It all started this morning...


14 replies to this topic

#1 draculamolecula (Members, 21 posts)
Posted 11 September 2012 - 11:34 AM

Hello from Latvia. I'm new to these threads and really in need of help from you guys. This afternoon I discovered, with the help of my dear AVG antivirus, a serious problem. First of all, Firefox was spontaneously exiting, and then suddenly two software installation warnings appeared: one about an Adobe Flash update (well, the usual thing, as I didn't update for months), and the second was from "Windows manager" or something about my hardware (I thought to myself: this is strange, should I click it? NO, I cancelled it several times, but it appeared again after I closed it). So I looked it up, scanned my whole disk with AVG, and what do I see: IRP HOOK, \driver\iaStor IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0xFFFFFA80033D5334. I can't say what this thing is, but it keeps coming back. And other results too:
GMER:
(although I was only able to mark the "Services", "Registry", "Files" and "ADS" boxes)
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-09-11 19:28:43
Windows 6.1.7601 Service Pack 1
Running: 3iyiuddq.exe


---- Files - GMER 1.0.15 ----

File C:\ADSM_PData_0150 0 bytes
File C:\ADSM_PData_0150\DB 0 bytes
File C:\ADSM_PData_0150\DB\SI.db 624 bytes
File C:\ADSM_PData_0150\DB\UL.db 16 bytes
File C:\ADSM_PData_0150\DB\VL.db 16 bytes
File C:\ADSM_PData_0150\DB\WAL.db 2048 bytes
File C:\ADSM_PData_0150\DragWait.exe 315392 bytes executable
File C:\ADSM_PData_0150\_avt 512 bytes

---- EOF - GMER 1.0.15 ----
(Hmm, this time I scanned there was no longer a file that started with avg... I have read that some malware files masquerade as AVG files.)


DDS:
Attached: Attach.txt (5.52KB) and DDS.txt (19.72KB)




#2 draculamolecula (Topic Starter, Members, 21 posts)
Posted 12 September 2012 - 04:40 AM

Just updating the situation (day 2):
The situation is now, I hope, not critical, but stuff is happening. When I attach my USB devices, they can't be safely ejected because some processes are running.
Second thing is my browsers: they are super slow, but I have pretty expensive optical internet.
My music folders are now full of album art picture copies (example: AlbumArt_{6C468227-E2E3-4D4E-8EBD-02490C015732}_Large) and configuration setting files with a transparent icon (they are also on my desktop) with some code I don't understand:
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21769
IconResource=%SystemRoot%\system32\imageres.dll,-183

Also my laptop is behaving funny: it couldn't load Adobe drivers or find Google, and CPU is almost 100% because of Firefox.
The Kaspersky TDSS rootkit removal tool is not running.
I feel paranoid and delusional. Yesterday I watched "The Possession"; I think my laptop's having demons. :))
Hope for a quick reply, guys, before I am forced to format my disk...
HEHE, still no one? HUH, well, I had to experiment and used the Rkill program. The results:
Rkill 2.3.11 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 09/13/2012 12:11:07 AM in x64 mode.
Windows Version: Windows 7 Ultimate Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* C:\Windows\SysWOW64\ACEngSvr.exe (PID: 2588) [WD-HEUR]

1 proccess terminated!

Checking Registry for malware related settings:

* Explorer Policy Removed: NoActiveDesktopChanges [HKLM]

Backup Registry file created at:
C:\Users\John Doe\Desktop\rkill\rkill-09-13-2012-12-11-14.reg

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Defender Disabled

[HKLM\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001

* ALERT: ZEROACCESS rootkit symptoms found!

* HKEY_CLASSES_ROOT\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 [ZA Reg Hijack]
* C:\$Recycle.Bin\S-1-5-21-2858585086-1713080278-810761171-1000\$c810a1c9787e55db375c0c5d8f7a50be\ [ZA Dir]
* C:\$Recycle.Bin\S-1-5-21-2858585086-1713080278-810761171-1000\$c810a1c9787e55db375c0c5d8f7a50be\@ [ZA File]
* C:\$Recycle.Bin\S-1-5-21-2858585086-1713080278-810761171-1000\$c810a1c9787e55db375c0c5d8f7a50be\L\ [ZA Dir]
* C:\$Recycle.Bin\S-1-5-21-2858585086-1713080278-810761171-1000\$c810a1c9787e55db375c0c5d8f7a50be\U\ [ZA Dir]

Checking Windows Service Integrity:

* Windows Firewall Authorization Driver (mpsdrv) is not Running.
Startup Type set to: Manual

* BFE [Missing Service]
* iphlpsvc [Missing Service]
* MpsSvc [Missing Service]
* WinDefend [Missing Service]
* wscsvc [Missing Service]

* SharedAccess [Missing ImagePath]

Searching for Missing Digital Signatures:

* No issues found.

Program finished at: 09/13/2012 12:11:15 AM
Execution time: 0 hours(s), 0 minute(s), and 8 seconds(s)

I suspect that my information has been jacked...

Edited by draculamolecula, 12 September 2012 - 04:16 PM.
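The Rkill report in the post above is the first hard evidence in the thread: the "[ZA ...]" lines point at ZeroAccess's file store under $Recycle.Bin\<user SID>\$<32 hex characters>\ with its @, L and U entries, and the service-integrity section shows the Windows Firewall (BFE, MpsSvc), Security Center (wscsvc) and Defender (WinDefend) service keys gone. The Python below is an added example, not code from Rkill, BleepingComputer or anyone posting in this thread. It parses such a report into structured findings and ranks them; the sample log is constructed to mirror the indicator lines posted above, and the regexes, the set of security services and the severity ladder are this example's own assumptions rather than anything Rkill exposes.

```python
"""Triage an Rkill report for ZeroAccess indicators and security-service tampering.

Added example for this thread; not code from Rkill or from anyone posting here.
SAMPLE_RKILL_LOG is constructed to mirror the indicator lines of the first Rkill
run posted above and is not a verbatim copy of the user's log.
"""
import re
from dataclasses import dataclass, field

SAMPLE_RKILL_LOG = r"""
Checking for processes to terminate:
 * C:\Windows\SysWOW64\ACEngSvr.exe (PID: 2588) [WD-HEUR]
Performing miscellaneous checks:
 * Windows Defender Disabled
[HKLM\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001
 * ALERT: ZEROACCESS rootkit symptoms found!
 * HKEY_CLASSES_ROOT\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 [ZA Reg Hijack]
 * C:\$Recycle.Bin\S-1-5-21-2858585086-1713080278-810761171-1000\$c810a1c9787e55db375c0c5d8f7a50be\ [ZA Dir]
 * C:\$Recycle.Bin\S-1-5-21-2858585086-1713080278-810761171-1000\$c810a1c9787e55db375c0c5d8f7a50be\@ [ZA File]
 * C:\$Recycle.Bin\S-1-5-21-2858585086-1713080278-810761171-1000\$c810a1c9787e55db375c0c5d8f7a50be\L\ [ZA Dir]
 * C:\$Recycle.Bin\S-1-5-21-2858585086-1713080278-810761171-1000\$c810a1c9787e55db375c0c5d8f7a50be\U\ [ZA Dir]
Checking Windows Service Integrity:
 * BFE [Missing Service]
 * MpsSvc [Missing Service]
 * WinDefend [Missing Service]
 * wscsvc [Missing Service]
 * SharedAccess [Missing ImagePath]
"""

# One "* ..." finding line; everything else in the report is section text.
ITEM_RE = re.compile(r"^\s*\*\s+(?P<body>.+?)\s*$")
PROC_RE = re.compile(r"^(?P<path>.+?) \(PID: (?P<pid>\d+)\) \[(?P<tag>[^\]]+)\]$")
ZA_RE = re.compile(r"^(?P<target>.+?) \[ZA (?P<kind>Reg Hijack|Dir|File)\]$")
# ZeroAccess file store: $Recycle.Bin\<user SID>\$<32 hex chars>\ holding @, L and U.
ZA_STORE_RE = re.compile(r"\\\$Recycle\.Bin\\(?P<sid>S-1-5-21(?:-\d+){4})\\\$(?P<name>[0-9a-f]{32})\\", re.I)
MISSING_SVC_RE = re.compile(r"^(?P<svc>\S+) \[Missing Service\]$")
MISSING_IMAGE_RE = re.compile(r"^(?P<svc>\S+) \[Missing ImagePath\]$")
BAD_DLL_RE = re.compile(r"^(?P<svc>\S+) => (?P<dll>.+?) \[Incorrect ServiceDLL\]$")

# Firewall, Security Center, Defender, IP Helper and ICS: the services this
# thread's Rkill runs reported as missing or hijacked (assumed watch list).
SECURITY_SERVICES = {"BFE", "MpsSvc", "WinDefend", "wscsvc", "iphlpsvc", "SharedAccess"}


@dataclass
class RkillFindings:
    terminated: list = field(default_factory=list)        # (path, pid, detection tag)
    za_items: list = field(default_factory=list)          # (kind, registry key or path)
    za_stores: set = field(default_factory=set)           # (user SID, 32-hex folder name)
    missing_services: list = field(default_factory=list)
    missing_imagepath: list = field(default_factory=list)
    bad_servicedll: list = field(default_factory=list)    # (service, ServiceDll path)
    defender_disabled: bool = False
    za_alert: bool = False

    def tampered_security_services(self):
        touched = set(self.missing_services) | set(self.missing_imagepath)
        touched |= {svc for svc, _ in self.bad_servicedll}
        return sorted(touched & SECURITY_SERVICES, key=str.lower)

    def severity(self):
        """Rootkit evidence outranks disabled protection, which outranks a killed process."""
        if self.za_alert or self.za_items or self.za_stores or self.bad_servicedll:
            return "rootkit"
        if self.tampered_security_services() or self.defender_disabled:
            return "tampered"
        if self.terminated:
            return "suspicious"
        return "clean"


def parse_rkill(text: str) -> RkillFindings:
    """Walk the report line by line and bucket each finding by its Rkill tag."""
    f = RkillFindings()
    for line in text.splitlines():
        if "ZEROACCESS" in line.upper():
            f.za_alert = True
        if "Windows Defender Disabled" in line:
            f.defender_disabled = True
        item = ITEM_RE.match(line)
        if not item:
            continue
        body = item.group("body")
        if (m := PROC_RE.match(body)):
            f.terminated.append((m["path"], int(m["pid"]), m["tag"]))
        elif (m := ZA_RE.match(body)):
            f.za_items.append((m["kind"], m["target"]))
            if (store := ZA_STORE_RE.search(m["target"])):
                f.za_stores.add((store["sid"], store["name"].lower()))
        elif (m := MISSING_SVC_RE.match(body)):
            f.missing_services.append(m["svc"])
        elif (m := MISSING_IMAGE_RE.match(body)):
            f.missing_imagepath.append(m["svc"])
        elif (m := BAD_DLL_RE.match(body)):
            f.bad_servicedll.append((m["svc"], m["dll"]))
    return f
```

Run `parse_rkill(open("rkill.log").read())` on a saved report and look at `severity()` first: the same $-prefixed 32-hex folder under the user's Recycle Bin shows up in every later tool's output in this thread, so `za_stores` is the value worth carrying into the next step.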


#3 nasdaq (Malware Response Team, 39,578 posts, Montreal, QC, Canada)
Posted 13 September 2012 - 08:21 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please Download
TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double-click aswMBR.exe to run it.

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please post the logs for my review.

#4 draculamolecula (Topic Starter, Members, 21 posts)
Posted 13 September 2012 - 10:11 AM

OH hiiiii, I hope you'll help, because my computer is now insane and slow. Nope, both of these programs are blocked by malware (User Account Control); they won't run. My virus is naaaasty. Well, I can show some changes on my computer. Guess better than nothing.
http://imageshack.us/photo/my-images/819/proof3e.png
http://imageshack.us/photo/my-images/853/proof2qy.png
http://imageshack.us/photo/my-images/651/proof1jp.png
Besides, I can't use the desktop normally, only through the path. Found that in Task Manager there are a few more svchost.exe's than I had.
I have a log from the UnHackMe program, which diagnosed and deleted a few of the corrupted rootkit files (ZeroAccess in the Recycle Bin), but it seems it failed at finding every one of them.
Also I have read one article about a similar problem:
"SOFTPEDIA.COM – “TROJAN MASQUERADES AS ADOBE READER UPDATER
The trojan creates a registry entry called Adobe Update Manager under HKLM\Software\Microsoft\Windows\CurrentVersion\Run pointing to where the legit AdobeUpdater.exe should normally reside. Otherwise, a file named AdobeUpdater.exe appearing in a process or startup listings with a different path would look very suspicious.

After infecting a computer, the trojan starts several services if they are not already running, including DHCP client, DNS client and network share. It also opens a special port in order to listen for commands from the hackers.

Adobe is not the only company whose products are targeted by this threat. The update component from Oracle’s newly acquired Java Runtime Environment is also masqueraded and deleted. BKIS has seen a variant of this trojan using the “C:\Program Files\Java\jre6\bin\jucheck.exe” path and file name.”


Edited by draculamolecula, 13 September 2012 - 10:53 AM.


#5 nasdaq (Malware Response Team, 39,578 posts, Montreal, QC, Canada)
Posted 13 September 2012 - 10:41 AM

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 3 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.

rkill.exe
rkill.com
rkill.scr

It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested on another computer and then transfer them to the desktop of the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

When completed it will create a log. Please post the content on your next reply.

Before you post your log, and without restarting the computer, try to run the two tools I suggested.

p.s. please do not post logs from programs I'm not requesting. The last one I know nothing about.

#6 draculamolecula (Topic Starter, Members, 21 posts)
Posted 13 September 2012 - 11:37 AM

The computer is still prompting about running TDSSKiller and that Avast file, and afterwards nothing happens, silently. So Rkill did run; I'll post the log:

Rkill 2.3.14 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 09/13/2012 07:27:33 PM in x64 mode.
Windows Version: Windows 7 Ultimate Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* C:\Windows\SysWOW64\ACEngSvr.exe (PID: 2300) [WD-HEUR]

1 proccess terminated!

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Defender Disabled

[HKLM\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

* Windows Firewall Authorization Driver (mpsdrv) is not Running.
Startup Type set to: Manual

* iphlpsvc [Missing Service]
* MpsSvc [Missing Service]

* WinDefend => %ProgramFiles(x86)%\Windows Defender\mpsvc.dll [Incorrect ServiceDLL]

Searching for Missing Digital Signatures:

* No issues found.

Program finished at: 09/13/2012 07:28:15 PM
Execution time: 0 hours(s), 0 minute(s), and 41 seconds(s)

#7 nasdaq (Malware Response Team, 39,578 posts, Montreal, QC, Canada)
Posted 13 September 2012 - 01:03 PM

* Windows Firewall Authorization Driver (mpsdrv) is not Running.
Startup Type set to: Manual

* iphlpsvc [Missing Service]
* MpsSvc [Missing Service]

* WinDefend => %ProgramFiles(x86)%\Windows Defender\mpsvc.dll [Incorrect ServiceDLL]


===

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
===

Download this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a flash drive.

Plug the flash drive into the infected PC.

Restart your computer and tap F8 to bring up the Advanced Menu, then click Repair your computer

Follow the prompt to enter the keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply press Enter.

In the next menu, use the arrow keys on the keyboard to highlight Command Prompt and press Enter.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer", find your flash drive letter, and close Notepad.
  • In the command window type e:\frst64.exe and press Enter. Or FRST.exe if 32 bit system.

    Note: Replace letter e with the drive letter of your flash drive.

  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

p.s.
Please note that these are two different programs.

#8 draculamolecula (Topic Starter, Members, 21 posts)
Posted 14 September 2012 - 06:58 AM

Yeah, so... another day, another problem: pressing F8, entering the Advanced menu, pressing Repair your computer aaand the loading screen takes forever; it took an hour, think it's a no-go. At least here are the first Farbar Service Scanner results:
Farbar Service Scanner Version: 06-08-2012
Ran by John Doe (administrator) on 13-09-2012 at 21:53:11
Running from "C:\Users\John Doe\Downloads"
Microsoft Windows 7 Ultimate Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend: "%ProgramFiles(x86)%\Windows Defender\mpsvc.dll".


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2012-09-12 16:18] - [2012-08-22 21:12] - 1913200 ____A (Microsoft Corporation) F782CAD3CEDBB3F9FFE3BF2775D92DDC

C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****


YESs, finally some progress today. I had copied the clean TDSSKiller download from a flash memory stick, and at first it didn't work, but then after rebooting and copying tdss.exe several times, tdss.exe(3) made it!! It found a rootkit on a physical drive and quarantined 29 files! Dunno if my computer is clean for sure. But AVG didn't find anything it didn't like :)

Edited by draculamolecula, 14 September 2012 - 07:45 AM.
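The Farbar Service Scanner log in the post above shows what "missing service" means in registry terms: the key HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc does not exist at all, while WinDefend still exists but its ServiceDll points at %ProgramFiles(x86)%\Windows Defender\mpsvc.dll even though the file check marks C:\Program Files\Windows Defender\MpSvc.dll as the legitimate copy on this 64-bit host. The Python below is an added example (not code from Farbar Service Scanner, Rkill or anyone in this thread) that performs that kind of check against a snapshot of the service keys and then verifies that a repair took. The "before" and "after" snapshots are constructed dicts standing in for the registry keys, and the reference values are assumed from a clean Windows 7 x64 install; on a real machine you would read the keys with reg.exe or PowerShell and take the reference values from a known-good box of the same build.

```python
r"""FSS-style integrity check of the service registry keys ZeroAccess tampered with.

Added example for this thread; not code from Farbar Service Scanner or Rkill.
The snapshots are constructed dicts standing in for
HKLM\SYSTEM\CurrentControlSet\Services\<name> (ServiceDll normally lives in the
Parameters subkey; it is flattened here). REFERENCE values are assumed from a
clean Windows 7 x64 install; verify them against a known-good box of the same build.
"""
import re

REFERENCE = {
    "MpsSvc":    {"Start": 2, "ServiceDll": r"%SystemRoot%\system32\mpssvc.dll"},
    "BFE":       {"Start": 2, "ServiceDll": r"%SystemRoot%\System32\bfe.dll"},
    "WinDefend": {"Start": 2, "ServiceDll": r"%ProgramFiles%\Windows Defender\MpSvc.dll"},
    "wscsvc":    {"Start": 2, "ServiceDll": r"%SystemRoot%\System32\wscsvc.dll"},
    "iphlpsvc":  {"Start": 2, "ServiceDll": r"%SystemRoot%\System32\iphlpsvc.dll"},
}
# All five are svchost-hosted; only the host binary is checked, not the -k group.
SVCHOST_RE = re.compile(r"^%SystemRoot%\\system32\\svchost\.exe -k \S+$", re.I)
# On x64, a native service DLL under a 32-bit location is the hijack pattern in this thread.
WOW64_RE = re.compile(r"%ProgramFiles\(x86\)%|\\SysWOW64\\|\\Program Files \(x86\)\\", re.I)

# Constructed "before" state mirroring the FSS/Rkill findings posted above:
# MpsSvc and iphlpsvc keys deleted, WinDefend ServiceDll redirected to an x86 path.
BEFORE_SNAPSHOT = {
    "BFE": {"Start": 2,
            "ImagePath": r"%SystemRoot%\system32\svchost.exe -k LocalServiceNoNetwork",
            "ServiceDll": r"%SystemRoot%\System32\bfe.dll"},
    "WinDefend": {"Start": 2,
                  "ImagePath": r"%SystemRoot%\System32\svchost.exe -k secsvcs",
                  "ServiceDll": r"%ProgramFiles(x86)%\Windows Defender\mpsvc.dll"},
    "wscsvc": {"Start": 2,
               "ImagePath": r"%SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted",
               "ServiceDll": r"%SystemRoot%\System32\wscsvc.dll"},
}
# Constructed "after" state: keys recreated and ServiceDll restored (-k groups assumed).
AFTER_SNAPSHOT = {
    **BEFORE_SNAPSHOT,
    "MpsSvc": {"Start": 2,
               "ImagePath": r"%SystemRoot%\system32\svchost.exe -k LocalServiceNoNetwork",
               "ServiceDll": r"%SystemRoot%\system32\mpssvc.dll"},
    "iphlpsvc": {"Start": 2,
                 "ImagePath": r"%SystemRoot%\System32\svchost.exe -k NetSvcs",
                 "ServiceDll": r"%SystemRoot%\System32\iphlpsvc.dll"},
    "WinDefend": {**BEFORE_SNAPSHOT["WinDefend"],
                  "ServiceDll": r"%ProgramFiles%\Windows Defender\MpSvc.dll"},
}


def _norm(path: str) -> str:
    """Registry paths are case-insensitive and sometimes quoted; compare them loosely."""
    return path.strip().strip('"').lower()


def check_service(name, key):
    """Return (service, problem) tuples for one service; an empty list means it matches the reference."""
    ref = REFERENCE[name]
    if key is None:
        return [(name, "service key does not exist")]
    problems = []
    if key.get("Start") != ref["Start"]:
        problems.append((name, f"Start={key.get('Start')!r}, expected {ref['Start']}"))
    image = key.get("ImagePath")
    if image is None or not SVCHOST_RE.match(image.strip()):
        problems.append((name, f"ImagePath={image!r} is not the svchost.exe host"))
    dll = key.get("ServiceDll")
    if dll is None:
        problems.append((name, "ServiceDll missing"))
    elif _norm(dll) != _norm(ref["ServiceDll"]):
        why = "32-bit location on a 64-bit host" if WOW64_RE.search(dll) else "unexpected path"
        problems.append((name, f"ServiceDll={dll} ({why})"))
    return problems


def check_services(snapshot):
    """Check every reference service; a deleted key is reported, never skipped."""
    problems = []
    for name in REFERENCE:
        problems.extend(check_service(name, snapshot.get(name)))
    return problems


def verify_repair(before, after):
    """Return (fixed, still_broken) service names after a .reg merge or other repair."""
    broken_before = {svc for svc, _ in check_services(before)}
    broken_after = {svc for svc, _ in check_services(after)}
    return (sorted(broken_before - broken_after, key=str.lower),
            sorted(broken_after, key=str.lower))
```

The point of `verify_repair` is the second element: after merging the .reg files, any service still listed there means the key came back wrong (or was deleted again), which is exactly the case a fresh FSS log is asked for in this thread.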


#9 nasdaq (Malware Response Team, 39,578 posts, Montreal, QC, Canada)
Posted 14 September 2012 - 08:36 AM

Please download the Seven.zip file from here: http://www.smartestc...y-network-keys/
Unzip the file to a temporary folder on your desktop.

These files will be extracted:
afd.reg
bit.reg
bfe.reg
mpssvc.reg
nsiproxy.reg
sdrsvc.reg
tdx.reg
wscsvc.reg
windefend.reg
wuauserv.reg

legacy_afd.reg
legacy_bfe.reg
Legacy_bit.reg
legacy_mpssvc.reg
legacy_nsiproxy.reg
legacy_sdrsvc.reg
legacy_tdx.reg
Legacy_windefend.reg
legacy_wscsvc.reg
legacy_wuauserv.reg

start_services.bat


Double-click on mpssvc.reg and legacy_mpssvc.reg, each of the 2 .reg files in turn, and click Yes to add it to the Registry.
Allow the registry merge.
When the 2 files have been executed:

Restart computer normally.

===

Run the Farbar Service Scanner again and post a fresh log.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
==============

Please post the logs and let me know what problem persists.

#10 draculamolecula (Topic Starter, Members, 21 posts)
Posted 14 September 2012 - 10:20 AM

legacy_mpssvc.reg cannot import Error accessing the registry. Should I proceed anyway?

#11 nasdaq (Malware Response Team, 39,578 posts, Montreal, QC, Canada)
Posted 14 September 2012 - 01:09 PM

Yes, close any application and restart the computer.

Post the logs and let me know the status of the internet.

#12 draculamolecula (Topic Starter, Members, 21 posts)
Posted 14 September 2012 - 03:56 PM

Okaay, the process went fine, actually both of them. But I noticed some fishy thing when I start Skype: it automatically triggers somehow to UPDATE ADOBE, huuuh, how's that possible?
Oh yeah, the logs:
Farbar Service Scanner Version: 06-08-2012
Ran by John Doe (administrator) on 14-09-2012 at 22:34:56
Running from "C:\Users\John Doe\Downloads"
Microsoft Windows 7 Ultimate Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2012-09-12 16:18] - [2012-08-22 21:12] - 1913200 ____A (Microsoft Corporation) F782CAD3CEDBB3F9FFE3BF2775D92DDC

C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****
+ ComboFix:

ComboFix 12-09-14.03 - John Doe 14-Sep-12 23:33:29.5.2 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2989.1877 [GMT 3:00]
Running from: c:\users\John Doe\Desktop\SHUH.exe
AV: AVG Internet Security 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
FW: AVG Internet Security 2012 *Disabled* {621CC794-9486-F902-D092-0484E8EA828B}
SP: AVG Internet Security 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Infected copy of c:\windows\SysWow64\userinit.exe was found and disinfected
Restored copy from - c:\windows\erdnt\cache86\userinit.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-08-14 to 2012-09-14 )))))))))))))))))))))))))))))))
.
.
2012-09-14 20:41 . 2012-09-14 20:41 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-14 13:20 . 2012-09-14 13:27 -------- d-----w- c:\program files (x86)\Unlocker
2012-09-14 12:29 . 2012-09-14 12:29 -------- d-----w- C:\TDSSKiller_Quarantine
2012-09-13 16:00 . 2012-09-13 16:00 -------- d-----w- c:\users\John Doe\AppData\Roaming\Malwarebytes
2012-09-13 16:00 . 2012-09-13 16:00 -------- d-----w- c:\programdata\Malwarebytes
2012-09-13 16:00 . 2012-09-13 16:02 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-09-13 12:37 . 2012-09-13 12:37 -------- d-----w- c:\users\John Doe\DoctorWeb
2012-09-13 12:30 . 2012-09-13 12:30 -------- d-----w- c:\users\John Doe\AppData\Local\Adobe
2012-09-13 12:09 . 2012-09-13 12:09 -------- d-----w- c:\program files\trend micro
2012-09-13 12:09 . 2012-09-13 14:23 -------- d-----w- C:\rsit
2012-09-13 08:23 . 2009-07-14 00:10 21504 ----a-w- c:\windows\system32\drivers\ws2ifsl.sys
2012-09-13 06:32 . 2012-09-13 06:32 -------- d-----w- C:\Backreg
2012-09-12 15:16 . 2012-09-12 15:18 -------- d-----w- C:\BackSys
2012-09-12 14:14 . 2012-09-12 14:14 39184 ----a-w- c:\windows\system32\Partizan.exe
2012-09-12 14:06 . 2012-09-12 14:06 2 --shatr- c:\windows\winstart.bat
2012-09-12 14:06 . 2012-09-14 20:29 -------- d-----w- c:\programdata\RegRun
2012-09-12 14:06 . 2012-09-14 20:30 -------- d-----w- c:\program files (x86)\DLJA PIDARASOV
2012-09-12 13:18 . 2012-08-22 18:12 1913200 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-09-12 13:18 . 2012-08-22 18:12 376688 ----a-w- c:\windows\system32\drivers\netio.sys
2012-09-12 13:18 . 2012-08-22 18:12 288624 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2012-09-12 13:18 . 2012-08-22 18:12 950128 ----a-w- c:\windows\system32\drivers\ndis.sys
2012-09-12 13:18 . 2012-08-02 17:58 574464 ----a-w- c:\windows\system32\d3d10level9.dll
2012-09-12 13:18 . 2012-08-02 16:57 490496 ----a-w- c:\windows\SysWow64\d3d10level9.dll
2012-09-12 13:18 . 2012-07-04 20:26 41472 ----a-w- c:\windows\system32\drivers\RNDISMP.sys
2012-09-11 13:58 . 2012-09-11 13:58 -------- d-----w- c:\users\John Doe\AppData\Local\Macromedia
2012-09-04 20:39 . 2012-09-04 20:39 -------- d-----w- c:\program files (x86)\MDickie
2012-09-04 14:06 . 2012-09-04 14:06 31080 ----a-w- c:\windows\system32\drivers\avgtpx64.sys
2012-08-24 12:43 . 2012-08-24 12:43 384352 ----a-w- c:\windows\system32\drivers\avgtdia.sys
2012-08-17 20:37 . 2012-08-17 20:37 -------- d-----w- c:\users\John Doe\AppData\Roaming\Atari
2012-08-17 20:37 . 2012-08-17 20:37 -------- d-----w- c:\users\John Doe\AppData\Local\Atari
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-13 06:45 . 2012-04-11 18:42 64462936 ----a-w- c:\windows\system32\MRT.exe
2012-07-26 00:21 . 2012-07-26 00:21 291680 ----a-w- c:\windows\system32\drivers\avgldx64.sys
2012-07-18 18:15 . 2012-08-15 09:04 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-07-04 22:16 . 2012-08-15 09:04 73216 ----a-w- c:\windows\system32\netapi32.dll
2012-07-04 22:13 . 2012-08-15 09:04 59392 ----a-w- c:\windows\system32\browcli.dll
2012-07-04 22:13 . 2012-08-15 09:04 136704 ----a-w- c:\windows\system32\browser.dll
2012-07-04 21:14 . 2012-08-15 09:04 41984 ----a-w- c:\windows\SysWow64\browcli.dll
2012-06-29 04:55 . 2012-08-15 19:51 17809920 ----a-w- c:\windows\system32\mshtml.dll
2012-06-29 04:09 . 2012-08-15 19:51 10925568 ----a-w- c:\windows\system32\ieframe.dll
2012-06-29 03:56 . 2012-08-15 19:51 2312704 ----a-w- c:\windows\system32\jscript9.dll
2012-06-29 03:49 . 2012-08-15 19:51 1346048 ----a-w- c:\windows\system32\urlmon.dll
2012-06-29 03:49 . 2012-08-15 19:51 1392128 ----a-w- c:\windows\system32\wininet.dll
2012-06-29 03:48 . 2012-08-15 19:51 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-29 03:47 . 2012-08-15 19:51 237056 ----a-w- c:\windows\system32\url.dll
2012-06-29 03:45 . 2012-08-15 19:51 85504 ----a-w- c:\windows\system32\jsproxy.dll
2012-06-29 03:44 . 2012-08-15 19:51 816640 ----a-w- c:\windows\system32\jscript.dll
2012-06-29 03:43 . 2012-08-15 19:51 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-29 03:42 . 2012-08-15 19:51 2144768 ----a-w- c:\windows\system32\iertutil.dll
2012-06-29 03:40 . 2012-08-15 19:51 96768 ----a-w- c:\windows\system32\mshtmled.dll
2012-06-29 03:39 . 2012-08-15 19:51 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-29 03:35 . 2012-08-15 19:51 248320 ----a-w- c:\windows\system32\ieui.dll
2012-06-29 00:16 . 2012-08-15 19:51 1800704 ----a-w- c:\windows\SysWow64\jscript9.dll
2012-06-29 00:09 . 2012-08-15 19:51 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
2012-06-29 00:08 . 2012-08-15 19:51 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2012-06-29 00:04 . 2012-08-15 19:51 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2012-06-29 00:00 . 2012-08-15 19:51 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
.
.
((((((((((((((((((((((((((((( SnapShot@2012-09-14_20.22.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-21 03:09 . 2012-09-14 20:30 54236 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-09-14 20:30 43062 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2009-07-14 05:10 . 2012-09-14 20:10 43062 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2012-03-11 20:07 . 2012-09-14 20:30 14468 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2858585086-1713080278-810761171-1000_UserData.bin
+ 2012-09-14 20:42 . 2012-09-14 20:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-09-14 20:21 . 2012-09-14 20:21 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-09-14 20:42 . 2012-09-14 20:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-09-14 20:21 . 2012-09-14 20:21 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-07-10 15:53 . 2012-09-14 20:15 684128 c:\windows\system32\perfh019.dat
+ 2012-07-10 15:53 . 2012-09-14 20:33 684128 c:\windows\system32\perfh019.dat
- 2009-07-14 02:36 . 2012-09-14 20:15 624178 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-09-14 20:33 624178 c:\windows\system32\perfh009.dat
+ 2012-07-10 15:53 . 2012-09-14 20:33 132650 c:\windows\system32\perfc019.dat
- 2012-07-10 15:53 . 2012-09-14 20:15 132650 c:\windows\system32\perfc019.dat
+ 2009-07-14 02:36 . 2012-09-14 20:33 106522 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-09-14 20:15 106522 c:\windows\system32\perfc009.dat
+ 2009-07-14 05:01 . 2012-09-14 20:41 419540 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-09-14 20:20 419540 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2012-05-29 22:25 . 2012-09-14 20:41 1379856 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2012-05-29 22:25 . 2012-09-14 20:20 1379856 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2012-03-11 23:27 . 2012-09-14 20:20 49410408 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2858585086-1713080278-810761171-1000-8192.dat
+ 2012-03-11 23:27 . 2012-09-14 20:41 49410408 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2858585086-1713080278-810761171-1000-8192.dat
+ 2012-03-11 23:27 . 2012-09-14 20:41 10483380 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2858585086-1713080278-810761171-1000-12288.dat
- 2012-03-11 23:27 . 2012-09-14 20:20 10483380 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2858585086-1713080278-810761171-1000-12288.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-09-04 14:06 1734240 ----a-w- c:\program files (x86)\AVG Secure Search\12.2.5.32\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files (x86)\AVG Secure Search\12.2.5.32\AVG Secure Search_toolbar.dll" [2012-09-04 1734240]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]
@="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
[HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
2007-06-01 15:08 143360 ----a-w- c:\program files (x86)\ASUS\ASUS Data Security Manager\ShlExt\x86\OverlayIconShlExt1.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2010-09-02 13351304]
"AdobeBridge"="" [BU]
"uTorrent"="c:\program files (x86)\uTorrent\uTorrent.exe" [2012-05-14 880496]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-08-11 98304]
"ATKMEDIA"="c:\program files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe" [2010-05-03 170624]
"HControlUser"="c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe" [2009-06-19 105016]
"Wireless Console 3"="c:\program files (x86)\ASUS\Wireless Console 3\wcourier.exe" [2010-07-02 1597440]
"UpdateLBPShortCut"="c:\program files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-02-21 222504]
"UpdateP2GoShortCut"="c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-09-24 210216]
"vProt"="c:\program files (x86)\AVG Secure Search\vprot.exe" [2012-09-04 947808]
"PWRISOVM.EXE"="c:\program files (x86)\PowerISO\PWRISOVM.EXE" [2012-02-09 312376]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-07-31 2596984]
"ADSMTray"="c:\program files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe" [2009-06-24 272952]
"ASUS Screen Saver Protector"="c:\windows\AsScrPro.exe" [2012-03-11 3054136]
"CLMLServer"="c:\program files (x86)\CyberLink\Power2Go\CLMLSvc.exe" [2008-07-18 104936]
"RemoteControl"="c:\program files (x86)\CyberLink\PowerDVD\PDVDServ.exe" [2008-04-02 87336]
"LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD\Language\Language.exe" [2008-02-22 62760]
"ROC_ROC_JULY_P1"="c:\program files (x86)\AVG Secure Search\ROC_ROC_JULY_P1.exe" [2012-09-04 1022048]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"UnlockerAssistant"="c:\program files (x86)\Unlocker\UnlockerAssistant.exe" [BU]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
SRS Premium Sound.lnk - c:\windows\Installer\{E5CF6B9C-3ABE-43C9-9413-AD5FFC98F049}\NewShortcut5_21C7B668029A47458B27645FE6E4A715.exe [2012-3-11 156952]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-09-13 136176]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-09-07 676936]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-09-13 136176]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-21 20992]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [2010-11-21 88960]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-21 34816]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-21 117248]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-03-12 1255736]
S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys [2012-04-19 28480]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [2012-01-31 36944]
S1 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwd6a.sys [2011-05-22 48992]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [2012-07-26 291680]
S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [2011-12-23 47696]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [2012-08-24 384352]
S1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx64.sys [2012-09-04 31080]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-07-27 63960]
S2 AFBAgent;AFBAgent;c:\windows\system32\FBAgent.exe [2010-06-22 379520]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-08-11 203264]
S2 ASMMAP64;ASMMAP64;c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys [2009-07-02 15416]
S2 avgfws;AVG Firewall;c:\program files (x86)\AVG\AVG2012\avgfws.exe [2012-06-13 2321560]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2012\AVGIDSAgent.exe [2012-08-13 5167736]
S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-02-14 193288]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-09-07 399432]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2009-09-30 2314240]
S2 vToolbarUpdater12.2.6;vToolbarUpdater12.2.6;c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\12.2.6\ToolbarUpdater.exe [2012-09-04 722528]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-08-11 7765504]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-08-11 279040]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2010-07-15 116240]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys [2011-12-23 124496]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\avgidsfiltera.sys [2011-12-23 29776]
S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [2010-04-13 135560]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2009-08-18 143472]
S3 JME;JMicron Ethernet Adapter NDIS6.20 Driver (Amd64 Bits);c:\windows\system32\DRIVERS\JME.sys [2010-02-25 115312]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-09-13 06:47]
.
2012-09-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-09-13 06:47]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]
@="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
[HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
c:\program files (x86)\ASUS\ASUS Data Security Manager\ShlExt\x64\OverlayIconShlExt1_64.dll [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-04-28 307768]
"ETDWare"="c:\program files (x86)\Elantech\ETDCtrl.exe" [BU]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = https://isearch.avg.com/?cid={BB3F9403-A0A5-43DD-8B0A-C82AFB925F9E}&mid=f7ce1cd9a26e47d08b626de78334b64b-be9abacd2b0d8fb17fa5dd2bb9608f781b54a8ba&lang=en&ds=AVG&pr=pr&d=2012-04-28 20:47&v=12.2.5.32&sap=hp
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 136.169.0.2 136.169.69.66
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\12.2.6\ViProtocol.dll
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{687578b9-7132-4a7a-80e4-30ee31099e03} - (no file)
WebBrowser-{687578B9-7132-4A7A-80E4-30EE31099E03} - (no file)
AddRemove-K_Series_ScreenSaver_EN - c:\windows\system32\K_Series_ScreenSaver_EN.scr
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe
c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
c:\program files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
c:\program files (x86)\ASUS\SmartLogon\sensorsrv.exe
c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe
c:\program files (x86)\ASUS\Net4Switch\Net4Switch.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe
c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe
c:\program files (x86)\ASUS\ControlDeck\ControlDeck.exe
.
**************************************************************************
.
Completion time: 2012-09-14 23:48:38 - machine was rebooted
ComboFix-quarantined-files.txt 2012-09-14 20:48
.
Pre-Run: 42,390,585,344 bytes free
Post-Run: 42,312,564,736 bytes free
.
- - End Of File - - E22B8B1546175996FD6531FB92138E43
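The "Reg Loading Points" and service sections of the ComboFix log above are registry autostart locations resolved to files with their size and timestamp. As an added example that is not part of this thread and not ComboFix's own code, the PowerShell script below enumerates the same Run/RunOnce keys and Browser Helper Objects (both the native and Wow6432Node views), resolves each entry to its binary and adds what ComboFix does not print: Authenticode status and signer, so a missing, unsigned or tampered binary stands out. All function names are mine; it assumes an elevated 64-bit PowerShell 2.0 or later on a 64-bit Windows, as in this thread.

```powershell
# Added example, not ComboFix code: enumerate the Run keys and Browser Helper
# Objects ComboFix lists under "Reg Loading Points", resolve each to its file
# and report existence and Authenticode status. Function names are mine.
# Run from an elevated 64-bit PowerShell so both registry views are visible.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Resolve-CommandExe {
    param([string]$CommandLine)
    # First quoted token, otherwise first whitespace-delimited token; expand %VARS%.
    $exe = if ($CommandLine -match '^\s*"([^"]+)"') { $Matches[1] } else { ($CommandLine.Trim() -split '\s+')[0] }
    [Environment]::ExpandEnvironmentVariables($exe)
}

function Get-FileSummary {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) {
        return New-Object PSObject -Property @{ Exists = $false; Size = $null; Modified = $null; Signature = 'missing'; Signer = $null }
    }
    $f   = Get-Item -LiteralPath $Path
    $sig = Get-AuthenticodeSignature -FilePath $Path
    New-Object PSObject -Property @{
        Exists    = $true
        Size      = $f.Length
        Modified  = $f.LastWriteTime
        Signature = $sig.Status.ToString()    # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

function Get-RunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }        # skip PSPath, PSParentPath, ...
            $exe  = Resolve-CommandExe ([string]$p.Value)
            $info = Get-FileSummary $exe
            New-Object PSObject -Property @{
                Key = $key; Name = $p.Name; Exe = $exe
                Exists = $info.Exists; Size = $info.Size; Modified = $info.Modified
                Signature = $info.Signature; Signer = $info.Signer
            }
        }
    }
}

function Get-BrowserHelperObjects {
    # BHO registration is a CLSID; the DLL lives under the CLSID's InprocServer32 default value.
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    $clsidRoots = @('HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID')
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid = $sub.PSChildName
            $dll   = $null
            foreach ($root in $clsidRoots) {
                $srv = Join-Path $root "$clsid\InprocServer32"
                if (Test-Path $srv) {
                    $dll = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty -Path $srv).'(default)')
                    break
                }
            }
            $info = Get-FileSummary $dll
            New-Object PSObject -Property @{
                Key = $key; CLSID = $clsid; Dll = $dll
                Exists = $info.Exists; Signature = $info.Signature; Signer = $info.Signer
            }
        }
    }
}

Get-RunEntries           | Format-Table Name, Exe, Exists, Signature, Signer -AutoSize
Get-BrowserHelperObjects | Format-Table CLSID, Dll, Exists, Signature, Signer -AutoSize
```

An entry whose Exists column is false is a dangling autostart (ComboFix marks these `[BU]` or "(no file)"), and a Signature of NotSigned or HashMismatch on a binary in a vendor directory is worth a second look before it is trusted. Services and drivers (the R*/S* lines) are a separate enumeration and are not covered here.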

#13 nasdaq
  • Malware Response Team
  • Location:Montreal, QC. Canada

Posted 15 September 2012 - 06:54 AM

"I start Skype, like automatically that somehow triggers an Adobe update, huuuh, how is that possible?"

I think this is just a coincidence.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please download AdwCleaner by Xplode onto your Desktop.

  • Please close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with OK.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.

Please post the logs and let me know what problem persists.

#14 draculamolecula
  • Topic Starter
  • Members

Posted 17 September 2012 - 12:03 PM

Oh hi there! Yeah, I did as you said.
Security check

Results of screen317's Security Check version 0.99.51
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Disabled!
AVG Internet Security 2012
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.65.0.1400
Adobe Reader X (10.1.4)
Google Chrome 20.0.1132.57
Google Chrome 21.0.1180.89
````````Process Check: objlist.exe by Laurent````````
AVG avgwdsvc.exe
AVG avgtray.exe
Malwarebytes' Anti-Malware mbamscheduler.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````


And I attached the AdwCleaner logs, but on the first 2 attempts the program just froze.


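The Security Check log above reports three things a practitioner would want to verify by hand: "Windows Firewall Disabled!" (expected here, since the ComboFix log lists AVG Firewall, `avgfws`, as a running service and AVG Internet Security replaces the Windows Firewall), the antivirus state, and two different Google Chrome versions in the installed-software list. As an added example, not part of this thread and not Security Check's own code, the PowerShell below reads the same sources: the per-profile firewall policy keys (present on Windows 7, where `Get-NetFirewallProfile` does not exist), the `root\SecurityCenter2` namespace the Action Center uses, and both Uninstall registry views. Function names are mine; the decoding of `productState` is the commonly documented byte layout, not an official Microsoft specification, and is marked as such in the code.

```powershell
# Added example (not from the thread or from Security Check): reproduce the
# firewall, antivirus and installed-version checks on Windows 7 or later,
# compatible with PowerShell 2.0. Function names are mine.

function Get-WindowsFirewallState {
    # EnableFirewall per profile under the firewall policy key. A third-party
    # firewall that registers with the Security Center turns these off.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    foreach ($profile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
        $key   = Join-Path $base $profile
        $value = (Get-ItemProperty -Path $key -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall
        New-Object PSObject -Property @{ Profile = $profile; Enabled = ($value -eq 1) }
    }
}

function Get-RegisteredSecurityProducts {
    # root\SecurityCenter2 holds AntiVirusProduct and FirewallProduct entries.
    # productState is a packed DWORD. Assumption (widely documented, not an
    # official spec): middle byte 0x10/0x11 = product enabled, low byte 0x00 =
    # definitions current, 0x10 = out of date.
    foreach ($class in 'AntiVirusProduct', 'FirewallProduct') {
        Get-WmiObject -Namespace 'root\SecurityCenter2' -Class $class -ErrorAction SilentlyContinue | ForEach-Object {
            $hex = '{0:x6}' -f [int]$_.productState
            New-Object PSObject -Property @{
                Class    = $class
                Name     = $_.displayName
                Enabled  = (@('10', '11') -contains $hex.Substring(2, 2))
                UpToDate = ($hex.Substring(4, 2) -eq '00')
                Exe      = $_.pathToSignedProductExe
            }
        }
    }
}

function Get-InstalledVersions {
    param([Parameter(Mandatory = $true)][string]$DisplayName)
    # Both uninstall views plus the per-user hive. Two entries for one product
    # (as with the two Chrome versions in the log) usually means a stale
    # per-user install next to a machine-wide one.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "*$DisplayName*" } |
        Select-Object DisplayName, DisplayVersion, InstallLocation, PSPath
}

Get-WindowsFirewallState       | Format-Table Profile, Enabled -AutoSize
Get-RegisteredSecurityProducts | Format-Table Class, Name, Enabled, UpToDate, Exe -AutoSize
Get-InstalledVersions -DisplayName 'Google Chrome' | Format-Table DisplayName, DisplayVersion, PSPath -AutoSize
```

If the FirewallProduct row shows a third-party firewall enabled, a disabled Windows Firewall is expected rather than a finding; if no firewall row is enabled at all, the host is unfiltered. The PSPath column of the Chrome rows tells you which hive each version is registered in, which is what you need to decide which one to remove.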
#15 nasdaq
  • Malware Response Team
  • Location:Montreal, QC. Canada

Posted 17 September 2012 - 12:31 PM

Looking good.

If all is well:

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following text into the Run box and click OK:

ComboFix /Uninstall
===

To remove AdwCleaner.

Please double click on adwcleaner.exe to run the tool.
Click on Uninstall.
Confirm with Yes.

Delete the other tools we used.

Surf Safely, and Think Prevention!
===
