Win32/InstallCore.BL trojan


  • This topic is locked
17 replies to this topic

#1 n1ck

n1ck

  • Members
  • 66 posts
  • OFFLINE
  • Local time:04:24 AM

Posted 29 June 2013 - 01:21 PM

Hi, my computer became a little slower and does some restarts by itself.

I ran the ESET online scan and I found this:

 

C:\Documents and Settings\nikos\Local Settings\temp\ICReinstall_setup.exe    Win32/InstallCore.BL application
C:\Documents and Settings\nikos\????????? ????????\pc\pc security\setup.exe    Win32/InstallCore.BL application
C:\Documents and Settings\nikos\?? ??????? ???\???????? ??????\avira_free_antivirus_en.exe    a variant of Win32/Bundled.Toolbar.Ask application
C:\RECYCLER\S-1-5-21-682003330-583907252-725345543-1004\Dc2\ophcrack.exe    probably a variant of Win32/PSWTool.ophCrack.A application
C:\RECYCLER\S-1-5-21-682003330-583907252-725345543-1004\Dc2\ophcrack_nogui.exe    probably a variant of Win32/PSWTool.ophCrack.A application
C:\RECYCLER\S-1-5-21-682003330-583907252-725345543-1004\Dc2\pwdump\lsremora.dll    Win32/PSWTool.PWDump6 application
C:\RECYCLER\S-1-5-21-682003330-583907252-725345543-1004\Dc2\pwdump\pwdump6_setup.exe    Win32/PSWTool.PWDump6 application
C:\System Volume Information\_restore{F86AF06F-7704-4959-9741-490B518A2738}\RP18\A0007930.exe    Win32/OpenCandy application
C:\System Volume Information\_restore{F86AF06F-7704-4959-9741-490B518A2738}\RP18\A0007937.exe    Win32/OpenCandy application
C:\System Volume Information\_restore{F86AF06F-7704-4959-9741-490B518A2738}\RP18\A0007960.exe    a variant of Win32/SoftonicDownloader.E application
C:\System Volume Information\_restore{F86AF06F-7704-4959-9741-490B518A2738}\RP18\A0007961.exe    a variant of Win32/SoftonicDownloader.E application
C:\System Volume Information\_restore{F86AF06F-7704-4959-9741-490B518A2738}\RP18\A0007962.exe    Win32/OpenCandy application
C:\System Volume Information\_restore{F86AF06F-7704-4959-9741-490B518A2738}\RP42\A0011102.exe    Win32/DownloadAdmin.G application
C:\WINDOWS\Installer\56f41a2.msi    a variant of Win32/Bundled.Toolbar.Ask.C application
 

Can you help me clean the trojan?
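Added example, not part of n1ck's post and not code from ESET or any of the tools mentioned in this thread: a small Python triage script that parses scan result lines in the layout quoted above (full path, a run of spaces, then the detection text), pulls out the detection family, and groups each hit by where it sits on disk. The sample lines are copied from the post; the location categories, the "kind" split (ESET's PSWTool naming for password-recovery utilities versus bundlers and toolbars) and the cleanup notes are this example's own assumptions, written to show why a hit under a System Restore point or in the Recycle Bin needs different handling from a dropped installer in Temp.

```python
import re
from collections import Counter

# Constructed sample in the format of the ESET Online Scanner results quoted
# in the post: full path, a run of spaces, then the detection text.
SAMPLE_SCAN = r"""
C:\Documents and Settings\nikos\Local Settings\temp\ICReinstall_setup.exe    Win32/InstallCore.BL application
C:\RECYCLER\S-1-5-21-682003330-583907252-725345543-1004\Dc2\ophcrack.exe    probably a variant of Win32/PSWTool.ophCrack.A application
C:\System Volume Information\_restore{F86AF06F-7704-4959-9741-490B518A2738}\RP18\A0007930.exe    Win32/OpenCandy application
C:\WINDOWS\Installer\56f41a2.msi    a variant of Win32/Bundled.Toolbar.Ask.C application
"""

# A path may contain single spaces; the first run of two or more spaces ends it.
LINE_RE = re.compile(r"^(?P<path>.*?\S)\s{2,}(?P<detection>\S.*?)\s*$")
# "probably a variant of Win32/X.Y application" -> "Win32/X.Y"
FAMILY_RE = re.compile(r"^(?:probably )?(?:a variant of )?(?P<family>\S+)\s+application$", re.I)

# Ordered rules: the first match wins, so specific locations precede the broad
# user-profile rule. The notes are this example's own triage guidance (assumption).
LOCATION_RULES = [
    (re.compile(r"^[A-Z]:\\System Volume Information\\_restore\{[^}]+\}\\RP\d+\\", re.I),
     "system_restore_point",
     "copy kept by System Restore; flagged again on every scan until restore points are purged"),
    (re.compile(r"^[A-Z]:\\RECYCLER\\S-1-5-\d+(?:-\d+)+\\", re.I),
     "recycle_bin",
     "already deleted by the user; waits in the per-user Recycle Bin until it is emptied"),
    (re.compile(r"\\Local Settings\\Temp\\", re.I),
     "user_temp",
     "installer payload in the user's Temp folder; safe to delete"),
    (re.compile(r"^[A-Z]:\\WINDOWS\\Installer\\", re.I),
     "installer_cache",
     "MSI cached by Windows Installer for an installed product; uninstall that product"),
    (re.compile(r"^[A-Z]:\\Documents and Settings\\", re.I),
     "user_profile",
     "file in a user profile folder; delete if it is not a download you want"),
]


def detection_family(detection):
    """Strip ESET's 'a variant of' / 'probably' prefixes and the 'application' suffix."""
    m = FAMILY_RE.match(detection)
    return m.group("family") if m else detection


def detection_kind(family):
    # ESET names password-recovery utilities PSWTool and rates them "potentially
    # unsafe"; bundlers and toolbars are "potentially unwanted" (assumed split).
    return "potentially_unsafe_tool" if "/PSWTool." in family else "potentially_unwanted_app"


def classify_location(path):
    for rule, name, note in LOCATION_RULES:
        if rule.search(path):
            return name, note
    return "other", "location not recognised; review by hand"


def parse_scan(text):
    """Turn ESET-style 'path    detection' lines into triage records."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line or unrecognised layout
        path, detection = m.group("path"), m.group("detection")
        family = detection_family(detection)
        location, note = classify_location(path)
        records.append({
            "path": path, "family": family, "kind": detection_kind(family),
            "location": location, "note": note,
        })
    return records


def summarize(records):
    """Count hits per location so the cleanup order is obvious at a glance."""
    return Counter(r["location"] for r in records)


def restore_point_paths(records):
    """Paths that will keep being reported until System Restore is purged."""
    return [r["path"] for r in records if r["location"] == "system_restore_point"]


if __name__ == "__main__":
    recs = parse_scan(SAMPLE_SCAN)
    for r in recs:
        print(f"[{r['location']:>20}] {r['family']:<32} {r['kind']}")
        print(f"    {r['path']}")
        print(f"    {r['note']}")
    print(dict(summarize(recs)))
```

Run it on the full result list pasted into a file and the summary shows at once how many hits are only stale restore-point copies versus files still live in a profile or the installer cache; the latter are the ones a cleanup tool or an uninstall actually has to deal with.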




#2 n1ck

n1ck
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  • Local time:04:24 AM

Posted 30 June 2013 - 07:59 AM

And I also forgot to say that my mouse freezes all the time and I have to plug the USB in again.



#3 n1ck

n1ck
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  • Local time:04:24 AM

Posted 04 July 2013 - 03:37 AM

DDS log

 

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.5.1
Run by nikos at 11:32:55 on 2013-07-04
Microsoft Windows XP Home Edition  5.1.2600.3.1253.30.1032.18.1022.213 [GMT 3:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: COMODO Firewall *Enabled*
.
============== Running Processes ================
.
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Ralink\Common\RaRegistry.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Ralink\Common\RaUI.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sandboxie\SandboxieRpcSs.exe
C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.gr/
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: AVG SafeGuard toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} -
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
BHO: DVDVideoSoft WebPageAdjuster Class: {EE932B49-D5C0-4D19-A3DA-CE0849258DE6} - c:\program files\common files\dvdvideosoft\bin\IEDownloadMenuAndBtns.dll
TB: AVG SafeGuard toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DAEMON Tools Pro Agent] "c:\program files\daemon tools pro\DTAgent.exe" -autorun
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
uRun: [AdobeBridge] <no file>
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [AdobeCS6ServiceManager] "c:\program files\common files\adobe\cs6servicemanager\CS6ServiceManager.exe" -launchedbylogin
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [vProt] "c:\program files\avg safeguard toolbar\vprot.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [tscuninstall] c:\windows\system32\tscupgrd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\f2da~1\599a~1\ralink~1.lnk - c:\program files\ralink\common\RaUI.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: Free YouTube to MP3 Converter - c:\program files\common files\dvdvideosoft\plugins\freeytmp3downloader.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {EE932B49-D5C0-4D19-A3DA-CE0849258DE6} - {EE932B49-D5C0-4D19-A3DA-CE0849258DE6} - c:\program files\common files\dvdvideosoft\bin\IEDownloadMenuAndBtns.dll
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1342865647406
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1343592797421
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {B479199A-1242-4E3C-AD81-7F0DF801B4AE} - hxxp://download.microsoft.com/download/C/9/C/C9C3D86D-84AC-4AF0-8584-842756A66467/MicrosoftDownloadManager.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{EFB377AC-96E8-4F37-8178-FFF690A8E7C7} : DHCPNameServer = 192.168.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\15.2.0\ViProtocol.dll
AppInit_DLLs=  c:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\27.0.1453.110\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\nikos\application data\mozilla\firefox\profiles\g91ugp91.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://mysearch.avg.com?pid=safeguard&sg=0&cid=%7B2937c8b4-2ba3-45d1-9b85-7707f27fe22f%7D&mid=f5f6300ecf9b47d3a6baa90d304c2254-c63273c3ede41915fbd57ddcc35b67920ea539a9&ds=co011&v=15.2.0.5&lang=en&pr=sa&d=2013-06-20%2012%3A07%3A07&sap=hp
FF - plugin: c:\documents and settings\nikos\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\avg secure search\sitesafetyinstaller\15.2.0\npsitesafety.dll
FF - plugin: c:\program files\google\update\1.3.21.145\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\npMSDM.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1165635.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1166636.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_7_700_224.dll
FF - ExtSQL: 2013-05-16 23:25; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - ExtSQL: 2013-05-17 11:28; {ACAA314B-EEBA-48e4-AD47-84E31C44796C}; c:\program files\common files\dvdvideosoft\plugins\ff
FF - ExtSQL: 2013-06-16 11:09; {46335786-33A3-49EE-B961-1403A9046B43}; c:\documents and settings\nikos\application data\mozilla\firefox\profiles\g91ugp91.default\extensions\{46335786-33A3-49EE-B961-1403A9046B43}
FF - ExtSQL: 2013-06-20 12:07; avg@toolbar; c:\documents and settings\all users\application data\avg safeguard toolbar\firefoxext\15.2.0.5
.
---- FIREFOX POLICIES ----
user_pref('extensions.autoDisableScopes', 0);user_pref('security.csp.enable', false);user_pref('security.OCSP.enabled', 0);user_pref('extensions.blocklist.enabled', false);
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 195296]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2013-6-20 37664]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2012-3-11 497952]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2012-3-11 32640]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2012-7-25 242240]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2012-3-11 1990464]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-6-20 418376]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-6-20 701512]
R2 RalinkRegistryWriter;RalinkRegistryWriter;c:\program files\ralink\common\RaRegistry.exe [2013-4-30 375872]
R2 Scutum50;Scutum50 NDIS Protocol Driver;c:\windows\system32\drivers\Scutum50.sys [2013-4-30 19072]
R2 vToolbarUpdater15.2.0;vToolbarUpdater15.2.0;c:\program files\common files\avg secure search\vtoolbarupdater\15.2.0\ToolbarUpdater.exe [2013-6-20 1015984]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-6-20 22856]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2013-4-30 1209408]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2012-6-17 137488]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-2-28 161384]
S3 RaMediaServer;Ralink UPnP Media Server;c:\program files\ralink\common\RaMediaServer.exe [2013-4-30 625728]
S3 SNCT511;See U Camera;c:\windows\system32\drivers\snct511.sys [2012-8-3 219264]
S3 Sony PC Companion;Sony PC Companion;c:\program files\sony\sony pc companion\PCCService.exe [2013-6-5 155824]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2013-07-03 21:40:06    60872    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2ad3a379-5a6a-4516-a094-c8ea2582ad36}\offreg.dll
2013-06-30 13:21:31    7068072    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2ad3a379-5a6a-4516-a094-c8ea2582ad36}\mpengine.dll
2013-06-28 13:36:59    74136    ----a-w-    c:\program files\mozilla firefox\breakpadinjector.dll
2013-06-28 13:36:59    263576    ----a-w-    c:\program files\mozilla firefox\browser\components\browsercomps.dll
2013-06-28 13:36:59    19352    ----a-w-    c:\program files\mozilla firefox\AccessibleMarshal.dll
2013-06-28 09:46:34    --------    d-----w-    c:\program files\ESET
2013-06-24 09:29:25    7068072    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-06-20 14:21:54    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-06-20 14:21:54    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-06-20 09:07:59    --------    d-----w-    c:\documents and settings\nikos\local settings\application data\AVG SafeGuard toolbar
2013-06-20 09:07:17    --------    d-----w-    c:\documents and settings\all users\application data\AVG SafeGuard toolbar
2013-06-20 09:07:08    --------    d-----w-    c:\documents and settings\nikos\application data\AVG SafeGuard toolbar
2013-06-20 09:07:02    37664    ----a-w-    c:\windows\system32\drivers\avgtpx86.sys
2013-06-20 09:06:56    --------    d-----w-    c:\program files\common files\AVG Secure Search
2013-06-20 09:05:59    --------    d--h--w-    c:\documents and settings\all users\application data\Common Files
2013-06-17 07:42:00    159744    ----a-w-    c:\program files\internet explorer\plugins\npqtplugin5.dll
2013-06-17 07:42:00    159744    ----a-w-    c:\program files\internet explorer\plugins\npqtplugin4.dll
2013-06-17 07:42:00    159744    ----a-w-    c:\program files\internet explorer\plugins\npqtplugin3.dll
2013-06-17 07:42:00    159744    ----a-w-    c:\program files\internet explorer\plugins\npqtplugin2.dll
2013-06-17 07:42:00    159744    ----a-w-    c:\program files\internet explorer\plugins\npqtplugin.dll
2013-06-17 07:34:23    --------    d-----w-    c:\program files\iPod
2013-06-17 07:34:18    --------    d-----w-    c:\program files\iTunes
2013-06-17 07:34:18    --------    d-----w-    c:\documents and settings\all users\application data\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-06-16 08:51:05    --------    d-----w-    c:\windows\pss
2013-06-16 08:10:30    --------    d-----w-    c:\program files\MyPC Backup
2013-06-16 08:09:19    --------    d-----w-    c:\program files\OApps
2013-06-05 19:10:35    --------    d-----w-    c:\program files\Sony
.
==================== Find3M  ====================
.
2013-06-11 18:51:55    692104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-06-11 18:51:54    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-24 08:38:12    39048    ----a-w-    c:\windows\system32\drivers\tbhsd.sys
2013-05-21 21:30:52    1072544    ----a-w-    c:\windows\system32\nvdrsdb0.bin
2013-05-21 21:30:52    1    ----a-w-    c:\windows\system32\nvdrssel.bin
2013-05-21 21:30:37    1072544    ----a-w-    c:\windows\system32\nvdrsdb1.bin
2013-05-07 22:28:16    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-05-07 22:28:16    43520    ------w-    c:\windows\system32\licmgr10.dll
2013-05-07 22:28:15    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2013-05-07 21:53:29    385024    ------w-    c:\windows\system32\html.iec
2013-05-03 05:39:09    2157056    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-05-03 05:39:08    2035712    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-05-01 23:06:08    238872    ------w-    c:\windows\system32\MpSigStub.exe
2013-05-01 00:59:12    94208    ----a-w-    c:\windows\system32\QuickTimeVR.qtx
2013-05-01 00:59:12    69632    ----a-w-    c:\windows\system32\QuickTime.qts
2013-04-30 06:59:29    258    ----a-w-    c:\documents and settings\nikos\application data\_uninsep.bat
2013-04-16 21:18:17    81920    ------w-    c:\windows\system32\ieencode.dll
2013-04-12 14:00:53    1876608    ----a-w-    c:\windows\system32\win32k.sys
.
============= FINISH: 11:36:15,78 ===============
 



#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,888 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:24 AM

Posted 04 July 2013 - 07:24 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===
Search and delete the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete tab follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).
===

Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
===

Please download ComboFix from one of these locations:
Link 1
Link 2
IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third-party programs, if not up to date, can be the cause of infiltration and infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.
===

Please paste the logs in your next reply, DO NOT ATTACH THEM.
Let me know what problem persists.

#5 n1ck

n1ck
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  • Local time:04:24 AM

Posted 04 July 2013 - 07:39 AM

Hi nasdaq,

this is the report from AdwCleaner:

 

# AdwCleaner v2.304 - Logfile created 07/04/2013 at 15:31:31
# Updated 03/07/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : nikos - NICK-A611B29939
# Boot Mode : Normal
# Running from : C:\Documents and Settings\nikos\Επιφάνεια εργασίας\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Deleted on reboot : C:\Program Files\Common Files\AVG Secure Search
Folder Deleted : C:\Documents and Settings\All Users\Application Data\InstallMate
Folder Deleted : C:\Documents and Settings\nikos\Application Data\dvdvideosoftiehelpers
Folder Deleted : C:\Documents and Settings\nikos\Application Data\OpenCandy
Folder Deleted : C:\Program Files\OApps

***** [Registry] *****

Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EE932B49-D5C0-4D19-A3DA-CE0849258DE6}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EE932B49-D5C0-4D19-A3DA-CE0849258DE6}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKLM\Software\AVG Security Toolbar
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EE932B49-D5C0-4D19-A3DA-CE0849258DE6}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\viprotocol
Key Deleted : HKLM\SOFTWARE\Classes\S
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{EE932B49-D5C0-4D19-A3DA-CE0849258DE6}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EE932B49-D5C0-4D19-A3DA-CE0849258DE6}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Key Deleted : HKLM\Software\PIP
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]
Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\extensions [{acaa314b-eeba-48e4-ad47-84e31c44796c}]
Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [Avg@toolbar]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v22.0 (el)

File : C:\Documents and Settings\nikos\Application Data\Mozilla\Firefox\Profiles\g91ugp91.default\prefs.js

C:\Documents and Settings\nikos\Application Data\Mozilla\Firefox\Profiles\g91ugp91.default\user.js ... Deleted !

Deleted : user_pref("browser.search.defaultenginename", "AVG Secure Search");

-\\ Google Chrome v27.0.1453.110

File : C:\Documents and Settings\nikos\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

File : C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [5671 octets] - [04/07/2013 15:31:31]

########## EOF - C:\AdwCleaner[S1].txt - [5731 octets] ##########



#6 n1ck

n1ck
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  • Local time:04:24 AM

Posted 04 July 2013 - 08:03 AM

JRT log

 

Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.4 (05.06.2013:1)
OS: Microsoft Windows XP x86
Ran by nikos on Πεμ 04/07/2013 at 15:43:19,60
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL



~~~ Registry Keys



~~~ Files

Successfully deleted: [File] C:\eula.1028.txt
Successfully deleted: [File] C:\eula.1031.txt
Successfully deleted: [File] C:\eula.1033.txt
Successfully deleted: [File] C:\eula.1036.txt
Successfully deleted: [File] C:\eula.1040.txt
Successfully deleted: [File] C:\eula.1041.txt
Successfully deleted: [File] C:\eula.1042.txt
Successfully deleted: [File] C:\eula.1049.txt
Successfully deleted: [File] C:\eula.2052.txt
Successfully deleted: [File] C:\install.res.1028.dll
Successfully deleted: [File] C:\install.res.1031.dll
Successfully deleted: [File] C:\install.res.1033.dll
Successfully deleted: [File] C:\install.res.1036.dll
Successfully deleted: [File] C:\install.res.1040.dll
Successfully deleted: [File] C:\install.res.1041.dll
Successfully deleted: [File] C:\install.res.1042.dll
Successfully deleted: [File] C:\install.res.1049.dll
Successfully deleted: [File] C:\install.res.2052.dll
Successfully deleted: [File] C:\install.res.3082.dll



~~~ Folders

Successfully deleted: [Folder] "C:\WINDOWS\system32\ai_recyclebin"





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Πεμ 04/07/2013 at 16:00:12,90
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 



#7 n1ck

n1ck
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  • Local time:04:24 AM

Posted 04 July 2013 - 08:31 AM

ComboFix log

 

ComboFix 13-07-03.01 - nikos 04/07/2013  16:16:53.3.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1253.30.1032.18.1022.138 [GMT 3:00]
Running from: c:\documents and settings\nikos\Επιφάνεια εργασίας\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-04 to 2013-07-04  )))))))))))))))))))))))))))))))
.
.
2013-07-04 13:02 . 2013-06-12 04:18    7068072    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{26A68764-BC9E-4E53-931E-3BABC283C456}\mpengine.dll
2013-07-02 09:30 . 2013-07-02 09:30    --------    d-----w-    c:\documents and settings\LocalService\Επιφάνεια εργασίας
2013-06-30 05:27 . 2013-06-30 05:48    --------    d-----w-    c:\documents and settings\Game.of.Thrones.S02.Season.2.COMPLETE.720p.BluRay.x264.MIKY
2013-06-28 09:46 . 2013-06-28 09:46    --------    d-----w-    c:\program files\ESET
2013-06-24 09:29 . 2013-06-12 04:18    7068072    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-06-20 14:21 . 2013-06-20 14:22    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-06-20 14:21 . 2013-04-04 11:50    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-06-20 09:07 . 2013-06-20 09:08    --------    d-----w-    c:\documents and settings\nikos\Local Settings\Application Data\AVG SafeGuard toolbar
2013-06-20 09:07 . 2013-06-20 09:07    --------    d-----w-    c:\documents and settings\All Users\Application Data\AVG SafeGuard toolbar
2013-06-20 09:07 . 2013-06-20 09:07    --------    d-----w-    c:\documents and settings\nikos\Application Data\AVG SafeGuard toolbar
2013-06-20 09:07 . 2013-06-20 09:06    37664    ----a-w-    c:\windows\system32\drivers\avgtpx86.sys
2013-06-20 09:06 . 2013-07-04 12:35    --------    d-----w-    c:\program files\Common Files\AVG Secure Search
2013-06-20 09:05 . 2013-06-20 09:05    --------    d--h--w-    c:\documents and settings\All Users\Application Data\Common Files
2013-06-17 07:42 . 2013-06-17 07:42    159744    ----a-w-    c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2013-06-17 07:42 . 2013-06-17 07:41    159744    ----a-w-    c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2013-06-17 07:42 . 2013-06-17 07:41    159744    ----a-w-    c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2013-06-17 07:42 . 2013-06-17 07:41    159744    ----a-w-    c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2013-06-17 07:42 . 2013-06-17 07:41    159744    ----a-w-    c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2013-06-17 07:41 . 2013-06-17 07:41    --------    d-----w-    c:\program files\QuickTime
2013-06-17 07:34 . 2013-06-17 07:34    --------    d-----w-    c:\program files\iPod
2013-06-17 07:34 . 2013-06-17 07:35    --------    d-----w-    c:\documents and settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-06-17 07:34 . 2013-06-17 07:35    --------    d-----w-    c:\program files\iTunes
2013-06-16 08:10 . 2013-06-16 08:29    --------    d-----w-    c:\program files\MyPC Backup
2013-06-05 19:10 . 2013-06-05 19:10    --------    d-----w-    c:\program files\Sony
2013-06-05 19:10 . 2013-06-05 19:10    --------    d-----w-    c:\documents and settings\All Users\Application Data\Sony
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-11 18:51 . 2012-07-21 11:04    692104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-06-11 18:51 . 2012-07-21 11:04    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-24 08:38 . 2013-05-24 08:38    39048    ----a-w-    c:\windows\system32\drivers\tbhsd.sys
2013-05-07 22:28 . 2006-03-02 12:00    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-05-07 22:28 . 2006-03-02 12:00    43520    ------w-    c:\windows\system32\licmgr10.dll
2013-05-07 22:28 . 2006-03-02 12:00    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2013-05-07 21:53 . 2006-03-02 12:00    385024    ------w-    c:\windows\system32\html.iec
2013-05-03 05:39 . 2006-03-02 12:00    2157056    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-05-03 05:39 . 2004-09-04 06:41    2035712    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-05-01 23:06 . 2012-07-21 10:44    238872    ------w-    c:\windows\system32\MpSigStub.exe
2013-05-01 00:59 . 2013-05-01 00:59    94208    ----a-w-    c:\windows\system32\QuickTimeVR.qtx
2013-05-01 00:59 . 2013-05-01 00:59    69632    ----a-w-    c:\windows\system32\QuickTime.qts
2013-04-30 06:59 . 2013-04-30 06:59    258    ----a-w-    c:\documents and settings\nikos\Application Data\_uninsep.bat
2013-04-16 21:18 . 2013-04-16 21:18    81920    ------w-    c:\windows\system32\ieencode.dll
2013-04-12 14:00 . 2006-03-02 12:00    1876608    ----a-w-    c:\windows\system32\win32k.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTAgent.exe" [2012-04-26 3111744]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2012-06-17 466704]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2013-04-19 18678376]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2012-11-07 6756048]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2012-07-13 384232]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-04-04 446392]
"AdobeCS6ServiceManager"="c:\program files\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" [2012-03-09 1073312]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-21 59720]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2012-06-28 74752]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-05-31 152392]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2006-03-02 44544]
.
c:\documents and settings\All Users\Start Menu\Προγράμματα\Εκκίνηση\
Ralink Wireless Utility.lnk - c:\program files\Ralink\Common\RaUI.exe -s [2013-4-30 13093736]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Ralink\\Common\\RaUI.exe"=
"c:\\Program Files\\Ralink\\Common\\RaMediaServer.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Winamp\\winamp.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Engine\\Sony Ericsson Update Engine.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [20/6/2013 12:07 PM 37664]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [11/3/2012 9:13 PM 497952]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [11/3/2012 9:13 PM 32640]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [25/7/2012 6:59 PM 242240]
R1 MpKsla4e94cab;MpKsla4e94cab;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2AD3A379-5A6A-4516-A094-C8EA2582AD36}\MpKsla4e94cab.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2AD3A379-5A6A-4516-A094-C8EA2582AD36}\MpKsla4e94cab.sys [?]
R2 Scutum50;Scutum50 NDIS Protocol Driver;c:\windows\system32\drivers\Scutum50.sys [30/4/2013 7:36 PM 19072]
R2 vToolbarUpdater15.2.0;vToolbarUpdater15.2.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe [20/6/2013 12:06 PM 1015984]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [20/6/2013 5:21 PM 418376]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [20/6/2013 5:21 PM 701512]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [28/2/2013 6:45 PM 161384]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [20/6/2013 5:21 PM 22856]
S3 RaMediaServer;Ralink UPnP Media Server;c:\program files\Ralink\Common\RaMediaServer.exe [30/4/2013 7:36 PM 625728]
S3 SNCT511;See U Camera;c:\windows\system32\drivers\snct511.sys [3/8/2012 1:58 PM 219264]
S3 Sony PC Companion;Sony PC Companion;c:\program files\Sony\Sony PC Companion\PCCService.exe [5/6/2013 10:10 PM 155824]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [19/2/2010 1:37 PM 517096]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-06-06 19:07    1165776    ----a-w-    c:\program files\Google\Chrome\Application\27.0.1453.110\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-04 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-21 18:51]
.
2013-07-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 14:57]
.
2013-07-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-05-13 20:02]
.
2013-07-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-05-13 20:02]
.
2013-07-04 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-01-27 08:11]
.
2013-07-04 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-01-27 08:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.gr/
uInternet Settings,ProxyOverride = *.local
IE: Free YouTube to MP3 Converter - c:\program files\Common Files\DVDVideoSoft\plugins\freeytmp3downloader.htm
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\nikos\Application Data\Mozilla\Firefox\Profiles\g91ugp91.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://mysearch.avg.com?pid=safeguard&sg=0&cid=%7B2937c8b4-2ba3-45d1-9b85-7707f27fe22f%7D&mid=f5f6300ecf9b47d3a6baa90d304c2254-c63273c3ede41915fbd57ddcc35b67920ea539a9&ds=co011&v=15.2.0.5&lang=en&pr=sa&d=2013-06-20%2012%3A07%3A07&sap=hp
FF - ExtSQL: 2013-05-16 23:25; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - ExtSQL: 2013-05-17 11:28; {ACAA314B-EEBA-48e4-AD47-84E31C44796C}; c:\program files\Common Files\DVDVideoSoft\plugins\ff
FF - ExtSQL: 2013-06-16 11:09; {46335786-33A3-49EE-B961-1403A9046B43}; c:\documents and settings\nikos\Application Data\Mozilla\Firefox\Profiles\g91ugp91.default\extensions\{46335786-33A3-49EE-B961-1403A9046B43}
FF - ExtSQL: 2013-06-20 12:07; avg@toolbar; c:\documents and settings\All Users\Application Data\AVG SafeGuard toolbar\FireFoxExt\15.2.0.5
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-AdobeBridge - (no file)
AddRemove-AVG SafeGuard toolbar - c:\program files\AVG SafeGuard toolbar\UNINSTALL.exe
AddRemove-ophcrack - c:\documents and settings\nikos\Επιφάνεια εργασίας\ophcrack\uninst.exe
AddRemove-sl-dlc - c:\program files\OApps\sl-dlc_uninstall.exe
AddRemove-{A62F9CD0-B2E0-4F2A-88F2-79254A3C8539} - c:\docume~1\ALLUSE~1\APPLIC~1\INSTAL~1\{A62F9~1\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-07-04 16:26
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(852)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'lsass.exe'(908)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'explorer.exe'(356)
c:\windows\system32\guard32.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
- - - - - - - > 'csrss.exe'(824)
c:\windows\system32\cmdcsr.dll
.
Completion time: 2013-07-04  16:29:49
ComboFix-quarantined-files.txt  2013-07-04 13:29
.
Pre-Run: 8 Directories 103,269,388,288 bytes free
Post-Run: 9 Directories 103,972,884,480 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 474F3E9FEE490EFDE7EA4F3144F1A24E
3C27C0429156ADC19E0F46AF77CD22D7
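The ComboFix log above is read by hand in this thread. As an added example (not part of the thread, and not ComboFix's own tooling), here is a small Python triage script for the parts of such a log that matter most in a toolbar/PUP cleanup: the AV/FW header lines, the registry loading points (AppInit_DLLs, the Security Center AntiVirusOverride flag, the Windows Firewall profile switch) and any service or Firefox preference line that carries a toolbar or search-redirect marker. The sample log is a constructed excerpt modelled on the log above; the AppInit allowlist (guard32.dll belongs to the COMODO Internet Security that is installed on this machine) and the PUP marker list are assumptions an analyst would tune per case.

```python
"""Triage of a ComboFix-style log: added example, not ComboFix's own code.

Walks the AV/FW header, the "Reg Loading Points" values and the service /
Firefox lines, and returns the findings an analyst would look at first.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    severity: str  # "high", "review" or "info"
    evidence: str


# Constructed excerpt modelled on the log above (not the full log).
SAMPLE_LOG = r"""
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2013-04-19 18678376]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R2 vToolbarUpdater15.2.0;vToolbarUpdater15.2.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe [20/6/2013 12:06 PM 1015984]
FF - prefs.js: browser.startup.homepage - hxxp://mysearch.avg.com?pid=safeguard&sg=0
"""

# Assumed allowlist: DLLs known to use AppInit_DLLs legitimately on this box.
# guard32.dll is the COMODO Internet Security hook DLL (COMODO is installed here).
KNOWN_APPINIT_DLLS = {"guard32.dll": "COMODO Internet Security"}

# Assumed toolbar / search-redirect markers; tune per case.
PUP_MARKERS = ("avg secure search", "safeguard toolbar", "toolbarupdater", "mysearch.avg.com")

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')


def _third_party_firewall_enabled(lines: list[str]) -> bool:
    """True if the FW: header names an enabled product other than Windows Firewall."""
    for line in lines:
        low = line.lower()
        if low.startswith("fw:") and "*enabled*" in low and "windows firewall" not in low:
            return True
    return False


def triage(log_text: str) -> list[Finding]:
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    third_party_fw = _third_party_firewall_enabled(lines)
    findings: list[Finding] = []
    for line in lines:
        low = line.lower()
        if low.startswith("av:") and "*disabled" in low:
            findings.append(Finding("av_disabled", "high", line))
            continue
        if KEY_RE.match(line):
            continue  # section header; the values that follow are checked by name
        m = VALUE_RE.match(line)
        if m:
            name, data = m.group("name").lower(), m.group("data").strip()
            if name == "appinit_dlls" and data:
                # Every process that loads user32.dll gets this DLL: unknown owner is serious.
                base = data.replace("/", "\\").rsplit("\\", 1)[-1].lower()
                owner = KNOWN_APPINIT_DLLS.get(base)
                findings.append(Finding("appinit_dll", "review" if owner else "high",
                                        f"{data} ({owner or 'unknown owner'})"))
            elif name == "antivirusoverride" and data.endswith("00000001"):
                # Security Center stops reporting a missing/disabled AV.
                findings.append(Finding("security_center_av_override", "high", line))
            elif name == "enablefirewall" and data.split()[:1] == ["0"]:
                # Expected when a third-party firewall is active; otherwise a gap.
                findings.append(Finding("windows_firewall_off",
                                        "info" if third_party_fw else "high", line))
        if any(marker in low for marker in PUP_MARKERS):
            rule = "search_hijack" if low.startswith(("ff - ", "ustart page")) else "pup_component"
            findings.append(Finding(rule, "review", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.rule}: {f.evidence}")
```

Two judgement calls are built in. EnableFirewall=0 is downgraded to informational when the FW: header shows a third-party firewall enabled, because a product such as COMODO normally takes over from the Windows Firewall; without one it is a real gap. AppInit_DLLs is rated "review" rather than "high" only when the DLL is on the allowlist, since any DLL loaded this way lands in every process that loads user32.dll. An AV that reports itself *Disabled* is flagged regardless of cause so that it is not forgotten once the cleanup run is over.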
 



#8 n1ck
  • Topic Starter
  • Members
  • 66 posts

Posted 04 July 2013 - 08:53 AM

Please take a look at a message that WinPatrol alerted me with after the ComboFix log.

C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ieframe.dll,OpenURL%l

A change was made to use the following program for this file type

rundll32 ieframe.dll,OpenURL%l

Is this change ok?

I must say yes or no.


Edited by n1ck, 04 July 2013 - 08:53 AM.


#9 nasdaq
  • Malware Response Team
  • 39,888 posts
  • Location:Montreal, QC. Canada

Posted 04 July 2013 - 09:01 AM


This mysearch.avg.com was removed.
If all is ok, then accept the change.

FF - prefs.js: browser.startup.homepage - hxxp://mysearch.avg.com?pid=safeguard&sg=0&cid=%7B2937c8b4-2ba3-45d1-9b85-7707f27fe22f%7D&mid=f5f6300ecf9b47d3a6baa90d304c2254-c63273c3ede41915fbd57ddcc35b67920ea539a9&ds=co011&v=15.2.0.5&lang=en&pr=sa&d=2013-06-20%2012%3A07%3A07&sap=hp


Any other issues with this computer?

#10 n1ck
  • Topic Starter
  • Members
  • 66 posts

Posted 04 July 2013 - 09:07 AM

Was the problem mysearch.avg.com?

Everything seems ok, thank you very much.

Why does the mouse cursor freeze all the time?



#11 nasdaq
  • Malware Response Team
  • 39,888 posts
  • Location:Montreal, QC. Canada

Posted 04 July 2013 - 12:12 PM

If it's an external mouse make sure it's well connected.

Try to re-install it.

If still no joy, execute this scan.

Please scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer.
      Save it to your Desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your Desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.


#12 n1ck
  • Topic Starter
  • Members
  • 66 posts

Posted 05 July 2013 - 10:01 AM

ESET scan

 

C:\Documents and Settings\nikos\????????? ????????\pc\pc security\setup.exe    a variant of Win32/InstallCore.BY application    cleaned by deleting - quarantined
C:\Documents and Settings\nikos\?? ??????? ???\???????? ??????\avira_free_antivirus_en.exe    a variant of Win32/Bundled.Toolbar.Ask application    deleted - quarantined
C:\System Volume Information\_restore{F86AF06F-7704-4959-9741-490B518A2738}\RP18\A0007930.exe    Win32/OpenCandy application    cleaned by deleting - quarantined
C:\System Volume Information\_restore{F86AF06F-7704-4959-9741-490B518A2738}\RP18\A0007937.exe    Win32/OpenCandy application    cleaned by deleting - quarantined
C:\System Volume Information\_restore{F86AF06F-7704-4959-9741-490B518A2738}\RP18\A0007960.exe    a variant of Win32/SoftonicDownloader.E application    cleaned by deleting - quarantined
C:\System Volume Information\_restore{F86AF06F-7704-4959-9741-490B518A2738}\RP18\A0007961.exe    a variant of Win32/SoftonicDownloader.E application    cleaned by deleting - quarantined
C:\System Volume Information\_restore{F86AF06F-7704-4959-9741-490B518A2738}\RP18\A0007962.exe    Win32/OpenCandy application    cleaned by deleting - quarantined
C:\System Volume Information\_restore{F86AF06F-7704-4959-9741-490B518A2738}\RP42\A0011102.exe    Win32/DownloadAdmin.G application    cleaned by deleting - quarantined
C:\System Volume Information\_restore{F86AF06F-7704-4959-9741-490B518A2738}\RP56\A0015032.exe    probably a variant of Win32/PSWTool.ophCrack.A application    cleaned by deleting - quarantined
C:\System Volume Information\_restore{F86AF06F-7704-4959-9741-490B518A2738}\RP56\A0015033.exe    probably a variant of Win32/PSWTool.ophCrack.A application    cleaned by deleting - quarantined
C:\System Volume Information\_restore{F86AF06F-7704-4959-9741-490B518A2738}\RP56\A0015035.dll    Win32/PSWTool.PWDump6 application    cleaned by deleting - quarantined
C:\System Volume Information\_restore{F86AF06F-7704-4959-9741-490B518A2738}\RP56\A0015037.exe    Win32/PSWTool.PWDump6 application    cleaned by deleting - quarantined
C:\System Volume Information\_restore{F86AF06F-7704-4959-9741-490B518A2738}\RP56\A0015130.exe    Win32/InstallCore.BL application    cleaned by deleting - quarantined
C:\WINDOWS\Installer\56f41a2.msi    a variant of Win32/Bundled.Toolbar.Ask.C application    deleted - quarantined
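The ESET export is a flat list of path, detection name and action, separated by runs of spaces. As an added example (not the thread's or ESET's own code), the following Python snippet parses that format and sorts the hits by where they live: a file under System Volume Information\_restore is a dormant copy kept by System Restore rather than something running now (it would only come back if that restore point were used), RECYCLER holds deleted files, and the Windows\Installer cache holds copied MSI packages. It also separates the bundler/PUA names from the password-recovery tools (ophcrack, pwdump) that ESET reports as PSWTool, and counts lines that carry no action column, which is what the first scan in this thread produced. Sample lines are constructed in the posted format; the family keyword lists are assumptions built from the detection names seen here.

```python
"""Classify ESET Online Scanner export lines: added example, not ESET's code."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Hit:
    path: str
    detection: str
    action: str    # ESET's action text, or "none (report only)"
    location: str  # live, restore_point, recycle_bin, installer_cache
    family: str    # pua_bundler, password_tool, other


# Constructed sample in the format of the ESET export posted above.
SAMPLE_EXPORT = r"""
C:\Documents and Settings\nikos\Desktop\pc\pc security\setup.exe    a variant of Win32/InstallCore.BY application    cleaned by deleting - quarantined
C:\System Volume Information\_restore{F86AF06F-7704-4959-9741-490B518A2738}\RP56\A0015037.exe    Win32/PSWTool.PWDump6 application    cleaned by deleting - quarantined
C:\System Volume Information\_restore{F86AF06F-7704-4959-9741-490B518A2738}\RP18\A0007930.exe    Win32/OpenCandy application    cleaned by deleting - quarantined
C:\RECYCLER\S-1-5-21-682003330-583907252-725345543-1004\Dc2\ophcrack.exe    probably a variant of Win32/PSWTool.ophCrack.A application
C:\WINDOWS\Installer\56f41a2.msi    a variant of Win32/Bundled.Toolbar.Ask.C application    deleted - quarantined
"""

FIELD_SPLIT = re.compile(r" {2,}")  # ESET separates the columns with runs of spaces

# Assumed family keywords, built from the detection names in this thread; extend as needed.
PUA_BUNDLERS = ("installcore", "opencandy", "softonicdownloader", "downloadadmin", "bundled.toolbar")
PASSWORD_TOOLS = ("pswtool",)


def classify_location(path: str) -> str:
    """Where the file lives decides whether it could be active at all."""
    p = path.lower()
    if p.startswith("c:\\system volume information\\_restore"):
        return "restore_point"   # dormant System Restore copy
    if "\\recycler\\" in p or "\\$recycle.bin\\" in p:
        return "recycle_bin"     # deleted, not on any autostart path
    if "\\windows\\installer\\" in p:
        return "installer_cache"  # cached MSI, used only on repair/uninstall
    return "live"


def classify_family(detection: str) -> str:
    d = detection.lower()
    if any(k in d for k in PASSWORD_TOOLS):
        return "password_tool"   # dual-use: legitimate if the user put it there
    if any(k in d for k in PUA_BUNDLERS):
        return "pua_bundler"     # installers that drop toolbars/adware
    return "other"


def parse_export(text: str) -> list[Hit]:
    hits: list[Hit] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = FIELD_SPLIT.split(line)
        if len(fields) < 2:
            raise ValueError(f"unparseable line: {line!r}")
        path, detection = fields[0], fields[1]
        action = fields[2] if len(fields) > 2 else "none (report only)"
        hits.append(Hit(path, detection, action,
                        classify_location(path), classify_family(detection)))
    return hits


def summarize(hits: list[Hit]) -> dict[str, dict[str, int]]:
    """Counts per location and per family, plus how many hits were not acted on."""
    out: dict[str, dict[str, int]] = {"location": {}, "family": {}, "unactioned": {"count": 0}}
    for h in hits:
        out["location"][h.location] = out["location"].get(h.location, 0) + 1
        out["family"][h.family] = out["family"].get(h.family, 0) + 1
        if h.action.startswith("none"):
            out["unactioned"]["count"] += 1
    return out


if __name__ == "__main__":
    for h in parse_export(SAMPLE_EXPORT):
        print(f"{h.location:15} {h.family:13} {h.action:32} {h.path}")
    print(summarize(parse_export(SAMPLE_EXPORT)))
```

The "live" bucket is the one to act on first; everything under a restore point is inert until that point is applied, which is why cleanup guides have the user flush old restore points once the machine is clean rather than treat those hits as an active infection.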
 



#13 nasdaq
  • Malware Response Team
  • 39,888 posts
  • Location:Montreal, QC. Canada

Posted 05 July 2013 - 10:41 AM

Is the issue with the mouse still pending?

#14 n1ck
  • Topic Starter
  • Members
  • 66 posts

Posted 05 July 2013 - 11:07 AM

Yes, every 2-3 hours the cursor freezes and the red light under the mouse goes off, so I unplug the USB cable and plug it in again.

The mouse is a simple Logitech mouse.

Maybe I will answer tomorrow.


Edited by n1ck, 05 July 2013 - 11:27 AM.


#15 n1ck
  • Topic Starter
  • Members
  • 66 posts

Posted 05 July 2013 - 04:14 PM

My mouse did it again. Does any virus or trojan have this side effect?


Edited by n1ck, 05 July 2013 - 04:14 PM.




