Potential rootkit infection, need assistance


12 replies to this topic

#1 RanmaRanma

Posted 23 July 2013 - 05:56 AM

Spybot keeps returning level 5 threats, even after I remove them, even in safe mode. Also, GMER seems to be reporting rootkits, but I just started using it, so I may be confused. Below is my DDS log, and below that is my quick scan in GMER.

DDS:

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 10.0.9200.16635  BrowserJavaVersion: 10.25.2
Run by Ranma at 6:44:17 on 2013-07-23
Microsoft Windows 7 Home Premium   6.1.7601.1.932.81.1033.18.4094.1960 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spybot - Search and Destroy *Enabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Users\Ranma\AppData\Local\Akamai\netsession_win.exe
C:\Users\Ranma\AppData\Local\Akamai\netsession_win.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files (x86)\Nero\Update\NASvc.exe
C:\Users\Ranma\Downloads\efvp2kxv.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://g.live.com/1rewlive4startup/home
mWinlogon: Userinit = userinit.exe
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
uRun: [Spybot-S&D Cleaning] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe" /autoclean
uRun: [Akamai NetSession Interface] "C:\Users\Ranma\AppData\Local\Akamai\netsession_win.exe"
uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
uRun: [Image Tools] "C:\Program Files (x86)\Image Tools\ImageTools.exe" /minimized
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [LWS] C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe -hide
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\Users\Ranma\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\LOGITE~1.LNK - C:\Program Files (x86)\Logitech\Ereg\eReg.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
TCP: NameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{AA0ED639-0408-4B0C-B36D-53D956F67A44} : NameServer = 75.75.75.75,75.75.76.76
TCP: Interfaces\{AA0ED639-0408-4B0C-B36D-53D956F67A44} : DHCPNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{B1C8F40D-AF01-4CAC-8F32-FDD92EFEC592} : DHCPNameServer = 75.75.75.75 75.75.76.76
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
Notify: SDWinLogon - SDWinLogon.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\28.0.1500.72\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
.
INFO: x64-HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Ranma\AppData\Roaming\Mozilla\Firefox\Profiles\gxe53i3c.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&q=
FF - plugin: C:\PROGRA~2\COMMON~1\Nero\BROWSE~1\npBrowserPlugin.dll
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw_1203133.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_8_800_94.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
FF - ExtSQL: 2013-06-24 13:33; {73a6fe31-595d-460b-a920-fcc0f8843232}; C:\Users\Ranma\AppData\Roaming\Mozilla\Firefox\Profiles\gxe53i3c.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2013-6-18 247216]
R0 NBVol;Nero Backup Volume Filter Driver;C:\Windows\System32\drivers\NBVol.sys [2012-6-25 72240]
R0 NBVolUp;Nero Backup Volume Upper Filter Driver;C:\Windows\System32\drivers\NBVolUp.sys [2012-6-25 15920]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\System32\drivers\dtsoftbus01.sys [2013-6-27 283200]
R2 NAUpdate;Nero Update;C:\Program Files (x86)\Nero\Update\NASvc.exe [2011-11-25 687400]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2012-3-20 139616]
R2 RosettaStoneDaemon;RosettaStoneDaemon;C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe [2011-3-31 1646056]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [2012-11-23 1103392]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2012-11-23 1369624]
R2 SDWSCService;Spybot-S&D 2 Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [2012-11-23 168384]
R2 Skype C2C Service;Skype C2C Service;C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2013-7-12 3289472]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2013-3-14 383264]
R3 BazisVirtualCDBus;WinCDEmu Virtual Bus Driver;C:\Windows\System32\drivers\BazisVirtualCDBus.sys [2011-6-4 198480]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2013-6-20 366600]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-2-7 161384]
S3 LVRS64;Logitech RightSound Filter Driver;C:\Windows\System32\drivers\lvrs64.sys [2012-9-21 351520]
S3 LVUVC64;Logitech HD Pro Webcam C920(UVC);C:\Windows\System32\drivers\lvuvc64.sys [2012-9-21 4763680]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2012-12-12 19456]
S3 RTL8023x64;Realtek 10/100 NIC Family NDIS x64 Driver;C:\Windows\System32\drivers\Rtnic64.sys [2008-7-22 60416]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-12-12 57856]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-12-13 54784]
S3 wacmoumonitor;Wacom Mode Helper;C:\Windows\System32\drivers\wacmoumonitor.sys [2010-1-24 18216]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-6-15 1255736]
.
=============== Created Last 30 ================
.
2013-07-23 03:41:40 9460976 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{0DA76B9D-C464-448B-8988-161883490553}\mpengine.dll
2013-07-23 00:58:46 -------- d-----w- C:\Users\Ranma\.instagiffer
2013-07-23 00:58:30 -------- d-----w- C:\Program Files (x86)\Instagiffer
2013-07-23 00:43:21 -------- d-----w- C:\Program Files (x86)\LICEcap
2013-07-23 00:02:17 -------- d-----w- C:\Program Files (x86)\FreeTime
2013-07-22 18:12:35 9460976 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-07-21 17:45:09 -------- d-----w- C:\Windows\System32\MRT
2013-07-17 03:08:11 941720 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{BBD5C2F7-12AD-47CA-BE00-537F67F2CD82}\gapaengine.dll
2013-07-14 01:48:53 -------- d-----w- C:\Users\Ranma\AppData\Local\Red 5 Studios
2013-07-14 00:45:56 -------- d-----w- C:\Program Files (x86)\Xiph.Org
2013-07-12 18:42:18 6129024 ----a-w- C:\Program Files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
2013-07-12 18:42:18 6129024 ----a-w- C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
2013-07-12 03:10:22 92056 ----a-w- C:\Program Files (x86)\Mozilla Firefox\webapprt-stub.exe
2013-07-12 02:19:56 -------- d-----w- C:\Windows\SysWow64\Adobe
2013-07-11 08:29:12 571904 ----a-w- C:\Program Files\Windows Defender\MpClient.dll
2013-07-11 08:29:12 392704 ----a-w- C:\Program Files (x86)\Windows Defender\MpClient.dll
2013-07-11 08:29:12 1011712 ----a-w- C:\Program Files\Windows Defender\MpSvc.dll
2013-07-11 08:29:11 9216 ----a-w- C:\Program Files (x86)\Windows Defender\MpAsDesc.dll
2013-07-11 08:29:11 624128 ----a-w- C:\Windows\System32\qedit.dll
2013-07-11 08:29:11 54784 ----a-w- C:\Program Files (x86)\Windows Defender\MpOAV.dll
2013-07-11 08:29:11 509440 ----a-w- C:\Windows\SysWow64\qedit.dll
2013-07-11 08:29:11 4608 ----a-w- C:\Program Files (x86)\Windows Defender\MsMpLics.dll
2013-07-11 08:29:11 314880 ----a-w- C:\Program Files\Windows Defender\MpCommu.dll
2013-07-11 08:29:08 1887744 ----a-w- C:\Windows\System32\WMVDECOD.DLL
2013-07-11 08:29:08 1620480 ----a-w- C:\Windows\SysWow64\WMVDECOD.DLL
2013-07-11 08:28:59 3153920 ----a-w- C:\Windows\System32\win32k.sys
2013-07-11 08:28:58 1732608 ----a-w- C:\Program Files\Windows Journal\NBDoc.DLL
2013-07-11 08:28:57 936448 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2013-07-11 08:28:57 1402880 ----a-w- C:\Program Files\Windows Journal\JNWDRV.dll
2013-07-11 08:28:57 1393152 ----a-w- C:\Program Files\Windows Journal\JNTFiltr.dll
2013-07-11 08:28:57 1367040 ----a-w- C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll
2013-07-11 08:28:44 1643520 ----a-w- C:\Windows\System32\DWrite.dll
2013-07-11 08:28:44 1247744 ----a-w- C:\Windows\SysWow64\DWrite.dll
2013-07-08 05:52:38 -------- d-----w- C:\Users\Ranma\AppData\Roaming\Rogue Legacy
2013-07-08 05:52:12 -------- d-----w- C:\Program Files (x86)\Microsoft XNA
2013-07-04 00:31:31 -------- d-----w- C:\Windows\Downloaded Installations
2013-06-28 04:24:16 -------- d-----w- C:\Program Files (x86)\WinCDEmu
2013-06-28 03:53:08 283200 ----a-w- C:\Windows\System32\drivers\dtsoftbus01.sys
2013-06-28 03:53:01 -------- d-----w- C:\Program Files (x86)\DAEMON Tools Lite
2013-06-25 08:06:46 96168 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-06-24 20:04:55 -------- d-----w- C:\Users\Ranma\AppData\Local\Logitech? Webcam Software
2013-06-24 20:01:21 53248 ----a-r- C:\Users\Ranma\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2013-06-24 19:48:43 -------- d-----w- C:\Program Files (x86)\CamStudio 2.7
.
==================== Find3M  ====================
.
2013-07-12 13:41:43 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-07-12 13:41:43 692104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-06-25 08:06:40 867240 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2013-06-25 08:06:39 789416 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2013-06-19 01:50:08 247216 ----a-w- C:\Windows\System32\drivers\MpFilter.sys
2013-06-19 01:50:08 139616 ----a-w- C:\Windows\System32\drivers\NisDrvWFP.sys
2013-06-12 20:20:09 9089416 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
2013-06-11 23:43:37 1767936 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-06-11 23:43:00 2877440 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-06-11 23:42:58 61440 ----a-w- C:\Windows\SysWow64\iesetup.dll
2013-06-11 23:42:58 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll
2013-06-11 23:26:20 2241024 ----a-w- C:\Windows\System32\wininet.dll
2013-06-11 23:25:16 3958784 ----a-w- C:\Windows\System32\jscript9.dll
2013-06-11 23:25:13 67072 ----a-w- C:\Windows\System32\iesetup.dll
2013-06-11 23:25:13 136704 ----a-w- C:\Windows\System32\iesysprep.dll
2013-06-11 22:51:45 71680 ----a-w- C:\Windows\SysWow64\RegisterIEPKEYs.exe
2013-06-11 22:50:58 89600 ----a-w- C:\Windows\System32\RegisterIEPKEYs.exe
2013-06-07 03:22:18 2706432 ----a-w- C:\Windows\System32\mshtml.tlb
2013-06-07 02:37:52 2706432 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-05-13 05:51:01 184320 ----a-w- C:\Windows\System32\cryptsvc.dll
2013-05-13 05:51:00 1464320 ----a-w- C:\Windows\System32\crypt32.dll
2013-05-13 05:51:00 139776 ----a-w- C:\Windows\System32\cryptnet.dll
2013-05-13 05:50:40 52224 ----a-w- C:\Windows\System32\certenc.dll
2013-05-13 04:45:55 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
2013-05-13 04:45:55 1160192 ----a-w- C:\Windows\SysWow64\crypt32.dll
2013-05-13 04:45:55 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
2013-05-13 03:43:55 1192448 ----a-w- C:\Windows\System32\certutil.exe
2013-05-13 03:08:10 903168 ----a-w- C:\Windows\SysWow64\certutil.exe
2013-05-13 03:08:06 43008 ----a-w- C:\Windows\SysWow64\certenc.dll
2013-05-10 05:49:27 30720 ----a-w- C:\Windows\System32\cryptdlg.dll
2013-05-10 03:20:54 24576 ----a-w- C:\Windows\SysWow64\cryptdlg.dll
2013-05-08 06:39:01 1910632 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2013-05-02 15:29:56 278800 ------w- C:\Windows\System32\MpSigStub.exe
2013-04-26 05:51:36 751104 ----a-w- C:\Windows\System32\win32spl.dll
2013-04-26 04:55:21 492544 ----a-w- C:\Windows\SysWow64\win32spl.dll
2013-04-25 23:30:32 1505280 ----a-w- C:\Windows\SysWow64\d3d11.dll
.
============= FINISH:  6:44:52.86 ===============

GMER:

GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-07-23 06:52:28
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD2500KS-00MJB0 rev.02.01C03 232.89GB
Running: efvp2kxv.exe; Driver: C:\Users\Ranma\AppData\Local\Temp\uglorpoc.sys
 
 
---- Kernel code sections - GMER 2.1 ----
 
INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 560                                                                        fffff80002e00000 45 bytes [00, 10, 00, 00, 00, 00, 00, ...]
INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 607                                                                        fffff80002e0002f 16 bytes [00, 00, 30, 00, 00, 00, 00, ...]
 
---- User code sections - GMER 2.1 ----
 
.text     C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[1804] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69              0000000076631465 2 bytes [63, 76]
.text     C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[1804] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155             00000000766314bb 2 bytes [63, 76]
.text     ...                                                                                                                                       * 2
.text     C:\Users\Ranma\AppData\Local\Akamai\netsession_win.exe[1472] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                      0000000076631465 2 bytes [63, 76]
.text     C:\Users\Ranma\AppData\Local\Akamai\netsession_win.exe[1472] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                     00000000766314bb 2 bytes [63, 76]
.text     ...                                                                                                                                       * 2
.text     C:\Users\Ranma\AppData\Local\Akamai\netsession_win.exe[3248] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                      0000000076631465 2 bytes [63, 76]
.text     C:\Users\Ranma\AppData\Local\Akamai\netsession_win.exe[3248] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                     00000000766314bb 2 bytes [63, 76]
.text     ...                                                                                                                                       * 2
.text     C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[3280] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69               0000000076631465 2 bytes [63, 76]
.text     C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[3280] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155              00000000766314bb 2 bytes [63, 76]
.text     ...                                                                                                                                       * 2
.text     C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[3636] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                 0000000076631465 2 bytes [63, 76]
.text     C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[3636] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                00000000766314bb 2 bytes [63, 76]
.text     ...                                                                                                                                       * 2
.text     C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[4076] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000076631465 2 bytes [63, 76]
.text     C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[4076] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000766314bb 2 bytes [63, 76]
.text     ...                                                                                                                                       * 2
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                 0000000076631465 2 bytes [63, 76]
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                00000000766314bb 2 bytes [63, 76]
.text     ...                                                                                                                                       * 2
?         C:\Windows\system32\mssprxy.dll [3496] entry point in ".rdata" section                                                                    00000000751c71e6
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4668] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5                0000000077d9f991 7 bytes {MOV EDX, 0x684a28; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4668] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5                     0000000077d9fbd5 7 bytes {MOV EDX, 0x684a68; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4668] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5                         0000000077d9fc05 7 bytes {MOV EDX, 0x6849a8; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4668] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5                  0000000077d9fc1d 7 bytes {MOV EDX, 0x684928; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4668] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5                    0000000077d9fc35 7 bytes {MOV EDX, 0x684b28; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4668] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5                  0000000077d9fc65 7 bytes {MOV EDX, 0x684b68; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4668] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5                   0000000077d9fce5 7 bytes {MOV EDX, 0x684ae8; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4668] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5                  0000000077d9fcfd 7 bytes {MOV EDX, 0x684aa8; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4668] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5                            0000000077d9fd49 7 bytes {MOV EDX, 0x684868; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4668] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5                 0000000077d9fe41 7 bytes {MOV EDX, 0x6848a8; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4668] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5                          0000000077da0099 7 bytes {MOV EDX, 0x684828; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4668] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5                    0000000077da10a5 7 bytes {MOV EDX, 0x6849e8; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4668] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5                          0000000077da111d 7 bytes {MOV EDX, 0x684968; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4668] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5             0000000077da1321 7 bytes {MOV EDX, 0x6848e8; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4668] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                 0000000076631465 2 bytes [63, 76]
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4668] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                00000000766314bb 2 bytes [63, 76]
.text     ...                                                                                                                                       * 2
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5                0000000077d9f991 7 bytes {MOV EDX, 0x7b1e28; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5                     0000000077d9fbd5 7 bytes {MOV EDX, 0x7b1e68; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5                         0000000077d9fc05 7 bytes {MOV EDX, 0x7b1da8; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5                  0000000077d9fc1d 7 bytes {MOV EDX, 0x7b1d28; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5                    0000000077d9fc35 7 bytes {MOV EDX, 0x7b1f28; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5                  0000000077d9fc65 7 bytes {MOV EDX, 0x7b1f68; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5                   0000000077d9fce5 7 bytes {MOV EDX, 0x7b1ee8; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5                  0000000077d9fcfd 7 bytes {MOV EDX, 0x7b1ea8; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5                            0000000077d9fd49 7 bytes {MOV EDX, 0x7b1c68; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5                 0000000077d9fe41 7 bytes {MOV EDX, 0x7b1ca8; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5                          0000000077da0099 7 bytes {MOV EDX, 0x7b1c28; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5                    0000000077da10a5 7 bytes {MOV EDX, 0x7b1de8; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5                          0000000077da111d 7 bytes {MOV EDX, 0x7b1d68; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5             0000000077da1321 7 bytes {MOV EDX, 0x7b1ce8; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                 0000000076631465 2 bytes [63, 76]
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                00000000766314bb 2 bytes [63, 76]
.text     ...                                                                                                                                       * 2
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5                0000000077d9f991 7 bytes {MOV EDX, 0x717228; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5                     0000000077d9fbd5 7 bytes {MOV EDX, 0x717268; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5                         0000000077d9fc05 7 bytes {MOV EDX, 0x7171a8; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5                  0000000077d9fc1d 7 bytes {MOV EDX, 0x717128; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5                    0000000077d9fc35 7 bytes {MOV EDX, 0x717328; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5                  0000000077d9fc65 7 bytes {MOV EDX, 0x717368; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5                   0000000077d9fce5 7 bytes {MOV EDX, 0x7172e8; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5                  0000000077d9fcfd 7 bytes {MOV EDX, 0x7172a8; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5                            0000000077d9fd49 7 bytes {MOV EDX, 0x717068; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5                 0000000077d9fe41 7 bytes {MOV EDX, 0x7170a8; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5                          0000000077da0099 7 bytes {MOV EDX, 0x717028; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5                    0000000077da10a5 7 bytes {MOV EDX, 0x7171e8; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5                          0000000077da111d 7 bytes {MOV EDX, 0x717168; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5             0000000077da1321 7 bytes {MOV EDX, 0x7170e8; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4516] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                 0000000076631465 2 bytes [63, 76]
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4516] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                00000000766314bb 2 bytes [63, 76]
.text     ...                                                                                                                                       * 2
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2528] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5                0000000077d9f991 7 bytes {MOV EDX, 0x6fe628; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2528] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5                     0000000077d9fbd5 7 bytes {MOV EDX, 0x6fe668; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2528] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5                         0000000077d9fc05 7 bytes {MOV EDX, 0x6fe5a8; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2528] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5                  0000000077d9fc1d 7 bytes {MOV EDX, 0x6fe528; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2528] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5                    0000000077d9fc35 7 bytes {MOV EDX, 0x6fe728; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2528] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5                  0000000077d9fc65 7 bytes {MOV EDX, 0x6fe768; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2528] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5                   0000000077d9fce5 7 bytes {MOV EDX, 0x6fe6e8; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2528] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5                  0000000077d9fcfd 7 bytes {MOV EDX, 0x6fe6a8; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2528] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5                            0000000077d9fd49 7 bytes {MOV EDX, 0x6fe468; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2528] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5                 0000000077d9fe41 7 bytes {MOV EDX, 0x6fe4a8; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2528] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5                          0000000077da0099 7 bytes {MOV EDX, 0x6fe428; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2528] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5                    0000000077da10a5 7 bytes {MOV EDX, 0x6fe5e8; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2528] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5                          0000000077da111d 7 bytes {MOV EDX, 0x6fe568; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2528] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5             0000000077da1321 7 bytes {MOV EDX, 0x6fe4e8; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2528] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                 0000000076631465 2 bytes [63, 76]
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2528] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                00000000766314bb 2 bytes [63, 76]
.text     ...                                                                                                                                       * 2
 
---- EOF - GMER 2.1 ----
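As an added example that is not part of the original post or of GMER itself, the following Python script triages the per-process `.text` hook lines shown in the log above. It groups the hooks by process and PID, marks a hook as expected when it sits in chrome.exe on one of the ntdll functions that Chromium's Windows sandbox intercepts in its sandboxed child processes (the NtCreateFile / NtOpenProcess / NtMapViewOfSection family seen above), and leaves every other hook, the PSAPI GetModuleInformation patches included, with a "review" verdict. The sample lines are constructed to mirror the log's format; the explorer.exe entry, its addresses and all jump targets are hypothetical.

```python
"""Triage the per-process '.text' hook lines from a GMER log.

GMER prints each user-mode inline hook as:
  .text  <process path>[pid]  <module>!<export> + <offset>  <address> <n> bytes <patch>
A sandboxed browser installs such hooks on purpose in its child processes,
so the script groups hooks per process, whitelists the ntdll functions
Chromium's Windows sandbox intercepts, and leaves everything else for review.
"""
import re
from collections import defaultdict

# One '.text' hook line. The process path may contain spaces, so it is matched
# lazily up to the first "[pid]".
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.*?\[(?P<pid>\d+)\])\s+"
    r"(?P<module>[^\s!]+)!(?P<func>\w+)\s+\+\s+(?P<offset>\d+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+)\s+bytes\s+(?P<patch>.*)$"
)
# GMER collapses further similar entries into ".text ... * N"; keep the count.
CONT_RE = re.compile(r"^\.text\s+\.\.\.\s+\*\s+(?P<count>\d+)\s*$")
# Jump target of a "{MOV EDX, 0x...; JMP RDX}" trampoline.
TARGET_RE = re.compile(r"MOV EDX, 0x([0-9A-Fa-f]+)")

# ntdll exports intercepted by Chromium's Windows sandbox in its target
# processes (file, process/thread, token and section system calls).
CHROME_SANDBOX_HOOKS = frozenset({
    "NtCreateFile", "NtOpenFile", "NtQueryAttributesFile",
    "NtQueryFullAttributesFile", "NtSetInformationFile",
    "NtOpenProcess", "NtOpenThread", "NtOpenProcessToken",
    "NtOpenProcessTokenEx", "NtOpenThreadToken", "NtOpenThreadTokenEx",
    "NtMapViewOfSection", "NtUnmapViewOfSection", "NtSetInformationThread",
})
SANDBOXED_BROWSERS = frozenset({"chrome.exe"})

# Constructed sample in GMER's format. The chrome.exe lines mirror the log
# above; the explorer.exe line and all addresses/targets are hypothetical.
SAMPLE = r"""
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5          0000000077da0099 7 bytes {MOV EDX, 0x7b1c28; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5         0000000077d9fc05 7 bytes {MOV EDX, 0x7b1da8; JMP RDX}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000076631465 2 bytes [63, 76]
.text     ...                                                                                                                        * 2
.text     C:\Windows\explorer.exe[1234] C:\Windows\system32\ntdll.dll!NtQueryDirectoryFile + 5                                        0000000077ee1234 7 bytes {MOV EDX, 0x10001000; JMP RDX}
"""


def parse_hooks(text):
    """Return one dict per hook line; '... * N' markers add to the previous hook."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if m:
            h = m.groupdict()
            h["pid"] = int(h["pid"])
            h["offset"] = int(h["offset"])
            h["nbytes"] = int(h["nbytes"])
            # "C:\...\chrome.exe[4444]" -> "chrome.exe"
            h["exe"] = h["proc"].rsplit("\\", 1)[-1].split("[", 1)[0].lower()
            t = TARGET_RE.search(h["patch"])
            h["target"] = int(t.group(1), 16) if t else None
            h["repeats"] = 1
            hooks.append(h)
            continue
        c = CONT_RE.match(line)
        if c and hooks:
            hooks[-1]["repeats"] += int(c.group("count"))
    return hooks


def classify(hook):
    """'expected' for a sandbox interception in a sandboxed browser, else 'review'."""
    module = hook["module"].rsplit("\\", 1)[-1].lower()
    if (hook["exe"] in SANDBOXED_BROWSERS and module == "ntdll.dll"
            and hook["func"] in CHROME_SANDBOX_HOOKS):
        return "expected"
    return "review"


def triage(text):
    """Group hooks by (exe, pid) and attach a verdict to each."""
    by_proc = defaultdict(list)
    for h in parse_hooks(text):
        h["verdict"] = classify(h)
        by_proc[(h["exe"], h["pid"])].append(h)
    return dict(by_proc)


def summary(text):
    """Per process: hook count, how many need review, and which functions."""
    return {
        key: {
            "hooks": len(hooks),
            "review": sum(h["verdict"] == "review" for h in hooks),
            "review_funcs": sorted(h["func"] for h in hooks if h["verdict"] == "review"),
        }
        for key, hooks in triage(text).items()
    }


if __name__ == "__main__":
    for (exe, pid), s in summary(SAMPLE).items():
        print(f"{exe}[{pid}]: {s['hooks']} hooks, {s['review']} to review {s['review_funcs']}")
```

The security-relevant reading of the log above is that every hook sits inside chrome.exe, on the same short list of system calls, with a different trampoline address per process: that is what a sandboxed browser looks like in GMER. A hook that shows up in every process, or in a process that does not sandbox itself, is the one worth chasing, and a kernel-side rootkit would show in GMER's other sections rather than as per-process .text entries.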
 

 


#2 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 23 July 2013 - 06:19 AM

Hi there,
my name is Marius and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction, or add/remove software, unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

Scan with Malwarebytes Anti-Rootkit

Please download Malwarebytes Anti-Rootkit from here Malwarebytes : Malwarebytes Anti-Rootkit and save it to your desktop.

Be sure to print out and follow the instructions provided on that same page.

Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.

  • Double click the mbar.zip file to open it, then 'Extract all files'.
  • Double click the mbar folder to open it, then double click mbar.exe to start the tool.

Check for Updates, then Scan your system for malware

If malware is found, do NOT press the Cleanup button yet. Click EXIT.

I'd like to see the log first so I can see what it sees. You'll find the log in that mbar folder as MBAR-log-[date and time]***.txt . Please attach that to your next reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 RanmaRanma (Topic Starter, 6 posts)

Posted 23 July 2013 - 06:55 AM

Firstly, I want to thank you for your help, Marius. I have done exactly as you instructed. Attached is the log file.

 

I am in need of dire sleep, but I will check this topic as soon as I awaken for further instructions.


#4 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 23 July 2013 - 07:31 AM

Nothing to see...

 

 

Full System Scan with Malwarebytes Antimalware

  • If not existing, please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.


If the program is already installed:
  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.

 

 

 

Scan with ESET Online Scan

Please go to here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats' , then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.



#5 RanmaRanma (Topic Starter, 6 posts)

Posted 23 July 2013 - 04:51 PM

I did as you asked. Here are the results. I did not remove the infection.

 

 

Malwarebytes:

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.07.23.06
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16635
Ranma :: RANMA-PC [administrator]
 
7/23/2013 2:33:05 PM
mbam-log-2013-07-23 (14-33-05).txt
 
Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 495594
Time elapsed: 1 hour(s), 22 minute(s), 39 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
(end)
 

 

ESET:

 

C:\Users\Ranma\AppData\Local\Temp\AskPIP_FF_.exe a variant of Win32/Bundled.Toolbar.Ask.D application


#6 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 23 July 2013 - 11:52 PM

No malware here, but delete the file ESET mentioned as it contains security risks.

 

Then we can do the cleanup - if you are facing any issues, report that immediately.

Delete junk with AdwCleaner


Please download AdwCleaner to your desktop.


  • Run adwcleaner.exe.
  • Hit delete.
  • When the run is finished, it will open up a text file.
  • Please post its contents within your next reply.
  • You'll find the log file at C:\AdwCleaner[S1].txt also.


SecurityCheck

Please download SecurityCheck: LINK1 LINK2

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan has finished, checkup.txt will open. Copy its content to your thread.



#7 RanmaRanma (Topic Starter, 6 posts)

Posted 24 July 2013 - 03:08 PM

I deleted the file and ran both checks. Here are the results.
 
 
AdwCleaner:
 
# AdwCleaner v2.306 - Logfile created 07/24/2013 at 15:53:37
# Updated 19/07/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Ranma - RANMA-PC
# Boot Mode : Normal
# Running from : C:\Users\Ranma\Downloads\adwcleaner.exe
# Option [Delete]
 
 
***** [Services] *****
 
 
***** [Files / Folders] *****
 
 
***** [Registry] *****
 
Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
Key Deleted : HKLM\Software\InstallIQ
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKLM\Software\PIP
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
 
***** [Internet Browsers] *****
 
-\\ Internet Explorer v10.0.9200.16635
 
[OK] Registry is clean.
 
-\\ Mozilla Firefox v22.0 (en-US)
 
File : C:\Users\Ranma\AppData\Roaming\Mozilla\Firefox\Profiles\gxe53i3c.default\prefs.js
 
[OK] File is clean.
 
-\\ Google Chrome v28.0.1500.72
 
File : C:\Users\Ranma\AppData\Local\Google\Chrome\User Data\Default\Preferences
 
[OK] File is clean.
 
*************************
 
AdwCleaner[S1].txt - [2127 octets] - [24/07/2013 15:53:37]
 
########## EOF - C:\AdwCleaner[S1].txt - [2187 octets] ##########
 

 

SecurityCheck:

 

 

 Results of screen317's Security Check version 0.99.71  
 Windows 7 Service Pack 1 x64 (UAC is disabled!)  
 Internet Explorer 10  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Microsoft Security Essentials   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:````````` 
 MVPS Hosts File  
 Spybot - Search & Destroy 
 Malwarebytes Anti-Malware version 1.75.0.1300  
 Java 7 Update 25  
 Adobe Flash Player 11.8.800.94  
 Adobe Reader XI  
 Mozilla Firefox (22.0) 
 Google Chrome 28.0.1500.71  
 Google Chrome 28.0.1500.72  
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe 
 Microsoft Security Essentials msseces.exe 
 Spybot Teatimer.exe is disabled! 
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 0% 
````````````````````End of Log`````````````````````` 


#8 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 25 July 2013 - 02:51 AM

Your system is all clean now! :)

 

 

Uninstall our tools using delfix

Please follow these steps in order:

  • In the case we used Defogger to turn off your CD emulation software. You can start it again and use the Enable button.
  • In the case we used Combofix. Deactivate your antivirus software once more, then rename the combofix.exe to uninstall.exe and run it one last time. You will be notified that Combofix has been removed.
  • In any case please download delfix to your desktop.
    • Close all other programs and start delfix.
    • Please check all the boxes and run the tool.
    • delfix will now delete all found traces of our removal process
  • If there is still something left please delete it manually.

 

 

 

 

How to protect yourself

  • System Updates
    Being up to date is very important. Please be sure to activate automatic updates in your control panel.
    Windows XP | Windows Vista |
    Windows 7 | Windows 8
  • Protection
    What you need is one (not more) good virus scanner with background protection. Additionally I recommend a special malware scanner that you run from time to time.
    Personally I am using the avast! Antivirus Free Edition and Malwarebytes Anti-Malware. They offer you good protection for free use. But please remember: you only get the full protection if you use the paid versions of your security software.
  • Up to date Software
    Stay up to date with all the programs you use. Some of those you really have to keep an eye on are: your browser(s) including add-ons and plug-ins, Java, Flash Player, your virus scanner, and basically every software you use often. These links may help you to check:
  • Backups
    There are chances for an emergency every day. So be prepared. Back up your data on a regular basis. Whether you burn it to DVDs from time to time, use a cloud drive or a professional network backup system is your choice.
  • Brains
    It's no joke! You really need one of those things. :) It is very important not just to click anywhere it is colored or flashing while you are surfing the web. Do not click an OK button on any popping window without reading what it says. While installing software always choose the custom mode, read what those windows say and uncheck adware that will be installed along with the software you want.



#9 RanmaRanma (Topic Starter, 6 posts)

Posted 25 July 2013 - 03:49 AM

I did everything you asked. However, I then ran Spybot and it still returns results. This is what prompted me to make this topic to start with, as every time I ran it and fixed the problems, it would find more. Should I be concerned?

 

 

Spybot:

 

Search results from Spybot - Search & Destroy
 
7/25/2013 4:47:11 AM
Scan took 00:27:36.
11 items found.
 
Log: [SBI $8E73A7FB]  Install: setupact.log (File, nothing done)
  C:\Windows\setupact.log
  Properties.size=616
  Properties.md5=F35695256E326493AAF877F2EDF19514
  Properties.filedate=1374698883
  Properties.filedatetext=2013-07-24 16:48:02
 
MS Direct3D: [SBI $C2A44980] Most recent application (Registry Change, nothing done)
  HKEY_USERS\S-1-5-21-2224775589-2721758345-273242546-1001\Software\Microsoft\Direct3D\MostRecentApplication\Name
 
MS DirectInput: [SBI $9A063C91] Most recent application (Registry Change, nothing done)
  HKEY_USERS\S-1-5-21-2224775589-2721758345-273242546-1001\Software\Microsoft\DirectInput\MostRecentApplication\Name
 
MS DirectInput: [SBI $7B184199] Most recent application ID (Registry Change, nothing done)
  HKEY_USERS\S-1-5-21-2224775589-2721758345-273242546-1001\Software\Microsoft\DirectInput\MostRecentApplication\Id
 
MS Paint: [SBI $07867C39] Recent file list (Registry Key, nothing done)
  HKEY_USERS\S-1-5-21-2224775589-2721758345-273242546-1001\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List
 
MS Regedit: [SBI $C3B62FC1] Recent open key (Registry Change, nothing done)
  HKEY_USERS\S-1-5-21-2224775589-2721758345-273242546-1001\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey
 
Windows Explorer: [SBI $AA0766B5] Stream history (Registry Key, nothing done)
  HKEY_USERS\S-1-5-21-2224775589-2721758345-273242546-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
 
WinRAR: [SBI $0B56E92B] Recent file list (Registry Key, nothing done)
  HKEY_USERS\S-1-5-21-2224775589-2721758345-273242546-1001\Software\WinRAR\ArcHistory
 
WinRAR: [SBI $B84F9965] Last used directory (Registry Change, nothing done)
  HKEY_USERS\S-1-5-21-2224775589-2721758345-273242546-1001\Software\WinRAR\General\LastFolder
 
WinRAR: [SBI $B510882E] Extraction directory history (Registry Key, nothing done)
  HKEY_USERS\S-1-5-21-2224775589-2721758345-273242546-1001\Software\WinRAR\DialogEditHistory\ExtrPath
 
Cache: [SBI $49804B54] Browser: Cache (35) (Browser: Cache, nothing done)
  
 
 
--- Spybot - Search & Destroy version: 2.0.12.131  DLL (build: 20121113) ---
 
2012-11-13 blindman.exe (2.0.12.151)
2012-11-13 explorer.exe (2.0.12.173)
2012-11-13 SDBootCD.exe (2.0.12.109)
2012-11-13 SDCleaner.exe (2.0.12.110)
2012-11-13 SDDelFile.exe (2.0.12.94)
2012-11-13 SDFiles.exe (2.0.12.135)
2012-11-13 SDFileScanHelper.exe (2.0.12.1)
2012-11-13 SDFSSvc.exe (2.0.12.205)
2012-11-13 SDImmunize.exe (2.0.12.130)
2012-11-13 SDLogReport.exe (2.0.12.107)
2012-11-13 SDPESetup.exe (2.0.12.3)
2012-11-13 SDPEStart.exe (2.0.12.86)
2012-11-13 SDPhoneScan.exe (2.0.12.27)
2012-11-13 SDPRE.exe (2.0.12.13)
2012-11-13 SDPrepPos.exe (2.0.12.10)
2012-11-13 SDQuarantine.exe (2.0.12.103)
2012-11-13 SDRootAlyzer.exe (2.0.12.116)
2012-11-13 SDSBIEdit.exe (2.0.12.39)
2012-11-13 SDScan.exe (2.0.12.173)
2012-11-13 SDScript.exe (2.0.12.53)
2012-11-13 SDSettings.exe (2.0.12.130)
2012-11-13 SDShred.exe (2.0.12.105)
2012-11-13 SDSysRepair.exe (2.0.12.101)
2012-11-13 SDTools.exe (2.0.12.150)
2012-11-13 SDTray.exe (2.0.12.127)
2012-11-13 SDUpdate.exe (2.0.12.89)
2012-11-13 SDUpdSvc.exe (2.0.12.76)
2012-11-13 SDWelcome.exe (2.0.12.126)
2012-11-13 SDWSCSvc.exe (2.0.12.2)
2012-11-23 unins000.exe (51.1052.0.0)
1999-12-02 xcacls.exe
2012-08-23 borlndmm.dll (10.0.2288.42451)
2012-09-05 DelZip190.dll (1.9.0.107)
2012-09-10 libeay32.dll (1.0.0.4)
2012-09-10 libssl32.dll (1.0.0.4)
2012-11-13 SDAdvancedCheckLibrary.dll (2.0.12.98)
2012-11-13 SDECon32.dll (2.0.12.113)
2012-11-13 SDECon64.dll (2.0.12.113)
2012-11-13 SDEvents.dll (2.0.12.2)
2012-11-13 SDFileScanLibrary.dll (2.0.12.9)
2012-11-13 SDHelper.dll (2.0.12.88)
2012-11-13 SDImmunizeLibrary.dll (2.0.12.2)
2012-11-13 SDLists.dll (2.0.12.4)
2012-11-13 SDResources.dll (2.0.12.7)
2012-11-13 SDScanLibrary.dll (2.0.12.131)
2012-11-13 SDTasks.dll (2.0.12.15)
2012-11-13 SDWinLogon.dll (2.0.12.0)
2012-08-23 sqlite3.dll
2012-09-10 ssleay32.dll (1.0.0.4)
2012-11-13 Tools.dll (2.0.12.36)
2012-11-13 UninsSrv.dll (2.0.12.52)
2012-12-18 Includes\Adware.sbi (*)
2013-07-03 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2012-11-14 Includes\Dialer.sbi (*)
2012-11-14 Includes\DialerC.sbi (*)
2012-11-14 Includes\HeavyDuty.sbi (*)
2012-11-14 Includes\Hijackers.sbi (*)
2012-11-14 Includes\HijackersC.sbi (*)
2012-11-14 Includes\iPhone.sbi (*)
2013-06-25 Includes\Keyloggers.sbi (*)
2012-12-18 Includes\KeyloggersC.sbi (*)
2013-05-29 Includes\Malware.sbi (*)
2013-07-09 Includes\MalwareC.sbi (*)
2012-11-14 Includes\PUPS.sbi (*)
2013-07-09 Includes\PUPSC.sbi (*)
2012-11-14 Includes\Security.sbi (*)
2012-11-14 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2013-05-22 Includes\Spyware.sbi (*)
2013-06-19 Includes\SpywareC.sbi (*)
2011-06-07 Includes\Tracks.sbi (*)
2012-11-19 Includes\Tracks.uti (*)
2013-01-16 Includes\Trojans.sbi (*)
2013-05-13 Includes\TrojansC-02.sbi (*)
2013-07-17 Includes\TrojansC-03.sbi (*)
2013-03-14 Includes\TrojansC-04.sbi (*)
2013-05-08 Includes\TrojansC-05.sbi (*)
2013-04-19 Includes\TrojansC.sbi (*)
 

 



#10 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 25 July 2013 - 04:14 AM

You configured Spybot to log any traces of computer use; that's what it found.

No more malware on your system! :-)


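As an added example, not part of the thread or of Spybot, here is a Python script that applies the point made in the reply above to a Spybot 2.x log: it parses each hit with its locations and properties and separates usage traces (MRU lists, last-used folders, log files, browser cache, the kind of items Spybot's "Tracks" category reports) from anything that deserves investigation. The sample log is constructed from the shape of the entries posted above with a placeholder SID, plus one hypothetical Run-key entry so the second branch is exercised; the marker list is a heuristic of mine, not Spybot's own category mapping.

```python
"""Separate Spybot 'Tracks' hits (usage traces) from real detections in a
Spybot - Search & Destroy 2.x scan log.

Each result starts with 'Product: [SBI $id] description (kind, action)' and
is followed by indented location and 'Properties.*' lines. Spybot does not
print which category produced a hit, so the split is a heuristic keyed on
the locations its Tracks rules report: MRU lists, last-used paths, log
files and browser cache.
"""
import re

HEADER_RE = re.compile(
    r"^(?P<product>\S.*?): \[SBI \$(?P<sbi>[0-9A-Fa-f]+)\]\s+(?P<rest>.+)$"
)

# Substrings (lower-cased) that mark a registry path or description as a
# usage trace rather than a malicious artefact. Heuristic, not Spybot's list.
TRACK_MARKERS = (
    "mru", "mostrecentapplication", "recent file list", "lastkey",
    "lastfolder", "archistory", "dialogedithistory", "recentdocs",
    "typedurls", "history",
)

# Constructed sample: the first five entries copy the shape of the log above
# (SID replaced by a placeholder); the last one is a hypothetical non-track
# hit so both branches are exercised.
SAMPLE = r"""
Search results from Spybot - Search & Destroy

6 items found.

Log: [SBI $8E73A7FB]  Install: setupact.log (File, nothing done)
  C:\Windows\setupact.log
  Properties.size=616
  Properties.md5=F35695256E326493AAF877F2EDF19514

MS Direct3D: [SBI $C2A44980] Most recent application (Registry Change, nothing done)
  HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Direct3D\MostRecentApplication\Name

MS Paint: [SBI $07867C39] Recent file list (Registry Key, nothing done)
  HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List

WinRAR: [SBI $B84F9965] Last used directory (Registry Change, nothing done)
  HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\WinRAR\General\LastFolder

Cache: [SBI $49804B54] Browser: Cache (35) (Browser: Cache, nothing done)

Hypothetical.Agent: [SBI $00000000] Autorun entry (Registry Value, nothing done)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater
"""


def parse_entries(text):
    """Return one dict per result: header fields plus locations and properties."""
    entries = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        m = HEADER_RE.match(line)
        if m:
            # "desc (kind, action)" -> split at the last "("
            desc, _, tail = m.group("rest").rpartition("(")
            kind, _, action = tail.rstrip(")").partition(", ")
            entries.append({
                "product": m.group("product"), "sbi": m.group("sbi"),
                "desc": desc.strip(), "kind": kind.strip(),
                "action": action.strip(), "locations": [], "props": {},
            })
        elif line.startswith("  ") and entries:
            item = line.strip()
            if item.startswith("Properties."):
                key, _, value = item[len("Properties."):].partition("=")
                entries[-1]["props"][key] = value
            else:
                entries[-1]["locations"].append(item)
    return entries


def is_usage_trace(entry):
    """True when the hit looks like a Spybot 'Tracks' item, not malware."""
    if entry["kind"].lower().startswith("browser:"):
        return True                      # browser cache/history counters
    if entry["product"].lower() == "log":
        return True                      # Windows/installer log files
    haystack = " ".join(entry["locations"] + [entry["desc"]]).lower()
    return any(marker in haystack for marker in TRACK_MARKERS)


def split_results(text):
    """Return (usage_traces, detections) for a Spybot log."""
    traces, detections = [], []
    for entry in parse_entries(text):
        (traces if is_usage_trace(entry) else detections).append(entry)
    return traces, detections


if __name__ == "__main__":
    traces, detections = split_results(SAMPLE)
    print(f"{len(traces)} usage traces, {len(detections)} items to investigate")
    for e in detections:
        print(" ", e["product"], e["desc"], e["locations"])
```

Run against the eleven items posted above, every hit lands in the usage-trace bucket, which is the same conclusion as the reply: nothing there is malware, it is a record of what the user opened. The heuristic errs on the side of flagging, so a hit it cannot place in a known MRU or history location is reported for a human to look at rather than silently dropped.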

#11 RanmaRanma (Topic Starter, 6 posts)

Posted 25 July 2013 - 04:51 AM

Hrm, I haven't touched spybot's settings since installing it years ago. I wonder if an update changed things recently, since this never happened before. Do you know how to prevent it from returning these values or should I just leave it be? Anyway, I won't bother you further from now on. Thank you so very much for your help! It's been invaluable and put my mind at ease.



#12 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 25 July 2013 - 06:19 AM

Go into settings, select "categories", and uncheck "tracks".

Tracks won't be detected again.



#13 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 29 July 2013 - 01:50 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



