Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

ZeroAccess rootkit.


  • This topic is locked This topic is locked
28 replies to this topic

#16 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:56 AM

Posted 11 June 2013 - 09:16 PM


Hello DarkImpulses

We are not done yet so stay with me a little while longer

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::


 
Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
CFScriptB-4.gif
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"
  • In your next post I need the following
    • report from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

BC AdBot (Login to Remove)

 


#17 DarkImpulses

DarkImpulses
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:04:56 AM

Posted 11 June 2013 - 09:45 PM

ComboFix 13-06-08.02 - anita 06/11/2013  22:26:32.2.2 - x86
Microsoft® Windows Vista™ Ultimate   6.0.6002.2.1252.1.1033.18.1791.755 [GMT -4:00]
Running from: c:\users\anita\Desktop\AntiVirus\ComboFix.exe
Command switches used :: c:\users\anita\Desktop\CFScript.txt
AV: Norton AntiVirus *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Norton AntiVirus *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2013-05-12 to 2013-06-12  )))))))))))))))))))))))))))))))
.
.
2013-06-12 02:39 . 2013-06-12 02:39 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2013-06-12 02:39 . 2013-06-12 02:39 -------- d-----w- c:\users\hedev\AppData\Local\temp
2013-06-12 02:39 . 2013-06-12 02:39 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-06-11 23:09 . 2013-06-11 23:09 -------- d-----w- c:\users\anita\.minecraft
2013-06-11 22:19 . 2013-06-11 23:06 -------- d-----w- c:\users\anita\AppData\Roaming\.technic
2013-06-11 20:45 . 2013-06-12 02:39 -------- d-----w- c:\users\anita\AppData\Local\temp
2013-06-11 14:16 . 2013-06-11 14:20 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-06-11 01:23 . 2013-06-11 01:24 172 ----a-w- c:\windows\DeleteOnReboot.bat
2013-06-10 13:03 . 2013-06-10 13:03 -------- d-----w- c:\windows\ERUNT
2013-06-10 13:02 . 2013-06-11 21:09 -------- dc----w- C:\JRT
2013-06-08 17:29 . 2013-06-08 17:29 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-06-08 17:12 . 2013-06-08 17:12 -------- d-sh--w- c:\windows\system32\%APPDATA%
2013-06-08 16:47 . 2013-06-10 12:09 -------- d-----w- c:\users\anita\AppData\Roaming\tropico 4
2013-06-08 14:38 . 2013-06-11 20:44 -------- d-----w- c:\users\anita\AppData\Local\assembly
2013-06-08 14:37 . 2013-06-08 14:40 -------- d-----w- c:\program files\NCSoft
2013-06-07 18:59 . 2013-06-07 18:59 -------- d-----w- c:\programdata\Research In Motion
2013-06-07 18:58 . 2013-06-07 18:58 -------- d-----w- c:\program files\Research In Motion
2013-06-07 12:50 . 2013-06-07 12:50 -------- d-----w- c:\windows\46ED2B6485C74E1F920CA555B21F2E4C.TMP
2013-06-05 01:45 . 2013-06-05 01:45 -------- d-----w- c:\users\anita\AppData\Local\FalloutNV
2013-06-05 01:38 . 2013-06-05 01:38 -------- d-----w- c:\users\anita\AppData\Roaming\bsnes
2013-06-04 13:28 . 2012-12-10 19:48 35840 ----a-w- c:\windows\system32\drivers\RimSerial.sys
2013-06-04 13:25 . 2013-06-04 13:38 -------- d-----w- c:\program files\Common Files\XCPCSync.OEM
2013-06-04 13:04 . 2013-06-04 13:04 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2013-06-04 11:47 . 2013-06-07 02:48 -------- d-----w- c:\program files\Bethesda Softworks
2013-06-03 17:23 . 2013-06-03 17:23 -------- d-----w- c:\program files\Common Files\Overwolf
2013-06-03 16:13 . 2013-06-04 12:37 -------- d-----w- c:\users\anita\AppData\Local\SKIDROW
2013-06-03 00:27 . 2013-06-03 00:27 -------- d-----w- c:\users\anita\AppData\Local\CAPCOM
2013-06-02 19:11 . 2013-06-02 19:11 -------- d-----w- c:\program files\Firaxis Games
2013-05-31 01:53 . 2013-05-31 01:53 -------- d-----w- c:\programdata\Overwolf
2013-05-31 01:53 . 2013-06-03 17:23 -------- d-----w- c:\program files\Overwolf
2013-05-31 01:51 . 2013-06-11 14:19 -------- d-----w- c:\users\anita\AppData\Local\Overwolf
2013-05-30 23:54 . 2013-05-30 23:54 -------- d-----w- c:\users\anita\AppData\Local\Gameforge4d
2013-05-30 23:53 . 2013-06-07 14:18 -------- d-----w- c:\program files\GameforgeLive
2013-05-25 18:10 . 2013-05-25 18:10 -------- dc----w- C:\SearchProtect
2013-05-23 20:15 . 2013-06-10 22:34 -------- d-----w- c:\users\anita\AppData\Roaming\.minecraft
2013-05-23 12:13 . 2009-03-18 22:35 26176 ---ha-w- c:\windows\system32\hamachi.sys
2013-05-23 12:12 . 2013-05-23 12:12 -------- d-----w- c:\program files\LogMeIn Hamachi
2013-05-21 20:41 . 2013-05-22 21:23 -------- dc----w- C:\Perfect World Entertainment
2013-05-19 04:35 . 2013-05-19 04:35 -------- d-----w- c:\users\anita\AppData\Local\Chromium
2013-05-19 04:27 . 2013-05-19 04:27 -------- d-----w- c:\users\anita\AppData\Local\ApplicationHistory
2013-05-19 04:22 . 2013-05-19 04:31 -------- d-----w- c:\users\anita\AppData\Local\Turbine
2013-05-19 04:21 . 2013-05-19 04:21 -------- d-----w- c:\windows\system32\URTTEMP
2013-05-18 17:34 . 2013-06-07 00:28 -------- d-----w- c:\program files\MicroVolts
2013-05-18 17:24 . 2013-05-18 17:30 -------- dc----w- C:\MicroVolts Package
2013-05-17 21:34 . 2013-05-20 16:38 -------- d-----w- c:\users\anita\AppData\Roaming\SPORE
2013-05-17 21:23 . 2013-05-18 04:41 -------- d-----w- c:\program files\Electronic Arts
2013-05-17 21:17 . 2013-05-17 21:17 242240 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2013-05-17 21:17 . 2013-06-02 17:48 -------- d-----w- c:\users\anita\AppData\Roaming\DAEMON Tools Pro
2013-05-17 21:16 . 2013-05-17 21:17 -------- d-----w- c:\program files\DAEMON Tools Pro
2013-05-17 21:16 . 2013-05-17 21:19 -------- d-----w- c:\programdata\DAEMON Tools Pro
2013-05-17 19:17 . 2013-06-07 00:29 -------- d-----w- c:\users\anita\AppData\Roaming\Atari
2013-05-17 19:04 . 2013-05-17 19:04 -------- d-----w- c:\users\anita\AppData\Roaming\Leadertech
2013-05-16 07:17 . 2013-05-05 19:12 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-05-15 07:11 . 2013-04-15 14:20 638328 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-05-15 07:11 . 2013-04-13 10:56 37376 ----a-w- c:\windows\system32\cdd.dll
2013-05-15 07:11 . 2013-04-09 01:36 2049024 ----a-w- c:\windows\system32\win32k.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-08 17:29 . 2011-06-25 22:00 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-11 16:54 . 2010-06-24 15:33 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-04-04 18:50 . 2011-04-06 00:35 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-04-04 09:35 . 2013-04-28 01:35 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-03-23 17:48 . 2012-12-29 17:58 861088 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-03-23 17:48 . 2011-04-07 19:46 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-03-23 07:05 . 2013-03-23 07:05 677136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2012-12-11 15:59 . 2012-12-11 15:59 4096000 ----a-w- c:\program files\GUT1D31.tmp
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BIBLauncher"="c:\program files\Business-in-a-Box\BIBLauncher.exe" [2011-03-15 901600]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2013-01-02 3093624]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2013-04-19 18678376]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTAgent.exe" [2013-05-13 3111456]
"Overwolf"="c:\program files\Overwolf\Overwolf.exe" [2013-03-05 35256]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2010-06-14 153672]
"Lycosa"="c:\program files\Razer\Lycosa\razerhid.exe" [2007-11-20 147456]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2012-06-28 74752]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2013-05-15 2255184]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2013-01-17 267792]
.
c:\users\anita\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2011-10-4 576000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^anita^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\users\anita\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^anita^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\anita\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-10 16:49 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-30 15:45 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:23 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2009-02-26 23:36 30040 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-11-10 06:54 4240760 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2013-01-31 09:01 3970848 ----a-w- c:\windows\System32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2013-01-31 09:00 108832 ----a-w- c:\windows\System32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
2013-01-31 09:01 2859296 ----a-w- c:\windows\System32\nvsvc.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 13:19 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2013-03-12 11:32 253816 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:21 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
2009-04-11 13:19 2153472 ----a-w- c:\windows\System32\oobefldr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-21 02:23 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Xvid]
2011-01-17 19:41 8192 ----a-w- c:\program files\Xvid\CheckUpdate.exe
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 51640121
*NewlyCreated* - TRUESIGHT
*Deregistered* - 51640121
*Deregistered* - TrueSight
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ   FontCache
HPZ12 REG_MULTI_SZ   Pml Driver HPZ12 Net Driver HPZ12
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-06-06 16:58 1165776 ----a-w- c:\program files\Google\Chrome\Application\27.0.1453.110\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-12 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-06-08 17:29]
.
2013-06-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-06 14:34]
.
2013-06-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-06 14:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local;<local>
uSearchAssistant = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
Handler: intu-tt2012 - {02F985EF-502B-4597-993F-6BF9E004C138} - c:\program files\TurboTax 2012\ic2012pp.dll
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-06-11 22:39
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\20.3.1.22\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\20.3.1.22\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NCO]
"ImagePath"="\"c:\program files\Norton Identity Safe\Engine\2013.3.3.19\ccSvcHst.exe\" /s \"NCO\" /m \"c:\program files\Norton Identity Safe\Engine\2013.3.3.19\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-81207361-1857050813-3622411667-1000\*& ¢*t*]
@Allowed: (Read) (RestrictedCode)
"MachineID"=hex:94,74,83,73,10,56,65,00
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000001
.
Completion time: 2013-06-11  22:42:51
ComboFix-quarantined-files.txt  2013-06-12 02:42
ComboFix2.txt  2013-06-11 20:56
.
Pre-Run: 65,703,952,384 bytes free
Post-Run: 65,739,145,216 bytes free
.
- - End Of File - - 34A403A027C855388C9A33175CC0570F
5C616939100B85E558DA92B899A0FC36


#18 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:56 AM

Posted 11 June 2013 - 10:29 PM


Hello DarkImpulses

I would like to see a report that combofix makes.

extra combofix report
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click ok
copy and paste the report into this topic for me to review

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#19 DarkImpulses

DarkImpulses
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:04:56 AM

Posted 12 June 2013 - 08:16 AM

 Update for Microsoft Office 2007 (KB2508958)
µTorrent
32 Bit HP CIO Components Installer
3DVIA player 5.0
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.0.1)
Adobe Shockwave Player 11.6
Apple Application Support
AudibleManager
AVS Update Manager 1.0
AVS Video Converter 7
AVS4YOU Software Navigator 1.4
Bandisoft MPEG-1 Decoder
BlackBerry Desktop Software 6.1
Bonjour
Business-in-a-Box
Counter-Strike: Source
D3DX10
DAEMON Tools Pro
DEVIL MAY CRY 4
DivX Setup
DJ_AIO_03_F4200_Software_Min
Dwarfs F2P
Fallout 3 - Game of the Year Edition
Fallout Mod Manager 0.12.6
Geometry Wars: Retro Evolved
Google Chrome
Google Earth
Google Update Helper
Grand Chase version 041013
Happy Cloud Client
Home Bookkeeping Lite
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Deskjet F4200 All-In-One Driver 11.0 03
HyperCam 3
Java 7 Update 21
Java Auto Updater
Java™ 6 Update 23
Java™ 6 Update 38
Junk Mail filter update
League of Legends
Logitech Gaming Software 5.10
LogMeIn Hamachi
MagicDisc 2.7.106
Malwarebytes Anti-Malware version 1.75.0.1300
Mesh Runtime
Messenger Companion
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2742597)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Games for Windows - LIVE Redistributable
Microsoft Games for Windows Marketplace
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Microsoft XNA Framework Redistributable 3.1
Morrowind
Mouse Recorder Pro 1.3
MP3 Rocket
MPlayer (remove only)
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Norton AntiVirus
Norton Identity Safe
Norton Internet Security
NVIDIA Control Panel 307.83
NVIDIA Drivers
NVIDIA Graphics Driver 307.83
NVIDIA HD Audio Driver 1.3.18.0
NVIDIA Install Application
NVIDIA PhysX
NVIDIA Update 1.10.8
NVIDIA Update Components
Oblivion mod manager 1.1.12
Overwolf
Pando Media Booster
Portal 2
Project64 1.6
Quake
Razer Lycosa
RuneScape Launcher 1.2.2
Scan
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687311) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2687439) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2687499) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2760416) 32-Bit Edition 
Security Update for Microsoft Office Excel 2007 (KB2687307) 32-Bit Edition 
Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition 
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2597971) 32-Bit Edition 
Security Update for Microsoft Office Word 2007 (KB2760421) 32-Bit Edition 
Segoe UI
SGC 2.0.1.251
Shared Add-in Extensibility Update for Microsoft .NET Framework 2.0 (KB908002)
Shared Add-in Support Update for Microsoft .NET Framework 2.0 (KB908002)
Sid Meier's Pirates!
Skype Click to Call
Skype™ 6.3
SPORE™
Steam
swMSM
TeamViewer 8
The Elder Scrolls IV: Oblivion 
The Sims 2
The Sims 2 Nightlife
The Sims™ 2 Bon Voyage
The Sims™ 2 Seasons
Toolbox
Tropico 4
TurboTax 2012
Unity Web Player
Unofficial Oblivion Patch v3.4.3
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596802) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2687493) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2817359) 32-Bit Edition
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
VC80CRTRedist - 8.0.50727.4053
Winamp
Winamp Detector Plug-in
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Mail
Windows Live Mesh
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Messenger
Windows Live Messenger Companion Core
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live Remote Client
Windows Live Remote Client Resources
Windows Live Remote Service
Windows Live Remote Service Resources
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
WinRAR 4.01 (32-bit)
Xvid Video Codec


#20 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:56 AM

Posted 12 June 2013 - 12:46 PM



Hello

:P2P Warning!:

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.These logs are looking allot better. But we still have some work to do.


uninstall some programs

NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore this is fine just move to the next item on the list.

You can remove these programs using add/remove or you can use the free uninstaller from Revo (it does allot better of a job
  • Programs to remove

    • µTorrent
      Adobe Reader X (10.0.1)
      Java™ 6 Update 23
      Java™ 6 Update 38
      MP3 Rocket



  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.
.


Update Adobe reader
  • Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.
    • If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

      Note: When installing FoxitReader, be careful not to install anything to do with AskBar.

Clean Out Temp Files
  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here CCleaner
    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
    • Click Run Cleaner.
    • Close CCleaner.
: Malwarebytes' Anti-Malware :

I see you have MBAM installed - I think this is a great program and would like you to run a quick scan at this time
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.




Download HijackThis
  • Go Here to download HijackThis program
  • Save HijackThis to your desktop.
  • Right Click on Hijackthis and select "Run as Admin" (XP users just need to double click to run)
  • Click on "Do A system scan and save a logfile" (if you do not see "Do A system scan and save a logfile" then click on main menu)
  • copy and paste hijackthis report into the topic
"information and logs"
  • In your next post I need the following
    • Log From MBAM
    • report from Hijackthis
    • let me know of any problems you may have had
    • How is the computer doing now?
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#21 DarkImpulses

DarkImpulses
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:04:56 AM

Posted 13 June 2013 - 04:29 PM

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.06.08.05
 
Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
anita :: ANITA-PC [administrator]
 
6/13/2013 8:51:26 AM
mbam-log-2013-06-13 (08-51-26).txt
 
Scan type: Full scan (C:\|G:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 471229
Time elapsed: 8 hour(s), 37 minute(s), 5 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
(end)
 

Hijack this report
 

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:48:10 AM, on 6/13/2013
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16490)
Boot mode: Normal
 
Running processes:
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Norton Identity Safe\Engine\2013.3.3.19\ccSvcHst.exe
C:\Program Files\Norton AntiVirus\Engine\20.3.1.22\ccSvcHst.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
C:\Program Files\Razer\Lycosa\razerhid.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Razer\Lycosa\razertra.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\windows defender\MSASCui.exe
C:\Program Files\DAEMON Tools Pro\DTShellHlp.exe
C:\Program Files\Winamp\winamp.exe
G:\Games\The Sims 2\Bon Voyage\TSBin\Sims2EP6.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\anita\Desktop\HijackThis.exe
 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
O2 - BHO: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\20.3.1.22\IPS\IPSBHO.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files\Windows Live\Companion\companioncore.dll
O2 - BHO: Norton Identity Protection - {AB4C7833-A6EC-433f-B9FE-6B14B1A2F836} - C:\Program Files\Norton Identity Safe\Engine\2013.3.3.19\coIEPlg.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O3 - Toolbar: Norton Identity Safe Toolbar - {A13C2648-91D4-4bf3-BC6D-0079707C4389} - C:\Program Files\Norton Identity Safe\Engine\2013.3.3.19\coIEPlg.dll
O3 - Toolbar: (no name) - !{A13C2648-91D4-4bf3-BC6D-0079707C4389} - (no file)
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [Lycosa] "C:\Program Files\Razer\Lycosa\razerhid.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKUS\S-1-5-21-81207361-1857050813-3622411667-1001\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'UpdatusUser')
O4 - HKUS\S-1-5-21-81207361-1857050813-3622411667-1001\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'UpdatusUser')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
O9 - Extra button: @C:\Program Files\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files\Windows Live\Companion\companioncore.dll
O9 - Extra button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - Trusted Zone: *.clonewarsadventures.com
O15 - Trusted Zone: *.freerealms.com
O15 - Trusted Zone: *.soe.com
O15 - Trusted Zone: *.sony.com
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: intu-tt2012 - {02F985EF-502B-4597-993F-6BF9E004C138} - C:\Program Files\TurboTax 2012\ic2012pp.dll
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: BlackBerry Device Manager (Blackberry Device Manager) - Research In Motion Limited - C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: LogMeIn Hamachi Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Norton AntiVirus (NAV) - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\20.3.1.22\ccSvcHst.exe
O23 - Service: Norton Identity Safe (NCO) - Symantec Corporation - C:\Program Files\Norton Identity Safe\Engine\2013.3.3.19\ccSvcHst.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
O23 - Service: Overwolf Updater Service (OverwolfUpdaterService) - Overwolf Ltd - C:\Program Files\Overwolf\OverwolfUpdater.exe
O23 - Service: SGC Updater - Unknown owner - C:\Program Files\Social Grammar Checker\ExtensionUpdaterService.exe
O23 - Service: Skype C2C Service - Skype Technologies S.A. - C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: TeamViewer 8 (TeamViewer8) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe
 
--
End of file - 9212 bytes


#22 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:56 AM

Posted 13 June 2013 - 09:21 PM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.
  • Run HijackThis (rightclick and run as admin)
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
      O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
      O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKUS\S-1-5-21-81207361-1857050813-3622411667-1001\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'UpdatusUser')
      O4 - HKUS\S-1-5-21-81207361-1857050813-3622411667-1001\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'UpdatusUser')
      O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe

  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.
    • NOTE**You can research each of those lines >here< and see if you want to keep them or not
      just copy the name between the brackets and paste into the search space
      O4 - HKLM\..\Run: [IntelliPoint]

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the add/on to be installed
    • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options
    • Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.

  • Click Scan
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish
When the scan is complete
  • If no threats were found
    • put a checkmark in "Uninstall application on close"
    • close program
    • report to me that nothing was found
  • If threats were found
    • click on "list of threats found"
    • click on "export to text file" and save it as ESET SCAN and save to the desktop
    • Click on back
    • put a checkmark in "Uninstall application on close"
    • click on finish
    • close program
    • copy and paste the report here
Gringo

Edited by gringo_pr, 13 June 2013 - 09:21 PM.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#23 DarkImpulses

DarkImpulses
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:04:56 AM

Posted 14 June 2013 - 04:25 PM

The online scan didn't find anything and I can disable the start up programs myself I don't want them deleted some of them I do use the DivX update and java update and something else I got rid of though they are pretty well useless.



#24 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:56 AM

Posted 14 June 2013 - 09:10 PM


Hello DarkImpulses

Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.

:Why we need to remove some of our tools:
  • Some of the tools we have used to clean your computer were made by fellow malware fighters and are very powerful and if used incorrectly or at the wronge time can make the computer an expensive paper weight.
    They are updated all the time and some of them more than once a day so by the time you are ready to use them again they will already be outdated.

    The following procedures will implement some cleanup procedures to remove these tools. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.
:DeFogger:

Note** Defogger only needs to be run if it was run when we first started. If you have not already run it then skip this.
  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
    • The application window will appear
    • Click the Re-enable button to re-enable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK.
    Your Emulation drivers are now re-enabled.

:Uninstall ComboFix:
  • turn off all active protection software
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.
  • CF-Uninstall.png
:Remove the rest of our tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
  • If asked to restart the computer, please do so
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

About Java
  • During the cleaning process if I found that Java was installed I asked for it to be uninstalled, Many home users will not miss it. If you use OpenOffice, play online games or use business applications which require Java, Then you need to install the latest version and make sure to disable it in your web browsers.

    If an application or website requires it, you should receive a notification indicating that when you attempt to launch that application or access that website.

    Link to download latest version. - install Java

    How to disable java in your web browsers - Disable Java

:The programs you can keep:

Some of the programs that we have used would be a good idea to keep and used often in helping to keep the computer clean. I use these programs on my computer.
  • Revo Uninstaller Free - this is the uninstaller that I had you download and works allot better than add/remove in windows and has saved me more than once from corrupted installs and uninstalls

    CCleaner - This is a good program to clean out temp files, I would use this once a week or before any malware scan to remove unwanted temp files - It has a built in registry cleaner but I would leave that alone and not use any registry cleaner

    Malwarebytes' Anti-Malware The Gold standerd today in antimalware scanners

:Security programs:

One of the questions I am asked all the time is "What programs do you use" I have at this time 4 computers in my home and I have this setup on all 4 of them.
  • Microsoft Security Essentials - provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.
  • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
    totally free but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recomend keeping it and using often. (I have upgraded to the paid version of MBAM and I am glad I did)

    Note** If you decide to install MSE you will need to uninstall your present Antivirus
:Security awareness:


It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
Strong passwords: How to create and use them Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.


The other question I am asked all the time is "How can I prevent this from happening again." and the short answer to that is to be aware of what is out there and how to start spotting dangers.

Here are some articles that are must reads and should be read by everybody in your household that uses the internetHere is some more reading for you from some of my collegesquoted from Tech Support Forum

Conclusion

There is no such thing as ‘perfect security’. This applies to many things, not just computer systems. Using the above guide you should be able to take all the reasonable steps you can to prevent infection. However, the most important part of all this is you, the user. Surf sensibly and think before you download a file or click on a link. Take a few moments to assess the possible risks and you should be able to enjoy all the internet has to offer.


I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#25 DarkImpulses

DarkImpulses
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:04:56 AM

Posted 15 June 2013 - 02:07 AM

So after I run all these programs my cpu functions normally for a day or so and then just goes back to using 50% of my phsyical memory on absolutely nothing ? I mean I don't know what is going on but it is really starting to annoy me. It runs perfectly fine all day and all of a sudden it just decides that 50% of my resources need to be taken up. Besides that I will uninstall combofix in the morning and I have removed all the other programs except MBAR , MBAM and the JRT/Adware removal I think I will keep up with those ones so they can do the tedious tasks of cleaning out all the junk files for me. 



#26 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:56 AM

Posted 15 June 2013 - 01:32 PM


Hello

MBAR, Jrt and adwarecleaner are update all the time keeping them today may do no good tomorrow and may even be dangerous down the road.

It sound like something else is going on besides malware to start investigating this you can start by doing this.

I want you to run things in selective startup, this will help pinpoint the type of problem it is



1. push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
2. In the Open box, type msconfig and then click OK. The System Configuration Utility appears.
3. Click the "services" tab.
4. Put a checkmark in "hide all Microsofts services".
5. Uncheck anything that is left.
6. click on the "startup" tab
7. uncheck all under this tab
8. click on the apply button


Restat the computer and see how things are doing, If things are doing better then repeat the process but this time start with the services and start by adding the first half back and apply the changes

If things go bad again then you know the problem is in the services that you restarted and you can keep searching untill you find the one it is

if you restart all the services and things are still ok then go back and do the same thing for the startup programs



Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#27 DarkImpulses

DarkImpulses
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:04:56 AM

Posted 16 June 2013 - 12:39 PM

I turned off all start ups and everything that wasn't antivirus in services and apparently I am still using 50% I mean my computer is junk but I never used to use 50% on start up before 20% was the maximum. I can't even run Minecraft or simple stuff without tremendous lag



#28 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:56 AM

Posted 16 June 2013 - 05:51 PM

Hello

you can use this tool to help narrow down what is causing the problem

http://www.bleepingcomputer.com/forums/t/354690/process-explorer-mini-guide-and-screenshots/

gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#29 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:56 AM

Posted 22 June 2013 - 07:29 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users