
You'r System is in danger! Weird desktop file pop-up? (trojan/malware?)


9 replies to this topic

#1 wertykauhanen (Members, 6 posts)

Posted 19 September 2013 - 04:25 PM

I have been getting this weird pop-up from a file that has just been generated on my desktop.
It even does this when I don't have an internet connection on, but it usually does nothing else but create the desktop file and then open it (though it usually may crash Dota 2 (Steam game) if I have it running fullscreen; in windowed mode with no borders it almost doesn't crash at all).
When the pop-up begins to create and open the file, it might just open it with the computer being normal, but sometimes (usually if it crashes a game) my computer makes processing sounds (may just be the game closing and Steam writing an error report and synchronizing) like I would be running something (I tried to look at processes many times but didn't come up with anything using more than usual).
I use Windows XP and have the firewall enabled with only a few allowed programs which I all trust (Steam games, Skype, Hamachi, Java) (the only thing I'm wondering about is a Steam client bootstrapper (buildbot_winslave04_steam_steam_rel_client...) which is allowed because it's Steam, as its path goes to the Steam directory; am I wrong?).
I have tried many programs (Avast, TDSSKiller, HijackThis and ESET Online Scanner).
I have tried to search for a solution to this problem from here and tried to fix it, but it hasn't worked so far (this is mostly why I got here).
If anyone could help I would be pleased.
I really would like to at least try once more to remove the infection so I don't have to clear and reinstall if it really isn't needed.
 
I'm posting logs from the programs I used:
 
Avast: (no infections with a full check with all packets and high priority and high parameters)
 
TDSSKiller: no threats found (every other parameter, but not loaded modules)
 
HijackThis: (check attachments)
 
ESET: (No threats found)
 
Windows Firewall: Too big to fit :S
 

 

Edited by hamluis, 19 September 2013 - 06:54 PM.
Moved from XP to Malware Removal Logs - Hamluis.



#2 nasdaq (Malware Response Team, 38,950 posts, Montreal, QC, Canada)

Posted 22 September 2013 - 10:07 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

It might be wise, if possible, to download these tools from another good computer.
Download to a CD or flash drive and copy the tools to the Desktop of the problem computer.

--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: Tutorial
Link 1
Link 2

IMPORTANT !!! Save ComboFix.exe to your Desktop

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe and follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note: Do not mouse click ComboFix's window while it's running. That may cause it to stall

Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Please paste the logs in your next reply DO NOT ATTACH THEM.
Let me know what problem persists.

#3 wertykauhanen (Topic Starter, Members, 6 posts)

Posted 23 September 2013 - 11:23 AM

RogueKiller:

RogueKiller V8.6.12 [Sep 18 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : werty [Admin rights]
Mode : Scan -- Date : 09/23/2013 18:59:13
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 2 ¤¤¤
[HJ][PUM] HKLM\[...]\SystemRestore : DisableSR (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
 
¤¤¤ Scheduled tasks : 0 ¤¤¤
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [LOADED] ¤¤¤
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection :  ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
127.0.0.1       localhost
79.249.69.231 skins.minecraft.net
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) (Standardit levyasemat) - ST3500830AS +++++
--- User ---
[MBR] 635408cdcc8949f068c10283ab8e5e72
[BSP] 1eb568eaa03448698392cc4daa8fb2c5 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476929 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[0]_S_09232013_185913.txt >>
 
 
 
 

RK2:

RogueKiller V8.6.12 [Sep 18 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : werty [Admin rights]
Mode : Remove -- Date : 09/23/2013 18:59:19
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 2 ¤¤¤
[HJ][PUM] HKLM\[...]\SystemRestore : DisableSR (1) -> REPLACED (0)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
 
¤¤¤ Scheduled tasks : 0 ¤¤¤
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [LOADED] ¤¤¤
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection :  ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
127.0.0.1       localhost
79.249.69.231 skins.minecraft.net
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) (Standardit levyasemat) - ST3500830AS +++++
--- User ---
[MBR] 635408cdcc8949f068c10283ab8e5e72
[BSP] 1eb568eaa03448698392cc4daa8fb2c5 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476929 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[0]_D_09232013_185919.txt >>
RKreport[0]_S_09232013_185913.txt
 
 
 

AdwCleaner:

# AdwCleaner v3.005 - Report created 23/09/2013 at 19:01:46

# Updated 22/09/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : werty - KARVA
# Running from : C:\Documents and Settings\werty\Työpöytä\adwcleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\Save
Folder Deleted : C:\Documents and Settings\werty\Application Data\SwvUpdater
Folder Deleted : C:\Documents and Settings\werty\Omat tiedostot\BitLord
[!] Folder Deleted : C:\Documents and Settings\werty\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pflphaooapbgpeakohlggbpidpppgdff
File Deleted : C:\Documents and Settings\werty\Local Settings\Application Data\mysearchdial.crx
File Deleted : C:\DOCUME~1\werty\LOCALS~1\Temp\Uninstall.exe
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKCU\Software\Google\Chrome\Extensions\pflphaooapbgpeakohlggbpidpppgdff
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\pflphaooapbgpeakohlggbpidpppgdff
Key Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
Key Deleted : HKLM\SOFTWARE\Classes\esrv.mysearchdialESrvc
Key Deleted : HKLM\SOFTWARE\Classes\esrv.mysearchdialESrvc.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{219046AE-358F-4CF1-B1FD-2B4DE83642A8}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{77AA745B-F4F8-45DA-9B14-61D2D95054C8}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{77AA745B-F4F8-45DA-9B14-61D2D95054C8}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\mysearchdial
Key Deleted : HKCU\Software\mysearchdial.com
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\InstallCore
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v8.0.6001.18702
 
Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Start Page]
 
-\\ Google Chrome v29.0.1547.76
 
[ File : C:\Documents and Settings\werty\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [2612 octets] - [23/09/2013 19:00:44]
AdwCleaner[S0].txt - [2410 octets] - [23/09/2013 19:01:46]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2470 octets] ##########
 

JRT:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.2 (09.22.2013:1)
OS: Microsoft Windows XP x86
Ran by werty on ma 23.09.2013 at 19:07:16,04
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on ma 23.09.2013 at 19:09:15,48
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

ComboFix:

ComboFix 13-09-23.02 - werty 23.09.2013  19:16:02.1.8 - x86

Microsoft Windows XP Professional  5.1.2600.3.1252.358.1035.18.3046.2664 [GMT 3:00]
Sijainti: c:\documents and settings\werty\Ty÷p÷ytõ\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((   Muut poistot   ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\{E3739848-5329-48E3-8D28-5BBD6E8BE384}\PostBuild.exe
c:\documents and settings\All Users\Application Data\TEMP\{E3739848-5329-48E3-8D28-5BBD6E8BE384}\Setup.exe
C:\install.exe
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\SET1BF.tmp
c:\windows\system32\SETB2.tmp
c:\windows\system32\SETB6.tmp
c:\windows\system32\SETBE.tmp
.
.
(((((   Tiedostot, jotka on luotu seuraavalla aikavälillä: 2013-08-23 to 2013-09-23  )))))))))))))))))
.
.
2013-09-23 16:07 . 2013-09-23 16:07 -------- d-----w- c:\windows\ERUNT
2013-09-23 16:00 . 2013-09-23 16:01 -------- d-----w- C:\AdwCleaner
2013-09-19 22:09 . 2013-09-19 22:09 -------- d-----w- c:\program files\AGEIA Technologies
2013-09-19 22:09 . 2013-09-19 22:09 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2013-09-19 22:09 . 2013-09-19 22:09 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2013-09-19 22:09 . 2013-09-19 22:09 -------- d-----w- c:\program files\OpenAL
2013-09-16 15:11 . 2013-09-16 15:11 -------- d-sh--w- c:\documents and settings\werty\PrivacIE
2013-09-16 14:56 . 2013-09-16 14:57 -------- dc-h--w- c:\windows\ie8
2013-08-31 11:17 . 2013-08-31 11:37 -------- d-----w- c:\documents and settings\werty\Application Data\BSplayer
2013-08-31 11:17 . 2013-08-31 11:17 -------- d-----w- c:\documents and settings\werty\Application Data\BSplayer Pro
2013-08-31 11:17 . 2013-08-31 11:17 -------- d-----w- c:\program files\Webteh
2013-08-31 11:08 . 1998-09-02 08:28 38160 ----a-w- c:\windows\system32\LMRTREND.dll
2013-08-31 11:08 . 1998-08-20 11:02 140800 ----a-w- c:\windows\system32\tm20dec.ax
2013-08-31 11:08 . 1998-08-27 04:51 182032 ----a-w- c:\windows\system32\dxtmsft3.dll
2013-08-31 11:08 . 1998-09-02 08:28 63488 ----a-w- c:\windows\system32\unam4ie.exe
2013-08-31 11:08 . 1998-09-02 08:02 194320 ----a-w- c:\windows\system32\qcut.dll
2013-08-31 11:08 . 1998-08-17 09:21 5672 ----a-w- c:\windows\system32\quartz.vxd
2013-08-31 11:08 . 1998-08-17 09:21 10240 ----a-w- c:\windows\system32\vidx16.dll
2013-08-31 11:08 . 1998-08-17 09:21 11776 ----a-w- c:\windows\system32\mciqtz.drv
2013-08-31 11:08 . 2013-08-31 11:08 4608 ----a-w- c:\windows\system32\w95inf32.dll
2013-08-31 11:08 . 2013-08-31 11:08 2272 ----a-w- c:\windows\system32\w95inf16.dll
2013-08-31 10:10 . 2013-08-31 10:10 -------- d-----w- c:\documents and settings\werty\Application Data\CyberLink
.
.
.
((((((((((((((((((((((((((((((((((((   Find3M-raportti   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-20 15:27 . 2013-06-15 20:07 139904 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2013-09-20 15:26 . 2013-06-15 20:42 291096 ----a-w- c:\windows\system32\PnkBstrB.xtr
2013-09-20 15:26 . 2013-06-15 20:07 291096 ----a-w- c:\windows\system32\PnkBstrB.exe
2013-09-20 15:25 . 2013-06-15 20:07 291096 ----a-w- c:\windows\system32\PnkBstrB.ex0
2013-09-11 16:32 . 2013-04-24 15:01 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-11 16:32 . 2013-04-24 15:01 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-08-08 16:39 . 2013-03-06 06:36 29760 ----a-w- c:\windows\system32\drivers\FNETTBOH_305.SYS
2013-07-10 10:37 . 2004-09-15 12:00 406016 ----a-w- c:\windows\system32\usp10.dll
2013-07-04 07:33 . 2004-09-15 12:00 2152448 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-07-04 07:33 . 2004-09-14 16:08 2031104 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-03-28 02:06 . 2013-05-18 09:03 6897664 ------w- c:\program files\RaUI.exe
2012-03-21 03:48 . 2013-05-18 09:03 871488 ------w- c:\program files\RaAPAPI.dll
2012-03-21 03:48 . 2013-05-18 09:03 503808 ------w- c:\program files\ICSDHCP.dll
2012-03-21 03:48 . 2013-05-18 09:03 375872 ------w- c:\program files\RaRegistry.exe
.
.
((((((((((((((((((((((((((((((   Rekisterin käynnistyskohteet   )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Steam\steam.exe" [2013-09-06 1811368]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2013-05-09 18679400]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-09-23 15512424]
"NvMediaCenter"="NvMCTray.dll" [2012-09-23 108392]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-09-23 1634112]
"RTHDCPL"="RTHDCPL.EXE" [2011-05-12 20053608]
"XFast USB"="c:\program files\XFast USB\XFastUsb.exe" [2013-03-06 4878912]
"XFast LAN"="c:\program files\ASRock\XFast LAN\cFosSpeed.exe" [2011-07-04 1202560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"MDS_Menu"="c:\program files\CyberLink\MediaEspresso\MUITransfer\MUIStartMenu.exe" [2009-05-19 222504]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2013-06-28 2255184]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Java\\jre7\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Documents and Settings\\werty\\Työpöytä\\terraria testi\\TerrariaServer.exe"=
"c:\\Program Files\\LogMeIn Hamachi\\hamachi-2-ui.exe"=
"c:\\Program Files\\EA Games\\Battlefield Play4Free\\BFP4f.exe"=
"c:\\Program Files\\Red Storm Entertainment\\Ghost Recon Demo\\GRDemo.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Documents and Settings\\werty\\Työpöytä\\Slendytubbies V2 Beta\\Slendytubbies V2 Beta.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\Team Fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\Awesomenauts\\AwesomenautsLauncher.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\America's Army\\AAPG\\Binaries\\AALauncher32.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\America's Army\\AAPG\\Binaries\\Win32\\AAGame.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\dota 2 beta\\dota.exe"=
.
R1 AsrAppCharger;AsrAppCharger;c:\windows\system32\drivers\AsrAppCharger.sys [6.3.2013 9:16 15656]
R1 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys [27.7.2013 16:32 21576]
R1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS [6.3.2013 9:25 14656]
R3 EtronHub3;Etron USB 3.0 Extensible Hub Driver;c:\windows\system32\drivers\EtronHub3.sys [29.7.2011 6:40 44928]
R3 EtronXHCI;Etron USB 3.0 Extensible Host Controller Driver;c:\windows\system32\drivers\EtronXHCI.sys [29.7.2011 6:40 64256]
R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [6.3.2013 8:48 31288]
S2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [28.6.2013 14:02 1440080]
S2 Scutum50;Scutum50 NDIS Protocol Driver;c:\windows\system32\Drivers\Scutum50.sys --> c:\windows\system32\Drivers\Scutum50.sys [?]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [28.2.2013 19:09 161384]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [6.3.2013 9:15 1691480]
S3 FNETTBOH_305;FNETTBOH_305;c:\windows\system32\drivers\FNETTBOH_305.SYS [6.3.2013 9:36 29760]
S3 MSICDSetup;MSICDSetup;\??\d:\cdriver.sys --> d:\CDriver.sys [?]
S3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [18.5.2013 11:42 2609728]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-09-19 21:37 1177552 ----a-w- c:\program files\Google\Chrome\Application\29.0.1547.76\Installer\chrmstp.exe
.
'Ajoitetut tehtävät'-kansion sisältö
.
2013-09-22 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-04-24 16:32]
.
2013-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-06-18 18:22]
.
2013-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-06-18 18:22]
.
.
------- Täydentävä tarkistus -------
.
uStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
.
- - - - POISTETUT JÄMÄRIVIT - - - -
.
HKCU-Run-ASRockXTU - (no file)
HKCU-Run-zASRockInstantBoot - (no file)
HKCU-Run-Akamai NetSession Interface - c:\documents and settings\werty\Local Settings\Application Data\Akamai\netsession_win.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-09-23 19:18
Windows 5.1.2600 Service Pack 3 NTFS
.
tarkistaa piilotettuja prosesseja ... 
.
tarkistaa piilotettuja käynnistysarvoja ... 
.
tarkistaa piilotettuja tiedostoja ... 
.
tarkistus on valmis
piilotetut tiedostot: 0
.
**************************************************************************
.
--------------------- LUKITUT REKISTERIAVAIMET ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\•€|ÿÿÿÿ"•€|þ»Ów*]
"b049C053C7D38EE4AB9A00CB3B5D2472"="C?\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\PUBPLACE.HTT"
.
Valmistumisajankohta: 2013-09-23  19:19:21
ComboFix-quarantined-files.txt  2013-09-23 16:19
.
Ennen ajoa: 424 250 613 760 tavua vapaana
Ajon jälkeen: 424 809 971 712 tavua vapaana
.
WindowsXP-KB310994-SP2-Pro-BootDisk-FIN.EXE
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
.
- - End Of File - - 5189D29C9E9F0F6EFB9D9EA987AF5142
6573D157A3DFFD65292C07911AC353A2
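
As an added example (not code from any post, RogueKiller, ComboFix or this site), a small Python triage script for two things a helper would pull out of the reports above: the non-loopback HOSTS entry in the RogueKiller report and the firewall block in the ComboFix report, which shows EnableFirewall=0 even though the first post says the firewall is on. The embedded samples are copied from those logs (the AuthorizedApplications list shortened to three entries); function names are mine.

```python
"""Log triage for two findings in the reports posted above: a HOSTS file
override in the RogueKiller report and the firewall state in the ComboFix
report.  Added example; not part of RogueKiller, ComboFix or this thread."""
import re

# Sample input copied from the RogueKiller report in this thread.
ROGUEKILLER_HOSTS = r"""
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1       localhost
79.249.69.231 skins.minecraft.net

¤¤¤ MBR Check: ¤¤¤
"""

# Sample input copied from the ComboFix report in this thread (the
# AuthorizedApplications list is shortened to three entries).
COMBOFIX_FIREWALL = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\werty\\Työpöytä\\terraria testi\\TerrariaServer.exe"=
.
"""

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
IPV4_LINE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)")


def hosts_overrides(report):
    """(ip, hostname) pairs in the HOSTS section that map a name to something
    other than loopback; a clean XP hosts file holds only the localhost line."""
    m = re.search(r"HOSTS File:(.*?)(?:\n¤¤¤|\Z)", report, re.S)
    section = m.group(1) if m else ""
    found = []
    for line in section.splitlines():
        hit = IPV4_LINE.match(line)
        if hit and hit.group(1) not in LOOPBACK:
            found.append((hit.group(1), hit.group(2)))
    return found


def firewall_state(report):
    """Parse the standardprofile block as ComboFix prints it: EnableFirewall
    value (None if absent) and exception paths with doubled backslashes collapsed."""
    enabled, apps, in_list = None, [], False
    for line in report.splitlines():
        if line.startswith("["):            # registry key header
            in_list = line.rstrip("]").endswith("AuthorizedApplications\\List")
            continue
        hit = re.match(r'"EnableFirewall"=\s*(\d+)', line)
        if hit:
            enabled = int(hit.group(1))
        elif in_list:
            hit = re.match(r'"(.+?)"=', line)
            if hit:
                apps.append(hit.group(1).replace("\\\\", "\\"))
    return {"enabled": enabled, "authorized_apps": apps}


def user_profile_exceptions(apps):
    """Exceptions whose executable lives under a user profile, i.e. in a
    user-writable directory where any dropped file could reuse the exception."""
    return [p for p in apps if "\\documents and settings\\" in p.lower()]


def triage(rk_report, cf_report):
    """Human-readable findings a helper would raise from both reports."""
    findings = []
    for ip, host in hosts_overrides(rk_report):
        findings.append(f"HOSTS maps {host} to {ip}; confirm with the user, remove if unexplained")
    fw = firewall_state(cf_report)
    if fw["enabled"] == 0:
        findings.append("Windows Firewall standard profile is off (EnableFirewall=0), "
                        "contradicting the belief that it is enabled")
    for path in user_profile_exceptions(fw["authorized_apps"]):
        findings.append(f"firewall exception for user-profile executable: {path}")
    return findings


if __name__ == "__main__":
    for finding in triage(ROGUEKILLER_HOSTS, COMBOFIX_FIREWALL):
        print("-", finding)
```

The same functions run unchanged over a full RogueKiller or ComboFix report, since other registry headers reset the list state.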


#4 wertykauhanen (Topic Starter, Members, 6 posts)

Posted 23 September 2013 - 11:24 AM

Sorry for ComboFix; it selected Finnish automatically. I can help you with that if any problems come up.

Thanks for the help, and I'm asking if I should install any antivirus programs?



#5 nasdaq (Malware Response Team, 38,950 posts, Montreal, QC, Canada)

Posted 23 September 2013 - 12:29 PM

It is really dangerous to go online without an antivirus. Without one, you are extremely likely to get infected and the consequences could be even worse next time. All of the following are excellent free versions of commercial antiviruses. Be sure to only install one.
AVG.
If you install AVG it will install Chrome unless you deny it.
avast!.
AVAST will install Google Chrome if not already installed. If you do not want to keep it, just remove it using the Add/Remove Programs list.
AntiVir

===

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please let me know of any remaining issues with this computer.

#6 wertykauhanen (Topic Starter, Members, 6 posts)

Posted 23 September 2013 - 12:46 PM

Yeah, I had Avast (deleted before clean-up so I got no crossing with antivirus programs), but I think I got the infection while I had Avast. So I think I just have to stop downloading too much from the internet.



#7 nasdaq (Malware Response Team, 38,950 posts, Montreal, QC, Canada)

Posted 23 September 2013 - 01:00 PM

Please post the Security Check log for my review.

#8 wertykauhanen (Topic Starter, Members, 6 posts)

Posted 25 September 2013 - 10:05 AM

Results of screen317's Security Check version 0.99.73  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:`````````````` 
Please wait while WMIC compiles updated MOF files.d 
ECHO ei käytössä.
ECHO ei käytössä.
ECHO ei käytössä.
ECHO ei käytössä.
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:````````` 
 Java 7 Update 21  
 Java version out of Date! 
 Adobe Flash Player 11.8.800.168  
 Adobe Reader 9 Adobe Reader out of Date! 
 Google Chrome 29.0.1547.66  
 Google Chrome 29.0.1547.76  
````````Process Check: objlist.exe by Laurent````````  
 AVAST Software Avast AvastSvc.exe  
 AVAST Software Avast afwServ.exe  
 AVAST Software Avast AvastEmUpdate.exe  
 AVAST Software Avast avastUI.exe  
 AVAST Software Avast setup avast.setup 
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C::  
````````````````````End of Log`````````````````````` 


#9 wertykauhanen (Topic Starter, Members, 6 posts)

Posted 25 September 2013 - 10:06 AM

I think the problem is still on, or part of it; it still creates the file and opens it, but it does it less often (I think).



#10 nasdaq (Malware Response Team, 38,950 posts, Montreal, QC, Canada)

Posted 25 September 2013 - 12:45 PM

I use windows XP and have firewall enabled with only few allowed programs wich i all trust (steam games,skype,hamachi,Java) (only thing im wondering about is a steam client bootstrapper(buildbot_winslave04_steam_steam_rel_client...) wich is allowed because its steam as its path goes to steam directory, am i wrong?)


Something you should ask in the Gaming forum. This is not my forte.
http://www.bleepingcomputer.com/forums/f/20/computer-gaming/

===

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
The latest version is Java JRE 7u40, released on Sept 10, 2013.

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present remove the old version(s) of Java using the Add/Remove Programs applet.

Java 7 Update 21

Note
Java security update installs Ask Toolbar by default -- a single click in a multi-step installer.
http://www.benedelman.org/images/iac-jan13/ask-iac-011613-small.png
I suggest that you un-check the box "Install the Ask Toolbar" before proceeding.
===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before you download, I suggest you uncheck the box on the top right "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.
<<<>>>



