
Persistent unknown infection, please help!


  • This topic is locked
16 replies to this topic

#1 Gnostiko

Gnostiko

  • Members
  • 8 posts
  • OFFLINE
  • Local time:12:22 PM

Posted 22 May 2013 - 04:30 AM

Hi all,

 

Decided to register and post this as I've been having an ongoing issue and it seems the help and support given here is top notch.

 

I'm no stranger to spyware/malware/virus infection and removal but this latest issue I'm having is a complete pain. It started with a random command prompt request when I wasn't doing anything that would require a command prompt, I felt it was suspicious when I hit the cancel button and the request kept popping up. I had to keep rapidly clicking cancel, but whilst attempting to click something else I ended up hitting 'ok', presumably infecting my system. I noticed that my Internet Explorer was frequently hanging and crashing after that; tellingly, every time I try to access any kind of website to do with spyware/malware/virus removal, Internet Explorer conveniently cannot load the page. More infuriatingly, I can't download anything, anything at all, from .jpegs to info files, to even patching an MMORPG. Downloads simply hang, or the downloader box just disappears midstream.

 

I've booted the computer into safe mode numerous times to try to fix the problem; I've run rkill, MBAM, SuperAntiSpyware, and even Combofix, but no success with any of those. SuperAntiSpyware reveals the same problem each time - it detects 3 'DisabledSecurityOptions' and a bunch of tracking cookies. Whilst SAS tells me it has successfully quarantined/deleted them, they show up again on the next scan. Related to the download problem above, I cannot update the database for SAS, as I get a 'download fail' message when attempting to update the definitions. MBAM reveals a Hijack and 3 other errors I've never heard of; again, though MBAM reports a successful quarantine/delete, they show up again in the next scan. Combofix, which usually blitzes my problems, doesn't seem to do anything at all. This is also the first time I've had to rename Combofix.exe, as the program previously shut down midway through the installer. Eset.com, which is also a reliable scanner I've used in the past, can't update its definition database to begin scanning.

 

I'm at my wits' end here, any help would be appreciated!

 

Combofix log attached, per admin instruction:

 

ComboFix 13-05-21.01 - Ben 21/05/2013  23:44:06.15.2 - x86
Microsoft® Windows Vista™ Home Basic   6.0.6002.2.1252.44.1033.18.3325.2362 [GMT 1:00]
Running from: c:\users\Ben\Desktop\blab.exe
AV: Lavasoft Ad-Aware *Enabled/Updated* {445B48C3-0FA4-6B16-8F07-6506F305D800}
FW: Lavasoft Ad-Aware *Disabled* {7C60C9E6-45CB-6A4E-A458-CC330DD69F7B}
SP: Lavasoft Ad-Aware *Enabled/Updated* {FF3AA927-299E-6498-B5B7-5E74888292BD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Ben\AppData\Local\agkdybvr.log
c:\users\Ben\AppData\Local\hjapnajd.log
c:\users\Ben\AppData\Local\iahdjaqa.log
c:\users\Ben\AppData\Local\jwwshhqq.log
c:\users\Ben\AppData\Local\msukpvau.log
c:\users\Ben\AppData\Local\tybqhsrq.log
c:\users\Ben\AppData\Local\vurntrvt.log
c:\users\Ben\AppData\Local\xwvgyyhm\gdnwubog.exe
c:\windows\system32\drivers\etc\hosts.ics
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MICORSOFT_WINDOWS_SERVICE
.
.
(((((((((((((((((((((((((   Files Created from 2013-04-21 to 2013-05-21  )))))))))))))))))))))))))))))))
.
.
2013-05-21 23:21 . 2013-05-21 23:25 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2013-05-21 23:21 . 2013-05-21 23:21 -------- d-----w- c:\users\user\AppData\Local\temp
2013-05-21 23:21 . 2013-05-21 23:21 -------- d-----w- c:\users\Public\AppData\Local\temp
2013-05-21 23:21 . 2013-05-21 23:21 -------- d-----w- c:\users\Mom\AppData\Local\temp
2013-05-21 23:21 . 2013-05-21 23:21 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-05-20 22:53 . 2013-05-21 23:28 -------- d-----w- c:\users\Ben\AppData\Local\temp
2013-05-04 16:07 . 2013-03-15 05:46 8952608 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2013-05-04 16:07 . 2013-03-15 05:46 892704 ----a-w- c:\windows\system32\nvdispgenco3231422.dll
2013-05-04 16:07 . 2013-03-15 05:46 6271872 ----a-w- c:\windows\system32\nvopencl.dll
2013-05-04 16:07 . 2013-03-15 05:46 2728736 ----a-w- c:\windows\system32\nvcuvid.dll
2013-05-04 16:07 . 2013-03-15 05:46 20542752 ----a-w- c:\windows\system32\nvoglv32.dll
2013-05-04 16:07 . 2013-03-15 05:46 1995552 ----a-w- c:\windows\system32\nvcuvenc.dll
2013-05-04 16:07 . 2013-03-15 05:46 13088000 ----a-w- c:\windows\system32\nvwgf2um.dll
2013-05-04 16:07 . 2013-03-15 05:46 1012512 ----a-w- c:\windows\system32\nvdispco3231422.dll
2013-05-04 16:07 . 2013-03-15 05:46 7959000 ----a-w- c:\windows\system32\nvcuda.dll
2013-05-04 16:07 . 2013-03-15 05:46 17560352 ----a-w- c:\windows\system32\nvcompiler.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-18 13:30 . 2012-07-17 20:15 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-18 13:29 . 2011-12-11 17:00 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-01 07:08 . 2009-08-18 11:24 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-04-04 13:50 . 2011-09-27 05:32 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-03-15 05:46 . 2008-10-07 12:33 2539128 ----a-w- c:\windows\system32\nvapi.dll
2013-03-15 05:46 . 2008-10-07 12:33 15042928 ----a-w- c:\windows\system32\nvd3dum.dll
2013-03-15 02:59 . 2011-01-07 21:06 4119328 ----a-w- c:\windows\system32\nvcpl.dll
2013-03-15 02:59 . 2011-01-07 21:06 3014432 ----a-w- c:\windows\system32\nvsvc.dll
2013-03-15 02:59 . 2011-01-07 21:06 634144 ----a-w- c:\windows\system32\nvvsvc.exe
2013-03-15 02:59 . 2011-01-07 21:06 223008 ----a-w- c:\windows\system32\nvmctray.dll
2013-03-15 02:59 . 2009-06-10 07:34 62752 ----a-w- c:\windows\system32\nvshext.dll
2009-12-06 17:18 26624 --sh--w- c:\windows\bfcs2.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTAgent.exe" [2012-10-23 3108480]
"GdnWubog"="c:\users\Ben\AppData\Local\xwvgyyhm\gdnwubog.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2011-10-17 11430504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-12-19 41208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-02-20 152392]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeAnimation"= 0 (0x0)
"NoStrCmpLogical"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 0 (0x0)
"NoStrCmpLogical"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\users\Ben\AppData\Local\xwvgyyhm\gdnwubog.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ad-Aware Service]
@="Ad-Aware Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Aware Antivirus]
c:\program files\Ad-Aware Antivirus\AdAwareLauncher --windows-run [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Aware Browsing Protection]
2011-10-21 09:09 198032 ----a-w- c:\programdata\Ad-Aware Browsing Protection\adawarebp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-04-04 21:06 958576 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-12-19 14:39 41208 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2013-01-28 13:08 59720 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-27 19:03 152872 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-07-28 23:08 1259376 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2013-02-20 12:35 152392 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2008-06-09 10:16 2363392 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\monegf]
c:\users\Ben\AppData\Roaming\monegf.dll [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-09-23 00:47 4240760 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 15:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-09-17 12:41 254896 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"ANTIVIRUSDISABLENOTIFY"=dword:00000001
"FIREWALLDISABLENOTIFY"=dword:00000001
"UPDATESDISABLENOTIFY"=dword:00000001
"UacDisableNotify"=dword:00000001
.
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [x]
S2 Ad-Aware Service;Ad-Aware Service;c:\program files\Ad-Aware Antivirus\AdAwareService.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ    PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ    FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 10:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-21 c:\windows\Tasks\Ad-Aware Antivirus Scheduled Scan.job
- c:\progra~1\AD-AWA~1\AdAwareLauncher.exe [2012-07-12 17:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.wikipedia.org/
mStart Page = hxxp://search.my-tools-app.com/?babsrc=home&s=web&as=0&isid=9851
uInternet Settings,ProxyOverride = *.local
IE: Free YouTube Download - c:\users\Ben\AppData\Roaming\DVDVideoSoftIEHelpers\youtubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\users\Ben\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
Trusted Zone: clonewarsadventures.com
Trusted Zone: filefront.com\www
Trusted Zone: freerealms.com
Trusted Zone: o2.co.uk\*.broadband
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{76AF2689-2852-4DF7-9323-46D205CFBB99}: NameServer = 8.8.8.8,8.8.4.4
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-05-22 00:27
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2248850226-3509068054-1813070806-1001\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:08,27,78,55,53,f5,43,ee,b7,e6,bf,17,5e,ad,07,dd,bd,3d,68,32,b2,0e,68,
   26,31,cd,95,66,e5,0c,ea,b9,10,53,11,a4,24,1f,db,77,ce,55,21,56,52,95,c2,a3,\
"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49
.
[HKEY_USERS\S-1-5-21-2248850226-3509068054-1813070806-1001\Software\SecuROM\License information*]
"datasecu"=hex:20,f0,23,37,b7,fc,56,ba,c5,9d,54,bf,a8,7f,8c,4a,56,9f,f4,00,98,
   17,c5,11,5c,fb,90,16,a1,86,89,41,b8,eb,30,b1,58,78,27,9e,f6,85,71,96,44,15,\
"rkeysecu"=hex:26,9c,e9,a6,6d,50,71,66,6d,d9,81,70,dc,1e,37,00
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\atiesrxx.exe
c:\windows\system32\atieclxx.exe
c:\program files\NVIDIA Corporation\Display\nvxdsync.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\lxbccoms.exe
c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
c:\program files\Ad-Aware Antivirus\SBAMSvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\NVIDIA Corporation\Display\nvtray.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2013-05-22  00:35:54 - machine was rebooted
ComboFix-quarantined-files.txt  2013-05-21 23:35
ComboFix2.txt  2013-05-20 23:15
ComboFix3.txt  2013-05-19 15:59
ComboFix4.txt  2013-05-19 12:32
ComboFix5.txt  2013-05-21 22:42
.
Pre-Run: 133,324,431,360 bytes free
Post-Run: 133,336,989,696 bytes free
.
- - End Of File - - D125DD5928868FC599D8D095A07BFE31

 

 




#2 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:07:22 AM

Posted 25 May 2013 - 12:13 PM

Gnostiko,

:welcome: to Bleeping Computer.

My name is Jason and I'll be helping you with your computer problems. You can call me by my screen name jntkwx, or Jason is fine.

Some things to remember while we are working together.
 

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put logs in code or quote boxes (unless explicitly asked to)
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can also help.
  • Do not run anything while running a fix.
  • If you don't understand a step, please ask for clarification before continuing with any future steps.

In the upper right-hand corner of the topic you will see the Follow This Topic button. Click on this, then choose Receive Notification Immediately and then click Follow This Topic; you will be sent an email once I have posted a response, which makes the cleaning process faster.

 

Note to others: The instructions here are intended for the person who began this topic. If you need help, please create your own topic in the appropriate forum.


:step1: Rerun Combofix

Please download a NEW version of Combofix from one of these links, and save it to your desktop.
Link 1
Link 2
Link 3

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. If you do not know how to do this you can find out >here< or >here<

3. Open notepad and copy/paste the text in the box below into it:

http://www.bleepingcomputer.com/forums/t/495418/persistent-unknown-infection-please-help/

Collect::
c:\users\Ben\AppData\Local\xwvgyyhm\gdnwubog.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

Save this as CFScript.txt on your Desktop


[image: CFScriptB-4.gif - CFScript.txt being dragged onto ComboFix.exe]


Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When it finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.

 

In your next reply, please include:

  • New Combofix log
  • How's your computer running now? Please be as descriptive as possible.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.
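The CFScript above targets two things that stand out in the ComboFix log: the Winlogon Userinit value that has a second executable appended after userinit.exe, and the Run entry ComboFix tagged [BU] pointing into the user's AppData folder; the same log also shows every Security Center Override/DisableNotify flag set to 1. The script below is an added example (it is not ComboFix's code and not part of this thread) that reads the [key] / "name"=value layout ComboFix prints in its Reg Loading Points section and flags those three conditions mechanically, so a helper can triage a log before writing a fix. The sample input is constructed from lines of the log above; the section-name suffixes it matches on are assumptions based on that layout.

```python
"""Flag suspicious autostart entries in a ComboFix 'Reg Loading Points' dump.

Added example for this thread; it is not ComboFix code and not part of the
original posts. It reads the [key] / "name"=value layout ComboFix prints and
raises three kinds of finding visible in the log above:
  * a Winlogon "Userinit" value that launches anything besides userinit.exe
    (the persistence the helper's CFScript resets),
  * a Run value whose target lives under a user's AppData folder or that
    ComboFix tagged [BU],
  * Security Center *Override / *DisableNotify flags set to 1, which silence
    the warnings about disabled AV, firewall or UAC.
"""
import re

# Constructed sample input: a few lines copied in the format of the log above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]
"GdnWubog"="c:\users\Ben\AppData\Local\xwvgyyhm\gdnwubog.exe" [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\users\Ben\AppData\Local\xwvgyyhm\gdnwubog.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')  # "name"=raw value
QUOTED_PATH_RE = re.compile(r'^"([^"]+)"')        # leading "c:\..." of a value
APPDATA_RE = re.compile(r"\\appdata\\", re.IGNORECASE)


def parse_sections(text):
    """Group "name"=value lines under the lower-cased [key] that precedes them."""
    sections = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            sections.setdefault(current, [])
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            sections[current].append((value.group(1), value.group(2)))
    return sections


def userinit_findings(sections):
    """Userinit is a comma-separated list; only userinit.exe belongs in it."""
    findings = []
    for key, values in sections.items():
        if not key.endswith("\\winlogon"):
            continue
        for name, raw in values:
            if name.lower() != "userinit":
                continue
            parts = [p.strip() for p in raw.strip('"').split(",") if p.strip()]
            for part in parts:
                if not part.lower().endswith("\\userinit.exe"):
                    findings.append(("userinit-extra", part))
    return findings


def run_key_findings(sections):
    """Run entries launched from AppData, or marked [BU] by ComboFix, are suspect."""
    findings = []
    for key, values in sections.items():
        if not key.endswith("\\currentversion\\run"):
            continue
        for name, raw in values:
            quoted = QUOTED_PATH_RE.match(raw)
            path = quoted.group(1) if quoted else raw
            if APPDATA_RE.search(path) or raw.rstrip().endswith("[BU]"):
                findings.append(("run-appdata", f"{name}: {path}"))
    return findings


def security_center_findings(sections):
    """Override/DisableNotify = 1 hides the Security Center's own warnings."""
    findings = []
    for key, values in sections.items():
        if not key.endswith("\\security center"):
            continue
        for name, raw in values:
            lname = name.lower()
            suppressing = "override" in lname or "disablenotify" in lname
            if suppressing and raw.strip().lower().endswith("dword:00000001"):
                findings.append(("securitycenter-suppressed", name))
    return findings


def audit(text):
    """Return (kind, detail) tuples for every suspicious entry in the dump."""
    sections = parse_sections(text)
    return (userinit_findings(sections)
            + run_key_findings(sections)
            + security_center_findings(sections))


if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_LOG):
        print(f"{kind:26} {detail}")
```

Run against the sample it reports the appended gdnwubog.exe in Userinit, the GdnWubog Run entry, and the three suppressed Security Center flags. A clean Userinit value of `c:\windows\system32\userinit.exe,` (the form the CFScript restores) produces no finding, which is the check a helper would make on the next log.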


#3 Gnostiko

Gnostiko
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:12:22 PM

Posted 28 May 2013 - 03:34 PM

Hi Jason,

 

Thanks for the reply; I followed your steps as advised. Please see the new Combofix log:

 

ComboFix 13-05-21.01 - Ben 21/05/2013  23:44:06.15.2 - x86
Microsoft® Windows Vista™ Home Basic   6.0.6002.2.1252.44.1033.18.3325.2362 [GMT 1:00]
Running from: c:\users\Ben\Desktop\blab.exe
AV: Lavasoft Ad-Aware *Enabled/Updated* {445B48C3-0FA4-6B16-8F07-6506F305D800}
FW: Lavasoft Ad-Aware *Disabled* {7C60C9E6-45CB-6A4E-A458-CC330DD69F7B}
SP: Lavasoft Ad-Aware *Enabled/Updated* {FF3AA927-299E-6498-B5B7-5E74888292BD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Ben\AppData\Local\agkdybvr.log
c:\users\Ben\AppData\Local\hjapnajd.log
c:\users\Ben\AppData\Local\iahdjaqa.log
c:\users\Ben\AppData\Local\jwwshhqq.log
c:\users\Ben\AppData\Local\msukpvau.log
c:\users\Ben\AppData\Local\tybqhsrq.log
c:\users\Ben\AppData\Local\vurntrvt.log
c:\users\Ben\AppData\Local\xwvgyyhm\gdnwubog.exe
c:\windows\system32\drivers\etc\hosts.ics
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MICORSOFT_WINDOWS_SERVICE
.
.
(((((((((((((((((((((((((   Files Created from 2013-04-21 to 2013-05-21  )))))))))))))))))))))))))))))))
.
.
2013-05-21 23:21 . 2013-05-21 23:25 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2013-05-21 23:21 . 2013-05-21 23:21 -------- d-----w- c:\users\user\AppData\Local\temp
2013-05-21 23:21 . 2013-05-21 23:21 -------- d-----w- c:\users\Public\AppData\Local\temp
2013-05-21 23:21 . 2013-05-21 23:21 -------- d-----w- c:\users\Mom\AppData\Local\temp
2013-05-21 23:21 . 2013-05-21 23:21 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-05-20 22:53 . 2013-05-21 23:28 -------- d-----w- c:\users\Ben\AppData\Local\temp
2013-05-04 16:07 . 2013-03-15 05:46 8952608 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2013-05-04 16:07 . 2013-03-15 05:46 892704 ----a-w- c:\windows\system32\nvdispgenco3231422.dll
2013-05-04 16:07 . 2013-03-15 05:46 6271872 ----a-w- c:\windows\system32\nvopencl.dll
2013-05-04 16:07 . 2013-03-15 05:46 2728736 ----a-w- c:\windows\system32\nvcuvid.dll
2013-05-04 16:07 . 2013-03-15 05:46 20542752 ----a-w- c:\windows\system32\nvoglv32.dll
2013-05-04 16:07 . 2013-03-15 05:46 1995552 ----a-w- c:\windows\system32\nvcuvenc.dll
2013-05-04 16:07 . 2013-03-15 05:46 13088000 ----a-w- c:\windows\system32\nvwgf2um.dll
2013-05-04 16:07 . 2013-03-15 05:46 1012512 ----a-w- c:\windows\system32\nvdispco3231422.dll
2013-05-04 16:07 . 2013-03-15 05:46 7959000 ----a-w- c:\windows\system32\nvcuda.dll
2013-05-04 16:07 . 2013-03-15 05:46 17560352 ----a-w- c:\windows\system32\nvcompiler.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-18 13:30 . 2012-07-17 20:15 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-18 13:29 . 2011-12-11 17:00 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-01 07:08 . 2009-08-18 11:24 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-04-04 13:50 . 2011-09-27 05:32 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-03-15 05:46 . 2008-10-07 12:33 2539128 ----a-w- c:\windows\system32\nvapi.dll
2013-03-15 05:46 . 2008-10-07 12:33 15042928 ----a-w- c:\windows\system32\nvd3dum.dll
2013-03-15 02:59 . 2011-01-07 21:06 4119328 ----a-w- c:\windows\system32\nvcpl.dll
2013-03-15 02:59 . 2011-01-07 21:06 3014432 ----a-w- c:\windows\system32\nvsvc.dll
2013-03-15 02:59 . 2011-01-07 21:06 634144 ----a-w- c:\windows\system32\nvvsvc.exe
2013-03-15 02:59 . 2011-01-07 21:06 223008 ----a-w- c:\windows\system32\nvmctray.dll
2013-03-15 02:59 . 2009-06-10 07:34 62752 ----a-w- c:\windows\system32\nvshext.dll
2009-12-06 17:18 26624 --sh--w- c:\windows\bfcs2.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTAgent.exe" [2012-10-23 3108480]
"GdnWubog"="c:\users\Ben\AppData\Local\xwvgyyhm\gdnwubog.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2011-10-17 11430504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-12-19 41208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-02-20 152392]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeAnimation"= 0 (0x0)
"NoStrCmpLogical"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 0 (0x0)
"NoStrCmpLogical"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\users\Ben\AppData\Local\xwvgyyhm\gdnwubog.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ad-Aware Service]
@="Ad-Aware Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Aware Antivirus]
c:\program files\Ad-Aware Antivirus\AdAwareLauncher --windows-run [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Aware Browsing Protection]
2011-10-21 09:09 198032 ----a-w- c:\programdata\Ad-Aware Browsing Protection\adawarebp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-04-04 21:06 958576 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-12-19 14:39 41208 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2013-01-28 13:08 59720 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-27 19:03 152872 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-07-28 23:08 1259376 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2013-02-20 12:35 152392 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2008-06-09 10:16 2363392 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\monegf]
c:\users\Ben\AppData\Roaming\monegf.dll [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-09-23 00:47 4240760 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 15:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-09-17 12:41 254896 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"ANTIVIRUSDISABLENOTIFY"=dword:00000001
"FIREWALLDISABLENOTIFY"=dword:00000001
"UPDATESDISABLENOTIFY"=dword:00000001
"UacDisableNotify"=dword:00000001
.
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [x]
S2 Ad-Aware Service;Ad-Aware Service;c:\program files\Ad-Aware Antivirus\AdAwareService.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ    PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ    FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 10:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-21 c:\windows\Tasks\Ad-Aware Antivirus Scheduled Scan.job
- c:\progra~1\AD-AWA~1\AdAwareLauncher.exe [2012-07-12 17:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.wikipedia.org/
mStart Page = hxxp://search.my-tools-app.com/?babsrc=home&s=web&as=0&isid=9851
uInternet Settings,ProxyOverride = *.local
IE: Free YouTube Download - c:\users\Ben\AppData\Roaming\DVDVideoSoftIEHelpers\youtubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\users\Ben\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
Trusted Zone: clonewarsadventures.com
Trusted Zone: filefront.com\www
Trusted Zone: freerealms.com
Trusted Zone: o2.co.uk\*.broadband
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{76AF2689-2852-4DF7-9323-46D205CFBB99}: NameServer = 8.8.8.8,8.8.4.4
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-05-22 00:27
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2248850226-3509068054-1813070806-1001\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:08,27,78,55,53,f5,43,ee,b7,e6,bf,17,5e,ad,07,dd,bd,3d,68,32,b2,0e,68,
   26,31,cd,95,66,e5,0c,ea,b9,10,53,11,a4,24,1f,db,77,ce,55,21,56,52,95,c2,a3,\
"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49
.
[HKEY_USERS\S-1-5-21-2248850226-3509068054-1813070806-1001\Software\SecuROM\License information*]
"datasecu"=hex:20,f0,23,37,b7,fc,56,ba,c5,9d,54,bf,a8,7f,8c,4a,56,9f,f4,00,98,
   17,c5,11,5c,fb,90,16,a1,86,89,41,b8,eb,30,b1,58,78,27,9e,f6,85,71,96,44,15,\
"rkeysecu"=hex:26,9c,e9,a6,6d,50,71,66,6d,d9,81,70,dc,1e,37,00
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\atiesrxx.exe
c:\windows\system32\atieclxx.exe
c:\program files\NVIDIA Corporation\Display\nvxdsync.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\lxbccoms.exe
c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
c:\program files\Ad-Aware Antivirus\SBAMSvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\NVIDIA Corporation\Display\nvtray.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2013-05-22  00:35:54 - machine was rebooted
ComboFix-quarantined-files.txt  2013-05-21 23:35
ComboFix2.txt  2013-05-20 23:15
ComboFix3.txt  2013-05-19 15:59
ComboFix4.txt  2013-05-19 12:32
ComboFix5.txt  2013-05-21 22:42
.
Pre-Run: 133,324,431,360 bytes free
Post-Run: 133,336,989,696 bytes free
.
- - End Of File - - D125DD5928868FC599D8D095A07BFE31

 

Computer still seems to be affected, as the problems I had before are still present. I'm hopeful we can fix this :)



#4 jntkwx
  • Malware Response Team
  • 4,339 posts

Posted 28 May 2013 - 03:42 PM

I do think we can fix this. :)

 

That appears to be an older Combofix log, but you did follow my instructions correctly. Here's the latest log (just so I see it posted here). I'll post back shortly with further instructions.

 

ComboFix 13-05-28.02 - Ben 28/05/2013  20:01:43.16.2 - x86
Microsoft® Windows Vista™ Home Basic   6.0.6002.2.1252.44.1033.18.3325.2188 [GMT 1:00]
Running from: C:\Users\Ben\Desktop\barb.exe
Command switches used :: C:\Users\Ben\Desktop\cfscript.txt
AV: Lavasoft Ad-Aware *Enabled/Updated* {445B48C3-0FA4-6B16-8F07-6506F305D800}
FW: Lavasoft Ad-Aware *Disabled* {7C60C9E6-45CB-6A4E-A458-CC330DD69F7B}
SP: Lavasoft Ad-Aware *Enabled/Updated* {FF3AA927-299E-6498-B5B7-5E74888292BD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point

file zipped: c:\users\Ben\AppData\Local\xwvgyyhm\gdnwubog.exe

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Users\Ben\AppData\Local\agkdybvr.log
C:\Users\Ben\AppData\Local\hjapnajd.log
C:\Users\Ben\AppData\Local\iahdjaqa.log
C:\Users\Ben\AppData\Local\jwwshhqq.log
C:\Users\Ben\AppData\Local\msukpvau.log
C:\Users\Ben\AppData\Local\tybqhsrq.log
C:\Users\Ben\AppData\Local\vurntrvt.log
C:\Users\Ben\AppData\Local\xwvgyyhm\gdnwubog.exe
C:\Windows\system32\drivers\etc\hosts.ics

(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MICORSOFT_WINDOWS_SERVICE
-------\Service_Micorsoft Windows Service

(((((((((((((((((((((((((   Files Created from 2013-04-28 to 2013-05-28  )))))))))))))))))))))))))))))))

2013-05-28 19:35:58 . 2013-05-28 19:38:26 -------- d-----w- C:\Users\Ben\AppData\Local\temp
2013-05-28 19:35:58 . 2013-05-28 19:35:58 -------- d-----w- C:\Users\user\AppData\Local\temp
2013-05-28 19:35:58 . 2013-05-28 19:35:58 -------- d-----w- C:\Users\UpdatusUser\AppData\Local\temp
2013-05-28 19:35:58 . 2013-05-28 19:35:58 -------- d-----w- C:\Users\Public\AppData\Local\temp
2013-05-28 19:35:58 . 2013-05-28 19:35:58 -------- d-----w- C:\Users\Mom\AppData\Local\temp
2013-05-28 19:35:58 . 2013-05-28 19:35:58 -------- d-----w- C:\Users\Default\AppData\Local\temp
2013-05-04 16:07:27 . 2013-03-15 05:46:27 8952608 ----a-w- C:\Windows\system32\drivers\nvlddmkm.sys
2013-05-04 16:07:27 . 2013-03-15 05:46:27 892704 ----a-w- C:\Windows\system32\nvdispgenco3231422.dll
2013-05-04 16:07:27 . 2013-03-15 05:46:27 6271872 ----a-w- C:\Windows\system32\nvopencl.dll
2013-05-04 16:07:27 . 2013-03-15 05:46:27 2728736 ----a-w- C:\Windows\system32\nvcuvid.dll
2013-05-04 16:07:27 . 2013-03-15 05:46:27 20542752 ----a-w- C:\Windows\system32\nvoglv32.dll
2013-05-04 16:07:27 . 2013-03-15 05:46:27 1995552 ----a-w- C:\Windows\system32\nvcuvenc.dll
2013-05-04 16:07:27 . 2013-03-15 05:46:27 13088000 ----a-w- C:\Windows\system32\nvwgf2um.dll
2013-05-04 16:07:27 . 2013-03-15 05:46:27 1012512 ----a-w- C:\Windows\system32\nvdispco3231422.dll
2013-05-04 16:07:26 . 2013-03-15 05:46:27 7959000 ----a-w- C:\Windows\system32\nvcuda.dll
2013-05-04 16:07:26 . 2013-03-15 05:46:27 17560352 ----a-w- C:\Windows\system32\nvcompiler.dll
.

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2013-05-18 13:30:00 . 2012-07-17 20:15:29 692104 ----a-w- C:\Windows\system32\FlashPlayerApp.exe
2013-05-18 13:29:59 . 2011-12-11 17:00:08 71048 ----a-w- C:\Windows\system32\FlashPlayerCPLApp.cpl
2013-05-01 07:08:11 . 2009-08-18 11:24:10 22240 ----a-w- C:\ProgramData\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-04-04 13:50:32 . 2011-09-27 05:32:10 22856 ----a-w- C:\Windows\system32\drivers\mbam.sys
2013-03-15 05:46:27 . 2008-10-07 12:33:00 2539128 ----a-w- C:\Windows\system32\nvapi.dll
2013-03-15 05:46:27 . 2008-10-07 12:33:00 15042928 ----a-w- C:\Windows\system32\nvd3dum.dll
2013-03-15 02:59:30 . 2011-01-07 21:06:34 4119328 ----a-w- C:\Windows\system32\nvcpl.dll
2013-03-15 02:59:30 . 2011-01-07 21:06:14 3014432 ----a-w- C:\Windows\system32\nvsvc.dll
2013-03-15 02:59:27 . 2011-01-07 21:06:02 634144 ----a-w- C:\Windows\system32\nvvsvc.exe
2013-03-15 02:59:26 . 2011-01-07 21:06:02 223008 ----a-w- C:\Windows\system32\nvmctray.dll
2013-03-15 02:59:26 . 2009-06-10 07:34:46 62752 ----a-w- C:\Windows\system32\nvshext.dll
2009-12-06 17:18:14 26624 --sh--w- C:\Windows\bfcs2.dll

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 18:25:38 81920]
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTAgent.exe" [2012-10-23 08:25:10 3108480]
"GdnWubog"="C:\Users\Ben\AppData\Local\xwvgyyhm\gdnwubog.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe" [2011-10-17 07:13:56 11430504]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2013-05-08 21:20:00 41056]
"Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 21:06:36 958576]
"APSDaemon"="C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 13:08:14 59720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2013-02-20 12:35:28 152392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeAnimation"= 0 (0x0)
"NoStrCmpLogical"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 0 (0x0)
"NoStrCmpLogical"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 00:02:18 113024]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\Windows\system32\userinit.exe,,C:\Users\Ben\AppData\Local\xwvgyyhm\gdnwubog.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54:14 551296 ----a-w- C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ad-Aware Service]
@="Ad-Aware Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\Windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Aware Antivirus]
C:\Program Files\Ad-Aware Antivirus\AdAwareLauncher --windows-run [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Aware Browsing Protection]
2011-10-21 09:09:36 198032 ----a-w- C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-04-04 21:06:36 958576 ----a-w- C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2013-05-08 21:20:00 41056 ----a-w- C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2013-01-28 13:08:14 59720 ----a-w- C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-27 19:03:40 152872 ----a-w- C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-07-28 23:08:12 1259376 ----a-w- C:\Program Files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GdnWubog]
C:\Users\Ben\AppData\Local\xwvgyyhm\gdnwubog.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2013-02-20 12:35:28 152392 ----a-w- C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2008-06-09 10:16:32 2363392 ----a-w- C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\monegf]
C:\Users\Ben\AppData\Roaming\monegf.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-09-23 00:47:30 4240760 ----a-w- C:\Program Files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 15:57:24 153136 ----a-w- C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-09-17 12:41:54 254896 ----a-w- C:\Program Files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"ANTIVIRUSDISABLENOTIFY"=dword:00000001
"FIREWALLDISABLENOTIFY"=dword:00000001
"UPDATESDISABLENOTIFY"=dword:00000001
"UacDisableNotify"=dword:00000001

S2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [x]
S2 Ad-Aware Service;Ad-Aware Service;C:\Program Files\Ad-Aware Antivirus\AdAwareService.exe [x]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MICORSOFT_WINDOWS_SERVICE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ    PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ    FontCache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 10:14:42 451872 ----a-w- C:\Program Files\Common Files\LightScribe\LSRunOnce.exe

Contents of the 'Scheduled Tasks' folder

2012-09-21 C:\Windows\Tasks\Ad-Aware Antivirus Scheduled Scan.job
- C:\PROGRA~1\AD-AWA~1\AdAwareLauncher.exe [2012-07-12 17:32:20 . 2012-07-12 17:32:20]

------- Supplementary Scan -------

uStart Page = hxxp://www.wikipedia.org/
mStart Page = hxxp://search.my-tools-app.com/?babsrc=home&s=web&as=0&isid=9851
uInternet Settings,ProxyOverride = *.local
IE: Free YouTube Download - C:\Users\Ben\AppData\Roaming\DVDVideoSoftIEHelpers\youtubedownload.htm
IE: Free YouTube to Mp3 Converter - C:\Users\Ben\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
Trusted Zone: clonewarsadventures.com
Trusted Zone: filefront.com\www
Trusted Zone: freerealms.com
Trusted Zone: o2.co.uk\*.broadband
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{76AF2689-2852-4DF7-9323-46D205CFBB99}: NameServer = 8.8.8.8,8.8.4.4

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-05-28 20:38:05
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

C:\Windows\system32\drivers\etc\hosts.ics 374 bytes
C:\Users\Ben\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gdnwubog.exe 181760 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2248850226-3509068054-1813070806-1001\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:08,27,78,55,53,f5,43,ee,b7,e6,bf,17,5e,ad,07,dd,bd,3d,68,32,b2,0e,68,
   26,31,cd,95,66,e5,0c,ea,b9,10,53,11,a4,24,1f,db,77,ce,55,21,56,52,95,c2,a3,\
"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49

[HKEY_USERS\S-1-5-21-2248850226-3509068054-1813070806-1001\Software\SecuROM\License information*]
"datasecu"=hex:20,f0,23,37,b7,fc,56,ba,c5,9d,54,bf,a8,7f,8c,4a,56,9f,f4,00,98,
   17,c5,11,5c,fb,90,16,a1,86,89,41,b8,eb,30,b1,58,78,27,9e,f6,85,71,96,44,15,\
"rkeysecu"=hex:26,9c,e9,a6,6d,50,71,66,6d,d9,81,70,dc,1e,37,00

------------------------ Other Running Processes ------------------------

C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\system32\atieclxx.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\lxbccoms.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Windows\system32\PnkBstrA.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Program Files\Ad-Aware Antivirus\SBAMSvc.exe

**************************************************************************

Completion time: 2013-05-28  20:47:57 - machine was rebooted
ComboFix-quarantined-files.txt  2013-05-28 19:47:54
ComboFix2.txt  2013-05-21 23:35:55
ComboFix3.txt  2013-05-20 23:15:44
ComboFix4.txt  2013-05-19 15:59:26
ComboFix5.txt  2013-05-28 18:58:29

Pre-Run: 132,726,206,464 bytes free
Post-Run: 132,956,057,600 bytes free

- - End Of File - - 42A527FDBED56245436D529E7C5DD287


Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#5 jntkwx
  • Malware Response Team
  • 4,339 posts

Posted 28 May 2013 - 04:13 PM

Please download aswMBR ( 4.5MB ) to your desktop.

  • Double click the aswMBR.exe icon, and click Run.
  • When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.


Regards,
Jason

 



#6 Gnostiko
  • Topic Starter
  • Members
  • 8 posts

Posted 30 May 2013 - 01:09 PM

Unable to update Avast! log as I cannot download or update anything, from anti-spyware definition databases to Word documents.

Log:

 

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-05-30 18:43:14
-----------------------------
18:43:14.427    OS Version: Windows 6.0.6002 Service Pack 2
18:43:14.427    Number of processors: 2 586 0x100
18:43:14.427    ComputerName: GNOSTIKO  UserName: Ben
18:43:17.001    Initialize success
18:43:30.939    AVAST engine download error: 0
18:43:48.364    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1
18:43:48.364    Disk 0 Vendor: Hitachi_HDP725050GLA360 GM4OA52A Size: 476940MB BusType: 3
18:43:48.551    Disk 0 MBR read successfully
18:43:48.551    Disk 0 MBR scan
18:43:48.567    Disk 0 Windows VISTA default MBR code
18:43:48.567    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       476938 MB offset 2048
18:43:48.567    Disk 0 scanning sectors +976771072
18:43:48.645    Disk 0 scanning C:\Windows\system32\drivers
18:43:58.738    Service scanning
18:44:18.160    Modules scanning
18:44:24.728    Disk 0 trace - called modules:
18:44:24.743    ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS amdide.sys PCIIDEX.SYS atapi.sys
18:44:24.743    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x862ce518]
18:44:25.243    3 CLASSPNP.SYS[8b9ac8b3] -> nt!IofCallDriver -> [0x86139848]
18:44:25.243    5 acpi.sys[8060a6bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-1[0x8613db98]
18:44:25.243    Scan finished successfully
18:50:53.977    Disk 0 MBR has been saved successfully to "C:\Users\Ben\Desktop\MBR.dat"
18:50:53.977    The log file has been saved successfully to "C:\Users\Ben\Desktop\aswMBR.txt"

 



#7 jntkwx
  • Malware Response Team
  • 4,339 posts

Posted 30 May 2013 - 11:29 PM
Rerun Combofix
Please download a NEW version of Combofix from one of these links, save it to a USB flashdrive, and then copy it to your desktop.
Link 1
Link 2
Link 3

1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. If you do not know how to do this you can find out >here< or >here<

3. Open notepad and copy/paste the text in the box below into it:


File::
C:\Users\Ben\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gdnwubog.exe
C:\Windows\system32\drivers\etc\hosts.ics
C:\Users\Ben\AppData\Roaming\monegf.dll
C:\Users\Ben\AppData\Local\xwvgyyhm\gdnwubog.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GdnWubog"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GdnWubog]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\monegf]

Save this as CFScript.txt on your Desktop


(screenshot CFScriptB-4.gif: CFScript.txt being dragged onto ComboFix.exe)


Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

 

In your next reply, please include:

  • New Combofix log
  • How's your computer running now? Please be as descriptive as possible.

Edited by jntkwx, 31 May 2013 - 03:55 PM.

Regards,
Jason

 

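As an added example (not code from this thread, from ComboFix or from the helper), here is a small Python triage script that reads the ComboFix "Reg Loading Points" and catchme output posted above and flags the same items the CFScript in the post targets: extra executables chained onto the Winlogon Userinit value, Run entries launching from a user's AppData tree, Security Center override flags, and files catchme reported as hidden. The sample log text is constructed from excerpts of the log posted in this thread; the function names are my own.

```python
"""Triage a ComboFix log for the persistence seen in this thread (added example)."""
import re

DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

# Constructed sample: excerpts copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 18:25:38 81920]
"GdnWubog"="C:\Users\Ben\AppData\Local\xwvgyyhm\gdnwubog.exe" [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\Windows\system32\userinit.exe,,C:\Users\Ben\AppData\Local\xwvgyyhm\gdnwubog.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

scanning hidden files ...

C:\Windows\system32\drivers\etc\hosts.ics 374 bytes
C:\Users\Ben\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gdnwubog.exe 181760 bytes executable

scan completed successfully
hidden files: 2
"""

_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')   # "Name"=value ...
_HIDDEN_RE = re.compile(r"^(.+?)\s+\d+ bytes")      # <path> <size> bytes ...


def parse_registry_sections(log_text):
    """Map each [KEY] header to the ("Name", value) lines listed under it."""
    sections, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, value = m.group(1), m.group(2)
            if value.startswith('"'):   # quoted string: drop trailers such as [BU]
                value = value[1:value.index('"', 1)]
            sections[current].append((name, value))
    return sections


def userinit_extras(sections):
    """Executables chained onto Userinit beyond the stock userinit.exe."""
    extras = []
    for key, values in sections.items():
        if not key.lower().endswith("\\winlogon"):
            continue
        for name, value in values:
            if name.lower() == "userinit":
                for part in value.split(","):
                    part = part.strip()
                    if part and part.lower() != DEFAULT_USERINIT:
                        extras.append(part)
    return extras


def profile_run_entries(sections):
    """Run-key entries whose target lives under a user's AppData tree."""
    hits = []
    for key, values in sections.items():
        if key.lower().endswith("\\currentversion\\run"):
            hits.extend((n, v) for n, v in values if "\\appdata\\" in v.lower())
    return hits


def security_center_overrides(sections):
    """Security Center flags set to 1 (AV/firewall status reporting suppressed)."""
    flags = []
    for key, values in sections.items():
        if key.lower().endswith("\\security center"):
            flags.extend(n for n, v in values if v == "dword:00000001")
    return flags


def hidden_files(log_text):
    """Paths catchme lists between 'scanning hidden files' and 'scan completed'."""
    found, inside = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("scanning hidden files"):
            inside = True
        elif line.startswith("scan completed"):
            inside = False
        elif inside:
            m = _HIDDEN_RE.match(line)
            if m:
                found.append(m.group(1))
    return found


def triage(log_text):
    """Collect every finding for one log into a dict keyed by finding type."""
    sections = parse_registry_sections(log_text)
    return {
        "userinit_extras": userinit_extras(sections),
        "profile_run_entries": profile_run_entries(sections),
        "security_center_overrides": security_center_overrides(sections),
        "hidden_files": hidden_files(log_text),
    }


if __name__ == "__main__":
    for finding, items in triage(SAMPLE_LOG).items():
        print(f"{finding}: {items}")
```

A clean machine yields empty lists for every finding; the Userinit check in particular is what the CFScript's `"Userinit"="C:\\Windows\\system32\\userinit.exe,"` line restores.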


#8 Gnostiko
  • Topic Starter
  • Members
  • 8 posts

Posted 01 June 2013 - 06:33 PM

Still infected! :s

 

Latest Combofix log:

 

ComboFix 13-06-01.01 - Ben 01/06/2013  23:28:06.18.2 - x86
Microsoft® Windows Vista™ Home Basic   6.0.6002.2.1252.44.1033.18.3325.2057 [GMT 1:00]
Running from: c:\users\Ben\Desktop\DB.exe
AV: Lavasoft Ad-Aware *Enabled/Outdated* {445B48C3-0FA4-6B16-8F07-6506F305D800}
FW: Lavasoft Ad-Aware *Disabled* {7C60C9E6-45CB-6A4E-A458-CC330DD69F7B}
SP: Lavasoft Ad-Aware *Enabled/Outdated* {FF3AA927-299E-6498-B5B7-5E74888292BD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((   Files Created from 2013-05-01 to 2013-06-01  )))))))))))))))))))))))))))))))
.
.
2013-06-01 22:48 . 2013-06-01 22:49 -------- d-----w- c:\users\Ben\AppData\Local\temp
2013-06-01 22:48 . 2013-06-01 22:48 -------- d-----w- c:\users\user\AppData\Local\temp
2013-06-01 22:48 . 2013-06-01 22:48 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2013-06-01 22:48 . 2013-06-01 22:48 -------- d-----w- c:\users\Public\AppData\Local\temp
2013-06-01 22:48 . 2013-06-01 22:48 -------- d-----w- c:\users\Mom\AppData\Local\temp
2013-06-01 22:48 . 2013-06-01 22:48 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-05-04 16:07 . 2013-03-15 05:46 8952608 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2013-05-04 16:07 . 2013-03-15 05:46 892704 ----a-w- c:\windows\system32\nvdispgenco3231422.dll
2013-05-04 16:07 . 2013-03-15 05:46 6271872 ----a-w- c:\windows\system32\nvopencl.dll
2013-05-04 16:07 . 2013-03-15 05:46 2728736 ----a-w- c:\windows\system32\nvcuvid.dll
2013-05-04 16:07 . 2013-03-15 05:46 20542752 ----a-w- c:\windows\system32\nvoglv32.dll
2013-05-04 16:07 . 2013-03-15 05:46 1995552 ----a-w- c:\windows\system32\nvcuvenc.dll
2013-05-04 16:07 . 2013-03-15 05:46 13088000 ----a-w- c:\windows\system32\nvwgf2um.dll
2013-05-04 16:07 . 2013-03-15 05:46 1012512 ----a-w- c:\windows\system32\nvdispco3231422.dll
2013-05-04 16:07 . 2013-03-15 05:46 7959000 ----a-w- c:\windows\system32\nvcuda.dll
2013-05-04 16:07 . 2013-03-15 05:46 17560352 ----a-w- c:\windows\system32\nvcompiler.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-18 13:30 . 2012-07-17 20:15 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-18 13:29 . 2011-12-11 17:00 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-01 07:08 . 2009-08-18 11:24 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-04-04 13:50 . 2011-09-27 05:32 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-03-15 05:46 . 2008-10-07 12:33 2539128 ----a-w- c:\windows\system32\nvapi.dll
2013-03-15 05:46 . 2008-10-07 12:33 15042928 ----a-w- c:\windows\system32\nvd3dum.dll
2013-03-15 02:59 . 2011-01-07 21:06 4119328 ----a-w- c:\windows\system32\nvcpl.dll
2013-03-15 02:59 . 2011-01-07 21:06 3014432 ----a-w- c:\windows\system32\nvsvc.dll
2013-03-15 02:59 . 2011-01-07 21:06 634144 ----a-w- c:\windows\system32\nvvsvc.exe
2013-03-15 02:59 . 2011-01-07 21:06 223008 ----a-w- c:\windows\system32\nvmctray.dll
2013-03-15 02:59 . 2009-06-10 07:34 62752 ----a-w- c:\windows\system32\nvshext.dll
2009-12-06 17:18 26624 --sh--w- c:\windows\bfcs2.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTAgent.exe" [2012-10-23 3108480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2011-10-17 11430504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2013-05-08 41056]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-02-20 152392]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeAnimation"= 0 (0x0)
"NoStrCmpLogical"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 0 (0x0)
"NoStrCmpLogical"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ad-Aware Service]
@="Ad-Aware Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Aware Antivirus]
c:\program files\Ad-Aware Antivirus\AdAwareLauncher --windows-run [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Aware Browsing Protection]
2011-10-21 09:09 198032 ----a-w- c:\programdata\Ad-Aware Browsing Protection\adawarebp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-04-04 21:06 958576 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2013-05-08 21:20 41056 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2013-01-28 13:08 59720 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-27 19:03 152872 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-07-28 23:08 1259376 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2013-02-20 12:35 152392 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2008-06-09 10:16 2363392 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-09-23 00:47 4240760 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 15:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-09-17 12:41 254896 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
R2 Ad-Aware Service;Ad-Aware Service;c:\program files\Ad-Aware Antivirus\AdAwareService.exe [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ    PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ    FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 10:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-21 c:\windows\Tasks\Ad-Aware Antivirus Scheduled Scan.job
- c:\progra~1\AD-AWA~1\AdAwareLauncher.exe [2012-07-12 17:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.wikipedia.org/
mStart Page = hxxp://search.my-tools-app.com/?babsrc=home&s=web&as=0&isid=9851
uInternet Settings,ProxyOverride = *.local
IE: Free YouTube Download - c:\users\Ben\AppData\Roaming\DVDVideoSoftIEHelpers\youtubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\users\Ben\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
Trusted Zone: clonewarsadventures.com
Trusted Zone: filefront.com\www
Trusted Zone: freerealms.com
Trusted Zone: o2.co.uk\*.broadband
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{76AF2689-2852-4DF7-9323-46D205CFBB99}: NameServer = 8.8.8.8,8.8.4.4
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-06-01 23:49
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2248850226-3509068054-1813070806-1001\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:08,27,78,55,53,f5,43,ee,b7,e6,bf,17,5e,ad,07,dd,bd,3d,68,32,b2,0e,68,
   26,31,cd,95,66,e5,0c,ea,b9,10,53,11,a4,24,1f,db,77,ce,55,21,56,52,95,c2,a3,\
"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49
.
[HKEY_USERS\S-1-5-21-2248850226-3509068054-1813070806-1001\Software\SecuROM\License information*]
"datasecu"=hex:20,f0,23,37,b7,fc,56,ba,c5,9d,54,bf,a8,7f,8c,4a,56,9f,f4,00,98,
   17,c5,11,5c,fb,90,16,a1,86,89,41,b8,eb,30,b1,58,78,27,9e,f6,85,71,96,44,15,\
"rkeysecu"=hex:26,9c,e9,a6,6d,50,71,66,6d,d9,81,70,dc,1e,37,00
.
Completion time: 2013-06-01  23:56:46
ComboFix-quarantined-files.txt  2013-06-01 22:56
ComboFix2.txt  2013-06-01 18:32
ComboFix3.txt  2013-05-28 20:14
ComboFix4.txt  2013-05-21 23:35
ComboFix5.txt  2013-06-01 22:27
.
Pre-Run: 133,534,023,680 bytes free
Post-Run: 133,527,162,880 bytes free
.
- - End Of File - - 18BDA22A1453DDAD09C733974EED3D90
 



#9 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 01 June 2013 - 06:36 PM

Try following my previous instructions again. The script we tried to run didn't seem to work this time.

Rerun Combofix
Please download a NEW version of Combofix from one of these links, save it to a USB flash drive, and then copy it to your desktop.
Link 1
Link 2
Link 3

1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. If you do not know how to do this you can find out >here< or >here<

3. Open notepad and copy/paste the text in the box below into it:

File::
C:\Users\Ben\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gdnwubog.exe
C:\Windows\system32\drivers\etc\hosts.ics
C:\Users\Ben\AppData\Roaming\monegf.dll
C:\Users\Ben\AppData\Local\xwvgyyhm\gdnwubog.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GdnWubog"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GdnWubog]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\monegf]
Save this as CFScript.txt on your Desktop


[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.
 
In your next reply, please include:
  • New Combofix log
  • How's your computer running now? Please be as descriptive as possible.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.
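A read-only audit of the same persistence points the CFScript above targets, so the cleanup can be verified after the reboot. This is an added example, not jntkwx's script or anything ComboFix does; the file paths, value names and the default Userinit value are taken from the CFScript, and it assumes it is run as the same user (Ben) in an elevated PowerShell session.

```powershell
# Added audit example (not part of the CFScript or ComboFix): read-only checks of the
# persistence points the CFScript targets, so a defender can confirm the cleanup took.
# Paths and names come from the thread; $env:APPDATA resolves to the current user's profile.

$findings = @()

# 1. Winlogon Userinit: the CFScript resets it to the default value. Anything appended
#    after the trailing comma is a second program launched at every logon.
$expectedUserinit = 'C:\Windows\system32\userinit.exe,'
$winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($winlogon.Userinit -ne $expectedUserinit) {
    $findings += "Userinit is '$($winlogon.Userinit)' (expected '$expectedUserinit')"
}

# 2. Run value and msconfig startupreg keys the script removes.
$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains 'GdnWubog')) {
    $findings += "Run entry 'GdnWubog' still present in $runKey"
}
foreach ($name in 'GdnWubog', 'monegf') {
    $key = "HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\$name"
    if (Test-Path $key) { $findings += "msconfig startupreg key still present: $key" }
}

# 3. Files listed under File:: in the script. hosts.ics sits beside hosts and is read by
#    the resolver as well (Internet Connection Sharing writes it), so name overrides placed
#    there have the same effect as editing hosts; that fits the symptom of security sites
#    refusing to load.
$files = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\gdnwubog.exe",
    "$env:SystemRoot\System32\drivers\etc\hosts.ics",
    "$env:APPDATA\monegf.dll",
    "$env:LOCALAPPDATA\xwvgyyhm\gdnwubog.exe"
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File still present: $f" }
}

# 4. Any other Run value launching from the user profile deserves a second look, since the
#    dropped executables in this thread lived under AppData rather than Program Files.
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match 'AppData\\(Local|Roaming)') {
            $findings += "Run entry '$($p.Name)' launches from a profile folder: $($p.Value)"
        }
    }
}

if ($findings.Count -eq 0) {
    'No remaining indicators from the CFScript were found.'
} else {
    $findings | ForEach-Object { "FOUND: $_" }
}
```

Run it once before and once after the CFScript pass; a clean second run plus an unchanged ComboFix log is the evidence that the removals held across a reboot.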


#10 Gnostiko

Gnostiko
  • Topic Starter

  • Members
  • 8 posts

Posted 04 June 2013 - 05:44 PM

I'll run Combofix again this eve and post the results here tomorrow...



#11 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 06 June 2013 - 03:00 PM

I'll run Combofix again this eve and post the results here tomorrow...

 

Just wondering if you've had a chance to run Combofix yet. :)


Regards,
Jason

 



#12 Gnostiko

Gnostiko
  • Topic Starter

  • Members
  • 8 posts

Posted 08 June 2013 - 10:31 AM

I've run Combofix again, system still infected :-\

 

Log:

ComboFix 13-06-07.03 - Ben 07/06/2013  20:18:44.19.2 - x86
Microsoft® Windows Vista™ Home Basic   6.0.6002.2.1252.44.1033.18.3325.2185 [GMT 1:00]
Running from: c:\users\Ben\Desktop\DB.exe
Command switches used :: c:\users\Ben\Desktop\cfscript.txt
AV: Lavasoft Ad-Aware *Enabled/Outdated* {445B48C3-0FA4-6B16-8F07-6506F305D800}
FW: Lavasoft Ad-Aware *Disabled* {7C60C9E6-45CB-6A4E-A458-CC330DD69F7B}
SP: Lavasoft Ad-Aware *Enabled/Outdated* {FF3AA927-299E-6498-B5B7-5E74888292BD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
FILE ::
"c:\users\Ben\AppData\Local\xwvgyyhm\gdnwubog.exe"
"c:\users\Ben\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gdnwubog.exe"
"c:\users\Ben\AppData\Roaming\monegf.dll"
"c:\windows\system32\drivers\etc\hosts.ics"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\etc\hosts.ics
.
.
(((((((((((((((((((((((((   Files Created from 2013-05-07 to 2013-06-07  )))))))))))))))))))))))))))))))
.
.
2013-06-07 19:39 . 2013-06-07 19:41 -------- d-----w- c:\users\Ben\AppData\Local\temp
2013-06-07 19:39 . 2013-06-07 19:39 -------- d-----w- c:\users\user\AppData\Local\temp
2013-06-07 19:39 . 2013-06-07 19:39 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2013-06-07 19:39 . 2013-06-07 19:39 -------- d-----w- c:\users\Public\AppData\Local\temp
2013-06-07 19:39 . 2013-06-07 19:39 -------- d-----w- c:\users\Mom\AppData\Local\temp
2013-06-07 19:39 . 2013-06-07 19:39 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-06-05 20:40 . 2013-06-06 21:52 -------- d-----w- c:\users\Ben\AppData\Roaming\Awesomium
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-18 13:30 . 2012-07-17 20:15 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-18 13:29 . 2011-12-11 17:00 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-01 07:08 . 2009-08-18 11:24 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-04-04 13:50 . 2011-09-27 05:32 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-03-15 05:46 . 2013-05-04 16:07 8952608 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2013-03-15 05:46 . 2013-05-04 16:07 892704 ----a-w- c:\windows\system32\nvdispgenco3231422.dll
2013-03-15 05:46 . 2013-05-04 16:07 6271872 ----a-w- c:\windows\system32\nvopencl.dll
2013-03-15 05:46 . 2013-05-04 16:07 2728736 ----a-w- c:\windows\system32\nvcuvid.dll
2013-03-15 05:46 . 2013-05-04 16:07 20542752 ----a-w- c:\windows\system32\nvoglv32.dll
2013-03-15 05:46 . 2013-05-04 16:07 1995552 ----a-w- c:\windows\system32\nvcuvenc.dll
2013-03-15 05:46 . 2013-05-04 16:07 13088000 ----a-w- c:\windows\system32\nvwgf2um.dll
2013-03-15 05:46 . 2013-05-04 16:07 1012512 ----a-w- c:\windows\system32\nvdispco3231422.dll
2013-03-15 05:46 . 2013-05-04 16:07 7959000 ----a-w- c:\windows\system32\nvcuda.dll
2013-03-15 05:46 . 2013-05-04 16:07 17560352 ----a-w- c:\windows\system32\nvcompiler.dll
2013-03-15 05:46 . 2008-10-07 12:33 2539128 ----a-w- c:\windows\system32\nvapi.dll
2013-03-15 05:46 . 2008-10-07 12:33 15042928 ----a-w- c:\windows\system32\nvd3dum.dll
2013-03-15 02:59 . 2011-01-07 21:06 4119328 ----a-w- c:\windows\system32\nvcpl.dll
2013-03-15 02:59 . 2011-01-07 21:06 3014432 ----a-w- c:\windows\system32\nvsvc.dll
2013-03-15 02:59 . 2011-01-07 21:06 634144 ----a-w- c:\windows\system32\nvvsvc.exe
2013-03-15 02:59 . 2011-01-07 21:06 223008 ----a-w- c:\windows\system32\nvmctray.dll
2013-03-15 02:59 . 2009-06-10 07:34 62752 ----a-w- c:\windows\system32\nvshext.dll
2009-12-06 17:18 26624 --sh--w- c:\windows\bfcs2.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTAgent.exe" [2012-10-23 3108480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2011-10-17 11430504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2013-05-08 41056]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-02-20 152392]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeAnimation"= 0 (0x0)
"NoStrCmpLogical"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 0 (0x0)
"NoStrCmpLogical"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ad-Aware Service]
@="Ad-Aware Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Aware Antivirus]
c:\program files\Ad-Aware Antivirus\AdAwareLauncher --windows-run [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Aware Browsing Protection]
2011-10-21 09:09 198032 ----a-w- c:\programdata\Ad-Aware Browsing Protection\adawarebp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-04-04 21:06 958576 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2013-05-08 21:20 41056 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2013-01-28 13:08 59720 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-27 19:03 152872 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-07-28 23:08 1259376 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2013-02-20 12:35 152392 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2008-06-09 10:16 2363392 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-09-23 00:47 4240760 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 15:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-09-17 12:41 254896 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2012-09-09 116608]
S2 Ad-Aware Service;Ad-Aware Service;c:\program files\Ad-Aware Antivirus\AdAwareService.exe [2012-07-12 1239952]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ    PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ    FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 10:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-21 c:\windows\Tasks\Ad-Aware Antivirus Scheduled Scan.job
- c:\progra~1\AD-AWA~1\AdAwareLauncher.exe [2012-07-12 17:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.wikipedia.org/
mStart Page = hxxp://search.my-tools-app.com/?babsrc=home&s=web&as=0&isid=9851
uInternet Settings,ProxyOverride = *.local
IE: Free YouTube Download - c:\users\Ben\AppData\Roaming\DVDVideoSoftIEHelpers\youtubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\users\Ben\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
Trusted Zone: clonewarsadventures.com
Trusted Zone: filefront.com\www
Trusted Zone: freerealms.com
Trusted Zone: o2.co.uk\*.broadband
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{76AF2689-2852-4DF7-9323-46D205CFBB99}: NameServer = 8.8.8.8,8.8.4.4
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-06-07 20:40
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
 [0] 0x74006500
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2248850226-3509068054-1813070806-1001\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:08,27,78,55,53,f5,43,ee,b7,e6,bf,17,5e,ad,07,dd,bd,3d,68,32,b2,0e,68,
   26,31,cd,95,66,e5,0c,ea,b9,10,53,11,a4,24,1f,db,77,ce,55,21,56,52,95,c2,a3,\
"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49
.
[HKEY_USERS\S-1-5-21-2248850226-3509068054-1813070806-1001\Software\SecuROM\License information*]
"datasecu"=hex:20,f0,23,37,b7,fc,56,ba,c5,9d,54,bf,a8,7f,8c,4a,56,9f,f4,00,98,
   17,c5,11,5c,fb,90,16,a1,86,89,41,b8,eb,30,b1,58,78,27,9e,f6,85,71,96,44,15,\
"rkeysecu"=hex:26,9c,e9,a6,6d,50,71,66,6d,d9,81,70,dc,1e,37,00
.
Completion time: 2013-06-07  20:47:39
ComboFix-quarantined-files.txt  2013-06-07 19:47
ComboFix2.txt  2013-06-01 22:56
ComboFix3.txt  2013-06-01 18:32
ComboFix4.txt  2013-05-28 20:14
ComboFix5.txt  2013-06-07 19:17
.
Pre-Run: 133,131,612,160 bytes free
Post-Run: 133,313,458,176 bytes free
.
- - End Of File - - 8F01A048E058384B1229218633E7EC01
5C616939100B85E558DA92B899A0FC36
 



#13 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 08 June 2013 - 10:44 AM

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Regards,
Jason

 



#14 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 12 June 2013 - 05:25 PM

Gnostiko,
 
It has been four days since my last post. Do you still need help?
 
If you do, please follow my previous instructions. :thumbup2:


Regards,
Jason

 



#15 Gnostiko

Gnostiko
  • Topic Starter

  • Members
  • 8 posts

Posted 13 June 2013 - 03:41 PM

Sorry about the late reply; system is still infected, I haven't been able to report in as I've been borrowing a friend's laptop (who wanted it back), as my own infected computer can't access these forums. Downloading your recommended program now...





