Something fishy...


This topic is locked.
24 replies to this topic

#1 Zestypanda

  • Members

Posted 30 August 2011 - 03:48 PM

Old link, crypto told me to go here. I'm a little short on time so I might not be able to get the logs to you super fast.

Pasting in the GMER log posted in other topic. ~ OB

Gmer log.

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-08-30 12:53:26
Windows 6.1.7601 Service Pack 1
Running: 7x7r5d07.exe


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002269ec2d88
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\90004e9e9235
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002269ec2d88 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\90004e9e9235 (not active ControlSet)
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A3C93FA0-94CA-F319-49A3-F9AA6E31305E}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A3C93FA0-94CA-F319-49A3-F9AA6E31305E}@iaiblbekkhecjkckkc 0x69 0x61 0x6B 0x63 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A3C93FA0-94CA-F319-49A3-F9AA6E31305E}@hacefgagedhfiejc 0x69 0x61 0x6B 0x63 ...

---- EOF - GMER 1.0.15 ----

Edited by Orange Blossom, 30 August 2011 - 10:22 PM.

Have a question, or just wanna chat? Send me a message. Or add me as a friend.

#2 nasdaq

  • Malware Response Team

Posted 04 September 2011 - 09:40 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

Before I suggest any removal tool I need more information.

Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.

Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop.

Please just paste the contents of the DDS.txt log in your next post.
===

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) ( 511KB ) to your desktop. Double click the aswMBR.exe to run it.

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.
===

Please post the logs and let me know what problem persists.

#3 Zestypanda

  • Topic Starter
  • Members

Posted 05 September 2011 - 10:28 PM

Sorry, I'm not gone, I have just had a lot of stuff going on with school starting up in a day or so, so it might be a while, if the thread gets closed, should I pm a mod or just make a new one?


#4 Zestypanda

  • Topic Starter
  • Members

Posted 05 September 2011 - 10:33 PM

DDS Log, as requested.
Attach.txt is also zipped and attached.
----------------------------------------------------------------------------------

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Ryan at 20:29:05 on 2011-09-05
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4077.2261 [GMT -7:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG10\avgchsva.exe
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\system32\atiesrxx.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\system32\atieclxx.exe
C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe
C:\Program Files (x86)\DDNi\Oasis2Service 1.0\Oasis2Service.exe
C:\windows\system32\taskhost.exe
C:\windows\Explorer.EXE
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\AVG\AVG10\avgnsa.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynBtnAsst.exe
C:\Program Files (x86)\Lenovo\Energy Management\utility.exe
C:\Program Files (x86)\AVG\AVG10\avgemca.exe
C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe
C:\windows\system32\conhost.exe
C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
C:\Program Files (x86)\AVG\AVG10\avgtray.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\windows\system32\DllHost.exe
C:\PROGRA~2\AVG\AVG10\avgrsa.exe
C:\Program Files (x86)\AVG\AVG10\avgcsrva.exe
C:\windows\system32\svchost.exe -k SDRSVC
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\windows\explorer.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\system32\conhost.exe
C:\windows\SysWOW64\cscript.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page =
uSearch Bar =
mStart Page = hxxp://lenovo.msn.com
uURLSearchHooks: H - No File
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
uRun: [P2kAutostart]
mRun: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe
mRun: [amd_dc_opt] C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Free YouTube Download - C:\Users\Ryan\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
IE: Send image to &Bluetooth Device... - C:\Program Files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - C:\Program Files\Lenovo\Bluetooth Software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Lenovo\Bluetooth Software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{A820C16A-2FA8-4680-986F-472EE0D01B13} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{A820C16A-2FA8-4680-986F-472EE0D01B13}\7457563747 : DhcpNameServer = 192.168.1.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG10\avgpp.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun-x64: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe
mRun-x64: [amd_dc_opt] C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Lenovo\Bluetooth Software\btsendto_ie.htm
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\kldjrfma.default\
FF - prefs.js: browser.search.selectedEngine - Search the web
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\Users\Ryan\AppData\Local\Roblox\Versions\version-9d8ee47fdc21422e\NPRobloxProxy.dll
FF - plugin: C:\windows\system32\Wat\npWatWeb.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;C:\windows\system32\DRIVERS\AVGIDSEH.Sys --> C:\windows\system32\DRIVERS\AVGIDSEH.Sys [?]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\windows\system32\DRIVERS\avgrkx64.sys --> C:\windows\system32\DRIVERS\avgrkx64.sys [?]
R0 LHDmgr;LHDmgr;C:\windows\system32\DRIVERS\LhdX64.sys --> C:\windows\system32\DRIVERS\LhdX64.sys [?]
R0 PxHlpa64;PxHlpa64;C:\windows\system32\Drivers\PxHlpa64.sys --> C:\windows\system32\Drivers\PxHlpa64.sys [?]
R1 Avgldx64;AVG AVI Loader Driver;C:\windows\system32\DRIVERS\avgldx64.sys --> C:\windows\system32\DRIVERS\avgldx64.sys [?]
R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\windows\system32\DRIVERS\avgmfx64.sys --> C:\windows\system32\DRIVERS\avgmfx64.sys [?]
R1 Avgtdia;AVG TDI Driver;C:\windows\system32\DRIVERS\avgtdia.sys --> C:\windows\system32\DRIVERS\avgtdia.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\windows\system32\atiesrxx.exe --> C:\windows\system32\atiesrxx.exe [?]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2011-4-18 7398752]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe [2011-2-8 269520]
R2 Oasis2Service;Oasis2Service;C:\Program Files (x86)\DDNi\Oasis2Service 1.0\Oasis2Service.exe [2010-12-22 46080]
R2 sp_rsdrv2;Spyware Terminator Driver Filter;C:\windows\system32\DRIVERS\stflt.sys --> C:\windows\system32\DRIVERS\stflt.sys [?]
R3 ACPIVPC;Lenovo Virtual Power Controller Driver;C:\windows\system32\DRIVERS\AcpiVpc.sys --> C:\windows\system32\DRIVERS\AcpiVpc.sys [?]
R3 amdkmdag;amdkmdag;C:\windows\system32\DRIVERS\atikmdag.sys --> C:\windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\windows\system32\DRIVERS\atikmpag.sys --> C:\windows\system32\DRIVERS\atikmpag.sys [?]
R3 AVGIDSDriver;AVGIDSDriver;C:\windows\system32\DRIVERS\AVGIDSDriver.Sys --> C:\windows\system32\DRIVERS\AVGIDSDriver.Sys [?]
R3 AVGIDSFilter;AVGIDSFilter;C:\windows\system32\DRIVERS\AVGIDSFilter.Sys --> C:\windows\system32\DRIVERS\AVGIDSFilter.Sys [?]
R3 JMCR;JMCR;C:\windows\system32\DRIVERS\jmcr.sys --> C:\windows\system32\DRIVERS\jmcr.sys [?]
R3 JmUsbCcgp;JMicron USB Composite Device Lower Filter Driver;C:\windows\system32\DRIVERS\jmccgp.sys --> C:\windows\system32\DRIVERS\jmccgp.sys [?]
R3 JmUsbVideo;JMicron 31x Upper Filter Driver;C:\windows\system32\Drivers\jmcam.sys --> C:\windows\system32\Drivers\jmcam.sys [?]
R3 JmUsbVideo2;JMicron 31x Lower Filter Driver;C:\windows\system32\Drivers\jmcam_lo.sys --> C:\windows\system32\Drivers\jmcam_lo.sys [?]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\windows\system32\DRIVERS\k57nd60a.sys --> C:\windows\system32\DRIVERS\k57nd60a.sys [?]
R3 MEIx64;Intel® Management Engine Interface;C:\windows\system32\DRIVERS\HECIx64.sys --> C:\windows\system32\DRIVERS\HECIx64.sys [?]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\windows\system32\DRIVERS\vwifimp.sys --> C:\windows\system32\DRIVERS\vwifimp.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 btusbflt;Bluetooth USB Filter;C:\windows\system32\drivers\btusbflt.sys --> C:\windows\system32\drivers\btusbflt.sys [?]
S3 btwl2cap;Bluetooth L2CAP Service;C:\windows\system32\DRIVERS\btwl2cap.sys --> C:\windows\system32\DRIVERS\btwl2cap.sys [?]
S3 Desura Install Service;Desura Install Service;C:\Program Files (x86)\Common Files\Desura\desura_service.exe [2011-7-12 131912]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;\??\C:\windows\system32\drivers\hitmanpro35.sys --> C:\windows\system32\drivers\hitmanpro35.sys [?]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\windows\system32\DRIVERS\netw5v64.sys --> C:\windows\system32\DRIVERS\netw5v64.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\windows\system32\drivers\tsusbflt.sys --> C:\windows\system32\drivers\tsusbflt.sys [?]
S3 VBoxUSB;VirtualBox USB;C:\windows\system32\Drivers\VBoxUSB.sys --> C:\windows\system32\Drivers\VBoxUSB.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]
S3 wsvd;wsvd;C:\windows\system32\DRIVERS\wsvd.sys --> C:\windows\system32\DRIVERS\wsvd.sys [?]
S4 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;C:\Program Files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [2009-10-9 169312]
S4 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-6-6 64952]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2011-09-05 04:48:41 -------- d-----w- C:\Program Files (x86)\Common Files\DVDVideoSoft
2011-09-02 21:33:19 -------- d-----w- C:\Users\Ryan\AppData\Roaming\enchant
2011-09-02 21:33:19 -------- d-----w- C:\Users\Ryan\AppData\Roaming\.purple
2011-09-02 21:31:32 -------- d-----w- C:\Program Files (x86)\Pidgin
2011-08-30 08:05:12 -------- d-----w- C:\temp_phw
2011-08-30 01:00:25 -------- d-----w- C:\Users\Ryan\AppData\Roaming\SUPERAntiSpyware.com
2011-08-30 01:00:25 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2011-08-30 00:54:29 41272 ----a-w- C:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-08-23 21:07:06 -------- d-----w- C:\Program Files (x86)\Atari
2011-08-23 20:38:21 2048 ----a-w- C:\windows\SysWow64\tzres.dll
2011-08-23 20:38:21 2048 ----a-w- C:\windows\System32\tzres.dll
2011-08-23 20:26:07 -------- d-----w- C:\windows\SysWow64\RTCOM
2011-08-23 20:23:34 -------- d-----w- C:\Program Files (x86)\Realtek
2011-08-23 20:22:53 -------- d-----w- C:\Drivers
2011-08-23 05:08:42 20 ----a-w- C:\windows\System32\NCTTEXTTOAUDIO2.DLL
2011-08-23 03:36:54 -------- d-----w- C:\Program Files (x86)\Conduit
2011-08-23 03:36:49 -------- d-----w- C:\Users\Ryan\AppData\Local\Conduit
2011-08-23 03:36:27 -------- d-----w- C:\Users\Ryan\AppData\Roaming\Free Sound Recorder
2011-08-23 03:36:21 344064 ----a-w- C:\windows\SysWow64\msvcr70.dll
2011-08-16 03:44:11 -------- d-----w- C:\Users\Ryan\AppData\Roaming\Moveax
2011-08-15 02:54:54 -------- d-----w- C:\Users\Ryan\AppData\Local\{46F8FB77-F972-48B8-8231-DD286CB71E54}
2011-08-15 02:54:43 -------- d-----w- C:\Users\Ryan\AppData\Local\{36BC1BE5-0B46-4EA9-AA5E-78C4496BAE01}
2011-08-15 02:17:35 15712 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\7ee7e3d21cc5af101\MeshBetaRemover.exe
2011-08-15 02:17:10 -------- d-----w- C:\Users\Ryan\AppData\Local\Windows Live
2011-08-15 01:41:57 -------- d-----w- C:\Users\Ryan\AppData\Local\Apple Computer
2011-08-12 20:15:22 -------- d-----w- C:\windows\System32\ShellExt
2011-08-12 20:15:21 -------- d-----w- C:\windows\SysWow64\ShellExt
2011-08-12 05:46:48 -------- d-----w- C:\Users\Ryan\AppData\Local\WMTools Downloaded Files
2011-08-12 05:40:58 -------- d-----w- C:\Program Files (x86)\Movie Maker 2.6
2011-08-12 05:14:37 -------- d-----w- C:\Users\Ryan\AppData\Local\Apple
2011-08-12 05:10:05 -------- d-----w- C:\Program Files\Matrox VFW Software Codecs
2011-08-12 01:32:11 -------- d-----w- C:\Program Files\CCleaner
2011-08-10 21:35:21 -------- d-----w- C:\Program Files (x86)\Camstudio-2.6c
2011-08-09 21:20:54 5561216 ----a-w- C:\windows\System32\ntoskrnl.exe
2011-08-09 21:20:54 3967872 ----a-w- C:\windows\SysWow64\ntkrnlpa.exe
2011-08-09 21:20:54 3912576 ----a-w- C:\windows\SysWow64\ntoskrnl.exe
2011-08-09 21:07:34 -------- d-----w- C:\Users\Ryan\.VirtualBox
2011-08-09 21:05:11 223536 ----a-w- C:\windows\System32\drivers\VBoxDrv.sys
2011-08-09 21:05:09 -------- d-----w- C:\Program Files\Oracle
2011-08-09 00:37:42 -------- d-----w- C:\Users\Ryan\AppData\Local\Opera
2011-08-07 22:24:58 -------- d-----w- C:\Users\Ryan\.yawcam
2011-08-07 22:24:51 -------- d-----w- C:\Program Files (x86)\Yawcam
.
==================== Find3M ====================
.
2011-09-05 22:53:59 404640 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-07-23 01:24:11 20 ----a-w- C:\windows\System32\SHMEDIA.DLL
2011-07-22 05:42:23 2303488 ----a-w- C:\windows\System32\jscript9.dll
2011-07-22 05:36:16 1389056 ----a-w- C:\windows\System32\wininet.dll
2011-07-22 05:32:40 2382848 ----a-w- C:\windows\System32\mshtml.tlb
2011-07-22 02:54:43 1797632 ----a-w- C:\windows\SysWow64\jscript9.dll
2011-07-22 02:48:26 1126912 ----a-w- C:\windows\SysWow64\wininet.dll
2011-07-22 02:44:36 2382848 ----a-w- C:\windows\SysWow64\mshtml.tlb
2011-07-19 20:08:46 117040 ----a-w- C:\windows\System32\drivers\VBoxUSB.sys
2011-07-19 20:08:18 165680 ----a-w- C:\windows\System32\drivers\VBoxNetFlt.sys
2011-07-19 20:08:18 146736 ----a-w- C:\windows\System32\drivers\VBoxNetAdp.sys
2011-07-19 20:08:18 131376 ----a-w- C:\windows\System32\drivers\VBoxUSBMon.sys
2011-07-19 20:08:16 320816 ----a-w- C:\windows\System32\VBoxNetFltNobj.dll
2011-07-16 05:41:50 362496 ----a-w- C:\windows\System32\wow64win.dll
2011-07-16 05:41:49 243200 ----a-w- C:\windows\System32\wow64.dll
2011-07-16 05:41:49 13312 ----a-w- C:\windows\System32\wow64cpu.dll
2011-07-16 05:39:10 16384 ----a-w- C:\windows\System32\ntvdm64.dll
2011-07-16 05:37:12 421888 ----a-w- C:\windows\System32\KernelBase.dll
2011-07-16 04:29:19 14336 ----a-w- C:\windows\SysWow64\ntvdm64.dll
2011-07-16 04:26:00 44032 ----a-w- C:\windows\apppatch\acwow64.dll
2011-07-16 04:25:37 25600 ----a-w- C:\windows\SysWow64\setup16.exe
2011-07-16 04:24:23 5120 ----a-w- C:\windows\SysWow64\wow32.dll
2011-07-16 04:24:22 272384 ----a-w- C:\windows\SysWow64\KernelBase.dll
2011-07-16 02:21:44 7680 ----a-w- C:\windows\SysWow64\instnm.exe
2011-07-16 02:21:41 2048 ----a-w- C:\windows\SysWow64\user.exe
2011-07-16 02:17:19 6144 ---ha-w- C:\windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2011-07-16 02:17:19 4608 ---ha-w- C:\windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 02:17:19 3584 ---ha-w- C:\windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 02:17:19 3072 ---ha-w- C:\windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2011-07-11 22:17:00 1698408 ----a-w- C:\windows\RtlExUpd.dll
2011-07-09 02:46:28 288768 ----a-w- C:\windows\System32\drivers\mrxsmb10.sys
2011-07-08 03:46:16 2432104 ----a-w- C:\windows\System32\RtPgEx64.dll
2011-07-08 01:39:06 2914408 ----a-w- C:\windows\System32\drivers\RTKVHD64.sys
2011-07-07 05:42:46 3148904 ----a-w- C:\windows\System32\RtkAPO64.dll
2011-07-07 02:52:42 25912 ----a-w- C:\windows\System32\drivers\mbam.sys
2011-07-06 21:27:00 92264 ----a-w- C:\windows\System32\RCoInst64.dll
2011-07-06 01:37:00 94208 ----a-w- C:\windows\SysWow64\QuickTimeVR.qtx
2011-07-06 01:37:00 69632 ----a-w- C:\windows\SysWow64\QuickTime.qts
2011-07-01 22:05:42 1822824 ----a-w- C:\windows\System32\RtkApi64.dll
2011-07-01 00:14:56 1560168 ----a-w- C:\windows\System32\RTSnMg64.cpl
2011-06-30 01:13:01 695578 ------w- C:\windows\SysWow64\unins000.exe
2011-06-27 22:44:54 2604376 ----a-w- C:\windows\System32\WavesGUILib.dll
2011-06-24 05:34:53 214528 ----a-w- C:\windows\System32\winsrv.dll
2011-06-24 05:25:49 338432 ----a-w- C:\windows\System32\conhost.exe
2011-06-21 06:34:00 1923968 ----a-w- C:\windows\System32\drivers\tcpip.sys
2011-06-15 10:02:23 212992 ----a-w- C:\windows\System32\odbctrac.dll
2011-06-15 10:02:23 163840 ----a-w- C:\windows\System32\odbccp32.dll
2011-06-15 10:02:23 106496 ----a-w- C:\windows\System32\odbccu32.dll
2011-06-15 10:02:23 106496 ----a-w- C:\windows\System32\odbccr32.dll
2011-06-15 08:55:19 86016 ----a-w- C:\windows\SysWow64\odbccu32.dll
2011-06-15 08:55:19 81920 ----a-w- C:\windows\SysWow64\odbccr32.dll
2011-06-15 08:55:19 319488 ----a-w- C:\windows\SysWow64\odbcjt32.dll
2011-06-15 08:55:19 163840 ----a-w- C:\windows\SysWow64\odbctrac.dll
2011-06-15 08:55:19 122880 ----a-w- C:\windows\SysWow64\odbccp32.dll
2011-06-11 03:07:25 3137536 ----a-w- C:\windows\System32\win32k.sys
.
============= FINISH: 20:29:56.53 ===============


#5 Zestypanda

  • Topic Starter
  • Members

Posted 05 September 2011 - 11:02 PM

The other scan.

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-09-05 20:34:08
-----------------------------
20:34:09.000 OS Version: Windows x64 6.1.7601 Service Pack 1
20:34:09.000 Number of processors: 8 586 0x2A07
20:34:09.001 ComputerName: RYAN-LAPTOP UserName: Ryan
20:34:11.019 Initialize success
20:42:24.943 AVAST engine defs: 11090501
20:42:28.860 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
20:42:28.866 Disk 0 Vendor: ST950032 0010 Size: 476940MB BusType: 3
20:42:28.885 Disk 0 MBR read successfully
20:42:28.891 Disk 0 MBR scan
20:42:28.899 Disk 0 Windows 7 default MBR code
20:42:28.906 Service scanning
20:42:30.218 Modules scanning
20:42:30.226 Disk 0 trace - called modules:
20:42:30.291 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
20:42:30.299 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004c3d790]
20:42:30.307 3 CLASSPNP.SYS[fffff8800180143f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80047b1050]
20:42:32.947 AVAST engine scan C:\windows
20:42:35.588 AVAST engine scan C:\windows\system32
20:44:36.372 AVAST engine scan C:\windows\system32\drivers
20:44:48.830 AVAST engine scan C:\Users\Ryan
21:01:09.340 Disk 0 MBR has been saved successfully to "C:\Users\Ryan\Desktop\MBR.dat"
21:01:09.346 The log file has been saved successfully to "C:\Users\Ryan\Desktop\aswMBR.txt"


#6 nasdaq

  • Malware Response Team

Posted 06 September 2011 - 12:20 PM

Both logs are clean.

What are the issues with this computer?

#7 Zestypanda

  • Topic Starter
  • Members

Posted 06 September 2011 - 05:03 PM

There seems to be no apparent infection, but when I went to the publisher of a software program which I was trying to download (easyuharc), I was initiated with flash based popups, so I navigated away from the page and exited out of Firefox. I then found multiple instances of internet explorer running in task manager. I had not used ie that day, or any other day recently, and I had not used (to my knowledge) any programs that use ie, so I was thinking that it was strange to have ie running when I had not told it to do so; furthermore, they seemed to be running silently, with no windows visible for internet explorer. So, it might be a false alarm, but why would ie be running without my permission?


#8 nasdaq

  • Malware Response Team

Posted 06 September 2011 - 07:54 PM

Let's check further.

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall.


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

#9 Zestypanda

  • Topic Starter
  • Members

Posted 07 September 2011 - 04:54 PM

Okay, I will do so and post the log.


#10 Zestypanda

  • Topic Starter
  • Members

Posted 07 September 2011 - 05:10 PM

Combofix log.


ComboFix 11-09-07.04 - Ryan 09/07/2011 14:56:22.1.8 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4077.2749 [GMT -7:00]
Running from: c:\users\Ryan\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\windows\s.bat
c:\windows\SysWow64\mfc100deu.dll
c:\windows\XSxS
.
.
((((((((((((((((((((((((( Files Created from 2011-08-07 to 2011-09-07 )))))))))))))))))))))))))))))))
.
.
2011-09-05 04:48 . 2011-09-05 04:56 -------- d-----w- c:\program files (x86)\Common Files\DVDVideoSoft
2011-09-02 21:33 . 2011-09-02 21:33 -------- d-----w- c:\users\Ryan\AppData\Roaming\.purple
2011-09-02 21:33 . 2011-09-02 21:33 -------- d-----w- c:\users\Ryan\AppData\Roaming\enchant
2011-09-02 21:31 . 2011-09-02 21:33 -------- d-----w- c:\program files (x86)\Pidgin
2011-08-30 08:05 . 2011-08-30 08:05 -------- d-----w- C:\temp_phw
2011-08-30 01:00 . 2011-08-30 01:00 -------- d-----w- c:\users\Ryan\AppData\Roaming\SUPERAntiSpyware.com
2011-08-30 01:00 . 2011-08-30 01:00 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-08-30 00:54 . 2011-07-07 02:52 41272 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-08-23 21:07 . 2011-08-23 21:07 -------- d-----w- c:\program files (x86)\Atari
2011-08-23 20:38 . 2011-07-09 05:26 2048 ----a-w- c:\windows\system32\tzres.dll
2011-08-23 20:38 . 2011-07-09 04:29 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2011-08-23 20:26 . 2011-08-23 20:26 -------- d-----w- c:\windows\SysWow64\RTCOM
2011-08-23 20:23 . 2011-08-23 20:23 -------- d-----w- c:\program files (x86)\Realtek
2011-08-23 20:22 . 2011-08-23 20:23 -------- d-----w- C:\Drivers
2011-08-23 05:08 . 2011-08-23 05:08 20 ----a-w- c:\windows\system32\NCTTEXTTOAUDIO2.DLL
2011-08-23 03:36 . 2011-09-05 22:45 -------- d-----w- c:\users\Ryan\AppData\Local\Conduit
2011-08-23 03:36 . 2011-08-23 04:01 -------- d-----w- c:\users\Ryan\AppData\Roaming\Free Sound Recorder
2011-08-23 03:36 . 2002-01-05 23:37 344064 ----a-w- c:\windows\SysWow64\msvcr70.dll
2011-08-16 03:44 . 2011-08-16 03:44 -------- d-----w- c:\users\Ryan\AppData\Roaming\Moveax
2011-08-15 02:17 . 2011-08-15 02:17 15712 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\7ee7e3d21cc5af101\MeshBetaRemover.exe
2011-08-15 02:17 . 2011-08-15 02:54 -------- d-----w- c:\users\Ryan\AppData\Local\Windows Live
2011-08-15 01:41 . 2011-08-15 01:41 -------- d-----w- c:\users\Ryan\AppData\Local\Apple Computer
2011-08-15 01:41 . 2011-08-15 01:41 -------- d-----w- c:\users\Ryan\AppData\Roaming\Apple Computer
2011-08-12 20:15 . 2011-08-15 02:53 -------- d-----w- c:\windows\system32\ShellExt
2011-08-12 20:15 . 2011-08-15 02:53 -------- d-----w- c:\windows\SysWow64\ShellExt
2011-08-12 05:46 . 2011-08-27 01:34 -------- d-----w- c:\users\Ryan\AppData\Local\WMTools Downloaded Files
2011-08-12 05:40 . 2011-08-12 05:40 -------- d-----w- c:\program files (x86)\Movie Maker 2.6
2011-08-12 05:14 . 2011-08-12 05:14 -------- d-----w- c:\program files (x86)\Common Files\Apple
2011-08-12 05:14 . 2011-08-12 05:14 -------- d-----w- c:\users\Ryan\AppData\Local\Apple
2011-08-12 05:14 . 2011-08-12 05:14 -------- d-----w- c:\programdata\Apple
2011-08-12 05:14 . 2011-08-12 05:14 -------- d-----w- c:\program files (x86)\Apple Software Update
2011-08-12 05:10 . 2011-08-12 05:10 -------- d-----w- c:\program files\Matrox VFW Software Codecs
2011-08-12 01:32 . 2011-08-12 01:32 -------- d-----w- c:\program files\CCleaner
2011-08-10 21:35 . 2011-08-10 21:35 -------- d-----w- c:\program files (x86)\Camstudio-2.6c
2011-08-09 21:20 . 2011-06-23 05:43 5561216 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-08-09 21:20 . 2011-06-23 04:33 3967872 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2011-08-09 21:20 . 2011-06-23 04:33 3912576 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2011-08-09 21:07 . 2011-09-06 22:39 -------- d-----w- c:\users\Ryan\.VirtualBox
2011-08-09 21:05 . 2011-07-19 20:08 223536 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys
2011-08-09 21:05 . 2011-08-09 21:05 -------- d-----w- c:\program files\Oracle
2011-08-09 00:37 . 2011-08-12 03:02 -------- d-----w- c:\users\Ryan\AppData\Local\Opera
2011-08-09 00:35 . 2011-08-12 03:02 -------- d-----w- c:\program files (x86)\Opera
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-05 22:53 . 2011-05-16 22:56 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-08-15 02:21 . 2010-06-24 11:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-08-09 20:46 . 2011-05-27 23:43 165232 ---ha-w- c:\users\Ryan\AppData\Roaming\Microsoft\Virtual PC\VPCKeyboard.dll
2011-07-23 01:24 . 2011-07-23 01:24 20 ----a-w- c:\windows\system32\SHMEDIA.DLL
2011-07-21 18:25 . 2011-07-21 18:25 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
2011-07-21 18:25 . 2011-07-21 18:25 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2011-07-21 18:22 . 2011-07-21 18:22 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
2011-07-21 18:21 . 2011-07-21 18:21 539968 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2011-07-19 20:08 . 2011-07-19 20:08 117040 ----a-w- c:\windows\system32\drivers\VBoxUSB.sys
2011-07-19 20:08 . 2011-07-30 23:10 131376 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys
2011-07-19 20:08 . 2011-07-19 20:08 165680 ----a-w- c:\windows\system32\drivers\VBoxNetFlt.sys
2011-07-19 20:08 . 2011-07-19 20:08 146736 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys
2011-07-19 20:08 . 2011-07-19 20:08 320816 ----a-w- c:\windows\system32\VBoxNetFltNobj.dll
2011-07-16 04:26 . 2011-08-09 21:21 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2011-07-11 22:17 . 2011-03-10 09:23 1698408 ----a-w- c:\windows\RtlExUpd.dll
2011-07-07 02:52 . 2011-08-04 05:14 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-06 01:37 . 2011-07-06 01:37 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2011-07-06 01:37 . 2011-07-06 01:37 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
2011-06-30 01:13 . 2011-06-30 01:13 695578 ------w- c:\windows\SysWow64\unins000.exe
2011-06-21 01:45 . 2011-06-21 01:45 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2011-06-21 01:44 . 2011-06-21 01:44 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2011-06-21 01:41 . 2011-06-21 01:41 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2011-06-21 01:41 . 2011-06-21 01:41 539968 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2011-06-11 03:07 . 2011-07-12 22:12 3137536 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG10\avgtray.exe" [2011-04-19 2334560]
"amd_dc_opt"="c:\program files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0c:\progra~2\AVG\AVG10\avgchsva.exe /sync\0c:\progra~2\AVG\AVG10\avgrsa.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R1 SASDIFSV;SASDIFSV;c:\users\Ryan\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV64.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\users\Ryan\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL64.SYS [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [x]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
R3 Desura Install Service;Desura Install Service;c:\program files (x86)\Common Files\Desura\desura_service.exe [2011-09-05 131912]
R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
R3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [x]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [x]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [x]
R3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [x]
R3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [x]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 VBoxUSB;VirtualBox USB;c:\windows\system32\Drivers\VBoxUSB.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 wsvd;wsvd;c:\windows\system32\DRIVERS\wsvd.sys [x]
R4 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [2009-10-09 169312]
R4 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [x]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [x]
S0 LHDmgr;LHDmgr;c:\windows\System32\DRIVERS\LhdX64.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [x]
S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [x]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [x]
S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2011-04-19 7398752]
S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG10\avgwdsvc.exe [2011-02-08 269520]
S2 Oasis2Service;Oasis2Service;c:\program files (x86)\DDNi\Oasis2Service 1.0\Oasis2Service.exe [2010-12-22 46080]
S2 sp_rsdrv2;Spyware Terminator Driver Filter;c:\windows\system32\DRIVERS\stflt.sys [x]
S3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\DRIVERS\AcpiVpc.sys [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [x]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [x]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [x]
S3 JmUsbCcgp;JMicron USB Composite Device Lower Filter Driver;c:\windows\system32\DRIVERS\jmccgp.sys [x]
S3 JmUsbVideo;JMicron 31x Upper Filter Driver;c:\windows\system32\Drivers\jmcam.sys [x]
S3 JmUsbVideo2;JMicron 31x Lower Filter Driver;c:\windows\system32\Drivers\jmcam_lo.sys [x]
S3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [x]
S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [x]
S3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EnergyUtility"="c:\program files (x86)\Lenovo\Energy Management\utility.exe" [2010-04-23 4462496]
"Energy Management"="c:\program files (x86)\Lenovo\Energy Management\Energy Management.exe" [2010-09-15 7069088]
"RtHDVBg_Dolby"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2011-06-03 2226280]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://lenovo.msn.com
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Free YouTube Download - c:\users\Ryan\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
IE: Send image to &Bluetooth Device... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\kldjrfma.default\
FF - prefs.js: browser.search.selectedEngine - Search the web
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{32b29df0-2237-4370-9a29-37cebb730e9b} - (no file)
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-P2kAutostart - (no file)
Toolbar-Locked - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
HKLM-Run-SynBtnAsst - c:\program files (x86)\Synaptics\SynTP\SynBtnAsst.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-Desura - c:\program files (x86)\Common Files\Desura\\Desura_Uninstaller.exe
AddRemove-eSupport UndeletePlus_is1 - e:\esupport undeleteplus\unins000.exe
AddRemove-{FD9C31B6-F572-414D-81E3-89368C97A125}_is1 - c:\program files (x86)\CamStudio 2.6b\unins000.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1839007091-301062112-3871788137-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A3C93FA0-94CA-F319-49A3-F9AA6E31305E}*]
"iaiblbekkhecjkckkc"=hex:69,61,6b,63,68,66,70,6a,62,69,63,6d,6e,65,6f,62,64,67,
00,00
"hacefgagedhfiejc"=hex:69,61,6b,63,68,66,70,6a,62,69,63,6d,6e,65,6f,62,64,67,
00,00
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-09-07 15:09:34
ComboFix-quarantined-files.txt 2011-09-07 22:09
.
Pre-Run: 307,139,858,432 bytes free
Post-Run: 307,090,923,520 bytes free
.
- - End Of File - - 35C8BA73FE2A94200E4146D954A8D333

Have a question, or just wanna chat? Send me a message. Or add me as a friend.

 


#11 Zestypanda

Zestypanda
  • Topic Starter

  • Members
  • 603 posts
  • Gender:Male
  • Location:Sunny San Diego, California.

Posted 07 September 2011 - 05:13 PM

The contents of the batch file it found have been attached as a text file. I don't know who created this batch file or where it came from; I don't remember making it :/

Attached Files

  • Attached File: info.txt (488 bytes)


 


#12 nasdaq

nasdaq

  • Malware Response Team
  • 40,256 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 08 September 2011 - 10:54 AM

Your ComboFix looks good.

The contents of the batch file it found has been attached as a text file,


The common denominator is PRDV10

Did you ever install this game?

http://search.4shared.com/search.html?searchmode=2&searchName=PRDV10.

If a program calls this file, it will test whether this folder and its files exist: c:\prdv10\*.*

If they exist, it will execute the message.exe and script.exe files, presumably located in the c:\prdv10\ folder.

@echo off
if exist c:\prdv10\*.* goto testc

:testc
c:
cd c:\prdv10
if exist message.exe start message.exe
if exist script.exe start script.exe
exit
goto end


It will also check the D: and E: drives and execute the files if found.

===

If you did not install this delete the batch file and the c:\prdv10\ folder.

Keep me posted.
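Added example, not code from this thread or from ComboFix: a small Python static triage of the batch snippet quoted above, which lists the paths the script checks for, the executables it would launch, and any goto whose label is never defined, without executing the batch. The batch text is embedded as constructed sample input copied from the post; the function and pattern names are my own.

```python
"""Static triage of a short Windows batch file (added example).

Reads the script text, follows `cd` to resolve relative names, and reports
what it checks for and what it would `start`, so a responder can judge a
found .bat without running it.
"""
import re

# Constructed copy of the batch snippet discussed in the thread.
SAMPLE_BATCH = r"""@echo off
if exist c:\prdv10\*.* goto testc

:testc
c:
cd c:\prdv10
if exist message.exe start message.exe
if exist script.exe start script.exe
exit
goto end
"""

IF_EXIST = re.compile(r"^if\s+exist\s+(\S+)\s+(.*)$", re.IGNORECASE)
START = re.compile(r'^start\s+(?:"[^"]*"\s+)?(\S+)', re.IGNORECASE)
CD = re.compile(r"^cd\s+(\S+)$", re.IGNORECASE)
GOTO = re.compile(r"^goto\s+(\S+)", re.IGNORECASE)


def qualify(cwd, path):
    """Resolve a relative name against the current `cd` target; lower-case for comparison."""
    if not cwd or re.match(r"^[a-z]:\\", path, re.IGNORECASE):
        return path.lower()
    return (cwd.rstrip("\\") + "\\" + path).lower()


def triage_batch(text):
    """Return (checked_paths, launched_executables, gotos_with_no_label)."""
    cwd, checked, launched, labels, gotos = "", [], [], set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("@") or line.lower().startswith("rem"):
            continue                      # echo toggles, blanks, comments
        if line.startswith(":"):
            labels.add(line[1:].lower())  # label definition
            continue
        m = CD.match(line)
        if m:
            cwd = m.group(1)
            continue
        m = IF_EXIST.match(line)
        if m:                             # record the guard, then inspect the guarded command
            checked.append(qualify(cwd, m.group(1)))
            line = m.group(2).strip()
        m = GOTO.match(line)
        if m:
            gotos.append(m.group(1).lower())
            continue
        m = START.match(line)
        if m:
            launched.append(qualify(cwd, m.group(1)))
    missing = sorted(g for g in set(gotos) if g not in labels)
    return checked, launched, missing


if __name__ == "__main__":
    for name, items in zip(("checks", "starts", "undefined labels"), triage_batch(SAMPLE_BATCH)):
        print(name + ":", ", ".join(items) or "-")
```

On the quoted snippet this reports the `c:\prdv10\*.*` check, the two executables under `c:\prdv10`, and that `goto end` has no `:end` label; note also that the first `goto testc` jumps to the very next label, so the folder check does not actually gate anything.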

#13 Zestypanda

Zestypanda
  • Topic Starter

  • Members
  • 603 posts
  • Gender:Male
  • Location:Sunny San Diego, California.

Posted 08 September 2011 - 05:17 PM

I don't remember installing that game. I do, however, remember installing some other game, but I cannot remember what its name was. :/


 


#14 nasdaq

nasdaq

  • Malware Response Team
  • 40,256 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 08 September 2011 - 05:54 PM

Delete this folder in bold. c:\prdv10

Please let me know what problem persists.

#15 Zestypanda

Zestypanda
  • Topic Starter

  • Members
  • 603 posts
  • Gender:Male
  • Location:Sunny San Diego, California.

Posted 09 September 2011 - 01:13 PM

Okay, I looked; I cannot find the said folder. Sorry I wasn't able to respond quicker; I live in San Diego, so I was affected by the blackout.
