Bad infection from a trojan


This topic is locked.
22 replies to this topic

#1 Slayer90

  • Members
  • 216 posts

Posted 13 March 2013 - 07:42 PM

My computer's symptom is that opening files on my desktop is very slow and unresponsive. My computer often freezes for at least 1 minute. When I double click on Notepad or file folders, it takes 5 to 10 minutes to open. Many times folders and Notepad won't open. The same applies to the Firefox and Internet Explorer browsers, taking 5 minutes to open upon double click. It takes a very long time to connect and load sites, and sometimes the sites fail to load and I get a DDOS. I scanned with the most up-to-date Malwarebytes, ESET, F-Secure, Avast!, AVG, TDSSKiller and AdwCleaner (separately, of course) and they found nothing. I tried using rkill and it did not find any malware. These symptoms still continue to occur, and my computer was working fine last week. I'm using Windows 7 32 bit. Whatever it is, it's a very advanced and sophisticated trojan. I'm using cable, so I'm connected to the internet at all times. When I do disconnect, my computer starts to run normally, which is a clear sign of malware infection.

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 10.0.9200.16521  BrowserJavaVersion: 10.17.2
Run by Alfred at 17:28:25 on 2013-03-13
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.2935.2020 [GMT -7:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\system32\atieclxx.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS5.5ServiceManager] "c:\program files\common files\adobe\cs5.5servicemanager\CS5.5ServiceManager.exe" -launchedbylogin
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE -startup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{3E06D39C-22A2-47C8-8B09-3047A290ADEE} : DHCPNameServer = 192.168.0.1
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\25.0.1364.160\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\alfred\appdata\roaming\mozilla\firefox\profiles\kmo4j686.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - plugin: c:\program files\google\update\1.3.21.135\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_6_602_180.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
FF - ExtSQL: 2013-03-05 21:42; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\alfred\appdata\roaming\mozilla\firefox\profiles\kmo4j686.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2013-03-05 22:50; wrc@avast.com; c:\program files\avast software\avast\webrep\FF
.
============= SERVICES / DRIVERS ===============
.
R0 amd_sata;amd_sata;c:\windows\system32\drivers\amd_sata.sys [2012-12-28 70824]
R0 amd_xata;amd_xata;c:\windows\system32\drivers\amd_xata.sys [2012-12-28 34984]
R0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [2013-3-5 49248]
R0 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [2013-3-5 164736]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2013-3-5 765736]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2013-3-5 368176]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-12-6 163328]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2013-3-5 29816]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-3-5 66336]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2013-3-13 45248]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-3-5 398184]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-3-5 682344]
R3 L1C;NDIS Miniport Driver for Atheros AR81xx PCI-E Ethernet Controller;c:\windows\system32\drivers\L1C62x86.sys [2011-12-23 90736]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-3-5 21104]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2013-3-6 14848]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2013-3-6 49664]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2013-3-6 27136]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2013-3-5 1343400]
.
============= FINISH: 17:29:41.85 ===============
 


Edited by Slayer90, 13 March 2013 - 07:43 PM.
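The DDS "Pseudo HJT Report" above lists autorun entries (uRun/mRun for HKCU/HKLM Run keys, BHO for browser helper objects). The following is an added example, not code from the original post or from DDS, showing how a responder can parse those lines and flag images that run from outside the Windows and Program Files trees, a common first triage filter. The sample text is constructed: its first six lines mirror entries from the posted log, and the final `uRun` line is a fictitious entry added only to exercise the rule.

```python
import re
from typing import Dict, List

# Constructed sample in the DDS "Pseudo HJT Report" format. The last line is a
# fictitious, constructed entry (not from the posted log) that exercises the filter.
SAMPLE_HJT = r"""uStart Page = hxxp://www.google.ca/
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE -startup
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
uRun: [updater] c:\users\alfred\appdata\roaming\example\updater.exe
"""

# DDS prefixes: "u" = current-user hive (HKCU), "m" = machine hive (HKLM).
RUN_RE = re.compile(r'^(?P<hive>[um])Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
BHO_RE = re.compile(r'^BHO: (?P<name>.*?): \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$')

# Locations treated as "expected" for a first pass; anything else gets a closer look.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def image_path(cmd: str) -> str:
    """Extract the executable path from a Run command line.

    Handles quoted paths ("c:\\x y\\a.exe" /arg) and unquoted paths with arguments
    (c:\\x\\a.exe -startup). Unquoted paths end at the first executable extension.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(.*?\.(?:exe|dll|scr|cpl|bat|cmd))(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Parse Run and BHO lines of a DDS pseudo-HJT report into records."""
    entries: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = RUN_RE.match(line)
        if m:
            entries.append({
                "kind": "Run",
                "hive": "HKCU" if m["hive"] == "u" else "HKLM",
                "name": m["name"],
                "path": image_path(m["cmd"]),
                "raw": line,
            })
            continue
        m = BHO_RE.match(line)
        if m:
            entries.append({
                "kind": "BHO",
                "hive": "HKLM",
                "name": m["name"],
                "path": m["path"].strip(),
                "raw": line,
            })
    return entries


def flag_untrusted(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return entries whose image lives outside the Windows/Program Files trees.

    User-profile and temp directories are where persistence most often hides,
    so these entries are the ones to check first (hash, signer, creation time).
    """
    return [e for e in entries if not e["path"].lower().startswith(TRUSTED_PREFIXES)]


if __name__ == "__main__":
    for e in flag_untrusted(parse_hjt(SAMPLE_HJT)):
        print(f"{e['hive']}\\Run [{e['name']}] -> {e['path']}")
```

A clean location is not proof of a clean file: entries under Program Files still deserve a signer and hash check, but the filter orders the work.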



#2 nasdaq

  • Malware Response Team
  • 39,888 posts
  • Location:Montreal, QC. Canada

Posted 15 March 2013 - 12:58 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===
Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Link 1
Link 2

IMPORTANT !!! Save ComboFix.exe to your Desktop

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
  • Note: Do not mouse click ComboFix's window while it's running. That may cause it to stall

Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program, all you need to do is restart the computer to reset the registry.
===

Third party programs, if not up to date, can be the cause of infiltration and infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Search for and delete the AdWare and PUPs (Potentially Unwanted Programs) installed on your computer.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on the Delete tab and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).
  • Please post the logs for my review. Let me know what problem persists.


#3 Slayer90

  • Topic Starter
  • Members
  • 216 posts

Posted 15 March 2013 - 02:25 PM

ComboFix 13-03-15.02 - Alfred 03/15/2013  12:38:21.1.2 - x86
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.2935.2045 [GMT -7:00]
Running from: c:\users\Alfred\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2013-02-13 to 2013-03-13  )))))))))))))))))))))))))))))))
2013-03-06 05:07 . 2012-02-17 04:13    24576    ----a-w-    c:\windows\system32\drivers\tdtcp.sys
2013-03-06 05:07 . 2011-02-03 05:54    219008    ----a-w-    c:\windows\system32\drivers\dxgmms1.sys
2013-03-06 05:02 . 2012-06-02 22:19    53784    ----a-w-    c:\windows\system32\wuauclt.exe
2013-03-06 05:02 . 2012-06-02 22:19    45080    ----a-w-    c:\windows\system32\wups2.dll
2013-03-06 05:02 . 2012-06-02 22:19    1933848    ----a-w-    c:\windows\system32\wuaueng.dll
2013-03-06 05:02 . 2012-06-02 22:12    2422272    ----a-w-    c:\windows\system32\wucltux.dll
2013-03-06 05:01 . 2012-06-02 22:19    35864    ----a-w-    c:\windows\system32\wups.dll
2013-03-06 05:01 . 2012-06-02 22:19    577048    ----a-w-    c:\windows\system32\wuapi.dll
2013-03-06 05:01 . 2012-06-02 22:12    88576    ----a-w-    c:\windows\system32\wudriver.dll
2013-03-06 05:01 . 2012-06-02 23:19    171904    ----a-w-    c:\windows\system32\wuwebv.dll
2013-03-06 05:01 . 2012-06-02 23:12    33792    ----a-w-    c:\windows\system32\wuapp.exe
2013-03-06 04:36 . 2013-03-06 04:37    --------    d-----w-    c:\users\Alfred
2013-03-06 04:36 . 2013-03-11 19:32    --------    d-----w-    C:\Recovery
2013-03-06 04:20 . 2013-03-06 04:36    --------    d-----w-    c:\windows\Panther
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-12 04:48 . 2013-03-13 03:22    474112    ----a-w-    c:\windows\apppatch\AcSpecfc.dll
2013-02-12 04:48 . 2013-03-13 03:22    2176512    ----a-w-    c:\windows\apppatch\AcGenral.dll
2013-01-21 19:12 . 2013-01-21 19:12    2121856    ----a-w-    c:\windows\system32\coin93.dll
2012-12-28 20:52 . 2012-12-28 20:52    70824    ----a-w-    c:\windows\system32\drivers\amd_sata.sys
2012-12-28 20:52 . 2012-12-28 20:52    34984    ----a-w-    c:\windows\system32\drivers\amd_xata.sys
2013-03-08 03:12 . 2013-03-08 03:12    263064    ----a-w-    c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-02-28 08:35    121968    ----a-w-    c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-02-28 4767304]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-16 499608]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5.5ServiceManager"="c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2012-02-09 312376]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
R3 aswVmm;aswVmm; [x]
R3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;c:\users\Alfred\AppData\Local\Temp\OnlineScanner\Anti-Virus\fsgk.sys [x]
R3 L1C;NDIS Miniport Driver for Atheros AR81xx PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x86.sys [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys [x]
S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys [x]
S0 aswRvrt;aswRvrt; [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - aswMBR
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation    REG_MULTI_SZ       SSDPSRV upnphost SCardSvr TBS fdrespub AppIDSvc QWAVE wcncsvc Mcx2Svc SensrSvc
GPSvcGroup    REG_MULTI_SZ       GPSvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - LocalService
FontCache
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-03-10 05:11    1630672    ----a-w-    c:\program files\Google\Chrome\Application\25.0.1364.160\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-13 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-03-06 05:10]
.
2013-03-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-03-10 05:09]
.
2013-03-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-03-10 05:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Alfred\AppData\Roaming\Mozilla\Firefox\Profiles\kmo4j686.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - ExtSQL: 2013-03-05 21:42; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\Alfred\AppData\Roaming\Mozilla\Firefox\Profiles\kmo4j686.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2013-03-05 22:50; wrc@avast.com; c:\program files\AVAST Software\Avast\WebRep\FF
.
- - - - ORPHANS REMOVED - - - -
.
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\SUPERAntiSpyware\SASSEH.DLL
SafeBoot-42024988.sys
AddRemove-Microsoft Mouse and Keyboard Center - c:\program files\Microsoft Mouse and Keyboard Center\setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-03-13  12:49:30
ComboFix-quarantined-files.txt  2013-03-13 19:49
.
Pre-Run: 143,665,696,768 bytes free
Post-Run: 143,976,964,096 bytes free
.
- - End Of File - - D3B25A98A68E07957288C62C3FFE5912
 



#4 Slayer90 (Topic Starter)

Posted 15 March 2013 - 02:35 PM

Results of screen317's Security Check version 0.99.61  
 Windows 7 Service Pack 1 x86 (UAC is enabled)  
 Internet Explorer 9  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
avast! Antivirus   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.70.0.1100  
 Java 7 Update 17  
 Adobe Flash Player     11.6.602.180  
 Mozilla Firefox (19.0.2)
 Google Chrome 25.0.1364.160  
````````Process Check: objlist.exe by Laurent````````  
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbamgui.exe  
 Malwarebytes' Anti-Malware mbamscheduler.exe   
 AVAST Software Avast AvastSvc.exe  
 AVAST Software Avast AvastUI.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 8%
````````````````````End of Log``````````````````````
 



#5 Slayer90 (Topic Starter)

Posted 15 March 2013 - 02:44 PM

# AdwCleaner v2.114 - Logfile created 03/15/2013 at 12:37:18
# Updated 05/03/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (32 bits)
# User : Alfred - ALFRED-PC
# Boot Mode : Normal
# Running from : C:\Users\Alfred\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16521

[OK] Registry is clean.

-\\ Mozilla Firefox v19.0.2 (en-US)

File : C:\Users\Alfred\AppData\Roaming\Mozilla\Firefox\Profiles\kmo4j686.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[S4].txt - [674 octets] - [15/03/2013 12:37:18]

########## EOF - C:\AdwCleaner[S4].txt - [733 octets] ##########
 



#6 Slayer90 (Topic Starter)

Posted 15 March 2013 - 09:36 PM

The symptoms still keep happening. Is it possible for this malware to be a trojan so sophisticated that even the most updated, advanced anti-malware can't detect it? It's possible I have both a trojan and a rootkit infection. When I disconnect from the internet the computer seems to run normally. So it's most definitely malicious software that enables a hacker to gain unrestricted access to my computer. Could it be possible the hacker changed some stuff with regedit? Is there a way to scan or find out if regedit has been tampered with?



#7 nasdaq

nasdaq

  • Malware Response Team
  • 39,888 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:25 AM

Posted 16 March 2013 - 07:40 AM

Your logs are clean.

Try this.

Click the Start button. In the Search box, type Command Prompt, and then, in the list of results, double-click Command Prompt.

At the cursor type:
ipconfig /flushdns <-- (A space between g and / is needed)

repeat with
ipconfig /renew

Then hit Enter, type Exit, hit the Enter key.

You may need to run CMD - Command Prompt on Vista - Windows 7 with Elevated Privilege
http://www.mydigitallife.info/2007/02/17/how-to-open-elevated-command-prompt-with-administrator-privileges-in-windows-vista/

#8 Slayer90 (Topic Starter)

Posted 16 March 2013 - 01:05 PM

That still doesn't explain why my computer is slow and freezes. Not to mention I get DDOS. I have experience in the past that there are trojans and rootkits that have evaded detection even by the best anti-malware such as Malwarebytes, Eset.



#9 nasdaq (Malware Response Team)

Posted 16 March 2013 - 01:42 PM

Did you flush your DNS as previously requested?

Please download RogueKiller© by Tigzy from one of the links below and save it to your desktop.

Link 1 Bleepingcomputer
Link 2 RogueKiller (by Tigzy)

Quit all running programs.

For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.
====

#10 Slayer90 (Topic Starter)

Posted 16 March 2013 - 03:13 PM

Yes I did the DNS flush with Command Prompt.

 

 

RogueKiller V8.5.3 [Mar 16 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Alfred [Admin rights]
Mode : Scan -- Date : 03/16/2013 13:08:06
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : BitTorrent ("C:\Users\Alfred\AppData\Roaming\BitTorrent\BitTorrent.exe"  /MINIMIZED) [7] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-339028451-1951248535-1030407522-1000[...]\Run : BitTorrent ("C:\Users\Alfred\AppData\Roaming\BitTorrent\BitTorrent.exe"  /MINIMIZED) [7] -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 activate.adobe.com
127.0.0.1 practivate.adobe.com
127.0.0.1 ereg.adobe.com
127.0.0.1 activate.wip3.adobe.com
127.0.0.1 wip3.adobe.com
127.0.0.1 3dns-3.adobe.com
127.0.0.1 3dns-2.adobe.com
127.0.0.1 adobe-dns.adobe.com
127.0.0.1 adobe-dns-2.adobe.com
127.0.0.1 adobe-dns-3.adobe.com
127.0.0.1 ereg.wip3.adobe.com
127.0.0.1 activate-sea.adobe.com
127.0.0.1 wwis-dubc1-vip60.adobe.com
127.0.0.1 activate-sjc0.adobe.com
127.0.0.1 adobe.activate.com
127.0.0.1 adobeereg.com
127.0.0.1 www.adobeereg.com
127.0.0.1 wwis-dubc1-vip60.adobe.com
127.0.0.1 125.252.224.90
127.0.0.1 125.252.224.91
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST325082 0AS SATA Disk Device +++++
--- User ---
[MBR] 4b3aba3b5eb7e54b484ec12532e959ad
[BSP] 6507b6d15654bc8d4ea1ea8c8c2faea2 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 208374 Mo
2 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 426956800 | Size: 29999 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_03162013_02d1308.txt >>
RKreport[1]_S_03162013_02d1308.txt
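The HOSTS section of the report above is the part worth reading line by line. An entry that points a name at 127.0.0.1 blocks that name (it resolves to the local machine), an entry that points a name at some other address silently redirects it, and an entry whose "name" is itself an IP literal, like the last two shown, changes nothing, because the hosts file only maps names. Every sinkholed name in this report belongs to Adobe activation and registration infrastructure. The auditor below is an added example, not part of this thread and not RogueKiller's code; its sample input is constructed from the entries shown in the report plus one made-up redirect line (198.51.100.7 to www.example-bank.test, an RFC 5737 address and a reserved TLD) to show the case that would actually be alarming.

```python
"""Audit a Windows hosts file the way the HOSTS section of a RogueKiller report
invites you to.  Added example, not the tool's code; SAMPLE_HOSTS is constructed
from the entries shown in the report plus one made-up redirect line."""
from __future__ import annotations
import ipaddress
from collections import Counter

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
DEFAULT_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text: str) -> list[tuple[str, str]]:
    """(address, name) for every active mapping.  One line may list several names
    for one address; anything after '#' is a comment."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        pairs.extend((address, name.lower()) for name in names)
    return pairs


def registered_domain(name: str) -> str:
    """Last two labels.  Enough to group the adobe.com entries; wrong for co.uk-style suffixes."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(address: str, name: str) -> str:
    """sinkhole:  name resolves to the local machine (blocked)
    redirect:  name is sent to some other address (the alarming case)
    noop:      the 'name' is an IP literal, so the line changes nothing
    default:   the stock localhost mappings
    malformed: the address does not parse"""
    try:
        ipaddress.ip_address(name)
        return "noop"
    except ValueError:
        pass
    try:
        ipaddress.ip_address(address)
    except ValueError:
        return "malformed"
    if name in DEFAULT_NAMES:
        return "default"
    return "sinkhole" if address in LOOPBACK else "redirect"


def audit(text: str) -> dict:
    entries = parse_hosts(text)
    tagged = [(classify(a, n), a, n) for a, n in entries]
    return {
        "counts": Counter(kind for kind, _, _ in tagged),
        "sinkholed_domains": Counter(registered_domain(n) for k, _, n in tagged if k == "sinkhole"),
        "redirects": [(n, a) for k, a, n in tagged if k == "redirect"],
        "noops": [n for k, _, n in tagged if k == "noop"],
        "duplicates": sorted(n for n, c in Counter(n for _, n in entries).items() if c > 1),
    }


SAMPLE_HOSTS = """# constructed sample: the lines RogueKiller showed, plus one made-up redirect
127.0.0.1 activate.adobe.com
127.0.0.1 practivate.adobe.com
127.0.0.1 ereg.adobe.com
127.0.0.1 activate.wip3.adobe.com
127.0.0.1 wip3.adobe.com
127.0.0.1 3dns-3.adobe.com
127.0.0.1 3dns-2.adobe.com
127.0.0.1 adobe-dns.adobe.com
127.0.0.1 adobe-dns-2.adobe.com
127.0.0.1 adobe-dns-3.adobe.com
127.0.0.1 ereg.wip3.adobe.com
127.0.0.1 activate-sea.adobe.com
127.0.0.1 wwis-dubc1-vip60.adobe.com
127.0.0.1 activate-sjc0.adobe.com
127.0.0.1 adobe.activate.com
127.0.0.1 adobeereg.com
127.0.0.1 www.adobeereg.com
127.0.0.1 wwis-dubc1-vip60.adobe.com
127.0.0.1 125.252.224.90
127.0.0.1 125.252.224.91
198.51.100.7 www.example-bank.test   # made-up entry (RFC 5737 address, reserved TLD)
"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE_HOSTS).items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

Run as-is it groups the sinkholed names by registered domain (15 under adobe.com, two under adobeereg.com, one under activate.com), lists the one redirect separately, reports the two IP-literal lines as no-ops, and flags the duplicated wwis-dubc1-vip60.adobe.com line. The two-label domain grouping is a deliberate shortcut; use a public-suffix list if you need it to be right for names under suffixes such as co.uk.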


 



#11 Slayer90 (Topic Starter)

Posted 16 March 2013 - 07:25 PM

I just have a couple of questions I need to ask. Will ComboFix damage or affect any of my installed programs such as PC games, Notepad documents, application software, MP3s, images, movie formats, RAR files and updates, Firefox along with its add-ons? Also can we please leave this topic open for one more day just in case the same problem happens again?


Edited by Slayer90, 16 March 2013 - 10:36 PM.


#12 Slayer90 (Topic Starter)

Posted 16 March 2013 - 08:11 PM

My computer is still slow, and running application programs seem to exit by themselves without me doing anything.



#13 nasdaq (Malware Response Team)

Posted 17 March 2013 - 07:30 AM



Run RogueKiller again and click Scan
When the scan completes > click on the Registry tab
Put a check next to all of these item below and uncheck the rest: (if found)

[RUN][SUSP PATH] HKCU\[...]\Run : BitTorrent ("C:\Users\Alfred\AppData\Roaming\BitTorrent\BitTorrent.exe" /MINIMIZED) [7] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-339028451-1951248535-1030407522-1000[...]\Run : BitTorrent ("C:\Users\Alfred\AppData\Roaming\BitTorrent\BitTorrent.exe" /MINIMIZED) [7] -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND


Now click Delete on the right hand column under Options

Post back the report which should be located on your desktop.
===

As for ComboFix, it will not have any effect on your files.
If anything is removed it will be quarantined. It can then be restored if it's a false positive.

#14 Slayer90 (Topic Starter)

Posted 17 March 2013 - 09:50 AM

I deleted the following stuff.

 

RogueKiller V8.5.3 [Mar 17 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Alfred [Admin rights]
Mode : Scan -- Date : 03/17/2013 07:33:12
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] BitTorrent.exe -- C:\Users\Alfred\AppData\Roaming\BitTorrent\BitTorrent.exe [7] -> KILLED [TermProc]

¤¤¤ Registry Entries : 5 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : BitTorrent ("C:\Users\Alfred\AppData\Roaming\BitTorrent\BitTorrent.exe"  /MINIMIZED) [7] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-339028451-1951248535-1030407522-1000[...]\Run : BitTorrent ("C:\Users\Alfred\AppData\Roaming\BitTorrent\BitTorrent.exe"  /MINIMIZED) [7] -> FOUND
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 activate.adobe.com
127.0.0.1 practivate.adobe.com
127.0.0.1 ereg.adobe.com
127.0.0.1 activate.wip3.adobe.com
127.0.0.1 wip3.adobe.com
127.0.0.1 3dns-3.adobe.com
127.0.0.1 3dns-2.adobe.com
127.0.0.1 adobe-dns.adobe.com
127.0.0.1 adobe-dns-2.adobe.com
127.0.0.1 adobe-dns-3.adobe.com
127.0.0.1 ereg.wip3.adobe.com
127.0.0.1 activate-sea.adobe.com
127.0.0.1 wwis-dubc1-vip60.adobe.com
127.0.0.1 activate-sjc0.adobe.com
127.0.0.1 adobe.activate.com
127.0.0.1 adobeereg.com
127.0.0.1 www.adobeereg.com
127.0.0.1 wwis-dubc1-vip60.adobe.com
127.0.0.1 125.252.224.90
127.0.0.1 125.252.224.91
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST325082 0AS SATA Disk Device +++++
--- User ---
[MBR] 4b3aba3b5eb7e54b484ec12532e959ad
[BSP] 6507b6d15654bc8d4ea1ea8c8c2faea2 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 208374 Mo
2 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 426956800 | Size: 29999 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_S_03172013_02d0733.txt >>
RKreport[1]_S_03162013_02d1720.txt ; RKreport[2]_S_03172013_02d0733.txt
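RogueKiller's MBR Check prints a hash of the boot sector, a hash of its boot code, and the partition table. Decoding that table yourself is worth doing when you want to confirm the numbers rather than trust a tool's summary: a classic MBR is 446 bytes of boot code, four 16-byte partition entries, and the 0x55AA signature in the last two bytes. The parser below is an added example, not RogueKiller's code. The 512-byte MBR it works on is constructed from the three partitions in the report (same types, offsets and sizes, with zeroed boot code and placeholder CHS fields), and the MD5 it prints is over its own 440-byte boot-code region, which is not claimed to match the tool's [MBR] or [BSP] values.

```python
"""Decode an MBR partition table the way RogueKiller's "MBR Check" summarises it.
Added example, not RogueKiller's code; SAMPLE_MBR is constructed from the
partition values in the report, not read from the poster's disk."""
from __future__ import annotations
import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
TABLE_OFFSET = 446                 # 446 bytes of boot code, then four 16-byte entries
BOOT_CODE_LEN = 440                # bytes 440..445 hold the disk signature and padding
SIGNATURE = b"\x55\xaa"            # bytes 510..511 of any valid MBR
PART_TYPES = {0x05: "Extended", 0x06: "FAT16", 0x07: "NTFS", 0x0B: "FAT32",
              0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)", 0xEE: "GPT protective"}


@dataclass
class Partition:
    index: int
    active: bool
    type_code: int
    lba_start: int
    sectors: int

    @property
    def type_name(self) -> str:
        return PART_TYPES.get(self.type_code, "unknown")

    @property
    def size_mb(self) -> int:
        return self.sectors * SECTOR // (1024 * 1024)

    @property
    def lba_end(self) -> int:      # first sector after the partition
        return self.lba_start + self.sectors


def parse_mbr(mbr: bytes) -> list[Partition]:
    """Return the populated partition entries; raise ValueError on a malformed sector."""
    if len(mbr) != 512:
        raise ValueError("an MBR is exactly 512 bytes")
    if mbr[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = mbr[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, type_code, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if type_code == 0 and sectors == 0:
            continue                                   # empty slot
        if status not in (0x00, 0x80):
            raise ValueError(f"entry {i}: invalid status byte 0x{status:02x}")
        parts.append(Partition(i, status == 0x80, type_code, lba_start, sectors))
    return parts


def is_valid_mbr(mbr: bytes) -> bool:
    try:
        parse_mbr(mbr)
        return True
    except ValueError:
        return False


def layout_notes(parts: list[Partition]) -> list[str]:
    """Consistency checks: exactly one active partition, no overlapping entries, and
    no unallocated space between consecutive partitions (a gap proves nothing by
    itself, but it is where a second look belongs)."""
    notes = []
    if sum(p.active for p in parts) != 1:
        notes.append("expected exactly one active partition")
    ordered = sorted(parts, key=lambda p: p.lba_start)
    for a, b in zip(ordered, ordered[1:]):
        if b.lba_start < a.lba_end:
            notes.append(f"partitions {a.index} and {b.index} overlap")
        elif b.lba_start > a.lba_end:
            notes.append(f"{b.lba_start - a.lba_end} unallocated sectors between {a.index} and {b.index}")
    return notes


def boot_code_md5(mbr: bytes) -> str:
    """MD5 of the boot-code region only, for comparison with a baseline from a known-clean system."""
    return hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest()


def build_entry(active: bool, type_code: int, lba_start: int, sectors: int) -> bytes:
    """Pack one partition entry; the CHS fields get a placeholder, this example does not compute them."""
    return struct.pack("<B3sB3sII", 0x80 if active else 0x00, b"\xff\xff\xff",
                       type_code, b"\xff\xff\xff", lba_start, sectors)


# Constructed MBR: zeroed boot code plus the three partitions listed in the report
# (sizes are given in MB there; 1 MB = 2048 sectors of 512 bytes).
SAMPLE_MBR = (bytes(TABLE_OFFSET)
              + build_entry(True, 0x07, 2048, 100 * 2048)
              + build_entry(False, 0x07, 206848, 208374 * 2048)
              + build_entry(False, 0x06, 426956800, 29999 * 2048)
              + bytes(16)
              + SIGNATURE)


def report(mbr: bytes) -> str:
    parts = parse_mbr(mbr)
    lines = [f"boot code md5: {boot_code_md5(mbr)}", "Partition table:"]
    for p in parts:
        flag = "ACTIVE" if p.active else "XXXXXX"
        lines.append(f"{p.index} - [{flag}] {p.type_name} (0x{p.type_code:02X}) "
                     f"Offset (sectors): {p.lba_start} | Size: {p.size_mb} MB")
    lines.extend(layout_notes(parts) or ["layout consistent"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_MBR))
```

With the report's values the table is internally consistent: partition 0 (2048 + 204800 sectors) ends exactly where partition 1 starts, and partition 1 ends exactly at sector 426956800, where the FAT16 partition begins, so the layout check prints nothing. Two active flags, overlapping entries, or a partition starting inside another are the kinds of inconsistency worth chasing; a boot-code hash that differs from a baseline taken from a known-clean install of the same Windows version is the other signal, and on a real disk you read the 512 bytes from \\.\PhysicalDrive0 with administrator rights rather than constructing them.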


 



#15 Slayer90 (Topic Starter)

Posted 17 March 2013 - 10:20 AM

My computer is acting strange. Files duplicate all by themselves. Duplicates of my User folder and My Computer folder suddenly appeared on my desktop. I wasn't using the computer so I didn't see what happened. Also BitTorrent seems to exit by itself. It did this yesterday, and just now a few minutes ago. I wasn't even doing anything. Never have I experienced this before. All this happened, I think, 20 minutes after I deleted these files with RogueKiller. Is this the result of RogueKiller or something else?





