Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

syshost


  • This topic is locked This topic is locked
16 replies to this topic

#1 Animas42

Animas42

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:05:39 PM

Posted 08 March 2014 - 02:36 PM

My original thread in am I infected:

http://www.bleepingcomputer.com/forums/t/526764/am-i-infected/

As I stated in it I got few virus alerts in Avira that it apparently removed. After on of them I checked start task manager and I found there some strange names like qelin that didn't had proper description and had the same name in it.

After that I ran malwarebytes and it found some random Trojan that it removed, it also found syshost that is apparently a Trojan that it tried to remove but required a restart and on restart Avira interfered so im not sure if it is removed. The log from it is the original thread above. Avira thou doesn't find anything, while mwb finds the stated syshost.

On the reply thou I didn't quite understand if the replier wanted me to run combofix too, and as I read its a scary program I only ran dds like written in guide.

Posting dds.txt here as guide said and attaching attach as instructed.

 

 

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16521  BrowserJavaVersion: 10.51.2
Run by Eduardas at 21:09:01 on 2014-03-08
Microsoft Windows 7 Enterprise   6.1.7601.1.1252.1.1033.18.4031.2727 [GMT 2:00]
.
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\nvwmi64.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\Hpservice.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\nvwmi64.exe
C:\Program Files\Tablet\Pen\Pen_TouchService.exe
C:\Program Files\Tablet\Wacom\WTabletServicePro.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\AEADISRV.EXE
C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
C:\Program Files (x86)\Intel\AMT\atchksrv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files\DAZ 3D\Content Management Service\ContentManagementServer.exe
C:\Windows\SysWOW64\srvany.exe
C:\Windows\KMService.exe
C:\Program Files (x86)\Intel\AMT\LMS.exe
C:\Program Files (x86)\PDF Complete\pdfsvc.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\Dwm.exe
C:\Program Files\Tablet\Pen\Pen_Tablet.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Tablet\Pen\Pen_TabletUser.exe
C:\Program Files (x86)\Intel\AMT\UNS.exe
C:\Program Files\Tablet\Pen\Pen_Tablet.exe
C:\Windows\system32\DRIVERS\xaudio64.exe
C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe
C:\Program Files\Tablet\Wacom\WacomHost.exe
C:\Program Files\Tablet\Pen\Pen_TouchUser.exe
C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe
C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe
C:\Windows\system32\svchost.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
C:\Program Files (x86)\Intel\AMT\atchk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
C:\Users\Eduardas\qelin.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mWinlogon: Userinit = userinit.exe
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
EB: Developer Tools: {1A6FE369-F28C-4AD9-A3E6-2BCB50807CF1} - C:\Program Files (x86)\Internet Explorer\iedvtool.dll
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
uRun: [AdobeBridge] <no file>
mRun: [SoundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
mRun: [PDF Complete] C:\Program Files (x86)\PDF Complete\pdfsty.exe
mRun: [QlbCtrl.exe] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun: [AdobeCS6ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin
mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: HideSCAHealth = dword:1
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{A1045EE0-45A6-4D90-A428-27079A729D13} : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{C6DC86AB-B466-430B-9131-2C6E32D9D2A6} : DHCPNameServer = 192.168.1.254
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.146\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-Run: [atchk] "C:\Program Files (x86)\Intel\AMT\atchk.exe"
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
x64-Run: [nwiz] C:\Program Files\NVIDIA Corporation\nview\nwiz.exe /installquiet
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;C:\Windows\System32\drivers\avkmgr.sys [2013-4-9 28600]
R2 AntiVirSchedulerService;Avira Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2013-4-9 440400]
R2 AntiVirService;Avira Real-Time Protection;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2013-4-9 440400]
R2 avgntflt;avgntflt;C:\Windows\System32\drivers\avgntflt.sys [2013-4-9 108440]
R2 DAZContentManagementService;DAZ Content Management Service;C:\Program Files\DAZ 3D\Content Management Service\ContentManagementServer.exe [2013-10-4 22528]
R2 hpsrv;HP Service;C:\Windows\System32\hpservice.exe [2011-5-13 30520]
R2 KMService;KMService;C:\Windows\System32\srvany.exe --> C:\Windows\System32\srvany.exe [?]
R2 NVWMI;NVIDIA WMI Provider;C:\Windows\System32\nvwmi64.exe [2014-2-19 2510112]
R2 pdfcDispatcher;PDF Document Manager;C:\Program Files (x86)\PDF Complete\pdfsvc.exe [2013-4-6 635416]
R2 PSI_SVC_2_x64;Protexis Licensing V2 x64;C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe [2010-11-30 336824]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2014-2-19 411936]
R2 TabletServicePen;TabletServicePen;C:\Program Files\Tablet\Pen\Pen_Tablet.exe [2013-10-4 6583160]
R2 TouchServicePen;Wacom Consumer Touch Service;C:\Program Files\Tablet\Pen\Pen_TouchService.exe [2013-10-5 528760]
R2 UNS;Intel® Active Management Technology User Notification Service;C:\Program Files (x86)\Intel\AMT\UNS.exe [2013-4-5 1464856]
R2 WTabletServicePro;Wacom Professional Service;C:\Program Files\Tablet\Wacom\WTabletServicePro.exe [2013-11-15 621336]
R3 ATSwpWDF;AuthenTec TruePrint WBF Driver;C:\Windows\System32\drivers\ATSwpWDF.sys [2012-10-18 1111856]
R3 CAXHWAZL;CAXHWAZL;C:\Windows\System32\drivers\CAXHWAZL.sys [2006-12-22 300032]
R3 Com4QLBEx;Com4QLBEx;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2013-4-8 227896]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2007-7-12 70168]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\netw5v64.sys [2009-6-10 5434368]
R3 rismcx64;RICOH Smart Card Reader;C:\Windows\System32\drivers\rismcx64.sys [2013-4-6 59008]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2012-7-8 104912]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2012-7-8 123856]
S3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\System32\drivers\btwl2cap.sys [2013-4-6 35104]
S3 hidkmdf;KMDF Driver;C:\Windows\System32\drivers\hidkmdf.sys [2013-11-15 14136]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-4-8 19456]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-14 292864]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-14 1485312]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-14 740864]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 27136]
S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-4-8 57856]
S3 WacHidRouter;Wacom Hid Router;C:\Windows\System32\drivers\wachidrouter.sys [2013-11-15 89912]
S3 wacomrouterfilter;Wacom Router Filter Driver;C:\Windows\System32\drivers\wacomrouterfilter.sys [2013-11-15 15160]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-4-11 1255736]
.
=============== File Associations ===============
.
FileExt: .js: jsfile="C:\Program Files (x86)\Adobe\Adobe Dreamweaver CS6\Dreamweaver.exe","%1"
ShellExec: dreamweaver.exe: Open="C:\Program Files (x86)\Adobe\Adobe Dreamweaver CS6\dreamweaver.exe", "%1"
.
=============== Created Last 30 ================
.
2014-03-08 12:08:38 114688 --sh--r- C:\Users\Eduardas\qelin.exe
2014-03-08 12:06:07 49152 ----a-w- C:\Users\Eduardas\rarar.exe
2014-03-06 14:54:46 -------- d-----w- C:\Users\Eduardas\AppData\Roaming\Malwarebytes
2014-03-06 14:54:32 -------- d-----w- C:\ProgramData\Malwarebytes
2014-03-06 14:54:30 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2014-03-06 14:54:30 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-03-06 14:53:55 -------- d-----w- C:\Users\Eduardas\AppData\Local\Programs
2014-03-01 11:02:26 -------- d-----w- C:\Users\Eduardas\AppData\Local\Google
2014-03-01 11:02:06 -------- d-----w- C:\Users\Eduardas\AppData\Local\Deployment
2014-03-01 11:02:06 -------- d-----w- C:\Users\Eduardas\AppData\Local\Apps
2014-02-19 19:54:09 2510112 ----a-w- C:\Windows\System32\nvwmi64.exe
2014-02-19 19:53:45 -------- d-----w- C:\Program Files (x86)\NVIDIA Corporation
2014-02-19 19:53:39 595232 ----a-w- C:\Windows\SysWow64\nvStreaming.exe
2014-02-19 19:50:41 -------- d-----w- C:\NVIDIA
2014-02-16 10:41:21 -------- d-----w- C:\Users\Eduardas\AppData\Roaming\SimulationCraft
.
==================== Find3M  ====================
.
2014-02-20 22:24:15 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-02-20 22:24:15 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2014-01-24 06:27:12 6676768 ----a-w- C:\Windows\System32\nvcpl.dll
2014-01-24 06:27:12 3496224 ----a-w- C:\Windows\System32\nvsvc64.dll
2014-01-24 06:27:08 922912 ----a-w- C:\Windows\System32\nvvsvc.exe
2014-01-24 06:27:08 63776 ----a-w- C:\Windows\System32\nvshext.dll
2014-01-24 06:27:08 386336 ----a-w- C:\Windows\System32\nvmctray.dll
2014-01-24 06:27:08 2559776 ----a-w- C:\Windows\System32\nvsvcr.dll
2013-12-18 19:09:39 96168 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-12-12 10:27:25 84720 ----a-w- C:\Windows\System32\drivers\avnetflt.sys
2013-12-12 10:27:25 108440 ----a-w- C:\Windows\System32\drivers\avgntflt.sys
2013-06-12 16:10:44 97856 ----a-w- C:\Program Files (x86)\lol.launcher.exe
2013-06-12 16:10:18 97856 ----a-w- C:\Program Files (x86)\lol.launcher.admin.exe
.
============= FINISH: 21:09:42,12 ===============
 

Attached Files



BC AdBot (Login to Remove)

 


#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:06:39 PM

Posted 09 March 2014 - 05:03 AM

Hello! Welcome to BleepingComputer Forums! :welcome:
My name is Georgi and and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will working be on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested ! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

 

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

 

Regards,

Georgi


cXfZ4wS.png


#3 Animas42

Animas42
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:05:39 PM

Posted 09 March 2014 - 10:37 AM

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 08-03-2014 01
Ran by Eduardas (administrator) on EDUARDAS-PC on 09-03-2014 17:29:02
Running from C:\Users\Eduardas\Desktop
Windows 7 Enterprise Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(NVIDIA Corporation) C:\Windows\system32\nvwmi64.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Microsoft Corporation) C:\Windows\system32\AUDIODG.EXE
(Hewlett-Packard Company) C:\Windows\system32\Hpservice.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Pen\Pen_TouchService.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\WTabletServicePro.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(NVIDIA Corporation) C:\Windows\system32\nvwmi64.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
(Andrea Electronics Corporation) C:\Windows\system32\AEADISRV.EXE
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
(Intel Corporation) C:\Program Files (x86)\Intel\AMT\atchksrv.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
() C:\Program Files\DAZ 3D\Content Management Service\ContentManagementServer.exe
() C:\Windows\SysWOW64\srvany.exe
() C:\Windows\KMService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\AMT\LMS.exe
(PDF Complete Inc) C:\Program Files (x86)\PDF Complete\pdfsvc.exe
(arvato digital services llc) c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Pen\Pen_Tablet.exe
(Microsoft Corporation) C:\Windows\SYSTEM32\WISPTIS.EXE
(Microsoft Corporation) C:\Windows\SYSTEM32\WISPTIS.EXE
(Wacom Technology, Corp.) C:\Program Files\Tablet\Pen\Pen_TouchUser.exe
(Intel Corporation) C:\Program Files (x86)\Intel\AMT\UNS.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Pen\Pen_TabletUser.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Pen\Pen_Tablet.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe
(Wacom Technology) C:\Program Files\Tablet\Wacom\WacomHost.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe
(Conexant Systems, Inc.) C:\Windows\system32\DRIVERS\xaudio64.exe
(Intel Corporation) C:\Program Files (x86)\Intel\AMT\atchk.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
(Analog Devices, Inc.) C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
( Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
( Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
() C:\Users\Eduardas\qelin.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\update.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\updrgui.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [atchk] - C:\Program Files (x86)\Intel\AMT\atchk.exe [408088 2008-05-25] (Intel Corporation)
HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2174760 2010-06-04] (Synaptics Incorporated)
HKLM\...\Run: [AdobeAAMUpdater-1.0] - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [446392 2012-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [nwiz] - C:\Program Files\NVIDIA Corporation\nview\nwiz.exe [2728736 2014-01-24] ()
HKLM-x32\...\Run: [SoundMAXPnP] - C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe [1183744 2007-02-21] (Analog Devices, Inc.)
HKLM-x32\...\Run: [PDF Complete] - C:\Program Files (x86)\PDF Complete\pdfsty.exe [563736 2009-06-18] (PDF Complete Inc)
HKLM-x32\...\Run: [QlbCtrl.exe] - C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe [287800 2009-11-11] ( Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [BCSSync] - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [avgnt] - C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [689744 2014-02-20] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [AdobeCS6ServiceManager] - C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1073312 2012-03-09] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SwitchBoard] - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
Winlogon\Notify\ScCertProp: wlnotify.dll [X]
HKU\S-1-5-21-4236149965-273026236-3721222470-1000\...\Run: [Skype] - C:\Program Files (x86)\Skype\Phone\Skype.exe [17879216 2012-11-09] (Skype Technologies S.A.)
HKU\S-1-5-21-4236149965-273026236-3721222470-1000\...\Run: [AdobeBridge] - [X]
HKU\S-1-5-21-4236149965-273026236-3721222470-1000\...\Run: [uTorrent] - C:\Program Files (x86)\uTorrent\uTorrent.exe [399736 2013-04-27] (BitTorrent, Inc.)
HKU\S-1-5-21-4236149965-273026236-3721222470-1000\...\Run: [qelin] - C:\Users\Eduardas\qelin.exe [114688 2014-03-08] ()
HKU\S-1-5-21-4236149965-273026236-3721222470-1000\...\Policies\Explorer: [HideSCAHealth] 1

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xAAA4F3A52332CE01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = lt
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

Chrome:
=======
CHR Extension: (Google Docs) - C:\Users\Eduardas\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-03-01]
CHR Extension: (Google Drive) - C:\Users\Eduardas\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-03-01]
CHR Extension: (YouTube) - C:\Users\Eduardas\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-03-01]
CHR Extension: (Google Search) - C:\Users\Eduardas\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-03-01]
CHR Extension: (Google Wallet) - C:\Users\Eduardas\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-03-01]
CHR Extension: (Gmail) - C:\Users\Eduardas\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-03-01]

==================== Services (Whitelisted) =================

R2 AEADIFilters; C:\Windows\system32\AEADISRV.EXE [80384 2007-02-06] (Andrea Electronics Corporation)
R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [440400 2014-02-20] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [440400 2014-02-20] (Avira Operations GmbH & Co. KG)
R2 atchksrv; C:\Program Files (x86)\Intel\AMT\atchksrv.exe [182808 2008-05-25] (Intel Corporation)
R2 DAZContentManagementService; C:\Program Files\DAZ 3D\Content Management Service\ContentManagementServer.exe [22528 2011-05-05] ()
R2 KMService; C:\Windows\SysWOW64\srvany.exe [8192 2013-04-09] ()
R2 LMS; C:\Program Files (x86)\Intel\AMT\LMS.exe [121368 2008-05-25] (Intel Corporation)
R2 NVWMI; C:\Windows\system32\nvwmi64.exe [2510112 2014-01-24] (NVIDIA Corporation)
R2 pdfcDispatcher; C:\Program Files (x86)\PDF Complete\pdfsvc.exe [635416 2009-06-18] (PDF Complete Inc)
R2 PSI_SVC_2_x64; c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe [336824 2010-11-30] (arvato digital services llc)
R2 UNS; C:\Program Files (x86)\Intel\AMT\UNS.exe [1464856 2008-05-25] (Intel Corporation)
R2 WTabletServicePro; C:\Program Files\Tablet\Wacom\WTabletServicePro.exe [621336 2013-10-04] (Wacom Technology, Corp.)

==================== Drivers (Whitelisted) ====================

R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [108440 2013-12-12] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [131576 2013-12-12] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2013-10-07] (Avira Operations GmbH & Co. KG)
R3 HBtnKey; C:\Windows\System32\DRIVERS\cpqbttn.sys [19000 2010-02-24] (Hewlett-Packard Company)
R3 rismcx64; C:\Windows\System32\DRIVERS\rismcx64.sys [59008 2009-07-20] (RICOH Company, Ltd.)
R1 Serial; C:\Windows\System32\DRIVERS\serial.sys [94208 2009-07-14] (Brother Industries Ltd.)
S0 2c5a549386bb2b27; \SystemRoot\System32\Drivers\2c5a549386bb2b27.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-03-09 17:29 - 2014-03-09 17:30 - 00012123 _____ () C:\Users\Eduardas\Desktop\FRST.txt
2014-03-09 17:28 - 2014-03-09 17:29 - 00000000 ____D () C:\FRST
2014-03-09 17:27 - 2014-03-09 17:28 - 02156544 _____ (Farbar) C:\Users\Eduardas\Desktop\FRST64.exe
2014-03-08 21:14 - 2014-03-08 21:14 - 00000000 ____D () C:\Users\Eduardas\Desktop\removalo programos
2014-03-08 21:09 - 2014-03-08 21:09 - 00015989 _____ () C:\Users\Eduardas\Desktop\dds.txt
2014-03-08 21:09 - 2014-03-08 21:09 - 00008652 _____ () C:\Users\Eduardas\Desktop\attach.txt
2014-03-08 14:08 - 2014-03-08 14:07 - 00114688 __RSH () C:\Users\Eduardas\qelin.exe
2014-03-08 14:06 - 2014-03-08 14:06 - 00049152 _____ () C:\Users\Eduardas\rarar.exe
2014-03-07 01:38 - 2014-03-07 01:38 - 00000012 _____ () C:\Users\Eduardas\AppData\Roaming\mbam.context.scan
2014-03-06 16:54 - 2014-03-06 16:54 - 00001109 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-03-06 16:54 - 2014-03-06 16:54 - 00000000 ____D () C:\Users\Eduardas\AppData\Roaming\Malwarebytes
2014-03-06 16:54 - 2014-03-06 16:54 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-03-06 16:54 - 2014-03-06 16:54 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-03-06 16:54 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-03-06 02:47 - 2014-03-06 02:47 - 00007608 _____ () C:\Users\Eduardas\AppData\Local\Resmon.ResmonCfg
2014-03-01 13:02 - 2014-03-09 17:24 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-03-01 13:02 - 2014-03-08 21:08 - 00000902 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-03-01 13:02 - 2014-03-01 13:02 - 00003898 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-03-01 13:02 - 2014-03-01 13:02 - 00003646 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-03-01 13:02 - 2014-03-01 13:02 - 00000000 ____D () C:\Users\Eduardas\AppData\Local\Google
2014-03-01 13:02 - 2014-03-01 13:02 - 00000000 ____D () C:\Users\Eduardas\AppData\Local\Deployment
2014-03-01 13:02 - 2014-03-01 13:02 - 00000000 ____D () C:\Users\Eduardas\AppData\Local\Apps\2.0
2014-03-01 13:02 - 2014-03-01 13:02 - 00000000 ____D () C:\Program Files (x86)\Google
2014-02-27 00:54 - 2014-03-06 12:01 - 00000000 ____D () C:\Users\Eduardas\Desktop\chess
2014-02-26 17:47 - 2014-02-26 17:47 - 00000000 ____D () C:\Users\Eduardas\AppData\Roaming\Media Player Classic
2014-02-25 11:53 - 2014-02-25 12:03 - 00000000 ____D () C:\Users\Eduardas\Desktop\portretai
2014-02-24 22:34 - 2014-02-25 02:38 - 19796057 _____ () C:\Users\Eduardas\Desktop\portretai.psd
2014-02-21 15:57 - 2014-02-21 15:57 - 00125360 _____ () C:\Users\Eduardas\Desktop\sachmatai.jpeg
2014-02-21 14:30 - 2014-02-21 14:30 - 00182777 _____ () C:\Users\Eduardas\Desktop\sachmatai.psd
2014-02-20 11:11 - 2014-02-20 11:24 - 00000000 ____D () C:\Users\Eduardas\Desktop\logotipai
2014-02-19 21:54 - 2014-01-24 10:40 - 02510112 _____ (NVIDIA Corporation) C:\Windows\system32\nvwmi64.exe
2014-02-19 21:54 - 2014-01-24 10:40 - 00004084 _____ () C:\Windows\system32\nvPerfProvider.man
2014-02-19 21:53 - 2014-02-19 21:53 - 00000000 ____D () C:\Program Files (x86)\NVIDIA Corporation
2014-02-19 21:53 - 2014-01-24 07:47 - 00595232 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvStreaming.exe
2014-02-19 21:51 - 2014-01-24 10:40 - 30385440 _____ (NVIDIA Corporation) C:\Windows\system32\nvoglv64.dll
2014-02-19 21:51 - 2014-01-24 10:40 - 25258784 _____ (NVIDIA Corporation) C:\Windows\system32\nvcompiler.dll
2014-02-19 21:51 - 2014-01-24 10:40 - 22971168 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvoglv32.dll
2014-02-19 21:51 - 2014-01-24 10:40 - 18313184 _____ (NVIDIA Corporation) C:\Windows\system32\nvwgf2umx.dll
2014-02-19 21:51 - 2014-01-24 10:40 - 18224080 _____ (NVIDIA Corporation) C:\Windows\system32\nvd3dumx.dll
2014-02-19 21:51 - 2014-01-24 10:40 - 17560352 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcompiler.dll
2014-02-19 21:51 - 2014-01-24 10:40 - 15878752 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvwgf2um.dll
2014-02-19 21:51 - 2014-01-24 10:40 - 15231912 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvd3dum.dll
2014-02-19 21:51 - 2014-01-24 10:40 - 12661536 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvlddmkm.sys
2014-02-19 21:51 - 2014-01-24 10:40 - 11626352 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuda.dll
2014-02-19 21:51 - 2014-01-24 10:40 - 11575376 _____ (NVIDIA Corporation) C:\Windows\system32\nvopencl.dll
2014-02-19 21:51 - 2014-01-24 10:40 - 09720800 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuda.dll
2014-02-19 21:51 - 2014-01-24 10:40 - 09678064 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvopencl.dll
2014-02-19 21:51 - 2014-01-24 10:40 - 03138336 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuvid.dll
2014-02-19 21:51 - 2014-01-24 10:40 - 03130144 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuvenc.dll
2014-02-19 21:51 - 2014-01-24 10:40 - 02952992 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuvid.dll
2014-02-19 21:51 - 2014-01-24 10:40 - 02752800 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuvenc.dll
2014-02-19 21:51 - 2014-01-24 10:40 - 02701392 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvapi.dll
2014-02-19 21:51 - 2014-01-24 10:40 - 01884448 _____ (NVIDIA Corporation) C:\Windows\system32\nvdispco6433250.dll
2014-02-19 21:51 - 2014-01-24 10:40 - 01511712 _____ (NVIDIA Corporation) C:\Windows\system32\nvdispgenco6433250.dll
2014-02-19 21:51 - 2014-01-24 10:40 - 00887584 _____ (NVIDIA Corporation) C:\Windows\system32\NvIFR64.dll
2014-02-19 21:51 - 2014-01-24 10:40 - 00887072 _____ (NVIDIA Corporation) C:\Windows\system32\NvFBC64.dll
2014-02-19 21:51 - 2014-01-24 10:40 - 00857888 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\NvIFR.dll
2014-02-19 21:51 - 2014-01-24 10:40 - 00853792 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\NvFBC.dll
2014-02-19 21:50 - 2014-02-19 21:50 - 00000000 ____D () C:\NVIDIA
2014-02-19 20:17 - 2014-02-20 11:24 - 09782364 _____ () C:\Users\Eduardas\Desktop\logos.psd
2014-02-16 21:36 - 2014-02-16 21:36 - 00262144 ____N () C:\Windows\Minidump\021614-19156-01.dmp
2014-02-16 12:41 - 2014-02-16 12:41 - 00000000 ____D () C:\Users\Eduardas\AppData\Roaming\SimulationCraft
2014-02-16 12:39 - 2014-02-16 12:48 - 00000000 ____D () C:\Users\Eduardas\Desktop\simc-542-1-win64

==================== One Month Modified Files and Folders =======

2014-03-09 17:30 - 2014-03-09 17:29 - 00012123 _____ () C:\Users\Eduardas\Desktop\FRST.txt
2014-03-09 17:29 - 2014-03-09 17:28 - 00000000 ____D () C:\FRST
2014-03-09 17:28 - 2014-03-09 17:27 - 02156544 _____ (Farbar) C:\Users\Eduardas\Desktop\FRST64.exe
2014-03-09 17:28 - 2013-04-09 12:25 - 00000000 ____D () C:\Users\Eduardas\AppData\Roaming\Skype
2014-03-09 17:24 - 2014-03-01 13:02 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-03-09 17:24 - 2013-04-23 19:29 - 00000000 ____D () C:\Users\Eduardas\AppData\Roaming\uTorrent
2014-03-09 17:24 - 2013-04-09 12:19 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-03-09 17:23 - 2013-04-05 19:30 - 00000000 ____D () C:\ProgramData\NVIDIA
2014-03-09 17:23 - 2009-07-14 07:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-03-09 17:23 - 2009-07-14 06:51 - 00057171 _____ () C:\Windows\setupact.log
2014-03-09 11:26 - 2013-04-09 17:00 - 00000000 ____D () C:\Users\Eduardas\AppData\Local\Adobe
2014-03-08 21:14 - 2014-03-08 21:14 - 00000000 ____D () C:\Users\Eduardas\Desktop\removalo programos
2014-03-08 21:09 - 2014-03-08 21:09 - 00015989 _____ () C:\Users\Eduardas\Desktop\dds.txt
2014-03-08 21:09 - 2014-03-08 21:09 - 00008652 _____ () C:\Users\Eduardas\Desktop\attach.txt
2014-03-08 21:08 - 2014-03-01 13:02 - 00000902 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-03-08 20:58 - 2013-09-19 00:53 - 00000000 ____D () C:\Users\Eduardas\AppData\Local\Battle.net
2014-03-08 20:50 - 2013-04-19 05:01 - 00000000 ____D () C:\Program Files (x86)\World of Warcraft
2014-03-08 20:37 - 2013-04-05 19:29 - 00117170 _____ () C:\Windows\PFRO.log
2014-03-08 14:10 - 2013-04-05 19:11 - 00000000 ____D () C:\Users\Eduardas
2014-03-08 14:07 - 2014-03-08 14:08 - 00114688 __RSH () C:\Users\Eduardas\qelin.exe
2014-03-08 14:06 - 2014-03-08 14:06 - 00049152 _____ () C:\Users\Eduardas\rarar.exe
2014-03-07 12:34 - 2013-04-19 04:03 - 00000000 ____D () C:\Users\Eduardas\AppData\Roaming\vlc
2014-03-07 01:38 - 2014-03-07 01:38 - 00000012 _____ () C:\Users\Eduardas\AppData\Roaming\mbam.context.scan
2014-03-07 01:04 - 2009-07-14 06:45 - 00010448 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-03-07 01:04 - 2009-07-14 06:45 - 00010448 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-03-06 16:54 - 2014-03-06 16:54 - 00001109 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-03-06 16:54 - 2014-03-06 16:54 - 00000000 ____D () C:\Users\Eduardas\AppData\Roaming\Malwarebytes
2014-03-06 16:54 - 2014-03-06 16:54 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-03-06 16:54 - 2014-03-06 16:54 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-03-06 12:54 - 2009-07-14 07:13 - 00785302 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-03-06 12:01 - 2014-02-27 00:54 - 00000000 ____D () C:\Users\Eduardas\Desktop\chess
2014-03-06 02:47 - 2014-03-06 02:47 - 00007608 _____ () C:\Users\Eduardas\AppData\Local\Resmon.ResmonCfg
2014-03-05 21:49 - 2013-09-19 00:53 - 00000000 ____D () C:\Program Files (x86)\Battle.net
2014-03-04 21:22 - 2013-04-06 05:04 - 01468226 _____ () C:\Windows\WindowsUpdate.log
2014-03-03 00:30 - 2013-04-06 20:50 - 00000000 ____D () C:\ProgramData\PDFC
2014-03-02 10:29 - 2009-07-14 07:08 - 00032628 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-03-01 13:02 - 2014-03-01 13:02 - 00003898 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-03-01 13:02 - 2014-03-01 13:02 - 00003646 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-03-01 13:02 - 2014-03-01 13:02 - 00000000 ____D () C:\Users\Eduardas\AppData\Local\Google
2014-03-01 13:02 - 2014-03-01 13:02 - 00000000 ____D () C:\Users\Eduardas\AppData\Local\Deployment
2014-03-01 13:02 - 2014-03-01 13:02 - 00000000 ____D () C:\Users\Eduardas\AppData\Local\Apps\2.0
2014-03-01 13:02 - 2014-03-01 13:02 - 00000000 ____D () C:\Program Files (x86)\Google
2014-02-28 16:13 - 2014-01-12 13:44 - 00000000 ____D () C:\Users\Eduardas\Desktop\Catus-Latest
2014-02-27 20:50 - 2013-11-09 22:21 - 00000000 ____D () C:\Users\Eduardas\Desktop\filmai
2014-02-26 17:47 - 2014-02-26 17:47 - 00000000 ____D () C:\Users\Eduardas\AppData\Roaming\Media Player Classic
2014-02-26 17:28 - 2013-06-29 20:26 - 00000000 ____D () C:\Users\Eduardas\Desktop\CGS_Becoming_a_Better Artist_worksop
2014-02-26 17:28 - 2013-04-13 16:48 - 00000000 ____D () C:\Users\Eduardas\Desktop\Ugdymo tyrimu pagrindai
2014-02-26 17:26 - 2013-12-20 23:45 - 00000000 ____D () C:\Users\Eduardas\Desktop\viz_menai_1kr
2014-02-26 16:59 - 2013-04-09 13:42 - 00000000 ____D () C:\Users\Eduardas\Documents\Zygor_Guides_15.04
2014-02-26 16:47 - 2013-04-13 21:34 - 00000000 ____D () C:\Users\Eduardas\Desktop\Studiju baigiamuju darbu atsiskaitymui_2013
2014-02-26 15:51 - 2013-10-06 16:04 - 00000000 ____D () C:\Users\Eduardas\Desktop\brush
2014-02-26 15:32 - 2013-10-15 01:28 - 00000000 ____D () C:\Users\Eduardas\Desktop\gamta
2014-02-25 12:03 - 2014-02-25 11:53 - 00000000 ____D () C:\Users\Eduardas\Desktop\portretai
2014-02-25 02:38 - 2014-02-24 22:34 - 19796057 _____ () C:\Users\Eduardas\Desktop\portretai.psd
2014-02-21 15:57 - 2014-02-21 15:57 - 00125360 _____ () C:\Users\Eduardas\Desktop\sachmatai.jpeg
2014-02-21 14:30 - 2014-02-21 14:30 - 00182777 _____ () C:\Users\Eduardas\Desktop\sachmatai.psd
2014-02-21 00:24 - 2013-04-09 12:19 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-02-21 00:24 - 2013-04-09 12:19 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-02-21 00:24 - 2013-04-09 12:19 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-02-20 11:24 - 2014-02-20 11:11 - 00000000 ____D () C:\Users\Eduardas\Desktop\logotipai
2014-02-20 11:24 - 2014-02-19 20:17 - 09782364 _____ () C:\Users\Eduardas\Desktop\logos.psd
2014-02-20 11:12 - 2013-04-16 21:59 - 00001456 _____ () C:\Users\Eduardas\AppData\Local\Adobe Save for Web 13.0 Prefs
2014-02-20 11:11 - 2013-04-09 18:34 - 00000000 ____D () C:\Users\Eduardas\AppData\Roaming\NVIDIA
2014-02-19 21:54 - 2013-04-08 11:06 - 00000000 ____D () C:\ProgramData\NVIDIA Corporation
2014-02-19 21:54 - 2013-04-08 11:06 - 00000000 ____D () C:\Program Files\NVIDIA Corporation
2014-02-19 21:53 - 2014-02-19 21:53 - 00000000 ____D () C:\Program Files (x86)\NVIDIA Corporation
2014-02-19 21:50 - 2014-02-19 21:50 - 00000000 ____D () C:\NVIDIA
2014-02-19 10:43 - 2013-12-21 22:56 - 00000000 ____D () C:\Program Files (x86)\RADS
2014-02-16 21:36 - 2014-02-16 21:36 - 00262144 ____N () C:\Windows\Minidump\021614-19156-01.dmp
2014-02-16 21:36 - 2013-05-27 12:49 - 00000000 ____D () C:\Windows\Minidump
2014-02-16 12:48 - 2014-02-16 12:39 - 00000000 ____D () C:\Users\Eduardas\Desktop\simc-542-1-win64
2014-02-16 12:41 - 2014-02-16 12:41 - 00000000 ____D () C:\Users\Eduardas\AppData\Roaming\SimulationCraft
2014-02-09 15:53 - 2013-10-20 15:15 - 00000000 ____D () C:\Users\Eduardas\Desktop\foto

Files to move or delete:
====================
C:\Users\Eduardas\qelin.exe
C:\Users\Eduardas\rarar.exe

Some content of TEMP:
====================
C:\Users\Eduardas\AppData\Local\Temp\20131004165900.799.exe
C:\Users\Eduardas\AppData\Local\Temp\AskSLib.dll
C:\Users\Eduardas\AppData\Local\Temp\avgnt.exe
C:\Users\Eduardas\AppData\Local\Temp\jre-7u21-windows-i586-iftw.exe
C:\Users\Eduardas\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe
C:\Users\Eduardas\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\Eduardas\AppData\Local\Temp\nvAppBar.exe
C:\Users\Eduardas\AppData\Local\Temp\nview.dll
C:\Users\Eduardas\AppData\Local\Temp\nView64.dll
C:\Users\Eduardas\AppData\Local\Temp\nViewSetup.exe
C:\Users\Eduardas\AppData\Local\Temp\nvShell.dll
C:\Users\Eduardas\AppData\Local\Temp\nvTaskBar.exe
C:\Users\Eduardas\AppData\Local\Temp\nvwdmcpl.dll
C:\Users\Eduardas\AppData\Local\Temp\nvwimg.dll
C:\Users\Eduardas\AppData\Local\Temp\nvwimg64.dll
C:\Users\Eduardas\AppData\Local\Temp\NVWRSAR.dll
C:\Users\Eduardas\AppData\Local\Temp\NVWRSCS.dll
C:\Users\Eduardas\AppData\Local\Temp\NVWRSDA.dll
C:\Users\Eduardas\AppData\Local\Temp\NVWRSDE.dll
C:\Users\Eduardas\AppData\Local\Temp\NVWRSEL.dll
C:\Users\Eduardas\AppData\Local\Temp\NVWRSENG.dll
C:\Users\Eduardas\AppData\Local\Temp\NVWRSENU.dll
C:\Users\Eduardas\AppData\Local\Temp\NVWRSES.dll
C:\Users\Eduardas\AppData\Local\Temp\NVWRSESM.dll
C:\Users\Eduardas\AppData\Local\Temp\NVWRSFI.dll
C:\Users\Eduardas\AppData\Local\Temp\NVWRSFR.dll
C:\Users\Eduardas\AppData\Local\Temp\NVWRSHE.dll
C:\Users\Eduardas\AppData\Local\Temp\NVWRSHU.dll
C:\Users\Eduardas\AppData\Local\Temp\NVWRSIT.dll
C:\Users\Eduardas\AppData\Local\Temp\NVWRSJA.dll
C:\Users\Eduardas\AppData\Local\Temp\NVWRSKO.dll
C:\Users\Eduardas\AppData\Local\Temp\NVWRSNL.dll
C:\Users\Eduardas\AppData\Local\Temp\NVWRSNO.dll
C:\Users\Eduardas\AppData\Local\Temp\NVWRSPL.dll
C:\Users\Eduardas\AppData\Local\Temp\NVWRSPT.dll
C:\Users\Eduardas\AppData\Local\Temp\NVWRSPTB.dll
C:\Users\Eduardas\AppData\Local\Temp\NVWRSRU.dll
C:\Users\Eduardas\AppData\Local\Temp\NVWRSSK.dll
C:\Users\Eduardas\AppData\Local\Temp\NVWRSSL.dll
C:\Users\Eduardas\AppData\Local\Temp\NVWRSSV.dll
C:\Users\Eduardas\AppData\Local\Temp\NVWRSTH.dll
C:\Users\Eduardas\AppData\Local\Temp\NVWRSTR.dll
C:\Users\Eduardas\AppData\Local\Temp\NVWRSZHC.dll
C:\Users\Eduardas\AppData\Local\Temp\NVWRSZHT.dll
C:\Users\Eduardas\AppData\Local\Temp\nwiz.exe
C:\Users\Eduardas\AppData\Local\Temp\swt-win32-3349.dll
C:\Users\Eduardas\AppData\Local\Temp\vlc-2.1.2-win32.exe

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

testsigning: ==> Check for possible unsigned rootkit driver <===== ATTENTION!

LastRegBack: 2014-03-03 17:25

==================== End Of Log ============================

Attached Files



#4 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:06:39 PM

Posted 09 March 2014 - 02:44 PM

Hello,

 

 

IMPORTANT NOTE: One or more of the identified infections is related to the rootkit Necurs. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used be the attacker for malicious purposes. Rootkits are used be Trojans to conceal its presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bepasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is send back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, you should stay disconnected from the Internet until your system is fully cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

 

 

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you decide to continue please the following:

 

 

 

Please download ESETNecursRemover.exe and save it to your desktop.

Double-click on ESETNecursRemover.exe.
If you see the message: "Win32Necurs was found active on your system, do you want to perform cleaning" => choose YES.
Next you will see the message: "Do you want to restart the computer now (required)". => choose YES.

 

 

 

Now please download the following file => and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

 

 

 

Regards,

Georgi


cXfZ4wS.png


#5 Animas42

Animas42
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:05:39 PM

Posted 10 March 2014 - 06:00 AM

[2014.03.10 00:53:20.664] -
[2014.03.10 00:53:20.664] - ....................................
[2014.03.10 00:53:20.664] - ..::::::::::::::::::....................
[2014.03.10 00:53:20.680] - .::EEEEEE:::SSSSSS::..EEEEEE..TTTTTTTT.. Win32/Necurs
[2014.03.10 00:53:20.680] - .::EE::::EE:SS:::::::.EE....EE....TT...... Version: 2.1.0.1
[2014.03.10 00:53:20.680] - .::EEEEEEEE::SSSSSS::.EEEEEEEE....TT...... Built: Sep 17 2013
[2014.03.10 00:53:20.680] - .::EE:::::::::::::SS:.EE..........TT......
[2014.03.10 00:53:20.680] - .::EEEEEE:::SSSSSS::..EEEEEE.....TT..... Copyright © ESET, spol. s r.o.
[2014.03.10 00:53:20.680] - ..::::::::::::::::::.................... 1992-2013. All rights reserved.
[2014.03.10 00:53:20.680] - ....................................
[2014.03.10 00:53:20.680] -
[2014.03.10 00:53:20.680] - --------------------------------------------------------------------------------
[2014.03.10 00:53:20.680] -
[2014.03.10 00:53:20.680] - INFO: OS: 6.1.7601 SP1
[2014.03.10 00:53:20.680] - INFO: Product Type: Workstation
[2014.03.10 00:53:20.680] - INFO: WoW64: True
[2014.03.10 00:53:20.680] - INFO: Machine guid: 0147DC24-DBC0-4FD8-A95C-3E2D1B0CFE86
[2014.03.10 00:53:20.680] -
[2014.03.10 00:53:31.319] - INFO: Scanning for system infection...
[2014.03.10 00:53:31.319] - --------------------------------------------------------------------------------
[2014.03.10 00:53:31.319] -
[2014.03.10 00:53:31.335] - INFO: Necurs not found - suspicious services list is empty.
[2014.03.10 00:53:31.335] - INFO: DT01...
[2014.03.10 00:53:31.335] - INFO: Win32/Necurs not found
[2014.03.10 00:53:44.439] - --------------------------------------------------------------------------------
[2014.03.10 00:53:44.439] - INFO: Logging finished successfully...
[2014.03.10 00:53:44.439] - --------------------------------------------------------------------------------

Fixlog attached.

Attached Files



#6 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:06:39 PM

Posted 10 March 2014 - 09:51 AM

Hello,

 

 

Great work...the rootkit was already disabled and that's why Eset's tool didn't find anything and we removed the rootkit service with FRST.

 

Before we continue please do the following:

 

Please zip and upload this folder - C:\FRST\Quarantine to http://www.bleepingcomputer.com/submit-malware.php?channel=122 so I can examine the files and submit to antivirus companies if needed.

After that please delete the zip file you just created but don't delete the folder yet.

 

 

I want to make sure there is nothing lurking on the system so just in case I want you to go through these steps:

 

 

 

STEP 1

 

  • Please download RogueKillerX64.exe and save to the desktop.
  • Close all windows and browsers
  • Right-click the program and select 'Run as Administrator'
  • Press the scan button.
  • A report opens on the desktop named - RKreport.txt
  • Please copy and past the results at pastebin.com and post the link to the log in your next reply.

 

 

STEP 2
 

 

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
    image000q.png
  • Put a checkmark beside loaded modules.
    Sbf88.png
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
    JtwHB.png
  • Click the Start Scan button.
    19695967.jpg
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
    67776163.jpg
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    62117367.jpg
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and past the results at pastebin.com and post the link to the log in your next reply.

 

 

STEP 3

 

 

Please download Malwarebytes Anti-Rootkit mbamicontw5.gif and save it to your desktop.

  • Be sure to print out and follow these instructions for performing a scan.
  • Caution: This is a beta version so also read the disclaimer and back up all your data before using.
  • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
  • Copy and paste the contents of these two log files in your next reply.

Note: Further documentation on this tool can be found in the ReadMe.rtf file which is located in the Malwarebytes Anti-Rootkit (mbar) folder.

 

 

STEP 4

 

 

1.Please download HitmanPro

  • For 32-bit Operating System - dEMD6.gif.
  • For 64-bit Operating System - dEMD6.gif

2.Launch the program by double clicking on the 5vo5F.jpg icon.

Note: If the program won't run please then open the program while holding down the left CTRL key until the program is loaded.

3.Click on the next button. You must agree with the terms of EULA. (if asked)

4.Check the box beside "No, I only want to perform a one-time scan to check this computer".

5.Click on the next button.

6.The program will start to scan the computer. The scan will typically take no more than 5-10 minutes.

7.When the scan is done click on drop-down menu of the found entries (if any) and choose - Apply to all => Ignore <= IMPORTANT!!!

8.Click on the next button.

9.Click on the "Save Log" button.

10.Save that file to your desktop and post the content of that file in your next reply.

Note: if there isn't a dropdown menu when the scan is done then please don't delete anything and close HitmanPro

6-scanfin-choose.jpg

Navigate to C:\Documents and Settings\All Users\Application Data\HitmanPro\Logs (for Windows XP) or to C:\ProgramData\HitmanPro\Logs (for Windows Vista/7) open the report and copy and paste it to your next reply.

 

 

 

Regards,

Georgi


Edited by B-boy/StyLe/, 13 March 2014 - 02:34 AM.
typo.

cXfZ4wS.png


#7 Animas42

Animas42
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:05:39 PM

Posted 10 March 2014 - 12:29 PM

The quarantine file you requested is 6 gigs in size. Ziped its 2 ish, but since this isnt the original pc im having trouble sending the zip(this pc is quite old).I keep getting timeouts and connection errors.

I did not do any of the steps you posted to do after the zip file since i did not know if those are related.



#8 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:06:39 PM

Posted 10 March 2014 - 07:43 PM

Hello,

 

Ok, please open the folder C:\FRST\Quarantine and zip only the following 2 files:

 

C:\FRST\Quarantine\qelin.exe.bad
C:\FRST\Quarantine\rarar.exe.bad

 

and next continue with the rest of the steps.

 

Thanks! :)

 

 

Regards,

Georgi


cXfZ4wS.png


#9 Animas42

Animas42
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:05:39 PM

Posted 11 March 2014 - 11:28 AM

There was no qelin in the location you specified, only rarar which i submitted.

The logs of the programs in the pastebins.

 

Antirootkit did find kmservice that as i said is ms office crack.

Hitman thou found qelin that as you instructed, ignore to all.

 

http://pastebin.com/mc8baWeE

http://pastebin.com/SuPPqbAC

http://pastebin.com/i1eEGJL1

http://pastebin.com/HQuM1zTn



#10 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:06:39 PM

Posted 11 March 2014 - 12:35 PM

Hello,

 

 

That should remove qelin.exe.

 

Please download the following file => and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

Next see if the file is in C:\FRST\Quarantine and if so please submit the file as well.

 

 

 

About kmservice you really should avoid using pirated software. This is playing with fire though.

Avoid using cracks and unknown programs from sources you don't trust. There are MANY alternative open-source applications like GIMP or LibreOffice, OpenOffice, Kingsoft Office, SSuite Office - Accel Spreadsheet + SSuite Office - WordGraph, AbiWord, Gnumeric etc...

Malware writers just love cracks and keygens, and will often attach malicious code into them. By using cracks and/or keygens, you are asking for problems.

So my advice is - stay away from them!

 

 

 

Also let me know how are things now.

 

 

 

Regards,

Georgi


cXfZ4wS.png


#11 Animas42

Animas42
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:05:39 PM

Posted 11 March 2014 - 01:08 PM

The qelin appeared in quarantine. I sent a zip.

 

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 08-03-2014 01
Ran by Eduardas at 2014-03-11 19:57:55 Run:2
Running from C:\Users\Eduardas\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
C:\Users\Eduardas\qelin.exe
reg: reg delete "HKLM\SOFTWARE\Classes\Interface\{9EDC0C90-2B5B-4512-953E-35767BAD5C67}" /f
reg: reg delete "HKLM\SOFTWARE\Classes\Interface\{D54C859C-6066-4F31-8FE0-2AAEDCAE67D7}" /f
end
*****************

C:\Users\Eduardas\qelin.exe => Moved successfully.

========= reg delete "HKLM\SOFTWARE\Classes\Interface\{9EDC0C90-2B5B-4512-953E-35767BAD5C67}" /f =========

The operation completed successfully.

========= End of Reg: =========


========= reg delete "HKLM\SOFTWARE\Classes\Interface\{D54C859C-6066-4F31-8FE0-2AAEDCAE67D7}" /f =========

The operation completed successfully.

========= End of Reg: =========


==== End of Fixlog ====



#12 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:06:39 PM

Posted 11 March 2014 - 01:38 PM

Hello,

 

Thank you for the files...Here are the last 3 steps before I give you my final recommendations:

Also you forgot to answer how are the things now?

 

 

STEP 1

 

 

  • Please download RKill by Grinler from the link below and save it to your desktop.

    Rkill
  • Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log.
  • Please post the log in your next reply.

 

 

STEP 2

 

 

I'd like us to scan your machine with ESET OnlineScan
 

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Run ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.
  • Check esetAcceptTerms.png
  • Click the esetStart.png button.
  • Accept any security warnings from your browser.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
  •  
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push esetListThreats.png
  • Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the esetBack.png button.
  • Push esetFinish.png

 

 

STEP 3

 

 

Download Security Check by screen317 from here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

 

Regards,

Georgi


cXfZ4wS.png


#13 Animas42

Animas42
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:05:39 PM

Posted 11 March 2014 - 04:23 PM

Sorry about that. Sofar as I said seems like no virus traces left. Avira isn't poping, no weird named processes poping. As for overall system work, it was ok to begin with . Thou I have a "feeling" it is opening and closing a tad faster.

Here are the three reports:

 

 

Rkill 2.6.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 03/11/2014 09:28:03 PM in x64 mode.
Windows Version: Windows 7 Enterprise Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * C:\Windows\SysWOW64\srvany.exe (PID: 2444) [WD-HEUR]
 * C:\Windows\KMService.exe (PID: 2552) [WD-HEUR]

2 proccesses terminated!

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Disabled

 * Security Center (wscsvc) is not Running.
   Startup Type set to: Disabled

 * Windows Update (wuauserv) is not Running.
   Startup Type set to: Disabled

Searching for Missing Digital Signatures:

 * C:\Windows\System32\user32.dll : 1.008.640 : 04/11/2013 06:54 PM : 2c353b6ce0c8d03225caa2af33b68d79 [NoSig]
 +-> C:\Windows\SysWOW64\user32.dll : 833.024 : 04/11/2013 06:54 PM : 861c4346f9281dc0380de72c8d55d6be [Pos Repl]
 +-> C:\Windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_292d5de8870d85d9\user32.dll : 1.008.640 : 07/14/2009 03:41 AM : 72d7b3ea16946e8f0cf7458150031cc6 [Pos Repl]
 +-> C:\Windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll : 1.008.128 : 11/20/2010 04:27 AM : fe70103391a64039a921dbfff9c7ab1b [Pos Repl]
 +-> C:\Windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_3382083abb6e47d4\user32.dll : 833.024 : 07/14/2009 03:11 AM : e8b0ffc209e504cb7e79fc24e6c085f0 [Pos Repl]
 +-> C:\Windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll : 833.024 : 11/20/2010 03:08 AM : 5e0db2d8b2750543cd2ebb9ea8e6cdd3 [Pos Repl]

Checking HOSTS File:

 * No issues found.

Program finished at: 03/11/2014 09:28:46 PM
Execution time: 0 hours(s), 0 minute(s), and 43 seconds(s)

 

 

eset scan

C:\FRST\Quarantine\20131004165900.799.exe10-03-2014_00-55-49 Win32/AdWare.Lollipop.S application
C:\FRST\Quarantine\AskSLib.dll10-03-2014_00-55-49 a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
C:\FRST\Quarantine\qelin.exe11-03-2014_19-57-55 a variant of Win32/Injector.AZJD trojan
C:\FRST\Quarantine\rarar.exe10-03-2014_00-55-12 Win32/Injector.AZGX trojan
C:\Program Files (x86)\Avira\AntiVir Desktop\apnic.dll a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
C:\Program Files (x86)\Avira\AntiVir Desktop\apntoolbarinstaller.exe a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
C:\Program Files (x86)\Avira\AntiVir Desktop\Offercast_AVIRAV7_.exe a variant of Win32/Bundled.Toolbar.Ask.D potentially unsafe application
C:\Users\Eduardas\Documents\001\IllustStudio\Crack\Patch_host.cmd BAT/HostsChanger.A potentially unsafe application
C:\Windows\KMService.exe Win32/HackKMS.A potentially unsafe application

 

 

 Results of screen317's Security Check version 0.99.80 
 Windows 7 Service Pack 1 x64 (UAC is disabled!) 
 Internet Explorer 10 Out of date!
``````````````Antivirus/Firewall Check:``````````````
 Windows Security Center service is not running! This report may not be accurate!
 Windows Firewall Enabled! 
Avira Desktop  
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300 
 Java 7 Update 51 
 Adobe Flash Player 12.0.0.77 
 Google Chrome 33.0.1750.117 
 Google Chrome 33.0.1750.146 
````````Process Check: objlist.exe by Laurent```````` 
 Avira Antivir avgnt.exe
 Avira Antivir avguard.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 2%
````````````````````End of Log``````````````````````

 



#14 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:06:39 PM

Posted 11 March 2014 - 04:42 PM

Hello,

 

 

Click Start, and in the search box type in services.msc and then click OK.

In the list of services, double-click on Security Center and then click Properties.
In the Startup type list, select Automatic and click Apply.
Click on the Start Button.

Repeat the steps for Windows Update service.

 

 

Your Internet Explorer is out of date! Even you don't use it it's recommended to update it.


You can download the latest one from here => Internet Explorer 11.0 Final for Windows 7 EN x64

 

I really don't recommend you to leave your Windows outdated. This can be exploited by many malware which are spread in the wild. The same apply for Internet Explorer as well. Even you don't use it it's recommended to update it because IE is implemented in Windows core on very deep level.

 

 

 

To remove all of the tools we used and the files and folders they created, please do the following:

 

 

Download the following file => and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST/FRST64 and press the Fix button just once and wait.
It's no needed to post the log this time.

 

 

 

Please download OTC.exe by OldTimer and save it to your desktop.
 

  • Right-click the OTC.exe and choose Run as Administrator.
  • Click on CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

 

  • Next please download Delfix.exe by Xplode and save it to your desktop.
  • Please start it and check the box next to "Remove disinfection tools" and click on the run button.
  • The tool will delete itself once it finishes.

 

Note: If any tool, file, log file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

 

Feel free to uninstall Eset Online Scanner.

 

 

 

Here are my final recommendations:

 

Nicely done ! :bananas: This is the end of our journey if you don't have any more questions.
I have some final words for you.
All Clean !
Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it Clean.

 

 

 

STEP 1 SECURITY ADVICES


Change all your passwords !


Since your computer was infected for peace of mind, I would however advise you that all your passwords be changed immediately including those for bank accounts, credit cards and home loans, PIN codes etc)!! (just in case).

If you're storing password in the browser to access websites than they are non encrypted well (only if you use Firefox with master password protection activated provide better security). So I strongly recommend to change as much password as possible. Many of the modern malware samples have backdoor abilities and can steal confidential information from the compromised computer. Also you should check for any suspicious transactions if such occur. If you find out that you have been victim to fraud contact your bank or the appropriate institution for assistance.

Use different passwords for all your accounts. Also don't use easy passwords such as your favorite teams, bands or pets because this will allow people to guess your password.
You can use PC Tools Password Generator to create random passwords and then install an application like KeePass Password Safe to store them for easy access.If you do Online Banikng please read this article: Online Banking Protection Against Identity Theft

 

 

 

Keep your antivirus software turned on and up-to-date

 

  • Make sure your antivirus software is turned on and up-to-date.
  • New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Note:
  • You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
  • You should scan your computer with an AntiSpyware program like Malwarebytes' Anti-Malware on a regular basis just as you would an antivirus software.
  • Be sure to check for and download any definition updates prior to performing a scan.
  • Also keep in mind that MBAM is not a replacement for antivirus software, it is meant to complement the protection provided by a full antivirus product and is designed to detect the threats that are missed by most antivirus software.

 

 

Install HIPS based software if needed (or use Limited Account with UAC enabled)

 

I usually recommend to users to install HIPS based software but this type software is only effective in the right hands since it require from the users to take the right decisions.

 

HIPS based software controls what an application is allowed to do and not allowed to do.
It monitors what each application tries to do, how it use the internet and give you the ability to block any suspicious activity occurring on your computer.
In my opinion the best way to prevent an unknown malware from gaining access is to use some HIPS programs (like COMODO Firewall, PrivateFirewall, Online Armor etc.) to control the access rights of legitimate applications, although this would only be advisable for experienced users. (so if you don't feel comfortable using such software then you can skip this advice)

 

However, you should be aware though that (if you install Comodo Firewall and not the whole package Comodo Internet Security) this is not an replacement for a standard antivirus application. It's a great tool to add another layer of protection to your existent antivirus application. Also note that if you have an antivirus installed then you should install Comodo Firewall (and not Comodo Internet Security to avoid conflicts).

 

It takes some time and knowledge to configure it for individual purposes but once done, you should not have a problems with it.
There are so many reviews on YouTube and blogs about all these programs.
Keep in mind to choose carefully in order to avoid conflicts or instability caused by incompatible security programs.
Also having more than one "real-time" program can be a drain on your PC's efficiency so please refrain doing so.

More information about HIPS can be found here: What is Host Intrusion Prevention System (HIPS) and how does it work?

 
If you like Comodo you should choose for yourself which version of Comodo you will use 5 or 7. Personally I stick to version 5 at least for now.
 

If these kind of programs are difficult for you to use then you can use limited user account (LUA) with UAC enabled. If you need administrative privileges to perform some tasks, then you can use Run As or log on as the administrator account for that specific task.

 

 

Be prepared for CryptoLocker:

 

 

CryptoLocker Ransomware Information Guide and FAQ

Cryptolocker Ransomware: What You Need To Know

New CryptoLocker Ransomware Variant Spread Through Yahoo Messenger

 

 

Since the prevention is better than cure you can use gpedit built-in Windows or CryptoPrevent (described in the first link) to secure the PC against this locker.

Another way is to use Comodo Firewall and to add all local disks to Protected Files and Folders

You may want to check HitmanPro.Alert.CryptoGuard and add install it to be safe when surfing the net.

 

 

Practice Safe Internet


One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will.  Below are a list of simple precautions to take to keep your computer clean and running securely:
 

  • If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that.  Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
  • .exe, .com, .bat, .pif, .scr or .cmd do not open the attachment unless you know for a fact that it is clean.  For the casual computer user, you will almost never receive a valid attachment of this type.
  • If you receive an attachment from someone you know, and it looks suspicious, then it probably is.  The email could be from someone you know infected with a malware that is trying to infect everyone in their address book.
  • If you are browsing the Internet and a popup appears saying that you are infected, ignore it!. These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of popups, or Foistware, you should read this article:
    Foistware, And how to avoid it. There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams.  For a list of these types of programs we recommend you visit this link: About Malwares, Rogues, Scarewares, SmitfraudFix
  • Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message  or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you.  We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window.  If there is a menu that comes up saying Add to Favorites... you know it's a fake.
  • Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.
  • When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.
  • Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections. Avoid using cracks and unknown programs from sources you don't trust. There are MANY alternative open-source applications. Malware writers just love cracks and keygens, and will often attach malicious code into them. By using cracks and/or keygens, you are asking for problems. So my advice is - stay away from them!
  • Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing them and Peer-2-Peer networks are crawling with it. If you want to download a piece of software a from a site, and are not sure if they are legitimate, you can use McAfee Siteadvisor to look up info on the site. Note: skip this advice if your antivirus have a Web Guard.
  • DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.

 

 

Tweak your browsers
 
 
MOZILLA FIREFOX


To prevent further infections be sure to install the following add-ons NoScript and AdBlock Plus

 

Adblock Plus hides all those annoying (and potentially dangerous) advertisements on websites that try and tempt you to buy or download something. AdBlock not only speeds up your browsing and makes it easier on your eyes, but also makes it safer.

 

Adblock Plus can be found here.

 

NoScript is only for advanced users as it blocks all the interactive parts of a webpage, such as login options. Obviously you wouldn’t want to block your ability to log on to your internet banking or your webmail, but thankfully you can tell NoScript to allow certain websites and block others. This is very useful to ensure that the website you’re visiting is not trying to tempt you to interact with another, more dangerous website.

 

NoScript can be found here
 

 

Google Chrome

 
If you like Google Chrome there are many similar extensions for this browser as well. Since I am not a Google Chrome user I can't tell you which of them are good and how they work. You should find out by yourself.

However Google Chrome can block a lot of unknown malware because of his sandbox.Beware of the fact that Google Chrome doesn't provide master password protection for your saved in the browser passwords. Check this out: Google Chrome security flaw offers unrestricted password access

 

 

For Internet Explorer 9/10/11 read the articles below:
 

Security and privacy features in Internet Explorer 9

Enhanced Protected Mode
Use Tracking Protection in Internet Explorer

Security in Internet Explorer 10

 

Immunize your browsers with SpywareBlaster 5 and Spybot Search and Destroy 1.6

Also MBAM acquired the following software Malwarebytes Anti-Exploit and it should work with the most popular browsers. Beware the product is in beta stage.

Changelog can be seen here and known issues here.

 

 
Make the extensions for known file types visible:
 

Be wary of files with a double extension such as jpg.exe. As a default setting, Windows often hides common file extensions, meaning that a program like image.jpg.exe will appear to you as simply image.jpg. Double extensions exploit this by hiding the second, dangerous extension and reassuring you with the first one.Check this out - Show or hide file name extensions.

 

 

 

Create an image of your system (you can use the built-in Windows software as well if you prefere)

 

  • Now when your pc is malware free it is a good idea to do a backup of all important files just in case something happens it.
  • Macrium Reflect is very good choice that enables you to create an image of your system drive which can be restored in case of problems.
  • The download link is here.
  • The tutorial on how to create an system image can be found here.
  • The tutorial on how to restore an system image can be found here.
  • Be sure to read the tutorial first.

 

 

Follow this list and your potential for being infected again will reduce dramatically.

Safe Surfing! :)

 

 

Regards,

Georgi


cXfZ4wS.png


#15 Animas42

Animas42
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:05:39 PM

Posted 12 March 2014 - 05:43 AM

Thank you so much for all the time and help you provided.

*shakes a virtual hand*

Ed






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users