
help with Trojan:Win64/Necurs.A


This topic is locked
12 replies to this topic

#1 cee_cee

  • Members
  • 9 posts

Posted 05 September 2012 - 09:26 PM

Hello,

My computer was acting strange these past couple of days. But it got me worried when my virus scanner (Avira) ceased to function even if I enable it manually. Second, the notification tray (the one with the flag thingy) said that Windows Defender is off, so I turned it on, updated and ran a quick scan and to my surprise, it found a win64/necurs.A trojan. Defender tried to clean it, but it resulted in an error, thus I couldn't find any logs for it nor have an idea of what really happened.

I'm hoping that the virus is gone but still getting paranoid about it :<
Thanks! (UPDATE: WITH DDS logs, GMER won't run)

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 10.7.2
Run by Raul Nengasca at 10:13:44 on 2012-09-06
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.4077.2613 [GMT -7:00]
.
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
C:\Program Files (x86)\Vtune\TBPANEL.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\USB Disk Security\USBGuard.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\MSI\Super-Charger\Super-Charger.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Avira SearchFree Toolbar plus Web Protection: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: Avira SearchFree Toolbar plus Web Protection: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
uRun: [TBPANEL] C:\Program Files (x86)\Vtune\TBPANEL.exe /A
uRun: [KSS] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe" /autorun
mRun: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun: [Super-Charger] C:\Program Files (x86)\MSI\Super-Charger\StartSuperCharger.exe
mRun: [USB Security] C:\Program Files (x86)\USB Disk Security\USBGuard.exe
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun: [<NO NAME>]
mRun: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
LSP: C:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll
TCP: DhcpNameServer = 124.106.7.2 124.106.6.2
TCP: Interfaces\{221829F7-5BFC-4166-A4E6-E442B2536986} : DhcpNameServer = 124.106.7.2 124.106.6.2
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~2\MICROS~1\Office12\GRA32A~1.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLL
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLL
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Avira SearchFree Toolbar plus Web Protection: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO-X64: Ask Toolbar BHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB-X64: Avira SearchFree Toolbar plus Web Protection: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
mRun-x64: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun-x64: [Super-Charger] C:\Program Files (x86)\MSI\Super-Charger\StartSuperCharger.exe
mRun-x64: [USB Security] C:\Program Files (x86)\USB Disk Security\USBGuard.exe
mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun-x64: [(Default)]
mRun-x64: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Raul Nengasca\AppData\Roaming\Mozilla\Firefox\Profiles\ck0ph3q2.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=AVR-3&o=APN10403&locale=en_PH&apn_uid=eb85f3a3-3085-46c2-81b1-7068287114ac&apn_ptnrs=%5EAC1&apn_sauid=D7003F1C-1C4A-469F-80E2-AAAE33D7B0AE&apn_dtid=%5EYYYYYY%5EYY%5EPH&&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_265.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;C:\Windows\system32\DRIVERS\avkmgr.sys --> C:\Windows\system32\DRIVERS\avkmgr.sys [?]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\system32\DRIVERS\dtsoftbus01.sys --> C:\Windows\system32\DRIVERS\dtsoftbus01.sys [?]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-11 140672]
R2 AntiVirSchedulerService;Avira Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2012-9-6 86224]
R2 AntiVirService;Avira Realtime Protection;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2012-9-6 110032]
R2 AntiVirWebService;Avira Web Protection;C:\Program Files (x86)\Avira\AntiVir Desktop\avwebgrd.exe [2012-9-6 465360]
R2 avgntflt;avgntflt;C:\Windows\system32\DRIVERS\avgntflt.sys --> C:\Windows\system32\DRIVERS\avgntflt.sys [?]
R2 KSS;Kaspersky Security Scan Service;C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe [2012-4-25 202296]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-5-9 654408]
R2 Skype C2C Service;Skype C2C Service;C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-8-13 3064000]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-5-15 382272]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2012-5-8 2656280]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 MBfilt;MBfilt;C:\Windows\system32\drivers\MBfilt64.sys --> C:\Windows\system32\drivers\MBfilt64.sys [?]
R3 MEIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\nusb3hub.sys --> C:\Windows\system32\DRIVERS\nusb3hub.sys [?]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\system32\DRIVERS\nusb3xhc.sys --> C:\Windows\system32\DRIVERS\nusb3xhc.sys [?]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
R3 RTCore64;RTCore64;C:\Program Files (x86)\MSI Afterburner\RTCore64.sys [2012-5-14 10568]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-5-8 1262400]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-7-3 160944]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-5-8 250568]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-5-11 113120]
S3 MSI_MSIBIOS_010507;MSI_MSIBIOS_010507;C:\Program Files (x86)\MSI\Live Update 5\msibios64_100507.sys [2012-5-11 33592]
S3 NTIOLib_1_0_4;NTIOLib_1_0_4;C:\Program Files (x86)\MSI\Live Update 5\NTIOLib_X64.sys [2012-5-11 14136]
.
=============== Created Last 30 ================
.
2012-09-06 09:34:13 95208 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2012-09-06 09:24:55 -------- d-----w- C:\Program Files (x86)\Ask.com
2012-09-06 07:49:26 -------- d-----w- C:\ProgramData\Kaspersky Lab
2012-09-06 07:49:26 -------- d-----w- C:\Program Files (x86)\Kaspersky Lab
2012-09-06 07:08:33 -------- d-----w- C:\Users\Raul Nengasca\AppData\Roaming\Avira
2012-09-06 07:06:35 98848 ----a-w- C:\Windows\System32\drivers\avgntflt.sys
2012-09-06 07:06:35 27760 ----a-w- C:\Windows\System32\drivers\avkmgr.sys
2012-09-06 07:06:35 -------- d-----w- C:\ProgramData\Avira
2012-09-06 07:06:35 -------- d-----w- C:\Program Files (x86)\Avira
2012-09-06 06:36:01 9310152 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{DCEB5E9A-9DC1-4B76-9EBB-9B889709B686}\mpengine.dll
2012-09-06 05:56:27 -------- d-----w- C:\ProgramData\GFI Software
2012-09-03 03:41:32 -------- d-----w- C:\Program Files (x86)\PopCap Games
2012-08-29 02:31:48 -------- d-----w- C:\Windows\en
2012-08-29 02:28:46 -------- d-----w- C:\Program Files (x86)\Microsoft SQL Server Compact Edition
2012-08-29 02:23:09 89944 -c--a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\3b1718191cd858d01\DSETUP.dll
2012-08-29 02:23:09 537432 -c--a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\3b1718191cd858d01\DXSETUP.exe
2012-08-29 02:23:09 1801048 -c--a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\3b1718191cd858d01\dsetup32.dll
2012-08-29 02:22:20 -------- d-----w- C:\Users\Raul Nengasca\AppData\Local\Windows Live
2012-08-29 02:22:12 -------- d-----w- C:\Program Files (x86)\Common Files\Windows Live
2012-08-26 01:26:18 -------- d-----w- C:\Program Files (x86)\Traffic Simulator Configuration Tool
2012-08-25 04:55:31 -------- d-----w- C:\Program Files (x86)\VideoLAN
2012-08-18 07:50:51 -------- d-----w- C:\ProgramData\GoBit Games
2012-08-13 20:35:32 5115584 ----a-w- C:\Program Files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
2012-08-12 01:29:12 -------- d-----w- C:\Users\Raul Nengasca\AppData\Local\Apple Computer
2012-08-12 01:29:00 34152 ----a-w- C:\Windows\System32\drivers\GEARAspiWDM.sys
2012-08-12 01:29:00 126312 ----a-w- C:\Windows\System32\GEARAspi64.dll
2012-08-12 01:29:00 107368 ----a-w- C:\Windows\SysWow64\GEARAspi.dll
2012-08-12 01:28:47 -------- d-----w- C:\Program Files\iPod
2012-08-12 01:28:46 -------- d-----w- C:\ProgramData\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
2012-08-12 01:28:46 -------- d-----w- C:\Program Files\iTunes
2012-08-12 01:28:46 -------- d-----w- C:\Program Files (x86)\iTunes
2012-08-12 01:28:10 -------- d-----w- C:\Users\Raul Nengasca\AppData\Local\Apple
2012-08-12 01:27:48 -------- d-----w- C:\Program Files\Bonjour
2012-08-12 01:27:48 -------- d-----w- C:\Program Files (x86)\Bonjour
2012-08-11 00:51:02 -------- d-----w- C:\Windows\System32\appmgmt
.
==================== Find3M ====================
.
2012-09-06 09:34:09 821736 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2012-09-06 09:34:09 746984 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-08-27 12:30:18 696520 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-08-27 12:30:17 73416 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-28 09:54:00 321472 ----a-w- C:\Windows\WLXPGSS.SCR
2012-07-27 02:08:06 862664 ----a-w- C:\Windows\SysWow64\msvcr110.dll
2012-07-27 02:08:06 534480 ----a-w- C:\Windows\SysWow64\msvcp110.dll
2012-07-27 02:08:06 251864 ----a-w- C:\Windows\SysWow64\vccorlib110.dll
2012-07-27 02:08:06 153536 ----a-w- C:\Windows\SysWow64\atl110.dll
2012-07-27 02:08:06 115656 ----a-w- C:\Windows\SysWow64\vcomp110.dll
2012-07-26 22:22:10 828872 ----a-w- C:\Windows\System32\msvcr110.dll
2012-07-26 22:22:10 661448 ----a-w- C:\Windows\System32\msvcp110.dll
2012-07-26 22:22:10 354264 ----a-w- C:\Windows\System32\vccorlib110.dll
2012-07-26 22:22:10 177096 ----a-w- C:\Windows\System32\atl110.dll
2012-07-26 22:22:10 124360 ----a-w- C:\Windows\System32\vcomp110.dll
2012-07-17 22:14:44 253184 ----a-w- C:\Windows\System32\LIVESSP.DLL
2012-07-17 21:49:00 209648 ----a-w- C:\Windows\SysWow64\LIVESSP.DLL
.
============= FINISH: 10:14:01.09 ===============

#2 B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 06 September 2012 - 06:59 AM

Hello cee_cee ! Welcome to BleepingComputer Forums! :welcome:

My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something, don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.



IMPORTANT NOTE: One or more of the identified infections is related to the rootkit Necurs. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, you should stay disconnected from the Internet until your system is fully cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired, so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you decide to continue please do this:



Let's give it a try. You will need a flash drive.

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
For 64-bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the flash drive. Please copy and paste it to your reply.



Regards,
Georgi



#3 cee_cee

  • Topic Starter

  • Members
  • 9 posts

Posted 06 September 2012 - 07:30 AM

Here is the FRST log.

Scan result of Farbar Recovery Scan Tool (x64) Version: 05-09-2012
Ran by SYSTEM at 06-09-2012 20:26:28
Running from G:\
Windows 7 Ultimate (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [11780712 2011-02-23] (Realtek Semiconductor)
HKLM-x32\...\Run: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [113288 2010-11-17] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [Super-Charger] C:\Program Files (x86)\MSI\Super-Charger\StartSuperCharger.exe [303104 2011-01-25] (TODO: <Company name>)
HKLM-x32\...\Run: [USB Security] C:\Program Files (x86)\USB Disk Security\USBGuard.exe [623520 2011-01-31] (Zbshareware Lab)
HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [31016 2006-10-26] (Microsoft Corporation)
HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462408 2012-04-04] (Malwarebytes Corporation)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [38872 2012-07-31] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-11] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)
HKLM-x32\...\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min [348664 2012-07-18] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKU\R.J. Nengasca\...\Run: [TBPANEL] C:\Program Files (x86)\Vtune\TBPANEL.exe /A [3648000 2012-02-29] ()
HKU\R.J. Nengasca\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [17418928 2012-07-13] (Skype Technologies S.A.)
HKU\Raul Nengasca\...\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun [3671872 2012-04-17] (DT Soft Ltd)
HKU\Raul Nengasca\...\Run: [TBPANEL] C:\Program Files (x86)\Vtune\TBPANEL.exe /A [3648000 2012-02-29] ()
HKU\Raul Nengasca\...\Run: [KSS] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe" /autorun [202296 2012-04-25] (Kaspersky Lab ZAO)
Tcpip\Parameters: [DhcpNameServer] 124.106.7.2 124.106.6.2

==================== Services ====================

2 !SASCORE; "C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE" [140672 2011-08-11] (SUPERAntiSpyware.com)
2 AntiVirSchedulerService; "C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe" [86224 2012-07-18] (Avira Operations GmbH & Co. KG)
2 AntiVirService; "C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe" [110032 2012-07-18] (Avira Operations GmbH & Co. KG)
2 KSS; "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe" -r [202296 2012-04-25] (Kaspersky Lab ZAO)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [654408 2012-04-04] (Malwarebytes Corporation)

==================== Drivers =================================

2 avgntflt; C:\Windows\System32\Drivers\avgntflt.sys [98848 2012-07-18] (Avira GmbH)
1 avipbb; C:\Windows\System32\Drivers\avipbb.sys [132832 2012-07-18] (Avira GmbH)
1 avkmgr; C:\Windows\System32\Drivers\avkmgr.sys [27760 2012-07-18] (Avira GmbH)
1 dtsoftbus01; C:\Windows\System32\Drivers\dtsoftbus01.sys [283200 2012-05-09] (DT Soft Ltd)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [24904 2012-04-04] (Malwarebytes Corporation)
3 MSI_MSIBIOS_010507; \??\C:\Program Files (x86)\MSI\Live Update 5\msibios64_100507.sys [33592 2010-05-10] (Your Corporation)
3 NTIOLib_1_0_4; \??\C:\Program Files (x86)\MSI\Live Update 5\NTIOLib_X64.sys [14136 2010-10-22] (MSI)
3 RTCore64; \??\C:\Program Files (x86)\MSI Afterburner\RTCore64.sys [10568 2012-05-14] ()
1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
1 SBRE; \??\C:\Windows\system32\drivers\SBREdrv.sys [x]
3 TBPanel; [x]

==================== NetSvcs (Whitelisted) =================


==================== One Month Created Files and Folders ======================

2012-09-06 15:33 - 2012-09-06 15:33 - 00100352 ____A C:\Windows\System32\dfboottime.exe
2012-09-06 15:33 - 2012-09-06 15:33 - 00000929 ____A C:\Windows\System32\dfboottime.cfg
2012-09-06 11:03 - 2012-09-06 11:03 - 00000056 ____A C:\Windows\setupact.log
2012-09-06 11:03 - 2012-09-06 11:03 - 00000000 ____A C:\Windows\setuperr.log
2012-09-06 10:04 - 2012-09-06 10:04 - 02322184 ____A (ESET) C:\Users\Raul Nengasca\Downloads\esetsmartinstaller_enu.exe
2012-09-06 09:16 - 2012-09-06 09:16 - 00019695 ____A C:\Users\Raul Nengasca\Desktop\DDS.txt
2012-09-06 09:16 - 2012-09-06 09:16 - 00007724 ____A C:\Users\Raul Nengasca\Desktop\Attach.txt
2012-09-06 09:11 - 2012-09-06 09:11 - 00607260 ____R (Swearware) C:\Users\Raul Nengasca\Desktop\dds.com
2012-09-06 08:58 - 2012-09-06 08:58 - 00000000 ____D C:\Users\Raul Nengasca\Downloads\The_Sims_3_Supernatural-FLT
2012-09-06 01:34 - 2012-09-06 01:34 - 00246760 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2012-09-06 01:34 - 2012-09-06 01:34 - 00174056 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2012-09-06 01:34 - 2012-09-06 01:34 - 00174056 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2012-09-06 01:34 - 2012-09-06 01:34 - 00095208 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2012-09-06 01:30 - 2012-09-06 01:30 - 00000000 ____D C:\Users\R.J. Nengasca\AppData\Roaming\Avira
2012-09-05 23:49 - 2012-09-05 23:49 - 00000000 ____D C:\Users\All Users\Kaspersky Lab
2012-09-05 23:49 - 2012-09-05 23:49 - 00000000 ____D C:\Program Files (x86)\Kaspersky Lab
2012-09-05 23:08 - 2012-09-05 23:08 - 00000000 ____D C:\Users\Raul Nengasca\AppData\Roaming\Avira
2012-09-05 23:06 - 2012-09-06 01:25 - 00000000 ____D C:\Users\All Users\Avira
2012-09-05 23:06 - 2012-09-05 23:06 - 00000000 ____D C:\Program Files (x86)\Avira
2012-09-05 23:06 - 2012-07-18 17:05 - 00132832 ____A (Avira GmbH) C:\Windows\System32\Drivers\avipbb.sys
2012-09-05 23:06 - 2012-07-18 17:05 - 00098848 ____A (Avira GmbH) C:\Windows\System32\Drivers\avgntflt.sys
2012-09-05 23:06 - 2012-07-18 17:05 - 00027760 ____A (Avira GmbH) C:\Windows\System32\Drivers\avkmgr.sys
2012-09-05 22:49 - 2012-09-06 19:23 - 00318852 ____A C:\Windows\WindowsUpdate.log
2012-09-05 21:56 - 2012-09-05 21:56 - 00000000 ____D C:\Users\All Users\GFI Software
2012-09-03 11:02 - 2012-09-03 11:11 - 34993455 ____A C:\Users\R.J. Nengasca\Downloads\Punk O Matic 2 Offline Installer.zip
2012-09-02 19:41 - 2012-09-05 23:32 - 00000000 ____D C:\Program Files (x86)\PopCap Games
2012-09-01 10:20 - 2012-09-05 23:19 - 00000000 ___RD C:\Users\Raul Nengasca\Desktop\MOM'S FILES
2012-08-30 16:36 - 2012-08-30 16:37 - 33483664 ____A C:\Users\Raul Nengasca\Documents\AP PRESENTATION- 8-FAITH.mp4
2012-08-29 13:11 - 2012-08-29 13:12 - 29430434 ____A C:\Users\Raul Nengasca\Documents\My Movie. AP.mp4
2012-08-28 18:31 - 2012-08-28 18:31 - 00000000 ____D C:\Windows\en
2012-08-28 18:28 - 2012-08-28 18:28 - 00000020 ____A C:\Windows\`
2012-08-28 18:28 - 2012-08-28 18:28 - 00000000 ____D C:\Program Files (x86)\Microsoft SQL Server Compact Edition
2012-08-28 18:27 - 2012-08-28 18:28 - 00000000 ____D C:\Program Files (x86)\Windows Live
2012-08-28 18:25 - 2010-08-10 21:19 - 03860992 ____A (Microsoft Corporation) C:\Windows\System32\UIRibbon.dll
2012-08-28 18:25 - 2010-08-10 21:13 - 01164800 ____A (Microsoft Corporation) C:\Windows\System32\UIRibbonRes.dll
2012-08-28 18:25 - 2010-08-10 20:44 - 02983424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\UIRibbon.dll
2012-08-28 18:25 - 2010-08-10 20:35 - 01164800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\UIRibbonRes.dll
2012-08-28 18:25 - 2010-05-23 02:15 - 01619456 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WMVDECOD.DLL
2012-08-28 18:25 - 2010-05-23 02:11 - 03181568 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mf.dll
2012-08-28 18:25 - 2010-05-23 02:11 - 00196608 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mfreadwrite.dll
2012-08-28 18:25 - 2010-05-23 00:37 - 01888256 ____A (Microsoft Corporation) C:\Windows\System32\WMVDECOD.DLL
2012-08-28 18:25 - 2010-05-23 00:35 - 04068864 ____A (Microsoft Corporation) C:\Windows\System32\mf.dll
2012-08-28 18:25 - 2010-05-23 00:35 - 00257024 ____A (Microsoft Corporation) C:\Windows\System32\mfreadwrite.dll
2012-08-28 18:25 - 2010-05-23 00:35 - 00206848 ____A (Microsoft Corporation) C:\Windows\System32\mfps.dll
2012-08-28 18:22 - 2012-08-28 18:43 - 00000000 ____D C:\Users\Raul Nengasca\AppData\Local\Windows Live
2012-08-28 18:21 - 2012-08-28 18:21 - 01239976 ____A (Microsoft Corporation) C:\Users\Raul Nengasca\Downloads\wlsetup-web.exe
2012-08-26 07:56 - 2012-08-26 07:56 - 00000000 ____D C:\Users\Raul Nengasca\Desktop\mom
2012-08-25 19:53 - 2012-08-25 19:53 - 00040322 ____A C:\Users\Raul Nengasca\Downloads\Attachments_2012_08_25.zip
2012-08-25 17:26 - 2012-08-25 17:26 - 00000000 ____D C:\Program Files (x86)\Traffic Simulator Configuration Tool
2012-08-25 13:58 - 2012-08-26 13:02 - 00001241 ____A C:\Users\Raul Nengasca\Desktop\SimCity 4 - Shortcut.lnk
2012-08-25 13:53 - 2012-09-05 23:19 - 00000000 ____D C:\Users\Raul Nengasca\Documents\SimCity 4
2012-08-25 13:41 - 2012-08-25 13:41 - 00000533 ____A C:\Windows\eReg.dat
2012-08-25 13:32 - 2012-08-25 13:32 - 04178304 ____A C:\Users\Raul Nengasca\Downloads\RadicalOne Sc4 Demand Modifier.zip
2012-08-24 20:55 - 2012-08-24 20:55 - 00000000 ____D C:\Program Files (x86)\VideoLAN
2012-08-24 20:50 - 2012-08-24 20:55 - 22657136 ____A C:\Users\Raul Nengasca\Documents\vlc-2.0.2-win32.exe
2012-08-24 20:50 - 2012-08-24 20:50 - 00000778 ____A C:\Users\Raul Nengasca\Desktop\vlc - Shortcut.lnk
2012-08-23 20:14 - 2012-08-25 13:33 - 00000000 ____D C:\Users\Raul Nengasca\Downloads\SIMCITY 4 DELUXE EDITION
2012-08-17 23:51 - 2012-08-28 10:43 - 00000000 ____D C:\Users\R.J. Nengasca\AppData\Roaming\vlc
2012-08-17 23:50 - 2012-08-17 23:50 - 00000000 ____D C:\Users\All Users\GoBit Games
2012-08-17 22:30 - 2012-08-17 22:33 - 10026390 ____A C:\Users\R.J. Nengasca\Downloads\ArmA 2 - OA Build Beta Patch 96061.zip
2012-08-17 18:58 - 2012-09-05 23:29 - 00000000 ____D C:\Users\Raul Nengasca\AppData\Roaming\vlc
2012-08-15 17:56 - 2012-08-15 17:56 - 00001160 ____A C:\Users\Raul Nengasca\Desktop\skse_loader - Shortcut.lnk
2012-08-15 17:04 - 2012-09-05 23:19 - 00000000 ____D C:\Users\Raul Nengasca\Desktop\My Games
2012-08-14 06:33 - 2012-08-14 06:37 - 09692228 ____A C:\Users\R.J. Nengasca\Downloads\ArmA 2 - JSRS ACE Patch.rar
2012-08-13 20:58 - 2012-08-13 20:58 - 00067056 ____A C:\Users\R.J. Nengasca\Downloads\ArmA 2 - Mon's Urban Patrol Script.zip
2012-08-13 15:27 - 2012-09-05 23:19 - 00000000 ____D C:\Users\R.J. Nengasca\Documents\ArmA 2
2012-08-13 14:29 - 2012-08-13 14:43 - 00000000 ____D C:\Users\R.J. Nengasca\AppData\Roaming\six-updater
2012-08-13 14:29 - 2012-08-13 14:29 - 00000000 ____D C:\Users\R.J. Nengasca\AppData\Local\SIX_Projects
2012-08-13 07:27 - 2012-08-13 07:27 - 00000000 ____D C:\Users\R.J. Nengasca\Documents\Electronic Arts
2012-08-13 07:21 - 2012-08-13 11:07 - 972384753 ____A C:\Users\R.J. Nengasca\Downloads\ArmA 2 - JSRS Sound Mod.7z
2012-08-13 07:21 - 2012-08-13 08:36 - 241260055 ____A C:\Users\R.J. Nengasca\Downloads\ArmA 2 - JSRS Patch.7z
2012-08-13 06:46 - 2012-08-13 06:53 - 16899502 ____A (Oleg N. Scherbakov) C:\Users\R.J. Nengasca\Downloads\Six Updater Installer.exe
2012-08-12 17:20 - 2012-08-12 17:20 - 00000000 ____D C:\Users\R.J. Nengasca\AppData\Local\Apple Computer
2012-08-12 17:20 - 2012-08-12 17:20 - 00000000 ____D C:\Users\R.J. Nengasca\AppData\Local\Apple
2012-08-12 15:19 - 2012-08-12 15:45 - 54744235 ____A C:\Users\R.J. Nengasca\Downloads\ArmA 2 CO Patch 1.62.zip
2012-08-11 20:03 - 2012-08-12 17:21 - 00000000 ____D C:\Users\R.J. Nengasca\AppData\Roaming\Apple Computer
2012-08-11 17:29 - 2012-08-11 18:31 - 00000000 ____D C:\Users\Raul Nengasca\AppData\Roaming\Apple Computer
2012-08-11 17:29 - 2012-08-11 17:29 - 00000000 ____D C:\Users\Raul Nengasca\AppData\Local\Apple Computer
2012-08-11 17:29 - 2009-05-18 12:17 - 00034152 ____A (GEAR Software Inc.) C:\Windows\System32\Drivers\GEARAspiWDM.sys
2012-08-11 17:29 - 2008-04-17 11:12 - 00126312 ____A (GEAR Software Inc.) C:\Windows\System32\GEARAspi64.dll
2012-08-11 17:29 - 2008-04-17 11:12 - 00107368 ____A (GEAR Software Inc.) C:\Windows\SysWOW64\GEARAspi.dll
2012-08-11 17:28 - 2012-08-11 17:28 - 00000000 ____D C:\Users\Raul Nengasca\AppData\Local\Apple
2012-08-11 17:28 - 2012-08-11 17:28 - 00000000 ____D C:\Users\All Users\Apple Computer
2012-08-11 17:28 - 2012-08-11 17:28 - 00000000 ____D C:\Users\All Users\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
2012-08-11 17:28 - 2012-08-11 17:28 - 00000000 ____D C:\Program Files\iTunes
2012-08-11 17:28 - 2012-08-11 17:28 - 00000000 ____D C:\Program Files\iPod
2012-08-11 17:28 - 2012-08-11 17:28 - 00000000 ____D C:\Program Files (x86)\iTunes
2012-08-11 17:28 - 2012-08-11 17:28 - 00000000 ____D C:\Program Files (x86)\Apple Software Update
2012-08-11 17:27 - 2012-08-11 17:28 - 00000000 ____D C:\Users\All Users\Apple
2012-08-11 17:27 - 2012-08-11 17:27 - 00000000 ____D C:\Program Files\Common Files\Apple
2012-08-11 17:27 - 2012-08-11 17:27 - 00000000 ____D C:\Program Files\Bonjour
2012-08-11 17:27 - 2012-08-11 17:27 - 00000000 ____D C:\Program Files (x86)\Bonjour
2012-08-11 13:26 - 2012-08-20 10:15 - 00000000 ____D C:\Users\R.J. Nengasca\AppData\Roaming\DAEMON Tools Lite
2012-08-10 16:51 - 2012-08-10 16:51 - 00000000 ____D C:\Windows\System32\appmgmt


==================== 3 Months Modified Files ================================

2012-09-06 19:23 - 2012-09-05 22:49 - 00318852 ____A C:\Windows\WindowsUpdate.log
2012-09-06 19:23 - 2009-07-13 21:13 - 00778150 ____A C:\Windows\System32\PerfStringBackup.INI
2012-09-06 19:01 - 2012-05-08 16:10 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-09-06 15:33 - 2012-09-06 15:33 - 00100352 ____A C:\Windows\System32\dfboottime.exe
2012-09-06 15:33 - 2012-09-06 15:33 - 00000929 ____A C:\Windows\System32\dfboottime.cfg
2012-09-06 11:09 - 2009-07-13 20:45 - 00010208 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-09-06 11:09 - 2009-07-13 20:45 - 00010208 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-09-06 11:03 - 2012-09-06 11:03 - 00000056 ____A C:\Windows\setupact.log
2012-09-06 11:03 - 2012-09-06 11:03 - 00000000 ____A C:\Windows\setuperr.log
2012-09-06 11:03 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-09-06 10:04 - 2012-09-06 10:04 - 02322184 ____A (ESET) C:\Users\Raul Nengasca\Downloads\esetsmartinstaller_enu.exe
2012-09-06 09:16 - 2012-09-06 09:16 - 00019695 ____A C:\Users\Raul Nengasca\Desktop\DDS.txt
2012-09-06 09:16 - 2012-09-06 09:16 - 00007724 ____A C:\Users\Raul Nengasca\Desktop\Attach.txt
2012-09-06 09:11 - 2012-09-06 09:11 - 00607260 ____R (Swearware) C:\Users\Raul Nengasca\Desktop\dds.com
2012-09-06 01:34 - 2012-09-06 01:34 - 00246760 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2012-09-06 01:34 - 2012-09-06 01:34 - 00174056 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2012-09-06 01:34 - 2012-09-06 01:34 - 00174056 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2012-09-06 01:34 - 2012-09-06 01:34 - 00095208 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2012-09-06 01:34 - 2012-05-18 07:10 - 00821736 ____A (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll
2012-09-06 01:34 - 2012-05-08 16:10 - 00746984 ____A (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll
2012-09-03 11:11 - 2012-09-03 11:02 - 34993455 ____A C:\Users\R.J. Nengasca\Downloads\Punk O Matic 2 Offline Installer.zip
2012-08-30 16:37 - 2012-08-30 16:36 - 33483664 ____A C:\Users\Raul Nengasca\Documents\AP PRESENTATION- 8-FAITH.mp4
2012-08-29 13:12 - 2012-08-29 13:11 - 29430434 ____A C:\Users\Raul Nengasca\Documents\My Movie. AP.mp4
2012-08-28 18:28 - 2012-08-28 18:28 - 00000020 ____A C:\Windows\`
2012-08-28 18:21 - 2012-08-28 18:21 - 01239976 ____A (Microsoft Corporation) C:\Users\Raul Nengasca\Downloads\wlsetup-web.exe
2012-08-27 04:30 - 2012-05-08 16:10 - 00696520 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-08-27 04:30 - 2012-05-08 16:10 - 00073416 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-08-26 13:02 - 2012-08-25 13:58 - 00001241 ____A C:\Users\Raul Nengasca\Desktop\SimCity 4 - Shortcut.lnk
2012-08-25 19:53 - 2012-08-25 19:53 - 00040322 ____A C:\Users\Raul Nengasca\Downloads\Attachments_2012_08_25.zip
2012-08-25 13:41 - 2012-08-25 13:41 - 00000533 ____A C:\Windows\eReg.dat
2012-08-25 13:32 - 2012-08-25 13:32 - 04178304 ____A C:\Users\Raul Nengasca\Downloads\RadicalOne Sc4 Demand Modifier.zip
2012-08-24 20:55 - 2012-08-24 20:50 - 22657136 ____A C:\Users\Raul Nengasca\Documents\vlc-2.0.2-win32.exe
2012-08-24 20:50 - 2012-08-24 20:50 - 00000778 ____A C:\Users\Raul Nengasca\Desktop\vlc - Shortcut.lnk
2012-08-17 22:33 - 2012-08-17 22:30 - 10026390 ____A C:\Users\R.J. Nengasca\Downloads\ArmA 2 - OA Build Beta Patch 96061.zip
2012-08-15 17:56 - 2012-08-15 17:56 - 00001160 ____A C:\Users\Raul Nengasca\Desktop\skse_loader - Shortcut.lnk
2012-08-14 06:37 - 2012-08-14 06:33 - 09692228 ____A C:\Users\R.J. Nengasca\Downloads\ArmA 2 - JSRS ACE Patch.rar
2012-08-13 20:58 - 2012-08-13 20:58 - 00067056 ____A C:\Users\R.J. Nengasca\Downloads\ArmA 2 - Mon's Urban Patrol Script.zip
2012-08-13 11:07 - 2012-08-13 07:21 - 972384753 ____A C:\Users\R.J. Nengasca\Downloads\ArmA 2 - JSRS Sound Mod.7z
2012-08-13 08:36 - 2012-08-13 07:21 - 241260055 ____A C:\Users\R.J. Nengasca\Downloads\ArmA 2 - JSRS Patch.7z
2012-08-13 06:53 - 2012-08-13 06:46 - 16899502 ____A (Oleg N. Scherbakov) C:\Users\R.J. Nengasca\Downloads\Six Updater Installer.exe
2012-08-12 15:45 - 2012-08-12 15:19 - 54744235 ____A C:\Users\R.J. Nengasca\Downloads\ArmA 2 CO Patch 1.62.zip
2012-07-29 16:48 - 2012-07-29 16:48 - 00001130 ____A C:\Users\Raul Nengasca\Desktop\Launcher - Shortcut.lnk
2012-07-28 01:54 - 2012-07-28 01:54 - 00321472 ____A (Microsoft Corporation) C:\Windows\WLXPGSS.SCR
2012-07-26 18:08 - 2012-07-26 18:08 - 00862664 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcr110.dll
2012-07-26 18:08 - 2012-07-26 18:08 - 00534480 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcp110.dll
2012-07-26 18:08 - 2012-07-26 18:08 - 00251864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vccorlib110.dll
2012-07-26 18:08 - 2012-07-26 18:08 - 00153536 ____A (Microsoft Corporation) C:\Windows\SysWOW64\atl110.dll
2012-07-26 18:08 - 2012-07-26 18:08 - 00115656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vcomp110.dll
2012-07-26 14:22 - 2012-07-26 14:22 - 00828872 ____A (Microsoft Corporation) C:\Windows\System32\msvcr110.dll
2012-07-26 14:22 - 2012-07-26 14:22 - 00661448 ____A (Microsoft Corporation) C:\Windows\System32\msvcp110.dll
2012-07-26 14:22 - 2012-07-26 14:22 - 00354264 ____A (Microsoft Corporation) C:\Windows\System32\vccorlib110.dll
2012-07-26 14:22 - 2012-07-26 14:22 - 00177096 ____A (Microsoft Corporation) C:\Windows\System32\atl110.dll
2012-07-26 14:22 - 2012-07-26 14:22 - 00124360 ____A (Microsoft Corporation) C:\Windows\System32\vcomp110.dll
2012-07-18 17:05 - 2012-09-05 23:06 - 00132832 ____A (Avira GmbH) C:\Windows\System32\Drivers\avipbb.sys
2012-07-18 17:05 - 2012-09-05 23:06 - 00098848 ____A (Avira GmbH) C:\Windows\System32\Drivers\avgntflt.sys
2012-07-18 17:05 - 2012-09-05 23:06 - 00027760 ____A (Avira GmbH) C:\Windows\System32\Drivers\avkmgr.sys
2012-07-17 14:14 - 2012-07-17 14:14 - 00253184 ____A (Microsoft Corp.) C:\Windows\System32\LIVESSP.DLL
2012-07-17 13:49 - 2012-07-17 13:49 - 00209648 ____A (Microsoft Corp.) C:\Windows\SysWOW64\LIVESSP.DLL
2012-07-16 19:54 - 2012-05-11 07:34 - 00000565 ____A C:\Users\Raul Nengasca\AppData\Roaming\myMPQ.ini
2012-07-14 08:46 - 2012-07-14 08:40 - 25653424 ____A (Skype Technologies S.A.) C:\Users\R.J. Nengasca\Downloads\Skype Setup Installer (Full).exe
2012-07-11 12:15 - 2012-07-11 12:15 - 00000990 ____A C:\Users\Raul Nengasca\Desktop\Tropico4 - Shortcut.lnk
2012-06-30 07:15 - 2009-07-13 21:08 - 00032626 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-06-27 07:47 - 2012-06-27 07:47 - 00002954 ____A C:\Windows\SysWOW64\jupdate-1.7.0_05-b05.log
2012-06-25 10:17 - 2012-06-25 10:26 - 20234866 ____A C:\Users\Raul Nengasca\Downloads\Realistic_Lighting_3_4a_Manual_Install-7654-3-4a.rar
2012-06-11 07:27 - 2012-06-11 07:27 - 00001242 ____A C:\Users\Raul Nengasca\Desktop\TSM - Shortcut.lnk


==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-09-06 01:33:44
Restore point made on: 2012-09-06 07:05:58
Restore point made on: 2012-09-06 07:08:01
Restore point made on: 2012-09-06 07:49:38

==================== Memory info ===========================

Percentage of memory in use: 14%
Total physical RAM: 4076.87 MB
Available physical RAM: 3471.38 MB
Total Pagefile: 4075.02 MB
Available Pagefile: 3462.21 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions ============================

1 Drive c: () (Fixed) (Total:146.39 GB) (Free:82.26 GB) NTFS
2 Drive e: () (Fixed) (Total:319.28 GB) (Free:205.09 GB) NTFS
4 Drive g: (RAP) (Removable) (Total:0.96 GB) (Free:0.63 GB) FAT
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 Online 984 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 146 GB 101 MB
Partition 3 Primary 319 GB 146 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y System Rese NTFS Partition 100 MB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 146 GB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E NTFS Partition 319 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 983 MB 31 KB

==================================================================================

Disk: 1
Partition 1
Type : 06
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G RAP FAT Removable 983 MB Healthy

==================================================================================

Last Boot: 2012-09-06 12:26

==================== End Of Log =============================
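
The Drivers section of the FRST log above lists each driver service with its start type, ImagePath and publisher, and marks two entries (SBRE and TBPanel) with [x] because the files behind them are gone. The PowerShell script below is an added example, not part of the thread and not FRST's own code: it rebuilds that listing from the Services registry key and adds an Authenticode signature status per file, so orphaned entries and unsigned third-party drivers surface first. The Resolve-DriverPath helper and the column layout are my own; the script assumes Windows 7 with PowerShell 2.0 or later and an elevated prompt.

```powershell
# Added example (not from the thread): enumerate the kernel and file-system
# driver entries the FRST "Drivers" section lists, resolve each ImagePath and
# flag entries whose file is missing (FRST prints these as [x]) or whose file
# carries no valid Authenticode signature. Read-only; run from an elevated
# PowerShell so the files under System32 are readable. PowerShell 2.0 syntax.

$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Resolve-DriverPath {
    # Turn the ImagePath forms seen in the log into a plain Win32 path:
    #   \??\C:\...\x.sys    System32\Drivers\x.sys    \SystemRoot\System32\...
    param([string]$ImagePath)
    if (-not $ImagePath) { return $null }
    $p = $ImagePath.Trim().Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    $p = $p -replace '^\\?System32\\', ($env:SystemRoot + '\System32\')
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# Same numbering as the first column of the FRST Drivers section
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Demand'; 4 = 'Disabled' }

$report = foreach ($key in Get-ChildItem -LiteralPath $svcRoot) {
    $props = Get-ItemProperty -LiteralPath $key.PSPath
    # Type 1 = kernel driver, 2 = file-system driver; anything else is a Win32 service
    if ($props.Type -ne 1 -and $props.Type -ne 2) { continue }
    $path = Resolve-DriverPath $props.ImagePath
    if ($path -and (Test-Path -LiteralPath $path)) {
        $status = (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
    } else {
        $status = 'FileMissing'      # what FRST shows as [x]
    }
    New-Object PSObject -Property @{
        Service   = $key.PSChildName
        Start     = $startNames[[int]$props.Start]
        Path      = $path
        Signature = $status
    }
}

# Orphaned entries (SBRE, TBPanel above) and unsigned third-party drivers come
# out first. Caveat: under Windows 7 Get-AuthenticodeSignature reports
# catalog-signed inbox drivers as NotSigned, so cross-check those with
# Sysinternals sigcheck before treating them as suspicious.
$report | Where-Object { $_.Signature -ne 'Valid' } |
    Sort-Object Signature, Service |
    Format-Table Service, Start, Signature, Path -AutoSize
```

A missing file behind a Start=1 (System) entry means the service control manager will fail to load it at every boot, which is harmless by itself; what matters is whether the entry is a leftover from a removed product (SBRE belongs to the GFI/Sunbelt engine that the created-folders list shows being installed on 2012-09-05) or a persistence key whose payload was cleaned. A present, unsigned file outside System32\Drivers is the case that deserves a hash lookup.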

#4 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:11:55 AM

Posted 06 September 2012 - 09:06 AM

Hi,



I don't see any evidence for the presence of Necurs on your system anymore.

Let's check for leftovers.
Most of them should take no more than 5 minutes each.
Eset could take up to an hour or two depending on the size of your hard drive and the speed of your computer.



STEP 1


  • Please download ESETNecursRemover.zip and extract it on your desktop.
  • Right click on ESETNecursRemover.exe and choose => Run as administrator.
  • If you see a message box telling you: "Win32Necurs was found active on your system, do you want to perform cleaning" => Select YES.
  • Next you will see this: "To remove win32 necurs it's required to install driver and restart your computer, perform this action". => Select YES.
  • Now you will see this: "Driver installed successfully, restart now? => Select YES.
  • If nothing happens when you start ESETNecursRemover.exe, that means the rootkit is no longer active.



STEP 2



1.Please download HitmanPro.
  • For 32-bit Operating System - Posted Image.
  • This is the mirror - Posted Image
  • For 64-bit Operating System - Posted Image
  • This is the mirror - Posted Image
2.Launch the program by double clicking on the Posted Image icon. (Windows Vista/7 users right click on the HitmanPro icon and select run as administrator).

3.Click on the next button. You must agree with the terms of EULA.

4.Check the box beside "No, I only want to perform a one-time scan to check this computer".

5.Click on the next button.

6.The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.

7.When the scan is done click on drop-down menu of the found entries (if any) and choose - Apply to all => Ignore <= IMPORTANT!!!

8.Click on the next button.

9.Click on the "Export scan results to XML file".

10.Save that file to your desktop and zip and upload it here

11. Post the link to this zipped file in your next reply.



STEP 3


  • Please download the newest version of Malwarebytes' Anti-Malware and install it.
  • Please start the application by double-clicking on its icon.
  • Once the program has loaded go to the UPDATE tab and check for updates.
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad.
  • Please save it to a convenient location and post the results in your next reply.



STEP 4



Please download the latest version of TDSSKiller from here and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


STEP 5



I'd like us to scan your machine with ESET OnlineScan


  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Run ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image



Regards,
Georgi



#5 cee_cee

cee_cee
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:03:55 AM

Posted 07 September 2012 - 06:03 AM

Good to hear!! Felt relieved.

1) ESETNecursRemover did not find anything

2) Link for HitmanPro http://depositfiles.com/files/a32okaby7

3) MBAM LOG
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.09.06.12

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
Raul Nengasca :: RAULNENGASCA-PC [administrator]

9/7/2012 5:46:00 AM
mbam-log-2012-09-07 (05-46-00).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 236926
Time elapsed: 1 minute(s), 56 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

4) ESET Online Scan LOG
D:\Games\AngelJam\AngelJam\Angelo2.exe probably a variant of Win32/VB.KXWIKOY worm

#6 cee_cee

cee_cee
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:03:55 AM

Posted 07 September 2012 - 06:07 AM

TDSSKiller log (post was too long so I attached it).

Attached Files



#7 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:11:55 AM

Posted 08 September 2012 - 06:13 AM

Hi,


Sorry for the delay.
All your logs are clean.
Before I set you free let's check for vulnerable software.



Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Regards,
Georgi



#8 cee_cee

cee_cee
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:03:55 AM

Posted 08 September 2012 - 08:46 PM

No problem :)
Here are the results:

Results of screen317's Security Check version 0.99.50
Windows 7 x64 (UAC is enabled)
Out of date service pack!!
Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Avira Desktop
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
SpywareBlaster 4.6
Malwarebytes Anti-Malware version 1.61.0.1400
JavaFX 2.1.1
Java 7 Update 7
Adobe Flash Player 11.4.402.265
Adobe Reader 9 Adobe Reader out of Date!
Mozilla Firefox (14.0.1)
Google Chrome 19.0.1036.7
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
Kaspersky Lab Kaspersky Security Scan 2.0 kss.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 3%
````````````````````End of Log``````````````````````

Oh, I thought this might interest you. I was scanning out of boredom when Kaspersky Security Scan found this one:

Computer protection (0)

Information about anti-virus software and firewalls installed on the computer.

Malware (1)

Information about malware detected on the computer.

HEUR:Exploit.Java.CVE-2012-4681.gen
34024c57-3106a7da
C:\Documents and Settings\Raul Nengasca\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23

Vulnerabilities (1)

Information about applications and operating system components in which vulnerabilities have been detected.

C:\Program Files (x86)\Winamp\winamp.exe

Other issues (21)

Information about vulnerabilities associated with the settings of installed applications and the operating system.

"Invalid EXE files association"
"Invalid COM files association"
"Invalid PIF files association"
"Invalid BAT files association"
"Invalid LNK files association"
"Invalid SCR files association"
"Invalid REG files association"
"Autorun from hard drives is allowed"
"Autorun from network drives is enabled"
"CD/DVD autorun is enabled"
"Removable media autorun is enabled"
"Windows Explorer - show extensions of known file types"
"Microsoft Internet Explorer: clear history of typed URLs"
"Microsoft Internet Explorer - disable caching data received via protected channel"
"Microsoft Internet Explorer: disable sending error reports"
"Microsoft Internet Explorer: delete cookies"
"Microsoft Internet Explorer: clear the list of trusted domains"
"Microsoft Internet Explorer: clear list of pop-up blocker exceptions"
"Microsoft Internet Explorer: enable cache autocleanup on browser closing"
"Windows Explorer: display of known file types extensions is disabled"
"Microsoft Internet Explorer: start page reset"

Any thoughts on this?
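
The "Other issues" list above comes from registry settings that can be checked directly. The PowerShell script below is an added example, not part of the thread and not Kaspersky's or AVZ's code: it audits the file associations (the same check FRST's "EXE ASSOCIATION" section performs for .exe, extended to the other six types), the AutoRun policy bitmask, the hidden-extensions setting, and the Java deployment cache folder where the CVE-2012-4681 detection was found. The expected association commands are the stock Windows 7 values; the -Fix switch, the Get-Default helper and the output layout are my own. Run it elevated; without -Fix it only reports.

```powershell
# Added example (not from the thread): audit the items Kaspersky Security Scan
# flagged, straight from the registry, and optionally fix the ones that are
# plain settings. PowerShell 2.0 (Windows 7 default) is enough. Run elevated.
param([switch]$Fix)

$hkcr = 'Registry::HKEY_CLASSES_ROOT'

function Get-Default([string]$Key) {
    # A key's (default) value, or $null if the key or the value is missing
    $item = Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue
    if ($item) { $item.'(default)' } else { $null }
}

# 1. File associations: extension -> ProgId -> shell\open\command.
#    Expected values are the stock Windows 7 ones; malware rewrites these to
#    interpose itself on every program launch.
$assoc = @(
    @{ Ext = '.exe'; ProgId = 'exefile'; Command = '"%1" %*' },
    @{ Ext = '.com'; ProgId = 'comfile'; Command = '"%1" %*' },
    @{ Ext = '.bat'; ProgId = 'batfile'; Command = '"%1" %*' },
    @{ Ext = '.pif'; ProgId = 'piffile'; Command = '"%1" %*' },
    @{ Ext = '.scr'; ProgId = 'scrfile'; Command = '"%1" /S' },
    @{ Ext = '.reg'; ProgId = 'regfile'; Command = 'regedit.exe "%1"' },
    @{ Ext = '.lnk'; ProgId = 'lnkfile'; Command = $null }   # .lnk has no open\command
)
foreach ($a in $assoc) {
    $cmd = $null
    $progId = Get-Default "$hkcr\$($a.Ext)"
    $ok = ($progId -eq $a.ProgId)
    if ($ok -and $a.Command) {
        $cmd = Get-Default "$hkcr\$($a.ProgId)\shell\open\command"
        $ok = ($cmd -eq $a.Command)
    }
    "{0,-5} association: {1}" -f $a.Ext, $(if ($ok) { 'OK' } else { "CHECK (progid=$progId, command=$cmd)" })
}

# 2. AutoRun policy. NoDriveTypeAutoRun is a bitmask over GetDriveType values:
#    0x04 removable, 0x08 fixed (hard drives), 0x10 network, 0x20 CD/DVD.
#    A set bit disables AutoRun for that type; 0xFF disables it everywhere.
#    HKLM takes precedence over HKCU when both exist.
$driveBits = @{ 4 = 'removable media'; 8 = 'hard drives'; 16 = 'network drives'; 32 = 'CD/DVD' }
$polKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$mask = $null
foreach ($hive in 'HKLM:', 'HKCU:') {
    $v = Get-ItemProperty -LiteralPath "$hive\$polKey" -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($v) { $mask = [int]$v.NoDriveTypeAutoRun; break }
}
if ($mask -eq $null) { $mask = 0x91 }   # assumption: Windows 7 default when no policy is written
foreach ($bit in ($driveBits.Keys | Sort-Object)) {
    "AutoRun from {0,-15}: {1}" -f $driveBits[$bit], $(if ($mask -band $bit) { 'disabled' } else { 'ALLOWED' })
}
if ($Fix) {
    if (-not (Test-Path "HKLM:\$polKey")) { New-Item -Path "HKLM:\$polKey" -Force | Out-Null }
    Set-ItemProperty -Path "HKLM:\$polKey" -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

# 3. Explorer hides known extensions by default, so "invoice.pdf.exe" shows as
#    "invoice.pdf". HideFileExt = 0 shows them.
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hide = (Get-ItemProperty -LiteralPath $advKey -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
"Known file extensions: {0}" -f $(if ($hide -eq 0) { 'shown' } else { 'HIDDEN' })
if ($Fix) { Set-ItemProperty -Path $advKey -Name HideFileExt -Value 0 -Type DWord }

# 4. The Java deployment cache (Kaspersky reported it under the legacy
#    "Documents and Settings" junction, which on Windows 7 points at C:\Users).
#    Removing it discards cached applets; Java recreates it on next use.
$javaCache = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\cache'
if (Test-Path -LiteralPath $javaCache) {
    $count = (Get-ChildItem -LiteralPath $javaCache -Recurse -Force | Measure-Object).Count
    "Java deployment cache: $count entries under $javaCache"
    if ($Fix) { Remove-Item -LiteralPath $javaCache -Recurse -Force }
}
```

Two caveats when reading the output. The association check compares against the stock Windows 7 strings, so a machine where a legitimate tool registered its own handler for .reg or .scr will show CHECK without being infected; the point is to look at the command it prints, not to trust the verdict blindly. And the AutoRun fix is only a policy bit: it stops autorun.inf from being honoured, it does not clean a removable drive (the log shows a FAT-formatted stick as drive G:) that already carries one.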

#9 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:11:55 AM

Posted 09 September 2012 - 12:34 PM

Hi,



Let's do some updates here:



Go ahead and delete this folder:

C:\Documents and Settings\Raul Nengasca\AppData\LocalLow\Sun\Java\Deployment\cache\6.0

Also download and install JavaFX 2.2


I want you to run this for me

Run JavaRa

  • Please download JavaRa and unzip it to your desktop.
  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location.




Your Adobe Reader is out of date.
Older versions may have vulnerabilities that malware can use to infect your system.
Please download Adobe Reader 10.1.4 to your PC's desktop.

  • Uninstall Adobe Reader 9 via Start => Control Panel > Uninstall a program
  • Install the new downloaded updated software.

Note that the McAfee Security scan is prechecked. You may wish to uncheck it before downloading.





Your Mozilla Firefox is out of date!
Download and install the latest version Mozilla Firefox 15.0.1 Final for Windows
Do a backup of your existing profile using Mozbackup or FEBE before you proceed with the update.



Your Google Chrome is out of date!
Download and install the latest version from here - Google Chrome 21.0.1180.89 Stable





Your Internet Explorer is out of date! Even if you don't use it, it's recommended to update it.
You can download the latest one from here => Internet Explorer 9.0 Final for Windows 7 EN x64



Update Winamp from here - Winamp 5.63 Build 3235 Full




Next please Open Disk Defragmenter by clicking the Start button, clicking All Programs, clicking Accessories, clicking System Tools, and then clicking Disk Defragmenter

Select the drive you want to Defragment (the drive where Windows is installed).

Click Defragment Now.

Note: Do NOT defrag if SSD!



About these:



"Autorun from hard drives is allowed"
"Autorun from network drives is enabled"
"CD/DVD autorun is enabled"
"Removable media autorun is enabled"
"Windows Explorer - show extensions of known file types"
"Microsoft Internet Explorer: clear history of typed URLs"
"Microsoft Internet Explorer - disable caching data received via protected channel"
"Microsoft Internet Explorer: disable sending error reports"
"Microsoft Internet Explorer: delete cookies"
"Microsoft Internet Explorer: clear the list of trusted domains"
"Microsoft Internet Explorer: clear list of pop-up blocker exceptions"
"Microsoft Internet Explorer: enable cache autocleanup on browser closing"
"Windows Explorer: display of known file types extensions is disabled"
"Microsoft Internet Explorer: start page reset"



  • Download avz4.zip from here
  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Click on File => Database update => start
  • Now click on File => Troubleshooting wizard
    • From the drop-down menu change the dangerousness level to all issues
    • Click on Start. Put checkmarks beside all found entries and select Fix selected entries
    • Next, from the drop-down menu (issue type) change System Issues to Browser tweaks and settings
    • Click on Start. Put checkmarks beside all found entries and select Fix selected entries
    • Next, from the drop-down menu (issue type) change Browser tweaks and settings to Privacy
    • Click on Start. Put checkmarks beside all found entries except for clear prefetch, enable cleaning swap during boot, enable cleaning list of recent documents after exit, and select Fix selected entries
    • Next, from the drop-down menu (issue type) change Privacy to System CleanUp
    • Click on Start. Put checkmarks beside all found entries except for clear prefetch cache and select Fix selected entries
  • Restart the computer


I don't know if this report is accurate... If you have problems with these file type associations:

"Invalid EXE files association"
"Invalid COM files association"
"Invalid PIF files association"
"Invalid BAT files association"
"Invalid LNK files association"
"Invalid SCR files association"
"Invalid REG files association"


Open this site, download and merge to the registry the appropriate registry fix.


Then run a new scan with Kaspersky Security Scan 2.0



Regards,
Georgi

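Georgi's fix for the Kaspersky Security Scan findings above is to merge a registry fix and run AVZ. It also helps to look at what the registry actually holds, because a scanner line such as "Invalid EXE files association" does not by itself distinguish a real hijack from a reporting bug. The PowerShell audit below is an added example written for this page, not a tool posted in the thread. It reads the settings behind each KSS line (NoDriveTypeAutoRun for the four autorun items, HideFileExt for hidden extensions, and the per-extension ProgIDs and shell\open\command values for the associations) and reports anything that differs from the Windows 7 defaults. The script name Check-KssFindings.ps1 is hypothetical, and the expected command strings are the Windows 7 defaults, which may differ on other Windows versions.

```powershell
# Check-KssFindings.ps1 (hypothetical name) - added example, not from the original thread.
# Read-only audit of the settings Kaspersky Security Scan flagged: autorun, hidden
# extensions and file type associations. Expected values are Windows 7 defaults and the
# NoDriveTypeAutoRun bitmask documented by Microsoft. Works on PowerShell 2.0 and later.

$findings = New-Object System.Collections.Generic.List[string]

function Get-RegValue {
    # Returns a registry value, or $null when the key or value does not exist.
    param([string]$Path, [string]$Name = '(default)')
    try {
        $item = Get-ItemProperty -Path $Path -ErrorAction Stop
        return $item.$Name
    } catch { return $null }
}

# --- 1. Autorun -----------------------------------------------------------------
# NoDriveTypeAutoRun is a bitmask of drive types for which autorun is DISABLED
# (0xFF disables it everywhere). A machine policy in HKLM takes precedence over HKCU.
$bits = @{ 'Removable media' = 0x04; 'Hard drives' = 0x08; 'Network drives' = 0x10; 'CD/DVD' = 0x20 }
$mask = $null
foreach ($hive in 'HKLM', 'HKCU') {
    $v = Get-RegValue "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" 'NoDriveTypeAutoRun'
    if ($null -ne $v) { $mask = [int]$v; break }
}
if ($null -eq $mask) {
    $findings.Add('NoDriveTypeAutoRun is not set in HKLM or HKCU; set it to 0xFF to disable autorun everywhere')
} else {
    $hex = '0x{0:X2}' -f $mask
    foreach ($name in $bits.Keys) {
        # A clear bit means autorun is still allowed for that drive type, which is what KSS reported.
        if (($mask -band $bits[$name]) -eq 0) { $findings.Add("Autorun is enabled for: $name (NoDriveTypeAutoRun=$hex)") }
    }
}

# --- 2. Hidden extensions ------------------------------------------------------------
# HideFileExt=1 makes "statement.pdf.exe" display as "statement.pdf"; the safe value is 0.
$hide = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' 'HideFileExt'
if ($hide -ne 0) { $findings.Add("Windows Explorer hides known file extensions (HideFileExt=$hide)") }

# --- 3. File type associations ---------------------------------------------------------
# Windows 7 defaults. .lnk is opened by a shell extension and has no shell\open\command.
$expected = @{
    '.exe' = @{ ProgId = 'exefile'; Command = '"%1" %*' }
    '.com' = @{ ProgId = 'comfile'; Command = '"%1" %*' }
    '.bat' = @{ ProgId = 'batfile'; Command = '"%1" %*' }
    '.pif' = @{ ProgId = 'piffile'; Command = '"%1" %*' }
    '.scr' = @{ ProgId = 'scrfile'; Command = '"%1" /S' }
    '.reg' = @{ ProgId = 'regfile'; Command = 'regedit.exe "%1"' }
    '.lnk' = @{ ProgId = 'lnkfile'; Command = $null }
}
foreach ($ext in $expected.Keys) {
    $exp = $expected[$ext]
    # Per-user classes override HKLM, so a hijack planted under HKCU\Software\Classes wins
    # even when the machine-wide values look correct. A default install has none of these.
    $userProgId = Get-RegValue "HKCU:\Software\Classes\$ext"
    if ($userProgId) { $findings.Add("$ext is overridden per user: HKCU\Software\Classes\$ext -> '$userProgId'") }
    $progId = Get-RegValue "HKLM:\SOFTWARE\Classes\$ext"
    if ($progId -ne $exp.ProgId) { $findings.Add("$ext maps to '$progId' instead of '$($exp.ProgId)'") }
    if ($null -eq $exp.Command) { continue }
    $userCmd = Get-RegValue "HKCU:\Software\Classes\$($exp.ProgId)\shell\open\command"
    if ($userCmd) { $findings.Add("$($exp.ProgId) has a per-user open command: $userCmd") }
    # The classic hijack routes every program launch through malware, e.g. "<path>\dropper.exe" "%1" %*
    $cmd = Get-RegValue "HKLM:\SOFTWARE\Classes\$($exp.ProgId)\shell\open\command"
    if ($cmd -ne $exp.Command) { $findings.Add("$($exp.ProgId)\shell\open\command is '$cmd', expected '$($exp.Command)'") }
}

if ($findings.Count -eq 0) {
    'No issues found: autorun disabled, extensions shown, associations at Windows defaults.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Run it from an ordinary PowerShell prompt; reading these keys needs no elevation. A per-user override of .exe or exefile under HKCU\Software\Classes, or an open command that points at a file in a user profile, is the strongest sign of a genuine association hijack. Empty output for section 3 while the scanner still complains points to the kind of scanner bug Georgi suspects in his next reply.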


#10 cee_cee

cee_cee
  • Topic Starter

  • Members
  • 9 posts

Posted 11 September 2012 - 04:51 AM

Updated as instructed. Here is the KSS log file:

Computer protection (0)

Information about anti-virus software and firewalls installed on the computer.

Malware (0)

Information about malware detected on the computer.

Vulnerabilities (0)

Information about applications and operating system components in which vulnerabilities have been detected.

Other issues (8)

Information about vulnerabilities associated with the settings of installed applications and the operating system.

"Invalid EXE files association"
"Invalid COM files association"
"Invalid PIF files association"
"Invalid BAT files association"
"Invalid LNK files association"
"Invalid SCR files association"
"Invalid REG files association"
"CD/DVD autorun is enabled"

Still got those invalid files associations. I did follow the instructions on the link that you provided though.

#11 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 11 September 2012 - 07:17 AM

Hi,


This report shouldn't be taken seriously. Maybe some kind of bug. Nothing to worry about. Just ignore it.
The rest of the log looks much better now, as you can see. :)



Nicely done!
I have some final words for you.
All Clean!
Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it Clean.



STEP 1 UPDATING TASKS


  • It is possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you.
  • Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities.
  • You can check these by visiting Secunia Software Inspector or you can use the following application for this purpose PatchMyPC




Visit Microsoft's Windows Update Site Frequently



  • It is important that you visit Windows Update regularly.
  • This will ensure your computer always has the latest available security updates installed.
  • If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Note:
It is recommended to turn automatic updates on: Click here for more information.





STEP 2 CLEANUP



To remove all of the tools we used and the files and folders they created, please do the following:


  • Please download OTC.exe on your desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.


Note: If any tool, file, log file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Feel free to uninstall Eset Online Scanner.





STEP 3 SECURITY ADVICES



Change all your passwords!


Since your computer was infected, for peace of mind I would advise that all your passwords be changed immediately (just in case).
Use different passwords for all your accounts. Also don't use easy passwords such as your favorite teams, bands or pets because this will allow people to guess your password.
You can use PC Tools Password Generator to create random passwords and then install an application like KeePass Password Safe to store them for easy access.



If you do Online Banking!

Online Banking Protection Against Identity Theft

Also make sure you use HTTPS protocol with your banking websites.

Use HTTPS When Logging In To Social Websites



Keep your antivirus software turned on and up-to-date


  • Make sure your antivirus software is turned on and up-to-date.
  • New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Note:
  • You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
  • You should scan your computer with an AntiSpyware program like Malwarebytes' Anti-Malware on a regular basis just as you would an antivirus software.
  • Be sure to check for and download any definition updates prior to performing a scan.


Practice Safe Internet


One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will. Below are a list of simple precautions to take to keep your computer clean and running securely:


  • If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
  • If you receive an attachment and it ends with a .exe, .com, .bat, or .pif do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.
  • If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know infected with a malware that is trying to infect everyone in their address book.
  • If you are browsing the Internet and a popup appears saying that you are infected, ignore it! These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of popups, or Foistware, you should read this article:
    Foistware, And how to avoid it. There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. For a list of these types of programs we recommend you visit this link: About Malwares, Rogues, Scarewares, SmitfraudFix
  • Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you. We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake.
  • Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.
  • When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.
  • Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections. Avoid using cracks and unknown programs from sources you don't trust. There are MANY alternative open-source applications. Malware writers just love cracks and keygens, and will often attach malicious code into them. By using cracks and/or keygens, you are asking for problems. So my advice is - stay away from them!
  • Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing it, and Peer-2-Peer networks are crawling with it. If you want to download a piece of software from a site, and are not sure if it is legitimate, you can use McAfee Siteadvisor to look up info on the site. Note: skip this advice if your antivirus has a Web Guard.
  • DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.


Use Google Chrome or install Mozilla Firefox with these add-ons - NoScript, Adblock Plus - or optimize Internet Explorer


To prevent further infections, use Google Chrome, which has a sandbox - Google Chrome 21.0.1180.89 Stable

You can download Mozilla Firefox from here - Mozilla Firefox 15.0.1 Final
NoScript can be found here.
Adblock Plus can be found here.

Tracking Protection and ActiveX filtering description can be found here.



Create an image of your system


  • It is always a good idea to do a backup of all important files just in case something happens to them.
  • Macrium Reflect is a very good choice that enables you to create an image of your system drive which can be restored in case of problems.
  • The download link is here.
  • The tutorials can be found here.
  • Be sure to read the tutorial first.



Optimize Windows 7 for better performance


Check the following link for more info.



Follow this list and your potential for being infected again will reduce dramatically.



Safe Surfing! :thumbup:



Regards,
Georgi

Edited by B-boy/StyLe/, 11 September 2012 - 07:17 AM.
typo.



#12 cee_cee

cee_cee
  • Topic Starter

  • Members
  • 9 posts

Posted 12 September 2012 - 06:43 AM

I see. Yay, it's clean!

Thanks a lot, Georgi, for the effort that you made! Awesome site also :)

#13 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 12 September 2012 - 10:07 AM

You are more than welcome! :)


It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.


Everyone else please start a new topic!



Regards,
Georgi





