Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Locked file folder on external hd - looks suspicious


  • This topic is locked This topic is locked
47 replies to this topic

#1 Ghoul Slayer

Ghoul Slayer

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:03:37 PM

Posted 14 February 2014 - 05:14 AM

Hello,

It looks like I've been hacked. I have a file folder that was created two days ago on one of my external drives and it's locked by SYSTEM. I've already ran AVG and Malwarebytes but neither of them sees it as a threat. I know this folder doesn't belong there because I didn't create it and no one else is supposed to have access to my computer. It's filled with all sorts of executable files and nasty looking things. I had to unlock the folder to look inside it but that's as far as I was capable of going. The name of the folder is: 6d97371090ee84b8100fe3e5997d About a week ago, about 4 or 5 similar looking folders appeared on that same hd. I deleted the folders then. I can't do that with this one and I'm afraid that there's a lot more to this problem than just deleting a folder will solve.

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.16518  BrowserJavaVersion: 10.13.2
Run by SSDemonic at 4:53:57 on 2014-02-14
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.6143.3506 [GMT -5:00]
.
AV: AVG AntiVirus Free Edition 2014 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG AntiVirus Free Edition 2014 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG2014\avgrsa.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe
C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe
C:\Program Files (x86)\Maxtor\Sync\SyncServices.exe
H:\Prgms\Malwarebytes' Anti-Malware\mbamscheduler.exe
H:\Prgms\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\17.3.0\ToolbarUpdater.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\17.3.0\loggingserver.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe
C:\Program Files (x86)\AVG\AVG2014\avgemca.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe
C:\Windows\system32\taskhost.exe
H:\Prgms\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\Pixart\Pac7302\Monitor.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\AVG Secure Search\vprot.exe
C:\Program Files (x86)\AVG\AVG2014\avgui.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\TrueCrypt\TrueCrypt.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://store.thesims3.com/
uURLSearchHooks: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - <orphaned>
mWinlogon: Userinit = userinit.exe,
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\17.3.0.49\AVG Secure Search_toolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: <No Name>: {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - LocalServer32 - <no file>
TB: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\17.3.0.49\AVG Secure Search_toolbar.dll
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [amd_dc_opt] C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe
mRun: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe"
mRun: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2014\avgui.exe" /TRAYONLY
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{38C15BAE-C61A-473E-9FFC-93C15E27926A} : DHCPNameServer = 8.8.8.8 8.8.4.4
TCP: Interfaces\{C0C2D301-6EC8-4DC6-874B-D669039EC75C} : DHCPNameServer = 192.168.1.254
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - <orphaned>
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\17.3.0\ViProtocol.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-Run: [PAC7302_Monitor] C:\Windows\PixArt\PAC7302\Monitor.exe
x64-Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
x64-Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - <orphaned>
x64-Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\SSDemonic\AppData\Roaming\Mozilla\Firefox\Profiles\1iwg4san.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: keyword.URL -
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\17.3.0\npsitesafety.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\SSDemonic\AppData\Local\DIRECTV Player\npPlayerPlugin.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_44.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.funmoods.hmpg - false
FF - user.js: extensions.funmoods.hmpgUrl - hxxp://searchfunmoods.com/?f=1&a=download&chnl=download&cd=2XzuyEtN2Y1L1QzutDtDtBtCzzyDyC0EyC0FyC0CyEtBtAzztN0D0Tzu0CtBzyzztN1L2XzutBtFtBtFtDtFtAyEyE&cr=1010704821
FF - user.js: extensions.funmoods.dfltSrch - true
FF - user.js: extensions.funmoods.srchPrvdr - Search
FF - user.js: extensions.funmoods.dnsErr - true
FF - user.js: extensions.funmoods_i.newTab - false
FF - user.js: extensions.funmoods.newTabUrl - hxxp://searchfunmoods.com/?f=2&a=download&chnl=download&cd=2XzuyEtN2Y1L1QzutDtDtBtCzzyDyC0EyC0FyC0CyEtBtAzztN0D0Tzu0CtBzyzztN1L2XzutBtFtBtFtDtFtAyEyE&cr=1010704821
FF - user.js: extensions.funmoods.tlbrSrchUrl - hxxp://searchfunmoods.com/?f=3&a=download&chnl=download&cd=2XzuyEtN2Y1L1QzutDtDtBtCzzyDyC0EyC0FyC0CyEtBtAzztN0D0Tzu0CtBzyzztN1L2XzutBtFtBtFtDtFtAyEyE&cr=1010704821&q=
FF - user.js: extensions.funmoods.id - 0021856E6F6C4238
FF - user.js: extensions.funmoods.instlDay - 15637
FF - user.js: extensions.funmoods.vrsn - 1.5.23.22
FF - user.js: extensions.funmoods.vrsni - 1.5.23.22
FF - user.js: extensions.funmoods_i.vrsnTs - 1.5.23.2220:41:19
FF - user.js: extensions.funmoods.prtnrId - funmoods
FF - user.js: extensions.funmoods.prdct - funmoods
FF - user.js: extensions.funmoods.aflt - download
FF - user.js: extensions.funmoods_i.smplGrp - none
FF - user.js: extensions.funmoods.tlbrId - base
FF - user.js: extensions.funmoods.instlRef - download
FF - user.js: extensions.funmoods.dfltLng -
FF - user.js: extensions.funmoods.excTlbr - true
FF - user.js: extensions.funmoods.autoRvrt - false
FF - user.js: extensions.funmoods.envrmnt - production
FF - user.js: extensions.funmoods.isdcmntcmplt - true
FF - user.js: extensions.funmoods.mntrvrsn - 1.3.0
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHA;AVGIDSHA;C:\Windows\System32\drivers\avgidsha.sys [2013-10-24 194872]
R0 Avgloga;AVG Logging Driver;C:\Windows\System32\drivers\avgloga.sys [2013-10-31 294712]
R0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\drivers\avgmfx64.sys [2013-10-1 123704]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2013-9-10 31544]
R1 Avgdiska;AVG Disk Driver;C:\Windows\System32\drivers\avgdiska.sys [2013-11-5 150808]
R1 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\drivers\avgidsdrivera.sys [2013-11-4 240920]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\drivers\avgldx64.sys [2013-10-31 212280]
R1 Avgtdia;AVG TDI Driver;C:\Windows\System32\drivers\avgtdia.sys [2013-8-1 251192]
R1 avgtp;avgtp;C:\Windows\System32\drivers\avgtpx64.sys [2012-7-22 46368]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe [2013-11-11 3478544]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe [2013-9-24 348008]
R2 MBAMScheduler;MBAMScheduler;H:\Prgms\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-9-14 418376]
R2 MBAMService;MBAMService;H:\Prgms\Malwarebytes' Anti-Malware\mbamservice.exe [2013-9-14 701512]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2013-1-18 383264]
R2 vToolbarUpdater17.3.0;vToolbarUpdater17.3.0;C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\17.3.0\ToolbarUpdater.exe [2014-1-9 1771544]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-9-14 25928]
R3 tapklink;Klink Virtual Network Adapter;C:\Windows\System32\drivers\tapklink.sys [2011-10-23 31232]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 Andbus;LGE Android Platform Composite USB Device;C:\Windows\System32\drivers\lgandbus64.sys [2012-6-7 19456]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-2-12 111616]
S3 mbamchameleon;mbamchameleon;C:\Windows\System32\drivers\mbamchameleon.sys [2013-10-18 91352]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2012-7-22 20992]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-7-24 59392]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-7-24 1255736]
.
=============== Created Last 30 ================
.
2014-02-12 12:36:32    2048    ----a-w-    C:\Windows\SysWow64\msxml3r.dll
2014-02-09 09:41:06    --------    d-----w-    C:\Users\SSDemonic\AppData\Local\FalloutNV
2014-02-09 09:35:15    --------    d-----w-    C:\Users\SSDemonic\AppData\Local\Oblivion
2014-02-05 00:06:04    --------    d-----w-    C:\Users\SSDemonic\Jaikoz
2014-02-02 02:12:54    281688    ----a-w-    C:\Windows\SysWow64\PnkBstrB.xtr
2014-02-02 02:12:45    --------    d-----w-    C:\Users\SSDemonic\AppData\Local\PunkBuster
2014-02-02 02:11:40    282512    ----a-w-    C:\Windows\SysWow64\PnkBstrB.ex0
2014-02-02 02:11:40    281688    ----a-w-    C:\Windows\SysWow64\PnkBstrB.exe
2014-02-02 02:11:39    76888    ----a-w-    C:\Windows\SysWow64\PnkBstrA.exe
2014-01-25 17:11:15    --------    d-----w-    C:\Program Files\PeerBlock
.
==================== Find3M  ====================
.
2014-02-06 11:30:46    2724864    ----a-w-    C:\Windows\System32\mshtml.tlb
2014-02-06 11:30:12    4096    ----a-w-    C:\Windows\System32\ieetwcollectorres.dll
2014-02-06 11:07:39    66048    ----a-w-    C:\Windows\System32\iesetup.dll
2014-02-06 11:06:47    48640    ----a-w-    C:\Windows\System32\ieetwproxystub.dll
2014-02-06 10:49:03    139264    ----a-w-    C:\Windows\System32\ieUnatt.exe
2014-02-06 10:48:45    111616    ----a-w-    C:\Windows\System32\ieetwcollector.exe
2014-02-06 10:48:11    708608    ----a-w-    C:\Windows\System32\jscript9diag.dll
2014-02-06 10:20:26    2724864    ----a-w-    C:\Windows\SysWow64\mshtml.tlb
2014-02-06 10:11:37    5768704    ----a-w-    C:\Windows\System32\jscript9.dll
2014-02-06 10:01:36    61952    ----a-w-    C:\Windows\SysWow64\iesetup.dll
2014-02-06 10:00:46    51200    ----a-w-    C:\Windows\SysWow64\ieetwproxystub.dll
2014-02-06 09:50:32    2041856    ----a-w-    C:\Windows\System32\inetcpl.cpl
2014-02-06 09:47:22    112128    ----a-w-    C:\Windows\SysWow64\ieUnatt.exe
2014-02-06 09:46:27    553472    ----a-w-    C:\Windows\SysWow64\jscript9diag.dll
2014-02-06 09:25:36    4244480    ----a-w-    C:\Windows\SysWow64\jscript9.dll
2014-02-06 09:24:52    2334208    ----a-w-    C:\Windows\System32\wininet.dll
2014-02-06 09:09:30    1964032    ----a-w-    C:\Windows\SysWow64\inetcpl.cpl
2014-02-06 08:41:35    1820160    ----a-w-    C:\Windows\SysWow64\wininet.dll
2014-02-05 00:21:08    71048    ----a-w-    C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-02-05 00:21:08    692616    ----a-w-    C:\Windows\SysWow64\FlashPlayerApp.exe
2013-12-24 23:09:41    1987584    ----a-w-    C:\Windows\SysWow64\d3d10warp.dll
2013-12-24 22:48:32    2565120    ----a-w-    C:\Windows\System32\d3d10warp.dll
2013-12-22 14:14:39    466456    ----a-w-    C:\Windows\System32\wrap_oal.dll
2013-12-22 14:14:39    444952    ----a-w-    C:\Windows\SysWow64\wrap_oal.dll
2013-12-22 14:14:39    122904    ----a-w-    C:\Windows\System32\OpenAL32.dll
2013-12-22 14:14:39    109080    ----a-w-    C:\Windows\SysWow64\OpenAL32.dll
2013-12-21 09:53:45    548864    ----a-w-    C:\Windows\System32\vbscript.dll
2013-12-21 08:56:47    454656    ----a-w-    C:\Windows\SysWow64\vbscript.dll
2013-12-10 08:01:04    940032    ----a-w-    C:\Windows\System32\MsSpellCheckingFacility.exe
2013-12-10 08:01:04    194048    ----a-w-    C:\Windows\SysWow64\elshyph.dll
2013-12-10 08:01:01    645120    ----a-w-    C:\Windows\SysWow64\jsIntl.dll
2013-12-10 08:01:01    235008    ----a-w-    C:\Windows\System32\elshyph.dll
2013-12-10 08:01:00    71680    ----a-w-    C:\Windows\SysWow64\RegisterIEPKEYs.exe
2013-12-10 08:01:00    62464    ----a-w-    C:\Windows\SysWow64\tdc.ocx
2013-12-10 08:01:00    34816    ----a-w-    C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
2013-12-10 08:01:00    337408    ----a-w-    C:\Windows\SysWow64\html.iec
2013-12-10 08:01:00    182272    ----a-w-    C:\Windows\SysWow64\msls31.dll
2013-12-06 02:30:08    2048    ----a-w-    C:\Windows\System32\msxml3r.dll
2013-12-06 02:30:08    1882112    ----a-w-    C:\Windows\System32\msxml3.dll
2013-12-06 02:02:08    1237504    ----a-w-    C:\Windows\SysWow64\msxml3.dll
2013-12-04 02:27:33    485888    ----a-w-    C:\Windows\System32\secproc_isv.dll
2013-12-04 02:27:33    123392    ----a-w-    C:\Windows\System32\secproc_ssp_isv.dll
2013-12-04 02:27:33    123392    ----a-w-    C:\Windows\System32\secproc_ssp.dll
2013-12-04 02:27:16    488448    ----a-w-    C:\Windows\System32\secproc.dll
2013-12-04 02:26:32    528384    ----a-w-    C:\Windows\System32\msdrm.dll
2013-12-04 02:16:51    658432    ----a-w-    C:\Windows\System32\RMActivate_isv.exe
2013-12-04 02:16:51    626176    ----a-w-    C:\Windows\System32\RMActivate.exe
2013-12-04 02:16:50    552960    ----a-w-    C:\Windows\System32\RMActivate_ssp_isv.exe
2013-12-04 02:16:48    553984    ----a-w-    C:\Windows\System32\RMActivate_ssp.exe
2013-12-04 02:03:20    87040    ----a-w-    C:\Windows\SysWow64\secproc_ssp_isv.dll
2013-12-04 02:03:20    87040    ----a-w-    C:\Windows\SysWow64\secproc_ssp.dll
2013-12-04 02:03:20    423936    ----a-w-    C:\Windows\SysWow64\secproc_isv.dll
2013-12-04 02:03:08    428032    ----a-w-    C:\Windows\SysWow64\secproc.dll
2013-12-04 02:02:06    390144    ----a-w-    C:\Windows\SysWow64\msdrm.dll
2013-12-04 01:54:14    510976    ----a-w-    C:\Windows\SysWow64\RMActivate_ssp.exe
2013-12-04 01:54:10    594944    ----a-w-    C:\Windows\SysWow64\RMActivate_isv.exe
2013-12-04 01:54:09    572416    ----a-w-    C:\Windows\SysWow64\RMActivate.exe
2013-12-04 01:54:06    508928    ----a-w-    C:\Windows\SysWow64\RMActivate_ssp_isv.exe
2013-11-27 01:41:37    343040    ----a-w-    C:\Windows\System32\drivers\usbhub.sys
2013-11-27 01:41:15    99840    ----a-w-    C:\Windows\System32\drivers\usbccgp.sys
2013-11-27 01:41:11    53248    ----a-w-    C:\Windows\System32\drivers\usbehci.sys
2013-11-27 01:41:11    325120    ----a-w-    C:\Windows\System32\drivers\usbport.sys
2013-11-27 01:41:09    25600    ----a-w-    C:\Windows\System32\drivers\usbohci.sys
2013-11-27 01:41:06    30720    ----a-w-    C:\Windows\System32\drivers\usbuhci.sys
2013-11-27 01:41:03    7808    ----a-w-    C:\Windows\System32\drivers\usbd.sys
2013-11-26 11:40:00    376768    ----a-w-    C:\Windows\System32\drivers\netio.sys
2013-11-26 10:32:56    3156480    ----a-w-    C:\Windows\System32\win32k.sys
2013-11-26 08:16:50    3419136    ----a-w-    C:\Windows\SysWow64\d2d1.dll
2013-11-23 18:26:20    417792    ----a-w-    C:\Windows\SysWow64\WMPhoto.dll
2013-11-23 17:47:34    465920    ----a-w-    C:\Windows\System32\WMPhoto.dll
2013-11-22 22:48:21    3928064    ----a-w-    C:\Windows\System32\d2d1.dll
.
============= FINISH:  4:54:14.94 ===============
 


Edited by Ghoul Slayer, 14 February 2014 - 05:20 AM.


BC AdBot (Login to Remove)

 


#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:37 PM

Posted 14 February 2014 - 05:26 AM

This folder is created by Windows Updates. Have a look here about how to get rid of it:

 

http://answers.microsoft.com/en-us/windows/forum/windows_7-files/unable-to-delete-folders-on-external-usb-hard/c48be344-53ff-47fd-bedf-18556f6c6dbc


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 Ghoul Slayer

Ghoul Slayer
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:03:37 PM

Posted 14 February 2014 - 08:18 PM

Oddly enough, I had found that same step by step answer on another page before I posted here. I tried that and when I attempt to follow step e. (Click Apply) I get a popup that says, "An error occurred while applying security information to: H:\6d97371090ee84b8100fe3e5997d Access is denied." Yes I have tried it again and still get the same results.

#4 Ghoul Slayer

Ghoul Slayer
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:03:37 PM

Posted 16 February 2014 - 01:33 PM

I also tried to unlock the folders within the aforementioned folder. It will not even let me tick the checkboxes.



#5 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:37 PM

Posted 17 February 2014 - 06:16 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

 

Please post a new DDS log and don´t forget the attach.txt.

Also, please do the following:

 

 

 

Scan with Malwarebytes Anti-Rootkit

Please download Malwarebytes Anti-Rootkit from here Malwarebytes : Malwarebytes Anti-Rootkit and save it to your desktop.

Be sure to print out and follow the instructions provided on that same page.

Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.

  • Double click the mbar.zip file to open it, then 'Extract all files'.
  • Double click the mbar folder to open it, then double click mbar.exe to start the tool.

Check for Updates, then Scan your system for malware

If malware is found, do NOT press the Cleanup button yet. Click EXIT.

I'd like to see the log first so I can see what it sees. You'll find the log in that mbar folder as MBAR-log-[date and time]***.txt . Please attach that to your next reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#6 Ghoul Slayer

Ghoul Slayer
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:03:37 PM

Posted 17 February 2014 - 10:34 PM

. UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT . DDS (Ver_2012-11-20.01) . Microsoft Windows 7 Ultimate Boot Device: \Device\HarddiskVolume1 Install Date: 7/22/2012 3:13:16 AM System Uptime: 2/17/2014 5:35:04 PM (5 hours ago) . Motherboard: MSI | | MS-7390 Processor: AMD Phenom™ 9650 Quad-Core Processor | CPU 1 | 2310/200mhz . ==== Disk Partitions ========================= . A: is Removable C: is FIXED (NTFS) - 112 GiB total, 31.133 GiB free. D: is CDROM () E: is CDROM () F: is FIXED (NTFS) - 932 GiB total, 179.426 GiB free. G: is FIXED (NTFS) - 932 GiB total, 218.552 GiB free. H: is FIXED (NTFS) - 2795 GiB total, 1367.669 GiB free. J: is FIXED (NTFS) - 600 GiB total, 168.717 GiB free. . ==== Disabled Device Manager Items ============= . ==== System Restore Points =================== . RP186: 2/9/2014 4:34:22 AM - Installed DirectX RP187: 2/9/2014 4:40:10 AM - Installed DirectX RP188: 2/12/2014 8:06:54 AM - Windows Update RP189: 2/12/2014 12:37:10 PM - Windows Update RP190: 2/15/2014 12:49:33 PM - Windows Update . ==== Installed Programs ====================== . µTorrent 15354 Webcam Live Adobe Digital Editions 2.0 Adobe Flash Player 12 ActiveX Adobe Flash Player 12 Plugin Adobe Reader X (10.1.9) Alien Swarm - SDK Alien Swarm Dedicated Server Aliens vs. Predator Alpha Protocol AnyDVD AVG 2014 AVG Security Toolbar Baldur's Gate II: Enhanced Edition Batman: Arkham City GOTY Batman: Arkham Origins BioShock BioShock 2 BioShock Infinite Blood Bowl: Legendary Edition BRINK CCleaner Construct 2 Free Counter-Strike: Source Crazy Taxi Crysis Crysis 2 Maximum Edition Crysis Warhead Crysis Wars D3DX10 DIRECTV Player Dishonored DOOM 3: BFG Edition Dual-Core Optimizer Earth 2160 Empire: Total War Fallout 3 - Game of the Year Edition Fallout: New Vegas Far Cry® 3 Far Cry® 3 Blood Dragon Faveset Klink FileBot FINAL FANTASY VII Football Manager 2011 Garry's Mod Grand Theft Auto IV Grand Theft Auto: Episodes from Liberty City Jaikoz (64-bit) 6.1.0 Java 7 Update 13 Java Auto Updater Just Cause Just Cause 2 Just Cause 2: Multiplayer - Dedicated Server Just Cause 2: Multiplayer Mod Left 4 Dead 2 Malwarebytes Anti-Malware version 1.75.0.1300 Maxtor Manager Medieval II: Total War Medieval II: Total War Kingdoms Microsoft .NET Framework 4 Client Profile Microsoft Application Error Reporting Microsoft Games for Windows - LIVE Redistributable Microsoft Games for Windows Marketplace Microsoft Silverlight Microsoft SQL Server 2005 Compact Edition [ENU] Microsoft Visual C++ 2005 Redistributable Microsoft Visual C++ 2005 Redistributable (x64) Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022 Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.60610 Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.60610 Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.60610 Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.60610 Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.60610 Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.60610 Microsoft WSE 3.0 Runtime Microsoft Xbox 360 Accessories 1.2 Monopoly Mortal Kombat Kollection Movie Maker Mozilla Firefox 27.0.1 (x86 en-US) Mozilla Maintenance Service MSVCRT MSVCRT110 MSVCRT110_amd64 Napoleon: Total War NVIDIA 3D Vision Controller Driver 301.42 NVIDIA 3D Vision Driver 311.06 NVIDIA Control Panel 311.06 NVIDIA Graphics Driver 311.06 NVIDIA Install Application NVIDIA PhysX NVIDIA Stereoscopic 3D Driver NVIDIA Update 1.11.3 NVIDIA Update Components OpenAL Origin Paint.NET v3.5.11 PeerBlock 1.2 (r693) Philips Retractable PC Controller Photo Common Photo Gallery PowerISO PunkBuster Services Quake Quake 4 Quake II Quake II: Ground Zero Quake II: The Reckoning Quake III Arena Quake III: Team Arena Quake Mission Pack 1: Scourge of Armagon Quake Mission Pack 2: Dissolution of Eternity RAGE Ravaged Real World Racing Rocksmith 2014 Rome: Total War Rome: Total War - Alexander RPG Maker VX Ace Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121) Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351) Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2) Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405) Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827) Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449) Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019) Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595) Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642) Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576) Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393) Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628) Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628v2) Security Update for Microsoft .NET Framework 4 Client Profile (KB2858302v2) Security Update for Microsoft .NET Framework 4 Client Profile (KB2898855v2) SEGA Bass Fishing SEGA Genesis & Mega Drive Classics Sonic Adventure DX Sonic and SEGA All Stars Racing Space Channel 5: Part 2 Space Siege Spiral Knights Steam Stormrise System Requirements Lab The Club The Elder Scrolls III: Morrowind The Elder Scrolls IV: Oblivion The Elder Scrolls V: Skyrim The Sims™ 3 The Sims 3 The Sims 3 University Life Total War: SHOGUN 2 Train Simulator 2014 Tropico 4 TrueCrypt Universe at War: Earth Assault Update for Microsoft .NET Framework 4 Client Profile (KB2468871) Update for Microsoft .NET Framework 4 Client Profile (KB2533523) Update for Microsoft .NET Framework 4 Client Profile (KB2600217) Update for Microsoft .NET Framework 4 Client Profile (KB2836939) Update for Microsoft .NET Framework 4 Client Profile (KB2836939v3) Uplay Vancouver 2010: The Official Video Game of the Olympic Winter Games Virtua Tennis 2009 Virtua Tennis 4 Visual Studio 2008 x64 Redistributables Visual Studio 2010 x64 Redistributables Visual Studio 2012 x64 Redistributables Visual Studio 2012 x86 Redistributables VLC media player 2.0.3 Windows Live Communications Platform Windows Live Essentials Windows Live ID Sign-in Assistant Windows Live Installer Windows Live Photo Common Windows Live PIMT Platform Windows Live SOXE Windows Live SOXE Definitions Windows Live UX Platform Windows Live UX Platform Language Pack WinRAR 4.20 (64-bit) XBMC . ==== Event Viewer Messages From Past Week ======== . 2/17/2014 7:08:29 AM, Error: Ntfs [137] - The default transaction resource manager on volume J: encountered a non-retryable error and could not start. The data contains the error code. 2/17/2014 5:37:30 PM, Error: Service Control Manager [7038] - The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC). 2/17/2014 5:37:30 PM, Error: Service Control Manager [7000] - The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure. 2/12/2014 5:32:50 PM, Error: Ntfs [137] - The default transaction resource manager on volume G: encountered a non-retryable error and could not start. The data contains the error code. . ==== End Of File ===========================
DDS (Ver_2012-11-20.01) - NTFS_AMD64 Internet Explorer: 11.0.9600.16518 BrowserJavaVersion: 10.13.2 Run by SSDemonic at 22:31:42 on 2014-02-17 Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.6143.4015 [GMT -5:00] . AV: AVG AntiVirus Free Edition 2014 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9} SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} SP: AVG AntiVirus Free Edition 2014 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664} . ============== Running Processes =============== . C:\PROGRA~2\AVG\AVG2014\avgrsa.exe C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe C:\Windows\system32\lsm.exe C:\Windows\system32\svchost.exe -k DcomLaunch C:\Windows\system32\nvvsvc.exe C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe C:\Windows\system32\svchost.exe -k RPCSS C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted C:\Windows\system32\svchost.exe -k LocalService C:\Windows\system32\svchost.exe -k netsvcs C:\Windows\system32\svchost.exe -k NetworkService C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe C:\Windows\system32\nvvsvc.exe C:\Windows\System32\spoolsv.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe C:\Program Files (x86)\Maxtor\Sync\SyncServices.exe H:\Prgms\Malwarebytes' Anti-Malware\mbamscheduler.exe H:\Prgms\Malwarebytes' Anti-Malware\mbamservice.exe C:\Windows\SysWOW64\PnkBstrA.exe C:\Windows\system32\svchost.exe -k imgsvc C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\17.3.0\ToolbarUpdater.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\17.3.0\loggingserver.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe C:\Program Files (x86)\AVG\AVG2014\avgemca.exe C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted C:\Windows\system32\taskhost.exe H:\Prgms\Malwarebytes' Anti-Malware\mbamgui.exe C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Windows\Pixart\Pac7302\Monitor.exe C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe C:\Program Files\Windows Sidebar\sidebar.exe C:\Program Files (x86)\AVG Secure Search\vprot.exe C:\Program Files (x86)\AVG\AVG2014\avgui.exe C:\Program Files\NVIDIA Corporation\Display\nvtray.exe C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation C:\Windows\system32\SearchIndexer.exe C:\Program Files\Windows Media Player\wmpnetwk.exe C:\Windows\System32\svchost.exe -k LocalServicePeerNet C:\Program Files\PeerBlock\peerblock.exe C:\Program Files\TrueCrypt\TrueCrypt.exe C:\Users\SSDemonic\AppData\Roaming\uTorrent\uTorrent.exe C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe C:\Program Files (x86)\XBMC\XBMC.exe C:\Program Files (x86)\Mozilla Firefox\firefox.exe C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe C:\Windows\system32\taskhost.exe C:\Windows\system32\SearchProtocolHost.exe C:\Windows\system32\SearchFilterHost.exe C:\Windows\system32\wbem\wmiprvse.exe C:\Windows\System32\cscript.exe . ============== Pseudo HJT Report =============== . uStart Page = hxxp://store.thesims3.com/ uURLSearchHooks: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - mWinlogon: Userinit = userinit.exe, BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll BHO: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\17.3.0.49\AVG Secure Search_toolbar.dll BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll TB: : {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - LocalServer32 - TB: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\17.3.0.49\AVG Secure Search_toolbar.dll uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" mRun: [amd_dc_opt] C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe mRun: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe" mRun: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2014\avgui.exe" /TRAYONLY mPolicies-Explorer: NoActiveDesktop = dword:1 mPolicies-Explorer: NoActiveDesktopChanges = dword:1 mPolicies-System: ConsentPromptBehaviorAdmin = dword:5 mPolicies-System: ConsentPromptBehaviorUser = dword:3 mPolicies-System: EnableUIADesktopToggle = dword:0 Trusted Zone: clonewarsadventures.com Trusted Zone: freerealms.com Trusted Zone: soe.com Trusted Zone: sony.com DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab TCP: NameServer = 192.168.1.254 TCP: Interfaces\{38C15BAE-C61A-473E-9FFC-93C15E27926A} : DHCPNameServer = 8.8.8.8 8.8.4.4 TCP: Interfaces\{C0C2D301-6EC8-4DC6-874B-D669039EC75C} : DHCPNameServer = 192.168.1.254 Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\17.3.0\ViProtocol.dll Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll SSODL: WebCheck - x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll x64-Run: [PAC7302_Monitor] C:\Windows\PixArt\PAC7302\Monitor.exe x64-Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun x64-Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - x64-Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - x64-SSODL: WebCheck - . ================= FIREFOX =================== . FF - ProfilePath - C:\Users\SSDemonic\AppData\Roaming\Mozilla\Firefox\Profiles\1iwg4san.default\ FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/ FF - prefs.js: keyword.URL - FF - prefs.js: network.proxy.type - 0 FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll FF - plugin: C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\17.3.0\npsitesafety.dll FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrlui.dll FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll FF - plugin: C:\Users\SSDemonic\AppData\Local\DIRECTV Player\npPlayerPlugin.dll FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_44.dll FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll FF - plugin: C:\Windows\SysWOW64\npmproxy.dll . ---- FIREFOX POLICIES ---- FF - user.js: extensions.funmoods.hmpg - false FF - user.js: extensions.funmoods.hmpgUrl - hxxp://searchfunmoods.com/?f=1&a=download&chnl=download&cd=2XzuyEtN2Y1L1QzutDtDtBtCzzyDyC0EyC0FyC0CyEtBtAzztN0D0Tzu0CtBzyzztN1L2XzutBtFtBtFtDtFtAyEyE&cr=1010704821 FF - user.js: extensions.funmoods.dfltSrch - true FF - user.js: extensions.funmoods.srchPrvdr - Search FF - user.js: extensions.funmoods.dnsErr - true FF - user.js: extensions.funmoods_i.newTab - false FF - user.js: extensions.funmoods.newTabUrl - hxxp://searchfunmoods.com/?f=2&a=download&chnl=download&cd=2XzuyEtN2Y1L1QzutDtDtBtCzzyDyC0EyC0FyC0CyEtBtAzztN0D0Tzu0CtBzyzztN1L2XzutBtFtBtFtDtFtAyEyE&cr=1010704821 FF - user.js: extensions.funmoods.tlbrSrchUrl - hxxp://searchfunmoods.com/?f=3&a=download&chnl=download&cd=2XzuyEtN2Y1L1QzutDtDtBtCzzyDyC0EyC0FyC0CyEtBtAzztN0D0Tzu0CtBzyzztN1L2XzutBtFtBtFtDtFtAyEyE&cr=1010704821&q= FF - user.js: extensions.funmoods.id - 0021856E6F6C4238 FF - user.js: extensions.funmoods.instlDay - 15637 FF - user.js: extensions.funmoods.vrsn - 1.5.23.22 FF - user.js: extensions.funmoods.vrsni - 1.5.23.22 FF - user.js: extensions.funmoods_i.vrsnTs - 1.5.23.2220:41:19 FF - user.js: extensions.funmoods.prtnrId - funmoods FF - user.js: extensions.funmoods.prdct - funmoods FF - user.js: extensions.funmoods.aflt - download FF - user.js: extensions.funmoods_i.smplGrp - none FF - user.js: extensions.funmoods.tlbrId - base FF - user.js: extensions.funmoods.instlRef - download FF - user.js: extensions.funmoods.dfltLng - FF - user.js: extensions.funmoods.excTlbr - true FF - user.js: extensions.funmoods.autoRvrt - false FF - user.js: extensions.funmoods.envrmnt - production FF - user.js: extensions.funmoods.isdcmntcmplt - true FF - user.js: extensions.funmoods.mntrvrsn - 1.3.0 . ============= SERVICES / DRIVERS =============== . R0 AVGIDSHA;AVGIDSHA;C:\Windows\System32\drivers\avgidsha.sys [2013-10-24 194872] R0 Avgloga;AVG Logging Driver;C:\Windows\System32\drivers\avgloga.sys [2013-10-31 294712] R0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\drivers\avgmfx64.sys [2013-10-1 123704] R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2013-9-10 31544] R1 Avgdiska;AVG Disk Driver;C:\Windows\System32\drivers\avgdiska.sys [2013-11-5 150808] R1 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\drivers\avgidsdrivera.sys [2013-11-4 240920] R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\drivers\avgldx64.sys [2013-10-31 212280] R1 Avgtdia;AVG TDI Driver;C:\Windows\System32\drivers\avgtdia.sys [2013-8-1 251192] R1 avgtp;avgtp;C:\Windows\System32\drivers\avgtpx64.sys [2012-7-22 46368] R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe [2013-11-11 3478544] R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe [2013-9-24 348008] R2 MBAMScheduler;MBAMScheduler;H:\Prgms\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-9-14 418376] R2 MBAMService;MBAMService;H:\Prgms\Malwarebytes' Anti-Malware\mbamservice.exe [2013-9-14 701512] R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2013-1-18 383264] R2 vToolbarUpdater17.3.0;vToolbarUpdater17.3.0;C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\17.3.0\ToolbarUpdater.exe [2014-1-9 1771544] R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-9-14 25928] R3 pbfilter;pbfilter;C:\Program Files\PeerBlock\pbfilter.sys [2014-1-25 22600] R3 tapklink;Klink Virtual Network Adapter;C:\Windows\System32\drivers\tapklink.sys [2011-10-23 31232] S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384] S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576] S3 Andbus;LGE Android Platform Composite USB Device;C:\Windows\System32\drivers\lgandbus64.sys [2012-6-7 19456] S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-2-12 111616] S3 mbamchameleon;mbamchameleon;C:\Windows\System32\drivers\mbamchameleon.sys [2013-10-18 91352] S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2012-7-22 20992] S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-7-24 59392] S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-7-24 1255736] . =============== Created Last 30 ================ . 2014-02-18 03:25:31 -------- d-----w- C:\Program Files (x86)\Indie Softworks 2014-02-12 13:07:48 548864 ----a-w- C:\Windows\System32\vbscript.dll 2014-02-12 12:36:32 2048 ----a-w- C:\Windows\SysWow64\msxml3r.dll 2014-02-09 09:41:06 -------- d-----w- C:\Users\SSDemonic\AppData\Local\FalloutNV 2014-02-09 09:35:15 -------- d-----w- C:\Users\SSDemonic\AppData\Local\Oblivion 2014-02-05 00:06:04 -------- d-----w- C:\Users\SSDemonic\Jaikoz 2014-02-02 02:12:54 281688 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr 2014-02-02 02:12:45 -------- d-----w- C:\Users\SSDemonic\AppData\Local\PunkBuster 2014-02-02 02:11:40 282512 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0 2014-02-02 02:11:40 281688 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe 2014-02-02 02:11:39 76888 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe 2014-01-25 17:11:15 -------- d-----w- C:\Program Files\PeerBlock . ==================== Find3M ==================== . 2014-02-06 11:30:46 2724864 ----a-w- C:\Windows\System32\mshtml.tlb 2014-02-06 11:30:12 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll 2014-02-06 11:07:39 66048 ----a-w- C:\Windows\System32\iesetup.dll 2014-02-06 11:06:47 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll 2014-02-06 10:49:03 139264 ----a-w- C:\Windows\System32\ieUnatt.exe 2014-02-06 10:48:45 111616 ----a-w- C:\Windows\System32\ieetwcollector.exe 2014-02-06 10:48:11 708608 ----a-w- C:\Windows\System32\jscript9diag.dll 2014-02-06 10:20:26 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb 2014-02-06 10:11:37 5768704 ----a-w- C:\Windows\System32\jscript9.dll 2014-02-06 10:01:36 61952 ----a-w- C:\Windows\SysWow64\iesetup.dll 2014-02-06 10:00:46 51200 ----a-w- C:\Windows\SysWow64\ieetwproxystub.dll 2014-02-06 09:50:32 2041856 ----a-w- C:\Windows\System32\inetcpl.cpl 2014-02-06 09:47:22 112128 ----a-w- C:\Windows\SysWow64\ieUnatt.exe 2014-02-06 09:46:27 553472 ----a-w- C:\Windows\SysWow64\jscript9diag.dll 2014-02-06 09:25:36 4244480 ----a-w- C:\Windows\SysWow64\jscript9.dll 2014-02-06 09:24:52 2334208 ----a-w- C:\Windows\System32\wininet.dll 2014-02-06 09:09:30 1964032 ----a-w- C:\Windows\SysWow64\inetcpl.cpl 2014-02-06 08:41:35 1820160 ----a-w- C:\Windows\SysWow64\wininet.dll 2014-02-05 00:21:08 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl 2014-02-05 00:21:08 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe 2013-12-24 23:09:41 1987584 ----a-w- C:\Windows\SysWow64\d3d10warp.dll 2013-12-24 22:48:32 2565120 ----a-w- C:\Windows\System32\d3d10warp.dll 2013-12-22 14:14:39 466456 ----a-w- C:\Windows\System32\wrap_oal.dll 2013-12-22 14:14:39 444952 ----a-w- C:\Windows\SysWow64\wrap_oal.dll 2013-12-22 14:14:39 122904 ----a-w- C:\Windows\System32\OpenAL32.dll 2013-12-22 14:14:39 109080 ----a-w- C:\Windows\SysWow64\OpenAL32.dll 2013-12-21 08:56:47 454656 ----a-w- C:\Windows\SysWow64\vbscript.dll 2013-12-10 08:01:04 940032 ----a-w- C:\Windows\System32\MsSpellCheckingFacility.exe 2013-12-10 08:01:04 194048 ----a-w- C:\Windows\SysWow64\elshyph.dll 2013-12-10 08:01:01 645120 ----a-w- C:\Windows\SysWow64\jsIntl.dll 2013-12-10 08:01:01 235008 ----a-w- C:\Windows\System32\elshyph.dll 2013-12-10 08:01:00 71680 ----a-w- C:\Windows\SysWow64\RegisterIEPKEYs.exe 2013-12-10 08:01:00 62464 ----a-w- C:\Windows\SysWow64\tdc.ocx 2013-12-10 08:01:00 34816 ----a-w- C:\Windows\SysWow64\JavaScriptCollectionAgent.dll 2013-12-10 08:01:00 337408 ----a-w- C:\Windows\SysWow64\html.iec 2013-12-10 08:01:00 182272 ----a-w- C:\Windows\SysWow64\msls31.dll 2013-12-06 02:30:08 2048 ----a-w- C:\Windows\System32\msxml3r.dll 2013-12-06 02:30:08 1882112 ----a-w- C:\Windows\System32\msxml3.dll 2013-12-06 02:02:08 1237504 ----a-w- C:\Windows\SysWow64\msxml3.dll 2013-12-04 02:27:33 485888 ----a-w- C:\Windows\System32\secproc_isv.dll 2013-12-04 02:27:33 123392 ----a-w- C:\Windows\System32\secproc_ssp_isv.dll 2013-12-04 02:27:33 123392 ----a-w- C:\Windows\System32\secproc_ssp.dll 2013-12-04 02:27:16 488448 ----a-w- C:\Windows\System32\secproc.dll 2013-12-04 02:26:32 528384 ----a-w- C:\Windows\System32\msdrm.dll 2013-12-04 02:16:51 658432 ----a-w- C:\Windows\System32\RMActivate_isv.exe 2013-12-04 02:16:51 626176 ----a-w- C:\Windows\System32\RMActivate.exe 2013-12-04 02:16:50 552960 ----a-w- C:\Windows\System32\RMActivate_ssp_isv.exe 2013-12-04 02:16:48 553984 ----a-w- C:\Windows\System32\RMActivate_ssp.exe 2013-12-04 02:03:20 87040 ----a-w- C:\Windows\SysWow64\secproc_ssp_isv.dll 2013-12-04 02:03:20 87040 ----a-w- C:\Windows\SysWow64\secproc_ssp.dll 2013-12-04 02:03:20 423936 ----a-w- C:\Windows\SysWow64\secproc_isv.dll 2013-12-04 02:03:08 428032 ----a-w- C:\Windows\SysWow64\secproc.dll 2013-12-04 02:02:06 390144 ----a-w- C:\Windows\SysWow64\msdrm.dll 2013-12-04 01:54:14 510976 ----a-w- C:\Windows\SysWow64\RMActivate_ssp.exe 2013-12-04 01:54:10 594944 ----a-w- C:\Windows\SysWow64\RMActivate_isv.exe 2013-12-04 01:54:09 572416 ----a-w- C:\Windows\SysWow64\RMActivate.exe 2013-12-04 01:54:06 508928 ----a-w- C:\Windows\SysWow64\RMActivate_ssp_isv.exe 2013-11-27 01:41:37 343040 ----a-w- C:\Windows\System32\drivers\usbhub.sys 2013-11-27 01:41:15 99840 ----a-w- C:\Windows\System32\drivers\usbccgp.sys 2013-11-27 01:41:11 53248 ----a-w- C:\Windows\System32\drivers\usbehci.sys 2013-11-27 01:41:11 325120 ----a-w- C:\Windows\System32\drivers\usbport.sys 2013-11-27 01:41:09 25600 ----a-w- C:\Windows\System32\drivers\usbohci.sys 2013-11-27 01:41:06 30720 ----a-w- C:\Windows\System32\drivers\usbuhci.sys 2013-11-27 01:41:03 7808 ----a-w- C:\Windows\System32\drivers\usbd.sys 2013-11-26 11:40:00 376768 ----a-w- C:\Windows\System32\drivers\netio.sys 2013-11-26 10:32:56 3156480 ----a-w- C:\Windows\System32\win32k.sys 2013-11-26 08:16:50 3419136 ----a-w- C:\Windows\SysWow64\d2d1.dll 2013-11-23 18:26:20 417792 ----a-w- C:\Windows\SysWow64\WMPhoto.dll 2013-11-23 17:47:34 465920 ----a-w- C:\Windows\System32\WMPhoto.dll 2013-11-22 22:48:21 3928064 ----a-w- C:\Windows\System32\d2d1.dll . ============= FINISH: 22:32:04.20 ===============

#7 Ghoul Slayer

Ghoul Slayer
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:03:37 PM

Posted 17 February 2014 - 10:48 PM

I ran the Malwarebytes rootkit tool and it didn't find anything.

#8 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:37 PM

Posted 18 February 2014 - 05:48 AM

I can´t read that - please attach the logs to your next reply
Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#9 Ghoul Slayer

Ghoul Slayer
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:03:37 PM

Posted 18 February 2014 - 10:29 PM

Is this what you wanted me to do?

Attached Files


Edited by Ghoul Slayer, 18 February 2014 - 10:30 PM.


#10 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:37 PM

Posted 19 February 2014 - 07:12 AM

Combofix

Combofix should only be run when adviced by a team member!

Link


Important - Save the file to your desktop!


  • Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe


When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing ""Illegal operation attempted on a registry key that has been marked for deletion" simply restart your computer to fix this.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#11 Ghoul Slayer

Ghoul Slayer
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:03:37 PM

Posted 21 February 2014 - 07:04 AM

Any idea what the problem is yet?

Attached Files

  • Attached File  log.txt   22.8KB   4 downloads


#12 Ghoul Slayer

Ghoul Slayer
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:03:37 PM

Posted 21 February 2014 - 07:06 AM

I'm not sure if this is any different from the one I just posted. I just want to make sure I'm following your instructions to the letter.

Attached Files


Edited by Ghoul Slayer, 21 February 2014 - 07:07 AM.


#13 Ghoul Slayer

Ghoul Slayer
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:03:37 PM

Posted 22 February 2014 - 10:43 AM

I don't know what is going on but I had some more folders magically appear in my external hd's. They were labeled Recyled and Recycle Bin. I deleted them. I don't like stuff just popping up on my computer for no apparent reason.



#14 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:37 PM

Posted 24 February 2014 - 04:46 AM

These folders are system files and are needed by windows to work correctly.

Combofix does some changes to the visibility options regarding system files so they were visible temporarly. They shouldn´t be deleted and I told you before not to do anything without advice.

 

Try this on the random named folder::

 

  • Right click the offending folder, and then click Properties.
  • Click the Security tab followed by Advanced.
  • Click Owner then Edit and set the ownership to yourself.
  • Check Replace Owner on Sub-containers and Objects then click OK.
  • You should now be able to delete the offending folder.
     

 

Combofix scripting

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.


CFScriptB-4.gif


Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Attached Files


Edited by TB-Psychotic, 24 February 2014 - 04:48 AM.

Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#15 Ghoul Slayer

Ghoul Slayer
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:03:37 PM

Posted 27 February 2014 - 08:59 PM

As I stated earlier, I already tried the step by step on the offending folder. It unlocks the outer folder but the files inside it will not allow me to do the same. Therefore, I can't delete the folder or it's contents which is why I came here in the first place. I don't understand why Windows needs to create new folders on my external drive all of a sudden, especially ones that seem to be redundant. I apologize for any misunderstanding. I did not realize that deleting those other folders had anything to do with what we are trying to accomplish here.

Attached Files


Edited by Ghoul Slayer, 27 February 2014 - 09:00 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users