
Infected with PWS:Win32/Zbot.gen!Y


This topic is locked
11 replies to this topic

#1 Bradalee (Members, 19 posts)

Posted 14 February 2013 - 10:00 PM

Hey,

 

I found out earlier today that my computer is infected with a PWS:Win32/Zbot.gen!Y trojan, and it seems removing it can be tricky, so I thought I'd make a topic here in the hope that someone who actually knows what they're doing can help me remove it!

 

The virus was found by Windows Defender after installing updates and restarting, but it said that it couldn't remove it. And I haven't noticed any effects such as slowdown or anything as of yet.

 

Thanks for any help!

 

---------------------------------------

 

 

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 9.0.8112.16464  BrowserJavaVersion: 10.13.2
Run by HOME USER at 2:51:11 on 2013-02-15
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.2047.1062 [GMT 0:00]
.
AV: AVG Anti-Virus Free Edition 2013 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG Anti-Virus Free Edition 2013 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
.
============== Running Processes ================
.
C:\PROGRA~1\AVG\AVG2013\avgrsx.exe
C:\Program Files\AVG\AVG2013\avgcsrvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\Windows\system32\SLsvc.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\D-Link\D-Link Wireless N DWA-140\AirNCFG.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\AVG\AVG2013\avgui.exe
C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\HOME USER\Local Settings\Apps\F.lux\flux.exe
C:\Users\HOME USER\AppData\Local\Akamai\netsession_win.exe
C:\Users\HOME USER\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Users\HOME USER\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Users\HOME USER\AppData\Local\Akamai\netsession_win.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG2013\avgidsagent.exe
C:\Program Files\AVG\AVG2013\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Program Files\AVG\AVG2013\avgnsx.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe
C:\Program Files\Sony\PMB\PMBDeviceInfoProvider.exe
C:\Windows\system32\PnkBstrA.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Windows\system32\wuauclt.exe
C:\Users\HOME USER\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\HOME USER\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\HOME USER\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\HOME USER\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe
C:\Users\HOME USER\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\HOME USER\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\HOME USER\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k Akamai
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uProxyOverride = 127.0.0.1:9421;<local>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Canon Easy-WebPrint EX BHO: {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - 
BHO: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - c:\program files\windows live\companion\companioncore.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Canon Easy-WebPrint EX: {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Canon Easy-WebPrint EX: {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Canon Easy-WebPrint EX: {21347690-EC41-4F9A-8887-1F4AEE672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [Steam] "c:\program files\steaaam\steam.exe" -silent
uRun: [Google Update] "c:\users\home user\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [F.lux] "c:\users\home user\local settings\apps\f.lux\flux.exe" /noshow
uRun: [Akamai NetSession Interface] "c:\users\home user\appdata\local\akamai\netsession_win.exe"
uRun: [Spotify Web Helper] "c:\users\home user\appdata\roaming\spotify\data\SpotifyWebHelper.exe"
uRun: [AdobeBridge] <no file>
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [D-Link D-Link Wireless N DWA-140] c:\program files\d-link\d-link wireless n dwa-140\AirNCFG.exe
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS5.5ServiceManager] "c:\program files\common files\adobe\cs5.5servicemanager\CS5.5ServiceManager.exe" -launchedbylogin
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Wondershare Helper Compact.exe] c:\program files\common files\wondershare\wondershare helper compact\WSHelper.exe
mRun: [AVG_UI] "c:\program files\avg\avg2013\avgui.exe" /TRAYONLY
mRun: [PMBVolumeWatcher] c:\program files\sony\pmb\PMBVolumeWatcher.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\homeus~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\home user\appdata\roaming\dropbox\bin\Dropbox.exe
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {00001026-A15C-11D4-97A4-0050BF0FBE67} - hxxp://download.netmarble.net/web/nmstarter/NMStarter26_20101209.cab
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://download.macromedia.com/pub/shockwave/cabs/authorware/awswax70.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} - hxxp://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab
DPF: {5C1B293E-DA77-4AFF-8B52-63DEF8C8A071} - hxxp://download.netmarble.net/ActiveX/NMAutoUpdateX/NMAutoUpdateX_1.0.1.1_20091109.cab
DPF: {6678BE91-1E04-4A4A-9C32-63145EA79C2A} - hxxp://fifa-online.easports.com/fo3-theme/addons/EAFO3AXLauncher.cab
DPF: {89F434A7-4A49-4394-AC02-007480331AE2} - hxxp://download.netmarble.net/ActiveX/NMAutoUpdateX/SystemIDInfo/NMSystemIDInfo_1.0.0.1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {92E82FBB-DA00-41E0-ABFE-95482E21A4F6} - hxxp://download.netmarble.net/NMChatX/NMTransX.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{153BD62F-7815-4C44-BCAE-E290F4B192DC} : DHCPNameServer = 192.168.0.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - 
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\home user\appdata\roaming\mozilla\firefox\profiles\njyxik32.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 55111
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\program files\onlive\plugin\npolgdet.dll
FF - plugin: c:\users\home user\appdata\local\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\users\home user\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\users\home user\appdata\roaming\electronic arts\game face\1.0.0.18\npGameFacePlugin.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_262.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
FF - ExtSQL: !HIDDEN! 2009-10-07 02:17; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-10-15 55776]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2012-9-21 177376]
R0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2012-11-15 94048]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2012-9-14 35552]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2012-10-22 179936]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2012-9-21 19936]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2012-10-2 159712]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2012-9-21 164832]
R1 RapportCerberus_43926;RapportCerberus_43926;c:\programdata\trusteer\rapport\store\exts\rapportcerberus\43926\RapportCerberus32_43926.sys [2012-10-4 272216]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2012-12-23 71480]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2012-12-23 166840]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-10-7 21504]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2013\avgidsagent.exe [2012-11-15 5814904]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2013\avgwdsvc.exe [2012-10-22 196664]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-10-7 21504]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2012-12-10 1435568]
R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\sony\pmb\PMBDeviceInfoProvider.exe [2010-11-27 398176]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2012-12-23 976728]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2012-12-29 383416]
R3 rt61x86;Ralink RT61 Wireless Driver for Windows Vista;c:\windows\system32\drivers\netr61.sys [2009-6-10 335872]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
S3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;c:\program files\futuremark\futuremark systeminfo\FMSISvc.exe [2011-4-10 130976]
S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2011-2-18 599040]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 RapportIaso;RapportIaso;c:\programdata\trusteer\rapport\store\exts\rapportms\39624\RapportIaso.sys [2012-5-28 21520]
S3 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2012-12-23 65848]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-11 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-11 369688]
.
=============== Created Last 30 ================
.
2013-02-14 13:56:40    768000    ----a-w-    c:\program files\common files\microsoft shared\vgx\VGX.dll
2013-02-13 13:19:35    2048512    ----a-w-    c:\windows\system32\win32k.sys
2013-02-13 13:19:32    1314816    ----a-w-    c:\windows\system32\quartz.dll
2013-02-13 13:19:30    905576    ----a-w-    c:\windows\system32\drivers\tcpip.sys
2013-02-13 13:19:27    3550072    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-02-13 13:19:26    3602808    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-02-01 20:58:59    94112    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-01-27 23:33:22    --------    d-----w-    c:\users\home user\appdata\local\sabnzbd
2013-01-27 23:31:46    --------    d-----w-    c:\program files\SABnzbd
2013-01-25 22:19:31    --------    d-----w-    C:\Riot Games
2013-01-22 18:52:09    --------    d-----w-    c:\programdata\AVG January 2013 Campaign
.
==================== Find3M  ====================
.
2013-02-01 20:58:21    861088    ----a-w-    c:\windows\system32\npDeployJava1.dll
2013-02-01 20:58:21    782240    ----a-w-    c:\windows\system32\deployJava1.dll
2013-01-23 20:51:09    697864    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-01-23 20:51:08    74248    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-01-08 22:11:21    1800704    ----a-w-    c:\windows\system32\jscript9.dll
2013-01-08 22:03:20    1129472    ----a-w-    c:\windows\system32\wininet.dll
2013-01-08 22:03:12    1427968    ----a-w-    c:\windows\system32\inetcpl.cpl
2013-01-08 21:59:02    142848    ----a-w-    c:\windows\system32\ieUnatt.exe
2013-01-08 21:58:29    420864    ----a-w-    c:\windows\system32\vbscript.dll
2013-01-08 21:56:23    2382848    ----a-w-    c:\windows\system32\mshtml.tlb
2012-12-30 19:23:18    444952    ----a-w-    c:\windows\system32\wrap_oal.dll
2012-12-30 19:23:18    109080    ----a-w-    c:\windows\system32\OpenAL32.dll
2012-12-29 10:26:54    8904632    ----a-w-    c:\windows\system32\drivers\nvlddmkm.sys
2012-12-29 10:26:54    889784    ----a-w-    c:\windows\system32\nvdispgenco32.dll
2012-12-29 10:26:54    7931896    ----a-w-    c:\windows\system32\nvcuda.dll
2012-12-29 10:26:54    6263784    ----a-w-    c:\windows\system32\nvopencl.dll
2012-12-29 10:26:54    2720696    ----a-w-    c:\windows\system32\nvcuvid.dll
2012-12-29 10:26:54    2504248    ----a-w-    c:\windows\system32\nvapi.dll
2012-12-29 10:26:54    20450232    ----a-w-    c:\windows\system32\nvoglv32.dll
2012-12-29 10:26:54    1985976    ----a-w-    c:\windows\system32\nvcuvenc.dll
2012-12-29 10:26:54    17560504    ----a-w-    c:\windows\system32\nvcompiler.dll
2012-12-29 10:26:54    15129064    ----a-w-    c:\windows\system32\nvd3dum.dll
2012-12-29 10:26:54    12641120    ----a-w-    c:\windows\system32\nvwgf2um.dll
2012-12-29 10:26:54    1017272    ----a-w-    c:\windows\system32\nvdispco32.dll
2012-12-29 08:26:22    4129720    ----a-w-    c:\windows\system32\nvcpl.dll
2012-12-29 08:26:22    3001272    ----a-w-    c:\windows\system32\nvsvc.dll
2012-12-29 08:25:57    639928    ----a-w-    c:\windows\system32\nvvsvc.exe
2012-12-29 08:25:57    62904    ----a-w-    c:\windows\system32\nvshext.dll
2012-12-29 08:25:57    108984    ----a-w-    c:\windows\system32\nvmctray.dll
2012-12-29 02:54:24    550328    ----a-w-    c:\windows\system32\nvStreaming.exe
2012-12-23 22:13:34    65848    ----a-w-    c:\windows\system32\drivers\RapportKELL.sys
2012-12-16 13:12:54    34304    ----a-w-    c:\windows\system32\atmlib.dll
2012-12-16 10:50:29    293376    ----a-w-    c:\windows\system32\atmfd.dll
2012-11-20 04:22:50    204288    ----a-w-    c:\windows\system32\ncrypt.dll
.
============= FINISH:  2:52:31.63 ===============
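An added example, not part of the thread and not code from the DDS tool: a small Python triage script that pulls out of DDS-style lines the items a log reviewer looks at first (the uRun/mRun autostart entries, the Firefox proxy prefs, the IE proxy bypass list and the DNS server) and flags loopback proxies, orphaned or user-writable autostarts and non-private DNS servers for review. The sample lines are adapted from the report above; the labels are review heuristics, not verdicts. The network.proxy.type meanings (1 = manual, 4 = auto-detect) are the documented Firefox values, so a loopback proxy with type 4 is configured but not in use.

```python
"""Triage helper for DDS-style log lines (added example; not from the thread)."""
import ipaddress
import re

# Constructed sample: lines adapted from the DDS "Pseudo HJT" and FIREFOX sections above.
SAMPLE_LOG = r"""uProxyOverride = 127.0.0.1:9421;<local>
BHO: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [AdobeBridge] <no file>
uRun: [Akamai NetSession Interface] "c:\users\home user\appdata\local\akamai\netsession_win.exe"
mRun: [AVG_UI] "c:\program files\avg\avg2013\avgui.exe" /TRAYONLY
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 55111
FF - prefs.js: network.proxy.type - 4
TCP: NameServer = 192.168.0.1
"""

# Documented Firefox values for network.proxy.type.
FF_PROXY_TYPES = {0: "direct", 1: "manual", 2: "PAC URL", 4: "auto-detect (WPAD)", 5: "system"}

# Path fragments a standard user can write to; an autostart living there deserves a second look.
USER_WRITABLE = ("\\appdata\\", "\\users\\", "\\programdata\\", "\\temp\\", "\\local settings\\")

RUN_RE = re.compile(r"^(?P<hive>[um]Run):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
FF_PREF_RE = re.compile(r"^FF - prefs\.js:\s*(?P<key>\S+)\s+-\s+(?P<val>.*)$")
NS_RE = re.compile(r"NameServer\s*=\s*(?P<ips>[\d.\s,]+)$")


def parse_run_entries(text):
    """Return the uRun/mRun autostart entries as dicts: hive, name, command."""
    entries = []
    for line in text.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            entries.append({"hive": m.group("hive"), "name": m.group("name"), "cmd": m.group("cmd").strip()})
    return entries


def parse_ff_prefs(text):
    """Return the 'FF - prefs.js:' key/value lines as a dict."""
    prefs = {}
    for line in text.splitlines():
        m = FF_PREF_RE.match(line.strip())
        if m:
            prefs[m.group("key")] = m.group("val").strip()
    return prefs


def _is_loopback(host):
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a hostname rather than an address
        return False


def triage(text):
    """Return (kind, message) findings for a reviewer; heuristics only, not verdicts."""
    findings = []
    for e in parse_run_entries(text):
        if e["cmd"] == "<no file>":
            findings.append(("orphan-autostart", f'{e["hive"]} [{e["name"]}] points to a missing file'))
        elif any(frag in e["cmd"].lower() for frag in USER_WRITABLE):
            findings.append(("user-writable-autostart", f'{e["hive"]} [{e["name"]}] runs from a user-writable path'))

    prefs = parse_ff_prefs(text)
    host = prefs.get("network.proxy.http")
    if host and _is_loopback(host):
        ptype = int(prefs.get("network.proxy.type", "0"))
        port = prefs.get("network.proxy.http_port", "?")
        state = "active" if ptype == 1 else f"inactive (proxy.type={ptype}, {FF_PROXY_TYPES.get(ptype, 'unknown')})"
        findings.append(("loopback-proxy", f"Firefox HTTP proxy {host}:{port} is configured and {state}"))

    for line in text.splitlines():
        if line.startswith("uProxyOverride") and "127.0.0.1" in line:
            findings.append(("loopback-proxy", "IE proxy bypass list references 127.0.0.1: " + line.split("=", 1)[1].strip()))
        m = NS_RE.search(line)
        if m:
            for ip in re.findall(r"\d+\.\d+\.\d+\.\d+", m.group("ips")):
                if not ipaddress.ip_address(ip).is_private:
                    findings.append(("public-dns", f"DNS server {ip} is not on a private range"))
    return findings


if __name__ == "__main__":
    for kind, msg in triage(SAMPLE_LOG):
        print(f"[{kind}] {msg}")
```

Run against the sample it reports the orphaned AdobeBridge entry, the Akamai autostart under the user's profile, the Firefox loopback proxy on port 55111 (inactive, because proxy.type is 4) and the 127.0.0.1 reference in the IE bypass list; the 192.168.0.1 DNS server is private and is not reported. Feed it a full DDS report and add rules as you go; the point is to make the reviewer's first pass repeatable, not to replace it.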
 


#2 Elise (Malware Study Hall Admin, 60,985 posts, Romania)

Posted 16 February 2013 - 04:39 AM

Hello, my name is Elise and I'll assist you with this issue. :)

P2P WARNING
-------------------
Going over your logs I noticed that you have uTorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
  • It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall uTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.
If you wish to keep it, please do not use it until your computer is cleaned.


We need to run a scan with ComboFix:
  • Please go to the download page for ComboFix by sUBs.
  • Click the Download Now button and save the file to your desktop.
  • Disable any anti-virus and/or firewall software you have installed (instructions can be found here if needed).
  • Close all open windows including your web browser. As mentioned in the first post, you may want to print out all instructions before starting.
  • Double-click on the ComboFix icon on your desktop.
  • Read the Disclaimer and click I Agree if you want to run the software; you should then see the "Preparing" window.
  • DO NOT use your computer while ComboFix is running. There are a lot of things going on behind the scenes and a single mouse click can cause the program to stall.
    However, if you see the Recovery Console prompt, please click Yes to download the Microsoft Windows Recovery Console.
    If an Internet connection is not available or you choose not to install the recovery console, ComboFix will run in Reduced Functionality mode.
  • Allow ComboFix to reboot the computer if necessary; it will run again after you log back in.
  • When complete, a log file will be displayed; please copy and paste the contents of this file into your next post.
  • More information about downloading and using ComboFix can be found here if needed.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#3 Bradalee (Topic Starter; Members, 19 posts)

Posted 17 February 2013 - 11:39 AM

Thanks a lot Elise :)

 

---------------------------------

 

 

ComboFix 13-02-15.01 - HOME USER 17/02/2013  15:12:44.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.2047.1044 [GMT 0:00]
Running from: c:\users\HOME USER\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2013 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: AVG Anti-Virus Free Edition 2013 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Download and Sa
c:\programdata\Download and Sa\50a6787590cf9.html
c:\programdata\Download and Sa\50a6787590d31.js
c:\programdata\Download and Sa\kpkmbogbjahpkhjckenbpgfbimnjdnpp.crx
c:\programdata\Download and Sa\settings.ini
c:\programdata\Microsoft\Windows\Start Menu\Programs\Download and Sa
c:\users\HOME USER\AppData\Roaming\417A.39C
c:\users\HOME USER\AppData\Roaming\Love
c:\users\HOME USER\AppData\Roaming\Love\hawkthorne\gamesave-2.json
.
.
(((((((((((((((((((((((((   Files Created from 2013-01-17 to 2013-02-17  )))))))))))))))))))))))))))))))
.
.
2013-02-17 15:28 . 2013-02-17 15:28    --------    d-----w-    c:\users\UpdatusUser\AppData\Local\temp
2013-02-17 15:28 . 2013-02-17 15:28    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-02-17 04:28 . 2013-02-17 04:32    --------    d-----w-    C:\video_output
2013-02-17 04:27 . 2013-02-17 04:27    --------    d-----w-    c:\windows\system32\drivers\mycodec
2013-02-17 04:27 . 2013-02-17 04:29    --------    d-----w-    c:\program files\uConverter
2013-02-14 13:56 . 2013-01-08 22:01    768000    ----a-w-    c:\program files\Common Files\Microsoft Shared\vgx\VGX.dll
2013-02-13 13:19 . 2013-01-04 01:38    2048512    ----a-w-    c:\windows\system32\win32k.sys
2013-02-13 13:19 . 2012-11-08 03:48    1314816    ----a-w-    c:\windows\system32\quartz.dll
2013-02-13 13:19 . 2013-01-04 11:28    905576    ----a-w-    c:\windows\system32\drivers\tcpip.sys
2013-02-13 13:19 . 2013-01-05 05:26    3550072    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-02-13 13:19 . 2013-01-05 05:26    3602808    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-02-01 20:58 . 2013-02-01 20:58    94112    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-01-27 23:33 . 2013-01-27 23:33    --------    d-----w-    c:\users\HOME USER\AppData\Local\sabnzbd
2013-01-27 23:31 . 2013-01-27 23:31    --------    d-----w-    c:\program files\SABnzbd
2013-01-25 22:19 . 2013-01-25 22:19    --------    d-----w-    C:\Riot Games
2013-01-22 18:52 . 2013-01-22 18:54    --------    d-----w-    c:\programdata\AVG January 2013 Campaign
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-01 20:58 . 2012-08-29 15:26    861088    ----a-w-    c:\windows\system32\npDeployJava1.dll
2013-02-01 20:58 . 2010-04-21 17:32    782240    ----a-w-    c:\windows\system32\deployJava1.dll
2013-01-23 20:51 . 2012-04-03 06:34    697864    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-01-23 20:51 . 2011-05-14 07:09    74248    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-30 19:23 . 2012-12-30 19:23    444952    ----a-w-    c:\windows\system32\wrap_oal.dll
2012-12-30 19:23 . 2012-12-30 19:23    109080    ----a-w-    c:\windows\system32\OpenAL32.dll
2012-12-29 10:26 . 2013-01-06 16:43    6263784    ----a-w-    c:\windows\system32\nvopencl.dll
2012-12-29 10:26 . 2013-01-06 16:43    20450232    ----a-w-    c:\windows\system32\nvoglv32.dll
2012-12-29 10:26 . 2013-01-06 16:43    12641120    ----a-w-    c:\windows\system32\nvwgf2um.dll
2012-12-29 10:26 . 2013-01-06 16:43    8904632    ----a-w-    c:\windows\system32\drivers\nvlddmkm.sys
2012-12-29 10:26 . 2013-01-06 16:43    2720696    ----a-w-    c:\windows\system32\nvcuvid.dll
2012-12-29 10:26 . 2013-01-06 16:43    7931896    ----a-w-    c:\windows\system32\nvcuda.dll
2012-12-29 10:26 . 2013-01-06 16:43    1985976    ----a-w-    c:\windows\system32\nvcuvenc.dll
2012-12-29 10:26 . 2013-01-06 16:43    17560504    ----a-w-    c:\windows\system32\nvcompiler.dll
2012-12-29 10:26 . 2012-10-10 21:14    889784    ----a-w-    c:\windows\system32\nvdispgenco32.dll
2012-12-29 10:26 . 2011-10-31 11:59    1017272    ----a-w-    c:\windows\system32\nvdispco32.dll
2012-12-29 10:26 . 2010-03-26 12:07    15129064    ----a-w-    c:\windows\system32\nvd3dum.dll
2012-12-29 10:26 . 2010-03-26 12:07    2504248    ----a-w-    c:\windows\system32\nvapi.dll
2012-12-29 08:26 . 2011-04-07 21:44    4129720    ----a-w-    c:\windows\system32\nvcpl.dll
2012-12-29 08:26 . 2011-04-07 21:44    3001272    ----a-w-    c:\windows\system32\nvsvc.dll
2012-12-29 08:25 . 2011-04-07 21:45    639928    ----a-w-    c:\windows\system32\nvvsvc.exe
2012-12-29 08:25 . 2011-04-07 21:45    108984    ----a-w-    c:\windows\system32\nvmctray.dll
2012-12-29 08:25 . 2010-03-16 02:15    62904    ----a-w-    c:\windows\system32\nvshext.dll
2012-12-29 02:54 . 2012-12-29 02:54    550328    ----a-w-    c:\windows\system32\nvStreaming.exe
2012-12-23 22:13 . 2012-12-23 22:13    65848    ----a-w-    c:\windows\system32\drivers\RapportKELL.sys
2012-12-16 13:12 . 2012-12-22 03:01    34304    ----a-w-    c:\windows\system32\atmlib.dll
2012-12-16 10:50 . 2012-12-22 03:01    293376    ----a-w-    c:\windows\system32\atmfd.dll
2012-11-20 04:22 . 2013-01-09 15:53    204288    ----a-w-    c:\windows\system32\ncrypt.dll
2012-05-09 17:05 . 2011-12-17 14:52    134104    ----a-w-    c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32    129272    ----a-w-    c:\users\HOME USER\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32    129272    ----a-w-    c:\users\HOME USER\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32    129272    ----a-w-    c:\users\HOME USER\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-09 39408]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-10-01 328056]
"Steam"="c:\program files\steaaam\steam.exe" [2013-02-14 1597864]
"F.lux"="c:\users\HOME USER\Local Settings\Apps\F.lux\flux.exe" [2009-08-29 966656]
"Akamai NetSession Interface"="c:\users\HOME USER\AppData\Local\Akamai\netsession_win.exe" [2012-10-09 4441920]
"Spotify Web Helper"="c:\users\HOME USER\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-10-26 1199576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-07-27 180224]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"D-Link D-Link Wireless N DWA-140"="c:\program files\D-Link\D-Link Wireless N DWA-140\AirNCFG.exe" [2008-04-15 1675264]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 499608]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5.5ServiceManager"="c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"Wondershare Helper Compact.exe"="c:\program files\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe" [2012-03-27 1686528]
"AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2012-12-11 3147384]
"PMBVolumeWatcher"="c:\program files\Sony\PMB\PMBVolumeWatcher.exe" [2010-11-27 648032]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\users\HOME USER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\HOME USER\AppData\Roaming\Dropbox\bin\Dropbox.exe [2013-1-20 28539272]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Ralink Wireless Utility.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Ralink Wireless Utility.lnk
backup=c:\windows\pss\Ralink Wireless Utility.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2009-03-24 02:00    1983816    ----a-w-    c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2009-03-18 01:40    767312    ----a-w-    c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2009-02-26 17:36    30040    ----a-w-    c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 15:33    421160    ----a-w-    c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn Hamachi Ui]
2012-12-10 17:29    2254768    ----a-w-    c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-11-10 01:54    4240760    ----a-w-    c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
2012-11-27 20:32    3093624    ----a-w-    c:\program files\Pando Networks\Media Booster\PMB.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 17:38    421888    ----a-w-    c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28    1233920    ----a-w-    c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2012-07-13 12:33    17418928    ----a-r-    c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile Device Center]
2007-05-31 08:21    648072    ----a-w-    c:\windows\WindowsMobile\wmdc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai    REG_MULTI_SZ       Akamai
LocalServiceAndNoImpersonation    REG_MULTI_SZ       FontCache
bthsvcs    REG_MULTI_SZ       BthServ
WindowsMobile    REG_MULTI_SZ       wcescomm rapimgr
LocalServiceRestricted    REG_MULTI_SZ       WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc8cfaf7830a2.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-09 21:10]
.
2013-02-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-09 21:10]
.
2013-02-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2810653096-2423526978-308438003-1000Core.job
- c:\users\HOME USER\AppData\Local\Google\Update\GoogleUpdate.exe [2011-05-18 01:36]
.
2013-02-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2810653096-2423526978-308438003-1000UA.job
- c:\users\HOME USER\AppData\Local\Google\Update\GoogleUpdate.exe [2011-05-18 01:36]
.
2013-01-23 c:\windows\Tasks\ROC_REG_JAN_DELETE.job
- c:\programdata\AVG January 2013 Campaign\ROC.exe [2013-01-22 21:16]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = 127.0.0.1:9421;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
DPF: {00001026-A15C-11D4-97A4-0050BF0FBE67} - hxxp://download.netmarble.net/web/nmstarter/NMStarter26_20101209.cab
DPF: {5C1B293E-DA77-4AFF-8B52-63DEF8C8A071} - hxxp://download.netmarble.net/ActiveX/NMAutoUpdateX/NMAutoUpdateX_1.0.1.1_20091109.cab
DPF: {6678BE91-1E04-4A4A-9C32-63145EA79C2A} - hxxp://fifa-online.easports.com/fo3-theme/addons/EAFO3AXLauncher.cab
DPF: {89F434A7-4A49-4394-AC02-007480331AE2} - hxxp://download.netmarble.net/ActiveX/NMAutoUpdateX/SystemIDInfo/NMSystemIDInfo_1.0.0.1.cab
DPF: {92E82FBB-DA00-41E0-ABFE-95482E21A4F6} - hxxp://download.netmarble.net/NMChatX/NMTransX.cab
FF - ProfilePath - c:\users\HOME USER\AppData\Roaming\Mozilla\Firefox\Profiles\njyxik32.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 55111
FF - prefs.js: network.proxy.type - 4
FF - ExtSQL: !HIDDEN! 2009-10-07 02:17; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-AdobeBridge - (no file)
SafeBoot-WudfPf
SafeBoot-WudfRd
AddRemove-FLV Player - k:\flv player\uninst.exe
AddRemove-FM Genie Scout 12_is1 - c:\fm genie scout 12\unins000.exe
AddRemove-PokerStars - c:\program files\PokerStars\PokerStarsUninstall.exe
AddRemove-SAMSUNG Mobile USB Modem - c:\windows\system32\Samsung_USB_Drivers\2\SSM_Uninstall.exe
AddRemove-SAMSUNG Mobile USB Modem 1.0 - c:\windows\system32\Samsung_USB_Drivers\1\SS_Uninstall.exe
AddRemove-WinGimp-2.0_is1 - c:\program files\GIMP-2.0\setup\unins000.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
AddRemove-{81797A41-73B1-4348-AE7A-3F49A177C833}_is1 - c:\program files\Fast Video Converter\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-02-17 15:29
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
.
c:\users\HOMEUS~1\AppData\Local\Temp\catchme.dll 53248 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_ce5ba24.dll"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2810653096-2423526978-308438003-1000\Software\G*e*n*i*e*"!\FM Genie Scout 12]
"GameDir"="c:\\Users\\HOME USER\\Documents\\Sports Interactive\\Football Manager 2012\\games"
"ShortlistDir"="c:\\Users\\HOME USER\\Documents\\Sports Interactive\\Football Manager 2012\\shortlists"
"FMPath"=""
"ScreenshotsDir"="c:\\Users\\HOME USER\\Documents\\Sports Interactive\\Football Manager 2012"
"SaveDir"="c:\\Users\\HOME USER\\Documents\\Sports Interactive\\Football Manager 2012\\"
"HistoryDir"="c:\\FM Genie Scout 12\\History Points"
"LangDB"="c:\\FM Genie Scout 12\\lang_db.dat"
"LastSaveGame"="c:\\Users\\HOME USER\\Documents\\Sports Interactive\\Football Manager 2012\\games\\Pete & Blake Portugal AND BRAD.fm"
"Language"="English"
"LoadLangDB"=dword:00000001
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000050
"GraphStep"=dword:00000000
"SkinName"="Steklo Black"
"LastUpdateCheck"=dword:0000a044
"VersionOf201"=dword:0000007b
"HighQualityGUI"=dword:00000001
"AutomaticallyUpdateCheck"=dword:00000001
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"ShowGuidNotification"=dword:00000000
"ShowDonateNotification"=dword:00000000
"Version"=dword:000000ce
"UniqueID"="24-AA00-E09F"
"Currency"=dword:00000056
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""
"PlayerSearchFeatureNum"=dword:00000013
"StaffSearchFeatureNum"=dword:00000003
"ClubSearchFeatureNum"=dword:00000000
"FilterByClubFeatureNum"=dword:00000000
"CompareFeatureNum"=dword:00000000
"ShortlistFeatureNum"=dword:00000001
"ExportFeatureNum"=dword:00000000
"HistoryFeatureNum"=dword:00000000
"LanguageDBFeatureNum"=dword:00000013
"HintsFeatureNum"=dword:00000001
"GenieReportFeatureNum"=dword:00000000
"TopFormationFeatureNum"=dword:00000000
"ScreenshotFeatureNum"=dword:00000000
"AdClicksNum"=dword:00000002
"AdImpressionsNum"=dword:0000003e
"GameLoadedCounter"=dword:0000001a
.
Completion time: 2013-02-17  15:33:19
ComboFix-quarantined-files.txt  2013-02-17 15:33
.
Pre-Run: 20,739,465,216 bytes free
Post-Run: 33,737,400,320 bytes free
.
- - End Of File - - 8157B8A1ED1BDE8EED19D539322BCF74


#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,985 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:10:25 AM

Posted 17 February 2013 - 12:40 PM

Hi again,

CF-SCRIPT
-------------
We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:

    DDS::
    uInternet Settings,ProxyOverride = 127.0.0.1:9421;<local>

    Firefox::
    FF - ProfilePath - c:\users\HOME USER\AppData\Roaming\Mozilla\Firefox\Profiles\njyxik32.default\
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 55111
    FF - prefs.js: network.proxy.type - 4

  • Save this as CFScript.txt, in the same location as ComboFix.exe

    [image: CFScriptB-4.gif]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft
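
Added example for this thread (not part of DDS, ComboFix, or the CFScript above): a small Python checker that reads DDS-style log lines and flags the kind of proxy settings the script removes, namely a loopback host:port in the IE ProxyOverride list, a loopback host as Firefox's HTTP proxy, and a non-direct network.proxy.type. The sample log is constructed from the lines quoted in this thread; the function names (find_proxy_findings, is_loopback) and the handling of ProxyServer and the other Firefox proxy host prefs are my generalization beyond what this particular log shows.

```python
"""Flag local-interception proxy settings in DDS / ComboFix-style log lines.

Added example for this thread; not DDS, ComboFix or CFScript code.
"""
import ipaddress
import re

# Constructed sample: the proxy lines the CFScript targets, plus a few
# benign lines from the same log so the checker has entries to ignore.
SAMPLE_LOG = """\
uInternet Settings,ProxyOverride = 127.0.0.1:9421;<local>
IE: E&xport to Microsoft Excel - c:\\progra~1\\MICROS~3\\Office12\\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 55111
FF - prefs.js: network.proxy.type - 4
"""

# DDS prefixes per-user IE settings with 'u' and machine-wide ones with 'm'.
IE_SETTING_RE = re.compile(r"^[um]Internet Settings,(\w+) = (.*)$")
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (network\.proxy\.\S+) - (.*)$")

# Meaning of Firefox's network.proxy.type values.
FF_PROXY_TYPE = {"0": "direct", "1": "manual", "2": "pac-url",
                 "4": "auto-detect", "5": "system"}
# Firefox prefs that name a proxy host, one per protocol (assumed set).
FF_PROXY_HOST_PREFS = ("network.proxy.http", "network.proxy.ssl",
                       "network.proxy.ftp", "network.proxy.socks")


def parse_proxy_settings(log_text):
    """Collect IE 'Proxy*' settings and Firefox network.proxy.* prefs."""
    found = {"ie": {}, "ff": {}}
    for line in log_text.splitlines():
        m = IE_SETTING_RE.match(line)
        if m and m.group(1).lower().startswith("proxy"):
            found["ie"][m.group(1)] = m.group(2).strip()
            continue
        m = FF_PREF_RE.match(line)
        if m:
            found["ff"][m.group(1)] = m.group(2).strip()
    return found


def is_loopback(host):
    """True for 'localhost' or any loopback address (127.0.0.0/8, ::1)."""
    host = host.strip().strip("[]")
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def find_proxy_findings(log_text):
    """Return (source, setting, value, reason) tuples that deserve review."""
    settings = parse_proxy_settings(log_text)
    findings = []

    # IE: ProxyServer is the proxy itself, ProxyOverride the bypass list.
    # A loopback host:port in either points at a local listener.
    for name, value in settings["ie"].items():
        for entry in value.split(";"):
            # accept both 'host:port' and 'http=host:port' forms
            host = entry.split("=")[-1].rsplit(":", 1)[0]
            if is_loopback(host):
                findings.append(("ie", name, value, "loopback proxy endpoint"))
                break

    ff = settings["ff"]
    for pref in FF_PROXY_HOST_PREFS:
        if pref in ff and is_loopback(ff[pref]):
            port = ff.get(pref + "_port", "?")
            findings.append(("ff", pref, f"{ff[pref]}:{port}",
                             "loopback proxy endpoint"))

    ptype = ff.get("network.proxy.type")
    if ptype in ("1", "2", "4"):
        findings.append(("ff", "network.proxy.type", ptype,
                         f"proxy mode is {FF_PROXY_TYPE[ptype]}, "
                         "not direct or system"))
    return findings


if __name__ == "__main__":
    for source, setting, value, reason in find_proxy_findings(SAMPLE_LOG):
        print(f"[{source}] {setting} = {value}  ({reason})")
```

The checker only reports; on the sample above it lists the IE ProxyOverride entry, the Firefox HTTP proxy 127.0.0.1:55111, and the auto-detect proxy mode, which are exactly the three settings the CFScript clears. To use it on a real case, read a saved DDS or ComboFix log into a string and pass it to find_proxy_findings.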


#5 Bradalee

Bradalee
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:08:25 AM

Posted 17 February 2013 - 02:02 PM

ComboFix 13-02-15.01 - HOME USER 17/02/2013  18:38:56.2.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.2047.1040 [GMT 0:00]
Running from: c:\users\HOME USER\Desktop\ComboFix.exe
Command switches used :: c:\users\HOME USER\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2013 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: AVG Anti-Virus Free Edition 2013 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2013-01-17 to 2013-02-17  )))))))))))))))))))))))))))))))
.
.
2013-02-17 18:54 . 2013-02-17 18:54    --------    d-----w-    c:\users\UpdatusUser\AppData\Local\temp
2013-02-17 18:54 . 2013-02-17 18:54    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-02-17 04:28 . 2013-02-17 04:32    --------    d-----w-    C:\video_output
2013-02-17 04:27 . 2013-02-17 04:27    --------    d-----w-    c:\windows\system32\drivers\mycodec
2013-02-17 04:27 . 2013-02-17 04:29    --------    d-----w-    c:\program files\uConverter
2013-02-14 13:56 . 2013-01-08 22:01    768000    ----a-w-    c:\program files\Common Files\Microsoft Shared\vgx\VGX.dll
2013-02-13 13:19 . 2013-01-04 01:38    2048512    ----a-w-    c:\windows\system32\win32k.sys
2013-02-13 13:19 . 2012-11-08 03:48    1314816    ----a-w-    c:\windows\system32\quartz.dll
2013-02-13 13:19 . 2013-01-04 11:28    905576    ----a-w-    c:\windows\system32\drivers\tcpip.sys
2013-02-13 13:19 . 2013-01-05 05:26    3550072    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-02-13 13:19 . 2013-01-05 05:26    3602808    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-02-01 20:58 . 2013-02-01 20:58    94112    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-01-27 23:33 . 2013-01-27 23:33    --------    d-----w-    c:\users\HOME USER\AppData\Local\sabnzbd
2013-01-27 23:31 . 2013-01-27 23:31    --------    d-----w-    c:\program files\SABnzbd
2013-01-25 22:19 . 2013-01-25 22:19    --------    d-----w-    C:\Riot Games
2013-01-22 18:52 . 2013-01-22 18:54    --------    d-----w-    c:\programdata\AVG January 2013 Campaign
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-01 20:58 . 2012-08-29 15:26    861088    ----a-w-    c:\windows\system32\npDeployJava1.dll
2013-02-01 20:58 . 2010-04-21 17:32    782240    ----a-w-    c:\windows\system32\deployJava1.dll
2013-01-23 20:51 . 2012-04-03 06:34    697864    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-01-23 20:51 . 2011-05-14 07:09    74248    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-30 19:23 . 2012-12-30 19:23    444952    ----a-w-    c:\windows\system32\wrap_oal.dll
2012-12-30 19:23 . 2012-12-30 19:23    109080    ----a-w-    c:\windows\system32\OpenAL32.dll
2012-12-29 10:26 . 2013-01-06 16:43    6263784    ----a-w-    c:\windows\system32\nvopencl.dll
2012-12-29 10:26 . 2013-01-06 16:43    20450232    ----a-w-    c:\windows\system32\nvoglv32.dll
2012-12-29 10:26 . 2013-01-06 16:43    12641120    ----a-w-    c:\windows\system32\nvwgf2um.dll
2012-12-29 10:26 . 2013-01-06 16:43    8904632    ----a-w-    c:\windows\system32\drivers\nvlddmkm.sys
2012-12-29 10:26 . 2013-01-06 16:43    2720696    ----a-w-    c:\windows\system32\nvcuvid.dll
2012-12-29 10:26 . 2013-01-06 16:43    7931896    ----a-w-    c:\windows\system32\nvcuda.dll
2012-12-29 10:26 . 2013-01-06 16:43    1985976    ----a-w-    c:\windows\system32\nvcuvenc.dll
2012-12-29 10:26 . 2013-01-06 16:43    17560504    ----a-w-    c:\windows\system32\nvcompiler.dll
2012-12-29 10:26 . 2012-10-10 21:14    889784    ----a-w-    c:\windows\system32\nvdispgenco32.dll
2012-12-29 10:26 . 2011-10-31 11:59    1017272    ----a-w-    c:\windows\system32\nvdispco32.dll
2012-12-29 10:26 . 2010-03-26 12:07    15129064    ----a-w-    c:\windows\system32\nvd3dum.dll
2012-12-29 10:26 . 2010-03-26 12:07    2504248    ----a-w-    c:\windows\system32\nvapi.dll
2012-12-29 08:26 . 2011-04-07 21:44    4129720    ----a-w-    c:\windows\system32\nvcpl.dll
2012-12-29 08:26 . 2011-04-07 21:44    3001272    ----a-w-    c:\windows\system32\nvsvc.dll
2012-12-29 08:25 . 2011-04-07 21:45    639928    ----a-w-    c:\windows\system32\nvvsvc.exe
2012-12-29 08:25 . 2011-04-07 21:45    108984    ----a-w-    c:\windows\system32\nvmctray.dll
2012-12-29 08:25 . 2010-03-16 02:15    62904    ----a-w-    c:\windows\system32\nvshext.dll
2012-12-29 02:54 . 2012-12-29 02:54    550328    ----a-w-    c:\windows\system32\nvStreaming.exe
2012-12-23 22:13 . 2012-12-23 22:13    65848    ----a-w-    c:\windows\system32\drivers\RapportKELL.sys
2012-12-16 13:12 . 2012-12-22 03:01    34304    ----a-w-    c:\windows\system32\atmlib.dll
2012-12-16 10:50 . 2012-12-22 03:01    293376    ----a-w-    c:\windows\system32\atmfd.dll
2012-11-20 04:22 . 2013-01-09 15:53    204288    ----a-w-    c:\windows\system32\ncrypt.dll
2012-05-09 17:05 . 2011-12-17 14:52    134104    ----a-w-    c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32    129272    ----a-w-    c:\users\HOME USER\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32    129272    ----a-w-    c:\users\HOME USER\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32    129272    ----a-w-    c:\users\HOME USER\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-09 39408]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-10-01 328056]
"Steam"="c:\program files\steaaam\steam.exe" [2013-02-14 1597864]
"F.lux"="c:\users\HOME USER\Local Settings\Apps\F.lux\flux.exe" [2009-08-29 966656]
"Akamai NetSession Interface"="c:\users\HOME USER\AppData\Local\Akamai\netsession_win.exe" [2012-10-09 4441920]
"Spotify Web Helper"="c:\users\HOME USER\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-10-26 1199576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-07-27 180224]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"D-Link D-Link Wireless N DWA-140"="c:\program files\D-Link\D-Link Wireless N DWA-140\AirNCFG.exe" [2008-04-15 1675264]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 499608]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5.5ServiceManager"="c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"Wondershare Helper Compact.exe"="c:\program files\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe" [2012-03-27 1686528]
"AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2012-12-11 3147384]
"PMBVolumeWatcher"="c:\program files\Sony\PMB\PMBVolumeWatcher.exe" [2010-11-27 648032]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\users\HOME USER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\HOME USER\AppData\Roaming\Dropbox\bin\Dropbox.exe [2013-1-20 28539272]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Ralink Wireless Utility.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Ralink Wireless Utility.lnk
backup=c:\windows\pss\Ralink Wireless Utility.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2009-03-24 02:00    1983816    ----a-w-    c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2009-03-18 01:40    767312    ----a-w-    c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2009-02-26 17:36    30040    ----a-w-    c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 15:33    421160    ----a-w-    c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn Hamachi Ui]
2012-12-10 17:29    2254768    ----a-w-    c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-11-10 01:54    4240760    ----a-w-    c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
2012-11-27 20:32    3093624    ----a-w-    c:\program files\Pando Networks\Media Booster\PMB.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 17:38    421888    ----a-w-    c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28    1233920    ----a-w-    c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2012-07-13 12:33    17418928    ----a-r-    c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile Device Center]
2007-05-31 08:21    648072    ----a-w-    c:\windows\WindowsMobile\wmdc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai    REG_MULTI_SZ       Akamai
LocalServiceAndNoImpersonation    REG_MULTI_SZ       FontCache
bthsvcs    REG_MULTI_SZ       BthServ
WindowsMobile    REG_MULTI_SZ       wcescomm rapimgr
LocalServiceRestricted    REG_MULTI_SZ       WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc8cfaf7830a2.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-09 21:10]
.
2013-02-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-09 21:10]
.
2013-02-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2810653096-2423526978-308438003-1000Core.job
- c:\users\HOME USER\AppData\Local\Google\Update\GoogleUpdate.exe [2011-05-18 01:36]
.
2013-02-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2810653096-2423526978-308438003-1000UA.job
- c:\users\HOME USER\AppData\Local\Google\Update\GoogleUpdate.exe [2011-05-18 01:36]
.
2013-01-23 c:\windows\Tasks\ROC_REG_JAN_DELETE.job
- c:\programdata\AVG January 2013 Campaign\ROC.exe [2013-01-22 21:16]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {00001026-A15C-11D4-97A4-0050BF0FBE67} - hxxp://download.netmarble.net/web/nmstarter/NMStarter26_20101209.cab
DPF: {5C1B293E-DA77-4AFF-8B52-63DEF8C8A071} - hxxp://download.netmarble.net/ActiveX/NMAutoUpdateX/NMAutoUpdateX_1.0.1.1_20091109.cab
DPF: {6678BE91-1E04-4A4A-9C32-63145EA79C2A} - hxxp://fifa-online.easports.com/fo3-theme/addons/EAFO3AXLauncher.cab
DPF: {89F434A7-4A49-4394-AC02-007480331AE2} - hxxp://download.netmarble.net/ActiveX/NMAutoUpdateX/SystemIDInfo/NMSystemIDInfo_1.0.0.1.cab
DPF: {92E82FBB-DA00-41E0-ABFE-95482E21A4F6} - hxxp://download.netmarble.net/NMChatX/NMTransX.cab
FF - ProfilePath - c:\users\HOME USER\AppData\Roaming\Mozilla\Firefox\Profiles\njyxik32.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - ExtSQL: !HIDDEN! 2009-10-07 02:17; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-02-17 18:55
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_ce5ba24.dll"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2810653096-2423526978-308438003-1000\Software\G*e*n*i*e*"!\FM Genie Scout 12]
"GameDir"="c:\\Users\\HOME USER\\Documents\\Sports Interactive\\Football Manager 2012\\games"
"ShortlistDir"="c:\\Users\\HOME USER\\Documents\\Sports Interactive\\Football Manager 2012\\shortlists"
"FMPath"=""
"ScreenshotsDir"="c:\\Users\\HOME USER\\Documents\\Sports Interactive\\Football Manager 2012"
"SaveDir"="c:\\Users\\HOME USER\\Documents\\Sports Interactive\\Football Manager 2012\\"
"HistoryDir"="c:\\FM Genie Scout 12\\History Points"
"LangDB"="c:\\FM Genie Scout 12\\lang_db.dat"
"LastSaveGame"="c:\\Users\\HOME USER\\Documents\\Sports Interactive\\Football Manager 2012\\games\\Pete & Blake Portugal AND BRAD.fm"
"Language"="English"
"LoadLangDB"=dword:00000001
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000050
"GraphStep"=dword:00000000
"SkinName"="Steklo Black"
"LastUpdateCheck"=dword:0000a044
"VersionOf201"=dword:0000007b
"HighQualityGUI"=dword:00000001
"AutomaticallyUpdateCheck"=dword:00000001
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"ShowGuidNotification"=dword:00000000
"ShowDonateNotification"=dword:00000000
"Version"=dword:000000ce
"UniqueID"="24-AA00-E09F"
"Currency"=dword:00000056
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""
"PlayerSearchFeatureNum"=dword:00000013
"StaffSearchFeatureNum"=dword:00000003
"ClubSearchFeatureNum"=dword:00000000
"FilterByClubFeatureNum"=dword:00000000
"CompareFeatureNum"=dword:00000000
"ShortlistFeatureNum"=dword:00000001
"ExportFeatureNum"=dword:00000000
"HistoryFeatureNum"=dword:00000000
"LanguageDBFeatureNum"=dword:00000013
"HintsFeatureNum"=dword:00000001
"GenieReportFeatureNum"=dword:00000000
"TopFormationFeatureNum"=dword:00000000
"ScreenshotFeatureNum"=dword:00000000
"AdClicksNum"=dword:00000002
"AdImpressionsNum"=dword:0000003e
"GameLoadedCounter"=dword:0000001a
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(7664)
c:\users\HOME USER\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
Completion time: 2013-02-17  18:59:40
ComboFix-quarantined-files.txt  2013-02-17 18:59
ComboFix2.txt  2013-02-17 15:33
.
Pre-Run: 24,859,336,704 bytes free
Post-Run: 24,747,319,296 bytes free
.
- - End Of File - - 572F7692861A1DF19D3E5474901D3689


#6 Elise


Posted 17 February 2013 - 02:12 PM

How is everything running at this point? Do you have any problems left?

regards, Elise


#7 Bradalee


Posted 17 February 2013 - 02:34 PM

Well, there weren't really any problems to begin with; I only knew I had it when I got a message from Windows Defender telling me I had this virus. If we're finished here for now, I'll run a few scans and let you know if it's gone or not!

Thanks a lot for helping so far :)



#8 Elise (Malware Study Hall Admin)

Posted 17 February 2013 - 02:52 PM

In that case, let's just do some last steps to ensure your computer remains safe.

Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove the older Adobe Reader components and update:

  • Download the latest version of Adobe Reader (Version X) and save it to your desktop.
  • Uncheck the "Free McAfee Security Scan Plus" option or any other toolbar you are offered.
  • Click the download button at the bottom.
  • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the "click here to download" link on the next page.
  • Remove all older versions of Adobe Reader: go to Add/Remove Programs and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
    If you are unsure of how to use Add or Remove Programs, then please see this tutorial: How To Remove An Installed Program From Your Computer
  • Then from your desktop double-click on Adobe Reader to install the newest version.
    If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the "Adobe Setup - Welcome" window opens, click the Install > button.
  • If offered to install a toolbar, just uncheck the box before continuing unless you want it.

Your Adobe Reader is now up to date!


Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.

  • Download the latest version of Java Runtime Environment (JRE) Version 7u13.
  • Look for "JDK 7u13 (JDK or JRE)".
  • Click the "Download JRE" button at the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Select "Windows x86 Offline" and click on jre-7-windows-i586.exe
  • Save it to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Uninstall all older versions of Java (any item with Java Runtime Environment, JRE or J2SE in the name).
  • Reboot your computer once all Java components are removed.
  • Install the newest version by double-clicking (Run as Administrator for Windows Vista/Seven) the downloaded file.

 

 

Download Emsisoft Emergency Kit and save it to your desktop. Right-click on EmsisoftEmergencyKit.zip and select Extract All.... Leave all settings as they are and click Extract. You will now have a folder named EmsisoftEmergencyKit on your desktop. Open the EmsisoftEmergencyKit folder and double-click Start.exe.

  • A new window will open. Under "Run Directly:" click Emergency Kit Scanner.
  • When asked to run an online update, click Yes.
  • When the update is finished, click the Back to Security Status link in the left corner. On the main screen click the Scan Now button.
  • Select the Smart Scan option and click the SCAN button.
  • When the scan is finished click the Quarantine selected objects button. Note, this option is only available if malicious objects were detected during the scan.
  • Click the View Report button and in the Reports window double-click on the most recent log. Note, logs are named as follows: a2scan_<date>-<time>.txt.
  • Copy/paste the report contents in your next reply.

regards, Elise
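The Adobe Reader and Java steps above both hinge on one check: every older build has to be gone from Add/Remove Programs before the new one goes on, otherwise an exploitable runtime stays behind. The following PowerShell script is an added example, not part of the post and not from any tool named in it. It reads the same Uninstall registry keys that Add/Remove Programs displays, lists every Java and Adobe Reader/Acrobat entry with its version, and warns when more than one version of a product is present. It is read-only. It assumes PowerShell 2.0 or later is installed (Vista did not ship it by default), and the display-name patterns are my assumption about how those products register themselves; adjust them if an entry is missed.

```powershell
# Added example (not from the original post): inventory Java and Adobe Reader /
# Acrobat entries so leftover older builds can be found and removed by hand.
# Read-only: it queries the Uninstall registry keys Add/Remove Programs reads.
# Assumes PowerShell 2.0 or later.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    # 32-bit installers on 64-bit Windows; this key does not exist on 32-bit Windows
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    # Per-user installs
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Display-name patterns: an assumption about how these products register themselves,
# following the post's wording (Java Runtime Environment / JRE / J2SE; Adobe Reader,
# Acrobat Reader or Adobe Acrobat).
$patterns = @{
    'Java'  = 'Java\(TM\)|Java Runtime|Java \d+ Update|\bJRE\b|J2SE'
    'Adobe' = 'Adobe Reader|Acrobat Reader|Adobe Acrobat'
}

function Get-InstalledEntries {
    foreach ($key in $uninstallKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in (Get-ChildItem $key -ErrorAction SilentlyContinue)) {
            $p = Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue
            # Skip entries with no display name (hotfix stubs and hidden components)
            if (-not $p.DisplayName) { continue }
            New-Object PSObject -Property @{
                Name      = $p.DisplayName
                Version   = $p.DisplayVersion
                Publisher = $p.Publisher
                Uninstall = $p.UninstallString   # the command Add/Remove Programs would run
                Key       = $sub.PSPath
            }
        }
    }
}

$entries = @(Get-InstalledEntries)
Write-Host ("{0} Add/Remove Programs entries read" -f $entries.Count)

foreach ($product in $patterns.Keys) {
    $hits = @($entries | Where-Object { $_.Name -match $patterns[$product] })
    Write-Host ""
    Write-Host ("=== {0}: {1} matching entries ===" -f $product, $hits.Count)
    if ($hits.Count -eq 0) { continue }

    $hits | Sort-Object Name | Format-Table Name, Version, Publisher -AutoSize | Out-Host

    # More than one distinct version means an older build is still installed next to
    # the current one; the post asks for every older version to be uninstalled.
    $versions = @($hits | ForEach-Object { $_.Version } | Sort-Object -Unique)
    if ($versions.Count -gt 1) {
        Write-Host ("WARNING: {0} different {1} versions present ({2}); remove the older ones." -f `
            $versions.Count, $product, ($versions -join ', '))
    }
}
```

Run it once before uninstalling and once after installing the new build; the second run should show exactly one version per product. The Uninstall column is printed for reference only, so the removal itself still goes through Add/Remove Programs as the post describes.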


#9 Bradalee (Topic Starter)

Posted 18 February 2013 - 06:23 AM

I ran the scan and it didn't show anything, so it looks like ComboFix has done its job! Thanks a lot, Elise :)

 

----------------------------------------

Emsisoft Emergency Kit - Version 3.0
Last update: 18/02/2013 00:01:25
 
Scan settings:
 
Scan type: Smart Scan
Objects: Rootkits, Memory, Traces, C:\Windows\, C:\Program Files\
 
Detect Riskware: Off
Scan archives: Off
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off
 
Scan start:    18/02/2013 00:02:28
 
 
Scanned    497973
Found    0
 
Scan end:    18/02/2013 04:11:56
Scan time:    4:09:28


#10 Elise (Malware Study Hall Admin)

Posted 18 February 2013 - 06:43 AM

That looks excellent!

ALL CLEAN
--------------
Your machine appears to be clean. Please take the time to read below on how to secure the machine and take the necessary steps to keep it clean.

Please do the following to remove the remaining programs from your PC:
  • Delete the tools used during the disinfection:
    • Press the Windows key + R on your keyboard at the same time. In the Run box type combofix /uninstall, then press OK.
    • This will remove ComboFix and other tools we used from your computer.
  • You can delete any other tool or log by simply deleting them.
  • Please read the following advice on how to prevent reinfecting your PC:
    • Install and update the following programs regularly:
      • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
        A comprehensive tutorial and a list of possible firewalls can be found here.
      • an AntiVirus software.
        It is imperative that you update your AntiVirus software on a regular basis. If you do not update your AntiVirus software then it will not be able to catch the latest threats.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please visit the Microsoft Update website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!
  • Keep your other software up to date as well.
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out-of-date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.
  • Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

regards, Elise


#11 Bradalee (Topic Starter)

Posted 19 February 2013 - 04:43 PM

Thank you very much for your help with this, Elise; everything you said to do was easy and explained really well. And thanks for the tips on how to remain safe in the future :)



#12 Elise (Malware Study Hall Admin)

Posted 19 February 2013 - 05:26 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

regards, Elise




