Assistance requested with possible rootkit infection


16 replies to this topic

#1 NickRiviera (Members)

Posted 08 July 2013 - 06:41 AM

Hello,

When I run catchme I get this message:

detected NTDLL code modification:
ZwEnumerateKey 0 != 47, ZwQueryKey 0 != 19, ZwOpenKey 0 != 15, ZwClose 0 != -1375723995, ZwEnumerateValueKey 0 != 16, ZwQueryValueKey 0 != 20, ZwOpenFile 0 != -369091035, ZwQueryDirectoryFile 0 != 50, ZwQuerySystemInformation 0 != 51
Initialization error

Now I read somewhere on this website that this is usually a dead giveaway that a rootkit is active.

I ran catchme because my computer is acting kinda strange lately (hard to explain, but I've been using this box for about 4 years and kept it in good shape always, so I can kinda "feel" when something is off).

Could you please help me further investigate and possibly remove this potential rootkit?
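As an added illustration (not code from this thread, from catchme or from GMER) of the kind of check behind a "detected NTDLL code modification" message: each Zw* export stub in ntdll.dll normally begins with a `mov eax, <index>` instruction carrying the system-call index, so a scanner can read that index out of the stub bytes and compare it with a reference table, while a stub that starts with a `jmp` has been overwritten, which is what an inline hook looks like. The reference numbers are the right-hand values of the message quoted above (assumed here to be the values the scanner expects); the stub bytes are constructed sample input, and the stub layouts are simplified.

```python
import struct

# Reference system-call indices: the right-hand numbers of the catchme message
# quoted in the post (assumed here to be the values the scanner expects).
EXPECTED = {
    "ZwEnumerateKey": 47,
    "ZwQueryKey": 19,
    "ZwOpenKey": 15,
    "ZwEnumerateValueKey": 16,
    "ZwQueryValueKey": 20,
    "ZwQueryDirectoryFile": 50,
    "ZwQuerySystemInformation": 51,
}

# Opcodes that mean control leaves the stub immediately: jmp rel32, jmp rel8,
# jmp [mem]. A clean stub never starts this way; an inline hook does.
JMP_PREFIXES = (b"\xe9", b"\xeb", b"\xff\x25")


def looks_hooked(stub: bytes) -> bool:
    """True if the stub's first instruction is a jump (classic inline hook)."""
    return any(stub.startswith(p) for p in JMP_PREFIXES)


def syscall_index(stub: bytes) -> int:
    """Return the index from the stub's `mov eax, imm32`, or 0 if the stub does
    not start like a clean one (the convention the quoted message uses).

    Simplified layouts modelled here (constructed, not real ntdll bytes):
      x64 ntdll:  4C 8B D1 B8 <imm32> ...   mov r10, rcx ; mov eax, index
      x86 ntdll:  B8 <imm32> ...            mov eax, index
    """
    body = stub[3:] if stub.startswith(b"\x4c\x8b\xd1") else stub
    if len(body) >= 5 and body[0] == 0xB8:
        # Signed read on purpose: garbage bytes then show up as a negative
        # number, much like the ZwClose / ZwOpenFile entries in the post.
        return struct.unpack_from("<i", body, 1)[0]
    return 0


def check_stubs(stubs: dict) -> list:
    """Compare every stub we have a reference for; return catchme-style lines."""
    findings = []
    for name, expected in EXPECTED.items():
        if name not in stubs:
            continue
        found = syscall_index(stubs[name])
        if found != expected:
            tag = " (starts with jmp: inline hook?)" if looks_hooked(stubs[name]) else ""
            findings.append(f"{name} {found} != {expected}{tag}")
    return findings


# ---- constructed sample input (not real ntdll bytes) ----
def x64_stub(index: int) -> bytes:
    """Clean x64-style stub: mov r10,rcx ; mov eax,index ; syscall ; ret."""
    return b"\x4c\x8b\xd1\xb8" + struct.pack("<I", index) + b"\x0f\x05\xc3"


def x86_stub(index: int) -> bytes:
    """Clean x86-style stub: mov eax,index ; ret (rest omitted)."""
    return b"\xb8" + struct.pack("<I", index) + b"\xc3"


def hooked_stub() -> bytes:
    """Stub whose first 5 bytes were replaced by `jmp rel32`."""
    return b"\xe9" + struct.pack("<i", 0x1000) + b"\x90\x90\x90"


SAMPLE_STUBS = {
    "ZwOpenKey": x64_stub(15),                 # clean, matches reference
    "ZwQueryKey": x64_stub(19),                # clean, matches reference
    "ZwQuerySystemInformation": x86_stub(51),  # clean, x86 layout
    "ZwEnumerateKey": hooked_stub(),           # overwritten by a jmp -> reported
    "ZwQueryValueKey": x64_stub(21),           # wrong index -> reported
}

if __name__ == "__main__":
    for line in check_stubs(SAMPLE_STUBS):
        print(line)
```

A mismatch on its own is a lead, not a verdict: a second tool's view of the same stubs (as the helper asks for below with GMER) is what turns it into a finding.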

 




#2 TB-Psychotic (Malware Response Team)

Posted 08 July 2013 - 06:48 AM

Hi there,
my name is Marius and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or Add/Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Download DDS and save it to your desktop from here or here or here.

Disable any script blocker, and then double click dds.scr to run the tool.

When done, DDS will open two (2) logs:
  • DDS.txt
  • Attach.txt
Save both reports to your desktop.

Please download Gmer from here by clicking on the "Download EXE" Button.

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )
  • Leave everything else as it is.
  • Close all other running programs as well as your Browser.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#3 NickRiviera (Topic Starter)

Posted 08 July 2013 - 07:40 AM

Hello and thank you for assisting me.

Normally I run under a user account with admin rights, but since that account became troublesome to work with I am now running in Safe mode under the built-in Administrator account, which is normally not active.

I ran defogger to disable any emulation CD drives.

Here are the results of the requested ark file:

 

GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-07-08 14:37:51
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD10 rev.01.0 931,51GB
Running: 1q1f7m1l.exe; Driver: C:\Users\ADMINI~1\AppData\Local\Temp\kxtdapoc.sys

---- Processes - GMER 2.1 ----

Library  Ì÷! PH (*** suspicious ***) @ C:\Users\Administrator\Downloads\dds.scr [2560]                                 0000000010000000
Library  Ì÷! PH (*** suspicious ***) @ C:\Users\Administrator\Downloads\dds.scr [2560]                                 0000000000640000
Library  Ì÷! PH (*** suspicious ***) @ C:\Users\Administrator\Downloads\dds.scr [2560]                                 00000000003a0000

---- Registry - GMER 2.1 ----

Reg      HKLM\SYSTEM\ControlSet001\services\LanmanServer\Linkage@Export                                                 ????????volsnap?00??? ??????????????????@oem85.inf,%mfg%;Acronis, Inc.?4f2???????????????????????????????~???????????????????????????r??of????X??????????????????????b???????????????????????????????????????????????.??????????????????????????????????????LegacyDriver????STORAGE\Volume??????.NTAMD64?f???????o??????????6.0.1.5942???????????????9???????????????V??um??????????????????????AT<cr>??a1???????????????o??????????????umb\umbus????????????)????????N??????m????Ds (??Local???????????????#???http://www.nvidia.com????????????X???????????????????l???????????????????????????? ??|?????????????n? ??timounter?????????.??????????????  ?????????????????????????????????????????????????????????????????????????? ???/????????????????????????<???????????????N????????????????n??????l?????????????Microsoft????|?|?|??7.1.32.72?????>??????????????????????????????????????????????????????z???????????I??FU??????????????????????????{00000000-0000-0000-ffff-ffffffffffff}??????http://www.nvidia.com????????????????????????f?????????
Reg      HKLM\SYSTEM\ControlSet001\services\LanmanWorkstation\Linkage@Export                                            ??????????????????????????????????????????????????"?????????????6.1316.1209.2009????????????????????????? ?????????????????????0???????????????????????????????????n?????????????-??13????*?????????????????????????????????????sun_vboxnetfltmp?0??VBoxNetFltMP.ndi????????????????????WUDFRd???????????????0??03????"??????????????????s??????????????????????6-21-2006???WD 10EADS External USB Device???????????????????? ??????PnpPrinters???????N????????????D?????????????????????????@???????????????6???? ??????????????????????????8??se??????0???Intel® Core™ i3 CPU         530  @ 2.93GHz?pl???e?h?j?j?j?e?j?j?j?k?k?k????????????????????????s???? ?????????????????????0??L????????? ???????????? ???????????????????h?0????????"????????????????????e???e??????????MAX_PSP???????N???????????D?????? ??????????????enum????? ?????????????????????0????????????&????????????????????e??? ??????????????t\??????? ?????????????????????0????????????????????? ?????????????????????0????????????????????? ?????????????????????0???????????
Reg      HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)           
Reg      HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                0
Reg      HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                             0x94 0xE9 0xD0 0x02 ...
Reg      HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                C:\Program Files (x86)\DAEMON Tools Lite\
Reg      HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)  
Reg      HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                       0xA0 0x02 0x00 0x00 ...
Reg      HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC                               
Reg      HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                            0
Reg      HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                         0x94 0xE9 0xD0 0x02 ...
Reg      HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                            C:\Program Files (x86)\DAEMON Tools Lite\
Reg      HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001                      
Reg      HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                0x7D 0xD5 0x82 0x37 ...
Reg      HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)           
Reg      HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                0
Reg      HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                             0x94 0xE9 0xD0 0x02 ...
Reg      HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                C:\Program Files (x86)\DAEMON Tools Lite\
Reg      HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)  
Reg      HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                    0x7D 0xD5 0x82 0x37 ...

---- EOF - GMER 2.1 ----
 



#4 TB-Psychotic (Malware Response Team)

Posted 08 July 2013 - 09:35 AM

Post up the DDS logs as well, please.



#5 NickRiviera (Topic Starter)

Posted 09 July 2013 - 04:30 PM

I ran these under my normal user account with admin rights.
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 9.0.8112.16490  BrowserJavaVersion: 10.25.2
Run by Lars at 23:25:15 on 2013-07-09
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.31.1033.18.3959.1273 [GMT 2:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
D:\Symbols\Pery\platform\windows\cronsvc.exe
C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Secunia\PSI\PSIA.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\TightVNC\tvnserver.exe
C:\OEM\USBDECTION\USBS3S4Detection.exe
C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe
C:\Program Files (x86)\Western Digital\WD SmartWare\WDRulesEngine.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Windows\System32\WUDFHost.exe
C:\Program Files (x86)\Secunia\PSI\sua.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\TightVNC\tvnserver.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files (x86)\Google\Drive\googledrivesync.exe
C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Users\Lars\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\KORG\KORG USB-MIDI Driver\EsHelper2.exe
C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
C:\Program Files (x86)\Western Digital\WD Security\WDDriveAutoUnlock.exe
C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Google\Drive\googledrivesync.exe
C:\Program Files (x86)\Comodo\Dragon\dragon.exe
C:\Program Files (x86)\Comodo\Dragon\dragon.exe
C:\Program Files (x86)\Comodo\Dragon\dragon.exe
C:\Program Files (x86)\Comodo\Dragon\dragon.exe
C:\Program Files (x86)\Comodo\Dragon\dragon.exe
C:\Program Files (x86)\Comodo\Dragon\dragon.exe
C:\Program Files (x86)\Comodo\Dragon\dragon.exe
C:\Program Files (x86)\Comodo\Dragon\dragon.exe
C:\Program Files (x86)\Comodo\Dragon\dragon.exe
C:\Program Files (x86)\Comodo\Dragon\dragon.exe
C:\Program Files (x86)\Comodo\Dragon\dragon.exe
C:\Program Files (x86)\Comodo\Dragon\dragon.exe
C:\Program Files (x86)\Comodo\Dragon\dragon.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\Comodo\Dragon\dragon.exe
C:\Users\Lars\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Program Files\Windows Defender\MSASCui.exe
c:\program files\windows defender\MpCmdRun.exe
C:\Windows\system32\RunDll32.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Evernote extension: {92EF2EAD-A7CE-4424-B0DB-499CF856608E} - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll
BHO: Adobe Acrobat Create PDF Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: Adobe Acrobat Create PDF from Selection: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll
TB: Adobe Acrobat Create PDF Toolbar: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll
TB: Adobe Acrobat Create PDF Toolbar: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll
uRun: [GoogleDriveSync] "C:\Program Files (x86)\Google\Drive\googledrivesync.exe" /autostart
mRun: [TrueImageMonitor.exe] "C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [KORG USB-MIDI Driver] C:\Program Files (x86)\KORG\KORG USB-MIDI Driver\EsHelper2.exe /s
mRun: [WD Drive Unlocker] C:\Program Files (x86)\Western Digital\WD Security\WDDriveAutoUnlock.exe
mRun: [WD Quick View] C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\Users\Lars\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Lars\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\Users\Lars\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\EVERNO~1.LNK - C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SECUNI~1.LNK - C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
mPolicies-System: SoftwareSASGeneration = dword:1
IE: Afbeelding knippen - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=4
IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Kopieer selectie - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=3
IE: Kopieer URL - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=0
IE: Nieuwe notitie - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\NewNote.html
IE: Pagina opemen - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=1
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\AddNote.html
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://akamaicdn.webex.com/client/WBXclient-T28L10NEP1-267/training/ieatgpc1.cab
TCP: NameServer = 192.168.1.1 213.46.228.196
TCP: Interfaces\{13036D4F-6903-42AD-9440-D1B5A4763E59} : NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{91C84BE5-1975-4375-8C6C-96FC4D129B12}\14355535 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{AD2C4E9C-6882-413B-AD36-9131094594C5} : DHCPNameServer = 192.168.1.1 213.46.228.196
TCP: Interfaces\{F09E7205-DC19-4C77-96D5-DA0D96F183B0}\6596275737024456475636475646 : DHCPNameServer = 192.168.1.254 195.241.77.55 195.241.77.58
SSODL: WebCheck - <orphaned>
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [Windows Mobile Device Center] C:\Windows\WindowsMobile\wmdc.exe
x64-Run: [Acronis Scheduler2 Service] "C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe"
x64-Run: [tvncontrol] "C:\Program Files\TightVNC\tvnserver.exe" -controlservice -slave
x64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
x64-SSODL: WebCheck - <orphaned>
x64-mASetup: {12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\Windows\System32\ieudinit.exe
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Lars\AppData\Roaming\Mozilla\Firefox\Profiles\23t7aaty.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://nl.search.yahoo.com/search?fr=ytff-comodo&p=
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 8008
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2013-06-23 20:56; flashfirebug@o-minds.com; C:\Users\Lars\AppData\Roaming\Mozilla\Firefox\Profiles\23t7aaty.default\extensions\flashfirebug@o-minds.com
FF - ExtSQL: 2013-06-23 20:56; {e4a8a97b-f2ed-450b-b12d-ee082ba24781}; C:\Users\Lars\AppData\Roaming\Mozilla\Firefox\Profiles\23t7aaty.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - ExtSQL: 2013-06-23 20:56; {c45c406e-ab73-11d8-be73-000a95be3b12}; C:\Users\Lars\AppData\Roaming\Mozilla\Firefox\Profiles\23t7aaty.default\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
.
============= SERVICES / DRIVERS ===============
.
R0 vididr;Acronis Virtual Disk;C:\Windows\System32\drivers\vididr.sys [2011-8-4 210016]
R0 vidsflt53;Acronis Disk Storage Filter (53);C:\Windows\System32\drivers\vsflt53.sys [2011-8-4 141920]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\System32\drivers\dtsoftbus01.sys [2012-6-14 283200]
R1 ElRawDisk;ElRawDisk;C:\Windows\System32\drivers\dddskx64.sys [2011-7-18 26024]
R2 CronService;Cron Service for Prey;D:\Symbols\Pery\platform\windows\cronsvc.exe [2011-2-15 19968]
R2 DragonUpdater;COMODO Dragon Update Service;C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe [2013-6-4 2095752]
R2 Secunia PSI Agent;Secunia PSI Agent;C:\Program Files (x86)\Secunia\PSI\psia.exe [2011-10-14 994360]
R2 Secunia Update Agent;Secunia Update Agent;C:\Program Files (x86)\Secunia\PSI\sua.exe [2011-10-14 399416]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2013-1-18 383264]
R2 TomTomHOMEService;TomTomHOMEService;C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe [2013-3-22 93072]
R2 tvnserver;TightVNC Server;C:\Program Files\TightVNC\tvnserver.exe [2012-11-20 1696824]
R2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-1-31 2314240]
R2 USBS3S4Detection;USBS3S4Detection;C:\OEM\USBDECTION\USBS3S4Detection.exe [2009-12-14 76320]
R2 WDBackup;WD Backup;C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe [2012-6-14 1151424]
R2 WDDriveService;WD Drive Manager;C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe [2012-6-13 248248]
R2 WDRulesService;WD Rules;C:\Program Files (x86)\Western Digital\WD SmartWare\WDRulesEngine.exe [2012-6-14 1177536]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;C:\Windows\System32\drivers\e1k62x64.sys [2009-11-17 283824]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2009-11-17 56344]
R3 PSI;PSI;C:\Windows\System32\drivers\psi_mf.sys [2010-9-1 17976]
R3 RDID1115;UM-ONE;C:\Windows\System32\drivers\Rdwm1115.sys [2013-3-4 81920]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 Tomcat5;Apache Tomcat;C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe [2010-9-4 78336]
S3 ACR122U;ACR122 Smart Card Reader;C:\Windows\System32\drivers\acr122.sys [2009-12-16 44800]
S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;C:\Windows\System32\drivers\ssadadb.sys [2012-2-5 36328]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);C:\Windows\System32\drivers\ssudbus.sys [2012-10-12 102368]
S3 dgderdrv;dgderdrv;C:\Windows\System32\drivers\dgderdrv.sys [2010-7-26 20552]
S3 emnxbhp;{05DA76CF-3E08-482D-A748-3839973C5CA5};D:\ophcrack\pwdump\servpw.exe [2011-1-12 57344]
S3 epmntdrv;epmntdrv;C:\Windows\System32\epmntdrv.sys [2011-6-25 16776]
S3 EuGdiDrv;EuGdiDrv;C:\Windows\System32\EuGdiDrv.sys [2011-6-25 9096]
S3 GenericMount;Generic Mount Driver;C:\Windows\System32\drivers\GenericMount.sys [2009-9-21 54320]
S3 imhxn;{9B30EA14-AB8C-446C-A680-D90345E56FC4};D:\ophcrack\pwdump\servpw.exe [2011-1-12 57344]
S3 prwntdrv;prwntdrv;C:\Windows\System32\prwntdrv.sys [2011-6-24 16776]
S3 pwdrvio;pwdrvio;C:\Windows\System32\pwdrvio.sys [2010-9-14 19936]
S3 pwdspio;pwdspio;C:\Windows\System32\pwdspio.sys [2010-9-14 13280]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2012-11-15 19456]
S3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;C:\Windows\System32\drivers\RTL8187.sys [2010-1-7 448512]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);C:\Windows\System32\drivers\ssadbus.sys [2012-2-5 157672]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);C:\Windows\System32\drivers\ssadmdfl.sys [2012-2-5 16872]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;C:\Windows\System32\drivers\ssadmdm.sys [2012-2-5 177640]
S3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);C:\Windows\System32\drivers\ssudmdm.sys [2012-10-12 203104]
S3 TFsExDisk;TFsExDisk;C:\Windows\System32\drivers\TFsExDisk.sys [2010-9-9 16392]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-11-15 57856]
S3 Updater Service;Updater Service;C:\Program Files\Packard Bell\Packard Bell Updater\UpdaterService.exe [2009-11-17 240160]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2011-5-10 51712]
S3 VBoxUSB;VirtualBox USB;C:\Windows\System32\drivers\VBoxUSB.sys [2012-5-22 117080]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-9-9 1255736]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\System32\drivers\wdcsam64.sys [2008-5-6 14464]
.
=============== File Associations ===============
.
ShellExec: PortraitProfessional.exe: open="C:\Program Files (x86)\Portrait Professional 10 Trial\PortraitProfessionalTrial.exe" /P "%1"
.
=============== Created Last 30 ================
.
2013-07-09 21:11:36 -------- d-sh--w- C:\$RECYCLE.BIN
2013-07-08 13:10:28 -------- d-----w- C:\Users\Lars\AppData\Local\temp
2013-07-08 13:00:38 74136 ----a-w- C:\Program Files (x86)\Mozilla Firefox\breakpadinjector.dll
2013-07-08 13:00:38 263576 ----a-w- C:\Program Files (x86)\Mozilla Firefox\browser\components\browsercomps.dll
2013-07-08 13:00:37 770384 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcr100.dll
2013-07-08 13:00:37 421200 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcp100.dll
2013-07-08 13:00:36 92056 ----a-w- C:\Program Files (x86)\Mozilla Firefox\webapprt-stub.exe
2013-07-08 13:00:36 26520 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugin-hang-ui.exe
2013-07-08 13:00:36 170232 ----a-w- C:\Program Files (x86)\Mozilla Firefox\webapp-uninstaller.exe
2013-07-08 12:10:32 -------- d-----w- C:\Program Files\HitmanPro
2013-07-08 12:10:05 -------- d-----w- C:\ProgramData\HitmanPro
2013-07-05 00:31:34 -------- d-----w- C:\Program Files (x86)\Mozilla Maintenance Service
2013-07-05 00:29:30 59288 ----a-w- C:\Program Files (x86)\Mozilla Firefox\libEGL.dll
2013-07-05 00:29:30 478104 ----a-w- C:\Program Files (x86)\Mozilla Firefox\libGLESv2.dll
2013-07-05 00:29:30 3407256 ----a-w- C:\Program Files (x86)\Mozilla Firefox\gkmedias.dll
2013-07-05 00:29:30 3285912 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
2013-07-05 00:29:30 2106216 ----a-w- C:\Program Files (x86)\Mozilla Firefox\D3DCompiler_43.dll
2013-07-05 00:29:30 193824 ----a-w- C:\Program Files (x86)\Mozilla Firefox\maintenanceservice_installer.exe
2013-07-05 00:29:30 16280 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozalloc.dll
2013-07-05 00:29:30 131480 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozglue.dll
2013-07-05 00:29:30 117144 ----a-w- C:\Program Files (x86)\Mozilla Firefox\maintenanceservice.exe
2013-07-04 13:28:10 56072 ----a-w- C:\Windows\System32\certsentry.dll
2013-07-04 13:28:10 47368 ----a-w- C:\Windows\SysWow64\certsentry.dll
2013-06-23 20:08:22 -------- d-----w- C:\Program Files\TAP-Windows
2013-06-23 20:08:21 -------- d-----w- C:\Program Files\OpenVPN
2013-06-23 20:08:09 -------- d-----w- C:\Users\Lars\AppData\Roaming\AirVPN
2013-06-23 15:11:02 -------- d-----w- C:\Users\Lars\AppData\Local\Macromedia
2013-06-22 17:31:17 -------- d-----w- C:\Users\Lars\AppData\Roaming\Mp3tag
2013-06-22 17:30:57 -------- d-----w- C:\Program Files (x86)\Mp3tag
2013-06-22 11:15:00 96168 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-06-17 20:53:24 -------- d-----w- C:\Program Files (x86)\Evernote
2013-06-11 18:36:50 1910632 ----a-w- C:\Windows\System32\drivers\tcpip.sys
.
==================== Find3M  ====================
.
2013-07-09 21:10:34 29 ----a-w- C:\Windows\SysWow64\TempWmicBatchFile.bat
2013-06-22 11:14:54 867240 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2013-06-22 11:14:54 789416 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2013-06-12 18:39:18 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-06-12 18:39:18 692104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-06-12 18:39:09 9089416 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
2013-05-17 03:09:56 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2013-05-17 03:02:29 1392128 ----a-w- C:\Windows\System32\wininet.dll
2013-05-17 03:01:13 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2013-05-17 02:56:09 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2013-05-17 02:56:00 599040 ----a-w- C:\Windows\System32\vbscript.dll
2013-05-17 02:51:27 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2013-05-16 22:39:39 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-05-16 22:28:26 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-05-16 22:27:30 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2013-05-16 22:21:37 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2013-05-16 22:20:30 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
2013-05-16 22:16:57 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-05-13 05:51:01 184320 ----a-w- C:\Windows\System32\cryptsvc.dll
2013-05-13 05:51:00 1464320 ----a-w- C:\Windows\System32\crypt32.dll
2013-05-13 05:51:00 139776 ----a-w- C:\Windows\System32\cryptnet.dll
2013-05-13 05:50:40 52224 ----a-w- C:\Windows\System32\certenc.dll
2013-05-13 04:45:55 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
2013-05-13 04:45:55 1160192 ----a-w- C:\Windows\SysWow64\crypt32.dll
2013-05-13 04:45:55 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
2013-05-13 03:43:55 1192448 ----a-w- C:\Windows\System32\certutil.exe
2013-05-13 03:08:10 903168 ----a-w- C:\Windows\SysWow64\certutil.exe
2013-05-13 03:08:06 43008 ----a-w- C:\Windows\SysWow64\certenc.dll
2013-05-10 05:49:27 30720 ----a-w- C:\Windows\System32\cryptdlg.dll
2013-05-10 03:20:54 24576 ----a-w- C:\Windows\SysWow64\cryptdlg.dll
2013-04-26 05:51:36 751104 ----a-w- C:\Windows\System32\win32spl.dll
2013-04-26 04:55:21 492544 ----a-w- C:\Windows\SysWow64\win32spl.dll
2013-04-25 23:30:32 1505280 ----a-w- C:\Windows\SysWow64\d3d11.dll
2013-04-17 07:02:06 1230336 ----a-w- C:\Windows\SysWow64\WindowsCodecs.dll
2013-04-17 06:24:46 1424384 ----a-w- C:\Windows\System32\WindowsCodecs.dll
2013-04-13 05:49:23 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
2013-04-13 05:49:19 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll
2013-04-13 05:49:19 308736 ----a-w- C:\Windows\apppatch\AppPatch64\AcGenral.dll
2013-04-13 05:49:19 111104 ----a-w- C:\Windows\apppatch\AppPatch64\acspecfc.dll
2013-04-13 04:45:16 474624 ----a-w- C:\Windows\apppatch\AcSpecfc.dll
2013-04-13 04:45:15 2176512 ----a-w- C:\Windows\apppatch\AcGenral.dll
2013-04-12 14:45:08 1656680 ----a-w- C:\Windows\System32\drivers\ntfs.sys
.
============= FINISH: 23:25:34,61 ===============
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium 
Boot Device: \Device\HarddiskVolume2
Install Date: 9-9-2010 19:18:50
System Uptime: 9-7-2013 23:10:07 (0 hours ago)
.
Motherboard: Packard Bell |  | FIH57
Processor: Intel® Core™ i3 CPU         530  @ 2.93GHz | CPU 1 | 2933/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 253 GiB total, 94,969 GiB free.
D: is FIXED (NTFS) - 663 GiB total, 143,563 GiB free.
E: is CDROM (CDFS)
F: is CDROM ()
G: is FIXED (NTFS) - 15 GiB total, 6,021 GiB free.
H: is FIXED (NTFS) - 1863 GiB total, 171,406 GiB free.
J: is FIXED (NTFS) - 932 GiB total, 423,854 GiB free.
L: is CDROM ()
V: is Removable
W: is Removable
X: is Removable
Y: is Removable
Z: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: System Attribute Cache
Device ID: ROOT\LEGACY_DISCACHE\0000
Manufacturer: 
Name: System Attribute Cache
PNP Device ID: ROOT\LEGACY_DISCACHE\0000
Service: discache
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: PEAUTH
Device ID: ROOT\LEGACY_PEAUTH\0000
Manufacturer: 
Name: PEAUTH
PNP Device ID: ROOT\LEGACY_PEAUTH\0000
Service: PEAUTH
.
==== System Restore Points ===================
.
RP105: 22-6-2013 13:13:04 - Installed Java 7 Update 25
RP106: 23-6-2013 17:17:33 - Removed EMET
RP107: 23-6-2013 17:21:09 - Removed EMET 4.0
RP108: 23-6-2013 22:08:28 - Device Driver Package Install: TAP-Windows Provider V9 Network adapters
RP110: 3-7-2013 15:15:52 - Scheduled Checkpoint
RP111: 4-7-2013 14:15:09 - Removed Facebook Password Extractor
RP112: 4-7-2013 14:17:45 - Removed HP WebInspect 9.0
RP113: 4-7-2013 14:31:39 - Removed Microsoft SQL Server 2005 Compact Edition [ENU]
RP114: 4-7-2013 14:43:26 - Removed Microsoft SQL Server 2008 R2 Native Client
RP115: 4-7-2013 14:44:12 - Removed Microsoft SQL Server Compact 3.5 SP2 ENU
RP116: 4-7-2013 14:45:07 - Removed Caesar IV
RP117: 9-7-2013 16:28:06 - ComboFix created restore point
.
==== Installed Programs ======================
.
 Update for Microsoft Office 2007 (KB2508958)
7-Zip 4.65
Aangifte inkomstenbelasting 2011
Aangifte inkomstenbelasting 2012
ACR38/100/122 PC/SC Driver 1.1.2.0
Acronis True Image WD Edition
ACS CCID PCSC Driver 1.1.6.3
Adobe Acrobat XI Pro
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.7)
Advertising Center
AGEIA PhysX v7.11.13
All Media Fixer 9.11
Apache Tomcat 5.5 (remove only)
Application Verifier (x64)
ARAX Disk Doctor Data Recovery
ASIO4ALL
µTorrent
Attack Surface Analyzer
Audacity 2.0.2
Audiograbber 1.83 SE 
Bigasoft Total Video Converter 3.5.0.4265
Bit Che
Cain & Abel v4.9.36
CCleaner
Cisco WebEx Meetings
Comodo Dragon
Compatibility Pack for the 2007 Office system
Counter-Strike: Source
DAEMON Tools Lite
Debugging Tools for Windows (x64)
Dropbox
DVDFab 8.0.4.0 (11/11/2010)
EASEUS Partition Master 8.0.1 Home Edition
EASEUS Partition Recovery 5.0.1
EASEUS Photo Recovery 3.0.1 Demo
EasyBCD 2.0
Evernote v. 4.6.6
FileZilla Client 3.7.1
FinalBurner Free v2.24.0.195
Freez FLV to MP3 Converter
GetDataBack for FAT
GetDataBack for NTFS
GIMP 2.8.0
Google Drive
Google SketchUp Pro 8
Google Talk Plugin
Google Update Helper
GoToMeeting 5.1.0.880
Half-Life 2: Episode Two
HashTab 1.14 for x32
HDD Raw Copy Tool v1.02
Hotfix for Microsoft .NET Framework 4 Client Profile (KB2461678)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946040)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946308)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946344)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947540)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947789)
ICW COPSSHCP(remove only)
Identity Card
ImagXpress
Intel® Management Engine Components
Intel® Matrix Storage Manager
Java 7 Update 25
Java Auto Updater
Junk Mail filter update
K-Lite Codec Pack 8.8.0 (Basic)
Korg Legacy Collection v1.1.10
KORG USB-MIDI Driver Tools for Windows
Live 8.2.1
MagicDisc 2.7.106
MediaInfo 0.7.61
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Help Viewer 1.0
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (Dutch) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (Dutch) 2007
Microsoft Office File Validation Add-In
Microsoft Office Groove MUI (Dutch) 2007
Microsoft Office InfoPath MUI (Dutch) 2007
Microsoft Office Office 64-bit Components 2007
Microsoft Office OneNote MUI (Dutch) 2007
Microsoft Office Outlook MUI (Dutch) 2007
Microsoft Office PowerPoint MUI (Dutch) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (Dutch) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (German) 2007
Microsoft Office Proofing (Dutch) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (Dutch) 2007
Microsoft Office Shared 64-bit MUI (Dutch) 2007
Microsoft Office Shared MUI (Dutch) 2007
Microsoft Office Word MUI (Dutch) 2007
Microsoft Report Viewer Redistributable 2008 (KB971119)
Microsoft Report Viewer Redistributable 2008 SP1
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable (x64)
Microsoft Visual C++ 2005 Redistributable (x64) - KB2467175
Microsoft Visual C++ 2008 ATL Update kb973924 - x64 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x64 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319
Microsoft Visual Studio Tools for Applications 2.0 - ENU
Microsoft Windows Debugging Symbols
Microsoft Windows Performance Toolkit
Microsoft Windows SDK for Windows 7 (7.1)
Microsoft Windows SDK MSHelp (30514)
Microsoft WSE 3.0 Runtime
MiniTool Partition Wizard Professional Edition 5.2
Mozilla Firefox 22.0 (x86 en-GB)
Mozilla Maintenance Service
MP3 Splitter & Joiner
Mp3tag v2.56
MSVC80_x64_v2
MSVC80_x86_v2
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 4.0 SP3 Parser
MSXML 4.0 SP3 Parser (KB2721691)
MSXML 4.0 SP3 Parser (KB2758694)
MyFreeCodec
MySQL Connector/ODBC 3.51
Nero 9 Essentials
Nero ControlCenter
Nero DiscSpeed
Nero DiscSpeed Help
Nero DriveSpeed
Nero DriveSpeed Help
Nero Express Help
Nero InfoTool
Nero InfoTool Help
Nero Installer
Nero Online Upgrade
Nero StartSmart
Nero StartSmart Help
Nero StartSmart OEM
NeroExpress
neroxml
Next Generation Visualisations
Nmap 6.25
Nokia Connectivity Cable Driver
Nokia PC Suite
Nullsoft Install System
NVIDIA 3D Vision Driver 311.06
NVIDIA Control Panel 311.06
NVIDIA Display Control Panel
NVIDIA Graphics Driver 311.06
NVIDIA HD Audio Driver 1.3.18.0
NVIDIA Install Application
NVIDIA Stereoscopic 3D Driver
NVIDIA Update 1.11.3
NVIDIA Update Components
OpenAL
OpenTTD 1.2.0${APPV_EXTRA}
OpenVPN 2.3.0-I001 
ophcrack 3.3.1
Oracle VM VirtualBox 4.2.6
Packard Bell Recovery Management
Packard Bell Updater
PC Connectivity Solution
Photo Stitcher
PokerStars.eu
Portrait Professional 10.8 Trial
Python 2.7.1
QuickTime Alternative 3.1.1
Realtek High Definition Audio Driver
Recuva
Samsung Kies
SAMSUNG USB Driver for Mobile Phones
ScummVM 1.5.0
Secunia PSI (2.0.0.4003)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687311) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2687439) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2687499) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2760416) 32-Bit Edition 
Security Update for Microsoft Office Excel 2007 (KB2687307) 32-Bit Edition 
Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition 
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2597971) 32-Bit Edition 
Security Update for Microsoft Office Word 2007 (KB2760421) 32-Bit Edition 
Sonic Foundry Sound Forge 6.0
SoulSeek 157 NS 13e
SoulseekQt
Steam
Stellar Phoenix JPEG Repair
TAP-Windows 9.9.2
Temp File Cleaner
TheMatrix Screen Saver version 1.14
TightVNC
TomTom HOME
TomTom HOME Visual Studio Merge Modules
touchatag 1.3
TrueCrypt
UM-ONE Driver
Universal Extractor 1.6.1
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2836939)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596802) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2687493) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition
Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2817327) 32-Bit Edition
Update voor Microsoft Office Excel 2007 Help (KB963678)
Update voor Microsoft Office Powerpoint 2007 Help (KB963669)
Update voor Microsoft Office Word 2007 Help (KB963665)
Verzoek of wijziging voorlopige aanslag 2011
Verzoek of wijziging voorlopige aanslag 2012
Verzoek of wijziging voorlopige aanslag 2013
VirtuaGirl HD
VLC media player 2.0.7
WD Drive Utilities
WD Security
WD SmartWare
WhiteCap
Windows Driver Package - ACS (A38CCID) SmartCardReader  (08/30/2008 1.1.6.3)
Windows Driver Package - ACS (A38CCID) SmartCardReader  (12/16/2009 1.1.6.5)
Windows Driver Package - ACS (ACR122U) SmartCardReader  (12/16/2009 1.1.6.3)
Windows Driver Package - ACS (ACSSCR) SmartCardReader  (12/15/2009 1.1.6.2)
Windows Driver Package - Nokia Modem  (06/09/2010 7.01.0.8)
Windows Driver Package - Nokia Modem  (10/07/2010 4.6)
Windows Driver Package - Nokia pccsmcfd  (08/22/2008 7.0.0.0)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
Windows Media Encoder 9 Series
Windows Media Player Firefox Plugin
Windows Mobile Device Center
WinPcap 4.1.2
WinRAR archiver
Wireshark 1.6.11 (64-bit)
WM Recorder 14
World of Warcraft
.
==== Event Viewer Messages From Past Week ========
.
9-7-2013 23:12:42, Error: Service Control Manager [7038]  - The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error:  Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
9-7-2013 23:12:42, Error: Service Control Manager [7000]  - The NVIDIA Update Service Daemon service failed to start due to the following error:  The service did not start due to a logon failure.
9-7-2013 23:10:40, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  discache
9-7-2013 23:10:34, Error: Service Control Manager [7024]  - The Apache Tomcat service terminated with service-specific error The operation completed successfully..
9-7-2013 23:10:33, Error: Service Control Manager [7000]  - The PEAUTH service failed to start due to the following error:  The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
9-7-2013 16:44:22, Error: Service Control Manager [7043]  - The Windows Update service did not shut down properly after receiving a preshutdown control.
9-7-2013 16:33:36, Error: Service Control Manager [7030]  - The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
9-7-2013 16:27:46, Error: Service Control Manager [7031]  - The Virtual Disk service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
9-7-2013 16:19:06, Error: Service Control Manager [7022]  - The Intel® Management & Security Application User Notification Service service hung on starting.
9-7-2013 14:43:34, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the Adobe Flash Player Update Service service to connect.
9-7-2013 14:43:34, Error: Service Control Manager [7000]  - The Adobe Flash Player Update Service service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
9-7-2013 14:06:53, Error: Service Control Manager [7034]  - The Adobe Acrobat Update Service service terminated unexpectedly.  It has done this 1 time(s).
9-7-2013 14:06:46, Error: Service Control Manager [7034]  - The COMODO Dragon Update Service service terminated unexpectedly.  It has done this 1 time(s).
9-7-2013 14:06:38, Error: Service Control Manager [7034]  - The NVIDIA Display Driver Service service terminated unexpectedly.  It has done this 1 time(s).
9-7-2013 14:06:32, Error: Service Control Manager [7034]  - The NVIDIA Stereoscopic 3D Driver Service service terminated unexpectedly.  It has done this 1 time(s).
9-7-2013 14:06:27, Error: Service Control Manager [7034]  - The Updater Service service terminated unexpectedly.  It has done this 1 time(s).
9-7-2013 14:06:22, Error: Service Control Manager [7034]  - The Acronis Scheduler2 Service service terminated unexpectedly.  It has done this 1 time(s).
9-7-2013 13:24:53, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the WD Rules service to connect.
9-7-2013 13:24:53, Error: Service Control Manager [7001]  - The WD Backup service depends on the WD Rules service which failed to start because of the following error:  The service did not respond to the start or control request in a timely fashion.
9-7-2013 13:24:53, Error: Service Control Manager [7000]  - The WD Rules service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
9-7-2013 10:59:33, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the USBS3S4Detection service.
8-7-2013 15:24:00, Error: Service Control Manager [7001]  - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error:  The dependency service or group failed to start.
8-7-2013 15:23:59, Error: Service Control Manager [7001]  - The Computer Browser service depends on the Server service which failed to start because of the following error:  The dependency service or group failed to start.
8-7-2013 15:23:59, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
8-7-2013 15:23:59, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
8-7-2013 15:23:58, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
8-7-2013 15:23:52, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
8-7-2013 15:19:25, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  cmdGuard discache ElRawDisk spldr truecrypt VBoxDrv VBoxUSBMon Wanarpv6
8-7-2013 15:16:40, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
8-7-2013 15:15:59, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WDRulesService with arguments "" in order to run the server: {C004E60F-2D62-4BE1-98C4-C39A8046B6BB}
8-7-2013 15:15:59, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service WDBackup with arguments "" in order to run the server: {81213AB4-5937-4340-88CD-66B4BC80DF73}
8-7-2013 15:09:08, Error: Application Popup [1060]  - \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
8-7-2013 15:03:28, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service VSS with arguments "" in order to run the server: {E579AB5F-1CC4-44B4-BED9-DE0991FF0623}
8-7-2013 14:06:18, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service NVSvc with arguments "" in order to run the server: {DCAB0989-1301-4319-BE5F-ADE89F88581C}
8-7-2013 14:03:44, Error: sptd [4]  - Driver detected an internal error in its data structures for .
8-7-2013 14:01:23, Error: Service Control Manager [7034]  - The Secunia Update Agent service terminated unexpectedly.  It has done this 1 time(s).
8-7-2013 14:01:01, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the Windows Error Reporting Service service to connect.
8-7-2013 13:07:51, Error: Service Control Manager [7031]  - The Intel® Management and Security Application Local Management Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 10000 milliseconds: Restart the service.
7-7-2013 22:44:37, Error: Service Control Manager [7034]  - The COMODO Internet Security Helper Service service terminated unexpectedly.  It has done this 1 time(s).
.
==== End Of File ===========================


#6 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:41 AM

Posted 10 July 2013 - 01:50 AM

Please download Malwarebytes Anti-Rootkit from here (Malwarebytes : Malwarebytes Anti-Rootkit) and save it to your desktop.

Be sure to print out and follow the instructions provided on that same page.

Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.

  • Double click the mbar.zip file to open it, then 'Extract all files'.
  • Double click the mbar folder to open it, then double click mbar.exe to start the tool.

Check for Updates, then Scan your system for malware

If malware is found, do NOT press the Cleanup button yet. Click EXIT.

I'd like to see the log first so I can see what it sees. You'll find the log in that mbar folder as MBAR-log-***.txt . Please attach that to your next reply.


Proud Member of UNITE & TB

My help is free, however, if you want to support my fight against malware, click here --> [donate button] <-- (no worries, every little bit helps)

#7 NickRiviera

NickRiviera
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:01:41 AM

Posted 10 July 2013 - 05:31 AM

Hi, the log was named system-log.txt by the way ;)

It only shows 1 registry entry which seems to be a leftover of legal keylogger software I tried out months ago.


---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.06.0.1004

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, G:\ DRIVE_FIXED, H:\ DRIVE_FIXED, J:\ DRIVE_FIXED
CPU speed: 2.926000 GHz
Memory total: 4151410688, free: 3153563648

Downloaded database version: v2013.07.10.03
Initializing...
------------ Kernel report ------------
     07/10/2013 12:17:47
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\system32\DRIVERS\vsflt53.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\DRIVERS\iaStor.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\DRIVERS\vididr.sys
\SystemRoot\system32\DRIVERS\timntr.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\system32\DRIVERS\snapman.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\DRIVERS\disk.sys
\SystemRoot\system32\DRIVERS\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\dtsoftbus01.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\ws2ifsl.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\vwififlt.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\VBoxUSBMon.sys
\SystemRoot\system32\DRIVERS\VBoxDrv.sys
\SystemRoot\System32\drivers\truecrypt.sys
\SystemRoot\system32\drivers\termdd.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\drivers\mssmbios.sys
\??\C:\Windows\system32\drivers\dddskx64.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\nvlddmkm.sys
\SystemRoot\System32\Drivers\nvBridge.kmd
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\drivers\HDAudBus.sys
\SystemRoot\system32\DRIVERS\HECIx64.sys
\SystemRoot\system32\drivers\usbehci.sys
\SystemRoot\system32\drivers\USBPORT.SYS
\SystemRoot\system32\drivers\1394ohci.sys
\SystemRoot\system32\drivers\i8042prt.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\drivers\mouclass.sys
\SystemRoot\system32\drivers\wmiacpi.sys
\SystemRoot\system32\drivers\CompositeBus.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\VBoxNetAdp.sys
\SystemRoot\system32\DRIVERS\tap0901.sys
\SystemRoot\System32\Drivers\pcouffin.sys
\SystemRoot\system32\DRIVERS\mcdbus.sys
\SystemRoot\system32\DRIVERS\SCSIPORT.SYS
\SystemRoot\system32\DRIVERS\VBoxNetFlt.sys
\SystemRoot\system32\drivers\swenum.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\drivers\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\nvhda64v.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\system32\drivers\RTKVHD64.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\cdfs.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\Drivers\dump_iaStor.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\usbscan.sys
\SystemRoot\system32\DRIVERS\usbprint.sys
\SystemRoot\system32\Drivers\rdwm1115.sys
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\drivers\npf.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\WUDFRd.sys
\SystemRoot\system32\DRIVERS\psi_mf.sys
\SystemRoot\system32\DRIVERS\e1k62x64.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\mbamswissarmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
\Windows\System32\rpcrt4.dll
\Windows\System32\clbcatq.dll
\Windows\System32\ws2_32.dll
\Windows\System32\comdlg32.dll
\Windows\System32\nsi.dll
\Windows\System32\kernel32.dll
\Windows\System32\oleaut32.dll
\Windows\System32\advapi32.dll
\Windows\System32\msvcrt.dll
\Windows\System32\wininet.dll
\Windows\System32\urlmon.dll
\Windows\System32\usp10.dll
\Windows\System32\normaliz.dll
\Windows\System32\setupapi.dll
\Windows\System32\user32.dll
\Windows\System32\msctf.dll
\Windows\System32\difxapi.dll
\Windows\System32\sechost.dll
\Windows\System32\Wldap32.dll
\Windows\System32\ole32.dll
\Windows\System32\gdi32.dll
\Windows\System32\psapi.dll
\Windows\System32\lpk.dll
\Windows\System32\shlwapi.dll
\Windows\System32\iertutil.dll
\Windows\System32\shell32.dll
\Windows\System32\imagehlp.dll
\Windows\System32\imm32.dll
\Windows\System32\comctl32.dll
\Windows\System32\crypt32.dll
\Windows\System32\cfgmgr32.dll
\Windows\System32\KernelBase.dll
\Windows\System32\wintrust.dll
\Windows\System32\devobj.dll
\Windows\System32\msasn1.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk7\DR7
Upper Device Object: 0xfffffa8006b22060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\000000a8\
Lower Device Object: 0xfffffa8006b14060
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk6\DR6
Upper Device Object: 0xfffffa8006b1c790
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\000000a7\
Lower Device Object: 0xfffffa8006af5060
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk5\DR5
Upper Device Object: 0xfffffa8006b17790
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\000000a6\
Lower Device Object: 0xfffffa8006aea060
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk4\DR4
Upper Device Object: 0xfffffa8006b16060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\000000a5\
Lower Device Object: 0xfffffa8006aec060
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk3\DR3
Upper Device Object: 0xfffffa8006a4a790
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\000000a3\
Lower Device Object: 0xfffffa8006a47b60
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk2\DR2
Upper Device Object: 0xfffffa80069c6790
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\0000009f\
Lower Device Object: 0xfffffa80069bb060
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR1
Upper Device Object: 0xfffffa80066fa790
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000096\
Lower Device Object: 0xfffffa800656aac0
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa8004c42060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IAAStorageDevice-1\
Lower Device Object: 0xfffffa8004943050
Lower Device Driver Name: \Driver\iaStor\
<<<2>>>
Device number: 0, partition: 3
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa8004c42060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8004b02940, DeviceName: Unknown, DriverName: \Driver\snapman\
DevicePointer: 0xfffffa8004c42b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8004c42060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8004b02b50, DeviceName: Unknown, DriverName: \Driver\vidsflt53\
DevicePointer: 0xfffffa8004943050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
------------ End ----------
Alternate DeviceName: Unknown, DriverName: \Driver\partmgr\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
Device number: 0, partition: 3
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\Windows\system32\drivers...
<<<2>>>
Device number: 0, partition: 3
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 86719BAF

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 2048  Numsec = 31457280

    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 31459328  Numsec = 204800
    Partition file system is NTFS
    Partition is bootable

    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 31664128  Numsec = 530585600

    Partition 3 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 562258936  Numsec = 1391262728

Disk Size: 1000204886016 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-1953505168-1953525168)...
Done!
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xfffffa80066fa790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa80064419d0, DeviceName: Unknown, DriverName: \Driver\snapman\
DevicePointer: 0xfffffa800670eaf0, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa80066fa790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa80064619d0, DeviceName: Unknown, DriverName: \Driver\vidsflt53\
DevicePointer: 0xfffffa800656aac0, DeviceName: \Device\00000096\, DriverName: \Driver\USBSTOR\
------------ End ----------
Alternate DeviceName: Unknown, DriverName: \Driver\partmgr\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: EBF97359

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 2048  Numsec = 3907024896

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 2000398934016 bytes
Sector size: 512 bytes

Done!
Physical Sector Size: 0
Drive: 2, DevicePointer: 0xfffffa80069c6790, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa80069bc5f0, DeviceName: Unknown, DriverName: \Driver\snapman\
DevicePointer: 0xfffffa80069c7040, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa80069c6790, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa80069ab610, DeviceName: Unknown, DriverName: \Driver\vidsflt53\
DevicePointer: 0xfffffa80069bb060, DeviceName: \Device\0000009f\, DriverName: \Driver\USBSTOR\
------------ End ----------
Physical Sector Size: 512
Drive: 3, DevicePointer: 0xfffffa8006a4a790, DeviceName: \Device\Harddisk3\DR3\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8006a4a560, DeviceName: Unknown, DriverName: \Driver\snapman\
DevicePointer: 0xfffffa8006a48040, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8006a4a790, DeviceName: \Device\Harddisk3\DR3\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8006a48cd0, DeviceName: Unknown, DriverName: \Driver\vidsflt53\
DevicePointer: 0xfffffa8006a47b60, DeviceName: \Device\000000a3\, DriverName: \Driver\USBSTOR\
------------ End ----------
Alternate DeviceName: Unknown, DriverName: \Driver\partmgr\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
Drive 3
Scanning MBR on drive 3...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: E8900690

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63  Numsec = 1953520002

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 1000204886016 bytes
Sector size: 512 bytes

Done!
Physical Sector Size: 0
Drive: 4, DevicePointer: 0xfffffa8006b16060, DeviceName: \Device\Harddisk4\DR4\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8006b05bb0, DeviceName: Unknown, DriverName: \Driver\snapman\
DevicePointer: 0xfffffa8006b16b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8006b16060, DeviceName: \Device\Harddisk4\DR4\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8006afaa60, DeviceName: Unknown, DriverName: \Driver\vidsflt53\
DevicePointer: 0xfffffa8006aec060, DeviceName: \Device\000000a5\, DriverName: \Driver\USBSTOR\
------------ End ----------
Physical Sector Size: 0
Drive: 5, DevicePointer: 0xfffffa8006b17790, DeviceName: \Device\Harddisk5\DR5\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8006b1be30, DeviceName: Unknown, DriverName: \Driver\snapman\
DevicePointer: 0xfffffa8006b2b040, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8006b17790, DeviceName: \Device\Harddisk5\DR5\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8006b2a940, DeviceName: Unknown, DriverName: \Driver\vidsflt53\
DevicePointer: 0xfffffa8006aea060, DeviceName: \Device\000000a6\, DriverName: \Driver\USBSTOR\
------------ End ----------
Physical Sector Size: 0
Drive: 6, DevicePointer: 0xfffffa8006b1c790, DeviceName: \Device\Harddisk6\DR6\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8006b1e1c0, DeviceName: Unknown, DriverName: \Driver\snapman\
DevicePointer: 0xfffffa8006b1fb90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8006b1c790, DeviceName: \Device\Harddisk6\DR6\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8006b1d5f0, DeviceName: Unknown, DriverName: \Driver\vidsflt53\
DevicePointer: 0xfffffa8006af5060, DeviceName: \Device\000000a7\, DriverName: \Driver\USBSTOR\
------------ End ----------
Physical Sector Size: 0
Drive: 7, DevicePointer: 0xfffffa8006b22060, DeviceName: \Device\Harddisk7\DR7\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8006b21350, DeviceName: Unknown, DriverName: \Driver\snapman\
DevicePointer: 0xfffffa8006b22b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8006b22060, DeviceName: \Device\Harddisk7\DR7\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8006b20e30, DeviceName: Unknown, DriverName: \Driver\vidsflt53\
DevicePointer: 0xfffffa8006b14060, DeviceName: \Device\000000a8\, DriverName: \Driver\USBSTOR\
------------ End ----------
Infected: HKLM\SOFTWARE\Refog Software --> [Refog.Keylogger]
Scan finished
 



#8 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:12:41 AM

Posted 10 July 2013 - 05:38 AM

Looks good!

Please go here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click 'List of found threats', then click Export to text file...
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#9 NickRiviera

  • Topic Starter
  • Members
  • 9 posts
  • Local time:01:41 AM

Posted 10 July 2013 - 08:37 AM

Hi, here are the results:

I'm in the Ethical Hacking business, and apart from the quarantined files, all the others can be accounted for and are harmless if handled with care.

The only thing I don't understand is why Daemon Tools Lite is marked as OpenCandy?

C:\TDSSKiller_Quarantine\21.11.2012_21.45.53\tdlfs0000\tsk0002.dta    Win32/Olmarik.AYV trojan
C:\TDSSKiller_Quarantine\21.11.2012_21.45.53\tdlfs0000\tsk0003.dta    Win32/Olmarik.AFK trojan
C:\TDSSKiller_Quarantine\21.11.2012_21.45.53\tdlfs0000\tsk0004.dta    Win64/Olmarik.D trojan
C:\TDSSKiller_Quarantine\21.11.2012_21.45.53\tdlfs0000\tsk0005.dta    a variant of Win32/Olmarik.AFW trojan
C:\TDSSKiller_Quarantine\21.11.2012_21.45.53\tdlfs0000\tsk0006.dta    Win64/Olmarik.D trojan
C:\TDSSKiller_Quarantine\21.11.2012_21.45.53\tdlfs0000\tsk0007.dta    a variant of Win32/Olmarik.ADZ trojan
C:\TDSSKiller_Quarantine\21.11.2012_21.45.53\tdlfs0000\tsk0008.dta    Win64/Olmarik.A trojan
C:\TDSSKiller_Quarantine\21.11.2012_21.45.53\tdlfs0001\tsk0002.dta    Win32/Olmarik.AYV trojan
C:\TDSSKiller_Quarantine\21.11.2012_21.45.53\tdlfs0001\tsk0003.dta    Win32/Olmarik.AFK trojan
C:\TDSSKiller_Quarantine\21.11.2012_21.45.53\tdlfs0001\tsk0004.dta    Win64/Olmarik.D trojan
C:\TDSSKiller_Quarantine\21.11.2012_21.45.53\tdlfs0001\tsk0005.dta    a variant of Win32/Olmarik.AFW trojan
C:\TDSSKiller_Quarantine\21.11.2012_21.45.53\tdlfs0001\tsk0006.dta    Win64/Olmarik.D trojan
C:\TDSSKiller_Quarantine\21.11.2012_21.45.53\tdlfs0001\tsk0007.dta    a variant of Win32/Olmarik.ADZ trojan
C:\TDSSKiller_Quarantine\21.11.2012_21.45.53\tdlfs0001\tsk0008.dta    Win64/Olmarik.A trojan
D:\h4x\Cain\Abel.exe    a variant of Win32/CainAbel.AA application
D:\h4x\Cain\Cain.exe    a variant of Win32/CainAbel application
D:\h4x\CEH files\Day 2\NAAS\nc.exe    Win32/RemoteAdmin application
D:\h4x\jtr\john1701\run\john-386.exe    Win32/HackTool.John application
D:\h4x\jtr\john1701\run\unafs.exe    Win32/HackTool.John application
D:\h4x\jtr\john1701\run\unique.exe    Win32/HackTool.John application
D:\h4x\jtr\john1701\run\unshadow.exe    Win32/HackTool.John application
D:\h4x\Release\fgdump.exe    Win32/PSWTool.Fgdump.A application
D:\ophcrack\ophcrack.exe    a variant of Win32/PSWTool.ophCrack.A application
D:\ophcrack\ophcrack_nogui.exe    a variant of Win32/PSWTool.ophCrack.A application
D:\ophcrack\pwdump\lsremora.dll    Win32/PSWTool.PWDump6 application
D:\ophcrack\pwdump\pwdump6_setup.exe    Win32/PSWTool.PWDump6 application
D:\ophcrack\pwdump\servpw.exe    Win32/PSWTool.PWDump6 application
H:\HP Laptop\16G Samsung\DTLite4413-0173.exe    Win32/OpenCandy application
H:\HP Laptop\Hacktemp\Training CISSP\Training\ISC2\CISSP-ACE Training\Labs\Lab3\AVBypass\nc.exe    Win32/RemoteAdmin application
H:\HP Laptop\Hacktemp\Training CISSP\Training\ISC2\CISSP-ACE Training\Labs\Lab3\AVBypass\UPX Packer\upx303w\joer0x.exe    Win32/RemoteAdmin application
H:\HP Laptop\Hacktemp\Training CISSP\Training\ISC2\CISSP-ACE Training\Labs\Lab3\AVBypass\UPX Packer\upx303w\joe_packed_hexed    Win32/RemoteAdmin application
H:\HP Laptop\Hacktemp\Training CISSP\Training\ISC2\CISSP-ACE Training\Labs\Lab3\AVBypass\UPX Packer\upx303w\nc.exe    Win32/RemoteAdmin application
H:\HP Laptop\Hacktemp\Training CISSP\Training\ISC2\CISSP-ACE Training\Labs\Lab3\AVBypass\UPX Packer\upx303w\nc_hexed    Win32/RemoteAdmin application
H:\HP Laptop\Hacktemp\Training CISSP\Training\ISC2\CISSP-ACE Training\Labs\Lab3\AVBypass\UPX Packer\upx303w\nc_packed.exe    Win32/RemoteAdmin application
H:\HP Laptop\Stuff from Caitlin\Network Toolkit ALL\bin\auditing\cain_abel\Cain.exe    a variant of Win32/CainAbel application
H:\HP Laptop\Stuff from Caitlin\Network Toolkit ALL\bin\cmdlinetools\john_the_ripper\unique.exe    Win32/HackTool.John application
H:\HP Laptop\Stuff from Caitlin\Network Toolkit ALL\bin\monitors\adapterwatch\awatch.exe    a variant of Win32/AdapterWatch.A application
H:\HP Laptop\Stuff from Caitlin\THESE WILL ONLY WORK ON AN EXTERNAL DRIVE\PornStick\Run\PornDetectionUI_Admin.exe    a variant of Win32/Packed.Themida application
H:\HP Laptop\Stuff from Caitlin\THESE WILL ONLY WORK ON AN EXTERNAL DRIVE\PornStick\Run\PornDetectionUI_Client.exe    a variant of Win32/Packed.Themida application
H:\Recover\CEH files\Day 2\ophcrack-win32-installer-3.3.1.exe    multiple threats
H:\Recover\CEH files\Day 2\NAAS\nc.exe    Win32/RemoteAdmin application
H:\Recover\CEH files\Day 3\Day 3\RDP Brute Forcing POC\tsgrinder.exe    a variant of Win32/HackTool.TSGrinder.AA application
H:\Recover\CEH files\Day 4\brutus-aet2\BrutusA2.exe    Win32/PSWTool.Brutus application
H:\Recover\CEH files\Day 5\brutus-aet2\BrutusA2.exe    Win32/PSWTool.Brutus application
H:\Samsung Galaxy S\SD card backup\DTLite4413-0173.exe    Win32/OpenCandy application
 



#10 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:12:41 AM

Posted 10 July 2013 - 09:28 AM

OpenCandy means that this tool brings some unwanted software with it, see here: http://en.wikipedia.org/wiki/OpenCandy

Then we can do the cleanup - if you are facing any issues, report that immediately.

Delete junk with AdwCleaner


Please download AdwCleaner to your desktop.

  • Run adwcleaner.exe.
  • Hit delete.
  • When the run is finished, it will open up a text file.
  • Please post its contents within your next reply.
  • You'll also find the log file at C:\AdwCleaner[S1].txt.


SecurityCheck

Please download SecurityCheck: LINK1 LINK2



  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan has finished, checkup.txt will open. Copy its content to your thread.

Edited by TB-Psychotic, 10 July 2013 - 09:29 AM.


#11 NickRiviera

  • Topic Starter
  • Members
  • 9 posts
  • Local time:01:41 AM

Posted 11 July 2013 - 07:11 AM

# AdwCleaner v2.304 - Logfile created 07/11/2013 at 14:06:04
# Updated 03/07/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Lars - LARS-PB
# Boot Mode : Normal
# Running from : C:\Users\Lars\Downloads\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\ProgramData\FreeRIP
Folder Deleted : C:\ProgramData\Partner
Folder Deleted : C:\Users\Lars\AppData\Roaming\vghd

***** [Registry] *****

Key Deleted : HKCU\Software\AutocompleteProBHO
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\secman.DLL
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [support@predictad.com]

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16496

[OK] Registry is clean.

-\\ Mozilla Firefox v22.0 (en-GB)

File : C:\Users\Lars\AppData\Roaming\Mozilla\Firefox\Profiles\23t7aaty.default\prefs.js

[OK] File is clean.

File : C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ahp951oe.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1715 octets] - [11/07/2013 14:05:14]
AdwCleaner[S1].txt - [1672 octets] - [11/07/2013 14:06:04]

########## EOF - C:\AdwCleaner[S1].txt - [1732 octets] ##########
 



#12 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:12:41 AM

Posted 11 July 2013 - 07:16 AM

Then we need the checkup.txt from SecurityCheck as well...



#13 NickRiviera

  • Topic Starter
  • Members
  • 9 posts
  • Local time:01:41 AM

Posted 11 July 2013 - 07:16 AM

 Results of screen317's Security Check version 0.99.68  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 10  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
McAfee VirusScan Enterprise   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:````````` 
 Secunia PSI (2.0.0.4003)   
 Java 7 Update 25  
 Adobe Flash Player 11.8.800.94  
 Adobe Reader 10.1.7 Adobe Reader out of Date!  
 Mozilla Firefox (22.0) 
````````Process Check: objlist.exe by Laurent````````  
 McAfee VirusScan Enterprise VsTskMgr.exe  
 McAfee VirusScan Enterprise mfeann.exe  
 McAfee VirusScan Enterprise SHSTAT.EXE  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 14% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log`````````````````````` 


#14 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:12:41 AM

Posted 11 July 2013 - 07:19 AM

Your System is all clean now! :)

Adobe Reader out of date

Your Adobe Reader is outdated. We will fix this.


  • Get the actual software from here. Important: Uncheck any optional software (for example Google Chrome, etc.) offered.
  • Run setup and follow the instructions.
  • Click upon Start-->control panel-->add/remove programs.
  • Search for and remove any older reader versions.

Uninstall our tools using delfix

Please follow these steps in order:

  • If we used Defogger to turn off your CD emulation software, you can start it again and use the Enable button.
  • If we used Combofix, deactivate your antivirus software once more, then rename combofix.exe to uninstall.exe and run it one last time. You will be notified that Combofix has been removed.
  • In any case, please download delfix to your desktop.
    • Close all other programs and start delfix.
    • Please check all the boxes and run the tool.
    • delfix will now delete all found traces of our removal process.
  • If there is still something left, please delete it manually.

How to protect yourself

  • System Updates
    Being up to date is very important. Please be sure to activate automatic updates in your control panel.
    Windows XP | Windows Vista | Windows 7 | Windows 8
  • Protection
    What you need is one (not more) good virus scanner with background protection. Additionally, I recommend a special malware scanner that you run from time to time.
    Personally, I am using avast! Antivirus Free Edition and Malwarebytes Anti-Malware. They offer you good protection for free use. But please remember: you only get the full protection if you use the paid versions of your security software.
  • Up to date Software
    Stay up to date with all the programs you use. Some of those you really have to keep an eye on are: your browser(s) including add-ons and plug-ins, Java, Flash Player, your virus scanner, and basically every piece of software you use often. These links may help you to check:
  • Backups
    There is a chance of an emergency every day, so be prepared. Back up your data on a regular basis. Whether you burn it to DVDs from time to time, use a cloud drive or a professional network backup system is your choice.
  • Brains
    It's no joke! You really need one of those things. :) It is very important not to just click anywhere that is colored or flashing while you are surfing the web. Do not click an OK button on any pop-up window without reading what it says. While installing software, always choose the custom mode, read what those windows say and uncheck any adware that would be installed along with the software you want.



#15 NickRiviera

  • Topic Starter
  • Members
  • 9 posts
  • Local time:01:41 AM

Posted 11 July 2013 - 07:23 AM

Great! Thanks for your help!