Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Eset keeps detecting malware


  • This topic is locked This topic is locked
7 replies to this topic

#1 mehrab2603

mehrab2603

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:48 PM

Posted 11 February 2014 - 05:48 AM

Hi, I've recently noticed that Eset has been detecting and cleaning various malware like Boaxxe.BE(mostly), Redyms.AF trojan (a lot), Generik.JBLMHHA trojan, Kryptik.BTQZ trojan, Injector.AWSZ trojan, Injector.AWJT trojan etc. The detections are irregular. Sometimes it can go on without detecting anything for days, other times it detects stuff several times a day. I have been trying to get to the root of the problem following instructions in this thread, and finally I've been instructed to follow the prep. guide and post my problem here.

I tried to run DDS but got this message, so couldn't get any logs.

2dsh2mg.png

Please help.

Edit: Ran it as admin, which produced the logs.

dds.txt
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.16384
Run by Mehrab at 17:00:34 on 2014-02-11
Microsoft Windows 8.1 Pro 6.3.9600.0.1252.1.1033.18.8078.6090 [GMT 6:00]
.
AV: ESET Smart Security 7.0 *Enabled/Updated* {19259FAE-8396-A113-46DB-15B0E7DFA289}
AV: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: ESET Smart Security 7.0 *Enabled/Updated* {A2447E4A-A5AC-AE9D-7C6B-2EC29C58E834}
FW: ESET Personal firewall *Enabled* {211E1E8B-C9F9-A04B-6D84-BC85190CE5F2}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k RPCSS
C:\WINDOWS\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\System32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork
C:\WINDOWS\system32\dashost.exe
C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\SysWOW64\vmnat.exe
C:\WINDOWS\SysWOW64\vmnetdhcp.exe
C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\taskeng.exe
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe
C:\Program Files (x86)\Google\Update\1.3.22.3\GoogleCrashHandler.exe
C:\Program Files (x86)\Google\Update\1.3.22.3\GoogleCrashHandler64.exe
C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\System32\LogonUI.exe
C:\WINDOWS\System32\dwm.exe
C:\WINDOWS\System32\LogonUI.exe
C:\WINDOWS\System32\dwm.exe
C:\WINDOWS\System32\dwm.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\WINDOWS\system32\nvvsvc.exe
C:\WINDOWS\system32\taskhostex.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\WINDOWS\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = userinit.exe,
BHO: IDM integration (IDMIEHlprObj Class): {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll
BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
mRun: [vmware-tray] C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe
mRun: [vmware-tray.exe] "C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: PromptOnSecureDesktop = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: SoftwareSASGeneration = dword:1
IE: ??????(S&martGet) - <no file>
IE: ????Smart&Get?? - <no file>
IE: ??S&martGet?? - <no file>
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~1\Office15\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~1\MICROS~1\Office15\ONBttnIE.dll/105
IE: ??????(S&martGet) - <no file>
IE: ??S&martGet?? - <no file>
IE: ????Smart&Get?? - <no file>
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office15\ONBttnIE.dll
IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office15\ONBttnIELinkedNotes.dll
IE: {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files (x86)\Fiddler2\Fiddler.exe"
LSP: %windir%\system32\vsocklib.dll
TCP: NameServer = 8.8.8.8 8.8.4.4
TCP: Interfaces\{B916A8C4-CFAF-4C97-BDF7-7C1C9E240E95} : DHCPNameServer = 8.8.8.8 8.8.4.4
Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE15\MSOXMLMF.DLL
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files (x86)\Microsoft Office\Office15\MSOSB.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\32.0.1700.107\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office\Office15\OCHelper.dll
x64-BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [IgfxTray] "C:\WINDOWS\System32\igfxtray.exe"
x64-Run: [HotKeysCmds] "C:\WINDOWS\System32\hkcmd.exe"
x64-Run: [Persistence] "C:\WINDOWS\System32\igfxpers.exe"
x64-Run: [Nvtmru] "C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe"
x64-Run: [tvncontrol] "C:\Program Files\TightVNC\tvnserver.exe" -controlservice -slave
x64-Run: [ShadowPlay] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\nvspcap64.dll,ShadowPlayOnSystemStart
x64-Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
x64-Run: [NvBackend] "C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe"
x64-mPolicies-System: PromptOnSecureDesktop = dword:0
x64-mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
x64-mPolicies-System: SoftwareSASGeneration = dword:1
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office15\ONBttnIE.dll
x64-IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office\Office15\OCHelper.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office15\ONBttnIELinkedNotes.dll
x64-IE: {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files (x86)\Fiddler2\Fiddler.exe"
x64-Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE15\MSOXMLMF.DLL
x64-Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
x64-mASetup: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - /UserInstall
x64-mASetup: {89820200-ECBD-11cf-8B85-00AA005B4340} - U
.
============= SERVICES / DRIVERS ===============
.
R0 AsrRamDisk;AsrRamDisk;C:\WINDOWS\System32\drivers\AsrRamDisk.sys [2013-5-23 31016]
R0 edevmon;edevmon;C:\WINDOWS\System32\drivers\edevmon.sys [2013-9-17 239296]
R0 epfwwfp;epfwwfp;C:\WINDOWS\System32\drivers\epfwwfp.sys [2013-9-17 62136]
R0 intelpep;Intel® Power Engine Plug-in Driver;C:\WINDOWS\System32\drivers\intelpep.sys [2013-12-11 39768]
R0 vsock;vSockets Driver;C:\WINDOWS\System32\drivers\vsock.sys [2013-11-13 70256]
R1 ahcache;Application Compatibility Cache;C:\WINDOWS\System32\drivers\ahcache.sys [2013-8-22 76800]
R1 eamonm;eamonm;C:\WINDOWS\System32\drivers\eamonm.sys [2013-9-17 239320]
R1 EpfwLWF;Epfw NDIS LightWeight Filter;C:\WINDOWS\System32\drivers\EpfwLWF.sys [2013-9-17 44120]
R2 ekrn;ESET Service;C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe [2013-9-12 1337752]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2013-11-23 414496]
R2 VMUSBArbService;VMware USB Arbitration Service;C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe [2012-8-1 917656]
R2 VMwareHostd;VMware Workstation Server;C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe [2012-8-15 15680000]
R3 ISCT;Intel® Smart Connect Technology Device Driver;C:\WINDOWS\System32\drivers\ISCTD64.sys [2013-1-19 46568]
R3 iwdbus;IWD Bus Enumerator;C:\WINDOWS\System32\drivers\iwdbus.sys [2013-9-30 27032]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\WINDOWS\System32\drivers\k57nd60a.sys [2013-8-22 425984]
R3 MBfilt;MBfilt;C:\WINDOWS\System32\drivers\MBfilt64.sys [2012-12-3 32344]
R3 NcbService;Network Connection Broker;C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted [2013-8-22 37768]
R3 NdisVirtualBus;Microsoft Virtual Network Adapter Enumerator;C:\WINDOWS\System32\drivers\NdisVirtualBus.sys [2013-8-22 16384]
R3 nvvad_WaveExtensible;NVIDIA Virtual Audio Device (Wave Extensible) (WDM);C:\WINDOWS\System32\drivers\nvvad64v.sys [2014-1-22 39200]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-9-5 171680]
S3 ADP80XX;ADP80XX;C:\WINDOWS\System32\drivers\adp80xx.sys [2013-8-22 782176]
S3 amdkmafd;AMD Audio Bus Lower Filter;C:\WINDOWS\System32\drivers\amdkmafd.sys [2012-9-23 21160]
S3 AppReadiness;App Readiness;C:\WINDOWS\System32\svchost.exe -k AppReadiness [2013-8-22 37768]
S3 AppXSvc;AppX Deployment Service (AppXSVC);C:\WINDOWS\System32\svchost.exe -k wsappx [2013-8-22 37768]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\WINDOWS\System32\drivers\AtihdW86.sys [2013-4-23 98744]
S3 bcmfn2;bcmfn2 Service;C:\WINDOWS\System32\drivers\bcmfn2.sys [2013-8-22 17624]
S3 CodeMeter.exe;CodeMeter Runtime Server;C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe --> C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe [?]
S3 iaLPSSi_GPIO;Intel® Serial IO GPIO Controller Driver;C:\WINDOWS\System32\drivers\iaLPSSi_GPIO.sys [2013-8-22 24568]
S3 iaLPSSi_I2C;Intel® Serial IO I2C Controller Driver;C:\WINDOWS\System32\drivers\iaLPSSi_I2C.sys [2013-8-22 99320]
S3 iaStorAV;Intel® SATA RAID Controller Windows;C:\WINDOWS\System32\drivers\iaStorAV.sys [2013-8-22 651248]
S3 IDMWFP;IDMWFP;C:\WINDOWS\System32\drivers\idmwfp.sys [2013-4-30 166576]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\WINDOWS\System32\ieetwcollector.exe [2013-11-28 111616]
S3 intaud_WaveExtensible;Intel WiDi Audio Device;C:\WINDOWS\System32\drivers\intelaud.sys [2013-9-30 39320]
S3 kbldfltr;kbldfltr;C:\WINDOWS\System32\drivers\kbldfltr.sys [2013-9-30 22272]
S3 lfsvc;Windows Location Framework Service;C:\WINDOWS\System32\svchost.exe -k netsvcs [2013-8-22 37768]
S3 LSI_SAS3;LSI_SAS3;C:\WINDOWS\System32\drivers\lsi_sas3.sys [2013-8-22 81760]
S3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;C:\WINDOWS\System32\drivers\MijXfilt.sys [2012-12-23 121416]
S3 netvsc;netvsc;C:\WINDOWS\System32\drivers\netvsc63.sys [2013-8-22 87040]
S3 NvNetworkService;NVIDIA Network Service;C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [2014-1-22 1494304]
S3 NvStreamSvc;NVIDIA Streamer Service;C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [2013-10-18 15129376]
S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE [2012-10-1 178824]
S3 ReFS;ReFS;C:\WINDOWS\System32\drivers\refs.sys [2013-8-22 924512]
S3 ScDeviceEnum;Smart Card Device Enumeration Service;C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted [2013-8-22 37768]
S3 SerCx2;Serial UART Support Library;C:\WINDOWS\System32\drivers\SerCx2.sys [2013-12-11 146776]
S3 smphost;Microsoft Storage Spaces SMP;C:\WINDOWS\System32\svchost.exe -k smphost [2013-8-22 37768]
S3 stornvme;Microsoft Standard NVM Express Driver;C:\WINDOWS\System32\drivers\stornvme.sys [2013-11-28 57176]
S3 tapSF0901;Spotflux TAP Device Driver;C:\WINDOWS\System32\drivers\tapSF0901.sys [2013-1-25 38664]
S3 tvnserver;TightVNC Server;C:\Program Files\TightVNC\tvnserver.exe [2013-7-19 2179056]
S3 UEFI;Microsoft UEFI Driver;C:\WINDOWS\System32\drivers\uefi.sys [2013-8-22 26976]
S3 vmbusr;Virtual Machine Bus Provider;C:\WINDOWS\System32\drivers\vmbusr.sys [2013-9-30 129536]
S3 vmicguestinterface;Hyper-V Guest Service Interface;C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted [2013-8-22 37768]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\WINDOWS\System32\drivers\wdcsam64.sys [2012-9-6 14464]
S3 WdNisDrv;Windows Defender Network Inspection System Driver;C:\WINDOWS\System32\drivers\WdNisDrv.sys [2013-8-22 124256]
S3 WdNisSvc;Windows Defender Network Inspection Service;C:\Program Files\Windows Defender\NisSrv.exe [2013-8-22 346872]
S3 WEPHOSTSVC;Windows Encryption Provider Host Service;C:\WINDOWS\System32\svchost.exe -k WepHostSvcGroup [2013-8-22 37768]
S3 workfolderssvc;Work Folders;C:\WINDOWS\System32\svchost.exe -k LocalService [2013-8-22 37768]
S3 WUDFWpdComp;WUDFWpdComp;C:\WINDOWS\System32\drivers\WUDFRd.sys [2013-8-22 230912]
S3 WUDFWpdMtp;WUDFWpdMtp;C:\WINDOWS\System32\drivers\WUDFRd.sys [2013-8-22 230912]
S4 MsKeyboardFilter;Microsoft Keyboard Filter;C:\WINDOWS\System32\svchost.exe -k netsvcs [2013-8-22 37768]
.
=============== Created Last 30 ================
.
2014-02-07 16:05:42 108968 ----a-w- C:\WINDOWS\System32\WindowsAccessBridge-64.dll
2014-02-07 15:59:26 96168 ----a-w- C:\WINDOWS\SysWow64\WindowsAccessBridge-32.dll
2014-02-07 04:48:48 -------- d-----w- C:\WINDOWS\ERUNT
2014-02-07 04:42:52 -------- d-----w- C:\AdwCleaner
2014-02-06 06:13:32 119000 ----a-w- C:\WINDOWS\System32\drivers\MBAMSwissArmy.sys
2014-02-06 06:13:32 -------- d-----w- C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-02-06 06:11:42 91352 ----a-w- C:\WINDOWS\System32\drivers\mbamchameleon.sys
2014-01-22 00:39:31 -------- d-----w- C:\Users\Mehrab\AppData\Local\NVIDIA Corporation
2014-01-22 00:38:26 39200 ----a-w- C:\WINDOWS\System32\drivers\nvvad64v.sys
2014-01-22 00:38:26 35104 ----a-w- C:\WINDOWS\System32\nvaudcap64v.dll
2014-01-22 00:38:26 32544 ----a-w- C:\WINDOWS\SysWow64\nvaudcap32v.dll
2014-01-21 23:50:24 -------- d-----w- C:\Users\Mehrab\AppData\Roaming\QuickScan
2014-01-21 23:41:03 848384 ----a-w- C:\WINDOWS\System32\WSShared.dll
2014-01-21 23:41:03 84480 ----a-w- C:\WINDOWS\System32\WSCollect.exe
2014-01-21 23:41:03 695808 ----a-w- C:\WINDOWS\SysWow64\WSShared.dll
2014-01-21 23:41:03 3395920 ----a-w- C:\WINDOWS\System32\WSService.dll
2014-01-21 23:41:03 249856 ----a-w- C:\WINDOWS\System32\Windows.ApplicationModel.Store.TestingFramework.dll
2014-01-21 23:41:03 206336 ----a-w- C:\WINDOWS\System32\WSClient.dll
2014-01-21 23:41:03 189952 ----a-w- C:\WINDOWS\SysWow64\Windows.ApplicationModel.Store.TestingFramework.dll
2014-01-21 23:41:03 174592 ----a-w- C:\WINDOWS\SysWow64\WSClient.dll
2014-01-21 23:41:03 138240 ----a-w- C:\WINDOWS\System32\OEMLicense.dll
2014-01-21 23:41:03 103936 ----a-w- C:\WINDOWS\SysWow64\OEMLicense.dll
2014-01-21 23:39:16 787968 ----a-w- C:\WINDOWS\System32\uDWM.dll
.
==================== Find3M ====================
.
2014-01-30 20:47:26 693240 ----a-w- C:\WINDOWS\SysWow64\FlashPlayerApp.exe
2014-01-30 20:47:26 105464 ----a-w- C:\WINDOWS\SysWow64\FlashPlayerCPLApp.cpl
2013-12-10 02:13:11 982232 ----a-w- C:\WINDOWS\SysWow64\nvspcap.dll
2013-12-10 02:13:01 1100248 ----a-w- C:\WINDOWS\System32\nvspcap64.dll
2013-12-03 12:18:18 112640 ----a-w- C:\WINDOWS\SysWow64\ff_vfw.dll
2013-12-03 12:17:04 47616 ----a-w- C:\WINDOWS\SysWow64\ff_acm.acm
2013-11-28 14:46:31 2724864 ----a-w- C:\WINDOWS\SysWow64\mshtml.tlb
2013-11-28 14:46:28 2724864 ----a-w- C:\WINDOWS\System32\mshtml.tlb
2013-11-26 08:35:02 5769216 ----a-w- C:\WINDOWS\System32\jscript9.dll
2013-11-26 08:16:12 4243968 ----a-w- C:\WINDOWS\SysWow64\jscript9.dll
2013-11-26 08:02:16 1995264 ----a-w- C:\WINDOWS\System32\inetcpl.cpl
2013-11-26 07:32:06 1928192 ----a-w- C:\WINDOWS\SysWow64\inetcpl.cpl
2013-11-26 07:07:57 2334208 ----a-w- C:\WINDOWS\System32\wininet.dll
2013-11-26 06:33:33 1820160 ----a-w- C:\WINDOWS\SysWow64\wininet.dll
2013-11-23 17:42:12 6674208 ----a-w- C:\WINDOWS\System32\nvcpl.dll
2013-11-23 17:42:12 3490080 ----a-w- C:\WINDOWS\System32\nvsvc64.dll
2013-11-23 17:42:10 922912 ----a-w- C:\WINDOWS\System32\nvvsvc.exe
2013-11-23 17:42:10 63776 ----a-w- C:\WINDOWS\System32\nvshext.dll
2013-11-23 17:42:10 219424 ----a-w- C:\WINDOWS\System32\nvmctray.dll
2013-11-23 06:18:38 590112 ----a-w- C:\WINDOWS\SysWow64\nvStreaming.exe
2013-11-23 04:34:43 393216 ----a-w- C:\WINDOWS\System32\WMPhoto.dll
2013-11-23 04:13:51 348160 ----a-w- C:\WINDOWS\SysWow64\WMPhoto.dll
2013-11-23 03:32:09 4105728 ----a-w- C:\WINDOWS\System32\SyncEngine.dll
2013-11-23 03:10:49 568832 ----a-w- C:\WINDOWS\System32\SkyDrive.exe
2013-11-22 16:28:31 3498475 ----a-w- C:\WINDOWS\System32\nvcoproc.bin
2013-11-14 23:03:13 1355776 ----a-w- C:\WINDOWS\SysWow64\MSVBVM50.DLL
2013-11-14 23:02:45 1355776 ----a-w- C:\WINDOWS\System32\MSVBVM50.DLL
.
============= FINISH: 17:01:15.87 ===============

Attached Files


Edited by mehrab2603, 11 February 2014 - 06:06 AM.


BC AdBot (Login to Remove)

 


m

#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:48 AM

Posted 11 February 2014 - 07:09 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

 

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )
  • Leave everything else as it is.
  • Close all other running programs as well as your Browser.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 mehrab2603

mehrab2603
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:48 PM

Posted 11 February 2014 - 07:28 AM

GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-02-11 18:27:21
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000031 Hitachi_HDS5C3020ALA632 rev.ML6OAA10 1863.02GB
Running: qxex4eu2.exe; Driver: C:\Users\Mehrab\AppData\Local\Temp\fwddypoc.sys


---- Threads - GMER 2.1 ----

Thread System [4:1052] ffffe000048934b0
Thread C:\WINDOWS\system32\csrss.exe [4020:652] fffff960008694d0
Thread [164:6008] 00007fffeb0ba4a4
Thread [164:1416] 00007fffeb07b5c0
Thread [164:4900] 00007fffeb07b5c0
Thread [164:5480] 00007fffe9958530
Thread [164:2684] 00007fffeb07b5c0
Thread [164:4992] 00007fffeb07b5c0
Thread [164:1140] 00007fffeb07b5c0
Thread [164:2364] 00007fffeb07b5c0
Thread [164:5428] 00007fffe9cdd304
Thread [164:4008] 00007fffdfce4b30
Thread [164:2680] 00007fffeb07b5c0
Thread [164:3184] 00007fffdfce4b30
Thread [164:4604] 00007fffe1b480ac
---- Processes - GMER 2.1 ----

Library C:\ProgramData\Microsoft\BingDesktop\BingCore\BingDesktopOverlays.dll (*** suspicious ***) @ C:\WINDOWS\Explorer.EXE [2552] (Online files icon's overlay/Microsoft)(2013-12-31 20:26:31) 00007fffda220000
Library C:\ProgramData\Microsoft\BingDesktop\BingCore\BingDesktopCore.dll (*** suspicious ***) @ C:\WINDOWS\Explorer.EXE [2552](2013-12-31 20:26:31) 00007fffd8450000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\DEL407E7JNY535R552S_16_07DD_C5^C9CA8ACE004FBABFBEF2C7DC33E64674@Timestamp 0x55 0x8E 0xAC 0x12 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{892C3A3D-D6FC-41A6-A1A4-075FE9771AA9}\Connection@Name isatap.{C5DC7776-E496-4188-8FDC-29296198DF57}
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{DAB23CC0-D113-4707-84F1-DFFF5DA10A49}\Connection@Name isatap.{B916A8C4-CFAF-4C97-BDF7-7C1C9E240E95}
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed 164432295
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 12180
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime 11291
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TotalResumeTime 17681
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeAppTime 824
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeAppStartTimestamp 12688
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeHiberFileTime 521
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeRestoreImageStartTimestamp 12987
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeIoTime 360
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeDecompressTime 162
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeKernelSwitchTimestamp 13512
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnFromHandlerTimestamp 13597
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@SleeperThreadEndTimestamp 17102
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TimeStampCounterAtSwitchTime 13591
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnSystemPowerState 17526
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberHiberFileTime 3954
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberInitTime 36
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TotalHibernateTime 8718
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeHiberFileTime 3499
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@DeviceResumeTime 409
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelPagesProcessed 330064
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelPagesWritten 0x60 0xCE 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@BootPagesProcessed 31144
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@BootPagesWritten 0x06 0x40 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberWriteRate 133
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeDecompressRate 118
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeIoCpuTime 3308
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberIoCpuTime 744
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HybridBootAnimationTime 3518
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeCompleteTimestamp 0xA6 0xB9 0x58 0x0E ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@GlassSessionId 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{892C3A3D-D6FC-41A6-A1A4-075FE9771AA9}@InterfaceName isatap.{C5DC7776-E496-4188-8FDC-29296198DF57}
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{892C3A3D-D6FC-41A6-A1A4-075FE9771AA9}@DefunctTimestamp 0x21 0xBC 0xF8 0x52 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{DAB23CC0-D113-4707-84F1-DFFF5DA10A49}@InterfaceName isatap.{B916A8C4-CFAF-4C97-BDF7-7C1C9E240E95}
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{DAB23CC0-D113-4707-84F1-DFFF5DA10A49}@DefunctTimestamp 0x16 0xF7 0xF9 0x52 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 4084
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 839
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B916A8C4-CFAF-4C97-BDF7-7C1C9E240E95}@LeaseObtainedTime 1392113431
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B916A8C4-CFAF-4C97-BDF7-7C1C9E240E95}@T1 -755370218
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B916A8C4-CFAF-4C97-BDF7-7C1C9E240E95}@T2 1928984342
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF}\iexplore@Count 3384

---- EOF - GMER 2.1 ----

#4 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:48 AM

Posted 11 February 2014 - 11:13 AM

You told us that you removed several items with Malwarebytes´ Antimalware. This tool creates a log on every run and we need to see them.


  • The logs can be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Zip any and all of these logs and attach the file to your next reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#5 mehrab2603

mehrab2603
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:48 PM

Posted 11 February 2014 - 11:26 AM

MBAM logs provided.

Attached Files



#6 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:48 AM

Posted 11 February 2014 - 11:32 AM

Your logs show obvious signs of having cracked software on your system. This is the main reason your computer is infected. Visiting cracksites/warezsites - and other questionable/illegal sites is always a risk.

Even a single click on the site can drop multiple forms of very serious malware, many of which disable your onboard protection, and System Restore.

If you install the cracked software, you are running executable files from these dubious, unknown sources. You are in effect giving these sources access to information on your hard disk, and potential control over the operation of your computer.

Additionally, cracked programs are illegal. Referring to the Forum Rules which you should have read at the time of Registering at this forum, this forum does not support illegal activity. As such, be advised that any request for assistance in removing malware may go unanswered, or may be discontinued, if the cracked (illegal) software is still present on the machine

Having said that we can help you clean your machine this time BUT this would be a ONCE ONLY offer on the understanding that all cracks are removed. This would apply not only here but at many other Malware Support forums if you were to appear again with cracks onboard, as many of us analysts work at multiple support sites. Please remove all cracked software and illegally obtained copyrighted material you have on the system so we may continue with the clean up.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#7 mehrab2603

mehrab2603
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:48 PM

Posted 11 February 2014 - 11:53 AM

Sorry for all the trouble and thanks for everything.

#8 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:48 AM

Posted 11 February 2014 - 11:57 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users