
Computer running extremely slowly, did have trojans and email account was hacked


  • This topic is locked
10 replies to this topic

#1 gei1a08


  • Members
  • 5 posts

Posted 17 March 2014 - 02:30 PM

A week or so ago my email account was hacked and I had a few trojans. I spoke to a virus removal company who cleaned up my laptop but it's still running extremely slowly and wondered if anyone could help me.

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 11.0.9600.16521
Run by Gwen at 19:23:11 on 2014-03-17
#Option MBR scan  is disabled.
Microsoft Windows 7 Home Basic   6.1.7601.1.1252.44.1033.18.986.232 [GMT 0:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
AV: Kaspersky Anti-Virus *Enabled/Updated* {2EAA32A5-1EE1-1B22-95DA-337730C6E984}
SP: Kaspersky Anti-Virus *Enabled/Updated* {95CBD341-38DB-14AC-AF6A-08054B41A339}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe
C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskmgr.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\taskeng.exe
c:\Program Files\Microsoft Security Client\MpCmdRun.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uSearch Bar = Preserve
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Adblock Plus for IE Browser Helper Object: {FFCB3198-32F3-4E8B-9539-4324694ED664} - c:\program files\adblock plus for ie\AdblockPlus32.dll
uRun: [Embedded Callback - remote.techvedic.com] c:\users\gwen\appdata\local\bomgar-scc-cb\remote.techvedic.com\embedhook-x86.exe --start remote.techvedic.com
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2012\avp.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
TCP: NameServer = 194.168.4.100 194.168.8.100
TCP: Interfaces\{0CD4956A-5B9F-440D-ABFC-C34829AA480A} : DHCPNameServer = 194.168.4.100 194.168.8.100
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\gwen\appdata\roaming\mozilla\firefox\profiles\ltta8zfn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=vmn&type=vmn-toolbarcleaner-1_1-ya-bs-rp&q=
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.22.5\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.30214.0\npctrlui.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_12_0_0_77.dll
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2014-03-17 18:52:17    25088    ----a-w-    c:\users\gwen\appdata\local\Z@H!-1689322220241543070373-32.tmp
2014-03-16 20:41:36    7947048    ----a-w-    c:\programdata\microsoft\microsoft antimalware\definition updates\{9d2c4a5f-03fa-48b7-8ed5-857d3753ca14}\mpengine.dll
2014-03-14 22:39:38    765968    ------w-    c:\programdata\microsoft\microsoft antimalware\definition updates\{28e3f3ed-9a38-4dec-abf6-d3e56d7333a3}\gapaengine.dll
2014-03-14 22:35:18    7947048    ------w-    c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2014-03-10 14:57:49    765968    ------w-    c:\programdata\microsoft\microsoft antimalware\definition updates\nisbackup\gapaengine.dll
2014-03-06 13:03:31    --------    d-----w-    c:\program files\ESET
2014-03-06 11:37:34    --------    d-----w-    c:\users\gwen\appdata\local\bomgar-scc-cb
2014-03-06 11:35:44    14848    ----a-w-    c:\windows\system32\drivers\rdpvideominiport.sys
2014-03-06 11:35:40    12800    ----a-w-    c:\windows\system32\RdpGroupPolicyExtension.dll
2014-03-06 11:35:38    221184    ----a-w-    c:\windows\system32\rdpudd.dll
2014-03-06 11:35:38    192000    ----a-w-    c:\windows\system32\rdpendp_winip.dll
2014-03-06 11:35:37    2739712    ----a-w-    c:\windows\system32\rdpcorets.dll
2014-03-06 11:31:36    32256    ----a-w-    c:\windows\system32\TsUsbGDCoInstaller.dll
2014-03-06 11:31:33    12800    ----a-w-    c:\windows\system32\TsUsbRedirectionGroupPolicyControl.exe
2014-03-06 11:31:32    49152    ----a-w-    c:\windows\system32\drivers\TsUsbFlt.sys
2014-03-06 11:31:29    53248    ----a-w-    c:\windows\system32\tsgqec.dll
2014-03-06 11:31:29    50176    ----a-w-    c:\windows\system32\MsRdpWebAccess.dll
2014-03-06 11:31:29    17920    ----a-w-    c:\windows\system32\wksprtPS.dll
2014-03-06 11:31:29    14336    ----a-w-    c:\windows\system32\TsUsbRedirectionGroupPolicyExtension.dll
2014-03-06 11:31:28    855552    ----a-w-    c:\windows\system32\rdvidcrl.dll
2014-03-06 11:31:28    76288    ----a-w-    c:\windows\system32\TSWbPrxy.exe
2014-03-06 11:31:28    350208    ----a-w-    c:\windows\system32\wksprt.exe
2014-03-06 11:31:28    1068544    ----a-w-    c:\windows\system32\mstsc.exe
2014-03-06 11:31:27    5698048    ----a-w-    c:\windows\system32\mstscax.dll
2014-03-06 11:20:56    --------    d-----w-    c:\windows\Migration
2014-03-06 11:06:11    66560    ----a-w-    c:\windows\system32\drivers\WUDFPf.sys
2014-03-06 11:06:11    155136    ----a-w-    c:\windows\system32\drivers\WUDFRd.sys
2014-03-06 11:06:10    73216    ----a-w-    c:\windows\system32\WUDFSvc.dll
2014-03-06 11:06:10    172032    ----a-w-    c:\windows\system32\WUDFPlatform.dll
2014-03-06 11:06:08    613888    ----a-w-    c:\windows\system32\WUDFx.dll
2014-03-06 11:06:08    38912    ----a-w-    c:\windows\system32\WUDFCoinstaller.dll
2014-03-06 11:06:08    196608    ----a-w-    c:\windows\system32\WUDFHost.exe
2014-03-06 11:04:44    12625408    ----a-w-    c:\windows\system32\wmploc.DLL
2014-03-06 11:04:43    164864    ----a-w-    c:\program files\windows media player\wmplayer.exe
2014-03-06 11:01:27    24576    ----a-w-    c:\windows\system32\cryptdlg.dll
2014-03-06 11:01:07    164352    ----a-w-    c:\windows\system32\profsvc.dll
2014-03-06 11:01:05    2342400    ----a-w-    c:\windows\system32\msi.dll
2014-03-06 10:59:34    442880    ----a-w-    c:\windows\system32\ntshrui.dll
2014-03-06 10:58:16    1699328    ----a-w-    c:\windows\system32\esent.dll
2014-03-06 10:58:15    74240    ----a-w-    c:\windows\system32\fsutil.exe
2014-03-06 10:58:14    80256    ----a-w-    c:\windows\system32\drivers\amdsata.sys
2014-03-06 10:58:14    332160    ----a-w-    c:\windows\system32\drivers\iaStorV.sys
2014-03-06 10:58:14    148864    ----a-w-    c:\windows\system32\drivers\storport.sys
2014-03-06 10:58:13    22400    ----a-w-    c:\windows\system32\drivers\amdxata.sys
2014-03-06 10:58:13    143744    ----a-w-    c:\windows\system32\drivers\nvstor.sys
2014-03-06 10:58:13    117120    ----a-w-    c:\windows\system32\drivers\nvraid.sys
2014-03-06 10:57:57    1796096    ----a-w-    c:\windows\system32\authui.dll
2014-03-06 10:57:56    168960    ----a-w-    c:\windows\system32\credui.dll
2014-03-06 10:57:56    152576    ----a-w-    c:\windows\system32\SmartcardCredentialProvider.dll
2014-03-06 10:57:22    626688    ----a-w-    c:\windows\system32\usp10.dll
2014-03-06 10:55:57    400896    ----a-w-    c:\windows\system32\srcore.dll
2014-03-06 10:41:41    594944    ----a-w-    c:\windows\system32\RMActivate_isv.exe
2014-03-06 10:41:41    572416    ----a-w-    c:\windows\system32\RMActivate.exe
2014-03-06 10:41:41    508928    ----a-w-    c:\windows\system32\RMActivate_ssp_isv.exe
2014-03-06 10:41:39    510976    ----a-w-    c:\windows\system32\RMActivate_ssp.exe
2014-03-06 10:41:38    423936    ----a-w-    c:\windows\system32\secproc_isv.dll
2014-03-06 10:41:36    428032    ----a-w-    c:\windows\system32\secproc.dll
2014-03-06 10:41:36    390144    ----a-w-    c:\windows\system32\msdrm.dll
2014-03-06 10:41:35    87040    ----a-w-    c:\windows\system32\secproc_ssp.dll
2014-03-06 10:41:31    87040    ----a-w-    c:\windows\system32\secproc_ssp_isv.dll
2014-03-06 10:35:22    --------    d-----w-    c:\program files\Adblock Plus for IE
2014-03-06 10:34:38    --------    d-----w-    c:\programdata\Package Cache
2014-03-06 10:06:12    27008    ----a-w-    c:\windows\system32\drivers\Diskdump.sys
2014-03-06 10:00:53    --------    d-----w-    c:\program files\Microsoft Security Client
2014-03-04 15:28:50    7947048    ----a-w-    c:\programdata\microsoft\windows defender\definition updates\{47d5411f-85a7-479d-a3e3-cc7125fb80c0}\mpengine.dll
.
==================== Find3M  ====================
.
2014-03-11 22:21:08    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-03-11 22:21:08    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-03-01 04:11:20    2724864    ----a-w-    c:\windows\system32\mshtml.tlb
2014-03-01 04:10:48    4096    ----a-w-    c:\windows\system32\ieetwcollectorres.dll
2014-03-01 03:52:43    61952    ----a-w-    c:\windows\system32\iesetup.dll
2014-03-01 03:51:53    51200    ----a-w-    c:\windows\system32\ieetwproxystub.dll
2014-03-01 03:38:26    112128    ----a-w-    c:\windows\system32\ieUnatt.exe
2014-03-01 03:38:23    108032    ----a-w-    c:\windows\system32\ieetwcollector.exe
2014-03-01 03:37:35    553472    ----a-w-    c:\windows\system32\jscript9diag.dll
2014-03-01 03:31:30    646144    ----a-w-    c:\windows\system32\MsSpellCheckingFacility.exe
2014-03-01 03:14:15    4244480    ----a-w-    c:\windows\system32\jscript9.dll
2014-03-01 03:00:08    1964032    ----a-w-    c:\windows\system32\inetcpl.cpl
2014-03-01 02:32:16    1820160    ----a-w-    c:\windows\system32\wininet.dll
2014-02-07 01:07:56    2349056    ----a-w-    c:\windows\system32\win32k.sys
2014-02-04 02:04:11    509440    ----a-w-    c:\windows\system32\qedit.dll
2014-01-29 02:06:47    381440    ----a-w-    c:\windows\system32\wer.dll
2014-01-19 07:32:23    231584    ------w-    c:\windows\system32\MpSigStub.exe
2014-01-16 00:40:14    487016    ----a-w-    C:\SecurityScanner.dll
2013-12-24 23:09:41    1987584    ----a-w-    c:\windows\system32\d3d10warp.dll
2013-12-21 08:56:47    454656    ----a-w-    c:\windows\system32\vbscript.dll
.
============= FINISH: 19:25:33.41 ===============
 


#2 TB-Psychotic


  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 17 March 2014 - 03:42 PM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

It seems that you were betrayed by scammers.

 

 

Add/Remove programs

Click on start-->control panel.

Vista/7: Open Programs and Features
XP: Open add/remove programs

Search for and remove the following programs

Bomgar Button 13.1.2 [remote.techvedic.com]


Close the window.

 

 

 

 

Scan with aswMBR

Please download aswMBR ( 4.5MB ) to your desktop.

  • Double click the aswMBR.exe icon, and click Run.
  • There will be a short delay before the next dialog box comes up. Please just wait a minute or two.
  • When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
  • Typically this is about a 100MB download so depending on your connection speed it can take a short while to download and become ready.
  • Click the Scan button to start the scan once the update has finished downloading.
  • On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.

Note: There will also be a file on your desktop named MBR.dat; do not delete this for now. It is an actual backup of the MBR (master boot record).


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)
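The conclusion Marius draws above rests on a few lines of the DDS log in post #1: a per-user Run entry that starts a remote-support callback from AppData\Local, the UAC policy values set to 0, a redirected Firefox keyword.URL, and two real-time antivirus products enabled at the same time. As an added example (not part of this thread, and not code from DDS, ComboFix or BleepingComputer), the Python script below triages DDS-style "Pseudo HJT Report" lines for exactly those indicators. The sample lines are copied from the posted log; the regexes, the severity labels and the `triage()` function are this example's own assumptions about the log format.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS log posted in this thread
# (not a complete log), so the script runs offline.
SAMPLE_DDS = r"""
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
AV: Kaspersky Anti-Virus *Enabled/Updated* {2EAA32A5-1EE1-1B22-95DA-337730C6E984}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
uRun: [Embedded Callback - remote.techvedic.com] c:\users\gwen\appdata\local\bomgar-scc-cb\remote.techvedic.com\embedhook-x86.exe --start remote.techvedic.com
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2012\avp.exe"
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=vmn&type=vmn-toolbarcleaner-1_1-ya-bs-rp&q=
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" / "medium" / "low" (labels assumed for this example)
    category: str   # "autorun", "uac", "browser", "av-conflict"
    detail: str


# UAC policy values that, when set like this, remove the elevation barrier.
# value name -> (weak value, what it means)
UAC_WEAK = {
    "EnableLUA": (0, "UAC is switched off entirely"),
    "ConsentPromptBehaviorAdmin": (0, "administrators elevate silently, no prompt"),
    "PromptOnSecureDesktop": (0, "elevation prompts are not isolated on the secure desktop"),
}

# Line shapes as DDS prints them (assumed from the posted log; DDS values are hex).
AV_RE = re.compile(r"^AV:\s+(?P<name>.+?)\s+\*(?P<state>Enabled|Disabled)/")
RUN_RE = re.compile(r"^(?P<scope>[um])Run:\s+\[(?P<label>[^\]]*)\]\s+(?P<cmd>.+)$")
POLICY_RE = re.compile(r"^mPolicies-System:\s+(?P<name>\w+)\s*=\s*dword:(?P<val>[0-9A-Fa-f]+)")
FF_KEYWORD_RE = re.compile(r"^FF - prefs\.js: keyword\.URL - (?P<url>\S+)")


def triage(log_text):
    """Return the list of Findings for a block of DDS Pseudo-HJT lines."""
    findings = []
    enabled_av = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = AV_RE.match(line)
        if m:
            if m.group("state") == "Enabled":
                enabled_av.append(m.group("name"))
            continue
        m = RUN_RE.match(line)
        if m:
            # uRun = HKCU autorun. Anything starting from the user's
            # AppData\Local tree (remote-support agents, droppers) is worth a look.
            if m.group("scope") == "u" and "\\appdata\\local\\" in m.group("cmd").lower():
                findings.append(Finding(
                    "high", "autorun",
                    f"user Run entry [{m.group('label')}] starts from AppData\\Local: {m.group('cmd')}"))
            continue
        m = POLICY_RE.match(line)
        if m:
            name, val = m.group("name"), int(m.group("val"), 16)
            if name in UAC_WEAK and val == UAC_WEAK[name][0]:
                findings.append(Finding("medium", "uac", f"{name}={val}: {UAC_WEAK[name][1]}"))
            continue
        m = FF_KEYWORD_RE.match(line)
        if m:
            # keyword.URL is normally unset; a toolbar-style search URL here means
            # address-bar searches were redirected.
            findings.append(Finding("low", "browser", f"Firefox keyword.URL redirected to {m.group('url')}"))
    # Two real-time AV engines hooking the same I/O is a classic cause of a slow box.
    if len(enabled_av) > 1:
        findings.append(Finding("medium", "av-conflict",
                                "more than one real-time AV enabled: " + ", ".join(enabled_av)))
    return findings


def counts_by_category(findings):
    """Summarise findings as {category: count} for a quick overview."""
    out = {}
    for f in findings:
        out[f.category] = out.get(f.category, 0) + 1
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.severity:6}] {f.category:12} {f.detail}")
```

Run as a script it prints one line per finding; on the sample above that is the Bomgar autorun, the three UAC values, the Firefox search redirect, and the MSE-plus-Kaspersky conflict that post #6 picks up on. The `mPolicies` and `uRun` checks are deliberately narrow (HKLM Run entries and `ConsentPromptBehaviorUser` are left alone) so that a normal machine produces no output.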

#3 gei1a08

  • Topic Starter

  • Members
  • 5 posts

Posted 18 March 2014 - 06:27 AM

Hi Marius,

 

I have run the scan and attached the log (aswMBR.txt).



#4 TB-Psychotic


  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 18 March 2014 - 08:26 AM

Combofix

Combofix should only be run when advised by a team member!

Link


Important - Save the file to your desktop!


  • Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe


When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing "Illegal operation attempted on a registry key that has been marked for deletion", simply restart your computer to fix this.



#5 gei1a08

  • Topic Starter

  • Members
  • 5 posts

Posted 18 March 2014 - 09:07 AM

Marius,

 

Please see below the log:

 

 

ComboFix 14-03-16.01 - Gwen 18/03/2014  13:49:25.1.1 - x86
Microsoft Windows 7 Home Basic   6.1.7601.1.1252.44.1033.18.986.360 [GMT 0:00]
Running from: c:\users\Gwen\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *Disabled/Updated* {2EAA32A5-1EE1-1B22-95DA-337730C6E984}
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Kaspersky Anti-Virus *Disabled/Updated* {95CBD341-38DB-14AC-AF6A-08054B41A339}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Gwen\AppData\Local\Z@H!-166244531135314021-32.tmp
.
.
(((((((((((((((((((((((((   Files Created from 2014-02-18 to 2014-03-18  )))))))))))))))))))))))))))))))
.
.
2014-03-18 13:58 . 2014-03-18 13:58    --------    d-----w-    c:\users\Gwen\AppData\Local\temp
2014-03-18 13:58 . 2014-03-18 13:58    --------    d-----w-    c:\users\Default\AppData\Local\temp
2014-03-18 13:40 . 2014-03-18 13:40    39464    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{35E7CFEE-1346-421E-9240-3C4D02550CD0}\MpKslf952d40a.sys
2014-03-18 11:07 . 2014-03-07 04:35    7969936    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{35E7CFEE-1346-421E-9240-3C4D02550CD0}\mpengine.dll
2014-03-16 20:41 . 2014-02-05 23:08    7947048    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-03-14 22:39 . 2014-03-06 10:05    765968    ------w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{28E3F3ED-9A38-4DEC-ABF6-D3E56D7333A3}\gapaengine.dll
2014-03-10 14:57 . 2014-03-06 10:05    765968    ------w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2014-03-06 13:03 . 2014-03-06 13:03    --------    d-----w-    c:\program files\ESET
2014-03-06 11:35 . 2012-08-23 14:44    14848    ----a-w-    c:\windows\system32\drivers\rdpvideominiport.sys
2014-03-06 11:35 . 2012-08-23 13:52    12800    ----a-w-    c:\windows\system32\RdpGroupPolicyExtension.dll
2014-03-06 11:35 . 2012-08-23 14:48    221184    ----a-w-    c:\windows\system32\rdpudd.dll
2014-03-06 11:35 . 2012-08-23 11:12    192000    ----a-w-    c:\windows\system32\rdpendp_winip.dll
2014-03-06 11:35 . 2012-08-23 10:08    2739712    ----a-w-    c:\windows\system32\rdpcorets.dll
2014-03-06 11:33 . 2014-03-14 12:44    --------    d-----w-    c:\program files\Microsoft Silverlight
2014-03-06 11:31 . 2013-10-01 23:45    32256    ----a-w-    c:\windows\system32\TsUsbGDCoInstaller.dll
2014-03-06 11:31 . 2013-10-02 00:32    12800    ----a-w-    c:\windows\system32\TsUsbRedirectionGroupPolicyControl.exe
2014-03-06 11:31 . 2013-10-02 00:42    49152    ----a-w-    c:\windows\system32\drivers\TsUsbFlt.sys
2014-03-06 11:31 . 2013-10-02 00:30    14336    ----a-w-    c:\windows\system32\TsUsbRedirectionGroupPolicyExtension.dll
2014-03-06 11:31 . 2013-10-02 00:14    50176    ----a-w-    c:\windows\system32\MsRdpWebAccess.dll
2014-03-06 11:31 . 2013-10-02 00:14    17920    ----a-w-    c:\windows\system32\wksprtPS.dll
2014-03-06 11:31 . 2013-10-01 23:58    53248    ----a-w-    c:\windows\system32\tsgqec.dll
2014-03-06 11:31 . 2013-10-01 23:08    855552    ----a-w-    c:\windows\system32\rdvidcrl.dll
2014-03-06 11:31 . 2013-10-01 23:00    76288    ----a-w-    c:\windows\system32\TSWbPrxy.exe
2014-03-06 11:31 . 2013-10-01 22:53    350208    ----a-w-    c:\windows\system32\wksprt.exe
2014-03-06 11:31 . 2013-10-01 22:34    1068544    ----a-w-    c:\windows\system32\mstsc.exe
2014-03-06 11:31 . 2013-10-01 20:55    5698048    ----a-w-    c:\windows\system32\mstscax.dll
2014-03-06 11:20 . 2014-03-06 11:20    --------    d-----w-    c:\windows\Migration
2014-03-06 11:06 . 2012-07-26 02:33    66560    ----a-w-    c:\windows\system32\drivers\WUDFPf.sys
2014-03-06 11:06 . 2012-07-26 02:32    155136    ----a-w-    c:\windows\system32\drivers\WUDFRd.sys
2014-03-06 11:06 . 2012-07-26 03:20    73216    ----a-w-    c:\windows\system32\WUDFSvc.dll
2014-03-06 11:06 . 2012-07-26 03:20    172032    ----a-w-    c:\windows\system32\WUDFPlatform.dll
2014-03-06 11:06 . 2012-07-26 03:21    196608    ----a-w-    c:\windows\system32\WUDFHost.exe
2014-03-06 11:06 . 2012-07-26 03:20    613888    ----a-w-    c:\windows\system32\WUDFx.dll
2014-03-06 11:06 . 2012-07-26 03:20    38912    ----a-w-    c:\windows\system32\WUDFCoinstaller.dll
2014-03-06 11:04 . 2013-05-10 04:56    12625408    ----a-w-    c:\windows\system32\wmploc.DLL
2014-03-06 11:04 . 2013-05-10 03:48    164864    ----a-w-    c:\program files\Windows Media Player\wmplayer.exe
2014-03-06 11:01 . 2013-05-10 03:20    24576    ----a-w-    c:\windows\system32\cryptdlg.dll
2014-03-06 11:01 . 2012-05-01 04:44    164352    ----a-w-    c:\windows\system32\profsvc.dll
2014-03-06 11:01 . 2012-04-07 11:26    2342400    ----a-w-    c:\windows\system32\msi.dll
2014-03-06 10:59 . 2012-01-04 08:58    442880    ----a-w-    c:\windows\system32\ntshrui.dll
2014-03-06 10:58 . 2011-03-11 05:33    1699328    ----a-w-    c:\windows\system32\esent.dll
2014-03-06 10:58 . 2011-03-11 05:31    74240    ----a-w-    c:\windows\system32\fsutil.exe
2014-03-06 10:58 . 2011-03-11 05:39    148864    ----a-w-    c:\windows\system32\drivers\storport.sys
2014-03-06 10:58 . 2011-03-11 05:38    332160    ----a-w-    c:\windows\system32\drivers\iaStorV.sys
2014-03-06 10:58 . 2011-03-11 05:38    80256    ----a-w-    c:\windows\system32\drivers\amdsata.sys
2014-03-06 10:58 . 2011-03-11 05:39    143744    ----a-w-    c:\windows\system32\drivers\nvstor.sys
2014-03-06 10:58 . 2011-03-11 05:39    117120    ----a-w-    c:\windows\system32\drivers\nvraid.sys
2014-03-06 10:58 . 2011-03-11 05:38    22400    ----a-w-    c:\windows\system32\drivers\amdxata.sys
2014-03-06 10:57 . 2013-10-04 01:56    1796096    ----a-w-    c:\windows\system32\authui.dll
2014-03-06 10:57 . 2013-10-04 01:58    152576    ----a-w-    c:\windows\system32\SmartcardCredentialProvider.dll
2014-03-06 10:57 . 2013-10-04 01:56    168960    ----a-w-    c:\windows\system32\credui.dll
2014-03-06 10:57 . 2012-11-22 04:45    626688    ----a-w-    c:\windows\system32\usp10.dll
2014-03-06 10:55 . 2012-05-05 07:46    400896    ----a-w-    c:\windows\system32\srcore.dll
2014-03-06 10:41 . 2013-12-04 01:54    594944    ----a-w-    c:\windows\system32\RMActivate_isv.exe
2014-03-06 10:41 . 2013-12-04 01:54    572416    ----a-w-    c:\windows\system32\RMActivate.exe
2014-03-06 10:41 . 2013-12-04 01:54    508928    ----a-w-    c:\windows\system32\RMActivate_ssp_isv.exe
2014-03-06 10:41 . 2013-12-04 01:54    510976    ----a-w-    c:\windows\system32\RMActivate_ssp.exe
2014-03-06 10:41 . 2013-12-04 02:03    423936    ----a-w-    c:\windows\system32\secproc_isv.dll
2014-03-06 10:41 . 2013-12-04 02:03    428032    ----a-w-    c:\windows\system32\secproc.dll
2014-03-06 10:41 . 2013-12-04 02:02    390144    ----a-w-    c:\windows\system32\msdrm.dll
2014-03-06 10:41 . 2013-12-04 02:03    87040    ----a-w-    c:\windows\system32\secproc_ssp.dll
2014-03-06 10:41 . 2013-12-04 02:03    87040    ----a-w-    c:\windows\system32\secproc_ssp_isv.dll
2014-03-06 10:35 . 2014-03-06 10:35    --------    d-----w-    c:\program files\Adblock Plus for IE
2014-03-06 10:34 . 2014-03-06 10:34    --------    d-----w-    c:\programdata\Package Cache
2014-03-06 10:06 . 2011-04-22 19:14    27008    ----a-w-    c:\windows\system32\drivers\Diskdump.sys
2014-03-06 10:00 . 2014-03-06 12:23    --------    d-----w-    c:\program files\Microsoft Security Client
2014-03-04 15:28 . 2014-02-06 07:08    7947048    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{47D5411F-85A7-479D-A3E3-CC7125FB80C0}\mpengine.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-03-11 22:21 . 2013-05-26 17:44    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-03-11 22:21 . 2013-05-26 17:44    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-01-19 07:32 . 2013-05-24 13:45    231584    ------w-    c:\windows\system32\MpSigStub.exe
2014-01-16 00:40 . 2014-01-16 00:40    487016    ----a-w-    C:\SecurityScanner.dll
2013-12-24 23:09 . 2014-02-13 15:01    1987584    ----a-w-    c:\windows\system32\d3d10warp.dll
2013-12-21 08:56 . 2014-02-13 15:11    454656    ----a-w-    c:\windows\system32\vbscript.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2013-05-13 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7601.17514] . . c:\windows\System32\user32.dll
[7] 2010-11-20 . F1DD3ACAEE5E6B4BBC69BC6DF75CEF66 . 811520 . . [6.1.7601.17514] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2014-01-30 15:05    579400    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2014-01-30 15:05    579400    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2014-01-30 15:05    579400    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedViewOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2014-01-30 15:05    579400    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2014-01-30 15:05    579400    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2014-01-30 15:05    579400    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe" [2013-05-13 206448]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-10-23 948440]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-12-18 19:08    946352    ----a-w-    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2011-02-11 18:26    171032    ----a-w-    c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2011-02-11 18:26    137752    ----a-w-    c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2011-02-11 18:26    172568    ----a-w-    c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2013-10-23 172192]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2014-03-01 108032]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2013-09-27 104768]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2013-10-23 280288]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 14848]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2013-10-02 49152]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2013-05-13 1343400]
S1 kl2;kl2;c:\windows\system32\DRIVERS\kl2.sys [2011-03-04 11352]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2011-03-10 23856]
S1 MpKslf952d40a;MpKslf952d40a;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{35E7CFEE-1346-421E-9240-3C4D02550CD0}\MpKslf952d40a.sys [2014-03-18 39464]
S2 c2cautoupdatesvc;Skype Click to Call Updater;c:\program files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [2014-03-03 1363584]
S2 c2cpnrsvc;Skype Click to Call PNR Service;c:\program files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [2014-03-03 1748608]
S2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2012-01-18 450848]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-11-02 19984]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-09-28 315392]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation    REG_MULTI_SZ       SSDPSRV upnphost SCardSvr TBS fdrespub AppIDSvc QWAVE wcncsvc SensrSvc
.
Contents of the 'Scheduled Tasks' folder
.
2014-03-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-05-26 22:21]
.
2014-03-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-05-26 17:45]
.
2014-03-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-05-26 17:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
FF - ProfilePath - c:\users\Gwen\AppData\Roaming\Mozilla\Firefox\Profiles\ltta8zfn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=vmn&type=vmn-toolbarcleaner-1_1-ya-bs-rp&q=
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-03-18  14:01:15
ComboFix-quarantined-files.txt  2014-03-18 14:01
.
Pre-Run: 117,747,953,664 bytes free
Post-Run: 117,450,641,408 bytes free
.
- - End Of File - - 5A28D76683C2E2C43057AF66DED91D71
A36C5E4F47E84449FF07ED3517B43A31
 



#6 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:16 AM

Posted 18 March 2014 - 09:14 AM

Multiple Antivirus Programs installed!

I do not recommend that you have more than one anti-virus product installed and running on your computer at a time.

The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:

1) False Alarms: When the anti-virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.

Therefore please go to add/remove in the control panel and remove either Microsoft Security Essentials or Kaspersky.

Combofix scripting

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.


CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Full System Scan with Malwarebytes Antimalware
 

  • If not existing, please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform fullscan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.

Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#7 gei1a08

gei1a08
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:10:16 AM

Posted 18 March 2014 - 12:41 PM

Hi Marius,

Here's the ComboFix log and Malware log.

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2014.03.18.06

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 11.0.9600.16521
Gwen :: GWEN-PC [administrator]

Protection: Enabled

18/03/2014 16:26:27
mbam-log-2014-03-18 (16-26-27).txt

Scan type: Full scan (C:\|D:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 298703
Time elapsed: 1 hour(s), 2 minute(s), 15 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\Setup\scripts\faXcooL.exe (HackTool.Wpakill) -> Quarantined and deleted successfully.

(end)
ComboFix 14-03-16.01 - Gwen 18/03/2014  16:04:10.2.1 - x86
Microsoft Windows 7 Home Basic   6.1.7601.1.1252.44.1033.18.986.407 [GMT 0:00]
Running from: c:\users\Gwen\Desktop\ComboFix.exe
Command switches used :: c:\users\Gwen\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *Disabled/Updated* {2EAA32A5-1EE1-1B22-95DA-337730C6E984}
SP: Kaspersky Anti-Virus *Disabled/Updated* {95CBD341-38DB-14AC-AF6A-08054B41A339}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll --> c:\windows\System32\user32.dll
.
(((((((((((((((((((((((((   Files Created from 2014-02-18 to 2014-03-18  )))))))))))))))))))))))))))))))
.
.
2014-03-18 16:12 . 2014-03-18 16:12    --------    d-----w-    c:\users\Default\AppData\Local\temp
2014-03-18 14:01 . 2014-03-18 16:12    --------    d-----w-    c:\users\Gwen\AppData\Local\temp
2014-03-06 13:03 . 2014-03-06 13:03    --------    d-----w-    c:\program files\ESET
2014-03-06 11:35 . 2012-08-23 14:44    14848    ----a-w-    c:\windows\system32\drivers\rdpvideominiport.sys
2014-03-06 11:35 . 2012-08-23 13:52    12800    ----a-w-    c:\windows\system32\RdpGroupPolicyExtension.dll
2014-03-06 11:35 . 2012-08-23 14:48    221184    ----a-w-    c:\windows\system32\rdpudd.dll
2014-03-06 11:35 . 2012-08-23 11:12    192000    ----a-w-    c:\windows\system32\rdpendp_winip.dll
2014-03-06 11:35 . 2012-08-23 10:08    2739712    ----a-w-    c:\windows\system32\rdpcorets.dll
2014-03-06 11:33 . 2014-03-14 12:44    --------    d-----w-    c:\program files\Microsoft Silverlight
2014-03-06 11:31 . 2013-10-01 23:45    32256    ----a-w-    c:\windows\system32\TsUsbGDCoInstaller.dll
2014-03-06 11:31 . 2013-10-02 00:32    12800    ----a-w-    c:\windows\system32\TsUsbRedirectionGroupPolicyControl.exe
2014-03-06 11:31 . 2013-10-02 00:42    49152    ----a-w-    c:\windows\system32\drivers\TsUsbFlt.sys
2014-03-06 11:31 . 2013-10-02 00:30    14336    ----a-w-    c:\windows\system32\TsUsbRedirectionGroupPolicyExtension.dll
2014-03-06 11:31 . 2013-10-02 00:14    50176    ----a-w-    c:\windows\system32\MsRdpWebAccess.dll
2014-03-06 11:31 . 2013-10-02 00:14    17920    ----a-w-    c:\windows\system32\wksprtPS.dll
2014-03-06 11:31 . 2013-10-01 23:58    53248    ----a-w-    c:\windows\system32\tsgqec.dll
2014-03-06 11:31 . 2013-10-01 23:08    855552    ----a-w-    c:\windows\system32\rdvidcrl.dll
2014-03-06 11:31 . 2013-10-01 23:00    76288    ----a-w-    c:\windows\system32\TSWbPrxy.exe
2014-03-06 11:31 . 2013-10-01 22:53    350208    ----a-w-    c:\windows\system32\wksprt.exe
2014-03-06 11:31 . 2013-10-01 22:34    1068544    ----a-w-    c:\windows\system32\mstsc.exe
2014-03-06 11:31 . 2013-10-01 20:55    5698048    ----a-w-    c:\windows\system32\mstscax.dll
2014-03-06 11:20 . 2014-03-06 11:20    --------    d-----w-    c:\windows\Migration
2014-03-06 11:06 . 2012-07-26 02:33    66560    ----a-w-    c:\windows\system32\drivers\WUDFPf.sys
2014-03-06 11:06 . 2012-07-26 02:32    155136    ----a-w-    c:\windows\system32\drivers\WUDFRd.sys
2014-03-06 11:06 . 2012-07-26 03:20    73216    ----a-w-    c:\windows\system32\WUDFSvc.dll
2014-03-06 11:06 . 2012-07-26 03:20    172032    ----a-w-    c:\windows\system32\WUDFPlatform.dll
2014-03-06 11:06 . 2012-07-26 03:21    196608    ----a-w-    c:\windows\system32\WUDFHost.exe
2014-03-06 11:06 . 2012-07-26 03:20    613888    ----a-w-    c:\windows\system32\WUDFx.dll
2014-03-06 11:06 . 2012-07-26 03:20    38912    ----a-w-    c:\windows\system32\WUDFCoinstaller.dll
2014-03-06 11:04 . 2013-05-10 04:56    12625408    ----a-w-    c:\windows\system32\wmploc.DLL
2014-03-06 11:04 . 2013-05-10 03:48    164864    ----a-w-    c:\program files\Windows Media Player\wmplayer.exe
2014-03-06 11:01 . 2013-05-10 03:20    24576    ----a-w-    c:\windows\system32\cryptdlg.dll
2014-03-06 11:01 . 2012-05-01 04:44    164352    ----a-w-    c:\windows\system32\profsvc.dll
2014-03-06 11:01 . 2012-04-07 11:26    2342400    ----a-w-    c:\windows\system32\msi.dll
2014-03-06 10:59 . 2012-01-04 08:58    442880    ----a-w-    c:\windows\system32\ntshrui.dll
2014-03-06 10:58 . 2011-03-11 05:33    1699328    ----a-w-    c:\windows\system32\esent.dll
2014-03-06 10:58 . 2011-03-11 05:31    74240    ----a-w-    c:\windows\system32\fsutil.exe
2014-03-06 10:58 . 2011-03-11 05:39    148864    ----a-w-    c:\windows\system32\drivers\storport.sys
2014-03-06 10:58 . 2011-03-11 05:38    332160    ----a-w-    c:\windows\system32\drivers\iaStorV.sys
2014-03-06 10:58 . 2011-03-11 05:38    80256    ----a-w-    c:\windows\system32\drivers\amdsata.sys
2014-03-06 10:58 . 2011-03-11 05:39    143744    ----a-w-    c:\windows\system32\drivers\nvstor.sys
2014-03-06 10:58 . 2011-03-11 05:39    117120    ----a-w-    c:\windows\system32\drivers\nvraid.sys
2014-03-06 10:58 . 2011-03-11 05:38    22400    ----a-w-    c:\windows\system32\drivers\amdxata.sys
2014-03-06 10:57 . 2013-10-04 01:56    1796096    ----a-w-    c:\windows\system32\authui.dll
2014-03-06 10:57 . 2013-10-04 01:58    152576    ----a-w-    c:\windows\system32\SmartcardCredentialProvider.dll
2014-03-06 10:57 . 2013-10-04 01:56    168960    ----a-w-    c:\windows\system32\credui.dll
2014-03-06 10:57 . 2012-11-22 04:45    626688    ----a-w-    c:\windows\system32\usp10.dll
2014-03-06 10:55 . 2012-05-05 07:46    400896    ----a-w-    c:\windows\system32\srcore.dll
2014-03-06 10:41 . 2013-12-04 01:54    594944    ----a-w-    c:\windows\system32\RMActivate_isv.exe
2014-03-06 10:41 . 2013-12-04 01:54    572416    ----a-w-    c:\windows\system32\RMActivate.exe
2014-03-06 10:41 . 2013-12-04 01:54    508928    ----a-w-    c:\windows\system32\RMActivate_ssp_isv.exe
2014-03-06 10:41 . 2013-12-04 01:54    510976    ----a-w-    c:\windows\system32\RMActivate_ssp.exe
2014-03-06 10:41 . 2013-12-04 02:03    423936    ----a-w-    c:\windows\system32\secproc_isv.dll
2014-03-06 10:41 . 2013-12-04 02:03    428032    ----a-w-    c:\windows\system32\secproc.dll
2014-03-06 10:41 . 2013-12-04 02:02    390144    ----a-w-    c:\windows\system32\msdrm.dll
2014-03-06 10:41 . 2013-12-04 02:03    87040    ----a-w-    c:\windows\system32\secproc_ssp.dll
2014-03-06 10:41 . 2013-12-04 02:03    87040    ----a-w-    c:\windows\system32\secproc_ssp_isv.dll
2014-03-06 10:35 . 2014-03-06 10:35    --------    d-----w-    c:\program files\Adblock Plus for IE
2014-03-06 10:34 . 2014-03-06 10:34    --------    d-----w-    c:\programdata\Package Cache
2014-03-06 10:06 . 2011-04-22 19:14    27008    ----a-w-    c:\windows\system32\drivers\Diskdump.sys
2014-03-04 15:28 . 2014-02-06 07:08    7947048    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{47D5411F-85A7-479D-A3E3-CC7125FB80C0}\mpengine.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-03-11 22:21 . 2013-05-26 17:44    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-03-11 22:21 . 2013-05-26 17:44    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-01-19 07:32 . 2013-05-24 13:45    231584    ------w-    c:\windows\system32\MpSigStub.exe
2014-01-16 00:40 . 2014-01-16 00:40    487016    ----a-w-    C:\SecurityScanner.dll
2013-12-24 23:09 . 2014-02-13 15:01    1987584    ----a-w-    c:\windows\system32\d3d10warp.dll
2013-12-21 08:56 . 2014-02-13 15:11    454656    ----a-w-    c:\windows\system32\vbscript.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2014-01-30 15:05    579400    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2014-01-30 15:05    579400    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2014-01-30 15:05    579400    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedViewOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2014-01-30 15:05    579400    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2014-01-30 15:05    579400    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2014-01-30 15:05    579400    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe" [2013-05-13 206448]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-12-18 19:08    946352    ----a-w-    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2011-02-11 18:26    171032    ----a-w-    c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2011-02-11 18:26    137752    ----a-w-    c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2011-02-11 18:26    172568    ----a-w-    c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2013-10-23 172192]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2014-03-01 108032]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 14848]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2013-10-02 49152]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2013-05-13 1343400]
S1 kl2;kl2;c:\windows\system32\DRIVERS\kl2.sys [2011-03-04 11352]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2011-03-10 23856]
S2 c2cautoupdatesvc;Skype Click to Call Updater;c:\program files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [2014-03-03 1363584]
S2 c2cpnrsvc;Skype Click to Call PNR Service;c:\program files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [2014-03-03 1748608]
S2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2012-01-18 450848]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-11-02 19984]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-09-28 315392]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - NisDrv
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation    REG_MULTI_SZ       SSDPSRV upnphost SCardSvr TBS fdrespub AppIDSvc QWAVE wcncsvc SensrSvc
.
Contents of the 'Scheduled Tasks' folder
.
2014-03-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-05-26 22:21]
.
2014-03-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-05-26 17:45]
.
2014-03-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-05-26 17:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
FF - ProfilePath - c:\users\Gwen\AppData\Roaming\Mozilla\Firefox\Profiles\ltta8zfn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-03-18  16:15:58
ComboFix-quarantined-files.txt  2014-03-18 16:15
.
Pre-Run: 117,880,197,120 bytes free
Post-Run: 117,595,668,480 bytes free
.
- - End Of File - - B3235968A91709C02F60ECB1E8DEE043
A36C5E4F47E84449FF07ED3517B43A31
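As an added example (not part of this thread, nor of the DDS, ComboFix or Malwarebytes tools), a small Python script that reads log text in the shape of the reports posted above and flags what the analyst reacts to in them: more than one enabled real-time AV product, UAC policy values set to 0, a Security Center DisableMonitoring entry, and a Firefox keyword.URL override. SAMPLE_LOG is constructed from a few lines of the logs in this thread; the regexes and finding messages are my own assumptions about the format.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the DDS/ComboFix logs posted in this
# thread (a handful of lines, not the full log).
SAMPLE_LOG = r"""
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
AV: Kaspersky Anti-Virus *Enabled/Updated* {2EAA32A5-1EE1-1B22-95DA-337730C6E984}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=vmn&type=vmn-toolbarcleaner-1_1-ya-bs-rp&q=
"""

PRODUCT_RE = re.compile(r"^(AV|SP|FW):\s+(.+?)\s+\*([^*]+)\*")    # AV: name *State/Update* {guid}
KEY_RE = re.compile(r"^\[(.+)\]$")                                 # [HKEY_...]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')                   # "name"= value
DWORD_RE = re.compile(r"^dword:([0-9A-Fa-f]{8})$")                # dword:00000001
INT_RE = re.compile(r"^(-?\d+)\s*\(0x[0-9A-Fa-f]+\)$")             # 0 (0x0)
FF_PREF_RE = re.compile(r"^FF - prefs\.js:\s+(\S+)\s+-\s+(.*)$")   # Firefox pref lines

def parse_products(text: str) -> List[Tuple[str, str, str]]:
    """Return (kind, product name, state) for every AV:/SP:/FW: header line."""
    found = []
    for line in text.splitlines():
        m = PRODUCT_RE.match(line.strip())
        if m:
            found.append((m.group(1), m.group(2), m.group(3)))
    return found

def parse_registry(text: str) -> Dict[str, Dict[str, object]]:
    """Collect the "name"= value lines under each [key] block; numbers become ints."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group(1)
            keys.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            raw = vm.group(2).strip()
            dm, im = DWORD_RE.match(raw), INT_RE.match(raw)
            keys[current][vm.group(1)] = int(dm.group(1), 16) if dm else (int(im.group(1)) if im else raw)
    return keys

def assess(text: str) -> List[str]:
    """Flag the conditions the analyst in this thread reacts to."""
    findings = []
    enabled_av = [name for kind, name, state in parse_products(text)
                  if kind == "AV" and state.startswith("Enabled")]
    if len(enabled_av) > 1:   # two real-time scanners competing for the same files
        findings.append("multiple real-time AV products enabled: " + ", ".join(enabled_av))
    for key, values in parse_registry(text).items():
        low = key.lower()
        if low.endswith(r"\policies\system"):
            if values.get("EnableLUA") == 0:
                findings.append("UAC disabled (EnableLUA=0)")
            if values.get("ConsentPromptBehaviorAdmin") == 0:
                findings.append("admins elevate silently (ConsentPromptBehaviorAdmin=0)")
        if "\\security center\\monitoring\\" in low and values.get("DisableMonitoring") == 1:
            findings.append("Security Center monitoring disabled for " + key.rsplit("\\", 1)[-1])
    for line in text.splitlines():
        m = FF_PREF_RE.match(line.strip())
        if m and m.group(1) == "keyword.URL":   # search keyword redirected through a toolbar
            findings.append("Firefox keyword.URL overridden: " + m.group(2))
    return findings

if __name__ == "__main__":
    print("\n".join("FLAG: " + f for f in assess(SAMPLE_LOG)))
```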
 



#8 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:16 AM

Posted 18 March 2014 - 03:36 PM

Your logs show obvious signs of having cracked software on your system. This is the main reason your computer is infected. Visiting cracksites/warezsites - and other questionable/illegal sites is always a risk.

Even a single click on the site can drop multiple forms of very serious malware, many of which disable your onboard protection, and System Restore.

If you install the cracked software, you are running executable files from these dubious, unknown sources. You are in effect giving these sources access to information on your hard disk, and potential control over the operation of your computer.

Additionally, cracked programs are illegal. Referring to the Forum Rules which you should have read at the time of Registering at this forum, this forum does not support illegal activity. As such, be advised that any request for assistance in removing malware may go unanswered, or may be discontinued, if the cracked (illegal) software is still present on the machine.

Having said that, we can help you clean your machine this time BUT this would be a ONCE ONLY offer on the understanding that all cracks are removed. This would apply not only here but at many other Malware Support forums if you were to appear again with cracks onboard, as many of us analysts work at multiple support sites. Please remove all cracked software and illegally obtained copyrighted material you have on the system so we may continue with the clean up.



#9 gei1a08

gei1a08
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:10:16 AM

Posted 18 March 2014 - 05:34 PM

Hi Marius

 

Thank you for the response, I'm a little bit confused about the cracked software you are referring to as I have inherited this laptop and as far as I'm aware there was no cracked software on it.

 

Please tell me the location of this so I can remove it.

 

Many thanks



#10 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:16 AM

Posted 19 March 2014 - 03:22 AM

Let's see:

Please download this tool and save it to your desktop: http://go.microsoft.com/fwlink/?linkid=52012

Run the file by double click and press the "Continue" button.

When the tool is finished, click the "Copy" button in the lower right corner.

Reply to your topic here, right click into the reply box and select paste.

Post up.

Scan with CKScanner

Download CKScanner by askey127 from Here & save it to your Desktop.

  • Right-click and Run as Administrator CKScanner.exe then click Search For Files
  • When the cursor hourglass disappears, click Save List To File
  • A message box will verify the file saved
  • Double-click the CKFiles.txt icon on your desktop then copy/paste the contents in your next reply


Edited by TB-Psychotic, 19 March 2014 - 03:22 AM.


#11 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:16 AM

Posted 23 March 2014 - 01:10 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



