Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Malicious Activity. No idea about the infection


  • This topic is locked This topic is locked
7 replies to this topic

#1 Kondo

Kondo

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:36 AM

Posted 28 May 2012 - 12:13 PM

I am not actually sure if I am really infected or not. I'm just worried because the last time I performed a full scan, there are 16 detected files (http://i1251.photobucket.com/albums/hh554/Asura_Kishin/infectd.png). So I want to make sure everything's fine.

Here's my first topic about this: http://www.bleepingcomputer.com/forums/topic454914.html

Mr. Broni told me that there are some malicious activity.

Here are the logs


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by paolo at 22:59:52 on 2012-05-28
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.1975.1085 [GMT 8:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bluetooth Suite\adminservice.exe
C:\Windows\system32\SupportAppXL\cdrom_mon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\ProgramData\DatacardService\DCService.exe
C:\Windows\system32\PnkBstrA.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\ProgramData\DatacardService\DCSHelper.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Users\paolo\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\paolo\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\paolo\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Gravity\Ragnarok Online2\Ro2LotsSsoLauncher.exe
C:\Gravity\Ragnarok Online2\Launcher2.exe
C:\Windows\system32\rundll32.exe
C:\Users\paolo\AppData\Local\Google\Chrome\Application\chrome.exe
D:\Installers\1Games\Ragnarok Online PH\remember\main - Copy\support.exe
C:\Windows\system32\conhost.exe
D:\Installers\1Games\Ragnarok Online PH\remember\main\attack.exe
C:\Windows\system32\conhost.exe
C:\Users\paolo\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page =
uStart Page = about:blank
uSearch Bar =
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyServer = wpad:80
uInternet Settings,ProxyOverride = local;*.local;<local>
uURLSearchHooks: H - No File
uURLSearchHooks: uTorrentControl2 Toolbar: {687578b9-7132-4a7a-80e4-30ee31099e03} - c:\program files\utorrentcontrol2\prxtbuTor.dll
mURLSearchHooks: uTorrentControl2 Toolbar: {687578b9-7132-4a7a-80e4-30ee31099e03} - c:\program files\utorrentcontrol2\prxtbuTor.dll
BHO: IDM integration (IDMIEHlprObj Class): {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: uTorrentControl2 Toolbar: {687578b9-7132-4a7a-80e4-30ee31099e03} - c:\program files\utorrentcontrol2\prxtbuTor.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
BHO: MediaBar: {abb49b3b-ab7d-4ed0-9135-93fd5aa4f69f} - c:\progra~1\imesha~1\mediabar\toolbar\iMeshMediaBarDx.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\6.3.2322.0\npwinext.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: MediaBar: {abb49b3b-ab7d-4ed0-9135-93fd5aa4f69f} - c:\progra~1\imesha~1\mediabar\toolbar\iMeshMediaBarDx.dll
TB: @c:\program files\msn toolbar\platform\6.3.2322.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\6.3.2322.0\npwinext.dll
TB: uTorrentControl2 Toolbar: {687578b9-7132-4a7a-80e4-30ee31099e03} - c:\program files\utorrentcontrol2\prxtbuTor.dll
TB: {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No File
uRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{08CF7FAE-2589-4627-B79C-BCAFA6A5F5DE}\24167716C6020716E676564702261697164602D657E616 : DhcpNameServer = 192.168.1.1 121.1.3.82 121.1.3.20
TCP: Interfaces\{08CF7FAE-2589-4627-B79C-BCAFA6A5F5DE}\473616F566563747966716C6 : DhcpNameServer = 58.69.254.70 58.69.254.137
TCP: Interfaces\{53FA65F8-E86B-4F48-805F-D7A699520606} : NameServer = 202.138.128.50 202.138.128.54
TCP: Interfaces\{945316D5-2F10-4223-B33D-B35E5F71426D} : DhcpNameServer = 202.138.128.50 202.138.128.54
TCP: Interfaces\{9C76B684-EAC4-4356-AE36-9A4EE3CABEFD} : NameServer = 202.138.128.50 202.138.128.54,8.8.8.8,8.8.4.4
TCP: Interfaces\{9C76B684-EAC4-4356-AE36-9A4EE3CABEFD} : DhcpNameServer = 202.138.128.50 202.138.128.54
TCP: Interfaces\{B2100051-1F63-40B8-80EF-C52B2CA17342} : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{B2100051-1F63-40B8-80EF-C52B2CA17342} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{DB638B9C-5322-41A7-94DC-67B362F4EED7} : DhcpNameServer = 202.138.128.50 202.138.128.54
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: DfLogon - LogonDll.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\paolo\appdata\roaming\mozilla\firefox\profiles\pdq1eziy.default\
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\paolo\appdata\local\facebook\video\skype\npFacebookVideoCalling.dll
FF - plugin: c:\users\paolo\appdata\local\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\users\paolo\appdata\roaming\mozilla\plugins\np-mswmp.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_235.dll
FF - plugin: c:\windows\system32\wat\npWatWeb.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 171064]
R1 MpKslcf882141;MpKslcf882141;c:\programdata\microsoft\microsoft antimalware\definition updates\{2bd1f45e-b1ee-43b8-b163-f8248087e63c}\MpKslcf882141.sys [2012-5-28 29904]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-3-3 172032]
R2 AtherosSvc;AtherosSvc;c:\program files\bluetooth suite\AdminService.exe [2010-1-18 20520]
R2 Autorun CDROM Monitor;Autorun CDROM Monitor;c:\windows\system32\supportappxl\cdrom_mon.exe [2009-10-11 81920]
R2 DCService.exe;DCService.exe;c:\programdata\datacardservice\DCService.exe [2010-5-8 229376]
R2 IDMWFP;IDMWFP;c:\windows\system32\drivers\idmwfp.sys [2011-4-6 86792]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-5-27 654408]
R2 RTWTKRNL;Real-Time Windows Target;c:\windows\system32\drivers\rtwtkrnl.sys [2011-10-13 40856]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atipmdag.sys [2010-3-3 5317632]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2010-3-3 152064]
R3 BTATH_BUS;Atheros Bluetooth Bus;c:\windows\system32\drivers\btath_bus.sys [2010-1-18 27688]
R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\drivers\ew_jubusenum.sys [2011-5-1 70656]
R3 L1c;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\L1C62x86.sys [2010-6-1 65576]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-5-27 22344]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-14 14336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-6-20 136176]
S3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.sys [2009-5-26 25600]
S3 AthBTPort;Atheros Virtual Bluetooth Class;c:\windows\system32\drivers\btath_flt.sys [2010-1-18 42024]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 BTATH_A2DP;Bluetooth A2DP Audio Driver;c:\windows\system32\drivers\btath_a2dp.sys [2010-1-18 291880]
S3 BTATH_HCRP;Bluetooth HCRP Server driver;c:\windows\system32\drivers\btath_hcrp.sys [2010-1-18 213032]
S3 BTATH_RCP;Bluetooth AVRCP Device;c:\windows\system32\drivers\btath_rcp.sys [2010-1-18 145320]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [2012-2-23 23456]
S3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [2012-5-16 516736]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\drivers\ew_hwusbdev.sys [2011-5-1 101504]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2011-8-9 113152]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2010-10-27 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-6-20 136176]
S3 mirrorv3;mirrorv3;c:\windows\system32\drivers\rminiv3.sys [2010-4-21 3328]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-6 129976]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 74112]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-3-26 214952]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2010-2-26 137344]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2010-2-26 8320]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-2-28 15872]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2011-5-13 121064]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [2011-5-13 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [2011-5-13 136808]
S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [2011-6-18 25088]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-2-23 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-10-1 1343400]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2012-05-28 13:18:55 29904 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{2bd1f45e-b1ee-43b8-b163-f8248087e63c}\MpKslcf882141.sys
2012-05-28 05:44:26 6737808 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{2bd1f45e-b1ee-43b8-b163-f8248087e63c}\mpengine.dll
2012-05-27 17:53:36 6737808 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-05-27 06:13:58 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-27 06:13:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-19 14:04:34 -------- d-----w- c:\users\paolo\appdata\roaming\EurekaLog
2012-05-15 22:08:07 516736 ----a-w- c:\windows\system32\drivers\EagleXNt.sys
2012-05-13 07:07:39 936960 ----a-w- c:\program files\common files\microsoft shared\ink\journal.dll
2012-05-13 07:07:38 1221632 ----a-w- c:\program files\windows journal\NBDoc.DLL
2012-05-13 07:07:37 989184 ----a-w- c:\program files\windows journal\JNTFiltr.dll
2012-05-13 07:07:37 969216 ----a-w- c:\program files\windows journal\JNWDRV.dll
2012-05-12 22:25:23 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-12 22:25:22 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-12 22:25:22 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-05-12 22:25:10 1291632 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-05-12 22:24:58 1077248 ----a-w- c:\windows\system32\DWrite.dll
2012-05-12 22:24:51 56176 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-05-09 01:49:51 266240 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\iscript.dll
2012-05-09 01:49:51 172032 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\iuser.dll
2012-05-09 01:49:50 733184 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\iKernel.dll
2012-05-09 01:49:50 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\ctor.dll
2012-05-09 01:49:50 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\DotNetInstaller.exe
2012-05-09 01:49:50 180356 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\iGdi.dll
2012-05-09 01:49:49 303236 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\setup.dll
2012-05-05 23:04:34 53248 ------w- c:\program files\common files\installshield\engine\6\intel 32\msihook.dll
2012-05-05 23:04:34 32768 ------w- c:\program files\common files\installshield\engine\6\intel 32\objectps.dll
2012-05-05 23:04:34 221184 ------w- c:\program files\common files\installshield\iscript\iscript.dll
2012-05-05 23:04:34 126976 ------w- c:\program files\common files\installshield\engine\6\intel 32\knlwrap.exe
2012-05-05 23:04:33 598016 ------w- c:\program files\common files\installshield\engine\6\intel 32\ikernel.exe
2012-05-05 23:04:33 217088 ------w- c:\program files\common files\installshield\engine\6\intel 32\iuser.dll
2012-05-05 23:04:33 114688 ------w- c:\program files\common files\installshield\engine\6\intel 32\scpthdlr.dll
2012-05-04 01:26:05 -------- d-----w- c:\users\paolo\appdata\roaming\2K Sports
2012-05-02 21:39:44 -------- d-----w- c:\users\paolo\appdata\local\ActiveState
2012-05-02 21:14:53 -------- d-----w- C:\Perl
2012-05-02 14:11:24 -------- d-----w- c:\users\paolo\appdata\local\LoLPHLauncher
2012-05-02 09:58:34 -------- d-----r- C:\Sandbox
2012-05-02 09:54:57 -------- d-----w- c:\program files\Sandboxie
2012-04-30 06:45:43 -------- d-----w- c:\program files\ESET
2012-04-29 12:41:08 -------- d-----w- c:\program files\TeamViewer
.
==================== Find3M ====================
.
2012-05-06 21:24:53 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-06 21:24:52 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-29 23:43:36 53073 ----a-w- c:\windows\uninst.exe
2012-03-20 12:44:12 74112 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2012-03-20 12:44:12 171064 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-03-01 05:46:57 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-03-01 05:37:41 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-03-01 05:33:23 159232 ----a-w- c:\windows\system32\imagehlp.dll
2012-03-01 05:29:16 5120 ----a-w- c:\windows\system32\wmi.dll
.
============= FINISH: 23:01:43.72 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:01:36 AM

Posted 30 May 2012 - 03:08 PM

Hello and welcome to BleepingComputer! :)



I am Elle and I will be helping you out with your problem. Firstly, you should know that we are working with specific tools which are used to identify the possible threats present on your system so I will analyze the results they produce.


As a start we need to have some more up-to-date logs than the ones you have already provided. The current state of the files on your system might have changed so we need to get a clear look on that aspect. DO NOT bring any changes to the system except the ones I tell you to as that may produce more damage than helping us.

If you will encounter a delay of over 2 days from me, please don't hesitate and private message me (link in the signature).
Do not forget to check your topic periodically and subscribe to it so that you can receive notifications regarding my replies.



Please generate another DDS log (download it from here if you haven't already) and post it in your next reply along with other changes that may have occured since you last posted.
Also download and run GMER from this link: GMER download link.



Thank you very much for your patience.




Regards,

Elle
Can you hear it?It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.



Posted Image

#3 Kondo

Kondo
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:36 AM

Posted 30 May 2012 - 09:29 PM

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by paolo at 6:48:50 on 2012-05-31
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.1975.1136 [GMT 8:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bluetooth Suite\adminservice.exe
C:\Windows\system32\SupportAppXL\cdrom_mon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\ProgramData\DatacardService\DCService.exe
C:\Windows\system32\PnkBstrA.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\ProgramData\DatacardService\DCSHelper.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\paolo\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\paolo\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\paolo\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\paolo\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\paolo\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\paolo\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\rundll32.exe
C:\Users\paolo\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page =
uStart Page = about:blank
uSearch Bar =
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyServer = wpad:80
uInternet Settings,ProxyOverride = local;*.local;<local>
uURLSearchHooks: H - No File
uURLSearchHooks: uTorrentControl2 Toolbar: {687578b9-7132-4a7a-80e4-30ee31099e03} - c:\program files\utorrentcontrol2\prxtbuTor.dll
mURLSearchHooks: uTorrentControl2 Toolbar: {687578b9-7132-4a7a-80e4-30ee31099e03} - c:\program files\utorrentcontrol2\prxtbuTor.dll
BHO: IDM integration (IDMIEHlprObj Class): {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: uTorrentControl2 Toolbar: {687578b9-7132-4a7a-80e4-30ee31099e03} - c:\program files\utorrentcontrol2\prxtbuTor.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
BHO: MediaBar: {abb49b3b-ab7d-4ed0-9135-93fd5aa4f69f} - c:\progra~1\imesha~1\mediabar\toolbar\iMeshMediaBarDx.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\6.3.2322.0\npwinext.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: MediaBar: {abb49b3b-ab7d-4ed0-9135-93fd5aa4f69f} - c:\progra~1\imesha~1\mediabar\toolbar\iMeshMediaBarDx.dll
TB: @c:\program files\msn toolbar\platform\6.3.2322.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\6.3.2322.0\npwinext.dll
TB: uTorrentControl2 Toolbar: {687578b9-7132-4a7a-80e4-30ee31099e03} - c:\program files\utorrentcontrol2\prxtbuTor.dll
TB: {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No File
uRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{08CF7FAE-2589-4627-B79C-BCAFA6A5F5DE}\24167716C6020716E676564702261697164602D657E616 : DhcpNameServer = 192.168.1.1 121.1.3.82 121.1.3.20
TCP: Interfaces\{08CF7FAE-2589-4627-B79C-BCAFA6A5F5DE}\473616F566563747966716C6 : DhcpNameServer = 58.69.254.70 58.69.254.137
TCP: Interfaces\{53FA65F8-E86B-4F48-805F-D7A699520606} : NameServer = 202.138.128.50 202.138.128.54
TCP: Interfaces\{945316D5-2F10-4223-B33D-B35E5F71426D} : DhcpNameServer = 202.138.128.50 202.138.128.54
TCP: Interfaces\{9C76B684-EAC4-4356-AE36-9A4EE3CABEFD} : NameServer = 202.138.128.50 202.138.128.54,8.8.8.8,8.8.4.4
TCP: Interfaces\{9C76B684-EAC4-4356-AE36-9A4EE3CABEFD} : DhcpNameServer = 202.138.128.50 202.138.128.54
TCP: Interfaces\{B2100051-1F63-40B8-80EF-C52B2CA17342} : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{B2100051-1F63-40B8-80EF-C52B2CA17342} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{DB638B9C-5322-41A7-94DC-67B362F4EED7} : DhcpNameServer = 202.138.128.50 202.138.128.54
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: DfLogon - LogonDll.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\paolo\appdata\roaming\mozilla\firefox\profiles\pdq1eziy.default\
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\paolo\appdata\local\facebook\video\skype\npFacebookVideoCalling.dll
FF - plugin: c:\users\paolo\appdata\local\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\users\paolo\appdata\roaming\mozilla\plugins\np-mswmp.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_235.dll
FF - plugin: c:\windows\system32\wat\npWatWeb.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 171064]
R1 MpKsl63d8a866;MpKsl63d8a866;c:\programdata\microsoft\microsoft antimalware\definition updates\{3c6a9671-77b9-48b6-82f2-847f08179d01}\MpKsl63d8a866.sys [2012-5-31 29904]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-3-3 172032]
R2 AtherosSvc;AtherosSvc;c:\program files\bluetooth suite\AdminService.exe [2010-1-18 20520]
R2 Autorun CDROM Monitor;Autorun CDROM Monitor;c:\windows\system32\supportappxl\cdrom_mon.exe [2009-10-11 81920]
R2 DCService.exe;DCService.exe;c:\programdata\datacardservice\DCService.exe [2010-5-8 229376]
R2 IDMWFP;IDMWFP;c:\windows\system32\drivers\idmwfp.sys [2011-4-6 86792]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-5-27 654408]
R2 RTWTKRNL;Real-Time Windows Target;c:\windows\system32\drivers\rtwtkrnl.sys [2011-10-13 40856]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atipmdag.sys [2010-3-3 5317632]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2010-3-3 152064]
R3 BTATH_BUS;Atheros Bluetooth Bus;c:\windows\system32\drivers\btath_bus.sys [2010-1-18 27688]
R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\drivers\ew_jubusenum.sys [2011-5-1 70656]
R3 L1c;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\L1C62x86.sys [2010-6-1 65576]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-5-27 22344]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-14 14336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-6-20 136176]
S3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.sys [2009-5-26 25600]
S3 AthBTPort;Atheros Virtual Bluetooth Class;c:\windows\system32\drivers\btath_flt.sys [2010-1-18 42024]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 BTATH_A2DP;Bluetooth A2DP Audio Driver;c:\windows\system32\drivers\btath_a2dp.sys [2010-1-18 291880]
S3 BTATH_HCRP;Bluetooth HCRP Server driver;c:\windows\system32\drivers\btath_hcrp.sys [2010-1-18 213032]
S3 BTATH_RCP;Bluetooth AVRCP Device;c:\windows\system32\drivers\btath_rcp.sys [2010-1-18 145320]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [2012-2-23 23456]
S3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [2012-5-16 516736]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\drivers\ew_hwusbdev.sys [2011-5-1 101504]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2011-8-9 113152]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2010-10-27 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-6-20 136176]
S3 mirrorv3;mirrorv3;c:\windows\system32\drivers\rminiv3.sys [2010-4-21 3328]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-6 129976]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 74112]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-3-26 214952]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2010-2-26 137344]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2010-2-26 8320]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-2-28 15872]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2011-5-13 121064]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [2011-5-13 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [2011-5-13 136808]
S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [2011-6-18 25088]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-2-23 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-10-1 1343400]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2012-05-30 22:43:37 56200 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{3c6a9671-77b9-48b6-82f2-847f08179d01}\offreg.dll
2012-05-30 22:40:57 29904 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{3c6a9671-77b9-48b6-82f2-847f08179d01}\MpKsl63d8a866.sys
2012-05-30 08:49:40 6737808 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{3c6a9671-77b9-48b6-82f2-847f08179d01}\mpengine.dll
2012-05-29 06:28:06 6737808 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-05-27 06:13:58 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-27 06:13:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-19 14:04:34 -------- d-----w- c:\users\paolo\appdata\roaming\EurekaLog
2012-05-15 22:08:07 516736 ----a-w- c:\windows\system32\drivers\EagleXNt.sys
2012-05-13 07:07:39 936960 ----a-w- c:\program files\common files\microsoft shared\ink\journal.dll
2012-05-13 07:07:38 1221632 ----a-w- c:\program files\windows journal\NBDoc.DLL
2012-05-13 07:07:37 989184 ----a-w- c:\program files\windows journal\JNTFiltr.dll
2012-05-13 07:07:37 969216 ----a-w- c:\program files\windows journal\JNWDRV.dll
2012-05-12 22:25:23 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-12 22:25:22 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-12 22:25:22 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-05-12 22:25:10 1291632 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-05-12 22:24:58 1077248 ----a-w- c:\windows\system32\DWrite.dll
2012-05-12 22:24:51 56176 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-05-09 01:49:51 266240 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\iscript.dll
2012-05-09 01:49:51 172032 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\iuser.dll
2012-05-09 01:49:50 733184 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\iKernel.dll
2012-05-09 01:49:50 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\ctor.dll
2012-05-09 01:49:50 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\DotNetInstaller.exe
2012-05-09 01:49:50 180356 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\iGdi.dll
2012-05-09 01:49:49 303236 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\setup.dll
2012-05-05 23:04:34 53248 ------w- c:\program files\common files\installshield\engine\6\intel 32\msihook.dll
2012-05-05 23:04:34 32768 ------w- c:\program files\common files\installshield\engine\6\intel 32\objectps.dll
2012-05-05 23:04:34 221184 ------w- c:\program files\common files\installshield\iscript\iscript.dll
2012-05-05 23:04:34 126976 ------w- c:\program files\common files\installshield\engine\6\intel 32\knlwrap.exe
2012-05-05 23:04:33 598016 ------w- c:\program files\common files\installshield\engine\6\intel 32\ikernel.exe
2012-05-05 23:04:33 217088 ------w- c:\program files\common files\installshield\engine\6\intel 32\iuser.dll
2012-05-05 23:04:33 114688 ------w- c:\program files\common files\installshield\engine\6\intel 32\scpthdlr.dll
2012-05-04 01:26:05 -------- d-----w- c:\users\paolo\appdata\roaming\2K Sports
2012-05-02 21:39:44 -------- d-----w- c:\users\paolo\appdata\local\ActiveState
2012-05-02 21:14:53 -------- d-----w- C:\Perl
2012-05-02 14:11:24 -------- d-----w- c:\users\paolo\appdata\local\LoLPHLauncher
2012-05-02 09:58:34 -------- d-----r- C:\Sandbox
2012-05-02 09:54:57 -------- d-----w- c:\program files\Sandboxie
.
==================== Find3M ====================
.
2012-05-06 21:24:53 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-06 21:24:52 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-29 23:43:36 53073 ----a-w- c:\windows\uninst.exe
2012-03-20 12:44:12 74112 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2012-03-20 12:44:12 171064 ----a-w- c:\windows\system32\drivers\MpFilter.sys
.
============= FINISH: 6:51:36.14 ===============

Attached Files



#4 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:01:36 AM

Posted 01 June 2012 - 12:28 PM

Hi there,




Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.






Elle
Can you hear it?It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.



Posted Image

#5 Kondo

Kondo
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:36 AM

Posted 01 June 2012 - 09:59 PM

ComboFix 12-06-01.04 - paolo 06/02/2012 10:41:20.1.4 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.1975.1151 [GMT 8:00]
Running from: d:\downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\dfinstall.log
c:\users\paolo\AppData\Local\assembly\tmp
c:\users\paolo\AppData\Roaming\IDM\idmmzcc3
c:\users\paolo\AppData\Roaming\IDM\idmmzcc3\chrome.manifest
c:\users\paolo\AppData\Roaming\IDM\idmmzcc3\chrome\idmmzcc.jar
c:\users\paolo\AppData\Roaming\IDM\idmmzcc3\components\idmmzcc.dll
c:\users\paolo\AppData\Roaming\IDM\idmmzcc3\components\iIDMMzCC.xpt
c:\users\paolo\AppData\Roaming\IDM\idmmzcc3\components2\idmhelper.js
c:\users\paolo\AppData\Roaming\IDM\idmmzcc3\components2\idmhelper2.js
c:\users\paolo\AppData\Roaming\IDM\idmmzcc3\components2\idmmzcc.dll
c:\users\paolo\AppData\Roaming\IDM\idmmzcc3\components2\idmmzcc64.dll
c:\users\paolo\AppData\Roaming\IDM\idmmzcc3\components2\iIDMHelper.xpt
c:\users\paolo\AppData\Roaming\IDM\idmmzcc3\components2\iIDMHelper2.xpt
c:\users\paolo\AppData\Roaming\IDM\idmmzcc3\components2\iIDMMzCC.xpt
c:\users\paolo\AppData\Roaming\IDM\idmmzcc3\install.js
c:\users\paolo\AppData\Roaming\IDM\idmmzcc3\install.rdf
c:\users\paolo\AppData\Roaming\IDM\idmmzcc3\META-INF\manifest.mf
c:\users\paolo\AppData\Roaming\IDM\idmmzcc3\META-INF\zigbert.rsa
c:\users\paolo\AppData\Roaming\IDM\idmmzcc3\META-INF\zigbert.sf
c:\windows\system\VI30AUT.DLL
c:\windows\system32\1690667a.dll
c:\windows\system32\35a7aab4.dll
c:\windows\system32\UNWISE.EXE
.
.
((((((((((((((((((((((((( Files Created from 2012-05-02 to 2012-06-02 )))))))))))))))))))))))))))))))
.
.
2012-06-02 02:53 . 2012-06-02 02:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-02 02:53 . 2012-06-02 02:53 -------- d-----w- c:\users\Public.JPCZAFRA\AppData\Local\temp
2012-06-02 02:35 . 2012-06-02 02:35 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-06-02 02:04 . 2012-06-02 02:04 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E9C5FFCA-E4D6-4165-8D56-0718785DDE19}\MpKsldcdaae3e.sys
2012-06-01 07:22 . 2012-05-08 16:40 6737808 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E9C5FFCA-E4D6-4165-8D56-0718785DDE19}\mpengine.dll
2012-05-30 08:49 . 2012-05-08 16:40 6737808 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-05-27 06:13 . 2012-05-27 06:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-27 06:13 . 2012-04-04 07:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-19 14:04 . 2012-05-19 14:20 -------- d-----w- c:\users\paolo\AppData\Roaming\EurekaLog
2012-05-15 22:08 . 2012-05-15 22:08 516736 ----a-w- c:\windows\system32\drivers\EagleXNt.sys
2012-05-13 13:12 . 2012-05-13 13:12 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2012-05-13 07:07 . 2012-03-31 04:29 936960 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2012-05-13 07:07 . 2012-03-31 04:30 1221632 ----a-w- c:\program files\Windows Journal\NBDoc.DLL
2012-05-13 07:07 . 2012-03-31 04:29 989184 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll
2012-05-13 07:07 . 2012-03-31 04:29 969216 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
2012-05-12 22:25 . 2012-03-31 04:39 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-12 22:25 . 2012-03-31 04:39 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-12 22:25 . 2012-03-31 02:36 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-05-12 22:25 . 2012-03-30 10:23 1291632 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-05-12 22:24 . 2012-03-03 05:31 1077248 ----a-w- c:\windows\system32\DWrite.dll
2012-05-12 22:24 . 2012-03-17 07:27 56176 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-05-09 01:49 . 2004-04-18 15:39 266240 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\iscript.dll
2012-05-09 01:49 . 2004-04-18 15:39 172032 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\iuser.dll
2012-05-09 01:49 . 2012-05-09 01:49 180356 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\iGdi.dll
2012-05-09 01:49 . 2004-04-18 15:42 733184 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\iKernel.dll
2012-05-09 01:49 . 2004-04-18 15:40 69715 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\ctor.dll
2012-05-09 01:49 . 2004-04-18 15:39 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\DotNetInstaller.exe
2012-05-09 01:49 . 2012-05-09 01:49 303236 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\setup.dll
2012-05-05 23:04 . 2012-05-05 23:04 53248 ------w- c:\program files\Common Files\InstallShield\engine\6\Intel 32\msihook.dll
2012-05-05 23:04 . 2012-05-05 23:04 32768 ------w- c:\program files\Common Files\InstallShield\engine\6\Intel 32\objectps.dll
2012-05-05 23:04 . 2012-05-05 23:04 221184 ------w- c:\program files\Common Files\InstallShield\IScript\iscript.dll
2012-05-05 23:04 . 2012-05-05 23:04 126976 ------w- c:\program files\Common Files\InstallShield\engine\6\Intel 32\knlwrap.exe
2012-05-05 23:04 . 2012-05-05 23:04 598016 ------w- c:\program files\Common Files\InstallShield\engine\6\Intel 32\ikernel.exe
2012-05-05 23:04 . 2012-05-05 23:04 217088 ------w- c:\program files\Common Files\InstallShield\engine\6\Intel 32\iuser.dll
2012-05-05 23:04 . 2012-05-05 23:04 114688 ------w- c:\program files\Common Files\InstallShield\engine\6\Intel 32\scpthdlr.dll
2012-05-04 01:26 . 2012-05-04 01:26 -------- d-----w- c:\users\paolo\AppData\Roaming\2K Sports
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-06 21:24 . 2012-04-18 12:34 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-06 21:24 . 2011-07-02 23:12 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-28 05:12 . 2012-04-28 05:13 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C72FC378-302C-42CE-B975-07C45D43086B}\gapaengine.dll
2012-04-17 19:06 . 2012-04-26 03:41 6734704 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B9BA4255-8B50-46F7-B62C-A2B53B524A81}\mpengine.dll
2012-03-29 23:43 . 2012-03-29 23:43 53073 ----a-w- c:\windows\uninst.exe
2012-03-20 12:44 . 2010-10-24 13:25 74112 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2012-03-20 12:44 . 2010-03-25 13:30 171064 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-04-21 01:19 . 2012-05-06 06:39 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{687578b9-7132-4a7a-80e4-30ee31099e03}"= "c:\program files\uTorrentControl2\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{687578b9-7132-4a7a-80e4-30ee31099e03}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{687578b9-7132-4a7a-80e4-30ee31099e03}]
2011-05-09 08:49 176936 ----a-w- c:\program files\uTorrentControl2\prxtbuTor.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F}]
2009-11-20 17:34 87472 ----a-w- c:\progra~1\IMESHA~1\MediaBar\ToolBar\iMeshMediaBarDx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F}"= "c:\progra~1\IMESHA~1\MediaBar\ToolBar\iMeshMediaBarDx.dll" [2009-11-20 87472]
"{687578b9-7132-4a7a-80e4-30ee31099e03}"= "c:\program files\uTorrentControl2\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{abb49b3b-ab7d-4ed0-9135-93fd5aa4f69f}]
.
[HKEY_CLASSES_ROOT\clsid\{687578b9-7132-4a7a-80e4-30ee31099e03}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{687578B9-7132-4A7A-80E4-30EE31099E03}"= "c:\program files\uTorrentControl2\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{687578b9-7132-4a7a-80e4-30ee31099e03}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2011-03-02 15:23 68216 ----a-w- c:\program files\Internet Download Manager\IDMShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2011-04-05 3278232]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-09-17 1565992]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
c:\users\Public.JPCZAFRA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Real Desktop.lnk - c:\program files\Real Desktop\Real Desktop.exe [2012-3-30 11972608]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^paolo^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Rainmeter.lnk]
path=c:\users\paolo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rainmeter.lnk
backup=c:\windows\pss\Rainmeter.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-09-26 23:22 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Facebook Update]
2012-02-19 10:25 137536 ----atw- c:\users\paolo\AppData\Local\Facebook\Update\FacebookUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
2011-04-05 17:55 3278232 ----a-w- c:\program files\Internet Download Manager\IDMan.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-04-29 08:59 5248312 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2010-05-14 02:32 1479680 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
"DAEMON Tools Lite"="d:\daemon tools lite\DTLite.exe" -autorun
"Google Update"="c:\users\paolo\AppData\Local\Google\Update\GoogleUpdate.exe" /c
"ChikkaV5"=d:\chikka v.5\ChikkaLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"AtherosBtStack"=c:\program files\Bluetooth Suite\BtvStack.exe
"PLFSetI"=c:\windows\PLFSetI.exe
"AmIcoSinglun"=c:\program files\AmIcoSingLun\AmIcoSinglun.exe
"NokiaMServer"=c:\program files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles startup
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
.
R2 Autorun CDROM Monitor;Autorun CDROM Monitor;c:\windows\system32\SupportAppXL\cdrom_mon.exe [2009-10-10 81920]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 DCService.exe;DCService.exe;c:\programdata\DatacardService\DCService.exe [2010-05-08 229376]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-06-20 136176]
R3 1394hub;1394 Enabled Hub;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.SYS [2009-05-26 25600]
R3 apf001;apf001;d:\games\RakionIS\Bin\apf001.sys [x]
R3 AthBTPort;Atheros Virtual Bluetooth Class;c:\windows\system32\DRIVERS\btath_flt.sys [2010-01-18 42024]
R3 BTATH_A2DP;Bluetooth A2DP Audio Driver;c:\windows\system32\drivers\btath_a2dp.sys [2010-01-18 291880]
R3 BTATH_HCRP;Bluetooth HCRP Server driver;c:\windows\system32\DRIVERS\btath_hcrp.sys [2010-01-18 213032]
R3 BTATH_RCP;Bluetooth AVRCP Device;c:\windows\system32\DRIVERS\btath_rcp.sys [2010-01-18 145320]
R3 DrvAgent32;DrvAgent32;c:\windows\system32\Drivers\DrvAgent32.sys [2012-02-23 23456]
R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [2012-05-15 516736]
R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys [2010-03-20 101504]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [2008-09-26 113152]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-06-20 136176]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [2012-04-21 129976]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-20 74112]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 214952]
R3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2010-02-26 137344]
R3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2010-02-26 8320]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2011-06-19 4122968]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys [2011-05-12 121064]
R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys [2011-05-12 12776]
R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys [2011-05-12 136808]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\DRIVERS\teamviewervpn.sys [2011-03-30 25088]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-09-30 1343400]
R3 XDva312;XDva312;c:\windows\system32\XDva312.sys [x]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-08-31 691696]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S1 MpKsldcdaae3e;MpKsldcdaae3e;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E9C5FFCA-E4D6-4165-8D56-0718785DDE19}\MpKsldcdaae3e.sys [2012-06-02 29904]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-03-02 172032]
S2 AtherosSvc;AtherosSvc;c:\program files\Bluetooth Suite\adminservice.exe [2010-01-18 20520]
S2 IDMWFP;IDMWFP;c:\windows\system32\DRIVERS\idmwfp.sys [2011-03-28 86792]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
S2 RTWTKRNL;Real-Time Windows Target;c:\windows\system32\drivers\rtwtkrnl.sys [2011-07-09 40856]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [2010-03-02 5317632]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-03-02 152064]
S3 BTATH_BUS;Atheros Bluetooth Bus;c:\windows\system32\DRIVERS\btath_bus.sys [2010-01-18 27688]
S3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys [2010-05-22 70656]
S3 L1c;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x86.sys [2009-12-22 65576]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-04-04 22344]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-06-02 40776]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMSWISSARMY
*NewlyCreated* - MPKSLDCDAAE3E
*NewlyCreated* - NPKCRYPT
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-30 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2058545990-3703762126-2259859118-1000Core.job
- c:\users\paolo\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-02-19 10:25]
.
2012-06-01 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2058545990-3703762126-2259859118-1000UA.job
- c:\users\paolo\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-02-19 10:25]
.
2012-06-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-20 06:24]
.
2012-06-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-20 06:24]
.
2012-05-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2058545990-3703762126-2259859118-1000Core.job
- c:\users\paolo\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-20 02:21]
.
2012-06-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2058545990-3703762126-2259859118-1000UA.job
- c:\users\paolo\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-20 02:21]
.
2012-05-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2058545990-3703762126-2259859118-1008Core.job
- c:\users\Public.JPCZAFRA\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-11 06:37]
.
2012-06-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2058545990-3703762126-2259859118-1008UA.job
- c:\users\Public.JPCZAFRA\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-11 06:37]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyServer = wpad:80
uInternet Settings,ProxyOverride = local;*.local;<local>
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{53FA65F8-E86B-4F48-805F-D7A699520606}: NameServer = 202.138.128.50 202.138.128.54
TCP: Interfaces\{9C76B684-EAC4-4356-AE36-9A4EE3CABEFD}: NameServer = 202.138.128.50 202.138.128.54,8.8.8.8,8.8.4.4
TCP: Interfaces\{B2100051-1F63-40B8-80EF-C52B2CA17342}: NameServer = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\users\paolo\AppData\Roaming\Mozilla\Firefox\Profiles\pdq1eziy.default\
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - (no file)
WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - (no file)
Notify-DfLogon - LogonDll.dll
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2058545990-3703762126-2259859118-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*Ù=ãm| *€n*]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-2058545990-3703762126-2259859118-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*Ù=ãm| *€n*\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-2058545990-3703762126-2259859118-1000_Classes\CLSID\{29781a47-9926-42bf-81b4-c78eb3df8bb4}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:000000ed
"Therad"=dword:0000001c
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
[HKEY_USERS\S-1-5-21-2058545990-3703762126-2259859118-1000_Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"scansk"=hex(0):09,ee,e3,09,8a,cc,40,bd,43,d6,76,d9,59,83,5a,09,1b,1f,7c,b5,cf,
61,8c,bb,d1,f9,fe,76,f9,ae,b1,9e,54,cf,77,f8,88,20,21,e0,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0009\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0010\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-06-02 10:57:18
ComboFix-quarantined-files.txt 2012-06-02 02:57
.
Pre-Run: 117,853,384,704 bytes free
Post-Run: 117,672,259,584 bytes free
.
- - End Of File - - D865AC2D8DF09F3D5DD2D56FD451199E

#6 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:01:36 AM

Posted 03 June 2012 - 09:16 AM

Hi there,


Going over your logs I noticed that you have uTorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall uTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

===============================================================================================================

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:


Folder::
c:\progra~1\IMESHA~1\

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F}"=-



Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


==========================================================================================

There is one more thing I must ask you: are you usually connecting to a proxy? Have you set it up?


Elle
Can you hear it?It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.



Posted Image

#7 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:01:36 AM

Posted 06 June 2012 - 03:53 PM

Hi,


It has been a while since you last replied. Do you still need help?




Elle
Can you hear it?It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.



Posted Image

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,932 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:01:36 AM

Posted 08 June 2012 - 06:40 AM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users