g249.js infected computer and external hard disk


This topic is locked
29 replies to this topic

#1 SatanicSaint (Members, 18 posts)

Posted 06 May 2013 - 11:51 AM

I am running Windows 7 32-bit. I use Microsoft Security Essentials as my antivirus and keep Malwarebytes as a backup.

 

I gave my external hard disk to a friend, and that was a big mistake. I plugged it back into my own PC and clicked on Open Folder to View Files.

 

All my folders in the hard disk were made into shortcuts. I went to Folder Options and unchecked Hide Protected Operating System Files.

 

Soon enough I found my data in hidden folders and two more hidden folders called 3535 and System Volume Information.

 

3535 has 2 files named g249.js and i28282.js.

 

When I click on System Volume Information, it says Access is denied.

 

If I delete the 3535 folder it comes back within 5 seconds. I can delete all the shortcuts and the autorun file, but they come back once I reconnect the external hard disk.

 

The worst thing is that it infects everything I plug in, like my pen drive. I even formatted it, but the 3535 folder and the shortcuts were there after formatting.

 

I did a full scan of my PC and external hard disk using both Security Essentials and MBAM, but no effect :(

 

Also I had to change the name of mbam.exe and dds.exe to run these programs. I think the virus is somehow trying to block these programs.

 

Here is the DDS log:

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 10.0.9200.16537  BrowserJavaVersion: 10.17.2
Run by ACEr at 21:59:42 on 2013-05-06
Microsoft Windows 7 Professional   6.1.7601.1.1252.91.1033.18.1781.814 [GMT 5.5:30]
.
AV: Microsoft Security Essentials *Enabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files\Connectify\ConnectifyService.exe
C:\Program Files\Launch Manager\dsiwmis.exe
C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Connectify\ConnectifyD.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Airtel NetXpert\bin\sprtsvc.exe
C:\Program Files\Airtel NetXpert\bin\tgsrvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\TATA DOCOMO 3G\AssistantServices.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Launch Manager\LMworker.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Users\ACEr\Local Settings\Apps\F.lux\flux.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\WScript.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.linkzb.com
uWindow Title = Internet Explorer provided by Manipal University
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.Google.com
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.linkzb.com
uProxyServer = hxxp=localhost:8118
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - <orphaned>
BHO: Complitly: {0FB6A909-6086-458F-BD92-1F8EE10042A0} - c:\users\acer\appdata\roaming\complitly\Complitly.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: SelectionLinks: {7825CFB6-490A-436B-9F26-4A7B5CFC01A9} - c:\program files\oapps\SelectionLinks.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - c:\program files\windows live\companion\companioncore.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [F.lux] "c:\users\acer\local settings\apps\f.lux\flux.exe" /noshow
uRun: [239] c:\users\acer\appdata\roaming\358\239.js
mRun: [LManager] c:\program files\launch manager\LManager.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
StartupFolder: c:\users\acer\appdata\roaming\microsoft\windows\start menu\programs\startup\77d9.js
uPolicies-Explorer: NoDriveTypeAutoRun = dword:0
uPolicies-Explorer: NoDriveAutoRun = dword:3
mPolicies-Explorer: NoDriveAutoRun = dword:3
mPolicies-Explorer: NoDriveTypeAutoRun = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\mif5ba~1\office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-00109-0002-0009-ABCDEFFEDCBC} - <orphaned>
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: NameServer = 10.49.0.45 10.49.0.46
TCP: Interfaces\{E9AEF69F-44F4-456E-8796-26EE4D47984A} : NameServer = 10.49.0.45,10.49.0.46
TCP: Interfaces\{E9AEF69F-44F4-456E-8796-26EE4D47984A} : DHCPNameServer = 10.49.0.45 10.49.0.46
TCP: Interfaces\{E9AEF69F-44F4-456E-8796-26EE4D47984A}\1496274756C6 : NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{E9AEF69F-44F4-456E-8796-26EE4D47984A}\1496274756C6 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{E9AEF69F-44F4-456E-8796-26EE4D47984A}\2656C6B696E6534376 : NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{E9AEF69F-44F4-456E-8796-26EE4D47984A}\2656C6B696E6534376 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{E9AEF69F-44F4-456E-8796-26EE4D47984A}\379646 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{E9AEF69F-44F4-456E-8796-26EE4D47984A}\94F4E40424C6F636B6D293 : NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{E9AEF69F-44F4-456E-8796-26EE4D47984A}\94F4E40424C6F636B6D293 : DHCPNameServer = 10.49.0.45 10.49.0.46
TCP: Interfaces\{E9AEF69F-44F4-456E-8796-26EE4D47984A}\94F4E404934786D224C6F636B6D22333 : DHCPNameServer = 10.49.0.45 10.49.0.46
TCP: Interfaces\{E9AEF69F-44F4-456E-8796-26EE4D47984A}\94F4E404D416E6960716C6D294E646F6F627 : NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{E9AEF69F-44F4-456E-8796-26EE4D47984A}\94F4E404D416E6960716C6D294E646F6F627 : DHCPNameServer = 10.49.0.45 10.49.0.46
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
SSODL: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - c:\windows\system32\CbFsMntNtf3.dll
STS: Virtual Storage Mount Notification - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - c:\windows\system32\CbFsMntNtf3.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\acer\appdata\roaming\mozilla\firefox\profiles\8ji6twfj.default-1340277873667\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\progra~1\mif5ba~1\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\mif5ba~1\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.135\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: c:\program files\research in motion limited\blackberry app world browser plugin\npappworld.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\acer\appdata\local\google\update\1.3.21.135\npGoogleUpdate3.dll
FF - plugin: c:\users\acer\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\users\acer\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\acer\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\users\acer\appdata\roaming\mozilla\plugins\npo1d.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1200112.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_7_700_169.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
FF - plugin: c:\windows\system32\wat\npWatWeb.dll
FF - ExtSQL: 2013-04-04 18:35; jid1-4P0kohSJxU1qGg@jetpack; c:\users\acer\appdata\roaming\mozilla\firefox\profiles\8ji6twfj.default-1340277873667\extensions\jid1-4P0kohSJxU1qGg@jetpack.xpi
FF - ExtSQL: 2013-05-03 01:04; {213984A0-C438-4D02-9EF9-90BB7DB43E37}; c:\users\acer\appdata\roaming\mozilla\firefox\profiles\8ji6twfj.default-1340277873667\extensions\{213984A0-C438-4D02-9EF9-90BB7DB43E37}
.
---- FIREFOX POLICIES ----
.
.
user_pref('extensions.autoDisableScopes', 0);user_pref('security.csp.enable', false);user_pref('security.OCSP.enabled', 0);user_pref('extensions.blocklist.enabled', false);
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-1-20 195296]
R1 cnnctfy2;Connectify LightWeight Filter;c:\windows\system32\drivers\cnnctfy2.sys [2011-8-30 27248]
R2 Connectify;Connectify;c:\program files\connectify\ConnectifyService.exe [2012-5-3 65536]
R2 DsiWMIService;Dritek WMI Service;c:\program files\launch manager\dsiwmis.exe [2010-7-1 325200]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-5-3 418376]
R2 sprtsvc_netxpert;SupportSoft Sprocket Service (netxpert);c:\program files\airtel netxpert\bin\sprtsvc.exe [2011-12-19 206120]
R3 cbfs3;EldoS Callback File System driver v3;c:\windows\system32\drivers\cbfs3.sys [2012-11-5 299024]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-2-27 132480]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2010-10-15 269824]
R3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2010-7-1 274984]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-5-3 22856]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-5-3 701512]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-7-30 43944]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2010-7-30 29472]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2010-12-13 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2011-12-14 101120]
S3 ManyCam;ManyCam Virtual Webcam;c:\windows\system32\drivers\mcvidrv.sys [2012-1-11 32000]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2011-7-30 9216]
S3 mcaudrv_simple;ManyCam Virtual Microphone;c:\windows\system32\drivers\mcaudrv.sys [2012-2-22 22400]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 100328]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2013-1-27 295232]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2013-1-16 14848]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2013-1-16 49664]
S3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\drivers\vpcuxd.sys [2011-8-1 12800]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\drivers\ZTEusbvoice.sys [2011-7-30 105088]
.
=============== Created Last 30 ================
.
2013-05-05 14:05:27    6906960    ----a-w-    c:\programdata\microsoft\microsoft antimalware\definition updates\{a1a64864-6e18-4245-898d-edf807004506}\mpengine.dll
2013-05-03 15:00:49    6906960    ------w-    c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-05-02 20:28:29    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-05-02 20:28:29    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-05-02 20:07:13    --------    d-----w-    c:\users\acer\appdata\roaming\Zbshareware Lab
2013-05-02 20:07:13    --------    d-----w-    c:\programdata\Zbshareware Lab
2013-05-02 20:02:10    --------    d-----w-    c:\users\acer\appdata\local\Programs
2013-05-02 19:33:30    --------    d-----w-    c:\program files\OApps
2013-05-02 19:18:32    --------    d-----w-    C:\UsbFix
2013-05-02 17:00:05    --------    d-sh--w-    c:\users\acer\appdata\roaming\358
2013-05-02 17:00:05    --------    d-sh--w-    C:\347
2013-04-24 19:21:39    706640    ------w-    c:\programdata\microsoft\microsoft antimalware\definition updates\{61b2df11-7602-44db-82a8-d414847303e1}\gapaengine.dll
2013-04-24 14:27:20    1211752    ----a-w-    c:\windows\system32\drivers\ntfs.sys
2013-04-12 08:52:24    --------    d-----w-    c:\users\acer\appdata\roaming\TeraCopy
2013-04-12 08:52:10    --------    d-----w-    c:\program files\TeraCopy
2013-04-10 20:03:58    817664    ----a-w-    c:\program files\common files\microsoft shared\vgx\VGX.dll
2013-04-10 20:03:57    1766912    ----a-w-    c:\windows\system32\wininet.dll
2013-04-10 20:03:56    770608    ----a-w-    c:\program files\internet explorer\iexplore.exe
2013-04-10 07:07:35    3968856    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-04-10 07:07:35    3913560    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-04-10 07:07:34    69632    ----a-w-    c:\windows\system32\smss.exe
2013-04-10 07:07:33    38912    ----a-w-    c:\windows\system32\csrsrv.dll
2013-04-10 06:07:02    2347008    ----a-w-    c:\windows\system32\win32k.sys
2013-04-10 06:03:16    196328    ----a-w-    c:\windows\system32\drivers\fvevol.sys
.
==================== Find3M  ====================
.
2013-05-02 15:28:50    238872    ------w-    c:\windows\system32\MpSigStub.exe
2013-04-22 13:15:39    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-04-22 13:15:39    691592    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-04-03 00:44:16    94112    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-04-03 00:44:11    861088    ----a-w-    c:\windows\system32\npDeployJava1.dll
2013-04-03 00:44:11    782240    ----a-w-    c:\windows\system32\deployJava1.dll
2013-04-02 14:09:52    4550656    ----a-w-    c:\windows\system32\GPhotos.scr
2013-02-21 10:29:39    2877440    ----a-w-    c:\windows\system32\jscript9.dll
2013-02-21 10:29:37    61440    ----a-w-    c:\windows\system32\iesetup.dll
2013-02-21 10:29:37    109056    ----a-w-    c:\windows\system32\iesysprep.dll
2013-02-19 12:01:03    2706432    ----a-w-    c:\windows\system32\mshtml.tlb
2013-02-19 11:10:53    71680    ----a-w-    c:\windows\system32\RegisterIEPKEYs.exe
2013-02-12 04:48:31    474112    ----a-w-    c:\windows\apppatch\AcSpecfc.dll
2013-02-12 04:48:26    2176512    ----a-w-    c:\windows\apppatch\AcGenral.dll
2013-02-12 03:32:45    15872    ----a-w-    c:\windows\system32\drivers\usb8023.sys
.
============= FINISH: 22:01:49.74 ===============
 

 


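The DDS log in the post above carries the usual footprint of a JavaScript shortcut worm: WScript.exe is running, a Run value named 239 points at c:\users\acer\appdata\roaming\358\239.js, a 77d9.js sits in the Startup folder, and both the user and machine Explorer policies set NoDriveTypeAutoRun to 0, which enables AutoRun for every drive type. The PowerShell script below is an editor-added example, not code from any poster or tool in this thread. It is read-only: it lists running script hosts with their command lines, enumerates the Run/RunOnce keys and both Startup folders and flags entries whose command is a script interpreter or a .js/.vbs/.wsf file, and reports the AutoRun policy values. The function names and the Suspicious flag are the example's own; the registry paths and value names are the standard Windows ones.

```powershell
# Editor-added example (not from the thread): read-only triage of the autostart
# locations a script worm uses. Run in an elevated PowerShell (2.0 or later).
$ScriptPattern = '\.(js|jse|vbs|vbe|wsf|wsh)("|\s|$)|\\(w|c)script\.exe|\\mshta\.exe'

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ScriptHostProcesses {
    # The command line shows which script file the host is executing,
    # e.g. wscript.exe "C:\Users\...\AppData\Roaming\358\239.js"
    Get-WmiObject -Class Win32_Process -Filter "Name='wscript.exe' OR Name='cscript.exe'" |
        Select-Object ProcessId, ParentProcessId, CommandLine
}

function Get-RunKeyEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            New-Object PSObject -Property @{
                Location = $key; Name = $name; Command = $cmd
                Suspicious = ($cmd -match $ScriptPattern)
            }
        }
    }
}

function Get-StartupEntries {
    # Per-user Startup folder plus the all-users one under ProgramData.
    $folders = @(
        [Environment]::GetFolderPath('Startup'),
        (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')
    )
    foreach ($f in $folders) {
        if (-not (Test-Path $f)) { continue }
        foreach ($file in (Get-ChildItem -Path $f -Force | Where-Object { -not $_.PSIsContainer })) {
            New-Object PSObject -Property @{
                Location = $f; Name = $file.Name; Command = $file.FullName
                Suspicious = ($file.Name -match $ScriptPattern)
            }
        }
    }
}

function Get-AutoRunPolicy {
    # NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is DISABLED.
    # Windows 7 default is 0x91 (145); 0xFF disables it everywhere; 0 enables it for every type.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $typeMask = $null; $driveMask = $null
        if (Test-Path $key) {
            $p = Get-ItemProperty -Path $key
            $typeMask = $p.NoDriveTypeAutoRun
            $driveMask = $p.NoDriveAutoRun
        }
        New-Object PSObject -Property @{
            Key = $key; NoDriveTypeAutoRun = $typeMask; NoDriveAutoRun = $driveMask
            AutoRunEverywhere = ($typeMask -eq 0)
        }
    }
}

'== Running script hosts =='
Get-ScriptHostProcesses | Format-Table -AutoSize
'== Autostart entries (Suspicious = script interpreter or .js/.vbs/.wsf target) =='
@(Get-RunKeyEntries) + @(Get-StartupEntries) | Format-Table Suspicious, Name, Command, Location -AutoSize
'== AutoRun policy =='
Get-AutoRunPolicy | Format-Table Key, NoDriveTypeAutoRun, NoDriveAutoRun, AutoRunEverywhere -AutoSize
```

Because mbam.exe and dds.exe had to be renamed before they would run, the running script is probably polling process names and killing the ones it knows; stop it first (Stop-Process -Name wscript) before deleting the .js files, or they come straight back, as the poster saw with the 3535 folder. Treat a Suspicious hit as a starting point rather than proof: legitimate software rarely autostarts a bare .js, but look at the file before deleting it.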
#2 nasdaq (Malware Response Team, 38,770 posts, Montreal, QC, Canada)

Posted 09 May 2013 - 09:27 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Search and delete the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete tab follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).
===

--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then click on the "Scan" button.
  • Wait until the Status box shows "Scan Finished".
  • Click on "Delete".
  • Wait until the Status box shows "Deleting Finished".
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop.
  • Exit/Close RogueKiller.

  • Please paste the logs in your next reply, DO NOT ATTACH THEM.
    Let me know what problem persists.


#3 SatanicSaint (Topic Starter, Members, 18 posts)

Posted 10 May 2013 - 12:29 PM

AdwCleaner Log:

 

# AdwCleaner v2.300 - Logfile created 05/10/2013 at 21:11:17
# Updated 28/04/2013 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (32 bits)
# User : ACEr - SATANICSAINT
# Boot Mode : Normal
# Running from : C:\Users\ACEr\Downloads\adw.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\Users\ACEr\AppData\Local\Temp\Uninstall.exe
Folder Deleted : C:\Program Files\Complitly
Folder Deleted : C:\Program Files\OApps
Folder Deleted : C:\ProgramData\APN
Folder Deleted : C:\ProgramData\Ask
Folder Deleted : C:\ProgramData\Babylon
Folder Deleted : C:\ProgramData\boost_interprocess
Folder Deleted : C:\ProgramData\Tarma Installer
Folder Deleted : C:\Users\ACEr\AppData\Local\APN
Folder Deleted : C:\Users\ACEr\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\ACEr\AppData\LocalLow\PriceGong
Folder Deleted : C:\Users\ACEr\AppData\Roaming\Babylon
Folder Deleted : C:\Users\ACEr\AppData\Roaming\Complitly
Folder Deleted : C:\Users\ACEr\AppData\Roaming\Mozilla\Firefox\Profiles\8ji6twfj.default-1340277873667\jetpack
Folder Deleted : C:\Users\ACEr\AppData\Roaming\Mozilla\Firefox\Profiles\vffoqdrj.default\Conduit
Folder Deleted : C:\Users\ACEr\AppData\Roaming\Mozilla\Firefox\Profiles\vffoqdrj.default\ConduitEngine
Folder Deleted : C:\Users\ACEr\AppData\Roaming\Mozilla\Firefox\Profiles\vffoqdrj.default\CT2786678
Folder Deleted : C:\Users\ACEr\AppData\Roaming\Mozilla\Firefox\Profiles\vffoqdrj.default\extensions\{33E0DAA6-3AF3-D8B5-6752-10E949C61516}
Folder Deleted : C:\Users\ACEr\AppData\Roaming\Mozilla\Firefox\Profiles\vffoqdrj.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
Folder Deleted : C:\Users\ACEr\AppData\Roaming\Mozilla\Firefox\Profiles\vffoqdrj.default\extensions\engine@conduit.com
Folder Deleted : C:\Users\ACEr\AppData\Roaming\Mozilla\Firefox\Profiles\vffoqdrj.default\StumbleUpon

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong
Key Deleted : HKCU\Software\Complitly
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{C99FDC39-A1AE-4B24-8D71-E5274F8D7C54}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{0FB6A909-6086-458F-BD92-1F8EE10042A0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0FB6A909-6086-458F-BD92-1F8EE10042A0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Key Deleted : HKLM\Software\Babylon
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{442F13BC-2031-42D5-9520-437F65271153}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\Complitly.DLL
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Key Deleted : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C9AE652B-8C99-4AC2-B556-8B501182874E}
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\SuggestMeYes.SuggestMeYesBHO
Key Deleted : HKLM\SOFTWARE\Classes\SuggestMeYes.SuggestMeYesBHO.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2786678
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{01BCB858-2F62-4F06-A8F4-48F927C15333}
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\dlfienamagdnkekbbbocojppncdambda
Key Deleted : HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ApnUpdater
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apntoolbarinstaller_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apntoolbarinstaller_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0FB6A909-6086-458F-BD92-1F8EE10042A0}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4FFBB818-B13C-11E0-931D-B2664824019B}_is1
Key Deleted : HKLM\Software\SimplyGen
Key Deleted : HKLM\SOFTWARE\Software
Key Deleted : HKLM\Software\Tarma Installer
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{30F9B915-B755-4826-820B-08FBA6BD249D}]

***** [Internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16537

[OK] Registry is clean.

-\\ Mozilla Firefox v20.0.1 (en-GB)

File : C:\Users\ACEr\AppData\Roaming\Mozilla\Firefox\Profiles\8ji6twfj.default-1340277873667\prefs.js

C:\Users\ACEr\AppData\Roaming\Mozilla\Firefox\Profiles\8ji6twfj.default-1340277873667\user.js ... Deleted !

Deleted : user_pref("extensions.toolbar@ask.com.install-event-fired", true);

File : C:\Users\ACEr\AppData\Roaming\Mozilla\Firefox\Profiles\vffoqdrj.default\prefs.js

C:\Users\ACEr\AppData\Roaming\Mozilla\Firefox\Profiles\vffoqdrj.default\user.js ... Deleted !

Deleted : user_pref("keyword.URL", "hxxp://search.hotspotshield.com/g/results.php?c=s&q=");

-\\ Google Chrome v26.0.1410.64

File : C:\Users\ACEr\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [5824 octets] - [10/05/2013 21:11:17]

########## EOF - C:\AdwCleaner[S1].txt - [5884 octets] ##########
 

 

 

 

RogueKiller Log:

 

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : ACEr [Admin rights]
Mode : Scan -- Date : 05/10/2013 21:17:18
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 10 ¤¤¤
[RUN][ROGUE ST] HKCU\[...]\Run : 239 (C:\Users\ACEr\AppData\Roaming\358\239.js) -> FOUND
[RUN][ROGUE ST] HKUS\S-1-5-21-1153995095-883336955-617581567-1003[...]\Run : 239 (C:\Users\ACEr\AppData\Roaming\358\239.js) -> FOUND
[TASK][SUSP PATH] Alarm : C:\Users\ACEr\Desktop\Formula.1.2011.Round.10.German.GP.mkv  [x] -> FOUND
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (hxxp=localhost:8118) -> FOUND
[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{E9AEF69F-44F4-456E-8796-26EE4D47984A} : NameServer (10.49.0.45,10.49.0.46) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{E9AEF69F-44F4-456E-8796-26EE4D47984A} : NameServer (10.49.0.45,10.49.0.46) -> FOUND
[HJ] HKLM\[...]\SystemRestore : DisableSR (1) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 hl2rcv.adobe.com
127.0.0.1 adobeereg.com
127.0.0.1 activate.adobe.com
127.0.0.1 practivate.adobe.com
127.0.0.1 ereg.adobe.com
127.0.0.1 activate.wip3.adobe.com
127.0.0.1 ereg.wip3.adobe.com
127.0.0.1 wip3.adobe.com
127.0.0.1 activate-sea.adobe.com
127.0.0.1 wwis-dubc1-vip60.adobe.com
127.0.0.1 activate-sjc0.adobe.com
127.0.0.1 3dns.adobe.com
127.0.0.1 3dns-1.adobe.com
127.0.0.1 3dns-2.adobe.com
127.0.0.1 3dns-3.adobe.com
127.0.0.1 3dns-4.adobe.com
127.0.0.1 adobe-dns.adobe.com
127.0.0.1 adobe-dns-1.adobe.com
127.0.0.1 adobe-dns-2.adobe.com
127.0.0.1 adobe-dns-3.adobe.com
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD2500BEVT-22A23T0 ATA Device +++++
--- User ---
[MBR] 4a57eee0ea073ffe55f72f9ba70d88b4
[BSP] 5c07843d5dfbc7f3107cb3eb28dda520 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 77000 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 157698048 | Size: 77000 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 315394048 | Size: 84471 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_05102013_02d2117.txt >>
RKreport[1]_S_05102013_02d2117.txt


 

 

One thing I want to tell you is that my AdwCleaner was also not running until I renamed it.

Also, before these scans my homepage kept changing. Since the scans it has been working all right so far. So am I infection-free?

Also, is there any way to clean my external hard disk? I am worried that if I connect it back it might infect the PC. Also, I can't format it since it has all of my backups.


Edited by SatanicSaint, 10 May 2013 - 12:31 PM.

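The poster asks whether the external disk can be cleaned without formatting. What the first post describes (every folder replaced by a .lnk of the same name, the real folders marked Hidden and System, a numeric hidden folder holding .js files, an autorun.inf that comes back) is the standard layout of a shortcut worm: the .lnk runs wscript.exe on the hidden script and then opens the real folder so nothing looks wrong. The script below is an editor-added example, not from the thread or from any of the tools used in it. Run it from a host on which wscript.exe has been stopped, against the drive letter the disk gets; it resolves each root-level .lnk through the WScript.Shell COM object (which parses the shortcut without executing it), reports shortcuts whose target or arguments name a script host, lists hidden root folders, and with -Clean deletes the flagged shortcuts and autorun.inf and clears the Hidden/System attributes on the real folders. The parameter and function names are the example's own.

```powershell
# Editor-added example (not from the thread): triage and optionally clean a removable
# drive hit by a .lnk/.js shortcut worm. PowerShell 2.0 or later.
# Usage:  .\Test-ShortcutWorm.ps1 -DriveRoot 'E:\'          # report only
#         .\Test-ShortcutWorm.ps1 -DriveRoot 'E:\' -Clean   # remove shortcuts/autorun.inf, unhide folders
param(
    [Parameter(Mandatory = $true)][string]$DriveRoot,
    [switch]$Clean
)

# Interpreters a shortcut worm launches through the decoy .lnk files.
$HostPattern = '(w|c)script\.exe|cmd\.exe|mshta\.exe|powershell\.exe'
$Shell = New-Object -ComObject WScript.Shell

function Resolve-Shortcut([string]$Path) {
    $lnk = $Shell.CreateShortcut($Path)   # loads the existing .lnk; nothing is executed
    New-Object PSObject -Property @{
        Shortcut   = $Path
        Target     = $lnk.TargetPath
        Arguments  = $lnk.Arguments
        Suspicious = (($lnk.TargetPath + ' ' + $lnk.Arguments) -match $HostPattern)
    }
}

function Get-SuspiciousShortcuts([string]$Root) {
    Get-ChildItem -Path $Root -Force -Filter *.lnk | Where-Object { -not $_.PSIsContainer } |
        ForEach-Object { Resolve-Shortcut $_.FullName } | Where-Object { $_.Suspicious }
}

function Get-HiddenRootFolders([string]$Root) {
    # The worm hides the user's real folders (Hidden+System) and its own payload folder.
    Get-ChildItem -Path $Root -Force | Where-Object {
        $_.PSIsContainer -and ($_.Attributes -band [IO.FileAttributes]::Hidden)
    }
}

$bad     = @(Get-SuspiciousShortcuts $DriveRoot)
$hidden  = @(Get-HiddenRootFolders $DriveRoot)
$autorun = Join-Path $DriveRoot 'autorun.inf'

"Shortcuts launching a script host: $($bad.Count)"
$bad | Format-Table Shortcut, Target, Arguments -AutoSize
"Hidden folders at root: $($hidden.Count)"
$hidden | ForEach-Object { "  $($_.FullName)  [$($_.Attributes)]" }
if (Test-Path $autorun) { 'autorun.inf present at drive root' }

if ($Clean) {
    foreach ($s in $bad) { Remove-Item -LiteralPath $s.Shortcut -Force }
    if (Test-Path $autorun) { Remove-Item -LiteralPath $autorun -Force }
    foreach ($d in $hidden) {
        # System Volume Information is hidden by design; leave it alone.
        if ($d.Name -eq 'System Volume Information') { continue }
        # Clear Hidden/System/Read-only so Explorer shows the real folder again.
        & attrib -h -s -r $d.FullName
    }
    'Clean pass done; re-run without -Clean to confirm nothing has returned.'
}
```

Resolving a shortcut this way only reads the .lnk; it never launches the target. The clean pass leaves the payload folder (3535 in the post) in place but visible so it can be inspected and deleted by hand. Do not double-click anything on the drive until the shortcuts are gone, and re-run the report afterwards: if the shortcuts return, the worm is still running on the host, and the disk will be re-infected every time it is plugged in.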

#4 SatanicSaint (Topic Starter, Members, 18 posts)

Posted 10 May 2013 - 01:00 PM

One more thing I am getting is that whenever I search something in Google, a weird box named Selection Links appears at the top of the search results.

I don't know if it's a new feature by Google or a virus. I checked my friend's PC and it doesn't come on his.

Also I use Firefox. I have attached a screenshot of how it looks.

Attached File: CaptureGoogle.PNG (36.18KB)

Update: I checked my Firefox addons and there was an addon of it. I removed the addon and this thing seems to have gone.

Although it worries me because I never installed this addon.


Edited by SatanicSaint, 10 May 2013 - 01:08 PM.


#5 nasdaq

nasdaq
  • Malware Response Team
  • 38,770 posts
  • Location:Montreal, QC. Canada

Posted 10 May 2013 - 01:50 PM

Let's continue the cleaning.

Run RogueKiller again and click Scan.
When the scan completes, click on the Registry tab.
Put a check next to all of these items below and uncheck the rest (if found):

[RUN][ROGUE ST] HKCU\[...]\Run : 239 (C:\Users\ACEr\AppData\Roaming\358\239.js) -> FOUND
[RUN][ROGUE ST] HKUS\S-1-5-21-1153995095-883336955-617581567-1003[...]\Run : 239 (C:\Users\ACEr\AppData\Roaming\358\239.js) -> FOUND
[TASK][SUSP PATH] Alarm : C:\Users\ACEr\Desktop\Formula.1.2011.Round.10.German.GP.mkv [x] -> FOUND.


Now click Delete on the right hand column under Options

Post back the report which should be located on your desktop.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall.


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
==============

p.s.
Do you use this proxy?
HKCU\[...]\Internet Settings : ProxyServer (hxxp=localhost:8118)

Post the logs and let me know what problem persists.

#6 SatanicSaint

SatanicSaint
  • Topic Starter
  • Members
  • 18 posts

Posted 10 May 2013 - 05:41 PM

Just to let you know that before doing this scan my home page had been changed.

Also I don't use a proxy, but 2 days back I had to change my Firefox settings to No Proxy because it automatically started using a proxy.

Anyway thanks a lot for your help.

Here is the RogueKiller log. I didn't get the third item in the scan, but I checked the other two and deleted them.

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : ACEr [Admin rights]
Mode : Remove -- Date : 05/11/2013 04:04:29
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][ROGUE ST] HKCU\[...]\Run : 239 (C:\Users\ACEr\AppData\Roaming\358\239.js) -> DELETED
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (hxxp=localhost:8118) -> NOT REMOVED, USE PROXYFIX
[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{E9AEF69F-44F4-456E-8796-26EE4D47984A} : NameServer (10.49.0.45,10.49.0.46) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{E9AEF69F-44F4-456E-8796-26EE4D47984A} : NameServer (10.49.0.45,10.49.0.46) -> NOT REMOVED, USE DNSFIX

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 hl2rcv.adobe.com
127.0.0.1 adobeereg.com
127.0.0.1 activate.adobe.com
127.0.0.1 practivate.adobe.com
127.0.0.1 ereg.adobe.com
127.0.0.1 activate.wip3.adobe.com
127.0.0.1 ereg.wip3.adobe.com
127.0.0.1 wip3.adobe.com
127.0.0.1 activate-sea.adobe.com
127.0.0.1 wwis-dubc1-vip60.adobe.com
127.0.0.1 activate-sjc0.adobe.com
127.0.0.1 3dns.adobe.com
127.0.0.1 3dns-1.adobe.com
127.0.0.1 3dns-2.adobe.com
127.0.0.1 3dns-3.adobe.com
127.0.0.1 3dns-4.adobe.com
127.0.0.1 adobe-dns.adobe.com
127.0.0.1 adobe-dns-1.adobe.com
127.0.0.1 adobe-dns-2.adobe.com
127.0.0.1 adobe-dns-3.adobe.com
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD2500BEVT-22A23T0 ATA Device +++++
--- User ---
[MBR] 4a57eee0ea073ffe55f72f9ba70d88b4
[BSP] 5c07843d5dfbc7f3107cb3eb28dda520 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 77000 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 157698048 | Size: 77000 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 315394048 | Size: 84471 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_05112013_02d0404.txt >>
RKreport[1]_S_05112013_02d0402.txt ; RKreport[2]_D_05112013_02d0404.txt

ComboFix Log coming up in short time.
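The RogueKiller report above is the kind of list a helper reads entry by entry before telling the user which boxes to tick: a Run key that launches a script from a numbered folder under AppData is the obvious removal, a proxy pointing at the machine itself is a question for the user (the helper asked exactly that), and NameServer entries are only worrying when they differ from what DHCP handed out. The script below is an added example, not part of the thread and not RogueKiller's own code: it parses the tool's "[TAG][SUBTAG] key : name (value) -> STATUS" lines and applies those three rules. The sample lines are copied from the report above and from the helper's post #5; the expected resolver set is taken from the DhcpNameServer line in the ComboFix log posted later in the thread. The rule thresholds and severity labels are this example's own choices.

```python
import re
from dataclasses import dataclass

# Shape of a RogueKiller entry line: [TAG][optional SUBTAG] key : name (value) -> STATUS
LINE_RE = re.compile(
    r"^\[(?P<tag>[A-Z ]+)\]"             # e.g. [RUN], [PROXY IE], [DNS], [TASK]
    r"(?:\[(?P<subtag>[^\]]+)\])?\s+"    # e.g. [ROGUE ST], [SUSP PATH]
    r"(?P<body>.+?)\s+->\s+"
    r"(?P<status>[A-Z ,]+?)\.?\s*$"
)
VALUE_RE = re.compile(r"^(?P<name>.*?)\s*\((?P<value>.*)\)$")

SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".bat", ".cmd")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
RANK = {"high": 0, "check": 1, "info": 2}


@dataclass
class Finding:
    severity: str   # "high": remove; "check": ask the user; "info": looks expected
    tag: str
    key: str
    value: str
    reason: str


def parse_line(line):
    """Split one report line into its fields; None for headers and blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    key, _, rest = m["body"].partition(" : ")
    v = VALUE_RE.match(rest)
    name, value = (v["name"], v["value"]) if v else (rest, rest)   # TASK lines have no "(...)" part
    return m["tag"], m["subtag"], key, name, value, m["status"].strip()


def classify(entry, expected_dns=frozenset()):
    """Apply the triage rules a helper would use on one parsed entry."""
    tag, subtag, key, name, value, status = entry
    low = value.lower()
    if tag == "RUN":
        if low.endswith(SCRIPT_EXT) and any(d in low for d in USER_WRITABLE):
            return Finding("high", tag, key, value,
                           "autorun entry launching a script from a user-writable folder")
        return Finding("check", tag, key, value, "autorun entry flagged by the scanner")
    if tag.startswith("PROXY"):
        host = low.split("=", 1)[-1].split(":", 1)[0]      # "hxxp=localhost:8118" -> "localhost"
        if host in ("localhost", "127.0.0.1"):
            return Finding("check", tag, key, value,
                           "proxy on this machine: legitimate local filtering proxies look the same, confirm with the user")
        return Finding("high", tag, key, value, "browser traffic routed through another host")
    if tag == "DNS":
        servers = frozenset(s.strip() for s in value.split(","))
        if servers and servers <= expected_dns:
            return Finding("info", tag, key, value, "resolvers match what DHCP handed out")
        return Finding("check", tag, key, value, "resolvers differ from the DHCP-supplied ones")
    if tag == "TASK":
        return Finding("check", tag, key, value, f"scheduled task flagged {subtag or 'by the scanner'}")
    return Finding("info", tag, key, value, f"no rule for this tag; scanner status: {status}")


def triage(lines, expected_dns=frozenset()):
    """Parse every entry line and return findings, most urgent first (stable order otherwise)."""
    entries = [e for e in map(parse_line, lines) if e is not None]
    return sorted((classify(e, expected_dns) for e in entries), key=lambda f: RANK[f.severity])


# Lines copied from the reports in this thread; the first one shows that non-entry lines are skipped.
SAMPLE_LINES = [
    r"¤¤¤ Registry Entries : 4 ¤¤¤",
    r"[RUN][ROGUE ST] HKCU\[...]\Run : 239 (C:\Users\ACEr\AppData\Roaming\358\239.js) -> DELETED",
    r"[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (hxxp=localhost:8118) -> NOT REMOVED, USE PROXYFIX",
    r"[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{E9AEF69F-44F4-456E-8796-26EE4D47984A} : NameServer (10.49.0.45,10.49.0.46) -> NOT REMOVED, USE DNSFIX",
    r"[DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{E9AEF69F-44F4-456E-8796-26EE4D47984A} : NameServer (10.49.0.45,10.49.0.46) -> NOT REMOVED, USE DNSFIX",
    r"[TASK][SUSP PATH] Alarm : C:\Users\ACEr\Desktop\Formula.1.2011.Round.10.German.GP.mkv [x] -> FOUND.",
]
# Resolvers the ComboFix log reports as DhcpNameServer; anything else would deserve a closer look.
EXPECTED_DNS = frozenset({"10.49.0.45", "10.49.0.46"})

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES, EXPECTED_DNS):
        print(f"{f.severity:5} {f.tag:8} {f.value}  -- {f.reason}")
```

Feed it the whole RKreport text split into lines; without an `expected_dns` set every NameServer entry is reported as "check", which is the safe default when the DHCP-assigned resolvers are not known.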



#7 SatanicSaint

SatanicSaint
  • Topic Starter
  • Members
  • 18 posts

Posted 10 May 2013 - 06:03 PM

As soon as I run ComboFix.exe a window pops up and closes immediately. I renamed the file to Combo.exe and it starts running.
ComboFix claims that Microsoft Security Essentials is active even though I disabled the real-time protection. Should I proceed with the scan?

#8 nasdaq

nasdaq
  • Malware Response Team
  • 38,770 posts
  • Location:Montreal, QC. Canada

Posted 11 May 2013 - 06:58 AM

Yes ignore the MSE remark from ComboFix.

In Internet Explorer go to Tools - Internet Options - Connections tab - LAN Settings and remove the reference to 127.0.0.1:8118 if found, then uncheck "Use a proxy server" and check "Automatically detect settings".
===

If you use Firefox in Tools Menu > Options... > Advanced Tab > Network Tab > Connection > Settings. Select the Auto-detect proxy settings for this network option. Or no proxy if you do not need it.

#9 SatanicSaint

SatanicSaint
  • Topic Starter
  • Members
  • 18 posts

Posted 11 May 2013 - 08:42 AM

ComboFix log:

ComboFix 13-05-10.03 - ACEr 11-05-2013  18:41:59.1.4 - x86
Microsoft Windows 7 Professional   6.1.7601.1.1252.91.1033.18.1781.1073 [GMT 5.5:30]
Running from: c:\users\ACEr\Desktop\Combo.exe
AV: Microsoft Security Essentials *Enabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Microsoft Security Essentials *Enabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\ACEr\ACEr1
c:\users\ACEr\ACEr1\VERSION.TXT
c:\users\ACEr\AppData\Roaming\358
c:\users\ACEr\AppData\Roaming\358\239.js
c:\users\ACEr\AppData\Roaming\Love
c:\users\ACEr\AppData\Roaming\Love\mari0\options.txt
c:\windows\system\bdt52exf.dll
c:\windows\system\bivbx31.32n
c:\windows\system\WING32.DLL
c:\windows\system32\tmp5C81.tmp
c:\windows\system32\tmp5D3D.tmp
.
.
(((((((((((((((((((((((((   Files Created from 2013-04-11 to 2013-05-11  )))))))))))))))))))))))))))))))
.
.
2013-05-11 13:28 . 2013-05-11 13:28    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-05-10 22:30 . 2013-05-10 22:30    29904    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5586CAE1-CEEE-41D4-9E3D-F6951B0FF45B}\MpKsl5cb6063c.sys
2013-05-10 22:11 . 2013-04-10 03:08    6906960    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5586CAE1-CEEE-41D4-9E3D-F6951B0FF45B}\mpengine.dll
2013-05-10 18:21 . 2013-05-10 18:21    --------    d-----w-    c:\program files\CodeStuff
2013-05-09 02:00 . 2013-04-10 03:08    6906960    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-05-07 16:01 . 2013-05-07 16:14    --------    d-----w-    c:\program files\MCShield
2013-05-02 20:28 . 2013-05-02 20:30    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-05-02 20:28 . 2013-04-04 09:20    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-05-02 20:07 . 2013-05-03 12:25    --------    d-----w-    c:\programdata\Zbshareware Lab
2013-05-02 20:07 . 2013-05-02 20:07    --------    d-----w-    c:\users\ACEr\AppData\Roaming\Zbshareware Lab
2013-05-02 20:02 . 2013-05-02 20:02    --------    d-----w-    c:\users\ACEr\AppData\Local\Programs
2013-05-02 19:18 . 2013-05-02 19:20    --------    d-----w-    C:\UsbFix
2013-05-02 17:00 . 2013-05-02 17:00    --------    d-----w-    C:\347
2013-04-24 19:21 . 2013-04-24 19:19    706640    ------w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{61B2DF11-7602-44DB-82A8-D414847303E1}\gapaengine.dll
2013-04-24 14:27 . 2013-04-12 13:45    1211752    ----a-w-    c:\windows\system32\drivers\ntfs.sys
2013-04-12 08:52 . 2013-04-12 08:53    --------    d-----w-    c:\users\ACEr\AppData\Roaming\TeraCopy
2013-04-12 08:52 . 2013-04-12 08:53    --------    d-----w-    c:\program files\TeraCopy
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-02 15:28 . 2010-07-05 07:42    238872    ------w-    c:\windows\system32\MpSigStub.exe
2013-04-22 13:15 . 2012-04-21 08:16    691592    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-04-22 13:15 . 2011-08-17 15:57    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-04-03 00:44 . 2013-04-03 00:44    94112    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-04-03 00:44 . 2012-10-01 14:20    861088    ----a-w-    c:\windows\system32\npDeployJava1.dll
2013-04-03 00:44 . 2010-07-05 08:58    782240    ----a-w-    c:\windows\system32\deployJava1.dll
2013-04-02 14:09 . 2013-04-02 14:09    4550656    ----a-w-    c:\windows\system32\GPhotos.scr
2013-03-19 05:04 . 2013-04-10 07:07    3968856    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-03-19 05:04 . 2013-04-10 07:07    3913560    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-03-19 04:48 . 2013-04-10 07:07    38912    ----a-w-    c:\windows\system32\csrsrv.dll
2013-03-19 02:49 . 2013-04-10 07:07    69632    ----a-w-    c:\windows\system32\smss.exe
2013-03-15 08:16 . 2013-03-15 08:16    745472    ----a-w-    c:\windows\system32\MsSpellCheckingFacility.exe
2013-03-15 08:16 . 2013-03-15 08:16    185344    ----a-w-    c:\windows\system32\elshyph.dll
2013-03-15 08:16 . 2013-03-15 08:16    523264    ----a-w-    c:\windows\system32\vbscript.dll
2013-03-15 08:16 . 2013-03-15 08:16    38400    ----a-w-    c:\windows\system32\imgutil.dll
2013-03-15 08:16 . 2013-03-15 08:16    158720    ----a-w-    c:\windows\system32\msls31.dll
2013-03-15 08:16 . 2013-03-15 08:16    150528    ----a-w-    c:\windows\system32\iexpress.exe
2013-03-15 08:16 . 2013-03-15 08:16    138752    ----a-w-    c:\windows\system32\wextract.exe
2013-03-15 08:16 . 2013-03-15 08:16    137216    ----a-w-    c:\windows\system32\ieUnatt.exe
2013-03-15 08:16 . 2013-03-15 08:16    12800    ----a-w-    c:\windows\system32\mshta.exe
2013-03-15 08:16 . 2013-03-15 08:16    110592    ----a-w-    c:\windows\system32\IEAdvpack.dll
2013-03-15 08:16 . 2013-03-15 08:16    73728    ----a-w-    c:\windows\system32\SetIEInstalledDate.exe
2013-03-15 08:16 . 2013-03-15 08:16    719360    ----a-w-    c:\windows\system32\mshtmlmedia.dll
2013-03-15 08:16 . 2013-03-15 08:16    61952    ----a-w-    c:\windows\system32\tdc.ocx
2013-03-15 08:16 . 2013-03-15 08:16    48640    ----a-w-    c:\windows\system32\mshtmler.dll
2013-03-15 08:16 . 2013-03-15 08:16    361984    ----a-w-    c:\windows\system32\html.iec
2013-03-15 08:16 . 2013-03-15 08:16    1441280    ----a-w-    c:\windows\system32\inetcpl.cpl
2013-03-15 08:16 . 2013-03-15 08:16    23040    ----a-w-    c:\windows\system32\licmgr10.dll
2013-03-01 03:09 . 2013-04-10 06:07    2347008    ----a-w-    c:\windows\system32\win32k.sys
2013-02-21 10:30 . 2013-04-10 20:03    1766912    ----a-w-    c:\windows\system32\wininet.dll
2013-02-21 10:29 . 2013-04-10 20:04    2877440    ----a-w-    c:\windows\system32\jscript9.dll
2013-02-21 10:29 . 2013-04-10 20:04    61440    ----a-w-    c:\windows\system32\iesetup.dll
2013-02-21 10:29 . 2013-04-10 20:04    109056    ----a-w-    c:\windows\system32\iesysprep.dll
2013-02-19 12:01 . 2013-04-10 20:04    2706432    ----a-w-    c:\windows\system32\mshtml.tlb
2013-02-19 11:10 . 2013-04-10 20:04    71680    ----a-w-    c:\windows\system32\RegisterIEPKEYs.exe
2013-02-12 04:48 . 2013-03-15 07:31    474112    ----a-w-    c:\windows\apppatch\AcSpecfc.dll
2013-02-12 04:48 . 2013-03-15 07:31    2176512    ----a-w-    c:\windows\apppatch\AcGenral.dll
2013-02-12 03:32 . 2013-03-15 07:52    15872    ----a-w-    c:\windows\system32\drivers\usb8023.sys
2013-04-12 08:42 . 2013-03-08 13:04    263064    ----a-w-    c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EldosIconOverlay]
@="{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}"
[HKEY_CLASSES_ROOT\CLSID\{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}]
2012-04-09 10:57    158224    ----a-w-    c:\windows\System32\CbFsMntNtf3.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"F.lux"="c:\users\ACEr\Local Settings\Apps\F.lux\flux.exe" [2009-08-29 966656]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LManager"="c:\program files\Launch Manager\LManager.exe" [2010-02-26 1289296]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2009-10-22 233472]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-02-20 152392]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-01-10 142616]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-01-10 177432]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-01-10 177944]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
taskbar.bat [2010-7-5 222]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2010-03-05 22:14    500208    ------w-    c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2013-01-28 07:38    59720    ----a-w-    c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 09:24    91520    ----a-w-    c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Connectify]
2012-11-09 19:30    4007936    ----a-w-    c:\program files\Connectify\Connectify.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-16 20:04    1164584    ----a-w-    c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-08-14 12:36    136176    ----atw-    c:\users\ACEr\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2013-02-20 07:05    152392    ----a-w-    c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2013-04-04 09:20    532040    ----a-w-    c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\netxpert]
2010-05-10 03:32    206120    ----a-w-    c:\program files\Airtel NetXpert\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeSyncProcess]
2012-01-20 15:33    719672    ----a-w-    c:\program files\Microsoft Office\Office14\MSOSYNC.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLFSetI]
2010-01-13 05:17    206208    ----a-w-    c:\windows\PLFSetI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-10-24 21:42    421888    ----a-w-    c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RIMBBLaunchAgent.exe]
2011-11-01 20:30    90448    ----a-w-    c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDVCPL]
2011-08-26 12:48    10828392    ------w-    c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2013-02-25 02:09    1602984    ----a-w-    d:\program files\Steam\steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-07-03 03:34    252848    ----a-w-    c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UIExec]
2010-12-16 10:08    138584    ----a-w-    c:\program files\TATA DOCOMO 3G\UIExec.exe
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [x]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys [x]
R3 ManyCam;ManyCam Virtual Webcam;c:\windows\system32\DRIVERS\mcvidrv.sys [x]
R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [x]
R3 mcaudrv_simple;ManyCam Virtual Microphone;c:\windows\system32\drivers\mcaudrv.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\drivers\vpcuxd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [x]
R3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\DRIVERS\ZTEusbvoice.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S1 cnnctfy2;Connectify LightWeight Filter;c:\windows\system32\DRIVERS\cnnctfy2.sys [x]
S1 MpKsl5cb6063c;MpKsl5cb6063c;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5586CAE1-CEEE-41D4-9E3D-F6951B0FF45B}\MpKsl5cb6063c.sys [x]
S2 Connectify;Connectify;c:\program files\Connectify\ConnectifyService.exe [x]
S2 DsiWMIService;Dritek WMI Service;c:\program files\Launch Manager\dsiwmis.exe [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [x]
S2 sprtsvc_netxpert;SupportSoft Sprocket Service (netxpert);c:\program files\Airtel NetXpert\bin\sprtsvc.exe [x]
S2 tgsrvc_netxpert;SupportSoft Repair Service (netxpert);c:\program files\Airtel NetXpert\bin\tgsrvc.exe [x]
S2 UI Assistant Service;UI Assistant Service;c:\program files\TATA DOCOMO 3G\AssistantServices.exe [x]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S3 cbfs3;EldoS Callback File System driver v3;c:\windows\system32\DRIVERS\cbfs3.sys [x]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
S3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation    REG_MULTI_SZ       SSDPSRV upnphost SCardSvr TBS fdrespub AppIDSvc QWAVE wcncsvc Mcx2Svc SensrSvc
GPSvcGroup    REG_MULTI_SZ       GPSvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - LocalService
FontCache
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-21 13:15]
.
2013-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-29 16:50]
.
2013-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-29 16:50]
.
2013-05-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1153995095-883336955-617581567-1003Core.job
- c:\users\ACEr\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-14 12:36]
.
2013-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1153995095-883336955-617581567-1003UA.job
- c:\users\ACEr\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-14 12:36]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uStart Page = hxxp://indiasearcher.in/r.asp#
mStart Page = hxxp://www.linkzb.com
uInternet Settings,ProxyServer = http=localhost:8118
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MIF5BA~1\Office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 10.49.0.45 10.49.0.46
TCP: Interfaces\{E9AEF69F-44F4-456E-8796-26EE4D47984A}: NameServer = 10.49.0.45,10.49.0.46
TCP: Interfaces\{E9AEF69F-44F4-456E-8796-26EE4D47984A}\1496274756C6: NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{E9AEF69F-44F4-456E-8796-26EE4D47984A}\2656C6B696E6534376: NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{E9AEF69F-44F4-456E-8796-26EE4D47984A}\94F4E40424C6F636B6D293: NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{E9AEF69F-44F4-456E-8796-26EE4D47984A}\94F4E404D416E6960716C6D294E646F6F627: NameServer = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\users\ACEr\AppData\Roaming\Mozilla\Firefox\Profiles\8ji6twfj.default-1340277873667\
FF - prefs.js: browser.startup.homepage - hxxp://indiasearcher.in/r.asp#
FF - prefs.js: keyword.URL - hxxp://indiasearcher.in/r.asp#
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2013-04-04 18:35; jid1-4P0kohSJxU1qGg@jetpack; c:\users\ACEr\AppData\Roaming\Mozilla\Firefox\Profiles\8ji6twfj.default-1340277873667\extensions\jid1-4P0kohSJxU1qGg@jetpack.xpi
FF - user.js: keyword.URL - hxxp://indiasearcher.in/r.asp#);user_pref(browser.startup.homepage, http://indiasearcher.in/r.asp#
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - (no file)
BHO-{7825CFB6-490A-436B-9F26-4A7B5CFC01A9} - c:\program files\OApps\SelectionLinks.dll
Toolbar-Locked - (no file)
WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - (no file)
MSConfigStartUp-Adobe ARM - c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-BkupTray - c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
MSConfigStartUp-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
MSConfigStartUp-Malwarebytes' Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
MSConfigStartUp-Microsoft Forefront Client Security Antimalware Service - c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe
MSConfigStartUp-NokiaMusic FastStart - c:\program files\Nokia\Ovi Player\NokiaOviPlayer.exe
MSConfigStartUp-PDVD8LanguageShortcut - c:\program files\CyberLink\PowerDVD8\Language\Language.exe
MSConfigStartUp-RemoteControl8 - c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe
MSConfigStartUp-Simple DNS Plus - c:\program files\Simple DNS Plus\sdnsplus.exe
MSConfigStartUp-SwitchBoard - c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
MSConfigStartUp-SynTPEnh - c:\program files\Synaptics\SynTP\SynTPEnh.exe
AddRemove-sl-dlc - c:\program files\OApps\sl-dlc_uninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1153995095-883336955-617581567-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:a8,a4,1f,60,58,2b,9d,fb,e5,22,93,63,0b,32,c2,cb,2b,bd,db,4f,1f,12,e5,
   64,a5,b0,e5,0c,38,b5,19,58,82,02,83,2e,f6,18,1c,af,58,00,df,10,b6,1b,bf,4d,\
"??"=hex:69,6f,5c,46,6a,89,f9,ee,2d,48,e0,10,87,42,1e,12
.
[HKEY_USERS\S-1-5-21-1153995095-883336955-617581567-1003\Software\SecuROM\License information*]
"datasecu"=hex:74,3c,81,2a,04,2f,ad,d0,c5,35,fb,ea,53,98,f0,b4,f8,a3,c4,38,06,
   07,47,56,d7,7c,42,13,ee,7e,e7,52,e1,77,f5,dd,2b,1e,a7,7a,fb,f0,ca,24,c8,dd,\
"rkeysecu"=hex:d3,a8,cc,29,a3,b8,60,61,60,8c,01,66,db,c4,9e,fc
.
[HKEY_USERS\S-1-5-21-1153995095-883336955-617581567-1003_Classes\CLSID\{53e76f9e-f133-40b7-aed9-3b2860eb2eb1}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:00000159
"Therad"=dword:00000022
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
   38,95,44,85,b1,12,f9,90,dd,23,a1,a5,15,d8,a6,04,59,b6,a3,fc,21,11,71,1f,dc,\
.
[HKEY_USERS\S-1-5-21-1153995095-883336955-617581567-1003_Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"scansk"=hex(0):5e,f1,9d,70,7b,0a,c4,da,b6,9b,ee,4a,01,e2,40,85,b1,50,e3,e0,a9,
   98,c6,7b,d7,d3,01,7d,c9,ad,f7,2a,4b,12,31,ae,ef,85,66,e8,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3340)
c:\windows\system32\CbFsMntNtf3.dll
c:\windows\system32\CbFsNetRdr3.dll
c:\program files\WIDCOMM\Bluetooth Software\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\windows\system32\WLANExt.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\btwdins.exe
c:\program files\Connectify\ConnectifyD.exe
c:\program files\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2013-05-11  19:07:32 - machine was rebooted
ComboFix-quarantined-files.txt  2013-05-11 13:37
.
Pre-Run: 1,765,138,432 bytes free
Post-Run: 1,870,049,280 bytes free
.
- - End Of File - - B7FD3A0BE7ADA835A981DE20F633FB0C

#10 nasdaq

nasdaq
  • Malware Response Team
  • 38,770 posts
  • Location:Montreal, QC. Canada

Posted 11 May 2013 - 10:47 AM

Open notepad and copy/paste the text in the quote box below into it:

ClearJavaCache::

Firefox::
FF - ExtSQL: 2013-05-03 01:04; {213984A0-C438-4D02-9EF9-90BB7DB43E37}; c:\users\acer\appdata\roaming\mozilla\firefox\profiles\8ji6twfj.default-1340277873667\extensions\{213984A0-C438-4D02-9EF9-90BB7DB43E37}
Save this as CFScript.txt on your desktop.

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Let me know what problem persists.

#11 SatanicSaint

SatanicSaint
  • Topic Starter
  • Members
  • 18 posts

Posted 11 May 2013 - 11:30 AM

ComboFix 13-05-10.03 - ACEr 11-05-2013  21:26:18.2.4 - x86
Microsoft Windows 7 Professional   6.1.7601.1.1252.91.1033.18.1781.873 [GMT 5.5:30]
Running from: c:\users\ACEr\Desktop\Combo.exe
Command switches used :: c:\users\ACEr\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\ACEr\AppData\Roaming\mIRC\logs\status.log
c:\windows\system\SYST.VBS
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\roboot.exe
c:\windows\winhelp.ini
c:\windows\wininit.ini
.
.
(((((((((((((((((((((((((   Files Created from 2013-04-11 to 2013-05-11  )))))))))))))))))))))))))))))))
.
.
2013-05-11 16:11 . 2013-05-11 16:11    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-05-11 16:11 . 2013-05-11 16:11    --------    d-----w-    c:\users\Administrator\AppData\Local\temp
2013-05-11 13:40 . 2013-04-10 03:08    6906960    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{38436B04-4D7A-4358-ACDA-C6405EDA9D3A}\mpengine.dll
2013-05-10 18:21 . 2013-05-11 15:38    --------    d-----w-    c:\program files\CodeStuff
2013-05-09 02:00 . 2013-04-10 03:08    6906960    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-05-07 16:01 . 2013-05-07 16:14    --------    d-----w-    c:\program files\MCShield
2013-05-02 20:28 . 2013-05-02 20:30    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-05-02 20:28 . 2013-04-04 09:20    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-05-02 20:07 . 2013-05-03 12:25    --------    d-----w-    c:\programdata\Zbshareware Lab
2013-05-02 20:07 . 2013-05-02 20:07    --------    d-----w-    c:\users\ACEr\AppData\Roaming\Zbshareware Lab
2013-05-02 20:02 . 2013-05-02 20:02    --------    d-----w-    c:\users\ACEr\AppData\Local\Programs
2013-05-02 19:18 . 2013-05-02 19:20    --------    d-----w-    C:\UsbFix
2013-05-02 17:00 . 2013-05-02 17:00    --------    d-----w-    C:\347
2013-04-24 19:21 . 2013-04-24 19:19    706640    ------w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{61B2DF11-7602-44DB-82A8-D414847303E1}\gapaengine.dll
2013-04-24 14:27 . 2013-04-12 13:45    1211752    ----a-w-    c:\windows\system32\drivers\ntfs.sys
2013-04-12 08:52 . 2013-04-12 08:53    --------    d-----w-    c:\users\ACEr\AppData\Roaming\TeraCopy
2013-04-12 08:52 . 2013-04-12 08:53    --------    d-----w-    c:\program files\TeraCopy
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-02 15:28 . 2010-07-05 07:42    238872    ------w-    c:\windows\system32\MpSigStub.exe
2013-04-22 13:15 . 2012-04-21 08:16    691592    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-04-22 13:15 . 2011-08-17 15:57    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-04-03 00:44 . 2013-04-03 00:44    94112    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-04-03 00:44 . 2012-10-01 14:20    861088    ----a-w-    c:\windows\system32\npDeployJava1.dll
2013-04-03 00:44 . 2010-07-05 08:58    782240    ----a-w-    c:\windows\system32\deployJava1.dll
2013-04-02 14:09 . 2013-04-02 14:09    4550656    ----a-w-    c:\windows\system32\GPhotos.scr
2013-03-19 05:04 . 2013-04-10 07:07    3968856    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-03-19 05:04 . 2013-04-10 07:07    3913560    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-03-19 04:48 . 2013-04-10 07:07    38912    ----a-w-    c:\windows\system32\csrsrv.dll
2013-03-19 02:49 . 2013-04-10 07:07    69632    ----a-w-    c:\windows\system32\smss.exe
2013-03-15 08:16 . 2013-03-15 08:16    745472    ----a-w-    c:\windows\system32\MsSpellCheckingFacility.exe
2013-03-15 08:16 . 2013-03-15 08:16    185344    ----a-w-    c:\windows\system32\elshyph.dll
2013-03-15 08:16 . 2013-03-15 08:16    523264    ----a-w-    c:\windows\system32\vbscript.dll
2013-03-15 08:16 . 2013-03-15 08:16    38400    ----a-w-    c:\windows\system32\imgutil.dll
2013-03-15 08:16 . 2013-03-15 08:16    158720    ----a-w-    c:\windows\system32\msls31.dll
2013-03-15 08:16 . 2013-03-15 08:16    150528    ----a-w-    c:\windows\system32\iexpress.exe
2013-03-15 08:16 . 2013-03-15 08:16    138752    ----a-w-    c:\windows\system32\wextract.exe
2013-03-15 08:16 . 2013-03-15 08:16    137216    ----a-w-    c:\windows\system32\ieUnatt.exe
2013-03-15 08:16 . 2013-03-15 08:16    12800    ----a-w-    c:\windows\system32\mshta.exe
2013-03-15 08:16 . 2013-03-15 08:16    110592    ----a-w-    c:\windows\system32\IEAdvpack.dll
2013-03-15 08:16 . 2013-03-15 08:16    73728    ----a-w-    c:\windows\system32\SetIEInstalledDate.exe
2013-03-15 08:16 . 2013-03-15 08:16    719360    ----a-w-    c:\windows\system32\mshtmlmedia.dll
2013-03-15 08:16 . 2013-03-15 08:16    61952    ----a-w-    c:\windows\system32\tdc.ocx
2013-03-15 08:16 . 2013-03-15 08:16    48640    ----a-w-    c:\windows\system32\mshtmler.dll
2013-03-15 08:16 . 2013-03-15 08:16    361984    ----a-w-    c:\windows\system32\html.iec
2013-03-15 08:16 . 2013-03-15 08:16    1441280    ----a-w-    c:\windows\system32\inetcpl.cpl
2013-03-15 08:16 . 2013-03-15 08:16    23040    ----a-w-    c:\windows\system32\licmgr10.dll
2013-03-01 03:09 . 2013-04-10 06:07    2347008    ----a-w-    c:\windows\system32\win32k.sys
2013-02-21 10:30 . 2013-04-10 20:03    1766912    ----a-w-    c:\windows\system32\wininet.dll
2013-02-21 10:29 . 2013-04-10 20:04    2877440    ----a-w-    c:\windows\system32\jscript9.dll
2013-02-21 10:29 . 2013-04-10 20:04    61440    ----a-w-    c:\windows\system32\iesetup.dll
2013-02-21 10:29 . 2013-04-10 20:04    109056    ----a-w-    c:\windows\system32\iesysprep.dll
2013-02-19 12:01 . 2013-04-10 20:04    2706432    ----a-w-    c:\windows\system32\mshtml.tlb
2013-02-19 11:10 . 2013-04-10 20:04    71680    ----a-w-    c:\windows\system32\RegisterIEPKEYs.exe
2013-02-12 04:48 . 2013-03-15 07:31    474112    ----a-w-    c:\windows\apppatch\AcSpecfc.dll
2013-02-12 04:48 . 2013-03-15 07:31    2176512    ----a-w-    c:\windows\apppatch\AcGenral.dll
2013-02-12 03:32 . 2013-03-15 07:52    15872    ----a-w-    c:\windows\system32\drivers\usb8023.sys
2013-04-12 08:42 . 2013-03-08 13:04    263064    ----a-w-    c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EldosIconOverlay]
@="{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}"
[HKEY_CLASSES_ROOT\CLSID\{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}]
2012-04-09 10:57    158224    ----a-w-    c:\windows\System32\CbFsMntNtf3.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"F.lux"="c:\users\ACEr\Local Settings\Apps\F.lux\flux.exe" [2009-08-29 966656]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LManager"="c:\program files\Launch Manager\LManager.exe" [2010-02-26 1289296]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2009-10-22 233472]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-02-20 152392]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
taskbar.bat [2010-7-5 222]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2010-03-05 22:14    500208    ------w-    c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2013-01-28 07:38    59720    ----a-w-    c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 09:24    91520    ----a-w-    c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Connectify]
2012-11-09 19:30    4007936    ----a-w-    c:\program files\Connectify\Connectify.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-16 20:04    1164584    ----a-w-    c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-08-14 12:36    136176    ----atw-    c:\users\ACEr\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2013-02-20 07:05    152392    ----a-w-    c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2013-04-04 09:20    532040    ----a-w-    c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\netxpert]
2010-05-10 03:32    206120    ----a-w-    c:\program files\Airtel NetXpert\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeSyncProcess]
2012-01-20 15:33    719672    ----a-w-    c:\program files\Microsoft Office\Office14\MSOSYNC.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLFSetI]
2010-01-13 05:17    206208    ----a-w-    c:\windows\PLFSetI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-10-24 21:42    421888    ----a-w-    c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RIMBBLaunchAgent.exe]
2011-11-01 20:30    90448    ----a-w-    c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDVCPL]
2011-08-26 12:48    10828392    ------w-    c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2013-02-25 02:09    1602984    ----a-w-    d:\program files\Steam\steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-07-03 03:34    252848    ----a-w-    c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UIExec]
2010-12-16 10:08    138584    ----a-w-    c:\program files\TATA DOCOMO 3G\UIExec.exe
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [x]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys [x]
R3 ManyCam;ManyCam Virtual Webcam;c:\windows\system32\DRIVERS\mcvidrv.sys [x]
R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [x]
R3 mcaudrv_simple;ManyCam Virtual Microphone;c:\windows\system32\drivers\mcaudrv.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\drivers\vpcuxd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [x]
R3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\DRIVERS\ZTEusbvoice.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S1 cnnctfy2;Connectify LightWeight Filter;c:\windows\system32\DRIVERS\cnnctfy2.sys [x]
S2 Connectify;Connectify;c:\program files\Connectify\ConnectifyService.exe [x]
S2 DsiWMIService;Dritek WMI Service;c:\program files\Launch Manager\dsiwmis.exe [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [x]
S2 sprtsvc_netxpert;SupportSoft Sprocket Service (netxpert);c:\program files\Airtel NetXpert\bin\sprtsvc.exe [x]
S2 tgsrvc_netxpert;SupportSoft Repair Service (netxpert);c:\program files\Airtel NetXpert\bin\tgsrvc.exe [x]
S2 UI Assistant Service;UI Assistant Service;c:\program files\TATA DOCOMO 3G\AssistantServices.exe [x]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S3 cbfs3;EldoS Callback File System driver v3;c:\windows\system32\DRIVERS\cbfs3.sys [x]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
S3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation    REG_MULTI_SZ       SSDPSRV upnphost SCardSvr TBS fdrespub AppIDSvc QWAVE wcncsvc Mcx2Svc SensrSvc
GPSvcGroup    REG_MULTI_SZ       GPSvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - LocalService
FontCache
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-21 13:15]
.
2013-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-29 16:50]
.
2013-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-29 16:50]
.
2013-05-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1153995095-883336955-617581567-1003Core.job
- c:\users\ACEr\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-14 12:36]
.
2013-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1153995095-883336955-617581567-1003UA.job
- c:\users\ACEr\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-14 12:36]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uStart Page = hxxp://indiasearcher.in/r.asp#
mStart Page = hxxp://www.linkzb.com
uInternet Settings,ProxyServer = http=localhost:8118
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MIF5BA~1\Office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 10.49.0.45 10.49.0.46
TCP: Interfaces\{E9AEF69F-44F4-456E-8796-26EE4D47984A}: NameServer = 10.49.0.45,10.49.0.46
TCP: Interfaces\{E9AEF69F-44F4-456E-8796-26EE4D47984A}\1496274756C6: NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{E9AEF69F-44F4-456E-8796-26EE4D47984A}\2656C6B696E6534376: NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{E9AEF69F-44F4-456E-8796-26EE4D47984A}\94F4E40424C6F636B6D293: NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{E9AEF69F-44F4-456E-8796-26EE4D47984A}\94F4E404D416E6960716C6D294E646F6F627: NameServer = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\users\ACEr\AppData\Roaming\Mozilla\Firefox\Profiles\8ji6twfj.default-1340277873667\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/
FF - prefs.js: keyword.URL - hxxp://indiasearcher.in/r.asp#
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2013-04-04 18:35; jid1-4P0kohSJxU1qGg@jetpack; c:\users\ACEr\AppData\Roaming\Mozilla\Firefox\Profiles\8ji6twfj.default-1340277873667\extensions\jid1-4P0kohSJxU1qGg@jetpack.xpi
FF - user.js: keyword.URL - hxxp://indiasearcher.in/r.asp#);user_pref(browser.startup.homepage, http://indiasearcher.in/r.asp#
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1153995095-883336955-617581567-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:a8,a4,1f,60,58,2b,9d,fb,e5,22,93,63,0b,32,c2,cb,2b,bd,db,4f,1f,12,e5,
   64,a5,b0,e5,0c,38,b5,19,58,82,02,83,2e,f6,18,1c,af,58,00,df,10,b6,1b,bf,4d,\
"??"=hex:69,6f,5c,46,6a,89,f9,ee,2d,48,e0,10,87,42,1e,12
.
[HKEY_USERS\S-1-5-21-1153995095-883336955-617581567-1003\Software\SecuROM\License information*]
"datasecu"=hex:74,3c,81,2a,04,2f,ad,d0,c5,35,fb,ea,53,98,f0,b4,f8,a3,c4,38,06,
   07,47,56,d7,7c,42,13,ee,7e,e7,52,e1,77,f5,dd,2b,1e,a7,7a,fb,f0,ca,24,c8,dd,\
"rkeysecu"=hex:d3,a8,cc,29,a3,b8,60,61,60,8c,01,66,db,c4,9e,fc
.
[HKEY_USERS\S-1-5-21-1153995095-883336955-617581567-1003_Classes\CLSID\{53e76f9e-f133-40b7-aed9-3b2860eb2eb1}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:00000159
"Therad"=dword:00000022
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
   38,95,44,85,b1,12,f9,90,dd,23,a1,a5,15,d8,a6,04,59,b6,a3,fc,21,11,71,1f,dc,\
.
[HKEY_USERS\S-1-5-21-1153995095-883336955-617581567-1003_Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"scansk"=hex(0):5e,f1,9d,70,7b,0a,c4,da,b6,9b,ee,4a,01,e2,40,85,b1,50,e3,e0,a9,
   98,c6,7b,d7,d3,01,7d,c9,ad,f7,2a,4b,12,31,ae,ef,85,66,e8,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3420)
c:\windows\system32\CbFsMntNtf3.dll
c:\windows\system32\CbFsNetRdr3.dll
c:\program files\WIDCOMM\Bluetooth Software\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\windows\system32\WLANExt.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\btwdins.exe
c:\program files\Connectify\ConnectifyD.exe
c:\windows\system32\conhost.exe
c:\program files\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\windows\system32\taskhost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2013-05-11  21:55:30 - machine was rebooted
ComboFix-quarantined-files.txt  2013-05-11 16:25
ComboFix2.txt  2013-05-11 13:37
.
Pre-Run: 1,985,650,688 bytes free
Post-Run: 1,968,087,040 bytes free
.
- - End Of File - - 7B68AF1F8C21E3354EAFEFA3B5E49609
 



#12 nasdaq

nasdaq

  • Malware Response Team
  • 38,770 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:56 AM

Posted 11 May 2013 - 12:37 PM


The bad extension was not removed.

FF - ExtSQL: 2013-04-04 18:35; jid1-4P0kohSJxU1qGg@jetpack; c:\users\ACEr\AppData\Roaming\Mozilla\Firefox\Profiles\8ji6twfj.default-1340277873667\extensions\jid1-4P0kohSJxU1qGg@jetpack.xpi



Close Firefox and delete the file in bold.
FF - ExtSQL: 2013-04-04 18:35; jid1-4P0kohSJxU1qGg@jetpack; c:\users\ACEr\AppData\Roaming\Mozilla\Firefox\Profiles\8ji6twfj.default-1340277873667\extensions\jid1-4P0kohSJxU1qGg@jetpack.xpi

===

Let me know what problem persists.

#13 SatanicSaint

SatanicSaint
  • Topic Starter

  • Members
  • 18 posts
  • Local time:12:26 PM

Posted 11 May 2013 - 01:35 PM

I have deleted that file. Is my computer now infection free? How can I clean my external hard disk?

Edit: I opened Firefox after deleting that file and my homepage was changed again.

Edited by SatanicSaint, 11 May 2013 - 01:39 PM.


#14 nasdaq

nasdaq

  • Malware Response Team
  • 38,770 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:56 AM

Posted 11 May 2013 - 01:43 PM

Change to what page?

Is this item jid1-4P0kohSJxU1qGg@jetpack still in your Firefox extensions? If so, remove it.

#15 SatanicSaint

SatanicSaint
  • Topic Starter

  • Members
  • 18 posts
  • Local time:12:26 PM

Posted 11 May 2013 - 01:45 PM

It's not there. The home page was changed to http://indiasearcher.in/r.asp#


Edited by SatanicSaint, 11 May 2013 - 01:46 PM.
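The ComboFix log above carries an "FF - user.js: keyword.URL" line whose value breaks out of its string and appends a second user_pref() call for browser.startup.homepage; Firefox re-applies user.js on every start, so such an entry outlives the deletion of an extension. As an added example that is not part of this thread or of ComboFix, the Python checker below parses a user.js/prefs.js and flags both that escaped-string injection and startup/search preferences pointing at hosts outside an allowlist; the sample file and the trusted-host list are constructed for the example.

```python
"""Flag hijacked startup/search preferences in a Firefox user.js or prefs.js.

Added example; not code from this thread or from ComboFix. It assumes the
Firefox preference file format of one `user_pref("name", value);` per line.
user.js is re-applied on every Firefox start, so a hijacked value there
survives deleting an extension or resetting the homepage in the UI.
"""
import re
import sys
from urllib.parse import urlparse

# Preferences that decide where Firefox goes at startup or when searching.
WATCHED_PREFS = {"browser.startup.homepage", "keyword.URL"}

# Hosts the profile owner expects in those prefs (assumption for the example).
TRUSTED_HOSTS = {"www.google.com", "www.google.co.in"}

# Name in quotes, then the value up to the final ");" on the line.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\);\s*$')

# Constructed sample user.js, modelled on the "FF - user.js" line of the log:
# the third line's value closes its string and appends a second user_pref().
SAMPLE_USER_JS = '''\
user_pref("browser.startup.homepage", "http://www.google.co.in/");
user_pref("network.proxy.type", 0);
user_pref("keyword.URL", "http://indiasearcher.in/r.asp#");user_pref("browser.startup.homepage", "http://indiasearcher.in/r.asp#");
'''


def parse_prefs(text):
    """Return (name, raw_value) pairs for every user_pref line in text."""
    pairs = []
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def find_hijacks(text):
    """Return (pref_name, reason) findings for suspicious user_pref lines."""
    findings = []
    for name, raw in parse_prefs(text):
        # A value containing another user_pref( call or a ");" has escaped
        # its string literal: the injection pattern seen in the log.
        if "user_pref(" in raw or ");" in raw:
            findings.append((name, "injected user_pref() inside value"))
            continue
        if name not in WATCHED_PREFS:
            continue
        value = raw.strip('"')
        host = urlparse(value).netloc.lower() if "://" in value else ""
        if host and host not in TRUSTED_HOSTS:
            findings.append((name, "points at untrusted host " + host))
    return findings


def main(argv):
    # With a path argument, check that file; otherwise check the sample.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_USER_JS
    for name, reason in find_hijacks(text):
        print("SUSPICIOUS %s: %s" % (name, reason))


if __name__ == "__main__":
    main(sys.argv)
```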




