Multiple pc infection, suspected xe.vbs


28 replies to this topic

#1 Rangio

  • Members
  • 15 posts

Posted 20 November 2013 - 06:51 AM

Hello, I am a medical student from Italy. Thank you so much for the useful helping tools and support provided on this forum! I am experiencing issues (slow data processing, USB key infections...) with a computer I am using here at my hospital (CCU). As well trained as they should be, the vast majority of doctors seem to ignore the basic rules of computer protection/usage.  :rolleyes:

The computer in question contains important data, so I am trying to be as cautious as possible in my attempt to fix it. Any help will be much appreciated. Here are the DDS and Attach files.

Thank you again!

Attached Files


Edited by Rangio, 20 November 2013 - 07:21 AM.




#2 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 20 November 2013 - 07:32 AM

Hi there,
My name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Hi Rangio,

As there is the possibility that data has been manipulated: is any patient data stored on this computer?


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 Rangio

  • Topic Starter
  • Members
  • 15 posts

Posted 20 November 2013 - 07:42 AM

Hi Marius, thank you for replying to my message.

Yes, there is patient data stored on the computer, mostly in the form of Excel databases. I have tried to back up most of it. This is a "workhorse" computer used mostly by students. I have received my boss's authorization to operate the computer with potentially harmful antivirus programs (Combofix).


Edited by Rangio, 20 November 2013 - 08:12 AM.


#4 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 20 November 2013 - 08:16 AM

Scan with TDSS-Killer

Please read and follow these instructions carefully. We do not want it to fix anything yet (if found), we need to see a report first.

Download TDSSKiller.exe and save it to your desktop

  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan.
  • If Malicious objects are found, do NOT select Copy to quarantine. Change the action to Skip, and save the log.
  • Once complete, a log will be produced at the root drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt


Please post the contents of that log in your next reply.

Scan with aswMBR

Please download aswMBR ( 4.5MB ) to your desktop.

  • Double-click the aswMBR.exe icon, and click Run.
  • There will be a short delay before the next dialog box comes up. Please just wait a minute or two.
  • When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
  • Typically this is about a 100MB download, so depending on your connection speed it can take a short while to download and become ready.
  • Click the Scan button to start the scan once the update has finished downloading.
  • On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.

Note: There will also be a file on your desktop named MBR.dat; do not delete this for now. It is an actual backup of the MBR (master boot record).



#5 Rangio

  • Topic Starter
  • Members
  • 15 posts

Posted 20 November 2013 - 08:28 AM

Thank you again. Here are the logs. There could be a problem though: I had already performed a TDSS scan and quarantined two files a day ago. I also got a download error (AVAST engine download error:407) when trying to download Avast. I do not know whether or not it is caused by the hospital's proxy, but I cannot seem to be able to download any antivirus (I have tried Avira, Avast and AVG). I am not able to download MBAM's updates either.

Best

R

Attached Files


Edited by Rangio, 20 November 2013 - 08:47 AM.


#6 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 20 November 2013 - 09:51 AM

Please attach the TDSS-Killer log files that were created when removing files.

I need to see WHAT was removed.



#7 Rangio

  • Topic Starter
  • Members
  • 15 posts

Posted 20 November 2013 - 11:12 AM

I remember I had performed a "normal" scan with no additional options checked, and it returned no threats. After that I checked the two additional options "verify file digital signature" and "detect TDLFS file system", and it found two threats.

Here's the first log. The file was too big, so I had to split it. Thank you.

Attached Files



#8 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 21 November 2013 - 03:22 AM

The things you removed with TDSS-Killer were legit and I hope that we can restore them properly...

Combofix

Combofix should only be run when advised by a team member!

Link


Important - Save the file to your desktop!


  • Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe


When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing "Illegal operation attempted on a registry key that has been marked for deletion", simply restart your computer to fix this.



#9 Rangio

  • Topic Starter
  • Members
  • 15 posts

Posted 22 November 2013 - 04:43 AM

Thank you so much Marius. Here is the Combofix log file.

ComboFix 13-11-22.01 - User 22/11/2013  10:24:56.1.4 - x86
Microsoft Windows 7 Professional   6.1.7600.0.1252.39.1040.18.3062.2062 [GMT 1:00]
Eseguito da: c:\users\User\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Outdated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Outdated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Creato nuovo punto di ripristino
.
.
(((((((((((((((((((((((((((((((((((((   Altre eliminazioni   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\IsUn0410.exe
.
.
(((((((((((((((((((((((((   Files Creati Da 2013-10-22 al 2013-11-22  )))))))))))))))))))))))))))))))))))
.
.
2013-11-22 09:35 . 2013-11-22 09:35    --------    d-----w-    c:\users\User\AppData\Local\temp
2013-11-22 09:35 . 2013-11-22 09:35    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-11-19 16:56 . 2013-11-19 16:57    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-11-19 16:56 . 2013-04-04 13:50    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-11-18 20:19 . 2013-11-18 20:23    --------    d-----w-    C:\AdwCleaner
2013-11-18 20:18 . 2013-11-18 20:18    --------    d-----w-    C:\TDSSKiller_Quarantine
2013-11-18 20:05 . 2013-11-18 20:05    --------    d-----w-    c:\program files\ESET
2013-11-18 16:57 . 2013-11-18 16:58    --------    d-----w-    c:\program files\Defraggler
2013-11-18 16:35 . 2009-06-30 09:37    28552    ----a-w-    c:\windows\system32\drivers\pavboot.sys
2013-11-18 16:35 . 2013-11-18 16:35    --------    d-----w-    c:\program files\Panda Security
2013-11-18 16:30 . 2013-11-18 16:30    --------    d-----w-    c:\users\User\AppData\Roaming\QuickScan
2013-11-15 15:57 . 2013-11-15 15:57    --------    d-----w-    c:\users\User\AppData\Roaming\Malwarebytes
2013-11-15 15:37 . 2013-11-15 15:37    403440    ----a-w-    c:\windows\system32\drivers\kiedsgrf.sys
2013-11-15 15:37 . 2013-11-15 15:37    --------    d-----w-    c:\programdata\Malwarebytes
2013-11-15 15:36 . 2013-11-15 15:36    --------    d-----w-    c:\users\User\AppData\Local\Programs
2013-11-15 15:30 . 2013-11-15 15:30    --------    d-----w-    c:\program files\AVAST Software
2013-11-15 15:26 . 2013-11-15 15:27    --------    d-----w-    c:\programdata\AVAST Software
2013-11-15 13:45 . 2013-10-03 09:43    193824    -c----w-    c:\programdata\Microsoft\Windows\WER\ReportQueue\Critical_Microsoft Antima_9fcf27d215b361b979fc74236deb3fda02cc4_cab_065eff10\maintenanceservice_installer.exe
2013-10-24 11:21 . 2013-08-17 19:20    144484    --sha-w-    c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xe.vbs
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((   Punti Reg Caricati   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-06-24 1840424]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2010-05-20 36864]
"IAStorIcon"="c:\program files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-09-13 283160]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-06-08 2221352]
"NUSB3MON"="c:\program files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-04-27 113288]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-12 421736]
"NBAgent"="c:\program files\Nero\Nero 11\Nero BackItUp\NBAgent.exe" [2011-09-20 1493288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Ritaglio schermata e avvio di OneNote 2007.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2006-10-26 98632]
xe.vbs [2013-8-17 144484]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\DRIVERS\asmthub3.sys [2010-11-15 95208]
R3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\DRIVERS\asmtxhci.sys [2010-11-15 288744]
R3 kiedsgrf;kiedsgrf;kiedsgrf.sys [x]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-24 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-24 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
R3 WatAdminSvc;Servizio Windows Activation Technologies;c:\windows\system32\Wat\WatAdminSvc.exe [2011-03-08 1343400]
S0 NBVol;Nero Backup Volume Filter Driver;c:\windows\system32\DRIVERS\NBVol.sys [2011-07-13 56496]
S0 NBVolUp;Nero Backup Volume Upper Filter Driver;c:\windows\system32\DRIVERS\NBVolUp.sys [2011-07-13 12464]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-09-13 13336]
S2 NAUpdate;Nero Update;c:\program files\Nero\Update\NASvc.exe [2011-09-23 641832]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2010-10-26 322664]
.
.
Contenuto della cartella 'Scheduled Tasks'
.
2013-11-22 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-16 09:48]
.
2013-11-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-741938975-2718806232-1626271789-1000Core.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-11 19:21]
.
2013-11-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-741938975-2718806232-1626271789-1000UA.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-11 19:21]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = 150.217.*;*.unifi.it
uInternet Settings,ProxyServer = proxy-auth.unifi.it:8888
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.10.31.100 10.10.31.101 10.10.31.193
FF - ProfilePath - c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\uejir3vd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.it/
FF - prefs.js: network.proxy.http - http://proxy2k3.aou-careggi.toscana.it:8080/careggiproxy.pac
FF - prefs.js: network.proxy.http_port - 8888
FF - prefs.js: network.proxy.type - 2
FF - ExtSQL: 2013-11-18 17:30; {e001c731-5e37-4538-a5cb-8168736a2360}; c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\uejir3vd.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
.
- - - - CHIAVI ORFANE RIMOSSE - - - -
.
AddRemove-FileMaker Pro 5.0 - c:\windows\IsUn0410.exe
AddRemove-{5676F50B-9B69-415A-ACB5-E591BF48D282} - c:\progra~2\TARMAI~1\{5676F~1\Setup.exe
.
.
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Ora fine scansione: 2013-11-22  10:38:53
ComboFix-quarantined-files.txt  2013-11-22 09:38
.
Pre-Run: 460.796.649.472 byte disponibili
Post-Run: 460.334.182.400 byte disponibili
.
- - End Of File - - 5D9444377DD7EE60C0C0D50E34EB4EC5
A36C5E4F47E84449FF07ED3517B43A31

Edited by Rangio, 22 November 2013 - 07:13 AM.
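As an added example (not part of this thread, of ComboFix or of any other tool mentioned here), the following Python triage script runs two defender checks over a constructed excerpt in the ComboFix log format posted above: it flags script files in a Startup folder that carry the hidden and system attributes, which is how xe.vbs shows up in the log, and it flags UAC policy values that differ from the Windows 7 defaults. The expected UAC baseline is an assumption; adjust it for your own environment.

```python
"""Triage helper for ComboFix logs (added example, not part of ComboFix).

Two checks worth running over the posted log:
  1. file entries in a Start Menu Startup folder that carry the hidden (h) and
     system (s) attributes and have a script extension, like the xe.vbs line;
  2. UAC policy values under policies\\system that differ from the Windows 7
     defaults (EnableLUA=1, ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1).
"""
import re

# Constructed excerpt in the ComboFix log format used in this thread. The
# xe.vbs line and the policy block mirror the posted log; the first two file
# lines are ordinary driver entries so the filter has something to ignore.
SAMPLE_LOG = r"""
2013-11-19 16:56 . 2013-04-04 13:50    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-11-15 15:37 . 2013-11-15 15:37    403440    ----a-w-    c:\windows\system32\drivers\kiedsgrf.sys
2013-10-24 11:21 . 2013-08-17 19:20    144484    --sha-w-    c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xe.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
"""

# "Files Creati" / Find3M lines: <created> . <modified> <size> <attrs> <path>
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>-+|\d+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$"
)
# Policy lines: "Name"= <decimal> (<hex>)
POLICY_RE = re.compile(r'^"(?P<name>\w+)"=\s*(?P<value>\d+)\s*\(0x[0-9a-fA-F]+\)$')

SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1")
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
# Assumed Windows 7 defaults; replace with your hardened baseline if you have one.
EXPECTED_UAC = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}


def parse_file_entries(log):
    """Return every file/directory entry as a dict of its five columns."""
    entries = []
    for line in log.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def is_hidden_startup_script(entry):
    """True for a script in a Startup folder whose attributes include hidden+system."""
    path = entry["path"].lower()
    attrs = entry["attrs"]
    return (STARTUP_MARKER in path
            and path.endswith(SCRIPT_EXT)
            and "h" in attrs and "s" in attrs)


def parse_uac_policy(log):
    """Collect the values listed under the ...\\policies\\system key."""
    values, in_section = {}, False
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower().endswith("\\policies\\system]")
            continue
        if in_section:
            m = POLICY_RE.match(line)
            if m:
                values[m.group("name")] = int(m.group("value"))
    return values


def weakened_uac(values):
    """Policy values that differ from the expected baseline."""
    return {k: v for k, v in values.items()
            if k in EXPECTED_UAC and v != EXPECTED_UAC[k]}


def triage(log):
    """Run both checks and return the findings."""
    files = [e["path"] for e in parse_file_entries(log) if is_hidden_startup_script(e)]
    return {"hidden_startup_scripts": files,
            "weakened_uac": weakened_uac(parse_uac_policy(log))}


if __name__ == "__main__":
    for key, finding in triage(SAMPLE_LOG).items():
        print(key, finding)
```

On the constructed excerpt the script reports the xe.vbs entry and three UAC values set to 0, matching what the posted log shows.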


#10 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 22 November 2013 - 05:03 AM

Combofix scripting

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.


CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Full System Scan with Malwarebytes Antimalware

  • If not existing, please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.


If the program is already installed:
  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform fullscan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.

Attached Files



#11 Rangio

  • Topic Starter
  • Members
  • 15 posts

Posted 22 November 2013 - 05:10 AM

I am sorry, I just realized I did not disable Windows Defender before running Combofix. Another problem: I can run a Malwarebytes scan (I already did; it found and removed 20 threats. I cannot find the old log, as I uninstalled and then reinstalled MBAM trying to fix the update problem :blush: ), but MBAM will not update, reporting error 404, so it is outdated by 231 days. I will proceed as indicated.


Edited by Rangio, 22 November 2013 - 05:50 AM.


#12 Rangio

  • Topic Starter
  • Members
  • 15 posts

Posted 22 November 2013 - 05:46 AM

Here is the Script-Combofix Log. I had to restore the system to the restore point Combofix created since after the second run the internet connection stopped working and I was not able to fix it. Here is the second log.

ComboFix 13-11-22.01 - User 22/11/2013  11:15:44.2.4 - x86
Microsoft Windows 7 Professional   6.1.7600.0.1252.39.1040.18.3062.2040 [GMT 1:00]
Eseguito da: c:\users\User\Desktop\ComboFix.exe
Opzioni usate :: c:\users\User\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Outdated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Outdated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
file zipped: c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xe.vbs
.
.
(((((((((((((((((((((((((   Files Creati Da 2013-10-22 al 2013-11-22  )))))))))))))))))))))))))))))))))))
.
.
2013-11-22 10:23 . 2013-11-22 10:23    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-11-22 09:44 . 2012-08-30 08:17    6980552    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C1FA6EE3-E6D6-42D6-91C7-9FE4F30AF867}\mpengine.dll
2013-11-22 09:38 . 2013-11-22 10:26    --------    d-----w-    c:\users\User\AppData\Local\temp
2013-11-19 16:56 . 2013-11-19 16:57    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-11-19 16:56 . 2013-04-04 13:50    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-11-18 20:19 . 2013-11-18 20:23    --------    d-----w-    C:\AdwCleaner
2013-11-18 20:18 . 2013-11-18 20:18    --------    d-----w-    C:\TDSSKiller_Quarantine
2013-11-18 20:05 . 2013-11-18 20:05    --------    d-----w-    c:\program files\ESET
2013-11-18 16:57 . 2013-11-18 16:58    --------    d-----w-    c:\program files\Defraggler
2013-11-18 16:35 . 2009-06-30 09:37    28552    ----a-w-    c:\windows\system32\drivers\pavboot.sys
2013-11-18 16:35 . 2013-11-18 16:35    --------    d-----w-    c:\program files\Panda Security
2013-11-18 16:30 . 2013-11-18 16:30    --------    d-----w-    c:\users\User\AppData\Roaming\QuickScan
2013-11-15 15:57 . 2013-11-15 15:57    --------    d-----w-    c:\users\User\AppData\Roaming\Malwarebytes
2013-11-15 15:37 . 2013-11-15 15:37    403440    ----a-w-    c:\windows\system32\drivers\kiedsgrf.sys
2013-11-15 15:37 . 2013-11-15 15:37    --------    d-----w-    c:\programdata\Malwarebytes
2013-11-15 15:36 . 2013-11-15 15:36    --------    d-----w-    c:\users\User\AppData\Local\Programs
2013-11-15 15:30 . 2013-11-15 15:30    --------    d-----w-    c:\program files\AVAST Software
2013-11-15 15:26 . 2013-11-15 15:27    --------    d-----w-    c:\programdata\AVAST Software
2013-11-15 13:45 . 2013-10-03 09:43    193824    -c----w-    c:\programdata\Microsoft\Windows\WER\ReportQueue\Critical_Microsoft Antima_9fcf27d215b361b979fc74236deb3fda02cc4_cab_065eff10\maintenanceservice_installer.exe
2013-10-24 11:21 . 2013-08-17 19:20    144484    --sha-w-    c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xe.vbs
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((   Punti Reg Caricati   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-06-24 1840424]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2010-05-20 36864]
"IAStorIcon"="c:\program files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-09-13 283160]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-06-08 2221352]
"NUSB3MON"="c:\program files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-04-27 113288]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-12 421736]
"NBAgent"="c:\program files\Nero\Nero 11\Nero BackItUp\NBAgent.exe" [2011-09-20 1493288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Ritaglio schermata e avvio di OneNote 2007.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2006-10-26 98632]
xe.vbs [2013-8-17 144484]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\DRIVERS\asmthub3.sys [2010-11-15 95208]
R3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\DRIVERS\asmtxhci.sys [2010-11-15 288744]
R3 CFcatchme;CFcatchme;c:\users\User\AppData\Local\Temp\CFcatchme.sys [x]
R3 kiedsgrf;kiedsgrf;kiedsgrf.sys [x]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-24 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-24 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
R3 WatAdminSvc;Servizio Windows Activation Technologies;c:\windows\system32\Wat\WatAdminSvc.exe [2011-03-08 1343400]
S0 NBVol;Nero Backup Volume Filter Driver;c:\windows\system32\DRIVERS\NBVol.sys [2011-07-13 56496]
S0 NBVolUp;Nero Backup Volume Upper Filter Driver;c:\windows\system32\DRIVERS\NBVolUp.sys [2011-07-13 12464]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-09-13 13336]
S2 NAUpdate;Nero Update;c:\program files\Nero\Update\NASvc.exe [2011-09-23 641832]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2010-10-26 322664]
.
.
--- Altri Servizi/Drivers In Memoria ---
.
*NewlyCreated* - WS2IFSL
.
Contenuto della cartella 'Scheduled Tasks'
.
2013-11-22 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-16 09:48]
.
2013-11-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-741938975-2718806232-1626271789-1000Core.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-11 19:21]
.
2013-11-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-741938975-2718806232-1626271789-1000UA.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-11 19:21]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = 150.217.*;*.unifi.it
uInternet Settings,ProxyServer = proxy-auth.unifi.it:8888
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.10.31.100 10.10.31.101 10.10.31.193
FF - ProfilePath - c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\uejir3vd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.it/
FF - prefs.js: network.proxy.http - http://proxy2k3.aou-careggi.toscana.it:8080/careggiproxy.pac
FF - prefs.js: network.proxy.http_port - 8888
FF - prefs.js: network.proxy.type - 2
FF - ExtSQL: 2013-11-18 17:30; {e001c731-5e37-4538-a5cb-8168736a2360}; c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\uejir3vd.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
.
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------
.
- - - - - - - > 'Explorer.exe'(2804)
c:\windows\System32\ieframe.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\system32\taskhost.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\sppsvc.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Ora fine scansione: 2013-11-22  11:30:10 - Il pc è stato riavviato
ComboFix-quarantined-files.txt  2013-11-22 10:30
ComboFix2.txt  2013-11-22 09:38
.
Pre-Run: 460.398.960.640 byte disponibili
Post-Run: 460.348.583.936 byte disponibili
.
- - End Of File - - 518EB70DD26B6E659629AEDCFAC706CA
A36C5E4F47E84449FF07ED3517B43A31

Edited by Rangio, 22 November 2013 - 06:44 AM.


#13 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 22 November 2013 - 06:50 AM

Please upload the zipped file here: http://www.bleepingcomputer.com/submit-malware.php?channel=156



#14 Rangio

  • Topic Starter
  • Members
  • 15 posts

Posted 22 November 2013 - 07:04 AM

Thank you. I have just submitted the file. I found the first MBAM log as well (it was a quick scan I performed). Hope this helps, here it is:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.04.04.07

Windows 7 x86 NTFS
Internet Explorer 8.0.7600.16385
User :: USER-PC [administrator]

18/11/2013 16:38:13
mbam-log-2013-11-18 (16-38-13).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 203069
Time elapsed: 27 minute(s), 52 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 15
HKCR\CLSID\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKCR\TypeLib\{BB7256DD-EBA9-480B-8441-A00388C2BEC3} (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKCR\Interface\{3D782BB2-F2A5-11D3-BF4C-000000000000} (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKCR\MyNewsBarLauncher.IE5BarLauncherBHO.1 (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKCR\MyNewsBarLauncher.IE5BarLauncherBHO (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKCR\CLSID\{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKCR\MyNewsBarLauncher.IE5BarLauncher.1 (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKCR\MyNewsBarLauncher.IE5BarLauncher (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) -> Quarantined and deleted successfully.

Registry Values Detected: 4
HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser|{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) -> Data: ;áÃzÊ;XA³0öm»Áµ -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) -> Data: VShareTB -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) -> Data:  -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) -> Data:  -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Program Files\vShare.tv plugin\BarLcher.dll (PUP.VShareRedir) -> Quarantined and deleted successfully.

(end)

The MBAM scan I have just performed with the outdated version returned this log (I am sorry it is in Italian, I forgot to change the language to English):

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Versione database: v2013.04.04.07

Windows 7 x86 NTFS
Internet Explorer 8.0.7600.16385
User :: USER-PC [amministratore]

22/11/2013 11:50:26
mbam-log-2013-11-22 (11-50-26).txt

Tipo di scansione: Scansione completa (C:\|D:\|)
Opzioni di scansione attive: Memoria | Esecuzione automatica | Registro | File di sistema | Euristica/Extra | Euristica/Shuriken | PUP | PUM
Opzioni di scansione disattivate: P2P
Elementi esaminati: 286090
Tempo impiegato: 1 ore, 7 minuti, 38 secondi

Processi rilevati in memoria: 0
(non sono stati rilevati elementi nocivi)

Moduli di memoria rilevati: 0
(non sono stati rilevati elementi nocivi)

Chiavi di registro rilevate: 0
(non sono stati rilevati elementi nocivi)

Valori di registro rilevati: 0
(non sono stati rilevati elementi nocivi)

Voci rilevate nei dati di registro: 0
(non sono stati rilevati elementi nocivi)

Cartelle rilevate: 0
(non sono stati rilevati elementi nocivi)

File rilevati: 0
(non sono stati rilevati elementi nocivi)

(fine)

Edited by Rangio, 22 November 2013 - 07:11 AM.

#15 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 22 November 2013 - 07:20 AM

Disable your system proxy settings, then try again to update Malwarebytes.

