Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Some kind of key logger


  • This topic is locked This topic is locked
12 replies to this topic

#1 Gilfar

Gilfar

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:50 PM

Posted 24 February 2013 - 07:42 AM

When I open Explorer or Word sometimes a message winow pop ups with an error "Key Hook" as message and  could not create file mapping object.

I've ran diagnostics but to no avail.

catchme from gmer is reporting some kind of hooks

 

 

detected NTDLL code modification:
ZwEnumerateKey 0 != 47, ZwQueryKey 0 != 19, ZwOpenKey 0 != 15, ZwClose 0 != 12, ZwEnumerateValueKey 0 != 16, ZwQueryValueKey 0 != 20, ZwOpenFile 0 != 48, ZwQueryDirectoryFile 0 != 50, ZwQuerySystemInformation 0 != 51Initialization error
 
Combofix log
 
ComboFix 13-02-22.01 - AP 2013-02-23   1:36.1.4 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1250.48.1033.18.4095.2687 [GMT 1:00]
Uruchomiony z: c:\users\AP\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Usunięto   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\AP\AppData\Local\unins000.exe
c:\windows\pkunzip.pif
c:\windows\pkzip.pif
F:\install.exe
.
.
(((((((((((((((((((((((((   Pliki utworzone od 2013-01-23 do 2013-02-23  )))))))))))))))))))))))))))))))
.
.
2013-02-22 12:21 . 2013-02-08 00:28    9162192    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{71E9A086-08CF-49AF-A0AC-9B4466E6C50F}\mpengine.dll
2013-02-21 12:13 . 2013-02-08 00:28    9162192    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-02-18 13:48 . 2013-02-18 13:48    --------    d-----w-    c:\programdata\Apple Computer
2013-02-18 13:48 . 2010-11-29 17:38    94208    ----a-w-    c:\windows\SysWow64\QuickTimeVR.qtx
2013-02-18 13:48 . 2010-11-29 17:38    69632    ----a-w-    c:\windows\SysWow64\QuickTime.qts
2013-02-18 13:48 . 2010-11-29 17:38    180224    ----a-w-    c:\windows\SysWow64\QTCF.dll
2013-02-18 13:48 . 2013-02-18 13:48    --------    d-----w-    c:\program files (x86)\QT Lite
2013-02-18 13:20 . 2013-02-18 13:48    --------    d-----w-    c:\users\AP\AppData\Local\Apple Computer
2013-02-18 13:15 . 2013-02-18 13:15    --------    d-----w-    c:\programdata\Apple
2013-02-13 21:18 . 2013-02-13 21:18    --------    d-----w-    C:\contig
2013-02-13 21:18 . 2012-11-14 09:22    207960    ----a-w-    c:\windows\SysWow64\Contig.exe
2013-02-13 11:30 . 2013-01-09 01:10    996352    ----a-w-    c:\program files\Common Files\Microsoft Shared\VGX\VGX.dll
2013-02-13 11:30 . 2013-01-08 22:01    768000    ----a-w-    c:\program files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll
2013-02-13 10:41 . 2013-01-05 05:53    5553512    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-02-13 10:41 . 2013-01-05 05:00    3967848    ----a-w-    c:\windows\SysWow64\ntkrnlpa.exe
2013-02-13 10:41 . 2013-01-05 05:00    3913064    ----a-w-    c:\windows\SysWow64\ntoskrnl.exe
2013-02-13 10:41 . 2013-01-04 03:26    3153408    ----a-w-    c:\windows\system32\win32k.sys
2013-02-13 10:41 . 2013-01-04 05:46    215040    ----a-w-    c:\windows\system32\winsrv.dll
2013-02-13 10:41 . 2013-01-04 04:51    5120    ----a-w-    c:\windows\SysWow64\wow32.dll
2013-02-13 10:41 . 2013-01-04 02:47    25600    ----a-w-    c:\windows\SysWow64\setup16.exe
2013-02-13 10:41 . 2013-01-04 02:47    7680    ----a-w-    c:\windows\SysWow64\instnm.exe
2013-02-13 10:41 . 2013-01-04 02:47    14336    ----a-w-    c:\windows\SysWow64\ntvdm64.dll
2013-02-13 10:41 . 2013-01-04 02:47    2048    ----a-w-    c:\windows\SysWow64\user.exe
2013-02-13 10:41 . 2013-01-03 06:00    1913192    ----a-w-    c:\windows\system32\drivers\tcpip.sys
2013-02-13 10:41 . 2013-01-03 06:00    288088    ----a-w-    c:\windows\system32\drivers\FWPKCLNT.SYS
2013-02-11 17:48 . 2013-02-11 17:48    --------    d-----w-    c:\programdata\PDF Architect
2013-02-08 12:56 . 2013-02-08 13:56    16365936    ----a-w-    c:\windows\SysWow64\FlashPlayerInstaller.exe
2013-02-06 23:10 . 2013-02-06 23:32    --------    d-----w-    c:\users\AP\AppData\Roaming\Orbit
2013-02-06 11:03 . 2013-02-06 11:03    95648    ----a-w-    c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-02-05 10:40 . 2013-02-05 10:40    --------    d-----w-    c:\users\AP\AppData\Roaming\inkscape
2013-02-05 00:09 . 2013-02-05 00:19    --------    d-----w-    c:\program files (x86)\Inkscape
2013-02-03 20:24 . 2013-02-03 20:24    --------    d-----w-    c:\users\AP\AppData\Roaming\Malwarebytes
2013-02-03 20:24 . 2013-02-03 20:24    --------    d-----w-    c:\programdata\Malwarebytes
2013-02-03 20:24 . 2013-02-03 20:24    --------    d-----w-    c:\program files (x86)\Malwarebytes' Anti-Malware
2013-02-03 20:24 . 2012-12-14 15:49    24176    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-02-01 07:35 . 2013-02-01 07:35    --------    d-----w-    c:\program files (x86)\Common Files\Skype
2013-02-01 07:35 . 2013-02-01 07:35    --------    d-----r-    c:\program files (x86)\Skype
2013-01-30 08:45 . 2013-01-30 08:45    --------    d-----w-    c:\programdata\ATI
2013-01-30 08:45 . 2013-01-30 08:45    --------    d-----w-    c:\program files (x86)\AMD AVT
2013-01-25 22:13 . 2013-01-26 10:04    --------    d-----w-    c:\users\AP\AppData\Roaming\skypePM
2013-01-25 22:13 . 2013-01-25 22:13    --------    d-----w-    c:\programdata\Skype Extras
2013-01-25 22:12 . 2013-02-23 00:40    --------    d-----w-    c:\users\AP\AppData\Roaming\Skype
2013-01-25 22:11 . 2013-02-01 07:35    --------    d-----w-    c:\programdata\Skype
.
.
.
((((((((((((((((((((((((((((((((((((((((   Sekcja Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-17 09:42 . 2012-04-02 17:40    71024    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-02-17 09:42 . 2012-04-02 17:40    691568    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2013-02-13 11:33 . 2012-04-02 18:35    70004024    ----a-w-    c:\windows\system32\MRT.exe
2013-02-06 11:03 . 2012-08-15 23:30    861088    ----a-w-    c:\windows\SysWow64\npDeployJava1.dll
2013-02-06 11:03 . 2012-04-23 19:32    782240    ----a-w-    c:\windows\SysWow64\deployJava1.dll
2013-01-30 10:53 . 2010-11-21 03:27    273840    ------w-    c:\windows\system32\MpSigStub.exe
2013-01-11 10:39 . 2013-01-21 21:47    103936    ----a-w-    c:\windows\system32\pdfcmon.dll
2013-01-04 04:43 . 2013-02-13 10:41    44032    ----a-w-    c:\windows\apppatch\acwow64.dll
2013-01-02 14:40 . 2009-08-18 11:49    564632    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\wlidui.dll
2013-01-02 14:40 . 2009-08-18 10:24    19696    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-12-16 17:11 . 2012-12-21 09:46    46080    ----a-w-    c:\windows\system32\atmlib.dll
2012-12-16 14:45 . 2012-12-21 09:46    367616    ----a-w-    c:\windows\system32\atmfd.dll
2012-12-16 14:13 . 2012-12-21 09:46    295424    ----a-w-    c:\windows\SysWow64\atmfd.dll
2012-12-16 14:13 . 2012-12-21 09:46    34304    ----a-w-    c:\windows\SysWow64\atmlib.dll
2012-12-07 13:20 . 2013-01-09 09:07    441856    ----a-w-    c:\windows\system32\Wpc.dll
2012-12-07 13:15 . 2013-01-09 09:07    2746368    ----a-w-    c:\windows\system32\gameux.dll
2012-12-07 12:26 . 2013-01-09 09:07    308736    ----a-w-    c:\windows\SysWow64\Wpc.dll
2012-12-07 12:20 . 2013-01-09 09:07    2576384    ----a-w-    c:\windows\SysWow64\gameux.dll
2012-12-07 11:20 . 2013-01-09 09:07    30720    ----a-w-    c:\windows\system32\usk.rs
2012-12-07 11:20 . 2013-01-09 09:07    43520    ----a-w-    c:\windows\system32\csrr.rs
2012-12-07 11:20 . 2013-01-09 09:07    23552    ----a-w-    c:\windows\system32\oflc.rs
2012-12-07 11:20 . 2013-01-09 09:07    45568    ----a-w-    c:\windows\system32\oflc-nz.rs
2012-12-07 11:20 . 2013-01-09 09:07    44544    ----a-w-    c:\windows\system32\pegibbfc.rs
2012-12-07 11:20 . 2013-01-09 09:07    20480    ----a-w-    c:\windows\system32\pegi-fi.rs
2012-12-07 11:20 . 2013-01-09 09:07    20480    ----a-w-    c:\windows\system32\pegi-pt.rs
2012-12-07 11:19 . 2013-01-09 09:07    20480    ----a-w-    c:\windows\system32\pegi.rs
2012-12-07 11:19 . 2013-01-09 09:07    46592    ----a-w-    c:\windows\system32\fpb.rs
2012-12-07 11:19 . 2013-01-09 09:07    40960    ----a-w-    c:\windows\system32\cob-au.rs
2012-12-07 11:19 . 2013-01-09 09:07    21504    ----a-w-    c:\windows\system32\grb.rs
2012-12-07 11:19 . 2013-01-09 09:07    15360    ----a-w-    c:\windows\system32\djctq.rs
2012-12-07 11:19 . 2013-01-09 09:07    55296    ----a-w-    c:\windows\system32\cero.rs
2012-12-07 11:19 . 2013-01-09 09:07    51712    ----a-w-    c:\windows\system32\esrb.rs
2012-12-07 10:46 . 2013-01-09 09:07    43520    ----a-w-    c:\windows\SysWow64\csrr.rs
2012-12-07 10:46 . 2013-01-09 09:07    30720    ----a-w-    c:\windows\SysWow64\usk.rs
2012-12-07 10:46 . 2013-01-09 09:07    45568    ----a-w-    c:\windows\SysWow64\oflc-nz.rs
2012-12-07 10:46 . 2013-01-09 09:07    44544    ----a-w-    c:\windows\SysWow64\pegibbfc.rs
2012-12-07 10:46 . 2013-01-09 09:07    20480    ----a-w-    c:\windows\SysWow64\pegi-pt.rs
2012-12-07 10:46 . 2013-01-09 09:07    23552    ----a-w-    c:\windows\SysWow64\oflc.rs
2012-12-07 10:46 . 2013-01-09 09:07    20480    ----a-w-    c:\windows\SysWow64\pegi-fi.rs
2012-12-07 10:46 . 2013-01-09 09:07    46592    ----a-w-    c:\windows\SysWow64\fpb.rs
2012-12-07 10:46 . 2013-01-09 09:07    20480    ----a-w-    c:\windows\SysWow64\pegi.rs
2012-12-07 10:46 . 2013-01-09 09:07    21504    ----a-w-    c:\windows\SysWow64\grb.rs
2012-12-07 10:46 . 2013-01-09 09:07    40960    ----a-w-    c:\windows\SysWow64\cob-au.rs
2012-12-07 10:46 . 2013-01-09 09:07    15360    ----a-w-    c:\windows\SysWow64\djctq.rs
2012-12-07 10:46 . 2013-01-09 09:07    55296    ----a-w-    c:\windows\SysWow64\cero.rs
2012-12-07 10:46 . 2013-01-09 09:07    51712    ----a-w-    c:\windows\SysWow64\esrb.rs
2012-11-30 05:45 . 2013-01-09 09:06    362496    ----a-w-    c:\windows\system32\wow64win.dll
2012-11-30 05:45 . 2013-01-09 09:06    243200    ----a-w-    c:\windows\system32\wow64.dll
2012-11-30 05:45 . 2013-01-09 09:06    13312    ----a-w-    c:\windows\system32\wow64cpu.dll
2012-11-30 05:43 . 2013-01-09 09:06    16384    ----a-w-    c:\windows\system32\ntvdm64.dll
2012-11-30 05:41 . 2013-01-09 09:06    424448    ----a-w-    c:\windows\system32\KernelBase.dll
2012-11-30 05:41 . 2013-01-09 09:06    1161216    ----a-w-    c:\windows\system32\kernel32.dll
2012-11-30 05:38 . 2013-01-09 09:06    6144    ---ha-w-    c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 09:06    4608    ---ha-w-    c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 09:06    4608    ---ha-w-    c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 09:06    4096    ---ha-w-    c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 09:06    4096    ---ha-w-    c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 09:06    3584    ---ha-w-    c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 09:06    3584    ---ha-w-    c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 09:06    3584    ---ha-w-    c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 09:06    3584    ---ha-w-    c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 09:06    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 09:06    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 09:06    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-string-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 09:06    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 09:06    5120    ---ha-w-    c:\windows\system32\api-ms-win-core-file-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 09:06    4096    ---ha-w-    c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 09:06    3584    ---ha-w-    c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 09:06    3584    ---ha-w-    c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 09:06    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 09:06    4096    ---ha-w-    c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 09:06    3584    ---ha-w-    c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 09:06    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-io-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 09:06    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 09:06    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 09:06    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 09:06    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 09:06    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 09:06    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 09:06    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-console-l1-1-0.dll
2012-11-30 04:53 . 2013-01-09 09:06    274944    ----a-w-    c:\windows\SysWow64\KernelBase.dll
2012-11-30 04:45 . 2013-01-09 09:06    4608    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-processthreads-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 09:06    4096    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-sysinfo-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 09:06    4096    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-synch-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 09:06    4096    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-misc-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 09:06    4096    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-localregistry-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 09:06    3584    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-processenvironment-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 09:06    3584    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-namedpipe-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 09:06    3584    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-memory-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 09:06    3584    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-libraryloader-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 09:06    3072    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-string-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 09:06    3072    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-profile-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 09:06    3072    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-io-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 09:06    4096    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-localization-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 09:06    3584    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-interlocked-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 09:06    3584    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-heap-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 09:06    3072    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 09:06    5120    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-file-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 09:06    3072    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-errorhandling-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 09:06    3072    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-delayload-l1-1-0.dll
.
.
(((((((((((((((((((((((((((((((((((((   Wpisy startowe rejestru   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane  
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c:\program files (x86)\NetMeter\NetMeter.exe"="c:\program files (x86)\NetMeter\NetMeter.exe" [2009-08-09 293888]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2013-01-08 18705664]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AMD AVT"="start AMD Accelerated Video Transcoding device initialization" [X]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"HDAudDeck"="c:\program files (x86)\VIA\VIAudioi\VDeck\VDeck.exe" [2012-06-08 5123216]
"VirtualCloneDrive"="c:\program files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2011-03-07 89456]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-11-16 641704]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2013-01-08 161536]
R3 Desura Install Service;Desura Install Service;c:\program files (x86)\Common Files\Desura\desura_service.exe [2012-08-31 131912]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys [2012-01-15 117248]
R3 ewusbmbb;HUAWEI USB-WWAN miniport;c:\windows\system32\DRIVERS\ewusbwwan.sys [2012-01-15 417280]
R3 GPU-Z;GPU-Z;c:\users\AP\AppData\Local\Temp\GPU-Z.sys [x]
R3 h647906;DragonRise H647906 AMD64 Driver;c:\windows\system32\drivers\h647906.sys [2008-08-08 63856]
R3 h648103;DragonRise H648103 AMD64 Driver;c:\windows\system32\drivers\h648103.sys [2008-08-08 62960]
R3 hid7906;hid7906;c:\windows\system32\drivers\hid7906.sys [x]
R3 hid8101;hid8101;c:\windows\system32\drivers\hid8101.sys [x]
R3 hid8103;hid8103;c:\windows\system32\drivers\hid8103.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-08-30 128456]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-09-12 368896]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 19456]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 57856]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2012-08-23 30208]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-04-02 1255736]
R3 yate;Yet Another Telephony Engine;c:\yate\yate-service.exe [2012-12-21 6656]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-11-16 238080]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35344]
S2 VIAKaraokeService;VIA Karaoke digital mixer Service;c:\windows\system32\viakaraokesrv.exe [2012-05-04 27760]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2012-02-23 95760]
S3 h648101;DragonRise H648101 AMD64 Driver;c:\windows\system32\drivers\h648101.sys [2008-08-08 65776]
S3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys [2012-01-15 87040]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-03-01 187392]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2012-05-04 2196592]
.
.
Zawartość folderu 'Zaplanowane zadania'
.
2013-02-22 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 09:42]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 1289704]
.
------- Skan uzupełniający -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.pl/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&ksportuj do programu Microsoft Excel - c:\progra~2\MICROS~3\Office14\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{768B3FDC-D0D9-4CDE-835F-9A4264981758}: NameServer = 193.41.112.14 193.41.112.18
FF - ProfilePath - c:\users\AP\AppData\Roaming\Mozilla\Firefox\Profiles\uray3q1m.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.pl/
.
- - - - USUNIĘTO PUSTE WPISY - - - -
.
Wow6432Node-HKLM-Run-USB Gamepad - c:\windows\USB Vibration\dr100&110\USB Gamepad.exe
AddRemove-{81BF6353-3C5B-4E6E-A566-7E162A00BF72}_is1 - c:\users\AP\AppData\Local\unins000.exe
.
.
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_149_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_149_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_149_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_149_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_149.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_149.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_149.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_149.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Czas ukończenia: 2013-02-23  01:44:35
ComboFix-quarantined-files.txt  2013-02-23 00:44
.
Przed: 12 726 943 744 bytes free
Po: 14 091 276 288 bytes free
.
- - End Of File - - F13E8B3B5649856A80AA132C9C445BB2
 
 


BC AdBot (Login to Remove)

 


#2 Gilfar

Gilfar
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:50 PM

Posted 27 February 2013 - 05:22 PM

Today i got the same poppup in skype but with "CBT Hook" in the message and the process name was ielowutil. I'm wondering if this is a key logger or something broken with explorer but I tried resetting the settings, however it didn't help.



#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:09:50 PM

Posted 28 February 2013 - 08:16 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:


Posted Image
m0le is a proud member of UNITE

#4 Gilfar

Gilfar
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:50 PM

Posted 01 March 2013 - 06:43 AM

Thanks for reply m0le, I hope we can find the root cause of these errors.

I've looked further into this issue and it might be caused by application ShiftWindow which uses keyhook.dll. There might be some kind of problem between this library and protected mode in explorer.

Edited by Gilfar, 01 March 2013 - 12:22 PM.


#5 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:09:50 PM

Posted 01 March 2013 - 08:42 PM

Yes, it may be system rather than malware.

Not every hook is malicious, of course, but if there is anything lurking we could find it

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply

    • Then

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[R1].txt as well.

  • Please download AdwCleaner by Xplode onto your desktop.

Edited by m0le, 01 March 2013 - 08:42 PM.

Posted Image
m0le is a proud member of UNITE

#6 Gilfar

Gilfar
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:50 PM

Posted 02 March 2013 - 06:11 AM

aswMBR stops responding during AV scan, here's the log before

 

 

aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2013-03-02 12:08:00
-----------------------------
12:08:00.470    OS Version: Windows x64 6.1.7601 Service Pack 1
12:08:00.470    Number of processors: 4 586 0xF07
12:08:00.471    ComputerName: QUAD  UserName: AP
12:08:01.035    Initialize success
12:08:09.221    AVAST engine defs: 13030100
12:08:15.243    Disk 0  \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
12:08:15.243    Disk 0 Vendor: Maxtor_6H400F0 HA431D90 Size: 381554MB BusType: 3
12:08:15.243    Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T0L0-5
12:08:15.253    Disk 1 Vendor: Maxtor_6Y200M0 YAR51HW0 Size: 194481MB BusType: 3
12:08:15.263    Disk 1 MBR read successfully
12:08:15.263    Disk 1 MBR scan
12:08:15.273    Disk 1 Windows XP default MBR code
12:08:15.273    Disk 1 Partition 1 00     07    HPFS/NTFS NTFS        51199 MB offset 63
12:08:15.295    Disk 1 Partition 2 00     07    HPFS/NTFS NTFS        51199 MB offset 104856255
12:08:15.314    Disk 1 Partition 3 00     07    HPFS/NTFS NTFS        51199 MB offset 209712510
12:08:15.347    Disk 1 scanning C:\Windows\system32\drivers
12:08:27.469    Service scanning
12:08:51.411    Modules scanning
12:08:51.419    Disk 1 trace - called modules:
12:08:51.432    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS intelide.sys PCIIDEX.SYS hal.dll atapi.sys 
12:08:51.438    1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0xfffffa8004823060]
12:08:51.443    3 CLASSPNP.SYS[fffff8800145143f] -> nt!IofCallDriver -> [0xfffffa8004219520]
12:08:51.448    5 ACPI.sys[fffff88000e0b7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-5[0xfffffa80044c5060]
12:08:52.073    AVAST engine scan C:\Windows
12:08:53.532    AVAST engine scan C:\Windows\system32
12:09:03.505    Disk 1 MBR has been saved successfully to "C:\MBR.dat"
12:09:03.514    The log file has been saved successfully to "C:\aswMBR.txt"
 
adwCleaner log
 
# AdwCleaner v2.113 - Logfile created 03/02/2013 at 12:10:47
# Updated 23/02/2013 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (64 bits)
# User : AP - QUAD
# Boot Mode : Normal
# Running from : C:\Users\AP\Downloads\adwcleaner.exe
# Option [Search]
 
 
***** [Services] *****
 
 
***** [Files / Folders] *****
 
 
***** [Registry] *****
 
 
***** [Internet Browsers] *****
 
-\\ Internet Explorer v9.0.8112.16464
 
[OK] Registry is clean.
 
-\\ Mozilla Firefox v17.0 (pl)
 
File : C:\Users\AP\APpData\Roaming\Mozilla\Firefox\Profiles\uray3q1m.default\prefs.js
 
[OK] File is clean.
 
-\\ Chromium v    _signature: MxkLmU+ce6cH9z/QyAeP1MDLgzxPkQOafxpK33UTyUo=
 
File : C:\Users\AP\APpData\Local\Chromium\User Data\Default\Preferences
 
[OK] File is clean.
 
*************************
 
AdwCleaner[R2].txt - [829 octets] - [02/03/2013 12:10:47]
 
########## EOF - C:\AdwCleaner[R2].txt - [888 octets] ##########
 


#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:09:50 PM

Posted 02 March 2013 - 09:11 PM

Please now run MBAM

Please download mbam-logo-new100_big.jpgMalwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If MBAM won't update then download and update MBAM on a clean computer then save the rules.ref folder to a memory stick. This file is found here: 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware' then transfer it across to the infected computer.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
  • Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Posted Image
m0le is a proud member of UNITE

#8 Gilfar

Gilfar
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:50 PM

Posted 03 March 2013 - 10:42 AM

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org
 
Database version: v2013.03.03.03
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
AP :: QUAD [administrator]
 
2013-03-03 13:31:12
mbam-log-2013-03-03 (13-31-12).txt
 
Scan type: Full scan (C:\|D:\|E:\|F:\|H:\|I:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 1084627
Time elapsed: 3 hour(s), 7 minute(s), 48 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
(end)


#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:09:50 PM

Posted 03 March 2013 - 08:38 PM

It looks clean, One more scan which will pick up any little thing which may have kicked off an infection

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the esetOnline.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.
  • Check esetAcceptTerms.png
  • Click the esetStart.png button.
  • Accept any security warnings from your browser.
  • Under scan settings, check esetScanArchives.png and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • Copy and paste the resulting log in your next reply
  • If no log is generated that means nothing was found. Please let me know if this happens.

    If you think a log should have been generated then go to C:\Program Files\ESET\ESET Online Scanner\log.txt to find it.

Posted Image
m0le is a proud member of UNITE

#10 Gilfar

Gilfar
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:50 PM

Posted 05 March 2013 - 02:35 PM

only Cheat Engine which I use

 

 

C:\Program Files (x86)\Cheat Engine 6.2\cheatengine-i386.exe    a variant of Win32/HackTool.CheatEngine.AB application    cleaned by deleting - quarantined
C:\Program Files (x86)\Cheat Engine 6.2\standalonephase1.dat    a variant of Win32/HackTool.CheatEngine.AF application    cleaned by deleting - quarantined
C:\Users\AP\Downloads\CheatEngine62.exe    multiple threats    cleaned by deleting - quarantined


#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:09:50 PM

Posted 05 March 2013 - 08:12 PM

There doesn't seem to be any malware on the system and those tools prove it. Are you having any problems with the machine at this stage


Posted Image
m0le is a proud member of UNITE

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:09:50 PM

Posted 12 March 2013 - 08:11 PM

Hi,

I have not had a reply from you for 3 days.
Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,

m0le
Posted Image
m0le is a proud member of UNITE

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:09:50 PM

Posted 18 March 2013 - 07:48 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
Posted Image
m0le is a proud member of UNITE




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users