Possible Bitcoin Mining Virus? GPU Usage at 90%+ on Idle


This topic is locked
10 replies to this topic

#1 ANDEEZY

ANDEEZY

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:41 PM

Posted 26 July 2013 - 01:26 AM

Recently my computer has been running very slow while playing games that I run maxed out fine. I started to notice my FPS drop from 100-200 to 20-30. I started to worry that maybe my graphics card was dying, but that is not the case after switching out graphics cards. I checked MSI Afterburner and it was showing my GPU usage at 90%+ on idle. I checked around the internet and found out it could be a bitcoin mining virus. Hope you guys can help me out :)

 
Also, I noticed something strange every time the desktop starts up. I get a window that pops up like when you open a file that doesn't have a file type, and it says "open this file with what type of program". The file that is asking to be opened is called "False", which is located in C:\Users\ANDEEZY\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\False

I had never seen this pop-up before until recently, along with my GPU usage being very high on idle.

 

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 10.0.9200.16576  BrowserJavaVersion: 10.21.2
Run by ANDEEZY at 23:14:38 on 2013-07-25
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.3454.1490 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
Z:\Program Files\Hi-Rez Studios\HiPatchService.exe
C:\Windows\system32\PnkBstrA.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\System32\msdtc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\Logitech Gaming Software\LCore.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre7\bin\javaw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Hauppauge\DeviceCentral\HcwDCTrayTool.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Users\ANDEEZY\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\user.exe
C:\Program Files\MSI Afterburner\MSIAfterburner.exe
C:\Windows\system32\conhost.exe
C:\PROGRA~1\Raptr\raptr.exe
C:\Windows\system32\DllHost.exe
C:\PROGRA~1\Raptr\raptr_im.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\taskeng.exe
c:\Program Files\Microsoft Security Client\MpCmdRun.exe
c:\Program Files\Microsoft Security Client\MpCmdRun.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\System32\svchost.exe -k swprv
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://yahoo.com/
uURLSearchHooks: uTorrentControl2 Toolbar: {687578b9-7132-4a7a-80e4-30ee31099e03} - c:\program files\utorrentcontrol2\prxtbuTor.dll
mURLSearchHooks: uTorrentControl2 Toolbar: {687578b9-7132-4a7a-80e4-30ee31099e03} - c:\program files\utorrentcontrol2\prxtbuTor.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: uTorrentControl2 Toolbar: {687578b9-7132-4a7a-80e4-30ee31099e03} - c:\program files\utorrentcontrol2\prxtbuTor.dll
BHO: Funmoods Helper Object: {75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} - 
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Logitech SetPoint: {AF949550-9094-4807-95EC-D1C317803333} - c:\program files\logitech\setpointp\SetPointSmooth.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: uTorrentControl2 Toolbar: {687578B9-7132-4A7A-80E4-30EE31099E03} - c:\program files\utorrentcontrol2\prxtbuTor.dll
TB: uTorrentControl2 Toolbar: {687578b9-7132-4a7a-80e4-30ee31099e03} - c:\program files\utorrentcontrol2\prxtbuTor.dll
TB: Funmoods Toolbar: {A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} - 
uRun: [RGSC] z:\program files\rockstar games\rockstar games social club\RGSCLauncher.exe /silent
uRun: [Steam] "z:\program files\steam\steam.exe" -silent
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [AdobeBridge] <no file>
mRun: [VMware Tools] "c:\program files\vmware\vmware tools\VMwareTray.exe"
mRun: [VMware User Process] "c:\program files\vmware\vmware tools\vmtoolsd.exe" -n vmusr
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS6ServiceManager] "c:\program files\common files\adobe\cs6servicemanager\CS6ServiceManager.exe" -launchedbylogin
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [DBAgent] "c:\program files\seagate\seagate dashboard 2.0\DBAgent.exe" /WinStart
mRun: [Launch LCore] c:\program files\logitech gaming software\LCore.exe /minimized
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [Start WingMan Profiler] c:\program files\logitech\gaming software\LWEMon.exe /noui
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\users\andeezy\appdata\roaming\microsoft\windows\start menu\programs\startup\False
StartupFolder: c:\users\andeezy\appdata\roaming\microsoft\windows\start menu\programs\startup\false.vbs
StartupFolder: c:\users\andeezy\appdata\roaming\micros~1\windows\startm~1\programs\startup\hauppa~1.lnk - c:\program files\hauppauge\devicecentral\HcwDCTrayTool.exe
StartupFolder: c:\users\andeezy\appdata\roaming\microsoft\windows\start menu\programs\startup\phoenix.cfg
StartupFolder: c:\users\andeezy\appdata\roaming\microsoft\windows\start menu\programs\startup\Taskhost.exe
StartupFolder: c:\users\andeezy\appdata\roaming\microsoft\windows\start menu\programs\startup\user.exe
StartupFolder: c:\users\andeezy\appdata\roaming\microsoft\windows\start menu\programs\startup\doc\cpu.py
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
LSP: %SystemRoot%\system32\vsocklib.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.5.1.0.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{690CB5EC-3336-43F0-BB4F-5D44CC60F350} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{E86E1AF8-4E9E-4897-A6A9-3A152490ACA7} : DHCPNameServer = 7.254.254.254
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\28.0.1500.72\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\andeezy\appdata\roaming\mozilla\firefox\profiles\qbbzua38.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - plugin: c:\progra~1\mif5ba~1\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\mif5ba~1\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20513.0\npctrlui.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\andeezy\appdata\local\application data\npwangwang\npwangwang.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_7_700_224.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.funmoods.hmpg - false
FF - user.js: extensions.funmoods.hmpgUrl - hxxp://start.funmoods.com/?f=1&a=axl&chnl=axl&cd=2XzuyEtN2Y1L1QzutDtDtC0EzytDyByC0ByB0E0DtD0ByC0DtN0D0Tzu0CtByCyEtN1L2XzutBtFtCtFtCtFtAtCtB&cr=479585892
FF - user.js: extensions.funmoods.dfltSrch - false
FF - user.js: extensions.funmoods.srchPrvdr - Search
FF - user.js: extensions.funmoods.dnsErr - true
FF - user.js: extensions.funmoods_i.newTab - false
FF - user.js: extensions.funmoods.newTabUrl - hxxp://start.funmoods.com/?f=2&a=axl&chnl=axl&cd=2XzuyEtN2Y1L1QzutDtDtC0EzytDyByC0ByB0E0DtD0ByC0DtN0D0Tzu0CtByCyEtN1L2XzutBtFtCtFtCtFtAtCtB&cr=479585892
FF - user.js: extensions.funmoods.tlbrSrchUrl - hxxp://start.funmoods.com/?f=3&a=axl&chnl=axl&cd=2XzuyEtN2Y1L1QzutDtDtC0EzytDyByC0ByB0E0DtD0ByC0DtN0D0Tzu0CtByCyEtN1L2XzutBtFtCtFtCtFtAtCtB&cr=479585892&q=
FF - user.js: extensions.funmoods.id - 001E9076B7ED0B6D
FF - user.js: extensions.funmoods.instlDay - 15603
FF - user.js: extensions.funmoods.vrsn - 1.5.23.22
FF - user.js: extensions.funmoods.vrsni - 1.5.23.22
FF - user.js: extensions.funmoods_i.vrsnTs - 1.5.23.2223:44:34
FF - user.js: extensions.funmoods.prtnrId - funmoods
FF - user.js: extensions.funmoods.prdct - funmoods
FF - user.js: extensions.funmoods.aflt - axl
FF - user.js: extensions.funmoods_i.smplGrp - none
FF - user.js: extensions.funmoods.tlbrId - base
FF - user.js: extensions.funmoods.instlRef - axl
FF - user.js: extensions.funmoods.dfltLng - 
FF - user.js: extensions.funmoods.excTlbr - false
FF - user.js: extensions.funmoods.autoRvrt - false
FF - user.js: extensions.funmoods.envrmnt - production
FF - user.js: extensions.funmoods.isdcmntcmplt - true
FF - user.js: extensions.funmoods.mntrvrsn - 1.3.0
.
============= SERVICES / DRIVERS ===============
.
P2 HiPatchService;Hi-Rez Studios Authenticate and Update Service;z:\program files\hi-rez studios\HiPatchService.exe [2012-8-5 8704]
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-1-20 195296]
R1 MpKsl6c48fd47;MpKsl6c48fd47;c:\programdata\microsoft\microsoft antimalware\definition updates\{f0540f09-622a-4238-8e6e-c7bb8cf6c772}\MpKsl6c48fd47.sys [2013-7-25 29904]
R1 vmhgfs;vmhgfs;c:\windows\system32\drivers\vmhgfs.sys [2012-4-29 144112]
R1 vmrawdsk;VMware Vista Physical Disk Helper;c:\program files\vmware\vmware tools\vmrawdsk.sys [2012-1-17 37872]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 100328]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2013-1-18 383264]
R2 VMMEMCTL;Memory Control Driver;c:\program files\common files\vmware\drivers\memctl\vmmemctl.sys [2012-1-17 15088]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2009-11-23 19720]
R3 LGSHidFilt;Logitech Gaming KMDF HID Filter Driver;c:\windows\system32\drivers\LGSHidFilt.Sys [2012-10-2 42040]
R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [2009-11-23 14856]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2013-1-27 295232]
R3 RTCore32;RTCore32;c:\program files\msi afterburner\RTCore32.sys [2011-9-6 5632]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2011-6-10 394856]
R3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);c:\windows\system32\drivers\tap0901t.sys [2012-10-22 27136]
RUnknown MpKsl9649bc6b;MpKsl9649bc6b; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Seagate Dashboard Services;Seagate Dashboard Services;"c:\program files\seagate\seagate dashboard 2.0\seagate.dashboard.daswindowsservice.exe" --> c:\program files\seagate\seagate dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe [?]
S2 VMTools;VMware Tools;c:\program files\vmware\vmware tools\vmtoolsd.exe [2012-1-17 62576]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 Desura Install Service;Desura Install Service;c:\program files\common files\desura\desura_service.exe [2012-5-3 131912]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2012-4-29 62464]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2012-11-13 49664]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2012-9-12 1512448]
S3 hcwE5bda;Hauppauge Siena Video Capture;c:\windows\system32\drivers\hcwE5bda.sys [2013-4-27 623744]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-4-29 15872]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;c:\windows\system32\drivers\Synth3dVsc.sys [2012-4-29 77184]
S3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2012-4-29 25600]
S3 TPAutoConnSvc;TP AutoConnect Service;c:\program files\vmware\vmware tools\TPAutoConnSvc.exe [2010-8-2 263496]
S3 TPVCGateway;TP VC Gateway Service;c:\program files\vmware\vmware tools\TPVCGateway.exe [2010-10-7 394104]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2012-4-29 52224]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2012-4-29 27264]
S3 tsusbhub;Remote Deskotop USB Hub;c:\windows\system32\drivers\tsusbhub.sys [2012-4-29 112640]
S3 TunngleService;TunngleService;c:\program files\tunngle\TnglCtrl.exe [2012-10-22 743320]
S3 vm3dmp;vm3dmp;c:\windows\system32\drivers\vm3dmp.sys [2012-1-17 108144]
S3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [2012-1-17 11440]
S3 vmvss;VMware Snapshot Provider;c:\windows\system32\dllhost.exe [2009-7-13 7168]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2012-4-29 1343400]
S3 WinRing0_1_2_0;WinRing0_1_2_0;c:\program files\razer\razer game booster\driver\WinRing0.sys [2013-5-23 14416]
.
=============== Created Last 30 ================
.
2013-07-26 06:06:19 29904 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{f0540f09-622a-4238-8e6e-c7bb8cf6c772}\MpKsl6c48fd47.sys
2013-07-26 06:02:44 7143960 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{f0540f09-622a-4238-8e6e-c7bb8cf6c772}\mpengine.dll
2013-07-22 07:14:28 118 ---ha-r- c:\users\andeezy\appdata\roaming\microsoft\windows\start menu\programs\startup\false.vbs
2013-07-22 07:14:25 96701 ----a-r- c:\users\andeezy\appdata\roaming\microsoft\windows\start menu\programs\startup\Taskhost.exe
2013-07-22 07:14:24 5389566 ---ha-r- c:\users\andeezy\appdata\roaming\microsoft\windows\start menu\programs\startup\user.exe
2013-07-22 05:50:44 92056 ----a-w- c:\program files\mozilla firefox\webapprt-stub.exe
2013-07-22 05:50:44 20636568 ----a-w- c:\program files\mozilla firefox\xul.dll
2013-07-22 05:50:43 170232 ----a-w- c:\program files\mozilla firefox\webapp-uninstaller.exe
2013-07-22 05:50:42 867088 ----a-w- c:\program files\mozilla firefox\uninstall\helper.exe
2013-07-22 05:50:42 272792 ----a-w- c:\program files\mozilla firefox\updater.exe
2013-07-22 05:50:40 152984 ----a-w- c:\program files\mozilla firefox\softokn3.dll
2013-07-22 05:50:38 108536 ----a-w- c:\program files\mozilla firefox\plugins\npwangwang.dll
2013-07-22 05:50:37 26520 ----a-w- c:\program files\mozilla firefox\plugin-hang-ui.exe
2013-07-22 05:50:37 186584 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2013-07-22 05:50:37 163256 ----a-w- c:\program files\mozilla firefox\plugins\np-mswmp.dll
2013-07-22 05:50:36 17304 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2013-07-21 22:20:21 -------- d-----w- c:\users\andeezy\appdata\roaming\library_dir
2013-07-21 15:42:01 7143960 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-07-18 05:41:12 698504 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{52344b68-af2d-4517-af7a-f95fe36f3dda}\gapaengine.dll
2013-07-17 22:51:02 -------- d-----w- c:\users\andeezy\appdata\roaming\.minecraft
2013-07-17 09:53:04 -------- d-----w- c:\program files\Roller Coaster Tycoon 3 Platinum  - CarlesNeo !
2013-07-16 10:21:15 -------- d-----w- c:\program files\Euro Truck Simulator 2
2013-07-16 03:21:41 -------- d-----w- c:\users\andeezy\appdata\local\ElevatedDiagnostics
2013-07-15 09:49:25 -------- d-----w- c:\program files\AirBuccaneers
2013-07-14 11:48:57 -------- d-----w- c:\users\andeezy\appdata\roaming\gd.sos.McPixel
2013-07-14 02:41:24 -------- d-----w- c:\users\andeezy\appdata\roaming\FEZ
2013-07-14 02:39:31 -------- d-----w- C:\GOG Games
2013-07-13 23:39:27 -------- d-----w- c:\programdata\SystemRequirementsLab
.
==================== Find3M  ====================
.
2013-07-18 21:42:37 139048 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2013-07-18 21:42:12 282296 ----a-w- c:\windows\system32\PnkBstrB.xtr
2013-07-18 21:42:12 282296 ----a-w- c:\windows\system32\PnkBstrB.exe
2013-07-17 20:51:43 282296 ----a-w- c:\windows\system32\PnkBstrB.ex0
2013-07-06 09:40:44 2434856 ----a-w- c:\windows\system32\pbsvc_bc2.exe
2013-06-15 22:48:45 138904 ----a-w- c:\users\andeezy\appdata\roaming\PnkBstrK.sys
2013-06-15 22:48:18 76888 ----a-w- c:\windows\system32\PnkBstrA.exe
2013-06-12 04:02:19 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-12 04:02:19 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-21 19:51:07 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2013-05-03 05:27:42 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2013-05-02 15:28:50 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-05-02 09:15:30 109080 ----a-w- c:\windows\system32\OpenAL32.dll
.
============= FINISH: 23:17:12.83 ===============

Edited by ANDEEZY, 26 July 2013 - 01:35 AM.
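The DDS log above is the only evidence in the post, and the entries that matter for the symptoms described (an "Open with" prompt at logon, a GPU pegged while idle) are the StartupFolder lines: a file named "False" with no extension, a .vbs, a .cfg, a Python script, and two executables, one of them named Taskhost.exe, all dropped straight into the per-user Startup folder. As an added example, not part of this thread and not DDS or Malwarebytes logic, the script below parses those StartupFolder lines (copied from the log into a constructed sample) and explains why each one deserves attention. The allow-list of System32 binary names, the extension classes and the shortcut-target check are this example's own assumptions, and the heuristic is deliberately simple: legitimate installers register Startup items as .lnk shortcuts pointing into Program Files, so a raw executable, script or extension-less file sitting in that folder is itself worth a look.

```python
"""Flag suspicious per-user Startup folder entries listed in a DDS log.

Added example for this thread, not part of the original post or of DDS:
the sample lines below are copied from the DDS output above, while the
heuristics (allow-list of System32 names, extension classes, shortcut
target check) are assumptions of this example, not DDS or Malwarebytes
logic.
"""

# Constructed sample: the StartupFolder lines from the thread's DDS log,
# plus two unrelated lines to show the parser ignores them.
SAMPLE_DDS_LINES = r"""
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\users\andeezy\appdata\roaming\microsoft\windows\start menu\programs\startup\False
StartupFolder: c:\users\andeezy\appdata\roaming\microsoft\windows\start menu\programs\startup\false.vbs
StartupFolder: c:\users\andeezy\appdata\roaming\micros~1\windows\startm~1\programs\startup\hauppa~1.lnk - c:\program files\hauppauge\devicecentral\HcwDCTrayTool.exe
StartupFolder: c:\users\andeezy\appdata\roaming\microsoft\windows\start menu\programs\startup\phoenix.cfg
StartupFolder: c:\users\andeezy\appdata\roaming\microsoft\windows\start menu\programs\startup\Taskhost.exe
StartupFolder: c:\users\andeezy\appdata\roaming\microsoft\windows\start menu\programs\startup\user.exe
StartupFolder: c:\users\andeezy\appdata\roaming\microsoft\windows\start menu\programs\startup\doc\cpu.py
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
"""

# Windows binaries that live in %SystemRoot%\System32; a same-named file in a
# user-writable Startup folder is masquerading (assumed allow-list).
SYSTEM_BINARY_NAMES = {
    "taskhost.exe", "svchost.exe", "csrss.exe", "lsass.exe",
    "conhost.exe", "explorer.exe", "dllhost.exe", "wininit.exe",
}

# Extensions that Explorer runs directly or hands to a script host at logon.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".bat", ".cmd", ".vbs", ".js", ".wsf", ".ps1", ".py"}

# Locations a legitimate installer's Startup shortcut normally points into.
TRUSTED_TARGET_PREFIXES = ("c:\\program files", "c:\\windows")


def parse_startup_entries(log_text):
    """Extract 'StartupFolder:' lines into {'path', 'target'} dicts.

    DDS appends ' - <target>' after a shortcut's path; other entries have none.
    """
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line.lower().startswith("startupfolder:"):
            continue
        rest = line.split(":", 1)[1].strip()
        path, sep, target = rest.partition(" - ")
        entries.append({"path": path, "target": target.strip() if sep else None})
    return entries


def _filename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def assess_entry(entry):
    """Return the reasons an entry is suspicious; an empty list means not flagged."""
    name = _filename(entry["path"]).lower()
    _, dot, ext = name.rpartition(".")
    ext = "." + ext if dot else ""
    reasons = []
    if ext == ".lnk":
        # Shortcuts are how installers normally register Startup items; only
        # flag one whose target is missing or outside the trusted locations.
        target = (entry["target"] or "").lower()
        if not target.startswith(TRUSTED_TARGET_PREFIXES):
            reasons.append("shortcut target missing or outside Program Files / Windows")
        return reasons
    reasons.append("not a shortcut: file dropped directly into the Startup folder")
    if not dot:
        # No extension means no registered handler, so ShellExecute at logon
        # shows the 'Open with' prompt the original poster describes.
        reasons.append("no extension: triggers an 'Open with' prompt at every logon")
    elif ext in EXECUTABLE_EXTS:
        reasons.append(f"executable or script ({ext}) launched at every logon")
    else:
        reasons.append(f"data file ({ext}) in Startup: opened by its associated program at logon")
    if name in SYSTEM_BINARY_NAMES:
        reasons.append("filename shadows a Windows System32 binary")
    return reasons


def find_suspicious(log_text):
    """Map each flagged Startup filename to its list of reasons."""
    report = {}
    for entry in parse_startup_entries(log_text):
        reasons = assess_entry(entry)
        if reasons:
            report[_filename(entry["path"])] = reasons
    return report


if __name__ == "__main__":
    for name, reasons in find_suspicious(SAMPLE_DDS_LINES).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, the Hauppauge shortcut passes (it is a .lnk whose target is under Program Files) and the other six entries are reported, with Taskhost.exe collecting the extra "shadows a System32 binary" reason. The script only reads the log; removal is left to the malware-removal process the thread goes on to follow.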


#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:41 PM

Posted 26 July 2013 - 02:15 AM

Hi there,
my name is Marius and I will be assisting you with your malware-related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction, or add/remove software, unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Scan with Malwarebytes Anti-Rootkit

Please download Malwarebytes Anti-Rootkit from the Malwarebytes site and save it to your desktop.

Be sure to print out and follow the instructions provided on that same page.

Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.

  • Double click the mbar.zip file to open it, then 'Extract all files'.
  • Double click the mbar folder to open it, then double click mbar.exe to start the tool.

Check for Updates, then Scan your system for malware

If malware is found, do NOT press the Cleanup button yet. Click EXIT.

I'd like to see the log first so I can see what it sees. You'll find the log in that mbar folder as MBAR-log-[date and time]***.txt. Please attach that to your next reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, you can donate (no worries, every little bit helps)

#3 ANDEEZY

ANDEEZY
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:41 PM

Posted 26 July 2013 - 03:05 AM

Hi Marius, thanks for helping me out!

 

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.06.0.1004
 
© Malwarebytes Corporation 2011-2012
 
OS version: 6.1.7601 Windows 7 Service Pack 1 x86
 
Account is Administrative
 
Internet Explorer version: 10.0.9200.16576
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, Z:\ DRIVE_FIXED
CPU speed: 2.712000 GHz
Memory total: 3622264832, free: 2169511936
 
Downloaded database version: v2013.07.26.02
Downloaded database version: v2013.07.15.01
Initializing...
------------ Kernel report ------------
     07/26/2013 00:38:34
------------ Loaded modules -----------
\SystemRoot\system32\ntkrnlpa.exe
\SystemRoot\system32\halmacpi.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_AuthenticAMD.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\compbatt.sys
\SystemRoot\system32\drivers\BATTC.SYS
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\drivers\vmci.sys
\SystemRoot\system32\drivers\pciide.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\nvstor.sys
\SystemRoot\system32\drivers\storport.sys
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\system32\DRIVERS\MpFilter.sys
\SystemRoot\System32\Drivers\PxHelp20.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\vmstorfl.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\??\C:\Program Files\VMware\VMware Tools\vmrawdsk.sys
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\ws2ifsl.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\System32\DRIVERS\vmhgfs.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{55D87507-BBED-4A17-9B6B-18598D5B61B9}\MpKsl9649bc6b.sys
\SystemRoot\System32\Drivers\ElbyCDIO.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\amdk8.sys
\SystemRoot\system32\DRIVERS\fdc.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\DRIVERS\usbohci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\AN983.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
\SystemRoot\system32\DRIVERS\nvlddmkm.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\Rt86win7.sys
\SystemRoot\system32\DRIVERS\CompositeBus.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\tap0901t.sys
\SystemRoot\system32\DRIVERS\rdpbus.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\VClone.sys
\SystemRoot\system32\DRIVERS\SCSIPORT.SYS
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\AmdLLD.sys
\SystemRoot\system32\drivers\LGBusEnum.sys
\SystemRoot\system32\drivers\WmBEnum.sys
\SystemRoot\system32\drivers\WmXlCore.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\flpydisk.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\HdAudio.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\nvhda32v.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\LGSHidFilt.Sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\system32\drivers\usbaudio.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_dumpata.sys
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\DRIVERS\parvdm.sys
\??\C:\Program Files\Common Files\VMware\Drivers\memctl\vmmemctl.sys
\SystemRoot\system32\DRIVERS\NisDrvWFP.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\drivers\WmVirHid.sys
\SystemRoot\system32\drivers\LGVirHid.sys
\??\C:\Program Files\MSI Afterburner\RTCore32.sys
\SystemRoot\System32\Drivers\fastfat.SYS
\??\C:\Users\ANDEEZY\AppData\Local\Temp\mbr.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\mbamswissarmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR1
Upper Device Object: 0xffffffff86c62030
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000069\
Lower Device Object: 0xffffffff8637dc68
Lower Device Driver Name: \Driver\nvstor\
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff86c61860
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\
Lower Device Object: 0xffffffff86351030
Lower Device Driver Name: \Driver\atapi\
<<<2>>>
Device number: 0, partition: 2
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff86c61860, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff86c61498, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff86c61860, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff86392900, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff86351030, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\Windows\system32\drivers...
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 2EE12EE0
 
Partition information:
 
    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 204800
    Partition file system is NTFS
    Partition is bootable
 
    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 206848  Numsec = 390512640
 
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
Disk Size: 200049647616 bytes
Sector size: 512 bytes
 
Scanning physical sectors of unpartitioned space on drive 0 (1-2047-390701968-390721968)...
Done!
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xffffffff86c62030, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff86c62d10, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff86c62030, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff85a5f700, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff8637dc68, DeviceName: \Device\00000069\, DriverName: \Driver\nvstor\
------------ End ----------
Alternate DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 4C5F4C5F
 
Partition information:
 
    Partition 0 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 2048  Numsec = 1953519616
 
    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
Disk Size: 1000204886016 bytes
Sector size: 512 bytes
 
Done!
Infected: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|svchost --> [Backdoor.Bot]
Infected: c:\Program Files\Java\jre7\bin\javaw.exe --> [Backdoor.Bot]
Infected: c:\Program Files\Java\jre7\bin\javaw.exe --> [Backdoor.Bot]
Scan finished
=======================================
 
 
Removal queue found; removal started
Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_0_i.mbam...
Removing c:\programdata\malwarebytes' anti-malware (portable)\bootstrap_0_0_2048_i.mbam...
Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_0_r.mbam...
Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_1_i.mbam...
Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_1_r.mbam...
Removal finished

Edited by ANDEEZY, 26 July 2013 - 03:06 AM.


#4 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:11:41 PM

Posted 26 July 2013 - 03:08 AM

Fix with Malwarebytes Anti-Rootkit

Run another scan with mbar.exe and click the CleanUp button. It will require a reboot.

When it has rebooted, run another scan with mbar.exe and click CleanUp again if necessary.

Send the mbar-log.txt along with an update on machine behavior.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#5 ANDEEZY

ANDEEZY
  • Topic Starter

  • Members
  • 5 posts
  • Local time:03:41 PM

Posted 26 July 2013 - 03:50 AM

GPU usage is still 90%+ and the file "False" is still asking to be opened.

Malwarebytes Anti-Rootkit BETA 1.06.0.1004
www.malwarebytes.org
 
Database version: v2013.07.26.03
 
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 10.0.9200.16576
ANDEEZY :: ANDEEZY-DESKTOP [administrator]
 
7/26/2013 1:12:36 AM
mbar-log-2013-07-26 (01-12-36).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: PUP
Objects scanned: 274625
Time elapsed: 16 minute(s), 42 second(s)
 
Memory Processes Detected: 1
c:\Program Files\Java\jre7\bin\javaw.exe (Backdoor.Bot) -> 3340 -> Delete on reboot.
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 1
HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|svchost (Backdoor.Bot) -> Data: "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\ANDEEZY\AppData\Roaming\svchost-1745986186.jar" -> Delete on reboot.
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 1
c:\Program Files\Java\jre7\bin\javaw.exe (Backdoor.Bot) -> Delete on reboot.
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)

Edited by ANDEEZY, 26 July 2013 - 04:13 AM.


#6 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:11:41 PM

Posted 26 July 2013 - 04:14 AM

Combofix

Combofix should only be run when advised by a team member!

Link


Important - Save the file to your desktop!


  • Deactivate any and all of your antivirus programs / spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe


When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing "Illegal operation attempted on a registry key that has been marked for deletion", simply restart your computer to fix this.


Edited by TB-Psychotic, 26 July 2013 - 04:15 AM.


#7 ANDEEZY

ANDEEZY
  • Topic Starter

  • Members
  • 5 posts
  • Local time:03:41 PM

Posted 26 July 2013 - 04:45 AM

ComboFix 13-07-25.02 - ANDEEZY 07/26/2013   2:22.1.2 - x86
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.3454.1211 [GMT -7:00]
Running from: c:\users\ANDEEZY\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\ANDEEZY\AppData\Local\Temp\7zS3EAB\HPSLPSVC32.DLL
c:\windows\system32\tmp2975.tmp
c:\windows\system32\tmp29B5.tmp
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_HPSLPSVC
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-26 to 2013-07-26  )))))))))))))))))))))))))))))))
.
.
2013-07-26 08:59 . 2013-07-26 08:59 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-07-26 08:49 . 2013-07-26 08:49 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9138CB46-7A1C-4A11-8608-82A1628F7A06}\MpKslf80e90f5.sys
2013-07-26 08:11 . 2013-07-26 08:11 31560 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2013-07-26 07:38 . 2013-07-26 07:38 -------- d-----w- c:\programdata\Malwarebytes
2013-07-26 06:16 . 2013-07-02 06:54 7143960 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9138CB46-7A1C-4A11-8608-82A1628F7A06}\mpengine.dll
2013-07-26 06:02 . 2013-07-02 06:54 7143960 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-07-24 07:59 . 2013-07-24 07:59 -------- d-----w- c:\program files\AGEIA Technologies
2013-07-23 06:43 . 2013-07-23 06:43 -------- d-----w- c:\programdata\HP
2013-07-22 07:14 . 2013-06-07 07:53 118 ---ha-r- c:\users\ANDEEZY\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\false.vbs
2013-07-22 07:14 . 2013-06-13 01:04 96701 ----a-r- c:\users\ANDEEZY\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Taskhost.exe
2013-07-22 07:14 . 2012-04-07 07:30 5389566 ---ha-r- c:\users\ANDEEZY\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\user.exe
2013-07-21 22:20 . 2013-07-21 22:20 -------- d-----w- c:\users\ANDEEZY\AppData\Roaming\library_dir
2013-07-18 05:41 . 2013-07-18 05:39 698504 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{52344B68-AF2D-4517-AF7A-F95FE36F3DDA}\gapaengine.dll
2013-07-17 22:51 . 2013-07-22 01:42 -------- d-----w- c:\users\ANDEEZY\AppData\Roaming\.minecraft
2013-07-17 09:53 . 2013-07-17 10:00 -------- d-----w- c:\program files\Roller Coaster Tycoon 3 Platinum  - CarlesNeo !
2013-07-16 10:21 . 2013-07-16 10:33 -------- d-----w- c:\program files\Euro Truck Simulator 2
2013-07-16 03:21 . 2013-07-16 03:21 -------- d-----w- c:\users\ANDEEZY\AppData\Local\ElevatedDiagnostics
2013-07-15 09:49 . 2013-07-15 09:59 -------- d-----w- c:\program files\AirBuccaneers
2013-07-14 11:48 . 2013-07-14 11:48 -------- d-----w- c:\users\ANDEEZY\AppData\Roaming\gd.sos.McPixel
2013-07-14 02:41 . 2013-07-14 03:57 -------- d-----w- c:\users\ANDEEZY\AppData\Roaming\FEZ
2013-07-14 02:39 . 2013-07-14 04:54 -------- d-----w- C:\GOG Games
2013-07-13 23:39 . 2013-07-13 23:39 -------- d-----w- c:\programdata\SystemRequirementsLab
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-26 08:59 . 2012-06-23 00:40 789416 ----a-w- c:\windows\system32\deployJava1.dll
2013-07-26 08:59 . 2012-06-23 00:40 867240 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-07-18 21:42 . 2012-05-04 06:47 139048 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2013-07-18 21:42 . 2012-05-04 06:56 282296 ----a-w- c:\windows\system32\PnkBstrB.xtr
2013-07-18 21:42 . 2012-05-04 06:47 282296 ----a-w- c:\windows\system32\PnkBstrB.exe
2013-07-17 20:51 . 2012-05-04 06:47 282296 ----a-w- c:\windows\system32\PnkBstrB.ex0
2013-07-06 09:40 . 2013-04-13 05:23 2434856 ----a-w- c:\windows\system32\pbsvc_bc2.exe
2013-06-25 06:15 . 2012-06-12 23:36 724464 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2013-06-15 22:48 . 2012-05-04 06:47 138904 ----a-w- c:\users\ANDEEZY\AppData\Roaming\PnkBstrK.sys
2013-06-15 22:48 . 2012-05-04 06:47 76888 ----a-w- c:\windows\system32\PnkBstrA.exe
2013-06-12 04:02 . 2012-05-04 05:09 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-12 04:02 . 2012-05-04 05:09 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-21 19:51 . 2013-01-14 06:48 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2013-05-03 05:27 . 2012-09-24 22:11 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2013-05-02 15:28 . 2012-04-29 19:24 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-05-02 09:21 . 2012-07-17 22:37 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-05-02 09:15 . 2012-09-24 22:11 109080 ----a-w- c:\windows\system32\OpenAL32.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{687578b9-7132-4a7a-80e4-30ee31099e03}"= "c:\program files\uTorrentControl2\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{687578b9-7132-4a7a-80e4-30ee31099e03}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{687578b9-7132-4a7a-80e4-30ee31099e03}]
2011-05-09 08:49 176936 ----a-w- c:\program files\uTorrentControl2\prxtbuTor.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{687578b9-7132-4a7a-80e4-30ee31099e03}"= "c:\program files\uTorrentControl2\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{687578b9-7132-4a7a-80e4-30ee31099e03}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{687578B9-7132-4A7A-80E4-30EE31099E03}"= "c:\program files\uTorrentControl2\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{687578b9-7132-4a7a-80e4-30ee31099e03}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2012-11-14 03:00 220632 ----a-w- c:\users\ANDEEZY\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2012-11-14 03:00 220632 ----a-w- c:\users\ANDEEZY\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2012-11-14 03:00 220632 ----a-w- c:\users\ANDEEZY\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RGSC"="z:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe" [BU]
"Steam"="z:\program files\Steam\steam.exe" [2013-07-26 1807272]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [BU]
"AdobeBridge"="" [BU]
"Uploader"="c:\program files\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe" [BU]
"Raptr"="c:\progra~1\Raptr\raptrstub.exe" [2013-07-18 55360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="c:\program files\VMware\VMware Tools\VMwareTray.exe" [2012-01-17 58480]
"VMware User Process"="c:\program files\VMware\VMware Tools\vmtoolsd.exe" [2012-01-17 62576]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2011-03-07 89456]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-04-04 446392]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS6ServiceManager"="c:\program files\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" [2012-03-10 1073312]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2012-11-04 1851192]
"DBAgent"="c:\program files\Seagate\Seagate Dashboard 2.0\DBAgent.exe" [BU]
"Launch LCore"="c:\program files\Logitech Gaming Software\LCore.exe" [2012-11-29 5479224]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [BU]
"Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2010-06-14 153672]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-05-15 152392]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
c:\users\ANDEEZY\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
False [2013-7-26 357312]
false.vbs [2013-6-7 118]
Hauppauge Device Central Tray Tool.lnk - c:\program files\Hauppauge\DeviceCentral\HcwDCTrayTool.exe [2013-4-27 478696]
phoenix.cfg [2013-6-14 781]
Taskhost.exe [2013-6-12 96701]
user.exe [2012-4-7 5389566]
.
c:\users\ANDEEZY\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\doc\
cpu.py [2012-2-21 6847]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2012-10-01 07:22 66360 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 Seagate Dashboard Services;Seagate Dashboard Services;c:\program files\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe [x]
R2 VMTools;VMware Tools;c:\program files\VMware\VMware Tools\vmtoolsd.exe [2012-01-17 62576]
R3 Desura Install Service;Desura Install Service;c:\program files\Common Files\Desura\desura_service.exe [2012-05-04 131912]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
R3 hcwE5bda;Hauppauge Siena Video Capture;c:\windows\system32\drivers\hcwE5bda.sys [2012-12-20 623744]
R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2013-07-26 31560]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2013-01-20 100328]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2013-01-27 295232]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 RTCore32;RTCore32;c:\program files\MSI Afterburner\RTCore32.sys [2011-09-06 5632]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;c:\windows\system32\drivers\Synth3dVsc.sys [2010-11-20 77184]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-20 25600]
R3 TPAutoConnSvc;TP AutoConnect Service;c:\program files\VMware\VMware Tools\TPAutoConnSvc.exe [2010-08-02 263496]
R3 TPVCGateway;TP VC Gateway Service;c:\program files\VMware\VMware Tools\TPVCGateway.exe [2010-10-07 394104]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
R3 tsusbhub;Remote Deskotop USB Hub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-20 112640]
R3 TunngleService;TunngleService;c:\program files\Tunngle\TnglCtrl.exe [2012-10-03 743320]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 vm3dmp;vm3dmp;c:\windows\system32\DRIVERS\vm3dmp.sys [2012-01-17 108144]
R3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [2012-01-17 11440]
R3 vtany;vtany;c:\windows\vtany.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-04-30 1343400]
R3 WinRing0_1_2_0;WinRing0_1_2_0;c:\program files\Razer\Razer Game Booster\Driver\WinRing0.sys [2012-08-01 14416]
R3 xhunter1;xhunter1;c:\windows\xhunter1.sys [x]
S0 vmci;VMware VMCI Bus Driver;c:\windows\system32\drivers\vmci.sys [2012-01-17 98928]
S1 MpKslf80e90f5;MpKslf80e90f5;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9138CB46-7A1C-4A11-8608-82A1628F7A06}\MpKslf80e90f5.sys [2013-07-26 29904]
S1 vmhgfs;vmhgfs;c:\windows\system32\DRIVERS\vmhgfs.sys [2012-01-17 144112]
S1 vmrawdsk;VMware Vista Physical Disk Helper;c:\program files\VMware\VMware Tools\vmrawdsk.sys [2012-01-17 37872]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2013-01-18 383264]
S2 VMMEMCTL;Memory Control Driver;c:\program files\Common Files\VMware\Drivers\memctl\vmmemctl.sys [2012-01-17 15088]
S3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2009-11-24 19720]
S3 LGSHidFilt;Logitech Gaming KMDF HID Filter Driver;c:\windows\system32\DRIVERS\LGSHidFilt.Sys [2012-10-02 42040]
S3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [2009-11-24 14856]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2011-06-10 394856]
S3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);c:\windows\system32\DRIVERS\tap0901t.sys [2009-09-16 27136]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPService REG_MULTI_SZ   HPSLPSVC
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-07-13 03:30 1173456 ----a-w- c:\program files\Google\Chrome\Application\28.0.1500.72\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-26 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-04 04:02]
.
2013-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-03-17 03:43]
.
2013-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-03-17 03:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
uInternet Settings,ProxyOverride = *.local
LSP: %SystemRoot%\system32\vsocklib.dll
Trusted Zone: apple.com\www
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\ANDEEZY\AppData\Roaming\Mozilla\Firefox\Profiles\qbbzua38.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - user.js: extensions.funmoods.hmpg - false
FF - user.js: extensions.funmoods.hmpgUrl - hxxp://start.funmoods.com/?f=1&a=axl&chnl=axl&cd=2XzuyEtN2Y1L1QzutDtDtC0EzytDyByC0ByB0E0DtD0ByC0DtN0D0Tzu0CtByCyEtN1L2XzutBtFtCtFtCtFtAtCtB&cr=479585892
FF - user.js: extensions.funmoods.dfltSrch - false
FF - user.js: extensions.funmoods.srchPrvdr - Search
FF - user.js: extensions.funmoods.dnsErr - true
FF - user.js: extensions.funmoods_i.newTab - false
FF - user.js: extensions.funmoods.newTabUrl - hxxp://start.funmoods.com/?f=2&a=axl&chnl=axl&cd=2XzuyEtN2Y1L1QzutDtDtC0EzytDyByC0ByB0E0DtD0ByC0DtN0D0Tzu0CtByCyEtN1L2XzutBtFtCtFtCtFtAtCtB&cr=479585892
FF - user.js: extensions.funmoods.tlbrSrchUrl - hxxp://start.funmoods.com/?f=3&a=axl&chnl=axl&cd=2XzuyEtN2Y1L1QzutDtDtC0EzytDyByC0ByB0E0DtD0ByC0DtN0D0Tzu0CtByCyEtN1L2XzutBtFtCtFtCtFtAtCtB&cr=479585892&q=
FF - user.js: extensions.funmoods.id - 001E9076B7ED0B6D
FF - user.js: extensions.funmoods.instlDay - 15603
FF - user.js: extensions.funmoods.vrsn - 1.5.23.22
FF - user.js: extensions.funmoods.vrsni - 1.5.23.22
FF - user.js: extensions.funmoods_i.vrsnTs - 1.5.23.2223:44
FF - user.js: extensions.funmoods.prtnrId - funmoods
FF - user.js: extensions.funmoods.prdct - funmoods
FF - user.js: extensions.funmoods.aflt - axl
FF - user.js: extensions.funmoods_i.smplGrp - none
FF - user.js: extensions.funmoods.tlbrId - base
FF - user.js: extensions.funmoods.instlRef - axl
FF - user.js: extensions.funmoods.dfltLng - 
FF - user.js: extensions.funmoods.excTlbr - false
FF - user.js: extensions.funmoods.autoRvrt - false
FF - user.js: extensions.funmoods.envrmnt - production
FF - user.js: extensions.funmoods.isdcmntcmplt - true
FF - user.js: extensions.funmoods.mntrvrsn - 1.3.0
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-ArnA 2: Combined Operations - z:\program files\ArmA 2\uninstall.exe
AddRemove-GoldenEye: Source - z:\program files\Steam\SteamApps\sourcemods\GoldenEye: Source_Uninstall.exe
AddRemove-Sniper Elite: Nazi Zombie Army_is1 - c:\program files\Sniper Elite Nazi Zombie Army\unins000.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3441309628-415962082-4169549075-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-3441309628-415962082-4169549075-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_USERS\S-1-5-21-3441309628-415962082-4169549075-1000\Software\SecuROM\License information*]
"datasecu"=hex:aa,19,49,34,ee,28,34,74,20,64,2c,2b,eb,97,c6,e1,47,ab,4d,39,a3,
   58,e9,bd,15,97,a3,8e,fe,3c,e9,16,84,08,ed,45,9d,1b,6b,ea,23,69,d1,11,87,e8,\
"rkeysecu"=hex:0a,15,a2,5f,aa,36,7d,57,6b,34,fd,a6,4e,5c,4b,a4
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\NVIDIA Corporation\Display\nvxdsync.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
z:\program files\Hi-Rez Studios\HiPatchService.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\dllhost.exe
c:\windows\System32\msdtc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
c:\program files\NVIDIA Corporation\Display\nvtray.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\rundll32.exe
c:\users\ANDEEZY\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\user.exe
c:\windows\system32\conhost.exe
c:\progra~1\Raptr\raptr.exe
c:\windows\system32\DllHost.exe
c:\progra~1\Raptr\raptr_im.exe
.
**************************************************************************
.
Completion time: 2013-07-26  02:43:17 - machine was rebooted
ComboFix-quarantined-files.txt  2013-07-26 09:43
ComboFix2.txt  2013-07-24 09:52
.
Pre-Run: 29,931,151,360 bytes free
Post-Run: 29,475,221,504 bytes free
.
- - End Of File - - BC61E2D554A48CD9D6BE405EC67BB60A
A36C5E4F47E84449FF07ED3517B43A31


#8 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:11:41 PM

Posted 26 July 2013 - 05:40 AM

Combofix scripting

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.


CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Full System Scan with Malwarebytes Antimalware

  • If not existing, please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.


If the program is already installed:
  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.



#9 ANDEEZY

ANDEEZY
  • Topic Starter

  • Members
  • 5 posts
  • Local time:03:41 PM

Posted 26 July 2013 - 03:35 PM

ComboFix 13-07-25.02 - ANDEEZY 07/26/2013   4:00.2.2 - x86
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.3454.1762 [GMT -7:00]
Running from: c:\users\ANDEEZY\Desktop\ComboFix.exe
Command switches used :: c:\users\ANDEEZY\Downloads\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
file zipped: c:\users\ANDEEZY\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\false.vbs
file zipped: c:\users\ANDEEZY\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Taskhost.exe
file zipped: c:\users\ANDEEZY\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\user.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-26 to 2013-07-26  )))))))))))))))))))))))))))))))
.
.
2013-07-26 11:09 . 2013-07-26 11:09 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2013-07-26 11:09 . 2013-07-26 11:09 -------- d-----w- c:\users\John Tran\AppData\Local\temp
2013-07-26 11:09 . 2013-07-26 11:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-07-26 08:59 . 2013-07-26 08:59 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-07-26 08:11 . 2013-07-26 08:11 31560 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2013-07-26 07:38 . 2013-07-26 07:38 -------- d-----w- c:\programdata\Malwarebytes
2013-07-26 06:16 . 2013-07-02 06:54 7143960 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9138CB46-7A1C-4A11-8608-82A1628F7A06}\mpengine.dll
2013-07-26 06:02 . 2013-07-02 06:54 7143960 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-07-24 07:59 . 2013-07-24 07:59 -------- d-----w- c:\program files\AGEIA Technologies
2013-07-23 06:43 . 2013-07-23 06:43 -------- d-----w- c:\programdata\HP
2013-07-22 07:14 . 2013-06-07 07:53 118 ---ha-r- c:\users\ANDEEZY\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\false.vbs
2013-07-22 07:14 . 2013-06-13 01:04 96701 ----a-r- c:\users\ANDEEZY\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Taskhost.exe
2013-07-22 07:14 . 2012-04-07 07:30 5389566 ---ha-r- c:\users\ANDEEZY\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\user.exe
2013-07-21 22:20 . 2013-07-21 22:20 -------- d-----w- c:\users\ANDEEZY\AppData\Roaming\library_dir
2013-07-18 05:41 . 2013-07-18 05:39 698504 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{52344B68-AF2D-4517-AF7A-F95FE36F3DDA}\gapaengine.dll
2013-07-17 22:51 . 2013-07-22 01:42 -------- d-----w- c:\users\ANDEEZY\AppData\Roaming\.minecraft
2013-07-17 09:53 . 2013-07-17 10:00 -------- d-----w- c:\program files\Roller Coaster Tycoon 3 Platinum  - CarlesNeo !
2013-07-16 10:21 . 2013-07-16 10:33 -------- d-----w- c:\program files\Euro Truck Simulator 2
2013-07-16 03:21 . 2013-07-16 03:21 -------- d-----w- c:\users\ANDEEZY\AppData\Local\ElevatedDiagnostics
2013-07-15 09:49 . 2013-07-15 09:59 -------- d-----w- c:\program files\AirBuccaneers
2013-07-14 11:48 . 2013-07-14 11:48 -------- d-----w- c:\users\ANDEEZY\AppData\Roaming\gd.sos.McPixel
2013-07-14 02:41 . 2013-07-14 03:57 -------- d-----w- c:\users\ANDEEZY\AppData\Roaming\FEZ
2013-07-14 02:39 . 2013-07-14 04:54 -------- d-----w- C:\GOG Games
2013-07-13 23:39 . 2013-07-13 23:39 -------- d-----w- c:\programdata\SystemRequirementsLab
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-26 08:59 . 2012-06-23 00:40 789416 ----a-w- c:\windows\system32\deployJava1.dll
2013-07-26 08:59 . 2012-06-23 00:40 867240 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-07-18 21:42 . 2012-05-04 06:47 139048 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2013-07-18 21:42 . 2012-05-04 06:56 282296 ----a-w- c:\windows\system32\PnkBstrB.xtr
2013-07-18 21:42 . 2012-05-04 06:47 282296 ----a-w- c:\windows\system32\PnkBstrB.exe
2013-07-17 20:51 . 2012-05-04 06:47 282296 ----a-w- c:\windows\system32\PnkBstrB.ex0
2013-07-06 09:40 . 2013-04-13 05:23 2434856 ----a-w- c:\windows\system32\pbsvc_bc2.exe
2013-06-25 06:15 . 2012-06-12 23:36 724464 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2013-06-15 22:48 . 2012-05-04 06:47 138904 ----a-w- c:\users\ANDEEZY\AppData\Roaming\PnkBstrK.sys
2013-06-15 22:48 . 2012-05-04 06:47 76888 ----a-w- c:\windows\system32\PnkBstrA.exe
2013-06-12 04:02 . 2012-05-04 05:09 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-12 04:02 . 2012-05-04 05:09 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-21 19:51 . 2013-01-14 06:48 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2013-05-03 05:27 . 2012-09-24 22:11 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2013-05-02 15:28 . 2012-04-29 19:24 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-05-02 09:21 . 2012-07-17 22:37 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-05-02 09:15 . 2012-09-24 22:11 109080 ----a-w- c:\windows\system32\OpenAL32.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{687578b9-7132-4a7a-80e4-30ee31099e03}"= "c:\program files\uTorrentControl2\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{687578b9-7132-4a7a-80e4-30ee31099e03}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{687578b9-7132-4a7a-80e4-30ee31099e03}]
2011-05-09 08:49 176936 ----a-w- c:\program files\uTorrentControl2\prxtbuTor.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{687578b9-7132-4a7a-80e4-30ee31099e03}"= "c:\program files\uTorrentControl2\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{687578b9-7132-4a7a-80e4-30ee31099e03}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{687578B9-7132-4A7A-80E4-30EE31099E03}"= "c:\program files\uTorrentControl2\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{687578b9-7132-4a7a-80e4-30ee31099e03}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2012-11-14 03:00 220632 ----a-w- c:\users\ANDEEZY\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2012-11-14 03:00 220632 ----a-w- c:\users\ANDEEZY\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2012-11-14 03:00 220632 ----a-w- c:\users\ANDEEZY\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RGSC"="z:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe" [BU]
"Steam"="z:\program files\Steam\steam.exe" [2013-07-26 1807272]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [BU]
"AdobeBridge"="" [BU]
"Uploader"="c:\program files\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe" [BU]
"Raptr"="c:\progra~1\Raptr\raptrstub.exe" [2013-07-18 55360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="c:\program files\VMware\VMware Tools\VMwareTray.exe" [2012-01-17 58480]
"VMware User Process"="c:\program files\VMware\VMware Tools\vmtoolsd.exe" [2012-01-17 62576]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2011-03-07 89456]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-04-04 446392]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS6ServiceManager"="c:\program files\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" [2012-03-10 1073312]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2012-11-04 1851192]
"DBAgent"="c:\program files\Seagate\Seagate Dashboard 2.0\DBAgent.exe" [BU]
"Launch LCore"="c:\program files\Logitech Gaming Software\LCore.exe" [2012-11-29 5479224]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [BU]
"Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2010-06-14 153672]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-05-15 152392]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
c:\users\ANDEEZY\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
False [2013-7-26 367514]
false.vbs [2013-6-7 118]
Hauppauge Device Central Tray Tool.lnk - c:\program files\Hauppauge\DeviceCentral\HcwDCTrayTool.exe [2013-4-27 478696]
phoenix.cfg [2013-6-14 781]
Taskhost.exe [2013-6-12 96701]
user.exe [2012-4-7 5389566]
.
c:\users\ANDEEZY\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\doc\
cpu.py [2012-2-21 6847]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2012-10-01 07:22 66360 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 Seagate Dashboard Services;Seagate Dashboard Services;c:\program files\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe [x]
R2 VMTools;VMware Tools;c:\program files\VMware\VMware Tools\vmtoolsd.exe [2012-01-17 62576]
R3 CFcatchme;CFcatchme;c:\users\ANDEEZY\AppData\Local\Temp\CFcatchme.sys [x]
R3 Desura Install Service;Desura Install Service;c:\program files\Common Files\Desura\desura_service.exe [2012-05-04 131912]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
R3 hcwE5bda;Hauppauge Siena Video Capture;c:\windows\system32\drivers\hcwE5bda.sys [2012-12-20 623744]
R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2013-07-26 31560]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2013-01-20 100328]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2013-01-27 295232]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 RTCore32;RTCore32;c:\program files\MSI Afterburner\RTCore32.sys [2011-09-06 5632]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;c:\windows\system32\drivers\Synth3dVsc.sys [2010-11-20 77184]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-20 25600]
R3 TPAutoConnSvc;TP AutoConnect Service;c:\program files\VMware\VMware Tools\TPAutoConnSvc.exe [2010-08-02 263496]
R3 TPVCGateway;TP VC Gateway Service;c:\program files\VMware\VMware Tools\TPVCGateway.exe [2010-10-07 394104]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
R3 tsusbhub;Remote Deskotop USB Hub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-20 112640]
R3 TunngleService;TunngleService;c:\program files\Tunngle\TnglCtrl.exe [2012-10-03 743320]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 vm3dmp;vm3dmp;c:\windows\system32\DRIVERS\vm3dmp.sys [2012-01-17 108144]
R3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [2012-01-17 11440]
R3 vtany;vtany;c:\windows\vtany.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-04-30 1343400]
R3 WinRing0_1_2_0;WinRing0_1_2_0;c:\program files\Razer\Razer Game Booster\Driver\WinRing0.sys [2012-08-01 14416]
R3 xhunter1;xhunter1;c:\windows\xhunter1.sys [x]
S0 vmci;VMware VMCI Bus Driver;c:\windows\system32\drivers\vmci.sys [2012-01-17 98928]
S1 vmhgfs;vmhgfs;c:\windows\system32\DRIVERS\vmhgfs.sys [2012-01-17 144112]
S1 vmrawdsk;VMware Vista Physical Disk Helper;c:\program files\VMware\VMware Tools\vmrawdsk.sys [2012-01-17 37872]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2013-01-18 383264]
S2 VMMEMCTL;Memory Control Driver;c:\program files\Common Files\VMware\Drivers\memctl\vmmemctl.sys [2012-01-17 15088]
S3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2009-11-24 19720]
S3 LGSHidFilt;Logitech Gaming KMDF HID Filter Driver;c:\windows\system32\DRIVERS\LGSHidFilt.Sys [2012-10-02 42040]
S3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [2009-11-24 14856]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2011-06-10 394856]
S3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);c:\windows\system32\DRIVERS\tap0901t.sys [2009-09-16 27136]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPService REG_MULTI_SZ   HPSLPSVC
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-07-13 03:30 1173456 ----a-w- c:\program files\Google\Chrome\Application\28.0.1500.72\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-26 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-04 04:02]
.
2013-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-03-17 03:43]
.
2013-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-03-17 03:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
uInternet Settings,ProxyOverride = *.local
LSP: %SystemRoot%\system32\vsocklib.dll
Trusted Zone: apple.com\www
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\ANDEEZY\AppData\Roaming\Mozilla\Firefox\Profiles\qbbzua38.default\
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3441309628-415962082-4169549075-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-3441309628-415962082-4169549075-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_USERS\S-1-5-21-3441309628-415962082-4169549075-1000\Software\SecuROM\License information*]
"datasecu"=hex:aa,19,49,34,ee,28,34,74,20,64,2c,2b,eb,97,c6,e1,47,ab,4d,39,a3,
   58,e9,bd,15,97,a3,8e,fe,3c,e9,16,84,08,ed,45,9d,1b,6b,ea,23,69,d1,11,87,e8,\
"rkeysecu"=hex:0a,15,a2,5f,aa,36,7d,57,6b,34,fd,a6,4e,5c,4b,a4
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\NVIDIA Corporation\Display\nvxdsync.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
z:\program files\Hi-Rez Studios\HiPatchService.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\dllhost.exe
c:\windows\System32\msdtc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\NVIDIA Corporation\Display\nvtray.exe
c:\program files\iPod\bin\iPodService.exe
c:\users\ANDEEZY\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\user.exe
c:\windows\system32\conhost.exe
c:\program files\Google\Chrome\Application\chrome.exe
c:\program files\Common Files\Steam\SteamService.exe
c:\program files\Google\Chrome\Application\chrome.exe
c:\program files\Google\Chrome\Application\chrome.exe
c:\program files\Google\Chrome\Application\chrome.exe
c:\program files\Google\Chrome\Application\chrome.exe
c:\program files\Google\Chrome\Application\chrome.exe
c:\progra~1\Raptr\raptr.exe
c:\windows\system32\DllHost.exe
c:\progra~1\Raptr\raptr_im.exe
c:\program files\Google\Chrome\Application\chrome.exe
c:\program files\Google\Chrome\Application\chrome.exe
.
**************************************************************************
.
Completion time: 2013-07-26  04:19:25 - machine was rebooted
ComboFix-quarantined-files.txt  2013-07-26 11:19
ComboFix2.txt  2013-07-26 09:43
ComboFix3.txt  2013-07-24 09:52
.
Pre-Run: 29,530,722,304 bytes free
Post-Run: 29,787,865,088 bytes free
.
- - End Of File - - A00B82CA3E9064F4A97B51F6B12EC743
A36C5E4F47E84449FF07ED3517B43A31
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.07.26.03
 
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 10.0.9200.16576
ANDEEZY :: ANDEEZY-DESKTOP [administrator]
 
7/26/2013 4:31:35 AM
mbam-log-2013-07-26 (04-31-35).txt
 
Scan type: Full scan (A:\|C:\|D:\|E:\|F:\|G:\|Z:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 849211
Time elapsed: 3 hour(s), 57 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 15
HKCR\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439} (PUP.Funmoods) -> No action taken.
HKCR\escort.escortIEPane.1 (PUP.Funmoods) -> No action taken.
HKCR\escort.escortIEPane (PUP.Funmoods) -> No action taken.
HKCR\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13} (PUP.Funmoods) -> No action taken.
HKCR\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800} (PUP.Funmoods) -> No action taken.
HKCR\funmoodsApp.appCore.1 (PUP.Funmoods) -> No action taken.
HKCR\funmoodsApp.appCore (PUP.Funmoods) -> No action taken.
HKCR\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9} (PUP.Funmoods) -> No action taken.
HKCR\f (PUP.Funmoods) -> No action taken.
HKCR\Typelib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3} (PUP.Funmoods) -> No action taken.
HKCR\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191} (PUP.Funmoods) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Funmoods (PUP.FunMoods) -> No action taken.
HKCU\SOFTWARE\Funmoods (PUP.FunMoods) -> No action taken.
HKCU\Software\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh (PUP.Funmoods) -> No action taken.
HKLM\SOFTWARE\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh (PUP.Funmoods) -> No action taken.
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 5
C:\Users\ANDEEZY\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\chrome-extension_bbjciahceamgodcoidkjpchnokgfpphh_0.localstorage (PUP.Funmoods) -> No action taken.
C:\Users\ANDEEZY\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_bbjciahceamgodcoidkjpchnokgfpphh_0.localstorage (PUP.Funmoods) -> No action taken.
C:\Users\ANDEEZY\AppData\Local\funmoods.crx (PUP.Funmoods) -> No action taken.
C:\Users\ANDEEZY\Local Settings\Application Data\funmoods.crx (PUP.Funmoods) -> No action taken.
C:\Users\ANDEEZY\AppData\Roaming\Funmoods\UpdateProc\UpdateTask.exe (PUP.FunMoods) -> No action taken.
 
 
(end)
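Added example for this thread (it is not ComboFix, Malwarebytes or BleepingComputer code): a small triage script that parses the Run-key and Startup-folder listings in the layout ComboFix prints under "Reg Loading Points" and flags the kind of entries seen in the log above, namely files that load from user-writable profile paths, executables dropped straight into the Startup folder instead of shortcuts, and files carrying a Windows system binary name outside system32. The sample lines are constructed to mirror the posted log, and the heuristics and the SYSTEM_NAMES list are this example's own assumptions.

```python
"""Triage autostart entries from a ComboFix-style 'Reg Loading Points' dump.

Added example, not ComboFix's, Malwarebytes' or the forum's own code. The
heuristics below and the SYSTEM_NAMES list are assumptions of this example.
"""
import re
from dataclasses import dataclass, field

# Constructed sample mirroring the layout of the log posted above (not a verbatim copy).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RGSC"="z:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe" [BU]
"Steam"="z:\program files\Steam\steam.exe" [2013-07-26 1807272]
"AdobeBridge"="" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]
.
c:\users\ANDEEZY\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
False [2013-7-26 367514]
false.vbs [2013-6-7 118]
Hauppauge Device Central Tray Tool.lnk - c:\program files\Hauppauge\DeviceCentral\HcwDCTrayTool.exe [2013-4-27 478696]
phoenix.cfg [2013-6-14 781]
Taskhost.exe [2013-6-12 96701]
user.exe [2012-4-7 5389566]
.
"""

# Path fragments a normal user can write to without elevation (assumption of this example).
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")
# Extensions Windows will run directly when found in the Startup folder.
EXEC_EXT = (".exe", ".vbs", ".js", ".bat", ".cmd", ".scr", ".com", ".ps1", ".wsf")
# Real Windows binaries that live in system32; a same-named file elsewhere is a classic masquerade.
SYSTEM_NAMES = {"taskhost.exe", "svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe"}

KEY_LINE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
RUN_VALUE = re.compile(r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)"')
FOLDER_LINE = re.compile(r"^(?P<folder>[a-z]:\\.*\\)$", re.IGNORECASE)
LNK_LINE = re.compile(r"^(?P<name>.+?\.lnk) - (?P<target>.+?) \[", re.IGNORECASE)
FILE_LINE = re.compile(r"^(?P<name>.+?) \[[\d-]+ \d+\]$")


@dataclass
class Entry:
    source: str   # Run key or Startup folder that loads the entry
    name: str     # registry value name or file name in the folder
    path: str     # file that actually runs ("" when ComboFix printed [BU] with no path)
    reasons: list = field(default_factory=list)


def parse_loading_points(text: str) -> list:
    """Walk the dump; a '.' line ends the current Run key or folder block."""
    entries, context = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line == "." or not line:
            context = None
            continue
        m = KEY_LINE.match(line)
        if m:
            context = ("run", m.group("key"))
            continue
        m = FOLDER_LINE.match(line)
        if m:
            context = ("folder", m.group("folder"))
            continue
        if context is None:
            continue
        kind, src = context
        if kind == "run":
            m = RUN_VALUE.match(line)
            if m:
                entries.append(Entry(src, m.group("name"), m.group("path")))
        else:
            m = LNK_LINE.match(line)
            if m:  # shortcut: what runs is the target, not the .lnk itself
                entries.append(Entry(src, m.group("name"), m.group("target")))
                continue
            m = FILE_LINE.match(line)
            if m:  # plain file in the folder: Windows opens it with ShellExecute at logon
                entries.append(Entry(src, m.group("name"), src + m.group("name")))
    return entries


def assess(entry: Entry) -> Entry:
    """Attach a reason for each heuristic the entry trips."""
    p = entry.path.lower()
    if not p:
        return entry
    base = p.rsplit("\\", 1)[-1]
    if any(tok in p for tok in USER_WRITABLE):
        entry.reasons.append("loads from a user-writable location")
    if entry.source.lower().endswith("\\startup\\") and entry.name.lower().endswith(EXEC_EXT):
        entry.reasons.append("executable placed directly in the Startup folder (not a .lnk)")
    if base in SYSTEM_NAMES and "\\windows\\system32\\" not in p:
        entry.reasons.append(f"'{base}' is a Windows system binary name outside system32")
    return entry


def triage(text: str) -> dict:
    """Return {entry name: [reasons]} for every flagged autostart entry, in log order."""
    return {e.name: e.reasons for e in map(assess, parse_loading_points(text)) if e.reasons}


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(name)
        for r in reasons:
            print("   -", r)
```

Run against the constructed sample, the script leaves the Run-key entries under Program Files alone and singles out exactly the Startup-folder files that the thread's log shows, with the Taskhost.exe copy tripping all three heuristics. The folder walk is deliberately tied to ComboFix's layout (a trailing backslash opens a folder block, a lone `.` closes it), so other tools' dumps would need their own front end.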


#10 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 27 July 2013 - 08:01 AM

The detections have to be removed.

Run a new full scan and hit "Remove selected".



#11 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 30 July 2013 - 10:27 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.