
Coin Miner problem, please help


  • This topic is locked
20 replies to this topic

#1 hydetoism

hydetoism

  • Members
  • 12 posts
  • OFFLINE
  • Local time:02:39 AM

Posted 05 September 2013 - 05:36 AM

I'm sorry for my bad English. I can't speak well.   :(
Dear admin, please help me: my CPU usage has become 100%, and it makes my computer slow.
I found the shell.exe - macromedia - coin miner under "Processes" and "Services", and I'm sure that is the problem.
I'm using Windows 7. So what should I do first?
Thanks for your attention, sir.
Once more, I'm sorry if my English isn't good enough.
 

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 10.0.9200.16660  BrowserJavaVersion: 10.25.2
Run by HANADI at 18:17:35 on 2013-09-05
Microsoft Windows 7 Home Basic   6.1.7601.1.1252.1.1033.18.3071.1613 [GMT 7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ================
.
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
dURLSearchHooks: <No Name>: {93a3111f-4f74-4ed8-895e-d9708497629e} - 
BHO: Ask Toolbar: {5347542D-5637-006A-76A7-7A786E7484D7} - 
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: Improved search toolbar: {E4E012DC-1925-48E9-8010-2D195574642A} - c:\program files\b1 free archiver\toolbar\B1Toolbar32.dll
BHO: EpsonToolBandKicker Class: {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Ask Toolbar: {5347542D-5637-006A-76A7-7A786E7484D7} - 
TB: VideoDownloadConverter: {48586425-6BB7-4F51-8DC6-38C88E3EBB58} - 
TB: VideoDownloadConverter: {48586425-6bb7-4f51-8dc6-38c88e3ebb58} - 
TB: EPSON Web-To-Page: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Improved search toolbar: {E4E012DC-1925-48E9-8010-2D195574642A} - c:\program files\b1 free archiver\toolbar\B1Toolbar32.dll
TB: Ask Toolbar: {5347542D-5637-006A-76A7-7A786E7484D7} - 
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
uRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [RemoteControl8] "c:\program files\cyberlink\powerdvd8\PDVD8Serv.exe"
mRun: [PDVD8LanguageShortcut] "c:\program files\cyberlink\powerdvd8\language\Language.exe"
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [HDAudDeck] c:\program files\via\viaudioi\vdeck\VDeck.exe -r
mRun: [SSDMonitor] c:\program files\common files\pc tools\smonitor\SSDMonitor.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [Autodesk Sync] c:\program files\autodesk\autodesk sync\AdSync.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [APN-Stub_SGT-V7] "c:\programdata\apn\apn-stub\sgt-v7\ApnSetup.exe" /hpr=0 /sa=0 /install=SGT-V7 /dtid= /trgb=IE /type=vanilla /runonce /second /runonce /runonce /runonce /runonce /runonce /runonce /runonce /runonce /runonce /runonce /runonce /runonce /runonce /runonce /runonce
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil32_11_6_602_180_ActiveX.exe -update activex
StartupFolder: c:\users\hanadi\appdata\roaming\micros~1\windows\startm~1\programs\startup\skype.lnk - c:\users\hanadi\appdata\roaming\windowslogonsss\usft_ext.exe.vbs
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: &Google Search - c:\program files\google\googletoolbar.dll/cmsearch.html
IE: Backward &Links - c:\program files\google\googletoolbar.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\google\googletoolbar.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Si&milar Pages - c:\program files\google\googletoolbar.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\googletoolbar.dll/cmtrans.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 202.134.0.155 203.130.193.74
TCP: Interfaces\{B59BF17F-D284-4574-BB03-D47E7A7DC231} : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{B59BF17F-D284-4574-BB03-D47E7A7DC231} : DHCPNameServer = 202.134.0.155 203.130.193.74
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\29.0.1547.62\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\hanadi\appdata\roaming\mozilla\firefox\profiles\fdhs4bqp.default\
FF - prefs.js: browser.search.defaulturl - 
FF - prefs.js: network.proxy.ftp - proxies.telkom.net.id
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.http - proxies.telkom.net.id
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - proxies.telkom.net.id
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - proxies.telkom.net.id
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20513.0\npctrlui.dll
FF - plugin: c:\program files\nitro pdf\reader 2\npdf.dll
FF - plugin: c:\program files\nitro pdf\reader 2\npnitroie.dll
FF - plugin: c:\program files\nitro pdf\reader 2\npnitromozilla.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\users\hanadi\appdata\roaming\igg\web3d\1.0.0.38\NPIGGWeb3DUpdater.dll
FF - plugin: c:\users\hanadi\appdata\roaming\igg\web3d\1.0.0.38\NPJoyConnectShell.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_8_800_94.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
FF - ExtSQL: 2013-08-31 01:26; client@anonymox.net; c:\users\hanadi\appdata\roaming\mozilla\firefox\profiles\fdhs4bqp.default\extensions\client@anonymox.net.xpi
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-6-18 211560]
R2 Autodesk Content Service;Autodesk Content Service;c:\program files\autodesk\content service\Connect.Service.ContentService.exe [2012-1-31 19232]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-8-30 107392]
R2 NitroReaderDriverReadSpool2;NitroPDFReaderDriverCreatorReadSpool2;c:\program files\nitro pdf\reader 2\NitroPDFReaderDriverService2.exe [2012-9-13 196112]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2012-10-23 793048]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2013-1-18 383264]
R2 VIAKaraokeService;VIA Karaoke digital mixer Service;c:\windows\system32\ViakaraokeSrv.exe [2012-10-23 27760]
R3 L1C;NDIS Miniport Driver for Atheros AR81xx PCI-E Ethernet Controller;c:\windows\system32\drivers\L1C62x86.sys [2012-10-22 91248]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2013-6-20 295376]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2012-10-23 1814640]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-21 52224]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 27264]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
.
=============== File Associations ===============
.
FileExt: .scr: AutoCADScriptFile=c:\windows\system32\notepad.exe "%1"
.
=============== Created Last 30 ================
.
2013-09-05 11:13:18 60872 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{0529db85-a35e-431e-829b-807b5cef4120}\offreg.dll
2013-09-05 10:59:46 7166848 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{0529db85-a35e-431e-829b-807b5cef4120}\mpengine.dll
2013-09-05 09:49:13 -------- d-----w- c:\program files\Ragnarok Online 2
2013-09-05 09:46:40 -------- d-----w- C:\gravity
2013-09-03 00:54:39 7166848 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-08-29 12:20:51 -------- d-----w- c:\users\hanadi\appdata\roaming\OpenCandy
2013-08-26 10:01:42 -------- d-----w- c:\users\hanadi\appdata\roaming\Nico Mak Computing
2013-08-26 10:01:41 17224 ----a-w- c:\windows\system32\roboot.exe
2013-08-26 10:01:37 -------- d-----w- c:\program files\WinZip Registry Optimizer
2013-08-24 01:31:55 -------- d-----w- c:\users\hanadi\appdata\roaming\AIMP
2013-08-23 13:46:34 697992 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{44d019ab-1d11-4d79-b081-164dd7126668}\gapaengine.dll
2013-08-15 08:37:24 -------- d-----w- c:\windows\system32\MRT
2013-08-15 03:05:55 -------- d-----w- c:\program files\common files\Steam
2013-08-15 03:05:52 -------- d-----w- c:\program files\Steam
2013-08-14 20:24:09 652800 ----a-w- c:\windows\system32\rpcrt4.dll
2013-08-14 20:23:59 175104 ----a-w- c:\windows\system32\wintrust.dll
2013-08-14 20:23:59 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2013-08-14 20:23:59 1166848 ----a-w- c:\windows\system32\crypt32.dll
2013-08-14 20:23:59 103936 ----a-w- c:\windows\system32\cryptnet.dll
2013-08-14 20:23:53 3968960 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-08-14 20:23:53 3913664 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-08-14 20:23:53 1289096 ----a-w- c:\windows\system32\ntdll.dll
2013-08-14 20:22:29 1293760 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-08-14 20:17:27 1620992 ----a-w- c:\windows\system32\WMVDECOD.DLL
2013-08-14 20:12:19 2048 ----a-w- c:\windows\system32\tzres.dll
2013-08-14 20:12:17 31232 ----a-w- c:\windows\system32\drivers\tssecsrv.sys
.
==================== Find3M  ====================
.
2013-08-21 04:18:25 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-08-21 04:18:25 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-07-26 03:13:24 1767936 ----a-w- c:\windows\system32\wininet.dll
2013-07-26 03:12:04 2877440 ----a-w- c:\windows\system32\jscript9.dll
2013-07-26 03:12:00 61440 ----a-w- c:\windows\system32\iesetup.dll
2013-07-26 03:12:00 109056 ----a-w- c:\windows\system32\iesysprep.dll
2013-07-26 02:49:14 2706432 ----a-w- c:\windows\system32\mshtml.tlb
2013-07-26 01:59:38 71680 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2013-07-09 15:42:08 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2013-06-30 13:16:29 110 ----a-w- c:\windows\DeleteOnReboot.bat
2013-06-24 05:54:27 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-06-24 05:54:22 867240 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-06-24 05:54:22 789416 ----a-w- c:\windows\system32\deployJava1.dll
2013-06-18 14:50:08 211560 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2013-06-18 14:50:08 107392 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
.
============= FINISH: 18:21:37.99 ===============
Edited by hydetoism, 05 September 2013 - 06:22 AM.


#2 hydetoism

hydetoism
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:02:39 AM

Posted 05 September 2013 - 05:39 AM

Attach :

 

.
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Basic 
Boot Device: \Device\HarddiskVolume1
Install Date: 10/22/2012 10:13:31 PM
System Uptime: 9/5/2013 6:11:13 PM (0 hours ago)
.
Motherboard: BIOSTAR Group |  | G41D3C
Processor: Intel® Core™2 Duo CPU     E7500  @ 2.93GHz | CPU 1 | 2933/267mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 83 GiB total, 20.482 GiB free.
D: is FIXED (NTFS) - 78 GiB total, 3.53 GiB free.
E: is FIXED (NTFS) - 68 GiB total, 11.782 GiB free.
F: is FIXED (NTFS) - 69 GiB total, 6.058 GiB free.
G: is CDROM ()
H: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP312: 9/4/2013 3:58:46 PM - Installed NVIDIA PhysX
RP313: 9/4/2013 4:12:14 PM - Installed NVIDIA PhysX
RP314: 9/5/2013 4:23:04 PM - Removed Autodesk Sync
.
==== Installed Programs ======================
.
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Audition 1.5
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Reader XI (11.0.03)
Adobe Setup
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Apple Application Support
Apple Software Update
Ask Toolbar
Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver
AutoCAD 2013 - English
AutoCAD 2013 Language Pack - English
Autodesk Content Service
Autodesk Content Service Language Pack
Autodesk Design Review 2013
Autodesk Inventor Fusion 2013
Autodesk Inventor Fusion plug-in for AutoCAD 2013
Autodesk Inventor Fusion plug-in language pack for AutoCAD 2013
Autodesk Material Library 2013
Autodesk Material Library Base Resolution Image Library 2013
Autodesk Sync
B1 Free Archiver
Big City Adventure-Sydney Australia
Big City Adventure New York City
Color Efex Pro 3.0 Complete
Combined Community Codec Pack 2011-11-11
Compatibility Pack for the 2007 Office system
Corel Graphics - Windows Shell Extension
CorelDRAW Graphics Suite X6
CorelDRAW Graphics Suite X6 - Capture
CorelDRAW Graphics Suite X6 - Common
CorelDRAW Graphics Suite X6 - Connect
CorelDRAW Graphics Suite X6 - Custom Data
CorelDRAW Graphics Suite X6 - Draw
CorelDRAW Graphics Suite X6 - EN
CorelDRAW Graphics Suite X6 - Filters
CorelDRAW Graphics Suite X6 - FontNav
CorelDRAW Graphics Suite X6 - IPM
CorelDRAW Graphics Suite X6 - PHOTO-PAINT
CorelDRAW Graphics Suite X6 - Photozoom Plugin
CorelDRAW Graphics Suite X6 - Redist
CorelDRAW Graphics Suite X6 - Setup Files
CorelDRAW Graphics Suite X6 - VBA
CorelDRAW Graphics Suite X6 - VideoBrowser
CorelDRAW Graphics Suite X6 - VSTA
CorelDRAW Graphics Suite X6 - Writing Tools
COWON Media Center - jetAudio Plus VX
CyberLink PowerDVD 8
Dota 2
EPSON Attach To Email
EPSON Copy Utility 3
EPSON Easy Photo Print
EPSON File Manager
EPSON Printer Software
EPSON Scan Assistant
EPSON Web-To-Page
ESCX2800_2900 User's Guide
FARO LS 1.1.406.58
GOM Player
Google Chrome
Google Desktop Search
Google Toolbar for Internet Explorer
Google Update Helper
GSMULTI V3.0
Guitar Pro 5.2
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946040)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946308)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946344)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947540)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947789)
IGG Web3D Player version 1.0.0.38
Improved search - B1 Toolbar
Java 7 Update 25
Java Auto Updater
LEO
Luxor
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Flight Simulator 2004 A Century of Flight
Microsoft Office 2007 Help Tab
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft Visual Basic for Applications 7.1 (x86)
Microsoft Visual Basic for Applications 7.1 (x86) English
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Microsoft Visual Studio Tools for Applications 2.0 - ENU
Microsoft Visual Studio Tools for Applications 2.0 Runtime
Mozilla Firefox 23.0.1 (x86 en-US)
Mozilla Maintenance Service
MSVCRT Redists
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 8
neroxml
Nitro Reader 2
NVIDIA 3D Vision Driver 311.06
NVIDIA Control Panel 311.06
NVIDIA Graphics Driver 311.06
NVIDIA Install Application
NVIDIA PhysX
NVIDIA Stereoscopic 3D Driver
NVIDIA Update 1.11.3
NVIDIA Update Components
PC Tools Registry Mechanic 11.0
PDF Settings
PIF DESIGNER
Platform
PowerISO
Puzzle Detective
QuickTime
Ragnarok Online 2
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628v2)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687309) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2687311) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2687439) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2760416) 32-Bit Edition 
Security Update for Microsoft Office Excel 2007 (KB2687307) 32-Bit Edition 
Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition 
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2597971) 32-Bit Edition 
Security Update for Microsoft Office Word 2007 (KB2760421) 32-Bit Edition 
Steam
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2836939)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2687493) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767849) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition
Update for Microsoft Office Outlook 2007 (KB2768023) 32-Bit Edition
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2817642) 32-Bit Edition
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update Manager
VCRedistSetup
Vegas Pro 10.0
VIA Platform Device Manager
Video Download Converter version 1.0.0.0
VLC media player 2.0.2
VueScan
Winamp
Winamp Detector Plug-in
WinRAR 4.20 (32-bit)
Yahoo! Messenger
YTD Video Downloader 4.5
.
==== Event Viewer Messages From Past Week ========
.
9/5/2013 8:08:04 AM, Error: Microsoft-Windows-Eventlog [23]  - The event logging service encountered an error (res=23) while initializing logging resources for channel Microsoft-Windows-ReliabilityAnalysisComponent/Operational.
9/5/2013 6:19:57 PM, Error: cdrom [11]  - The driver detected a controller error on \Device\CdRom0.
9/5/2013 6:14:18 PM, Error: Service Control Manager [7038]  - The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error:  Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
9/5/2013 6:14:18 PM, Error: Service Control Manager [7000]  - The NVIDIA Update Service Daemon service failed to start due to the following error:  The service did not start due to a logon failure.
9/5/2013 5:07:05 PM, Error: Service Control Manager [7000]  - The dphdummy service failed to start due to the following error:  Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
9/5/2013 4:58:11 PM, Error: Ntfs [137]  - The default transaction resource manager on volume G: encountered a non-retryable error and could not start.  The data contains the error code.
9/5/2013 2:52:30 AM, Error: cdrom [15]  - The device, \Device\CdRom0, is not ready for access yet.
9/5/2013 2:52:30 AM, Error: atapi [11]  - The driver detected a controller error on \Device\Ide\IdePort2.
8/30/2013 1:18:29 PM, Error: Disk [11]  - The driver detected a controller error on \Device\Harddisk1\DR1.
8/29/2013 11:00:33 AM, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the Steam Client Service service to connect.
8/29/2013 11:00:33 AM, Error: Service Control Manager [7000]  - The Steam Client Service service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
.
==== End Of File ===========================
 

 


Edited by hydetoism, 05 September 2013 - 06:25 AM.


#3 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:39 PM

Posted 05 September 2013 - 06:13 AM

Hi there,
My name is Marius, and I will assist you with your malware-related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )
  • Leave everything else as it is.
  • Close all other running programs as well as your Browser.
  • Click the Scan button & wait for it to finish.
  • Once done, click on the Save.. button, and in the File name area, type in "ark.txt"; otherwise it will save as a .log file, which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


Proud Member of UNITE & TB

#4 hydetoism

hydetoism
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:02:39 AM

Posted 05 September 2013 - 07:14 AM

Here, Sir.

Rootkit scan result:

 

GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-09-05 19:12:46
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-3 ST3320613AS rev.SD22 298.09GB
Running: bnv62u41.exe; Driver: C:\Users\HANADI\AppData\Local\Temp\pxdirpow.sys
 
 
---- Registry - GMER 2.1 ----
 
Reg  HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug@StoreLocation                                                                              C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Kernel_0_0_cab_06f84f3b
Reg  HKLM\SOFTWARE\Classes\CLSID\{A40F8BBE-77CD-78A3-DF6D-3C14B7105899}\lkXHeoqVgntze@                                                                        pBum^ta[?WWM}d[d
Reg  HKLM\SOFTWARE\Classes\CLSID\{A40F8BBE-77CD-78A3-DF6D-3C14B7105899}\oQgbUzxSfkY@                                                                          [HOW^sAEQJm{^{A^PgcDQrlzJsRTk
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C                                                                                   
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC                                                                                 
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume                                                                          
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D                                                                                   
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E                                                                                   
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F                                                                                   
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\H                                                                                   
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\I                                                                                   
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\J                                                                                   
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0ba7d2df-2ed1-11e2-a41e-003067e6b8ad}                                              
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1ec2a56a-24ba-11e2-8db7-003067e6b8ad}                                              
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1f635e0f-5657-11e2-b8d6-003067e6b8ad}                                              
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1f635e0f-5657-11e2-b8d6-003067e6b8ad}\shell                                        
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1f635e0f-5657-11e2-b8d6-003067e6b8ad}\shell@                                       None
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1f635e0f-5657-11e2-b8d6-003067e6b8ad}\shell\Autoplay                               
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1f635e0f-5657-11e2-b8d6-003067e6b8ad}\shell\Autoplay@MUIVerb                       @shell32.dll,-8507
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1f635e0f-5657-11e2-b8d6-003067e6b8ad}\shell\Autoplay\DropTarget                    
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1f635e0f-5657-11e2-b8d6-003067e6b8ad}\shell\Autoplay\DropTarget@CLSID              {F26A669A-BCBB-4E37-ABF9-7325DA15F931}
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3e4474e2-854a-11e2-b47b-003067e6b8ad}                                              
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3e4474e2-854a-11e2-b47b-003067e6b8ad}\shell                                        
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3e4474e2-854a-11e2-b47b-003067e6b8ad}\shell@                                       None
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3e4474e2-854a-11e2-b47b-003067e6b8ad}\shell\Autoplay                               
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3e4474e2-854a-11e2-b47b-003067e6b8ad}\shell\Autoplay@MUIVerb                       @shell32.dll,-8507
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3e4474e2-854a-11e2-b47b-003067e6b8ad}\shell\Autoplay\DropTarget                    
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3e4474e2-854a-11e2-b47b-003067e6b8ad}\shell\Autoplay\DropTarget@CLSID              {F26A669A-BCBB-4E37-ABF9-7325DA15F931}
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{42eae9ef-1d28-11e2-943f-003067e6b8ad}                                              
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{42eae9fe-1d28-11e2-943f-003067e6b8ad}                                              
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{42eaea06-1d28-11e2-943f-003067e6b8ad}                                              
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{42eaea06-1d28-11e2-943f-003067e6b8ad}\shell                                        
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{42eaea06-1d28-11e2-943f-003067e6b8ad}\shell@                                       None
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{42eaea06-1d28-11e2-943f-003067e6b8ad}\shell\Autoplay                               
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{42eaea06-1d28-11e2-943f-003067e6b8ad}\shell\Autoplay@MUIVerb                       @shell32.dll,-8507
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{42eaea06-1d28-11e2-943f-003067e6b8ad}\shell\Autoplay\DropTarget                    
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{42eaea06-1d28-11e2-943f-003067e6b8ad}\shell\Autoplay\DropTarget@CLSID              {F26A669A-BCBB-4E37-ABF9-7325DA15F931}
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{42eaea14-1d28-11e2-943f-003067e6b8ad}                                              
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{59480ff8-1c5c-11e2-a335-a724d82d3b37}                                              
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6cf97f29-5ee7-11e2-9ac4-003067e6b8ad}                                              
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8a6de192-3636-11e2-9fc1-003067e6b8ad}                                              
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8a6de192-3636-11e2-9fc1-003067e6b8ad}\shell                                        
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8a6de192-3636-11e2-9fc1-003067e6b8ad}\shell@                                       None
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8a6de192-3636-11e2-9fc1-003067e6b8ad}\shell\Autoplay                               
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8a6de192-3636-11e2-9fc1-003067e6b8ad}\shell\Autoplay@MUIVerb                       @shell32.dll,-8507
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8a6de192-3636-11e2-9fc1-003067e6b8ad}\shell\Autoplay\DropTarget                    
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8a6de192-3636-11e2-9fc1-003067e6b8ad}\shell\Autoplay\DropTarget@CLSID              {F26A669A-BCBB-4E37-ABF9-7325DA15F931}
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{92455e0d-704f-11e2-9d22-003067e6b8ad}                                              
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9711717d-248a-11e2-8589-003067e6b8ad}                                              
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9711717d-248a-11e2-8589-003067e6b8ad}\shell                                        
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9711717d-248a-11e2-8589-003067e6b8ad}\shell@                                       None
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9711717d-248a-11e2-8589-003067e6b8ad}\shell\Autoplay                               
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9711717d-248a-11e2-8589-003067e6b8ad}\shell\Autoplay@MUIVerb                       @shell32.dll,-8507
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9711717d-248a-11e2-8589-003067e6b8ad}\shell\Autoplay\DropTarget                    
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9711717d-248a-11e2-8589-003067e6b8ad}\shell\Autoplay\DropTarget@CLSID              {F26A669A-BCBB-4E37-ABF9-7325DA15F931}
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{97117185-248a-11e2-8589-003067e6b8ad}                                              
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{97117185-248a-11e2-8589-003067e6b8ad}\shell                                        
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{97117185-248a-11e2-8589-003067e6b8ad}\shell@                                       AutoRun
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{97117185-248a-11e2-8589-003067e6b8ad}\shell\Autoplay                               
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{97117185-248a-11e2-8589-003067e6b8ad}\shell\Autoplay@MUIVerb                       @shell32.dll,-8507
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{97117185-248a-11e2-8589-003067e6b8ad}\shell\Autoplay\DropTarget                    
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{97117185-248a-11e2-8589-003067e6b8ad}\shell\Autoplay\DropTarget@CLSID              {F26A669A-BCBB-4E37-ABF9-7325DA15F931}
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{97117185-248a-11e2-8589-003067e6b8ad}\shell\AutoRun                                
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{97117185-248a-11e2-8589-003067e6b8ad}\shell\AutoRun@                               Install Motorola Driver
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{97117185-248a-11e2-8589-003067e6b8ad}\shell\AutoRun@SetWorkingDirectoryFromTarget  
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{97117185-248a-11e2-8589-003067e6b8ad}\shell\AutoRun\command                        
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{97117185-248a-11e2-8589-003067e6b8ad}\shell\AutoRun\command@                       I:\setup.exe -a
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{97117185-248a-11e2-8589-003067e6b8ad}\_Autorun                                     
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{97117185-248a-11e2-8589-003067e6b8ad}\_Autorun\Action                              
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{97117185-248a-11e2-8589-003067e6b8ad}\_Autorun\Action@                             Install Motorola Driver
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{97117185-248a-11e2-8589-003067e6b8ad}\_Autorun\DefaultIcon                         
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{97117185-248a-11e2-8589-003067e6b8ad}\_Autorun\DefaultIcon@                        I:\setup.exe, 0
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9bc510f9-2336-11e2-9741-003067e6b8ad}                                              
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{aa870fbd-1cce-11e2-91b0-806e6f6e6963}                                              
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{aa870fbe-1cce-11e2-91b0-806e6f6e6963}                                              
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{aa870fbf-1cce-11e2-91b0-806e6f6e6963}                                              
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{aa870fbf-1cce-11e2-91b0-806e6f6e6963}@_CommentFromDesktopINI                       
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{aa870fc0-1cce-11e2-91b0-806e6f6e6963}                                              
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{aa870fc3-1cce-11e2-91b0-806e6f6e6963}                                              
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{aa870fc3-1cce-11e2-91b0-806e6f6e6963}\Name                                         
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{aa870fc3-1cce-11e2-91b0-806e6f6e6963}\Name@SetWorkingDirectoryFromTarget           
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{aa870fc3-1cce-11e2-91b0-806e6f6e6963}\Name@                                        Flight Simulator X Disk 1
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{aa870fc3-1cce-11e2-91b0-806e6f6e6963}\_Autorun                                     
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{aa870fc3-1cce-11e2-91b0-806e6f6e6963}\_Autorun\DefaultIcon                         
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{aa870fc3-1cce-11e2-91b0-806e6f6e6963}\_Autorun\DefaultIcon@                        G:\Setup.exe
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b59ca776-6dac-11e2-a61d-806e6f6e6963}                                              
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b59ca776-6dac-11e2-a61d-806e6f6e6963}\_Autorun                                     
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b59ca776-6dac-11e2-a61d-806e6f6e6963}\_Autorun\DefaultIcon                         
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b59ca776-6dac-11e2-a61d-806e6f6e6963}\_Autorun\DefaultIcon@                        G:\autorun.exe
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b62540fc-5ba6-11e2-b516-003067e6b8ad}                                              
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cae07a4d-1cb3-11e2-8831-003067e6b8ad}                                              
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cae07a4d-1cb3-11e2-8831-003067e6b8ad}\shell                                        
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cae07a4d-1cb3-11e2-8831-003067e6b8ad}\shell@                                       None
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cae07a4d-1cb3-11e2-8831-003067e6b8ad}\shell\Autoplay                               
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cae07a4d-1cb3-11e2-8831-003067e6b8ad}\shell\Autoplay@MUIVerb                       @shell32.dll,-8507
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cae07a4d-1cb3-11e2-8831-003067e6b8ad}\shell\Autoplay\DropTarget                    
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cae07a4d-1cb3-11e2-8831-003067e6b8ad}\shell\Autoplay\DropTarget@CLSID              {F26A669A-BCBB-4E37-ABF9-7325DA15F931}
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cbb0b9fa-8635-11e2-98d2-003067e6b8ad}                                              
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d674f739-1dca-11e2-b909-003067e6b8ad}                                              
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f2d29c03-5acb-11e2-b839-003067e6b8ad}                                              
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f2d29c03-5acb-11e2-b839-003067e6b8ad}\shell                                        
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f2d29c03-5acb-11e2-b839-003067e6b8ad}\shell@                                       None
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f2d29c03-5acb-11e2-b839-003067e6b8ad}\shell\Autoplay                               
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f2d29c03-5acb-11e2-b839-003067e6b8ad}\shell\Autoplay@MUIVerb                       @shell32.dll,-8507
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f2d29c03-5acb-11e2-b839-003067e6b8ad}\shell\Autoplay\DropTarget                    
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f2d29c03-5acb-11e2-b839-003067e6b8ad}\shell\Autoplay\DropTarget@CLSID              {F26A669A-BCBB-4E37-ABF9-7325DA15F931}
 
---- EOF - GMER 2.1 ----


#5 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:39 PM

Posted 05 September 2013 - 08:13 AM

Add/Remove Programs

Click on Start --> Control Panel.

Vista/7: Open Programs and Features
XP: Open Add/Remove Programs

Search for and remove the following programs:

Ask Toolbar
Improved search - B1 Toolbar

Close the window.


Combofix

Combofix should only be run when advised by a team member!

Link

Important - Save the file to your desktop!

  • Deactivate any and all of your antivirus programs / spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe

When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing "Illegal operation attempted on a registry key that has been marked for deletion", simply restart your computer to fix this.


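An added example, not part of TB-Psychotic's post or of any tool he names: the same list that Programs and Features shows, read directly from the Windows registry Uninstall keys with PowerShell, with the two program names from the post flagged together with the command their Uninstall button actually runs. The names "Ask Toolbar" and "B1 Toolbar" come from the post above; the registry paths are the standard Windows Uninstall locations, and the Wow6432Node branch simply does not exist on a 32-bit install such as the one in this thread.

```powershell
# Added example (not from the BleepingComputer post): enumerate installed programs the
# way Programs and Features does, by reading the registry Uninstall keys, and flag the
# entries whose DisplayName matches the names the helper asked to be removed.
# The two names below are taken from the post; the registry layout is standard Windows.
$targets = @('Ask Toolbar', 'B1 Toolbar')

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',  # 64-bit Windows only
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'                # per-user installs
)

# Missing keys (e.g. Wow6432Node on 32-bit Windows) are skipped silently.
$programs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, Publisher, InstallDate, UninstallString, PSPath

# Everything Programs and Features would list, sorted by name.
$programs | Sort-Object DisplayName | Format-Table DisplayName, Publisher, InstallDate -AutoSize

# The entries matching the names from the post, with the command the Uninstall button runs.
# When the GUI removal fails, UninstallString shows which executable was launched and where
# it lives; an uninstaller sitting under a user profile rather than Program Files is worth a
# closer look before it is trusted to clean itself up.
$flagged = foreach ($t in $targets) {
    $programs | Where-Object { $_.DisplayName -like "*$t*" }
}
$flagged | Format-List DisplayName, Publisher, UninstallString, PSPath
```

Run it from a normal PowerShell prompt; reading these keys needs no elevation. The PSPath column tells you whether a toolbar was registered machine-wide (HKLM) or only for the current user (HKCU), which decides whether an administrator prompt is expected when it is removed.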

#6 hydetoism

hydetoism
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:39 AM

Posted 05 September 2013 - 08:58 AM

Remove:

Ask Toolbar: done

Improved search B1 toolbar: doesn't work. I can't remove this program. When I click 'remove', my browser closes automatically but the program still exists.

How do I fix it?

Wait a minute, I will restart my computer, run combofix.exe, and post it here.



#7 hydetoism

hydetoism
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:39 AM

Posted 05 September 2013 - 09:34 AM

From ComboFix:

ComboFix 13-09-04.04 - HANADI 09/05/2013  21:23:09.1.2 - x86
Microsoft Windows 7 Home Basic   6.1.7601.1.1252.1.1033.18.3071.1627 [GMT 7:00]
Running from: d:\malware\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\users\HANADI\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Skype.lnk
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\coinutil.dll
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\macro\compile.bat
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\macro\macromedia.exe
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\macro\macromedia.exe_part2
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\macro\macromedia.exe_part3
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\macro\macromedia.exe_part4
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\macro\macromedia.exe_part5
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\macro\macromedia.exe_part6
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\macromedia.exe
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\min\compile.bat
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\min\miner.dll
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\min\miner.dll_part10
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\min\miner.dll_part11
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\min\miner.dll_part12
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\min\miner.dll_part13
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\min\miner.dll_part14
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\min\miner.dll_part15
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\min\miner.dll_part16
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\min\miner.dll_part17
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\min\miner.dll_part18
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\min\miner.dll_part19
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\min\miner.dll_part2
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\min\miner.dll_part20
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\min\miner.dll_part21
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\min\miner.dll_part22
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\min\miner.dll_part23
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\min\miner.dll_part24
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\min\miner.dll_part25
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\min\miner.dll_part26
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\min\miner.dll_part27
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\min\miner.dll_part28
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\min\miner.dll_part29
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\min\miner.dll_part3
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\min\miner.dll_part30
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\min\miner.dll_part31
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\min\miner.dll_part32
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\min\miner.dll_part33
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\min\miner.dll_part34
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\min\miner.dll_part35
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\min\miner.dll_part4
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\min\miner.dll_part5
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\min\miner.dll_part6
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\min\miner.dll_part7
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\min\miner.dll_part8
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\min\miner.dll_part9
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\miner.dll
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\openssl.dll
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\phatk.cl
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\phatk.ptx
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\shel\shell.exe
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\shel\shell.exe_part2
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\shel\shell.exe_part3
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\shel\shell.exe_part4
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\shel\shell.exe_part5
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\shel\shell.exe_part6
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\shell.exe
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\usft_ext.dll
c:\users\HANADI\AppData\Roaming\WindowsLogonSSS\usft_ext.exe.vbs
c:\users\Public\sdelevURL.tmp
c:\windows\system32\roboot.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-05 to 2013-09-05  )))))))))))))))))))))))))))))))
.
.
2013-09-05 14:31 . 2013-09-05 14:31 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2013-09-05 14:31 . 2013-09-05 14:31 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-09-05 11:27 . 2013-08-06 07:28 7166848 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D144C01E-3D99-4F14-9A4B-CBADEFD9EEF3}\mpengine.dll
2013-09-05 10:59 . 2013-08-06 07:28 7166848 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-09-05 09:49 . 2013-09-05 11:13 -------- d-----w- c:\program files\Ragnarok Online 2
2013-09-05 09:46 . 2013-09-05 09:46 -------- d-----w- C:\gravity
2013-09-04 09:12 . 2013-09-04 09:12 -------- d-----w- c:\program files\AGEIA Technologies
2013-08-29 12:20 . 2013-08-29 12:20 -------- d-----w- c:\users\HANADI\AppData\Roaming\OpenCandy
2013-08-26 10:01 . 2013-08-27 04:30 -------- d-----w- c:\users\HANADI\AppData\Roaming\Nico Mak Computing
2013-08-26 10:01 . 2013-08-27 04:30 -------- d-----w- c:\program files\WinZip Registry Optimizer
2013-08-24 01:31 . 2013-08-24 04:58 -------- d-----w- c:\users\HANADI\AppData\Roaming\AIMP
2013-08-23 13:46 . 2013-08-23 13:46 697992 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{44D019AB-1D11-4D79-B081-164DD7126668}\gapaengine.dll
2013-08-15 08:37 . 2013-08-15 08:39 -------- d-----w- c:\windows\system32\MRT
2013-08-15 03:05 . 2013-08-30 02:42 -------- d-----w- c:\program files\Common Files\Steam
2013-08-15 03:05 . 2013-09-05 14:18 -------- d-----w- c:\program files\Steam
2013-08-14 20:24 . 2013-07-09 04:50 652800 ----a-w- c:\windows\system32\rpcrt4.dll
2013-08-14 20:23 . 2013-07-09 04:52 175104 ----a-w- c:\windows\system32\wintrust.dll
2013-08-14 20:23 . 2013-07-09 04:46 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2013-08-14 20:23 . 2013-07-09 04:46 1166848 ----a-w- c:\windows\system32\crypt32.dll
2013-08-14 20:23 . 2013-07-09 04:46 103936 ----a-w- c:\windows\system32\cryptnet.dll
2013-08-14 20:23 . 2013-07-09 05:03 3968960 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-08-14 20:23 . 2013-07-09 05:03 3913664 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-08-14 20:23 . 2013-07-09 04:53 1289096 ----a-w- c:\windows\system32\ntdll.dll
2013-08-14 20:22 . 2013-07-06 05:05 1293760 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-08-14 20:17 . 2013-07-25 08:57 1620992 ----a-w- c:\windows\system32\WMVDECOD.DLL
2013-08-14 20:12 . 2013-07-19 01:41 2048 ----a-w- c:\windows\system32\tzres.dll
2013-08-14 20:12 . 2013-06-15 03:38 31232 ----a-w- c:\windows\system32\drivers\tssecsrv.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-21 04:18 . 2012-10-22 16:37 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-08-21 04:18 . 2012-10-22 16:37 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-07-18 02:39 . 2012-10-24 15:38 698504 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2013-07-09 15:42 . 2013-07-09 15:42 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2013-06-30 13:16 . 2013-06-30 13:16 110 ----a-w- c:\windows\DeleteOnReboot.bat
2013-06-24 05:54 . 2013-06-24 05:54 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-06-24 05:54 . 2013-04-18 21:12 789416 ----a-w- c:\windows\system32\deployJava1.dll
2013-06-24 05:54 . 2013-04-18 21:12 867240 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-06-18 14:50 . 2013-06-18 14:50 211560 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2013-06-18 14:50 . 2012-08-30 15:03 107392 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2013-06-07 19:35 . 2013-06-07 19:35 745472 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2013-06-07 19:35 . 2013-06-07 19:35 185344 ----a-w- c:\windows\system32\elshyph.dll
2013-06-07 19:35 . 2013-06-07 19:35 523264 ----a-w- c:\windows\system32\vbscript.dll
2013-06-07 19:35 . 2013-06-07 19:35 158720 ----a-w- c:\windows\system32\msls31.dll
2013-06-07 19:35 . 2013-06-07 19:35 150528 ----a-w- c:\windows\system32\iexpress.exe
2013-06-07 19:35 . 2013-06-07 19:35 138752 ----a-w- c:\windows\system32\wextract.exe
2013-06-07 19:35 . 2013-06-07 19:35 137216 ----a-w- c:\windows\system32\ieUnatt.exe
2013-06-07 19:35 . 2013-06-07 19:35 73728 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2013-06-07 19:35 . 2013-06-07 19:35 61952 ----a-w- c:\windows\system32\tdc.ocx
2013-06-07 19:35 . 2013-06-07 19:35 48640 ----a-w- c:\windows\system32\mshtmler.dll
2013-06-07 19:35 . 2013-06-07 19:35 38400 ----a-w- c:\windows\system32\imgutil.dll
2013-06-07 19:35 . 2013-06-07 19:35 361984 ----a-w- c:\windows\system32\html.iec
2013-06-07 19:35 . 2013-06-07 19:35 12800 ----a-w- c:\windows\system32\mshta.exe
2013-06-07 19:35 . 2013-06-07 19:35 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2013-06-07 19:35 . 2013-06-07 19:35 719360 ----a-w- c:\windows\system32\mshtmlmedia.dll
2013-06-07 19:35 . 2013-06-07 19:35 23040 ----a-w- c:\windows\system32\licmgr10.dll
2013-06-07 19:35 . 2013-06-07 19:35 1441280 ----a-w- c:\windows\system32\inetcpl.cpl
2013-02-01 07:04 . 2013-08-18 03:49 109568 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 202024]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2012-05-24 6595928]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2013-02-01 118784]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 249856]
"Steam"="c:\program files\Steam\Steam.exe" [2013-08-28 1811880]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2012-06-20 74752]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-06-20 995176]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-20 83240]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"HDAudDeck"="c:\program files\VIA\VIAudioi\VDeck\VDeck.exe" [2011-02-23 2145392]
"SSDMonitor"="c:\program files\Common Files\PC Tools\sMonitor\SSDMonitor.exe" [2011-12-12 103896]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-07 200704]
"Autodesk Sync"="c:\program files\Autodesk\Autodesk Sync\AdSync.exe" [2012-02-05 383424]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"APN-Stub_SGT-V7"="c:\programdata\APN\APN-Stub\SGT-V7\ApnSetup.exe" [2013-06-06 489392]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer3"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
.
R3 1394hub;1394 Enabled Hub;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2013-06-18 107392]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2013-06-20 295376]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
S2 Autodesk Content Service;Autodesk Content Service;c:\program files\Autodesk\Content Service\Connect.Service.ContentService.exe [2012-01-31 19232]
S2 NitroReaderDriverReadSpool2;NitroPDFReaderDriverCreatorReadSpool2;c:\program files\Nitro PDF\Reader 2\NitroPDFReaderDriverService2.exe [2012-09-12 196112]
S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [2011-12-12 793048]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2013-01-18 383264]
S2 VIAKaraokeService;VIA Karaoke digital mixer Service;c:\windows\system32\viakaraokesrv.exe [2011-09-07 27760]
S3 L1C;NDIS Miniport Driver for Atheros AR81xx PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x86.sys [2012-03-02 91248]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2011-09-07 1814640]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ   SSDPSRV upnphost SCardSvr TBS fdrespub AppIDSvc QWAVE wcncsvc SensrSvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-08-30 18:25 1177552 ----a-w- c:\program files\Google\Chrome\Application\29.0.1547.62\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-05 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-10-22 04:18]
.
2013-09-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-10-23 01:55]
.
2013-09-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-10-23 01:55]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: &Google Search - c:\program files\Google\googletoolbar.dll/cmsearch.html
IE: Backward &Links - c:\program files\Google\googletoolbar.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\Google\googletoolbar.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Si&milar Pages - c:\program files\Google\googletoolbar.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\googletoolbar.dll/cmtrans.html
TCP: DhcpNameServer = 202.134.0.155 203.130.193.74
TCP: Interfaces\{B59BF17F-D284-4574-BB03-D47E7A7DC231}: NameServer = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\users\HANADI\AppData\Roaming\Mozilla\Firefox\Profiles\fdhs4bqp.default\
FF - prefs.js: browser.search.defaulturl - 
FF - prefs.js: network.proxy.ftp - proxies.telkom.net.id
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.http - proxies.telkom.net.id
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - proxies.telkom.net.id
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - proxies.telkom.net.id
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2013-08-31 01:26; client@anonymox.net; c:\users\HANADI\AppData\Roaming\Mozilla\Firefox\Profiles\fdhs4bqp.default\extensions\client@anonymox.net.xpi
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{5347542D-5341-5400-76A7-7A786E7484D7} - (no file)
WebBrowser-{5347542D-5637-006A-76A7-7A786E7484D7} - (no file)
HKU-Default-RunOnce-FlashPlayerUpdate - c:\windows\system32\Macromed\Flash\FlashUtil32_11_6_602_180_ActiveX.exe
AddRemove-VDC_is1 - c:\program files\Video Download Converter\unins000.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:e8,d5,8d,21,ec,30,ce,01
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,de,0f,91,6b,44,73,77,4f,9e,6c,da,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,de,0f,91,6b,44,73,77,4f,9e,6c,da,\
.
[HKEY_USERS\S-1-5-21-146086492-2649329014-1726378491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2]
@Denied: (Full) (Everyone)
.
[HKEY_USERS\S-1-5-21-146086492-2649329014-1726378491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{aa870fbf-1cce-11e2-91b0-806e6f6e6963}]
"_CommentFromDesktopINI"=""
.
[HKEY_USERS\S-1-5-21-146086492-2649329014-1726378491-1000_Classes\CLSID\{030D8816-6063-7143-B679-4525324BB6A0}]
@Denied: (A 4) (Everyone)
.
[HKEY_USERS\S-1-5-21-146086492-2649329014-1726378491-1000_Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"scansk"=hex(0):15,9d,0f,3f,9e,de,83,2b,79,11,ee,68,ac,e9,b0,cc,60,28,d3,ea,91,
   44,6b,a1,f6,cc,e3,e9,45,19,f3,53,fc,8b,b5,a0,ee,b5,b6,df,00,00,00,00,00,00,\
.
[HKEY_USERS\S-1-5-21-146086492-2649329014-1726378491-1000_Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"scansk"=hex(0):7f,86,67,35,99,ac,65,45,eb,45,87,80,d1,99,3b,71,a8,3b,ac,bb,41,
   f4,bb,c2,af,8f,62,c1,fe,4e,c8,6b,53,00,0e,10,6b,e9,85,66,00,00,00,00,00,00,\
.
[HKEY_USERS\S-1-5-21-146086492-2649329014-1726378491-1000_Classes\CLSID\{8ed47985-a923-4927-a711-e6505bf4877e}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:000000d5
"Therad"=dword:00000001
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
   1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
[HKEY_USERS\S-1-5-21-146086492-2649329014-1726378491-1000_Classes\CLSID\{b61454a0-df18-4590-9574-edbb7eaf73c0}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:00000039
"Therad"=dword:00000029
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
   38,95,44,75,07,18,dd,fb,11,42,94,27,b7,99,0d,2a,ba,05,1a,a2,02,c9,3e,9b,f9,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.EXE'(1812)
c:\program files\Nero\Nero8\Nero BackItUp\NBShell.dll
c:\program files\PowerISO\PWRISOSH.DLL
c:\program files\JetAudio\JetFlExt.dll
c:\program files\Common Files\Nero\Shared\NL3\AdvrCntr3.dll
c:\program files\Common Files\Autodesk Shared\DWF Common\en-US\DWFShellExtensionRes.dll
c:\program files\EPSON\Creativity Suite\Easy Photo Print\EPPShell.dll
c:\program files\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll
c:\program files\Common Files\Autodesk Shared\DWF Common\DWFShellExtension.dll
c:\program files\Common Files\Autodesk Shared\DWF Common\dwfcore_wt.1.7.0.dll
c:\program files\Common Files\Autodesk Shared\DWF Common\dwftk_wt.7.7.0.dll
c:\program files\Common Files\Autodesk Shared\DWF Common\w3dtk_wt.1.7.1555.dll
c:\program files\Common Files\Autodesk Shared\DWF Common\whiptk_wt.7.13.601.dll
c:\program files\Bonjour\mdnsNSP.dll
c:\users\HANADI\AppData\Local\Temp\catchme.dll
.
Completion time: 2013-09-05  21:33:28
ComboFix-quarantined-files.txt  2013-09-05 14:33
.
Pre-Run: 21,657,821,184 bytes free
Post-Run: 21,548,969,984 bytes free
.
- - End Of File - - 23577E95FC8793DDD47CEDAF2A7133CC
A36C5E4F47E84449FF07ED3517B43A31


#8 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:08:39 PM

Posted 05 September 2013 - 11:50 PM

Combofix scripting

1. Close any open browsers.

2. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.


[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Full System Scan with Malwarebytes Antimalware

  • If not existing, please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.


If the program is already installed:
  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.

Attached Files


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#9 hydetoism

hydetoism
  • Topic Starter

  • Members
  • 12 posts
  • Local time:02:39 AM

Posted 06 September 2013 - 08:00 AM

Here is the ComboFix:

 

ComboFix 13-09-04.04 - HANADI 09/06/2013  17:18:17.2.2 - x86

Microsoft Windows 7 Home Basic   6.1.7601.1.1252.1.1033.18.3071.1819 [GMT 7:00]
Running from: d:\malware\ComboFix.exe
Command switches used :: d:\malware\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\WinZip Registry Optimizer
c:\users\HANADI\AppData\Roaming\Nico Mak Computing
c:\users\HANADI\AppData\Roaming\OpenCandy
c:\users\HANADI\AppData\Roaming\OpenCandy\5403FCCC487C4BCF8FB5B2B640A8DAF6\TuneUpUtilities2013-2200313_en-US.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-06 to 2013-09-06  )))))))))))))))))))))))))))))))
.
.
2013-09-06 10:27 . 2013-09-06 10:27 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2013-09-06 10:27 . 2013-09-06 10:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-09-05 11:27 . 2013-08-06 07:28 7166848 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D144C01E-3D99-4F14-9A4B-CBADEFD9EEF3}\mpengine.dll
2013-09-05 10:59 . 2013-08-06 07:28 7166848 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-09-05 09:49 . 2013-09-05 11:13 -------- d-----w- c:\program files\Ragnarok Online 2
2013-09-05 09:46 . 2013-09-05 09:46 -------- d-----w- C:\gravity
2013-09-04 09:12 . 2013-09-04 09:12 -------- d-----w- c:\program files\AGEIA Technologies
2013-08-24 01:31 . 2013-08-24 04:58 -------- d-----w- c:\users\HANADI\AppData\Roaming\AIMP
2013-08-23 13:46 . 2013-08-23 13:46 697992 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{44D019AB-1D11-4D79-B081-164DD7126668}\gapaengine.dll
2013-08-15 08:37 . 2013-08-15 08:39 -------- d-----w- c:\windows\system32\MRT
2013-08-15 03:05 . 2013-08-30 02:42 -------- d-----w- c:\program files\Common Files\Steam
2013-08-15 03:05 . 2013-09-06 10:05 -------- d-----w- c:\program files\Steam
2013-08-14 20:24 . 2013-07-09 04:50 652800 ----a-w- c:\windows\system32\rpcrt4.dll
2013-08-14 20:23 . 2013-07-09 04:52 175104 ----a-w- c:\windows\system32\wintrust.dll
2013-08-14 20:23 . 2013-07-09 04:46 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2013-08-14 20:23 . 2013-07-09 04:46 1166848 ----a-w- c:\windows\system32\crypt32.dll
2013-08-14 20:23 . 2013-07-09 04:46 103936 ----a-w- c:\windows\system32\cryptnet.dll
2013-08-14 20:23 . 2013-07-09 05:03 3968960 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-08-14 20:23 . 2013-07-09 05:03 3913664 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-08-14 20:23 . 2013-07-09 04:53 1289096 ----a-w- c:\windows\system32\ntdll.dll
2013-08-14 20:22 . 2013-07-06 05:05 1293760 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-08-14 20:17 . 2013-07-25 08:57 1620992 ----a-w- c:\windows\system32\WMVDECOD.DLL
2013-08-14 20:12 . 2013-07-19 01:41 2048 ----a-w- c:\windows\system32\tzres.dll
2013-08-14 20:12 . 2013-06-15 03:38 31232 ----a-w- c:\windows\system32\drivers\tssecsrv.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-21 04:18 . 2012-10-22 16:37 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-08-21 04:18 . 2012-10-22 16:37 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-07-18 02:39 . 2012-10-24 15:38 698504 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2013-07-09 15:42 . 2013-07-09 15:42 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2013-06-30 13:16 . 2013-06-30 13:16 110 ----a-w- c:\windows\DeleteOnReboot.bat
2013-06-24 05:54 . 2013-06-24 05:54 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-06-24 05:54 . 2013-04-18 21:12 789416 ----a-w- c:\windows\system32\deployJava1.dll
2013-06-24 05:54 . 2013-04-18 21:12 867240 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-06-18 14:50 . 2013-06-18 14:50 211560 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2013-06-18 14:50 . 2012-08-30 15:03 107392 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2013-02-01 07:04 . 2013-08-18 03:49 109568 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 202024]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2012-05-24 6595928]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2013-02-01 118784]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 249856]
"Steam"="c:\program files\Steam\Steam.exe" [2013-08-28 1811880]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2012-06-20 74752]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-06-20 995176]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-20 83240]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"HDAudDeck"="c:\program files\VIA\VIAudioi\VDeck\VDeck.exe" [2011-02-23 2145392]
"SSDMonitor"="c:\program files\Common Files\PC Tools\sMonitor\SSDMonitor.exe" [2011-12-12 103896]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-07 200704]
"Autodesk Sync"="c:\program files\Autodesk\Autodesk Sync\AdSync.exe" [2012-02-05 383424]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"APN-Stub_SGT-V7"="c:\programdata\APN\APN-Stub\SGT-V7\ApnSetup.exe" [2013-06-06 489392]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer3"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
.
R3 1394hub;1394 Enabled Hub;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2013-06-18 107392]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2013-06-20 295376]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
S2 Autodesk Content Service;Autodesk Content Service;c:\program files\Autodesk\Content Service\Connect.Service.ContentService.exe [2012-01-31 19232]
S2 NitroReaderDriverReadSpool2;NitroPDFReaderDriverCreatorReadSpool2;c:\program files\Nitro PDF\Reader 2\NitroPDFReaderDriverService2.exe [2012-09-12 196112]
S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [2011-12-12 793048]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2013-01-18 383264]
S2 VIAKaraokeService;VIA Karaoke digital mixer Service;c:\windows\system32\viakaraokesrv.exe [2011-09-07 27760]
S3 L1C;NDIS Miniport Driver for Atheros AR81xx PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x86.sys [2012-03-02 91248]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2011-09-07 1814640]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ   SSDPSRV upnphost SCardSvr TBS fdrespub AppIDSvc QWAVE wcncsvc SensrSvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-08-30 18:25 1177552 ----a-w- c:\program files\Google\Chrome\Application\29.0.1547.62\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-06 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-10-22 04:18]
.
2013-09-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-10-23 01:55]
.
2013-09-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-10-23 01:55]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: &Google Search - c:\program files\Google\googletoolbar.dll/cmsearch.html
IE: Backward &Links - c:\program files\Google\googletoolbar.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\Google\googletoolbar.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Si&milar Pages - c:\program files\Google\googletoolbar.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\googletoolbar.dll/cmtrans.html
TCP: DhcpNameServer = 202.134.0.155 203.130.193.74
TCP: Interfaces\{B59BF17F-D284-4574-BB03-D47E7A7DC231}: NameServer = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\users\HANADI\AppData\Roaming\Mozilla\Firefox\Profiles\fdhs4bqp.default\
FF - prefs.js: browser.search.defaulturl - 
FF - prefs.js: network.proxy.ftp - proxies.telkom.net.id
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.http - proxies.telkom.net.id
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - proxies.telkom.net.id
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - proxies.telkom.net.id
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2013-08-31 01:26; client@anonymox.net; c:\users\HANADI\AppData\Roaming\Mozilla\Firefox\Profiles\fdhs4bqp.default\extensions\client@anonymox.net.xpi
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Improved search - B1 Toolbar - c:\program files\B1 Free Archiver\Toolbar\3PTool.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:e8,d5,8d,21,ec,30,ce,01
.
[HKEY_USERS\S-1-5-21-146086492-2649329014-1726378491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2]
@Denied: (Full) (Everyone)
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.EXE'(1928)
c:\program files\Bonjour\mdnsNSP.dll
c:\users\HANADI\AppData\Local\Temp\catchme.dll
.
Completion time: 2013-09-06  17:28:24
ComboFix-quarantined-files.txt  2013-09-06 10:28
ComboFix2.txt  2013-09-05 14:33
.
Pre-Run: 21,712,723,968 bytes free
Post-Run: 21,500,301,312 bytes free
.
- - End Of File - - C44C77699BCEC84045A6CCD584DADF45
A36C5E4F47E84449FF07ED3517B43A31
And this is Malwarebytes' result:

 

Malwarebytes Anti-Malware 1.75.0.1300

www.malwarebytes.org
 
Database version: v2013.09.06.05
 
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 10.0.9200.16660
HANADI :: HANADI-PC [administrator]
 
9/6/2013 5:32:15 PM
mbam-log-2013-09-06 (17-32-15).txt
 
Scan type: Full scan (C:\|D:\|E:\|F:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 825297
Time elapsed: 2 hour(s), 9 minute(s), 32 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 7
HKCR\AppID\{38495740-0035-4471-851E-F5BBB86AB085} (PUP.Optional.DefaultTab.A) -> Quarantined and deleted successfully.
HKCR\AppID\{72D89EBF-0C5D-4190-91FD-398E45F1D007} (PUP.Optional.DefaultTab.A) -> Quarantined and deleted successfully.
HKCR\CLSID\{A1E28287-1A31-4b0f-8D05-AA8C465D3C5A} (PUP.Optional.DefaultTab.A) -> Quarantined and deleted successfully.
HKCR\TypeLib\{FEB62B15-CC00-4736-AAEC-BA046C9DFF73} (PUP.Optional.DefaultTab.A) -> Quarantined and deleted successfully.
HKCR\Interface\{1F8EDE97-36D5-422A-B8F0-9406E2D87C60} (PUP.Optional.DefaultTab.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{A1E28287-1A31-4B0F-8D05-AA8C465D3C5A} (PUP.Optional.DefaultTab.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BAD84EE2-624D-4e7c-A8BB-41EFD720FD77} (PUP.Optional.DefaultTab.A) -> Quarantined and deleted successfully.
 
Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|APN-Stub_SGT-V7 (PUP.Optional.ASKToolbar.A) -> Data: "C:\ProgramData\APN\APN-Stub\SGT-V7\ApnSetup.exe" /hpr=0 /sa=0 /install=SGT-V7 /dtid= /trgb=IE /type=vanilla /runonce /second /runonce /runonce /runonce /runonce /runonce /runonce /runonce /runonce /runonce /runonce /runonce /runonce /runonce /runonce /runonce -> Quarantined and deleted successfully.
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 46
C:\ProgramData\APN\APN-Stub\SGT-V7\ApnSetup.exe (PUP.Optional.ASKToolbar.A) -> Quarantined and deleted successfully.
C:\ProgramData\YTD Video Downloader\ytd_installer.exe (PUP.Optional.BundledToolBar.A) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Users\HANADI\AppData\Roaming\WindowsLogonSSS\coinutil.dll.vir (PUP.BitcoinMiner) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Users\HANADI\AppData\Roaming\WindowsLogonSSS\macromedia.exe.vir (PUP.BitCoinMiner) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Users\HANADI\AppData\Roaming\WindowsLogonSSS\miner.dll.vir (PUP.BitCoinMiner) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Users\HANADI\AppData\Roaming\WindowsLogonSSS\shell.exe.vir (PUP.BitCoinMiner) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Users\HANADI\AppData\Roaming\WindowsLogonSSS\usft_ext.dll.vir (PUP.BitCoinMiner) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Users\HANADI\AppData\Roaming\WindowsLogonSSS\macro\macromedia.exe.vir (PUP.BitCoinMiner) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Users\HANADI\AppData\Roaming\WindowsLogonSSS\min\miner.dll.vir (PUP.BitCoinMiner) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Users\HANADI\AppData\Roaming\WindowsLogonSSS\shel\shell.exe.vir (PUP.BitCoinMiner) -> Quarantined and deleted successfully.
C:\Windows\Installer\13c078d.msi (PUP.Optional.SweetIM) -> Quarantined and deleted successfully.
C:\Downloads\Software\sweetimsetup.exe (PUP.Optional.SweetIM) -> Quarantined and deleted successfully.
C:\Downloads\Software\winamp563_full_emusic-7plus_all.exe (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
C:\Users\HANADI\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.40\agent\stub_data\stubinst_pkg_en-ap.cab (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
C:\Users\HANADI\Documents\APNSetup.exe (PUP.Optional.ASKToolbar.A) -> Quarantined and deleted successfully.
C:\Users\HANADI\Downloads\Big_City_Adventure_Vancouver_Collectors_Edition_-_New_HOG_-_Wendy99.exe (PUP.BundleInstaller.DW) -> Quarantined and deleted successfully.
D:\MENTAH\GAME\dari a aji\Collapse II\Relapse.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\MENTAH\GAME\dari a aji\Zuma Deluxe\PopUninstall.exe (Trojan.FakeAlert.RRE) -> Quarantined and deleted successfully.
D:\MENTAH\GAME\game Aneh\!flashmovies\Flash Movie (2)\BoredCorp.exe (Trojan.Agent.rf) -> Quarantined and deleted successfully.
D:\MENTAH\MENTAH\winamp5623_full_emusic-7plus_all.exe (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
D:\MENTAH\MENTAH\Adobe Photoshop CS4 Extended\CORE10k.EXE (PUP.Keygen.Intro) -> Quarantined and deleted successfully.
D:\MENTAH\MENTAH\Adobe Photoshop CS4 Extended\Crack\adobe.photoshop.cs4-nope.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\MENTAH\MENTAH\CORELDRAWX3 (K)\Crack\keygen.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
D:\MENTAH\MENTAH\GAMEHOUSE baru\GAMEHOUSE 2008\GameHouse.Posh.Shop\Unleashed\Unleashed.exe (Malware.Packer.Krunchy) -> Quarantined and deleted successfully.
D:\MENTAH\MENTAH\GAMEHOUSE baru\GAMEHOUSE 2008\Pet Shop Hop\PetShopHop\Reflexorator 1.2 Patch.exe (HackTool.Patch) -> Quarantined and deleted successfully.
D:\New Folder\Downloads\etypesetup.exe (PUP.Optional.Somoto) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4A95F1BE-BEE3-49B1-A7A0-D96C30630394}\RP205\A0116073.EXE (PUP.Optional.AskToolbar) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4A95F1BE-BEE3-49B1-A7A0-D96C30630394}\RP205\A0116353.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4A95F1BE-BEE3-49B1-A7A0-D96C30630394}\RP205\A0116358.exe (RiskWare.Tool.HCK) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4A95F1BE-BEE3-49B1-A7A0-D96C30630394}\RP205\A0116362.exe (RiskWare.Tool.HCK) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4A95F1BE-BEE3-49B1-A7A0-D96C30630394}\RP205\A0118547.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
D:\media player\VEGAS PRO 10\Sony Vegas Pro 10 Patch & Keygen - www.xp-zone.tk\Keygen.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
E:\partisi\CORE10k.EXE (PUP.Keygen.Intro) -> Quarantined and deleted successfully.
E:\partisi\Keygen CorelDRAW.Graphics.Suite.X6.rar (RiskWare.Tool.HCK) -> Quarantined and deleted successfully.
E:\Program\GOMPLAYERENSETUP.EXE (PUP.Optional.AskToolbar) -> Quarantined and deleted successfully.
E:\Program\Google Sketch Up\Keygen_GoogleSketchUpPro7.rar (PUP.Keygen.Intro) -> Quarantined and deleted successfully.
E:\Program\IDM6.15\Patch IDM 6.15.rar (Backdoor.Agent) -> Quarantined and deleted successfully.
E:\Program\InDownMan\Patch-Keygen-IDM.6.08.Beta.Build.xx.rar (Riskware.Tool.CK) -> Quarantined and deleted successfully.
E:\Program\InDownMan\Patch-Keygen-IDM.6.08.Beta\Keygen.exe (Riskware.Tool.CK) -> Quarantined and deleted successfully.
E:\Program\InDownMan\Patch-Keygen-IDM.6.08.Beta\Patch.exe (Riskware.Tool.CK) -> Quarantined and deleted successfully.
E:\Program\SketchUp 8\keygen\keygen.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
E:\Program\VEGAS PRO 10\Sony+Vegas+Pro+10+Patch+&+Keygen+-+www.xp-zone.co.cc.rar (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{4A95F1BE-BEE3-49B1-A7A0-D96C30630394}\RP238\A0130317.exe (HackTool.GamesCheat.Gen) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{4A95F1BE-BEE3-49B1-A7A0-D96C30630394}\RP238\A0130318.exe (HackTool.GamesCheat.Gen) -> Quarantined and deleted successfully.
E:\tugas arsi\xf-a2011-32bits.rar (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
F:\Master\NENENG\Flash disk A (Kingston-1)\KINGSTON (L)\GAMEHOUSE 2008\GameHouse.Posh.Shop\Unleashed\Unleashed.exe (Malware.Packer.Krunchy) -> Quarantined and deleted successfully.
 
(end)
 

:)



#10 hydetoism

hydetoism
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:39 AM

Posted 08 September 2013 - 11:24 PM

Sir, does that mean that my computer is clean?

If so, I want to say a big thanks to you and the Malware Response Team :)


Edited by hydetoism, 08 September 2013 - 11:24 PM.


#11 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:39 PM

Posted 08 September 2013 - 11:57 PM

Your logs show obvious signs of having cracked software on your system. This is the main reason your computer is infected. Visiting cracksites/warezsites - and other questionable/illegal sites is always a risk.

Even a single click on the site can drop multiple forms of very serious malware, many of which disable your onboard protection, and System Restore.

If you install the cracked software, you are running executable files from these dubious, unknown sources. You are in effect giving these sources access to information on your hard disk, and potential control over the operation of your computer.

Additionally, cracked programs are illegal. Referring to the Forum Rules, which you should have read at the time of registering at this forum, this forum does not support illegal activity. As such, be advised that any request for assistance in removing malware may go unanswered, or may be discontinued, if the cracked (illegal) software is still present on the machine.

Having said that, we can help you clean your machine this time, BUT this would be a ONCE ONLY offer on the understanding that all cracks are removed. This would apply not only here but at many other malware support forums if you were to appear again with cracks on board, as many of us analysts work at multiple support sites. Please remove all cracked software and illegally obtained copyrighted material you have on the system so we may continue with the clean-up.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#12 hydetoism

hydetoism
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:39 AM

Posted 09 September 2013 - 07:03 PM

Thank you very much sir :)

Yes, I am going to remove all cracked software and illegal programs, and never visit any illegal websites again.



#13 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:39 PM

Posted 10 September 2013 - 12:47 AM

Fine!

 

 

Scan with ESET Online Scan

Please go here to run the online scanner from ESET.

  • Turn off the real-time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click 'List of found threats', then click Export to text file...
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.



#14 hydetoism

hydetoism
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:39 AM

Posted 10 September 2013 - 10:51 AM

Here is the result, sir:

 

C:\Downloads\Software\SoftonicDownloader_for_gom-player.exe a variant of Win32/SoftonicDownloader.E application
C:\Qoobox\Quarantine\C\Users\HANADI\AppData\Roaming\WindowsLogonSSS\usft_ext.exe.vbs.vir VBS/CoinMiner.Q trojan
C:\Qoobox\Quarantine\C\Users\HANADI\AppData\Roaming\WindowsLogonSSS\macro\compile.bat.vir VBS/CoinMiner.S trojan
C:\Qoobox\Quarantine\C\Users\HANADI\AppData\Roaming\WindowsLogonSSS\min\compile.bat.vir VBS/CoinMiner.S trojan
C:\Users\HANADI\Downloads\directx_11_download_windows_7_32_bit_downloader_id_98926.exe a variant of Win32/ExpressFiles.B application
C:\Users\HANADI\Downloads\SoftonicDownloader_for_big-city-adventures-san-francisco.exe Win32/SoftonicDownloader.E application
C:\Users\HANADI\Downloads\SoftonicDownloader_for_coreldraw-graphics-suite.exe Win32/SoftonicDownloader.E application
C:\Users\HANADI\Downloads\SoftonicDownloader_for_gom-player.exe Win32/SoftonicDownloader.E application
D:\malware\avira_free_antivirus_en.exe a variant of Win32/Bundled.Toolbar.Ask application
D:\MENTAH\MENTAH\GAMEHOUSE baru\Turbo Pizza\Keygen.exe a variant of Win32/Keygen.BG application
D:\MENTAH\MENTAH\GAMEHOUSE baru\Zak And Jack\Keygen.exe a variant of Win32/Keygen.BG application
D:\New Folder\Downloads\avira_free_antivirus_en(1).exe a variant of Win32/Bundled.Toolbar.Ask application
D:\New Folder\Downloads\avira_free_antivirus_en(2).exe a variant of Win32/Bundled.Toolbar.Ask application
D:\New Folder\Downloads\avira_free_antivirus_en.exe a variant of Win32/Bundled.Toolbar.Ask application
D:\New Folder\Downloads\cnet_gdbfn_zip.exe a variant of Win32/InstallCore.D application
D:\New Folder\Downloads\FreeYouTubeDownloaderInstaller(1).exe a variant of Win32/Somoto.A application
D:\New Folder\Downloads\SoftonicDownloader_for_euro-truck-simulator(1).exe Win32/SoftonicDownloader.D application
D:\New Folder\Downloads\SoftonicDownloader_for_euro-truck-simulator.exe Win32/SoftonicDownloader.D application
D:\New Folder\Downloads\SoftonicDownloader_for_garbage-truck-simulator.exe Win32/SoftonicDownloader.D application
D:\New Folder\Downloads\SoftonicDownloader_for_gom-player.exe Win32/SoftonicDownloader application
D:\New Folder\Downloads\YouTubeDownloaderSetup35.exe Win32/Toolbar.Widgi application
E:\unye nitip\CARDIO -Senyumku Senyummu.exe a variant of Win32/Amonetize.H application
E:\unye nitip\codec_setup.exe a variant of Win32/Amonetize.H application
E:\unye nitip\Setup__2140_il50863.exe a variant of Win32/Amonetize.H application
F:\Master\Lala\buat ke hp\rocknrollmafia-zsazsazsu.mp3.exe Win32/InstalleRex.I application
 
How do I fix/delete it?
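The two logs quoted in this thread (the Malwarebytes "-> Quarantined and deleted successfully" lines earlier, and the ESET Online Scanner export just above) use different line formats, and the ESET list mixes items that are still live on disk with copies already sitting in the ComboFix quarantine folder. The parser below is an added example for this page, not a BleepingComputer, Malwarebytes or ESET tool: it reads both formats, assumes a coarse severity mapping from the vendor naming prefixes (trojan/backdoor vs. PUP/application vs. riskware/hacktool), and assumes that anything under C:\Qoobox\Quarantine or a System Volume Information\_restore folder is an inert copy rather than running code. The sample lines are constructed in the formats shown in the thread.

```python
"""Triage the two scanner log formats quoted in this thread.

Malwarebytes:  <path> (<detection>) -> <action>.
ESET export:   <path> [a variant of ]<detection> <trojan|application>

Added example for this page; not a BleepingComputer or vendor tool.
"""
import re
from collections import Counter

MBAM_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")
ESET_RE = re.compile(
    r"^(?P<path>.+?) (?:a variant of )?(?P<detection>\S+) (?P<category>trojan|application)$"
)

# Locations whose contents are inert copies, not running code (assumption:
# the ComboFix quarantine folder and Windows restore points).
CONTAINED_MARKERS = ("\\qoobox\\quarantine\\", "\\system volume information\\_restore")

# Coarse severity buckets derived from vendor naming prefixes (assumed mapping).
RANK = {"malware": 0, "riskware": 1, "pua": 2, "unknown": 3}


def classify(detection, category=None):
    """Map a detection name (plus ESET's trailing category word) to a bucket."""
    name = detection.lower()
    if category == "trojan" or name.startswith(("trojan.", "backdoor.", "malware.")):
        return "malware"
    if name.startswith(("riskware.", "hacktool.")):
        return "riskware"
    if category == "application" or name.startswith("pup."):
        return "pua"
    return "unknown"


def is_contained(path):
    """True if the file sits in a quarantine or restore-point store."""
    low = path.lower()
    return any(marker in low for marker in CONTAINED_MARKERS)


def parse_line(line):
    """Parse one Malwarebytes or ESET line; return None for anything else."""
    line = line.strip()
    m = MBAM_RE.match(line)
    if m:
        path, detection, action = m.group("path", "detection", "action")
        handled = action.lower().startswith("quarantined") or is_contained(path)
        return {"path": path, "detection": detection,
                "severity": classify(detection), "handled": handled}
    m = ESET_RE.match(line)
    if m:
        path, detection, category = m.group("path", "detection", "category")
        return {"path": path, "detection": detection,
                "severity": classify(detection, category),
                "handled": is_contained(path)}
    return None


def triage(lines):
    """Summarise a log and list what still needs action, worst first."""
    entries = [e for e in (parse_line(l) for l in lines) if e]
    pending = sorted((e for e in entries if not e["handled"]),
                     key=lambda e: (RANK[e["severity"]], e["path"].lower()))
    return {
        "parsed": len(entries),
        "by_severity": dict(Counter(e["severity"] for e in entries)),
        "needs_action": [(e["severity"], e["path"]) for e in pending],
    }


# Constructed sample input in the two formats the thread's logs use.
MBAM_SAMPLE = [
    r"D:\MENTAH\MENTAH\CORELDRAWX3 (K)\Crack\keygen.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.",
    r"E:\Program\IDM6.15\Patch IDM 6.15.rar (Backdoor.Agent) -> Quarantined and deleted successfully.",
]
ESET_SAMPLE = [
    r"C:\Qoobox\Quarantine\C\Users\HANADI\AppData\Roaming\WindowsLogonSSS\usft_ext.exe.vbs.vir VBS/CoinMiner.Q trojan",
    r"C:\Users\HANADI\Downloads\SoftonicDownloader_for_gom-player.exe Win32/SoftonicDownloader.E application",
    r"D:\MENTAH\MENTAH\GAMEHOUSE baru\Turbo Pizza\Keygen.exe a variant of Win32/Keygen.BG application",
]

if __name__ == "__main__":
    report = triage(MBAM_SAMPLE + ESET_SAMPLE)
    print(report["by_severity"])
    for severity, path in report["needs_action"]:
        print(f"[{severity}] still on disk: {path}")
```

Paths containing spaces and parentheses (such as "CORELDRAWX3 (K)") are handled by matching the path lazily and anchoring on the detection and action fields at the end of the line. Items flagged as "handled" are copies that are not executing, but they are still worth purging once the cleanup is finished, since a quarantine folder or an old restore point can put the file back if it is ever restored.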


#15 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:39 PM

Posted 10 September 2013 - 11:38 PM

Combofix scripting

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.


[Image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Attached Files: CFScript.txt





