Unknown BHO and Internet slowdown...But no results from AV and Online Scanners


This topic is locked
8 replies to this topic

#1 Ajantes

  • Members
  • 10 posts

Posted 15 May 2013 - 11:14 PM

After experiencing a prolonged (several hour) period of very slow internet connectivity, I ran HijackThis to see if anything unusual was showing up on the list. I got some results I hadn't seen before, so I ran the log through the automated analyser at the HijackThis website.

The results showed one entry which appeared to be malware of some sort. However, having taken your advice in the past, I don't now make alterations with HijackThis myself. Instead I updated and ran ESET's Online Scanner, updated and ran MalwareBytes Anti-Malware and then ran a full system scan using my AV Software (Norton Internet Security 2013).

Unfortunately, none of these found or removed any infected files, leaving me unsure whether my computer is truly infected or not.

Below and attached are the requested files from DDS.

Many thanks in advance for the selfless assistance,

Ajantes


DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16483  BrowserJavaVersion: 10.7.2
Run by Houghton at 4:50:43 on 2013-05-16
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.3325.1840 [GMT 1:00]
.
AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\SLsvc.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Norton Internet Security\Engine\19.9.1.14\ccSvcHst.exe
C:\Program Files\Norton Internet Security\Engine\19.9.1.14\ccSvcHst.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton internet security\engine\19.9.1.14\coieplg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton internet security\engine\19.9.1.14\ips\ipsbho.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - <orphaned>
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton internet security\engine\19.9.1.14\coieplg.dll
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{1A7843B2-5F89-4479-86A8-8164FDF52C61} : DHCPNameServer = 172.11.0.1
TCP: Interfaces\{B5623776-CD9A-4AA5-894D-C63C3DE8A844} : DHCPNameServer = 192.168.1.254
Notify: AutorunsDisabled - <no file>
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\houghton\appdata\roaming\mozilla\firefox\profiles\4iidcp8j.default\
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\google\update\1.3.21.145\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_7_700_169.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
FF - ExtSQL: 2013-04-09 15:53; afurladvisor@anchorfree.com; c:\program files\mozilla firefox\extensions\afurladvisor@anchorfree.com
FF - ExtSQL: 2013-04-09 17:12; {5B52016C-D097-4aec-BE61-9F129D8FDDBA}; c:\users\houghton\appdata\roaming\mozilla\firefox\profiles\4iidcp8j.default\extensions\{5B52016C-D097-4aec-BE61-9F129D8FDDBA}.xpi
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-4 64288]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1309010.00e\symds.sys [2013-2-6 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1309010.00e\symefa.sys [2013-2-6 924320]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_19.5.0.145\definitions\bashdefs\20130502.001\BHDrvx86.sys [2013-5-7 1000024]
R1 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\nis\1309010.00e\ccsetx86.sys [2013-2-6 132768]
R1 HssDRV6;Hotspot Shield Routing Driver 6;c:\windows\system32\drivers\hssdrv6.sys [2013-4-3 40136]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_19.5.0.145\definitions\ipsdefs\20130515.001\IDSvix86.sys [2013-5-15 386720]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1309010.00e\ironx86.sys [2013-2-6 149624]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1309010.00e\symtdiv.sys [2013-2-6 345208]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\19.9.1.14\ccsvchst.exe [2013-2-6 138272]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2013-1-18 383264]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-8-9 106656]
R3 taphss6;Anchorfree HSS VPN Adapter;c:\windows\system32\drivers\taphss6.sys [2013-4-3 29184]
S2 HssWd;Hotspot Shield Monitoring Service;c:\program files\hotspot shield\bin\hsswd.exe --> c:\program files\hotspot shield\bin\hsswd.exe [?]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2012-4-26 13224]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S4 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2012-7-25 1326176]
S4 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2012-7-25 681056]
S4 Sony PC Companion;Sony PC Companion;c:\program files\sony\sony pc companion\PCCService.exe [2012-4-26 155320]
S4 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\o2\bin\sprtsvc.exe [2007-6-7 202280]
.
=============== Created Last 30 ================
.
2013-05-15 20:53:41    712264    ----a-w-    c:\windows\isRS-000.tmp
2013-05-15 07:26:58    7016152    ----a-w-    c:\programdata\microsoft\windows defender\definition updates\{48d699d0-2ce0-4f1d-9211-48326d9b25be}\mpengine.dll
2013-05-15 07:19:50    2382848    ----a-w-    c:\windows\system32\mshtml.tlb
2013-05-15 03:12:53    638328    ----a-w-    c:\windows\system32\drivers\dxgkrnl.sys
2013-05-15 03:12:53    37376    ----a-w-    c:\windows\system32\cdd.dll
2013-05-15 03:12:49    2049024    ----a-w-    c:\windows\system32\win32k.sys
2013-05-14 10:21:38    --------    d-----w-    c:\users\houghton\appdata\local\SWTORPerf
2013-05-06 03:55:23    --------    d-----w-    c:\program files\Cryptic Studios
.
==================== Find3M  ====================
.
2013-05-02 01:06:08    238872    ------w-    c:\windows\system32\MpSigStub.exe
2013-04-17 20:39:24    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-04-17 20:39:24    691592    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-04-04 22:11:34    1800704    ----a-w-    c:\windows\system32\jscript9.dll
2013-04-04 22:02:59    1427968    ----a-w-    c:\windows\system32\inetcpl.cpl
2013-04-04 22:02:17    1129472    ----a-w-    c:\windows\system32\wininet.dll
2013-04-04 21:58:51    142848    ----a-w-    c:\windows\system32\ieUnatt.exe
2013-04-04 21:57:45    420864    ----a-w-    c:\windows\system32\vbscript.dll
2013-04-04 13:50:32    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-04-03 00:59:50    29184    ----a-w-    c:\windows\system32\drivers\taphss6.sys
2013-04-03 00:48:22    40136    ----a-w-    c:\windows\system32\drivers\hssdrv6.sys
2013-03-11 13:25:50    3603816    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-03-11 13:25:50    3551080    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-03-09 03:45:04    49152    ----a-w-    c:\windows\system32\csrsrv.dll
2013-03-09 01:28:08    64000    ----a-w-    c:\windows\system32\smss.exe
2013-03-08 03:53:50    376320    ----a-w-    c:\windows\system32\winsrv.dll
2013-03-08 03:52:22    2067968    ----a-w-    c:\windows\system32\mstscax.dll
2013-03-03 19:07:52    1082232    ----a-w-    c:\windows\system32\drivers\ntfs.sys
2013-02-25 23:22:36    1985824    ----a-w-    c:\windows\system32\nvcuvenc.dll
2013-02-25 23:22:36    1017120    ----a-w-    c:\windows\system32\nvdispco32.dll
2013-02-25 23:22:34    6262608    ----a-w-    c:\windows\system32\nvopencl.dll
2013-02-25 23:22:32    892704    ----a-w-    c:\windows\system32\nvdispgenco32.dll
2013-02-25 23:22:32    2505144    ----a-w-    c:\windows\system32\nvapi.dll
2013-02-25 23:22:32    12641992    ----a-w-    c:\windows\system32\nvwgf2um.dll
2013-02-25 23:22:30    15129960    ----a-w-    c:\windows\system32\nvd3dum.dll
2013-02-25 23:22:26    7932256    ----a-w-    c:\windows\system32\nvcuda.dll
2013-02-25 23:22:22    17560352    ----a-w-    c:\windows\system32\nvcompiler.dll
2013-02-25 23:22:08    20449056    ----a-w-    c:\windows\system32\nvoglv32.dll
2013-02-25 23:22:06    8939296    ----a-w-    c:\windows\system32\drivers\nvlddmkm.sys
2013-02-25 23:22:06    2720544    ----a-w-    c:\windows\system32\nvcuvid.dll
.
============= FINISH:  4:51:13.24 ===============
 

 

 

 

#2 nasdaq

  • Malware Response Team
  • 40,747 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 19 May 2013 - 09:08 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Search and delete the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete tab follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Link 1
Link 2

IMPORTANT !!! Save ComboFix.exe to your Desktop

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe and follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note: Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third party programs, if not up to date, can be the cause of infiltration and infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please paste the logs in your next reply; DO NOT ATTACH THEM.
Let me know what problem persists.

#3 Ajantes
  • Topic Starter

  • Members
  • 10 posts

Posted 20 May 2013 - 01:35 AM

Hi nasdaq, thanks very much for your assistance, it's really appreciated!

I do not currently have any highly visible malware problems with my PC. My internet connection has been suspiciously slow in the days between when I first posted and now, but there's nothing really obviously wrong. I have only just run the scans you asked for, so I'm not sure if this has affected my connection speed or not.

Here are the three logs you requested for your perusal.

AdwCleaner Log:-


# AdwCleaner v2.301 - Logfile created 05/20/2013 at 06:41:09
# Updated 16/05/2013 by Xplode
# Operating system : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# User : Houghton - HOUGHTON-PC
# Boot Mode : Normal
# Running from : C:\Users\Houghton\Desktop\Downloads\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Program Files\Mozilla Firefox\Extensions\afurladvisor@anchorfree.com

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Deleted : HKU\S-1-5-21-1901112112-2135519177-4131396829-1005\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16483

[OK] Registry is clean.

-\\ Mozilla Firefox v20.0.1 (en-US)

File : C:\Users\Houghton\AppData\Roaming\Mozilla\Firefox\Profiles\4iidcp8j.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1749 octets] - [20/05/2013 06:39:09]
AdwCleaner[S1].txt - [1541 octets] - [20/05/2013 06:41:09]

########## EOF - C:\AdwCleaner[S1].txt - [1601 octets] ##########

 

 

 

 

ComboFix Log:-

 

ComboFix 13-05-18.04 - Houghton 20/05/2013   6:58.3.4 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.3325.2226 [GMT 1:00]
Running from: c:\users\Houghton\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2013-04-20 to 2013-05-20  )))))))))))))))))))))))))))))))
.
.
2013-05-20 06:06 . 2013-05-20 06:06    --------    d-----w-    c:\users\Houghton\AppData\Local\temp
2013-05-20 06:06 . 2013-05-20 06:06    --------    d-----w-    c:\users\UpdatusUser\AppData\Local\temp
2013-05-15 07:26 . 2013-05-13 06:19    7016152    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{48D699D0-2CE0-4F1D-9211-48326D9B25BE}\mpengine.dll
2013-05-15 07:19 . 2013-05-05 19:12    2382848    ----a-w-    c:\windows\system32\mshtml.tlb
2013-05-15 03:12 . 2013-04-15 14:20    638328    ----a-w-    c:\windows\system32\drivers\dxgkrnl.sys
2013-05-15 03:12 . 2013-04-13 10:56    37376    ----a-w-    c:\windows\system32\cdd.dll
2013-05-15 03:12 . 2013-04-09 01:36    2049024    ----a-w-    c:\windows\system32\win32k.sys
2013-05-14 10:21 . 2013-05-14 10:21    --------    d-----w-    c:\users\Houghton\AppData\Local\SWTORPerf
2013-05-06 03:55 . 2013-05-06 05:55    --------    d-----w-    c:\program files\Cryptic Studios
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-02 01:06 . 2010-01-26 19:46    238872    ------w-    c:\windows\system32\MpSigStub.exe
2013-04-17 20:39 . 2012-09-20 13:06    691592    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-04-17 20:39 . 2012-09-19 23:06    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-04-04 13:50 . 2012-09-15 15:38    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-04-03 00:59 . 2013-04-03 00:59    29184    ----a-w-    c:\windows\system32\drivers\taphss6.sys
2013-04-03 00:48 . 2013-04-03 00:48    40136    ----a-w-    c:\windows\system32\drivers\hssdrv6.sys
2013-03-11 13:25 . 2013-04-09 23:40    3603816    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-03-11 13:25 . 2013-04-09 23:40    3551080    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-03-09 03:45 . 2013-04-09 23:40    49152    ----a-w-    c:\windows\system32\csrsrv.dll
2013-03-09 01:28 . 2013-04-09 23:40    64000    ----a-w-    c:\windows\system32\smss.exe
2013-03-08 03:53 . 2013-04-09 23:40    376320    ----a-w-    c:\windows\system32\winsrv.dll
2013-03-08 03:52 . 2013-04-09 23:40    2067968    ----a-w-    c:\windows\system32\mstscax.dll
2013-03-03 19:07 . 2013-04-09 23:40    1082232    ----a-w-    c:\windows\system32\drivers\ntfs.sys
2013-02-25 23:22 . 2013-02-25 23:22    1985824    ----a-w-    c:\windows\system32\nvcuvenc.dll
2013-02-25 23:22 . 2012-10-10 21:14    1017120    ----a-w-    c:\windows\system32\nvdispco32.dll
2013-02-25 23:22 . 2013-02-25 23:22    6262608    ----a-w-    c:\windows\system32\nvopencl.dll
2013-02-25 23:22 . 2013-02-25 23:22    2505144    ----a-w-    c:\windows\system32\nvapi.dll
2013-02-25 23:22 . 2013-02-25 23:22    12641992    ----a-w-    c:\windows\system32\nvwgf2um.dll
2013-02-25 23:22 . 2012-10-10 21:14    892704    ----a-w-    c:\windows\system32\nvdispgenco32.dll
2013-02-25 23:22 . 2013-02-25 23:22    15129960    ----a-w-    c:\windows\system32\nvd3dum.dll
2013-02-25 23:22 . 2013-02-25 23:22    7932256    ----a-w-    c:\windows\system32\nvcuda.dll
2013-02-25 23:22 . 2013-02-25 23:22    17560352    ----a-w-    c:\windows\system32\nvcompiler.dll
2013-02-25 23:22 . 2013-02-25 23:22    20449056    ----a-w-    c:\windows\system32\nvoglv32.dll
2013-02-25 23:22 . 2013-02-25 23:22    8939296    ----a-w-    c:\windows\system32\drivers\nvlddmkm.sys
2013-02-25 23:22 . 2013-02-25 23:22    2720544    ----a-w-    c:\windows\system32\nvcuvid.dll
2009-05-01 21:02 . 2013-04-04 02:32    1044480    ----a-w-    c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2013-04-04 02:32    200704    ----a-w-    c:\program files\mozilla firefox\plugins\ssldivx.dll
2013-04-12 07:37 . 2013-04-04 02:32    263064    ----a-w-    c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2013-04-16 15:10    576976    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2013-04-16 15:10    576976    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2013-04-16 15:10    576976    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2013-04-16 15:10    576976    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
2011-10-31 15:20    13672    ----a-w-    c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Secunia PSI Tray.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
backup=c:\windows\pss\Secunia PSI Tray.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-12-03 07:35    946352    ----a-w-    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-08-27 20:32    59280    ----a-w-    c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoogleDriveSync]
2013-04-16 15:10    19662744    ----a-w-    c:\program files\Google\Drive\googledrivesync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-09-09 22:30    421776    ----a-w-    c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
2008-01-15 12:31    106496    ----a-w-    c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDVCPL]
2012-06-11 11:28    10996368    ------w-    c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2012-12-26 12:57    1354736    ----a-w-    c:\program files\Steam\steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-07-03 08:04    252848    ----a-w-    c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs    REG_MULTI_SZ       BthServ
LocalServiceAndNoImpersonation    REG_MULTI_SZ       FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-23 18:46]
.
2013-05-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-23 18:46]
.
.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
Trusted Zone: o2.co.uk\*.broadband
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Houghton\AppData\Roaming\Mozilla\Firefox\Profiles\4iidcp8j.default\
FF - ExtSQL: 2013-04-09 17:12; {5B52016C-D097-4aec-BE61-9F129D8FDDBA}; c:\users\Houghton\AppData\Roaming\Mozilla\Firefox\Profiles\4iidcp8j.default\extensions\{5B52016C-D097-4aec-BE61-9F129D8FDDBA}.xpi
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-05-20 07:06
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\19.9.1.14\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\19.9.1.14\diMaster.dll\" /prefetch:1"
.
Completion time: 2013-05-20  07:08:33
ComboFix-quarantined-files.txt  2013-05-20 06:08
.
Pre-Run: 259,061,047,296 bytes free
Post-Run: 259,029,856,256 bytes free
.
- - End Of File - - DAEBF7B032267B0614C8F0383C2142A3
 

 

 

 

SecurityCheck Log:-

 

 

 Results of screen317's Security Check version 0.99.63  
 Windows Vista Service Pack 2 x86 (UAC is enabled)  
 Internet Explorer 9  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Disabled!  
Norton Internet Security   
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Secunia PSI (3.0.0.3001)   
 Malwarebytes Anti-Malware version 1.75.0.1300  
 CCleaner (remove only)   
 JavaFX 2.1.1    
 Java 7 Update 7  
 Java version out of Date!
 Adobe Flash Player     11.7.700.169  
 Adobe Reader 10.1.6 Adobe Reader out of Date!  
 Mozilla Firefox (20.0.1)
````````Process Check: objlist.exe by Laurent````````  
 Norton ccSvcHst.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:  %
````````````````````End of Log``````````````````````
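As an added example (not code from the thread, and not part of DDS or AdwCleaner), the script below shows how a responder could mechanically pick out the entry nasdaq acted on: it reads the BHO/TB lines of the DDS "Pseudo HJT Report" from post #1, flags the CLSID that resolves to no file, and then checks the AdwCleaner log above to confirm the matching registry keys were deleted. The "expected directories" heuristic and the one extra sample line are assumptions, labelled as such in the code.

```python
"""Triage Browser Helper Object (BHO) entries from a DDS "Pseudo HJT Report".

Added illustration for this thread; not part of DDS, AdwCleaner or any post.
It parses the BHO:/TB: lines DDS prints, flags entries whose CLSID resolves
to no file ("<orphaned>", the entry in post #1) or to a DLL outside the usual
program directories, then checks an AdwCleaner log to confirm the matching
registry keys were removed. The directory heuristic is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
ENTRY_RE = re.compile(rf"^(?P<kind>BHO|TB): (?:(?P<name>.+?): )?(?P<clsid>{CLSID}) - (?P<target>.*)$")
KEY_DELETED_RE = re.compile(r"^Key Deleted : (?P<key>.+)$")
CLSID_RE = re.compile(CLSID)

# Where a legitimately installed BHO normally lives (assumed heuristic).
# DDS lowercases paths in this section, so comparisons are lower-cased.
EXPECTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# BHO/TB lines copied from the DDS log in post #1.
SAMPLE_DDS = r"""
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton internet security\engine\19.9.1.14\coieplg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton internet security\engine\19.9.1.14\ips\ipsbho.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - <orphaned>
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton internet security\engine\19.9.1.14\coieplg.dll
"""

# Registry lines copied from the AdwCleaner log in post #3.
SAMPLE_ADW = r"""
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}
"""

# Constructed line (NOT from the thread) exercising the second flag: a BHO
# whose DLL sits in a user temp directory. CLSID and path are made up.
CONSTRUCTED_LINE = r"BHO: {0A0A0A0A-1B1B-2C2C-3D3D-4E4E4E4E4E4E} - c:\users\houghton\appdata\local\temp\urlhelper.dll"


@dataclass(frozen=True)
class Entry:
    kind: str    # "BHO" or "TB"
    name: str    # display name, empty when DDS printed none
    clsid: str   # upper-cased {GUID}
    target: str  # DLL path or "<orphaned>"


def parse_entries(dds_text: str) -> List[Entry]:
    """Collect the BHO: and TB: lines from a DDS log."""
    entries = []
    for line in dds_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["kind"], m["name"] or "", m["clsid"].upper(), m["target"].strip()))
    return entries


def triage(entry: Entry) -> Optional[str]:
    """Return why the entry deserves a look, or None if it looks ordinary."""
    target = entry.target.lower()
    if target in ("<orphaned>", "<no file>"):
        return "orphaned registration: CLSID points at no file"
    if not target.startswith(EXPECTED_DIRS):
        return "loads from an unusual location: " + entry.target
    if not entry.name:
        return "registered without a display name"
    return None


def deleted_clsids(adw_text: str) -> Set[str]:
    """CLSIDs found in registry keys that AdwCleaner reports as deleted."""
    found = set()
    for line in adw_text.splitlines():
        m = KEY_DELETED_RE.match(line.strip())
        if m:
            found.update(c.upper() for c in CLSID_RE.findall(m["key"]))
    return found


def reconcile(dds_text: str, adw_text: str) -> List[Dict[str, object]]:
    """Flagged DDS entries, each marked with whether AdwCleaner removed its key."""
    removed = deleted_clsids(adw_text)
    report = []
    for entry in parse_entries(dds_text):
        reason = triage(entry)
        if reason:
            report.append({"kind": entry.kind, "clsid": entry.clsid,
                           "reason": reason, "removed": entry.clsid in removed})
    return report


if __name__ == "__main__":
    for row in reconcile(SAMPLE_DDS + "\n" + CONSTRUCTED_LINE, SAMPLE_ADW):
        status = "removed by AdwCleaner" if row["removed"] else "still registered"
        print(f'{row["kind"]} {row["clsid"]}: {row["reason"]} ({status})')
```

Run against the thread's own lines the report contains exactly one entry, the orphaned {F9E4A054-...} CLSID, and shows it as removed by the two "Browser Helper Objects" and "Ext\Stats" key deletions in the AdwCleaner log.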
 



#4 nasdaq

  • Malware Response Team
  • 40,747 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 20 May 2013 - 08:00 AM

Looking good.

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present remove the old version(s) of Java using the Add/Remove Programs applet.

Java 7 Update 7

Note
Java security update installs Ask Toolbar by default -- a single click in a multi-step installer.
http://www.benedelman.org/images/iac-jan13/ask-iac-011613-small.png
I suggest that you un-check the box "Install the Ask Toolbar" before proceeding.
===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before you download, I suggest you uncheck the box on the top right, "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.

Please let me know if the problem persists.

#5 Ajantes
  • Topic Starter

  • Members
  • 10 posts

Posted 20 May 2013 - 09:55 AM

Thanks for the fast reply.

I've updated both Adobe Reader and Java, and SecurityCheck now recognises both programs as up to date.

My internet connection now seems to be back up to normal speed, so hopefully any problems are solved!

If I could trouble you with a couple more queries:

Based on the malware found and removed by both AdwCleaner and Combofix, would you recommend that I change important passwords and the like? I have not used anything particularly sensitive since the problems began (only email and online gaming log-ins) - would you recommend changing all passwords, no passwords or just the passwords I've used since my problems started?

I realise that it is ultimately my choice and my responsibility as to whether and what passwords I decide to change, but I was just wondering how concerned I should be and what your recommendations were, based on the types of malware detected and removed in the scans.

Many thanks again for all your assistance,

Rich


Edited by Ajantes, 20 May 2013 - 09:59 AM.


#6 Ajantes
  • Topic Starter

  • Members
  • 10 posts

Posted 20 May 2013 - 09:58 AM

I forgot to also ask: should I go ahead and remove the tools and scanners (including ComboFix) that were used in the cleanup process now?



#7 nasdaq

  • Malware Response Team
  • 40,747 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 20 May 2013 - 10:06 AM

The problem was caused by this AdWare.

AnchorFree URL Advisor Note: AdWare, PUP (Potentially Unwanted Program)


Nothing to worry about unless you did not install this.
http://www.anchorfree.com/hotspot-shield-VPN-download-windows.php

Source: http://www.systemlookup.com/FF_Extensions/78-afurladvisor_anchorfree_com.html

===

If all is well:

Time for some housekeeping
  • The following will implement some cleanup procedures as well as reset System Restore points:
  • Click Start > Run and copy/paste the following bold text into the Run box and click OK:
  • ComboFix /Uninstall
===

To remove AdwCleaner.

Please double click on AdwCleaner.exe to run the tool.
Click on Uninstall.
Confirm with Yes.

If you decide to keep the AdwCleaner tool make sure to delete your version and download the latest before running it.

Delete the other tools we used.
You can keep the DDS tool, as most forums will ask to see a log before suggesting a fix.

Surf Safely, and Think Prevention!
===

#8 Ajantes
  • Topic Starter

  • Members
  • 10 posts

Posted 20 May 2013 - 08:23 PM

Everything appears to be working fine now and running at normal speed, and I installed Hotspot Shield myself, so I should be OK.

A thousand thanks for your fast, clear and effective assistance. The service you guys provide on this site is truly excellent, especially as you do it as volunteers!

Thanks again,

Rich



#9 nasdaq

  • Malware Response Team
  • 40,747 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 21 May 2013 - 08:43 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



