Infections removed by AVG and MBAM, now RunDLL popups at boot-up


This topic is locked
13 replies to this topic

#1 lugnuts9


Posted 23 January 2013 - 08:54 AM

Hello, and thanks in advance!

Laptop computer running Windows 7 and IE. AVG Free 2013 and MBAM, updated and run several times per week.

Machine has been running OK. AVG suddenly discovers 9 infections: ***EDIT - Added here***

Virus found Win32/Cryptor (2 of them in SysWOW64\rundll32.exe)
Virus found Win32/Cryptor (4 of them in iexplore.exe)
Virus found Win32/Cryptor (1 found in SysWOW64\Macromed\Flash....)
Trojan horse Agent4.TON (found in \Users\name\rxvovabaqwrjnyllkyzv.exe)
Found registry key with reference to infected file C\Users\AppData\Roaming\nesiz.dll

All 9 were removed according to AVG


Now, on startup, I am getting 2 popup windows: (Run DLL) There was a problem starting C:\Users\AppData\Roaming\dsynes.dll (and nesiz.dll)



Below is what MBAM found during the last 2 scans: (Below that are the DDS logs)

---------------------------------------
First object found:

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|uishe (Trojan.RedirRdll2.Gen) -> Data: rundll32.exe "C:\Users\Kevin\AppData\Roaming\uishe.dll",HrIsStreamUnicode -> Quarantined and deleted successfully.

Files Detected: 1
C:\Users\Kevin\AppData\Roaming\uishe.dll (Trojan.RedirRdll2.Gen) -> Quarantined and deleted successfully.
--------------------------------------------------
Last object found:

Files Detected: 2
C:\Users\Kevin\AppData\Local\Temp\msimg32.dll (Backdoor.0Access) -> Quarantined and deleted successfully.
C:\Users\Kevin\pmomrebcktfpodtfglyuew.exe (Backdoor.0Access) -> Quarantined and deleted successfully.
--------------------------------------------------


DDS Logs:


DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16457 BrowserJavaVersion: 10.10.2
Run by Kevin at 8:37:29 on 2013-01-23
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3819.1703 [GMT -5:00]
.
AV: AVG Anti-Virus Free Edition 2013 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG Anti-Virus Free Edition 2013 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG2013\avgrsa.exe
C:\Program Files (x86)\AVG\AVG2013\avgcsrva.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe
C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\CxAudMsg64.exe
C:\Program Files (x86)\Launch Manager\dsiwmis.exe
C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
C:\Program Files (x86)\Launch Manager\LMutilps32.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Acer\Registration\GREGsvc.exe
C:\Program Files\Acer\Acer Updater\UpdaterService.exe
C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe
C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe
C:\Program Files (x86)\AVG\AVG2013\avgemca.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe
C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe
C:\Program Files (x86)\Launch Manager\LManager.exe
C:\Program Files (x86)\AVG\AVG2013\avgui.exe
C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Launch Manager\LMworker.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe
C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_146_ActiveX.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Program Files (x86)\AVG\AVG2013\avgcsrva.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://gmail.com/
uDefault_Page_URL = hxxp://acer.msn.com
mStart Page = hxxp://acer.msn.com
mDefault_Page_URL = hxxp://acer.msn.com
mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27B4851A-3207-45A2-B947-BE8AFE6163AB} -
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
uRun: [nesiz] "C:\Windows\System32\rundll32.exe" "C:\Users\Kevin\AppData\Roaming\nesiz.dll",OverflowError
uRun: [dsynes] "C:\Windows\System32\rundll32.exe" "C:\Users\Kevin\AppData\Roaming\dsynes.dll",EvalFrameEx
mRun: [SuiteTray] "C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe"
mRun: [EgisTecPMMUpdate] "C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe"
mRun: [EgisUpdate] "C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe" -d
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
dRunOnce: [IsMyWinLockerReboot] msiexec.exe /qn /x{voidguid}
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{900D72B3-9BE0-474A-B242-BB3D473EBBB9} : DHCPNameServer = 192.168.182.1
TCP: Interfaces\{F353B5B9-4D1C-4A3D-90C1-5854C14EC346} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{F353B5B9-4D1C-4A3D-90C1-5854C14EC346}\16074757E696E676 : DHCPNameServer = 68.87.64.146 68.87.75.194 192.168.1.1
TCP: Interfaces\{F353B5B9-4D1C-4A3D-90C1-5854C14EC346}\45D2D4F62696C656022427F616462616E6469353 : DHCPNameServer = 192.168.0.1 192.168.0.1
TCP: Interfaces\{F353B5B9-4D1C-4A3D-90C1-5854C14EC346}\5434646403 : DHCPNameServer = 192.168.1.1 71.242.0.12
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Acer\Acer VCM\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
x64-mStart Page = hxxp://acer.msn.com
x64-mDefault_Page_URL = hxxp://acer.msn.com
x64-BHO: McAfee Phishing Filter: {27B4851A-3207-45A2-B947-BE8AFE6163AB} -
x64-BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [Acer ePower Management] C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
x64-DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
x64-Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHA;AVGIDSHA;C:\Windows\System32\drivers\avgidsha.sys [2012-10-15 63328]
R0 Avgloga;AVG Logging Driver;C:\Windows\System32\drivers\avgloga.sys [2012-9-21 225120]
R0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\drivers\avgmfx64.sys [2012-11-15 111968]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2012-9-14 40800]
R1 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\drivers\avgidsdrivera.sys [2012-10-22 154464]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\drivers\avgldx64.sys [2012-10-2 185696]
R1 Avgtdia;AVG TDI Driver;C:\Windows\System32\drivers\avgtdia.sys [2012-9-21 200032]
R1 mwlPSDFilter;mwlPSDFilter;C:\Windows\System32\drivers\mwlPSDFilter.sys [2011-4-18 22912]
R1 mwlPSDNServ;mwlPSDNServ;C:\Windows\System32\drivers\mwlPSDNserv.sys [2011-4-18 20328]
R1 mwlPSDVDisk;mwlPSDVDisk;C:\Windows\System32\drivers\mwlPSDVDisk.sys [2011-4-18 62584]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2011-4-18 203776]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [2012-11-15 5814904]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [2012-10-22 196664]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2012-1-4 822624]
R2 CxAudMsg;Conexant Audio Message Service;C:\Windows\System32\CxAudMsg64.exe [2011-7-7 198784]
R2 DsiWMIService;Dritek WMI Service;C:\Program Files (x86)\Launch Manager\dsiwmis.exe [2011-4-18 352336]
R2 ePowerSvc;Acer ePower Service;C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe [2011-7-7 868224]
R2 GREGService;GREGService;C:\Program Files (x86)\Acer\Registration\GREGsvc.exe [2010-1-8 23584]
R2 Live Updater Service;Live Updater Service;C:\Program Files\Acer\Acer Updater\UpdaterService.exe [2011-4-18 244624]
R2 NOBU;Norton Online Backup;C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2010-6-1 2804568]
R2 RS_Service;Raw Socket Service;C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe [2011-4-18 260640]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-1 508776]
R2 TeamViewer6;TeamViewer 6;C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2011-11-9 2358656]
R2 TeamViewer7;TeamViewer 7;C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [2012-3-19 2666880]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2011-4-18 115216]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\System32\drivers\L1C62x64.sys [2011-4-18 77424]
R3 Sftfs;Sftfs;C:\Windows\System32\drivers\Sftfslh.sys [2011-10-1 764264]
R3 Sftplay;Sftplay;C:\Windows\System32\drivers\Sftplaylh.sys [2011-10-1 268648]
R3 Sftredir;Sftredir;C:\Windows\System32\drivers\Sftredirlh.sys [2011-10-1 25960]
R3 Sftvol;Sftvol;C:\Windows\System32\drivers\Sftvollh.sys [2011-10-1 22376]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-1 219496]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\System32\drivers\usbfilter.sys [2011-7-7 44672]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 EgisTec Ticket Service;EgisTec Ticket Service;C:\Program Files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe [2010-9-27 172912]
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2011-4-18 250984]
S3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;C:\Windows\System32\drivers\silabenm.sys [2011-10-1 27336]
S3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;C:\Windows\System32\drivers\silabser.sys [2011-9-28 71168]
S3 Svk2pl;GigawareX USB to Serial Driver;C:\Windows\System32\drivers\Svk2pl64.sys [2010-4-1 97280]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-9-8 1255736]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2013-01-22 17:35:15 -------- d-----w- C:\ProgramData\AVG January 2013 Campaign
2013-01-14 03:04:56 -------- d-----w- C:\Users\Kevin\AppData\Local\{81DD2DFC-D507-4090-8B9D-B003870E2330}
2013-01-11 07:04:02 -------- d-----w- C:\Users\Kevin\AppData\Local\{FA529025-FA72-4A81-B29B-9090BF2AF5A3}
2013-01-09 01:03:08 750592 ----a-w- C:\Windows\System32\win32spl.dll
2013-01-09 01:03:07 492032 ----a-w- C:\Windows\SysWow64\win32spl.dll
2013-01-09 01:01:50 424448 ----a-w- C:\Windows\System32\KernelBase.dll
2013-01-06 05:13:55 -------- d-----w- C:\Users\Kevin\AppData\Local\{51580A6C-1142-4324-84EC-46280535D32B}
2013-01-03 17:44:21 -------- d-----w- C:\Users\Kevin\AppData\Roaming\Malwarebytes
2013-01-03 17:44:00 -------- d-----w- C:\ProgramData\Malwarebytes
2013-01-03 17:43:58 24176 ----a-w- C:\Windows\System32\drivers\mbam.sys
2013-01-03 17:43:58 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-01-03 17:42:53 -------- d-----w- C:\Users\Kevin\AppData\Local\Programs
2012-12-27 17:24:47 95184 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
.
==================== Find3M ====================
.
2013-01-09 07:43:53 74248 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-01-09 07:43:53 697864 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-12-27 17:24:29 859072 ----a-w- C:\Windows\SysWow64\npdeployJava1.dll
2012-12-27 17:24:29 779704 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-12-16 17:11:22 46080 ----a-w- C:\Windows\System32\atmlib.dll
2012-12-16 14:45:03 367616 ----a-w- C:\Windows\System32\atmfd.dll
2012-12-16 14:13:28 295424 ----a-w- C:\Windows\SysWow64\atmfd.dll
2012-12-16 14:13:20 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2012-12-07 13:20:16 441856 ----a-w- C:\Windows\System32\Wpc.dll
2012-12-07 13:15:31 2746368 ----a-w- C:\Windows\System32\gameux.dll
2012-12-07 12:26:17 308736 ----a-w- C:\Windows\SysWow64\Wpc.dll
2012-12-07 12:20:43 2576384 ----a-w- C:\Windows\SysWow64\gameux.dll
2012-12-07 11:20:04 30720 ----a-w- C:\Windows\System32\usk.rs
2012-12-07 11:20:03 43520 ----a-w- C:\Windows\System32\csrr.rs
2012-12-07 11:20:03 23552 ----a-w- C:\Windows\System32\oflc.rs
2012-12-07 11:20:01 45568 ----a-w- C:\Windows\System32\oflc-nz.rs
2012-12-07 11:20:01 44544 ----a-w- C:\Windows\System32\pegibbfc.rs
2012-12-07 11:20:01 20480 ----a-w- C:\Windows\System32\pegi-fi.rs
2012-12-07 11:20:00 20480 ----a-w- C:\Windows\System32\pegi-pt.rs
2012-12-07 11:19:59 20480 ----a-w- C:\Windows\System32\pegi.rs
2012-12-07 11:19:58 46592 ----a-w- C:\Windows\System32\fpb.rs
2012-12-07 11:19:57 40960 ----a-w- C:\Windows\System32\cob-au.rs
2012-12-07 11:19:57 21504 ----a-w- C:\Windows\System32\grb.rs
2012-12-07 11:19:57 15360 ----a-w- C:\Windows\System32\djctq.rs
2012-12-07 11:19:56 55296 ----a-w- C:\Windows\System32\cero.rs
2012-12-07 11:19:55 51712 ----a-w- C:\Windows\System32\esrb.rs
2012-11-30 22:42:12 76464 ----a-w- C:\Windows\System32\drivers\ftdibus.sys
2012-11-30 22:42:12 256944 ----a-w- C:\Windows\System32\ftd2xx.dll
2012-11-30 22:42:12 219056 ----a-w- C:\Windows\SysWow64\ftd2xx.dll
2012-11-30 22:42:12 214960 ----a-w- C:\Windows\System32\FTLang.dll
2012-11-30 22:42:12 108976 ----a-w- C:\Windows\System32\ftbusui.dll
2012-11-30 05:45:35 362496 ----a-w- C:\Windows\System32\wow64win.dll
2012-11-30 05:45:35 243200 ----a-w- C:\Windows\System32\wow64.dll
2012-11-30 05:45:35 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2012-11-30 05:45:14 215040 ----a-w- C:\Windows\System32\winsrv.dll
2012-11-30 05:43:12 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2012-11-30 04:54:00 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2012-11-30 04:53:59 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2012-11-30 03:23:48 338432 ----a-w- C:\Windows\System32\conhost.exe
2012-11-30 02:44:06 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2012-11-30 02:44:04 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2012-11-30 02:44:04 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2012-11-30 02:44:03 2048 ----a-w- C:\Windows\SysWow64\user.exe
2012-11-30 02:38:59 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2012-11-30 02:38:59 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2012-11-30 02:38:59 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2012-11-30 02:38:59 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2012-11-23 03:26:31 3149824 ----a-w- C:\Windows\System32\win32k.sys
2012-11-23 03:13:57 68608 ----a-w- C:\Windows\System32\taskhost.exe
2012-11-22 05:44:23 800768 ----a-w- C:\Windows\System32\usp10.dll
2012-11-22 04:45:03 626688 ----a-w- C:\Windows\SysWow64\usp10.dll
2012-11-20 05:48:49 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2012-11-20 04:51:09 220160 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2012-11-16 04:33:24 111968 ----a-w- C:\Windows\System32\drivers\avgmfx64.sys
2012-11-14 06:11:44 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2012-11-14 06:04:11 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-11-14 06:02:49 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-11-14 05:57:46 599040 ----a-w- C:\Windows\System32\vbscript.dll
2012-11-14 05:57:35 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-11-14 05:52:40 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-11-14 02:09:22 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-11-14 01:58:15 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-11-14 01:57:37 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-11-14 01:49:25 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-11-14 01:48:27 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
2012-11-14 01:44:42 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-11-09 05:45:09 2048 ----a-w- C:\Windows\System32\tzres.dll
2012-11-09 04:42:49 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2012-11-02 05:59:11 478208 ----a-w- C:\Windows\System32\dpnet.dll
2012-11-02 05:11:31 376832 ----a-w- C:\Windows\SysWow64\dpnet.dll
2012-11-01 05:43:42 2002432 ----a-w- C:\Windows\System32\msxml6.dll
2012-11-01 05:43:42 1882624 ----a-w- C:\Windows\System32\msxml3.dll
2012-11-01 04:47:54 1389568 ----a-w- C:\Windows\SysWow64\msxml6.dll
2012-11-01 04:47:54 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll
.
============= FINISH: 8:38:31.68 ===============


-----------------------------------------------------------------------------------------------------------------
DDS Attach file:



.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 9/7/2011 4:01:58 PM
System Uptime: 1/23/2013 7:30:38 AM (1 hours ago)
.
Motherboard: Acer | | AO722
Processor: AMD C-50 Processor | Socket FT1 | 1000/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 453 GiB total, 380.623 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP107: 12/13/2012 5:18:28 PM - Windows Update
RP108: 12/22/2012 11:59:52 PM - Windows Update
RP109: 12/24/2012 9:28:19 PM - Removed Times Reader
RP110: 12/24/2012 9:30:14 PM - Removed eBay Worldwide
RP111: 12/24/2012 9:31:14 PM - Removed eBay Worldwide
RP112: 12/27/2012 12:22:47 PM - Installed Java 7 Update 10
RP113: 1/4/2013 10:33:50 PM - Scheduled Checkpoint
RP114: 1/9/2013 3:00:40 AM - Windows Update
RP115: 1/17/2013 8:49:25 AM - Scheduled Checkpoint
.
==== Installed Programs ======================
.
Acer Crystal Eye Webcam
Acer ePower Management
Acer eRecovery Management
Acer Games
Acer Registration
Acer ScreenSaver
Acer Updater
Acer VCM
Acrobat.com
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Reader 9.5.3 MUI
Agatha Christie - 4:50 from Paddington
Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver
ATI Catalyst Install Manager
Autronic calibration program AUTO TUNE
Autronic SM4 5v2x
AVG 2013
Bejeweled 2 Deluxe
Bonjour
Build-a-lot 2
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-core-static
ccc-utility64
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
Chuzzle Deluxe
Conexant HD Audio
Contrôle ActiveX Windows Live Mesh pour connexions à distance
D3DX10
Diner Dash 2 Restaurant Rescue
Dora's World Adventure
EurodyneFlash 4.4.6
FATE - The Traitor Soul
Final Drive: Nitro
Galerie de photos Windows Live
Haltech Data Log Viewer 1.0.3
Haltech ECU Manager 1.10.2
Hondata s300 ECU Editor
HP ePrint
HP Postscript Converter
HP Unified IO
Identity Card
Java 7 Update 10
Java Auto Updater
Java™ 7 (64-bit)
JavaFX 2.0.3
Jewel Quest Heritage
Junk Mail filter update
Launch Manager
Maestro 3.4.2
Malwarebytes Anti-Malware version 1.70.0.1100
MegaLogViewer
Mesh Runtime
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Office 2010
Microsoft Office Click-to-Run 2010
Microsoft Office Starter 2010 - English
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
MoTeC Comms Drivers 1.0
MoTeC ECU Manager 3.5
MoTeC i2 Standard
MSVCRT
MSVCRT_amd64
Mystery P.I. - Stolen in San Francisco
MyWinLocker
MyWinLocker 4
MyWinLocker Suite
Namco All-Stars: PAC-MAN
newsXpresso
NOOK for PC
Norton Online Backup
Penguins!
PL-2303 USB-to-Serial
Plants vs. Zombies - Game of the Year
Poker Superstars III
Polar Bowler
Polar Golfer
Realtek USB 2.0 Card Reader
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Shredder
Silicon Laboratories CP210x USB to UART Bridge (Driver Removal)
Synaptics Pointing Device Driver
TeamViewer 6
TeamViewer 7
Torchlight
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update Installer for WildTangent Games App
VemsTune
Vi-PEC USB ECU (Driver Removal)
Virtual Villagers 4 - The Tree of Life
Visual Studio 2008 x64 Redistributables
Visual Studio 2010 x64 Redistributables
VTS V4.8.5
Welcome Center
WildTangent Games App (Acer Games)
Windows Driver Package - FTDI CDM Driver Package (10/22/2009 2.06.00)
Windows Driver Package - MoTeC Pty Ltd MoTeC USB Driver Package (03/18/2011 2.08.14)
Windows Live
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Language Selector
Windows Live Mail
Windows Live Mesh
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live Remote Client
Windows Live Remote Client Resources
Windows Live Remote Service
Windows Live Remote Service Resources
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
WinPEP 7
WMV9/VC-1 Video Playback
XChat 2 (remove only)
Yahoo! Messenger
Zuma's Revenge
.
==== Event Viewer Messages From Past Week ========
.
1/23/2013 7:31:50 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: cdrom
1/23/2013 7:31:30 AM, Error: Service Control Manager [7006] - The ScRegSetValueExW call failed for FailureActions with the following error: Access is denied.
1/22/2013 3:23:20 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
1/22/2013 3:23:19 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
1/22/2013 3:23:19 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
1/22/2013 3:23:18 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
1/22/2013 3:23:18 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
1/22/2013 3:23:17 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
1/22/2013 3:23:11 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
1/22/2013 3:22:38 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AVGIDSDriver Avgldx64 Avgtdia cdrom DfsC discache mwlPSDFilter mwlPSDNServ mwlPSDVDisk NetBIOS NetBT nsiproxy Psched rdbss spldr tdx vwififlt Wanarpv6 WfpLwf
1/22/2013 3:22:38 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
1/22/2013 3:22:38 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
1/22/2013 3:22:38 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
1/22/2013 3:22:38 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
1/22/2013 3:22:38 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
1/22/2013 3:22:38 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
1/22/2013 3:22:38 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
1/22/2013 3:22:38 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
1/22/2013 3:22:38 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/22/2013 3:22:38 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
1/22/2013 3:22:38 PM, Error: Service Control Manager [7001] - The Conexant Audio Message Service service depends on the Windows Audio service which failed to start because of the following error: The dependency service or group failed to start.
1/22/2013 3:22:38 PM, Error: Service Control Manager [7001] - The Client Virtualization Handler service depends on the Application Virtualization Client service which failed to start because of the following error: The dependency service or group failed to start.
1/22/2013 3:22:38 PM, Error: Service Control Manager [7001] - The AVGIDSAgent service depends on the AVGIDSDriver service which failed to start because of the following error: A device attached to the system is not functioning.
1/22/2013 3:02:43 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Error Reporting Service service to connect.
.
==== End Of File ===========================

Edited by lugnuts9, 23 January 2013 - 09:53 AM.



#2 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  • Gender:Male
  • Location:New York
  • Local time:01:58 AM

Posted 26 January 2013 - 11:48 AM

Hi lugnuts9, and welcome to the Malware Removal Forum! :thumbsup:

My name is bloopie and I'll be helping you with your problems as best I can! :thumbup2:

A few things to keep in mind while we are working together:

  • If you have since resolved the original problem you were having, I would appreciate it if you let me know.
  • If you are unsure about any of the steps just post what you can and I will guide you!
  • Please tell me if you have your original Windows CD/DVD available.
  • Please copy and paste all logs here unless otherwise instructed!
  • Upon completing the steps below I will review your topic and do my best to resolve your issues.

==========

Your logs are showing evidence of a nasty rootkit called ZeroAccess:

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you'd still like to go on with the cleaning process, then continue reading.

==========

TeamViewer 6
TeamViewer 7

Are you aware that these programs are installed on your computer?

==========

Step :step1:

Run RogueKiller

Download RogueKiller from here or here and save it to your desktop.

  • Close all programs and disconnect any USB or external drives before running the tool.
  • Right-click RogueKiller.exe and select Run as Administrator.
  • Once the Prescan has finished, click Scan.
  • Once the Status box shows "Scan Finished", click Delete.
  • When the Status box shows "Deleting Finished", click Report and then copy and paste the log in your next reply.
  • The log can also be found at RKreport[1].txt on your desktop.

==========

Step :step2:

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • You will be prompted to restart your computer. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

==========

Step :step3:

Please download aswMBR ( 4.5MB ) to your desktop.
  • Double click the aswMBR.exe icon, and click Run.
  • When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.

==========

In your next reply, please include the following:

  • The RogueKiller log
  • The adwCleaner log
  • The aswMBR log
  • How is the computer running now?

bloopie

#3 lugnuts9

lugnuts9
  • Topic Starter

  • Members
  • 79 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:58 AM

Posted 26 January 2013 - 04:14 PM

Thanks bloopie for the reply and the help! Yes, I use TV6 and TV7 myself for my work.

RogueKiller generated 2 logs, one before deleting and one after. Both are included.

The computer has been working fine before and now.

I do not have a Windows disc, I bought this computer brand new and it was already installed.

-------------------------------------------------------------------------------------

RogueKiller V8.4.3 [Jan 26 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Kevin [Admin rights]
Mode : Scan -- Date : 01/26/2013 15:43:58
| ARK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 9 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : nesiz ("C:\Windows\System32\rundll32.exe" "C:\Users\Kevin\AppData\Roaming\nesiz.dll",OverflowError) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : dsynes ("C:\Windows\System32\rundll32.exe" "C:\Users\Kevin\AppData\Roaming\dsynes.dll",EvalFrameEx) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3590067006-1983762720-3159152320-1000[...]\Run : nesiz ("C:\Windows\System32\rundll32.exe" "C:\Users\Kevin\AppData\Roaming\nesiz.dll",OverflowError) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3590067006-1983762720-3159152320-1000[...]\Run : dsynes ("C:\Windows\System32\rundll32.exe" "C:\Users\Kevin\AppData\Roaming\dsynes.dll",EvalFrameEx) -> FOUND
[TASK][SUSP PATH] ROC_REG_JAN_DELETE.job : C:\ProgramData\AVG January 2013 Campaign\ROC.exe /DELETE_FROM_SYSTEM=1 -> FOUND
[TASK][SUSP PATH] ROC_REG_JAN_DELETE : C:\ProgramData\AVG January 2013 Campaign\ROC.exe /DELETE_FROM_SYSTEM=1 -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-21-3590067006-1983762720-3159152320-1000\$af61fd11fd05f2f4976f019f160c7d35\n.) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-3590067006-1983762720-3159152320-1000\$af61fd11fd05f2f4976f019f160c7d35\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-3590067006-1983762720-3159152320-1000\$af61fd11fd05f2f4976f019f160c7d35\U --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-3590067006-1983762720-3159152320-1000\$af61fd11fd05f2f4976f019f160c7d35\L --> FOUND

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts



¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD5000BPVT-22HXZT1 ATA Device +++++
--- User ---
[MBR] 3b0652f596a8ae0aaabfa5367bd7a1f6
[BSP] 5fc1458c3914bb319a30267da866a35c : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 13312 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 27265024 | Size: 100 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 27469824 | Size: 463526 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_01262013_02d1543.txt >>
RKreport[1]_S_01262013_02d1543.txt

-----------------------------------------------------------------------------------------


RogueKiller V8.4.3 [Jan 26 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Kevin [Admin rights]
Mode : Remove -- Date : 01/26/2013 15:45:44
| ARK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 7 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : nesiz ("C:\Windows\System32\rundll32.exe" "C:\Users\Kevin\AppData\Roaming\nesiz.dll",OverflowError) -> DELETED
[RUN][SUSP PATH] HKCU\[...]\Run : dsynes ("C:\Windows\System32\rundll32.exe" "C:\Users\Kevin\AppData\Roaming\dsynes.dll",EvalFrameEx) -> DELETED
[TASK][SUSP PATH] ROC_REG_JAN_DELETE.job : C:\ProgramData\AVG January 2013 Campaign\ROC.exe /DELETE_FROM_SYSTEM=1 -> DELETED
[TASK][SUSP PATH] ROC_REG_JAN_DELETE : C:\ProgramData\AVG January 2013 Campaign\ROC.exe /DELETE_FROM_SYSTEM=1 -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-21-3590067006-1983762720-3159152320-1000\$af61fd11fd05f2f4976f019f160c7d35\n.) -> REPLACED (C:\Windows\system32\shell32.dll)

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-3590067006-1983762720-3159152320-1000\$af61fd11fd05f2f4976f019f160c7d35\@ --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-21-3590067006-1983762720-3159152320-1000\$af61fd11fd05f2f4976f019f160c7d35\U --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-21-3590067006-1983762720-3159152320-1000\$af61fd11fd05f2f4976f019f160c7d35\L --> REMOVED

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts



¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD5000BPVT-22HXZT1 ATA Device +++++
--- User ---
[MBR] 3b0652f596a8ae0aaabfa5367bd7a1f6
[BSP] 5fc1458c3914bb319a30267da866a35c : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 13312 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 27265024 | Size: 100 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 27469824 | Size: 463526 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_01262013_02d1545.txt >>
RKreport[1]_S_01262013_02d1543.txt ; RKreport[2]_D_01262013_02d1545.txt

-------------------------------------------------------------------------------------------------



# AdwCleaner v2.108 - Logfile created 01/26/2013 at 15:49:38
# Updated 24/01/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Kevin - ACEROFBASER
# Boot Mode : Normal
# Running from : C:\Users\Kevin\Desktop\AdwCleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Deleted : HKLM\Software\AVG Secure Search

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Registry is clean.

*************************

AdwCleaner[S1].txt - [565 octets] - [26/01/2013 15:49:38]

########## EOF - C:\AdwCleaner[S1].txt - [624 octets] ##########

-----------------------------------------------------------------------------------------------------------



aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2013-01-26 15:55:10
-----------------------------
15:55:10.952 OS Version: Windows x64 6.1.7601 Service Pack 1
15:55:10.952 Number of processors: 2 586 0x100
15:55:10.952 ComputerName: ACEROFBASER UserName: Kevin
15:55:13.152 Initialize success
15:56:36.452 AVAST engine defs: 13012601
15:56:48.807 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
15:56:48.807 Disk 0 Vendor: WDC_WD5000BPVT-22HXZT1 01.01A01 Size: 476940MB BusType: 11
15:56:48.870 Disk 0 MBR read successfully
15:56:48.870 Disk 0 MBR scan
15:56:48.901 Disk 0 Windows 7 default MBR code
15:56:48.932 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 13312 MB offset 2048
15:56:48.963 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 27265024
15:56:48.994 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 463526 MB offset 27469824
15:56:49.041 Disk 0 scanning C:\Windows\system32\drivers
15:57:06.404 Service scanning
15:57:48.259 Modules scanning
15:57:48.275 Disk 0 trace - called modules:
15:57:48.321 ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
15:57:48.337 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80042a5060]
15:57:48.353 3 CLASSPNP.SYS[fffff880019a943f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8003dc65c0]
15:57:50.474 AVAST engine scan C:\Windows
15:57:54.967 AVAST engine scan C:\Windows\system32
16:04:14.266 AVAST engine scan C:\Windows\system32\drivers
16:04:36.028 AVAST engine scan C:\Users\Kevin
16:05:44.122 Disk 0 MBR has been saved successfully to "C:\Users\Kevin\Desktop\MBR.dat"
16:05:44.138 The log file has been saved successfully to "C:\Users\Kevin\Desktop\aswMBR.txt"

-------------------------------------------------------------------------------------------------------------------

End of logs.

Edited by lugnuts9, 26 January 2013 - 04:18 PM.


#4 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  • Gender:Male
  • Location:New York
  • Local time:01:58 AM

Posted 27 January 2013 - 11:21 AM

Hi again,

Yes, your system was infected with the nasty rootkit and probably would have gotten reinfected without removing those critical files and folders. However, we're not done yet:

Step :step1:

Run Combofix

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job...this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
  • Close any open browsers or any other programs that are open.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you C:\Combofix.txt. Please include that in your next reply.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

==========

Step :step2:

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:

    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

==========

In your next reply, please include the following:

  • The Combofix log
  • The FSS log
  • Everything still running okay?
bloopie

#5 lugnuts9

lugnuts9
  • Topic Starter

  • Members
  • 79 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:58 AM

Posted 27 January 2013 - 04:58 PM

Logs as requested. The computer is working well. Thanks!





ComboFix 13-01-27.03 - Kevin 01/27/2013 16:31:12.2.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3819.2582 [GMT -5:00]
Running from: C:\Users\Kevin\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2013 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: AVG Anti-Virus Free Edition 2013 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}


((((((((((((((((((((((((( Files Created from 2012-12-27 to 2013-01-27 )))))))))))))))))))))))))))))))


2013-01-27 21:42:03 . 2013-01-27 21:42:03 -------- d-----w- C:\Users\Default\AppData\Local\temp
2013-01-24 23:35:21 . 2013-01-12 08:30:18 95648 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-01-23 15:14:18 . 2013-01-23 15:14:18 -------- d-----w- C:\Program Files (x86)\ESET
2013-01-22 17:35:15 . 2013-01-22 17:37:02 -------- d-----w- C:\ProgramData\AVG January 2013 Campaign
2013-01-10 17:00:12 . 2013-01-10 17:00:12 -------- d-----w- C:\Users\Default\AppData\Roaming\TuneUp Software
2013-01-09 01:03:08 . 2012-11-09 05:45:32 750592 ----a-w- C:\Windows\system32\win32spl.dll
2013-01-09 01:03:07 . 2012-11-09 04:43:04 492032 ----a-w- C:\Windows\SysWow64\win32spl.dll
2013-01-09 01:01:50 . 2012-11-30 05:41:07 424448 ----a-w- C:\Windows\system32\KernelBase.dll
2013-01-03 17:44:21 . 2013-01-03 17:44:21 -------- d-----w- C:\Users\Kevin\AppData\Roaming\Malwarebytes
2013-01-03 17:44:00 . 2013-01-03 17:44:00 -------- d-----w- C:\ProgramData\Malwarebytes
2013-01-03 17:43:58 . 2013-01-03 17:44:06 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-01-03 17:43:58 . 2012-12-14 21:49:28 24176 ----a-w- C:\Windows\system32\drivers\mbam.sys
2013-01-03 17:42:53 . 2013-01-03 17:42:53 -------- d-----w- C:\Users\Kevin\AppData\Local\Programs
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2013-01-09 08:06:03 . 2011-09-11 02:33:42 67599240 ----a-w- C:\Windows\system32\MRT.exe
2013-01-09 07:43:53 . 2012-05-29 22:42:18 697864 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-01-09 07:43:53 . 2011-12-05 01:24:55 74248 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-12-27 17:24:29 . 2012-04-21 17:56:46 859072 ----a-w- C:\Windows\SysWow64\npdeployJava1.dll
2012-12-27 17:24:29 . 2011-09-16 23:57:42 779704 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-12-16 17:11:22 . 2012-12-23 05:00:51 46080 ----a-w- C:\Windows\system32\atmlib.dll
2012-12-16 14:45:03 . 2012-12-23 05:00:50 367616 ----a-w- C:\Windows\system32\atmfd.dll
2012-12-16 14:13:28 . 2012-12-23 05:00:49 295424 ----a-w- C:\Windows\SysWow64\atmfd.dll
2012-12-16 14:13:20 . 2012-12-23 05:00:51 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2012-11-30 22:42:12 . 2012-11-30 22:42:12 76464 ----a-w- C:\Windows\system32\drivers\ftdibus.sys
2012-11-30 22:42:12 . 2012-11-30 22:42:12 256944 ----a-w- C:\Windows\system32\ftd2xx.dll
2012-11-30 22:42:12 . 2012-11-30 22:42:12 219056 ----a-w- C:\Windows\SysWow64\ftd2xx.dll
2012-11-30 22:42:12 . 2012-11-30 22:42:12 214960 ----a-w- C:\Windows\system32\FTLang.dll
2012-11-30 22:42:12 . 2012-11-30 22:42:12 108976 ----a-w- C:\Windows\system32\ftbusui.dll
2012-11-30 04:45:10 . 2013-01-09 01:01:48 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2012-11-16 04:33:24 . 2012-11-16 04:33:24 111968 ----a-w- C:\Windows\system32\drivers\avgmfx64.sys
2012-11-14 07:06:18 . 2012-12-12 11:13:15 17811968 ----a-w- C:\Windows\system32\mshtml.dll
2012-11-14 06:32:33 . 2012-12-12 11:13:13 10925568 ----a-w- C:\Windows\system32\ieframe.dll
2012-11-14 06:11:44 . 2012-12-12 11:13:37 2312704 ----a-w- C:\Windows\system32\jscript9.dll
2012-11-14 06:04:44 . 2012-12-12 11:13:38 1346048 ----a-w- C:\Windows\system32\urlmon.dll
2012-11-14 06:04:11 . 2012-12-12 11:13:33 1392128 ----a-w- C:\Windows\system32\wininet.dll
2012-11-14 06:02:49 . 2012-12-12 11:13:37 1494528 ----a-w- C:\Windows\system32\inetcpl.cpl
2012-11-14 06:02:04 . 2012-12-12 11:13:40 237056 ----a-w- C:\Windows\system32\url.dll
2012-11-14 05:59:52 . 2012-12-12 11:13:31 85504 ----a-w- C:\Windows\system32\jsproxy.dll
2012-11-14 05:58:36 . 2012-12-12 11:13:28 816640 ----a-w- C:\Windows\system32\jscript.dll
2012-11-14 05:57:46 . 2012-12-12 11:13:28 599040 ----a-w- C:\Windows\system32\vbscript.dll
2012-11-14 05:57:35 . 2012-12-12 11:13:41 173056 ----a-w- C:\Windows\system32\ieUnatt.exe
2012-11-14 05:55:45 . 2012-12-12 11:13:27 2144768 ----a-w- C:\Windows\system32\iertutil.dll
2012-11-14 05:55:26 . 2012-12-12 11:13:36 729088 ----a-w- C:\Windows\system32\msfeeds.dll
2012-11-14 05:53:22 . 2012-12-12 11:13:45 96768 ----a-w- C:\Windows\system32\mshtmled.dll
2012-11-14 05:52:40 . 2012-12-12 11:13:47 2382848 ----a-w- C:\Windows\system32\mshtml.tlb
2012-11-14 05:46:25 . 2012-12-12 11:13:41 248320 ----a-w- C:\Windows\system32\ieui.dll
2012-11-14 02:09:22 . 2012-12-12 11:13:29 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-11-14 01:58:15 . 2012-12-12 11:13:37 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-11-14 01:57:37 . 2012-12-12 11:13:33 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-11-14 01:49:25 . 2012-12-12 11:13:41 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-11-14 01:48:27 . 2012-12-12 11:13:44 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
2012-11-14 01:44:42 . 2012-12-12 11:13:46 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-11-09 05:45:09 . 2012-12-12 00:20:22 2048 ----a-w- C:\Windows\system32\tzres.dll
2012-11-09 04:42:49 . 2012-12-12 00:20:22 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2012-11-02 05:59:11 . 2012-12-12 00:19:32 478208 ----a-w- C:\Windows\system32\dpnet.dll
2012-11-02 05:11:31 . 2012-12-12 00:19:32 376832 ----a-w- C:\Windows\SysWow64\dpnet.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SuiteTray"="C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe" [2010-09-28 02:00:56 340336]
"EgisTecPMMUpdate"="C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe" [2010-09-17 23:10:16 407920]
"EgisUpdate"="C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe" [2010-09-17 23:10:02 201584]
"Adobe Reader Speed Launcher"="C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-12-19 14:39:05 41208]
"LManager"="C:\Program Files (x86)\Launch Manager\LManager.exe" [2011-03-14 11:44:34 1081424]
"StartCCC"="C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-01-11 20:42:36 336384]
"Adobe ARM"="C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 07:35:28 946352]
"AVG_UI"="C:\Program Files (x86)\AVG\AVG2013\avgui.exe" [2012-12-11 08:52:44 3147384]
"SunJavaUpdateSched"="C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 14:04:54 252848]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"IsMyWinLockerReboot"="msiexec.exe" [2010-11-21 03:24:28 73216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 18:27:14 138576]
R3 EgisTec Ticket Service;EgisTec Ticket Service;C:\Program Files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe [2010-09-28 01:09:54 172912]
R3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 17:59:12 206072]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\Drivers\RtsUStor.sys [2010-12-01 08:12:06 250984]
R3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;C:\Windows\system32\DRIVERS\silabenm.sys [2010-07-28 14:19:28 27336]
R3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;C:\Windows\system32\DRIVERS\silabser.sys [2011-09-28 22:03:12 71168]
R3 Svk2pl;GigawareX USB to Serial Driver;C:\Windows\system32\DRIVERS\Svk2pl64.sys [2010-04-01 11:54:22 97280]
R3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys [2010-11-21 03:24:33 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys [2010-11-21 03:23:47 31232]
R3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe [2011-09-08 21:42:35 1255736]
R4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 01:10:10 57184]
S0 AVGIDSHA;AVGIDSHA;C:\Windows\system32\DRIVERS\avgidsha.sys [2012-10-15 08:48:50 63328]
S0 Avgloga;AVG Logging Driver;C:\Windows\system32\DRIVERS\avgloga.sys [2012-09-21 08:46:00 225120]
S0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\system32\DRIVERS\avgmfx64.sys [2012-11-16 04:33:24 111968]
S0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\system32\DRIVERS\avgrkx64.sys [2012-09-14 08:05:18 40800]
S1 AVGIDSDriver;AVGIDSDriver;C:\Windows\system32\DRIVERS\avgidsdrivera.sys [2012-10-22 18:02:44 154464]
S1 Avgldx64;AVG AVI Loader Driver;C:\Windows\system32\DRIVERS\avgldx64.sys [2012-10-02 08:30:38 185696]
S1 Avgtdia;AVG TDI Driver;C:\Windows\system32\DRIVERS\avgtdia.sys [2012-09-21 08:46:04 200032]
S1 mwlPSDFilter;mwlPSDFilter;C:\Windows\system32\DRIVERS\mwlPSDFilter.sys [2011-04-19 04:16:28 22912]
S1 mwlPSDNServ;mwlPSDNServ;C:\Windows\system32\DRIVERS\mwlPSDNServ.sys [2011-04-19 04:16:28 20328]
S1 mwlPSDVDisk;mwlPSDVDisk;C:\Windows\system32\DRIVERS\mwlPSDVDisk.sys [2011-04-19 04:16:28 62584]
S2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe [2011-01-11 05:49:46 203776]
S2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [2012-11-16 04:34:30 5814904]
S2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [2012-10-22 18:05:08 196664]
S2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 19:22:40 822624]
S2 CxAudMsg;Conexant Audio Message Service;C:\Windows\system32\CxAudMsg64.exe [2010-12-16 23:18:08 198784]
S2 DsiWMIService;Dritek WMI Service;C:\Program Files (x86)\Launch Manager\dsiwmis.exe [2011-03-14 11:44:35 352336]
S2 ePowerSvc;Acer ePower Service;C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe [2011-01-28 15:44:08 868224]
S2 GREGService;GREGService;C:\Program Files (x86)\Acer\Registration\GREGsvc.exe [2010-01-08 13:21:22 23584]
S2 Live Updater Service;Live Updater Service;C:\Program Files\Acer\Acer Updater\UpdaterService.exe [2011-01-31 20:55:14 244624]
S2 NOBU;Norton Online Backup;C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]
S2 RS_Service;Raw Socket Service;C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe [2010-01-29 23:52:58 260640]
S2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 13:30:18 508776]
S2 TeamViewer6;TeamViewer 6;C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2011-11-03 18:25:09 2358656]
S2 TeamViewer7;TeamViewer 7;C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [2012-03-19 11:38:46 2666880]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys [2010-11-16 23:04:32 115216]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\system32\DRIVERS\L1C62x64.sys [2011-01-25 03:48:03 77424]
S3 Sftfs;Sftfs;C:\Windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 13:30:10 764264]
S3 Sftplay;Sftplay;C:\Windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 13:30:18 268648]
S3 Sftredir;Sftredir;C:\Windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 13:30:18 25960]
S3 Sftvol;Sftvol;C:\Windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 13:30:22 22376]
S3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 13:30:22 219496]
S3 usbfilter;AMD USB Filter Driver;C:\Windows\system32\DRIVERS\usbfilter.sys [2010-11-28 19:50:38 44672]


Contents of the 'Scheduled Tasks' folder

2013-01-27 C:\Windows\Tasks\Adobe Flash Player Updater.job
- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-29 22:42:20 . 2013-01-09 07:43:55]


--------- X64 Entries -----------


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acer ePower Management"="C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe" [2011-01-28 15:44:10 862088]

------- Supplementary Scan -------

uLocal Page = C:\Windows\system32\blank.htm
uStart Page = hxxp://gmail.com/
mDefault_Page_URL = hxxp://acer.msn.com
mStart Page = hxxp://acer.msn.com
mLocal Page = C:\Windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.1

- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
Toolbar-Locked - (no file)
HKLM-Run-SynTPEnh - C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-SLABCOMM&10C4&EA60 - C:\Windows\system32\Silabs\DriverUninstaller.exe VCP CP210x Cardinal\SLABCOMM&10C4&EA60
AddRemove-VIPECOMM&12B8&EC62 - C:\Program Files (x86)\ViPEC\USBDrivers\DriverUninstaller.exe VCP CP210x Cardinal\VIPECOMM&12B8&EC62


-------------------------------------------------------------------------------------------------------------------------------------------------



Farbar Service Scanner Version: 16-01-2013
Ran by Kevin (administrator) on 27-01-2013 at 16:51:26
Running from "C:\Users\Kevin\Desktop"
Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error. Google IP is offline
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

#6 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York
  • Local time:01:58 AM

Posted 27 January 2013 - 05:19 PM

Hi again,

Excellent work!

Now, let's just run a CF script, and then get an extra report:

Step 1

Run a Combofix Script


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy the text in the codebox below, then paste it into the empty notepad:

ClearJavaCache::

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

==========

Step 2

Please update MBAM to the latest definitions, and run a quick scan.

==========

Step 3


Then I'd like you to run ESET again with these instructions:

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista/Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here to run the scan.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: [image]
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: [image]
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish; make sure you copy the logfile first!
  • Now click on: [image]
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

==========

In your next reply, please include the following:

  • The Combofix log
  • The MBAM log
  • The ESET log
bloopie

#7 lugnuts9

lugnuts9
  • Topic Starter

  • Members
  • 79 posts
  • Gender:Male
  • Local time:12:58 AM

Posted 27 January 2013 - 09:47 PM

Not finished yet (This ESET scan is taking forever, 2+ hours), but I wanted to give you some feedback.
So far it found the following:

JS/Redirector.NCG trojan


Thanks, and I will post the logs when ESET is finished.

#8 lugnuts9

lugnuts9
  • Topic Starter

  • Members
  • 79 posts
  • Gender:Male
  • Local time:12:58 AM

Posted 27 January 2013 - 10:52 PM

Here are all 3 complete logs, thanks.


ComboFix 13-01-27.03 - Kevin 01/27/2013 18:13:47.4.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3819.2740 [GMT -5:00]
Running from: C:\Users\Kevin\Desktop\ComboFix.exe
Command switches used :: C:\Users\Kevin\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2013 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: AVG Anti-Virus Free Edition 2013 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}


((((((((((((((((((((((((( Files Created from 2012-12-27 to 2013-01-27 )))))))))))))))))))))))))))))))


2013-01-27 23:23:35 . 2013-01-27 23:23:35 -------- d-----w- C:\Users\Default\AppData\Local\temp
2013-01-24 23:35:21 . 2013-01-12 08:30:18 95648 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-01-23 15:14:18 . 2013-01-23 15:14:18 -------- d-----w- C:\Program Files (x86)\ESET
2013-01-22 17:35:15 . 2013-01-22 17:37:02 -------- d-----w- C:\ProgramData\AVG January 2013 Campaign
2013-01-10 17:00:12 . 2013-01-10 17:00:12 -------- d-----w- C:\Users\Default\AppData\Roaming\TuneUp Software
2013-01-09 01:03:08 . 2012-11-09 05:45:32 750592 ----a-w- C:\Windows\system32\win32spl.dll
2013-01-09 01:03:07 . 2012-11-09 04:43:04 492032 ----a-w- C:\Windows\SysWow64\win32spl.dll
2013-01-09 01:01:50 . 2012-11-30 05:41:07 424448 ----a-w- C:\Windows\system32\KernelBase.dll
2013-01-03 17:44:21 . 2013-01-03 17:44:21 -------- d-----w- C:\Users\Kevin\AppData\Roaming\Malwarebytes
2013-01-03 17:44:00 . 2013-01-03 17:44:00 -------- d-----w- C:\ProgramData\Malwarebytes
2013-01-03 17:43:58 . 2013-01-03 17:44:06 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-01-03 17:43:58 . 2012-12-14 21:49:28 24176 ----a-w- C:\Windows\system32\drivers\mbam.sys
2013-01-03 17:42:53 . 2013-01-03 17:42:53 -------- d-----w- C:\Users\Kevin\AppData\Local\Programs
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2013-01-09 08:06:03 . 2011-09-11 02:33:42 67599240 ----a-w- C:\Windows\system32\MRT.exe
2013-01-09 07:43:53 . 2012-05-29 22:42:18 697864 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-01-09 07:43:53 . 2011-12-05 01:24:55 74248 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-12-27 17:24:29 . 2012-04-21 17:56:46 859072 ----a-w- C:\Windows\SysWow64\npdeployJava1.dll
2012-12-27 17:24:29 . 2011-09-16 23:57:42 779704 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-12-16 17:11:22 . 2012-12-23 05:00:51 46080 ----a-w- C:\Windows\system32\atmlib.dll
2012-12-16 14:45:03 . 2012-12-23 05:00:50 367616 ----a-w- C:\Windows\system32\atmfd.dll
2012-12-16 14:13:28 . 2012-12-23 05:00:49 295424 ----a-w- C:\Windows\SysWow64\atmfd.dll
2012-12-16 14:13:20 . 2012-12-23 05:00:51 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2012-11-30 22:42:12 . 2012-11-30 22:42:12 76464 ----a-w- C:\Windows\system32\drivers\ftdibus.sys
2012-11-30 22:42:12 . 2012-11-30 22:42:12 256944 ----a-w- C:\Windows\system32\ftd2xx.dll
2012-11-30 22:42:12 . 2012-11-30 22:42:12 219056 ----a-w- C:\Windows\SysWow64\ftd2xx.dll
2012-11-30 22:42:12 . 2012-11-30 22:42:12 214960 ----a-w- C:\Windows\system32\FTLang.dll
2012-11-30 22:42:12 . 2012-11-30 22:42:12 108976 ----a-w- C:\Windows\system32\ftbusui.dll
2012-11-30 04:45:10 . 2013-01-09 01:01:48 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2012-11-16 04:33:24 . 2012-11-16 04:33:24 111968 ----a-w- C:\Windows\system32\drivers\avgmfx64.sys
2012-11-14 07:06:18 . 2012-12-12 11:13:15 17811968 ----a-w- C:\Windows\system32\mshtml.dll
2012-11-14 06:32:33 . 2012-12-12 11:13:13 10925568 ----a-w- C:\Windows\system32\ieframe.dll
2012-11-14 06:11:44 . 2012-12-12 11:13:37 2312704 ----a-w- C:\Windows\system32\jscript9.dll
2012-11-14 06:04:44 . 2012-12-12 11:13:38 1346048 ----a-w- C:\Windows\system32\urlmon.dll
2012-11-14 06:04:11 . 2012-12-12 11:13:33 1392128 ----a-w- C:\Windows\system32\wininet.dll
2012-11-14 06:02:49 . 2012-12-12 11:13:37 1494528 ----a-w- C:\Windows\system32\inetcpl.cpl
2012-11-14 06:02:04 . 2012-12-12 11:13:40 237056 ----a-w- C:\Windows\system32\url.dll
2012-11-14 05:59:52 . 2012-12-12 11:13:31 85504 ----a-w- C:\Windows\system32\jsproxy.dll
2012-11-14 05:58:36 . 2012-12-12 11:13:28 816640 ----a-w- C:\Windows\system32\jscript.dll
2012-11-14 05:57:46 . 2012-12-12 11:13:28 599040 ----a-w- C:\Windows\system32\vbscript.dll
2012-11-14 05:57:35 . 2012-12-12 11:13:41 173056 ----a-w- C:\Windows\system32\ieUnatt.exe
2012-11-14 05:55:45 . 2012-12-12 11:13:27 2144768 ----a-w- C:\Windows\system32\iertutil.dll
2012-11-14 05:55:26 . 2012-12-12 11:13:36 729088 ----a-w- C:\Windows\system32\msfeeds.dll
2012-11-14 05:53:22 . 2012-12-12 11:13:45 96768 ----a-w- C:\Windows\system32\mshtmled.dll
2012-11-14 05:52:40 . 2012-12-12 11:13:47 2382848 ----a-w- C:\Windows\system32\mshtml.tlb
2012-11-14 05:46:25 . 2012-12-12 11:13:41 248320 ----a-w- C:\Windows\system32\ieui.dll
2012-11-14 02:09:22 . 2012-12-12 11:13:29 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-11-14 01:58:15 . 2012-12-12 11:13:37 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-11-14 01:57:37 . 2012-12-12 11:13:33 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-11-14 01:49:25 . 2012-12-12 11:13:41 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-11-14 01:48:27 . 2012-12-12 11:13:44 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
2012-11-14 01:44:42 . 2012-12-12 11:13:46 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-11-09 05:45:09 . 2012-12-12 00:20:22 2048 ----a-w- C:\Windows\system32\tzres.dll
2012-11-09 04:42:49 . 2012-12-12 00:20:22 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2012-11-02 05:59:11 . 2012-12-12 00:19:32 478208 ----a-w- C:\Windows\system32\dpnet.dll
2012-11-02 05:11:31 . 2012-12-12 00:19:32 376832 ----a-w- C:\Windows\SysWow64\dpnet.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SuiteTray"="C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe" [2010-09-28 02:00:56 340336]
"EgisTecPMMUpdate"="C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe" [2010-09-17 23:10:16 407920]
"EgisUpdate"="C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe" [2010-09-17 23:10:02 201584]
"Adobe Reader Speed Launcher"="C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-12-19 14:39:05 41208]
"LManager"="C:\Program Files (x86)\Launch Manager\LManager.exe" [2011-03-14 11:44:34 1081424]
"StartCCC"="C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-01-11 20:42:36 336384]
"Adobe ARM"="C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 07:35:28 946352]
"AVG_UI"="C:\Program Files (x86)\AVG\AVG2013\avgui.exe" [2012-12-11 08:52:44 3147384]
"SunJavaUpdateSched"="C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 14:04:54 252848]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"IsMyWinLockerReboot"="msiexec.exe" [2010-11-21 03:24:28 73216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [2012-11-16 04:34:30 5814904]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 18:27:14 138576]
R3 EgisTec Ticket Service;EgisTec Ticket Service;C:\Program Files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe [2010-09-28 01:09:54 172912]
R3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 17:59:12 206072]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\Drivers\RtsUStor.sys [2010-12-01 08:12:06 250984]
R3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;C:\Windows\system32\DRIVERS\silabenm.sys [2010-07-28 14:19:28 27336]
R3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;C:\Windows\system32\DRIVERS\silabser.sys [2011-09-28 22:03:12 71168]
R3 Svk2pl;GigawareX USB to Serial Driver;C:\Windows\system32\DRIVERS\Svk2pl64.sys [2010-04-01 11:54:22 97280]
R3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys [2010-11-21 03:24:33 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys [2010-11-21 03:23:47 31232]
R3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe [2011-09-08 21:42:35 1255736]
R4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 01:10:10 57184]
S0 AVGIDSHA;AVGIDSHA;C:\Windows\system32\DRIVERS\avgidsha.sys [2012-10-15 08:48:50 63328]
S0 Avgloga;AVG Logging Driver;C:\Windows\system32\DRIVERS\avgloga.sys [2012-09-21 08:46:00 225120]
S0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\system32\DRIVERS\avgmfx64.sys [2012-11-16 04:33:24 111968]
S0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\system32\DRIVERS\avgrkx64.sys [2012-09-14 08:05:18 40800]
S1 AVGIDSDriver;AVGIDSDriver;C:\Windows\system32\DRIVERS\avgidsdrivera.sys [2012-10-22 18:02:44 154464]
S1 Avgldx64;AVG AVI Loader Driver;C:\Windows\system32\DRIVERS\avgldx64.sys [2012-10-02 08:30:38 185696]
S1 Avgtdia;AVG TDI Driver;C:\Windows\system32\DRIVERS\avgtdia.sys [2012-09-21 08:46:04 200032]
S1 mwlPSDFilter;mwlPSDFilter;C:\Windows\system32\DRIVERS\mwlPSDFilter.sys [2011-04-19 04:16:28 22912]
S1 mwlPSDNServ;mwlPSDNServ;C:\Windows\system32\DRIVERS\mwlPSDNServ.sys [2011-04-19 04:16:28 20328]
S1 mwlPSDVDisk;mwlPSDVDisk;C:\Windows\system32\DRIVERS\mwlPSDVDisk.sys [2011-04-19 04:16:28 62584]
S2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe [2011-01-11 05:49:46 203776]
S2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [2012-10-22 18:05:08 196664]
S2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 19:22:40 822624]
S2 CxAudMsg;Conexant Audio Message Service;C:\Windows\system32\CxAudMsg64.exe [2010-12-16 23:18:08 198784]
S2 DsiWMIService;Dritek WMI Service;C:\Program Files (x86)\Launch Manager\dsiwmis.exe [2011-03-14 11:44:35 352336]
S2 ePowerSvc;Acer ePower Service;C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe [2011-01-28 15:44:08 868224]
S2 GREGService;GREGService;C:\Program Files (x86)\Acer\Registration\GREGsvc.exe [2010-01-08 13:21:22 23584]
S2 Live Updater Service;Live Updater Service;C:\Program Files\Acer\Acer Updater\UpdaterService.exe [2011-01-31 20:55:14 244624]
S2 NOBU;Norton Online Backup;C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]
S2 RS_Service;Raw Socket Service;C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe [2010-01-29 23:52:58 260640]
S2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 13:30:18 508776]
S2 TeamViewer6;TeamViewer 6;C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2011-11-03 18:25:09 2358656]
S2 TeamViewer7;TeamViewer 7;C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [2012-03-19 11:38:46 2666880]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys [2010-11-16 23:04:32 115216]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\system32\DRIVERS\L1C62x64.sys [2011-01-25 03:48:03 77424]
S3 Sftfs;Sftfs;C:\Windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 13:30:10 764264]
S3 Sftplay;Sftplay;C:\Windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 13:30:18 268648]
S3 Sftredir;Sftredir;C:\Windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 13:30:18 25960]
S3 Sftvol;Sftvol;C:\Windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 13:30:22 22376]
S3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 13:30:22 219496]
S3 usbfilter;AMD USB Filter Driver;C:\Windows\system32\DRIVERS\usbfilter.sys [2010-11-28 19:50:38 44672]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - WS2IFSL

Contents of the 'Scheduled Tasks' folder

2013-01-27 C:\Windows\Tasks\Adobe Flash Player Updater.job
- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-29 22:42:20 . 2013-01-09 07:43:55]


--------- X64 Entries -----------


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"Acer ePower Management"="C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe" [2011-01-28 15:44:10 862088]

------- Supplementary Scan -------

uLocal Page = C:\Windows\system32\blank.htm
uStart Page = hxxp://gmail.com/
mDefault_Page_URL = hxxp://acer.msn.com
mStart Page = hxxp://acer.msn.com
mLocal Page = C:\Windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.1

- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
Toolbar-Locked - (no file)
AddRemove-SLABCOMM&10C4&EA60 - C:\Windows\system32\Silabs\DriverUninstaller.exe VCP CP210x Cardinal\SLABCOMM&10C4&EA60
AddRemove-VIPECOMM&12B8&EC62 - C:\Program Files (x86)\ViPEC\USBDrivers\DriverUninstaller.exe VCP CP210x Cardinal\VIPECOMM&12B8&EC62




-------------------------------------------------------------------------------------------------------


Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.01.27.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Kevin :: ACEROFBASER [administrator]

1/27/2013 6:29:18 PM
mbam-log-2013-01-27 (18-29-18).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 207840
Time elapsed: 4 minute(s), 8 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

----------------------------------------------------------------------------------------------------------

ESET log:

C:\Users\Kevin\AppData\Local\e5bb0a0d-d5cd-407b-93ce-4b91a012df62.crx JS/Redirector.NCG trojan

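What the helper does with the logs above is triage by eye: autorun values under the Run keys that point into a user profile folder or go through rundll32, services whose image is missing on disk (the `[x]` marker), and a Windows Defender policy value that has been switched off. The Python script below is an added example for this thread, not code from ComboFix, Farbar Service Scanner or MBAM; it applies the same checks to a few constructed sample lines modelled on the formats quoted above. The `uishe` line is constructed to show the rundll32-from-AppData\Roaming pattern that started this thread, and the exact way ComboFix would render such an entry is an assumption.

```python
"""Triage helper for ComboFix 'Reg Loading Points' / service lines and Farbar
Service Scanner policy lines.  Added example for this thread; it is not part
of ComboFix, Farbar or MBAM.  It flags autoruns and services that run from a
user-writable folder, that use a loader host such as rundll32 to run a DLL,
whose image is missing on disk, and policy values that switch a protection off.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str    # "autorun", "service" or "policy"
    name: str    # value name / service name as printed in the log
    reason: str  # why the line was flagged
    detail: str  # command line, image path or registry key


# Constructed sample, modelled on the log formats quoted in this thread.
# The "uishe" entry is a constructed rundll32-from-AppData example; its exact
# rendering in a real ComboFix log is an assumption.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AVG_UI"="C:\Program Files (x86)\AVG\AVG2013\avgui.exe" [2012-12-11 08:52:44 3147384]
"SunJavaUpdateSched"="C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 14:04:54 252848]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"uishe"="rundll32.exe C:\Users\Kevin\AppData\Roaming\uishe.dll,HrIsStreamUnicode" [2013-01-20 11:02:13 98304]

S2 NOBU;Norton Online Backup;C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]
S2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [2012-10-22 18:05:08 196664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
"""

KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]\s*$')
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"(?:\s+\[(?P<meta>[^\]]*)\])?\s*$')
SERVICE_RE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$')
POLICY_RE = re.compile(r'^"(?P<name>[^"]+)"=DWORD:(?P<value>\d+)\s*$')

# Folders a standard user can write to; legitimate autoruns normally live
# under Program Files or the Windows directory instead.
USER_WRITABLE_RE = re.compile(r'\\(AppData|ProgramData|Temp)\\', re.IGNORECASE)
# Hosts that execute a DLL named on their command line, so the real payload
# is the argument rather than the executable itself.
LOADER_HOSTS = ("rundll32", "regsvr32")


def _flag_path(kind: str, name: str, cmd: str) -> list:
    """Checks that apply to any command line or image path."""
    found = []
    exe = cmd.strip().split(" ", 1)[0].lower().rsplit("\\", 1)[-1]
    if any(exe.startswith(host) for host in LOADER_HOSTS):
        found.append(Finding(kind, name, "loader host runs a DLL given as argument", cmd))
    if USER_WRITABLE_RE.search(cmd):
        found.append(Finding(kind, name, "runs code from a user-writable location", cmd))
    return found


def triage(log_text: str) -> list:
    """Return a list of Finding objects for the suspicious lines in log_text."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = RUN_VALUE_RE.match(line)
        if m:
            # Only values under ...\CurrentVersion\Run (and RunOnce) are autoruns.
            if "currentversion\\run" in current_key.lower():
                findings += _flag_path("autorun", m.group("name"), m.group("cmd"))
                if (m.group("meta") or "").strip().lower() == "x":
                    findings.append(Finding("autorun", m.group("name"),
                                            "target file missing on disk", m.group("cmd")))
            continue
        m = SERVICE_RE.match(line)
        if m:
            rest = m.group("rest")
            findings += _flag_path("service", m.group("name"), rest)
            if rest.rstrip().endswith("[x]"):
                findings.append(Finding("service", m.group("name"),
                                        "service image missing on disk", rest))
            continue
        m = POLICY_RE.match(line)
        if m and m.group("name").lower().startswith("disable") and int(m.group("value")) != 0:
            findings.append(Finding("policy", m.group("name"),
                                    "policy switches a protection off", current_key))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:8} {f.name:20} {f.reason}: {f.detail}")
```

The output for the constructed sample is two findings for `uishe` (loader host and user-writable path), one for the NOBU service whose image is gone, and one for the DisableAntiSpyware policy; the AVG and Java entries pass, which is the point: a flag means "look at this", not "this is malware", and a missing service image after a removal is usually just leftover registration that the helper cleans up.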
#9 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York
  • Local time:01:58 AM

Posted 28 January 2013 - 03:47 PM

Hi again,

Good to hear! :)

Now, let's remove what was found in the ESET scan with a batch, and then we'll do some updates:

Step 1
  • Hold the "Windows" key and press "R" to open the Run box, type in notepad and click OK.
  • Copy the text in the code box below, then paste it into the blank Notepad and save it to your Desktop as DelFile.bat
@echo off
del /f /s /q "C:\Users\Kevin\AppData\Local\e5bb0a0d-d5cd-407b-93ce-4b91a012df62.crx"
del %0
  • The batch file should now look like this: [image] in Windows Vista/7, and this: [image] in Windows XP
  • Now double click on the DelFile.bat on your Desktop and the batch will quickly run and delete itself for you.
  • Now reboot the machine.

==========

Step 2
Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Adobe components and update:
  • Download the latest version of Adobe Reader Version X and save it to your desktop.
  • Uncheck the "Free McAfee Security plan Plus" option or any other Toolbar you are offered
  • Click the download button at the bottom.
  • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the click here to download link on the next page.
  • Remove all older versions of Adobe Reader: Go to Add/Remove and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
    If you are unsure of how to use Add or Remove Programs, then please see this tutorial: How To Remove An Installed Program From Your Computer
  • Then from your desktop double-click on Adobe Reader to install the newest version.
    If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the "Adobe Setup - Welcome" window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
Your Adobe Reader is now up to date!

==========

Step 3
Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 7 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select your OS and Platform (32-bit or 64-bit).
    64-bit OS users, should read: Which Java download should I choose for my 64-bit Windows operating system?
  • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7u7-windows-i586.exe (or jre-7u7-windows-x64.exe for 64-bit) to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered any unwanted software or toolbars during installation, just uncheck the box before continuing unless you want it.
  • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.
Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.

==========

Let me know if you had any trouble with the above steps! We're nearly finished!

bloopie

#10 lugnuts9

lugnuts9
  • Topic Starter

  • Members
  • 79 posts
  • Gender:Male
  • Local time:12:58 AM

Posted 28 January 2013 - 05:16 PM

All went well, file written and deleted, Adobe and Java are updated.

AVG picked this up during the updates:
Corrupt exe file C\users\AppData\Local\Microsoft\Windows\ (blah blah) \install_reader11_en_gtbd_chrd_dn_aih[1].exe

Dinner bell is ringing, let me know if you need me to expand on this technical description, lol.

#11 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York
  • Local time:01:58 AM

Posted 28 January 2013 - 06:21 PM

Hi again,

(blah blah) \install_reader11

No, not to worry about that. That's the Adobe Reader installer file that is corrupt, and you can just grab a fresh one anytime from the Adobe Reader link I gave above if you have any problems in the future.

And on that note....:


Your machine appears to be clean!

Let's do some housekeeping now:



The following steps will implement some cleanup procedures. They will also reset your System Restore by flushing out previous restore points and creating a new restore point, and they will remove all the backups our tools may have made.


Step 1

DeFogger:

Note: This only needs to be run if it was run before; if not, skip it.

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
Your Emulation drivers are now re-enabled.


Step 2

Uninstall ComboFix:

  • Turn off all active protection software.
  • Push the "Windows key" + "R" (between the "Ctrl" button and "Alt" button).
  • Please copy and paste the following into the box: ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall; it needs to be there.


Step 3

Uninstall adwCleaner:

  • Double click on adwcleaner.exe to run the tool.
  • Click on Uninstall.
  • Confirm with yes.


Step 4

Download and Run OTC

We will now remove the tools we used during this fix using OTC.

  • Download OTC by OldTimer and save it to your desktop.
  • Double click the OTC icon to start the program. If you are using Vista, please right-click and choose run as administrator.
  • Then click the big [image] button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

Any programs and logs that are left over you can just delete from the desktop.


Are you having any additional problems at this point? If so, please let me know. Otherwise feel free to enjoy use of your repaired machine.



The most common cause of an infected machine is the Trojan Horse, or programs which appear to be legitimate but which contain malicious payloads, or which are simply malicious in and of themselves. No antivirus, firewall, host-based intrusion prevention system (HIPS), or other security software can fully protect you against this kind of attack. The best way to protect yourself is not to run email attachments from untrusted sources, and to avoid software downloaded from the internet wherever possible. Remember, when you run an application, you are giving that application permission to do to your machine anything you can do to the machine, including create, modify, or destroy files or other data. In the Windows (and most other systems', such as Unix) security model, applications don't have privileges, users do.

The second most common cause of infection is out of date software. Leaving your system unpatched leaves holes through which attackers can execute code on your behalf without your consent. This goes for far more than common targets such as Windows and Internet Explorer. Most recent threats target other third party software, such as Adobe's Adobe Reader, Shockwave Player, or Flash Player, or Oracle's Java browser plugins. You can check your system for out of date software manually, or by using automated tools such as Secunia's Personal Software Inspector. This goes doubly for security applications such as antivirus and other antimalware products based on definition lists, where out of date lists mean no detection of newer malware.

Finally, occasionally you will be forced to run some potentially infected binary, or attackers will use a hole which is unpatched by software vendors, so a last line of defense is needed. That means turning on a firewall (Windows Firewall included with Windows XP SP2 or later is fine) and leaving it on, and using and keeping up to date an antivirus solution such as Norton AntiVirus. Antiviral solutions don't even have to cost money; for instance Microsoft Security Essentials provides perfectly acceptable protection for free. If for some reason you don't like MSE, there are other free products available as well:
  • Avast (home use only)
  • Avira (shows nag screen to purchase full product when updating, home use only)

That should be fine for the majority of users. However, if you absolutely want additional protection, consider one or more of the following products:
If you want more information on the methods malware uses to infect your computer, consider browsing our How did I get infected? topic.

Please respond to this post so I can close the thread unless you have any other questions.


Best of regards, and happy surfing!!

bloopie

#12 lugnuts9

lugnuts9
  • Topic Starter

  • Members
  • 79 posts
  • Gender:Male
  • Local time:12:58 AM

Posted 30 January 2013 - 11:47 AM

It is running great and I have peace of mind now, thank you!

What is your Paypal info?

#13 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York
  • Local time:01:58 AM

Posted 30 January 2013 - 12:15 PM

It is running great and I have peace of mind now, thank you!

Glad to hear! My pleasure! :)

What is your Paypal info?

No need... my services are free. Glad I could help!

bloopie

#14 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York
  • Local time:01:58 AM

Posted 31 January 2013 - 09:42 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



