
Police Central E-crime Unit Virus


  • This topic is locked
11 replies to this topic

#1 April_fool

Posted 23 June 2012 - 08:14 AM

I've recently picked up (what looks like a new version of) the PCEU virus and none of the anti-virus softwares I've tried have managed to find it. The virus creates a pop up anytime there's an internet connection which blocks all computer usage. The Met's website gives a brief description if that helps anyone.

Following Broni's advice (here) I've run Defogger, DDS and GMER. The DDS log is below and the Attach and Ark files are attached.

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 9.0.8112.16421
Run by Ash at 12:58:34 on 2012-06-23
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.3033.2351 [GMT 1:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\Explorer.EXE
C:\windows\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_257.exe
C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_257.exe
C:\windows\system32\conhost.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.babylon.com/?affID=110014&babsrc=HP_ss&mntrId=563220520000000000007ee400659d85
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn
uInternet Settings,ProxyOverride = *.local
BHO: Premiumplay Codec-C: {11111111-1111-1111-1111-110011041135} - c:\program files\premiumplay codec-c\Premiumplay Codec-C.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - c:\program files\avg\avg2012\avgdtiex.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: DealPly: {a6174f27-1fff-e1d6-a93f-ba48ad5dd448} - c:\program files\dealply\DealPlyIE.dll
BHO: Wajam: {a7a6995d-6ee1-4fd1-a258-49395d5bf99c} - c:\program files\wajam\ie\priam_bho.dll
BHO: CrossRider: {a876e312-7d08-401a-b7a6-fafc5dc2f292} - c:\program files\crossriderwebapps\Crossrider.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Yontoo: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo\YontooIEClient.dll
TB: facemoods Toolbar: {db4e9724-f518-4dfd-9c7c-78b52103cab9} - c:\program files\facemoods.com\facemoods\1.4.17.11\facemoodsTlbr.dll
TB: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [AutoStartNPSAgent] c:\program files\samsung\samsung new pc studio\NPSAgent.exe
uRun: [NIRegistrationWizard] c:\program files\national instruments\shared\registrationwizard\bin\RegistrationWizard.exe -autoDiscover 1 -displayIfNoneFound 0 -displayRegisterOptions 1 -sleepIfNoneFound 0 -locale 2057
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [UpdatePDRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [RemoteControl8] "c:\program files\cyberlink\powerdvd8\PDVD8Serv.exe"
mRun: [PDVD8LanguageShortcut] "c:\program files\cyberlink\powerdvd8\language\Language.exe"
mRun: [UpdatePPShortCut] "c:\program files\cyberlink\powerproducer\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerproducer" updatewithcreateonce "software\cyberlink\powerproducer\5.0"
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [APLangApp] "c:\program files\anypc client\APLangApp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" updatewithcreateonce "software\cyberlink\youcam\2.0"
mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [facemoods] "c:\program files\facemoods.com\facemoods\1.4.17.11\facemoodssrv.exe" /md I
mRun: [NPSStartup]
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Ad-Aware Browsing Protection] "c:\programdata\ad-aware browsing protection\adawarebp.exe"
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "c:\programdata\malwarebytes\malwarebytes' anti-malware\cleanup.dll",ProcessCleanupScript
StartupFolder: c:\users\ash\appdata\roaming\micros~1\windows\startm~1\programs\startup\ctfmon.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\users\ash\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\ash\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\avg\avg2012\avgdtiex.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{562DD9F8-111E-4FED-A9B3-809C58B6422A} : DhcpNameServer = 192.168.1.2
TCP: Interfaces\{562DD9F8-111E-4FED-A9B3-809C58B6422A}\4434F5C61607 : DhcpNameServer = 192.168.1.2
TCP: Interfaces\{562DD9F8-111E-4FED-A9B3-809C58B6422A}\4434F5E4 : DhcpNameServer = 192.168.1.2
TCP: Interfaces\{61281670-6767-42B0-B0F1-2D093F396413} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{61281670-6767-42B0-B0F1-2D093F396413}\244565F4951474542523039313D24344 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{61281670-6767-42B0-B0F1-2D093F396413}\244584572633D28353B4E4 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{61281670-6767-42B0-B0F1-2D093F396413}\2445F40756E6A7F6E656D284 : DhcpNameServer = 192.168.22.22 192.168.22.23
TCP: Interfaces\{61281670-6767-42B0-B0F1-2D093F396413}\7457563747 : DhcpNameServer = 137.195.151.105 137.195.150.61 137.195.151.110
TCP: Interfaces\{967EC87F-B575-4828-8930-EB70DEEBD527} : DhcpNameServer = 192.168.1.2
TCP: Interfaces\{F6DBA9C0-4310-41F5-AB04-93A047BA37FE} : DhcpNameServer = 203.241.132.34 204.59.144.222
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\ash\appdata\roaming\mozilla\firefox\profiles\dzpb3051.default\
FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
FF - prefs.js: browser.startup.homepage - hxxps://www.facebook.com/|http://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?affID=110014&babsrc=KW_ss&mntrId=563220520000000000007ee400659d85&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\ash\appdata\local\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_257.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.funmoods_i.hmpg - true
FF - user.js: extensions.funmoods_i.hmpgUrl - hxxp://start.funmoods.com/?f=1&a=bf4
FF - user.js: extensions.funmoods_i.dfltSrch - true
FF - user.js: extensions.funmoods_i.srchPrvdr - Search
FF - user.js: extensions.funmoods_i.dnsErr - true
FF - user.js: extensions.funmoods_i.newTab - true
FF - user.js: extensions.funmoods_i.newTabUrl - hxxp://start.funmoods.com/?f=2&a=bf4
FF - user.js: extensions.funmoods_i.tlbrSrchUrl - hxxp://start.funmoods.com/results.php?f=3&a=bf4&q=
FF - user.js: extensions.funmoods_i.id - 563220520000000000007ee400659d85
FF - user.js: extensions.funmoods_i.instlDay - 15416
FF - user.js: extensions.funmoods_i.vrsn - 1.5.12.2
FF - user.js: extensions.funmoods_i.vrsni - 1.5.12.2
FF - user.js: extensions.funmoods_i.vrsnTs - 1.5.12.222:31:30
FF - user.js: extensions.funmoods_i.prtnrId - funmoods
FF - user.js: extensions.funmoods_i.prdct - funmoods
FF - user.js: extensions.funmoods_i.aflt - bf4
FF - user.js: extensions.funmoods_i.smplGrp - none
FF - user.js: extensions.funmoods_i.tlbrId - base
FF - user.js: extensions.funmoods_i.instlRef -
FF - user.js: extensions.funmoods_i.dfltLng -
FF - user.js: extensions.funmoods_i.excTlbr - false
FF - user.js: extentions.y2layers.installId - 2934512f-d074-4c83-94f0-d926657c5f34
FF - user.js: extentions.y2layers.defaultEnableAppsList - pagerage,buzzdock,bestvideodownloader,ezlooker,dropdowndeals,twittube,toprelatedtopics,interstitialads
FF - user.js: extensions.autoDisableScopes - 14
FF - user.js: security.csp.enable - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=110014
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - 563220520000000000007ee400659d85
FF - user.js: extensions.BabylonToolbar_i.hardId - 563220520000000000007ee400659d85
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15493
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1714:41:36
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2012-1-31 31952]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2012-3-19 301248]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-14 14336]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-9-28 315392]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2012-2-22 235216]
S1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-12-23 41040]
S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\drivers\SABI.sys [2010-1-12 10752]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\avgidsagent.exe [2012-4-30 5106744]
S2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2012-2-14 193288]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2011-11-10 233472]
S2 OberonGameConsoleService;Oberon Media Game Console service;c:\program files\samsung casual games\gameconsole\OberonGameConsoleService.exe [2010-5-18 44312]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-4-5 158856]
S2 WajamUpdater;WajamUpdater;c:\program files\wajam\updater\WajamUpdater.exe [2012-4-24 109064]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-1 257224]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2011-12-23 139856]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [2011-12-23 24144]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 17232]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [2010-3-5 286248]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2011-1-11 33320]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2010-5-18 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2011-11-10 36608]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2010-1-13 122880]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-4 113120]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-3-2 139776]
S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\drivers\ss_bbus.sys [2011-11-10 90112]
S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\drivers\ss_bmdfl.sys [2011-11-10 14976]
S3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\drivers\ss_bmdm.sys [2011-11-10 121856]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-12-23 1343400]
.
=============== Created Last 30 ================
.
2012-06-22 19:56:37 -------- d-sh--w- C:\found.001
2012-06-22 15:15:48 -------- d-----w- c:\users\ash\appdata\roaming\Malwarebytes
2012-06-22 15:15:42 -------- d-----w- c:\programdata\Malwarebytes
2012-06-22 15:15:41 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-22 15:15:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-06-22 15:07:02 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-22 15:06:53 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-22 15:06:47 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-22 15:06:47 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-22 14:59:44 -------- d-sh--w- C:\found.000
2012-06-22 14:30:40 -------- d-----w- c:\users\ash\appdata\local\adawarebp
2012-06-22 14:30:40 -------- d-----w- c:\programdata\Ad-Aware Browsing Protection
2012-06-22 14:30:38 -------- d-----w- c:\program files\Toolbar Cleaner
2012-06-22 14:30:36 -------- d-----w- c:\program files\adawaretb
2012-06-22 14:24:44 -------- d-----w- c:\users\ash\appdata\roaming\Ad-Aware Antivirus
2012-06-20 13:22:41 -------- d-----w- C:\Documents
2012-06-13 12:58:16 177152 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-13 12:53:00 2342400 ----a-w- c:\windows\system32\msi.dll
2012-06-13 12:52:40 2342400 ----a-w- c:\windows\system32\win32k.sys
2012-06-13 12:51:57 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-06-13 12:51:57 57856 ----a-w- c:\windows\system32\rdpwsx.dll
2012-06-13 12:51:57 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-06-13 12:51:28 163328 ----a-w- c:\windows\system32\profsvc.dll
2012-06-13 12:50:46 139264 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-13 12:50:46 1156608 ----a-w- c:\windows\system32\crypt32.dll
2012-06-13 12:50:46 103936 ----a-w- c:\windows\system32\cryptnet.dll
2012-06-13 09:14:13 -------- d-----w- c:\users\ash\appdata\local\Macromedia
2012-06-09 13:21:16 -------- d-----r- c:\users\ash\Dropbox
2012-06-09 13:18:38 -------- d-----w- c:\users\ash\appdata\roaming\Dropbox
2012-06-08 12:31:00 -------- d-----w- c:\users\ash\appdata\roaming\MathWorks
2012-06-08 12:23:13 407104 ----a-w- c:\windows\system32\MSHFLXGD.OCX
2012-06-08 12:23:13 203976 ----a-w- c:\windows\system32\RICHTX32.OCX
2012-06-08 12:04:09 -------- d-----w- c:\program files\MATLAB
2012-06-07 11:32:35 421200 ----a-w- c:\program files\mozilla firefox\msvcp100.dll
2012-06-07 11:32:34 770384 ----a-w- c:\program files\mozilla firefox\msvcr100.dll
2012-06-02 13:41:24 -------- d-----w- c:\users\ash\appdata\roaming\Babylon
2012-06-02 13:41:24 -------- d-----w- c:\programdata\Babylon
2012-06-02 13:40:37 -------- d-----w- c:\program files\DealPly
2012-06-02 13:40:21 -------- d-----w- c:\users\ash\appdata\local\Wajam
2012-06-02 13:40:20 -------- d-----w- c:\program files\Wajam
2012-06-02 13:40:12 -------- d-----w- c:\program files\Yontoo
2012-06-02 13:40:11 -------- d-----w- c:\programdata\Tarma Installer
.
==================== Find3M ====================
.
2012-06-13 09:13:51 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-13 09:13:51 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-22 18:35:43 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2012-05-17 22:45:37 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-05-17 22:35:47 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-05-17 22:35:39 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-17 22:29:45 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-05-17 22:24:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-04-19 03:50:26 24896 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2012-04-02 04:46:44 3958128 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-02 04:46:44 3902320 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-03-30 10:29:05 1287024 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
============= FINISH: 13:00:47.33 ===============

Really hoping someone can help.
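Added example (editor's note: this is not part of the thread, and not code from DDS or from any AV vendor): a small Python triage script for the "Pseudo HJT Report" and FIREFOX sections of a DDS log like the one in the post above. It flags the items a malware responder would circle first in this particular log: the three mPolicies-system values that together switch UAC off (EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop all 0), the Firefox user.js line that sets security.csp.enable to false, BHO/toolbar registrations whose DLL no longer exists ("No File"), and add-on, home-page and pref entries whose names match a watchlist of adware vendors. SAMPLE_LOG is an excerpt copied from the first DDS log above; PUP_WATCHLIST and the Windows 7 UAC default values in UAC_DEFAULTS are my own assumptions, not DDS output. One reading caveat: the first log's header says NTFSx86 NETWORK, which is DDS's marker for a Safe Mode with Networking boot, so the lock screen's own process is absent from Running Processes and triage of that log has to lean on the registry and browser entries instead.

```python
"""Triage a DDS 'Pseudo HJT Report' for what a malware responder reads first.
Added example: not code from this thread, from DDS, or from any AV product.
SAMPLE_LOG is an excerpt of the poster's first DDS log; PUP_WATCHLIST and
UAC_DEFAULTS are my own assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Excerpt copied from the first DDS log in the thread (HJT + FIREFOX sections).
SAMPLE_LOG = r"""
uStart Page = hxxp://search.babylon.com/?affID=110014&babsrc=HP_ss&mntrId=563220520000000000007ee400659d85
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DealPly: {a6174f27-1fff-e1d6-a93f-ba48ad5dd448} - c:\program files\dealply\DealPlyIE.dll
BHO: Yontoo: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo\YontooIEClient.dll
TB: facemoods Toolbar: {db4e9724-f518-4dfd-9c7c-78b52103cab9} - c:\program files\facemoods.com\facemoods\1.4.17.11\facemoodsTlbr.dll
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
FF - user.js: security.csp.enable - false
FF - user.js: extensions.funmoods_i.hmpg - true
FF - user.js: extensions.funmoods_i.newTabUrl - hxxp://start.funmoods.com/?f=2&a=bf4
"""

# Adware/PUP vendor names to look for in add-on, home-page and Firefox pref
# entries.  Assumed watchlist, built from the names this log shows.
PUP_WATCHLIST = ("babylon", "dealply", "wajam", "crossrider", "yontoo",
                 "facemoods", "funmoods")

# UAC values under HKLM\...\Policies\System with their Windows 7 defaults
# (assumed from Microsoft's documented defaults, not read from the log).
UAC_DEFAULTS = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5,
                "PromptOnSecureDesktop": 1}

POLICY_RE = re.compile(r"^mPolicies-system:\s*(\w+)\s*=\s*(\d+)")
ADDON_RE = re.compile(r"^(?:BHO|TB):\s*(?:(?P<name>[^{]+?):\s*)?"
                      r"\{(?P<clsid>[^}]+)\}\s*-\s*(?P<path>.*)$")
FFPREF_RE = re.compile(r"^FF - (?:user|prefs)\.js:\s*(?P<key>\S+)\s*-\s*(?P<val>.*)$")
HOMEPAGE_RE = re.compile(r"^u(?:Start Page|Default_Page_URL)\s*=\s*(?P<url>\S+)")


@dataclass
class Finding:
    severity: str  # "high" = OS/browser protection weakened; "medium" = PUP/orphan
    line: str
    reason: str


def _watchlist_hit(text: str) -> str | None:
    """Return the first watchlist name that occurs in text (case-insensitive)."""
    text = text.lower()
    return next((p for p in PUP_WATCHLIST if p in text), None)


def triage(log_text: str) -> list[Finding]:
    """Walk the log once; return one Finding per line that deserves a second look."""
    findings: list[Finding] = []
    seen_ff_ext: set[str] = set()  # report each Firefox extension prefix only once
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := POLICY_RE.match(line):
            name, value = m.group(1), int(m.group(2))
            if name in UAC_DEFAULTS and value != UAC_DEFAULTS[name]:
                findings.append(Finding("high", line,
                    f"UAC policy {name}={value} (Windows 7 default {UAC_DEFAULTS[name]})"))
        elif m := ADDON_RE.match(line):
            if m.group("path").strip().lower() == "no file":
                findings.append(Finding("medium", line,
                    "orphaned BHO/toolbar CLSID: still registered, DLL is gone"))
            elif hit := _watchlist_hit((m.group("name") or "") + " " + m.group("path")):
                findings.append(Finding("medium", line, f"browser add-on on watchlist: {hit}"))
        elif m := FFPREF_RE.match(line):
            key, val = m.group("key"), m.group("val").strip().lower()
            if key == "security.csp.enable" and val == "false":
                findings.append(Finding("high", line,
                    "user.js turns off Content-Security-Policy enforcement in Firefox"))
            elif key.startswith("extensions."):
                ext = key.split(".")[1]
                if ext not in seen_ff_ext and (hit := _watchlist_hit(ext)):
                    seen_ff_ext.add(ext)
                    findings.append(Finding("medium", line,
                        f"Firefox prefs injected by watchlist extension: {hit}"))
        elif m := HOMEPAGE_RE.match(line):
            if hit := _watchlist_hit(m.group("url")):
                findings.append(Finding("medium", line, f"IE home page hijacked to {hit}"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings by severity; both keys are always present."""
    counts = {"high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summarize(results))
```

Run as-is it reports ten findings from the excerpt (four high, six medium); to triage a real log, pass the full DDS output to triage(). The watchlist is deliberately a plain substring match, so it would also flag a legitimate program whose path happened to contain one of those names: treat the "medium" findings as a reading list, not as verdicts. The "high" findings are different in kind: with EnableLUA=0 every process the user starts already runs with full administrator rights, so anything that gets executed, the lock screen included, needs no privilege escalation at all.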


#2 Blade81

  • Malware Response Team

Posted 26 June 2012 - 02:58 AM

Hi,

uTorrent

The programs listed above are P2P file sharing programs. P2P downloads are nowadays one of the things most likely to bring an infection into the system. My recommendation is to uninstall these (and any others, if present) P2P file sharing programs.


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#3 April_fool

  • Topic Starter

Posted 26 June 2012 - 04:59 AM

Done.

Here's the logs, DDS below and ComboFix attached:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Ash at 10:52:43 on 2012-06-26
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.3033.2136 [GMT 1:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\Windows\system32\WUDFHost.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\system32\FsUsbExService.Exe
C:\Program Files\Samsung Casual Games\GameConsole\OberonGameConsoleService.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Skype\Updater\Updater.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\Wajam\Updater\WajamUpdater.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\taskeng.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\Samsung\Samsung Update Plus\SUPBackground.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe
C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe
C:\Program Files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe
C:\windows\system32\igfxext.exe
C:\windows\system32\igfxsrvc.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files\AnyPC Client\APLangApp.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe
C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Users\Ash\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\system32\conhost.exe
C:\windows\system32\DllHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.babylon.com/?affID=110014&babsrc=HP_ss&mntrId=563220520000000000007ee400659d85
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - c:\program files\avg\avg2012\avgdtiex.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Wajam: {a7a6995d-6ee1-4fd1-a258-49395d5bf99c} - c:\program files\wajam\ie\priam_bho.dll
BHO: CrossRider: {a876e312-7d08-401a-b7a6-fafc5dc2f292} - c:\program files\crossriderwebapps\Crossrider.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
uRun: [AutoStartNPSAgent] c:\program files\samsung\samsung new pc studio\NPSAgent.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [UpdatePDRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [RemoteControl8] "c:\program files\cyberlink\powerdvd8\PDVD8Serv.exe"
mRun: [PDVD8LanguageShortcut] "c:\program files\cyberlink\powerdvd8\language\Language.exe"
mRun: [UpdatePPShortCut] "c:\program files\cyberlink\powerproducer\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerproducer" updatewithcreateonce "software\cyberlink\powerproducer\5.0"
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [APLangApp] "c:\program files\anypc client\APLangApp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" updatewithcreateonce "software\cyberlink\youcam\2.0"
mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Ad-Aware Browsing Protection] "c:\programdata\ad-aware browsing protection\adawarebp.exe"
StartupFolder: c:\users\ash\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\ash\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\avg\avg2012\avgdtiex.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{562DD9F8-111E-4FED-A9B3-809C58B6422A} : DhcpNameServer = 192.168.1.2
TCP: Interfaces\{562DD9F8-111E-4FED-A9B3-809C58B6422A}\4434F5C61607 : DhcpNameServer = 192.168.1.2
TCP: Interfaces\{562DD9F8-111E-4FED-A9B3-809C58B6422A}\4434F5E4 : DhcpNameServer = 192.168.1.2
TCP: Interfaces\{61281670-6767-42B0-B0F1-2D093F396413} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{61281670-6767-42B0-B0F1-2D093F396413}\244565F4951474542523039313D24344 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{61281670-6767-42B0-B0F1-2D093F396413}\244584572633D28353B4E4 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{61281670-6767-42B0-B0F1-2D093F396413}\2445F40756E6A7F6E656D284 : DhcpNameServer = 192.168.22.22 192.168.22.23
TCP: Interfaces\{61281670-6767-42B0-B0F1-2D093F396413}\7457563747 : DhcpNameServer = 137.195.151.105 137.195.150.61 137.195.151.110
TCP: Interfaces\{967EC87F-B575-4828-8930-EB70DEEBD527} : DhcpNameServer = 192.168.1.2
TCP: Interfaces\{F6DBA9C0-4310-41F5-AB04-93A047BA37FE} : DhcpNameServer = 203.241.132.34 204.59.144.222
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\ash\appdata\roaming\mozilla\firefox\profiles\dzpb3051.default\
FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
FF - prefs.js: browser.startup.homepage - hxxps://www.facebook.com/|http://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?affID=110014&babsrc=KW_ss&mntrId=563220520000000000007ee400659d85&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\ash\appdata\local\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_257.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.funmoods_i.hmpg - true
FF - user.js: extensions.funmoods_i.hmpgUrl - hxxp://start.funmoods.com/?f=1&a=bf4
FF - user.js: extensions.funmoods_i.dfltSrch - true
FF - user.js: extensions.funmoods_i.srchPrvdr - Search
FF - user.js: extensions.funmoods_i.dnsErr - true
FF - user.js: extensions.funmoods_i.newTab - true
FF - user.js: extensions.funmoods_i.newTabUrl - hxxp://start.funmoods.com/?f=2&a=bf4
FF - user.js: extensions.funmoods_i.tlbrSrchUrl - hxxp://start.funmoods.com/results.php?f=3&a=bf4&q=
FF - user.js: extensions.funmoods_i.id - 563220520000000000007ee400659d85
FF - user.js: extensions.funmoods_i.instlDay - 15416
FF - user.js: extensions.funmoods_i.vrsn - 1.5.12.2
FF - user.js: extensions.funmoods_i.vrsni - 1.5.12.2
FF - user.js: extensions.funmoods_i.vrsnTs - 1.5.12.222:31:30
FF - user.js: extensions.funmoods_i.prtnrId - funmoods
FF - user.js: extensions.funmoods_i.prdct - funmoods
FF - user.js: extensions.funmoods_i.aflt - bf4
FF - user.js: extensions.funmoods_i.smplGrp - none
FF - user.js: extensions.funmoods_i.tlbrId - base
FF - user.js: extensions.funmoods_i.instlRef -
FF - user.js: extensions.funmoods_i.dfltLng -
FF - user.js: extensions.funmoods_i.excTlbr - false
FF - user.js: extentions.y2layers.installId - 2934512f-d074-4c83-94f0-d926657c5f34
FF - user.js: extentions.y2layers.defaultEnableAppsList - pagerage,buzzdock,bestvideodownloader,ezlooker,dropdowndeals,twittube,toprelatedtopics,interstitialads
FF - user.js: extensions.autoDisableScopes - 14
FF - user.js: security.csp.enable - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=110014
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - 563220520000000000007ee400659d85
FF - user.js: extensions.BabylonToolbar_i.hardId - 563220520000000000007ee400659d85
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15493
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1714:41:36
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2012-1-31 31952]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2012-2-22 235216]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-12-23 41040]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2012-3-19 301248]
R1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\drivers\SABI.sys [2010-1-12 10752]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2012-2-14 193288]
R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2011-11-10 233472]
R2 OberonGameConsoleService;Oberon Media Game Console service;c:\program files\samsung casual games\gameconsole\OberonGameConsoleService.exe [2010-5-18 44312]
R2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-4-5 158856]
R2 WajamUpdater;WajamUpdater;c:\program files\wajam\updater\WajamUpdater.exe [2012-4-24 109064]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2011-12-23 139856]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [2011-12-23 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 17232]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2011-11-10 36608]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2010-1-13 122880]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-14 14336]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-9-28 315392]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\avgidsagent.exe [2012-4-30 5106744]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-1 257224]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [2010-3-5 286248]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2011-1-11 33320]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2010-5-18 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-4 113120]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-3-2 139776]
S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\drivers\ss_bbus.sys [2011-11-10 90112]
S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\drivers\ss_bmdfl.sys [2011-11-10 14976]
S3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\drivers\ss_bmdm.sys [2011-11-10 121856]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-12-23 1343400]
.
=============== Created Last 30 ================
.
2012-06-26 09:40:19 -------- d-sh--w- C:\$RECYCLE.BIN
2012-06-26 09:40:18 -------- d-----w- c:\users\ash\appdata\local\temp
2012-06-26 09:22:26 98816 ----a-w- c:\windows\sed.exe
2012-06-26 09:22:26 518144 ----a-w- c:\windows\SWREG.exe
2012-06-26 09:22:26 256000 ----a-w- c:\windows\PEV.exe
2012-06-26 09:22:26 208896 ----a-w- c:\windows\MBR.exe
2012-06-22 19:56:37 -------- d-----w- C:\found.001
2012-06-22 15:15:48 -------- d-----w- c:\users\ash\appdata\roaming\Malwarebytes
2012-06-22 15:15:42 -------- d-----w- c:\programdata\Malwarebytes
2012-06-22 15:15:41 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-22 15:15:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-06-22 15:07:02 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-22 15:06:53 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-22 15:06:47 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-22 15:06:47 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-22 14:59:44 -------- d-----w- C:\found.000
2012-06-22 14:30:40 -------- d-----w- c:\users\ash\appdata\local\adawarebp
2012-06-22 14:30:40 -------- d-----w- c:\programdata\Ad-Aware Browsing Protection
2012-06-22 14:30:38 -------- d-----w- c:\program files\Toolbar Cleaner
2012-06-22 14:30:36 -------- d-----w- c:\program files\adawaretb
2012-06-22 14:24:44 -------- d-----w- c:\users\ash\appdata\roaming\Ad-Aware Antivirus
2012-06-20 13:22:41 -------- d-----w- C:\Documents
2012-06-13 12:58:16 177152 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-13 12:53:00 2342400 ----a-w- c:\windows\system32\msi.dll
2012-06-13 12:52:40 2342400 ----a-w- c:\windows\system32\win32k.sys
2012-06-13 12:51:57 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-06-13 12:51:57 57856 ----a-w- c:\windows\system32\rdpwsx.dll
2012-06-13 12:51:57 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-06-13 12:51:28 163328 ----a-w- c:\windows\system32\profsvc.dll
2012-06-13 12:50:46 139264 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-13 12:50:46 1156608 ----a-w- c:\windows\system32\crypt32.dll
2012-06-13 12:50:46 103936 ----a-w- c:\windows\system32\cryptnet.dll
2012-06-13 09:14:13 -------- d-----w- c:\users\ash\appdata\local\Macromedia
2012-06-09 13:21:16 -------- d-----r- c:\users\ash\Dropbox
2012-06-09 13:18:38 -------- d-----w- c:\users\ash\appdata\roaming\Dropbox
2012-06-08 12:31:00 -------- d-----w- c:\users\ash\appdata\roaming\MathWorks
2012-06-08 12:23:13 407104 ----a-w- c:\windows\system32\MSHFLXGD.OCX
2012-06-08 12:23:13 203976 ----a-w- c:\windows\system32\RICHTX32.OCX
2012-06-08 12:04:09 -------- d-----w- c:\program files\MATLAB
2012-06-07 11:32:35 421200 ----a-w- c:\program files\mozilla firefox\msvcp100.dll
2012-06-07 11:32:34 770384 ----a-w- c:\program files\mozilla firefox\msvcr100.dll
2012-06-02 13:41:24 -------- d-----w- c:\users\ash\appdata\roaming\Babylon
2012-06-02 13:41:24 -------- d-----w- c:\programdata\Babylon
2012-06-02 13:40:21 -------- d-----w- c:\users\ash\appdata\local\Wajam
2012-06-02 13:40:20 -------- d-----w- c:\program files\Wajam
2012-06-02 13:40:12 -------- d-----w- c:\program files\Yontoo
2012-06-02 13:40:11 -------- d-----w- c:\programdata\Tarma Installer
.
==================== Find3M ====================
.
2012-06-13 09:13:51 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-13 09:13:51 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-22 18:35:43 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2012-05-17 22:45:37 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-05-17 22:35:47 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-05-17 22:35:39 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-17 22:29:45 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-05-17 22:24:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-04-19 03:50:26 24896 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2012-04-02 04:46:44 3958128 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-02 04:46:44 3902320 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-03-30 10:29:05 1287024 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
============= FINISH: 10:54:55.34 ===============

#4 Blade81

Malware Response Team (Finland)

Posted 26 June 2012 - 11:39 AM

Hi again,


Open notepad and copy/paste the text in the quotebox below into it:

Folder::
c:\users\Ash\AppData\Roaming\Babylon
c:\programdata\Babylon
c:\program files\DealPly
Firefox::
uStart Page = hxxp://search.babylon.com/?affID=110014&babsrc=HP_ss&mntrId=563220520000000000007ee400659d85
FF - ProfilePath - c:\users\Ash\AppData\Roaming\Mozilla\Firefox\Profiles\dzpb3051.default\
FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?affID=110014&babsrc=KW_ss&mntrId=563220520000000000007ee400659d85&q=
FF - user.js: extensions.funmoods_i.hmpg - true
FF - user.js: extensions.funmoods_i.hmpgUrl - hxxp://start.funmoods.com/?f=1&a=bf4
FF - user.js: extensions.funmoods_i.dfltSrch - true
FF - user.js: extensions.funmoods_i.srchPrvdr - Search
FF - user.js: extensions.funmoods_i.dnsErr - true
FF - user.js: extensions.funmoods_i.newTab - true
FF - user.js: extensions.funmoods_i.newTabUrl - hxxp://start.funmoods.com/?f=2&a=bf4
FF - user.js: extensions.funmoods_i.tlbrSrchUrl - hxxp://start.funmoods.com/results.php?f=3&a=bf4&q=
FF - user.js: extensions.funmoods_i.id - 563220520000000000007ee400659d85
FF - user.js: extensions.funmoods_i.instlDay - 15416
FF - user.js: extensions.funmoods_i.vrsn - 1.5.12.2
FF - user.js: extensions.funmoods_i.vrsni - 1.5.12.2
FF - user.js: extensions.funmoods_i.vrsnTs - 1.5.12.222:31
FF - user.js: extensions.funmoods_i.prtnrId - funmoods
FF - user.js: extensions.funmoods_i.prdct - funmoods
FF - user.js: extensions.funmoods_i.aflt - bf4
FF - user.js: extensions.funmoods_i.smplGrp - none
FF - user.js: extensions.funmoods_i.tlbrId - base
FF - user.js: extensions.funmoods_i.instlRef - 
FF - user.js: extensions.funmoods_i.dfltLng - 
FF - user.js: extensions.funmoods_i.excTlbr - false
FF - user.js: extentions.y2layers.installId - 2934512f-d074-4c83-94f0-d926657c5f34
FF - user.js: extentions.y2layers.defaultEnableAppsList - pagerage,buzzdock,bestvideodownloader,ezlooker,dropdowndeals,twittube,toprelatedtopics,interstitialads
FF - user.js: extensions.autoDisableScopes - 14
FF - user.js: security.csp.enable - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=110014
FF - user.js: extensions.BabylonToolbar_i.babExt - 
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - 563220520000000000007ee400659d85
FF - user.js: extensions.BabylonToolbar_i.hardId - 563220520000000000007ee400659d85
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15493
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1714:41
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst


Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Close all browser windows and, referring to the picture above, drag CFScript onto ComboFix.exe (let the tool update itself if prompted).
Then post the resultant log.


Uninstall old Adobe Reader versions and get the latest one (Adobe Reader 10.1 and the separate 10.1.1, 10.1.2 & 10.1.3 updates for it) here, or get Foxit Reader here. Make sure you don't (unless you want to) install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 7 Update 5.
  • Click the Download button to the right.
  • Select Windows on the platform combobox and check the box that says: Accept License Agreement. Click continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7u5-windows-i586.exe to install the newest version.


* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
  • Click Scan
  • Wait for the scan to finish.


Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.
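As an added example, not part of this thread and not code from DDS or ComboFix: a small Python triage pass over DDS-style log lines that flags the toolbar and adware entries Blade81's CFScript targets (Babylon, funmoods, y2layers, Wajam, and the other families named in the report), a user.js line that switches off a browser security feature, and the mPolicies-system values that show UAC turned off. The sample lines are copied from the report above; the line-format regexes and the marker list are my own assumptions, not something the tools define.

```python
"""Triage DDS-style log lines for adware entries and weakened UAC (added example)."""
import re
from dataclasses import dataclass

# Names of add-on/adware families that appear in this thread's DDS report.
PUP_MARKERS = ("babylon", "funmoods", "y2layers", "wajam", "yontoo",
               "crossrider", "dealply")

# DDS prints HKLM\...\Policies\System values as "mPolicies-system";
# a value of 0 for any of these weakens or disables UAC.
UAC_ZERO_MEANS = {
    "EnableLUA": "UAC is disabled entirely",
    "ConsentPromptBehaviorAdmin": "administrators elevate without any prompt",
    "PromptOnSecureDesktop": "elevation prompts are not shown on the secure desktop",
}

# Assumed line formats, derived from the report lines in this thread.
RE_POLICY = re.compile(r"^mPolicies-system: (\w+) = (\d+)")
RE_FFPREF = re.compile(r"^FF - (user|prefs)\.js: (\S+) - ?(.*)$")
RE_BHO = re.compile(r"^BHO: (.*?): \{[0-9a-fA-F-]+\} - (.*)$")
RE_SERVICE = re.compile(r"^[RS]\d (\w+);([^;]*);(.*?) \[")
RE_STARTPAGE = re.compile(r"^[um]Start Page = (.*)$")


@dataclass(frozen=True)
class Finding:
    category: str   # "uac", "pup" or "ff-security"
    item: str       # policy name, pref key, BHO name, service name or "Start Page"
    detail: str     # why the line was flagged


def _has_pup_marker(text: str) -> bool:
    lowered = text.lower()
    return any(marker in lowered for marker in PUP_MARKERS)


def triage(lines):
    """Return a Finding for every line that matches one of the checks above."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = RE_POLICY.match(line)
        if m:
            name, value = m.group(1), int(m.group(2))
            if name in UAC_ZERO_MEANS and value == 0:
                findings.append(Finding("uac", name, UAC_ZERO_MEANS[name]))
            continue
        m = RE_FFPREF.match(line)
        if m:
            origin, key, value = m.groups()
            # user.js is written by add-ons; a security.* pref forced to false
            # (security.csp.enable in this report) is worth a look on its own.
            if key.startswith("security.") and value.strip().lower() == "false":
                findings.append(Finding("ff-security", key,
                                        f"{origin}.js turns off a browser security feature"))
            elif _has_pup_marker(key) or _has_pup_marker(value):
                findings.append(Finding("pup", key,
                                        f"{origin}.js entry written by a known toolbar"))
            continue
        m = RE_BHO.match(line)
        if m:
            name, path = m.groups()
            if _has_pup_marker(name) or _has_pup_marker(path):
                findings.append(Finding("pup", name, f"browser helper object at {path}"))
            continue
        m = RE_SERVICE.match(line)
        if m:
            svc, _display, path = m.groups()
            if _has_pup_marker(svc) or _has_pup_marker(path):
                findings.append(Finding("pup", svc, f"service running from {path}"))
            continue
        m = RE_STARTPAGE.match(line)
        if m and _has_pup_marker(m.group(1)):
            findings.append(Finding("pup", "Start Page", f"home page set to {m.group(1)}"))
    return findings


# Constructed sample: a handful of lines copied from the DDS report in this thread.
SAMPLE_LOG = r"""
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
FF - prefs.js: network.proxy.type - 0
FF - user.js: extensions.funmoods_i.hmpg - true
FF - user.js: security.csp.enable - false
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Wajam: {a7a6995d-6ee1-4fd1-a258-49395d5bf99c} - c:\program files\wajam\ie\priam_bho.dll
R2 WajamUpdater;WajamUpdater;c:\program files\wajam\updater\WajamUpdater.exe [2012-4-24 109064]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2012-2-14 193288]
"""


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.strip().splitlines()):
        print(f"[{f.category}] {f.item}: {f.detail}")
```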


#5 April_fool (Topic Starter)

Posted 26 June 2012 - 04:52 PM

All Done

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.5.0
Run by Ash at 22:43:41 on 2012-06-26
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.3033.2112 [GMT 1:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\Explorer.EXE
C:\windows\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\windows\system32\conhost.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.babylon.com/?affID=110014&babsrc=HP_ss&mntrId=563220520000000000007ee400659d85
uInternet Settings,ProxyOverride = *.local
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - c:\program files\avg\avg2012\avgdtiex.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Wajam: {a7a6995d-6ee1-4fd1-a258-49395d5bf99c} - c:\program files\wajam\ie\priam_bho.dll
BHO: CrossRider: {a876e312-7d08-401a-b7a6-fafc5dc2f292} - c:\program files\crossriderwebapps\Crossrider.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
uRun: [AutoStartNPSAgent] c:\program files\samsung\samsung new pc studio\NPSAgent.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [UpdatePDRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [RemoteControl8] "c:\program files\cyberlink\powerdvd8\PDVD8Serv.exe"
mRun: [PDVD8LanguageShortcut] "c:\program files\cyberlink\powerdvd8\language\Language.exe"
mRun: [UpdatePPShortCut] "c:\program files\cyberlink\powerproducer\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerproducer" updatewithcreateonce "software\cyberlink\powerproducer\5.0"
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [APLangApp] "c:\program files\anypc client\APLangApp.exe"
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" updatewithcreateonce "software\cyberlink\youcam\2.0"
mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Ad-Aware Browsing Protection] "c:\programdata\ad-aware browsing protection\adawarebp.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\ash\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\ash\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\avg\avg2012\avgdtiex.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{562DD9F8-111E-4FED-A9B3-809C58B6422A} : DhcpNameServer = 192.168.1.2
TCP: Interfaces\{562DD9F8-111E-4FED-A9B3-809C58B6422A}\4434F5C61607 : DhcpNameServer = 192.168.1.2
TCP: Interfaces\{562DD9F8-111E-4FED-A9B3-809C58B6422A}\4434F5E4 : DhcpNameServer = 192.168.1.2
TCP: Interfaces\{61281670-6767-42B0-B0F1-2D093F396413} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{61281670-6767-42B0-B0F1-2D093F396413}\244565F4951474542523039313D24344 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{61281670-6767-42B0-B0F1-2D093F396413}\244584572633D28353B4E4 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{61281670-6767-42B0-B0F1-2D093F396413}\2445F40756E6A7F6E656D284 : DhcpNameServer = 192.168.22.22 192.168.22.23
TCP: Interfaces\{61281670-6767-42B0-B0F1-2D093F396413}\7457563747 : DhcpNameServer = 137.195.151.105 137.195.150.61 137.195.151.110
TCP: Interfaces\{967EC87F-B575-4828-8930-EB70DEEBD527} : DhcpNameServer = 192.168.1.2
TCP: Interfaces\{F6DBA9C0-4310-41F5-AB04-93A047BA37FE} : DhcpNameServer = 203.241.132.34 204.59.144.222
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\ash\appdata\roaming\mozilla\firefox\profiles\dzpb3051.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.facebook.com/|http://www.google.co.uk/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\ash\appdata\local\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_257.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2012-1-31 31952]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2012-3-19 301248]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-14 14336]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-9-28 315392]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2012-2-22 235216]
S1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-12-23 41040]
S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\drivers\SABI.sys [2010-1-12 10752]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\avgidsagent.exe [2012-4-30 5106744]
S2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2012-2-14 193288]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2011-11-10 233472]
S2 OberonGameConsoleService;Oberon Media Game Console service;c:\program files\samsung casual games\gameconsole\OberonGameConsoleService.exe [2010-5-18 44312]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-4-5 158856]
S2 WajamUpdater;WajamUpdater;c:\program files\wajam\updater\WajamUpdater.exe [2012-4-24 109064]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-1 257224]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2011-12-23 139856]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [2011-12-23 24144]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 17232]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [2010-3-5 286248]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2011-1-11 33320]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2010-5-18 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2011-11-10 36608]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2010-1-13 122880]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-4 113120]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-3-2 139776]
S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\drivers\ss_bbus.sys [2011-11-10 90112]
S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\drivers\ss_bmdfl.sys [2011-11-10 14976]
S3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\drivers\ss_bmdm.sys [2011-11-10 121856]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-12-23 1343400]
.
=============== Created Last 30 ================
.
2012-06-26 19:05:17 -------- d-----w- c:\program files\ESET
2012-06-26 19:00:36 772592 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-06-26 18:46:50 -------- d-----w- c:\program files\Foxit Software
2012-06-26 18:19:44 -------- d-sh--w- C:\$RECYCLE.BIN
2012-06-26 18:19:42 -------- d-----w- c:\users\ash\appdata\local\temp
2012-06-26 09:22:26 98816 ----a-w- c:\windows\sed.exe
2012-06-26 09:22:26 518144 ----a-w- c:\windows\SWREG.exe
2012-06-26 09:22:26 256000 ----a-w- c:\windows\PEV.exe
2012-06-26 09:22:26 208896 ----a-w- c:\windows\MBR.exe
2012-06-22 19:56:37 -------- d-----w- C:\found.001
2012-06-22 15:15:48 -------- d-----w- c:\users\ash\appdata\roaming\Malwarebytes
2012-06-22 15:15:42 -------- d-----w- c:\programdata\Malwarebytes
2012-06-22 15:15:41 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-22 15:15:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-06-22 15:07:02 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-22 15:06:53 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-22 15:06:47 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-22 15:06:47 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-22 14:59:44 -------- d-----w- C:\found.000
2012-06-22 14:30:40 -------- d-----w- c:\users\ash\appdata\local\adawarebp
2012-06-22 14:30:40 -------- d-----w- c:\programdata\Ad-Aware Browsing Protection
2012-06-22 14:30:38 -------- d-----w- c:\program files\Toolbar Cleaner
2012-06-22 14:30:36 -------- d-----w- c:\program files\adawaretb
2012-06-22 14:24:44 -------- d-----w- c:\users\ash\appdata\roaming\Ad-Aware Antivirus
2012-06-20 13:22:41 -------- d-----w- C:\Documents
2012-06-13 12:58:16 177152 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-13 12:53:00 2342400 ----a-w- c:\windows\system32\msi.dll
2012-06-13 12:52:40 2342400 ----a-w- c:\windows\system32\win32k.sys
2012-06-13 12:51:57 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-06-13 12:51:57 57856 ----a-w- c:\windows\system32\rdpwsx.dll
2012-06-13 12:51:57 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-06-13 12:51:28 163328 ----a-w- c:\windows\system32\profsvc.dll
2012-06-13 12:50:46 139264 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-13 12:50:46 1156608 ----a-w- c:\windows\system32\crypt32.dll
2012-06-13 12:50:46 103936 ----a-w- c:\windows\system32\cryptnet.dll
2012-06-13 09:14:13 -------- d-----w- c:\users\ash\appdata\local\Macromedia
2012-06-09 13:21:16 -------- d-----r- c:\users\ash\Dropbox
2012-06-09 13:18:38 -------- d-----w- c:\users\ash\appdata\roaming\Dropbox
2012-06-08 12:31:00 -------- d-----w- c:\users\ash\appdata\roaming\MathWorks
2012-06-08 12:23:13 407104 ----a-w- c:\windows\system32\MSHFLXGD.OCX
2012-06-08 12:23:13 203976 ----a-w- c:\windows\system32\RICHTX32.OCX
2012-06-08 12:04:09 -------- d-----w- c:\program files\MATLAB
2012-06-07 11:32:35 421200 ----a-w- c:\program files\mozilla firefox\msvcp100.dll
2012-06-07 11:32:34 770384 ----a-w- c:\program files\mozilla firefox\msvcr100.dll
2012-06-02 13:40:21 -------- d-----w- c:\users\ash\appdata\local\Wajam
2012-06-02 13:40:20 -------- d-----w- c:\program files\Wajam
2012-06-02 13:40:12 -------- d-----w- c:\program files\Yontoo
2012-06-02 13:40:11 -------- d-----w- c:\programdata\Tarma Installer
.
==================== Find3M ====================
.
2012-06-26 19:00:23 687600 ----a-w- c:\windows\system32\deployJava1.dll
2012-06-13 09:13:51 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-13 09:13:51 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-22 18:35:43 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2012-05-17 22:45:37 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-05-17 22:35:47 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-05-17 22:35:39 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-17 22:29:45 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-05-17 22:24:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-04-19 03:50:26 24896 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2012-04-02 04:46:44 3958128 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-02 04:46:44 3902320 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-03-30 10:29:05 1287024 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
============= FINISH: 22:44:28.35 ===============

Attached Files



#6 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:05:50 PM

Posted 26 June 2012 - 11:35 PM

Hi,

Open notepad and copy/paste the text in the quotebox below into it:

DDS::
uStart Page = hxxp://search.babylon.com/?affID=110014&babsrc=HP_ss&mntrId=563220520000000000007ee400659d85
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
Folder::
C:\Program Files\Yontoo
C:\ProgramData\Tarma Installer
C:\Users\All Users\Tarma Installer


Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe (let the tool update itself if prompted).
Then post the resultant log + fresh dds.txt log. How's the system doing?

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.
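Added example, my own PowerShell and not part of Blade81's instructions or of ComboFix: a read-only check that the items named in the CFScript above are actually gone once the fix has run. It assumes 32-bit Windows 7 as in the DDS log (so BHO registrations sit under the plain HKLM\SOFTWARE key rather than WOW6432Node) and an elevated Windows PowerShell prompt; the folder paths, the BHO CLSID and the start-page host are the ones from the script above, and the variable names are mine.

```powershell
# Added example (not from the thread or from ComboFix): verify that the items
# listed in the CFScript are gone. All checks are read-only.
# Assumptions: 32-bit Windows 7 as in the DDS log, elevated Windows PowerShell.

$findings = @()

# 1. Folders named in the Folder:: section of the CFScript.
$folders = @(
    'C:\Program Files\Yontoo',
    'C:\ProgramData\Tarma Installer',
    'C:\Users\All Users\Tarma Installer'
)
foreach ($f in $folders) {
    if (Test-Path -LiteralPath $f) { $findings += "folder still present: $f" }
}

# 2. The orphaned BHO registration ("- No File" in the DDS output).
#    DDS prints "No File" when the BHO key exists but its COM server DLL does not.
$bhoClsid = '{5C255C8A-E604-49b4-9D64-90988571CECB}'
$bhoKey   = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bhoClsid"
if (Test-Path -LiteralPath $bhoKey) {
    $findings += "BHO registration still present: $bhoKey"
    $server = "HKLM:\SOFTWARE\Classes\CLSID\$bhoClsid\InprocServer32"
    if (Test-Path -LiteralPath $server) {
        $dll = (Get-ItemProperty -LiteralPath $server).'(default)'
        if ($dll -and -not (Test-Path -LiteralPath $dll)) {
            $findings += "BHO points at a missing DLL: $dll"
        }
    }
}

# 3. The hijacked IE start page (uStart Page in the DDS output).
$main = Get-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
if ($main -and $main.'Start Page' -match 'babylon\.com') {
    $findings += "IE start page still points at babylon.com: $($main.'Start Page')"
}

if ($findings.Count -eq 0) {
    Write-Output 'No remnants from the CFScript list were found.'
} else {
    $findings | ForEach-Object { Write-Output "REMNANT: $_" }
}
```

Run it after ComboFix has finished and the machine has rebooted; any REMNANT line is something to report back in the thread rather than remove by hand, since the helper is working from the full logs.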


#7 April_fool

April_fool
  • Topic Starter

  • Members
  • 8 posts
  • Local time:03:50 PM

Posted 27 June 2012 - 04:30 AM

Bit slow on start up but apart from that good, no sign of the virus as far as I can see. Thank you so much for all your help, you're a legend

Attached Files



#8 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:05:50 PM

Posted 27 June 2012 - 10:15 AM

Hi,

Could you post dds.txt log taken in normal mode too, please? :)

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#9 April_fool

April_fool
  • Topic Starter

  • Members
  • 8 posts
  • Local time:03:50 PM

Posted 27 June 2012 - 10:58 AM

Sure, here you go

Attached Files

  • Attached File  DDS5.txt   17.73KB   2 downloads


#10 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:05:50 PM

Posted 28 June 2012 - 12:00 AM

Good. If no issues left let's see the final steps.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.

A. To disable the System Restore feature:

1. Click on the Start button.
2. Hover over the Computer option, right click on it and then click Properties.
3. On the left hand side, click Advanced Settings.
4. If asked to permit the action, click on Allow.
5. Click on the System Protection tab.
6. Select c: drive and click Configure...
7. Select Turn off protection
8. Press OK.
Repeat steps 6-8 for each hard drive.

B. Reboot.

C. Turn ON System Restore.
Follow the steps like you did when disabling System Restore, but at step 7 select the "Restore system settings and previous versions of files" option.



Now let's uninstall ComboFix:
  • Click START then RUN
  • Now copy-paste Combofix /uninstall in the runbox and click OK



UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.




Download and run Secunia Personal Software Inspector (PSI) and fix its findings. Leave the program installed so you'll stay alerted about vulnerable components in future too.


Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade B)

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.
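The System Restore reset (steps A to C in the post above), as an added PowerShell equivalent of the GUI steps; this is my own script, not from the thread. It assumes Windows 7 with Windows PowerShell and an elevated prompt, that the fixed drives are the ones with protection enabled, and that deleting the shadow copies with vssadmin is what the GUI's "Turn off protection" does to the old restore points (an assumption, labelled in the code). Function and variable names are mine.

```powershell
# Added example, not from the thread: steps A-C of the System Restore reset
# from an elevated Windows PowerShell prompt. Assumes Windows 7 / Windows
# PowerShell and that fixed drives (DriveType 3) are the protected ones.

# Fixed drives as drive roots ("C:\"), the form the *-ComputerRestore cmdlets expect.
function Get-FixedDriveRoots {
    Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 3' |
        ForEach-Object { $_.DeviceID + '\' }
}

# Step A: turn protection off on every fixed drive and purge the old restore
# points. Restore points are VSS shadow copies, so they are deleted explicitly
# with vssadmin (assumption: this matches what "Turn off protection" does).
function Disable-AndPurgeSystemRestore {
    foreach ($root in Get-FixedDriveRoots) {
        Disable-ComputerRestore -Drive $root
        $letter = $root.TrimEnd('\')          # vssadmin wants "C:"
        & vssadmin.exe delete shadows "/for=$letter" /all /quiet | Out-Null
    }
}

# Step C: turn protection back on and create one known-clean restore point,
# so the next rollback target is this post-cleanup state, not an infected one.
function Enable-SystemRestoreWithBaseline {
    foreach ($root in Get-FixedDriveRoots) {
        Enable-ComputerRestore -Drive $root
    }
    Checkpoint-Computer -Description 'Post-cleanup baseline' -RestorePointType 'MODIFY_SETTINGS'
    # Verification: only the baseline point should be listed.
    Get-ComputerRestorePoint | Select-Object SequenceNumber, CreationTime, Description
}

# Usage: run Disable-AndPurgeSystemRestore, reboot (step B), then run
# Enable-SystemRestoreWithBaseline and confirm the listing shows one point.
```

The reboot between the two halves is kept because the post calls for it; the listing at the end is the check that the old, possibly infected restore points are really gone and that the only point left is the one created after the cleanup.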


#11 April_fool

April_fool
  • Topic Starter

  • Members
  • 8 posts
  • Local time:03:50 PM

Posted 28 June 2012 - 06:08 AM

It's all fine, everything done. Can't thank you enough for all your help. Will make sure everything's kept up to date and working properly. Again... you're a legend!

#12 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:05:50 PM

Posted 28 June 2012 - 11:45 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.




