Sirefef/ZeroAccess-Infected-Microsoft Security Essentials Disabled


  • This topic is locked
20 replies to this topic

#1 Bokkman

  • Members
  • 32 posts

Posted 19 June 2013 - 09:35 AM

Hello,

 

From post: http://www.bleepingcomputer.com/forums/t/498328/suspected-sirefef-infection/

 

It started when Windows notified me that my antivirus, firewall and a driver were disabled.

I cannot run, change, uninstall or download* Microsoft Security Essentials. The warning prompt says I do not have permission or the application/file was not found. I checked account permissions, all OK. I checked the file/application location, all OK. Googling led me to suspect a Sirefef infection.

 

*Using my default Internet Explorer 10 browser, I am unable to download anything that merely resembles a program. This even includes photos or videos from a browser e-mail program (Hotmail). The download notice says the file was a virus and has been deleted, and I think it deletes the file from the computer (I've tried looking). I tried saving as a filename that looked innocent - to no avail. I believe I have found a workaround by using Firefox to (as of this post) download and run Rkill and DDS from a USB stick. I expect to be able to download and run any necessary tool/application that I need via Firefox.

 

I've shut down and started the computer once, and also did a restart. There seems to be no other noticeable activity - no change in boot times, no changes in Windows activity (weird system tray icons etc.), no other notifications, the PC is running at regular speed, no noticeable changes in browser activity or redirections. Everything seems fine, other than my AV being disabled.

 

Attached is the DDS 'Attach' log. I will post the other log after this to keep the thread clean.

 

Note that it is currently 2:30am where I am - I will be back in approx four hours but may be unable to do anything until approx 16 hours. If you need to prioritise something else, or go to sleep or do anything else - feel free to do so :)

 

Thank you.



DDS log:

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16611  BrowserJavaVersion: 10.5.1
Run by Business at 2:13:49 on 2013-06-20
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.64.1033.18.3687.1657 [GMT 12:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\system32\atiesrxx.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k GPSvcGroup
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\atieclxx.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\system32\taskhost.exe
C:\windows\system32\taskeng.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
c:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\Elantech\ETDCtrl.exe
C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Logitech Gaming Software\LCore.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Elantech\ETDCtrlHelper.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe
C:\windows\system32\svchost.exe -k SDRSVC
C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\windows\System32\WUDFHost.exe
C:\windows\System32\MsSpellCheckingFacility.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\windows\system32\taskeng.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_7_700_224.exe
C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_7_700_224.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Bar = Preserve
mWinlogon: Userinit = userinit.exe,
BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
BHO: SteadyVideoBHO Class: {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} - c:\Program Files (x86)\AMD\SteadyVideo\SteadyVideo.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [] C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [NPSStartup] <no file>
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {99FE5072-78AA-4FEE-89BA-69A5FA55343F} - hxxp://download.microsoft.com/download/B/3/A/B3A2EA73-793D-4ABE-992D-C81140384044/igdtoolx.cab
DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.5.1.0.cab
TCP: Interfaces\{54D40571-529C-4D57-929E-3AB98D959E1D} : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{D30F6E56-7631-48BE-9CBD-CFB7B895B4B1} : NameServer = 192.168.0.1
TCP: Interfaces\{D30F6E56-7631-48BE-9CBD-CFB7B895B4B1}\75962756C656373702C696E6B6 : DHCPNameServer = 202.180.64.10 202.180.64.11
Filter: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - c:\Program Files (x86)\AMD\SteadyVideo\VideoMIMEFilter.dll
Filter: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - c:\Program Files (x86)\AMD\SteadyVideo\VideoMIMEFilter.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
x64-BHO: SteadyVideoBHO Class: {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} - c:\Program Files\AMD\SteadyVideo\SteadyVideo.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [TPwrMain] C:\Program Files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
x64-Run: [SmoothView] C:\Program Files (x86)\Toshiba\SmoothView\SmoothView.exe
x64-Run: [00TCrdMain] C:\Program Files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
x64-Run: [ETDCtrl] C:\Program Files (x86)\Elantech\ETDCtrl.exe
x64-Run: [SmartFaceVWatcher] C:\Program Files (x86)\Toshiba\SmartFaceV\SmartFaceVWatcher.exe
x64-Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe
x64-Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe
x64-Run: [TosReelTimeMonitor] C:\Program Files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
x64-Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey
x64-Run: [Launch LCore] C:\Program Files\Logitech Gaming Software\LCore.exe /minimized
x64-Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SACpl.exe /t
x64-IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Filter: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - c:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll
x64-Filter: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - c:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Business\AppData\Roaming\Mozilla\Firefox\Profiles\n936ajd4.default\
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll
FF - plugin: C:\windows\SysWOW64\npdeployJava1.dll
FF - plugin: C:\windows\SysWOW64\npmproxy.dll
FF - ExtSQL: 2013-06-04 19:59; {23fcfd51-4958-4f00-80a3-ae97e717ed8b}; C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\DivXHTML5
.
============= SERVICES / DRIVERS ===============
.
R0 amd_sata;amd_sata;C:\windows\System32\drivers\amd_sata.sys [2012-3-5 75904]
R0 amd_xata;amd_xata;C:\windows\System32\drivers\amd_xata.sys [2012-3-5 38016]
R0 MpFilter;Microsoft Malware Protection Driver;C:\windows\System32\drivers\MpFilter.sys [2013-1-20 230320]
R2 AMD External Events Utility;AMD External Events Utility;C:\windows\System32\atiesrxx.exe [2012-10-10 204288]
R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2012-4-5 361984]
R2 AODDriver4.1;AODDriver4.1;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\aoddriver2.sys [2012-3-5 53888]
R2 cfWiMAXService;ConfigFree WiMAX Service;C:\Program Files (x86)\Toshiba\ConfigFree\CFIWmxSvcs64.exe [2010-1-29 249200]
R2 ConfigFree Service;ConfigFree Service;C:\Program Files (x86)\Toshiba\ConfigFree\CFSvcs.exe [2009-3-11 46448]
R2 NisDrv;Microsoft Network Inspection System;C:\windows\System32\drivers\NisDrvWFP.sys [2011-4-27 130008]
R2 Skype C2C Service;Skype C2C Service;C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2013-5-14 3289208]
R3 amdiox64;AMD IO Driver;C:\windows\System32\drivers\amdiox64.sys [2012-10-10 46136]
R3 ETD;ELAN PS/2 Port Input Device;C:\windows\System32\drivers\ETD.sys [2010-11-12 137512]
R3 FwLnk;FwLnk Driver;C:\windows\System32\drivers\FwLnk.sys [2012-3-5 9216]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\windows\System32\drivers\L1C62x64.sys [2011-4-20 169584]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;C:\windows\System32\drivers\LGBusEnum.sys [2009-11-24 22408]
R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;C:\windows\System32\drivers\LGVirHid.sys [2009-11-24 16008]
R3 PGEffect;Pangu effect driver;C:\windows\System32\drivers\PGEffect.sys [2012-3-5 38096]
R3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\windows\System32\drivers\rtl8192ce.sys [2012-3-5 1109096]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-2-6 137560]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-1-8 161536]
S3 BEService;BattlEye Service;C:\Program Files (x86)\Common Files\BattlEye\BEService.exe [2013-4-5 49152]
S3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;C:\windows\System32\drivers\BVRPMPR5a64.SYS [2013-1-18 35840]
S3 fssfltr;fssfltr;C:\windows\System32\drivers\fssfltr.sys [2012-3-5 48488]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-9-23 1493352]
S3 LGSHidFilt;Logitech Gaming KMDF HID Filter Driver;C:\windows\System32\drivers\LGSHidFilt.Sys [2012-2-8 66328]
S3 NisSrv;NisSrv;C:\Program Files\Microsoft Security Client\NisSrv.exe [2013-1-27 379360]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\windows\System32\drivers\rdpvideominiport.sys [2012-10-27 19456]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\windows\System32\drivers\RtsUStor.sys [2012-3-5 243712]
S3 TMachInfo;TMachInfo;C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\TMachInfo.exe [2012-3-5 51576]
S3 TsUsbFlt;TsUsbFlt;C:\windows\System32\drivers\TsUsbFlt.sys [2012-10-27 57856]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\System32\drivers\TsUsbGD.sys [2012-10-27 30208]
S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\System32\drivers\usbaapl64.sys [2012-12-13 54784]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\System32\Wat\WatAdminSvc.exe [2012-3-4 1255736]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-23 57184]
.
=============== Created Last 30 ================
.
2013-06-18 09:23:50    --------    d-----w-    C:\Program Files (x86)\ESET
2013-06-15 09:12:11    76232    ----a-w-    C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{87688882-D23B-44DF-8C7E-F7FEACEFEF06}\offreg.dll
2013-06-14 08:07:18    964552    ----a-w-    C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{99B5C9B0-D1C4-431E-9322-C9822AF01611}\gapaengine.dll
2013-06-14 08:06:54    9460464    ----a-w-    C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{87688882-D23B-44DF-8C7E-F7FEACEFEF06}\mpengine.dll
2013-06-13 06:22:12    9460464    ----a-w-    C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-06-11 19:05:44    279040    ----a-w-    C:\Program Files\Internet Explorer\sqmapi.dll
2013-06-11 19:03:50    30720    ----a-w-    C:\windows\System32\cryptdlg.dll
2013-06-11 19:02:17    1887232    ----a-w-    C:\windows\System32\d3d11.dll
2013-06-11 19:02:17    1505280    ----a-w-    C:\windows\SysWow64\d3d11.dll
2013-06-10 08:35:05    --------    d-----w-    C:\Program Files\iPod
2013-06-10 08:35:03    --------    d-----w-    C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-06-10 08:35:03    --------    d-----w-    C:\Program Files\iTunes
2013-06-10 08:35:03    --------    d-----w-    C:\Program Files (x86)\iTunes
2013-06-04 07:57:16    --------    d-----w-    C:\Program Files\DivX
2013-06-04 07:57:04    --------    d-----w-    C:\Program Files (x86)\Common Files\DivX Shared
2013-06-04 07:54:13    --------    d-----w-    C:\Program Files (x86)\DivX
2013-06-04 07:52:33    --------    d-----w-    C:\ProgramData\DivX
2013-05-21 07:56:55    964552    ------w-    C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{AAF99B6B-9F9E-4D26-8C03-D830241136CD}\gapaengine.dll
.
==================== Find3M  ====================
.
2013-06-12 19:15:41    71048    ----a-w-    C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-06-12 19:15:41    692104    ----a-w-    C:\windows\SysWow64\FlashPlayerApp.exe
2013-06-08 12:28:46    2706432    ----a-w-    C:\windows\System32\mshtml.tlb
2013-06-08 11:13:19    2706432    ----a-w-    C:\windows\SysWow64\mshtml.tlb
2013-05-17 01:25:57    1767936    ----a-w-    C:\windows\SysWow64\wininet.dll
2013-05-17 01:25:27    2877440    ----a-w-    C:\windows\SysWow64\jscript9.dll
2013-05-17 01:25:26    61440    ----a-w-    C:\windows\SysWow64\iesetup.dll
2013-05-17 01:25:26    109056    ----a-w-    C:\windows\SysWow64\iesysprep.dll
2013-05-17 00:59:03    2241024    ----a-w-    C:\windows\System32\wininet.dll
2013-05-17 00:58:10    3958784    ----a-w-    C:\windows\System32\jscript9.dll
2013-05-17 00:58:08    67072    ----a-w-    C:\windows\System32\iesetup.dll
2013-05-17 00:58:08    136704    ----a-w-    C:\windows\System32\iesysprep.dll
2013-05-14 12:23:25    89600    ----a-w-    C:\windows\System32\RegisterIEPKEYs.exe
2013-05-14 08:40:13    71680    ----a-w-    C:\windows\SysWow64\RegisterIEPKEYs.exe
2013-05-13 05:51:01    184320    ----a-w-    C:\windows\System32\cryptsvc.dll
2013-05-13 05:51:00    1464320    ----a-w-    C:\windows\System32\crypt32.dll
2013-05-13 05:51:00    139776    ----a-w-    C:\windows\System32\cryptnet.dll
2013-05-13 05:50:40    52224    ----a-w-    C:\windows\System32\certenc.dll
2013-05-13 04:45:55    140288    ----a-w-    C:\windows\SysWow64\cryptsvc.dll
2013-05-13 04:45:55    1160192    ----a-w-    C:\windows\SysWow64\crypt32.dll
2013-05-13 04:45:55    103936    ----a-w-    C:\windows\SysWow64\cryptnet.dll
2013-05-13 03:43:55    1192448    ----a-w-    C:\windows\System32\certutil.exe
2013-05-13 03:08:10    903168    ----a-w-    C:\windows\SysWow64\certutil.exe
2013-05-13 03:08:06    43008    ----a-w-    C:\windows\SysWow64\certenc.dll
2013-05-10 03:20:54    24576    ----a-w-    C:\windows\SysWow64\cryptdlg.dll
2013-05-08 06:39:01    1910632    ----a-w-    C:\windows\System32\drivers\tcpip.sys
2013-05-02 15:29:56    278800    ------w-    C:\windows\System32\MpSigStub.exe
2013-04-26 05:51:36    751104    ----a-w-    C:\windows\System32\win32spl.dll
2013-04-26 04:55:21    492544    ----a-w-    C:\windows\SysWow64\win32spl.dll
2013-04-18 07:08:14    4659712    ----a-w-    C:\windows\SysWow64\Redemption.dll
2013-04-17 07:02:06    1230336    ----a-w-    C:\windows\SysWow64\WindowsCodecs.dll
2013-04-17 06:24:46    1424384    ----a-w-    C:\windows\System32\WindowsCodecs.dll
2013-04-13 05:49:23    135168    ----a-w-    C:\windows\apppatch\AppPatch64\AcXtrnal.dll
2013-04-13 05:49:19    350208    ----a-w-    C:\windows\apppatch\AppPatch64\AcLayers.dll
2013-04-13 05:49:19    308736    ----a-w-    C:\windows\apppatch\AppPatch64\AcGenral.dll
2013-04-13 05:49:19    111104    ----a-w-    C:\windows\apppatch\AppPatch64\acspecfc.dll
2013-04-13 04:45:16    474624    ----a-w-    C:\windows\apppatch\AcSpecfc.dll
2013-04-13 04:45:15    2176512    ----a-w-    C:\windows\apppatch\AcGenral.dll
2013-04-12 14:45:08    1656680    ----a-w-    C:\windows\System32\drivers\ntfs.sys
2013-04-10 06:01:54    265064    ----a-w-    C:\windows\System32\drivers\dxgmms1.sys
2013-04-10 06:01:53    983400    ----a-w-    C:\windows\System32\drivers\dxgkrnl.sys
2013-04-10 03:30:50    3153920    ----a-w-    C:\windows\System32\win32k.sys
2013-04-04 02:50:32    25928    ----a-w-    C:\windows\System32\drivers\mbam.sys
2013-04-03 17:30:50    208216    ----a-w-    C:\windows\System32\drivers\19582545.sys
2013-04-03 07:58:08    1919168    ----a-w-    C:\windows\System32\WdfCoInstaller01005.dll
2013-04-03 07:58:08    1919168    ----a-w-    C:\windows\System32\drivers\WdfCoInstaller01005.dll
2013-04-03 07:58:08    17736    ----a-w-    C:\windows\System32\drivers\ssadwh.sys
2013-04-03 07:58:08    17224    ----a-w-    C:\windows\System32\drivers\ssadcm.sys
2013-04-01 06:03:35    78680    ----a-w-    C:\windows\System32\mcupdate_AuthenticAMD.dll
2013-03-23 01:09:28    354656    ----a-w-    C:\windows\SysWow64\DivXControlPanelApplet.cpl
.
============= FINISH:  2:14:18.02 ===============

#2 RPMcMurphy


  • Malware Response Team
  • 3,970 posts

Posted 20 June 2013 - 08:00 AM

Hello and welcome. Please follow these guidelines while we work on your PC:

  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.



#3 Bokkman

  • Topic Starter

  • Members
  • 32 posts

Posted 20 June 2013 - 01:50 PM

FRST log:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 20-06-2013 01
Ran by Business (administrator) on 21-06-2013 06:46:26
Running from E:\BChelp
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(AMD) C:\windows\system32\atiesrxx.exe
(AMD) C:\windows\system32\atieclxx.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
(Advanced Micro Devices, Inc.) c:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrl.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliPoint\ipoint.exe
(Logitech Inc.) C:\Program Files\Logitech Gaming Software\LCore.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrlHelper.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Skype Technologies S.A.) C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
(TOSHIBA Corporation) C:\windows\system32\TODDSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
(TOSHIBA CORPORATION) C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe
(TOSHIBA CORPORATION) C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe
(Microsoft Corporation) C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: []  [x]
HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [566184 2010-09-29] (TOSHIBA Corporation)
HKLM\...\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [508216 2009-07-29] (TOSHIBA Corporation)
HKLM\...\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [915320 2010-05-11] (TOSHIBA Corporation)
HKLM\...\Run: [ETDCtrl] %ProgramFiles%\Elantech\ETDCtrl.exe [2588456 2010-11-12] (ELAN Microelectronics Corp.)
HKLM\...\Run: [SmartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe [238080 2009-10-20] (TOSHIBA Corporation)
HKLM\...\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [709976 2010-02-06] (TOSHIBA Corporation)
HKLM\...\Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [24376 2009-11-12] (TOSHIBA Corporation)
HKLM\...\Run: [TosReelTimeMonitor] %ProgramFiles%\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [38304 2010-07-10] (TOSHIBA Corporation)
HKLM\...\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2417032 2011-08-01] (Microsoft Corporation)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey [x]
HKLM\...\Run: [Launch LCore] C:\Program Files\Logitech Gaming Software\LCore.exe /minimized [6900024 2012-07-24] (Logitech Inc.)
HKLM\...\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SACpl.exe /t [1647616 2012-06-13] (Conexant Systems, Inc.)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox]  ATTENTION! ====> ZeroAccess
HKCU\...\Run: [] C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe [x]
HKCU\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2012-03-11] (Google Inc.)
HKCU\...\Policies\system: [DisableRegistryTools] 0
HKCU\...\Policies\system: [DisableTaskMgr] 0
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [NPSStartup]  [x]
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-05] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [641664 2012-04-06] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "c:\Program Files (x86)\AMD AVT\bin\kdbsync.exe" aml [10752 2012-02-20] ()
HKLM-x32\...\Run: [EaseUS EPM tray] C:\Program Files (x86)\EaseUS\EaseUS Partition Master 9.2.2\bin\EpmNews.exe [x]
HKLM-x32\...\Run: [DivXMediaServer] C:\Program Files (x86)\DivX\DivX Media Server\DivXMediaServer.exe [450560 2013-05-20] (DivX, LLC)
HKLM-x32\...\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1263952 2013-02-13] ()
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [152392 2013-05-31] (Apple Inc.)

==================== Internet (Whitelisted) ====================

HKCU SearchScopes: DefaultScope {EC1542C5-0022-4B1E-9932-C91E3188F66F} URL = http://searchou.com/?q={searchTerms}&id=80d71d7d000000000000e0ca94babd9a&r=916
SearchScopes: HKCU - {B3B3A6AC-74EC-BD56-BCDB-EFA4799FB9DF} URL = http://amazon.smart-search.com/websearch/ref=bit_bds-y47_serp_ie_us_display?ie=UTF8&tagbase=bds-y47&tbrId=v1_bds-y47_95b4b96c512d45ea9c8067c274dc77be_1010_1001_20130403_NZ_ie_ds_&query={searchTerms}
SearchScopes: HKCU - {EC1542C5-0022-4B1E-9932-C91E3188F66F} URL = http://searchou.com/?q={searchTerms}&id=80d71d7d000000000000e0ca94babd9a&r=916
BHO: SteadyVideoBHO Class - {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} - C:\Program Files\AMD\SteadyVideo\SteadyVideo.dll (Advanced Micro Devices)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO: Skype add-on for Internet Explorer - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
BHO-x32: DivX Plus Web Player HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
BHO-x32: SteadyVideoBHO Class - {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} - C:\Program Files (x86)\amd\SteadyVideo\SteadyVideo.dll (Advanced Micro Devices)
BHO-x32: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll (Microsoft Corporation)
BHO-x32: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Skype Browser Helper - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
DPF: HKLM-x32 {99FE5072-78AA-4FEE-89BA-69A5FA55343F} http://download.microsoft.com/download/B/3/A/B3A2EA73-793D-4ABE-992D-C81140384044/igdtoolx.cab
DPF: HKLM-x32 {E6F480FC-BD44-4CBA-B74A-89AF7842937D} http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.5.1.0.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
Filter: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll (Advanced Micro Devices)
Filter: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll (Advanced Micro Devices)
Filter-x32: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\amd\SteadyVideo\VideoMIMEFilter.dll (Advanced Micro Devices)
Filter-x32: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\amd\SteadyVideo\VideoMIMEFilter.dll (Advanced Micro Devices)
Tcpip\..\Interfaces\{D30F6E56-7631-48BE-9CBD-CFB7B895B4B1}: [NameServer]192.168.0.1

FireFox:
========
FF ProfilePath: C:\Users\Business\AppData\Roaming\Mozilla\Firefox\Profiles\n936ajd4.default
FF Plugin: @adobe.com/FlashPlayer - C:\windows\system32\Macromed\Flash\NPSWF64_11_7_700_224.dll ()
FF Plugin: @divx.com/DivX VOD Helper,version=1.0.0 - C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin: @java.com/DTPlugin,version=10.5.0 - C:\windows\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @divx.com/DivX Plus Web Player Plug-In,version=1.0.0 - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF Plugin-x32: @divx.com/DivX VOD Helper,version=1.0.0 - C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin-x32: @java.com/DTPlugin,version=10.5.1 - C:\windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.5.1 - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Extension: MaagniePic - C:\Users\Business\AppData\Roaming\Mozilla\Firefox\Profiles\n936ajd4.default\Extensions\ycckua@st-oiu.org

==================== Services (Whitelisted) =================

R2 AMD FUEL Service; c:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [361984 2012-04-05] (Advanced Micro Devices, Inc.)
S3 BEService; C:\Program Files (x86)\Common Files\BattlEye\BEService.exe [49152 2013-04-05] ()
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] ()
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [379360 2013-01-27] ()
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] ()

==================== Drivers (Whitelisted) ====================

R2 AODDriver4.1; c:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [53888 2012-03-05] (Advanced Micro Devices)
S3 LGSHidFilt; C:\Windows\System32\DRIVERS\LGSHidFilt.Sys [66328 2012-02-08] (Logitech Inc.)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)
S3 dgderdrv; System32\drivers\dgderdrv.sys [x]
S1 oqxrrvey; \??\C:\windows\system32\drivers\oqxrrvey.sys [x]
S3 TFsExDisk; \??\C:\windows\System32\Drivers\TFsExDisk.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-06-21 06:46 - 2013-06-21 06:46 - 00000000 ____D C:\FRST
2013-06-20 02:14 - 2013-06-20 02:14 - 00020541 ____A C:\Users\Business\Desktop\dds.txt
2013-06-20 02:14 - 2013-06-20 02:14 - 00009393 ____A C:\Users\Business\Desktop\attach.txt
2013-06-19 21:34 - 2013-06-19 21:34 - 20896392 ____A (Microsoft Corporation) C:\Users\Business\Downloads\Windows-KB890830-x64-V5.1.exe
2013-06-19 21:30 - 2013-06-19 21:31 - 00014908 ____A C:\Users\Business\Desktop\Rkill.txt
2013-06-19 21:27 - 2013-06-19 21:27 - 01814144 ____A (Bleeping Computer, LLC) C:\Users\Business\Downloads\rkill.com
2013-06-19 21:22 - 2013-06-19 21:22 - 00688992 ____A (Swearware) C:\Users\Business\Downloads\dds.com
2013-06-18 21:23 - 2013-06-18 21:23 - 00000000 ____D C:\Program Files (x86)\ESET
2013-06-12 07:07 - 2013-05-17 13:25 - 02877440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-06-12 07:07 - 2013-05-17 13:25 - 01767936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-06-12 07:07 - 2013-05-17 13:25 - 00690688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-06-12 07:07 - 2013-05-17 13:25 - 00493056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-06-12 07:07 - 2013-05-17 13:25 - 00109056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-06-12 07:07 - 2013-05-17 13:25 - 00061440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-06-12 07:07 - 2013-05-17 13:25 - 00039424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-06-12 07:07 - 2013-05-17 13:25 - 00033280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-06-12 07:07 - 2013-05-17 12:59 - 02241024 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-06-12 07:07 - 2013-05-17 12:59 - 00051712 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-06-12 07:07 - 2013-05-17 12:58 - 03958784 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-06-12 07:07 - 2013-05-17 12:58 - 00855552 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-06-12 07:07 - 2013-05-17 12:58 - 00603136 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-06-12 07:07 - 2013-05-17 12:58 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-06-12 07:07 - 2013-05-17 12:58 - 00067072 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-06-12 07:07 - 2013-05-17 12:58 - 00053248 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-06-12 07:07 - 2013-05-17 12:58 - 00039936 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-06-12 07:07 - 2013-05-15 00:23 - 00089600 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-06-12 07:07 - 2013-05-14 20:40 - 00071680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-06-12 07:05 - 2013-06-09 02:08 - 01365504 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-06-12 07:05 - 2013-06-09 02:07 - 19233792 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-06-12 07:05 - 2013-06-09 02:06 - 15404544 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-06-12 07:05 - 2013-06-09 02:06 - 02648064 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-06-12 07:05 - 2013-06-09 02:06 - 00526336 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-06-12 07:05 - 2013-06-09 00:28 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-06-12 07:05 - 2013-06-08 23:42 - 01141248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-06-12 07:05 - 2013-06-08 23:40 - 14327808 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-06-12 07:05 - 2013-06-08 23:40 - 13760512 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-06-12 07:05 - 2013-06-08 23:40 - 02046976 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-06-12 07:05 - 2013-06-08 23:40 - 00391168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-06-12 07:05 - 2013-06-08 23:13 - 02706432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-06-12 07:03 - 2013-05-13 17:51 - 01464320 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2013-06-12 07:03 - 2013-05-13 17:51 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2013-06-12 07:03 - 2013-05-13 17:51 - 00139776 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2013-06-12 07:03 - 2013-05-13 17:50 - 00052224 ____A (Microsoft Corporation) C:\Windows\System32\certenc.dll
2013-06-12 07:03 - 2013-05-13 16:45 - 01160192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2013-06-12 07:03 - 2013-05-13 16:45 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2013-06-12 07:03 - 2013-05-13 16:45 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2013-06-12 07:03 - 2013-05-13 15:43 - 01192448 ____A (Microsoft Corporation) C:\Windows\System32\certutil.exe
2013-06-12 07:03 - 2013-05-13 15:08 - 00903168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\certutil.exe
2013-06-12 07:03 - 2013-05-13 15:08 - 00043008 ____A (Microsoft Corporation) C:\Windows\SysWOW64\certenc.dll
2013-06-12 07:03 - 2013-05-10 17:49 - 00030720 ____A (Microsoft Corporation) C:\Windows\System32\cryptdlg.dll
2013-06-12 07:03 - 2013-05-10 15:20 - 00024576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptdlg.dll
2013-06-12 07:03 - 2013-05-08 18:39 - 01910632 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-06-12 07:03 - 2013-04-26 17:51 - 00751104 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2013-06-12 07:03 - 2013-04-26 16:55 - 00492544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll
2013-06-12 07:03 - 2013-04-17 19:02 - 01230336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2013-06-12 07:03 - 2013-04-17 18:24 - 01424384 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecs.dll
2013-06-12 07:02 - 2013-04-26 11:30 - 01505280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d11.dll
2013-06-12 07:02 - 2013-04-01 10:52 - 01887232 ____A (Microsoft Corporation) C:\Windows\System32\d3d11.dll
2013-06-10 20:36 - 2013-06-10 20:36 - 00001749 ____A C:\Users\Public\Desktop\iTunes.lnk
2013-06-10 20:35 - 2013-06-10 20:36 - 00000000 ____D C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-06-10 20:35 - 2013-06-10 20:36 - 00000000 ____D C:\Program Files\iTunes
2013-06-10 20:35 - 2013-06-10 20:36 - 00000000 ____D C:\Program Files (x86)\iTunes
2013-06-10 20:35 - 2013-06-10 20:35 - 00000000 ____D C:\Program Files\iPod
2013-06-06 18:18 - 2013-06-06 18:18 - 00014335 ____A C:\Users\Business\Documents\Apple.odt
2013-06-04 20:04 - 2013-06-04 20:04 - 00001193 ____A C:\Users\Business\Desktop\FrostWire 5.5.6.lnk
2013-06-04 20:01 - 2013-06-04 20:01 - 00000000 ____D C:\Users\Business\AppData\Roaming\DivX
2013-06-04 19:58 - 2013-06-04 19:58 - 00001082 ____A C:\Users\Public\Desktop\DivX Plus Player.lnk
2013-06-04 19:57 - 2013-06-04 19:58 - 00000000 ____D C:\Program Files\DivX
2013-06-04 19:54 - 2013-06-04 19:59 - 00000000 ____D C:\Program Files (x86)\DivX
2013-06-04 19:52 - 2013-06-04 19:59 - 00000000 ____D C:\ProgramData\DivX
2013-06-04 19:52 - 2013-06-04 19:52 - 00000000 ____A C:\END
2013-06-04 19:44 - 2013-06-20 18:07 - 00000000 ____D C:\Users\Business\AppData\Roaming\vlc
2013-06-04 19:44 - 2013-06-04 19:44 - 00001036 ____A C:\Users\Public\Desktop\VLC media player.lnk
2013-05-22 08:44 - 2013-05-22 08:44 - 00000017 ____A C:\Users\Business\AppData\Local\resmon.resmoncfg

==================== One Month Modified Files and Folders =======

2013-06-21 06:46 - 2013-06-21 06:46 - 00000000 ____D C:\FRST
2013-06-21 06:45 - 2009-07-14 17:13 - 00726444 ____A C:\Windows\System32\PerfStringBackup.INI
2013-06-21 06:42 - 2012-03-11 18:06 - 00000902 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-06-21 06:41 - 2012-08-18 07:27 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-06-20 21:15 - 2012-03-05 07:12 - 01903293 ____A C:\Windows\WindowsUpdate.log
2013-06-20 19:51 - 2012-03-25 17:11 - 00000000 ____D C:\Users\Business\Documents\Alicia
2013-06-20 19:00 - 2012-07-31 19:00 - 00000416 ____A C:\Windows\Tasks\Final Media Player Update Checker.job
2013-06-20 18:07 - 2013-06-04 19:44 - 00000000 ____D C:\Users\Business\AppData\Roaming\vlc
2013-06-20 18:04 - 2012-08-16 21:33 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-06-20 07:11 - 2012-03-11 18:06 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-06-20 02:14 - 2013-06-20 02:14 - 00020541 ____A C:\Users\Business\Desktop\dds.txt
2013-06-20 02:14 - 2013-06-20 02:14 - 00009393 ____A C:\Users\Business\Desktop\attach.txt
2013-06-19 21:34 - 2013-06-19 21:34 - 20896392 ____A (Microsoft Corporation) C:\Users\Business\Downloads\Windows-KB890830-x64-V5.1.exe
2013-06-19 21:31 - 2013-06-19 21:30 - 00014908 ____A C:\Users\Business\Desktop\Rkill.txt
2013-06-19 21:27 - 2013-06-19 21:27 - 01814144 ____A (Bleeping Computer, LLC) C:\Users\Business\Downloads\rkill.com
2013-06-19 21:22 - 2013-06-19 21:22 - 00688992 ____A (Swearware) C:\Users\Business\Downloads\dds.com
2013-06-19 06:46 - 2012-03-11 18:06 - 00000000 ____D C:\Users\Business\AppData\Local\Google
2013-06-18 21:23 - 2013-06-18 21:23 - 00000000 ____D C:\Program Files (x86)\ESET
2013-06-18 20:33 - 2009-07-14 15:20 - 00000000 ____D C:\Windows\rescache
2013-06-17 21:55 - 2009-07-14 16:45 - 00025120 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-06-17 21:55 - 2009-07-14 16:45 - 00025120 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-06-17 21:33 - 2009-07-14 17:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-17 21:33 - 2009-07-14 16:51 - 00095165 ____A C:\Windows\setupact.log
2013-06-17 21:09 - 2013-04-03 19:48 - 00000000 ____D C:\ProgramData\MaagniePic
2013-06-13 07:15 - 2012-04-03 18:57 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-06-13 07:15 - 2012-03-04 18:44 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-06-10 20:36 - 2013-06-10 20:36 - 00001749 ____A C:\Users\Public\Desktop\iTunes.lnk
2013-06-10 20:36 - 2013-06-10 20:35 - 00000000 ____D C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-06-10 20:36 - 2013-06-10 20:35 - 00000000 ____D C:\Program Files\iTunes
2013-06-10 20:36 - 2013-06-10 20:35 - 00000000 ____D C:\Program Files (x86)\iTunes
2013-06-10 20:35 - 2013-06-10 20:35 - 00000000 ____D C:\Program Files\iPod
2013-06-10 19:12 - 2013-01-29 06:10 - 00000000 ____D C:\Users\Business\.frostwire5
2013-06-09 02:08 - 2013-06-12 07:05 - 01365504 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-06-09 02:07 - 2013-06-12 07:05 - 19233792 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-06-09 02:06 - 2013-06-12 07:05 - 15404544 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-06-09 02:06 - 2013-06-12 07:05 - 02648064 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-06-09 02:06 - 2013-06-12 07:05 - 00526336 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-06-09 00:28 - 2013-06-12 07:05 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-06-08 23:42 - 2013-06-12 07:05 - 01141248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-06-08 23:40 - 2013-06-12 07:05 - 14327808 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-06-08 23:40 - 2013-06-12 07:05 - 13760512 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-06-08 23:40 - 2013-06-12 07:05 - 02046976 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-06-08 23:40 - 2013-06-12 07:05 - 00391168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-06-08 23:13 - 2013-06-12 07:05 - 02706432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-06-06 18:18 - 2013-06-06 18:18 - 00014335 ____A C:\Users\Business\Documents\Apple.odt
2013-06-05 06:31 - 2009-07-14 16:45 - 00308816 ____A C:\Windows\System32\FNTCACHE.DAT
2013-06-05 06:30 - 2010-11-21 15:47 - 00270878 ____A C:\Windows\PFRO.log
2013-06-04 20:11 - 2012-03-04 16:46 - 00065160 ____A C:\Users\Business\AppData\Local\GDIPFONTCACHEV1.DAT
2013-06-04 20:04 - 2013-06-04 20:04 - 00001193 ____A C:\Users\Business\Desktop\FrostWire 5.5.6.lnk
2013-06-04 20:04 - 2013-01-29 05:59 - 00000000 ____D C:\Program Files (x86)\FrostWire 5
2013-06-04 20:01 - 2013-06-04 20:01 - 00000000 ____D C:\Users\Business\AppData\Roaming\DivX
2013-06-04 19:59 - 2013-06-04 19:54 - 00000000 ____D C:\Program Files (x86)\DivX
2013-06-04 19:59 - 2013-06-04 19:52 - 00000000 ____D C:\ProgramData\DivX
2013-06-04 19:58 - 2013-06-04 19:58 - 00001082 ____A C:\Users\Public\Desktop\DivX Plus Player.lnk
2013-06-04 19:58 - 2013-06-04 19:57 - 00000000 ____D C:\Program Files\DivX
2013-06-04 19:52 - 2013-06-04 19:52 - 00000000 ____A C:\END
2013-06-04 19:44 - 2013-06-04 19:44 - 00001036 ____A C:\Users\Public\Desktop\VLC media player.lnk
2013-06-03 18:16 - 2012-03-04 18:37 - 75898224 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-06-01 09:50 - 2012-03-05 08:30 - 00000000 ___RD C:\Program Files (x86)\Skype
2013-06-01 09:50 - 2012-03-05 08:30 - 00000000 ____D C:\ProgramData\Skype
2013-05-28 07:04 - 2009-07-14 15:20 - 00000000 ____D C:\Windows\System32\NDF
2013-05-26 16:36 - 2013-01-29 19:50 - 00000000 ____D C:\Users\Business\Desktop\Kindle Books
2013-05-22 08:44 - 2013-05-22 08:44 - 00000017 ____A C:\Users\Business\AppData\Local\resmon.resmoncfg

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-2981602802-2011743305-2068375498-1000\$1e3b707c3408abdd8daa6951740ce4d9

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$1e3b707c3408abdd8daa6951740ce4d9

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
C:\Program Files\Microsoft Security Client\MsMpEng.exe => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client


LastRegBack: 2013-06-15 13:38

==================== End Of Log ============================


Edited by Bokkman, 20 June 2013 - 01:53 PM.


#4 Bokkman (Topic Starter)

Posted 20 June 2013 - 01:54 PM

Attached is the Addition log.




#5 RPMcMurphy (Malware Response Team)

Posted 20 June 2013 - 05:05 PM

Please do this next:

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right click on it. Paste this into the open Notepad. Save it in the same location as FRST (usually your desktop) as fixlist.txt

HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox]  ATTENTION! ====> ZeroAccess
S1 oqxrrvey; \??\C:\windows\system32\drivers\oqxrrvey.sys [x]
C:\$Recycle.Bin\S-1-5-21-2981602802-2011743305-2068375498-1000\$1e3b707c3408abdd8daa6951740ce4d9
C:\$Recycle.Bin\S-1-5-18\$1e3b707c3408abdd8daa6951740ce4d9
C:\windows\system32\drivers\oqxrrvey.sys
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Now run FRST again.
  • When the tool opens click Yes to disclaimer.
  • Press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) please post it to your reply.


Please include the following in your next post:
  • Fixlog.txt report

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.
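The FRST log earlier in the thread and the fixlist above together show the four things this ZeroAccess variant left behind: reparse points in the Microsoft Security Client and Windows Defender folders (the "ATTENTION: ZeroAccess" lines under "Bamital & volsnap Check", which is why MSE shows as disabled and cannot be repaired or reinstalled), the $<32 hex digits> folders under $Recycle.Bin for the user's SID and for S-1-5-18 (LocalSystem), a hijacked InprocServer32 default on CLSID {5839FCA9-774D-42A1-ACDA-D6A79037F57F} (the WMI fastprox class), and an orphaned early-start driver service (S1 oqxrrvey, image file missing). The script below is an added example, not part of this thread and not Farbar's or FRST's code. It re-checks those four indicators with built-in cmdlets only and reports; it removes nothing, which in the thread is what the fixlist does. Assumptions: Windows 7 x64 and an elevated 64-bit PowerShell (2.0 or later); the function name is mine, the paths and CLSID are copied from the logs, and the driver check is a heuristic that can also list a benign driver whose .sys was deleted without unregistering the service.

```powershell
# Added triage script, not part of the thread and not FRST's code. It
# re-checks the four ZeroAccess/Sirefef indicators FRST reported above.
# Assumptions: Windows 7 x64, elevated 64-bit PowerShell 2.0+, paths and
# CLSID as in the FRST log. Function name is mine. Report only, no removal.

function Test-ZeroAccessIndicators {
    $findings = @()

    # 1. FRST flagged MsMpEng.exe and mpsvc.dll because entries in these
    #    folders are reparse points (junctions) instead of the real files; the
    #    service cannot open its own binary, so MSE shows as disabled. FRST's
    #    removal command for this is DeleteJunctionsInDirectory; we just list.
    foreach ($dir in 'C:\Program Files\Windows Defender',
                     'C:\Program Files\Microsoft Security Client') {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        $entries = @(Get-Item -LiteralPath $dir -Force) +
                   @(Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue)
        foreach ($e in $entries) {
            # 0x400 = FILE_ATTRIBUTE_REPARSE_POINT
            if (([int]$e.Attributes -band 0x400) -ne 0) {
                $findings += "Reparse point where a file should be: $($e.FullName)"
            }
        }
    }

    # 2. Payload folders named '$' + 32 hex digits in each SID's recycle bin
    #    (S-1-5-18 is LocalSystem, S-1-5-21-... is the user). Other users' bins
    #    can deny access even when elevated, hence SilentlyContinue.
    $bins = @(Get-ChildItem -LiteralPath 'C:\$Recycle.Bin' -Force -ErrorAction SilentlyContinue |
              Where-Object { $_.PSIsContainer })
    foreach ($bin in $bins) {
        $subs = @(Get-ChildItem -LiteralPath $bin.FullName -Force -ErrorAction SilentlyContinue |
                  Where-Object { $_.PSIsContainer -and $_.Name -match '^\$[0-9a-f]{32}$' })
        foreach ($s in $subs) { $findings += "ZeroAccess-style payload folder: $($s.FullName)" }
    }

    # 3. InprocServer32 default of the WMI fastprox CLSID. ZeroAccess points it
    #    at its own DLL so processes that instantiate this COM class load the
    #    payload; the Fixlog later in the thread shows FRST restoring it.
    #    Get-ItemProperty expands REG_EXPAND_SZ, so a -like test is enough.
    $clsid = '{5839FCA9-774D-42A1-ACDA-D6A79037F57F}'
    foreach ($key in "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32",
                     "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$clsid\InprocServer32") {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $server = (Get-ItemProperty -LiteralPath $key).'(default)'
        if ($server -notlike '*\wbem\fastprox.dll') {
            $findings += "CLSID $clsid InprocServer32 is '$server', expected ...\wbem\fastprox.dll ($key)"
        }
    }

    # 4. Kernel drivers (Type 1) set to start at boot/system time (Start 0/1)
    #    whose image is missing, like 'S1 oqxrrvey ... [x]' in the log: the
    #    .sys is hidden or gone, but the service entry survives to reload it.
    #    Heuristic: a benign driver removed without unregistering also matches.
    foreach ($key in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
        $svc = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
        if (-not $svc -or $svc.Type -ne 1 -or $svc.Start -gt 1 -or -not $svc.ImagePath) { continue }
        # Normalise '\??\C:\...', '\SystemRoot\...' and bare 'System32\drivers\x.sys'
        $path = $svc.ImagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
        if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
        if (-not (Test-Path -LiteralPath $path)) {
            $findings += "Driver service '$($key.PSChildName)' starts early but its image is missing: $path"
        }
    }

    return $findings
}

$results = @(Test-ZeroAccessIndicators)
if ($results.Count -eq 0) { 'No ZeroAccess indicators found.' } else { $results }
```

Run it from a 64-bit elevated PowerShell so both the native and the Wow6432Node CLSID keys are reachable. On a clean machine checks 1 to 3 are silent; anything check 4 lists should be compared against the FRST Drivers section before acting on it, since a stale entry from an uninstalled product looks the same as a ZeroAccess service whose .sys has already been removed.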


#6 Bokkman (Topic Starter)

Posted 21 June 2013 - 12:39 AM

Hi Randall (I've read the book :P )

 

Fixlog:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 20-06-2013 01
Ran by Business at 2013-06-21 17:38:00 Run:1
Running from E:\BChelp
Boot Mode: Normal
==============================================

HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.
oqxrrvey => Service deleted successfully.
C:\$Recycle.Bin\S-1-5-21-2981602802-2011743305-2068375498-1000\$1e3b707c3408abdd8daa6951740ce4d9 => Moved successfully.
C:\$Recycle.Bin\S-1-5-18\$1e3b707c3408abdd8daa6951740ce4d9 => Moved successfully.
C:\windows\system32\drivers\oqxrrvey.sys => File/Directory not found.

==== End of Fixlog ====



#7 RPMcMurphy (Malware Response Team)

Posted 21 June 2013 - 12:51 AM

Please do this next:

Go to this page and download Malwarebytes Anti-Rootkit (MBAR)

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • MBAR will create logs that you will find in the same folder you found MBAR.exe.  Please post those for me to review.

Download ComboFix from HERE, and save it to your desktop.

**Note:  It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • If you have trouble, stop and post back.  Do not try to repeatedly run ComboFix!
  • When finished, it will produce a report for you.
Note: If after running ComboFix you receive a message stating, "Illegal Operation Attempted on a registry key that has been marked for deletion" rebooting your computer will resolve the problem.

Please include the following in your next post:
  • MBAR log(s)
  • ComboFix log




#8 Bokkman (Topic Starter)

Posted 21 June 2013 - 05:15 AM

I downloaded and ran MBAR, but it didn't find anything.

 

ComboFix log:

 

ComboFix 13-06-21.01 - Business 21/06/2013  18:33:35.1.2 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.64.1033.18.3687.2144 [GMT 12:00]
Running from: c:\users\Business\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\programdata\MaagniePic
c:\programdata\MaagniePic\515be70dd646a.tlb
c:\programdata\MaagniePic\515be88d77ade.tlb
c:\programdata\MaagniePic\data\MaagniePic.dat
c:\programdata\MaagniePic\settings.ini
c:\windows\SysWow64\System32\MASetupCleaner.exe
c:\windows\SysWow64\System32\muzapp.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-05-21 to 2013-06-21  )))))))))))))))))))))))))))))))
.
.
2013-06-21 06:43 . 2013-06-21 06:43    --------    d-----w-    c:\users\hedev\AppData\Local\temp
2013-06-21 06:43 . 2013-06-21 06:43    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-06-21 06:04 . 2013-06-21 06:28    --------    d-----w-    c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-06-20 18:46 . 2013-06-20 18:46    --------    d-----w-    C:\FRST
2013-06-18 09:23 . 2013-06-18 09:23    --------    d-----w-    c:\program files (x86)\ESET
2013-06-15 09:12 . 2013-06-15 09:12    76232    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{87688882-D23B-44DF-8C7E-F7FEACEFEF06}\offreg.dll
2013-06-14 08:07 . 2013-05-21 07:56    964552    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{99B5C9B0-D1C4-431E-9322-C9822AF01611}\gapaengine.dll
2013-06-14 08:06 . 2013-05-13 06:37    9460464    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{87688882-D23B-44DF-8C7E-F7FEACEFEF06}\mpengine.dll
2013-06-13 06:22 . 2013-05-13 06:37    9460464    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-06-11 19:05 . 2013-06-08 14:08    279040    ----a-w-    c:\program files\Internet Explorer\sqmapi.dll
2013-06-11 19:03 . 2013-05-10 05:49    30720    ----a-w-    c:\windows\system32\cryptdlg.dll
2013-06-11 19:02 . 2013-04-25 23:30    1505280    ----a-w-    c:\windows\SysWow64\d3d11.dll
2013-06-11 19:02 . 2013-03-31 22:52    1887232    ----a-w-    c:\windows\system32\d3d11.dll
2013-06-10 08:35 . 2013-06-10 08:35    --------    d-----w-    c:\program files\iPod
2013-06-10 08:35 . 2013-06-10 08:36    --------    d-----w-    c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-06-10 08:35 . 2013-06-10 08:36    --------    d-----w-    c:\program files\iTunes
2013-06-10 08:35 . 2013-06-10 08:36    --------    d-----w-    c:\program files (x86)\iTunes
2013-06-04 08:01 . 2013-06-04 08:01    --------    d-----w-    c:\users\Business\AppData\Roaming\DivX
2013-06-04 07:57 . 2013-06-04 07:58    --------    d-----w-    c:\program files\DivX
2013-06-04 07:57 . 2013-06-04 07:58    --------    d-----w-    c:\program files (x86)\Common Files\DivX Shared
2013-06-04 07:54 . 2013-06-04 07:59    --------    d-----w-    c:\program files (x86)\DivX
2013-06-04 07:52 . 2013-06-04 07:59    --------    d-----w-    c:\programdata\DivX
2013-06-04 07:44 . 2013-06-20 06:07    --------    d-----w-    c:\users\Business\AppData\Roaming\vlc
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-12 19:15 . 2012-04-03 06:57    692104    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2013-06-12 19:15 . 2012-03-04 06:44    71048    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-06-03 06:16 . 2012-03-04 06:37    75898224    ----a-w-    c:\windows\system32\MRT.exe
2013-05-21 07:56 . 2013-05-21 07:56    964552    ------w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{AAF99B6B-9F9E-4D26-8C03-D830241136CD}\gapaengine.dll
2013-05-21 07:56 . 2012-06-13 09:27    964552    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2013-05-15 05:58 . 2010-06-24 19:33    22240    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-05-02 15:29 . 2010-11-21 03:27    278800    ------w-    c:\windows\system32\MpSigStub.exe
2013-04-18 07:08 . 2012-04-08 09:21    4659712    ----a-w-    c:\windows\SysWow64\Redemption.dll
2013-04-13 05:49 . 2013-05-15 05:29    135168    ----a-w-    c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2013-04-13 05:49 . 2013-05-15 05:29    350208    ----a-w-    c:\windows\apppatch\AppPatch64\AcLayers.dll
2013-04-13 05:49 . 2013-05-15 05:29    308736    ----a-w-    c:\windows\apppatch\AppPatch64\AcGenral.dll
2013-04-13 05:49 . 2013-05-15 05:29    111104    ----a-w-    c:\windows\apppatch\AppPatch64\acspecfc.dll
2013-04-13 04:45 . 2013-05-15 05:29    474624    ----a-w-    c:\windows\apppatch\AcSpecfc.dll
2013-04-13 04:45 . 2013-05-15 05:29    2176512    ----a-w-    c:\windows\apppatch\AcGenral.dll
2013-04-12 14:45 . 2013-04-24 08:04    1656680    ----a-w-    c:\windows\system32\drivers\ntfs.sys
2013-04-10 06:01 . 2013-05-15 05:29    265064    ----a-w-    c:\windows\system32\drivers\dxgmms1.sys
2013-04-10 06:01 . 2013-05-15 05:29    983400    ----a-w-    c:\windows\system32\drivers\dxgkrnl.sys
2013-04-10 03:30 . 2013-05-15 05:28    3153920    ----a-w-    c:\windows\system32\win32k.sys
2013-04-04 02:50 . 2013-02-26 08:57    25928    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-04-03 17:30 . 2013-04-03 17:30    208216    ----a-w-    c:\windows\system32\drivers\19582545.sys
2013-04-03 07:58 . 2013-05-17 09:10    1919168    ----a-w-    c:\windows\system32\WdfCoInstaller01005.dll
2013-04-03 07:58 . 2013-05-17 09:10    1919168    ----a-w-    c:\windows\system32\drivers\WdfCoInstaller01005.dll
2013-04-03 07:58 . 2013-05-17 09:10    17736    ----a-w-    c:\windows\system32\drivers\ssadwh.sys
2013-04-03 07:58 . 2013-05-17 09:10    17224    ----a-w-    c:\windows\system32\drivers\ssadcm.sys
2013-04-01 06:03 . 2013-05-15 05:28    78680    ----a-w-    c:\windows\system32\mcupdate_AuthenticAMD.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-03-11 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AMD AVT"="start AMD Accelerated Video Transcoding device initialization" [X]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-21 59720]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-04-05 641664]
"DivXMediaServer"="c:\program files (x86)\DivX\DivX Media Server\DivXMediaServer.exe" [2013-05-20 450560]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2013-02-13 1263952]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-05-30 152392]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 BEService;BattlEye Service;c:\program files (x86)\Common Files\BattlEye\BEService.exe;c:\program files (x86)\Common Files\BattlEye\BEService.exe [x]
R3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;c:\windows\system32\drivers\BVRPMPR5a64.SYS;c:\windows\SYSNATIVE\drivers\BVRPMPR5a64.SYS [x]
R3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys;c:\windows\SYSNATIVE\drivers\dgderdrv.sys [x]
R3 LGSHidFilt;Logitech Gaming KMDF HID Filter Driver;c:\windows\system32\DRIVERS\LGSHidFilt.Sys;c:\windows\SYSNATIVE\DRIVERS\LGSHidFilt.Sys [x]
R3 NisSrv;NisSrv;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_sata.sys [x]
S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_xata.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [x]
S2 AODDriver4.1;AODDriver4.1;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [x]
S2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe;c:\program files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe [x]
S2 ConfigFree Service;ConfigFree Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe;c:\program files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe [x]
S2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys;c:\windows\SYSNATIVE\DRIVERS\amdiox64.sys [x]
S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys;c:\windows\SYSNATIVE\DRIVERS\ETD.sys [x]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys;c:\windows\SYSNATIVE\DRIVERS\FwLnk.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys;c:\windows\SYSNATIVE\DRIVERS\L1C62x64.sys [x]
S3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys;c:\windows\SYSNATIVE\drivers\LGBusEnum.sys [x]
S3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys;c:\windows\SYSNATIVE\drivers\LGVirHid.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-21 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 19:15]
.
2013-06-20 c:\windows\Tasks\Final Media Player Update Checker.job
- c:\program files (x86)\FinalMediaPlayer\FMPCheckForUpdates.exe [2012-07-31 07:40]
.
2013-06-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-11 06:06]
.
2013-06-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-11 06:06]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2010-02-06 709976]
"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 2417032]
"Launch LCore"="c:\program files\Logitech Gaming Software\LCore.exe" [2012-07-24 6900024]
"SmartAudio"="c:\program files\CONEXANT\SAII\SACpl.exe" [2012-06-12 1647616]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\system32\blank.htm
uInternet Settings,ProxyOverride = *.local
TCP: Interfaces\{D30F6E56-7631-48BE-9CBD-CFB7B895B4B1}: NameServer = 192.168.0.1
FF - ProfilePath - c:\users\Business\AppData\Roaming\Mozilla\Firefox\Profiles\n936ajd4.default\
FF - ExtSQL: 2013-06-04 19:59; {23fcfd51-4958-4f00-80a3-ae97e717ed8b}; c:\program files (x86)\DivX\DivX Plus Web Player\firefox\DivXHTML5
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKLM-Run-NPSStartup - (no file)
Wow6432Node-HKLM-Run-EaseUS EPM tray - c:\program files (x86)\EaseUS\EaseUS Partition Master 9.2.2\bin\EpmNews.exe
SafeBoot-47591223.sys
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
Toolbar-Locked - (no file)
HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
HKLM-Run-SmoothView - c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe
HKLM-Run-00TCrdMain - c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
HKLM-Run-ETDCtrl - c:\program files (x86)\Elantech\ETDCtrl.exe
HKLM-Run-SmartFaceVWatcher - c:\program files (x86)\Toshiba\SmartFaceV\SmartFaceVWatcher.exe
HKLM-Run-TosReelTimeMonitor - c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
HKLM-Run-MSC - c:\program files\Microsoft Security Client\mssecex.exe
AddRemove-BattlEye for A2 - c:\program files (x86)\Steam\steamapps\common\Arma 2BattlEye\UnInstallBE.exe
AddRemove-SP_008a99b9 - c:\program files (x86)\MagniPic\uninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-06-21  18:47:04
ComboFix-quarantined-files.txt  2013-06-21 06:47
.
Pre-Run: 102,736,134,144 bytes free
Post-Run: 105,720,070,144 bytes free
.
- - End Of File - - 472A8300B2F610F40777E36FA1C343E1
5B5E648D12FCADC244C1EC30318E1EB9
 



#9 RPMcMurphy

  • Malware Response Team

Posted 21 June 2013 - 09:47 AM

How is your computer running now?  Please do this next:

Download AdwCleaner from here and save it to your desktop.

  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Please include the following in your next post:
  • How is the computer running now?
  • AdwCleaner log
  • JRT log


Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#10 Bokkman

  • Topic Starter
  • Members

Posted 21 June 2013 - 05:42 PM

Hi RPMcMurphy,

 

I've only checked this just now, but MsSE has run. On program startup, the window was red, warning me it had been disabled. It had an option to enable. It seems to all be fine now.

The original notification from Windows (that antivirus, firewall and a driver were disabled) now just mentions the driver issue.

I'll continue with your latest instructions and see how it goes.



#11 Bokkman

  • Topic Starter
  • Members

Posted 21 June 2013 - 06:13 PM

ADWCleaner log:

 

# AdwCleaner v2.303 - Logfile created 06/22/2013 at 10:47:38
# Updated 08/06/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Business - BUSINESS-P
# Boot Mode : Normal
# Running from : C:\Users\Business\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\END

***** [Registry] *****

Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\PrivitizeVPNInstallDates
Key Deleted : HKLM\Software\PIP
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SP_008a99b9
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}

***** [Internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16611

[OK] Registry is clean.

-\\ Mozilla Firefox v14.0.1 (en-US)

File : C:\Users\Business\AppData\Roaming\Mozilla\Firefox\Profiles\n936ajd4.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R2].txt - [1017 octets] - [05/04/2013 18:32:13]
AdwCleaner[R3].txt - [1138 octets] - [05/04/2013 18:39:55]
AdwCleaner[R4].txt - [1642 octets] - [22/06/2013 10:46:46]
AdwCleaner[S1].txt - [2840 octets] - [05/04/2013 16:47:15]
AdwCleaner[S2].txt - [1078 octets] - [05/04/2013 18:32:46]
AdwCleaner[S3].txt - [1199 octets] - [05/04/2013 18:41:00]
AdwCleaner[S4].txt - [1595 octets] - [22/06/2013 10:47:38]

########## EOF - C:\AdwCleaner[S4].txt - [1655 octets] ##########
 

------------------------------------------------------------------

 

JRT log:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.4 (05.06.2013:1)
OS: Windows 7 Home Premium x64
Ran by Business on Sat 22/06/2013 at 10:57:11.76
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{B3B3A6AC-74EC-BD56-BCDB-EFA4799FB9DF}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{EC1542C5-0022-4B1E-9932-C91E3188F66F}



~~~ Files



~~~ Folders



~~~ FireFox

Successfully deleted the following from C:\Users\Business\AppData\Roaming\mozilla\firefox\profiles\n936ajd4.default\prefs.js

user_pref("extensions.AMAZONNEW_NS_PH.searchconf", "{\n  \"google\" : {\n    \"urlexp\" : \"hxxp(s)?:\\\\/\\\\/www\\\\.google\\\\..*\\\\/.*[?#&]q=([^&]+)\",\n    \"rankometer\



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 22/06/2013 at 11:07:03.68
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 



#12 RPMcMurphy

  • Malware Response Team

Posted 22 June 2013 - 09:49 AM

Please do this next:

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator.
  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.

Please include the following in your next post:
  • FSS log
  • ESET log




#13 Bokkman

  • Topic Starter
  • Members

Posted 23 June 2013 - 01:28 PM

FSS log:

 

Farbar Service Scanner Version: 16-06-2013
Ran by Business (administrator) on 23-06-2013 at 20:02:23
Running from "C:\Users\Business\Desktop"
Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Action Center:
============

Other Services:
==============

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2013-06-12 07:03] - [2013-05-08 18:39] - 1910632 ____A (Microsoft Corporation) 9849EA3843A2ADBDD1497E97A85D8CAE

C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****

 

ESET log:

 

C:\Program Files (x86)\FrostWire 5\frostwire-installer.exe multiple threats
C:\Program Files (x86)\FrostWire 5\OCSetupHlp.dll Win32/OpenCandy application
C:\Users\Business\.frostwire5\updates\frostwire-5.5.6.windows.exe multiple threats
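Two of the logs in this thread carry the findings a responder would actually act on: the ComboFix "Reg Loading Points" block in post #8 shows the UAC policy values EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop all set to 0, and the FSS "File Check" section in this post prints a full detail line (timestamps, size, attributes, company, MD5) for the one file it does not report as "MD5 is legit", tcpip.sys. The Python below is an added example, not part of the thread and not code from ComboFix or Farbar Service Scanner: it parses both formats from constructed samples copied from the posts, lists the files that need manual review (no match against FSS's list does not by itself mean the file is bad), and flags the weakened UAC settings. The function names and the "weak setting" rules are my own; the Windows 7 default values quoted in the findings are Microsoft's documented defaults.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the layout of the FSS "File Check" section posted above
# (a subset of its lines; the tcpip.sys detail line is copied verbatim).
FSS_FILE_CHECK = r"""File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2013-06-12 07:03] - [2013-05-08 18:39] - 1910632 ____A (Microsoft Corporation) 9849EA3843A2ADBDD1497E97A85D8CAE

C:\Windows\System32\svchost.exe => MD5 is legit

**** End of log ****
"""

# Constructed sample in the layout of the ComboFix policy block posted above (same values).
COMBOFIX_POLICIES = r"""[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"""


@dataclass
class FileCheck:
    path: str
    legit: bool                  # True when the log line ends in "=> MD5 is legit"
    md5: Optional[str] = None    # present only on the detail line FSS prints otherwise
    company: Optional[str] = None


LEGIT_RE = re.compile(r'^(?P<path>[A-Za-z]:\\.*?)\s*=> MD5 is legit$')
PATH_RE = re.compile(r'^[A-Za-z]:\\\S.*$')
DETAIL_RE = re.compile(
    r'^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) '
    r'(?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$'
)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<val>\d+)\s*\((?P<hex>0x[0-9A-Fa-f]+)\)$')


def parse_fss_file_check(text: str) -> List[FileCheck]:
    """Return one FileCheck per file listed in the FSS 'File Check' section."""
    entries: List[FileCheck] = []
    pending: Optional[str] = None   # a bare path line waiting for its detail line
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("File Check:"):
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("**** End of log"):
            break
        m = LEGIT_RE.match(line)
        if m:
            if pending is not None:           # previous bare path had no detail line
                entries.append(FileCheck(path=pending, legit=False))
                pending = None
            entries.append(FileCheck(path=m.group("path"), legit=True))
            continue
        m = DETAIL_RE.match(line)
        if m and pending is not None:
            entries.append(FileCheck(path=pending, legit=False,
                                     md5=m.group("md5").upper(), company=m.group("company")))
            pending = None
            continue
        if PATH_RE.match(line):
            if pending is not None:
                entries.append(FileCheck(path=pending, legit=False))
            pending = line
    if pending is not None:
        entries.append(FileCheck(path=pending, legit=False))
    return entries


def unverified(entries: List[FileCheck]) -> List[FileCheck]:
    """Files FSS did not report as matching its known-good MD5 list: review them, don't assume bad."""
    return [e for e in entries if not e.legit]


def parse_combofix_policies(text: str) -> Dict[str, int]:
    """Map the "Name"= N (0xN) lines of a ComboFix registry block to integer values."""
    values: Dict[str, int] = {}
    for raw in text.splitlines():
        m = VALUE_RE.match(raw.strip())
        if m:
            values[m.group("name")] = int(m.group("val"))
    return values


def assess_uac(values: Dict[str, int]) -> List[str]:
    """Flag UAC policy values that weaken elevation protection (Windows 7 defaults noted)."""
    findings: List[str] = []
    if values.get("EnableLUA") == 0:
        findings.append("EnableLUA=0: User Account Control is switched off (default 1)")
    if values.get("ConsentPromptBehaviorAdmin") == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: administrators elevate with no prompt (default 5)")
    if values.get("PromptOnSecureDesktop") == 0:
        findings.append("PromptOnSecureDesktop=0: prompts are not isolated on the secure desktop (default 1)")
    return findings


if __name__ == "__main__":
    for e in unverified(parse_fss_file_check(FSS_FILE_CHECK)):
        print(f"REVIEW {e.path} md5={e.md5} company={e.company}")
    for f in assess_uac(parse_combofix_policies(COMBOFIX_POLICIES)):
        print("WEAK  ", f)
```

Run against the samples it reports tcpip.sys (with the hash FSS printed, ready to be checked against a known-good copy of the same Windows build) and all three UAC findings; with UAC at its defaults the second list is empty, which is the state to restore once the cleanup is finished.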
 



#14 RPMcMurphy

  • Malware Response Team

Posted 24 June 2013 - 09:39 AM

ESET is detecting FrostWire as potentially unwanted due to its adware properties. I'll leave that one up to you - if you no longer want it, just uninstall it.

 

Are you still seeing that alert about a driver?  If so, can you please tell me exactly what the message is?




#15 Bokkman

  • Topic Starter
  • Members

Posted 24 June 2013 - 01:32 PM

Would you know of a safer alternative to FrostWire? I don't use it a lot, so I'd consider binning it.

 

As for the driver notification:

In my system tray there is a white flag with a mouse-over of "Solve PC issue". Clicking it opens it further and says "Troubleshoot a problem with a device or driver".

The fixes it suggests are:

- Run Windows updates and install what is necessary (This I do on a regular basis anyway).

- Scan your computer for viruses.

- Check your hard disk for errors. I've scheduled a disk check & error fix next time I start the PC, later in the day.

 

I haven't changed any drivers, or any hardware recently. The only thing that sometimes errors is one of my other USB drives - it sometimes doesn't display. It doesn't show any error pop-ups, and the USB drivers should be basic enough to just run anyway and not cause any issues.





