB8635C271546A027DCAD0EDF765DE64
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer-ppdlic.xrm-ms --a---- 3065 bytes [01:25 14/07/2009] [01:25 14/07/2009] F7DC315BA4E465D20EA75B88D5C3A5F8
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe --a---- 2613248 bytes [23:41 13/07/2009] [01:14 14/07/2009] 15BC38A7492BEFE831966ADB477CF76F
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_51e07e31dad00878\explorer-ppdlic.xrm-ms --a---- 3065 bytes [03:04 31/10/2009] [05:55 03/08/2009] 179322B1AF820EF73EB6231B312A3112
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_51e07e31dad00878\explorer.exe --a---- 2613248 bytes [03:04 31/10/2009] [05:35 03/08/2009] B95EEB0F4E5EFBF1038A35B3351CF047
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_51a66d6ddafc2ed1\explorer-ppdlic.xrm-ms --a---- 3065 bytes [01:40 27/01/2010] [05:59 31/10/2009] 4EEC220C7268BEDA3A76C9622EAFB6BB
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_51a66d6ddafc2ed1\explorer.exe --a---- 2614272 bytes [01:40 27/01/2010] [05:45 31/10/2009] 2626FC9755BE22F805D3CFA0CE3EE727
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16768_none_51a3a583dafd0cef\explorer-ppdlic.xrm-ms --a---- 3065 bytes [17:04 16/06/2011] [05:46 26/02/2011] 85BBB08ADAA367955232AEEDEDDED99B
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16768_none_51a3a583dafd0cef\explorer.exe --a---- 2614784 bytes [17:04 16/06/2011] [05:33 26/02/2011] 2AF58D15EDC06EC6FDACCE1F19482BBF
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_526619d4f3f142e6\explorer-ppdlic.xrm-ms --a---- 3065 bytes [03:04 31/10/2009] [06:13 03/08/2009] E2FD11462CF95BB25A8440C7F2C2D1E9
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_526619d4f3f142e6\explorer.exe --a---- 2613248 bytes [03:04 31/10/2009] [05:49 03/08/2009] 9FF6C4C91A3711C0A3B18F87B08B518D
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_52283b2af41f3691\explorer-ppdlic.xrm-ms --a---- 3065 bytes [01:40 27/01/2010] [06:09 31/10/2009] F88A36EEF75E6F1E24E9BCD244E33B01
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_52283b2af41f3691\explorer.exe --a---- 2614272 bytes [01:40 27/01/2010] [06:00 31/10/2009] C76153C7ECA00FA852BB0C193378F917
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20910_none_525b5180f3f95373\explorer-ppdlic.xrm-ms --a---- 3065 bytes [17:04 16/06/2011] [06:03 26/02/2011] A22A871839C7FD622127471087C4BF44
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20910_none_525b5180f3f95373\explorer.exe --a---- 2614784 bytes [17:04 16/06/2011] [05:51 26/02/2011] 255CF508D7CFB10E0794D6AC93280BD8
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_5389023fd8245f84\explorer-ppdlic.xrm-ms --a---- 3065 bytes [17:04 16/06/2011] [05:47 25/02/2011] 105767FBB2039774BADE7B91135812B2
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_5389023fd8245f84\explorer.exe --a---- 2616320 bytes [17:04 16/06/2011] [05:30 25/02/2011] 8B88EBBB05A0E56B7DCC708498C02B3E
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_54149f9ef14031fc\explorer-ppdlic.xrm-ms --a---- 3065 bytes [17:04 16/06/2011] [05:36 26/02/2011] 83D53AF512566B1511A7CB963BD1AD19
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_54149f9ef14031fc\explorer.exe --a---- 2616320 bytes [17:04 16/06/2011] [05:19 26/02/2011] 0FB9C74046656D1579A64660AD67B746
C:\Windows\winsxs\x86_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.1.7600.16385_none_024f0ba1e4ed554c\explorer-DL.man --a---- 2571 bytes [21:19 10/06/2009] [21:19 10/06/2009] 87354E386F0C6B4D1FD4D9301A468C76
C:\Windows\winsxs\x86_microsoft-windows-s..ouppolicy.resources_31bf3856ad364e35_6.1.7600.16385_en-us_22d6d5b5cba907ce\Explorer.adml --a---- 3695 bytes [04:54 14/07/2009] [02:07 14/07/2009] 7A4C7F3CB156543113596988479CAFCE
C:\Windows\winsxs\x86_microsoft-windows-shell-grouppolicy_31bf3856ad364e35_6.1.7600.16385_none_1590ffd752297581\Explorer.admx --a---- 3836 bytes [21:56 13/07/2009] [21:34 10/06/2009] AD131A834808E6AFF4A3918DE05BFCF6

-= EOF =-

aswMBR version 0.9.6.399 Copyright© 2011 AVAST Software
Run date: 2011-06-17 22:41:22
-----------------------------
22:41:22.558 OS Version: Windows 6.1.7600
22:41:22.558 Number of processors: 2 586 0x4B02
22:41:22.560 ComputerName: ARNI-PC UserName: Arni
22:41:23.130 Initialize success
22:41:26.771 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000007c
22:41:26.774 Disk 0 Vendor: WDC_WD32 21.0 Size: 305245MB BusType: 3
22:41:28.777 Disk 0 MBR read successfully
22:41:28.780 Disk 0 MBR scan
22:41:28.782 Disk 0 Windows 7 default MBR code
22:41:30.786 Disk 0 scanning sectors +625137345
22:41:30.814 Disk 0 scanning C:\Windows\system32\drivers
22:41:36.465 Service scanning
22:41:37.582 Disk 0 trace - called modules:
22:41:37.592 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll storport.sys nvstor.sys
22:41:37.597 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86bbc030]
22:41:37.602 3 CLASSPNP.SYS[8b98659e] -> nt!IofCallDriver -> [0x85bb6f08]
22:41:37.608 5 ACPI.sys[83dab3b2] -> nt!IofCallDriver -> \Device\0000007c[0x864b9ac0]
22:41:37.613 Scan finished successfully
22:41:57.012 Disk 0 MBR has been saved successfully to "C:\Users\Arni\Desktop\MBR.dat"
22:41:57.021 The log file has been saved successfully to "C:\Users\Arni\Desktop\aswMBR.txt"

Thank You!

#12 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  • Gender:Male
  • Location:God's Country
  • Local time:02:44 PM

Posted 18 June 2011 - 07:24 AM

Hi Arni,

  • Click on this link --> virustotal
  • Click the browse button. Copy and paste the following lines in the open box, then click Send File after pasting one line. You will only be able to have one file scanned at a time.

C:\Windows\System32\userinit.exe
C:\Windows\ERDNT\cache\userinit.exe

If the file has been analyzed before, click the Reanalyse File Now button.

Please copy and paste the results of the scan in your next post.

Note: I will be traveling and unavailable Saturday afternoon 06/18/2011.

Thanks!!
PW

#13 Arni

Arni
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:44 PM

Posted 18 June 2011 - 01:54 PM

Hi

Malwarebytes has found some things like: PUP.FunWebProducts, Trojan.FakeAlert

Here are the results:

AhnLab-V3 2011.06.19.00 2011.06.18 -
AntiVir 7.11.10.12 2011.06.17 -
Antiy-AVL 2.0.3.7 2011.06.18 -
Avast 4.8.1351.0 2011.06.18 -
Avast5 5.0.677.0 2011.06.18 -
AVG 10.0.0.1190 2011.06.18 -
BitDefender 7.2 2011.06.18 -
CAT-QuickHeal 11.00 2011.06.18 -
ClamAV 0.97.0.0 2011.06.18 -
Commtouch 5.3.2.6 2011.06.18 -
Comodo 9114 2011.06.18 -
DrWeb 5.0.2.03300 2011.06.18 -
eSafe 7.0.17.0 2011.06.15 -
eTrust-Vet 36.1.8393 2011.06.17 -
F-Prot 4.6.2.117 2011.06.18 -
Fortinet 4.2.257.0 2011.06.18 -
GData 22 2011.06.18 -
Ikarus T3.1.1.104.0 2011.06.18 -
Jiangmin 13.0.900 2011.06.18 -
K7AntiVirus 9.106.4825 2011.06.18 -
Kaspersky 9.0.0.837 2011.06.18 -
McAfee 5.400.0.1158 2011.06.18 -
McAfee-GW-Edition 2010.1D 2011.06.18 -
Microsoft 1.6903 2011.06.13 -
NOD32 6220 2011.06.18 -
Norman 6.07.10 2011.06.18 -
nProtect 2011-06-18.01 2011.06.18 -
Panda 10.0.3.5 2011.06.18 -
PCTools 7.0.3.5 2011.06.17 -
Prevx 3.0 2011.06.18 -
Rising 23.62.03.03 2011.06.17 -
Sophos 4.66.0 2011.06.18 -
SUPERAntiSpyware 4.40.0.1006 2011.06.18 -
Symantec 20111.1.0.186 2011.06.18 -
TheHacker 6.7.0.1.233 2011.06.18 -
TrendMicro 9.200.0.1012 2011.06.18 -
TrendMicro-HouseCall 9.200.0.1012 2011.06.18 -
VBA32 3.12.16.2 2011.06.17 -
VIPRE 9620 2011.06.18 -
ViRobot 2011.6.18.4521 2011.06.18 -
VirusBuster 14.0.85.1 2011.06.18 -
Additional information
MD5 : 6de80f60d7de9ce6b8c2ddfdf79ef175
SHA1 : 8d439a6186ff526403989ac217dfe8e3a2d8bc2c
SHA256: 7784a6cada74e314e7d79573ad9e490f4a36e0deb86c07732a75856a7e8f1e3a
ssdeep: 384:Oj+CsDNjesrHdlvJhRLYZpgKeGf5F/hyWeR22PXG/7LKpuZeRsJCKWuVymWB:OxstZlRhNYZpgpuFeR22vo7L3O1
File size : 26112 bytes
First seen: 2009-08-11 16:56:55
Last seen : 2011-06-18 18:37:57
TrID:
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Userinit Logon Application
original name: USERINIT.EXE
internal name: userinit
file version.: 6.1.7600.16385 (win7_rtm.090713-1255)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x2B4E
timedatestamp....: 0x4A5BC47B (Mon Jul 13 23:34:19 2009)
machinetype......: 0x14c (I386)

[[ 4 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x4CC9, 0x4E00, 6.08, 42103130bcecb40c949779c1a865ac9a
.data, 0x6000, 0x4E8, 0x600, 0.87, 33d7907333f0fbf9350ce65ced1af048
.rsrc, 0x7000, 0x778, 0x800, 4.05, cb2b29ba8fea6ee6f3666d8bf554071f
.reloc, 0x8000, 0x410, 0x600, 5.22, ae619042157784c4e0538bf811d6d473

[[ 7 import(s) ]]
ntdll.dll: DbgPrint, RtlInitUnicodeString, NtOpenKey, NtClose
API_MS_Win_Core_LocalRegistry_L1_1_0.dll: RegCreateKeyExW, RegDeleteTreeW, RegSetValueExW, RegQueryValueExW, RegOpenKeyExW, RegCloseKey, RegQueryInfoKeyW
API_MS_Win_Core_ProcessThreads_L1_1_0.dll: SetThreadPriority, GetCurrentThread, CreateThread, GetCurrentProcess, CreateProcessW, OpenProcessToken
USER32.dll: CharNextW, GetKeyboardLayout, GetSystemMetrics, ExitWindowsEx, MessageBoxW, LoadStringW, LoadRemoteFonts, DefWindowProcW, RegisterClassExW, DestroyWindow, CreateWindowExW, SystemParametersInfoW
USERENV.dll: -
msvcrt.dll: _ismbblead, _XcptFilter, _exit, _cexit, exit, _wcsicmp, memset, memmove, _vsnwprintf, _initterm, _acmdln, _amsg_exit, __setusermatherr, __p__fmode, __set_app_type, _terminate@@YAXXZ, _except_handler4_common, _controlfp, __getmainargs, __p__commode
KERNEL32.dll: GetSystemTimeAsFileTime, TerminateProcess, UnhandledExceptionFilter, GetCurrentProcessId, GetTickCount, QueryPerformanceCounter, GetModuleHandleA, SetUnhandledExceptionFilter, GetStartupInfoA, InterlockedExchange, LoadLibraryA, RegOpenKeyExA, RegQueryValueExA, ExpandEnvironmentStringsA, LoadLibraryExA, InterlockedCompareExchange, DelayLoadFailureHook, HeapSetInformation, SetCurrentDirectoryW, FormatMessageW, GetFileAttributesExW, GetSystemDirectoryW, SetLastError, ExpandEnvironmentStringsW, GetUserDefaultLangID, SetEvent, OpenEventW, Sleep, WaitForSingleObject, CloseHandle, GetLastError, SetEnvironmentVariableW, SearchPathW, GetCurrentThreadId, CompareFileTime, LoadLibraryW, GetProcAddress, FreeLibrary, GetEnvironmentVariableW, LocalAlloc, LocalFree, GetVersionExW, lstrlenW
ExifTool:
file metadata
CharacterSet: Unicode
CodeSize: 19968
CompanyName: Microsoft Corporation
EntryPoint: 0x2b4e
FileDescription: Userinit Logon Application
FileFlagsMask: 0x003f
FileOS: Windows NT 32-bit
FileSize: 26 kB
FileSubtype: 0
FileType: Win32 EXE
FileVersion: 6.1.7600.16385 (win7_rtm.090713-1255)
FileVersionNumber: 6.1.7600.16385
ImageVersion: 6.1
InitializedDataSize: 5120
InternalName: userinit
LanguageCode: English (U.S.)
LegalCopyright: Microsoft Corporation. All rights reserved.
LinkerVersion: 9.0
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 6.1
ObjectFileType: Executable application
OriginalFilename: USERINIT.EXE
PEType: PE32
ProductName: Microsoft Windows Operating System
ProductVersion: 6.1.7600.16385
ProductVersionNumber: 6.1.7600.16385
Subsystem: Windows GUI
SubsystemVersion: 6.1
TimeStamp: 2009:07:14 01:34:19+02:00
UninitializedDataSize: 0

Second one:

AhnLab-V3 2011.06.19.00 2011.06.18 -
AntiVir 7.11.10.12 2011.06.17 -
Antiy-AVL 2.0.3.7 2011.06.18 -
Avast 4.8.1351.0 2011.06.18 -
Avast5 5.0.677.0 2011.06.18 -
AVG 10.0.0.1190 2011.06.18 -
BitDefender 7.2 2011.06.18 -
CAT-QuickHeal 11.00 2011.06.18 -
ClamAV 0.97.0.0 2011.06.18 -
Commtouch 5.3.2.6 2011.06.18 -
Comodo 9114 2011.06.18 -
DrWeb 5.0.2.03300 2011.06.18 -
eSafe 7.0.17.0 2011.06.15 -
eTrust-Vet 36.1.8393 2011.06.17 -
F-Prot 4.6.2.117 2011.06.18 -
F-Secure 9.0.16440.0 2011.06.18 -
Fortinet 4.2.257.0 2011.06.18 -
GData 22 2011.06.18 -
Ikarus T3.1.1.104.0 2011.06.18 -
Jiangmin 13.0.900 2011.06.18 -
K7AntiVirus 9.106.4825 2011.06.18 -
Kaspersky 9.0.0.837 2011.06.18 -
McAfee 5.400.0.1158 2011.06.18 -
McAfee-GW-Edition 2010.1D 2011.06.18 -
Microsoft 1.6903 2011.06.13 -
NOD32 6220 2011.06.18 -
Norman 6.07.10 2011.06.18 -
nProtect 2011-06-18.01 2011.06.18 -
Panda 10.0.3.5 2011.06.18 -
PCTools 7.0.3.5 2011.06.17 -
Prevx 3.0 2011.06.18 -
Rising 23.62.03.03 2011.06.17 -
Sophos 4.66.0 2011.06.18 -
SUPERAntiSpyware 4.40.0.1006 2011.06.18 -
Symantec 20111.1.0.186 2011.06.18 -
TheHacker 6.7.0.1.233 2011.06.18 -
TrendMicro 9.200.0.1012 2011.06.18 -
TrendMicro-HouseCall 9.200.0.1012 2011.06.18 -
VBA32 3.12.16.2 2011.06.17 -
VIPRE 9620 2011.06.18 -
ViRobot 2011.6.18.4521 2011.06.18 -
VirusBuster 14.0.85.1 2011.06.18 -
Additional information
MD5 : 6de80f60d7de9ce6b8c2ddfdf79ef175
SHA1 : 8d439a6186ff526403989ac217dfe8e3a2d8bc2c
SHA256: 7784a6cada74e314e7d79573ad9e490f4a36e0deb86c07732a75856a7e8f1e3a
ssdeep: 384:Oj+CsDNjesrHdlvJhRLYZpgKeGf5F/hyWeR22PXG/7LKpuZeRsJCKWuVymWB:OxstZlRhNYZpgpuFeR22vo7L3O1
File size : 26112 bytes
First seen: 2009-08-11 16:56:55
Last seen : 2011-06-18 18:41:08
TrID:
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Userinit Logon Application
original name: USERINIT.EXE
internal name: userinit
file version.: 6.1.7600.16385 (win7_rtm.090713-1255)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x2B4E
timedatestamp....: 0x4A5BC47B (Mon Jul 13 23:34:19 2009)
machinetype......: 0x14c (I386)

[[ 4 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x4CC9, 0x4E00, 6.08, 42103130bcecb40c949779c1a865ac9a
.data, 0x6000, 0x4E8, 0x600, 0.87, 33d7907333f0fbf9350ce65ced1af048
.rsrc, 0x7000, 0x778, 0x800, 4.05, cb2b29ba8fea6ee6f3666d8bf554071f
.reloc, 0x8000, 0x410, 0x600, 5.22, ae619042157784c4e0538bf811d6d473

[[ 7 import(s) ]]
ntdll.dll: DbgPrint, RtlInitUnicodeString, NtOpenKey, NtClose
API_MS_Win_Core_LocalRegistry_L1_1_0.dll: RegCreateKeyExW, RegDeleteTreeW, RegSetValueExW, RegQueryValueExW, RegOpenKeyExW, RegCloseKey, RegQueryInfoKeyW
API_MS_Win_Core_ProcessThreads_L1_1_0.dll: SetThreadPriority, GetCurrentThread, CreateThread, GetCurrentProcess, CreateProcessW, OpenProcessToken
USER32.dll: CharNextW, GetKeyboardLayout, GetSystemMetrics, ExitWindowsEx, MessageBoxW, LoadStringW, LoadRemoteFonts, DefWindowProcW, RegisterClassExW, DestroyWindow, CreateWindowExW, SystemParametersInfoW
USERENV.dll: -
msvcrt.dll: _ismbblead, _XcptFilter, _exit, _cexit, exit, _wcsicmp, memset, memmove, _vsnwprintf, _initterm, _acmdln, _amsg_exit, __setusermatherr, __p__fmode, __set_app_type, _terminate@@YAXXZ, _except_handler4_common, _controlfp, __getmainargs, __p__commode
KERNEL32.dll: GetSystemTimeAsFileTime, TerminateProcess, UnhandledExceptionFilter, GetCurrentProcessId, GetTickCount, QueryPerformanceCounter, GetModuleHandleA, SetUnhandledExceptionFilter, GetStartupInfoA, InterlockedExchange, LoadLibraryA, RegOpenKeyExA, RegQueryValueExA, ExpandEnvironmentStringsA, LoadLibraryExA, InterlockedCompareExchange, DelayLoadFailureHook, HeapSetInformation, SetCurrentDirectoryW, FormatMessageW, GetFileAttributesExW, GetSystemDirectoryW, SetLastError, ExpandEnvironmentStringsW, GetUserDefaultLangID, SetEvent, OpenEventW, Sleep, WaitForSingleObject, CloseHandle, GetLastError, SetEnvironmentVariableW, SearchPathW, GetCurrentThreadId, CompareFileTime, LoadLibraryW, GetProcAddress, FreeLibrary, GetEnvironmentVariableW, LocalAlloc, LocalFree, GetVersionExW, lstrlenW
ExifTool:
file metadata
CharacterSet: Unicode
CodeSize: 19968
CompanyName: Microsoft Corporation
EntryPoint: 0x2b4e
FileDescription: Userinit Logon Application
FileFlagsMask: 0x003f
FileOS: Windows NT 32-bit
FileSize: 26 kB
FileSubtype: 0
FileType: Win32 EXE
FileVersion: 6.1.7600.16385 (win7_rtm.090713-1255)
FileVersionNumber: 6.1.7600.16385
ImageVersion: 6.1
InitializedDataSize: 5120
InternalName: userinit
LanguageCode: English (U.S.)
LegalCopyright: Microsoft Corporation. All rights reserved.
LinkerVersion: 9.0
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 6.1
ObjectFileType: Executable application
OriginalFilename: USERINIT.EXE
PEType: PE32
ProductName: Microsoft Windows Operating System
ProductVersion: 6.1.7600.16385
ProductVersionNumber: 6.1.7600.16385
Subsystem: Windows GUI
SubsystemVersion: 6.1
TimeStamp: 2009:07:14 01:34:19+02:00
UninitializedDataSize: 0
Symantec reputation:Suspicious.Insight

#14 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  • Gender:Male
  • Location:God's Country
  • Local time:02:44 PM

Posted 19 June 2011 - 09:41 AM

Hi Arni,

Malwarebytes has found some things like: PUP.FunWebProducts, Trojan.FakeAlert

Please post that log from MBAM. It will be located under the logs tab.

Step 1.

Press the Win & R keys to open the Run command box.

Copy and paste or type C:\Qoobox\Add-Remove Programs.txt in the Run box and click OK. A text file should open. Please post the contents of that file in your next reply.


Step 2.

I'd like us to scan your machine with ESET OnlineScan.
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


In your next reply please post the following:

Add-Remove Programs.txt
MBAM log
ESET scan results.
Note: If ESET does not find anything there will be no report.


Thanks!!
PW

#15 Arni

Arni
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:44 PM

Posted 20 June 2011 - 03:19 PM

Hi!

Here are my logs:

Update for Microsoft Office 2007 (KB2508958)
Adobe AIR
Adobe Community Help
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Media Player
Adobe Photoshop CS5
Adobe Reader 9.4.3
AMD APP SDK Runtime
AMD Drag and Drop Transcoding
AMD Fuel
AMD Fusion Utility
AMD VISION Engine Control Center
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Atheros Driver Installation Program
ATI Catalyst Install Manager
ATI Catalyst Registration
Bonjour
Browser Defender 3.0
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
ccc-utility
CCC Help English
Command & Conquer™ Red Alert™ 3
ConvertXtoDVD 4.0.3.313
D3DX10
DAEMON Tools Pro
DarksidersInstaller
Dell Driver Download Manager
DEVIL MAY CRY 4
DivX Setup
DNA
Dragon Age II
Dragon Age: Origins
Driver Genius Professional Edition
EASEUS Partition Master 6.1.1 Home Edition
eReg
erLT
FBX Plugin 2009.0 for Max 2009
FLV Player 2.0 (build 25)
Futuremark SystemInfo
GameDesire-Pool & Snooker
Garmin Communicator Plugin
Garmin USB Drivers
gBurner
Geeks3D.com FurMark 1.9.0
Google Chrome
Google Earth
Google Update Helper
Graboid Video 1.71
HiJackThis
HOTKEurope 1.4.2
iTunes
Java Auto Updater
Junk Mail filter update
LimeWire 5.5.8
LiveUpdate
Malwarebytes' Anti-Malware version 1.51.0.1200
Medal of Honor ™
Media Go
MetaTrader 4.00
Microsoft .NET Framework 1.1
Microsoft Application Error Reporting
Microsoft IntelliPoint 8.0
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft WSE 3.0 Runtime
Microsoft_VC80_ATL_x86
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
mIRC
MobileMe Control Panel
Movavi Video Converter 6
Mozilla Firefox 4.0.1 (x86 en-US)
MP3 Cutter 1.9
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Need for Speed™ Hot Pursuit
nLite 1.4.9.1
NNScript
NVIDIA PhysX
OGA Notifier 2.0.0048.0
OJOsoft Total Video Converter
Pando Media Booster
Paragon Drive Backup 8.51 Professional Trial
Paragon Partition Manager 9.0 Professional
PDF Settings CS5
PDFCreator
PerformanceTest v7.0
PlayStation®Network Downloader
PlayStation®Store
PunkBuster Services
Quake Live Internet Explorer Plugin
QuickTime
Rapport
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
Realtek High Definition Audio Driver
RealUpgrade 1.1
Roxio Easy Media Creator 9 Suite
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft Office 2007 System (KB2541012)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2541007)
Security Update for Microsoft Office Groove 2007 (KB2494047)
Security Update for Microsoft Office InfoPath 2007 (KB2510061)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Skype™ 4.1
SkyPlayer for Windows Media Center
Sony Ericsson PC Companion 1.50.52
Sony Ericsson PC Suite 6.011.00
Sony Ericsson Update Engine
Spybot - Search & Destroy
TeamSpeak 3 Client
The Rosetta Stone
Trend Micro™ Titanium™ Maximum Security
Ubisoft Game Launcher
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB2509470)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (KB2536413)
Update Service
Urban Terror 4.1
VC80CRTRedist - 8.0.50727.4053
VLC media player 1.1.9
Winamp
Winamp Detector Plug-in
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Mail
Windows Live Messenger
Windows Live MIME IFilter
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Windows Media Player Firefox Plugin
WinRAR archiver
WMV9/VC-1 Video Playback
XP Codec Pack
Xvid 1.2.1 final uninstall


MBAM Log


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4305

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

13/07/2010 07:16:57
mbam-log-2010-07-13 (07-16-57).txt

Scan type: Full scan (C:\|D:\|F:\|)
Objects scanned: 261001
Time elapsed: 38 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
D:\System Volume Information\_restore{C28DF4E4-B3E9-4CDB-A3DD-FB45759108DA}\RP17\A0004253.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{C5F4720D-C49C-4992-B306-4B61FC2D2738}\RP132\A0027937.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.
D:\Games\Setupid\Mängude failid\EA Games Serials\fff-ea117.exe (Trojan.Orsam) -> Not selected for removal.



ESET Log


C:\Users\Arni\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\06EW0B6C\forum[2].htm JS/Kryptik.AQ.Gen trojan cleaned by deleting - quarantined
C:\Users\Arni\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\21\7d6f8095-439f6e43 multiple threats deleted - quarantined
C:\Users\Arni\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\2fbb37bf-42778821 a variant of Java/Exploit.CVE-2009-2843.B trojan deleted - quarantined