MyStart Incredibar infection



#1 attackedBYspam


Posted 02 November 2012 - 12:32 PM

I have a lingering issue with MyStart Incredibar. I have removed all entries via control panel and browser plugins but it's lingering in Chrome and IE9, possibly Firefox but I don't see any indication of that. Unfortunately I already ran Combofix before I knew I wasn't supposed to, so hopefully that won't screw this process up too bad here. I will wait for further instructions. Thanks for the help.

EDIT: I'm running Win 7 x64 Pro.

Edited by attackedBYspam, 02 November 2012 - 12:32 PM.


#2 Clairvoyant

  • Malware Response Team

Posted 02 November 2012 - 01:36 PM

Hello attackedBYspam and :welcome: on BC.
I will be helping with your computer problems.

Before we start, please note the following:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know
  • Do not make any changes on your own to the computer (installing/uninstalling programs, deleting files, modifying the registry, running scanners or other tools, etc.) without instructions to do it
  • Please read every post completely and perform all steps in the specified order. If you can't understand something or you encounter problems please stop and let me know
  • Do not attach logs, use code or quote boxes. Just copy and paste the text unless directed otherwise
  • Even if things appear to be better, it does not mean we have finished. Follow the instructions and reply back until I tell you that your computer is clean. At the end I will also provide you further suggestions about how to avoid future infections and improve security on your system
  • Please reply using the Add Reply button in the lower right hand corner of your screen
  • Please track this topic by clicking on the Watch Topic button on the top right of this thread => select Immediate Email Notification => click on the Proceed button
Now please follow these steps and post the required logs as described in that topic. :)


Regards

#3 attackedBYspam

attackedBYspam
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:09:48 AM

Posted 02 November 2012 - 02:06 PM

Completed steps. Here are my DDS.txt and Attach.txt logs:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-10-19.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume4
Install Date: 9/7/2012 10:10:10 PM
System Uptime: 10/31/2012 10:29:13 PM (40 hours ago)
.
Motherboard: ASRock | | Z68 Extreme4 Gen3
Processor: Intel® Core™ i7-2600K CPU @ 3.40GHz | CPUSocket | 3401/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 74 GiB total, 33.209 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 0 GiB total, 0.069 GiB free.
F: is FIXED (NTFS) - 932 GiB total, 338.036 GiB free.
G: is FIXED (NTFS) - 466 GiB total, 180.902 GiB free.
H: is CDROM ()
I: is Removable
J: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description: Multimedia Audio Controller
Device ID: PCI\VEN_1412&DEV_1712&SUBSYS_D6341412&REV_02\7&10DABA8B&0&08002000E7
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_1412&DEV_1712&SUBSYS_D6341412&REV_02\7&10DABA8B&0&08002000E7
Service:
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
µTorrent
7-Zip 9.25 (x64 edition)
Adobe Flash Player 11 Plugin
Alt.Binz 0.39.4
Borderlands 2
CDBurnerXP
Corsair K90 Gaming Keyboard Driver V1.0
Corsair M60 Gaming Mouse Driver V1.0
CPUID CPU-Z 1.61.5
Creative Audio Control Panel
Creative Console Launcher
Creative Diagnostics
Creative Software AutoUpdate
Creative Sound Blaster Properties x64 Edition
dBpoweramp DSP Effects
dBpoweramp Music Converter
Deadlight
Dishonored © Bethesda Softworks version 1
Eraser 5.8.8
Eraser 6.0.10.2620
Etron USB3.0 Host Controller
foobar2000 v1.1.15
Foxit Reader
Fraps (remove only)
Google Chrome
Google Talk (remove only)
HashCheck Shell Extension (x86-32)
HashCheck Shell Extension (x86-64)
Hotfix for Microsoft .NET Framework 4 Client Profile (KB2461678)
ImgBurn
Intel® OpenCL CPU Runtime
Intel® Processor Graphics
Intel® Rapid Storage Technology
Intel® Solid-State Drive Toolbox
Internet Download Manager
Java 7 Update 9
Java Auto Updater
Java™ 6 Update 35
Java™ 6 Update 35 (64-bit)
K-Lite Codec Pack 9.3.0 (Full)
League of Legends
Left 4 Dead 2
LibreOffice 3.6
Malwarebytes Anti-Malware version 1.65.1.1000
marvell 91xx driver
MediaInfo 0.7.61
Microsoft .NET Framework 4 Client Profile
Microsoft Chart Controls for Microsoft .NET Framework 3.5 (KB2500170)
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Mozilla Firefox 16.0.2 (x86 en-US)
Mozilla Maintenance Service
Mozilla Thunderbird 16.0.2 (x86 en-US)
MSI Afterburner 2.2.5
Mumble 1.2.3
Notepad++
NVIDIA Control Panel 306.97
NVIDIA Graphics Driver 306.97
NVIDIA Install Application
NVIDIA PhysX
NVIDIA PhysX System Software 9.12.0604
NVIDIA Update 1.10.8
NVIDIA Update Components
OpenAL
Pando Media Booster
QuickPar 0.9
Realtek High Definition Audio Driver
Recuva
Samsung Kies
SAMSUNG USB Driver for Mobile Phones
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Skype™ 5.10
Source SDK Base 2007
SSD Tweaker version 2.1.1
System Requirements Lab for Intel
TrueCrypt
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
VirtualCloneDrive
VLC media player 2.0.3
.
==== Event Viewer Messages From Past Week ========
.
10/31/2012 11:02:55 PM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
10/31/2012 11:02:44 PM, Error: Application Popup [1060] - \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
.
==== End Of File ===========================




DDS (Ver_2012-10-19.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.9.2
Run by GTI at 14:46:01 on 2012-11-02
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.8100.4832 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Enabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files (x86)\Samsung\Kies\Kies.exe
C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
C:\Program Files (x86)\Corsair\M60 Mouse\M60Hid.exe
C:\Program Files (x86)\Corsair\M60 Mouse\CorsTra.exe
C:\Program Files (x86)\Corsair\K90 Keyboard\K90Hid.exe
C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe
C:\Program Files (x86)\Internet Download Manager\IDMan.exe
C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_500_104.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_500_104.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://mystart.incredibar.com/mb185?a=6OyS1UE0jU&i=26
uSearchAssistant = hxxp://www.searchamong.com/searchview.php?query={searchTerms}&cat=webs&bar=true
BHO: IDM integration (IDMIEHlprObj Class): {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll
BHO: {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - <orphaned>
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
uRun: [IDMan] C:\Program Files (x86)\Internet Download Manager\IDMan.exe /onboot
uRun: [KiesPreload] C:\Program Files (x86)\Samsung\Kies\Kies.exe /preload
uRun: [KiesAirMessage] C:\Program Files (x86)\Samsung\Kies\KiesAirMessage.exe -startup
uRun: [KiesPDLR] C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
mRun: [googletalk] C:\Program Files (x86)\Google\Google Talk\googletalk.exe /autostart
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIconLaunch.exe "C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" 60
mRun: [KiesTrayAgent] C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
mRun: [Corsair M60 Mouse] C:\Program Files (x86)\Corsair\M60 Mouse\M60Hid.exe
mRun: [Corsair laver] C:\Program Files (x86)\Corsair\K90 Keyboard\K90Hid.exe
mRun: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: Download all links with IDM - C:\Program Files (x86)\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - C:\Program Files (x86)\Internet Download Manager\IEExt.htm
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: {E705A591-DA3C-4228-B0D5-A356DBA42FBF} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/20015/CTSUEng.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/110926/CTPID.cab
TCP: NameServer = 24.25.5.150 209.18.47.61
TCP: Interfaces\{FE7FE438-F863-41E2-A433-FB88092E6DE8} : DHCPNameServer = 24.25.5.150 209.18.47.61
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
x64-BHO: IDM integration (IDMIEHlprObj Class): {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll
x64-BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
x64-Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Run: [Eraser] "C:\PROGRA~1\Eraser\Eraser.exe" --atRestart
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
x64-DPF: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\GTI\AppData\Roaming\Mozilla\Firefox\Profiles\omsorwl9.default-1351042774930\
FF - prefs.js: browser.startup.homepage - hxxp://rlslog.net
FF - plugin: C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\Users\GTI\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_500_104.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
FF - ExtSQL: 2012-10-11 03:16; mozilla_cc@internetdownloadmanager.com; C:\Users\GTI\AppData\Roaming\IDM\idmmzcc5
FF - ExtSQL: 2012-10-11 17:59; {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}; C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}
FF - ExtSQL: 2012-10-23 21:40; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; C:\Users\GTI\AppData\Roaming\Mozilla\Firefox\Profiles\omsorwl9.default-1351042774930\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2012-10-23 21:41; jid1-xUfzOsOFlzSOXg@jetpack; C:\Users\GTI\AppData\Roaming\Mozilla\Firefox\Profiles\omsorwl9.default-1351042774930\extensions\jid1-xUfzOsOFlzSOXg@jetpack.xpi
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2012-8-30 228768]
R0 mvs91xx;mvs91xx;C:\Windows\System32\drivers\mvs91xx.sys [2011-4-8 312624]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2012-9-8 13632]
R2 IDMWFP;IDMWFP;C:\Windows\System32\drivers\idmwfp.sys [2012-10-26 160992]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2012-3-20 128456]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-10-13 1258856]
R3 CORSGKB;Corsair Gaming Keyboard;C:\Windows\System32\drivers\CORSGKB.sys [2012-9-8 25600]
R3 CT20XUT.SYS;CT20XUT.SYS;C:\Windows\System32\drivers\CT20XUT.sys [2011-8-11 230488]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;C:\Windows\System32\drivers\CTEXFIFX.sys [2011-8-11 1494104]
R3 CTHWIUT.SYS;CTHWIUT.SYS;C:\Windows\System32\drivers\CTHWIUT.sys [2011-8-11 95320]
R3 EtronHub3;Etron USB 3.0 Extensible Hub Driver;C:\Windows\System32\drivers\EtronHub3.sys [2011-2-8 39936]
R3 EtronXHCI;Etron USB 3.0 Extensible Host Controller Driver;C:\Windows\System32\drivers\EtronXHCI.sys [2011-2-8 64512]
R3 ha20x22k;Creative 20X2 HAL Driver;C:\Windows\System32\drivers\ha20x22k.sys [2011-8-11 1678936]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\System32\drivers\k57nd60a.sys [2011-2-14 412712]
R3 MEIx64;Intel® Management Engine Interface ;C:\Windows\System32\drivers\HECIx64.sys [2010-10-19 56344]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-9-12 368896]
R3 RTCore64;RTCore64;C:\Program Files (x86)\MSI Afterburner\RTCore64.sys [2012-10-30 13368]
R3 WIMBLEMS;Corsair M60 Gaming Mouse;C:\Windows\System32\drivers\WIMBLEMS.sys [2012-9-8 25600]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 cphs;Intel® Content Protection HECI Service;C:\Windows\SysWOW64\IntelCpHeciSvc.exe [2012-10-10 277024]
S3 cpudrv64;cpudrv64;C:\Program Files (x86)\SystemRequirementsLab\cpudrv64.sys [2011-6-2 17864]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2012-9-7 79360]
S3 CT20XUT;CT20XUT;C:\Windows\System32\drivers\CT20XUT.sys [2011-8-11 230488]
S3 CTEXFIFX;CTEXFIFX;C:\Windows\System32\drivers\CTEXFIFX.sys [2011-8-11 1494104]
S3 CTHWIUT;CTHWIUT;C:\Windows\System32\drivers\CTHWIUT.sys [2011-8-11 95320]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);C:\Windows\System32\drivers\ssudbus.sys [2012-10-13 102368]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-9-7 115168]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2012-10-30 19456]
S3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);C:\Windows\System32\drivers\ssudmdm.sys [2012-10-13 203104]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-10-30 57856]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-9-8 1255736]
.
=============== Created Last 30 ================
.
2012-11-02 04:04:45 -------- d-sh--w- C:\$RECYCLE.BIN
2012-11-02 02:41:22 9291768 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{20D965E1-5936-428F-8533-23B0B37CCDC5}\mpengine.dll
2012-11-01 21:44:23 9291768 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-11-01 03:00:42 98816 ----a-w- C:\Windows\sed.exe
2012-11-01 03:00:42 256000 ----a-w- C:\Windows\PEV.exe
2012-11-01 03:00:42 208896 ----a-w- C:\Windows\MBR.exe
2012-11-01 02:33:13 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-11-01 02:33:13 697272 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-10-30 23:39:19 -------- d-----w- C:\Users\GTI\AppData\Local\Programs
2012-10-26 13:15:35 160992 ----a-w- C:\Windows\System32\drivers\idmwfp.sys
2012-10-24 00:55:32 -------- d-----w- C:\Program Files (x86)\Perion
2012-10-24 00:55:25 829264 ----a-w- C:\Windows\System32\msvcr100.dll
2012-10-24 00:55:25 608080 ----a-w- C:\Windows\System32\msvcp100.dll
2012-10-23 01:16:05 -------- d-----w- C:\Reditr
2012-10-19 21:26:58 972192 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{AF05B71F-B655-4787-A31C-8322CDF2653F}\gapaengine.dll
2012-10-18 00:57:13 95208 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2012-10-14 07:59:47 -------- d-----w- C:\Users\GTI\AppData\Roaming\Mumble
2012-10-14 07:58:26 -------- d-----w- C:\Program Files (x86)\Mumble
2012-10-13 22:23:50 203104 ----a-w- C:\Windows\System32\drivers\ssudmdm.sys
2012-10-13 22:23:50 102368 ----a-w- C:\Windows\System32\drivers\ssudbus.sys
2012-10-13 19:53:52 -------- d-----w- C:\ProgramData\RELOADED
2012-10-13 18:05:00 891240 ----a-w- C:\Windows\System32\nvvsvc.exe
2012-10-13 18:05:00 63336 ----a-w- C:\Windows\System32\nvshext.dll
2012-10-13 18:05:00 6200680 ----a-w- C:\Windows\System32\nvcpl.dll
2012-10-13 18:05:00 3536817 ----a-w- C:\Windows\System32\nvcoproc.bin
2012-10-13 18:05:00 3293544 ----a-w- C:\Windows\System32\nvsvc64.dll
2012-10-13 18:05:00 2557800 ----a-w- C:\Windows\System32\nvsvcr.dll
2012-10-13 18:05:00 118120 ----a-w- C:\Windows\System32\nvmctray.dll
2012-10-13 18:04:49 -------- d-----w- C:\ProgramData\NVIDIA Corporation
2012-10-10 23:12:34 -------- d-----w- C:\Users\GTI\AppData\Roaming\AccurateRip
2012-10-10 23:12:30 4779592 ----a-w- C:\Windows\SysWow64\SpoonUninstall.exe
2012-10-10 23:12:28 -------- d-----w- C:\Program Files (x86)\Illustrate
2012-10-10 22:39:59 -------- d-----w- C:\Users\GTI\temp
2012-10-10 22:39:58 -------- d-----w- C:\Users\GTI\AppData\Roaming\TeamViewer
2012-10-10 22:31:13 -------- d-----w- C:\Program Files (x86)\Microsoft Chart Controls
2012-10-10 06:22:42 80384 ----a-w- C:\Windows\System32\igdde64.dll
.
==================== Find3M ====================
.
2012-10-18 00:57:11 821736 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2012-10-18 00:57:11 746984 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-10-02 22:21:00 973672 ----a-w- C:\Windows\System32\nvumdshimx.dll
2012-09-29 23:54:26 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-09-16 18:42:54 1174993 ----a-w- C:\Windows\unins001.exe
2012-09-16 18:41:47 1174993 ----a-w- C:\Windows\unins000.exe
2012-09-14 19:19:29 2048 ----a-w- C:\Windows\System32\tzres.dll
2012-09-14 18:28:53 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2012-09-09 01:02:38 175616 ----a-w- C:\Windows\System32\msclmd.dll
2012-09-09 01:02:38 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
2012-09-08 05:31:00 86528 ----a-w- C:\Windows\SysWow64\iesysprep.dll
2012-09-08 05:31:00 76800 ----a-w- C:\Windows\SysWow64\SetIEInstalledDate.exe
2012-09-08 05:31:00 74752 ----a-w- C:\Windows\SysWow64\RegisterIEPKEYs.exe
2012-09-08 05:31:00 74752 ----a-w- C:\Windows\SysWow64\iesetup.dll
2012-09-08 05:31:00 63488 ----a-w- C:\Windows\SysWow64\tdc.ocx
2012-09-08 05:31:00 48640 ----a-w- C:\Windows\SysWow64\mshtmler.dll
2012-09-08 05:31:00 367104 ----a-w- C:\Windows\SysWow64\html.iec
2012-09-08 05:31:00 23552 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2012-09-08 05:31:00 161792 ----a-w- C:\Windows\SysWow64\msls31.dll
2012-09-08 05:31:00 152064 ----a-w- C:\Windows\SysWow64\wextract.exe
2012-09-08 05:31:00 150528 ----a-w- C:\Windows\SysWow64\iexpress.exe
2012-09-08 05:31:00 110592 ----a-w- C:\Windows\SysWow64\IEAdvpack.dll
2012-09-08 03:24:20 466520 ----a-w- C:\Windows\System32\wrap_oal.dll
2012-09-08 03:24:20 445016 ----a-w- C:\Windows\SysWow64\wrap_oal.dll
2012-09-08 03:24:20 123480 ----a-w- C:\Windows\System32\OpenAL32.dll
2012-09-08 03:24:19 109144 ----a-w- C:\Windows\SysWow64\OpenAL32.dll
2012-09-08 03:17:18 231376 ----a-w- C:\Windows\System32\drivers\truecrypt.sys
2012-09-08 03:17:01 916456 ----a-w- C:\Windows\System32\deployJava1.dll
2012-09-08 03:17:01 1034216 ----a-w- C:\Windows\System32\npDeployJava1.dll
2012-08-31 18:19:35 1659760 ----a-w- C:\Windows\System32\drivers\ntfs.sys
2012-08-31 02:03:48 228768 ----a-w- C:\Windows\System32\drivers\MpFilter.sys
2012-08-31 02:03:48 128456 ----a-w- C:\Windows\System32\drivers\NisDrvWFP.sys
2012-08-30 18:03:45 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-08-30 17:12:02 3968880 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-08-30 17:12:02 3914096 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-08-28 14:05:04 4659712 ----a-w- C:\Windows\SysWow64\Redemption.dll
2012-08-24 18:13:17 154480 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2012-08-24 18:09:34 458712 ----a-w- C:\Windows\System32\drivers\cng.sys
2012-08-24 18:05:07 220160 ----a-w- C:\Windows\System32\wintrust.dll
2012-08-24 18:05:03 340992 ----a-w- C:\Windows\System32\schannel.dll
2012-08-24 18:04:18 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2012-08-24 18:03:09 1448448 ----a-w- C:\Windows\System32\lsasrv.dll
2012-08-24 16:57:48 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll
2012-08-24 16:57:40 247808 ----a-w- C:\Windows\SysWow64\schannel.dll
2012-08-24 16:57:40 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2012-08-24 16:57:37 220160 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2012-08-24 16:53:35 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2012-08-24 10:31:32 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2012-08-24 10:21:18 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-08-24 10:20:11 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-08-24 10:14:45 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-08-24 10:13:29 599040 ----a-w- C:\Windows\System32\vbscript.dll
2012-08-24 10:09:42 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-08-24 06:59:17 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-08-24 06:51:27 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-08-24 06:51:02 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-08-24 06:47:26 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-08-24 06:47:12 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
2012-08-24 06:43:58 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-08-23 14:13:11 243200 ----a-w- C:\Windows\System32\rdpudd.dll
2012-08-23 14:10:20 19456 ----a-w- C:\Windows\System32\drivers\rdpvideominiport.sys
2012-08-23 14:07:35 57856 ----a-w- C:\Windows\System32\drivers\TsUsbFlt.sys
2012-08-23 13:47:20 46592 ----a-w- C:\Windows\SysWow64\MsRdpWebAccess.dll
2012-08-23 13:46:20 16896 ----a-w- C:\Windows\SysWow64\wksprtPS.dll
2012-08-23 13:41:52 13312 ----a-w- C:\Windows\System32\TsUsbRedirectionGroupPolicyControl.exe
2012-08-23 13:40:56 13312 ----a-w- C:\Windows\System32\TsUsbRedirectionGroupPolicyExtension.dll
2012-08-23 13:24:57 15360 ----a-w- C:\Windows\System32\RdpGroupPolicyExtension.dll
2012-08-23 13:20:40 54272 ----a-w- C:\Windows\System32\MsRdpWebAccess.dll
2012-08-23 13:18:14 37376 ----a-w- C:\Windows\SysWow64\tsgqec.dll
2012-08-23 13:17:54 18432 ----a-w- C:\Windows\System32\wksprtPS.dll
2012-08-23 13:06:58 43520 ----a-w- C:\Windows\System32\TsUsbGDCoInstaller.dll
2012-08-23 12:52:53 44032 ----a-w- C:\Windows\System32\tsgqec.dll
2012-08-23 11:20:06 62976 ----a-w- C:\Windows\System32\TSWbPrxy.exe
2012-08-23 11:15:57 269312 ----a-w- C:\Windows\SysWow64\aaclient.dll
2012-08-23 11:14:09 384000 ----a-w- C:\Windows\System32\wksprt.exe
2012-08-23 11:12:17 192000 ----a-w- C:\Windows\SysWow64\rdpendp_winip.dll
2012-08-23 10:54:24 322560 ----a-w- C:\Windows\System32\aaclient.dll
2012-08-23 10:51:14 228864 ----a-w- C:\Windows\System32\rdpendp_winip.dll
2012-08-23 10:39:24 1048064 ----a-w- C:\Windows\SysWow64\mstsc.exe
2012-08-23 10:22:22 1123840 ----a-w- C:\Windows\System32\mstsc.exe
2012-08-23 09:51:57 3174912 ----a-w- C:\Windows\System32\rdpcorets.dll
2012-08-23 08:19:01 4916224 ----a-w- C:\Windows\SysWow64\mstscax.dll
2012-08-23 08:13:07 5773824 ----a-w- C:\Windows\System32\mstscax.dll
2012-08-22 18:12:50 1913200 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2012-08-22 18:12:40 950128 ----a-w- C:\Windows\System32\drivers\ndis.sys
2012-08-22 18:12:40 376688 ----a-w- C:\Windows\System32\drivers\netio.sys
2012-08-22 18:12:33 288624 ----a-w- C:\Windows\System32\drivers\FWPKCLNT.SYS
2012-08-21 21:01:00 245760 ----a-w- C:\Windows\System32\OxpsConverter.exe
2012-08-20 18:48:44 362496 ----a-w- C:\Windows\System32\wow64win.dll
2012-08-20 18:48:44 243200 ----a-w- C:\Windows\System32\wow64.dll
2012-08-20 18:48:44 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2012-08-20 18:48:43 215040 ----a-w- C:\Windows\System32\winsrv.dll
2012-08-20 18:48:37 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2012-08-20 18:48:35 424448 ----a-w- C:\Windows\System32\KernelBase.dll
2012-08-20 18:46:22 338432 ----a-w- C:\Windows\System32\conhost.exe
2012-08-20 17:40:21 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2012-08-20 17:38:44 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2012-08-20 17:38:26 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2012-08-20 17:37:19 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2012-08-20 17:37:18 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll
.
============= FINISH: 14:46:07.51 ===============
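As an added illustration (not part of this thread and not code from the DDS tool), the script below parses the Pseudo HJT section of a log like the one above and flags the three things a helper would raise first: the start page and search assistant pointing at the hijacker hosts quoted in the log, a BHO left `<orphaned>` after a manual uninstall, and the UAC policies set to 0. The defaults it compares against are assumed Windows 7 values, and the sample report is a constructed excerpt of the log above.

```python
"""Triage of the 'Pseudo HJT Report' section of a DDS log (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Hosts taken from the start page / search assistant lines in the thread's own
# log; they stand in for whatever hijacker hosts a helper is tracking.
KNOWN_HIJACK_HOSTS = {"mystart.incredibar.com", "www.searchamong.com"}

# Assumed Windows 7 defaults for the UAC values DDS lists under mPolicies-System.
# EnableLUA=0 switches UAC off entirely; the other two weaken the elevation prompt.
UAC_EXPECTED = {
    "EnableLUA": 1,
    "ConsentPromptBehaviorAdmin": 5,
    "PromptOnSecureDesktop": 1,
}

URL_HOST = re.compile(r"hxxps?://([^/?\s]+)", re.IGNORECASE)  # DDS defangs http as hxxp
BROWSER_SETTING = re.compile(
    r"^[um](Start Page|SearchAssistant|Default_Page_URL|Default_Search_URL)\s*=\s*(.+)$")
BHO_LINE = re.compile(r"^(?:x64-)?BHO:\s*(.*?)(\{[0-9A-Fa-f-]+\})\s*-\s*(.+)$")
POLICY_LINE = re.compile(r"^[um]Policies-System:\s*(\w+)\s*=\s*dword:(\d+)$")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    kind: str      # "browser-hijack", "orphaned-bho" or "uac-weakened"
    detail: str


def host_of(url: str) -> str:
    """Return the lower-cased host of a (defanged) URL, or '' if there is none."""
    m = URL_HOST.search(url)
    return m.group(1).lower() if m else ""


def triage(report: str) -> list[Finding]:
    """Walk the report line by line and collect findings worth raising."""
    findings: list[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if m := BROWSER_SETTING.match(line):
            # u* = per-user (HKCU) setting, m* = machine-wide (HKLM) setting
            host = host_of(m.group(2))
            if host in KNOWN_HIJACK_HOSTS:
                findings.append(Finding("high", "browser-hijack",
                                        f"{line[0]}{m.group(1)} points at {host}"))
        elif m := BHO_LINE.match(line):
            # <orphaned>: the registry still loads a BHO whose DLL is gone, the usual
            # leftover of a manual uninstall and a sign that cleanup is incomplete.
            if m.group(3).strip() == "<orphaned>":
                findings.append(Finding("medium", "orphaned-bho",
                                        f"BHO {m.group(2)} has no DLL on disk"))
        elif m := POLICY_LINE.match(line):
            # Only small UAC values are compared, so the number base DDS prints
            # the dword in does not change the outcome.
            name, value = m.group(1), int(m.group(2))
            expected = UAC_EXPECTED.get(name)
            if expected is not None and value != expected:
                findings.append(Finding("high", "uac-weakened",
                                        f"{name}={value}, default is {expected}"))
    return findings


# Constructed excerpt: lines copied from the DDS log posted above, not the full log.
SAMPLE_REPORT = """\
uStart Page = hxxp://mystart.incredibar.com/mb185?a=6OyS1UE0jU&i=26
uSearchAssistant = hxxp://www.searchamong.com/searchview.php?query={searchTerms}&cat=webs&bar=true
BHO: IDM integration (IDMIEHlprObj Class): {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\\Program Files (x86)\\Internet Download Manager\\IDMIECC.dll
BHO: {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - <orphaned>
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
x64-BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre6\\bin\\ssv.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.severity:6}] {f.kind:15} {f.detail}")
```

On the excerpt above it reports two hijacked browser settings, one orphaned BHO and three weakened UAC policies; the Java BHO with a DLL present and the Explorer policy line produce nothing.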

#4 attackedBYspam

  • Topic Starter

Posted 03 November 2012 - 02:23 PM

Help?

#5 Clairvoyant

  • Malware Response Team

Posted 04 November 2012 - 01:40 PM

Hello attackedBYspam :)

Sorry for replying so late, but because I'm a trainee my replies need to be checked out by an instructor first. Your topic will not be overlooked.

I noticed you have installed µTorrent on your computer. Please refrain from using it until the cleaning activities are finished.

Please download AdwCleaner, RogueKiller and OTL onto your desktop, then

1- Run Adwcleaner by Xplode
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner icon to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • You will be prompted to restart your computer. A text file will open after the restart.
  • Close it and quit AdwCleaner
2- Run RogueKiller by Tigzy
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • Right-click on the RogueKiller icon and select "Run as Administrator" to start
  • Wait until Prescan has finished ...
  • Click on Scan button
  • Wait until the Status box shows "Scan Finished"
  • Close RogueKiller
3- Run OTL by OldTimer
  • Double click on the OTL icon on your desktop.
  • Click the Scan All Users checkbox.
  • Change the Extra Registry option to SafeList
  • Click on the Run Scan button.
  • Two reports will open, OTL.txt and Extra.txt
  • Close them and quit OTL
In your next reply please copy and paste the contents of the following logs:

  • AdwCleaner => it is C:\AdwCleaner[S1].txt
  • Roguekiller => RKreport[1].txt that is on your desktop.
  • OTL => OTL.txt and Extras.txt that are on your Desktop

Regards


[EDIT:typo]

Edited by Clairvoyant, 04 November 2012 - 05:42 PM.


#6 Elise

  • Malware Study Hall Admin

Posted 06 November 2012 - 02:02 AM

It looks like this may be the same help request as posted here: http://forums.malwarebytes.org/index.php?showtopic=117646

If this is the case this topic will be closed.

regards, Elise




#7 Elise

  • Malware Study Hall Admin

Posted 08 November 2012 - 05:20 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

regards, Elise






