
rootkit virus csrss, svchost spyware virus hidden in hard disk even after reformat


  • This topic is locked
16 replies to this topic

#1 kelykely

kelykely

  • Members
  • 9 posts
  • OFFLINE
  • Local time:03:34 AM

Posted 14 October 2013 - 09:08 AM

My computer: Dell Inspiron 15-inch, Windows 8 64-bit, 500 GB hard disk

I have this virus that establishes a connection to a remote hacker and downloads viruses, etc. Currently I'm using SterJo NetStalker to block suspicious connections, and there are many. I believe it's a rootkit virus that hides inside the hard disk, if nothing else. I have only one hard disk attached, and I have even flashed the BIOS and formatted the hard disk. I used to format using DBAN nuke; although it did not finish (it takes 20 hours), it has gone one round and two passes, but the virus is back after a fresh Windows 8 install.

It's annoying, as it slows down the internet and keeps using up my hard disk, and it's getting hot. I wish to remove this virus or I will have to buy a new PC. I attach the GMER scan here.

Too bad, though I take prevention steps by using AVG and have disabled my laptop's wireless device and use an external USB wireless adapter instead. In the attachment you can't see the real original virus as before, like how it infected svchost and created "auxiliaryseed..." inside the value, something like that. But now maybe just ignore AVG and look around to see if you can find anything in the attachment. Help much appreciated.

Thank you

Attached Files

  • Attached File: vr.log (150.67 KB, 9 downloads)




#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:34 PM

Posted 14 October 2013 - 09:48 AM

Hi there,
My name is Marius and I will assist you with your malware-related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.


Scan with aswMBR

Please download aswMBR (4.5 MB) to your desktop.

  • Double-click the aswMBR.exe icon, and click Run.
  • There will be a short delay before the next dialog box comes up. Please just wait a minute or two.
  • When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
  • Typically this is about a 100 MB download, so depending on your connection speed it can take a short while to download and become ready.
  • Click the Scan button to start the scan once the update has finished downloading.
  • On completion of the scan, click the Save log button, save it to your desktop, then copy and paste it in your next reply.

Note: There will also be a file on your desktop named MBR.dat. Do not delete this for now. It is an actual backup of the MBR (master boot record).


Scan with TDSS-Killer

Please read and follow these instructions carefully. We do not want it to fix anything yet (if found); we need to see a report first.

Download TDSSKiller.exe and save it to your desktop.

  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan.
  • If malicious objects are found, do NOT select Cure. Change the action to Skip, and save the log.
  • Once complete, a log will be produced in the root of the drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt

Please post the contents of that log in your next reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click the Donate button (no worries, every little bit helps)
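The aswMBR step above leaves a 512-byte MBR.dat on the desktop. What follows is an added example, not part of this thread and not code from aswMBR, TDSSKiller or the poster: a small Python script that reads such an image, checks the 0x55AA boot signature, decodes the four 16-byte partition entries, hashes the 446-byte boot code and flags table inconsistencies (more than one active entry, overlapping extents, invalid status bytes). The two sample images are constructed inside the script for a typical Windows layout on a 500 GB disk and are not taken from the poster's machine; the `\\.\PhysicalDrive0` device path and the `compare()` workflow are assumptions about how one would use it on Windows, and the live read needs an elevated prompt.

```python
"""Parse and sanity-check a raw 512-byte MBR image (e.g. the MBR.dat aswMBR saves).
Added example for this thread; not code from aswMBR, TDSSKiller or the poster.
Sample images are constructed below and do not come from the poster's disk."""
import hashlib
import itertools
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445: boot code (incl. disk signature area)
PART_TABLE_OFF = 446          # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511


def parse_partition_table(data: bytes) -> list:
    """Decode the four partition entries; empty slots are returned too."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status(1) CHS start(3, ignored) type(1) CHS end(3, ignored) LBA start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", data, off)
        entries.append({"index": i, "status": status, "bootable": status == 0x80,
                        "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(data: bytes) -> dict:
    """Return boot-code hash, the used partition entries and a list of warnings."""
    if len(data) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(data)}")
    if data[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature: not a valid MBR")
    boot_code = data[:BOOT_CODE_LEN]
    entries = parse_partition_table(data)
    used = [e for e in entries if e["type"] != 0 or e["sectors"] != 0]
    warnings = []
    if boot_code == bytes(BOOT_CODE_LEN):
        warnings.append("boot code is all zeros")
    for e in entries:
        if e["status"] not in (0x00, 0x80):
            warnings.append(f"entry {e['index']}: invalid status byte 0x{e['status']:02x}")
        if e["type"] == 0 and e["sectors"] != 0:
            warnings.append(f"entry {e['index']}: type 0 but non-zero length")
    if sum(e["bootable"] for e in entries) > 1:
        warnings.append("more than one partition flagged bootable")
    # Overlap test: with spans sorted by start LBA, a later span overlaps an earlier
    # one exactly when it starts before the earlier one ends.
    spans = sorted((e["lba_start"], e["lba_start"] + e["sectors"], e["index"]) for e in used)
    for (s1, e1, i1), (s2, e2, i2) in itertools.combinations(spans, 2):
        if s2 < e1:
            warnings.append(f"entries {i1} and {i2} overlap")
    return {"boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
            "partitions": used, "warnings": warnings}


def compare(saved: bytes, live: bytes) -> dict:
    """Diff a saved MBR.dat against a later read of sector 0, boot code vs. table."""
    return {"boot_code_changed": saved[:BOOT_CODE_LEN] != live[:BOOT_CODE_LEN],
            "partition_table_changed": saved[PART_TABLE_OFF:510] != live[PART_TABLE_OFF:510]}


def read_live_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of the first disk on Windows (assumed device path; needs admin).
    Caveat: a kernel rootkit filtering disk I/O can hand back a clean sector here."""
    with open(device, "rb", buffering=0) as fh:
        return fh.read(SECTOR_SIZE)


def build_sample_mbr(entries, boot_code: bytes = None) -> bytes:
    """Assemble a constructed MBR from (status, type, lba_start, sectors) tuples."""
    if boot_code is None:
        # Stand-in boot code: classic 'xor ax,ax / mov ss,ax / mov sp,7C00h' prologue, NOP padding.
        boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]).ljust(BOOT_CODE_LEN, b"\x90")
    table = b"".join(struct.pack("<B3sB3sII", st, b"\0\0\0", pt, b"\0\0\0", lba, n)
                     for st, pt, lba, n in entries)
    return boot_code + table.ljust(4 * PART_ENTRY_LEN, b"\x00") + BOOT_SIGNATURE


# Constructed: a typical Windows 8 layout on a 500 GB disk (System Reserved + C:).
SAMPLE_CLEAN = build_sample_mbr([(0x80, 0x07, 2048, 716800),
                                 (0x00, 0x07, 718848, 976052224)])
# Constructed: the same disk with an extra active entry carved out of the C: extent.
SAMPLE_SUSPECT = build_sample_mbr([(0x80, 0x07, 2048, 716800),
                                   (0x00, 0x07, 718848, 976052224),
                                   (0x80, 0x07, 718900, 4096)])

if __name__ == "__main__":
    for name, img in (("clean", SAMPLE_CLEAN), ("suspect", SAMPLE_SUSPECT)):
        r = check_mbr(img)
        print(name, r["boot_code_sha256"][:16], [p["index"] for p in r["partitions"]], r["warnings"])
```

Run as-is it prints the boot-code hash, the used slots and the warnings for both constructed images; pointed at a real file (`check_mbr(open("MBR.dat", "rb").read())`) it does the same for the backup aswMBR wrote. Two caveats matter in a thread like this one. The boot-code hash only means something against a reference, such as an MBR.dat saved right after a clean install or the same sector read again later via `compare()`; there is no hash in the script to match against, and none should be invented. And a user-mode read of `\\.\PhysicalDrive0` goes through the storage stack, so a kernel-mode rootkit that filters disk I/O can return a clean sector to it; that is one reason dedicated anti-rootkit tools do not rely on a plain file read of sector 0.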

#3 kelykely

kelykely
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:03:34 AM

Posted 14 October 2013 - 10:41 AM

Using aswMBR, it successfully downloaded Avast and then scanned... a couple of minutes later it stated "avast antirootkit has stopped working, a problem caused..." Now what?

Using TDSSKiller, nothing was found though. I can guess that the way to remove this rootkit virus is to locate its main part inside the hard disk, remove that, then do a clean format... only then will the hard disk be clean.

Any help?


Edited by kelykely, 14 October 2013 - 10:45 AM.


#4 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:34 PM

Posted 15 October 2013 - 02:12 AM

Skip aswMBR, proceed with TDSS-Killer.



#5 kelykely

kelykely
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:03:34 AM

Posted 15 October 2013 - 04:20 AM

Nothing found with TDSS-Killer; here is the log.

Attached Files


Edited by kelykely, 15 October 2013 - 04:21 AM.


#6 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:34 PM

Posted 15 October 2013 - 06:01 AM

Scan with DDS

Download DDS and save it to your desktop from here or here or here.

Disable any script blocker, and then double-click dds.scr to run the tool.

When done, DDS will open two (2) logs:

  • DDS.txt: save to your desktop, then post its contents in your topic
  • Attach.txt: save to your desktop, then attach it to your next reply



#7 kelykely

kelykely
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:03:34 AM

Posted 15 October 2013 - 08:02 AM

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16537
Run by J at 20:56:42 on 2013-10-15
Microsoft Windows 8 Enterprise Evaluation  6.2.9200.0.1252.1.1033.18.6051.4152 [GMT 8:00]
.
AV: AVG Internet Security 2014 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
AV: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG Internet Security 2014 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: COMODO Antivirus *Disabled/Outdated* {0C2D2636-923D-EE52-2A83-E643204A8275}
FW: COMODO Firewall *Enabled* {8F7746F7-FE68-E084-3B6C-7404A51E8FB3}
FW: AVG Internet Security 2014 *Enabled* {36AFA1E1-4CDC-7EF8-11EE-C77C3581ABA2}
.
============== Running Processes ===============
.
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\dwm.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\AVG\AVG2014\avgfws.exe
C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe
C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe
C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe
C:\Program Files\Softros Systems\Process Blocker\Process Blocker.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Windows\system32\wlms\wlms.exe
C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe
C:\Program Files (x86)\AVG\AVG2014\avgemca.exe
C:\Program Files\COMODO\COMODO Internet Security\cistray.exe
C:\Program Files (x86)\UnHackMe\hackmon.exe
C:\Program Files\Softros Systems\Process Blocker\Tray Informer.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\AVG\AVG2014\avgrsa.exe
C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files (x86)\AVG\AVG2014\avgui.exe
C:\Program Files\COMODO\GeekBuddy\unit_manager.exe
C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe
C:\Users\J\Desktop\New folder\NetStalker.exe
C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
C:\Program Files (x86)\UnHackMe\gwebupdate.exe
C:\Program Files\COMODO\COMODO Internet Security\cis.exe
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\System32\Taskmgr.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_9_900_117.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_9_900_117.exe
C:\Windows\ImmersiveControlPanel\SystemSettings.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mWinlogon: Userinit = userinit.exe
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
mRun: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2014\avgui.exe" /TRAYONLY
mRun: [tvncontrol] "C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe" -controlservice -slave
mRun: [SterJo NetStalker] C:\Users\J\Desktop\New folder\NetStalker.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\StartUp\STARTG~1.LNK - C:\Program Files\COMODO\GeekBuddy\launcher.exe
uPolicies-Explorer: NoDriveAutoRun- = dword:0
uPolicies-Explorer: NoDriveTypeAutoRun- = dword:0
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDriveTypeAutoRun = dword:253
mPolicies-Explorer: NoDriveAutoRun- = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun- = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:253
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{5923183B-17AB-4FC8-AE11-D73945CFE912} : NameServer = 156.154.70.22,156.154.71.22
TCP: Interfaces\{63BD04FD-317D-4965-9F68-DAE19AD8E96A} : NameServer = 156.154.70.22,156.154.71.22
TCP: Interfaces\{63BD04FD-317D-4965-9F68-DAE19AD8E96A} : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{739EDEE1-6D8C-4A8B-BA4D-970243E8DEE1} : NameServer = 156.154.70.22,156.154.71.22
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
AppInit_DLLs= C:\PROGRA~2\NVIDIA~1\3DVISI~1\nvStInit.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\30.0.1599.69\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-mPolicies-Explorer: NoDriveAutoRun- = dword:0
x64-mPolicies-Explorer: NoDriveTypeAutoRun- = dword:0
x64-mPolicies-Explorer: NoDriveAutoRun = dword:67108863
x64-mPolicies-Explorer: NoDriveTypeAutoRun = dword:253
x64-IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\J\AppData\Roaming\Mozilla\Firefox\Profiles\y75slx9y.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.165\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_9_900_117.dll
FF - ExtSQL: 2013-10-09 10:15; fbsidebardisabler@vittgam.net; C:\Users\J\AppData\Roaming\Mozilla\Firefox\Profiles\y75slx9y.default\extensions\fbsidebardisabler@vittgam.net.xpi
FF - ExtSQL: 2013-10-10 19:39; geolocater@3liz.com; C:\Users\J\AppData\Roaming\Mozilla\Firefox\Profiles\y75slx9y.default\extensions\geolocater@3liz.com
FF - ExtSQL: 2013-10-12 01:39; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; C:\Users\J\AppData\Roaming\Mozilla\Firefox\Profiles\y75slx9y.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2013-10-14 02:38; {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}; C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - ExtSQL: 2013-10-14 14:15; {b9db16a4-6edc-47ec-a1f4-b86292ed211d}; C:\Users\J\AppData\Roaming\Mozilla\Firefox\Profiles\y75slx9y.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHA;AVGIDSHA;C:\Windows\System32\Drivers\avgidsha.sys [2013-9-3 192824]
R0 Avgloga;AVG Logging Driver;C:\Windows\System32\Drivers\avgloga.sys [2013-9-3 294712]
R0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\Drivers\avgmfx64.sys [2013-8-21 123704]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\Drivers\avgrkx64.sys [2013-9-9 31544]
R0 nvpciflt;nvpciflt;C:\Windows\System32\Drivers\nvpciflt.sys [2012-10-9 30056]
R1 Avgdiska;AVG Disk Driver;C:\Windows\System32\Drivers\avgdiska.sys [2013-9-25 148792]
R1 Avgfwfd;AVG network filter service;C:\Windows\System32\Drivers\avgfwd6a.sys [2012-9-5 57144]
R1 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\Drivers\avgidsdrivera.sys [2013-9-3 241464]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\Drivers\avgldx64.sys [2013-9-3 212280]
R1 Avgwfpa;AVG Firewall Driver;C:\Windows\System32\Drivers\avgwfpa.sys [2013-7-30 252728]
R1 CFRMD;CFRMD;C:\Windows\System32\Drivers\CFRMD.sys [2013-5-7 40224]
R1 cmderd;COMODO Internet Security Eradication Driver;C:\Windows\System32\Drivers\cmderd.sys [2013-9-24 23168]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;C:\Windows\System32\Drivers\cmdguard.sys [2013-9-24 715824]
R1 cmdhlp;COMODO Internet Security Helper Driver;C:\Windows\System32\Drivers\cmdhlp.sys [2013-9-24 38072]
R1 HMD;COMODO livePCsupport Hardware Monitor Driver;C:\Windows\System32\Drivers\hmd.sys [2013-10-4 14888]
R1 nvkflt;nvkflt;C:\Windows\System32\Drivers\nvkflt.sys [2012-10-9 284008]
R2 avgfws;AVG Firewall;C:\Program Files (x86)\AVG\AVG2014\avgfws.exe [2013-9-25 1358944]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe [2013-10-3 3538480]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe [2013-9-25 301152]
R2 CLPSLauncher;COMODO LPS Launcher;C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe [2013-10-11 70352]
R2 DragonUpdater;COMODO Dragon Update Service;C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe [2013-10-10 2104968]
R2 GeekBuddyRSP;GeekBuddyRSP Server;C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe [2013-10-11 2327248]
R2 Process Blocker;Process Blocker;C:\Program Files\Softros Systems\Process Blocker\Process Blocker.exe [2013-9-24 1901392]
R2 Skype C2C Service;Skype C2C Service;C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2013-9-16 3273088]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-10-3 382824]
R2 WLMS;Windows Licensing Monitoring Service;C:\Windows\System32\wlms\wlms.exe [2012-7-26 21504]
R3 netr7364;RT73 USB Extensible Wireless LAN Card Driver;C:\Windows\System32\Drivers\netr7364.sys [2012-6-2 729152]
R3 RTL8168;Realtek 8168 NT Driver;C:\Windows\System32\Drivers\Rt630x64.sys [2012-6-2 589824]
S0 Avgboota;AVG Early Launch Anti-Malware Driver;C:\Windows\System32\Drivers\avgboota.sys [2013-9-4 20496]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-9-5 171680]
S3 cmdvirth;COMODO Virtual Service Manager;C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe [2013-9-24 164056]
S3 vmbusr;Virtual Machine Bus Provider;C:\Windows\System32\Drivers\vmbusr.sys [2012-7-26 117248]
.
=============== Created Last 30 ================
.
2013-10-15 11:46:03    --------    d-----w-    C:\Users\J\AppData\Local\SoftFinder Downloader
2013-10-15 11:43:49    --------    d-----w-    C:\Users\J\AppData\Local\Programs
2013-10-15 01:41:05    290992    ----a-w-    C:\ProgramData\Microsoft\Windows\Sqm\Manifest\Sqm10221.bin
2013-10-14 16:02:09    --------    d-----w-    C:\Program Files\Softros Systems
2013-10-14 06:16:03    --------    d-----w-    C:\Users\J\dwhelper
2013-10-13 21:31:20    115712    ----a-w-    C:\Windows\System32\wbem\PolicMan.dll
2013-10-13 21:31:20    109568    ----a-w-    C:\Windows\System32\dskquota.dll
2013-10-13 21:31:19    84992    ----a-w-    C:\Windows\SysWow64\wbem\PolicMan.dll
2013-10-13 21:31:19    82944    ----a-w-    C:\Windows\SysWow64\dskquota.dll
2013-10-13 21:30:53    929792    ----a-w-    C:\Windows\SysWow64\mfnetsrc.dll
2013-10-13 21:30:53    677888    ----a-w-    C:\Windows\System32\mfnetcore.dll
2013-10-13 21:30:53    673280    ----a-w-    C:\Windows\System32\mfmpeg2srcsnk.dll
2013-10-13 21:30:53    568832    ----a-w-    C:\Windows\SysWow64\mfnetcore.dll
2013-10-13 21:30:53    513024    ----a-w-    C:\Windows\SysWow64\mfmpeg2srcsnk.dll
2013-10-13 21:30:53    1172992    ----a-w-    C:\Windows\System32\mfnetsrc.dll
2013-10-13 21:28:59    67584    ----a-w-    C:\Windows\SysWow64\samlib.dll
2013-10-13 21:27:56    3245568    ----a-w-    C:\Windows\System32\rdpcorets.dll
2013-10-13 21:26:53    8552448    ----a-w-    C:\Windows\SysWow64\glcndFilter.dll
2013-10-13 16:05:27    --------    d-----w-    C:\Windows\SysWow64\RegRun
2013-10-13 15:32:38    --------    d-----w-    C:\Program Files (x86)\Common Files\COMODO
2013-10-12 14:01:18    48392    ----a-w-    C:\Windows\SysWow64\certsentry.dll
2013-10-12 13:59:38    348160    ----a-w-    C:\Windows\SysWow64\msvcr71.dll
2013-10-12 13:59:38    1060864    ----a-w-    C:\Windows\SysWow64\mfc71.dll
2013-10-12 13:59:14    --------    d-s---w-    C:\ProgramData\Shared Space
2013-10-12 13:58:10    --------    d-----w-    C:\Program Files\AdTrustMedia
2013-10-12 13:58:04    --------    d-----w-    C:\ProgramData\Adtrustmedia
2013-10-12 13:57:22    --------    d-----w-    C:\ProgramData\COMODO
2013-10-12 13:56:42    --------    d-----w-    C:\Program Files\COMODO
2013-10-12 13:56:20    --------    d-----w-    C:\Users\J\AppData\Local\Comodo
2013-10-12 13:56:06    57096    ----a-w-    C:\Windows\System32\certsentry.dll
2013-10-12 13:55:25    --------    d-----w-    C:\Program Files (x86)\Comodo
2013-10-12 13:55:16    --------    d-----w-    C:\ProgramData\Comodo Downloader
2013-10-11 22:00:56    --------    d-----r-    C:\Program Files (x86)\Skype
2013-10-11 12:59:04    652288    ----a-w-    C:\Windows\System32\comctl32.dll
2013-10-11 12:59:03    541696    ----a-w-    C:\Windows\SysWow64\comctl32.dll
2013-10-11 12:58:28    2035200    ----a-w-    C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll
2013-10-11 12:58:28    1617920    ----a-w-    C:\Program Files\Windows Journal\NBDoc.DLL
2013-10-11 12:58:28    1413632    ----a-w-    C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\InkObj.dll
2013-10-11 12:58:28    1318912    ----a-w-    C:\Program Files\Windows Journal\JNWDRV.dll
2013-10-11 12:58:28    1306112    ----a-w-    C:\Program Files\Windows Journal\JNTFiltr.dll
2013-10-11 12:58:28    1272320    ----a-w-    C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll
2013-10-11 12:58:28    1029632    ----a-w-    C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\journal.dll
2013-10-11 12:58:27    86016    ----a-w-    C:\Windows\System32\ncryptsslp.dll
2013-10-11 12:58:27    71168    ----a-w-    C:\Windows\SysWow64\ncryptsslp.dll
2013-10-11 12:56:59    817664    ----a-w-    C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll
2013-10-11 05:37:31    40208    ----a-w-    C:\Windows\System32\Partizan.exe
2013-10-10 08:22:34    301568    ----a-w-    C:\Windows\System32\newdev.dll
2013-10-10 08:22:33    76288    ----a-w-    C:\Windows\System32\newdev.exe
2013-10-10 08:22:33    75264    ----a-w-    C:\Windows\System32\ndadmin.exe
2013-10-10 08:22:33    74240    ----a-w-    C:\Windows\SysWow64\newdev.exe
2013-10-10 08:22:33    73728    ----a-w-    C:\Windows\SysWow64\ndadmin.exe
2013-10-10 08:22:33    275968    ----a-w-    C:\Windows\SysWow64\newdev.dll
2013-10-10 08:00:02    78296    ----a-w-    C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-10-10 08:00:02    694232    ----a-w-    C:\Windows\SysWow64\FlashPlayerApp.exe
2013-10-10 07:24:53    2094592    ----a-w-    C:\Windows\System32\mmc.exe
2013-10-10 07:23:32    4917760    ----a-w-    C:\Windows\System32\sppsvc.exe
2013-10-10 07:21:24    1455368    ----a-w-    C:\Windows\System32\drivers\dxgkrnl.sys
2013-10-10 07:19:23    99328    ----a-w-    C:\Windows\System32\drivers\usbcir.sys
2013-10-10 07:19:23    785624    ----a-w-    C:\Windows\System32\drivers\Wdf01000.sys
2013-10-10 07:19:23    54488    ----a-w-    C:\Windows\System32\drivers\WdfLdr.sys
2013-10-10 07:19:23    210560    ----a-w-    C:\Windows\System32\drivers\usbvideo.sys
2013-10-10 07:19:22    83968    ----a-w-    C:\Windows\System32\drivers\hidclass.sys
2013-10-10 07:19:22    32768    ----a-w-    C:\Windows\System32\drivers\hidparse.sys
2013-10-10 07:19:22    27648    ----a-w-    C:\Windows\System32\drivers\hidusb.sys
2013-10-10 07:19:22    25600    ----a-w-    C:\Windows\System32\drivers\usbprint.sys
2013-10-10 07:18:32    17888    ----a-w-    C:\Windows\System32\msvcr100_clr0400.dll
2013-10-10 07:18:31    17888    ----a-w-    C:\Windows\SysWow64\msvcr100_clr0400.dll
2013-10-10 07:11:20    694272    ----a-w-    C:\Windows\SysWow64\rpcrt4.dll
2013-10-10 07:11:20    1314816    ----a-w-    C:\Windows\System32\rpcrt4.dll
2013-10-10 07:11:18    141312    ----a-w-    C:\Windows\System32\cryptnet.dll
2013-10-10 07:11:18    1255936    ----a-w-    C:\Windows\System32\certutil.exe
2013-10-10 07:11:18    109056    ----a-w-    C:\Windows\SysWow64\cryptnet.dll
2013-10-10 07:11:18    1013248    ----a-w-    C:\Windows\SysWow64\certutil.exe
2013-10-10 07:11:06    411880    ----a-w-    C:\Windows\System32\drivers\FWPKCLNT.SYS
2013-10-10 07:10:03    2893824    ----a-w-    C:\Windows\System32\msmpeg2vdec.dll
2013-10-10 07:10:02    2400256    ----a-w-    C:\Windows\SysWow64\msmpeg2vdec.dll
2013-10-10 07:09:07    595968    ----a-w-    C:\Windows\System32\qedit.dll
2013-10-10 07:09:07    496640    ----a-w-    C:\Windows\SysWow64\qedit.dll
2013-10-10 07:09:06    26624    ----a-w-    C:\Windows\System32\ReAgentc.exe
2013-10-10 07:09:06    24064    ----a-w-    C:\Windows\SysWow64\ReAgentc.exe
2013-10-10 07:07:54    370688    ----a-w-    C:\Windows\System32\drivers\mrxsmb.sys
2013-10-10 07:07:53    215552    ----a-w-    C:\Windows\System32\drivers\mrxsmb20.sys
2013-10-10 07:07:53    1690624    ----a-w-    C:\Windows\System32\GdiPlus.dll
2013-10-10 07:07:53    1437184    ----a-w-    C:\Windows\SysWow64\GdiPlus.dll
2013-10-10 07:07:01    79192    ----a-w-    C:\Windows\System32\drivers\usbehci.sys
2013-10-10 07:07:01    623448    ----a-w-    C:\Windows\System32\drivers\usbhub.sys
2013-10-10 07:07:01    498008    ----a-w-    C:\Windows\System32\drivers\usbport.sys
2013-10-10 07:07:01    32256    ----a-w-    C:\Windows\System32\drivers\usbuhci.sys
2013-10-10 07:07:01    27136    ----a-w-    C:\Windows\System32\drivers\usbohci.sys
2013-10-10 07:07:01    21848    ----a-w-    C:\Windows\System32\drivers\usbd.sys
2013-10-10 07:07:01    120832    ----a-w-    C:\Windows\System32\drivers\usbccgp.sys
2013-10-10 07:07:00    1838080    ----a-w-    C:\Windows\System32\DWrite.dll
2013-10-10 07:07:00    1421312    ----a-w-    C:\Windows\SysWow64\DWrite.dll
2013-10-10 07:06:49    20992    ----a-w-    C:\Windows\System32\drivers\usb8023.sys
2013-10-10 07:06:34    70144    ----a-w-    C:\Windows\System32\appinfo.dll
2013-10-10 07:06:34    112872    ----a-w-    C:\Windows\System32\consent.exe
2013-10-10 07:04:59    888320    ----a-w-    C:\Windows\System32\autochk.exe
2013-10-10 07:03:59    99840    ----a-w-    C:\Windows\System32\wscsvc.dll
2013-10-10 07:02:09    2842112    ----a-w-    C:\Windows\System32\WMVDECOD.DLL
2013-10-10 07:02:09    2620928    ----a-w-    C:\Windows\SysWow64\WMVDECOD.DLL
2013-10-10 07:02:04    405504    ----a-w-    C:\Windows\System32\pcasvc.dll
2013-10-10 07:02:04    31232    ----a-w-    C:\Windows\System32\pcadm.dll
2013-10-10 07:02:04    13312    ----a-w-    C:\Windows\System32\pcalua.exe
2013-10-10 07:02:04    11776    ----a-w-    C:\Windows\System32\pcaevts.dll
2013-10-10 07:00:55    1558912    ----a-w-    C:\Program Files\Windows Defender\DbgHelp.dll
2013-10-10 07:00:55    149264    ----a-w-    C:\Program Files\Windows Defender\SymSrv.dll
2013-10-10 06:32:12    --------    d-----w-    C:\Windows\SysWow64\NV
2013-10-10 06:32:12    --------    d-----w-    C:\Windows\System32\NV
2013-10-10 05:41:37    --------    d-----w-    C:\ProgramData\RegRun
2013-10-10 05:41:36    35816    ----a-w-    C:\Windows\SysWow64\drivers\Partizan.sys
2013-10-10 05:41:31    2    --shatr-    C:\Windows\winstart.bat
2013-10-10 05:41:26    12800    ----a-w-    C:\Windows\SysWow64\drivers\UnHackMeDrv.sys
2013-10-09 14:56:23    --------    d-sh--r-    C:\comment.htt
2013-10-09 14:55:07    --------    d-----w-    C:\Program Files (x86)\Greatis
2013-10-09 12:11:33    --------    d-----w-    C:\Program Files (x86)\UnHackMe
2013-10-09 06:26:56    --------    d-----w-    C:\Windows\System32\MRT
2013-10-09 02:47:42    --------    d-----w-    C:\Users\J\AppData\Roaming\AVG2014
2013-10-09 02:47:04    --------    d-----w-    C:\Users\J\AppData\Roaming\TuneUp Software
2013-10-09 02:46:45    --------    d--h--w-    C:\$AVG
2013-10-09 02:46:45    --------    d-----w-    C:\ProgramData\AVG2014
2013-10-09 02:46:35    --------    d-----w-    C:\Program Files (x86)\AVG
2013-10-09 02:32:49    --------    d-----w-    C:\Windows\Panther
2013-10-09 02:21:27    --------    d-----w-    C:\Users\J\AppData\Local\Macromedia
2013-10-09 02:19:36    --------    d-----w-    C:\Users\J\AppData\Local\Adobe
2013-10-09 02:07:44    --------    d-----w-    C:\Intel
2013-10-09 02:03:19    866664    ----a-w-    C:\Windows\System32\nv3dappshext.dll
2013-10-09 02:03:19    55144    ----a-w-    C:\Windows\System32\nv3dappshextr.dll
2013-10-09 02:03:18    891240    ----a-w-    C:\Windows\System32\nvvsvc.exe
2013-10-09 02:03:18    63336    ----a-w-    C:\Windows\System32\nvshext.dll
2013-10-09 02:03:18    6200680    ----a-w-    C:\Windows\System32\nvcpl.dll
2013-10-09 02:03:18    3536817    ----a-w-    C:\Windows\System32\nvcoproc.bin
2013-10-09 02:03:18    3293544    ----a-w-    C:\Windows\System32\nvsvc64.dll
2013-10-09 02:03:18    2557800    ----a-w-    C:\Windows\System32\nvsvcr.dll
2013-10-09 02:03:18    118120    ----a-w-    C:\Windows\System32\nvmctray.dll
2013-10-09 02:02:40    60776    ----a-w-    C:\Windows\System32\OpenCL.dll
2013-10-09 02:02:40    52584    ----a-w-    C:\Windows\SysWow64\OpenCL.dll
2013-10-09 02:01:52    --------    d-----w-    C:\ProgramData\NVIDIA Corporation
2013-10-09 02:01:40    --------    d-----w-    C:\Program Files\NVIDIA Corporation
2013-10-09 02:01:40    --------    d-----w-    C:\Program Files (x86)\NVIDIA Corporation
2013-10-09 01:54:16    --------    d-----w-    C:\Users\J\AppData\Local\Google
2013-10-09 01:48:25    --------    d--h--w-    C:\ProgramData\Common Files
2013-10-09 01:48:25    --------    d-----w-    C:\Users\J\AppData\Local\MFAData
2013-10-09 01:48:25    --------    d-----w-    C:\Users\J\AppData\Local\Avg2014
2013-10-09 01:48:25    --------    d-----w-    C:\ProgramData\MFAData
2013-10-09 01:39:27    --------    d-----r-    C:\Users\J\Searches
2013-10-09 01:39:27    --------    d-----r-    C:\Users\J\Contacts
2013-10-09 01:38:34    --------    d-----w-    C:\Users\J\AppData\Local\VirtualStore
2013-10-09 01:38:12    --------    d-----w-    C:\Users\J\AppData\Local\Packages
2013-10-09 01:38:11    --------    d-----w-    C:\ProgramData\PRICache
2013-10-08 17:00:06    50784    ----a-w-    C:\ProgramData\Microsoft\windowsfiltering\Sqm\Manifest\Sqm3.bin
2013-10-08 17:00:03    17536    ----a-w-    C:\ProgramData\Microsoft\windowssampling\Sqm\Manifest\Sqm3.bin
2013-10-04 08:15:02    14888    ----a-w-    C:\Windows\System32\drivers\hmd.sys
2013-09-25 13:07:30    148792    ----a-w-    C:\Windows\System32\drivers\avgdiska.sys
2013-09-24 03:54:18    715824    ----a-w-    C:\Windows\System32\drivers\cmdguard.sys
2013-09-24 03:54:18    38072    ----a-w-    C:\Windows\System32\drivers\cmdhlp.sys
2013-09-24 03:54:16    23168    ----a-w-    C:\Windows\System32\drivers\cmderd.sys
2013-09-24 03:53:54    43216    ----a-w-    C:\Windows\System32\cmdcsr.dll
2013-09-24 03:53:52    444392    ----a-w-    C:\Windows\System32\guard64.dll
2013-09-24 03:53:52    354240    ----a-w-    C:\Windows\SysWow64\guard32.dll
2013-09-24 03:53:42    347864    ----a-w-    C:\Windows\System32\cmdvrt64.dll
2013-09-24 03:53:40    45784    ----a-w-    C:\Windows\System32\cmdkbd64.dll
2013-09-24 03:53:36    40664    ----a-w-    C:\Windows\SysWow64\cmdkbd32.dll
2013-09-24 03:53:36    280792    ----a-w-    C:\Windows\SysWow64\cmdvrt32.dll
2013-09-16 04:30:40    4806016    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
2013-09-16 04:30:40    4806016    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
.
==================== Find3M  ====================
.
2013-10-04 08:15:02    14888    ----a-w-    C:\Windows\inf\HMD\hmd.sys
2013-09-26 01:44:54    57144    ----a-w-    C:\Windows\System32\drivers\avgfwd6a.sys
2013-09-22 23:28:06    1767936    ----a-w-    C:\Windows\SysWow64\wininet.dll
2013-09-22 23:27:49    2876928    ----a-w-    C:\Windows\SysWow64\jscript9.dll
2013-09-22 22:55:10    2241024    ----a-w-    C:\Windows\System32\wininet.dll
2013-09-22 22:54:51    3959296    ----a-w-    C:\Windows\System32\jscript9.dll
2013-09-09 05:11:42    31544    ----a-w-    C:\Windows\System32\drivers\avgrkx64.sys
2013-09-05 09:35:06    68304    ----a-w-    C:\Windows\System32\offreg.dll
2013-09-04 07:35:06    20496    ----a-w-    C:\Windows\System32\drivers\avgboota.sys
2013-09-02 17:59:14    212280    ----a-w-    C:\Windows\System32\drivers\avgldx64.sys
2013-09-02 17:29:18    294712    ----a-w-    C:\Windows\System32\drivers\avgloga.sys
2013-09-02 17:26:50    192824    ----a-w-    C:\Windows\System32\drivers\avgidsha.sys
2013-09-02 17:26:42    241464    ----a-w-    C:\Windows\System32\drivers\avgidsdrivera.sys
2013-08-23 05:11:57    4040192    ----a-w-    C:\Windows\System32\win32k.sys
2013-08-21 05:53:58    123704    ----a-w-    C:\Windows\System32\drivers\avgmfx64.sys
2013-08-16 05:41:13    58200    ----a-w-    C:\Windows\System32\drivers\dam.sys
2013-08-16 05:39:26    2371728    ----a-w-    C:\Windows\System32\WSService.dll
2013-08-16 05:32:48    209200    ----a-w-    C:\Windows\System32\NotificationUI.exe
2013-08-16 05:22:22    40448    ----a-w-    C:\Windows\System32\wuapp.exe
2013-08-16 05:20:30    105984    ----a-w-    C:\Windows\System32\WinSetupUI.dll
2013-08-15 22:43:21    35328    ----a-w-    C:\Windows\SysWow64\wuapp.exe
2013-08-15 22:43:07    84992    ----a-w-    C:\Windows\SysWow64\wudriver.dll
2013-08-15 22:43:07    126976    ----a-w-    C:\Windows\SysWow64\wuwebv.dll
2013-08-15 22:43:03    562688    ----a-w-    C:\Windows\SysWow64\WSShared.dll
2013-08-15 22:43:03    159232    ----a-w-    C:\Windows\SysWow64\WSSync.dll
2013-08-15 22:43:02    83968    ----a-w-    C:\Windows\SysWow64\OEMLicense.dll
2013-08-15 22:43:02    167424    ----a-w-    C:\Windows\SysWow64\WSClient.dll
2013-08-15 22:43:02    143872    ----a-w-    C:\Windows\SysWow64\Windows.ApplicationModel.Store.dll
2013-08-15 22:43:02    124928    ----a-w-    C:\Windows\SysWow64\Windows.ApplicationModel.Store.TestingFramework.dll
2013-08-15 22:42:52    76800    ----a-w-    C:\Windows\SysWow64\setupcln.dll
2013-08-15 22:42:47    91648    ----a-w-    C:\Windows\SysWow64\sppc.dll
2013-08-10 05:21:51    448512    ----a-w-    C:\Windows\System32\SettingSync.dll
2013-08-10 05:21:51    128512    ----a-w-    C:\Windows\System32\SettingSyncInfo.dll
2013-08-10 03:58:51    356352    ----a-w-    C:\Windows\SysWow64\SettingSync.dll
2013-08-07 05:15:02    144896    ----a-w-    C:\Windows\System32\tssdisai.dll
2013-08-03 06:40:49    462336    ----a-w-    C:\Windows\System32\sysmon.ocx
2013-08-03 06:40:17    566784    ----a-w-    C:\Windows\System32\wvc.dll
2013-08-03 06:40:01    1374208    ----a-w-    C:\Windows\System32\wdc.dll
2013-08-03 05:14:15    399360    ----a-w-    C:\Windows\SysWow64\sysmon.ocx
2013-08-03 05:13:57    437248    ----a-w-    C:\Windows\SysWow64\wvc.dll
2013-08-03 05:13:43    1245696    ----a-w-    C:\Windows\SysWow64\wdc.dll
2013-08-02 06:28:29    10116608    ----a-w-    C:\Windows\System32\twinui.dll
2013-08-02 06:26:53    2304512    ----a-w-    C:\Windows\System32\authui.dll
2013-08-02 05:08:18    8858112    ----a-w-    C:\Windows\SysWow64\twinui.dll
2013-08-02 05:06:50    2035712    ----a-w-    C:\Windows\SysWow64\authui.dll
2013-08-01 10:41:31    2233688    ----a-w-    C:\Windows\System32\drivers\tcpip.sys
2013-07-30 02:01:20    252728    ----a-w-    C:\Windows\System32\drivers\avgwfpa.sys
2013-07-24 23:10:08    158208    ----a-w-    C:\Windows\SysWow64\mbsmsapi.dll
2013-07-24 23:06:39    225280    ----a-w-    C:\Windows\System32\mbsmsapi.dll
.
============= FINISH: 20:57:26.73 ===============

#8 TB-Psychotic (Malware Response Team)

Posted 15 October 2013 - 08:45 AM

ComboFix

ComboFix should only be run when advised by a team member!

Link

Important - Save the file to your desktop!

  • Deactivate any and all of your antivirus programs / spyware scanners - they can prevent CF from doing its work.
  • Run ComboFix.exe

When finished, ComboFix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing "Illegal operation attempted on a registry key that has been marked for deletion", simply restart your computer to fix this.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#9 kelykely (Topic Starter)

Posted 15 October 2013 - 12:18 PM

Using ComboFix, it's stuck at extracting at C:\... I have disabled everything, and even put "allow" on AVG when it pops up about ComboFix.



#10 TB-Psychotic (Malware Response Team)

Posted 16 October 2013 - 02:44 AM

Deactivate any and all of your antivirus programs / spyware scanners - they can prevent CF from doing its work.



#11 kelykely (Topic Starter)

Posted 16 October 2013 - 07:01 AM

http://imageshack.us/f/13/mdtg.png/

Image of it stuck.



#12 TB-Psychotic (Malware Response Team)

Posted 17 October 2013 - 02:22 AM

Reboot into Safe Mode and try again.



#13 kelykely (Topic Starter)

Posted 21 October 2013 - 05:32 AM

Here is the ComboFix log from Safe Mode:


ComboFix 13-10-16.02 - J 10/21/2013  17:42:49.1.8 - x64 MINIMAL
Microsoft Windows 8 Enterprise Evaluation  6.2.9200.0.1252.1.1033.18.6051.4821 [GMT 8:00]
Running from: c:\users\J\Desktop\ComboFix.exe
AV: AVG Internet Security 2014 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
AV: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: AVG Internet Security 2014 *Disabled* {36AFA1E1-4CDC-7EF8-11EE-C77C3581ABA2}
FW: COMODO Firewall *Enabled* {8F7746F7-FE68-E084-3B6C-7404A51E8FB3}
SP: AVG Internet Security 2014 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: COMODO Antivirus *Disabled/Outdated* {0C2D2636-923D-EE52-2A83-E643204A8275}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\J\Desktop\Setup.exe
c:\windows\SysWow64\SET2E6B.tmp
.
.
(((((((((((((((((((((((((   Files Created from 2013-09-21 to 2013-10-21  )))))))))))))))))))))))))))))))
.
.
2013-10-21 09:50 . 2013-10-21 09:50    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-10-19 16:25 . 2013-10-19 16:25    --------    d-----w-    c:\programdata\regid.1986-12.com.adobe
2013-10-19 15:31 . 2013-10-19 15:31    --------    d-----w-    c:\programdata\regid.1995-08.com.techsmith
2013-10-19 15:31 . 2013-10-19 15:31    --------    d-----w-    c:\program files (x86)\QuickTime
2013-10-19 15:31 . 2013-10-19 15:31    --------    d-----w-    c:\program files (x86)\Common Files\TechSmith Shared
2013-10-19 15:31 . 2013-10-19 15:31    --------    d-----w-    c:\programdata\TechSmith
2013-10-19 15:31 . 2013-10-19 15:31    --------    d-----w-    c:\program files (x86)\TechSmith
2013-10-19 15:14 . 2013-08-22 17:09    256088    ----a-w-    c:\windows\system32\unrar64.dll
2013-10-19 15:14 . 2013-08-22 17:09    217176    ----a-w-    c:\windows\SysWow64\unrar.dll
2013-10-19 15:14 . 2013-10-19 15:14    --------    d-----w-    c:\program files (x86)\K-Lite Codec Pack
2013-10-19 15:06 . 2013-10-19 15:09    --------    d-----w-    c:\program files (x86)\CamStudio 2.7
2013-10-17 21:31 . 2013-10-17 21:31    --------    d-----w-    c:\windows\ServiceProfiles\LocalService\winhttp
2013-10-17 12:04 . 2013-10-17 12:04    --------    d-----w-    c:\program files (x86)\PDFZilla
2013-10-16 15:21 . 2013-10-16 15:21    --------    d-----w-    c:\program files (x86)\MagicISO
2013-10-16 14:03 . 2013-10-16 14:03    224016    --s---r-    c:\windows\SysWow64\TABCTL32.OCX
2013-10-16 14:03 . 2013-10-16 14:03    152848    --s---r-    c:\windows\SysWow64\COMDLG32.OCX
2013-10-16 14:03 . 2013-10-16 14:03    1010720    --s---r-    c:\windows\SysWow64\MSCHRT20.OCX
2013-10-16 14:03 . 2013-10-16 14:03    --------    d-----w-    c:\program files (x86)\Technitium
2013-10-16 14:03 . 2013-10-16 14:03    1081616    --s---r-    c:\windows\SysWow64\MSCOMCTL.OCX
2013-10-16 13:51 . 2013-10-16 13:51    --------    d-----w-    c:\program files (x86)\Win7 MAC Address Changer
2013-10-15 01:41 . 2013-10-15 01:41    290992    ----a-w-    c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10221.bin
2013-10-14 16:02 . 2013-10-14 16:02    --------    d-----w-    c:\program files\Softros Systems
2013-10-13 21:31 . 2012-10-12 06:14    115712    ----a-w-    c:\windows\system32\wbem\PolicMan.dll
2013-10-13 21:31 . 2012-10-12 06:13    109568    ----a-w-    c:\windows\system32\dskquota.dll
2013-10-13 21:31 . 2012-10-12 05:40    84992    ----a-w-    c:\windows\SysWow64\wbem\PolicMan.dll
2013-10-13 21:31 . 2012-10-12 05:39    82944    ----a-w-    c:\windows\SysWow64\dskquota.dll
2013-10-13 21:30 . 2012-10-24 04:54    396008    ----a-w-    c:\windows\system32\hal.dll
2013-10-13 21:30 . 2012-10-17 04:32    1172992    ----a-w-    c:\windows\system32\mfnetsrc.dll
2013-10-13 21:30 . 2012-10-17 04:32    677888    ----a-w-    c:\windows\system32\mfnetcore.dll
2013-10-13 21:30 . 2012-10-17 04:32    673280    ----a-w-    c:\windows\system32\mfmpeg2srcsnk.dll
2013-10-13 21:30 . 2012-10-17 03:57    929792    ----a-w-    c:\windows\SysWow64\mfnetsrc.dll
2013-10-13 21:30 . 2012-10-17 03:57    568832    ----a-w-    c:\windows\SysWow64\mfnetcore.dll
2013-10-13 21:30 . 2012-10-17 03:57    513024    ----a-w-    c:\windows\SysWow64\mfmpeg2srcsnk.dll
2013-10-13 21:28 . 2013-06-01 09:25    67584    ----a-w-    c:\windows\SysWow64\samlib.dll
2013-10-13 21:27 . 2012-11-27 04:19    3245568    ----a-w-    c:\windows\system32\rdpcorets.dll
2013-10-13 21:26 . 2012-11-06 04:19    8552448    ----a-w-    c:\windows\SysWow64\glcndFilter.dll
2013-10-13 16:05 . 2013-10-13 16:05    --------    d-----w-    c:\windows\SysWow64\RegRun
2013-10-13 15:32 . 2013-10-13 15:32    --------    d-----w-    c:\program files (x86)\Common Files\COMODO
2013-10-12 14:01 . 2013-10-12 14:01    48392    ----a-w-    c:\windows\SysWow64\certsentry.dll
2013-10-12 13:59 . 2013-10-12 13:59    348160    ----a-w-    c:\windows\SysWow64\msvcr71.dll
2013-10-12 13:59 . 2013-10-12 13:59    1060864    ----a-w-    c:\windows\SysWow64\mfc71.dll
2013-10-12 13:59 . 2013-10-12 14:01    --------    d-s---w-    c:\programdata\Shared Space
2013-10-12 13:58 . 2013-10-12 13:58    --------    d-----w-    c:\program files\AdTrustMedia
2013-10-12 13:58 . 2013-10-12 13:58    --------    d-----w-    c:\programdata\Adtrustmedia
2013-10-12 13:57 . 2013-10-12 14:00    --------    d-----w-    c:\programdata\COMODO
2013-10-12 13:56 . 2013-10-12 13:58    --------    d-----w-    c:\program files\COMODO
2013-10-12 13:56 . 2013-10-12 14:01    57096    ----a-w-    c:\windows\system32\certsentry.dll
2013-10-12 13:55 . 2013-10-12 13:59    --------    d-----w-    c:\program files (x86)\Comodo
2013-10-12 13:55 . 2013-10-12 13:55    --------    d-----w-    c:\programdata\Comodo Downloader
2013-10-12 13:32 . 2013-10-12 13:32    --------    d-----w-    c:\program files\WinRAR
2013-10-11 22:00 . 2013-10-11 22:00    --------    d-----w-    c:\program files (x86)\Common Files\Skype
2013-10-11 22:00 . 2013-10-20 15:12    --------    d-----r-    c:\program files (x86)\Skype
2013-10-11 22:00 . 2013-10-13 18:38    --------    d-----w-    c:\programdata\Skype
2013-10-11 12:59 . 2013-07-06 00:15    652288    ----a-w-    c:\windows\system32\comctl32.dll
2013-10-11 12:59 . 2013-07-04 02:13    541696    ----a-w-    c:\windows\SysWow64\comctl32.dll
2013-10-11 12:58 . 2013-04-11 04:12    1029632    ----a-w-    c:\program files (x86)\Common Files\Microsoft Shared\Ink\journal.dll
2013-10-11 12:58 . 2013-04-11 04:12    1413632    ----a-w-    c:\program files (x86)\Common Files\Microsoft Shared\Ink\InkObj.dll
2013-10-11 12:58 . 2013-04-10 22:35    1617920    ----a-w-    c:\program files\Windows Journal\NBDoc.DLL
2013-10-11 12:58 . 2013-04-10 22:35    2035200    ----a-w-    c:\program files\Common Files\Microsoft Shared\ink\InkObj.dll
2013-10-11 12:58 . 2013-04-10 22:35    1318912    ----a-w-    c:\program files\Windows Journal\JNWDRV.dll
2013-10-11 12:58 . 2013-04-10 22:35    1306112    ----a-w-    c:\program files\Windows Journal\JNTFiltr.dll
2013-10-11 12:58 . 2013-04-10 22:35    1272320    ----a-w-    c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2013-10-11 12:58 . 2012-11-26 04:21    71168    ----a-w-    c:\windows\SysWow64\ncryptsslp.dll
2013-10-11 12:58 . 2012-11-26 04:20    86016    ----a-w-    c:\windows\system32\ncryptsslp.dll
2013-10-11 05:37 . 2013-10-11 05:37    40208    ----a-w-    c:\windows\system32\Partizan.exe
2013-10-11 02:41 . 2013-10-11 02:41    --------    d-----w-    c:\users\Default\AppData\Roaming\TuneUp Software
2013-10-10 08:22 . 2012-09-27 07:15    301568    ----a-w-    c:\windows\system32\newdev.dll
2013-10-10 08:22 . 2012-09-27 07:17    76288    ----a-w-    c:\windows\system32\newdev.exe
2013-10-10 08:22 . 2012-09-27 07:17    75264    ----a-w-    c:\windows\system32\ndadmin.exe
2013-10-10 08:22 . 2012-09-27 06:35    74240    ----a-w-    c:\windows\SysWow64\newdev.exe
2013-10-10 08:22 . 2012-09-27 06:35    73728    ----a-w-    c:\windows\SysWow64\ndadmin.exe
2013-10-10 08:22 . 2012-09-27 06:34    275968    ----a-w-    c:\windows\SysWow64\newdev.dll
2013-10-10 08:00 . 2013-10-02 01:38    78296    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-10-10 08:00 . 2013-10-02 01:38    694232    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2013-10-10 07:24 . 2013-01-09 23:23    2094592    ----a-w-    c:\windows\system32\mmc.exe
2013-10-10 07:23 . 2013-08-16 05:22    4917760    ----a-w-    c:\windows\system32\sppsvc.exe
2013-10-10 07:21 . 2013-04-16 02:34    1455368    ----a-w-    c:\windows\system32\drivers\dxgkrnl.sys
2013-10-10 07:19 . 2013-07-05 22:02    99328    ----a-w-    c:\windows\system32\drivers\usbcir.sys
2013-10-10 07:19 . 2013-07-05 22:01    210560    ----a-w-    c:\windows\system32\drivers\usbvideo.sys
2013-10-10 07:19 . 2013-06-22 05:45    785624    ----a-w-    c:\windows\system32\drivers\Wdf01000.sys
2013-10-10 07:19 . 2013-06-22 05:45    54488    ----a-w-    c:\windows\system32\drivers\WdfLdr.sys
2013-10-10 07:19 . 2013-07-01 22:14    25600    ----a-w-    c:\windows\system32\drivers\usbprint.sys
2013-10-10 07:19 . 2013-06-29 03:08    32768    ----a-w-    c:\windows\system32\drivers\hidparse.sys
2013-10-10 07:19 . 2013-06-29 03:07    83968    ----a-w-    c:\windows\system32\drivers\hidclass.sys
2013-10-10 07:19 . 2013-05-04 04:48    27648    ----a-w-    c:\windows\system32\drivers\hidusb.sys
2013-10-10 07:18 . 2012-08-31 00:52    17888    ----a-w-    c:\windows\system32\msvcr100_clr0400.dll
2013-10-10 07:18 . 2012-08-31 00:53    17888    ----a-w-    c:\windows\SysWow64\msvcr100_clr0400.dll
2013-10-10 07:11 . 2013-05-23 23:02    1314816    ----a-w-    c:\windows\system32\rpcrt4.dll
2013-10-10 07:11 . 2013-05-23 22:25    694272    ----a-w-    c:\windows\SysWow64\rpcrt4.dll
2013-10-10 07:11 . 2013-04-23 23:13    1013248    ----a-w-    c:\windows\SysWow64\certutil.exe
2013-10-10 07:11 . 2013-04-23 23:12    109056    ----a-w-    c:\windows\SysWow64\cryptnet.dll
2013-10-10 07:11 . 2013-04-23 22:56    1255936    ----a-w-    c:\windows\system32\certutil.exe
2013-10-10 07:11 . 2013-04-23 22:55    141312    ----a-w-    c:\windows\system32\cryptnet.dll
2013-10-10 07:11 . 2013-03-02 09:59    411880    ----a-w-    c:\windows\system32\drivers\FWPKCLNT.SYS
2013-10-10 07:10 . 2012-10-06 04:53    2893824    ----a-w-    c:\windows\system32\msmpeg2vdec.dll
2013-10-10 07:10 . 2012-10-06 04:15    2400256    ----a-w-    c:\windows\SysWow64\msmpeg2vdec.dll
2013-10-10 07:09 . 2013-06-01 09:25    496640    ----a-w-    c:\windows\SysWow64\qedit.dll
2013-10-10 07:09 . 2013-06-01 09:21    595968    ----a-w-    c:\windows\system32\qedit.dll
2013-10-10 07:09 . 2012-10-24 03:25    26624    ----a-w-    c:\windows\system32\ReAgentc.exe
2013-10-10 07:09 . 2012-10-24 02:48    24064    ----a-w-    c:\windows\SysWow64\ReAgentc.exe
2013-10-10 07:07 . 2013-02-05 22:29    370688    ----a-w-    c:\windows\system32\drivers\mrxsmb.sys
2013-10-10 07:07 . 2013-02-05 22:28    215552    ----a-w-    c:\windows\system32\drivers\mrxsmb20.sys
2013-10-10 07:07 . 2013-02-02 05:41    1437184    ----a-w-    c:\windows\SysWow64\GdiPlus.dll
2013-10-10 07:07 . 2013-02-02 05:31    1690624    ----a-w-    c:\windows\system32\GdiPlus.dll
2013-10-10 07:07 . 2013-07-01 01:42    79192    ----a-w-    c:\windows\system32\drivers\usbehci.sys
2013-10-10 07:07 . 2013-07-01 01:42    623448    ----a-w-    c:\windows\system32\drivers\usbhub.sys
2013-10-10 07:07 . 2013-07-01 01:42    498008    ----a-w-    c:\windows\system32\drivers\usbport.sys
2013-10-10 07:07 . 2013-07-01 01:42    21848    ----a-w-    c:\windows\system32\drivers\usbd.sys
2013-10-10 07:07 . 2013-06-29 03:07    32256    ----a-w-    c:\windows\system32\drivers\usbuhci.sys
2013-10-10 07:07 . 2013-06-29 03:06    120832    ----a-w-    c:\windows\system32\drivers\usbccgp.sys
2013-10-10 07:07 . 2012-11-20 04:56    27136    ----a-w-    c:\windows\system32\drivers\usbohci.sys
2013-10-10 07:07 . 2013-04-11 22:30    1421312    ----a-w-    c:\windows\SysWow64\DWrite.dll
2013-10-10 07:07 . 2013-04-11 22:22    1838080    ----a-w-    c:\windows\system32\DWrite.dll
2013-10-10 07:06 . 2013-02-12 00:17    20992    ----a-w-    c:\windows\system32\drivers\usb8023.sys
2013-10-10 07:06 . 2013-03-06 07:10    112872    ----a-w-    c:\windows\system32\consent.exe
2013-10-10 07:06 . 2013-03-06 06:29    70144    ----a-w-    c:\windows\system32\appinfo.dll
2013-10-10 07:04 . 2013-05-30 23:24    1257472    ----a-w-    c:\windows\system32\kernel32.dll
2013-10-10 07:03 . 2013-04-09 04:51    99840    ----a-w-    c:\windows\system32\wscsvc.dll
2013-10-10 07:02 . 2013-05-04 06:59    2842112    ----a-w-    c:\windows\system32\WMVDECOD.DLL
2013-10-10 07:02 . 2013-05-04 04:57    2620928    ----a-w-    c:\windows\SysWow64\WMVDECOD.DLL
2013-10-10 07:02 . 2012-10-24 03:25    13312    ----a-w-    c:\windows\system32\pcalua.exe
2013-10-10 07:02 . 2012-10-24 03:24    405504    ----a-w-    c:\windows\system32\pcasvc.dll
2013-10-10 07:02 . 2012-10-24 03:24    31232    ----a-w-    c:\windows\system32\pcadm.dll
2013-10-10 07:02 . 2012-10-24 03:05    11776    ----a-w-    c:\windows\system32\pcaevts.dll
2013-10-10 07:00 . 2012-11-07 23:04    149264    ----a-w-    c:\program files\Windows Defender\SymSrv.dll
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-10-04 08:15 . 2013-10-04 08:15    14888    ----a-w-    c:\windows\inf\HMD\hmd.sys
2013-09-26 01:44 . 2012-09-04 17:39    57144    ----a-w-    c:\windows\system32\drivers\avgfwd6a.sys
2013-09-09 05:11 . 2013-09-09 05:11    31544    ----a-w-    c:\windows\system32\drivers\avgrkx64.sys
2013-09-05 09:35 . 2013-09-05 09:35    68304    ----a-w-    c:\windows\system32\offreg.dll
2013-09-04 07:35 . 2013-09-04 07:35    20496    ----a-w-    c:\windows\system32\drivers\avgboota.sys
2013-09-02 17:59 . 2013-09-02 17:59    212280    ----a-w-    c:\windows\system32\drivers\avgldx64.sys
2013-09-02 17:29 . 2013-09-02 17:29    294712    ----a-w-    c:\windows\system32\drivers\avgloga.sys
2013-09-02 17:26 . 2013-09-02 17:26    192824    ----a-w-    c:\windows\system32\drivers\avgidsha.sys
2013-09-02 17:26 . 2013-09-02 17:26    241464    ----a-w-    c:\windows\system32\drivers\avgidsdrivera.sys
2013-08-21 05:53 . 2013-08-21 05:53    123704    ----a-w-    c:\windows\system32\drivers\avgmfx64.sys
2013-07-30 02:01 . 2013-07-30 02:01    252728    ----a-w-    c:\windows\system32\drivers\avgwfpa.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AVG_UI"="c:\program files (x86)\AVG\AVG2014\avgui.exe" [2013-10-07 4908592]
"tvncontrol"="c:\program files (x86)\Common Files\COMODO\GeekBuddyRSP.exe" [2013-10-11 2327248]
"SterJo NetStalker"="c:\users\J\Desktop\New folder\NetStalker.exe" [2013-03-31 742408]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableCursorSuppression"= 1 (0x1)
"ConsentPromptBehaviorUser"= 3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\progra~2\NVIDIA~1\3DVISI~1\nvStInit.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux4"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0Partizan
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WLMS]
@="Service"
.
R1 Avgdiska;AVG Disk Driver;c:\windows\system32\DRIVERS\avgdiska.sys;c:\windows\SYSNATIVE\DRIVERS\avgdiska.sys [x]
R1 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwd6a.sys;c:\windows\SYSNATIVE\DRIVERS\avgfwd6a.sys [x]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys;c:\windows\SYSNATIVE\DRIVERS\avgidsdrivera.sys [x]
R1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgldx64.sys [x]
R1 Avgwfpa;AVG Firewall Driver;c:\windows\system32\DRIVERS\avgwfpa.sys;c:\windows\SYSNATIVE\DRIVERS\avgwfpa.sys [x]
R1 CFRMD;CFRMD;c:\windows\system32\DRIVERS\CFRMD.sys;c:\windows\SYSNATIVE\DRIVERS\CFRMD.sys [x]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys;c:\windows\SYSNATIVE\DRIVERS\cmdguard.sys [x]
R1 cmdhlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys;c:\windows\SYSNATIVE\DRIVERS\cmdhlp.sys [x]
R1 HMD;COMODO livePCsupport Hardware Monitor Driver;c:\windows\system32\DRIVERS\hmd.sys;c:\windows\SYSNATIVE\DRIVERS\hmd.sys [x]
R1 nvkflt;nvkflt;c:\windows\system32\DRIVERS\nvkflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvkflt.sys [x]
R2 avgfws;AVG Firewall;c:\program files (x86)\AVG\AVG2014\avgfws.exe;c:\program files (x86)\AVG\AVG2014\avgfws.exe [x]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2014\avgidsagent.exe;c:\program files (x86)\AVG\AVG2014\avgidsagent.exe [x]
R2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2014\avgwdsvc.exe;c:\program files (x86)\AVG\AVG2014\avgwdsvc.exe [x]
R2 CLPSLauncher;COMODO LPS Launcher;c:\program files (x86)\Common Files\COMODO\launcher_service.exe;c:\program files (x86)\Common Files\COMODO\launcher_service.exe [x]
R2 DragonUpdater;COMODO Dragon Update Service;c:\program files (x86)\Comodo\Dragon\dragon_updater.exe;c:\program files (x86)\Comodo\Dragon\dragon_updater.exe [x]
R2 GeekBuddyRSP;GeekBuddyRSP Server;c:\program files (x86)\Common Files\COMODO\GeekBuddyRSP.exe;c:\program files (x86)\Common Files\COMODO\GeekBuddyRSP.exe [x]
R2 Process Blocker;Process Blocker;c:\program files\Softros Systems\Process Blocker\Process Blocker.exe;c:\program files\Softros Systems\Process Blocker\Process Blocker.exe [x]
R2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
R3 cmdvirth;COMODO Virtual Service Manager;c:\program files\COMODO\COMODO Internet Security\cmdvirth.exe;c:\program files\COMODO\COMODO Internet Security\cmdvirth.exe [x]
R3 netr7364;RT73 USB Extensible Wireless LAN Card Driver;c:\windows\system32\DRIVERS\netr7364.sys;c:\windows\SYSNATIVE\DRIVERS\netr7364.sys [x]
R3 RTL8168;Realtek 8168 NT Driver;c:\windows\system32\DRIVERS\Rt630x64.sys;c:\windows\SYSNATIVE\DRIVERS\Rt630x64.sys [x]
S0 Avgboota;AVG Early Launch Anti-Malware Driver;c:\windows\system32\DRIVERS\avgboota.sys;c:\windows\SYSNATIVE\DRIVERS\avgboota.sys [x]
S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys;c:\windows\SYSNATIVE\DRIVERS\avgidsha.sys [x]
S0 Avgloga;AVG Logging Driver;c:\windows\system32\DRIVERS\avgloga.sys;c:\windows\SYSNATIVE\DRIVERS\avgloga.sys [x]
S0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgmfx64.sys [x]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgrkx64.sys [x]
S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvpciflt.sys [x]
S1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\DRIVERS\cmderd.sys;c:\windows\SYSNATIVE\DRIVERS\cmderd.sys [x]
S2 WLMS;Windows Licensing Monitoring Service;c:\windows\system32\wlms\wlms.exe;c:\windows\SYSNATIVE\wlms\wlms.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-10-17 10:50    1185744    ----a-w-    c:\program files (x86)\Google\Chrome\Application\30.0.1599.101\Installer\chrmstp.exe
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-12-14 172144]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-12-14 399984]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-12-14 441968]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\progra~2\NVIDIA~1\3DVISI~1\nvStInit64.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <local>
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{5923183B-17AB-4FC8-AE11-D73945CFE912}: NameServer = 156.154.70.22,156.154.71.22
TCP: Interfaces\{63BD04FD-317D-4965-9F68-DAE19AD8E96A}: NameServer = 156.154.70.22,156.154.71.22
TCP: Interfaces\{739EDEE1-6D8C-4A8B-BA4D-970243E8DEE1}: NameServer = 156.154.70.22,156.154.71.22
FF - ProfilePath - c:\users\J\AppData\Roaming\Mozilla\Firefox\Profiles\y75slx9y.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - ExtSQL: 2013-10-09 10:15; fbsidebardisabler@vittgam.net; c:\users\J\AppData\Roaming\Mozilla\Firefox\Profiles\y75slx9y.default\extensions\fbsidebardisabler@vittgam.net.xpi
FF - ExtSQL: 2013-10-10 19:39; geolocater@3liz.com; c:\users\J\AppData\Roaming\Mozilla\Firefox\Profiles\y75slx9y.default\extensions\geolocater@3liz.com
FF - ExtSQL: 2013-10-12 01:39; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\J\AppData\Roaming\Mozilla\Firefox\Profiles\y75slx9y.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2013-10-14 02:38; {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}; c:\program files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - ExtSQL: 2013-10-14 14:15; {b9db16a4-6edc-47ec-a1f4-b86292ed211d}; c:\users\J\AppData\Roaming\Mozilla\Firefox\Profiles\y75slx9y.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - ExtSQL: 2013-10-15 23:32; {73a6fe31-595d-460b-a920-fcc0f8843232}; c:\users\J\AppData\Roaming\Mozilla\Firefox\Profiles\y75slx9y.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
@SACL=(02 0000)
.
Completion time: 2013-10-21  17:52:11
ComboFix-quarantined-files.txt  2013-10-21 09:52
.
Pre-Run: 445,041,680,384 bytes free
Post-Run: 444,823,654,400 bytes free
.
- - End Of File - - 32DD907265FDFD6229FA1DA2FB657525
A36C5E4F47E84449FF07ED3517B43A31

* ComboFix did delete something in the SysWow64 folder and now I can't access the internet. Seems the file is infected.


Edited by kelykely, 21 October 2013 - 05:33 AM.
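
The ComboFix log above is read by hand in a thread like this: the Run keys, AppInit_DLLs, BootExecute and the R/S service lines under "Reg Loading Points" are the autostart locations a responder checks first. What follows is an added example written for this page, not code from the thread, from ComboFix or from BleepingComputer. It parses those sections from the log format shown above and flags entries whose image path sits in a location a standard user can write to, which is a trait of user-installed tools and of malware alike; the path heuristic, the "ProgramData needs an ACL check" distinction and the decoding of the R/S state letter (R = running, S = stopped, digit = start type) are assumptions of this example. Applied to the excerpt copied from the log above, it flags the SterJo NetStalker entry under the user's Desktop (the tool the poster says they are using), the Skype click-to-call service under ProgramData, the NVIDIA AppInit_DLLs value and the extra Partizan item in BootExecute (Partizan is the boot-time component of RegRun, whose directory appears in the file list above). None of these is evidence of a rootkit; they are the items to verify by signature and hash rather than by name.

```python
"""Triage helper for ComboFix log excerpts (added example, not from the thread).

Parses the "Reg Loading Points" and service/driver lines in the ComboFix log
format shown above and flags autostart entries worth verifying by hand.
The path heuristics are assumptions of this example, not ComboFix rules.
"""
import re
import sys
from typing import Dict, List

# Constructed excerpt: lines copied from the ComboFix log posted above.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AVG_UI"="c:\program files (x86)\AVG\AVG2014\avgui.exe" [2013-10-07 4908592]
"tvncontrol"="c:\program files (x86)\Common Files\COMODO\GeekBuddyRSP.exe" [2013-10-11 2327248]
"SterJo NetStalker"="c:\users\J\Desktop\New folder\NetStalker.exe" [2013-03-31 742408]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\progra~2\NVIDIA~1\3DVISI~1\nvStInit.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0Partizan
.
R1 Avgdiska;AVG Disk Driver;c:\windows\system32\DRIVERS\avgdiska.sys;c:\windows\SYSNATIVE\DRIVERS\avgdiska.sys [x]
R2 Process Blocker;Process Blocker;c:\program files\Softros Systems\Process Blocker\Process Blocker.exe;c:\program files\Softros Systems\Process Blocker\Process Blocker.exe [x]
R2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [x]
S2 WLMS;Windows Licensing Monitoring Service;c:\windows\system32\wlms\wlms.exe;c:\windows\SYSNATIVE\wlms\wlms.exe [x]
"""

DEFAULT_BOOTEXECUTE = "autocheck autochk *"  # stock autochk value as ComboFix prints it

KEY_HEADER = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<date>\S+)\s+(?P<size>\d+)\]')
# Service lines (assumed decoding): R=running, S=stopped; digit = start type
# (0 boot, 1 system, 2 auto, 3 manual). Fields: name;display;image;image [x]
SERVICE = re.compile(r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>[^;]+);")
APPINIT = re.compile(r'^"AppInit_DLLs"=(?P<dlls>.+)$')
BOOTEXEC = re.compile(r"^BootExecute\s+REG_MULTI_SZ\s+(?P<value>.+)$")


def writable_hint(path: str) -> str:
    """Heuristic: could a standard user have placed this file? Empty string means no."""
    p = path.lower()
    if "\\users\\" in p or "\\appdata\\" in p or "\\temp\\" in p:
        return "user-profile path"
    if "\\programdata\\" in p:
        return "ProgramData path (ACLs vary per subfolder, verify)"
    return ""


def parse_run_entries(log: str) -> List[Dict[str, str]]:
    """Return quoted values found under registry keys whose name ends in \\Run."""
    entries, key = [], ""
    for line in (raw.strip() for raw in log.splitlines()):
        header = KEY_HEADER.match(line)
        if header:
            key = header.group("key")
            continue
        value = RUN_VALUE.match(line)
        if value and key.lower().endswith("\\run"):
            entries.append({"key": key, **value.groupdict()})
    return entries


def parse_services(log: str) -> List[Dict[str, str]]:
    """Return service/driver lines as dicts (state, start, name, display, image)."""
    matches = (SERVICE.match(raw.strip()) for raw in log.splitlines())
    return [m.groupdict() for m in matches if m]


def parse_appinit(log: str) -> List[str]:
    """Return every AppInit_DLLs value in the log (32-bit and 64-bit views)."""
    matches = (APPINIT.match(raw.strip()) for raw in log.splitlines())
    return [m.group("dlls").strip() for m in matches if m]


def parse_bootexecute(log: str) -> List[str]:
    """Split BootExecute into its REG_MULTI_SZ items; ComboFix prints the separator as \\0."""
    for raw in log.splitlines():
        m = BOOTEXEC.match(raw.strip())
        if m:
            return [item.strip() for item in m.group("value").split("\\0") if item.strip()]
    return []


def triage(log: str) -> List[Dict[str, str]]:
    """Collect the autostart entries a responder should verify (signature, hash) by hand."""
    findings = []
    for e in parse_run_entries(log):
        hint = writable_hint(e["path"])
        if hint:
            findings.append({"kind": "run", "name": e["name"], "detail": e["path"], "reason": hint})
    for s in parse_services(log):
        hint = writable_hint(s["image"])
        if hint:
            findings.append({"kind": "service", "name": s["name"], "detail": s["image"], "reason": hint})
    for dlls in parse_appinit(log):
        findings.append({"kind": "appinit", "name": "AppInit_DLLs", "detail": dlls,
                         "reason": "loaded into every process that maps user32.dll when LoadAppInit_DLLs=1"})
    for item in parse_bootexecute(log):
        if item != DEFAULT_BOOTEXECUTE:
            findings.append({"kind": "bootexecute", "name": item, "detail": item,
                             "reason": "native image run by smss.exe before the Win32 subsystem starts"})
    return findings


if __name__ == "__main__":
    # Pipe a full ComboFix.txt on stdin, or run with no input to use the excerpt above.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for f in triage(text):
        print(f"[{f['kind']:<11}] {f['name']}: {f['detail']}  <- {f['reason']}")
```

The output is a worklist, not a verdict: a user-writable path is exactly where a user-installed utility such as NetStalker lives, so each flagged file still has to be checked for a valid Authenticode signature and a known hash before anything is deleted, which is also why ComboFix itself is only run under a team member's direction.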


#14 TB-Psychotic (Malware Response Team)

Posted 21 October 2013 - 06:30 AM

The file that has been deleted has nothing to do with the connection.

Reboot and try again.



#15 kelykely (Topic Starter)

Posted 21 October 2013 - 10:23 AM

I have reinstalled a fresh Windows 8 and now scanned with GMER; as you can see, the rootkit tries to infect files, or you can view the screenshots here:

http://imageshack.us/f/842/jp3p.png/

http://imageshack.us/f/801/on5j.png/


GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-10-21 23:20:34
Windows 6.2.9200  x64 \Device\Harddisk0\DR0 -> \Device\00000030 SAMSUNG_HM500JJ rev.2AK10001 465.76GB
Running: 0zbb4x53.exe; Driver: C:\Users\Z\AppData\Local\Temp\pxldapod.sys


---- User code sections - GMER 2.1 ----

.text    C:\Windows\system32\nvvsvc.exe[352] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506                                          00007ff9ee9d169a 4 bytes [9D, EE, F9, 7F]
.text    C:\Windows\system32\nvvsvc.exe[352] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514                                          00007ff9ee9d16a2 4 bytes [9D, EE, F9, 7F]
.text    C:\Windows\system32\nvvsvc.exe[352] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118                                             00007ff9ee9d181a 4 bytes [9D, EE, F9, 7F]
.text    C:\Windows\system32\nvvsvc.exe[352] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142                                             00007ff9ee9d1832 4 bytes [9D, EE, F9, 7F]
.text    C:\Program Files\Windows Defender\MsMpEng.exe[1572] C:\Windows\system32\psapi.dll!GetModuleBaseNameA + 506                          00007ff9ee9d169a 4 bytes [9D, EE, F9, 7F]
.text    C:\Program Files\Windows Defender\MsMpEng.exe[1572] C:\Windows\system32\psapi.dll!GetModuleBaseNameA + 514                          00007ff9ee9d16a2 4 bytes [9D, EE, F9, 7F]
.text    C:\Program Files\Windows Defender\MsMpEng.exe[1572] C:\Windows\system32\psapi.dll!QueryWorkingSet + 118                             00007ff9ee9d181a 4 bytes [9D, EE, F9, 7F]
.text    C:\Program Files\Windows Defender\MsMpEng.exe[1572] C:\Windows\system32\psapi.dll!QueryWorkingSet + 142                             00007ff9ee9d1832 4 bytes [9D, EE, F9, 7F]
.text    C:\Windows\system32\taskhostex.exe[2308] C:\Windows\system32\KERNEL32.DLL!K32GetModuleInformation                                   00007ff9ed753104 7 bytes JMP 00007ffaebe302d0
.text    C:\Windows\system32\taskhostex.exe[2308] C:\Windows\system32\KERNEL32.DLL!RegSetValueExA                                            00007ff9ed80b094 7 bytes JMP 00007ffaebe30308
.text    C:\Windows\system32\taskhostex.exe[2308] C:\Windows\system32\KERNEL32.DLL!K32EnumProcessModulesEx                                   00007ff9ed82f314 7 bytes JMP 00007ffaebe30228
.text    C:\Windows\system32\taskhostex.exe[2308] C:\Windows\system32\KERNEL32.DLL!K32GetMappedFileNameW                                     00007ff9ed82f384 7 bytes JMP 00007ffaebe30298
.text    C:\Windows\system32\taskhostex.exe[2308] C:\Windows\system32\KERNEL32.DLL!K32GetModuleFileNameExW                                   00007ff9ed82f3b4 7 bytes JMP 00007ffaebe30260
.text    C:\Windows\system32\taskhostex.exe[2308] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW                                        00007ff9ebe92a84 7 bytes JMP 00007ffaebe300d8
.text    C:\Windows\system32\taskhostex.exe[2308] C:\Windows\system32\KERNELBASE.dll!FreeLibrary                                             00007ff9ebe92b7c 5 bytes JMP 00007ffaebe30180
.text    C:\Windows\system32\taskhostex.exe[2308] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                          00007ff9ebe93f38 5 bytes JMP 00007ffaebe30148
.text    C:\Windows\system32\taskhostex.exe[2308] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW                                      00007ff9ebe94098 5 bytes JMP 00007ffaebe30110
.text    C:\Windows\system32\taskhostex.exe[2308] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList                                     00007ff9ee1a1500 8 bytes JMP 00007ffaebe301b8
.text    C:\Windows\system32\taskhostex.exe[2308] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo                                       00007ff9ee1a1750 8 bytes JMP 00007ffaebe301f0
.text    C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\KERNEL32.DLL!K32GetModuleInformation                                     00007ff9ed753104 7 bytes JMP 00007ffaebe30340
.text    C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\KERNEL32.DLL!RegSetValueExA                                              00007ff9ed80b094 7 bytes JMP 00007ffaebe30378
.text    C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\KERNEL32.DLL!K32EnumProcessModulesEx                                     00007ff9ed82f314 7 bytes JMP 00007ffaebe30298
.text    C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\KERNEL32.DLL!K32GetMappedFileNameW                                       00007ff9ed82f384 7 bytes JMP 00007ffaebe30308
.text    C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\KERNEL32.DLL!K32GetModuleFileNameExW                                     00007ff9ed82f3b4 7 bytes JMP 00007ffaebe302d0
.text    C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW                                          00007ff9ebe92a84 7 bytes JMP 00007ffaebe300d8
.text    C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\KERNELBASE.dll!FreeLibrary                                               00007ff9ebe92b7c 5 bytes JMP 00007ffaebe30180
.text    C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                            00007ff9ebe93f38 5 bytes JMP 00007ffaebe30148
.text    C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW                                        00007ff9ebe94098 5 bytes JMP 00007ffaebe30110
.text    C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList                                       00007ff9ee1a1500 8 bytes JMP 00007ffaebe301b8
.text    C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo                                         00007ff9ee1a1750 8 bytes JMP 00007ffaebe301f0
.text    C:\Windows\System32\igfxpers.exe[3144] C:\Windows\SYSTEM32\combase.dll!CoCreateInstance                                             00007ff9ee2f6a40 7 bytes JMP 00007ffaebe30228
.text    C:\Windows\System32\igfxpers.exe[3144] C:\Windows\SYSTEM32\combase.dll!CoSetProxyBlanket                                            00007ff9ee32a86c 7 bytes JMP 00007ffaebe30260
.text    C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506                                       00007ff9ee9d169a 4 bytes [9D, EE, F9, 7F]
.text    C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514                                       00007ff9ee9d16a2 4 bytes [9D, EE, F9, 7F]
.text    C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118                                          00007ff9ee9d181a 4 bytes [9D, EE, F9, 7F]
.text    C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142                                          00007ff9ee9d1832 4 bytes [9D, EE, F9, 7F]

---- Threads - GMER 2.1 ----

Thread   C:\Windows\system32\csrss.exe [564:592]                                                                                             fffff9600091f4d0

---- Services - GMER 2.1 ----

Service  C:\Windows\SysWow64\IntelCpHeciSvc.exe (*** hidden *** )                                                                            [AUTO] cphs                                                       <-- ROOTKIT !!!

---- Registry - GMER 2.1 ----

Reg      HKLM\SYSTEM\CurrentControlSet\Control@LastBootSucceeded                                                                             0
Reg      HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime                                                                   0x73 0x4F 0x67 0xB1 ...
Reg      HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime                                                               0xEB 0xC0 0x24 0x2A ...
Reg      HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime                                                                      0xE9 0xA7 0x70 0xB1 ...
Reg      HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime                                                                  0x2C 0x6A 0x5F 0x8C ...
Reg      HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@en-US                                                               5
Reg      HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\AUO22EC0_00_07DB_72^E47274AA5D50EF66693D6EE7DBA64283@Timestamp  0x9A 0x40 0x76 0x03 ...
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid                                                                                    624
Reg      HKLM\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings@StringCacheGeneration                                                 2
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber                                                  3899983
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed                                                   1245166855
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId                                   5
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime                                 394589588
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime                                                                22673
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID                                                                    0c1cc5d1-208d-4293-bcee-fc41758
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Video\{2FEBC870-75CD-4F02-BFA8-FFD2EE5DD3EB}\Video@Service                                    BasicDisplay
Reg      HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@ServerName                                                                         \BaseNamedObjects\WDI_{b57b40f2-565d-41af-91b7-0f8402ee4744}
Reg      HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AITEventLog@FileCounter                                                        2
Reg      HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SQMLogger@FileCounter                                                          5
Reg      HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter                                                      2
Reg      HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\bc7737133895                                                         
Reg      HKLM\SYSTEM\CurrentControlSet\Services\cphs@Start                                                                                   2
Reg      HKLM\SYSTEM\CurrentControlSet\Services\cphs                                                                                         
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{fbaf56f2-5e29-47c5-8a38-5459aad9ac7d}@LastProbeTime               1382341833
Reg      HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime                                                     ?Mon?, ?Oct ?21 ?13, 07:50:43 AM??C???????C???????:???????C????
Reg      HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch                                                                     261
Reg      HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch                                                                    8
Reg      HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence                                                              4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{328FC45E-7461-43A3-9865-53A8F9A44591}@LeaseObtainedTime         1382367033
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{328FC45E-7461-43A3-9865-53A8F9A44591}@T1                        1382669433
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{328FC45E-7461-43A3-9865-53A8F9A44591}@T2                        1382896233
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{328FC45E-7461-43A3-9865-53A8F9A44591}@LeaseTerminatesTime       1382971833
Reg      HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer@GlobalAssocChangedCounter                                                   5
Reg      HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband@FavoritesChanges                                                   6
Reg      HKCU\Software\Microsoft\Windows\CurrentVersion\Store@LastStoreActivity                                                              0xEA 0x6D 0x8F 0x38 ...
Reg      HKCU\Software\Microsoft\Windows\CurrentVersion\Store@LastTileRefresh                                                                0x3F 0x54 0xEA 0xB8 ...
Reg      HKCU\Software\Microsoft\Windows\CurrentVersion\Store\RefreshBannedAppList@BannedAppsLastModified                                    0x00 0x92 0x1E 0x0D ...

---- EOF - GMER 2.1 ----


Edited by kelykely, 21 October 2013 - 10:26 AM.
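As an added example (not code from the post, from the helpers in this thread, or from GMER itself), a small Python triage helper for the GMER 2.1 text format shown above: it splits the space-padded columns, pulls out any service GMER marks as hidden, and for the `.text` entries separates real JMP detours (grouped by the 64 KiB region they land in, so one injected module shows up as one region per process) from 4-byte entries whose bytes are simply the hooked function's own address dword. That last classification is a heuristic of this example, not a GMER rule, and the sample lines are copied from the log above with the column padding shortened.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the GMER log in the post above, padding shortened.
SAMPLE = r"""
.text    C:\Windows\system32\nvvsvc.exe[352] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506    00007ff9ee9d169a 4 bytes [9D, EE, F9, 7F]
.text    C:\Windows\system32\taskhostex.exe[2308] C:\Windows\system32\KERNEL32.DLL!K32GetModuleInformation    00007ff9ed753104 7 bytes JMP 00007ffaebe302d0
.text    C:\Windows\system32\taskhostex.exe[2308] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW    00007ff9ebe93f38 5 bytes JMP 00007ffaebe30148
Service  C:\Windows\SysWow64\IntelCpHeciSvc.exe (*** hidden *** )    [AUTO] cphs    <-- ROOTKIT !!!
"""

MID_RE = re.compile(r"^(?P<proc>.+?)\[(?P<pid>\d+)\] (?P<api>\S+)(?: \+ (?P<off>\d+))?$")
END_RE = re.compile(r"^(?P<addr>[0-9a-f]+) (?P<n>\d+) bytes (?P<detail>.*)$")


def parse_gmer(text):
    """Return (hooks, hidden_services) parsed from GMER 2.1 text output."""
    hooks, hidden = [], []
    for line in text.splitlines():
        cols = re.split(r"\s{2,}", line.strip())  # GMER pads columns with runs of spaces
        if cols[0] == ".text" and len(cols) >= 3:
            mid, end = MID_RE.match(cols[1]), END_RE.match(cols[2])
            if not (mid and end):
                continue
            addr, detail = int(end["addr"], 16), end["detail"]
            if detail.startswith("JMP "):
                kind, target = "jmp", int(detail[4:], 16)
            else:
                # "[9D, EE, F9, 7F]" read little-endian; if it equals the function's own
                # high address dword it is an address constant inside the code, not a
                # detour (heuristic assumed by this example, not a GMER rule)
                raw = bytes(int(b, 16) for b in detail.strip("[]").split(", "))
                fixup = int.from_bytes(raw, "little") == (addr >> 16)
                kind, target = ("addr-constant" if fixup else "patch"), None
            hooks.append(dict(proc=mid["proc"], pid=int(mid["pid"]), api=mid["api"],
                              addr=addr, kind=kind, target=target))
        elif cols[0] == "Service" and "*** hidden ***" in cols[1]:
            hidden.append(dict(image=cols[1].split(" (")[0], name=cols[2].split()[-1]))
    return hooks, hidden


def jmp_regions(hooks):
    """Map (proc, pid) -> set of 64 KiB regions its JMP detours land in.
    A single region per process means one injected module owns every detour."""
    regions = defaultdict(set)
    for h in hooks:
        if h["kind"] == "jmp":
            regions[(h["proc"], h["pid"])].add(h["target"] >> 16)
    return regions
```

GMER does not name the module that owns a JMP target, so resolving each region against the process's loaded-module list is the next step before calling a detour malicious.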




