
Infected with remote administration trojan + botnet #2


  • This topic is locked
19 replies to this topic

#1 Zazzec

Zazzec

  • Members
  • 21 posts
  • OFFLINE
  • Local time:08:17 AM

Posted 08 September 2012 - 04:45 PM

Old topic from which I was redirected to post here

.
DDS (Ver_2011-08-26.01) - NTFSAMD64 
Internet Explorer: 8.0.7601.17514
Run by MOB at 23:38:54 on 2012-09-08
Microsoft Windows 7 Professional   6.1.7601.1.1251.359.1033.18.4094.2355 [GMT 3:00]
.
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: COMODO Defense+ *Enabled/Updated* {FEEA52D5-051E-08DD-07EF-2F009097607D}
FW: COMODO Firewall *Enabled* {7DB03214-694B-060B-1600-BD4715C36DBB}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avmailc.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe
C:\Program Files (x86)\Trend Micro\RUBotted\RUBotSrv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files (x86)\DAEMON Tools Pro\DTAgent.exe
C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe
C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Users\MOB\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\MOB\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\MOB\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Windows\system32\wuauclt.exe
C:\Users\MOB\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Panda USB Vaccine\USBVaccine.exe
C:\Windows\system32\taskhost.exe
C:\Users\MOB\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uURLSearchHooks: H - No File
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE.dll
TB: {7473B6BD-4691-4744-A82B-7854EB3D70B6} - No File
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun: [KeyScrambler] C:\Program Files (x86)\KeyScrambler\keyscrambler.exe /a
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: &Експортиране към Microsoft Excel - D:\MICROS~1\Install\Office12\EXCEL.EXE/3000
IE: E&xport to Microsoft Excel - D:\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - D:\MICROS~2\Office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61} - C:\Program Files (x86)\KeyScrambler\KeyScramblerIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
LSP: C:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 46.55.222.38 46.55.222.6
TCP: Interfaces\{0F8434BD-392A-4CB8-B822-4DA2FF3553A4} : NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{0F8434BD-392A-4CB8-B822-4DA2FF3553A4} : DhcpNameServer = 46.55.222.38 46.55.222.6
TCP: Interfaces\{5375FD3E-D877-4E30-8FCC-3DE83C92C425} : NameServer = 10.73.32.1
TCP: Interfaces\{E41DD838-B94E-45F7-B0F8-7EBFC7495412} : NameServer = 8.26.56.26,156.154.70.22
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
AppInit_DLLs:  C:\Windows\SysWOW64\guard32.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64:     AcroIEHelperStub - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO-X64:     URLRedirectionBHO - No File
BHO-X64: Hotspot Shield Class: {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE.dll
TB-X64: {7473B6BD-4691-4744-A82B-7854EB3D70B6} - No File
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun-x64: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun-x64: [KeyScrambler] C:\Program Files (x86)\KeyScrambler\keyscrambler.exe /a
AppInit_DLLs-X64:  C:\Windows\SysWOW64\guard32.dll
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;C:\Windows\system32\DRIVERS\avkmgr.sys --> C:\Windows\system32\DRIVERS\avkmgr.sys [?]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;C:\Windows\system32\DRIVERS\cmdguard.sys --> C:\Windows\system32\DRIVERS\cmdguard.sys [?]
R1 cmdHlp;COMODO Internet Security Helper Driver;C:\Windows\system32\DRIVERS\cmdhlp.sys --> C:\Windows\system32\DRIVERS\cmdhlp.sys [?]
R1 HssDRV6;Hotspot Shield Routing Driver 6;C:\Windows\system32\DRIVERS\hssdrv6.sys --> C:\Windows\system32\DRIVERS\hssdrv6.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-7-27 63960]
R2 AntiVirMailService;Avira Mail Protection;C:\Program Files (x86)\Avira\AntiVir Desktop\avmailc.exe [2012-8-18 375760]
R2 AntiVirSchedulerService;Avira Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2012-8-18 86224]
R2 AntiVirService;Avira Realtime Protection;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2012-8-18 110032]
R2 AntiVirWebService;Avira Web Protection;C:\Program Files (x86)\Avira\AntiVir Desktop\avwebgrd.exe [2012-8-18 465360]
R2 avgntflt;avgntflt;C:\Windows\system32\DRIVERS\avgntflt.sys --> C:\Windows\system32\DRIVERS\avgntflt.sys [?]
R2 hshld;Hotspot Shield Service;C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe [2012-8-3 476016]
R2 HssWd;Hotspot Shield Monitoring Service;C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe [2012-8-3 387440]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-8-18 655944]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-8-18 1262400]
R2 RUBotSrv;Trend Micro RUBotted Service;C:\Program Files (x86)\Trend Micro\RUBotted\RUBotSrv.exe [2012-8-18 439632]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-5-15 382272]
R3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\system32\DRIVERS\dtsoftbus01.sys --> C:\Windows\system32\DRIVERS\dtsoftbus01.sys [?]
R3 KeyScrambler;KeyScrambler;C:\Windows\system32\drivers\keyscrambler.sys --> C:\Windows\system32\drivers\keyscrambler.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 RTL8023x64;Realtek 10/100 NIC Family NDIS x64 Driver;C:\Windows\system32\DRIVERS\Rtnic64.sys --> C:\Windows\system32\DRIVERS\Rtnic64.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-7-13 160944]
S2 VMwareHostd;VMware Workstation Server;"D:\VMware\VMware Workstation\vmware-hostd.exe" -u "C:\ProgramData\VMware\hostd\config.xml" --> D:\VMware\VMware Workstation\vmware-hostd.exe [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-8-18 250056]
S3 dmvsc;dmvsc;C:\Windows\system32\drivers\dmvsc.sys --> C:\Windows\system32\drivers\dmvsc.sys [?]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;D:\Microsoft Office Professional Plus 2010 with Service Pack 1 VL EN x64\Office14\GROOVE.EXE [2010-3-25 51456888]
S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-1-9 174440]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 Revoflt;Revoflt;C:\Windows\system32\DRIVERS\revoflt.sys --> C:\Windows\system32\DRIVERS\revoflt.sys [?]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
.
=============== Created Last 30 ================
.
2012-09-08 20:11:34	--------	d-----w-	C:\ProgramData\Panda Security
2012-09-08 20:11:24	--------	d-----w-	C:\Program Files (x86)\Panda USB Vaccine
2012-09-08 17:23:46	2622464	----a-w-	C:\Windows\System32\wucltux.dll
2012-09-08 17:23:30	36864	----a-w-	C:\Windows\System32\wuapp.exe
2012-09-08 17:23:30	186752	----a-w-	C:\Windows\System32\wuwebv.dll
2012-09-08 13:22:53	--------	d-----w-	C:\Users\MOB\AppData\Roaming\COMODO
2012-09-08 10:42:20	--------	d-----w-	C:\Windows\SysWow64\Hotspot Shield
2012-09-07 10:28:49	39184	----a-w-	C:\Windows\System32\Partizan.exe
2012-09-07 10:16:18	39184	----a-w-	C:\Windows\SysWow64\Partizan.exe
2012-09-07 10:16:18	35816	----a-w-	C:\Windows\SysWow64\drivers\Partizan.sys
2012-09-07 10:16:18	--------	d-----w-	C:\ProgramData\RegRun
2012-09-07 10:16:16	2	--shatr-	C:\Windows\winstart.bat
2012-09-07 10:16:14	12800	----a-w-	C:\Windows\SysWow64\drivers\UnHackMeDrv.sys
2012-09-07 10:16:12	--------	d-----w-	C:\Program Files (x86)\UnHackMe
2012-09-07 10:08:52	--------	d-----w-	C:\Users\MOB\AppData\Roaming\QFX Software
2012-09-07 10:08:52	--------	d-----w-	C:\ProgramData\QFX Software
2012-09-07 10:08:50	222904	----a-w-	C:\Windows\System32\drivers\keyscrambler.sys
2012-09-07 10:08:50	--------	d-----w-	C:\Program Files (x86)\KeyScrambler
2012-09-06 16:45:51	--------	d-----w-	C:\Program Files\Microsoft Synchronization Services
2012-09-06 16:45:23	--------	d-----w-	C:\Windows\PCHEALTH
2012-09-06 16:45:23	--------	d-----w-	C:\Program Files\Microsoft SQL Server Compact Edition
2012-09-06 16:42:54	--------	d-----w-	C:\Program Files (x86)\Microsoft Visual Studio 8
2012-09-06 16:41:58	--------	d-----w-	C:\Program Files\Microsoft Analysis Services
2012-09-06 16:41:58	--------	d-----w-	C:\Program Files (x86)\Microsoft Analysis Services
2012-09-06 16:37:04	--------	d-----w-	C:\Windows\System32\appmgmt
2012-09-04 20:26:44	--------	d-----w-	C:\Program Files (x86)\PANDORA.TV
2012-09-04 20:26:01	--------	d-----w-	C:\Program Files (x86)\The KMPlayer
2012-09-04 20:19:28	--------	d-----w-	C:\Users\MOB\AppData\Roaming\BSplayer PRO
2012-09-04 20:19:28	--------	d-----w-	C:\Program Files (x86)\Webteh
2012-09-04 13:28:48	281120	----a-w-	C:\Windows\SysWow64\PnkBstrB.exe
2012-09-04 13:28:48	281120	----a-w-	C:\Windows\SysWow64\PnkBstrB.ex0
2012-09-04 13:28:27	281120	----a-w-	C:\Windows\SysWow64\PnkBstrB.xtr
2012-09-04 11:39:21	75136	----a-w-	C:\Windows\SysWow64\PnkBstrA.exe
2012-09-04 11:39:09	--------	d-----w-	C:\Users\MOB\AppData\Local\PunkBuster
2012-09-04 11:02:42	74072	----a-w-	C:\Windows\SysWow64\XAPOFX1_5.dll
2012-09-04 11:02:42	527192	----a-w-	C:\Windows\SysWow64\XAudio2_7.dll
2012-09-04 11:02:41	2106216	----a-w-	C:\Windows\SysWow64\D3DCompiler_43.dll
2012-09-04 11:02:41	1998168	----a-w-	C:\Windows\SysWow64\D3DX9_43.dll
2012-09-01 09:17:42	--------	d-----w-	C:\Users\MOB\AppData\Roaming\WinPatrol
2012-08-31 18:14:33	--------	d-----w-	C:\Users\MOB\VirtualBox VMs
2012-08-31 18:14:09	--------	d-----w-	C:\Users\MOB\.VirtualBox
2012-08-31 18:13:04	224088	----a-w-	C:\Windows\System32\drivers\VBoxDrv.sys
2012-08-31 18:12:53	130904	----a-w-	C:\Windows\System32\drivers\VBoxUSBMon.sys
2012-08-31 18:02:16	--------	d-----w-	C:\Program Files (x86)\Common Files\VMware
2012-08-31 16:36:01	--------	d-----w-	C:\Users\MOB\AppData\Local\Adobe
2012-08-31 16:22:52	--------	d-----w-	C:\Users\MOB\AppData\Roaming\Foxit Software
2012-08-28 18:02:12	--------	d--h--w-	C:\VritualRoot
2012-08-27 18:30:07	--------	d-----w-	C:\Program Files (x86)\Foxit Software
2012-08-27 18:04:05	--------	d-----w-	C:\ProgramData\Comodo
2012-08-27 18:04:02	--------	d-----w-	C:\Program Files\COMODO
2012-08-25 19:07:47	--------	d-----w-	C:\Program Files\Speccy
2012-08-25 10:45:32	--------	d-----w-	C:\Users\MOB\AppData\Local\VMware
2012-08-25 10:42:46	63128	----a-w-	C:\Windows\System32\drivers\vmx86.sys
2012-08-25 10:42:46	31384	----a-w-	C:\Windows\System32\drivers\VMparport.sys
2012-08-25 10:42:17	433816	----a-w-	C:\Windows\SysWow64\vmnat.exe
2012-08-25 10:42:16	30360	----a-w-	C:\Windows\System32\drivers\vmnetuserif.sys
2012-08-25 10:42:11	942744	----a-w-	C:\Windows\System32\vnetlib64.dll
2012-08-25 09:48:13	--------	d-----w-	C:\Program Files (x86)\PhrozenSoft
2012-08-23 09:18:45	--------	d-----w-	C:\Windows\SysWow64\Adobe
2012-08-22 22:59:30	--------	d-----w-	C:\Users\MOB\AppData\Local\VS Revo Group
2012-08-22 22:59:27	31800	----a-w-	C:\Windows\System32\drivers\revoflt.sys
2012-08-22 22:59:26	--------	d-----w-	C:\Program Files\VS Revo Group
2012-08-22 18:03:54	--------	d-----w-	C:\Users\MOB\AppData\Roaming\Ashampoo
2012-08-22 18:03:35	--------	d-----w-	C:\Users\MOB\AppData\Local\ashampoo
2012-08-22 18:03:35	--------	d-----w-	C:\ProgramData\ashampoo
2012-08-22 18:02:49	--------	d-----w-	C:\Program Files (x86)\Ashampoo
2012-08-21 10:52:13	--------	d-----w-	C:\Program Files\CCleaner
2012-08-20 21:49:55	--------	d-----w-	C:\ProgramData\Hotspot Shield
2012-08-20 21:49:10	--------	d-----w-	C:\Program Files (x86)\Hotspot Shield
2012-08-20 14:23:52	166232	----a-w-	C:\Windows\System32\drivers\VBoxNetFlt.sys
2012-08-20 14:23:52	147288	----a-w-	C:\Windows\System32\drivers\VBoxNetAdp.sys
2012-08-20 14:23:50	320856	----a-w-	C:\Windows\System32\VBoxNetFltNobj.dll
2012-08-20 13:24:25	--------	d-----w-	C:\Users\MOB\AppData\Local\Microsoft Help
2012-08-19 18:30:03	--------	d-----w-	C:\Users\MOB\AppData\Local\Skyrim
2012-08-19 18:27:01	78680	----a-w-	C:\Windows\System32\XAPOFX1_4.dll
2012-08-19 18:27:01	74072	----a-w-	C:\Windows\SysWow64\XAPOFX1_4.dll
2012-08-19 18:27:01	530776	----a-w-	C:\Windows\System32\XAudio2_6.dll
2012-08-19 18:27:01	528216	----a-w-	C:\Windows\SysWow64\XAudio2_6.dll
2012-08-19 18:27:01	238936	----a-w-	C:\Windows\SysWow64\xactengine3_6.dll
2012-08-19 18:27:01	176984	----a-w-	C:\Windows\System32\xactengine3_6.dll
2012-08-19 18:27:00	24920	----a-w-	C:\Windows\System32\X3DAudio1_7.dll
2012-08-19 18:27:00	22360	----a-w-	C:\Windows\SysWow64\X3DAudio1_7.dll
2012-08-19 18:12:52	--------	d-----w-	C:\Users\MOB\AppData\Roaming\OpenCandy
2012-08-19 18:11:41	283200	----a-w-	C:\Windows\System32\drivers\dtsoftbus01.sys
2012-08-19 18:11:38	--------	d-----w-	C:\Users\MOB\AppData\Roaming\DAEMON Tools Pro
2012-08-19 18:11:36	--------	d-----w-	C:\Program Files (x86)\DAEMON Tools Pro
2012-08-19 18:10:21	--------	d-----w-	C:\ProgramData\DAEMON Tools Pro
2012-08-19 17:47:48	--------	d-----w-	C:\Users\MOB\AppData\Roaming\DAEMON Tools Lite
2012-08-19 17:47:45	--------	d-----w-	C:\ProgramData\DAEMON Tools Lite
2012-08-19 17:41:32	868848	----a-w-	C:\Windows\System32\drivers\sptd.sys
2012-08-19 16:51:22	--------	d-----w-	C:\Users\MOB\AppData\Local\CRE
2012-08-19 16:51:16	--------	d-----w-	C:\Program Files (x86)\Conduit
2012-08-19 16:51:15	--------	d-----w-	C:\Users\MOB\AppData\Local\Conduit
2012-08-19 16:51:09	--------	d-----w-	C:\Program Files (x86)\uTorrent
2012-08-19 16:48:55	--------	d-----w-	C:\Users\MOB\AppData\Roaming\uTorrent
2012-08-18 21:01:53	--------	d-----w-	C:\Windows\Panther
2012-08-18 21:01:39	--------	d-sh--w-	C:\Boot
2012-08-18 18:15:47	--------	d-----w-	C:\Users\MOB\AppData\Roaming\NVIDIA
2012-08-18 18:11:54	--------	d-----w-	C:\Program Files (x86)\NVIDIA Corporation
2012-08-18 18:11:39	63296	----a-w-	C:\Windows\System32\nvshext.dll
2012-08-18 18:11:38	889664	----a-w-	C:\Windows\System32\nvvsvc.exe
2012-08-18 18:11:38	6151488	----a-w-	C:\Windows\System32\nvcpl.dll
2012-08-18 18:11:38	3149632	----a-w-	C:\Windows\System32\nvsvc64.dll
2012-08-18 18:11:38	118080	----a-w-	C:\Windows\System32\nvmctray.dll
2012-08-18 18:11:21	68928	----a-w-	C:\Windows\System32\OpenCL.dll
2012-08-18 18:11:21	61248	----a-w-	C:\Windows\SysWow64\OpenCL.dll
2012-08-18 18:11:09	--------	d-----w-	C:\ProgramData\NVIDIA Corporation
2012-08-18 18:09:45	--------	d-----w-	C:\NVIDIA
2012-08-18 18:00:30	--------	d-----w-	C:\Program Files (x86)\Counter-Strike 1.6
2012-08-18 15:04:27	--------	d-----r-	C:\Program Files (x86)\Skype
2012-08-18 13:19:31	--------	d-----w-	C:\ProgramData\Trend Micro
2012-08-18 12:40:10	--------	d-----w-	C:\Users\MOB\AppData\Local\Diagnostics
2012-08-18 11:36:27	--------	d-----w-	C:\Users\MOB\AppData\Roaming\Avira
2012-08-18 11:33:45	27760	----a-w-	C:\Windows\System32\drivers\avkmgr.sys
2012-08-18 11:33:44	98848	----a-w-	C:\Windows\System32\drivers\avgntflt.sys
2012-08-18 11:33:44	139360	----a-w-	C:\Windows\System32\drivers\avfwot.sys
2012-08-18 11:33:43	114128	----a-w-	C:\Windows\System32\drivers\avfwim.sys
2012-08-18 11:33:37	--------	d-----w-	C:\ProgramData\Avira
2012-08-18 11:33:37	--------	d-----w-	C:\Program Files (x86)\Avira
2012-08-18 11:28:36	287304	----a-w-	C:\Windows\System32\drivers\Trufos.sys
2012-08-18 10:55:26	--------	d-----w-	C:\Program Files (x86)\WinPcap
2012-08-18 10:55:12	--------	d-----w-	C:\Program Files (x86)\Trend Micro
2012-08-18 10:54:28	70344	----a-w-	C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-18 10:54:28	426184	----a-w-	C:\Windows\SysWow64\FlashPlayerApp.exe
2012-08-18 10:51:44	--------	d-----w-	C:\Users\MOB\AppData\Local\Google
2012-08-18 10:51:09	--------	d-----w-	C:\Users\MOB\AppData\Local\Apps
2012-08-18 10:51:07	--------	d-----w-	C:\Users\MOB\AppData\Local\Deployment
2012-08-18 10:22:12	--------	d-----w-	C:\Users\MOB\AppData\Roaming\Malwarebytes
2012-08-18 10:21:58	--------	d-----w-	C:\ProgramData\Malwarebytes
2012-08-18 10:21:57	24904	----a-w-	C:\Windows\System32\drivers\mbam.sys
2012-08-18 10:21:57	--------	d-----w-	C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-08-18 10:20:22	--------	d-sh--w-	C:\Windows\Installer
.
==================== Find3M  ====================
.
2012-08-01 18:13:42	41704	----a-w-	C:\Windows\System32\drivers\hssdrv6.sys
2012-08-01 18:13:40	38632	----a-w-	C:\Windows\System32\drivers\taphss.sys
.
============= FINISH: 23:39:26.05 ===============


After the scan, GMER did not find any system modifications, so it did not generate any log.


Edited by Zazzec, 08 September 2012 - 04:46 PM.




#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,754 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:17 AM

Posted 11 September 2012 - 08:47 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall.


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html


Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third-party programs, if not up to date, can be the cause of the infiltration of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Remove the AdWare, PUP (Potentially Unwanted Program) found.

  • Please close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with OK.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.

Please post the logs for my review and let me know what problem persists.

#3 Zazzec

Zazzec
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:08:17 AM

Posted 12 September 2012 - 05:57 AM

Hey nasdaq, here are the logs you need:

ComboFix 12-09-12.02 - MOB 09/12/2012 13:42:38.1.4 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1251.359.1033.18.4094.2987 [GMT 3:00]
Running from: c:\users\MOB\Downloads\ComboFix.exe
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
AV: Outpost Security Suite Pro *Disabled/Updated* {ECEA6BCD-A007-0BC7-D5A5-0254DCBD816E}
FW: COMODO Firewall *Enabled* {7DB03214-694B-060B-1600-BD4715C36DBB}
FW: Outpost Security Suite Pro *Disabled* {D4D1EAE8-EA68-0A9F-FEFA-AB61226EC615}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: COMODO Defense+ *Enabled/Updated* {FEEA52D5-051E-08DD-07EF-2F009097607D}
SP: Outpost Security Suite Pro *Disabled/Updated* {578B8A29-863D-0449-EF15-3926A73ACBD3}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\SysWow64\wpcap.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-08-12 to 2012-09-12 )))))))))))))))))))))))))))))))
.
.
2012-09-12 10:46 . 2012-09-12 10:46 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-10 11:06 . 2012-09-10 11:07 -------- d-----w- C:\FRST
2012-09-09 13:05 . 2012-09-09 13:05 -------- d-----w- c:\program files (x86)\DIY DataRecovery MBRtool
2012-09-09 12:40 . 2012-09-09 16:39 -------- d-----w- c:\programdata\Agnitum
2012-09-08 22:57 . 2012-09-08 22:57 -------- d-----w- c:\windows\SysWow64\WCID
2012-09-08 22:51 . 2012-09-09 13:11 -------- d-----w- c:\program files (x86)\Common Files\PC Tools
2012-09-08 22:51 . 2012-06-22 12:35 251560 ----a-w- c:\windows\system32\drivers\PCTSD64.sys
2012-09-08 22:50 . 2012-09-09 11:46 -------- d-----w- c:\programdata\PC Tools
2012-09-08 20:11 . 2012-09-08 20:11 -------- d-----w- c:\programdata\Panda Security
2012-09-08 20:11 . 2012-09-08 20:11 -------- d-----w- c:\program files (x86)\Panda USB Vaccine
2012-09-08 17:23 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-09-08 17:23 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-09-08 17:23 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2012-09-08 17:23 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-09-08 17:23 . 2012-06-02 12:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-09-08 17:23 . 2012-06-02 12:15 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-09-08 10:42 . 2012-09-08 10:42 -------- d-----w- c:\windows\SysWow64\Hotspot Shield
2012-09-07 10:28 . 2012-09-07 10:28 39184 ----a-w- c:\windows\system32\Partizan.exe
2012-09-07 10:16 . 2012-09-10 16:39 -------- d-----w- c:\programdata\RegRun
2012-09-07 10:16 . 2012-09-07 10:16 39184 ----a-w- c:\windows\SysWow64\Partizan.exe
2012-09-07 10:16 . 2012-09-07 10:16 35816 ----a-w- c:\windows\SysWow64\drivers\Partizan.sys
2012-09-07 10:16 . 2012-09-07 10:16 2 --shatr- c:\windows\winstart.bat
2012-09-07 10:16 . 2012-06-27 13:01 12800 ----a-w- c:\windows\SysWow64\drivers\UnHackMeDrv.sys
2012-09-07 10:16 . 2012-09-09 20:47 -------- d-----w- c:\program files (x86)\UnHackMe
2012-09-07 10:08 . 2012-09-07 10:08 -------- d-----w- c:\programdata\QFX Software
2012-09-07 10:08 . 2012-09-07 10:08 -------- d-----w- c:\program files (x86)\KeyScrambler
2012-09-07 10:08 . 2011-12-15 00:46 222904 ----a-w- c:\windows\system32\drivers\keyscrambler.sys
2012-09-06 16:53 . 2012-09-06 16:53 -------- d-----w- c:\program files\Microsoft Office
2012-09-06 16:46 . 2012-09-06 16:46 -------- d-----w- c:\program files\Common Files\DESIGNER
2012-09-06 16:45 . 2012-09-06 16:45 -------- d-----w- c:\program files\Microsoft Synchronization Services
2012-09-06 16:45 . 2012-09-06 16:45 -------- d-----w- c:\windows\PCHEALTH
2012-09-06 16:45 . 2012-09-06 16:45 -------- d-----w- c:\program files\Microsoft Sync Framework
2012-09-06 16:45 . 2012-09-06 16:45 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2012-09-06 16:45 . 2012-09-06 16:45 -------- d-----w- c:\program files (x86)\Microsoft.NET
2012-09-06 16:42 . 2012-09-06 16:42 -------- d-----w- c:\program files (x86)\Microsoft Visual Studio 8
2012-09-06 16:41 . 2012-09-06 16:41 -------- d-----w- c:\program files\Microsoft Analysis Services
2012-09-06 16:41 . 2012-09-06 16:41 -------- d-----w- c:\program files (x86)\Microsoft Analysis Services
2012-09-06 16:37 . 2012-09-06 16:37 -------- d-----w- c:\windows\system32\appmgmt
2012-09-04 20:26 . 2012-09-04 20:26 -------- d-----w- c:\program files (x86)\PANDORA.TV
2012-09-04 20:26 . 2012-09-11 21:49 -------- d-----w- c:\program files (x86)\The KMPlayer
2012-09-04 20:19 . 2012-09-04 20:19 -------- d-----w- c:\program files (x86)\Webteh
2012-09-04 13:28 . 2012-09-04 22:26 281120 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2012-09-04 13:28 . 2012-09-04 15:27 281120 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2012-09-04 13:28 . 2012-09-04 22:26 281120 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2012-09-04 11:39 . 2012-09-05 13:35 75136 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
2012-09-04 11:02 . 2010-06-02 01:55 74072 ----a-w- c:\windows\SysWow64\XAPOFX1_5.dll
2012-09-04 11:02 . 2010-06-02 01:55 527192 ----a-w- c:\windows\SysWow64\XAudio2_7.dll
2012-09-04 11:02 . 2010-05-26 08:41 2106216 ----a-w- c:\windows\SysWow64\D3DCompiler_43.dll
2012-09-04 11:02 . 2010-05-26 08:41 1998168 ----a-w- c:\windows\SysWow64\D3DX9_43.dll
2012-08-31 18:13 . 2012-08-20 14:23 224088 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys
2012-08-31 18:12 . 2012-08-20 14:23 130904 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys
2012-08-31 18:12 . 2012-09-08 18:18 -------- dc----w- c:\windows\system32\DRVSTORE
2012-08-31 18:02 . 2012-08-31 18:02 -------- d-----w- c:\program files (x86)\Common Files\VMware
2012-08-31 16:35 . 2012-08-31 16:35 -------- d-----w- c:\program files (x86)\Common Files\Adobe
2012-08-28 18:02 . 2012-08-28 18:02 -------- d-----w- C:\VritualRoot
2012-08-27 18:30 . 2012-08-27 18:30 -------- d-----w- c:\program files (x86)\Foxit Software
2012-08-27 18:04 . 2012-09-08 13:22 -------- d-----w- c:\programdata\Comodo
2012-08-27 18:04 . 2012-09-08 18:18 -------- d-----w- c:\program files\COMODO
2012-08-25 19:07 . 2012-08-25 19:07 -------- d-----w- c:\program files\Speccy
2012-08-25 10:42 . 2012-06-08 23:18 63128 ----a-w- c:\windows\system32\drivers\vmx86.sys
2012-08-25 10:42 . 2012-06-08 23:18 31384 ----a-w- c:\windows\system32\drivers\VMparport.sys
2012-08-25 10:42 . 2012-06-08 23:18 433816 ----a-w- c:\windows\SysWow64\vmnat.exe
2012-08-25 10:42 . 2012-06-08 23:16 30360 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys
2012-08-25 10:42 . 2012-06-08 23:18 942744 ----a-w- c:\windows\system32\vnetlib64.dll
2012-08-25 10:40 . 2012-08-31 18:02 -------- d-----w- c:\programdata\VMware
2012-08-25 09:48 . 2012-08-25 09:48 -------- d-----w- c:\program files (x86)\PhrozenSoft
2012-08-23 17:59 . 2012-08-23 17:59 -------- d-----w- c:\program files\WinRAR
2012-08-23 09:18 . 2012-08-23 10:16 -------- d-----w- c:\windows\SysWow64\Adobe
2012-08-22 22:59 . 2009-12-30 08:21 31800 ----a-w- c:\windows\system32\drivers\revoflt.sys
2012-08-22 22:59 . 2012-08-22 22:59 -------- d-----w- c:\program files\VS Revo Group
2012-08-22 18:03 . 2012-08-22 18:03 -------- d-----w- c:\programdata\ashampoo
2012-08-22 18:02 . 2012-08-22 18:02 -------- d-----w- c:\program files (x86)\Ashampoo
2012-08-21 10:52 . 2012-08-21 10:52 -------- d-----w- c:\program files\CCleaner
2012-08-20 21:49 . 2012-08-20 21:49 -------- d-----w- c:\programdata\Hotspot Shield
2012-08-20 21:49 . 2012-08-20 21:50 -------- d-----w- c:\program files (x86)\Hotspot Shield
2012-08-20 14:23 . 2012-08-20 14:23 166232 ----a-w- c:\windows\system32\drivers\VBoxNetFlt.sys
2012-08-20 14:23 . 2012-08-20 14:23 147288 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys
2012-08-20 14:23 . 2012-08-20 14:23 320856 ----a-w- c:\windows\system32\VBoxNetFltNobj.dll
2012-08-20 13:24 . 2012-09-06 16:53 -------- d-----w- c:\programdata\Microsoft Help
2012-08-19 18:27 . 2010-02-04 07:01 78680 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2012-08-19 18:27 . 2010-02-04 07:01 74072 ----a-w- c:\windows\SysWow64\XAPOFX1_4.dll
2012-08-19 18:27 . 2010-02-04 07:01 530776 ----a-w- c:\windows\system32\XAudio2_6.dll
2012-08-19 18:27 . 2010-02-04 07:01 528216 ----a-w- c:\windows\SysWow64\XAudio2_6.dll
2012-08-19 18:27 . 2010-02-04 07:01 238936 ----a-w- c:\windows\SysWow64\xactengine3_6.dll
2012-08-19 18:27 . 2010-02-04 07:01 176984 ----a-w- c:\windows\system32\xactengine3_6.dll
2012-08-19 18:27 . 2010-02-04 07:01 24920 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2012-08-19 18:27 . 2010-02-04 07:01 22360 ----a-w- c:\windows\SysWow64\X3DAudio1_7.dll
2012-08-19 18:11 . 2012-08-19 18:11 283200 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-08-19 18:11 . 2012-08-19 18:11 -------- d-----w- c:\program files (x86)\DAEMON Tools Pro
2012-08-19 18:10 . 2012-08-19 18:15 -------- d-----w- c:\programdata\DAEMON Tools Pro
2012-08-19 17:47 . 2012-08-19 17:47 -------- d-----w- c:\programdata\DAEMON Tools Lite
2012-08-19 17:41 . 2012-08-19 18:00 868848 ----a-w- c:\windows\system32\drivers\sptd.sys
2012-08-19 16:51 . 2012-08-19 16:51 -------- d-----w- c:\program files (x86)\Conduit
2012-08-19 16:51 . 2012-08-19 16:51 -------- d-----w- c:\program files (x86)\uTorrent
2012-08-18 21:01 . 2012-08-21 10:54 -------- d-----w- c:\windows\Panther
2012-08-18 21:01 . 2012-08-18 21:01 -------- d-----w- C:\Boot
2012-08-18 18:11 . 2012-09-11 22:15 -------- d-----w- c:\users\UpdatusUser
2012-08-18 18:11 . 2012-08-18 18:13 -------- d-----w- c:\program files (x86)\NVIDIA Corporation
2012-08-18 18:11 . 2012-09-12 10:31 -------- d-----w- c:\programdata\NVIDIA
2012-08-18 18:11 . 2012-05-15 09:29 63296 ----a-w- c:\windows\system32\nvshext.dll
2012-08-18 18:11 . 2012-05-15 09:29 889664 ----a-w- c:\windows\system32\nvvsvc.exe
2012-08-18 18:11 . 2012-05-15 09:29 118080 ----a-w- c:\windows\system32\nvmctray.dll
2012-08-18 18:11 . 2012-05-15 09:29 3149632 ----a-w- c:\windows\system32\nvsvc64.dll
2012-08-18 18:11 . 2012-05-15 09:28 6151488 ----a-w- c:\windows\system32\nvcpl.dll
2012-08-18 18:11 . 2012-05-15 10:48 68928 ----a-w- c:\windows\system32\OpenCL.dll
2012-08-18 18:11 . 2012-05-15 10:48 61248 ----a-w- c:\windows\SysWow64\OpenCL.dll
2012-08-18 18:11 . 2012-08-18 18:11 -------- d-----w- c:\programdata\NVIDIA Corporation
2012-08-18 18:09 . 2012-08-18 18:09 -------- d-----w- C:\NVIDIA
2012-08-18 18:00 . 2012-09-09 23:53 -------- d-----w- c:\program files (x86)\Counter-Strike 1.6
2012-08-18 15:04 . 2012-08-18 15:04 -------- d-----w- c:\program files (x86)\Common Files\Skype
2012-08-18 15:04 . 2012-08-18 15:04 -------- d-----r- c:\program files (x86)\Skype
2012-08-18 15:04 . 2012-08-18 15:04 -------- d-----w- c:\programdata\Skype
2012-08-18 13:19 . 2012-08-18 13:19 -------- d-----w- c:\programdata\Trend Micro
2012-08-18 13:06 . 2012-08-18 13:06 -------- d-----w- c:\program files (x86)\ImgBurn
2012-08-18 11:33 . 2012-08-18 11:29 27760 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-08-18 11:33 . 2012-08-18 11:29 132832 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-08-18 11:33 . 2012-08-18 11:29 98848 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-08-18 11:33 . 2012-08-18 11:29 139360 ----a-w- c:\windows\system32\drivers\avfwot.sys
2012-08-18 11:33 . 2012-08-18 11:29 114128 ----a-w- c:\windows\system32\drivers\avfwim.sys
2012-08-18 11:33 . 2012-08-18 11:34 -------- d-----w- c:\programdata\Avira
2012-08-18 11:33 . 2012-08-18 11:33 -------- d-----w- c:\program files (x86)\Avira
2012-08-18 11:28 . 2012-08-18 11:28 287304 ----a-w- c:\windows\system32\drivers\Trufos.sys
2012-08-18 10:55 . 2012-08-18 10:55 -------- d-----w- c:\program files (x86)\WinPcap
2012-08-18 10:55 . 2012-08-18 10:55 -------- d-----w- c:\program files (x86)\Trend Micro
2012-08-18 10:54 . 2012-08-18 10:54 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-01 18:13 . 2012-08-01 18:13 41704 ----a-w- c:\windows\system32\drivers\hssdrv6.sys
2012-08-01 18:13 . 2012-08-01 18:13 38632 ----a-w- c:\windows\system32\drivers\taphss.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
"KeyScrambler"="c:\program files (x86)\KeyScrambler\keyscrambler.exe" [2012-06-08 431760]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2012-08-18 348664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\SysWOW64\guard32.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan
.
R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2012-08-19 868848]
R0 vmci;VMware VMCI Bus Driver;c:\windows\system32\DRIVERS\vmci.sys [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-13 160944]
R2 VMwareHostd;VMware Workstation Server;d:\vmware\VMware Workstation\vmware-hostd.exe [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-18 250056]
R3 ATP;Comodo Unite Miniport Driver;c:\windows\system32\DRIVERS\cmdatp.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;d:\microsoft office professional plus 2010 with service pack 1 vl en x64\Office14\GROOVE.EXE [2010-03-25 51456888]
R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-09 174440]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [2009-12-30 31800]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [2012-08-18 27760]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2012-03-11 577824]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2012-03-11 43248]
S1 HssDRV6;Hotspot Shield Routing Driver 6;c:\windows\system32\DRIVERS\hssdrv6.sys [2012-08-01 41704]
S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [2012-08-20 224088]
S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [2012-08-20 130904]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-07-27 63960]
S2 AntiVirMailService;Avira Mail Protection;c:\program files (x86)\Avira\AntiVir Desktop\avmailc.exe [2012-08-18 375760]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2012-08-18 86224]
S2 AntiVirWebService;Avira Web Protection;c:\program files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE [2012-08-18 465360]
S2 hshld;Hotspot Shield Service;c:\program files (x86)\Hotspot Shield\bin\openvpnas.exe [2012-08-03 476016]
S2 HssWd;Hotspot Shield Monitoring Service;c:\program files (x86)\Hotspot Shield\bin\hsswd.exe [2012-08-03 387440]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 47632]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-05-15 1262400]
S2 RUBotSrv;Trend Micro RUBotted Service;c:\program files (x86)\Trend Micro\RUBotted\RUBotSrv.exe [2010-12-17 439632]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-05-14 382272]
S3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-08-19 283200]
S3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2011-12-15 222904]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904]
S3 RTL8023x64;Realtek 10/100 NIC Family NDIS x64 Driver;c:\windows\system32\DRIVERS\Rtnic64.sys [2009-06-10 51712]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-06-10 187392]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [2012-08-20 147288]
S3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [2012-08-20 166232]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3785713819-1276736145-1527644736-1000Core.job
- c:\users\MOB\AppData\Local\Google\Update\GoogleUpdate.exe [2012-09-11 22:09]
.
2012-09-07 c:\windows\Tasks\UnHackMe Task Scheduler.job
- c:\program files (x86)\UnHackMe\hackmon.exe [2012-09-07 13:01]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2012-08-01 18:13 287048 ----a-w- c:\program files (x86)\Hotspot Shield\HssIE\HssIE_64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2012-03-11 9569096]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
"AppInit_DLLs"=c:\windows\System32\guard64.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: &Експортиране към Microsoft Excel - d:\micros~1\Install\Office12\EXCEL.EXE/3000
IE: E&xport to Microsoft Excel - d:\micros~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - d:\micros~2\Office14\ONBttnIE.dll/105
LSP: c:\program files (x86)\Avira\AntiVir Desktop\avsda.dll
TCP: DhcpNameServer = 46.55.222.38 46.55.222.6
TCP: Interfaces\{0F8434BD-392A-4CB8-B822-4DA2FF3553A4}: NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{5375FD3E-D877-4E30-8FCC-3DE83C92C425}: NameServer = 10.47.32.1
TCP: Interfaces\{E41DD838-B94E-45F7-B0F8-7EBFC7495412}: NameServer = 8.26.56.26,156.154.70.22
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{7473b6bd-4691-4744-a82b-7854eb3d70b6} - (no file)
WebBrowser-{7473B6BD-4691-4744-A82B-7854EB3D70B6} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-09-12 13:47:33
ComboFix-quarantined-files.txt 2012-09-12 10:47
.
Pre-Run: 325,636,096 bytes free
Post-Run: 399,728,640 bytes free
.
- - End Of File - - 1CF5AC6C4507B03B359B7A60FA99C8C0


Results of screen317's Security Check version 0.99.50
Windows 7 Service Pack 1 x64 (UAC is disabled!)
Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Disabled!
Avira Desktop
Outpost Security Suite Pro
Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.62.0.1300
Adobe Reader X (10.1.4)
Google Chrome 21.0.1180.89
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
Comodo Firewall cmdagent.exe
Comodo Firewall cfp.exe
Trend Micro RUBotted RUBotSrv.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 11% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````

Edited by nasdaq, 12 September 2012 - 07:45 AM.


#4 nasdaq

  • Malware Response Team
  • 40,754 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 12 September 2012 - 07:47 AM

I omitted to give you the link to download AdwCleaner.

Please download AdwCleaner by Xplode onto your Desktop.

Please run the tool as previously requested and post the log.

Let me know what problem persists.

#5 Zazzec
  • Topic Starter
  • Members
  • 21 posts

Posted 12 September 2012 - 05:41 PM

Sorry, I have missed that.

# AdwCleaner v2.001 - Logfile created 09/13/2012 at 01:38:15
# Updated 09/09/2012 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (64 bits)
# User : MOB - MOB-PC
# Boot Mode : Normal
# Running from : C:\Users\MOB\Downloads\adwcleaner (1).exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

Folder Found : C:\Program Files (x86)\Conduit
Folder Found : C:\Users\MOB\AppData\Local\Conduit
Folder Found : C:\Users\MOB\AppData\LocalLow\Conduit
Folder Found : C:\Users\MOB\AppData\Roaming\OpenCandy

***** [Registry] *****

Key Found : HKCU\Software\AppDataLow\Software\Conduit
Key Found : HKCU\Software\AppDataLow\Software\SmartBar
Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT3220468
Key Found : HKLM\Software\Conduit
Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Found : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Found : HKU\S-1-5-21-3785713819-1276736145-1527644736-1000\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7601.17514

[OK] Registry is clean.

-\\ Google Chrome v21.0.1180.89

File : C:\Users\MOB\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1562 octets] - [13/09/2012 01:38:15]

########## EOF - C:\AdwCleaner[R1].txt - [1622 octets] ##########


#6 nasdaq

  • Malware Response Team
  • 40,754 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 13 September 2012 - 07:02 AM

Remove the AdWare, PUP (Potentially Unwanted Program) identified by this tool.

  • Please close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with OK.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.

Any other issues with this computer?

#7 Zazzec
  • Topic Starter
  • Members
  • 21 posts

Posted 13 September 2012 - 07:31 AM

# AdwCleaner v2.001 - Logfile created 09/13/2012 at 15:26:24
# Updated 09/09/2012 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (64 bits)
# User : MOB - MOB-PC
# Boot Mode : Normal
# Running from : C:\Users\MOB\Downloads\adwcleaner (2).exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\Users\MOB\AppData\Local\Conduit
Folder Deleted : C:\Users\MOB\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\MOB\AppData\Roaming\OpenCandy

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3220468
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7601.17514

Restored : [HKCU\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-21-3785713819-1276736145-1527644736-1001\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

-\\ Google Chrome v21.0.1180.89

File : C:\Users\MOB\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1687 octets] - [13/09/2012 01:38:15]
AdwCleaner[R2].txt - [1747 octets] - [13/09/2012 15:26:15]
AdwCleaner[S2].txt - [2030 octets] - [13/09/2012 15:26:24]

########## EOF - C:\AdwCleaner[S2].txt - [2090 octets] ##########

And no, I don't have other issues other than that I'm infected with a FUD RAT.

#8 nasdaq

  • Malware Response Team
  • 40,754 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 13 September 2012 - 09:37 AM

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it.

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

Note: You may be asked if you want to download Avast Free Antivirus. I suggest you deny this download unless you do not have any Antivirus protection on the computer.
===

Execute the instructions on this page.
http://ed-allaboutcomputer.blogspot.ca/2011_11_01_archive.html

p.s.
You can first try netstat -ano only to see the image first.

Please post the aswMBR log and keep me posted on the netstat.
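The `netstat -ano` check nasdaq suggests produces a table of local and remote endpoints with the owning PID, and the triage work is joining each established session to its process name and deciding whether the remote side is inside or outside the LAN. The script below is an added example written for this thread, not code from nasdaq, BleepingComputer or the linked page: it parses a constructed `netstat -ano` dump, joins it to a constructed PID-to-image map (what `tasklist /FI "PID eq <n>"` would report), and lists every ESTABLISHED connection whose peer falls outside the private, loopback and link-local ranges. The sample rows, PIDs, process names and remote addresses are all made up for the example; a service-host process talking to an outside host on an IRC-style port is included to show the kind of row a reviewer would want to see surfaced.

```python
"""Triage a `netstat -ano` dump: join each connection to its owning
process and flag ESTABLISHED sessions to addresses outside the LAN.
Added example for this thread; sample data below is constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed sample of `netstat -ano` output (not from the thread's machine).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       712
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:49201      198.51.100.23:443      ESTABLISHED     2840
  TCP    192.168.1.5:49310      203.0.113.77:6667      ESTABLISHED     3316
  TCP    192.168.1.5:49322      192.168.1.10:445       ESTABLISHED     4
  TCP    [::]:135               [::]:0                 LISTENING       712
  UDP    0.0.0.0:5355           *:*                                    1012
"""

# Constructed PID -> image name map, as `tasklist /FI "PID eq <n>"` would report.
SAMPLE_TASKLIST = {
    4: "System",
    712: "svchost.exe",
    1012: "svchost.exe",
    2840: "chrome.exe",
    3316: "svchost.exe",  # constructed: a service host with an unexpected outbound session
}

# Address ranges treated as "inside": RFC 1918, loopback, link-local, ULA.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]


@dataclass
class Conn:
    proto: str
    local: str
    remote: str
    state: str   # empty for UDP rows, which carry no state column
    pid: int


def split_endpoint(ep):
    """'1.2.3.4:80' -> ('1.2.3.4', 80); '[::1]:80' -> ('::1', 80); '*:*' -> ('*', 0)."""
    host, _, port = ep.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else 0)


def parse_netstat(text):
    """Parse the Windows netstat -ano table; TCP rows have 5 columns, UDP rows 4."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""
        else:
            continue  # malformed row: skip rather than guess
        conns.append(Conn(proto, local, remote, state, int(pid)))
    return conns


def is_internal(host):
    """True for wildcard, private, loopback and link-local peers."""
    if host == "*":
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostnames or garbage are treated as outside
    return any(addr in net for net in INTERNAL_NETS)


def external_sessions(conns, tasklist):
    """Return (image, pid, remote host, remote port) for every ESTABLISHED
    connection whose remote side is outside INTERNAL_NETS."""
    out = []
    for c in conns:
        if c.state != "ESTABLISHED":
            continue
        host, port = split_endpoint(c.remote)
        if is_internal(host):
            continue
        out.append((tasklist.get(c.pid, "<unknown>"), c.pid, host, port))
    return out


if __name__ == "__main__":
    for image, pid, host, port in external_sessions(parse_netstat(SAMPLE_NETSTAT), SAMPLE_TASKLIST):
        print(f"{image:<14} PID {pid:<6} -> {host}:{port}")
```

On a real machine the text would come from `netstat -ano > netstat.txt` and the PID map from `tasklist`; the point of keeping the parser separate from the triage rule is that the same dump can be re-checked against other rules (unexpected listeners, sessions from processes that should never touch the network) without re-running the collection. Note that the script only reports; whether an outside session is legitimate still has to be decided per process.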

#9 Zazzec
  • Topic Starter
  • Members
  • 21 posts

Posted 15 September 2012 - 12:11 AM

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-09-14 01:43:51
-----------------------------
01:43:51.812 OS Version: Windows x64 6.1.7601 Service Pack 1
01:43:51.812 Number of processors: 4 586 0x503
01:43:51.813 ComputerName: MOB-PC UserName: MOB
01:43:52.496 Initialize success
01:44:03.930 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1
01:44:03.935 Disk 0 Vendor: ST3160811AS 3.AAE Size: 152627MB BusType: 3
01:44:03.947 Disk 0 MBR read successfully
01:44:03.954 Disk 0 MBR scan
01:44:03.960 Disk 0 Windows 7 default MBR code
01:44:03.966 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 20002 MB offset 63
01:44:03.973 Disk 0 Partition - 00 0F Extended LBA 132614 MB offset 40965750
01:44:03.996 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 132614 MB offset 40965813
01:44:04.030 Disk 0 scanning C:\Windows\system32\drivers
01:44:12.130 Service scanning
01:44:25.747 Modules scanning
01:44:25.765 Disk 0 trace - called modules:
01:44:25.781 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
01:44:25.786 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004a68060]
01:44:26.124 3 CLASSPNP.SYS[fffff8800185143f] -> nt!IofCallDriver -> [0xfffffa80047d49b0]
01:44:26.137 5 ACPI.sys[fffff88000fb47a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-1[0xfffffa80047e4060]
01:44:26.150 Scan finished successfully
01:44:38.793 Disk 0 MBR has been saved successfully to "C:\Users\MOB\Downloads\MBR.dat"
01:44:38.799 The log file has been saved successfully to "C:\Users\MOB\Downloads\aswMBR.txt"

I'm not able to attach the mbr.dat, as normal and as archive, due to the "You aren't permitted to upload this kind of file" error.
And about "netstat" and CurrPorts, I have checked over 15-20 times and haven't seen any suspicious connection.

Edited by nasdaq, 15 September 2012 - 07:48 AM.


#10 nasdaq

  • Malware Response Team
  • 40,754 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 15 September 2012 - 07:53 AM

Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

Your MBR is clean; I do not need to see the mbr.dat file. As noted, the file was to have been compressed for you to be able to attach it.

===

As a last check.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


#11 Zazzec
  • Topic Starter
  • Members
  • 21 posts

Posted 16 September 2012 - 11:27 AM

ESET scanner detected nothing.
Well, I know that those nasty s***ts that I'm infected with aren't easy to remove, but can you make me a recommendation on what to do to fully remove them?

#12 nasdaq

  • Malware Response Team
  • 40,754 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 16 September 2012 - 01:09 PM

All your logs are clean.

It's difficult to remove something that I cannot see.

Download this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a flash drive.

Plug the flash drive into the infected PC.

Restart your computer and tap F8 to bring up the Advanced Menu, then click Repair your computer.

Follow the prompt to enter keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply click Enter.

In the next menu, use the arrow keys on the keyboard to highlight Command Prompt and press Enter.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64.exe and press Enter. Or FRST.exe if 32 bit system.

    Note: Replace letter e with the drive letter of your flash drive.

  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Explain to me the difficulties you are having with this computer.

#13 Zazzec
  • Topic Starter
  • Members
  • 21 posts

Posted 18 September 2012 - 01:44 PM

I'm not able to do the step in red:

Plug the flash drive into the infected PC.

Restart your computer and tap F8 to bring up the Advanced Menu, then click Repair your computer

Follow the prompt to enter keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply click Enter.

In the next menu, use the arrow keys on the keyboard to highlight Command Prompt and press Enter.
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst64.exe and press Enter. Or FRST.exe if 32 bit system.



After I type this - G:\FRST.exe, also tried FRST.exe. Both don't work and give me this "error":
"the system needed to support the image type is not present" ...

Edited by Zazzec, 18 September 2012 - 04:24 PM.


#14 nasdaq

  • Malware Response Team
  • 40,754 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 19 September 2012 - 08:25 AM

Did you download the 64bit version?

#15 Zazzec
  • Topic Starter
  • Members
  • 21 posts

Posted 20 September 2012 - 07:13 AM

Yes, of course.



