Infected by COMODO? Stopped Windows security services, etc


  • This topic is locked
39 replies to this topic

#1 Maria sts (Members, 29 posts)

Posted 08 November 2013 - 05:23 AM

Serious changes on my netbook Asus Eee PC: many services of Windows 7 (Starter) related to security are STOPPED; restore points deleted; AVG and Windows Update disabled; there seem to be problems with memory, motherboard and BIOS; I can't do a backup nor send the User's folders to my external drive; checking 'regedit', there are many spam files in the registry... SOS! PLEASE.

After I uninstalled the 'Comodo Software Security' trial, it reinstalled itself with all its components (Comodo, Dragon, Geek Buddy, CIS, PrivDog), so quickly that it did not allow Advanced Uninstaller Pro to delete the leftovers. It spread everywhere, even hiding under other names, such as 'Safe Installer', and made changes that seem, to me, 'an amateur', very dangerous. Trying to get free of it, I got into a fight to take ownership of these files and to delete them in 'regedit', wherever they appeared, including several hidden ones. I suspect that this is not to be repeated.

I used to be very careful with UAC and do not keep passwords on my computer. But, to be honest, I was always afraid of downloading so many updates that would fill the PC, and was not sure if they were really necessary...

As a precaution, I have not tried to access e-banking; I contacted the bank and my online account is blocked until this problem is solved.

I'm working in safe mode with networking. I managed to get the System Diagnostic Report. I'll post it here, if I manage to do so. If you think it's better in a different place, please feel free to move it.
Thank you so much for being here for us and for the help I'm sure you'll give me, ASAP.

P.S. Can I keep working with this computer in safe mode with networking? The question is that I can't use my laptop Asus X54C (I'll ask for help to fix it too, but after resting a bit).
Kind regards

file:///C:/Users/MARIA/Documents/RELAT%C3%93RIO%20DE%20DIAGN%C3%93STICO%20DO%20SISTEMA%201%20-%2007.11.2013.html

Sorry, I also saved the report as 'All files', but couldn't open it or post it here. I tried to attach it, but it is too large and the forum doesn't accept a WinRAR file. Please help me.


Edited by Maria sts, 08 November 2013 - 05:34 AM.



#2 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 08 November 2013 - 08:00 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Scan with FRST in normal mode

Please download Farbar's Recovery Scan Tool to your desktop: FRST 32bit or FRST 64bit (If not sure: Start --> Computer (right click) --> properties)

  • Run FRST.
  • Don't change any of the checkboxes and hit Scan.
  • Logfiles are created on your desktop.
  • Post the FRST.txt and (after the first scan only!) the Addition.txt.

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )
  • Leave everything else as it is.
  • Close all other running programs as well as your Browser.
  • Click the Scan button & wait for it to finish.
  • Once done, click on the Save... button, and in the File name area, type in "ark.txt" or it will save as a .log file, which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


Proud Member of UNITE & TB

#3 Maria sts (Topic Starter)

Posted 08 November 2013 - 06:15 PM

Hi Marius

Thank you for your quick reply. 

I will follow your instructions and post the results as you ask me. I'm writing from my first and old desktop, where I use Linux. 

I'm anxious to get into this fight, and it is very good to do it monitored by someone who knows the matter.

 

English is not my first language either. Don't worry, I will ask about everything I don't understand. Please feel free to do the same if I don't explain things clearly.



#4 Maria sts (Topic Starter)

Posted 10 November 2013 - 11:34 PM

Hi Marius

Just want to say that some hours ago I wrote 2 texts to post here, but they were not accepted and disappeared.



#5 TB-Psychotic (Malware Response Team)

Posted 11 November 2013 - 03:29 AM

What text?

I need the log files.


Proud Member of UNITE & TB

#6 Maria sts (Topic Starter)

Posted 11 November 2013 - 09:28 AM

The texts were the posts with the log files. But the first one and the second were also not posted (published, made public here in the forum). They were barred or locked...

Didn't you get the PM that I sent you at about 04:59 AM? Please read it and help me to overcome this obstacle. I'm writing to you from my old desktop and trying a solution.


Edited by Maria sts, 11 November 2013 - 09:29 AM.


#7 Maria sts (Topic Starter)

Posted 11 November 2013 - 09:36 AM

1.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 10-11-2013 01
Ran by MARIA (administrator) on MARIAFREE on 10-11-2013 23:19:43
Running from C:\Users\MARIA\Downloads
Microsoft Windows 7 Starter (X86) OS Language: Portuguese Standard
Internet Explorer Version 9
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(Comodo Security Solutions, Inc.) C:\Program Files\Common Files\COMODO\launcher_service.exe
() C:\Windows\System32\AsusService.exe
() C:\Program Files\Comodo\Dragon\dragon_updater.exe
(Comodo Security Solutions, Inc.) C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe
(Microsoft Corporation) C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
(Microsoft Corporation) C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
() C:\Program Files\Asus\LiveUpdate\LiveUpdate.exe
(ASUSTeK Computer Inc.) C:\Program Files\EeePC\SHE\SuperHybridEngine.exe
(Intel Corporation) C:\windows\system32\igfxsrvc.exe
(ASUSTeK Computer Inc.) C:\Program Files\EeePC\HotkeyService\HotkeyService.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(ASUSTeK Computer Inc.) C:\Program Files\EeePC\HotkeyService\HotKeyMon.exe
() C:\Program Files\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe
(ASUS) C:\Program Files\EeePC\CapsHook\CapsHook.exe
() C:\Program Files\AdTrustMedia\PrivDog\finalizesetup.exe
(Comodo Security Solutions, Inc.) C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
(Nokia) C:\Program Files\Nokia\Nokia Suite\NokiaSuite.exe
(Comodo Security Solutions, Inc.) C:\Program Files\Comodo\GeekBuddy\unit_manager.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
(Comodo Security Solutions, Inc.) C:\Program Files\Comodo\GeekBuddy\unit.exe
(Nokia) C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
(Nokia) C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
() C:\Program Files\ASUS\ASUS WebStorage\EeeStorageUploader.exe
(AVG Secure Search) C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.1.2\ToolbarUpdater.exe
() C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.1.2\loggingserver.exe
(Nokia) C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe
() C:\Program Files\AVG Secure Search\vprot.exe
(Microsoft Corporation) C:\windows\system32\wuauclt.exe
(Microsoft Corporation) C:\windows\system32\taskmgr.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\regedit.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\virtualization handler\cvh.exe
() C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(COMODO) C:\windows\temp\dragon_setup.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1594664 2010-04-13] (Synaptics Incorporated)
HKLM\...\Run: [SynAsusAcpi] - C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe [83240 2010-04-13] (Synaptics Incorporated)
HKLM\...\Run: [SuperHybridEngine] - C:\Program Files\EeePC\SHE\SuperHybridEngine.exe [412600 2010-06-09] (ASUSTeK Computer Inc.)
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [9177632 2010-05-25] (Realtek Semiconductor)
HKLM\...\Run: [LiveUpdate] - C:\Program Files\ASUS\LiveUpdate\LiveUpdate.exe [751592 2010-01-29] ()
HKLM\...\Run: [IAAnotif] - C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe [186904 2009-06-05] (Intel Corporation)
HKLM\...\Run: [HotkeyService] - C:\Program Files\EeePC\HotkeyService\HotkeyService.exe [1242544 2010-06-04] (ASUSTeK Computer Inc.)
HKLM\...\Run: [HotKeysCmds] - C:\windows\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [HotkeyMon] - C:\Program Files\EeePC\HotkeyService\HotKeyMon.exe [100328 2009-09-11] (ASUSTeK Computer Inc.)
HKLM\...\Run: [Eee Docking] - C:\Program Files\ASUS\Eee Docking\Eee Docking.exe [415920 2010-03-29] ()
HKLM\...\Run: [CapsHook] - C:\Program Files\EeePC\CapsHook\CapsHook.exe [445344 2010-05-28] (ASUS)
HKLM\...\Run: [ASUSPRP] - C:\Program Files\ASUS\APRP\aprp.exe [2018032 2010-06-24] (ASUSTek Computer Inc.)
HKLM\...\Run: [ASUS WebStorage] - C:\Program Files\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe [1754448 2010-03-16] ()
HKLM\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe [35696 2009-02-28] (Adobe Systems Incorporated)
HKLM\...\Run: [ComodoFSChrome] - C:\Program Files\AdTrustMedia\PrivDog\finalizesetup.exe [4247208 2013-09-17] ()
HKLM\...\Run: [tvncontrol] - C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe [2327248 2013-10-11] (Comodo Security Solutions, Inc.)
HKLM\...\Run: [vProt] - C:\Program Files\AVG Secure Search\vprot.exe [2420248 2013-11-10] ()
HKLM\...\Run: [CIS_{81EFDD93-DBBE-415B-BE6E-49B9664E3E82}] - "C:\ProgramData\cis1736.exe" --PostUninstall {81EFDD93-DBBE-415B-BE6E-49B9664E3E82}
HKCU\...\Run: [] - [x]
HKCU\...\Run: [swg] - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2011-01-22] (Google Inc.)
HKCU\...\Run: [NokiaSuite.exe] - C:\Program Files\Nokia\Nokia Suite\NokiaSuite.exe [1090912 2013-04-19] (Nokia)
MountPoints2: {12f15968-1756-11e0-a2d6-20cf30431cfa} - E:\setup_vmc_lite.exe /checkApplicationPresence
MountPoints2: {12f159ef-1756-11e0-a2d6-20cf30431cfa} - E:\setup_vmc_lite.exe /checkApplicationPresence
MountPoints2: {12f159fd-1756-11e0-a2d6-20cf30431cfa} - E:\setup_vmc_lite.exe /checkApplicationPresence
MountPoints2: {5fc4f1fd-3186-11e0-a1e0-20cf30431cfa} - E:\setup_vmc_lite.exe /checkApplicationPresence
MountPoints2: {b39aa63d-6507-11e0-a290-20cf30431cfa} - E:\setup_vmc_lite.exe /checkApplicationPresence
MountPoints2: {d987a2fd-3f85-11e0-b877-20cf30431cfa} - E:\setup_vmc_lite.exe /checkApplicationPresence
HKU\Default\...\RunOnce: [Reboot] - AsusSender.exe C:\Windows\AP\Reboot.exe 60
HKU\Default User\...\RunOnce: [Reboot] - AsusSender.exe C:\Windows\AP\Reboot.exe 60

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.pt/
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://asus.msn.com
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://eeepc.asus.com
URLSearchHook: HKCU - (No Name) - {249d74a3-bd19-4657-b6ce-e62f480a20de} - No File
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=ASUTDF&pc=MAAU&src=IE-SearchBox
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Programa Auxiliar de Início de Sessão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\17.1.2.1\AVG Secure Search_toolbar.dll (AVG Secure Search)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKLM - AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\17.1.2.1\AVG Secure Search_toolbar.dll (AVG Secure Search)
Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
Toolbar: HKCU - No Name - {249D74A3-BD19-4657-B6CE-E62F480A20DE} - No File
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\17.1.2\ViProtocol.dll (AVG Secure Search)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{7D7BF79B-8EC9-4F27-96D8-F48B2C0C062B}: [NameServer]8.8.8.8,8.8.4.4

FireFox:
========
FF ProfilePath: C:\Users\MARIA\AppData\Roaming\Mozilla\Firefox\Profiles\di4mye8i.default
FF Plugin: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin - C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\17.1.2\\npsitesafety.dll (AVG Technologies)
FF HKLM\...\Firefox\Extensions: [avg@toolbar] - C:\ProgramData\AVG Secure Search\FireFoxExt\17.1.2.1
FF Extension: AVG Security Toolbar - C:\ProgramData\AVG Secure Search\FireFoxExt\17.1.2.1

Chrome:
=======
CHR Extension: (Google Docs) - C:\Users\MARIA\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.5_0
CHR Extension: (Google Drive) - C:\Users\MARIA\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0
CHR Extension: (YouTube) - C:\Users\MARIA\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0
CHR Extension: (Google Search) - C:\Users\MARIA\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0
CHR Extension: (Google Wallet) - C:\Users\MARIA\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.5.0_0
CHR Extension: (Gmail) - C:\Users\MARIA\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1
CHR HKLM\...\Chrome\Extension: [ndibdjnfmopecpmkdieinmbadjfpblof] - C:\ProgramData\AVG Secure Search\ChromeExt\17.1.2.1\avg.crx

========================== Services (Whitelisted) =================

R2 AsusService; C:\Windows\System32\AsusService.exe [219136 2009-08-19] ()
R2 CLPSLauncher; C:\Program Files\Common Files\COMODO\launcher_service.exe [70352 2013-10-11] (Comodo Security Solutions, Inc.)
R2 DragonUpdater; C:\Program Files\Comodo\Dragon\dragon_updater.exe [2104968 2013-10-09] ()
R2 GeekBuddyRSP; C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe [2327248 2013-10-11] (Comodo Security Solutions, Inc.)
R2 vToolbarUpdater17.1.2; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.1.2\ToolbarUpdater.exe [1734680 2013-11-10] (AVG Secure Search)

==================== Drivers (Whitelisted) ====================

R1 AsUpIO; C:\Windows\System32\drivers\AsUpIO.sys [11520 2010-06-10] ()
R1 avgtp; C:\windows\system32\drivers\avgtpx86.sys [37664 2013-11-10] (AVG Technologies)
R1 CFRMD; C:\Windows\System32\DRIVERS\CFRMD.sys [35064 2013-05-07] (Windows ® Win 7 DDK provider)
R1 HMD; C:\Windows\System32\DRIVERS\hmd.sys [15400 2013-10-07] ()
S3 hwusbfake; C:\Windows\System32\DRIVERS\ewusbfake.sys [100736 2009-07-23] (Huawei Technologies Co., Ltd.)
R3 kbfiltr; C:\Windows\System32\DRIVERS\kbfiltr.sys [13880 2010-04-13] ( )
S3 MBAMProtector; C:\windows\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
S3 btwaudio; system32\drivers\btwaudio.sys [x]
S3 btwavdt; \SystemRoot\system32\DRIVERS\btwavdt.sys [x]
S3 btwl2cap; system32\DRIVERS\btwl2cap.sys [x]
S3 btwrchid; \SystemRoot\system32\DRIVERS\btwrchid.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-11-10 23:19 - 2013-11-10 23:19 - 00000000 ____D C:\FRST
2013-11-10 23:15 - 2013-11-10 23:15 - 01090275 _____ (Farbar) C:\Users\MARIA\Downloads\FRST.exe
2013-11-10 20:11 - 2013-11-10 22:07 - 00000000 ____D C:\Users\MARIA\Documents\REGEDIT e outros
2013-11-09 18:44 - 2013-11-09 18:44 - 02024936 _____ C:\Users\MARIA\Downloads\dixmlsetup.exe
2013-11-09 10:29 - 2013-11-09 10:29 - 08499200 _____ (Luis Cobian) C:\Users\MARIA\Downloads\cbSetup8.exe
2013-11-07 03:39 - 2013-11-10 14:33 - 00001072 _____ C:\windows\setupact.log
2013-11-07 03:39 - 2013-11-07 03:39 - 00000000 _____ C:\windows\setuperr.log
2013-11-05 11:13 - 2013-11-05 11:13 - 00035833 _____ C:\Users\MARIA\Downloads\comodo.txt
2013-11-05 00:31 - 2013-11-05 00:31 - 00001195 _____ C:\Users\MARIA\Desktop\AVG Secure Search - Atalho.lnk
2013-11-04 14:47 - 2013-11-04 14:47 - 00000351 _____ C:\Users\MARIA\Downloads\https---www.youtube.com-watch-v=AfdV_OlLu4U
2013-11-04 14:12 - 2013-11-04 14:12 - 04478397 _____ C:\Users\MARIA\Downloads\Golpe.wmv
2013-10-30 10:38 - 2013-10-30 10:38 - 21548944 _____ (Innovative Solutions ) C:\Users\MARIA\Downloads\Advanced_Uninstaller11.exe
2013-10-30 05:12 - 2013-10-30 05:12 - 06951048 _____ (Microsoft Corporation) C:\Users\MARIA\Downloads\Silverlight (1).exe
2013-10-29 03:55 - 2013-10-29 03:55 - 00029201 _____ C:\Users\MARIA\Downloads\How Great Thou Art Hymn.htm
2013-10-29 03:55 - 2013-10-29 03:55 - 00000000 ____D C:\Users\MARIA\Downloads\How Great Thou Art Hymn_files
2013-10-21 20:41 - 2013-10-21 20:41 - 00091480 _____ C:\Users\MARIA\Documents\Uma Semana no Aeroporto, Allain de Botton.htm
2013-10-21 20:41 - 2013-10-21 20:41 - 00000000 ____D C:\Users\MARIA\Documents\Uma Semana no Aeroporto, Allain de Botton_files
2013-10-21 18:25 - 2013-10-21 18:25 - 00000000 ____D C:\Users\MARIA\Documents\Manual do Processo de Inventário - À luz do Novo Regime, Eduardo Paiva, Helena Cabrita b_files
2013-10-21 18:24 - 2013-10-21 18:25 - 00108704 _____ C:\Users\MARIA\Documents\Manual do Processo de Inventário - À luz do Novo Regime, Eduardo Paiva, Helena Cabrita b.htm
2013-10-21 18:23 - 2013-10-21 18:23 - 00077232 _____ C:\Users\MARIA\Documents\Manual do Processo de Inventário - À luz do Novo Regime, Eduardo Paiva, Helena Cabrita.htm
2013-10-21 18:19 - 2013-10-21 18:19 - 00103103 _____ C:\Users\MARIA\Documents\Heranças e Partilhas - Doações e Testamentos, João Queiroga Chaves.htm
2013-10-21 18:19 - 2013-10-21 18:19 - 00000000 ____D C:\Users\MARIA\Documents\Heranças e Partilhas - Doações e Testamentos, João Queiroga Chaves_files
2013-10-21 18:18 - 2013-10-21 18:18 - 00104960 _____ C:\Users\MARIA\Documents\Heranças & Partilhas - Guia Prático, Carlos Ricardo Sousa Soares.htm
2013-10-21 18:18 - 2013-10-21 18:18 - 00000000 ____D C:\Users\MARIA\Documents\Heranças & Partilhas - Guia Prático, Carlos Ricardo Sousa Soares_files
2013-10-19 23:53 - 2013-10-19 23:53 - 00022263 _____ C:\Users\MARIA\Documents\3 APRe! Colóquio - Ficha inscrição MARIA SANTOS.xlsx
2013-10-19 22:40 - 2013-10-19 22:40 - 00022100 _____ C:\Users\MARIA\Documents\3 APRe! Colóquio - Ficha inscrição (1).xlsx
2013-10-17 04:05 - 2013-10-17 04:05 - 00022100 _____ C:\Users\MARIA\Documents\3 APRe! Colóquio - Ficha inscrição.xlsx
2013-10-15 08:03 - 2013-10-15 08:03 - 00000192 _____ C:\Users\MARIA\Downloads\radiousp.wax
2013-10-15 05:59 - 2013-10-15 05:59 - 00000482 _____ C:\Users\MARIA\Downloads\url (1).htm
2013-10-15 05:53 - 2013-10-15 06:35 - 00035980 ____H C:\Users\MARIA\Documents\~WRL2787.tmp
2013-10-13 04:15 - 2013-10-18 00:27 - 00002129 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2013-10-13 02:50 - 2013-10-13 02:50 - 00000000 ____D C:\Users\MARIA\AppData\Local\AVG Secure Search
2013-10-13 02:49 - 2013-11-10 14:36 - 00000000 ____D C:\ProgramData\AVG Secure Search
2013-10-13 02:49 - 2013-11-10 14:36 - 00000000 ____D C:\Program Files\AVG Secure Search
2013-10-13 02:49 - 2013-11-10 14:35 - 00037664 _____ (AVG Technologies) C:\windows\system32\Drivers\avgtpx86.sys
2013-10-13 02:49 - 2013-11-07 11:38 - 00000000 ____D C:\Program Files\Common Files\AVG Secure Search
2013-10-11 21:18 - 2013-11-07 11:38 - 00000000 ____D C:\Program Files\Common Files\COMODO
2013-10-11 21:18 - 2013-10-11 21:18 - 00002013 _____ C:\Users\Public\Desktop\GeekBuddy.lnk

==================== One Month Modified Files and Folders =======

2013-11-10 23:19 - 2013-11-10 23:19 - 00000000 ____D C:\FRST
2013-11-10 23:15 - 2013-11-10 23:15 - 01090275 _____ (Farbar) C:\Users\MARIA\Downloads\FRST.exe
2013-11-10 23:04 - 2011-01-22 12:19 - 00000994 _____ C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-11-10 22:07 - 2013-11-10 20:11 - 00000000 ____D C:\Users\MARIA\Documents\REGEDIT e outros
2013-11-10 21:32 - 2013-02-12 19:56 - 00057560 _____ C:\Users\MARIA\AppData\Local\GDIPFONTCACHEV1.DAT
2013-11-10 20:45 - 2013-10-04 19:09 - 01087056 _____ C:\windows\WindowsUpdate.log
2013-11-10 15:25 - 2009-07-26 09:01 - 00679786 _____ C:\windows\system32\prfh0816.dat
2013-11-10 15:25 - 2009-07-26 09:01 - 00133938 _____ C:\windows\system32\prfc0816.dat
2013-11-10 15:25 - 2009-07-25 07:50 - 01539738 _____ C:\windows\system32\PerfStringBackup.INI
2013-11-10 15:04 - 2010-12-01 22:46 - 00000000 ____D C:\Users\MARIA\AppData\Roaming\ASUS WebStorage
2013-11-10 14:42 - 2009-07-14 04:34 - 00009696 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-11-10 14:42 - 2009-07-14 04:34 - 00009696 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-11-10 14:36 - 2013-10-13 02:49 - 00000000 ____D C:\ProgramData\AVG Secure Search
2013-11-10 14:36 - 2013-10-13 02:49 - 00000000 ____D C:\Program Files\AVG Secure Search
2013-11-10 14:35 - 2013-10-13 02:49 - 00037664 _____ (AVG Technologies) C:\windows\system32\Drivers\avgtpx86.sys
2013-11-10 14:33 - 2013-11-07 03:39 - 00001072 _____ C:\windows\setupact.log
2013-11-10 14:33 - 2011-01-22 12:19 - 00000990 _____ C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-11-10 14:33 - 2009-07-14 04:53 - 00000006 ____H C:\windows\Tasks\SA.DAT
2013-11-09 18:44 - 2013-11-09 18:44 - 02024936 _____ C:\Users\MARIA\Downloads\dixmlsetup.exe
2013-11-09 10:29 - 2013-11-09 10:29 - 08499200 _____ (Luis Cobian) C:\Users\MARIA\Downloads\cbSetup8.exe
2013-11-07 14:30 - 2011-06-02 23:42 - 00000000 ____D C:\Users\MARIA\AppData\Roaming\SoftGrid Client
2013-11-07 11:38 - 2013-10-13 02:49 - 00000000 ____D C:\Program Files\Common Files\AVG Secure Search
2013-11-07 11:38 - 2013-10-11 21:18 - 00000000 ____D C:\Program Files\Common Files\COMODO
2013-11-07 11:38 - 2013-08-13 13:26 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-11-07 11:38 - 2009-07-14 02:37 - 00000000 ____D C:\windows\system32\wfp
2013-11-07 11:38 - 2009-07-14 02:37 - 00000000 ____D C:\windows\system32\NDF
2013-11-07 11:38 - 2009-07-14 02:37 - 00000000 ____D C:\windows\registration
2013-11-07 03:39 - 2013-11-07 03:39 - 00000000 _____ C:\windows\setuperr.log
2013-11-07 03:39 - 2010-12-01 22:46 - 00000000 ___DC C:\Users\MARIA
2013-11-05 11:13 - 2013-11-05 11:13 - 00035833 _____ C:\Users\MARIA\Downloads\comodo.txt
2013-11-05 04:54 - 2013-10-04 21:35 - 00000000 ____D C:\ProgramData\COMODO
2013-11-05 04:51 - 2013-10-04 21:37 - 00000000 ___SD C:\ProgramData\Shared Space
2013-11-05 00:31 - 2013-11-05 00:31 - 00001195 _____ C:\Users\MARIA\Desktop\AVG Secure Search - Atalho.lnk
2013-11-04 14:47 - 2013-11-04 14:47 - 00000351 _____ C:\Users\MARIA\Downloads\https---www.youtube.com-watch-v=AfdV_OlLu4U
2013-11-04 14:12 - 2013-11-04 14:12 - 04478397 _____ C:\Users\MARIA\Downloads\Golpe.wmv
2013-11-01 16:11 - 2013-10-04 21:40 - 01474832 _____ C:\windows\system32\Drivers\sfi.dat
2013-11-01 11:17 - 2013-10-04 22:36 - 01440730 _____ C:\windows\system32\Drivers\fvstore.dat
2013-10-31 11:37 - 2010-06-24 20:34 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-10-30 10:44 - 2012-08-08 16:33 - 00002381 _____ C:\Users\MARIA\Desktop\Advanced Uninstaller PRO 11.lnk
2013-10-30 10:38 - 2013-10-30 10:38 - 21548944 _____ (Innovative Solutions ) C:\Users\MARIA\Downloads\Advanced_Uninstaller11.exe
2013-10-30 05:12 - 2013-10-30 05:12 - 06951048 _____ (Microsoft Corporation) C:\Users\MARIA\Downloads\Silverlight (1).exe
2013-10-29 03:55 - 2013-10-29 03:55 - 00029201 _____ C:\Users\MARIA\Downloads\How Great Thou Art Hymn.htm
2013-10-29 03:55 - 2013-10-29 03:55 - 00000000 ____D C:\Users\MARIA\Downloads\How Great Thou Art Hymn_files
2013-10-25 07:08 - 2013-08-08 01:47 - 00000000 ____D C:\Users\MARIA\Documents\Russellers_files
2013-10-21 20:41 - 2013-10-21 20:41 - 00091480 _____ C:\Users\MARIA\Documents\Uma Semana no Aeroporto, Allain de Botton.htm
2013-10-21 20:41 - 2013-10-21 20:41 - 00000000 ____D C:\Users\MARIA\Documents\Uma Semana no Aeroporto, Allain de Botton_files
2013-10-21 18:25 - 2013-10-21 18:25 - 00000000 ____D C:\Users\MARIA\Documents\Manual do Processo de Inventário - À luz do Novo Regime, Eduardo Paiva, Helena Cabrita b_files
2013-10-21 18:25 - 2013-10-21 18:24 - 00108704 _____ C:\Users\MARIA\Documents\Manual do Processo de Inventário - À luz do Novo Regime, Eduardo Paiva, Helena Cabrita b.htm
2013-10-21 18:23 - 2013-10-21 18:23 - 00077232 _____ C:\Users\MARIA\Documents\Manual do Processo de Inventário - À luz do Novo Regime, Eduardo Paiva, Helena Cabrita.htm
2013-10-21 18:19 - 2013-10-21 18:19 - 00103103 _____ C:\Users\MARIA\Documents\Heranças e Partilhas - Doações e Testamentos, João Queiroga Chaves.htm
2013-10-21 18:19 - 2013-10-21 18:19 - 00000000 ____D C:\Users\MARIA\Documents\Heranças e Partilhas - Doações e Testamentos, João Queiroga Chaves_files
2013-10-21 18:18 - 2013-10-21 18:18 - 00104960 _____ C:\Users\MARIA\Documents\Heranças & Partilhas - Guia Prático, Carlos Ricardo Sousa Soares.htm
2013-10-21 18:18 - 2013-10-21 18:18 - 00000000 ____D C:\Users\MARIA\Documents\Heranças & Partilhas - Guia Prático, Carlos Ricardo Sousa Soares_files
2013-10-19 23:53 - 2013-10-19 23:53 - 00022263 _____ C:\Users\MARIA\Documents\3 APRe! Colóquio - Ficha inscrição MARIA SANTOS.xlsx
2013-10-19 22:40 - 2013-10-19 22:40 - 00022100 _____ C:\Users\MARIA\Documents\3 APRe! Colóquio - Ficha inscrição (1).xlsx
2013-10-18 00:27 - 2013-10-13 04:15 - 00002129 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2013-10-17 04:05 - 2013-10-17 04:05 - 00022100 _____ C:\Users\MARIA\Documents\3 APRe! Colóquio - Ficha inscrição.xlsx
2013-10-15 08:03 - 2013-10-15 08:03 - 00000192 _____ C:\Users\MARIA\Downloads\radiousp.wax
2013-10-15 06:35 - 2013-10-15 05:53 - 00035980 ____H C:\Users\MARIA\Documents\~WRL2787.tmp
2013-10-15 05:59 - 2013-10-15 05:59 - 00000482 _____ C:\Users\MARIA\Downloads\url (1).htm
2013-10-13 04:15 - 2011-01-22 12:19 - 00000000 ____D C:\Users\MARIA\AppData\Local\Google
2013-10-13 04:14 - 2011-01-22 12:18 - 00000000 ____D C:\Program Files\Google
2013-10-13 02:50 - 2013-10-13 02:50 - 00000000 ____D C:\Users\MARIA\AppData\Local\AVG Secure Search
2013-10-11 21:18 - 2013-10-11 21:18 - 00002013 _____ C:\Users\Public\Desktop\GeekBuddy.lnk

Some content of TEMP:
====================
C:\Users\MARIA\AppData\Local\Temp\NOSEventMessages.dll


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2013-11-05 12:28

==================== End Of Log ============================


Edited by Maria sts, 11 November 2013 - 09:54 AM.


#8 Maria sts

Maria sts
  • Topic Starter

  • Members
  • 29 posts
  • Gender:Female
  • Local time:06:19 AM

Posted 11 November 2013 - 09:48 AM

2.

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 10-11-2013 01
Ran by MARIA at 2013-11-10 23:22:42
Running from C:\Users\MARIA\Downloads
Boot Mode: Normal
==========================================================


==================== Security Center ========================

AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

32 Bit HP CIO Components Installer (Version: 1.1.0)
Acrobat.com (Version: 1.6.65)
Adobe AIR (Version: 1.5.0.7220)
Adobe Flash Player 11 ActiveX (Version: 11.0.1.152)
Adobe Flash Player 11 Plugin (Version: 11.8.800.168)
Adobe Reader 9.1 MUI (Version: 9.1.0)
Advanced Uninstaller PRO - Version 11 (Version: 11)
Assistente de Início de Sessão do Windows Live (Version: 5.000.818.5)
ASUS VIBE (Version: 1.0.187)
ASUS WebStorage (Version: 2.0.46.1429)
ASUSUpdate for Eee PC (Version: 1.04.01)
Atheros Client Installation Program (Version: 7.0)
Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver (Version: 1.0.0.10)
CapsHook (Version: 1.0.0.5)
CCleaner (Version: 4.04)
DriveImage XML (Private Edition) (Version: 2.44.000)
E-Cam (Version: 2.0.2.5)
Eee Docking 3.7.0 (Version: 3.7.0)
EeeSplendid (Version: 5.1.2.0011)
Ferramenta de Carregamento do Windows Live (Version: 14.0.8014.1029)
FontResizer (Version: 1.01.0011)
Galeria de Fotografias do Windows Live (Version: 14.0.8081.709)
GeekBuddy (Version: 4.9.73)
Google Chrome (Version: 30.0.1599.101)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.5.4601.54)
Google Update Helper (Version: 1.3.21.165)
Hotkey Service (Version: 1.27)
Intel® Graphics Media Accelerator Driver (Version: 8.14.10.2117)
Intel® Matrix Storage Manager
Junk Mail filter update (Version: 14.0.8089.726)
LiveUpdate (Version: 1.21)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Client Profile PTG Language Pack (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Choice Guard (Version: 2.0.48.0)
Microsoft Office 2010 (Version: 14.0.4763.1000)
Microsoft Office Clique-e-Use 2010 (Version: 14.0.4763.1006)
Microsoft Office Starter 2010 - Português (Version: 14.0.4763.1006)
Microsoft Silverlight (Version: 5.1.20913.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft Sync Framework Runtime Native v1.0 (x86) (Version: 1.0.1215.0)
Microsoft Sync Framework Services Native v1.0 (x86) (Version: 1.0.1215.0)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft_VC100_CRT_SP1_x86 (Version: 10.0.40219.1)
MSVC80_x86_v2 (Version: 1.0.3.0)
MSVC90_x86 (Version: 1.0.1.2)
MSVCRT (Version: 14.0.1468.721)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 4.0 SP3 Parser (KB973685) (Version: 4.30.2107.0)
Nokia Connectivity Cable Driver (Version: 7.1.172.0)
Nokia Suite (Version: 3.8.30.0)
PC Connectivity Solution (Version: 12.0.109.0)
Ralink RT2860 Wireless LAN Card (Version: 1.2.0.1)
Realtek High Definition Audio Driver (Version: 6.0.1.6098)
Segurança Familiar do Windows Live (Version: 14.0.8093.805)
Super Hybrid Engine (Version: 2.16)
Synaptics Pointing Device Driver (Version: 14.0.16.0)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Windows Driver Package - Broadcom Bluetooth (07/17/2009 6.2.0.9403) (Version: 07/17/2009 6.2.0.9403)
Windows Driver Package - Broadcom Bluetooth (07/29/2009 6.1.7100.0) (Version: 07/29/2009 6.1.7100.0)
Windows Driver Package - Broadcom HIDClass (07/28/2009 6.2.0.9800) (Version: 07/28/2009 6.2.0.9800)
Windows Live Call (Version: 14.0.8064.0206)
Windows Live Communications Platform (Version: 14.0.8064.206)
Windows Live Essentials (Version: 14.0.8089.0726)
Windows Live Essentials (Version: 14.0.8089.726)
Windows Live Mail (Version: 14.0.8089.0726)
Windows Live Messenger (Version: 14.0.8089.0726)
Windows Live Writer (Version: 14.0.8089.0726)
WinRAR 4.20 (32-bit) (Version: 4.20.0)

==================== Restore Points =========================

30-10-2013 03:08:00 Ponto de Verificação Agendado
30-10-2013 10:45:00 After installing Advanced Uninstaller PRO
05-11-2013 04:45:37 Removed COMODO Internet Security Pro 2013
05-11-2013 11:33:44 Removed GeekBuddy.
05-11-2013 13:48:53 Removed GeekBuddy.
10-11-2013 15:26:26 Cópia de Segurança do Windows

==================== Hosts content: ==========================

2009-07-14 02:04 - 2009-06-10 21:39 - 00000824 ____A C:\windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

Task: {26FEB505-8137-4BCF-A222-BFF8018F7963} - \CreateChoiceProcessTask No Task File
Task: {4B9EBE48-F988-428F-A174-19424E10861C} - System32\Tasks\Microsoft\Windows\MUI\Lpksetup => C:\Windows\System32\lpksetup.exe [2009-07-14] (Microsoft Corporation)
Task: {6DEBA1A5-9B0F-4D8A-BDE0-DF06E7C15D27} - System32\Tasks\{7A7B65C9-FBEF-4FD8-BDF2-5852AEE98CE9} => C:\Users\MARIA\AppData\Local\Temp\install_flashplayer11x32_mssd_aaa_aih(1).exe
Task: {75876A2F-AD1A-45D0-BC67-0A6317095CDF} - \GoogleUpdateTaskUserS-1-5-21-342263834-3094944489-2881250582-1000Core No Task File
Task: {82B6EC8D-AD79-487A-B574-F7ACBCA0C383} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2011-01-22] (Google Inc.)
Task: {8B5C1B84-D609-432F-AFEA-635E1A5431D0} - \CCleanerSkipUAC No Task File
Task: {BA8AA7C8-BBC1-43D1-94B9-49BB3E031BD7} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {E7AF4554-CEDC-4037-A0E5-137D73FC3460} - \SidebarExecute No Task File
Task: {ED5770BE-8A78-438E-9D02-16A1A7A7E168} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2011-01-22] (Google Inc.)
Task: {FF33960A-5B67-427A-A9AE-38C684F234C6} - \GoogleUpdateTaskUserS-1-5-21-342263834-3094944489-2881250582-1000UA No Task File
Task: C:\windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) =============

2010-03-16 01:48 - 2010-03-16 01:48 - 00148816 _____ () C:\Program Files\ASUS\ASUS WebStorage\EcaremeDLL.dll
2010-06-24 20:35 - 2010-06-24 20:35 - 00030032 _____ () C:\windows\assembly\GAC_MSIL\SqliteShared\1.0.3726.20828__0d0f4b69e50e559b\SqliteShared.dll
2010-06-24 20:35 - 2010-06-24 20:35 - 00839680 _____ () C:\windows\assembly\GAC_32\System.Data.SQLite\1.0.60.0__db937bc2d44ff139\System.Data.SQLite.dll
2009-02-27 19:56 - 2009-02-27 19:56 - 00016768 _____ () C:\Program Files\Adobe\Reader 9.0\Reader\viewerps.dll
2013-04-19 00:46 - 2013-04-19 00:46 - 08507232 _____ () C:\Program Files\Nokia\Nokia Suite\QtGui4.dll
2013-04-19 00:46 - 2013-04-19 00:46 - 02354016 _____ () C:\Program Files\Nokia\Nokia Suite\QtCore4.dll
2013-04-19 00:46 - 2013-04-19 00:46 - 01014624 _____ () C:\Program Files\Nokia\Nokia Suite\QtNetwork4.dll
2013-04-19 00:46 - 2013-04-19 00:46 - 00364384 _____ () C:\Program Files\Nokia\Nokia Suite\QtXml4.dll
2013-04-19 00:46 - 2013-04-19 00:46 - 02480992 _____ () C:\Program Files\Nokia\Nokia Suite\QtDeclarative4.dll
2013-04-19 00:46 - 2013-04-19 00:46 - 01346912 _____ () C:\Program Files\Nokia\Nokia Suite\QtScript4.dll
2013-04-19 00:46 - 2013-04-19 00:46 - 00206176 _____ () C:\Program Files\Nokia\Nokia Suite\QtSql4.dll
2013-04-19 00:46 - 2013-04-19 00:46 - 02653024 _____ () C:\Program Files\Nokia\Nokia Suite\QtXmlPatterns4.dll
2013-04-19 00:45 - 2013-04-19 00:45 - 00033120 _____ () C:\Program Files\Nokia\Nokia Suite\imageformats\qgif4.dll
2013-04-19 00:45 - 2013-04-19 00:45 - 00035680 _____ () C:\Program Files\Nokia\Nokia Suite\imageformats\qico4.dll
2013-04-19 00:45 - 2013-04-19 00:45 - 00207200 _____ () C:\Program Files\Nokia\Nokia Suite\imageformats\qjpeg4.dll
2013-04-19 00:46 - 2013-04-19 00:46 - 11166560 _____ () C:\Program Files\Nokia\Nokia Suite\QtWebKit4.dll
2013-04-19 00:46 - 2013-04-19 00:46 - 00276832 _____ () C:\Program Files\Nokia\Nokia Suite\phonon4.dll
2013-04-15 12:26 - 2013-04-15 12:26 - 00391600 _____ () C:\Program Files\Nokia\Nokia Suite\ssoengine.dll
2013-04-15 12:26 - 2013-04-15 12:26 - 00059280 _____ () C:\Program Files\Nokia\Nokia Suite\securestorage.dll
2013-04-19 00:45 - 2013-04-19 00:45 - 00438624 _____ () C:\Program Files\Nokia\Nokia Suite\NService.dll
2013-04-19 00:46 - 2013-04-19 00:46 - 00446304 _____ () C:\Program Files\Nokia\Nokia Suite\sqldrivers\qsqlite4.dll
2013-04-19 00:46 - 2013-04-19 00:46 - 00520544 _____ () C:\Program Files\Nokia\Nokia Suite\QtMultimediaKit1.dll
2013-04-19 00:46 - 2013-04-19 00:46 - 00720736 _____ () C:\Program Files\Nokia\Nokia Suite\QtOpenGL4.dll
2013-04-19 00:44 - 2013-04-19 00:44 - 00606560 _____ () C:\Program Files\Nokia\Nokia Suite\CommonUpdateChecker.dll
2013-04-19 00:46 - 2013-04-19 00:46 - 00093024 _____ () C:\Program Files\Nokia\Nokia Suite\qjson.dll
2013-10-18 00:26 - 2013-10-09 00:01 - 00698832 _____ () C:\Program Files\Google\Chrome\Application\30.0.1599.101\libglesv2.dll
2013-10-18 00:26 - 2013-10-09 00:01 - 00099792 _____ () C:\Program Files\Google\Chrome\Application\30.0.1599.101\libegl.dll
2013-11-10 14:36 - 2013-11-10 14:35 - 00519704 _____ () C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.1.2\log4cplusU.dll
2013-11-10 14:36 - 2013-11-10 14:35 - 00142360 _____ () C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\17.1.2\SiteSafety.dll
2013-10-18 00:26 - 2013-10-09 00:02 - 04055504 _____ () C:\Program Files\Google\Chrome\Application\30.0.1599.101\pdf.dll
2013-10-18 00:27 - 2013-10-09 00:02 - 00415184 _____ () C:\Program Files\Google\Chrome\Application\30.0.1599.101\ppGoogleNaClPluginChrome.dll
2013-10-18 00:26 - 2013-10-09 00:01 - 01604560 _____ () C:\Program Files\Google\Chrome\Application\30.0.1599.101\ffmpegsumo.dll

==================== Alternate Data Streams (whitelisted) =========

AlternateDataStreams: C:\ProgramData\TEMP:0B4227B4

==================== Safe Mode (whitelisted) ===================


==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (11/10/2013 07:00:12 PM) (Source: Windows Backup) (User: )
Description: A cópia de segurança não foi concluída devido a um erro ao escrever na localização da cópia de segurança E:\. O erro é: Não é possível encontrar a localização de cópia de segurança ou esta não é válida. Reveja as definições de cópia de segurança e verifique a localização de cópia de segurança. (0x81000006).

Error: (11/09/2013 08:14:50 PM) (Source: VSS) (User: )
Description: Erro do Serviço de Cópia Sombra de Volumes: erro inesperado ao consultar a interface IVssWriterCallback. hr = 0x80070005, Acesso negado.
.
Este é muitas vezes causado por definições de segurança incorrectas no processo do escritor ou requerente.


Operação:
A Recolher Dados de Escritor

Contexto:
ID de Classe de Escritor: {e8132975-6f93-4464-a53e-1050253ae220}
Nome de Escritor: System Writer
ID de Instância de Escritor: {333900a7-9db0-4fb3-9d76-82d58497598b}

Error: (11/09/2013 08:13:50 PM) (Source: VSS) (User: )
Description: Erro do Serviço de Cópia Sombra de Volumes: erro inesperado ao consultar a interface IVssWriterCallback. hr = 0x80070005, Acesso negado.
.
Este é muitas vezes causado por definições de segurança incorrectas no processo do escritor ou requerente.


Operação:
A Recolher Dados de Escritor

Contexto:
ID de Classe de Escritor: {e8132975-6f93-4464-a53e-1050253ae220}
Nome de Escritor: System Writer
ID de Instância de Escritor: {333900a7-9db0-4fb3-9d76-82d58497598b}

Error: (11/07/2013 03:40:39 AM) (Source: Windows Search Service) (User: )
Description: O Serviço Windows Search está a ser parado porque existe um problema com o indexador, The catalog is corrupt.

Detalhes:
    O catálogo de índices de conteúdos está danificado. (HRESULT : 0xc0041801) (0xc0041801)

Error: (11/07/2013 03:40:39 AM) (Source: Windows Search Service) (User: )
Description: O serviço de pesquisa detectou ficheiros de dados danificados no índice {id=4400}. O serviço irá tentar corrigir este problema automaticamente recriando o índice.

Detalhes:
    O catálogo de índices de conteúdos está danificado. (HRESULT : 0xc0041801) (0xc0041801)

Error: (11/07/2013 03:40:39 AM) (Source: Windows Search Service) (User: )
Description: Não foi possível inicializar o índice.

Detalhes:
    A base de dados de índices de conteúdos está danificada. (HRESULT : 0xc0041800) (0xc0041800)

Error: (11/07/2013 03:40:38 AM) (Source: Windows Search Service) (User: )
Description: Não foi possível inicializar a aplicação.

Contexto: Aplicação Windows

Detalhes:
    A base de dados de índices de conteúdos está danificada. (HRESULT : 0xc0041800) (0xc0041800)

Error: (11/07/2013 03:40:38 AM) (Source: Windows Search Service) (User: )
Description: Não foi possível inicializar o objecto do colector.

Contexto: Aplicação Windows, Catálogo SystemIndex

Detalhes:
    A base de dados de índices de conteúdos está danificada. (HRESULT : 0xc0041800) (0xc0041800)

Error: (11/07/2013 03:40:38 AM) (Source: Windows Search Service) (User: )
Description: Não foi possível inicializar o plug-in em <Search.TripoliIndexer>.

Contexto: Aplicação Windows, Catálogo SystemIndex

Detalhes:
    A base de dados de índices de conteúdos está danificada. (HRESULT : 0xc0041800) (0xc0041800)

Error: (11/07/2013 03:40:38 AM) (Source: Windows Search Service) (User: )
Description: O Serviço Windows Search está a ser parado porque existe um problema com o indexador, The catalog is corrupt.

Contexto: Aplicação Windows, Catálogo SystemIndex

Detalhes:
    O catálogo de índices de conteúdos está danificado. 0xc0041801 (0xc0041801)


System errors:
=============
Error: (11/10/2013 02:34:05 PM) (Source: Service Control Manager) (User: )
Description: Falhou o carregamento dos seguintes controladores de início de arranque ou de início do sistema:
cdrom

Error: (11/10/2013 02:28:03 PM) (Source: Service Control Manager) (User: )
Description: O serviço Browser de computador depende do serviço Servidor o qual falhou o arranque devido ao seguinte erro:
%%1068

Error: (11/10/2013 02:28:03 PM) (Source: Service Control Manager) (User: )
Description: O serviço Browser de computador depende do serviço Servidor o qual falhou o arranque devido ao seguinte erro:
%%1068

Error: (11/10/2013 02:28:03 PM) (Source: Service Control Manager) (User: )
Description: O serviço Browser de computador depende do serviço Servidor o qual falhou o arranque devido ao seguinte erro:
%%1068

Error: (11/10/2013 02:27:41 PM) (Source: Service Control Manager) (User: )
Description: O serviço Browser de computador depende do serviço Servidor o qual falhou o arranque devido ao seguinte erro:
%%1068

Error: (11/10/2013 02:27:41 PM) (Source: Service Control Manager) (User: )
Description: O serviço Browser de computador depende do serviço Servidor o qual falhou o arranque devido ao seguinte erro:
%%1068

Error: (11/10/2013 02:27:41 PM) (Source: Service Control Manager) (User: )
Description: O serviço Browser de computador depende do serviço Servidor o qual falhou o arranque devido ao seguinte erro:
%%1068

Error: (11/10/2013 02:25:57 PM) (Source: Service Control Manager) (User: )
Description: O serviço Browser de computador depende do serviço Servidor o qual falhou o arranque devido ao seguinte erro:
%%1068

Error: (11/10/2013 02:25:57 PM) (Source: Service Control Manager) (User: )
Description: O serviço Browser de computador depende do serviço Servidor o qual falhou o arranque devido ao seguinte erro:
%%1068

Error: (11/10/2013 02:25:57 PM) (Source: Service Control Manager) (User: )
Description: O serviço Browser de computador depende do serviço Servidor o qual falhou o arranque devido ao seguinte erro:
%%1068


Microsoft Office Sessions:
=========================
Error: (11/10/2013 07:00:12 PM) (Source: Windows Backup)(User: )
Description: E:\Não é possível encontrar a localização de cópia de segurança ou esta não é válida. Reveja as definições de cópia de segurança e verifique a localização de cópia de segurança. (0x81000006)

Error: (11/09/2013 08:14:50 PM) (Source: VSS)(User: )
Description: 0x80070005, Acesso negado.


Operação:
A Recolher Dados de Escritor

Contexto:
ID de Classe de Escritor: {e8132975-6f93-4464-a53e-1050253ae220}
Nome de Escritor: System Writer
ID de Instância de Escritor: {333900a7-9db0-4fb3-9d76-82d58497598b}

Error: (11/09/2013 08:13:50 PM) (Source: VSS)(User: )
Description: 0x80070005, Acesso negado.


Operação:
A Recolher Dados de Escritor

Contexto:
ID de Classe de Escritor: {e8132975-6f93-4464-a53e-1050253ae220}
Nome de Escritor: System Writer
ID de Instância de Escritor: {333900a7-9db0-4fb3-9d76-82d58497598b}

Error: (11/07/2013 03:40:39 AM) (Source: Windows Search Service)(User: )
Description: Detalhes:
    O catálogo de índices de conteúdos está danificado. (HRESULT : 0xc0041801) (0xc0041801)
The catalog is corrupt

Error: (11/07/2013 03:40:39 AM) (Source: Windows Search Service)(User: )
Description: Detalhes:
    O catálogo de índices de conteúdos está danificado. (HRESULT : 0xc0041801) (0xc0041801)
4400

Error: (11/07/2013 03:40:39 AM) (Source: Windows Search Service)(User: )
Description: Detalhes:
    A base de dados de índices de conteúdos está danificada. (HRESULT : 0xc0041800) (0xc0041800)

Error: (11/07/2013 03:40:38 AM) (Source: Windows Search Service)(User: )
Description: Contexto: Aplicação Windows

Detalhes:
    A base de dados de índices de conteúdos está danificada. (HRESULT : 0xc0041800) (0xc0041800)

Error: (11/07/2013 03:40:38 AM) (Source: Windows Search Service)(User: )
Description: Contexto: Aplicação Windows, Catálogo SystemIndex

Detalhes:
    A base de dados de índices de conteúdos está danificada. (HRESULT : 0xc0041800) (0xc0041800)

Error: (11/07/2013 03:40:38 AM) (Source: Windows Search Service)(User: )
Description: Contexto: Aplicação Windows, Catálogo SystemIndex

Detalhes:
    A base de dados de índices de conteúdos está danificada. (HRESULT : 0xc0041800) (0xc0041800)
Search.TripoliIndexer

Error: (11/07/2013 03:40:38 AM) (Source: Windows Search Service)(User: )
Description: Contexto: Aplicação Windows, Catálogo SystemIndex

Detalhes:
    O catálogo de índices de conteúdos está danificado. 0xc0041801 (0xc0041801)
The catalog is corrupt


==================== Memory info ===========================

Percentage of memory in use: 62%
Total physical RAM: 1014.18 MB
Available physical RAM: 379.96 MB
Total Pagefile: 2136.18 MB
Available Pagefile: 842.15 MB
Total Virtual: 2047.88 MB
Available Virtual: 1897.52 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:100 GB) (Free:73.19 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: () (Fixed) (Total:117.87 GB) (Free:115.44 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 233 GB) (Disk ID: 29133921)
Partition 1: (Active) - (Size=100 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=15 GB) - (Type=1B)
Partition 3: (Not Active) - (Size=118 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=20 MB) - (Type=EF)

==================== End Of Log ============================
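The FRST output posted above (the Bamital & volsnap check in the first log, the Scheduled Tasks and Loaded Modules sections in this Addition log) is what the responder reads to decide the next step. The Python below is an added example, not part of FRST or of anything posted in this thread: it parses those sections and flags the entries that normally get a second look, namely orphaned tasks, tasks whose target sits in a Temp folder, modules loaded from user-writable paths, and system binaries whose MD5 is not reported legit. Its sample input reuses lines from the logs above plus one module line that is constructed (labelled as such) so that every rule fires.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST) text output.

Added example for this thread, not part of FRST or of any tool posted here.
It flags scheduled tasks with no task file left or with a target under a Temp
folder, loaded modules running from user-writable paths (Users, ProgramData),
and "Bamital & volsnap Check" lines whose MD5 is not reported as legit.
"""
import re
from collections import namedtuple

# Sample input: lines copied from the logs posted above, plus one CONSTRUCTED
# module line under AppData so that the module rule is exercised as well.
SAMPLE_LOG = r"""==================== Bamital & volsnap Check =================
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Scheduled Tasks (whitelisted) =============
Task: {26FEB505-8137-4BCF-A222-BFF8018F7963} - \CreateChoiceProcessTask No Task File
Task: {6DEBA1A5-9B0F-4D8A-BDE0-DF06E7C15D27} - System32\Tasks\{7A7B65C9-FBEF-4FD8-BDF2-5852AEE98CE9} => C:\Users\MARIA\AppData\Local\Temp\install_flashplayer11x32_mssd_aaa_aih(1).exe
Task: {82B6EC8D-AD79-487A-B574-F7ACBCA0C383} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2011-01-22] (Google Inc.)
Task: C:\windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) =============
2010-03-16 01:48 - 2010-03-16 01:48 - 00148816 _____ () C:\Program Files\ASUS\ASUS WebStorage\EcaremeDLL.dll
2013-11-01 10:00 - 2013-11-01 10:00 - 00012345 _____ () C:\Users\MARIA\AppData\Roaming\constructed_example.dll
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")            # "==== Title ===="
TASK_RE = re.compile(r"^Task: (.*)$")
# FRST module line: "<date> <time> - <date> <time> - <size> <attrs> (<Company>) <path>"
MODULE_RE = re.compile(r"^\S+ \S+ - \S+ \S+ - \d+ \S+ \((.*?)\) (.+)$")
MD5_RE = re.compile(r"^(.+?) => (.+)$")
TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"^[A-Za-z]:\\(Users|ProgramData)\\", re.IGNORECASE)

Finding = namedtuple("Finding", "section reason detail")


def split_sections(text):
    """Group non-empty lines under the "==== Title ====" header above them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            if m.group(1):                 # a bare "=====" rule carries no title
                current = m.group(1)
                sections.setdefault(current, [])
        elif current is not None and line:
            sections[current].append(line)
    return sections


def check_tasks(lines):
    for body in (m.group(1) for m in map(TASK_RE.match, lines) if m):
        if body.endswith("No Task File"):
            yield Finding("Scheduled Tasks", "orphaned task, task file missing", body)
        elif TEMP_RE.search(body):
            yield Finding("Scheduled Tasks", "task target under a Temp directory", body)


def check_modules(lines):
    for line in lines:
        m = MODULE_RE.match(line)
        if m and USER_WRITABLE_RE.match(m.group(2)):
            yield Finding("Loaded Modules", "module loaded from user-writable path", m.group(2))


def check_md5(lines):
    for line in lines:
        m = MD5_RE.match(line)
        if m and m.group(2) != "MD5 is legit":
            yield Finding("Bamital & volsnap Check", "MD5 not reported legit", m.group(1))


CHECKS = {"Scheduled Tasks": check_tasks, "Loaded Modules": check_modules,
          "Bamital & volsnap Check": check_md5}


def triage(text):
    """Return the findings for one FRST log, in log order."""
    findings = []
    for title, lines in split_sections(text).items():
        for prefix, check in CHECKS.items():
            if title.startswith(prefix):
                findings.extend(check(lines))
    return findings
```

Run on the sample it reports the orphaned CreateChoiceProcessTask entry, the task whose target is an installer in the user's Temp folder, and the constructed AppData module; the Google Update entries and the legit MD5 lines produce nothing.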



#9 Maria sts

Maria sts
  • Topic Starter

  • Members
  • 29 posts
  • Gender:Female
  • Local time:06:19 AM

Posted 11 November 2013 - 09:52 AM

3.

GMER 2.1.19163 - http://www.gmer.net

Rootkit scan 2013-11-11 00:59:58
Windows 6.1.7600 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD25 rev.01.0 232,89GB
Running: emg9rzvw.exe; Driver: C:\Users\MARIA\AppData\Local\Temp\uxdyipod.sys


---- Devices - GMER 2.1 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\1c4bd6048c5c
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\1c4bd6048c5c (not active ControlSet)
Reg HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers\8D23458C-052E-4F12-A123-DEFB563B2B3F@IPAddress 127.0.0.1
Reg HKLM\SOFTWARE\Microsoft\Windows Search\UsnNotifier\Windows\Catalogs\SystemIndex@{414D4B79-FD39-11DF-8AAB-806E6F6E6963} 1887270096
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Intel\xae Matrix Storage Manager\Intel\xae Matrix Storage Console.lnk 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Intel\xae Matrix Storage Manager\Intel\xae Matrix Storage Console.lnk 1

---- EOF - GMER 2.1 ----



#10 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:07:19 AM

Posted 11 November 2013 - 09:56 AM

Please download and run this tool as administrator to remove all Comodo remnants:

https://sites.google.com/site/jacobcprt/Setup.zip?attredirects=0

When finished, reboot your computer.

Full System Scan with Malwarebytes Antimalware

  • If not existing, please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.


If the program is already installed:
  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform fullscan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.


Proud Member of UNITE & TB

#11 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:07:19 AM

Posted 14 November 2013 - 04:22 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

#12 Maria sts

Maria sts
  • Topic Starter

  • Members
  • 29 posts
  • Gender:Female
  • Local time:06:19 AM

Posted 19 November 2013 - 06:09 AM

Hi Marius

Sorry for the delay, due to family issues and problems with the wired network connection of my old desktop, which I've used to post the logs that I made before, as on this infected netbook I was not allowed to post those logs. They disappeared and were not made public, as if someone (not me) deleted them.

I downloaded the program from the first link, but when I clicked the Add/Remove button, it opened the Add/Remove window in Control Panel. But COMODO is not listed there. If I can't post its location, which I found, in a next post in a few minutes, I will send you a PM. Please check for it.


Edited by Maria sts, 19 November 2013 - 03:19 PM.


#13 Maria sts

Maria sts
  • Topic Starter

  • Members
  • 29 posts
  • Gender:Female
  • Local time:06:19 AM

Posted 19 November 2013 - 08:50 AM

I found it at least in:

Computador\C:\Progamas:

COMODO

ADTRUSTMEDIA

COMMONFILES

Computador\C:\ProgramData:

COMODO

COMODODOWNLOADER

C:\Users\MARIA\AppData\Local\Comodo\Dragon

C:\Users\MARIA\AppData\LocalLow

Do you need its content?

I also found that programs that I had removed are still present: Panda, Spybot, Trend Micro, Malwarebytes Anti-Malware, etc.

Checked with Regedit, and it is not in [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]



#14 Maria sts

Maria sts
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:19 AM

Posted 19 November 2013 - 08:58 AM

I also have Comodo Dragon and GeekBuddy icons on the desktop, and a pop-up from Comodo Dragon flashing, asking permission and wanting me to consent to a new license, which I refused.

Now, how can I apply Setup.zip to the folders where COMODO IS LISTED?


Edited by Maria sts, 19 November 2013 - 03:29 PM.


#15 Maria sts

Maria sts
  • Topic Starter

  • Members
  • 29 posts
  • Gender:Female
  • Local time:06:19 AM

Posted 19 November 2013 - 07:50 PM

Hi

I have downloaded 'Setup.zip' again and saved it on the desktop, being able, this time, to run it as Administrator. Although COMODO I.S. is not in the list of programs in Control Panel, I tried to uninstall GeekBuddy, which is there. But without success, because a message appeared saying "Windows Installer Service could not be accessed. It may happen if Windows is not correctly installed. Contact technical support to get assistance".

What can I do, please?

P.S. - Among the programs that I have uninstalled but which are still on my computer (complete or what remains of them), I've remembered that 'Conduit' is also there.





