
combofix results and dds


This topic is locked
2 replies to this topic

#1 prohantu

  • Members
  • 1 posts

Posted 08 April 2012 - 02:49 AM

DDS.txt log result


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by ArofAni at 15:18:06 on 2012-04-08
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.1526.494 [GMT 8:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Windows\AGRSMMSG.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Users\ArofAni\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\ArofAni\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\ArofAni\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\ArofAni\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\rundll32.exe
C:\Users\ArofAni\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\sppsvc.exe
C:\Program Files\Mobile Partner\Mobile Partner.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\WUDFHost.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
BHO: IDM integration (IDMIEHlprObj Class): {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: Interfaces\{33FF49B4-3D36-4A54-A35B-41446DE7FACE} : NameServer = 203.82.64.145 203.82.64.129
TCP: Interfaces\{3FA4CD95-675E-4B5D-97EB-6E111A0D9153} : NameServer = 203.82.64.145 203.82.64.129
TCP: Interfaces\{CA17ACA5-8BC7-475C-B2BB-C3DE5367D36B} : DhcpNameServer = 10.10.100.90 10.15.3.37
TCP: Interfaces\{CA17ACA5-8BC7-475C-B2BB-C3DE5367D36B}\E45525F5B48414942555E4 : NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{CA17ACA5-8BC7-475C-B2BB-C3DE5367D36B}\E45525F5B48414942555E4 : DhcpNameServer = 202.188.1.5 202.188.0.133
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
.
============= SERVICES / DRIVERS ===============
.
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
R2 IDMWFP;IDMWFP;c:\windows\system32\drivers\idmwfp.sys [2012-3-16 91936]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2012-4-2 206336]
R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\drivers\ew_jubusenum.sys [2012-4-2 70656]
R3 NETwLv32; Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETwLv32.sys [2012-3-31 6639616]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-9-28 315392]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-3-31 253600]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\drivers\ew_hwusbdev.sys [2012-4-2 101504]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-3-25 30969208]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-11 4231168]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-3-31 15872]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2012-3-31 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2012-3-31 1343400]
.
=============== Created Last 30 ================
.
2012-04-08 07:12:15 -------- d-sh--w- C:\$RECYCLE.BIN
2012-04-08 07:05:37 -------- d-----w- c:\users\arofani\appdata\local\temp
2012-04-08 06:41:34 98816 ----a-w- c:\windows\sed.exe
2012-04-08 06:41:34 518144 ----a-w- c:\windows\SWREG.exe
2012-04-08 06:41:34 256000 ----a-w- c:\windows\PEV.exe
2012-04-08 06:41:34 208896 ----a-w- c:\windows\MBR.exe
2012-04-08 06:41:26 -------- d-----w- C:\ComboFix
2012-04-06 14:23:36 6582328 ------w- c:\programdata\microsoft\windows defender\definition updates\{9a03f56e-2bc2-4714-b351-417285b0d97e}\mpengine.dll
2012-04-06 09:33:48 -------- d-----w- c:\program files\EA Sports
2012-04-04 17:02:38 6582328 ----a-w- c:\programdata\microsoft\windows defender\definition updates\backup\mpengine.dll
2012-04-02 11:06:08 70656 ----a-w- c:\windows\system32\drivers\ew_jubusenum.sys
2012-04-02 11:06:08 69632 ----a-w- c:\windows\system32\drivers\ew_jucdcacm.sys
2012-04-02 11:06:08 51584 ----a-w- c:\windows\system32\drivers\ew_jucdcecm.sys
2012-04-02 11:06:08 26880 ----a-w- c:\windows\system32\drivers\ew_juextctrl.sys
2012-04-02 11:06:08 167936 ----a-w- c:\windows\system32\drivers\ew_juwwanecm.sys
2012-04-02 11:06:08 1461992 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
2012-04-02 11:06:08 1461992 ----a-w- c:\windows\system32\drivers\WdfCoInstaller01009.dll
2012-04-02 11:06:00 860928 ----a-w- c:\windows\system32\drivers\mod7700.sys
2012-04-02 11:06:00 27136 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2012-04-02 11:06:00 206336 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
2012-04-02 11:06:00 11136 ----a-w- c:\windows\system32\drivers\ew_usbenumfilter.sys
2012-04-02 11:06:00 105984 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2012-04-02 11:05:50 101504 ----a-w- c:\windows\system32\drivers\ew_hwusbdev.sys
2012-04-02 11:05:32 -------- d-----w- c:\program files\Mobile Partner
2012-04-01 15:04:59 -------- d-----w- c:\users\arofani\appdata\local\Adobe
2012-04-01 14:53:46 108032 ----a-w- c:\windows\Explorermgr.exe
2012-03-31 17:21:46 -------- d-----w- c:\windows\Panther
2012-03-31 12:43:26 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-31 12:43:26 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-31 12:37:58 446258 ----a-w- c:\windows\AutoKMS.exe
2012-03-31 12:29:14 -------- d-----w- c:\users\arofani\appdata\roaming\Smadav
2012-03-31 12:29:14 -------- d-----w- c:\program files\Smadav
2012-03-31 12:28:58 -------- d-----w- C:\[Smad-Cage]
2012-03-31 12:25:44 -------- d-----w- c:\program files\VideoLAN
2012-03-31 12:09:16 -------- d-----w- c:\program files\Microsoft Synchronization Services
2012-03-31 12:08:43 -------- d-----w- c:\windows\PCHEALTH
2012-03-31 12:08:43 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2012-03-31 12:07:20 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2012-03-31 12:05:50 -------- d-----w- c:\program files\Microsoft Analysis Services
2012-03-31 12:05:00 -------- d-----w- c:\users\arofani\appdata\local\Microsoft Help
2012-03-31 11:14:19 58880 ----a-w- c:\windows\system32\rdpwsx.dll
2012-03-31 11:14:19 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-03-31 10:21:41 -------- d-----w- c:\windows\system32\SPReview
2012-03-31 10:21:05 -------- d-----w- c:\windows\system32\EventProviders
2012-03-31 07:32:59 2494464 ----a-w- c:\windows\system32\netshell.dll
2012-03-31 07:31:59 94208 ----a-w- c:\program files\common files\system\msadc\msadcf.dll
2012-03-31 07:02:48 75776 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2012-03-31 06:32:49 -------- d-----w- c:\windows\system32\Wat
2012-03-31 05:47:21 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-31 05:46:51 -------- d-sh--w- c:\windows\Installer
2012-03-31 05:39:11 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-03-31 05:39:11 3913584 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-03-31 05:37:32 67072 ----a-w- c:\windows\system32\packager.dll
2012-03-31 05:37:01 805376 ----a-w- c:\windows\system32\FntCache.dll
2012-03-31 05:37:01 739840 ----a-w- c:\windows\system32\d2d1.dll
2012-03-31 05:35:58 293376 ----a-w- c:\windows\system32\umpnpmgr.dll
2012-03-31 05:34:55 571904 ----a-w- c:\windows\system32\oleaut32.dll
2012-03-31 05:33:44 2616320 ----a-w- c:\windows\explorer.exe
2012-03-31 05:33:27 534528 ----a-w- c:\windows\system32\EncDec.dll
2012-03-31 05:33:26 219136 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-03-31 05:33:26 161792 ----a-w- c:\windows\system32\d3d10_1.dll
2012-03-31 05:31:29 123904 ----a-w- c:\windows\system32\poqexec.exe
2012-03-31 05:29:10 -------- d-----w- c:\users\arofani\appdata\local\Microsoft Games
2012-03-31 05:27:29 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-03-31 05:25:11 919040 ----a-w- c:\windows\system32\rdpcorets.dll
2012-03-31 05:25:11 826880 ----a-w- c:\windows\system32\rdpcore.dll
2012-03-31 05:25:11 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-03-31 05:25:11 18432 ----a-w- c:\windows\system32\drivers\tdpipe.sys
2012-03-31 05:25:11 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-03-31 05:25:11 15872 ----a-w- c:\windows\system32\drivers\rdpvideominiport.sys
2012-03-31 05:25:11 134656 ----a-w- c:\windows\system32\rdpudd.dll
2012-03-31 05:24:42 728448 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2012-03-31 05:24:42 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2012-03-31 05:24:42 107520 ----a-w- c:\windows\system32\cdd.dll
2012-03-31 05:22:49 27008 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2012-03-31 05:16:42 4135800 ----a-w- c:\windows\system32\GameMon.des
2012-03-31 05:15:15 5174 ----a-w- c:\windows\system32\nppt9x.vxd
2012-03-31 05:15:15 4682 ----a-w- c:\windows\system32\npptNT2.sys
2012-03-31 05:14:53 -------- d-----w- c:\program files\common files\INCA Shared
2012-03-31 05:08:36 -------- d-----w- c:\windows\system32\x64
2012-03-31 05:06:29 6639616 ----a-w- c:\windows\system32\drivers\NETwLv32.sys
2012-03-31 05:06:28 675840 ----a-w- c:\windows\system32\NETwLc32.dll
2012-03-31 05:06:28 2756608 ----a-w- c:\windows\system32\NETwLr32.dll
2012-03-31 05:03:11 -------- d-----w- c:\program files\CCleaner
2012-03-31 05:00:22 -------- d-----w- c:\users\arofani\appdata\roaming\IDM
2012-03-31 05:00:21 -------- d-----w- c:\users\arofani\appdata\roaming\DMCache
2012-03-31 05:00:16 -------- d-----w- c:\program files\Internet Download Manager
2012-03-31 02:03:23 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-03-31 01:48:53 -------- d-----w- c:\programdata\Uniblue
2012-03-31 01:47:47 -------- d-----w- c:\users\arofani\appdata\local\Google
2012-03-31 01:36:55 -------- d-----w- c:\windows\system32\wbem\Performance
2012-03-31 01:35:51 -------- d-----w- C:\Recovery
2012-03-31 01:09:43 -------- d-----w- C:\Boot
2012-03-16 11:08:36 91936 ----a-w- c:\windows\system32\drivers\idmwfp.sys
.
==================== Find3M ====================
.
2012-03-31 10:59:46 152576 ----a-w- c:\windows\system32\msclmd.dll
2012-03-31 05:10:26 58400 ----a-w- c:\windows\system32\RtkCoInst.dll
2012-03-31 05:08:02 59392 ----a-w- c:\windows\system32\oemdspif.dll
2012-02-10 05:38:43 1077248 ----a-w- c:\windows\system32\DWrite.dll
2012-02-03 03:54:27 2343424 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 15:19:07.63 ===============
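One thing in the Pseudo HJT Report above that a responder would normally pick out is the block of mPolicies-system lines: EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop are all 0, which means UAC is switched off on this machine. As an added example (my own code, not part of DDS, ComboFix or anything posted in this thread), here is a small Python parser that pulls those lines out of a DDS log and reports which UAC values differ from the stock Windows 7 settings. The default values in UAC_DEFAULTS, the function names and the embedded sample lines are my own assumptions and constructions; the sample copies the policy lines from the log above.

```python
import re

# Constructed sample: the mPolicies-system block as it appears in the DDS log
# above, with one neighbouring line on each side so the parser has to skip them.
SAMPLE_LOG = """\
============== Pseudo HJT Report ===============
.
mRun: [IgfxTray] c:\\windows\\system32\\igfxtray.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Download with IDM - c:\\program files\\internet download manager\\IEExt.htm
"""

# DDS prints each HKLM ...\Policies\System value as
#   mPolicies-system: <Name> = <decimal> (<hex>)
POLICY_RE = re.compile(
    r"^mPolicies-system:\s*(\w+)\s*=\s*(\d+)\s*\(0x[0-9a-fA-F]+\)\s*$"
)

# Out-of-the-box UAC values on Windows 7 (assumption: taken from Microsoft's
# documented defaults, not from the log). Anything that differs deserves a
# second look, because these keys decide whether elevation prompts appear at all.
UAC_DEFAULTS = {
    "EnableLUA": 1,                   # 0 turns UAC off entirely
    "ConsentPromptBehaviorAdmin": 5,  # 0 lets admin processes elevate silently
    "ConsentPromptBehaviorUser": 3,   # 3 prompts standard users for credentials
    "PromptOnSecureDesktop": 1,       # 0 lets other windows overlay the prompt
    "EnableUIADesktopToggle": 0,
}


def parse_policies(log_text):
    """Return {policy_name: int_value} for every mPolicies-system line."""
    policies = {}
    for line in log_text.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            policies[m.group(1)] = int(m.group(2))
    return policies


def uac_findings(policies):
    """List (name, observed, default) for UAC values that differ from default.

    Values DDS did not print are left out rather than guessed, so the result
    only ever contains settings that are actually visible in the log.
    """
    findings = []
    for name, default in UAC_DEFAULTS.items():
        if name in policies and policies[name] != default:
            findings.append((name, policies[name], default))
    return findings


def uac_disabled(policies):
    """True when EnableLUA is present and set to 0, i.e. UAC is switched off."""
    return policies.get("EnableLUA") == 0


if __name__ == "__main__":
    pol = parse_policies(SAMPLE_LOG)
    print("UAC disabled:", uac_disabled(pol))
    for name, seen, default in uac_findings(pol):
        print(f"  {name} = {seen} (default {default})")
```

Run against the sample it flags EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop; ConsentPromptBehaviorUser and EnableUIADesktopToggle match the defaults and are not reported. Feeding it a full DDS.txt works the same way, since only the mPolicies-system lines are matched.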



#2 nasdaq

  • Malware Response Team
  • 38,948 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 13 April 2012 - 10:32 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please Download
TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double-click aswMBR.exe to run it.

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please post the logs and let me know the nature of your problems with this computer.

#3 nasdaq

  • Malware Response Team
  • 38,948 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 19 April 2012 - 10:20 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
