
Found trojan in services.exe


This topic is locked
14 replies to this topic

#1 pcnewbie_94 (Members, 8 posts)

Posted 26 July 2012 - 07:02 AM

Hello there, I encountered a problem that I'm unable to solve. A software called Live security platinum was installed on my PC, I think I successfully removed it. But then my antivirus Nod32 found a trojan virus in the system32 file called services.exe. I know this file is essential to keep my PC working, and I can't delete it, not with my antivirus nor manually. I saw one and only one web site where the problem was solved, but it demands using hijackthis. Since I've never used it, I would appreciate it if anyone could tell me what's there to fix or delete.
This is the site where I found the solution (also, is it any good?): http://forums.techguy.org/windows-xp/322401-solved-c-windows-services-exe.html

And this is my hijackthis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:58:13, on 26.7.2012.
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v8.00 (8.00.7601.17514)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Enigma Software Group\SpyHunter\Spyhunter4.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_265.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_265.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT2776682
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\prxtbuTo0.dll
R3 - URLSearchHook: BrotherSoft Extreme Toolbar - {51a86bb3-6602-4c85-92a5-130ee4864f13} - C:\Program Files\BrotherSoft_Extreme\prxtbBrot.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: BrotherSoft Extreme - {51a86bb3-6602-4c85-92a5-130ee4864f13} - C:\Program Files\BrotherSoft_Extreme\prxtbBrot.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GR469A~1.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
O2 - BHO: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~1\SEARCH~2\Datamngr\ToolBar\searchqudtx.dll
O2 - BHO: uTorrentBar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\prxtbuTo0.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
O3 - Toolbar: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\prxtbuTo0.dll
O3 - Toolbar: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~1\SEARCH~2\Datamngr\ToolBar\searchqudtx.dll
O3 - Toolbar: BrotherSoft Extreme Toolbar - {51a86bb3-6602-4c85-92a5-130ee4864f13} - C:\Program Files\BrotherSoft_Extreme\prxtbBrot.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe
O4 - HKCU\..\Run: [RGSC] C:\Program Files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2294212471-1987294167-2412013380-1010\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'UpdatusUser')
O4 - HKUS\S-1-5-21-2294212471-1987294167-2412013380-1010\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'UpdatusUser')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: First Web Flash Casino - {803bec6f-306e-4a9e-9864-b6df07e1411b} - https://firstweb.gameassists.co.uk/FIRSTWEB/Default.aspx?gameid=Jokerpok&sEXT1=demo&sEXT2=demo&bTag=fwks_73&bTag=fwks_73 (file missing) (HKCU)
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GRA32A~1.DLL
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Usluga Google ažuriranje (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Usluga Google ažuriranje (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - Unknown owner - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe (file missing)
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: UAZ Racing 4x4 Drivers Auto Removal (pr2anrqc) (pr2anrqc) - Cenega Publishing - C:\Windows\system32\pr2anrqc.exe
O23 - Service: SpyHunter 4 Service - Enigma Software Group USA, LLC. - C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

--
End of file - 9068 bytes


______________________

Thank you very much for any reply, I hope you can help me to get rid of this virus :)

Edited by Orange Blossom, 26 July 2012 - 10:12 AM.
Unembedded link. ~ OB



#2 M-K-D-B (Malware Response Team, 1,598 posts, Bavaria)

Posted 26 July 2012 - 12:35 PM

Hi pcnewbie_94,

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.
Regards,
M-K-D-B

#3 pcnewbie_94 (Topic Starter, Members, 8 posts)

Posted 26 July 2012 - 01:13 PM

Thank you so much! It's really getting worse, PC rebooting itself, blue screens, freezing...

#4 M-K-D-B (Malware Response Team, 1,598 posts, Bavaria)

Posted 28 July 2012 - 06:41 AM

Hi pcnewbie_94,


Welcome to BleepingComputer.

My name is M-K-D-B and I'll help you with the cleanup of your computer.

Please be aware of the following:
  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 3 days, I am assuming that you don't need help anymore and your topic will be closed.
  • I can not guarantee that we will find and be able to remove all malware. Formatting is usually faster and always the safest way.
  • If you decide to clean your PC, work with us until a team member tells you that you are clean.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.





Backdoor Warning!
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
If you decide to clean your machine, please follow the instructions below.





Step 1
Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.





What you should post with your next answer:
  • the logfile from ComboFix,
  • any further information that seems to be important in your eyes.

Regards,
M-K-D-B

#5 pcnewbie_94 (Topic Starter, Members, 8 posts)

Posted 29 July 2012 - 03:43 PM

Hello M-K-D-B! Thank you for posting this. I don't know how, but I THINK I had solved the problem before your post. My antivirus Nod32 doesn't show the warning window anymore and is running fine. My question is: does this mean that the virus is gone, or is it just hidden? Should I proceed with combofix cleaning?

Once again, thank you, I've had problems with this one hacker who's trying to ruin my relationship with my friends.

Looking forward to your reply,
pcnewbie_94

#6 pcnewbie_94 (Topic Starter, Members, 8 posts)

Posted 30 July 2012 - 05:25 PM

Hello M-K-D-B, once again!

I decided to run combofix after all.
This is the log:



ComboFix 12-07-30.01 - user 1.07.2012. 0:11.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1250.385.1033.18.2047.1310 [GMT 2:00]
Running from: c:\users\user\Desktop\comfix.exe
AV: ESET NOD32 Antivirus 4.0 *Disabled/Updated* {CB0F8167-5331-BA19-698E-64816B6801A5}
SP: ESET NOD32 Antivirus 4.0 *Disabled/Updated* {706E6083-750B-B597-533E-5FF310EF4B18}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\LP
c:\program files\LP\156A\1DF5.tmp
c:\program files\LP\156A\46AC.tmp
c:\program files\LP\156A\4B35.tmp
c:\program files\LP\156A\57D1.tmp
c:\program files\LP\156A\742B.tmp
c:\program files\LP\156A\8337.tmp
c:\program files\LP\156A\83B8.tmp
c:\program files\LP\156A\A3D0.tmp
c:\program files\LP\156A\CCC5.tmp
c:\program files\LP\156A\D369.tmp
c:\program files\LP\156A\F64B.tmp
c:\program files\LP\156A\FC4F.tmp
c:\program files\Uninstall.exe
c:\windows\dcstds3.dll
c:\windows\Installer\{9f054759-0ee9-b851-bb7a-063ab92b3e5d}\@
c:\windows\Installer\{9f054759-0ee9-b851-bb7a-063ab92b3e5d}\U\00000001.@
c:\windows\Installer\{9f054759-0ee9-b851-bb7a-063ab92b3e5d}\U\80000000.@
c:\windows\Installer\{9f054759-0ee9-b851-bb7a-063ab92b3e5d}\U\800000cb.@
.
Infected copy of c:\windows\system32\services.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-06-28 to 2012-07-30 )))))))))))))))))))))))))))))))
.
.
2074-05-07 16:38 . 2006-11-21 18:48 203576 ------w- c:\program files\Microsoft Games\Age of Empires III\autopatcher2.exe
2012-07-30 22:17 . 2012-07-30 22:17 -------- d-----w- c:\users\user\AppData\Local\temp
2012-07-30 22:17 . 2012-07-30 22:17 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-07-30 22:17 . 2012-07-30 22:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-27 11:39 . 2012-07-30 22:18 -------- d-----w- c:\program files\PC Tools Security
2012-07-26 21:31 . 2012-07-27 16:50 -------- d-----w- c:\program files\TDS3
2012-07-26 12:07 . 2012-07-27 07:25 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-07-26 12:07 . 2012-07-26 12:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-07-26 11:31 . 2012-07-26 11:31 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-07-26 11:15 . 2012-07-26 11:15 102400 ----a-w- c:\windows\RegBootClean.exe
2012-07-26 11:00 . 2012-06-05 07:37 256904 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2012-07-26 10:57 . 2012-07-26 10:57 388096 ----a-r- c:\users\user\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-07-26 10:57 . 2012-07-26 10:57 -------- d-----w- c:\program files\Trend Micro
2012-07-25 16:29 . 2012-07-25 16:29 110080 ----a-r- c:\users\user\AppData\Roaming\Microsoft\Installer\{CC1F6DA0-21D2-425A-B1B6-5B164A598450}\IconF7A21AF7.exe
2012-07-25 16:29 . 2012-07-25 16:29 110080 ----a-r- c:\users\user\AppData\Roaming\Microsoft\Installer\{CC1F6DA0-21D2-425A-B1B6-5B164A598450}\IconD7F16134.exe
2012-07-25 16:29 . 2012-07-25 16:29 110080 ----a-r- c:\users\user\AppData\Roaming\Microsoft\Installer\{CC1F6DA0-21D2-425A-B1B6-5B164A598450}\IconCF33A0CE.exe
2012-07-25 16:29 . 2012-07-25 16:30 -------- d-----w- C:\sh4ldr
2012-07-25 16:29 . 2012-07-25 16:29 -------- d-----w- c:\program files\Enigma Software Group
2012-07-25 16:28 . 2012-07-25 16:30 -------- d-----w- c:\windows\CC1F6DA021D2425AB1B65B164A598450.TMP
2012-07-25 16:28 . 2012-07-25 16:28 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2012-07-25 16:10 . 2012-07-25 16:10 -------- d-----w- c:\program files\CCleaner
2012-07-25 15:51 . 2012-07-25 15:51 -------- d-----w- c:\users\user\AppData\Roaming\Malwarebytes
2012-07-25 15:50 . 2012-07-25 15:50 -------- d-----w- c:\programdata\Malwarebytes
2012-07-25 15:50 . 2012-07-25 15:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-07-25 15:50 . 2012-07-03 11:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-25 15:49 . 2012-07-25 15:49 -------- d--h--w- c:\windows\PIF
2012-07-25 15:44 . 2012-07-27 16:49 -------- d-----w- c:\programdata\SecTaskMan
2012-07-25 15:44 . 2012-07-27 16:49 -------- d-----w- c:\program files\Security Task Manager
2012-07-11 01:00 . 2012-06-12 02:40 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-07-10 22:58 . 2012-06-06 05:05 1019904 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2012-07-10 22:58 . 2012-06-06 05:05 143360 ----a-w- c:\program files\Common Files\System\ado\msjro.dll
2012-07-10 22:58 . 2012-06-06 05:05 372736 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
2012-07-10 22:58 . 2012-06-06 05:05 57344 ----a-w- c:\program files\Common Files\System\ado\msador15.dll
2012-07-10 22:58 . 2012-06-06 05:05 352256 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
2012-07-10 22:58 . 2012-06-06 05:05 212992 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
2012-07-10 22:58 . 2012-06-06 05:03 805376 ----a-w- c:\windows\system32\cdosys.dll
2012-07-10 22:54 . 2012-06-02 04:45 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-07-10 22:54 . 2012-06-02 04:40 369336 ----a-w- c:\windows\system32\drivers\cng.sys
2012-07-10 22:54 . 2012-06-02 04:40 225280 ----a-w- c:\windows\system32\schannel.dll
2012-07-10 22:54 . 2012-06-02 04:39 219136 ----a-w- c:\windows\system32\ncrypt.dll
2012-07-10 22:54 . 2012-06-02 04:45 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-07-10 22:54 . 2012-06-06 05:05 1390080 ----a-w- c:\windows\system32\msxml6.dll
2012-07-10 22:54 . 2012-06-06 05:05 1236992 ----a-w- c:\windows\system32\msxml3.dll
2012-07-10 22:54 . 2010-06-26 03:24 2048 ----a-w- c:\windows\system32\msxml3r.dll
2012-07-05 14:40 . 2012-07-05 14:40 -------- d-----w- c:\users\user\AppData\Roaming\Origin
2012-07-05 14:40 . 2012-07-27 07:25 -------- d-----w- c:\programdata\Origin
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-27 02:14 . 2012-05-27 11:44 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-27 02:14 . 2011-06-23 22:20 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-02 22:19 . 2012-06-21 19:18 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-21 19:18 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-21 19:18 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-21 19:18 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-21 19:18 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-21 19:18 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-21 19:18 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 13:19 . 2012-06-21 19:18 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 13:12 . 2012-06-21 19:18 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-05-31 10:25 . 2011-05-03 12:41 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-05-15 03:03 . 2012-06-13 08:33 981504 ----a-w- c:\windows\system32\wininet.dll
2012-01-19 14:21 . 2011-11-25 16:38 321024 ----a-w- c:\program files\gproxy.exe
2011-09-25 21:18 . 2011-11-25 16:38 98816 ----a-w- c:\program files\euroloader.exe
2011-05-13 09:33 . 2011-11-25 16:38 3336 ----a-w- c:\program files\eurobattle.reg
2011-04-23 23:30 . 2011-11-25 16:38 68608 ----a-w- c:\program files\w3lh.dll
2010-03-11 07:00 . 2011-11-25 16:38 118784 ----a-w- c:\program files\pdcurses.dll
2003-04-10 15:56 . 2011-11-25 16:38 351744 ----a-w- c:\program files\winmpq.exe
2003-04-10 15:18 . 2011-11-25 16:38 184320 ------w- c:\program files\SFmpq.dll
1996-11-08 01:17 . 2011-11-25 16:38 721168 ------w- c:\program files\VB40032.DLL
2012-06-20 12:38 . 2011-05-04 13:52 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2011-07-27 3077528]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R2 gupdate;Usluga Google ažuriranje (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 GGSAFERDriver;GGSAFER Driver;c:\program files\Garena\safedrv.sys [x]
R3 gupdatem;Usluga Google ažuriranje (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [x]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [x]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [x]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [x]
S2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\l160x86.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 nvoclock;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\DRIVERS\nvoclock.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-30 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-27 02:14]
.
2012-07-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-05 13:07]
.
2012-07-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-05 13:07]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\glchw2cf.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - BrotherSoft Extreme Customized Web Search
FF - prefs.js: browser.startup.homepage - www.google.hr
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?SSPV=FFSB3&ctid=CT2776682&SearchSource=2&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 62061
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\uTorrentBar\prxtbuTo0.dll
Toolbar-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\uTorrentBar\prxtbuTo0.dll
Toolbar-10 - (no file)
WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - c:\program files\uTorrentBar\prxtbuTo0.dll
WebBrowser-{51A86BB3-6602-4C85-92A5-130EE4864F13} - (no file)
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
AddRemove-Eurobattle.net1.26 - c:\program files\uninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2294212471-1987294167-2412013380-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:aa,c7,32,c7,e8,c6,e8,54,9f,92,ea,34,b1,97,cd,4c,cc,6c,0c,b9,ba,26,7d,
aa,22,60,55,d8,f7,d5,03,92,1a,73,83,3f,d0,00,93,57,80,d2,ed,17,3f,92,12,95,\
"??"=hex:e4,ed,d9,ac,60,ef,ad,e4,dc,51,4a,07,c6,d3,3f,f5
.
[HKEY_USERS\S-1-5-21-2294212471-1987294167-2412013380-1000\Software\SecuROM\License information*]
"datasecu"=hex:4a,13,17,db,af,31,8b,6b,73,c6,73,4f,f4,c8,8d,bf,07,62,01,9c,b2,
44,5a,5d,96,e7,95,62,5b,b0,c4,63,ea,99,a9,41,a1,ab,07,e5,10,fb,81,4c,bd,0a,\
"rkeysecu"=hex:f0,69,a4,32,37,cb,1c,31,48,b3,52,03,b7,f4,1f,2b
.
[HKEY_LOCAL_MACHINE\software\ESET\ESET Security\CurrentVersion\Info]
@Denied: (2) (LocalSystem)
"AppDataDir"="c:\\ProgramData\\ESET\\ESET NOD32 Antivirus\\"
"DataDir"="ESET\\ESET NOD32 Antivirus\\"
"EditionName"=" "
"InstallDir"="c:\\Program Files\\ESET\\ESET NOD32 Antivirus\\"
"LanguageId"=dword:00000409
"PackageTag"=dword:6090e758

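The ComboFix log in the post above reports four concrete findings: a patched services.exe that ComboFix replaced with a component-store (WinSxS) copy, a set of "@" and "*.@" files under c:\windows\Installer\{GUID}\, the UAC policy values EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop all set to 0, and a Firefox prefs.js carrying a 127.0.0.1:62061 proxy plus conduit.com search overrides. The PowerShell script below is an added example, not part of the thread, of ComboFix, or of any tool the helpers name; it checks those same four points on a live Windows 7 or later machine so the result of a cleanup can be verified independently of the tool that did it. It assumes PowerShell 4 or later (for Get-FileHash), an elevated prompt, the default Firefox profile location under %APPDATA%, and the Windows 7 default UAC values; the GUID pattern and function names are the example's own.

```powershell
# Added verification script (not from the thread, ComboFix or any tool it names).
# Checks the findings the ComboFix log above reports, on a live Windows 7+ box:
#   1. services.exe: hash against the WinSxS component-store copies
#   2. C:\Windows\Installer\{GUID}\@ and U\*.@ files
#   3. UAC policy values EnableLUA / ConsentPromptBehaviorAdmin / PromptOnSecureDesktop
#   4. Firefox prefs.js proxy and search-engine overrides
# Assumptions: PowerShell 4 or later (Get-FileHash), elevated prompt, default
# Firefox profile path. Expected UAC values are the Windows 7 defaults.

function Test-ServicesExe {
    $live     = Join-Path $env:SystemRoot 'System32\services.exe'
    $liveHash = (Get-FileHash -Path $live -Algorithm SHA256).Hash
    # Component-store copies live in WinSxS under *servicecontroller* directories;
    # the ComboFix log shows exactly such a path being used for the restore.
    $sxsCopies = Get-ChildItem -Path (Join-Path $env:SystemRoot 'winsxs') -Directory -Filter '*servicecontroller*' -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'services.exe' } |
        Where-Object { Test-Path -Path $_ }
    $compare = foreach ($copy in $sxsCopies) {
        [pscustomobject]@{
            WinSxSCopy = $copy
            SameHash   = ((Get-FileHash -Path $copy -Algorithm SHA256).Hash -eq $liveHash)
        }
    }
    # Caveat: Windows 7 system binaries are catalog-signed, and on that OS
    # Get-AuthenticodeSignature reports them as NotSigned, so rely on the hash
    # comparison there; Windows 8 and later can validate catalog signatures.
    $sig    = Get-AuthenticodeSignature -FilePath $live
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    [pscustomobject]@{
        Path      = $live
        SHA256    = $liveHash
        SigStatus = $sig.Status
        Signer    = $signer
        WinSxS    = $compare   # on a clean box at least one entry has SameHash = True
    }
}

function Find-InstallerAtFiles {
    # GUID-named directories directly under C:\Windows\Installer holding a file
    # named "@" or files named *.@ (the log lists these under "Other Deletions").
    $root   = Join-Path $env:SystemRoot 'Installer'
    $denied = @()
    $dirs = Get-ChildItem -Path $root -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^\{[0-9a-fA-F-]{36}\}$' }
    foreach ($d in $dirs) {
        Get-ChildItem -Path $d.FullName -File -Force -Recurse -ErrorAction SilentlyContinue -ErrorVariable +denied |
            Where-Object { $_.Name -eq '@' -or $_.Name -like '*.@' } |
            Select-Object FullName, Length, LastWriteTime
    }
    # An admin being denied a listing inside Installer\{GUID} is itself worth a look.
    foreach ($e in $denied) { Write-Warning ("Could not list: " + $e.TargetObject) }
}

function Get-UacPolicy {
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $props = Get-ItemProperty -Path $key
    foreach ($name in 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop') {
        # EnableLUA and PromptOnSecureDesktop default to 1; ConsentPromptBehaviorAdmin
        # defaults to 5 on Windows 7, and any non-zero value still means a prompt.
        # 0 in all three, as in the log, is silent elevation with no secure desktop.
        $ok = if ($name -eq 'ConsentPromptBehaviorAdmin') { $props.$name -ne 0 } else { $props.$name -eq 1 }
        [pscustomobject]@{ Name = $name; Value = $props.$name; OK = $ok }
    }
}

function Get-FirefoxSuspectPrefs {
    param([string]$ProfileRoot = (Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'))
    # The same pref names ComboFix printed: proxy settings, keyword.URL and the
    # default/selected search engine.
    $pattern = 'user_pref\("(network\.proxy\.[a-z_]+|keyword\.URL|browser\.search\.(defaulturl|selectedEngine))",\s*(.+)\);'
    Get-ChildItem -Path $ProfileRoot -Filter prefs.js -Recurse -ErrorAction SilentlyContinue |
        Select-String -Pattern $pattern |
        ForEach-Object {
            [pscustomobject]@{
                File  = $_.Path
                Pref  = $_.Matches[0].Groups[1].Value
                Value = $_.Matches[0].Groups[3].Value
            }
        }
}

Test-ServicesExe        | Format-List
Find-InstallerAtFiles   | Format-Table -AutoSize
Get-UacPolicy           | Format-Table -AutoSize
Get-FirefoxSuspectPrefs | Format-Table -AutoSize
```

Reading the results against this log: a live services.exe whose SHA256 matches none of the WinSxS copies is the condition ComboFix reported as "infected copy", and a match only says the file equals a component-store copy, not which version is current. In the Firefox section, network.proxy.type 0 means Firefox was using a direct connection, so the 127.0.0.1:62061 proxy was not active at scan time, but the entry being present at all shows something wrote it. Changing EnableLUA back to 1 takes effect only after a reboot.
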
#7 M-K-D-B (Malware Response Team, 1,598 posts, Bavaria)

Posted 01 August 2012 - 10:09 AM

Hi pcnewbie_94,



pcnewbie_94 wrote: I decided to run combofix after all.

And this was a good decision as the rootkit was still active in the background :)

c:\windows\Installer\{9f054759-0ee9-b851-bb7a-063ab92b3e5d}\@
c:\windows\Installer\{9f054759-0ee9-b851-bb7a-063ab92b3e5d}\U\00000001.@
c:\windows\Installer\{9f054759-0ee9-b851-bb7a-063ab92b3e5d}\U\80000000.@
c:\windows\Installer\{9f054759-0ee9-b851-bb7a-063ab92b3e5d}\U\800000cb.@
.
Infected copy of c:\windows\system32\services.exe was found and disinfected






Step 1
You have installed NOD Antivirus. There is no need for SpyHunter. Moreover, it has a dubious repute as it uses some kind of Rogue tactics to lure users into buying.
Click "start" on the taskbar and then click on the "Control Panel" icon.
Please double-click the "Add or Remove Programs" icon.
A list of installed programs will be "populated"; this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

Spyhunter
Enigma Software Group
uTorrentBar


Additional instructions can be found here if needed.





Step 2
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Folder::
C:\sh4ldr
c:\program files\Enigma Software Group
c:\program files\uTorrentBar

Driver::
SpyHunter 4 Service

Firefox::
FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\glchw2cf.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - BrotherSoft Extreme Customized Web Search
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?SSPV=FFSB3&ctid=CT2776682&SearchSource=2&q=
FF - prefs.js: network.proxy.http_port - 62061


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.





Step 3
Please download AdwCleaner by Xplode onto your desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[R1].txt as well.





What you should post with your next answer:
  • the logfile from ComboFix,
  • the logfile from AdwCleaner.

Regards,
M-K-D-B

#8 pcnewbie_94

  • Topic Starter
  • Members
  • 8 posts

Posted 01 August 2012 - 06:09 PM

Hello again M-K-D-B!
I found Spyhunter there and removed it; I didn't find uTorrent bar or Enigma Software group.
I just want to thank you again for helping me, you've been too kind!

Here are the logs you requested (first from ComboFix, then from AdwCleaner):

ComboFix:

ComboFix 12-07-31.03 - user 2.08.2012. 0:55.2.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1250.385.1033.18.2047.1198 [GMT 2:00]
Running from: c:\users\user\Desktop\comfix.exe
Command switches used :: c:\users\user\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 4.0 *Disabled/Updated* {CB0F8167-5331-BA19-698E-64816B6801A5}
SP: ESET NOD32 Antivirus 4.0 *Disabled/Updated* {706E6083-750B-B597-533E-5FF310EF4B18}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Enigma Software Group
c:\program files\Enigma Software Group\SpyHunter\INSTALL.LOG
c:\program files\Enigma Software Group\SpyHunter\Log\SpyHunter4_20120726_220423.log
c:\program files\Enigma Software Group\SpyHunter\Log\SpyHunter4_20120726_223003.log
c:\program files\Enigma Software Group\SpyHunter\Log\SpyHunter4_20120726_225116.log
c:\program files\Enigma Software Group\SpyHunter\Log\SpyHunter4_20120726_225810.log
c:\program files\Enigma Software Group\SpyHunter\Log\SpyHunter4_20120726_231849.log
c:\program files\Enigma Software Group\SpyHunter\Log\SpyHunter4_20120726_232722.log
c:\program files\Enigma Software Group\SpyHunter\Log\SpyHunter4_20120726_233310.log
c:\program files\Enigma Software Group\SpyHunter\Log\SpyHunter4_20120726_233531.log
c:\program files\Enigma Software Group\SpyHunter\Log\SpyHunter4_20120726_233813.log
c:\program files\Enigma Software Group\SpyHunter\Log\SpyHunter4_20120727_140225.log
c:\program files\Enigma Software Group\SpyHunter\Log\SpyHunter4_20120727_140824.log
c:\program files\Enigma Software Group\SpyHunter\Log\SpyHunter4_20120727_141034.log
c:\program files\Enigma Software Group\SpyHunter\Log\SpyHunter4_20120727_141527.log
c:\program files\Enigma Software Group\SpyHunter\Log\SpyHunter4_20120727_142244.log
c:\program files\Enigma Software Group\SpyHunter\Log\SpyHunter4_20120727_142629.log
c:\program files\Enigma Software Group\SpyHunter\Log\SpyHunter4_20120727_152830.log
c:\program files\Enigma Software Group\SpyHunter\Log\SpyHunter4_20120731_002102.log
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\regtlib.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-07-01 to 2012-08-01 )))))))))))))))))))))))))))))))
.
.
2074-05-07 16:38 . 2006-11-21 18:48 203576 ------w- c:\program files\Microsoft Games\Age of Empires III\autopatcher2.exe
2012-08-01 23:01 . 2012-08-01 23:01 -------- d-----w- c:\users\user\AppData\Local\temp
2012-08-01 23:01 . 2012-08-01 23:01 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-08-01 23:01 . 2012-08-01 23:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-31 17:36 . 2012-07-31 17:36 -------- d-----w- c:\program files\Oracle
2012-07-27 16:45 . 2012-07-27 16:46 5 ----a-w- c:\windows\system\tdsdcs.dll
2012-07-27 15:07 . 2012-07-16 00:41 6891424 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{FE3CEC72-6FC2-48EA-9752-4F1A5C05CC49}\mpengine.dll
2012-07-27 11:57 . 2012-07-27 11:57 -------- d-----w- C:\user
2012-07-27 11:39 . 2012-07-30 22:18 -------- d-----w- c:\program files\PC Tools Security
2012-07-26 21:31 . 2012-07-27 16:50 -------- d-----w- c:\program files\TDS3
2012-07-26 12:07 . 2012-07-27 07:25 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-07-26 12:07 . 2012-07-26 12:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-07-26 11:31 . 2012-07-26 11:31 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-07-26 11:15 . 2012-07-26 11:15 102400 ----a-w- c:\windows\RegBootClean.exe
2012-07-26 11:00 . 2012-06-05 07:37 256904 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2012-07-26 10:57 . 2012-07-26 10:57 388096 ----a-r- c:\users\user\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-07-26 10:57 . 2012-07-26 10:57 -------- d-----w- c:\program files\Trend Micro
2012-07-25 16:28 . 2012-08-01 22:46 -------- d-----w- c:\windows\CC1F6DA021D2425AB1B65B164A598450.TMP
2012-07-25 16:28 . 2012-07-25 16:28 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2012-07-25 16:10 . 2012-07-25 16:10 -------- d-----w- c:\program files\CCleaner
2012-07-25 15:51 . 2012-07-25 15:51 -------- d-----w- c:\users\user\AppData\Roaming\Malwarebytes
2012-07-25 15:50 . 2012-07-25 15:50 -------- d-----w- c:\programdata\Malwarebytes
2012-07-25 15:50 . 2012-07-25 15:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-07-25 15:50 . 2012-07-03 11:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-25 15:49 . 2012-07-25 15:49 -------- d--h--w- c:\windows\PIF
2012-07-25 15:44 . 2012-07-27 16:49 -------- d-----w- c:\programdata\SecTaskMan
2012-07-25 15:44 . 2012-07-27 16:49 -------- d-----w- c:\program files\Security Task Manager
2012-07-11 01:00 . 2012-06-12 02:40 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-07-10 22:58 . 2012-06-06 05:05 1019904 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2012-07-10 22:58 . 2012-06-06 05:05 143360 ----a-w- c:\program files\Common Files\System\ado\msjro.dll
2012-07-10 22:58 . 2012-06-06 05:05 372736 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
2012-07-10 22:58 . 2012-06-06 05:05 57344 ----a-w- c:\program files\Common Files\System\ado\msador15.dll
2012-07-10 22:58 . 2012-06-06 05:05 352256 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
2012-07-10 22:58 . 2012-06-06 05:05 212992 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
2012-07-10 22:58 . 2012-06-06 05:03 805376 ----a-w- c:\windows\system32\cdosys.dll
2012-07-10 22:54 . 2012-06-02 04:45 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-07-10 22:54 . 2012-06-02 04:40 369336 ----a-w- c:\windows\system32\drivers\cng.sys
2012-07-10 22:54 . 2012-06-02 04:40 225280 ----a-w- c:\windows\system32\schannel.dll
2012-07-10 22:54 . 2012-06-02 04:39 219136 ----a-w- c:\windows\system32\ncrypt.dll
2012-07-10 22:54 . 2012-06-02 04:45 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-07-10 22:54 . 2012-06-06 05:05 1390080 ----a-w- c:\windows\system32\msxml6.dll
2012-07-10 22:54 . 2012-06-06 05:05 1236992 ----a-w- c:\windows\system32\msxml3.dll
2012-07-10 22:54 . 2010-06-26 03:24 2048 ----a-w- c:\windows\system32\msxml3r.dll
2012-07-05 14:40 . 2012-07-05 14:40 -------- d-----w- c:\users\user\AppData\Roaming\Origin
2012-07-05 14:40 . 2012-07-27 07:25 -------- d-----w- c:\programdata\Origin
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-27 02:14 . 2012-05-27 11:44 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-27 02:14 . 2011-06-23 22:20 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-05 20:06 . 2011-07-16 01:29 687544 ----a-w- c:\windows\system32\deployJava1.dll
2012-06-02 22:19 . 2012-06-21 19:18 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-21 19:18 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-21 19:18 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-21 19:18 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-21 19:18 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-21 19:18 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-21 19:18 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 13:19 . 2012-06-21 19:18 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 13:12 . 2012-06-21 19:18 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-05-31 10:25 . 2011-05-03 12:41 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-05-15 03:03 . 2012-06-13 08:33 981504 ----a-w- c:\windows\system32\wininet.dll
2012-01-19 14:21 . 2011-11-25 16:38 321024 ----a-w- c:\program files\gproxy.exe
2011-09-25 21:18 . 2011-11-25 16:38 98816 ----a-w- c:\program files\euroloader.exe
2011-05-13 09:33 . 2011-11-25 16:38 3336 ----a-w- c:\program files\eurobattle.reg
2011-04-23 23:30 . 2011-11-25 16:38 68608 ----a-w- c:\program files\w3lh.dll
2010-03-11 07:00 . 2011-11-25 16:38 118784 ----a-w- c:\program files\pdcurses.dll
2003-04-10 15:56 . 2011-11-25 16:38 351744 ----a-w- c:\program files\winmpq.exe
2003-04-10 15:18 . 2011-11-25 16:38 184320 ------w- c:\program files\SFmpq.dll
1996-11-08 01:17 . 2011-11-25 16:38 721168 ------w- c:\program files\VB40032.DLL
2012-06-20 12:38 . 2011-05-04 13:52 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-07-30_22.18.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-05-03 12:20 . 2012-07-31 12:27 65536 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-05-03 12:20 . 2012-07-28 13:04 65536 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:41 . 2012-07-28 13:04 65536 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:41 . 2012-07-31 12:27 65536 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-05-03 13:00 . 2012-07-30 22:20 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-05-03 13:00 . 2012-08-01 22:12 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-05-03 13:00 . 2012-08-01 22:12 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-05-03 13:00 . 2012-07-30 22:20 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-08-01 22:45 . 2012-08-01 22:45 27499 c:\windows\CC1F6DA021D2425AB1B65B164A598450.TMP\WiseCustomCall.dll
+ 2011-05-03 17:02 . 2012-08-01 22:38 522578 c:\windows\System32\wdi\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
+ 2012-07-31 17:36 . 2012-07-05 20:06 227760 c:\windows\System32\javaws.exe
+ 2012-07-31 17:35 . 2012-06-26 23:43 174064 c:\windows\System32\javaw.exe
+ 2012-07-31 17:35 . 2012-06-26 23:43 174064 c:\windows\System32\java.exe
+ 2011-05-03 12:20 . 2012-07-31 12:27 933888 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-05-03 12:20 . 2012-07-28 13:04 933888 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2012-07-31 17:35 . 2012-07-31 17:35 461312 c:\windows\Installer\423340f.msi
+ 2012-08-01 22:45 . 2012-08-01 22:45 180696 c:\windows\CC1F6DA021D2425AB1B65B164A598450.TMP\WiseCustomCalla21.dll
+ 2012-08-01 22:45 . 2012-08-01 22:45 175992 c:\windows\CC1F6DA021D2425AB1B65B164A598450.TMP\WiseCustomCalla20.dll
+ 2012-08-01 22:45 . 2012-08-01 22:45 176035 c:\windows\CC1F6DA021D2425AB1B65B164A598450.TMP\WiseCustomCalla2.dll
+ 2012-08-01 22:45 . 2012-08-01 22:45 176035 c:\windows\CC1F6DA021D2425AB1B65B164A598450.TMP\WiseCustomCalla19.dll
+ 2012-08-01 22:45 . 2012-08-01 22:45 179526 c:\windows\CC1F6DA021D2425AB1B65B164A598450.TMP\WiseCustomCalla18.exe
+ 2012-08-01 22:45 . 2012-08-01 22:45 176545 c:\windows\CC1F6DA021D2425AB1B65B164A598450.TMP\WiseCustomCalla17.dll
+ 2012-08-01 22:45 . 2012-08-01 22:45 179526 c:\windows\CC1F6DA021D2425AB1B65B164A598450.TMP\WiseCustomCalla.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2011-07-27 3077528]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R2 gupdate;Usluga Google ažuriranje (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 GGSAFERDriver;GGSAFER Driver;c:\program files\Garena\safedrv.sys [x]
R3 gupdatem;Usluga Google ažuriranje (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [x]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [x]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [x]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\l160x86.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 nvoclock;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\DRIVERS\nvoclock.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-01 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-27 02:14]
.
2012-08-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-05 13:07]
.
2012-08-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-05 13:07]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\glchw2cf.default\
FF - prefs.js: browser.startup.homepage - www.google.hr
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.type - 0
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2294212471-1987294167-2412013380-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:aa,c7,32,c7,e8,c6,e8,54,9f,92,ea,34,b1,97,cd,4c,cc,6c,0c,b9,ba,26,7d,
aa,22,60,55,d8,f7,d5,03,92,1a,73,83,3f,d0,00,93,57,80,d2,ed,17,3f,92,12,95,\
"??"=hex:e4,ed,d9,ac,60,ef,ad,e4,dc,51,4a,07,c6,d3,3f,f5
.
[HKEY_USERS\S-1-5-21-2294212471-1987294167-2412013380-1000\Software\SecuROM\License information*]
"datasecu"=hex:4a,13,17,db,af,31,8b,6b,73,c6,73,4f,f4,c8,8d,bf,07,62,01,9c,b2,
44,5a,5d,96,e7,95,62,5b,b0,c4,63,ea,99,a9,41,a1,ab,07,e5,10,fb,81,4c,bd,0a,\
"rkeysecu"=hex:f0,69,a4,32,37,cb,1c,31,48,b3,52,03,b7,f4,1f,2b
.
[HKEY_LOCAL_MACHINE\software\ESET\ESET Security\CurrentVersion\Info]
@Denied: (2) (LocalSystem)
"AppDataDir"="c:\\ProgramData\\ESET\\ESET NOD32 Antivirus\\"
"DataDir"="ESET\\ESET NOD32 Antivirus\\"
"EditionName"=" "
"InstallDir"="c:\\Program Files\\ESET\\ESET NOD32 Antivirus\\"
"LanguageId"=dword:00000409
"PackageTag"=dword:6090e758
"ProductBase"=dword:00000000
"ProductCode"="{CDF97135-7FD2-4289-96B8-DD4505267ACD}"
"ProductName"="ESET NOD32 Antivirus"
"ProductType"="eav"
"ProductVersion"="4.0.314.0"
"UniqueId"="000249824DC000D2"
"ScannerBuild"=dword:00001124
"ScannerVersionId"=dword:00000ef8
"ScannerVersion"="Locked/open ESET for status."
"FixId"=dword:00000009
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-08-02 01:03:08
ComboFix-quarantined-files.txt 2012-08-01 23:03
ComboFix2.txt 2012-07-30 22:23
.
Pre-Run: 65.318.428.672 bytes free
Post-Run: 65.361.350.656 bytes free
.
- - End Of File - - DDCF162F4E9B987F5E185312FCCF5514




_________________________________________________________


AdwCleaner:

# AdwCleaner v1.800 - Logfile created 08/02/2012 at 01:06:19
# Updated 01/08/2012 by Xplode
# Operating system : Windows 7 Ultimate Service Pack 1 (32 bits)
# User : user - USER-PC
# Running from : C:\Users\user\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

Folder Found : C:\ProgramData\boost_interprocess
Folder Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ilivid
Folder Found : C:\Program Files\Ilivid
Folder Found : C:\Program Files\Windows iLivid Toolbar
File Found : C:\Program Files\Mozilla FireFox\searchplugins\Search_Results.xml
File Found : C:\Program Files\Mozilla Firefox\searchplugins\SearchResults.xml

***** [Registry] *****

[*] Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT2786678
Key Found : HKCU\Software\AppDataLow\Software\Conduit
Key Found : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Found : HKCU\Software\AppDataLow\Software\PriceGong
Key Found : HKCU\Software\AppDataLow\Software\searchqutoolbar
Key Found : HKCU\Software\AppDataLow\Software\SmartBar
Key Found : HKCU\Software\AppDataLow\Toolbar
Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\Headlight
Key Found : HKCU\Software\ilivid
Key Found : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Found : HKLM\SOFTWARE\Classes\SearchQUIEHelper.DNSGuard
Key Found : HKLM\SOFTWARE\Classes\SearchQUIEHelper.DNSGuard.1
Key Found : HKLM\SOFTWARE\DT Soft
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SearchquMediaBar_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SearchquMediaBar_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SetupDataMngr_Searchqu_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SetupDataMngr_Searchqu_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Searchqu 406 MediaBar
Key Found : HKLM\SOFTWARE\uTorrentBar

***** [Registre - GUID] *****

Key Found : HKLM\SOFTWARE\Classes\CLSID\{CC1AC828-BB47-4361-AFB5-96EEE259DD87}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{DB9500FD-4B75-4045-A21A-81076AA03B4E}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{6A4BCABA-C437-4C76-A54E-AF31B8A76CB9}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B4E7EB6B-0728-41EA-B222-0401F2C34D57}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8C8824AF-A0E6-4B33-99E7-E3630CCCAD91}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DB9500FD-4B75-4045-A21A-81076AA03B4E}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DB9500FD-4B75-4045-A21A-81076AA03B4E}
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7601.17514

[OK] Registry is clean.

-\\ Mozilla Firefox v12.0 (hr)

-\\ Google Chrome v20.0.1132.57

*************************

AdwCleaner[R1].txt - [3256 octets] - [02/08/2012 01:06:19]

########## EOF - C:\AdwCleaner[R1].txt - [3384 octets] ##########

Edited by pcnewbie_94, 01 August 2012 - 06:11 PM.
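
A triage script written for this thread (not part of the original posts, and not ComboFix's own code) that parses lines in the shape of the ComboFix log above and flags what a helper looks for: hidden system-attribute entries created under c:\windows, the weakened UAC policy values, a Firefox proxy setting and search-pref overrides. The sample log is constructed from lines in the post; the `Finding` type and the `triage` function are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the ComboFix log posted above: a few
# "Files Created" entries, the UAC policy key, and the Firefox prefs lines.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2012-07-01 to 2012-08-01 )))))))))))))))))))))))))))))))
.
2012-07-26 11:31 . 2012-07-26 11:31 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-07-26 12:07 . 2012-07-26 12:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-07-27 16:45 . 2012-07-27 16:46 5 ----a-w- c:\windows\system\tdsdcs.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 62061
FF - prefs.js: network.proxy.type - 0
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?SSPV=FFSB3&ctid=CT2776682&SearchSource=2&q=
"""


@dataclass
class Finding:
    kind: str
    detail: str


# "<created> . <modified> <size> <attributes> <path>" lines of the Files Created section
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} (\S+) (\S+) (.+)$"
)
KEY_RE = re.compile(r"^\[(.+)\]$")                                 # [HKEY_...] section header
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(\d+) \(0x[0-9a-fA-F]+\)$')  # "Name"= 0 (0x0)
FF_RE = re.compile(r"^FF - prefs\.js: (\S+) - (.*)$")              # Firefox prefs.js overrides

UAC_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"
# value name -> (value that weakens UAC, what that value means)
UAC_WEAK = {
    "EnableLUA": (0, "UAC is disabled entirely"),
    "ConsentPromptBehaviorAdmin": (0, "administrators elevate without any prompt"),
    "PromptOnSecureDesktop": (0, "elevation prompts appear on the normal, spoofable desktop"),
}
# prefs.js overrides that change where searches go; ComboFix lists only non-default prefs
SEARCH_PREFS = ("browser.search.defaulturl", "browser.search.selectedEngine", "keyword.URL")


def triage(log_text: str) -> list[Finding]:
    """Return the security-relevant findings in a ComboFix log."""
    findings: list[Finding] = []
    current_key = ""
    ff_prefs: dict[str, str] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if m := FILE_RE.match(line):
            _size, attrs, path = m.groups()
            # hidden + system attributes on something newly created under c:\windows
            if "h" in attrs and "s" in attrs and path.lower().startswith(r"c:\windows"):
                note = " (name is an unexpanded environment variable)" if "%" in path else ""
                findings.append(Finding("hidden-system-path", f"{path} [{attrs}]{note}"))
        elif m := KEY_RE.match(line):
            current_key = m.group(1).lower()
        elif (m := VALUE_RE.match(line)) and current_key == UAC_KEY:
            name, value = m.group(1), int(m.group(2))
            if name in UAC_WEAK and value == UAC_WEAK[name][0]:
                findings.append(Finding("uac-weakened", f"{name}={value}: {UAC_WEAK[name][1]}"))
        elif m := FF_RE.match(line):
            ff_prefs[m.group(1)] = m.group(2)

    if host := ff_prefs.get("network.proxy.http"):
        port = ff_prefs.get("network.proxy.http_port", "?")
        # network.proxy.type 1 = manual proxy in use; 0 = direct connection, so the
        # host/port pair is dormant but still worth removing
        state = "active" if ff_prefs.get("network.proxy.type") == "1" else "configured but not active"
        findings.append(Finding("firefox-proxy", f"{host}:{port} ({state})"))
    for name in SEARCH_PREFS:
        if name in ff_prefs:
            findings.append(Finding("search-override", f"{name} -> {ff_prefs[name]}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<20} {f.detail}")
```

Run against a full log, the same parser walks every section; entries outside the three shapes above are simply ignored.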


#9 M-K-D-B

  • Malware Response Team
  • 1,598 posts
  • Gender: Male
  • Location: Bavaria

Posted 02 August 2012 - 06:41 AM

Hi pcnewbie_94,



good job so far! :thumbup2:
Let's fix some remnants with AdwCleaner and do a control scan with DDS please. :)



Step 1
  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.





Step 2
We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE





Step 3
I would like you to answer the following questions as exactly and in as much detail as you can:
  • How is your computer running at the moment?





What you should post with your next answer:
  • the logfile from AdwCleaner,
  • both logfiles from DDS,
  • an answer to my question.

Regards,
M-K-D-B

#10 pcnewbie_94

  • Topic Starter
  • Members
  • 8 posts

Posted 02 August 2012 - 02:07 PM

Hi M-K-D-B! Thank you for the fast reply!

Here are the logs:

from adwcleaner:

# AdwCleaner v1.800 - Logfile created 08/02/2012 at 20:53:55
# Updated 01/08/2012 by Xplode
# Operating system : Windows 7 Ultimate Service Pack 1 (32 bits)
# User : user - USER-PC
# Running from : C:\Users\user\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\ProgramData\boost_interprocess
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ilivid
Folder Deleted : C:\Program Files\Ilivid
Folder Deleted : C:\Program Files\Windows iLivid Toolbar
File Deleted : C:\Program Files\Mozilla FireFox\searchplugins\Search_Results.xml
File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\SearchResults.xml

***** [Registry] *****

[*] Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2786678
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong
Key Deleted : HKCU\Software\AppDataLow\Software\searchqutoolbar
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKCU\Software\AppDataLow\Toolbar
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Headlight
Key Deleted : HKCU\Software\ilivid
Key Deleted : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Deleted : HKLM\SOFTWARE\Classes\SearchQUIEHelper.DNSGuard
Key Deleted : HKLM\SOFTWARE\Classes\SearchQUIEHelper.DNSGuard.1
Key Deleted : HKLM\SOFTWARE\DT Soft
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SearchquMediaBar_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SearchquMediaBar_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SetupDataMngr_Searchqu_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SetupDataMngr_Searchqu_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Searchqu 406 MediaBar
Key Deleted : HKLM\SOFTWARE\uTorrentBar

***** [Registre - GUID] *****

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CC1AC828-BB47-4361-AFB5-96EEE259DD87}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DB9500FD-4B75-4045-A21A-81076AA03B4E}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{6A4BCABA-C437-4C76-A54E-AF31B8A76CB9}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B4E7EB6B-0728-41EA-B222-0401F2C34D57}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8C8824AF-A0E6-4B33-99E7-E3630CCCAD91}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DB9500FD-4B75-4045-A21A-81076AA03B4E}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DB9500FD-4B75-4045-A21A-81076AA03B4E}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7601.17514

[OK] Registry is clean.

-\\ Mozilla Firefox v12.0 (hr)

-\\ Google Chrome v20.0.1132.57

*************************

AdwCleaner[R1].txt - [3385 octets] - [02/08/2012 01:06:19]
AdwCleaner[S1].txt - [3390 octets] - [02/08/2012 20:53:55]

########## EOF - C:\AdwCleaner[S1].txt - [3518 octets] ##########



_____________________________________________________________________

from DDS:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 10.5.1
Run by user at 20:57:25 on 2012-08-02
Microsoft Windows 7 Ultimate 6.1.7601.1.1250.385.1033.18.2047.1084 [GMT 2:00]
.
AV: ESET NOD32 Antivirus 4.0 *Enabled/Updated* {CB0F8167-5331-BA19-698E-64816B6801A5}
SP: ESET NOD32 Antivirus 4.0 *Enabled/Updated* {706E6083-750B-B597-533E-5FF310EF4B18}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\PnkBstrB.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GR469A~1.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{94F6FDF1-6838-4052-8638-00EE62FD3BD6} : DhcpNameServer = 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GRA32A~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GR469A~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\user\appdata\roaming\mozilla\firefox\profiles\glchw2cf.default\
FF - prefs.js: browser.search.selectedEngine - BrotherSoft Extreme Customized Web Search
FF - prefs.js: browser.startup.homepage - www.google.hr
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?SSPV=FFSB3&ctid=CT2776682&SearchSource=2&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\users\user\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\users\user\appdata\roaming\mozilla\firefox\profiles\glchw2cf.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\plugins\np-mswmp.dll
FF - plugin: c:\users\user\appdata\roaming\mozilla\firefox\profiles\glchw2cf.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\plugins\np-mswmp.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_268.dll
.
============= SERVICES / DRIVERS ===============
.
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-2-6 727720]
R2 epfwwfpr;epfwwfpr;c:\windows\system32\drivers\epfwwfpr.sys [2009-2-6 92800]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2012-7-26 1153368]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2012-2-9 382272]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l160x86.sys [2009-6-25 47104]
R3 nvoclock;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\drivers\nvoclock.sys [2009-9-15 38248]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Usluga Google ažuriranje (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-10-5 136176]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-7-25 655944]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia update core\daemonu.exe [2012-3-8 2348352]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-5-27 250056]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 gupdatem;Usluga Google ažuriranje (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-10-5 136176]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-7-25 22344]
S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\mcafee security scan\2.0.181\mcchsvc.exe" --> c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-6-20 129976]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-5-26 15872]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-5-26 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-5-3 1343400]
.
=============== Created Last 30 ================
.
2074-05-07 16:38:48 203576 ------w- c:\program files\microsoft games\age of empires iii\autopatcher2.exe
2012-08-01 23:03:11 -------- d-sh--w- C:\$RECYCLE.BIN
2012-08-01 23:03:10 -------- d-----w- c:\users\user\appdata\local\temp
2012-07-31 17:36:27 -------- d-----w- c:\program files\Oracle
2012-07-30 22:08:53 98816 ----a-w- c:\windows\sed.exe
2012-07-30 22:08:53 518144 ----a-w- c:\windows\SWREG.exe
2012-07-30 22:08:53 256000 ----a-w- c:\windows\PEV.exe
2012-07-30 22:08:53 208896 ----a-w- c:\windows\MBR.exe
2012-07-27 16:45:39 5 ----a-w- c:\windows\system\tdsdcs.dll
2012-07-27 15:07:53 6891424 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{fe3cec72-6fc2-48ea-9752-4f1a5c05cc49}\mpengine.dll
2012-07-27 11:57:32 -------- d-----w- C:\user
2012-07-27 11:39:08 -------- d-----w- c:\program files\PC Tools Security
2012-07-26 21:31:33 -------- d-----w- c:\program files\TDS3
2012-07-26 12:07:13 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-07-26 12:07:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-07-26 11:31:18 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-07-26 11:15:29 102400 ----a-w- c:\windows\RegBootClean.exe
2012-07-26 11:00:34 256904 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2012-07-26 10:57:29 388096 ----a-r- c:\users\user\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-07-26 10:57:29 -------- d-----w- c:\program files\Trend Micro
2012-07-25 16:28:36 -------- d-----w- c:\windows\CC1F6DA021D2425AB1B65B164A598450.TMP
2012-07-25 16:28:20 -------- d-----w- c:\program files\common files\Wise Installation Wizard
2012-07-25 16:10:08 -------- d-----w- c:\program files\CCleaner
2012-07-25 15:51:18 -------- d-----w- c:\users\user\appdata\roaming\Malwarebytes
2012-07-25 15:50:59 -------- d-----w- c:\programdata\Malwarebytes
2012-07-25 15:50:57 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-25 15:50:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-07-25 15:49:11 -------- d--h--w- c:\windows\PIF
2012-07-25 15:44:52 -------- d-----w- c:\programdata\SecTaskMan
2012-07-25 15:44:49 -------- d-----w- c:\program files\Security Task Manager
2012-07-11 01:00:48 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-07-10 22:58:06 1019904 ----a-w- c:\program files\common files\system\ado\msado15.dll
2012-07-10 22:58:05 805376 ----a-w- c:\windows\system32\cdosys.dll
2012-07-10 22:58:05 57344 ----a-w- c:\program files\common files\system\ado\msador15.dll
2012-07-10 22:58:05 372736 ----a-w- c:\program files\common files\system\ado\msadox.dll
2012-07-10 22:58:05 352256 ----a-w- c:\program files\common files\system\ado\msadomd.dll
2012-07-10 22:58:05 212992 ----a-w- c:\program files\common files\system\msadc\msadco.dll
2012-07-10 22:58:05 143360 ----a-w- c:\program files\common files\system\ado\msjro.dll
2012-07-10 22:54:53 369336 ----a-w- c:\windows\system32\drivers\cng.sys
2012-07-10 22:54:53 225280 ----a-w- c:\windows\system32\schannel.dll
2012-07-10 22:54:53 219136 ----a-w- c:\windows\system32\ncrypt.dll
2012-07-10 22:54:53 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-07-10 22:54:52 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-07-10 22:54:51 1390080 ----a-w- c:\windows\system32\msxml6.dll
2012-07-10 22:54:50 2048 ----a-w- c:\windows\system32\msxml3r.dll
2012-07-10 22:54:50 1236992 ----a-w- c:\windows\system32\msxml3.dll
2012-07-05 14:40:16 -------- d-----w- c:\users\user\appdata\roaming\Origin
2012-07-05 14:40:09 -------- d-----w- c:\programdata\Origin
.
==================== Find3M ====================
.
2012-07-27 02:14:49 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-27 02:14:49 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-05 20:06:20 687544 ----a-w- c:\windows\system32\deployJava1.dll
2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 13:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 13:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-05-31 10:25:14 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-05-15 03:03:54 981504 ----a-w- c:\windows\system32\wininet.dll
2012-01-19 14:21:32 321024 ----a-w- c:\program files\gproxy.exe
2011-09-25 21:18:06 98816 ----a-w- c:\program files\euroloader.exe
2011-05-13 09:33:57 3336 ----a-w- c:\program files\eurobattle.reg
2011-04-23 23:30:39 68608 ----a-w- c:\program files\w3lh.dll
2010-03-11 07:00:40 118784 ----a-w- c:\program files\pdcurses.dll
2003-04-10 15:56:02 351744 ----a-w- c:\program files\winmpq.exe
2003-04-10 15:18:26 184320 ------w- c:\program files\SFmpq.dll
1996-11-08 01:17:52 721168 ------w- c:\program files\VB40032.DLL
.
============= FINISH: 20:58:14,75 ===============


_________________________________________________________________

2nd log from DDS: (I'm sorry, I didn't know how to zip it)

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume1
Install Date: 3.5.2011. 14:21:42
System Uptime: 2.8.2012. 20:55:07 (0 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | P5KPL
Processor: Intel® Core™2 Duo CPU E8400 @ 3.00GHz | Socket 775 | 2997/333mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 233 GiB total, 59,978 GiB free.
D: is CDROM ()
F: is CDROM ()
G: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP230: 26.7.2012. 23:05:10 - Removed UAZ Racing 4x4
RP232: 26.7.2012. 23:06:30 - Removed UAZ Racing 4x4
RP233: 27.7.2012. 1:45:04 - eva
RP235: 27.7.2012. 18:44:20 - Windows Defender Checkpoint
RP236: 31.7.2012. 0:09:05 - ComboFix created restore point
RP237: 31.7.2012. 19:34:22 - Installed Java™ 7 Update 5
RP238: 31.7.2012. 19:35:46 - Removed JavaFX 2.1.0
RP239: 31.7.2012. 19:36:10 - Installed JavaFX 2.1.1
RP240: 2.8.2012. 0:44:38 - Removed SpyHunter
.
==== Installed Programs ======================
.
.
18 WoS Extreme Trucker 2 (v.1.0)
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 9.2
Adobe Shockwave Player 11.6
µTorrent
BS.Player FREE
CCleaner
ESET NOD32 Antivirus
ffdshow v1.1.3562 [2010-09-07]
Garena 2010
GOM Player
Google Chrome
Google Earth
Google Earth Plug-in
Google Update Helper
HiJackThis
iLivid
Java Auto Updater
Java™ 6 Update 26
Java™ 7 Update 5
JavaFX 2.1.1
Malwarebytes Anti-Malware version 1.62.0.1300
Media Player Classic - Home Cinema v. 1.3.1249.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 4 Client Profile
Microsoft Games for Windows - LIVE Redistributable
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft WSE 3.0 Runtime
Mozilla Firefox 12.0 (x86 hr)
Mozilla Maintenance Service
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 7 Ultra Edition
neroxml
NVIDIA 3D Vision Controller Driver
NVIDIA 3D Vision Controller Driver 295.73
NVIDIA 3D Vision Driver 295.73
NVIDIA Control Panel 295.73
NVIDIA Drivers
NVIDIA Graphics Driver 295.73
NVIDIA Install Application
NVIDIA Performance
NVIDIA PhysX
NVIDIA PhysX System Software 9.12.0209
NVIDIA Stereoscopic 3D Driver
NVIDIA System Monitor
NVIDIA Update 1.7.11
NVIDIA Update Components
Orban/Coding Technologies AAC/aacPlus Player Plugin™ 1.0
Pando Media Booster
Pocket Tanks v1.3
Risk WarZone Client
Security Task Manager 1.8d
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Spybot - Search & Destroy
swMSM
The Sims™ 3
UAZ Racing 4x4
Unity Web Player
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Warcraft III Reign of Chaos & The Frozen Throne
WinRAR arhiver
Xfire (remove only)
.
==== Event Viewer Messages From Past Week ========
.
31.7.2012. 0:18:46, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the SBSD Security Center Service service to connect.
31.7.2012. 0:18:46, Error: Service Control Manager [7000] - The SBSD Security Center Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
31.7.2012. 0:08:21, Error: Service Control Manager [7034] - The SpyHunter 4 Service service terminated unexpectedly. It has done this 1 time(s).
30.7.2012. 23:47:44, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891
30.7.2012. 23:47:44, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891
27.7.2012. 15:28:31, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
27.7.2012. 13:45:06, Error: Service Control Manager [7000] - The Security Center service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
27.7.2012. 13:24:20, Error: VDS Basic Provider [1] - Unexpected failure. Error code: D@01010004
27.7.2012. 13:24:20, Error: VDS Basic Provider [1] - Unexpected failure. Error code: 490@01010004
26.7.2012. 23:37:57, Error: Service Control Manager [7001] - The SBSD Security Center Service service depends on the Security Center service which failed to start because of the following error: The account specified for this service is different from the account specified for other services running in the same process.
26.7.2012. 23:37:56, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
26.7.2012. 23:37:56, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
26.7.2012. 23:37:56, Error: Service Control Manager [7000] - The epfwwfpr service failed to start due to the following error: There are no more endpoints available from the endpoint mapper.
26.7.2012. 23:27:13, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x000000f4 (0x00000003, 0x86728108, 0x86728274, 0x82c34df0). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 072612-23828-01.
26.7.2012. 22:25:49, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {D3DCB472-7261-43CE-924B-0704BD730D5F}
26.7.2012. 22:25:49, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
26.7.2012. 22:25:39, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
26.7.2012. 22:25:38, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
26.7.2012. 22:25:38, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
26.7.2012. 22:25:34, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
26.7.2012. 22:25:28, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
26.7.2012. 22:25:27, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache ehdrv spldr sptd Wanarpv6
26.7.2012. 22:25:25, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
26.7.2012. 22:25:04, Error: sptd [4] - Driver detected an internal error in its data structures for .
26.7.2012. 22:04:05, Error: Microsoft-Windows-WER-SystemErrorReporting [1005] - Unable to produce a minidump file from the full dump file.
26.7.2012. 22:04:05, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000007a (0xc0416540, 0xc0000185, 0x05c36860, 0x82ca8357). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: .
26.7.2012. 21:08:54, Error: atapi [11] - The driver detected a controller error on \Device\Ide\IdePort2.
26.7.2012. 20:08:12, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000007a (0xc04858e8, 0xc0000185, 0x5e8a8860, 0x90b1d03a). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: .
26.7.2012. 19:53:38, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Error Reporting Service service to connect.
26.7.2012. 19:45:15, Error: volsnap [14] - The shadow copies of volume C: were aborted because of an IO failure on volume C:.
2.8.2012. 1:01:13, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
.
==== End Of File ===========================

___________________________________________________

Answer: Well, the shutting down stopped, it's a bit faster, antivirus doesn't report anything, I'm free of some toolbars and junk I didn't need. That's about it, I don't know if the virus from services.exe is really gone, but it sure feels like it is. If you need any more details, please tell me :)
And once again thank you!

Edited by pcnewbie_94, 02 August 2012 - 02:09 PM.


#11 M-K-D-B

  • Malware Response Team
  • 1,598 posts
  • Gender:Male
  • Location:Bavaria

Posted 03 August 2012 - 01:00 PM

Hi pcnewbie_94,


sounds good so far. :)
Let's remove outdated and unwanted software and do some control scans.



Step 1
Going over your logs I noticed that you have µTorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
I would recommend that you uninstall µTorrent, however that choice is up to you as you can use the program for legit downloads as well. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.
If you wish to keep it, please do not use it until your computer is cleaned.





Step 2
Click "start" on the taskbar and then click on the "Control Panel" icon.
Please doubleclick the "Add or Remove Programs" icon
A list of programs installed will be "populated" this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

Java™ 6 Update 26

Additional instructions can be found here if needed.





Step 3
Revo Uninstaller is more thorough in deleting programs on your computer than using the Add/Remove option in Windows. Since it is a more powerful tool, please be sure to follow the instructions carefully.

Please note there is a chance when you look for this program to uninstall through Revo it might not be listed because of the previous uninstall. If that is the case simply stop and let me know.
  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on the listed program(s), or anything similar, to remove it
    iLivid
    
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • When the built-in uninstaller is finished click on Next
  • Once the program has searched for leftovers click Next.
  • Check the items in bold only on the list then click Delete. You may have to expand some folders by clicking the "+" mark.
  • When prompted click on Yes and then on Next.
  • Put a check on any folders that are found and select Delete
  • When prompted select Yes then Next
  • Once done click Finish.





Step 4
  • Please start Malwarebytes' Anti-Malware.
  • Click on the Update tab and download the newest definitions updates.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.





Step 5
ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will however need to disable your currently installed Anti-Virus; how to do so can be read here.

Vista/Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here to run the scan.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted, then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.

  • Select the option YES, I accept the Terms of Use, then click on: [button image]
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: [button image]
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on: [button image]
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!





Step 6
Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.





What you should post with your next answer:
  • a feedback about the uninstall of those programs,
  • the logfile from MBAM,
  • the logfile from ESET Online Scanner,
  • the logfile from SecurityCheck.

Regards,
M-K-D-B
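
The DDS report posted earlier (the mPolicies and FF - prefs.js lines) and the clean-up reply above (remove the superseded Java 6 runtime) both amount to reading a log and deciding what to act on. The script below is an added example written for this page, not part of the DDS tool, of BleepingComputer's procedure, or of anything either poster ran: it parses those DDS-style lines and reports the same kinds of findings a helper looks for. The SAMPLE_REPORT is a constructed, cut-down copy of lines from the report above so the script runs offline; the STOCK_ENGINES set and every function name are assumptions of this example.

```python
"""Triage a DDS-style report for the settings this thread acts on.

Added example, not part of DDS or of this thread: parses the
"mPolicies" and "FF - prefs.js" lines and the "Installed Programs"
section and reports UAC weakening, browser search/proxy overrides
and superseded Java runtimes.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: a cut-down copy of the relevant lines from the DDS
# report posted earlier in this thread, embedded so the script runs offline.
SAMPLE_REPORT = """\
mPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
FF - prefs.js: browser.search.selectedEngine - BrotherSoft Extreme Customized Web Search
FF - prefs.js: browser.startup.homepage - www.google.hr
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?SSPV=FFSB3&ctid=CT2776682&SearchSource=2&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.type - 0
==== Installed Programs ======================
Java(TM) 6 Update 26
Java(TM) 7 Update 5
JavaFX 2.1.1
Mozilla Firefox 12.0 (x86 hr)
==== Event Viewer Messages From Past Week ========
"""

POLICY_RE = re.compile(r"^mPolicies-\w+: (\S+) = (-?\d+)")
PREF_RE = re.compile(r"^FF - prefs\.js: (\S+) - (.*)$")
SECTION_RE = re.compile(r"^==== (.+?) =+$")
JAVA_RE = re.compile(r"^Java(?:\(TM\)|™)? (\d+) Update (\d+)$")

# Assumption of this example: engines a stock Firefox of that era shipped with;
# anything else was put there by an add-on or bundled toolbar and deserves a look.
STOCK_ENGINES = {"Google", "Yahoo", "Bing", "Amazon.com", "eBay", "Twitter", "Wikipedia (en)"}


def parse_report(text):
    """Return (policies, prefs, programs) from a DDS-style report."""
    policies, prefs, programs = {}, {}, []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SECTION_RE.match(line)):
            section = m.group(1)
        elif (m := POLICY_RE.match(line)):
            policies[m.group(1)] = int(m.group(2))
        elif (m := PREF_RE.match(line)):
            prefs[m.group(1)] = m.group(2).strip()
        elif section == "Installed Programs" and line and line != ".":
            programs.append(line)  # DDS prints "." for blank lines
    return policies, prefs, programs


def check_uac(policies):
    """Flag UAC policy values that remove the elevation prompt."""
    findings = []
    if policies.get("EnableLUA") == 0:
        findings.append("UAC is disabled (EnableLUA=0): an administrator's processes, "
                        "including whatever a dropper launches, run fully elevated")
    if policies.get("ConsentPromptBehaviorAdmin") == 0:
        findings.append("administrators elevate silently (ConsentPromptBehaviorAdmin=0)")
    if policies.get("PromptOnSecureDesktop") == 0:
        findings.append("elevation prompts are not shown on the secure desktop "
                        "(PromptOnSecureDesktop=0)")
    return findings


def host_of(url):
    """Hostname of a URL, accepting the hxxp:// defanging DDS applies."""
    return urlsplit(re.sub(r"^hxxp", "http", url, flags=re.I)).hostname or ""


def check_firefox(prefs):
    """Flag search redirection and proxy settings found in prefs.js."""
    findings = []
    if prefs.get("keyword.URL"):
        findings.append(f"address-bar searches go to {host_of(prefs['keyword.URL'])} (keyword.URL)")
    engine = prefs.get("browser.search.selectedEngine")
    if engine and engine not in STOCK_ENGINES:
        findings.append(f"default search engine is not a stock one: {engine!r}")
    proxy_host = prefs.get("network.proxy.http")
    proxy_type = int(prefs.get("network.proxy.type", "5"))  # 5 = use system settings
    if proxy_host and proxy_type == 1:
        findings.append(f"HTTP traffic is routed through a manual proxy at {proxy_host}")
    elif proxy_host:
        # Inert while type != 1, but a single pref flip re-arms it: report it anyway.
        findings.append(f"proxy host {proxy_host} is set but inactive "
                        f"(network.proxy.type={proxy_type}); clear it anyway")
    return findings


def check_java(programs):
    """Flag every Java runtime except the newest: side-by-side installs keep old JREs reachable."""
    runtimes = []
    for name in programs:
        m = JAVA_RE.match(name)
        if m:
            runtimes.append(((int(m.group(1)), int(m.group(2))), name))
    runtimes.sort()
    if len(runtimes) < 2:
        return []
    newest = runtimes[-1][1]
    return [f"superseded Java runtime still installed: {name} (newest is {newest})"
            for _, name in runtimes[:-1]]


def triage(text):
    """All findings for one report, in the order a helper would act on them."""
    policies, prefs, programs = parse_report(text)
    return check_uac(policies) + check_firefox(prefs) + check_java(programs)


if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT):
        print("-", finding)
```

Run it against a saved DDS report with `triage(open("dds.txt").read())`. The proxy check is deliberately two-sided: with network.proxy.type at 0 the 127.0.0.1 host in the report above is not in use, so the script reports it as inactive rather than as live interception, which is the distinction a reviewer needs before deciding whether traffic was being redirected.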

#12 pcnewbie_94

  • Topic Starter
  • Members
  • 8 posts

Posted 05 August 2012 - 01:36 PM

Hey M-K-D-B!
Sorry for the late reply.

I know about the dangers of downloading via torrent, but it seems that my family doesn't. I'll make sure they know what they're allowed to download and how. Thank you for the warning, but I'm going to keep it installed on my PC. I'm not going to use it during the process of cleaning it :)

I successfully removed both Java Update 26 and iLivid.

Here are the scans:

from MBAM:

Malwarebytes Anti-Malware (PRO) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.05.06

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 8.0.7601.17514
user :: USER-PC [administrator]

Protection: Enabled

5.8.2012. 17:09:05
mbam-log-2012-08-05 (17-09-05).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 211006
Time elapsed: 6 minute(s), 33 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

_____________________________________________________________

Also, MBAM Protection log:

2012/08/05 17:08:49 +0200 USER-PC user MESSAGE Starting database refresh
2012/08/05 17:08:49 +0200 USER-PC user MESSAGE Stopping IP protection
2012/08/05 17:11:33 +0200 USER-PC user MESSAGE IP Protection stopped
2012/08/05 17:12:11 +0200 USER-PC user MESSAGE Database refreshed successfully
2012/08/05 17:12:11 +0200 USER-PC user MESSAGE Starting IP protection
2012/08/05 17:12:13 +0200 USER-PC user MESSAGE IP Protection started successfully
2012/08/05 17:16:47 +0200 USER-PC user MESSAGE Stopping IP protection
2012/08/05 17:19:00 +0200 USER-PC user MESSAGE IP Protection stopped

_____________________________________________________________

ESET online scanner log:

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=433c992bd5438242a8434ee526804d8a
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-08-05 06:15:46
# local_time=2012-08-05 08:15:46 (+0100, Central European Daylight Time)
# country="Croatia"
# lang=1033
# osver=6.0.6000 NT
# compatibility_mode=512 16777215 100 0 886119 886119 0 0
# compatibility_mode=5893 16776574 100 94 2788 95817559 0 0
# compatibility_mode=8199 22379965 100 100 21119 110267180 0 0
# scanned=150482
# found=0
# cleaned=0
# scan_time=4177
# nod_component=V3 Build:0x30000000

__________________________________________________________________

SecurityCheck log:

Results of screen317's Security Check version 0.99.43
Windows 7 Service Pack 1 x86 (UAC is disabled!)
Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
ESET NOD32 Antivirus 4.0
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Spybot - Search & Destroy
Malwarebytes Anti-Malware version 1.62.0.1300
CCleaner
JavaFX 2.1.1
Java™ 7 Update 5
Adobe Flash Player 11.3.300.270
Adobe Reader 9 Adobe Reader out of Date!
Mozilla Firefox 12.0 Firefox out of Date!
Google Chrome 20.0.1132.57
Google Chrome 21.0.1180.60
Google Chrome VisualElementsManifest.xml..
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Spybot Teatimer.exe is disabled!
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````

That's it, thanks again!

#13 M-K-D-B

M-K-D-B

  • Malware Response Team
  • 1,598 posts
  • OFFLINE
  • Gender:Male
  • Location:Bavaria
  • Local time:07:32 AM

Posted 06 August 2012 - 08:07 AM

Hi pcnewbie_94,

If you have no more problems, then we're done here. Your computer is clean. :thumbup2:
Finally, we have to take a few steps to clean up and protect your computer.

Step 1
Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older-version Adobe components and update:
  • Download the latest version of Adobe Reader Version X and save it to your desktop.
  • Uncheck the "Free McAfee Security plan Plus" option or any other Toolbar you are offered
  • Click the download button at the bottom.
  • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the click here to download link on the next page.
  • Remove all older versions of Adobe Reader: Go to Add/remove and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
    If you are unsure of how to use Add or Remove Programs, then please see this tutorial: How To Remove An Installed Program From Your Computer
  • Then from your desktop double-click on Adobe Reader to install the newest version.
    If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the "Adobe Setup - Welcome" window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
Your Adobe Reader is now up to date!

Step 2
Important Note: Your version of Firefox is out of date.

Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.

Please follow these steps to update Firefox:

Step 3
I've seen that User Account Control (UAC) is disabled on your computer. This Windows feature can help you to protect your computer against malware.
I recommend enabling it. Have a look here:
http://windows.microsoft.com/en-us/windows-vista/Turn-User-Account-Control-on-or-off

Step 4
Your version of Internet Explorer is outdated.

Step 5
  • Press the "windows key" + "R"
  • Copy and paste the following code into the box
ComboFix /Uninstall
  • Click ok
  • ComboFix will be uninstalled now.

Step 6
To protect your computer from similar infections in the future, I recommend a couple of useful programs, including a few tips:


Practice Safe Internet

One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will. Below is a list of simple precautions to take to keep your computer clean and running securely:

  • If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
  • If you receive an attachment and it ends with a .exe, .com, .bat, or .pif do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.
  • If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know infected with a malware that is trying to infect everyone in their address book.
  • If you are browsing the Internet and a popup appears saying that you are infected, ignore it! These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of popups, or Foistware, you should read this article: Foistware, And how to avoid it.

    There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. For a list of these types of programs we recommend you visit this link: Rogue/Suspect Anti-Spyware Products & Web Sites
  • Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you. We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake.
  • Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.
  • When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.
  • Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.
  • Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing them, and Peer-2-Peer networks are crawling with it. If you want to download a piece of software from a site, and are not sure if they are legitimate, you can use McAfee Siteadvisor to look up info on the site.
  • DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.

Visit Microsoft's Windows Update Site Frequently
It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Update your AntiVirus Software
It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates
It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiMalware Program
A highly recommended and free Anti-Malware program is Malwarebytes' Anti-Malware.

Installing these programs will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiMalware program on a regular basis just as you would an antivirus software.


Install SpywareBlaster
SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware


Update all these programs regularly
Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Step 7
Please give me a short notice when you're done and have no more questions, so I can delete the topic from my subscriptions.
Regards,
M-K-D-B
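The helper's remediation steps above (outdated Adobe Reader, Firefox and Internet Explorer, UAC switched off) were read straight off the Security Check report posted in reply #12. As an added illustration, not part of this thread and not code from screen317's tool, the script below shows how that report can be triaged programmatically into a list of things to fix. The sample report is constructed to mirror the format posted above, and the phrases the rules key on ("UAC is disabled", "out of date!", "is disabled!") are assumed from that sample rather than taken from the tool's documentation.

```python
"""Triage a screen317 Security Check report into actionable findings.

Added example (not part of the thread, nor of the Security Check tool):
the sample report is constructed to mirror the format posted in the thread,
and the rule phrases are an assumption based on that sample.
"""
import re
from dataclasses import dataclass

SEP = "`" * 10  # Security Check frames its section headers with runs of backticks

# Constructed sample report in the same layout as the one posted in the thread.
SAMPLE_REPORT = "\n".join([
    "Results of screen317's Security Check version 0.99.43",
    "Windows 7 Service Pack 1 x86 (UAC is disabled!)",
    "Internet Explorer 8 Out of date!",
    f"{SEP}Antivirus/Firewall Check:{SEP}",
    "Windows Firewall Enabled!",
    "ESET NOD32 Antivirus 4.0",
    "Antivirus up to date!",
    f"{SEP}Anti-malware/Other Utilities Check:{SEP}",
    "Malwarebytes Anti-Malware version 1.62.0.1300",
    "Java(TM) 7 Update 5",
    "Adobe Reader 9 Adobe Reader out of Date!",
    "Mozilla Firefox 12.0 Firefox out of Date!",
    "Google Chrome 21.0.1180.60",
    f"{SEP}Process Check: objlist.exe by Laurent{SEP}",
    "Malwarebytes Anti-Malware mbamservice.exe",
    "Spybot Teatimer.exe is disabled!",
    f"{SEP}System Health check{SEP}",
    "Total Fragmentation on Drive C: 0%",
    f"{SEP}End of Log{SEP}",
])


@dataclass(frozen=True)
class Finding:
    section: str   # report section the line came from
    kind: str      # "uac_disabled", "outdated" or "protection_disabled"
    subject: str   # the product or feature concerned
    action: str    # what a helper would ask the user to do


# "<product> <version>" = shortest prefix ending in a token that contains a digit,
# so "Adobe Reader 9 Adobe Reader out of Date!" yields "Adobe Reader 9".
_PRODUCT_RE = re.compile(r"^(?P<product>.*?\d[\w.]*)")
_SECTION_RE = re.compile(r"^`+(?P<title>[^`]+?)`+$")


def _product(line: str) -> str:
    m = _PRODUCT_RE.match(line)
    return m.group("product") if m else line.strip()


def parse_sections(report: str):
    """Yield (section_title, line) pairs; lines before the first header get 'System'."""
    section = "System"
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _SECTION_RE.match(line)
        if m:
            section = m.group("title").rstrip(":")
            continue
        yield section, line


def triage(report: str) -> list:
    """Turn a Security Check report into the list of items needing attention."""
    findings = []
    for section, line in parse_sections(report):
        if "UAC is disabled" in line:
            os_name = line.split(" (")[0]
            findings.append(Finding(section, "uac_disabled", os_name,
                                    "Turn User Account Control back on"))
        elif re.search(r"out of date!", line, re.IGNORECASE):
            product = _product(line)
            findings.append(Finding(section, "outdated", product,
                                    f"Update {product} to the current release"))
        elif line.endswith("is disabled!"):
            component = line[: -len(" is disabled!")]
            findings.append(Finding(section, "protection_disabled", component,
                                    f"Re-enable {component} or remove the product"))
    return findings


def outdated_products(report: str) -> list:
    """Just the names of software the report flags as out of date."""
    return [f.subject for f in triage(report) if f.kind == "outdated"]


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.section}] {f.kind:<20} {f.subject:<30} -> {f.action}")
```

Run as a script it prints one line per finding; on the sample it reports the disabled UAC, the three outdated products the helper addressed in Steps 1, 2 and 4, and the disabled Teatimer process. Section titles are recovered by stripping the backtick frames, which is why the version and Internet Explorer lines, which precede the first header, are attributed to a generic "System" section.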

#14 pcnewbie_94

pcnewbie_94
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:07:32 AM

Posted 10 August 2012 - 09:46 AM

Hey, I just want to thank you for everything you've done, I wasn't sure if I could do it without reinstalling windows, but with your help I did it!
So thank you very much, my PC is running fine, and I've read everything you wrote :)

#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,314 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:08:32 AM

Posted 19 August 2012 - 03:13 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft
