System is infected with the win32/Chir.B@mm (runouce.exe) virus, many programmes have been corrupted


  • This topic is locked
9 replies to this topic

#1 DonFol

  • Members
  • 14 posts

Posted 21 April 2012 - 06:11 PM

The Windows 7 OS drive on my system got infected with the win32/Chir.B@mm (runouce.exe) virus, I guess through an email. The virus started multiplying and also imported some trojans, and it seemed my Microsoft Security Essentials antivirus couldn’t handle it. At one point I had to reinstall the antivirus programme. I posted a topic “How do I completely remove the win32 Chir.B@mm aka win32 runouce.exe virus?” to the “Am I infected? What do I do?” forum. A BC advisor asked me to run the following scans: SecurityCheck.exe, FSS, MiniToolBox, MBAM and aswMBR. Prior to getting the previous instructions from the advisor, I had run MBAM in safe mode following an online post. So, when I posted my scan results to the forum, all appeared to be clean. Nevertheless, the BC advisor still asked me to run Temp File Cleaner and ESET Online Scanner. To my utter dismay, the ESET online scan showed 280 infections, with about 190 of them on a second drive on my system with the Vista OS. Most of the infections (>90%) were with this win32/Chir.B virus. I was surprised that the Vista OS drive got infected since I have not accessed the drive after the infection occurred. My BC advisor then instructed me to go for more advanced checks and directed me to this forum. The virus has corrupted many programmes on my system like Adobe CS4 (which I tried to uninstall, but without success), WinRAR and DAP downloader, and has infected many files in Encyclopaedia Britannica and other programmes. Following online posts, I disabled runouce.exe at startup and deleted its registry keys. Recently, while scanning the Windows 7 drive, my MSE antivirus detected the win32/Chir.B virus again. On looking at the details, it seemed it reported that the virus was on the Vista drive and in the Recycle Bin. The ESET scan itself did not detect any infections. I have disabled my MSE antivirus programme. I don’t really know whether my system is clean.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Dr.akinmoladun at 18:59:00 on 2012-04-21
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3935.1830 [GMT 1:00]
.
AV: ESET NOD32 Antivirus 5.0 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: ESET NOD32 Antivirus 5.0 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
G:\Windows\system32\wininit.exe
G:\Windows\system32\lsm.exe
G:\Windows\system32\svchost.exe -k DcomLaunch
G:\Windows\system32\svchost.exe -k RPCSS
g:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
G:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
G:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
G:\Windows\system32\svchost.exe -k netsvcs
G:\Windows\system32\svchost.exe -k LocalService
G:\Windows\System32\svchost.exe -k NetworkService
G:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
G:\Windows\System32\spoolsv.exe
G:\Program Files (x86)\DigitalPersona\Bin\DpHostW.exe
G:\Program Files (x86)\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
G:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
G:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
G:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
G:\Program Files (x86)\Bonjour\mDNSResponder.exe
G:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
G:\ProgramData\DatacardService\DCService.exe
G:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
G:\Windows\system32\HPSIsvc.exe
g:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Sony\VAIO Care\collsvc.exe
G:\Windows\system32\svchost.exe -k imgsvc
G:\Program Files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe
G:\Program Files\Multi-links Telkom\bin\MonServiceUDisk.exe
G:\Program Files (x86)\MTN F@stLink\AssistantServices.exe
G:\Windows\system32\taskhost.exe
G:\Windows\system32\Dwm.exe
G:\Windows\Explorer.EXE
G:\ProgramData\DatacardService\DCSHelper.exe
G:\Program Files\Microsoft Security Client\msseces.exe
G:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
G:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe
G:\Program Files\Sony\VAIO Power Management\SPMService.exe
G:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
G:\Program Files (x86)\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE
G:\Windows\SysWOW64\DllHost.exe
G:\Windows\system32\spool\DRIVERS\x64\3\HP1006MC.EXE
G:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
G:\Windows\system32\SearchIndexer.exe
G:\Windows\system32\WUDFHost.exe
G:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe
G:\Program Files (x86)\Sony\VAIO Event Service\VESGfxMgr.exe
G:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
G:\Windows\system32\wuauclt.exe
G:\Windows\system32\svchost.exe -k SDRSVC
G:\Program Files\Windows Media Player\wmpnetwk.exe
G:\Program Files (x86)\Internet Explorer\IELowutil.exe
G:\Program Files (x86)\Internet Explorer\iexplore.exe
G:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
G:\Windows\SysWOW64\Macromed\Flash\FlashUtil11f_ActiveX.exe
G:\Program Files (x86)\Internet Explorer\iexplore.exe
G:\Program Files (x86)\Internet Explorer\iexplore.exe
G:\Program Files (x86)\Internet Explorer\iexplore.exe
G:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files\Sony\VAIO Care\listener.exe
G:\Windows\SysWOW64\DllHost.exe
C:\Program Files\Multilinks Blue 900\EASYWIRELESSNET.EXE
G:\Program Files (x86)\e-Sword\e-Sword.exe
G:\Windows\splwow64.exe
G:\Windows\system32\SearchProtocolHost.exe
G:\Windows\system32\SearchFilterHost.exe
G:\Windows\SysWOW64\cmd.exe
G:\Windows\system32\conhost.exe
G:\Windows\SysWOW64\cscript.exe
G:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uURLSearchHooks: H - No File
uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - G:\Program Files (x86)\uTorrentBar\prxtbuTor.dll
mURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - G:\Program Files (x86)\uTorrentBar\prxtbuTor.dll
mWinlogon: Userinit=userinit.exe,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - G:\PROGRA~2\Yahoo!\Companion\Installs\cpn0\yt.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - G:\Program Files (x86)\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - G:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - G:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - G:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - G:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - G:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - G:\Program Files (x86)\uTorrentBar\prxtbuTor.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "G:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - G:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: GretechBHO Class: {f0181c6e-9218-4792-9f3c-e8df52b2f1ac} - G:\Program Files (x86)\GRETECH\GomPicker\GomPickerBHO.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - G:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - G:\PROGRA~2\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - G:\PROGRA~2\Yahoo!\Companion\Installs\cpn0\yt.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - G:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - G:\Program Files (x86)\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "G:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - G:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - G:\Program Files (x86)\uTorrentBar\prxtbuTor.dll
TB: {1392B8D2-5C05-419F-A8F6-B9F15A596612} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [uTorrent] "G:\Program Files (x86)\uTorrent\uTorrent.exe" /MINIMIZED
uRun: [E09AXLRD_7500434] "G:\Program Files (x86)\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE" -m
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append to existing PDF - G:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - G:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - G:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - G:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - G:\PROGRA~2\MICROS~2\OFFICE~1\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - G:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - G:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - G:\PROGRA~2\MICROS~2\OFFICE~1\OFFICE11\REFIEBAR.DLL
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - G:\Program Files (x86)\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{162BCC67-73A8-4BAD-B12A-CB4493510183}\64554514 : DhcpNameServer = 82.128.127.3 82.128.127.4
TCP: Interfaces\{60D71DB8-FCE1-4A58-A78D-15B65C88D9B0} : NameServer = 82.128.127.4 82.128.127.3
TCP: Interfaces\{ACC78E83-E40C-4920-B741-9B5935A6AF36} : DhcpNameServer = 82.128.127.3 82.128.127.4
TCP: Interfaces\{C76E749B-402F-4DE5-A34F-E64720E49604} : NameServer = 10.199.212.120 83.143.8.249
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - G:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Notify: VESWinlogon - VESWinlogon.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - G:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - G:\PROGRA~2\Yahoo!\Companion\Installs\cpn0\yt.dll
BHO-X64: 0x1 - No File
BHO-X64: ContributeBHO Class: {074C1DC5-9320-4A9A-947D-C042949C6216} - G:\Program Files (x86)\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - G:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - G:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - G:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - G:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - G:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO-X64: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - G:\Program Files (x86)\uTorrentBar\prxtbuTor.dll
BHO-X64: uTorrentBar - No File
BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "G:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - G:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: GretechBHO Class: {F0181C6E-9218-4792-9F3C-E8DF52B2F1AC} - G:\Program Files (x86)\GRETECH\GomPicker\GomPickerBHO.dll
BHO-X64: GomPicker - No File
BHO-X64: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - G:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO-X64: SmartSelect - No File
BHO-X64: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - G:\PROGRA~2\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
TB-X64: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - G:\PROGRA~2\Yahoo!\Companion\Installs\cpn0\yt.dll
TB-X64: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - G:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB-X64: Contribute Toolbar: {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - G:\Program Files (x86)\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "G:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - G:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB-X64: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - G:\Program Files (x86)\uTorrentBar\prxtbuTor.dll
TB-X64: {1392B8D2-5C05-419F-A8F6-B9F15A596612} - No File
TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - G:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
Hosts: 127.94.0.1 client.openvpn.net
Hosts: 127.94.0.2 openvpn-client.us.shieldexchange.com
.
================= FIREFOX ===================
.
FF - ProfilePath - G:\Users\Dr.akinmoladun\AppData\Roaming\Mozilla\Firefox\Profiles\nz22h0c2.default\
FF - prefs.js: network.proxy.ftp - 127.0.0.1
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - 5.6.7.8
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 1080
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 0
FF - plugin: G:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: G:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: G:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: g:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: G:\Program Files (x86)\Mozilla Firefox\plugins\npclntax_ClickPotatoLiteSA.dll
FF - plugin: G:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
FF - plugin: G:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: G:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;G:\Windows\system32\Drivers\PxHlpa64.sys --> G:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 MpFilter;Microsoft Malware Protection Driver;G:\Windows\system32\DRIVERS\MpFilter.sys --> G:\Windows\system32\DRIVERS\MpFilter.sys [?]
R2 eamonm;eamonm;G:\Windows\system32\DRIVERS\eamonm.sys --> G:\Windows\system32\DRIVERS\eamonm.sys [?]
R2 epfwwfpr;epfwwfpr;G:\Windows\system32\DRIVERS\epfwwfpr.sys --> G:\Windows\system32\DRIVERS\epfwwfpr.sys [?]
R3 adusbser;AnyDATA USB Device for Legacy Serial Communication;G:\Windows\system32\DRIVERS\adusbser.sys --> G:\Windows\system32\DRIVERS\adusbser.sys [?]
R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;G:\Windows\system32\DRIVERS\ArcSoftKsUFilter.sys --> G:\Windows\system32\DRIVERS\ArcSoftKsUFilter.sys [?]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;G:\Windows\system32\DRIVERS\netw5v64.sys --> G:\Windows\system32\DRIVERS\netw5v64.sys [?]
R3 SFEP;Sony Firmware Extension Parser;G:\Windows\system32\DRIVERS\SFEP.sys --> G:\Windows\system32\DRIVERS\SFEP.sys [?]
R3 SrvHsfHDA;SrvHsfHDA;G:\Windows\system32\DRIVERS\VSTAZL6.SYS --> G:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]
R3 SrvHsfV92;SrvHsfV92;G:\Windows\system32\DRIVERS\VSTDPV6.SYS --> G:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]
R3 SrvHsfWinac;SrvHsfWinac;G:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> G:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]
R3 tapoas;TAP-Win32 Adapter OAS;G:\Windows\system32\DRIVERS\tapoas.sys --> G:\Windows\system32\DRIVERS\tapoas.sys [?]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;G:\Windows\system32\DRIVERS\yk62x64.sys --> G:\Windows\system32\DRIVERS\yk62x64.sys [?]
S3 btwl2cap;Bluetooth L2CAP Service;G:\Windows\system32\DRIVERS\btwl2cap.sys --> G:\Windows\system32\DRIVERS\btwl2cap.sys [?]
S3 ewusbnet;HUAWEI USB-NDIS miniport;G:\Windows\system32\DRIVERS\ewusbnet.sys --> G:\Windows\system32\DRIVERS\ewusbnet.sys [?]
S3 hwusbdev;Huawei DataCard USB PNP Device;G:\Windows\system32\DRIVERS\ewusbdev.sys --> G:\Windows\system32\DRIVERS\ewusbdev.sys [?]
S3 massfilter;MBB Mass Storage Filter Driver;G:\Windows\system32\DRIVERS\massfilter.sys --> G:\Windows\system32\DRIVERS\massfilter.sys [?]
S3 MpNWMon;Microsoft Malware Protection Network Driver;G:\Windows\system32\DRIVERS\MpNWMon.sys --> G:\Windows\system32\DRIVERS\MpNWMon.sys [?]
S3 mvusbews;USB EWS Device;G:\Windows\system32\Drivers\mvusbews.sys --> G:\Windows\system32\Drivers\mvusbews.sys [?]
S3 NisDrv;Microsoft Network Inspection System;G:\Windows\system32\DRIVERS\NisDrvWFP.sys --> G:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;G:\Windows\system32\drivers\rdpvideominiport.sys --> G:\Windows\system32\drivers\rdpvideominiport.sys [?]
S3 TsUsbFlt;TsUsbFlt;G:\Windows\system32\drivers\tsusbflt.sys --> G:\Windows\system32\drivers\tsusbflt.sys [?]
S3 ztemtusbser;ZTEMT Legacy Serial Communication;G:\Windows\system32\DRIVERS\CT_ZTEMT_U_USBSER.sys --> G:\Windows\system32\DRIVERS\CT_ZTEMT_U_USBSER.sys [?]
S3 zteusbser;ZTE USB Device for Legacy Serial Communication;G:\Windows\system32\DRIVERS\CT_ZTEMT_U_USBSER.sys --> G:\Windows\system32\DRIVERS\CT_ZTEMT_U_USBSER.sys [?]
.
=============== Created Last 30 ================
.
2012-04-21 17:00:07 8917360 ----a-w- G:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{0BF8697C-65C3-434A-86D8-213E7AFFB1F3}\mpengine.dll
2012-04-20 18:51:43 -------- d-----w- G:\Program Files\ESET
2012-04-14 20:13:29 -------- d-----w- G:\Program Files (x86)\ESET
2012-04-14 20:11:22 -------- d--h--w- G:\Windows\AxInstSV
2012-04-14 13:01:50 2560 ----a-w- G:\Windows\_MSRSTRT.EXE
2012-04-11 22:07:41 -------- d-----w- G:\Users\Dr.akinmoladun\AppData\Roaming\Malwarebytes
2012-04-11 22:06:11 -------- d-----w- G:\ProgramData\Malwarebytes
2012-04-11 22:06:10 24904 ----a-w- G:\Windows\System32\drivers\mbam.sys
2012-04-11 22:06:09 -------- d-----w- G:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-04-11 18:30:22 -------- d-----w- G:\ProgramData\Kaspersky Lab
2012-04-10 22:31:35 8917360 ----a-w- G:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-04-10 16:01:57 -------- d-----w- G:\ProgramData\Symantec
2012-04-10 16:01:51 -------- d-----w- G:\ProgramData\Norton
2012-04-10 16:01:49 -------- d-----w- G:\ProgramData\NortonInstaller
2012-04-09 19:51:22 927800 ------w- G:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{36ADF045-EF1D-4358-9AF8-C3AEDB303E5A}\gapaengine.dll
2012-04-09 16:16:43 -------- d-----w- G:\Program Files (x86)\Microsoft Security Client
2012-04-09 15:24:13 -------- d-----w- G:\Users\Dr.akinmoladun\AppData\Roaming\SPE
2012-04-08 17:04:10 -------- d-----w- G:\Windows\pss
2012-04-08 15:14:32 -------- d-----w- G:\Users\Dr.akinmoladun\AppData\Roaming\Curiolab
2012-04-05 11:06:58 -------- d-----w- G:\ProgramData\SafeNet Sentinel
2012-04-05 11:06:13 -------- d-----w- G:\Program Files\Common Files\IBM
2012-04-05 11:04:59 -------- d-----w- G:\ProgramData\SPSS
2012-04-05 11:03:43 -------- d-----w- G:\Program Files (x86)\Common Files\IBM
2012-04-05 11:02:34 -------- d-----w- G:\Program Files (x86)\IBM
2012-04-04 22:12:20 -------- d-----w- G:\Program Files (x86)\Application
2012-03-31 19:53:11 -------- d-----w- G:\Users\Dr.akinmoladun\.gimp-2.6
2012-03-31 19:52:31 -------- d-----w- G:\Program Files (x86)\GIMP-2.0
2012-03-29 14:43:36 205 ----a-w- G:\Windows\SysWow64\lsprst7.dll
2012-03-29 14:43:36 1025 ----a-w- G:\Windows\SysWow64\sysprs7.dll
.
==================== Find3M ====================
.
2012-02-20 20:23:22 414368 ----a-w- G:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-17 06:38:27 1112064 ----a-w- G:\Windows\System32\rdpcorets.dll
2012-02-17 06:38:26 1031680 ----a-w- G:\Windows\System32\rdpcore.dll
2012-02-17 05:34:22 826880 ----a-w- G:\Windows\SysWow64\rdpcore.dll
2012-02-17 04:58:24 210944 ----a-w- G:\Windows\System32\drivers\rdpwd.sys
2012-02-17 04:57:32 23552 ----a-w- G:\Windows\System32\drivers\tdtcp.sys
2012-02-10 06:36:07 1544192 ----a-w- G:\Windows\System32\DWrite.dll
2012-02-10 05:38:43 1077248 ----a-w- G:\Windows\SysWow64\DWrite.dll
2012-02-03 04:34:34 3145728 ----a-w- G:\Windows\System32\win32k.sys
2012-01-31 12:44:20 279656 ------w- G:\Windows\System32\MpSigStub.exe
2012-01-25 06:38:39 77312 ----a-w- G:\Windows\System32\rdpwsx.dll
2012-01-25 06:38:38 149504 ----a-w- G:\Windows\System32\rdpcorekmts.dll
2012-01-25 06:33:30 9216 ----a-w- G:\Windows\System32\rdrmemptylst.exe
2004-07-30 07:56:22 90112 ----a-w- G:\Program Files (x86)\Common Files\PCSBclean.exe
2004-07-26 13:30:14 291840 ----a-w- G:\Program Files (x86)\Common Files\PCSBoff.exe
.
============= FINISH: 19:00:10.25 ===============


#2 nasdaq

  • Malware Response Team
  • 38,770 posts
  • Gender: Male
  • Location: Montreal, QC. Canada

Posted 27 April 2012 - 07:39 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Your DDS log is clean.
Let's check further.

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to: Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html
===

Third-party programs, if not up to date, can be the cause of infiltration of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.

Please post the logs for my review.

#3 DonFol

  • Topic Starter
  • Members
  • 14 posts

Posted 01 May 2012 - 05:01 PM

Hello nasdaq, many thanks for your assistance. The required logs are posted below.

ComboFix Log

ComboFix 12-05-01.02 - Dr.akinmoladun 05/01/2012 22:27:06.1.2 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3935.2468 [GMT 1:00]
Running from: g:\users\Dr.akinmoladun\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 5.0 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: ESET NOD32 Antivirus 5.0 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
G:\Install.exe
g:\windows\SysWow64\lsprst7.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_RkHit
.
.
((((((((((((((((((((((((( Files Created from 2012-04-01 to 2012-05-01 )))))))))))))))))))))))))))))))
.
.
2012-05-01 21:37 . 2012-05-01 21:37 69000 ----a-w- g:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4763FDE4-6D41-4B88-BC11-71C9629CC83E}\offreg.dll
2012-05-01 21:34 . 2012-05-01 21:34 -------- d-----w- g:\users\Guest\AppData\Local\temp
2012-05-01 21:34 . 2012-05-01 21:34 -------- d-----w- g:\users\Default\AppData\Local\temp
2012-04-30 21:05 . 2012-04-13 08:46 8917360 ----a-w- g:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4763FDE4-6D41-4B88-BC11-71C9629CC83E}\mpengine.dll
2012-04-26 15:52 . 2012-04-26 15:54 -------- d-----w- g:\users\Dr.akinmoladun\Musibleepitled - 04-26-12
2012-04-21 23:35 . 2012-03-06 06:53 5559152 ----a-w- g:\windows\system32\ntoskrnl.exe
2012-04-21 23:35 . 2012-03-06 05:59 3968368 ----a-w- g:\windows\SysWow64\ntkrnlpa.exe
2012-04-21 23:35 . 2012-03-06 05:59 3913072 ----a-w- g:\windows\SysWow64\ntoskrnl.exe
2012-04-21 23:32 . 2012-03-01 06:46 23408 ----a-w- g:\windows\system32\drivers\fs_rec.sys
2012-04-21 23:32 . 2012-03-01 06:38 220672 ----a-w- g:\windows\system32\wintrust.dll
2012-04-21 23:32 . 2012-03-01 06:33 81408 ----a-w- g:\windows\system32\imagehlp.dll
2012-04-21 23:32 . 2012-03-01 06:28 5120 ----a-w- g:\windows\system32\wmi.dll
2012-04-21 23:32 . 2012-03-01 05:37 172544 ----a-w- g:\windows\SysWow64\wintrust.dll
2012-04-21 23:32 . 2012-03-01 05:33 159232 ----a-w- g:\windows\SysWow64\imagehlp.dll
2012-04-21 23:32 . 2012-03-01 05:29 5120 ----a-w- g:\windows\SysWow64\wmi.dll
2012-04-20 18:51 . 2012-04-20 18:51 -------- d-----w- g:\program files\ESET
2012-04-14 20:13 . 2012-04-14 20:13 -------- d-----w- g:\program files (x86)\ESET
2012-04-14 20:11 . 2012-04-14 20:13 -------- d--h--w- g:\windows\AxInstSV
2012-04-14 13:01 . 2012-04-14 13:01 2560 ----a-w- g:\windows\_MSRSTRT.EXE
2012-04-11 22:07 . 2012-04-11 22:07 -------- d-----w- g:\users\Dr.akinmoladun\AppData\Roaming\Malwarebytes
2012-04-11 22:06 . 2012-04-11 22:06 -------- d-----w- g:\programdata\Malwarebytes
2012-04-11 22:06 . 2012-04-04 14:56 24904 ----a-w- g:\windows\system32\drivers\mbam.sys
2012-04-11 22:06 . 2012-04-11 22:06 -------- d-----w- g:\program files (x86)\Malwarebytes' Anti-Malware
2012-04-11 18:30 . 2012-04-11 18:30 -------- d-----w- g:\programdata\Kaspersky Lab
2012-04-10 22:31 . 2012-04-13 08:46 8917360 ----a-w- g:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-04-10 16:01 . 2012-04-10 16:01 -------- d-----w- g:\programdata\Symantec
2012-04-10 16:01 . 2012-04-10 16:48 -------- d-----w- g:\programdata\Norton
2012-04-09 19:51 . 2012-04-09 19:51 927800 ------w- g:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{36ADF045-EF1D-4358-9AF8-C3AEDB303E5A}\gapaengine.dll
2012-04-09 16:16 . 2012-04-09 16:16 -------- d-----w- g:\program files (x86)\Microsoft Security Client
2012-04-09 15:24 . 2012-04-09 15:24 -------- d-----w- g:\users\Dr.akinmoladun\AppData\Roaming\SPE
2012-04-08 15:14 . 2012-04-08 15:14 -------- d-----w- g:\users\Dr.akinmoladun\AppData\Roaming\Curiolab
2012-04-05 11:06 . 2012-04-05 11:06 -------- d-----w- g:\programdata\SafeNet Sentinel
2012-04-05 11:06 . 2012-04-05 11:06 -------- d-----w- g:\program files\Common Files\IBM
2012-04-05 11:04 . 2012-04-05 11:04 -------- d-----w- g:\programdata\SPSS
2012-04-05 11:03 . 2012-04-05 11:03 -------- d-----w- g:\program files (x86)\Common Files\IBM
2012-04-05 11:02 . 2012-04-05 11:02 -------- d-----w- g:\program files (x86)\IBM
2012-04-04 22:12 . 2012-04-04 22:12 -------- d-----w- g:\program files (x86)\Application
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-24 11:55 . 2011-06-19 10:15 2828 --sha-w- g:\programdata\KGyGaAvL.sys
2012-02-20 20:23 . 2011-05-16 18:25 414368 ----a-w- g:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-17 06:38 . 2012-03-14 19:06 1112064 ----a-w- g:\windows\system32\rdpcorets.dll
2012-02-17 06:38 . 2012-03-14 19:06 1031680 ----a-w- g:\windows\system32\rdpcore.dll
2012-02-17 05:34 . 2012-03-14 19:06 826880 ----a-w- g:\windows\SysWow64\rdpcore.dll
2012-02-17 04:58 . 2012-03-14 19:06 210944 ----a-w- g:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:57 . 2012-03-14 19:06 23552 ----a-w- g:\windows\system32\drivers\tdtcp.sys
2012-02-10 06:36 . 2012-03-14 19:06 1544192 ----a-w- g:\windows\system32\DWrite.dll
2012-02-10 05:38 . 2012-03-14 19:06 1077248 ----a-w- g:\windows\SysWow64\DWrite.dll
2012-02-03 04:34 . 2012-03-14 19:06 3145728 ----a-w- g:\windows\system32\win32k.sys
2004-07-30 07:56 . 2011-06-14 14:26 90112 ----a-w- g:\program files (x86)\Common Files\PCSBclean.exe
2004-07-26 13:30 . 2011-06-14 14:26 291840 ----a-w- g:\program files (x86)\Common Files\PCSBoff.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "g:\program files (x86)\uTorrentBar\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
2011-05-09 08:49 176936 ----a-w- g:\program files (x86)\uTorrentBar\prxtbuTor.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "g:\program files (x86)\uTorrentBar\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="g:\program files (x86)\uTorrent\uTorrent.exe" [2012-03-06 741240]
"E09AXLRD_7500434"="g:\program files (x86)\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE" [2008-06-03 351000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2008-12-09 08:27 98304 ----a-w- g:\windows\System32\VESWinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 gupdate;Google Update Service (gupdate);g:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-17 136176]
R3 Adobe Version Cue CS4;Adobe Version Cue CS4;g:\program files (x86)\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2008-08-15 284016]
R3 BBSvc;Bing Bar Update Service;g:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-07-07 195336]
R3 btwl2cap;Bluetooth L2CAP Service;g:\windows\system32\DRIVERS\btwl2cap.sys [x]
R3 ewusbnet;HUAWEI USB-NDIS miniport;g:\windows\system32\DRIVERS\ewusbnet.sys [x]
R3 gupdatem;Google Update Service (gupdatem);g:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-17 136176]
R3 hwusbdev;Huawei DataCard USB PNP Device;g:\windows\system32\DRIVERS\ewusbdev.sys [x]
R3 massfilter;MBB Mass Storage Filter Driver;g:\windows\system32\DRIVERS\massfilter.sys [x]
R3 MpNWMon;Microsoft Malware Protection Network Driver;g:\windows\system32\DRIVERS\MpNWMon.sys [x]
R3 mvusbews;USB EWS Device;g:\windows\system32\Drivers\mvusbews.sys [x]
R3 NisDrv;Microsoft Network Inspection System;g:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;g:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;g:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;g:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;g:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;g:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;g:\windows\system32\drivers\rdvgkmd.sys [x]
R3 ztemtusbser;ZTEMT Legacy Serial Communication;g:\windows\system32\DRIVERS\CT_ZTEMT_U_USBSER.sys [x]
R3 zteusbser;ZTE USB Device for Legacy Serial Communication;g:\windows\system32\DRIVERS\CT_ZTEMT_U_USBSER.sys [x]
S0 PxHlpa64;PxHlpa64;g:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 ehdrv;ehdrv;g:\windows\system32\DRIVERS\ehdrv.sys [x]
S2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;g:\program files (x86)\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe [2007-12-06 660768]
S2 AdobeARMservice;Adobe Acrobat Update Service;g:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 BBUpdate;BBUpdate;g:\program files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-06-15 249648]
S2 DCService.exe;DCService.exe;g:\programdata\DatacardService\DCService.exe [2010-09-29 249856]
S2 eamonm;eamonm;g:\windows\system32\DRIVERS\eamonm.sys [x]
S2 ekrn;ESET Service;g:\program files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2011-09-22 974944]
S2 epfwwfpr;epfwwfpr;g:\windows\system32\DRIVERS\epfwwfpr.sys [x]
S2 HP LaserJet Service;HP LaserJet Service;g:\program files (x86)\HP\HPLaserJetService\HPLaserJetService.exe [2009-06-24 136704]
S2 HPSIService;HP SI Service;g:\windows\system32\HPSIsvc.exe [x]
S2 SampleCollector;Intel® Sample Collector;c:\program files\Sony\VAIO Care\collsvc.exe [2008-09-29 167424]
S2 uCamMonitor;CamMonitor;g:\program files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe [2008-09-18 104960]
S2 UDisk Monitor;UDisk Monitor;g:\program files\Multi-links Telkom\bin\MonServiceUDisk.exe [2008-10-11 400896]
S2 UI Assistant Service;UI Assistant Service;g:\program files (x86)\MTN F@stLink\AssistantServices.exe [2011-03-17 261456]
S2 VAIO Power Management;VAIO Power Management;g:\program files\Sony\VAIO Power Management\SPMService.exe [2008-09-05 407392]
S3 adusbser;AnyDATA USB Device for Legacy Serial Communication;g:\windows\system32\DRIVERS\adusbser.sys [x]
S3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;g:\windows\system32\DRIVERS\ArcSoftKsUFilter.sys [x]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;g:\windows\system32\DRIVERS\netw5v64.sys [x]
S3 SFEP;Sony Firmware Extension Parser;g:\windows\system32\DRIVERS\SFEP.sys [x]
S3 SrvHsfHDA;SrvHsfHDA;g:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
S3 SrvHsfV92;SrvHsfV92;g:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
S3 SrvHsfWinac;SrvHsfWinac;g:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
S3 tapoas;TAP-Win32 Adapter OAS;g:\windows\system32\DRIVERS\tapoas.sys [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;g:\windows\system32\DRIVERS\yk62x64.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-01 g:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- g:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-17 12:10]
.
2012-05-01 g:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- g:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-17 12:10]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DpTsClnt"="g:\program files\DigitalPersona\Bin\DpTsClnt.dll" [2010-08-17 292720]
"MSC"="g:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
"egui"="g:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2011-09-22 4035152]
"combofix"="g:\combofix\CF9560.3XE" [2010-11-20 345088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = g:\windows\system32\blank.htm
uStart Page = hxxp://www.yahoo.com/
mLocal Page = g:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyServer = http=localhost:8080;https=localhost:8080;ftp=localhost:8080;socks=localhost:1080
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - g:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - g:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - g:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - g:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - g:\progra~2\MICROS~2\OFFICE~1\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - g:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: Interfaces\{C76E749B-402F-4DE5-A34F-E64720E49604}: NameServer = 10.199.212.120 83.143.8.249
FF - ProfilePath - g:\users\Dr.akinmoladun\AppData\Roaming\Mozilla\Firefox\Profiles\nz22h0c2.default\
FF - prefs.js: network.proxy.ftp - 127.0.0.1
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - 5.6.7.8
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 1080
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)
BHO-{FF6C3CF0-4B15-11D1-ABED-709549C10000} - g:\program files (x86)\DAP\DAPIELoader64.dll
WebBrowser-{1392B8D2-5C05-419F-A8F6-B9F15A596612} - (no file)
WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-(Default) - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SampleCollector]
"ImagePath"="\"c:\program files\Sony\VAIO Care\collsvc.exe\" \"/service\" \"/counter=\Processor(_Total)\% Processor Time:5\" \"/counter=\PhysicalDisk(_Total)\Disk Bytes/sec:5\" \"/counter=\Network Interface(*)\Bytes Total/sec:5\" \"/directory=inteldata\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@g:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11f_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="g:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11f_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="g:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="g:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="g:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="g:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0009\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
g:\program files (x86)\DigitalPersona\Bin\DpHostW.exe
g:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
g:\program files (x86)\Bonjour\mDNSResponder.exe
g:\program files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Sony\VAIO Care\listener.exe
g:\program files (x86)\Sony\VAIO Event Service\VESMgr.exe
g:\windows\SysWOW64\DllHost.exe
g:\program files (x86)\Sony\VAIO Event Service\VESMgrSub.exe
g:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
.
**************************************************************************
.
Completion time: 2012-05-01 22:44:21 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-01 21:44
.
Pre-Run: 48,304,807,936 bytes free
Post-Run: 47,843,799,040 bytes free
.
- - End Of File - - 03FB67FE4764CDCF8EF27FC5D1203EB1


Security Check Log

Results of screen317's Security Check version 0.99.32
Windows 7 x64 (UAC is enabled)
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
ESET Online Scanner v3
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Java™ 6 Update 26
Java version out of date!
Adobe Reader X (10.1.1)
Mozilla Firefox (11.0.)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
Microsoft Security Essentials msseces.exe
Microsoft Security Client Antimalware MsMpEng.exe
``````````End of Log````````````

Thank you

#4 DonFol

DonFol
  • Topic Starter

  • Members
  • 14 posts

Posted 01 May 2012 - 05:04 PM

One more thing please. The infection started on Drive G and spread to the C Drive. Should I run ComboFix on the C Drive as well?

#5 nasdaq

nasdaq

  • Malware Response Team
  • 38,770 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 02 May 2012 - 09:09 AM

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present, remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 6 Update 26


===

I think ComboFix scans the complete computer. It has removed one file from your C Drive.
C:\install.exe

No harm if you can run it from your C:\ drive.

What are the current issues with this computer?

#6 DonFol

DonFol
  • Topic Starter

  • Members
  • 14 posts

Posted 03 May 2012 - 04:37 AM

None that I see presently. I just want to be sure whether the nasty virus is gone for good or if I need to format my system if it is still hiding somewhere. I also want to know if I can go ahead to reinstall some of the programmes that the virus corrupted.
Thank you.

#7 nasdaq

nasdaq

  • Malware Response Team
  • 38,770 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 May 2012 - 09:06 AM

Yes, you can reinstall any program. If you do not delete them first with the Add/Remove Programs list, make sure your installation goes to the same folder location.

When all is well:

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Delete the other tools we used.

#8 DonFol

DonFol
  • Topic Starter

  • Members
  • 14 posts

Posted 03 May 2012 - 06:30 PM

ComboFix was uninstalled.

Many many thanks nasdaq.

#9 DonFol

DonFol
  • Topic Starter

  • Members
  • 14 posts

Posted 08 May 2012 - 06:27 AM

Well, I guess I can safely put the nasty assault by the runouce.exe virus behind me. Thanks all!

#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,770 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 14 May 2012 - 08:27 AM

It appears that this issue is resolved; therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
