
Possible Tracur.y / Google Redirect


  • This topic is locked
2 replies to this topic

#1 SinitusT
  • Members
  • 1 posts

Posted 04 September 2011 - 06:11 PM

Hello. A few weeks ago my computer became infected with the tracur.y virus, which created redirects on Google searches. I basically piggybacked on someone else's thread and it removed the virus without a problem. All of the Google redirects were gone and all of my anti-virus scans showed up clean.

Just today the virus seems to have come back (or so I think). MSE hasn't picked up on it yet, but the Google redirects are back. I'm running Windows 7 Ultimate.

Logs:
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20
Run by Joey at 15:49:33 on 2011-09-04
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.4095.2517 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\ASUS\WLAN Card Utilities\ASWLCCSVC.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files (x86)\TuneUp Utilities 2011\TuneUpUtilitiesService64.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\TuneUp Utilities 2011\TuneUpUtilitiesApp64.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\IObit\Game Booster\gbtray.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\rundll32.exe
C:\Program Files (x86)\MA311 PCI Adapter Configuration Utility\wlanutil.exe
C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\foobar2000\foobar2000.exe
C:\Program Files (x86)\Last.fm\LastFM.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: IObit Toolbar: {0bda0769-fd72-49f4-9266-e1fb004f4d8f} - C:\Program Files (x86)\IObit Toolbar\IE\4.6\iobitToolbarIE.dll
BHO: {07d86aba-b2d9-4150-9956-3db6efc451a2} - C:\Windows\SysWow64\wscui32.dll
BHO: IObit Toolbar: {0bda0769-fd72-49f4-9266-e1fb004f4d8f} - C:\Program Files (x86)\IObit Toolbar\IE\4.6\iobitToolbarIE.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: IObit Toolbar: {0bda0769-fd72-49f4-9266-e1fb004f4d8f} - C:\Program Files (x86)\IObit Toolbar\IE\4.6\iobitToolbarIE.dll
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [DFUserRootUpdate] C:\Users\Joey\AppData\Local\DFUserRoot\DFUserRootUpdate\DFUserRootupdt32.exe
uRun: [MouseProfileUpdate] rundll32.exe "C:\ProgramData\MouseProfileUpdate.dll",DllRegisterServer
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun: [<NO NAME>]
mRun: [SearchSettings] "C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe"
dRun: [DFUserRootUpdate] C:\Users\Joey\AppData\Local\DFUserRoot\DFUserRootUpdate\DFUserRootupdt32.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\CONFIG~1.LNK - C:\Program Files (x86)\MA311 PCI Adapter Configuration Utility\wlanutil.exe
uPolicies-explorer: NoThumbnailCache = 1 (0x1)
uPolicies-explorer: DisableThumbnailsOnNetworkFolders = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: Interfaces\{CE49341B-0225-4E13-972F-C6F8DACD68EC} : NameServer = 10.0.0.1
TCP: Interfaces\{CE49341B-0225-4E13-972F-C6F8DACD68EC}\F6E6564723 : DhcpNameServer = 10.0.0.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
C:\Windows\SysWow64\wscui32.dll
BHO-X64: IObit Toolbar: {0BDA0769-FD72-49F4-9266-E1FB004F4D8F} - C:\Program Files (x86)\IObit Toolbar\IE\4.6\iobitToolbarIE.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Skype Plug-In: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: IObit Toolbar: {0BDA0769-FD72-49F4-9266-E1FB004F4D8F} - C:\Program Files (x86)\IObit Toolbar\IE\4.6\iobitToolbarIE.dll
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun-x64: [(Default)]
mRun-x64: [SearchSettings] "C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Joey\AppData\Roaming\Mozilla\Firefox\Profiles\i2fhzlt9.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=382950&p=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 61030
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\null\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Joey\AppData\Local\Google\Update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: C:\Users\Joey\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 ASWLCCSvc;ASUS Wireless Card Service;C:\Program Files (x86)\ASUS\WLAN Card Utilities\ASWLCCSVC.exe [2011-6-21 172032]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-8-21 366640]
R2 StarWindServiceAE;StarWind AE Service;C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe [2009-12-23 370688]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;C:\Program Files (x86)\TuneUp Utilities 2011\TuneUpUtilitiesService64.exe [2011-8-15 2027840]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;C:\Windows\system32\Drivers\nx6000.sys --> C:\Windows\system32\Drivers\nx6000.sys [?]
R3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\system32\DRIVERS\netr28x.sys --> C:\Windows\system32\DRIVERS\netr28x.sys [?]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;C:\Program Files (x86)\TuneUp Utilities 2011\TuneUpUtilitiesDriver64.sys [2011-5-31 11856]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 FLASHSYS;FLASHSYS;C:\Program Files (x86)\MSI\Live Update 4\LU4\Flashsys64.sys [2010-5-5 15192]
S3 npggsvc;nProtect GameGuard Service;C:\Windows\system32\GameMon.des -service --> C:\Windows\system32\GameMon.des -service [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-4-30 136176]
S4 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-4-30 136176]
S4 vpnagent;Cisco AnyConnect VPN Agent;C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2009-12-17 497856]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2011-09-04 07:47:40 239104 ----a-w- C:\Windows\SysWow64\wscui32.dll
2011-09-04 07:47:36 68608 ----a-w- C:\ProgramData\MouseProfileUpdate.dll
2011-09-03 22:57:09 8862544 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{75270D15-489A-4522-B2DC-485FF23F319E}\mpengine.dll
2011-09-02 03:10:00 -------- d-----w- C:\Program Files (x86)\IObit Toolbar
2011-09-02 03:10:00 -------- d-----w- C:\Program Files (x86)\Common Files\Spigot
2011-09-02 03:10:00 -------- d-----w- C:\Program Files (x86)\Application Updater
2011-09-01 01:00:47 -------- d-----w- C:\Users\Joey\AppData\Local\dxhr
2011-09-01 01:00:03 -------- d-----w- C:\Users\Joey\AppData\Local\28050
2011-09-01 01:00:02 -------- d-----w- C:\Users\Joey\AppData\Local\SKIDROW
2011-09-01 00:54:03 -------- d-----w- C:\Users\Joey\AppData\Roaming\DYA_PPGNOHWWWWJRTBLBR
2011-09-01 00:54:03 -------- d-----w- C:\ProgramData\DYA_PPGNOHWWWWJRTBLBR
2011-08-25 00:06:23 -------- d-sh--w- C:\$RECYCLE.BIN
2011-08-24 11:53:45 34624 ----a-w- C:\Windows\System32\TURegOpt.exe
2011-08-24 11:53:39 36160 ----a-w- C:\Windows\System32\uxtuneup.dll
2011-08-24 11:53:39 29504 ----a-w- C:\Windows\SysWow64\uxtuneup.dll
2011-08-24 11:53:38 25920 ----a-w- C:\Windows\System32\authuitu.dll
2011-08-24 11:53:38 21312 ----a-w- C:\Windows\SysWow64\authuitu.dll
2011-08-24 11:53:27 -------- d-----w- C:\Users\Joey\AppData\Roaming\TuneUp Software
2011-08-24 11:53:18 -------- d-----w- C:\Program Files (x86)\TuneUp Utilities 2011
2011-08-24 11:53:00 -------- d-----w- C:\ProgramData\TuneUp Software
2011-08-24 11:52:57 -------- d-sh--w- C:\ProgramData\{24036256-BFDB-4CD3-BE8A-A3D6160F2E16}
2011-08-24 11:15:43 -------- d-----w- C:\ProgramData\AVAST Software
2011-08-24 11:15:43 -------- d-----w- C:\Program Files\AVAST Software
2011-08-24 10:42:24 -------- d-----w- C:\Users\Joey\AppData\Roaming\Auslogics
2011-08-24 10:40:43 -------- d-----w- C:\Program Files (x86)\Auslogics
2011-08-24 10:39:25 -------- dc----w- C:\ProgramData\{C4C0E335-EDDF-46A0-A57D-F3802AE44275}
2011-08-23 18:28:09 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2011-08-23 18:28:09 2048 ----a-w- C:\Windows\System32\tzres.dll
2011-08-23 10:01:03 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2011-08-23 10:00:43 8862544 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
2011-08-21 09:29:28 -------- d-----w- C:\Users\Joey\AppData\Roaming\ESET
2011-08-21 09:29:28 -------- d-----w- C:\Users\Joey\AppData\Local\ESET
2011-08-21 09:20:50 41272 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-08-21 09:20:46 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-08-21 09:08:03 -------- d-----w- C:\Windows\pss
2011-08-21 09:05:32 -------- d-----w- C:\Program Files\CCleaner
2011-08-11 23:27:06 601424 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{5E472A3B-1EC6-4409-9CB9-1F16E93D8CA2}\gapaengine.dll
2011-08-09 21:36:59 482816 ----a-w- C:\Windows\System32\html.iec
2011-08-09 21:36:59 386048 ----a-w- C:\Windows\SysWow64\html.iec
2011-08-09 21:36:59 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-08-09 21:36:59 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-08-09 21:36:57 5507968 ----a-w- C:\Windows\System32\ntoskrnl.exe
2011-08-09 21:36:57 3957120 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2011-08-09 21:36:56 3902336 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2011-08-08 08:12:07 -------- d-----w- C:\TDSSKiller_Quarantine
.
==================== Find3M ====================
.
2011-09-03 01:14:15 280736 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2011-09-03 01:14:15 280736 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2011-09-03 01:12:51 215128 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
2011-07-16 05:26:54 362496 ----a-w- C:\Windows\System32\wow64win.dll
2011-07-16 05:26:53 243200 ----a-w- C:\Windows\System32\wow64.dll
2011-07-16 05:26:53 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2011-07-16 05:26:18 214528 ----a-w- C:\Windows\System32\winsrv.dll
2011-07-16 05:24:09 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2011-07-16 05:21:32 422400 ----a-w- C:\Windows\System32\KernelBase.dll
2011-07-16 05:17:46 338432 ----a-w- C:\Windows\System32\conhost.exe
2011-07-16 04:36:09 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2011-07-16 04:32:14 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2011-07-16 04:31:50 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2011-07-16 04:30:29 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2011-07-16 04:30:27 272384 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2011-07-16 02:26:12 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2011-07-16 02:26:11 2048 ----a-w- C:\Windows\SysWow64\user.exe
2011-07-16 02:21:47 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2011-07-16 02:21:47 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 02:21:47 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 02:21:47 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2011-07-11 01:58:44 75136 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
2011-07-11 01:46:22 2434856 ----a-w- C:\Windows\SysWow64\pbsvc_bc2.exe
2011-07-09 02:44:55 287744 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2011-07-07 02:52:42 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-06-21 10:07:47 30208 ----a-w- C:\Windows\System32\drivers\AegisP.sys
2011-06-21 06:27:14 1896832 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2011-06-21 06:20:48 1197056 ----a-w- C:\Windows\System32\wininet.dll
2011-06-21 06:20:06 57856 ----a-w- C:\Windows\System32\licmgr10.dll
2011-06-21 05:36:36 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-06-21 05:35:05 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2011-06-15 09:58:31 212992 ----a-w- C:\Windows\System32\odbctrac.dll
2011-06-15 09:58:31 163840 ----a-w- C:\Windows\System32\odbccp32.dll
2011-06-15 09:58:31 106496 ----a-w- C:\Windows\System32\odbccu32.dll
2011-06-15 09:58:31 106496 ----a-w- C:\Windows\System32\odbccr32.dll
2011-06-15 09:04:46 86016 ----a-w- C:\Windows\SysWow64\odbccu32.dll
2011-06-15 09:04:46 81920 ----a-w- C:\Windows\SysWow64\odbccr32.dll
2011-06-15 09:04:46 319488 ----a-w- C:\Windows\SysWow64\odbcjt32.dll
2011-06-15 09:04:46 163840 ----a-w- C:\Windows\SysWow64\odbctrac.dll
2011-06-15 09:04:46 122880 ----a-w- C:\Windows\SysWow64\odbccp32.dll
2011-06-11 02:56:44 3134464 ----a-w- C:\Windows\System32\win32k.sys
.
============= FINISH: 15:50:19.80 ===============

I had some trouble with the GMER scan. A lot of the boxes I was supposed to check were greyed out and wouldn't allow me to check them. The System, Sections, IAT/EAT, Devices, Modules, Processes, Threads, and Libraries boxes were all greyed out.

Here is the log from that:
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-04 16:09:54
Windows 6.1.7600
Running: gmer.exe


---- Files - GMER 1.0.15 ----

File C:\ProgramData\Microsoft\Windows\Start Menu\Folder Lock 6.lnk 1114 bytes
File C:\Windows\SysWOW64\sys_drv_2.dat 6024 bytes
File C:\Users\Joey\AppData\Roaming\systemfl.$dk 990 bytes

---- EOF - GMER 1.0.15 ----


#2 snemelk
    inżynier (engineer)
  • Malware Response Team
  • 1,468 posts
  • Gender: Male
  • Location: Poland

Posted 09 September 2011 - 03:11 PM

Hi SinitusT, and welcome to Bleeping Computer.

Firstly,
These folders recently created caught my eye:

2011-09-01 01:00:47 -------- d-----w- C:\Users\Joey\AppData\Local\dxhr
2011-09-01 01:00:03 -------- d-----w- C:\Users\Joey\AppData\Local\28050
2011-09-01 01:00:02 -------- d-----w- C:\Users\Joey\AppData\Local\SKIDROW
2011-09-01 00:54:03 -------- d-----w- C:\Users\Joey\AppData\Roaming\DYA_PPGNOHWWWWJRTBLBR
2011-09-01 00:54:03 -------- d-----w- C:\ProgramData\DYA_PPGNOHWWWWJRTBLBR

The name Skidrow has something to do with cracks/keygens for computer games... Of course, using pirated software is simply stealing copyrighted material... Anyway, when it comes to malware removal, the point is that the source of many infections is the use of cracks or keygens by victims... That's why I ask you to uninstall all pirated software/games from your computer (of course, if there is any) prior to following the steps below... It's your choice if you decide to do it; however, please note that I might not be able to guarantee a clean computer if pirated software is present on the computer...

Secondly,
Please go to http://www.virustotal.com/, click on Browse, and upload the following file for analysis:

C:\Windows\SysWow64\wscui32.dll

Then click Send File. Allow the file to be uploaded and scanned. Then, please post a link to the results page for me to see.

Please do the same for this file: C:\ProgramData\MouseProfileUpdate.dll

Thirdly,
  • Please launch Malwarebytes' Anti-Malware, click the Update tab, and then Check for Updates.
  • Then choose the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Finally,
Download OTL.exe by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe.
  • In the "Custom Scans/Fixes" window (under the light green bar) paste the following:

    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Click Run Scan and let the program run uninterrupted.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL. Post both logs in this thread.
  • You may need to use two posts to get it all.

snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver
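A mechanical pass over the DDS log posted earlier in this thread lands on the same two files snemelk asks to have scanned, and it also surfaces two things neither post spells out: EnableLUA = 0 in the mPolicies-system block means UAC is switched off entirely, so anything running as this user already has full administrative rights without a prompt, and Firefox's prefs.js carries a localhost HTTP proxy (127.0.0.1:61030) that is dormant only because network.proxy.type is 0. The script below is an added example written for this page; it is not part of the original thread and not code from DDS, GMER, OTL or any other tool mentioned here. It parses a handful of lines excerpted from the log above (labelled as a constructed sample), extracts autorun entries, UAC policy values, Firefox proxy prefs and recently-created files, and applies a few triage rules a malware-response helper would otherwise apply by eye. The line-format regexes assume the 2011-era DDS layout shown in the log, and the severities, the rule names and the 10-minute "dropped together" window are the author's choices, not anything the tools define.

```python
"""Triage a DDS log excerpt: autoruns, UAC policy, Firefox proxy prefs and
recently-created files, with a few rules applied on top. Added example; the
rule set and thresholds are the author's, not DDS's."""
import re
from datetime import datetime, timedelta

# Constructed sample: lines excerpted verbatim from the DDS log in this thread.
DDS_LOG = r"""
============== Pseudo HJT Report ===============
BHO: {07d86aba-b2d9-4150-9956-3db6efc451a2} - C:\Windows\SysWow64\wscui32.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [DFUserRootUpdate] C:\Users\Joey\AppData\Local\DFUserRoot\DFUserRootUpdate\DFUserRootupdt32.exe
uRun: [MouseProfileUpdate] rundll32.exe "C:\ProgramData\MouseProfileUpdate.dll",DllRegisterServer
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 61030
FF - prefs.js: network.proxy.type - 0
=============== Created Last 30 ================
2011-09-04 07:47:40 239104 ----a-w- C:\Windows\SysWow64\wscui32.dll
2011-09-04 07:47:36 68608 ----a-w- C:\ProgramData\MouseProfileUpdate.dll
2011-09-02 03:10:00 -------- d-----w- C:\Program Files (x86)\IObit Toolbar
"""

# Line shapes as they appear in a 2011-era DDS log (assumption: other versions may differ).
AUTORUN_RE = re.compile(r"^(?P<kind>[umd]?Run|BHO|TB|uURLSearchHooks)(?:-x64)?:\s*(?P<rest>.*)$", re.I)
POLICY_RE = re.compile(r"^mPolicies-system:\s*(?P<name>\w+)\s*=\s*(?P<value>\d+)")
PREF_RE = re.compile(r"^FF - (?:prefs|user)\.js:\s*(?P<key>\S+)\s*-\s*(?P<value>.*)$")
CREATED_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+\S+\s+\S+\s+(?P<path>.+?)\s*$")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\n]*?\.(?:exe|dll|cpl|scr)", re.I)  # first drive-rooted path with a loadable extension
USER_WRITABLE = ("\\programdata\\", "\\appdata\\")       # locations a standard user can write to
UAC_KEYS = ("EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop")  # 0 in any of these weakens UAC


def parse_dds(text):
    """Split a DDS log into autorun entries, UAC policy values, Firefox prefs and created-file records."""
    autoruns, policies, prefs, created = [], {}, {}, []
    for line in text.splitlines():
        if (m := AUTORUN_RE.match(line)):
            rest = m.group("rest")
            autoruns.append({
                "kind": m.group("kind").upper(),
                "raw": line,
                "paths": [p.lower() for p in PATH_RE.findall(rest)],
                # A BHO/TB line normally reads "Name: {GUID} - path"; one starting at the GUID has no display name.
                "unnamed": m.group("kind").upper() in ("BHO", "TB") and rest.startswith("{"),
            })
        elif (m := POLICY_RE.match(line)):
            policies[m.group("name")] = int(m.group("value"))
        elif (m := PREF_RE.match(line)):
            prefs[m.group("key")] = m.group("value").strip()
        elif (m := CREATED_RE.match(line)):
            created.append((datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("path").lower()))
    return autoruns, policies, prefs, created


def triage(text, window=timedelta(minutes=10)):
    """Return (severity, rule, detail) findings for a DDS log. Rules and severities are the author's."""
    autoruns, policies, prefs, created = parse_dds(text)
    findings = []
    for key in UAC_KEYS:
        if policies.get(key, 1) == 0:
            findings.append(("high", "uac-disabled", f"{key} = 0"))
    if prefs.get("network.proxy.http") in ("127.0.0.1", "localhost"):
        # network.proxy.type 0 means "no proxy", so the entry is dormant; still worth explaining why it is there.
        active = prefs.get("network.proxy.type", "0") != "0"
        findings.append(("high" if active else "info", "ff-localhost-proxy",
                         f"network.proxy.http = {prefs['network.proxy.http']}:{prefs.get('network.proxy.http_port', '?')}"
                         f" (network.proxy.type = {prefs.get('network.proxy.type', '?')})"))
    created_at = {path: ts for ts, path in created}
    for entry in autoruns:
        raw = entry["raw"].lower()
        if entry["unnamed"]:
            findings.append(("high", "unnamed-bho", entry["raw"]))
        if "rundll32" in raw and "dllregisterserver" in raw:
            findings.append(("high", "rundll32-dll-autorun", entry["raw"]))
        for path in entry["paths"]:
            if any(tok in path for tok in USER_WRITABLE):
                findings.append(("medium", "autorun-in-user-writable-dir", path))
            ts = created_at.get(path)
            if ts is not None:
                # Files written within `window` of an autorun's target were very likely dropped by the same installer.
                siblings = sorted(q for t, q in created if q != path and abs(t - ts) <= window)
                findings.append(("info", "recently-created",
                                 f"{path} at {ts:%Y-%m-%d %H:%M:%S}; dropped alongside: {siblings}"))
    return findings


if __name__ == "__main__":
    for severity, rule, detail in triage(DDS_LOG):
        print(f"[{severity:6}] {rule:30} {detail}")
```

Run against the excerpt, the unnamed BHO rule and the rundll32/DllRegisterServer rule pick out wscui32.dll and MouseProfileUpdate.dll respectively, and the timestamp correlation ties the two together (created four seconds apart). The DFUserRoot entry under AppData\Local is reported only as "autorun in a user-writable directory": the rule says where the file lives, not that it is malicious, which is exactly the distinction that makes a VirusTotal check of the file the right next step rather than a blind deletion.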


#3 snemelk
    inżynier (engineer)
  • Malware Response Team
  • 1,468 posts
  • Gender: Male
  • Location: Poland

Posted 25 September 2011 - 11:01 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.




