Malware causes explorer.exe crash. Fault module is shell32.dll.


  • This topic is locked
42 replies to this topic

#1 varunkr

varunkr

  • Members
  • 39 posts
  • OFFLINE
  • Local time:05:40 AM

Posted 16 April 2013 - 08:29 AM

Hi all. A few days ago, my computer got some malware through a friend's USB drive. I tried scanning it using quite a few antivirus and anti-malware programs (avast pro, kaspersky, malwarebytes, even used a rescue disk and tried boot scanning) but they didn't detect anything and were unable to clean it.

I was unable to open MSConfig, System Restore or install any new applications. I ran Windows in safe mode and disabled a few JavaScript files with weird names from startup in MSConfig. Now that problem is no longer there in normal mode and I can install applications and open MSConfig and System Restore (the previous restore points had been wiped off, though).

 

But in normal mode as well as safe mode, whenever I try to open the control panel or any of its components, either directly or through any other link, my explorer crashes and I am unable to open it. The fault module is shell32.dll.

 

Also, I was reading a different topic with a similar issue, wherein someone's explorer.exe crashed due to a different .dll file. A few commands executed in cmd were the solution provided there. Not knowing that it wouldn't really help, I applied the following commands to shell32.dll and haven't reverted them yet:

takeown /a /f "c:\Program Files\Internet Explorer\shell32.dll"
cacls "c:\Program Files\Internet Explorer\shell32.dll" /g everyone:f

 

I did run sfc/scannow after reading somewhere about it but the verification finished without any errors reported. I do not want to format my hard drive if that is possible. Is there any other way out?

 

The DDS log I obtained is reproduced below and the Attach.txt file is attached with the post:

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16476  BrowserJavaVersion: 10.17.2
Run by Admin at 18:45:28 on 2013-04-16
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.2013.845 [GMT 5.5:30]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\ibmpmsvc.exe
C:\Program Files\Lenovo\ATK Hotkey\ASLDRSrv.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Lenovo\ATK Hotkey\GFNEXSrv.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Program Files\Lenovo\ATK Hotkey\LFKAS.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe
C:\Windows\system32\PnkBstrA.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe
C:\Program Files\Lenovo\ATK Hotkey\LCONTROL.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Lenovo\ATK Hotkey\LFKA.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Lenovo\HOTKEY\LVOSDSVC.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Stardock\ObjectDockFree\ObjectDock.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k secsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uProxyOverride = *.manipal.net;172.16.19.80;elearning;<local>
uURLSearchHooks: {687578b9-7132-4a7a-80e4-30ee31099e03} - <orphaned>
BHO: IDM integration (IDMIEHlprObj Class): {0055C089-8582-441B-A0BF-17B458C2A3A8} - c:\program files\internet download manager\IDMIECC.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [AdobeBridge] <no file>
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\LVOSDSVC.exe
mRun: [PWMTRV] rundll32 c:\progra~1\thinkpad\utilit~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\52285.js
StartupFolder: c:\users\admin\appdata\roaming\micros~1\windows\startm~1\programs\startup\stardo~1.lnk - c:\program files\stardock\objectdockfree\ObjectDock.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoWindowsUpdate = 1
uPolicies-Explorer: NoControlPanel = 1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:28
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
TCP: NameServer = 10.49.0.45 10.49.0.46
TCP: Interfaces\{46A1CB8F-6B49-4078-A190-3C7F5E63069E} : NameServer = 218.248.255.197,218.248.255.169
TCP: Interfaces\{46A1CB8F-6B49-4078-A190-3C7F5E63069E} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{D787BD33-C518-4E07-BDF3-60F19848075B} : DHCPNameServer = 10.49.0.45 10.49.0.46
TCP: Interfaces\{D787BD33-C518-4E07-BDF3-60F19848075B}\94F4E404934786D224C6F636B6 : DHCPNameServer = 10.49.0.45 10.49.0.46
TCP: Interfaces\{D787BD33-C518-4E07-BDF3-60F19848075B}\94F4E404D416E6960716C6D294E646F6F627D233 : DHCPNameServer = 10.49.0.45 10.49.0.46
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
STS: ObjectDockShlExt Class - {1984D045-52CF-49cd-DB77-08F378FEA4DB} - c:\program files\stardock\objectdockfree\ODMenu.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\admin\appdata\roaming\mozilla\firefox\profiles\1ope3850.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3072253&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - about:home
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.135\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: c:\users\admin\appdata\local\facebook\video\skype\npFacebookVideoCalling.dll
FF - plugin: c:\users\admin\appdata\local\google\update\1.3.21.135\npGoogleUpdate3.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_6_602_180.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
FF - ExtSQL: 2013-04-03 21:50; mozilla_cc@internetdownloadmanager.com; c:\users\admin\appdata\roaming\idm\idmmzcc5
.
============= SERVICES / DRIVERS ===============
.
R0 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys [2013-1-26 21576]
R0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [2013-3-11 49248]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2013-1-26 765736]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2013-1-26 368176]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2010-12-21 13680]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2013-1-26 29816]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-1-26 66336]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2013-3-11 45248]
R2 IDMWFP;IDMWFP;c:\windows\system32\drivers\idmwfp.sys [2012-3-16 91936]
R2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;c:\program files\lenovo\virtscrl\lvvsst.exe [2010-12-21 93032]
R2 LFKAS;Service of LFKA;c:\program files\lenovo\atk hotkey\LFKAS.exe [2010-12-21 208896]
R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2010-12-21 64440]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2010-3-15 127488]
R3 MTsensor32;PU ACPI UTILITY;c:\windows\system32\drivers\PuAcpi32.sys [2010-12-21 14344]
R3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETwNs32.sys [2010-10-18 7122944]
R3 PCDSRVC{3037D694-FD904ACA-06020000}_0;PCDSRVC{3037D694-FD904ACA-06020000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor\pcdsrvc.pkms [2010-9-9 21360]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-11 139776]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-14 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-14 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-14 661504]
S2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-4-13 418376]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-4-13 701512]
S3 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [2013-3-11 164736]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-12-21 45736]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2010-12-21 29472]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-4-13 22856]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-11 4231168]
S3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2010-12-21 75112]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-7-1 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-12-21 1343400]
.
=============== Created Last 30 ================
.
2013-04-14 19:50:44    94112    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-04-13 09:39:41    --------    d-----w-    c:\users\admin\appdata\roaming\Malwarebytes
2013-04-13 09:39:27    --------    d-----w-    c:\programdata\Malwarebytes
2013-04-13 09:39:24    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-04-13 09:39:24    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-04-13 08:12:44    15616    ----a-w-    c:\windows\system32\drivers\TrueSight.sys
2013-04-13 07:56:49    --------    d-----w-    c:\windows\pss
2013-04-13 06:19:33    --------    d-----w-    c:\users\admin\appdata\local\CrashDumps
2013-04-13 04:06:20    7108640    ----a-w-    c:\programdata\microsoft\windows defender\definition updates\{a9d45cd8-1f99-4e65-aebb-be6c163ddc22}\mpengine.dll
2013-04-12 16:17:59    --------    d-----w-    C:\CrashDumps
2013-04-10 18:13:19    2347008    ----a-w-    c:\windows\system32\win32k.sys
2013-04-10 18:13:14    3968856    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-04-10 18:13:14    3913560    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-04-10 18:13:12    69632    ----a-w-    c:\windows\system32\smss.exe
2013-04-10 18:13:10    38912    ----a-w-    c:\windows\system32\csrsrv.dll
2013-04-10 18:13:01    3217408    ----a-w-    c:\windows\system32\mstscax.dll
2013-04-10 18:12:59    131584    ----a-w-    c:\windows\system32\aaclient.dll
2013-04-10 18:12:58    36864    ----a-w-    c:\windows\system32\tsgqec.dll
2013-04-10 18:07:32    1212264    ----a-w-    c:\windows\system32\drivers\ntfs.sys
2013-04-04 19:22:34    --------    d---a-w-    C:\Kaspersky Rescue Disk 10.0
2013-04-01 08:19:16    --------    d-----w-    c:\programdata\IDM
2013-03-29 20:26:09    --------    d-----w-    c:\program files\FileASSASSIN
2013-03-28 19:14:40    15872    ----a-w-    c:\windows\system32\drivers\usb8023.sys
2013-03-28 17:59:18    --------    d-----w-    c:\users\admin\appdata\local\Programs
2013-03-28 07:12:13    --------    d-----w-    C:\MOST sheets
2013-03-25 18:28:24    --------    d-sh--w-    c:\users\admin\appdata\roaming\137
2013-03-25 18:28:24    --------    d-sh--w-    c:\program files\0c74
2013-03-25 18:28:24    --------    d-sh--w-    C:\12b
.
==================== Find3M  ====================
.
2013-04-14 19:50:32    861088    ----a-w-    c:\windows\system32\npdeployJava1.dll
2013-04-14 19:50:32    782240    ----a-w-    c:\windows\system32\deployJava1.dll
2013-03-15 07:29:58    73432    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-15 07:29:58    693976    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-03-11 19:40:56    237088    ------w-    c:\windows\system32\MpSigStub.exe
2013-03-06 23:33:24    765736    ----a-w-    c:\windows\system32\drivers\aswSnx.sys
2013-03-06 23:33:24    49248    ----a-w-    c:\windows\system32\drivers\aswRvrt.sys
2013-03-06 23:33:24    164736    ----a-w-    c:\windows\system32\drivers\aswVmm.sys
2013-03-06 23:33:23    66336    ----a-w-    c:\windows\system32\drivers\aswMonFlt.sys
2013-03-06 23:33:23    60656    ----a-w-    c:\windows\system32\drivers\aswRdr2.sys
2013-03-06 23:33:22    21576    ----a-w-    c:\windows\system32\drivers\aswKbd.sys
2013-03-06 23:32:51    41664    ----a-w-    c:\windows\avastSS.scr
2013-02-22 03:46:00    1800704    ----a-w-    c:\windows\system32\jscript9.dll
2013-02-22 03:38:00    1129472    ----a-w-    c:\windows\system32\wininet.dll
2013-02-22 03:37:50    1427968    ----a-w-    c:\windows\system32\inetcpl.cpl
2013-02-22 03:34:17    142848    ----a-w-    c:\windows\system32\ieUnatt.exe
2013-02-22 03:34:03    420864    ----a-w-    c:\windows\system32\vbscript.dll
2013-02-22 03:31:46    2382848    ----a-w-    c:\windows\system32\mshtml.tlb
.
============= FINISH: 18:46:55.86 ===============
 

Thank you for your time and effort! :)

Edited by varunkr, 16 April 2013 - 08:43 PM.
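Added example, not part of the thread and not code from the DDS tool: a small Python triage pass over DDS-style log lines modelled on the log posted above. It flags the three things a responder would pick out here: the Explorer policies that lock the user out of Control Panel and Windows Update (uPolicies-Explorer: NoControlPanel = 1, NoWindowsUpdate = 1), the .js file launched from the Startup folder (52285.js), and the hidden system directories with short hex names (137, 0c74, 12b). The sample lines, the policy list and the script-extension list are constructed for this example.

```python
import re
from dataclasses import dataclass

# Explorer policy values that, when non-zero, lock the user out of recovery
# tools. NoControlPanel and NoWindowsUpdate appear in the posted log; the
# rest are common companions (assumed list, extend as needed).
RESTRICTIVE_POLICIES = {
    "nocontrolpanel", "nowindowsupdate", "norun", "nofolderoptions",
    "noviewcontextmenu", "nofind",
}

# Script types that have no business being launched from a Startup folder or Run key.
SCRIPT_EXT_RE = re.compile(r'[^\s"]+\.(?:js|jse|vbs|vbe|wsf)(?=[\s"]|$)', re.I)

# e.g. "uPolicies-Explorer: NoControlPanel = 1" or "...: NoDriveTypeAutoRun = dword:145"
POLICY_RE = re.compile(r"^[um]Policies-(\w+):\s+(\w+)\s*=\s*(?:dword:)?([0-9a-f]+)\s*$", re.I)

# e.g. "StartupFolder: <path> [- <target>]" or "mRun: [<name>] <command>"
STARTUP_RE = re.compile(r"^(StartupFolder|[um]Run):\s*(.*)$", re.I)

# "Created Last 30" rows: date time size attributes path
ENTRY_RE = re.compile(r"^\d{4}-\d\d-\d\d\s+\d\d:\d\d:\d\d\s+\S+\s+([-a-z]{8})\s+(.+?)\s*$", re.I)

# Directory names made only of a few hex digits (137, 0c74, 12b in the log).
RANDOM_NAME_RE = re.compile(r"^[0-9a-f]{2,8}$", re.I)

# Constructed sample, modelled on the DDS log in the first post.
SAMPLE_LOG = r"""
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoWindowsUpdate = 1
uPolicies-Explorer: NoControlPanel = 1
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
StartupFolder: c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\52285.js
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
2013-03-25 18:28:24    --------    d-sh--w-    c:\users\admin\appdata\roaming\137
2013-03-25 18:28:24    --------    d-sh--w-    c:\program files\0c74
2013-03-25 18:28:24    --------    d-sh--w-    C:\12b
2013-04-13 09:39:41    --------    d-----w-    c:\users\admin\appdata\roaming\Malwarebytes
"""


@dataclass(frozen=True)
class Finding:
    category: str   # "policy", "script_startup" or "hidden_dir"
    detail: str     # the value, file name or path that triggered the finding
    line: str       # the original log line, kept for the analyst


def triage(log_text: str) -> list[Finding]:
    """Scan DDS-style log lines and return the suspicious entries found."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = POLICY_RE.match(line)
        if m:
            _, name, value = m.groups()
            # A restrictive policy with any non-zero value locks the user out.
            if name.lower() in RESTRICTIVE_POLICIES and value.strip("0"):
                findings.append(Finding("policy", f"{name}={value}", line))
            continue

        m = STARTUP_RE.match(line)
        if m:
            script = SCRIPT_EXT_RE.search(m.group(2))
            if script:
                # Report just the script file name, e.g. "52285.js".
                findings.append(Finding("script_startup", script.group(0).rsplit("\\", 1)[-1], line))
            continue

        m = ENTRY_RE.match(line)
        if m:
            attrs, path = m.groups()
            attrs = attrs.lower()
            name = path.rstrip("\\").rsplit("\\", 1)[-1]
            # A directory ('d') that is both system ('s') and hidden ('h') and has a
            # short hex-only name matches the dropper folders seen in the log.
            if attrs[0] == "d" and "s" in attrs and "h" in attrs and RANDOM_NAME_RE.match(name):
                findings.append(Finding("hidden_dir", path, line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category, e.g. {'policy': 2, 'script_startup': 1, 'hidden_dir': 3}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding.category}] {finding.detail}")
```

Real logs carry far more lines than the sample; the same rules apply unchanged, and a hidden system directory is only flagged when its name is also a short hex string, so legitimate hidden system folders are not reported.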


#2 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,971 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:04:10 PM

Posted 20 April 2013 - 03:26 PM

Greetings and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  • When you post your reply, use the Reply to topic button instead.
  • In the upper right hand corner of the topic you will see the Follow topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Please run this program for me.

===================================================

Run Combofix in Vista/7

--------------------

Combofix is a very powerful tool and special attention must be taken to allow it to work properly. Please pay careful attention to the following instructions.

sUBs, the author of Combofix, recommends that you uninstall AVG or CA Internet Security before running the program. If you have either of these programs on your computer please uninstall them using AppRemover which can be downloaded here. We will be sure to reinstall the Antivirus program once we are finished using Combofix.
  • Please download ComboFix from one of these locations:

BleepingComputer
ForoSpyware

  • Save Combofix.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts. It is important you do not mouseclick while the program is running or it may stall.
Note #1: Oftentimes it may appear as if ComboFix has stopped working. To verify it is still running please do one of the following below. If, based on the below, you have concluded ComboFix has stopped running please stop and advise me.
  • Check your computer clock. If it is still running then so is ComboFix
  • Open Task Manager and select the Applications Tab. If the status of AutoScan is Running, then ComboFix is running
  • Open Task Manager and select the Processes Tab. Under Image Name look for files ending in .3xe. If there are fluctuating numbers under CPU and Mem Usage then ComboFix is running
Note #2: If you receive the following error "Illegal operation attempted on a registry key that has been marked for deletion" please just restart your computer to resolve this issue

If Combofix fails to run properly using the above instructions please attempt the following:
  • Right click on the Combofix icon on your desktop and select Delete
  • Download a new copy but rename it to freshcopy.exe first, then save it to your desktop
  • Now download RKill.exe (or RKill renamed as iExplore.exe if the first one doesn't work properly) and save it to your desktop
  • Restart your computer in Safe Mode
  • Right click on RKill (or iExplore) and select Run as Administrator. If you are using Windows XP simply double click the icon
  • A black DOS screen should flash and disappear. If not, try to launch the program with the second file. If neither works please stop and let me know
  • When RKill is finished running you will be presented with a text file and a copy will be saved on your desktop. Copy and paste the contents of this report in your reply
  • Do not reboot your computer
  • Double click the freshcopy.exe icon (renamed Combofix file)
  • When finished, it will produce a log. Please copy and paste the C:\Combofix.txt log information in your next reply
  • If you disabled your antivirus please enable it again. If you uninstalled it please wait for instructions to reinstall it
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Combofix log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 varunkr

varunkr
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:05:40 AM

Posted 21 April 2013 - 08:21 PM

Hi Gary, thanks a lot for replying! My name's Varun.

I followed the steps mentioned and the ComboFix log is as follows:

ComboFix 13-04-21.03 - Admin 04/22/2013   6:18.1.2 - x86
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.2013.913 [GMT 5.5:30]
Running from: c:\users\Admin\Downloads\Programs\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Admin\AppData\Roaming\137
c:\users\Admin\AppData\Roaming\137\056a.js
c:\windows\security\Database\tmp.edb
.
.
(((((((((((((((((((((((((   Files Created from 2013-03-22 to 2013-04-22  )))))))))))))))))))))))))))))))
.
.
2013-04-22 01:01 . 2013-04-22 01:01    60872    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{710588DF-C04A-4628-9BBA-DB637A57F597}\offreg.dll
2013-04-22 01:00 . 2013-04-22 01:03    --------    d-----w-    c:\users\Admin\AppData\Local\temp
2013-04-21 17:35 . 2013-04-10 03:08    6906960    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{710588DF-C04A-4628-9BBA-DB637A57F597}\mpengine.dll
2013-04-14 19:50 . 2013-04-14 19:50    94112    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-04-14 19:50 . 2013-04-14 19:50    --------    d-----w-    c:\program files\Java
2013-04-14 12:06 . 2013-04-13 06:34    46759    ----a-w-    c:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\52285.js
2013-04-13 09:39 . 2013-04-13 09:39    --------    d-----w-    c:\users\Admin\AppData\Roaming\Malwarebytes
2013-04-13 09:39 . 2013-04-13 09:39    --------    d-----w-    c:\programdata\Malwarebytes
2013-04-13 09:39 . 2013-04-13 09:39    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-04-13 09:39 . 2013-04-04 09:20    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-04-13 08:12 . 2013-04-13 08:12    15616    ----a-w-    c:\windows\system32\drivers\TrueSight.sys
2013-04-13 06:19 . 2013-04-21 17:18    --------    d-----w-    c:\users\Admin\AppData\Local\CrashDumps
2013-04-12 16:17 . 2013-04-14 20:13    --------    d-----w-    C:\CrashDumps
2013-04-10 18:13 . 2013-03-01 03:09    2347008    ----a-w-    c:\windows\system32\win32k.sys
2013-04-10 18:13 . 2013-03-19 05:04    3968856    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-04-10 18:13 . 2013-03-19 05:04    3913560    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-04-10 18:13 . 2013-03-19 02:49    69632    ----a-w-    c:\windows\system32\smss.exe
2013-04-10 18:13 . 2013-03-19 04:48    38912    ----a-w-    c:\windows\system32\csrsrv.dll
2013-04-10 18:13 . 2013-02-15 04:37    3217408    ----a-w-    c:\windows\system32\mstscax.dll
2013-04-10 18:12 . 2013-02-15 04:34    131584    ----a-w-    c:\windows\system32\aaclient.dll
2013-04-10 18:12 . 2013-02-15 03:25    36864    ----a-w-    c:\windows\system32\tsgqec.dll
2013-04-10 18:07 . 2013-03-02 05:07    1212264    ----a-w-    c:\windows\system32\drivers\ntfs.sys
2013-04-04 19:22 . 2013-04-12 19:57    --------    d---a-w-    C:\Kaspersky Rescue Disk 10.0
2013-04-01 08:19 . 2013-04-01 08:19    --------    d-----w-    c:\programdata\IDM
2013-03-29 20:26 . 2013-03-29 20:26    --------    d-----w-    c:\program files\FileASSASSIN
2013-03-28 19:14 . 2013-02-12 03:32    15872    ----a-w-    c:\windows\system32\drivers\usb8023.sys
2013-03-28 17:59 . 2013-03-28 17:59    --------    d-----w-    c:\users\Admin\AppData\Local\Programs
2013-03-28 07:12 . 2013-03-28 07:12    --------    d-----w-    C:\MOST sheets
2013-03-25 18:28 . 2013-03-25 18:28    --------    d-----w-    C:\12b
2013-03-25 18:28 . 2013-03-25 18:28    --------    d-sh--w-    c:\program files\0c74
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-14 19:50 . 2012-10-30 22:45    861088    ----a-w-    c:\windows\system32\npdeployJava1.dll
2013-04-14 19:50 . 2011-06-09 01:56    782240    ----a-w-    c:\windows\system32\deployJava1.dll
2013-03-15 07:29 . 2012-07-29 20:31    693976    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-03-15 07:29 . 2012-07-29 20:26    73432    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-11 19:40 . 2010-12-21 12:25    237088    ------w-    c:\windows\system32\MpSigStub.exe
2013-03-06 23:33 . 2013-03-11 16:34    164736    ----a-w-    c:\windows\system32\drivers\aswVmm.sys
2013-03-06 23:33 . 2013-03-11 16:34    49248    ----a-w-    c:\windows\system32\drivers\aswRvrt.sys
2013-03-06 23:33 . 2013-01-26 12:35    368176    ----a-w-    c:\windows\system32\drivers\aswSP.sys
2013-03-06 23:33 . 2013-01-26 12:35    62376    ----a-w-    c:\windows\system32\drivers\aswTdi.sys
2013-03-06 23:33 . 2013-01-26 12:35    765736    ----a-w-    c:\windows\system32\drivers\aswSnx.sys
2013-03-06 23:33 . 2013-01-26 12:35    60656    ----a-w-    c:\windows\system32\drivers\aswRdr2.sys
2013-03-06 23:33 . 2013-01-26 12:34    66336    ----a-w-    c:\windows\system32\drivers\aswMonFlt.sys
2013-03-06 23:33 . 2013-01-26 12:35    29816    ----a-w-    c:\windows\system32\drivers\aswFsBlk.sys
2013-03-06 23:33 . 2013-01-26 12:35    21576    ----a-w-    c:\windows\system32\drivers\aswKbd.sys
2013-03-06 23:32 . 2013-01-26 12:33    41664    ----a-w-    c:\windows\avastSS.scr
2013-03-06 23:32 . 2013-01-26 12:33    228600    ----a-w-    c:\windows\system32\aswBoot.exe
2013-04-11 20:57 . 2013-04-11 20:57    263064    ----a-w-    c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-03-06 23:32    121968    ----a-w-    c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2012-02-08 00:49    22376    ----a-w-    c:\program files\Internet Download Manager\IDMShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"056a"="c:\users\Admin\AppData\Roaming\137\056a.js" [X]
"Facebook Update"="c:\users\Admin\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-31 138096]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2013-04-14 802136]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2013-04-03 3573624]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-07 149040]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\LVOSDSVC.exe" [2010-11-29 64952]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2010-11-04 894312]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-06-25 1537320]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-10-15 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-10-15 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-10-15 170520]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-05 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-21 406992]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-03-06 4767304]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-07 161328]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
52285.js [2013-4-13 46759]
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDockFree\ObjectDock.exe [2010-10-7 3768176]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2010-8-5 804128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{1984D045-52CF-49cd-DB77-08F378FEA4DB}"= "c:\program files\Stardock\ObjectDockFree\ODMenu.dll" [2010-10-04 511344]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"="1"
"AntiVirusOverride"="1"
.
R3 aswVmm;aswVmm; [x]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [x]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys [x]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [x]
R3 PCDSRVC{3037D694-FD904ACA-06020000}_0;PCDSRVC{3037D694-FD904ACA-06020000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor\pcdsrvc.pkms [x]
R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [x]
R3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 aswKbd;aswKbd; [x]
S0 aswRvrt;aswRvrt; [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 IDMWFP;IDMWFP;c:\windows\system32\DRIVERS\idmwfp.sys [x]
S2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;c:\program files\LENOVO\VIRTSCRL\lvvsst.exe [x]
S2 LFKAS;Service of LFKA;c:\program files\Lenovo\ATK Hotkey\LFKAS.exe [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [x]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 MTsensor32;PU ACPI UTILITY;c:\windows\system32\DRIVERS\PuAcpi32.sys [x]
S3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETwNs32.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [x]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [x]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-22 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-29 07:30]
.
2013-04-21 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4109104723-3677082929-1988237929-1000Core.job
- c:\users\Admin\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-07-31 18:22]
.
2013-04-22 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4109104723-3677082929-1988237929-1000UA.job
- c:\users\Admin\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-07-31 18:22]
.
2013-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-06-10 09:47]
.
2013-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-06-10 09:47]
.
2013-04-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4109104723-3677082929-1988237929-1000Core.job
- c:\users\Admin\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-16 18:30]
.
2013-04-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4109104723-3677082929-1988237929-1000UA.job
- c:\users\Admin\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-16 18:30]
.
2010-12-22 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PC-Doctor\uaclauncher.exe [2010-09-08 21:08]
.
2013-04-21 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\PC-Doctor\pcdrcui.exe [2010-09-08 21:08]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.manipal.net;172.16.19.80;elearning;<local>
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 10.49.0.45 10.49.0.46
TCP: Interfaces\{46A1CB8F-6B49-4078-A190-3C7F5E63069E}: NameServer = 218.248.255.197,218.248.255.169
FF - ProfilePath - c:\users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1ope3850.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3072253&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - about:home
FF - ExtSQL: 2013-04-03 21:50; mozilla_cc@internetdownloadmanager.com; c:\users\Admin\AppData\Roaming\IDM\idmmzcc5
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{687578b9-7132-4a7a-80e4-30ee31099e03} - (no file)
HKCU-Run-AdobeBridge - (no file)
HKLM-Run-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{3037D694-FD904ACA-06020000}_0]
"ImagePath"="\??\c:\program files\pc-doctor\pcdsrvc.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-4109104723-3677082929-1988237929-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*f*l*¾úÄIC\*€Š*]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-4109104723-3677082929-1988237929-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*f*l*¾úÄIC\*€Š*\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-4109104723-3677082929-1988237929-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*i*n*i*TÑ¡&\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-4109104723-3677082929-1988237929-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*m*p*3*+•qD\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-4109104723-3677082929-1988237929-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*m*p*3*ò¤,\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-4109104723-3677082929-1988237929-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.*f*l*¾úÄIC\*€Š*]
@Allowed: (Read) (RestrictedCode)
"0"=hex:45,3a,5c,4e,65,77,20,66,6f,6c,64,65,72,5c,50,6f,72,6e,5c,4f,6c,69,76,
   69,61,20,64,65,6c,20,52,69,6f,20,6f,66,66,69,63,65,20,2d,20,58,4e,58,58,2e,\
"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff
.
[HKEY_USERS\S-1-5-21-4109104723-3677082929-1988237929-1000_Classes\CLSID\{2727e0e7-bedb-4edb-bff0-b0bd5685bff9}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:00000100
"Therad"=dword:0000001e
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
   1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
[HKEY_USERS\S-1-5-21-4109104723-3677082929-1988237929-1000_Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):af,a7,0d,79,31,4d,7d,bd,32,83,97,d6,5e,7f,cb,e4,cd,e9,fe,3c,98,
   9e,28,98,b8,78,ad,c9,98,55,b7,9e,97,8d,c6,07,ff,73,0c,ba,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2324)
c:\program files\Stardock\ObjectDockFree\ODMenu.dll
c:\program files\ThinkPad\Bluetooth Software\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Lenovo\ATK Hotkey\ASLDRSrv.exe
c:\windows\system32\WLANExt.exe
c:\windows\system32\conhost.exe
c:\program files\Lenovo\ATK Hotkey\GFNEXSrv.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files\ThinkPad\Bluetooth Software\btwdins.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\system32\taskhost.exe
c:\program files\Lenovo\ATK Hotkey\LCONTROL.exe
c:\program files\Lenovo\ATK Hotkey\LFKA.exe
c:\progra~1\LENOVO\VIRTSCRL\virtscrl.exe
c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\conhost.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2013-04-22  06:39:36 - machine was rebooted
ComboFix-quarantined-files.txt  2013-04-22 01:09
.
Pre-Run: 9,094,594,560 bytes free
Post-Run: 13,550,034,944 bytes free
.
- - End Of File - - F2309978620C8CC418133DE537BC95DC
 

 



#4 Oh My!

Malware Response Instructor

Posted 22 April 2013 - 08:00 AM

Greetings Varun,

Nice to meet you. I am glad we have finally gotten together.

Can you tell me if this entry is familiar to you?

uProxyOverride = *.manipal.net;172.16.19.80;elearning;<local>

----------

I would like to caution you about one issue and then run a follow up Combofix script to delete some entries and dig a little deeper into others. Please do this.

===================================================

P2P Warning

--------------------

Going over your logs I noticed that you have µTorrent installed. It is pretty much certain that if you continue to use P2P programs, you will get infected again.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
I would recommend that you uninstall µTorrent, however that choice is up to you. If you choose to remove the program, you can do so via Start > Control Panel > Add/Remove Programs.

If you are still leaning toward using this program, please take a look at this information about Ransomware which can be delivered via P2P file transfers. The newest variation of Ransomware can make it impossible to recover the files this malicious software encrypts. In other words, you will probably lose most if not all of your valuable information, including pictures. In addition, it has recently been reported that P2P downloads may be tracked, resulting in your IP address being monitored by copyright authorities.

If you wish to keep it, please do not use it until we are completely done and your machine is determined to be clean and updated.


===================================================

Running Combofix Script

-------------------
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open Notepad and copy/paste the text below into the Notepad document
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"056a"=-
File::
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\52285.js
RegLock::
[HKEY_USERS\S-1-5-21-4109104723-3677082929-1988237929-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*f*l*¾úÄIC\**]
[HKEY_USERS\S-1-5-21-4109104723-3677082929-1988237929-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*i*n*i*TÑ¡&]
[HKEY_USERS\S-1-5-21-4109104723-3677082929-1988237929-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*m*p*3*+qD]
[HKEY_USERS\S-1-5-21-4109104723-3677082929-1988237929-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*m*p*3*ò¤,]
[HKEY_USERS\S-1-5-21-4109104723-3677082929-1988237929-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.*f*l*¾úÄIC\**]
[HKEY_USERS\S-1-5-21-4109104723-3677082929-1988237929-1000_Classes\CLSID\{2727e0e7-bedb-4edb-bff0-b0bd5685bff9}]
[HKEY_USERS\S-1-5-21-4109104723-3677082929-1988237929-1000_Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
DirLook::
c:\users\admin\appdata\roaming\137
c:\program files\0c74
C:\12b
  • Save this on your desktop as CFScript.txt

[Image: CFScriptB-4.gif]

  • Referring to the picture above, drag CFScript.txt into ComboFix.exe
  • When finished, it will create a log for you at C:\ComboFix.txt. Please copy/paste the information in your next reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Combofix log
  • How is your computer running?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

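The entries Gary's CFScript targets (the orphaned "056a" Run value, the 52285.js startup item, the hidden hex-named folders) share a few traits a defender can pull out of a ComboFix-style log automatically. The script below is an added example, not ComboFix's code or anything posted in the thread; the log excerpt it scans is constructed from the entries above, and the hex-name rule and the reading of ComboFix's attribute column ('s' = system, 'h' = hidden) are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the "Files Created" and "Reg Loading Points"
# sections of the ComboFix log posted above (an excerpt, not the full log).
SAMPLE_LOG = r"""
2013-03-25 18:28 . 2013-03-25 18:28    --------    d-----w-    C:\12b
2013-03-25 18:28 . 2013-03-25 18:28    --------    d-sh--w-    c:\program files\0c74
2013-03-29 20:26 . 2013-03-29 20:26    --------    d-----w-    c:\program files\FileASSASSIN
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"056a"="c:\users\Admin\AppData\Roaming\137\056a.js" [X]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2013-04-14 802136]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2013-04-03 3573624]
.
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
52285.js [2013-4-13 46759]
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDockFree\ObjectDock.exe [2010-10-7 3768176]
.
"""

TS = r"\d{4}-\d\d-\d\d \d\d:\d\d"
# "Files Created" line: created . modified  size  attrs  path
CREATED_RE = re.compile(rf"^{TS} \. {TS}\s+\S+\s+(?P<attrs>\S{{8}})\s+(?P<path>.+?)\s*$")
# Run value: "name"="path" [date size]  or  [X] when the target file is gone
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[(?P<tag>[^\]]*)\]\s*$')
# Startup-folder item: file [date size]  or  shortcut.lnk - target [date size]
STARTUP_ITEM_RE = re.compile(r"^(?P<name>[^\[]+?)(?:\s+-\s+(?P<target>.+?))?\s+\[(?P<tag>[^\]]*)\]\s*$")

SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")
# Heuristic (assumption): this infection used 2-5 character hex-looking names (056a, 0c74, 12b, 137).
HEXNAME_RE = re.compile(r"^[0-9a-f]{2,5}$", re.IGNORECASE)


def reasons_for(path: str, tag: str = "", attrs: str = "") -> List[str]:
    """Return the indicators that apply to one autorun or created-file entry."""
    reasons = []
    base = path.rsplit("\\", 1)[-1]
    stem = base.rsplit(".", 1)[0]
    if base.lower().endswith(SCRIPT_EXT):
        reasons.append("script file used as an autorun")
    if tag == "X":
        reasons.append("autorun target is missing (orphaned Run value)")
    if any(HEXNAME_RE.match(part) for part in path.split("\\") + [stem]):
        reasons.append("hex-like random name in path")
    # Assumed attribute layout: 3rd char 's' = system, 4th char 'h' = hidden (e.g. d-sh--w-)
    if len(attrs) == 8 and attrs[2] == "s" and attrs[3] == "h":
        reasons.append("hidden+system directory")
    return reasons


def _add(findings: List[Dict[str, object]], kind: str, name: str, path: str, reasons: List[str]) -> None:
    if reasons:
        findings.append({"kind": kind, "name": name, "path": path, "reasons": reasons})


def triage(log_text: str) -> List[Dict[str, object]]:
    """Walk a ComboFix-style log and return every entry with at least one indicator."""
    findings: List[Dict[str, object]] = []
    startup_dir = None  # set while reading the items listed under a Startup folder path
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == "." or line.startswith("["):
            startup_dir = None  # section break or registry key header ends a startup block
            continue
        if line.lower().endswith("\\startup\\"):
            startup_dir = line
            continue
        m = CREATED_RE.match(line)
        if m:
            path = m["path"]
            _add(findings, "created", path.rsplit("\\", 1)[-1], path, reasons_for(path, attrs=m["attrs"]))
            continue
        m = RUN_RE.match(line)
        if m:
            _add(findings, "run", m["name"], m["path"], reasons_for(m["path"], tag=m["tag"]))
            continue
        if startup_dir:
            m = STARTUP_ITEM_RE.match(line)
            if m:
                path = m["target"] or startup_dir + m["name"]
                _add(findings, "startup", m["name"], path, reasons_for(path, tag=m["tag"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['name']}: {f['path']}")
        for r in f["reasons"]:
            print("    -", r)
```

Against the constructed excerpt it flags exactly the four entries the CFScript removes or inspects (056a, 52285.js, 0c74, 12b) and leaves uTorrent, IDMan, ObjectDock and FileASSASSIN alone; the same functions can be run over a full ComboFix.txt.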
#5 varunkr

Topic Starter

Posted 22 April 2013 - 09:54 AM

Thanks a lot Gary for your time and effort. I truly appreciate it. :)

 

Regarding the entry you were asking me about (uProxyOverride = *.manipal.net;172.16.19.80;elearning;<local>), our university provides internet access inside the campus for students and (I think) they use a proxy. 172.16.19.80 is the address for the university intranet portal, so it is a very trusted address.

 

Also, as you mentioned, I do have utorrent installed. But I use it sparingly. I usually don't use it for more than two or three downloads a month. Even when I do, I make sure only to select the video/setup file that I require and deselect any other file that is added with it. Also, I check the feedback from other users and download torrents from trusted uploaders only before starting a download to make sure it is infection free. If you believe it is still risky for me to use it, I will uninstall the program.

 

I ran the script you asked me to run on ComboFix. After rebooting, I can open Control Panel without explorer.exe crashing anymore. I think the malicious files have been deleted.

 

The log that was developed is as follows:

 

ComboFix 13-04-21.03 - Admin 04/22/2013  19:10:55.2.2 - x86
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.2013.1072 [GMT 5.5:30]
Running from: c:\users\Admin\Downloads\Programs\ComboFix.exe
Command switches used :: c:\users\Admin\Downloads\Programs\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\52285.js"
.
.
(((((((((((((((((((((((((   Files Created from 2013-03-22 to 2013-04-22  )))))))))))))))))))))))))))))))
.
.
2013-04-22 13:52 . 2013-04-22 13:52    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-04-22 01:01 . 2013-04-22 01:01    60872    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{710588DF-C04A-4628-9BBA-DB637A57F597}\offreg.dll
2013-04-22 01:00 . 2013-04-22 13:54    --------    d-----w-    c:\users\Admin\AppData\Local\temp
2013-04-21 17:35 . 2013-04-10 03:08    6906960    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{710588DF-C04A-4628-9BBA-DB637A57F597}\mpengine.dll
2013-04-14 19:50 . 2013-04-14 19:50    94112    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-04-14 19:50 . 2013-04-14 19:50    --------    d-----w-    c:\program files\Java
2013-04-14 12:06 . 2013-04-13 06:34    46759    ----a-w-    c:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\52285.js
2013-04-13 09:39 . 2013-04-13 09:39    --------    d-----w-    c:\users\Admin\AppData\Roaming\Malwarebytes
2013-04-13 09:39 . 2013-04-13 09:39    --------    d-----w-    c:\programdata\Malwarebytes
2013-04-13 09:39 . 2013-04-13 09:39    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-04-13 09:39 . 2013-04-04 09:20    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-04-13 08:12 . 2013-04-13 08:12    15616    ----a-w-    c:\windows\system32\drivers\TrueSight.sys
2013-04-13 06:19 . 2013-04-21 17:18    --------    d-----w-    c:\users\Admin\AppData\Local\CrashDumps
2013-04-12 16:17 . 2013-04-14 20:13    --------    d-----w-    C:\CrashDumps
2013-04-10 18:13 . 2013-03-01 03:09    2347008    ----a-w-    c:\windows\system32\win32k.sys
2013-04-10 18:13 . 2013-03-19 05:04    3968856    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-04-10 18:13 . 2013-03-19 05:04    3913560    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-04-10 18:13 . 2013-03-19 02:49    69632    ----a-w-    c:\windows\system32\smss.exe
2013-04-10 18:13 . 2013-03-19 04:48    38912    ----a-w-    c:\windows\system32\csrsrv.dll
2013-04-10 18:13 . 2013-02-15 04:37    3217408    ----a-w-    c:\windows\system32\mstscax.dll
2013-04-10 18:12 . 2013-02-15 04:34    131584    ----a-w-    c:\windows\system32\aaclient.dll
2013-04-10 18:12 . 2013-02-15 03:25    36864    ----a-w-    c:\windows\system32\tsgqec.dll
2013-04-10 18:07 . 2013-03-02 05:07    1212264    ----a-w-    c:\windows\system32\drivers\ntfs.sys
2013-04-04 19:22 . 2013-04-12 19:57    --------    d---a-w-    C:\Kaspersky Rescue Disk 10.0
2013-04-01 08:19 . 2013-04-01 08:19    --------    d-----w-    c:\programdata\IDM
2013-03-29 20:26 . 2013-03-29 20:26    --------    d-----w-    c:\program files\FileASSASSIN
2013-03-28 19:14 . 2013-02-12 03:32    15872    ----a-w-    c:\windows\system32\drivers\usb8023.sys
2013-03-28 17:59 . 2013-03-28 17:59    --------    d-----w-    c:\users\Admin\AppData\Local\Programs
2013-03-28 07:12 . 2013-03-28 07:12    --------    d-----w-    C:\MOST sheets
2013-03-25 18:28 . 2013-03-25 18:28    --------    d-----w-    C:\12b
2013-03-25 18:28 . 2013-03-25 18:28    --------    d-sh--w-    c:\program files\0c74
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-14 19:50 . 2012-10-30 22:45    861088    ----a-w-    c:\windows\system32\npdeployJava1.dll
2013-04-14 19:50 . 2011-06-09 01:56    782240    ----a-w-    c:\windows\system32\deployJava1.dll
2013-03-15 07:29 . 2012-07-29 20:31    693976    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-03-15 07:29 . 2012-07-29 20:26    73432    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-11 19:40 . 2010-12-21 12:25    237088    ------w-    c:\windows\system32\MpSigStub.exe
2013-03-06 23:33 . 2013-03-11 16:34    164736    ----a-w-    c:\windows\system32\drivers\aswVmm.sys
2013-03-06 23:33 . 2013-03-11 16:34    49248    ----a-w-    c:\windows\system32\drivers\aswRvrt.sys
2013-03-06 23:33 . 2013-01-26 12:35    368176    ----a-w-    c:\windows\system32\drivers\aswSP.sys
2013-03-06 23:33 . 2013-01-26 12:35    62376    ----a-w-    c:\windows\system32\drivers\aswTdi.sys
2013-03-06 23:33 . 2013-01-26 12:35    765736    ----a-w-    c:\windows\system32\drivers\aswSnx.sys
2013-03-06 23:33 . 2013-01-26 12:35    60656    ----a-w-    c:\windows\system32\drivers\aswRdr2.sys
2013-03-06 23:33 . 2013-01-26 12:34    66336    ----a-w-    c:\windows\system32\drivers\aswMonFlt.sys
2013-03-06 23:33 . 2013-01-26 12:35    29816    ----a-w-    c:\windows\system32\drivers\aswFsBlk.sys
2013-03-06 23:33 . 2013-01-26 12:35    21576    ----a-w-    c:\windows\system32\drivers\aswKbd.sys
2013-03-06 23:32 . 2013-01-26 12:33    41664    ----a-w-    c:\windows\avastSS.scr
2013-03-06 23:32 . 2013-01-26 12:33    228600    ----a-w-    c:\windows\system32\aswBoot.exe
2013-04-11 20:57 . 2013-04-11 20:57    263064    ----a-w-    c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((((((((((   Look   )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\12b ----
.
2013-03-25 18:28 . 2013-04-13 06:34    10    ----a-w-    c:\12b\0fa
2013-03-25 18:28 . 2013-03-25 18:28    10    ----a-w-    c:\12b\046
2013-03-25 18:28 . 2013-03-25 18:28    1    ----a-w-    c:\12b\1b
2013-03-25 18:28 . 2013-03-25 18:28    6    ----a-w-    c:\12b\1f1f
2013-03-25 18:28 . 2013-03-25 18:28    12    ----a-w-    c:\12b\04700
.
---- Directory of c:\program files\0c74 ----
.
2013-03-25 18:28 . 2013-03-28 13:40    46759    ----a-w-    c:\program files\0c74\0d7.js
.
---- Directory of c:\users\admin\appdata\roaming\137 ----
.
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-03-06 23:32    121968    ----a-w-    c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2012-02-08 00:49    22376    ----a-w-    c:\program files\Internet Download Manager\IDMShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\users\Admin\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-31 138096]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2013-04-14 802136]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2013-04-03 3573624]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-07 149040]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\LVOSDSVC.exe" [2010-11-29 64952]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2010-11-04 894312]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-06-25 1537320]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-10-15 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-10-15 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-10-15 170520]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-05 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-21 406992]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-03-06 4767304]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-07 161328]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
52285.js [2013-4-13 46759]
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDockFree\ObjectDock.exe [2010-10-7 3768176]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2010-8-5 804128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{1984D045-52CF-49cd-DB77-08F378FEA4DB}"= "c:\program files\Stardock\ObjectDockFree\ODMenu.dll" [2010-10-04 511344]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"="1"
"AntiVirusOverride"="1"
.
R3 aswVmm;aswVmm; [x]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [x]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys [x]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [x]
R3 PCDSRVC{3037D694-FD904ACA-06020000}_0;PCDSRVC{3037D694-FD904ACA-06020000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor\pcdsrvc.pkms [x]
R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [x]
R3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 aswKbd;aswKbd; [x]
S0 aswRvrt;aswRvrt; [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 IDMWFP;IDMWFP;c:\windows\system32\DRIVERS\idmwfp.sys [x]
S2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;c:\program files\LENOVO\VIRTSCRL\lvvsst.exe [x]
S2 LFKAS;Service of LFKA;c:\program files\Lenovo\ATK Hotkey\LFKAS.exe [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [x]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 MTsensor32;PU ACPI UTILITY;c:\windows\system32\DRIVERS\PuAcpi32.sys [x]
S3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETwNs32.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [x]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [x]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-22 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-29 07:30]
.
2013-04-21 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4109104723-3677082929-1988237929-1000Core.job
- c:\users\Admin\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-07-31 18:22]
.
2013-04-22 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4109104723-3677082929-1988237929-1000UA.job
- c:\users\Admin\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-07-31 18:22]
.
2013-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-06-10 09:47]
.
2013-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-06-10 09:47]
.
2013-04-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4109104723-3677082929-1988237929-1000Core.job
- c:\users\Admin\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-16 18:30]
.
2013-04-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4109104723-3677082929-1988237929-1000UA.job
- c:\users\Admin\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-16 18:30]
.
2010-12-22 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PC-Doctor\uaclauncher.exe [2010-09-08 21:08]
.
2013-04-22 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\PC-Doctor\pcdrcui.exe [2010-09-08 21:08]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.manipal.net;172.16.19.80;elearning;<local>
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 10.49.0.45 10.49.0.46
TCP: Interfaces\{46A1CB8F-6B49-4078-A190-3C7F5E63069E}: NameServer = 218.248.255.197,218.248.255.169
FF - ProfilePath - c:\users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1ope3850.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3072253&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - about:home
FF - ExtSQL: 2013-04-03 21:50; mozilla_cc@internetdownloadmanager.com; c:\users\Admin\AppData\Roaming\IDM\idmmzcc5
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{3037D694-FD904ACA-06020000}_0]
"ImagePath"="\??\c:\program files\pc-doctor\pcdsrvc.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-4109104723-3677082929-1988237929-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*f*l*¾úÄIC\*€Š*]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-4109104723-3677082929-1988237929-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*f*l*¾úÄIC\*€Š*\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-4109104723-3677082929-1988237929-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*i*n*i*TÑ¡&\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-4109104723-3677082929-1988237929-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*m*p*3*+•qD\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-4109104723-3677082929-1988237929-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*m*p*3*ò¤,\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-4109104723-3677082929-1988237929-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.*f*l*¾úÄIC\*€Š*]
@Allowed: (Read) (RestrictedCode)
"0"=hex:45,3a,5c,4e,65,77,20,66,6f,6c,64,65,72,5c,50,6f,72,6e,5c,4f,6c,69,76,
   69,61,20,64,65,6c,20,52,69,6f,20,6f,66,66,69,63,65,20,2d,20,58,4e,58,58,2e,\
"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2816)
c:\program files\Stardock\ObjectDockFree\ODMenu.dll
c:\program files\ThinkPad\Bluetooth Software\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Lenovo\ATK Hotkey\ASLDRSrv.exe
c:\windows\system32\WLANExt.exe
c:\windows\system32\conhost.exe
c:\program files\Lenovo\ATK Hotkey\GFNEXSrv.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\system32\taskhost.exe
c:\program files\Lenovo\ATK Hotkey\LCONTROL.exe
c:\program files\Lenovo\ATK Hotkey\LFKA.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files\ThinkPad\Bluetooth Software\btwdins.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\progra~1\LENOVO\VIRTSCRL\virtscrl.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\conhost.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2013-04-22  19:30:25 - machine was rebooted
ComboFix-quarantined-files.txt  2013-04-22 14:00
ComboFix2.txt  2013-04-22 01:09
.
Pre-Run: 12,888,948,736 bytes free
Post-Run: 12,823,855,104 bytes free
.
- - End Of File - - 1A4981D79DDDFFB7941E12C3F3DD8132


#6 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,971 posts
  • Gender:Male
  • Location:California

Posted 22 April 2013 - 01:27 PM

Hi Varun,

I can open Control Panel without explorer.exe crashing anymore

:)

I thought the proxy was legitimate (after looking into it) but I just needed to be certain.

Peer to Peer is up to you but care must be taken and it sounds like you are well aware of the risks.

Let's do a little more poking around and cleaning out.

===================================================

SystemLook by jpshortstuff

--------------------
  • Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2
Download Mirror #3 For 64-bit users

  • Double-click SystemLook.exe to run it.
  • Vista\Windows 7 users: Right-click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following codebox into the main textfield:
:dir
c:\12b /s
:filefind
*52285*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

===================================================

AdwCleaner by Xplode - Delete Adware

-------------------
  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers
  • Double click on AdwCleaner.exe, select OK, then Run
  • Click on Delete
  • Confirm each time with OK
  • Your computer will be rebooted automatically. A text file will open after the restart
  • Copy and paste the contents in your reply
  • You can find the logfile at C:\AdwCleaner[S1].txt
===================================================

Junkware Removal Tool by thisisu

-------------------
  • Please download Junkware Removal Tool and save it to your desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Right-mouse click JRT.exe and select Run as administrator (Windows XP double click the icon)
  • Please allow the program time to run
  • Once completed a Notepad document will open on your desktop
  • Copy and paste the contents in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • SystemLook log
  • AdwCleaner log
  • Junkware log

Gary
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#7 varunkr

varunkr
  • Topic Starter

  • Members
  • 39 posts

Posted 22 April 2013 - 04:35 PM

Hi Gary, I've completed the scans that you mentioned.

The SystemLook Log is as follows:

SystemLook 30.07.11 by jpshortstuff
Log created at 02:40 on 23/04/2013 by Admin
Administrator - Elevation successful

========== dir ==========

c:\12b - Parameters: "/s"

---Files---
046    --a---- 10 bytes    [18:28 25/03/2013]    [18:28 25/03/2013]
04700    --a---- 12 bytes    [18:28 25/03/2013]    [18:28 25/03/2013]
0fa    --a---- 10 bytes    [18:28 25/03/2013]    [06:34 13/04/2013]
1b    --a---- 1 bytes    [18:28 25/03/2013]    [18:28 25/03/2013]
1f1f    --a---- 6 bytes    [18:28 25/03/2013]    [18:28 25/03/2013]

No folders found.

========== filefind ==========

Searching for "*52285*"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\52285.js    --a---- 46759 bytes    [12:06 14/04/2013]    [06:34 13/04/2013] CD26E2F9E9985A1E2F49E559CFC46E76
C:\Windows\winsxs\Manifests\x86_4828981bcc0e5522857536ceedd9d5a2_31bf3856ad364e35_6.1.7600.20907_none_96dd00f59ba96de0.manifest    ------- 698 bytes    [17:19 28/05/2011]    [17:19 28/05/2011] F44CDAF711B42D1ABFAE3DD6209347F9

-= EOF =-

The AdwCleaner Log:

# AdwCleaner v2.201 - Logfile created 04/23/2013 at 02:50:28
# Updated 21/04/2013 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (32 bits)
# User : Admin - ADMIN-PC
# Boot Mode : Normal
# Running from : C:\Users\Admin\Downloads\Programs\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Users\Admin\AppData\Local\Conduit
Folder Deleted : C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacgpkgadgmibnhpdidcnfafllnmeomc
Folder Deleted : C:\Users\Admin\AppData\Local\PackageAware
Folder Deleted : C:\Users\Admin\AppData\LocalLow\Conduit

***** [Registry] *****

Key Deleted : HKCU\Software\1ClickDownload
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKCU\Software\Google\Chrome\Extensions\pacgpkgadgmibnhpdidcnfafllnmeomc
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3072253
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\pacgpkgadgmibnhpdidcnfafllnmeomc

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16476

[OK] Registry is clean.

-\\ Mozilla Firefox v20.0.1 (en-US)

File : C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1ope3850.default\prefs.js

Deleted : user_pref("browser.search.defaultthis.engineName", "uTorrentControl2 Customized Web Search");
Deleted : user_pref("browser.search.defaulturl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3072253&Sea[...]

-\\ Google Chrome v26.0.1410.64

File : C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Deleted [l.8] : homepage = "hxxp://search.conduit.com/?ctid=CT3072253&SearchSource=48",
Deleted [l.12] : urls_to_restore_on_startup = [ "hxxp://search.conduit.com/?ctid=CT3072253&SearchSource=48"[...]
Deleted [l.36] : icon_url = "hxxp://search.conduit.com/fav.ico",
Deleted [l.39] : keyword = "search.conduit.com",
Deleted [l.42] : search_url = "hxxp://search.conduit.com/Results.aspx?q={searchTerms}&SearchSource=49&ctid=CT3[...]
Deleted [l.43] : suggest_url = "hxxp://search.conduit.com/"
Deleted [l.151] : homepage = "hxxp://search.conduit.com/?ctid=CT3072253&SearchSource=48",
Deleted [l.291] : urls_to_restore_on_startup = [ "hxxp://search.conduit.com/?ctid=CT3072253&SearchSource=48" ]

*************************

AdwCleaner[R1].txt - [2659 octets] - [23/04/2013 02:47:48]
AdwCleaner[S1].txt - [2636 octets] - [23/04/2013 02:50:28]

########## EOF - C:\AdwCleaner[S1].txt - [2696 octets] ##########


Junkware Removal Tool Log:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.8.8 (04.21.2013:2)
OS: Windows 7 Professional x86
Ran by Admin on Tue 04/23/2013 at  2:57:58.39
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ FireFox

Emptied folder: C:\Users\Admin\AppData\Roaming\mozilla\firefox\profiles\1ope3850.default\minidumps [135 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 04/23/2013 at  3:00:03.78
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


#8 varunkr

varunkr
  • Topic Starter

  • Members
  • 39 posts

Posted 22 April 2013 - 05:01 PM

Also, my antivirus program ran a scheduled check and showed quite a number of threats (all new) in the results. I'm posting a link to the screenshot of the result window. Should I be worried, or is it just some conflict between the antivirus and the new programs that you've asked me to install?

http://img547.imageshack.us/img547/1107/antivirusg.jpg

And one more thing, which I probably should have mentioned earlier, is that I have a 500 GB external hard disk drive which is also infected with the same malware and a few others too. I've stopped connecting it to my computer since you've started helping me.

One virus on the external HDD makes all folders disappear, leaving behind a shortcut to a .exe file with the same name. Even after allowing hidden files to be seen, the folders are not shown. The folders are still there, only that I have to type the folder path in the address bar of Windows Explorer.

But, and I don't know how, the folders do appear when unhiding hidden folders on certain people's computers. Could you advise me about what I should do about it?
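
The symptom described in this post, real folders vanishing and same-named shortcuts to an .exe appearing in their place, is a common removable-drive worm pattern: the original folders are given both the Hidden and System attributes. Explorer hides items carrying both attributes under a separate option ("Hide protected operating system files"), so switching on "show hidden files" alone does not bring them back, while typing the path still works; on a computer where that second option is off, the folders show up, which matches what was seen on other people's machines. The PowerShell function below is an added example, not code from this thread or from any tool named in it. It inspects a drive read-only and reports every root-level .lnk, what it points to, and whether a hidden+system folder of the same name sits beside it. The function name Find-ShortcutHijack and the drive letter in the usage line are my own placeholders; it assumes PowerShell 2.0 or later as shipped with Windows 7.

```powershell
# Read-only check for the "folders replaced by shortcuts" pattern on a removable drive.
# Added example, not from the thread or from any tool it names. Assumes PowerShell 2.0+.
# It reports; it does not delete shortcuts, change attributes, or run anything on the drive.

function Find-ShortcutHijack {
    param([Parameter(Mandatory = $true)][string]$Drive)   # e.g. 'E:\' (placeholder)

    $shell = New-Object -ComObject WScript.Shell
    $hiddenSystem = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System

    # -Force lists items with the Hidden/System attributes that Explorer keeps out of
    # view unless "Hide protected operating system files" is also switched off.
    $entries = Get-ChildItem -LiteralPath $Drive -Force -ErrorAction Stop

    # Index the folders by lower-cased name so each shortcut can look up its "twin".
    $folders = @{}
    foreach ($dir in ($entries | Where-Object { $_.PSIsContainer })) {
        $folders[$dir.Name.ToLowerInvariant()] = $dir
    }

    foreach ($lnk in ($entries | Where-Object { -not $_.PSIsContainer -and $_.Extension -eq '.lnk' })) {
        $base = [IO.Path]::GetFileNameWithoutExtension($lnk.Name).ToLowerInvariant()
        $twin = $folders[$base]
        $twinPath = $null
        $twinHidden = $false
        if ($twin -ne $null) {
            $twinPath = $twin.FullName
            $twinHidden = (($twin.Attributes -band $hiddenSystem) -eq $hiddenSystem)
        }
        $sc = $shell.CreateShortcut($lnk.FullName)
        # A shortcut named after a folder that launches an executable instead of opening
        # that folder, beside a hidden+system twin folder, is the pattern to hand to a helper.
        $suspect = $twinHidden -and ($sc.TargetPath -match '\.(exe|scr|com|bat|cmd|vbs|js)$')
        New-Object PSObject -Property @{
            Shortcut     = $lnk.FullName
            Target       = $sc.TargetPath
            Arguments    = $sc.Arguments
            TwinFolder   = $twinPath
            TwinIsHidden = $twinHidden
            Suspect      = $suspect
        }
    }
}

# Usage (drive letter is a placeholder for the external disk):
# Find-ShortcutHijack -Drive 'E:\' | Format-Table Shortcut, Target, TwinIsHidden, Suspect -AutoSize
```

Connect the drive only once the helper has cleared the main computer, as the next reply asks; the output is a list to post, not an instruction to delete anything. A folder reported with TwinIsHidden can be made visible again with `attrib -s -h` on that folder, but leave each shortcut and the executable it points to for the helper to quarantine, since the .exe is what re-hides the folders on the next machine the drive is plugged into.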

 



#9 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,971 posts
  • Gender:Male
  • Location:California

Posted 22 April 2013 - 06:35 PM

Hi Varun,

Thanks for taking the steps. We will be running some additional scans so we won't worry about the results for now. Leave the external drive detached and we can address it once we are done with this computer.

Please do this.

===================================================

Running Combofix Script

-------------------
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open Notepad and copy/paste the text below into the Notepad document
Folder::
c:\12b
File::
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\52285.js
ClearJavaCache::
  • Save this on your desktop as CFScript.txt

CFScriptB-4.gif

  • Referring to the picture above, drag CFScript.txt into ComboFix.exe
  • When finished, it will create a log for you at C:\ComboFix.txt. Please copy/paste the information in your next reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Combofix log
  • How is your computer running?

Gary
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

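The SystemLook commands in post #6 (`:dir c:\12b /s`, `:filefind *52285*`) and the ComboFix script above locate and then remove the c:\12b folder and the 52285.js entry in the user's Startup folder. The PowerShell script below is an added example, not code from this thread or from SystemLook, ComboFix or any other tool named here; it covers the read-only part of that triage on your own machine: listing everything the per-user and all-users Startup folders will launch at logon, flagging script files, resolving shortcut targets, printing MD5 (the column SystemLook shows, so a hash can be matched against a scanner log) and SHA-256, and reading the two Security Center override values ComboFix listed. The function names are my own; it assumes PowerShell 2.0 or later as shipped with Windows 7 and the Vista-style Startup folder locations shown in the ComboFix log.

```powershell
# Startup-folder triage: read-only listing of what Windows launches at logon from the
# per-user and all-users Startup folders, with hashes for comparison against scanner logs.
# Added example, not code from this thread or from SystemLook/ComboFix.
# Assumes PowerShell 2.0 or later (Windows 7). Function names are my own.

$scriptExtensions = '.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh', '.hta', '.bat', '.cmd', '.ps1', '.scr'

function Get-FileHashHex {
    # .NET hashing so the script also works on PowerShell 2.0, which lacks Get-FileHash.
    param([string]$Path, [string]$Algorithm)
    $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $hasher.ComputeHash($stream) }
    finally { $stream.Close() }
    ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
}

function Get-StartupEntry {
    $shell = New-Object -ComObject WScript.Shell
    $folders = @(
        (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup'),  # this user
        (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')   # all users
    )
    foreach ($folder in $folders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        # -Force includes Hidden/System files, which droppers commonly set on themselves.
        $files = Get-ChildItem -LiteralPath $folder -Force | Where-Object { -not $_.PSIsContainer }
        foreach ($file in $files) {
            $ext = $file.Extension.ToLowerInvariant()
            $target = $null
            if ($ext -eq '.lnk') {
                # Resolve shortcuts so a .lnk pointing somewhere odd is visible in the listing.
                $target = $shell.CreateShortcut($file.FullName).TargetPath
            }
            New-Object PSObject -Property @{
                Path       = $file.FullName
                IsScript   = ($scriptExtensions -contains $ext)
                Hidden     = [bool]($file.Attributes -band [IO.FileAttributes]::Hidden)
                SizeBytes  = $file.Length
                Modified   = $file.LastWriteTime
                LinkTarget = $target
                MD5        = Get-FileHashHex -Path $file.FullName -Algorithm 'MD5'
                SHA256     = Get-FileHashHex -Path $file.FullName -Algorithm 'SHA256'
            }
        }
    }
}

function Get-SecurityCenterOverride {
    # ComboFix showed both of these as "1" on the machine in this thread. A value of 1
    # suppresses the Action Center warning that the firewall or antivirus is off, so a 1
    # you did not set yourself is worth mentioning to the helper.
    $key = 'HKLM:\SOFTWARE\Microsoft\Security Center'
    if (-not (Test-Path $key)) { return $null }
    $values = Get-ItemProperty -Path $key
    New-Object PSObject -Property @{
        AntiVirusOverride = $values.AntiVirusOverride
        FirewallOverride  = $values.FirewallOverride
    }
}

Get-SecurityCenterOverride | Format-List
Get-StartupEntry | Sort-Object IsScript -Descending |
    Format-Table Path, IsScript, Hidden, SizeBytes, Modified, MD5, LinkTarget -AutoSize
```

Run it from an elevated PowerShell prompt so the all-users folder and the HKLM key are readable. An entry with IsScript true that you did not place there (52285.js in this thread) is what a helper will ask you to quarantine, and an MD5 that matches the SystemLook line confirms it is the same file; the script itself changes nothing.
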
#10 varunkr

varunkr
  • Topic Starter

  • Members
  • 39 posts

Posted 23 April 2013 - 05:42 AM

Hi Gary,

I ran the script on ComboFix and after rebooting ran another complete scan on my computer using my anti virus. Now it doesn't show infected files anymore in the results. Thank you for that! :)

The ComboFix log is pasted below:

ComboFix 13-04-21.03 - Admin 04/23/2013   7:03.3.2 - x86
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.2013.1061 [GMT 5.5:30]
Running from: c:\users\Admin\Downloads\Programs\ComboFix.exe
Command switches used :: c:\users\Admin\Downloads\Programs\cfscript.txt
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\52285.js"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\12b
c:\12b\046
c:\12b\04700
c:\12b\0fa
c:\12b\1b
c:\12b\1f1f
.
.
(((((((((((((((((((((((((   Files Created from 2013-03-23 to 2013-04-23  )))))))))))))))))))))))))))))))
.
.
2013-04-23 01:44 . 2013-04-23 01:46    --------    d-----w-    c:\users\Admin\AppData\Local\temp
2013-04-23 01:44 . 2013-04-23 01:44    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-04-22 21:27 . 2013-04-22 21:27    --------    d-----w-    c:\windows\ERUNT
2013-04-22 21:27 . 2013-04-22 21:27    --------    d-----w-    C:\JRT
2013-04-22 01:01 . 2013-04-22 01:01    60872    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{710588DF-C04A-4628-9BBA-DB637A57F597}\offreg.dll
2013-04-21 17:35 . 2013-04-10 03:08    6906960    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{710588DF-C04A-4628-9BBA-DB637A57F597}\mpengine.dll
2013-04-14 19:50 . 2013-04-14 19:50    94112    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-04-14 19:50 . 2013-04-14 19:50    --------    d-----w-    c:\program files\Java
2013-04-14 12:06 . 2013-04-13 06:34    46759    ----a-w-    c:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\52285.js
2013-04-13 09:39 . 2013-04-13 09:39    --------    d-----w-    c:\users\Admin\AppData\Roaming\Malwarebytes
2013-04-13 09:39 . 2013-04-13 09:39    --------    d-----w-    c:\programdata\Malwarebytes
2013-04-13 09:39 . 2013-04-13 09:39    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-04-13 09:39 . 2013-04-04 09:20    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-04-13 08:12 . 2013-04-13 08:12    15616    ----a-w-    c:\windows\system32\drivers\TrueSight.sys
2013-04-13 06:19 . 2013-04-21 17:18    --------    d-----w-    c:\users\Admin\AppData\Local\CrashDumps
2013-04-12 16:17 . 2013-04-14 20:13    --------    d-----w-    C:\CrashDumps
2013-04-10 18:13 . 2013-03-01 03:09    2347008    ----a-w-    c:\windows\system32\win32k.sys
2013-04-10 18:13 . 2013-03-19 05:04    3968856    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-04-10 18:13 . 2013-03-19 05:04    3913560    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-04-10 18:13 . 2013-03-19 02:49    69632    ----a-w-    c:\windows\system32\smss.exe
2013-04-10 18:13 . 2013-03-19 04:48    38912    ----a-w-    c:\windows\system32\csrsrv.dll
2013-04-10 18:13 . 2013-02-15 04:37    3217408    ----a-w-    c:\windows\system32\mstscax.dll
2013-04-10 18:12 . 2013-02-15 04:34    131584    ----a-w-    c:\windows\system32\aaclient.dll
2013-04-10 18:12 . 2013-02-15 03:25    36864    ----a-w-    c:\windows\system32\tsgqec.dll
2013-04-10 18:07 . 2013-03-02 05:07    1212264    ----a-w-    c:\windows\system32\drivers\ntfs.sys
2013-04-04 19:22 . 2013-04-12 19:57    --------    d---a-w-    C:\Kaspersky Rescue Disk 10.0
2013-04-01 08:19 . 2013-04-01 08:19    --------    d-----w-    c:\programdata\IDM
2013-03-29 20:26 . 2013-03-29 20:26    --------    d-----w-    c:\program files\FileASSASSIN
2013-03-28 19:14 . 2013-02-12 03:32    15872    ----a-w-    c:\windows\system32\drivers\usb8023.sys
2013-03-28 17:59 . 2013-03-28 17:59    --------    d-----w-    c:\users\Admin\AppData\Local\Programs
2013-03-28 07:12 . 2013-03-28 07:12    --------    d-----w-    C:\MOST sheets
2013-03-25 18:28 . 2013-03-25 18:28    --------    d-sh--w-    c:\program files\0c74
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-14 19:50 . 2012-10-30 22:45    861088    ----a-w-    c:\windows\system32\npdeployJava1.dll
2013-04-14 19:50 . 2011-06-09 01:56    782240    ----a-w-    c:\windows\system32\deployJava1.dll
2013-03-15 07:29 . 2012-07-29 20:31    693976    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-03-15 07:29 . 2012-07-29 20:26    73432    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-11 19:40 . 2010-12-21 12:25    237088    ------w-    c:\windows\system32\MpSigStub.exe
2013-03-06 23:33 . 2013-03-11 16:34    164736    ----a-w-    c:\windows\system32\drivers\aswVmm.sys
2013-03-06 23:33 . 2013-03-11 16:34    49248    ----a-w-    c:\windows\system32\drivers\aswRvrt.sys
2013-03-06 23:33 . 2013-01-26 12:35    368176    ----a-w-    c:\windows\system32\drivers\aswSP.sys
2013-03-06 23:33 . 2013-01-26 12:35    62376    ----a-w-    c:\windows\system32\drivers\aswTdi.sys
2013-03-06 23:33 . 2013-01-26 12:35    765736    ----a-w-    c:\windows\system32\drivers\aswSnx.sys
2013-03-06 23:33 . 2013-01-26 12:35    60656    ----a-w-    c:\windows\system32\drivers\aswRdr2.sys
2013-03-06 23:33 . 2013-01-26 12:34    66336    ----a-w-    c:\windows\system32\drivers\aswMonFlt.sys
2013-03-06 23:33 . 2013-01-26 12:35    29816    ----a-w-    c:\windows\system32\drivers\aswFsBlk.sys
2013-03-06 23:33 . 2013-01-26 12:35    21576    ----a-w-    c:\windows\system32\drivers\aswKbd.sys
2013-03-06 23:32 . 2013-01-26 12:33    41664    ----a-w-    c:\windows\avastSS.scr
2013-03-06 23:32 . 2013-01-26 12:33    228600    ----a-w-    c:\windows\system32\aswBoot.exe
2013-04-11 20:57 . 2013-04-11 20:57    263064    ----a-w-    c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-03-06 23:32    121968    ----a-w-    c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2012-02-08 00:49    22376    ----a-w-    c:\program files\Internet Download Manager\IDMShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\users\Admin\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-31 138096]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2013-04-14 802136]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2013-04-03 3573624]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-07 149040]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\LVOSDSVC.exe" [2010-11-29 64952]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2010-11-04 894312]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-06-25 1537320]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-10-15 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-10-15 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-10-15 170520]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-05 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-21 406992]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-03-06 4767304]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-07 161328]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
52285.js [2013-4-13 46759]
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDockFree\ObjectDock.exe [2010-10-7 3768176]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2010-8-5 804128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{1984D045-52CF-49cd-DB77-08F378FEA4DB}"= "c:\program files\Stardock\ObjectDockFree\ODMenu.dll" [2010-10-04 511344]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"="1"
"AntiVirusOverride"="1"
.
R3 aswVmm;aswVmm; [x]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [x]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys [x]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [x]
R3 PCDSRVC{3037D694-FD904ACA-06020000}_0;PCDSRVC{3037D694-FD904ACA-06020000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor\pcdsrvc.pkms [x]
R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [x]
R3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 aswKbd;aswKbd; [x]
S0 aswRvrt;aswRvrt; [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 IDMWFP;IDMWFP;c:\windows\system32\DRIVERS\idmwfp.sys [x]
S2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;c:\program files\LENOVO\VIRTSCRL\lvvsst.exe [x]
S2 LFKAS;Service of LFKA;c:\program files\Lenovo\ATK Hotkey\LFKAS.exe [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [x]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 MTsensor32;PU ACPI UTILITY;c:\windows\system32\DRIVERS\PuAcpi32.sys [x]
S3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETwNs32.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [x]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [x]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-23 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-29 07:30]
.
2013-04-22 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4109104723-3677082929-1988237929-1000Core.job
- c:\users\Admin\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-07-31 18:22]
.
2013-04-23 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4109104723-3677082929-1988237929-1000UA.job
- c:\users\Admin\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-07-31 18:22]
.
2013-04-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-06-10 09:47]
.
2013-04-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-06-10 09:47]
.
2013-04-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4109104723-3677082929-1988237929-1000Core.job
- c:\users\Admin\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-16 18:30]
.
2013-04-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4109104723-3677082929-1988237929-1000UA.job
- c:\users\Admin\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-16 18:30]
.
2010-12-22 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PC-Doctor\uaclauncher.exe [2010-09-08 21:08]
.
2013-04-22 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\PC-Doctor\pcdrcui.exe [2010-09-08 21:08]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.manipal.net;172.16.19.80;elearning;<local>
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 10.49.0.45 10.49.0.46
TCP: Interfaces\{46A1CB8F-6B49-4078-A190-3C7F5E63069E}: NameServer = 218.248.255.197,218.248.255.169
FF - ProfilePath - c:\users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1ope3850.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - about:home
FF - ExtSQL: 2013-04-03 21:50; mozilla_cc@internetdownloadmanager.com; c:\users\Admin\AppData\Roaming\IDM\idmmzcc5
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{3037D694-FD904ACA-06020000}_0]
"ImagePath"="\??\c:\program files\pc-doctor\pcdsrvc.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-4109104723-3677082929-1988237929-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*f*l*¾úÄIC\*€Š*]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-4109104723-3677082929-1988237929-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*f*l*¾úÄIC\*€Š*\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-4109104723-3677082929-1988237929-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*i*n*i*TÑ¡&\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-4109104723-3677082929-1988237929-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*m*p*3*+•qD\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-4109104723-3677082929-1988237929-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*m*p*3*ò¤,\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-4109104723-3677082929-1988237929-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.*f*l*¾úÄIC\*€Š*]
@Allowed: (Read) (RestrictedCode)
"0"=hex:45,3a,5c,4e,65,77,20,66,6f,6c,64,65,72,5c,50,6f,72,6e,5c,4f,6c,69,76,
   69,61,20,64,65,6c,20,52,69,6f,20,6f,66,66,69,63,65,20,2d,20,58,4e,58,58,2e,\
"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(4044)
c:\program files\Stardock\ObjectDockFree\ODMenu.dll
c:\program files\ThinkPad\Bluetooth Software\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\WLANExt.exe
c:\program files\Lenovo\ATK Hotkey\ASLDRSrv.exe
c:\windows\system32\conhost.exe
c:\program files\Lenovo\ATK Hotkey\GFNEXSrv.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Lenovo\ATK Hotkey\LCONTROL.exe
c:\program files\Lenovo\ATK Hotkey\LFKA.exe
c:\windows\system32\taskhost.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files\ThinkPad\Bluetooth Software\btwdins.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\progra~1\LENOVO\VIRTSCRL\virtscrl.exe
c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\conhost.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2013-04-23  07:22:23 - machine was rebooted
ComboFix-quarantined-files.txt  2013-04-23 01:52
ComboFix2.txt  2013-04-22 14:00
ComboFix3.txt  2013-04-22 01:09
.
Pre-Run: 12,355,149,824 bytes free
Post-Run: 12,412,841,984 bytes free
.
- - End Of File - - 0E31E327545E46785B5B274562A26932
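Two things in the log above are worth a second look by anyone reading a ComboFix report: a bare script file (52285.js) sitting directly in the user's Startup folder, where Windows hands it to the script host at every logon, and both Security Center override values set to "1", which silences the "no firewall / no antivirus" warnings. The following is an added example, not ComboFix output and not code from anyone in this thread: a small Python parser that walks a ComboFix-style excerpt and flags script-host files launched from Startup folders or Run keys, plus the Security Center overrides. The sample log is constructed to match the format seen here; the HKEY_CURRENT_USER Run value "Updater" is invented to exercise the Run-key branch and is not from this machine.

```python
"""Flag risky autostarts in a ComboFix-style log excerpt (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Extensions Windows hands to a script host (wscript/cscript/mshta/powershell)
# rather than loading as a PE image. A bare one of these in a Startup folder,
# like 52285.js in the log, is a classic persistence pattern.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1"}

# Security Center values that, when "1", suppress the missing-AV/firewall warnings.
SECURITY_CENTER_OVERRIDES = {"firewalloverride", "antivirusoverride"}


@dataclass(frozen=True)
class Finding:
    kind: str      # "script_autostart" or "security_center_override"
    location: str  # Startup folder path or registry key
    detail: str    # offending log line or name=value


# Startup entry: "<name> [<date> <size>]" or "<name> - <target> [<date> <size>]"
STARTUP_ENTRY_RE = re.compile(r"^(?P<name>.+?)(?: - (?P<target>.+?))?\s*\[[^\]]*\]\s*$")
# Registry value line: "<name>"=<value>
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+?)\s*$')


def file_extension(path: str) -> str:
    """Lower-cased extension of the last path component ('' if none)."""
    base = path.replace("/", "\\").rsplit("\\", 1)[-1]
    dot = base.rfind(".")
    return base[dot:].lower() if dot >= 0 else ""


def unquote_value(value: str) -> str:
    """Strip the quotes and the trailing '[date size]' ComboFix appends."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split(" [", 1)[0]


def audit_combofix(lines: Iterable[str]) -> List[Finding]:
    """Walk the log line by line, tracking the section we are in."""
    findings: List[Finding] = []
    section_kind: Optional[str] = None   # "startup", "registry" or None
    section_name = ""
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line == ".":                                  # section terminator
            section_kind = None
            continue
        if line.startswith("[") and line.endswith("]"):  # registry key header
            section_kind, section_name = "registry", line[1:-1]
            continue
        if line.endswith("\\") and "startup" in line.lower():  # folder header
            section_kind, section_name = "startup", line
            continue
        if section_kind == "startup":
            m = STARTUP_ENTRY_RE.match(line)
            if not m:
                continue
            # A .lnk is judged by what it points at; a bare file by its own name.
            launched = m.group("target") or m.group("name")
            if file_extension(launched) in SCRIPT_EXTENSIONS:
                findings.append(Finding("script_autostart", section_name, line))
        elif section_kind == "registry":
            m = REG_VALUE_RE.match(line)
            if not m:
                continue
            name, value = m.group("name"), unquote_value(m.group("value"))
            key = section_name.lower()
            if key.endswith("security center") and name.lower() in SECURITY_CENTER_OVERRIDES and value == "1":
                findings.append(Finding("security_center_override", section_name, f"{name}={value}"))
            elif key.endswith(("\\run", "\\runonce")) and file_extension(value) in SCRIPT_EXTENSIONS:
                findings.append(Finding("script_autostart", section_name, line))
    return findings


# Constructed sample in the log's format; the HKCU "Updater" value is invented.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-03-06 4767304]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="c:\users\Admin\AppData\Roaming\updater.vbs" [2013-04-13 12345]
.
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
52285.js [2013-4-13 46759]
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDockFree\ObjectDock.exe [2010-10-7 3768176]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2010-8-5 804128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"="1"
"AntiVirusOverride"="1"
.
"""


def audit_sample() -> List[Finding]:
    return audit_combofix(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.kind:25} {f.location}\n    {f.detail}")
```

Run against the sample it reports four findings: the invented updater.vbs Run value, 52285.js in the user's Startup folder, and the two Security Center overrides; the .lnk entries that resolve to .exe files are left alone. The Security Center check is only a prompt to ask why the values are set; some third-party suites set one of them legitimately, so confirm against the installed products before treating it as evidence on its own.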
 

 



#11 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 37,971 posts
  • Gender:Male
  • Location:California

Posted 23 April 2013 - 09:12 AM

Very nice!

Now please run these 2 scans for me.

===================================================

Rerun Malwarebytes (MBAM)

--------------------

Temporarily disable your antivirus program.
  • Please locate your Malwarebytes icon and launch the program
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

===================================================

ESET Online Scanner

--------------------

I'd like us to scan your machine with ESET OnlineScan. This process may take several hours; that is normal.
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Copy and paste the information in your next reply. (If no malware was found you will not be presented with a log).
  • Click the Back button.
  • Click the Finish button.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.
  • Malwarebytes results
  • ESET results (no log if nothing found)
  • How is your computer running now?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#12 varunkr

  • Topic Starter
  • Members
  • 39 posts

Posted 23 April 2013 - 05:09 PM

Completed both the scans. Here are the logs that were created. My computer seems to be running fine now. No issues, at least none that are noticeable. :)

 

Malwarebytes Log:

 

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.04.23.04

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Admin :: ADMIN-PC [administrator]

Protection: Enabled

4/23/2013 9:51:46 PM
mbam-log-2013-04-23 (21-51-46).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 209051
Time elapsed: 7 minute(s), 16 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

 

ESET Online Scanner Log:

 

Target                                              Threat                                              Action
C:\Program Files\0c74\0d7.js                        JS/Kryptik.AGQ trojan                               cleaned by deleting - quarantined
C:\Users\Admin\Desktop\RK_Quarantine\056a.js.vir    JS/Kryptik.AGQ trojan                               cleaned by deleting - quarantined
E:\New folder\Angry Birds-RIO\Patch\Patch.exe       a variant of Win32/HackTool.Patcher.U application   cleaned by deleting - quarantined

#13 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 37,971 posts
  • Gender:Male
  • Location:California

Posted 23 April 2013 - 05:29 PM

Greetings Varun.

I think we are done!

Now that your computer is running well it is my great pleasure to proclaim to you the Good News!

===================================================

All Clean

--------------

Your machine appears to be clean. Please take the time to read below on how to secure the machine and take the necessary steps to keep it clean.

Please do the following to remove some of the tools we used during our time together. Following this step you may remove any other remaining tools or logs.


Delete the tools used during the disinfection:
  • Press the Windows key + R on your keyboard at the same time. In the run box type combofix /uninstall, then press OK.
  • This will remove Combofix and other tools we used from your computer. You may also remove any other tools used or logs created during the steps taken.
Lawrence Abrams, the founder of BleepingComputer.com, has developed an excellent tutorial which will provide you with the information you need to know to keep your computer secure and clean. Please take the time to read: Simple and easy ways to keep your computer safe and secure on the Internet.


In addition, here are some more links you might find of interest:

I will leave this topic open for just a day or so in case you have any further issues, then it will be closed shortly thereafter.

Thank you for placing your trust in BleepingComputer. It was a pleasure serving you.
Gary

#14 varunkr

  • Topic Starter
  • Members
  • 39 posts

Posted 24 April 2013 - 12:44 AM

That sure is great news Gary! And I cannot thank you and Bleeping Computer enough for how much you have helped me! This is surely something that I will recommend to all my friends. It is like a hospital for computers, and you were a brilliant doctor! :)

But I do have a few concerns still. As I mentioned earlier, I still need to clean my external HDD, which is heavily infected. Also, what can I do to avoid infections creeping into my computer through USB drives, as that is the most common way of exchanging data here in college? I have autorun turned off for all new devices, but clearly that didn't help much!



#15 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 37,971 posts
  • Gender:Male
  • Location:California

Posted 24 April 2013 - 10:41 AM

Hi Varun,

Let's close out this topic and start another topic so we can keep the issues separated. I will send you a Personal Message.
Gary



