
Infected with Local Disk HDD eating virus (DDS Log Inside)


This topic is locked
20 replies to this topic

#1 infectedman

  • Members
  • 9 posts

Posted 13 April 2014 - 10:03 AM

Greetings to all the BC fellows!

Since yesterday, I've been facing a pretty nasty virus that probably came from here. So I had 3,07 GB free yesterday on my Local Disk (C:) on Windows 7, which I'm using. After I ran the torrent I linked you to before, suddenly the free space became 307 MB, and since then it has ranged from 114 MB to 602 MB free each time I refreshed the Explorer window. In parallel, I was running Malwarebytes, ESET and Microsoft Security Essentials, and only MBAM was able to delete 50 suspicious files, half of which were false positives from some network security software I had.

After MBAM I rebooted my PC, and in the hope that I would see 3,07 GB free again on my Local Disk, it was 52,40 MB!! And it kept going down, down, down to the point where I got worried and shut my PC down. I downloaded TFC and it actually did a tremendous job and left me with 11,2 GB free. But the nightmare doesn't end here. I restarted my PC again and now it said 8,02 GB free. This happened yesterday. Now I'm left with 7,19 GB. I lost 100 MB a few hours ago. I did not download anything, and temporary files are nearly 0 MB.

From the looks of those suspicious problems, I'm really sure I'm infected with a rootkit/trojan/keylogger or some other nasty virus. I also installed KeyScrambler, an anti-keylogging program.

I've read all the instructions of the forum, so in this topic I'm posting the DDS.txt log that I ran some minutes ago.

I hope I'll be able to get help here and eventually wipe off the ass of that bastard virus. :)

Thank you for taking the time to read this!


DDS LOG
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 11.0.9600.16521  BrowserJavaVersion: 10.51.2
Run by George at 17:46:21 on 2014-04-13
#Option MBR scan  is disabled.
Microsoft Windows 7 Ultimate   6.1.7601.1.1253.30.1033.18.3293.1493 [GMT 3:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
AV: ESET NOD32 Antivirus 5.0 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET NOD32 Antivirus 5.0 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Acunetix\Web Vulnerability Scanner 7\WVSScheduler7.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\BlueStacks\HD-LogRotatorService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Windows\system32\lkcitdl.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\DAEMON Tools Pro\DTShellHlp.exe
C:\Windows\system32\lkads.exe
C:\Windows\system32\lktsrv.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
C:\Windows\system32\nisvcloc.exe
C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
C:\Program Files\HTC\HTC Sync 3.0\htcUPCTLoader.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\BlueStacks\HD-Agent.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\explorer.exe
C:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Program Files\KeyScrambler\KeyScrambler.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [DAEMON Tools Pro Agent] "c:\program files\daemon tools pro\DTAgent.exe" -autorun
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [HTC Sync Loader] "c:\program files\htc\htc sync 3.0\htcUPCTLoader.exe" -startup
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [BlueStacks Agent] c:\program files\bluestacks\HD-Agent.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [KeyScrambler] c:\program files\keyscrambler\keyscrambler.exe /a
StartupFolder: c:\users\george\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Sothink Flash Downloader For IE - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
Trusted Zone: localhost
Trusted Zone: localhost
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{4536323D-3CD3-4D67-839B-71B1D54D4B7E} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{ECA05D7E-E853-48B6-BF13-174C55AB46B9} : DHCPNameServer = 8.8.8.8 4.2.2.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\34.0.1847.116\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\george\appdata\roaming\mozilla\firefox\profiles\c6d7xxfe.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: network.proxy.http - 176.73.174.4
FF - prefs.js: network.proxy.http_port - 808
FF - prefs.js: network.proxy.type - 2
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.23.9\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.30214.0\npctrlui.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\george\appdata\local\facebook\video\skype\npFacebookVideoCalling.dll
FF - plugin: c:\users\george\appdata\local\pokki\download helper\npPokkiDownloadHelper.1.2.0.78.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_12_0_0_77.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.funmoods.hmpg - true
FF - user.js: extensions.funmoods.hmpgUrl - hxxp://start.funmoods.com/?f=1&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1QzuyEyEzzyB0F0C0A0B0Ezy0B0DyC0EzztBtN0D0Tzu0CtByEtBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=122666673
FF - user.js: extensions.funmoods.dfltSrch - true
FF - user.js: extensions.funmoods.srchPrvdr - Search
FF - user.js: extensions.funmoods.dnsErr - true
FF - user.js: extensions.funmoods_i.newTab - true
FF - user.js: extensions.funmoods.newTabUrl - hxxp://start.funmoods.com/?f=2&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1QzuyEyEzzyB0F0C0A0B0Ezy0B0DyC0EzztBtN0D0Tzu0CtByEtBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=122666673
FF - user.js: extensions.funmoods.tlbrSrchUrl - hxxp://start.funmoods.com/?f=3&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1QzuyEyEzzyB0F0C0A0B0Ezy0B0DyC0EzztBtN0D0Tzu0CtByEtBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=122666673&q=
FF - user.js: extensions.funmoods.id - 4487FCABE9BD6E82
FF - user.js: extensions.funmoods.instlDay - 15581
FF - user.js: extensions.funmoods.vrsn - 1.5.23.22
FF - user.js: extensions.funmoods.vrsni - 1.5.23.22
FF - user.js: extensions.funmoods_i.vrsnTs - 1.5.23.2217:57:30
FF - user.js: extensions.funmoods.prtnrId - funmoods
FF - user.js: extensions.funmoods.prdct - funmoods
FF - user.js: extensions.funmoods.aflt - iron2
FF - user.js: extensions.funmoods_i.smplGrp - none
FF - user.js: extensions.funmoods.tlbrId - base
FF - user.js: extensions.funmoods.instlRef - iron2
FF - user.js: extensions.funmoods.dfltLng -
FF - user.js: extensions.funmoods.excTlbr - false
FF - user.js: extensions.funmoods.autoRvrt - false
FF - user.js: extensions.funmoods.envrmnt - production
FF - user.js: extensions.funmoods.isdcmntcmplt - true
FF - user.js: extensions.funmoods.mntrvrsn - 1.3.0
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2014-1-25 231960]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2013-3-8 242240]
R2 AcuWVSSchedulerv7;Acunetix WVS Scheduler v7;c:\program files\acunetix\web vulnerability scanner 7\WVSScheduler7.exe [2010-9-21 674104]
R2 BstHdDrv;BlueStacks Hypervisor;c:\program files\bluestacks\HD-Hypervisor-x86.sys [2013-9-19 63816]
R2 BstHdLogRotatorSvc;BlueStacks Log Rotator Service;c:\program files\bluestacks\HD-LogRotatorService.exe [2013-9-19 384840]
R2 eamonm;eamonm;c:\windows\system32\drivers\eamonm.sys [2011-8-9 163424]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2011-9-22 974944]
R2 epfwwfpr;epfwwfpr;c:\windows\system32\drivers\epfwwfpr.sys [2011-8-4 103112]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes anti-malware\mbamscheduler.exe [2014-4-12 1809720]
R2 MBAMService;MBAMService;c:\program files\malwarebytes anti-malware\mbamservice.exe [2014-4-12 857912]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 104264]
R2 PassThru Service;Internet Pass-Through Service;c:\program files\htc\internet pass-through\PassThruSvr.exe [2013-3-7 167424]
R3 InputFilter_Hid_FlexDef2b;Siliten HID Devices(FlexDef2b) Driver Service;c:\windows\system32\drivers\InputFilter_FlexDef2b.sys [2010-6-19 14848]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2014-4-12 209016]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-4-12 23256]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-4-12 107736]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2014-4-12 51416]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2014-3-11 279776]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-3-1 139776]
S2 BstHdAndroidSvc;BlueStacks Android Service;c:\program files\bluestacks\HD-Service.exe [2013-9-19 393032]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 metasploitPostgreSQL;metasploitPostgreSQL;C:/METASP~1/POSTGR~1/bin/pg_ctl.exe runservice -N "metasploitPostgreSQL" -D "C:/METASP~1/POSTGR~1/data" --> C:/METASP~1/POSTGR~1/bin/pg_ctl.exe runservice -N metasploitPostgreSQL [?]
S2 metasploitProSvc-1;Metasploit Pro Service-1;c:\metasp~1\ruby\bin\ruby.exe -c "c:\metasp~1\apps\pro\engine" prosvc_service.rb -e production --> c:\metasp~1\ruby\bin\ruby.exe -c c:\metasp~1\apps\pro\engine [?]
S2 metasploitProSvc;Metasploit Pro Service;c:\metasp~1\ruby\bin\ruby.exe -c "c:\metasp~1\apps\pro\engine" prosvc_service.rb -e production --> c:\metasp~1\ruby\bin\ruby.exe -c c:\metasp~1\apps\pro\engine [?]
S2 metasploitThin-1;Metasploit Thin Service-1;c:\metasp~1\ruby\bin\ruby.exe -c "c:\metasp~1\apps\pro\ui" thin_service.rb --> c:\metasp~1\ruby\bin\ruby.exe -c c:\metasp~1\apps\pro\ui [?]
S2 metasploitThin;Metasploit Thin Service;c:\metasp~1\ruby\bin\ruby.exe -c "c:\metasp~1\apps\pro\ui" thin_service.rb --> c:\metasp~1\ruby\bin\ruby.exe -c c:\metasp~1\apps\pro\ui [?]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-10-23 172192]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2009-10-27 25088]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [2012-12-7 23040]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\ieetwcollector.exe [2014-3-14 108032]
S3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2013-3-7 15576]
S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2013-3-7 10200]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-6-26 15872]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2012-6-26 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2012-6-26 1343400]
SUnknown tsusbhub;tsusbhub; [x]
.
=============== File Associations ===============
.
ShellExec: Opera.exe: open="g:\opera\Launcher.exe" "%1"
.
=============== Created Last 30 ================
.
2014-04-13 14:31:14 7969936 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{44a7541b-2248-4924-8586-52e7907747d4}\mpengine.dll
2014-04-13 14:30:33 -------- d-sh--w- C:\$RECYCLE.BIN
2014-04-13 14:28:55 -------- d-----w- c:\users\george\appdata\local\temp
2014-04-13 14:20:40 98816 ----a-w- c:\windows\sed.exe
2014-04-13 14:20:40 256000 ----a-w- c:\windows\PEV.exe
2014-04-13 14:20:40 208896 ----a-w- c:\windows\MBR.exe
2014-04-13 14:16:14 -------- d-----w- c:\users\george\appdata\roaming\GetRightToGo
2014-04-12 22:26:57 -------- d-----w- c:\users\george\appdata\roaming\JAM Software
2014-04-12 22:26:48 -------- d-----w- c:\program files\JAM Software
2014-04-12 16:10:45 209016 ----a-w- c:\windows\system32\drivers\keyscrambler.sys
2014-04-12 16:10:43 -------- d-----w- c:\program files\KeyScrambler
2014-04-12 13:52:15 -------- d-----w- c:\users\george\appdata\roaming\QFX Software
2014-04-12 13:52:15 -------- d-----w- c:\programdata\QFX Software
2014-04-12 13:42:46 107736 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-04-12 13:42:05 73432 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-04-12 13:42:05 51416 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-04-12 13:42:05 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-04-12 13:42:05 -------- d-----w- c:\programdata\Malwarebytes
2014-04-12 13:42:05 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-04-11 10:08:19 7969936 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2014-04-09 06:23:26 27072 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2014-04-09 06:23:26 234432 ----a-w- c:\windows\system32\drivers\msiscsi.sys
2014-04-09 06:23:26 2048 ----a-w- c:\windows\system32\iologmsg.dll
2014-04-09 06:23:26 149440 ----a-w- c:\windows\system32\drivers\storport.sys
2014-04-09 06:23:19 1212352 ----a-w- c:\windows\system32\drivers\ntfs.sys
2014-04-09 06:23:12 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2014-04-06 17:42:25 765968 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{d46742e5-5cc8-40ee-adab-ded856841b9e}\gapaengine.dll
2014-03-19 17:36:21 -------- d-----w- c:\program files\proXPN
.
==================== Find3M  ====================
.
2014-03-12 16:21:32 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-03-12 16:21:32 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-03-11 07:52:30 104264 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2014-03-01 04:10:48 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll
2014-03-01 03:52:43 61952 ----a-w- c:\windows\system32\iesetup.dll
2014-03-01 03:51:53 51200 ----a-w- c:\windows\system32\ieetwproxystub.dll
2014-03-01 03:38:26 112128 ----a-w- c:\windows\system32\ieUnatt.exe
2014-03-01 03:38:23 108032 ----a-w- c:\windows\system32\ieetwcollector.exe
2014-03-01 03:37:35 553472 ----a-w- c:\windows\system32\jscript9diag.dll
2014-03-01 03:31:30 646144 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2014-03-01 03:14:15 4244480 ----a-w- c:\windows\system32\jscript9.dll
2014-03-01 03:00:08 1964032 ----a-w- c:\windows\system32\inetcpl.cpl
2014-03-01 02:32:16 1820160 ----a-w- c:\windows\system32\wininet.dll
2014-02-07 01:07:56 2349056 ----a-w- c:\windows\system32\win32k.sys
2014-02-04 02:04:22 1230336 ----a-w- c:\windows\system32\WindowsCodecs.dll
2014-02-04 02:04:11 509440 ----a-w- c:\windows\system32\qedit.dll
2014-01-29 02:06:47 381440 ----a-w- c:\windows\system32\wer.dll
2014-01-28 02:07:07 185344 ----a-w- c:\windows\system32\wwansvc.dll
2014-01-24 23:19:42 231960 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2014-01-19 07:32:23 231584 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 17:46:44,47 ===============

Edited by nasdaq, 18 April 2014 - 08:24 AM.
Bad link obfuscated.
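As an added example (not part of the original post, and not a DDS feature): a small Python triage helper that parses the policy lines of the DDS "Pseudo HJT Report" and the Firefox pref lines, and flags the settings a responder would look at first in the log above: the UAC policies (EnableLUA and PromptOnSecureDesktop are both 0 here), the HTTP proxy configured in prefs.js, and the funmoods entries written to user.js. The sample input is constructed from lines as they appear in the posted log, with URLs shortened. Firefox only honours the manual proxy host when network.proxy.type is 1; the severity labels are my own choice, and treating DDS dword values as decimal is an assumption that matches the posted values.

```python
"""Triage helper for DDS 'Pseudo HJT Report' policy lines and Firefox prefs.

Added example, not from the thread. Parses the line formats DDS prints
and flags the settings worth a second look: UAC policies overridden from
their secure defaults, a configured HTTP proxy, and user.js overrides
of homepage/search/new-tab settings (typical browser-hijacker persistence).
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the DDS output posted above, URLs shortened.
SAMPLE_DDS = """\
uStart Page = about:blank
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
Trusted Zone: localhost
TCP: NameServer = 192.168.1.1
FF - prefs.js: network.proxy.http - 176.73.174.4
FF - prefs.js: network.proxy.http_port - 808
FF - prefs.js: network.proxy.type - 2
FF - user.js: extensions.funmoods.hmpg - true
FF - user.js: extensions.funmoods.dfltSrch - true
FF - user.js: extensions.funmoods.newTabUrl - hxxp://start.funmoods.com/?f=2
"""

# "mPolicies-System: EnableLUA = dword:0"; the value is assumed to be decimal,
# which matches the posted values (e.g. NoDriveTypeAutoRun = 145 = 0x91).
POLICY_RE = re.compile(
    r"^(?P<hive>[um])Policies-(?P<key>\w+): (?P<name>\w+) = dword:(?P<val>\d+)$")
# "FF - prefs.js: network.proxy.http - 176.73.174.4" (value may be empty)
FF_PREF_RE = re.compile(
    r"^FF - (?P<file>prefs\.js|user\.js): (?P<name>[\w.]+) -(?: (?P<val>.*))?$")

# Windows 7 defaults for the UAC policies that matter most; 0 disables them.
UAC_EXPECTED = {"EnableLUA": 1, "PromptOnSecureDesktop": 1}
# Pref-name fragments that browser hijackers plant in user.js, which Firefox
# re-applies on every start so the victim's corrections do not stick.
HIJACK_KEYS = ("hmpg", "dfltSrch", "srchPrvdr", "newTab", "tlbrSrchUrl")


@dataclass
class Finding:
    severity: str   # "high" or "medium" (assumed labels, not a DDS concept)
    line: str       # the log line that triggered the finding
    reason: str


def parse_dds(text):
    """Return ({policy name: (int value, line)}, {pref name: (value, line)})."""
    policies, ff_prefs = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            policies[m["name"]] = (int(m["val"]), line)
            continue
        m = FF_PREF_RE.match(line)
        if m:
            ff_prefs[m["name"]] = ((m["val"] or "").strip(), line)
    return policies, ff_prefs


def triage(text):
    """Run the checks over a DDS log fragment and return a list of Findings."""
    policies, ff_prefs = parse_dds(text)
    findings = []
    for name, expected in UAC_EXPECTED.items():
        if name in policies and policies[name][0] != expected:
            actual, line = policies[name]
            findings.append(Finding(
                "high", line,
                f"{name} is {actual}, expected {expected}: UAC protection weakened"))
    proxy = ff_prefs.get("network.proxy.http")
    if proxy:
        ptype = ff_prefs.get("network.proxy.type", ("0", ""))[0]
        port = ff_prefs.get("network.proxy.http_port", ("?", ""))[0]
        active = ptype == "1"   # manual proxy settings apply only for type 1
        findings.append(Finding(
            "high" if active else "medium", proxy[1],
            f"HTTP proxy {proxy[0]}:{port} configured "
            f"(network.proxy.type={ptype}, {'active' if active else 'not active'})"))
    for name, (_val, line) in ff_prefs.items():
        if line.startswith("FF - user.js:") and any(k in name for k in HIJACK_KEYS):
            findings.append(Finding(
                "medium", line,
                "user.js homepage/search/new-tab override (browser-hijacker persistence)"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

Run it against a full DDS log by replacing SAMPLE_DDS with the file contents; lines the two regexes do not recognise are ignored, so the rest of the log is harmless input. The Trusted Zone and NameServer lines are left unflagged on purpose: a local router as DNS and localhost in the trusted zone are not indicators on their own.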



#2 HelpBot

    Bleepin' Binary Bot

  • Bots
  • 12,622 posts

Posted 18 April 2014 - 10:05 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/530907 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 infectedman (Topic Starter)

  • Members
  • 9 posts

Posted 19 April 2014 - 05:48 AM

Despite characterising yourself as a silly little program, I appreciate the fact that a bot posted on my thread.
To the point now: yes, I have my Windows 7 CD/DVD available.

BTW, here's my new DDS log.

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 11.0.9600.16521  BrowserJavaVersion: 10.51.2
Run by George at 13:42:41 on 2014-04-19
#Option MBR scan  is disabled.
Microsoft Windows 7 Ultimate   6.1.7601.1.1253.30.1033.18.3293.1719 [GMT 3:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
AV: ESET NOD32 Antivirus 5.0 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET NOD32 Antivirus 5.0 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Acunetix\Web Vulnerability Scanner 7\WVSScheduler7.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\BlueStacks\HD-LogRotatorService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Windows\system32\lkcitdl.exe
C:\Program Files\HTC\HTC Sync 3.0\htcUPCTLoader.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\BlueStacks\HD-Agent.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\DAEMON Tools Pro\DTShellHlp.exe
C:\Windows\system32\lkads.exe
C:\Windows\system32\lktsrv.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
C:\Windows\system32\nisvcloc.exe
C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [DAEMON Tools Pro Agent] "c:\program files\daemon tools pro\DTAgent.exe" -autorun
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [HTC Sync Loader] "c:\program files\htc\htc sync 3.0\htcUPCTLoader.exe" -startup
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [BlueStacks Agent] c:\program files\bluestacks\HD-Agent.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [KeyScrambler] c:\program files\keyscrambler\keyscrambler.exe /a
StartupFolder: c:\users\george\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: E&ξαγωγή στο Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Sothink Flash Downloader For IE - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
Trusted Zone: localhost
Trusted Zone: localhost
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{4536323D-3CD3-4D67-839B-71B1D54D4B7E} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{ECA05D7E-E853-48B6-BF13-174C55AB46B9} : DHCPNameServer = 8.8.8.8 4.2.2.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\34.0.1847.116\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\george\appdata\roaming\mozilla\firefox\profiles\c6d7xxfe.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: network.proxy.http - 176.73.174.4
FF - prefs.js: network.proxy.http_port - 808
FF - prefs.js: network.proxy.type - 2
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.23.9\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.30214.0\npctrlui.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\george\appdata\local\facebook\video\skype\npFacebookVideoCalling.dll
FF - plugin: c:\users\george\appdata\local\pokki\download helper\npPokkiDownloadHelper.1.2.0.78.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_12_0_0_77.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.funmoods.hmpg - true
FF - user.js: extensions.funmoods.hmpgUrl - hxxp://start.funmoods.com/?f=1&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1QzuyEyEzzyB0F0C0A0B0Ezy0B0DyC0EzztBtN0D0Tzu0CtByEtBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=122666673
FF - user.js: extensions.funmoods.dfltSrch - true
FF - user.js: extensions.funmoods.srchPrvdr - Search
FF - user.js: extensions.funmoods.dnsErr - true
FF - user.js: extensions.funmoods_i.newTab - true
FF - user.js: extensions.funmoods.newTabUrl - hxxp://start.funmoods.com/?f=2&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1QzuyEyEzzyB0F0C0A0B0Ezy0B0DyC0EzztBtN0D0Tzu0CtByEtBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=122666673
FF - user.js: extensions.funmoods.tlbrSrchUrl - hxxp://start.funmoods.com/?f=3&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1QzuyEyEzzyB0F0C0A0B0Ezy0B0DyC0EzztBtN0D0Tzu0CtByEtBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=122666673&q=
FF - user.js: extensions.funmoods.id - 4487FCABE9BD6E82
FF - user.js: extensions.funmoods.instlDay - 15581
FF - user.js: extensions.funmoods.vrsn - 1.5.23.22
FF - user.js: extensions.funmoods.vrsni - 1.5.23.22
FF - user.js: extensions.funmoods_i.vrsnTs - 1.5.23.2217:57:30
FF - user.js: extensions.funmoods.prtnrId - funmoods
FF - user.js: extensions.funmoods.prdct - funmoods
FF - user.js: extensions.funmoods.aflt - iron2
FF - user.js: extensions.funmoods_i.smplGrp - none
FF - user.js: extensions.funmoods.tlbrId - base
FF - user.js: extensions.funmoods.instlRef - iron2
FF - user.js: extensions.funmoods.dfltLng -
FF - user.js: extensions.funmoods.excTlbr - false
FF - user.js: extensions.funmoods.autoRvrt - false
FF - user.js: extensions.funmoods.envrmnt - production
FF - user.js: extensions.funmoods.isdcmntcmplt - true
FF - user.js: extensions.funmoods.mntrvrsn - 1.3.0
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2014-1-25 231960]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2013-3-8 242240]
R1 MpKsl23f8f896;MpKsl23f8f896;c:\programdata\microsoft\microsoft antimalware\definition updates\{26adf9f1-75e8-484b-82de-657c2388d14d}\MpKsl23f8f896.sys [2014-4-19 39464]
R2 AcuWVSSchedulerv7;Acunetix WVS Scheduler v7;c:\program files\acunetix\web vulnerability scanner 7\WVSScheduler7.exe [2010-9-21 674104]
R2 BstHdDrv;BlueStacks Hypervisor;c:\program files\bluestacks\HD-Hypervisor-x86.sys [2013-9-19 63816]
R2 BstHdLogRotatorSvc;BlueStacks Log Rotator Service;c:\program files\bluestacks\HD-LogRotatorService.exe [2013-9-19 384840]
R2 eamonm;eamonm;c:\windows\system32\drivers\eamonm.sys [2011-8-9 163424]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2011-9-22 974944]
R2 epfwwfpr;epfwwfpr;c:\windows\system32\drivers\epfwwfpr.sys [2011-8-4 103112]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes anti-malware\mbamscheduler.exe [2014-4-12 1809720]
R2 MBAMService;MBAMService;c:\program files\malwarebytes anti-malware\mbamservice.exe [2014-4-12 857912]
R2 PassThru Service;Internet Pass-Through Service;c:\program files\htc\internet pass-through\PassThruSvr.exe [2013-3-7 167424]
R3 InputFilter_Hid_FlexDef2b;Siliten HID Devices(FlexDef2b) Driver Service;c:\windows\system32\drivers\InputFilter_FlexDef2b.sys [2010-6-19 14848]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2014-4-12 209016]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-4-12 23256]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-4-12 107736]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2014-4-12 51416]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-3-1 139776]
S2 BstHdAndroidSvc;BlueStacks Android Service;c:\program files\bluestacks\HD-Service.exe [2013-9-19 393032]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 metasploitPostgreSQL;metasploitPostgreSQL;C:/METASP~1/POSTGR~1/bin/pg_ctl.exe runservice -N "metasploitPostgreSQL" -D "C:/METASP~1/POSTGR~1/data" --> C:/METASP~1/POSTGR~1/bin/pg_ctl.exe runservice -N metasploitPostgreSQL [?]
S2 metasploitProSvc-1;Metasploit Pro Service-1;c:\metasp~1\ruby\bin\ruby.exe -c "c:\metasp~1\apps\pro\engine" prosvc_service.rb -e production --> c:\metasp~1\ruby\bin\ruby.exe -c c:\metasp~1\apps\pro\engine [?]
S2 metasploitProSvc;Metasploit Pro Service;c:\metasp~1\ruby\bin\ruby.exe -c "c:\metasp~1\apps\pro\engine" prosvc_service.rb -e production --> c:\metasp~1\ruby\bin\ruby.exe -c c:\metasp~1\apps\pro\engine [?]
S2 metasploitThin-1;Metasploit Thin Service-1;c:\metasp~1\ruby\bin\ruby.exe -c "c:\metasp~1\apps\pro\ui" thin_service.rb --> c:\metasp~1\ruby\bin\ruby.exe -c c:\metasp~1\apps\pro\ui [?]
S2 metasploitThin;Metasploit Thin Service;c:\metasp~1\ruby\bin\ruby.exe -c "c:\metasp~1\apps\pro\ui" thin_service.rb --> c:\metasp~1\ruby\bin\ruby.exe -c c:\metasp~1\apps\pro\ui [?]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-10-23 172192]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2009-10-27 25088]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [2012-12-7 23040]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\ieetwcollector.exe [2014-3-14 108032]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 104264]
S3 NisSrv;Επιθεώρηση δικτύου της Microsoft;c:\program files\microsoft security client\NisSrv.exe [2014-3-11 279776]
S3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2013-3-7 15576]
S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2013-3-7 10200]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-6-26 15872]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2012-6-26 52224]
S3 WatAdminSvc;Υπηρεσία Τεχνολογιών ενεργοποίησης των Windows;c:\windows\system32\wat\WatAdminSvc.exe [2012-6-26 1343400]
SUnknown tsusbhub;tsusbhub; [x]
.
=============== File Associations ===============
.
ShellExec: Opera.exe: open="g:\opera\Launcher.exe" "%1"
.
=============== Created Last 30 ================
.
2014-04-19 07:03:56    39464    ----a-w-    c:\programdata\microsoft\microsoft antimalware\definition updates\{26adf9f1-75e8-484b-82de-657c2388d14d}\MpKsl23f8f896.sys
2014-04-18 12:16:16    8050496    ----a-w-    c:\programdata\microsoft\microsoft antimalware\definition updates\{26adf9f1-75e8-484b-82de-657c2388d14d}\mpengine.dll
2014-04-17 08:44:36    8049928    ----a-w-    c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2014-04-14 08:40:54    107736    ----a-w-    c:\windows\system32\drivers\48230029.sys
2014-04-14 02:16:17    --------    d-----w-    c:\users\george\appdata\local\Adobe
2014-04-13 14:30:33    --------    d-sh--w-    C:\$RECYCLE.BIN
2014-04-13 14:28:55    --------    d-----w-    c:\users\george\appdata\local\temp
2014-04-13 14:20:40    98816    ----a-w-    c:\windows\sed.exe
2014-04-13 14:20:40    256000    ----a-w-    c:\windows\PEV.exe
2014-04-13 14:20:40    208896    ----a-w-    c:\windows\MBR.exe
2014-04-13 14:16:14    --------    d-----w-    c:\users\george\appdata\roaming\GetRightToGo
2014-04-12 22:26:57    --------    d-----w-    c:\users\george\appdata\roaming\JAM Software
2014-04-12 22:26:48    --------    d-----w-    c:\program files\JAM Software
2014-04-12 16:10:45    209016    ----a-w-    c:\windows\system32\drivers\keyscrambler.sys
2014-04-12 16:10:43    --------    d-----w-    c:\program files\KeyScrambler
2014-04-12 13:52:15    --------    d-----w-    c:\users\george\appdata\roaming\QFX Software
2014-04-12 13:52:15    --------    d-----w-    c:\programdata\QFX Software
2014-04-12 13:42:46    107736    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-04-12 13:42:05    73432    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-04-12 13:42:05    51416    ----a-w-    c:\windows\system32\drivers\mwac.sys
2014-04-12 13:42:05    23256    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-04-12 13:42:05    --------    d-----w-    c:\programdata\Malwarebytes
2014-04-12 13:42:05    --------    d-----w-    c:\program files\Malwarebytes Anti-Malware
2014-04-09 06:23:26    27072    ----a-w-    c:\windows\system32\drivers\Diskdump.sys
2014-04-09 06:23:26    234432    ----a-w-    c:\windows\system32\drivers\msiscsi.sys
2014-04-09 06:23:26    2048    ----a-w-    c:\windows\system32\iologmsg.dll
2014-04-09 06:23:26    149440    ----a-w-    c:\windows\system32\drivers\storport.sys
2014-04-09 06:23:19    1212352    ----a-w-    c:\windows\system32\drivers\ntfs.sys
2014-04-09 06:23:12    2724864    ----a-w-    c:\windows\system32\mshtml.tlb
2014-04-06 17:42:25    765968    ------w-    c:\programdata\microsoft\microsoft antimalware\definition updates\{d46742e5-5cc8-40ee-adab-ded856841b9e}\gapaengine.dll
.
==================== Find3M  ====================
.
2014-03-12 16:21:32    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-03-12 16:21:32    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-03-11 07:52:30    104264    ----a-w-    c:\windows\system32\drivers\NisDrvWFP.sys
2014-03-01 04:10:48    4096    ----a-w-    c:\windows\system32\ieetwcollectorres.dll
2014-03-01 03:52:43    61952    ----a-w-    c:\windows\system32\iesetup.dll
2014-03-01 03:51:53    51200    ----a-w-    c:\windows\system32\ieetwproxystub.dll
2014-03-01 03:38:26    112128    ----a-w-    c:\windows\system32\ieUnatt.exe
2014-03-01 03:38:23    108032    ----a-w-    c:\windows\system32\ieetwcollector.exe
2014-03-01 03:37:35    553472    ----a-w-    c:\windows\system32\jscript9diag.dll
2014-03-01 03:31:30    646144    ----a-w-    c:\windows\system32\MsSpellCheckingFacility.exe
2014-03-01 03:14:15    4244480    ----a-w-    c:\windows\system32\jscript9.dll
2014-03-01 03:00:08    1964032    ----a-w-    c:\windows\system32\inetcpl.cpl
2014-03-01 02:32:16    1820160    ----a-w-    c:\windows\system32\wininet.dll
2014-02-07 01:07:56    2349056    ----a-w-    c:\windows\system32\win32k.sys
2014-02-04 02:04:22    1230336    ----a-w-    c:\windows\system32\WindowsCodecs.dll
2014-02-04 02:04:11    509440    ----a-w-    c:\windows\system32\qedit.dll
2014-01-29 02:06:47    381440    ----a-w-    c:\windows\system32\wer.dll
2014-01-28 02:07:07    185344    ----a-w-    c:\windows\system32\wwansvc.dll
2014-01-24 23:19:42    231960    ----a-w-    c:\windows\system32\drivers\MpFilter.sys
.
============= FINISH: 13:43:43,49 ===============
 



#4 Mako

Mako

  • Malware Response Team
  • 238 posts
  • Gender:Male
  • Location:Belgium
  • Local time:12:35 AM

Posted 20 April 2014 - 04:00 AM

Hi infectedman,

Welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.
My name is Mako and I will be helping you with your computer problems.

Before we begin, please note the following:

  • Please stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • The instructions given are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • If you don't understand something don't hesitate to ask before running the tools.
  • As you may have noticed, I live in Belgium. Due to the time difference it can take up to 24h before I get back to you. Please try to match our commitment to you with your patience.
  • Now let's get started...
    • Did you set up the following proxy knowingly?

      FF - prefs.js: network.proxy.http - 176.73.174.4
      FF - prefs.js: network.proxy.http_port - 808
      FF - prefs.js: network.proxy.type - 2
    • ======Zoek.exe======

      Take action to disable your antivirus and antispyware programs, as they may conflict with Zoek.exe
      >> Info on how to disable your security applications > http://www.bleepingcomputer.com/forums/topic114351.html

      Download zoek.exe to your desktop
      • If Internet Explorer, any other browser, or a security program issues a warning indicating the file is unsafe, please ignore, since it is a false warning.
      Using Zoek.exe
      • On the Desktop, double-click Zoek.exe to start the tool.
        Windows Vista, 7 and 8 users right-click the file and select: Run as Administrator.
        Give the program a few seconds to appear.
      • Copy and paste the following script in the code box:
      • Note: This script is written for usage on this system only, do not use it on any other computer even if the problems are similar.
        filesrcm;
        startupall;
        chromelook;
        firefoxlook;
        skipfix-iedefaults;
        services-list;
        c:\metasp~1\ruby\bin\ruby.exe;i
        
      • Click the "Run script" button and wait patiently.
      • When finished the logfile will be opened in notepad.
      • If a reboot is needed the logfile will be opened after reboot.
      • The zoek-results.log can also be found on your systemdrive.
      • Please post the logfile for further review in your next comment.

Regards,

Mako

 

Member of UNITE Unified Network of Instructors and Trained Eliminators

Noticed any spelling or grammar errors in my reply? Please feel free to point them out to me, I'm always eager to learn. 
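As an added example for this thread (it is not part of the forum post, nor of the DDS or zoek tools), the following Python script pulls out of DDS-style log lines the things a removal helper questions first: the Firefox proxy preferences Mako asks about, the funmoods search/homepage overrides written into user.js, and the UAC policy values in the mPolicies-System lines. The sample lines are copied from the DDS log posted above; the checks and the output format are my own heuristics, and the meaning of the network.proxy.type values is Firefox's own.

```python
"""Triage of DDS-style log lines.

Added example for this thread; not part of DDS, zoek or the forum post.
The sample below is copied from the DDS log above; the checks are my own.
"""
import re

# Constructed sample: lines copied verbatim from the DDS log posted above.
SAMPLE_LOG = """\
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
TCP: NameServer = 192.168.1.1
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: network.proxy.http - 176.73.174.4
FF - prefs.js: network.proxy.http_port - 808
FF - prefs.js: network.proxy.type - 2
FF - user.js: extensions.funmoods.hmpg - true
FF - user.js: extensions.funmoods.dfltSrch - true
FF - user.js: extensions.funmoods.dfltLng -
"""

# Firefox's meaning of the network.proxy.type preference.
PROXY_TYPE = {"0": "none", "1": "manual", "2": "pac-url",
              "4": "auto-detect", "5": "system"}

# UAC registry policies and the value at which each weakens or disables UAC.
UAC_WEAK = {
    "EnableLUA": "0",                   # UAC switched off entirely
    "ConsentPromptBehaviorAdmin": "0",  # administrators elevate with no prompt
    "PromptOnSecureDesktop": "0",       # prompts drawn on the normal desktop
}

# DDS prints Firefox prefs as "FF - prefs.js: <name> - <value>" (value may be
# empty) and policies as "mPolicies-System: <name> = dword:<value>".
FF_PREF_RE = re.compile(r"^FF - (?:prefs|user)\.js: (\S+) -\s*(.*)$")
POLICY_RE = re.compile(r"^[um]Policies-\w+: (\w+) = dword:(\w+)$")


def parse_dds(text):
    """Split DDS log text into a Firefox-prefs dict and a policies dict."""
    prefs, policies = {}, {}
    for line in text.splitlines():
        m = FF_PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
            continue
        m = POLICY_RE.match(line)
        if m:
            policies[m.group(1)] = m.group(2)
    return prefs, policies


def triage(text):
    """Return findings as 'category:detail' strings, in a stable order."""
    prefs, policies = parse_dds(text)
    findings = []

    # 1. A literal proxy host in prefs.js: the line Mako asks about.
    host = prefs.get("network.proxy.http")
    if host:
        port = prefs.get("network.proxy.http_port", "?")
        ptype = PROXY_TYPE.get(prefs.get("network.proxy.type", ""), "unknown")
        findings.append(f"firefox-proxy:{host}:{port}:{ptype}")

    # 2. Homepage / default-search / new-tab overrides set by an extension.
    overrides = sorted({
        key.split(".")[1]
        for key in prefs
        if key.startswith("extensions.")
        and key.split(".")[-1] in ("hmpg", "dfltSrch", "newTab")
    })
    for name in overrides:
        findings.append(f"firefox-search-override:{name}")

    # 3. UAC policies at their weakest value.
    for key, weak in UAC_WEAK.items():
        if policies.get(key) == weak:
            findings.append(f"uac-weakened:{key}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the sample it reports the 176.73.174.4:808 proxy (with type 2, a PAC URL, which is why the explicit host is worth asking about), the funmoods override, and three weakened UAC policies; on a clean log it returns an empty list, which is the check worth keeping when the same script is pointed at a later DDS run.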


#5 infectedman

infectedman
  • Topic Starter

  • Members
  • 9 posts
  • Local time:02:35 AM

Posted 21 April 2014 - 06:21 AM

Hi and thank you for your response.
To start off, I don't remember having anything on my PC related to proxies, except for VPN software I've installed, proXPN. While I was scanning with DDS, however, I did not enable it.

Here's my zoek.exe log


Zoek.exe v5.0.0.0 Updated 14-April-2014
Tool run by George on ƒ¬ 21/04/2014 at 14:03:28,57.
Microsoft Windows 7 Ultimate  6.1.7601 Service Pack 1 x86
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\George\Downloads\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

21/4/2014 2:05:21 μμ Zoek.exe System Restore Point Created Succesfully.

==== File Information Results ======================


==== Services (whitelist) ======================
Powered by E Dev

R2 - [AcuWVSSchedulerv7] - Acunetix WVS Scheduler v7 - C:\Program Files\Acunetix\Web Vulnerability Scanner 7\WVSScheduler7.exe
R2 - [Apple Mobile Device] - Apple Mobile Device - "C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe"
R2 - [Bonjour Service] - Bonjour Service - "C:\Program Files\Bonjour\mDNSResponder.exe"
R2 - [BstHdLogRotatorSvc] - BlueStacks Log Rotator Service - C:\Program Files\BlueStacks\HD-LogRotatorService.exe
R2 - [LkCitadelServer] - Lookout Citadel Server - C:\Windows\system32\lkcitdl.exe
R2 - [lkClassAds] - National Instruments PSP Server Locator - C:\Windows\system32\lkads.exe
R2 - [lkTimeSync] - National Instruments Time Synchronization - C:\Windows\system32\lktsrv.exe
R2 - [MBAMScheduler] - MBAMScheduler - "C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe"
R2 - [MBAMService] - MBAMService - "C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe"
R2 - [MsMpSvc] - Microsoft Antimalware Service - "C:\Program Files\Microsoft Security Client\MsMpEng.exe"
R2 - [niSvcLoc] - NI Service Locator - C:\Windows\system32\nisvcloc.exe -s
R2 - [PassThru Service] - Internet Pass-Through Service - C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
R2 - [wlidsvc] - Windows Live ID Sign-in Assistant - "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE"
R2 - [WMPNetworkSvc] - Υπηρεσία κοινής χρήσης δικτύου του Windows Media Player - "C:\Program Files\Windows Media Player\wmpnetwk.exe"
R2 - [WSearch] - Windows Search - C:\Windows\system32\SearchIndexer.exe /Embedding
R3 - [iPod Service] - Υπηρεσία iPod - "C:\Program Files\iPod\bin\iPodService.exe"
R3 - [NisSrv] - Επιθεώρηση δικτύου της Microsoft - "C:\Program Files\Microsoft Security Client\NisSrv.exe"
R3 - [NMIndexingService] - NMIndexingService - "C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe"
R3 - [VSS] - Σκιώδες αντίγραφο τόμου - C:\Windows\system32\vssvc.exe
S2 - [AdobeARMservice] - Adobe Acrobat Update Service - "C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe"
S2 - [BstHdAndroidSvc] - BlueStacks Android Service - "C:\Program Files\BlueStacks\HD-Service.exe" BstHdAndroidSvc Android
S2 - [clr_optimization_v4.0.30319_32] - Microsoft .NET Framework NGEN v4.0.30319_X86 - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
S2 - [gupdate] - Υπηρεσία Google Update (gupdate) - "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc
S2 - [metasploitPostgreSQL] - metasploitPostgreSQL - C:/METASP~1/POSTGR~1/bin/pg_ctl.exe runservice -N "metasploitPostgreSQL" -D "C:/METASP~1/POSTGR~1/data"
S2 - [metasploitProSvc] - Metasploit Pro Service - C:\METASP~1\ruby\bin\ruby.exe -C "C:\METASP~1\apps\pro\engine" prosvc_service.rb -E production
S2 - [metasploitProSvc-1] - Metasploit Pro Service-1 - C:\METASP~1\ruby\bin\ruby.exe -C "C:\METASP~1\apps\pro\engine" prosvc_service.rb -E production
S2 - [metasploitThin] - Metasploit Thin Service - C:\METASP~1\ruby\bin\ruby.exe -C "C:\METASP~1\apps\pro\ui" thin_service.rb
S2 - [metasploitThin-1] - Metasploit Thin Service-1 - C:\METASP~1\ruby\bin\ruby.exe -C "C:\METASP~1\apps\pro\ui" thin_service.rb
S2 - [NIDomainService] - National Instruments Domain Service - "G:\National Instruments\Shared\Security\nidmsrv.exe"
S2 - [SkypeUpdate] - Skype Updater - "C:\Program Files\Skype\Updater\Updater.exe"
S2 - [sppsvc] - Προστασία λογισμικού - C:\Windows\system32\sppsvc.exe
S3 - [AdobeFlashPlayerUpdateSvc] - Adobe Flash Player Update Service - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
S3 - [ALG] - Υπηρεσία πύλης επιπέδου εφαρμογής - C:\Windows\System32\alg.exe
S3 - [aspnet_state] - ASP.NET State Service - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
S3 - [COMSysApp] - Εφαρμογή συστήματος COM+ - C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
S3 - [ehRecvr] - Υπηρεσία Windows Media Center Receiver - C:\Windows\ehome\ehRecvr.exe
S3 - [ehSched] - Υπηρεσία χρονοδιαγράμματος Windows Media Center - C:\Windows\ehome\ehsched.exe
S3 - [Fax] - Φαξ - C:\Windows\system32\fxssvc.exe
S3 - [FLEXnet Licensing Service] - FLEXnet Licensing Service - "C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe"
S3 - [FontCache3.0.0.0] - Cache γραμματοσειρών Υποδομής Παρουσίασης των Windows 3.0.0.0 - C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
S3 - [gupdatem] - Υπηρεσία Google Update (gupdatem) - "C:\Program Files\Google\Update\GoogleUpdate.exe" /medsvc
S3 - [gusvc] - Google Software Updater - "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
S3 - [IEEtwCollectorService] - Internet Explorer ETW Collector Service - C:\Windows\system32\IEEtwCollector.exe /V
S3 - [Microsoft Office Groove Audit Service] - Microsoft Office Groove Audit Service - "C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe"
S3 - [MozillaMaintenance] - Mozilla Maintenance Service - "C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe"
S3 - [MSDTC] - Συντονισμός κατανεμημένων συναλλαγών - C:\Windows\System32\msdtc.exe
S3 - [msiserver] - Windows Installer - C:\Windows\system32\msiexec.exe /V
S3 - [NBService] - NBService - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
S3 - [odserv] - Microsoft Office Diagnostics Service - "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE"
S3 - [ose] - Office Source Engine - "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
S3 - [rpcapd] - Remote Packet Capture Protocol v.0 (experimental) - "C:\Program Files\WinPcap\rpcapd.exe" -d -f "C:\Program Files\WinPcap\rpcapd.ini"
S3 - [RpcLocator] - Πρόγραμμα εντοπισμού κλήσης απομακρ. διαδικασίας (RPC) - C:\Windows\system32\locator.exe
S3 - [SNMPTRAP] - Παγίδευση SNMP - C:\Windows\System32\snmptrap.exe
S3 - [TrustedInstaller] - Πρόγραμμα Εγκατάστασης λειτουργικών μονάδων των Windows - C:\Windows\servicing\TrustedInstaller.exe
S3 - [vds] - Εικονικός δίσκος - C:\Windows\System32\vds.exe
S3 - [Visual Studio Analyzer RPC bridge] - Visual Studio Analyzer RPC bridge - C:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\varpc.exe
S3 - [WatAdminSvc] - Υπηρεσία Τεχνολογιών ενεργοποίησης των Windows - C:\Windows\system32\Wat\WatAdminSvc.exe
S3 - [wbengine] - Υπηρεσία μηχανισμού δημιουργίας αντιγράφων ασφαλείας σε επίπεδο μπλοκ - "C:\Windows\system32\wbengine.exe"
S3 - [wmiApSrv] - WMI Performance Adapter - C:\Windows\system32\wbem\WmiApSrv.exe
S4 - [clr_optimization_v2.0.50727_32] - Microsoft .NET Framework NGEN v2.0.50727_X86 - C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
S4 - [NILM License Manager] - NILM License Manager - "G:\National Instruments\Shared\License Manager\Bin\lmgrd.exe"

==== Files Recently Created / Modified ======================

====== C:\Windows ====
2014-04-13 14:20:40    F042EE4C8D66248D9B86DCF52ABAE416    256000    ----a-w-    C:\Windows\PEV.exe
2014-04-13 14:20:40    9E05A9C264C8A908A8E79450FCBFF047    80412    ----a-w-    C:\Windows\grep.exe
2014-04-13 14:20:40    5E832F4FAF5F481F2EAF3B3A48F603B8    68096    ----a-w-    C:\Windows\zip.exe
2014-04-13 14:20:40    0297C72529807322B152F517FDB0A9FC    406528    ----a-w-    C:\Windows\SWSC.exe
2014-04-13 14:20:40    0277C027A26428DB64EF4F64F52BB4FD    208896    ----a-w-    C:\Windows\MBR.exe
====== C:\Users\George\AppData\Local\Temp ====
2014-04-13 14:29:02    2F8F1D62382AD78ACEB22C4E22C5EC59    53248    ----a-w-    C:\Users\George\AppData\Local\temp\catchme.dll
====== Java Cache =====
2014-04-12 15:33:43    52CA19332C0B45828C02CB678228EBF4    582569    ----a-w-    C:\Users\George\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\2c6d4440-2c673f27
2014-04-12 15:33:34    22B8C973CADE5146726FAF2083A1E637    432528    ----a-w-    C:\Users\George\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\2c8c54c-5772274d
2014-04-12 15:33:32    C7E3A633A60F72074A3DD90600149C24    29458    ----a-w-    C:\Users\George\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\14\a48e10e-5737b51e
2014-04-12 15:33:32    2941DB0EE7AFEC8BBD8516D205699A65    1541596    ----a-w-    C:\Users\George\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\19\2f083fd3-3d6fceae
2014-04-12 15:33:31    40DAB271BCE5B03DDB418196E1ED15B6    3059    ----a-w-    C:\Users\George\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\5cf48382-4b8a50c8
2014-04-12 15:33:32    529657B94E2DEEA2EC14C4C2726338BE    1671175    ----a-w-    C:\Users\George\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\699c8b5e-73c41082
2014-04-12 15:33:32    EC73988CD783E448AEFA65868500976E    2018397    ----a-w-    C:\Users\George\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35\4b35de23-66cd89ea
2014-04-12 15:34:01    4FF89A65EF2C1BAA8666DE0614D0A627    469    ----a-w-    C:\Users\George\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\4de63de6-27025b7a
2014-04-12 15:33:42    1F35DE86D14D4C4E209E87A55CED14E0    2234324    ----a-w-    C:\Users\George\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\1eecb6c4-2a3ca704
2014-04-12 15:33:49    DBE8A14F24221AFEFC0AA18F5AC6C198    189815    ----a-w-    C:\Users\George\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\7c19f204-17677493
2014-04-12 15:33:42    DBFBC574861522348496EAEA6C390DA6    493129    ----a-w-    C:\Users\George\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46\6d25d8ae-3ea76525
2014-04-12 15:33:37    C5CDD48E5FE7CC892D6617E232A468AA    823736    ----a-w-    C:\Users\George\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\30c473ef-73611cb0
2014-04-12 15:33:33    C11BD23D7F1C55E73E9A346352337311    3238    ----a-w-    C:\Users\George\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\3b54653c-640ed011
2014-04-12 15:34:00    E7FC2A6C91C01B2F87310C16A0A018C7    12862    ----a-w-    C:\Users\George\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\3b54653c-640ed011.ico
2014-04-12 15:33:46    A7363044CBACAE3B411971183482BE11    192539    ----a-w-    C:\Users\George\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\4788ebfd-2160c17c
2014-04-12 15:33:31    40DAB271BCE5B03DDB418196E1ED15B6    3059    ----a-w-    C:\Users\George\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\4fa56afd-2977fe8d
2014-04-12 15:33:31    235BAA29864A724498C9E18FC9277A87    151    ----a-w-    C:\Users\George\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\4fa56afd-6.0.lap
2014-04-12 15:34:01    C46BF6E740145597BE358CC90D53B51B    3800    ----a-w-    C:\Users\George\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\aac77c9-72daef2b
2014-04-12 15:34:00    84DDAC5511DE04A8727C6318020A5482    191    ----a-w-    C:\Users\George\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\appIcon\appIcon.xml
2014-04-12 15:33:31    D41D8CD98F00B204E9800998ECF8427E    0    ----a-w-    C:\Users\George\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\splash\splash.xml
2014-04-04 15:29:05    D41D8CD98F00B204E9800998ECF8427E    0    ----a-w-    C:\Users\George\AppData\LocalLow\Sun\Java\Deployment\SystemCache\6.0\32\6c34baa0-2caaeb07
====== C:\Windows\system32 =====
2014-04-09 06:23:17    F74FFA7654702F81884BDB41EB80DAC2    868352    ----a-w-    C:\Windows\System32\kernel32.dll
2014-04-09 06:23:12    CCF19C82F6145E4A467F7CB9AF82026C    17073152    ----a-w-    C:\Windows\System32\mshtml.dll
2014-04-09 06:23:12    A45A13AAC7777C096A073FF1F4F5A0D5    2724864    ----a-w-    C:\Windows\System32\mshtml.tlb
====== C:\Windows\system32\drivers =====
2014-04-14 08:40:54    661B911FA04E73FB073FF9B1C9BD2E05    107736    ----a-w-    C:\Windows\System32\drivers\48230029.sys
2014-04-12 16:10:45    D9CA77A69473A93E40B7551A7DE425A9    209016    ----a-w-    C:\Windows\System32\drivers\keyscrambler.sys
2014-04-12 13:42:46    661B911FA04E73FB073FF9B1C9BD2E05    107736    ----a-w-    C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-04-12 13:42:05    2BB23932978D623D3D395AEAB1825BF1    73432    ----a-w-    C:\Windows\System32\drivers\mbamchameleon.sys
2014-04-12 13:42:05    18898A87CBA96DEA2074C19E140938A8    51416    ----a-w-    C:\Windows\System32\drivers\mwac.sys
2014-04-12 13:42:05    0C6EA0109CFEDF441F06D031E9A8D1A9    23256    ----a-w-    C:\Windows\System32\drivers\mbam.sys
2014-04-09 06:23:26    F1A449D762657230629D8BFC107ABC14    149440    ----a-w-    C:\Windows\System32\drivers\storport.sys
2014-04-09 06:23:26    EB34CE31FABD4DC4343FD2AD16D2CAF9    234432    ----a-w-    C:\Windows\System32\drivers\msiscsi.sys
2014-04-09 06:23:26    5FB4F271032B6435F3B2252F577A4815    27072    ----a-w-    C:\Windows\System32\drivers\Diskdump.sys
2014-04-09 06:23:19    C8DFF8D07755A66C7A4A738930F0FEAC    1212352    ----a-w-    C:\Windows\System32\drivers\ntfs.sys
====== C:\Windows\Tasks ======
====== C:\Windows\Temp ======
======= C:\Program Files =====
2014-04-14 02:16:19    --------    d-----w-    C:\Program Files\Common Files\Adobe
2014-04-12 22:26:48    --------    d-----w-    C:\Program Files\JAM Software
2014-04-12 16:10:43    --------    d-----w-    C:\Program Files\KeyScrambler
======= C: =====
====== C:\Users\George\AppData\Roaming ======
2014-04-14 02:16:17    --------    d-----w-    C:\Users\George\AppData\Local\Adobe
2014-04-13 14:30:24    --------    d-----w-    C:\Users\Public\AppData\Local\temp
2014-04-13 14:30:24    --------    d-----w-    C:\Users\Default\AppData\Local\temp
2014-04-13 14:30:24    --------    d-----w-    C:\Users\Default User\AppData\Local\temp
2014-04-13 14:30:24    --------    d-----w-    C:\Users\1\AppData\Local\temp
2014-04-13 14:28:55    --------    d-----w-    C:\Users\George\AppData\Local\temp
2014-04-13 14:16:14    --------    d-----w-    C:\Users\George\AppData\Roaming\GetRightToGo
2014-04-12 22:26:57    --------    d-----w-    C:\Users\George\AppData\Roaming\JAM Software
2014-04-12 13:52:15    --------    d-----w-    C:\Users\George\AppData\Roaming\QFX Software
2014-04-11 17:34:38    --------    d-----w-    C:\Users\George\AppData\Roaming\Adobe
====== C:\Users\George ======
2014-04-13 14:44:39    8B968045D75783A09592C3105F2865DA    688992    ------r-    C:\Users\George\Downloads\dds.com
2014-04-13 14:30:24    --------    d-----w-    C:\Users\Public\AppData
2014-04-13 14:30:24    --------    d-----w-    C:\Users\1\AppData
2014-04-13 14:15:43    E1EABF141B1A1952108CE8E393B2FEEC    368256    ----a-w-    C:\Users\George\Downloads\Download_MaxSDDMnew.exe
2014-04-12 22:25:44    38AA5BC65295946ECF99D6C95F537F79    4909680    ----a-w-    C:\Users\George\Downloads\TreeSizeFreeSetup.exe
2014-04-12 16:10:46    --------    d-----w-    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KeyScrambler
2014-04-12 15:44:49    --------    d-----w-    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinDirStat
2014-04-12 15:44:28    3ABF1C149873E25D4E266225FBF37CBF    645729    ----a-w-    C:\Users\George\Downloads\windirstat1_1_2_setup.exe
2014-04-12 15:08:47    788FCDDD88240A85039F7F561093B118    448512    ----a-w-    C:\Users\George\Downloads\TFC.exe
2014-04-12 13:52:15    --------    d-----w-    C:\ProgramData\QFX Software
2014-04-12 13:50:38    80A75F4AB1EB35D78574C95F0FE57A67    1279384    ----a-w-    C:\Users\George\Downloads\KeyScrambler_Setup.exe
2014-04-12 13:39:55    302103AF95A8F43AD85F80DAE14BDB9C    17305616    ----a-w-    C:\Users\George\Downloads\mbam-setup-2.0.1.1004.exe
2014-04-12 11:24:18    A8D868B8CA864E4A42CD43B547170E30    2358584    ----a-w-    C:\Users\George\Downloads\MicroSD_Card_Recovery_Pro_Setup.exe

====== C: exe-files ==
=== C: other files ==
2014-04-19 09:42:59    F005CB53DF80D3FBB7FDD00D41CF66AC    544    ----a-w-    C:\$RECYCLE.BIN\S-1-5-21-2435758532-2327058874-870633547-1000\$INO4RLP.zip
2014-04-14 13:52:00    2C7B04CC249E80EB887FB6D9E4DCA9B5    17478    ------r-    C:\Users\George\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\BHFG01FE\P-LNG-145956_20140414163225.zip

==== Startup Registry Enabled ======================

[HKEY_USERS\S-1-5-21-2435758532-2327058874-870633547-1000\Software\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTAgent.exe -autorun"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
"MSC"="C:\Program Files\Microsoft Security Client\msseces.exe -hide -runkey"
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
"APSDaemon"="C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe /hide /waitservice"
"HTC Sync Loader"="C:\Program Files\HTC\HTC Sync 3.0\htcUPCTLoader.exe -startup"
"IgfxTray"="C:\Windows\system32\igfxtray.exe"
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe"
"Persistence"="C:\Windows\system32\igfxpers.exe"
"BlueStacks Agent"="C:\Program Files\BlueStacks\HD-Agent.exe"
"SunJavaUpdateSched"="C:\Program Files\Common Files\Java\Java Update\jusched.exe"
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"KeyScrambler"="C:\Program Files\KeyScrambler\keyscrambler.exe /a"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTAgent.exe -autorun"

==== Startup Registry Disabled ======================

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Facebook Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Facebook Update"
"hkey"="HKCU"
"command"="\"C:\\Users\\George\\AppData\\Local\\Facebook\\Update\\FacebookUpdate.exe\" /c /nocrashserver"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\googletalk]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="googletalk"
"hkey"="HKCU"
"command"="C:\\Users\\George\\AppData\\Roaming\\Google\\Google Talk\\googletalk.exe /autostart"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Skype]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Skype"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /minimized /regrun"


==== Startup Folders ======================


==== Task Scheduler Jobs ======================

C:\Windows\tasks\Adobe Flash Player Updater.job --a------ C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [12/03/2014 07:21 ££]
C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-2435758532-2327058874-870633547-1000Core.job --a------ C:\Users\George\AppData\Local\Facebook\Update\FacebookUpdate.exe [19/01/2013 11:43 ££]
C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-2435758532-2327058874-870633547-1000UA.job --a------ C:\Users\George\AppData\Local\Facebook\Update\FacebookUpdate.exe [19/01/2013 11:43 ££]
C:\Windows\tasks\GoogleUpdateTaskMachineCore.job --a------ C:\Program Files\Google\Update\GoogleUpdate.exe [02/02/2013 12:03 §£]
C:\Windows\tasks\GoogleUpdateTaskMachineUA.job --a------ C:\Program Files\Google\Update\GoogleUpdate.exe [02/02/2013 12:03 §£]

==== Other Scheduled Tasks ======================

"C:\Windows\system32\tasks\Adobe Flash Player Updater" [C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe]
"C:\Windows\system32\tasks\CreateChoiceProcessTask" [C:\Windows\System32\browserchoice.exe]
"C:\Windows\system32\tasks\FacebookUpdateTaskUserS-1-5-21-2435758532-2327058874-870633547-1000Core" [C:\Users\George\AppData\Local\Facebook\Update\FacebookUpdate.exe]
"C:\Windows\system32\tasks\FacebookUpdateTaskUserS-1-5-21-2435758532-2327058874-870633547-1000UA" [C:\Users\George\AppData\Local\Facebook\Update\FacebookUpdate.exe]
"C:\Windows\system32\tasks\GoogleUpdateTaskMachineCore" [C:\Program Files\Google\Update\GoogleUpdate.exe]
"C:\Windows\system32\tasks\GoogleUpdateTaskMachineUA" [C:\Program Files\Google\Update\GoogleUpdate.exe]
"C:\Windows\system32\tasks\Launch HTC Sync Loader" [C:\Program Files\HTC\HTC Sync 3.0\htcUPCTLoader.exe]
"C:\Windows\system32\tasks\proXPN" ["C:\Program Files\proXPN\bin\proxpn.exe"]
"C:\Windows\system32\tasks\{58665E77-4A62-41C4-B164-57EE366EFE01}" ["c:\program files\internet explorer\iexplore.exe" http://ui.skype.com/ui/0/6.3.0.105/en/abandoninstall?page=tsProgressBar]
"C:\Windows\system32\tasks\{5C3C6F0D-AB6A-4905-94F0-6E69E9494882}" [C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe]
"C:\Windows\system32\tasks\{6E0BD876-F175-4200-A2C3-5854564B409D}" ["c:\program files\internet explorer\iexplore.exe" http://ui.skype.com/ui/0/6.3.0.105/en/abandoninstall?page=tsProgressBar]
"C:\Windows\system32\tasks\Apple\AppleSoftwareUpdate" [C:\Program Files\Apple Software Update\SoftwareUpdate.exe]

==== Firefox Extensions ======================

ProfilePath: C:\Users\George\AppData\Roaming\Mozilla\Firefox\Profiles\c6d7xxfe.default
- Auto Refresh - %ProfilePath%\extensions\autorefresh@plugin.xpi
- TinEye Reverse Image Search - %ProfilePath%\extensions\tineye@ideeinc.com.xpi
- Unseen - %ProfilePath%\extensions\unseen@tangrs.xpi
- Tamper Data - %ProfilePath%\extensions\{9c51bd27-6ed8-4000-a2bf-36cb95c0c947}.xpi
- ProfilePassword-Firefox - %ProfilePath%\extensions\{b9615918-d3de-44a4-ab65-76df7ea1f1c1}.xpi
- Download YouTube Videos as MP4 - %ProfilePath%\extensions\{b9bfaf1c-a63f-47cd-8b9a-29526ced9060}.xpi
- Adblock Plus - %ProfilePath%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
- Greasemonkey - %ProfilePath%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi

AppDir: C:\Program Files\Mozilla Firefox
- Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

==== Firefox Plugins ======================

Profilepath: C:\Users\George\AppData\Roaming\Mozilla\Firefox\Profiles\c6d7xxfe.default
E83B541C71965CFA1DEFF846CD6E9ECD    - C:\Program Files\Google\Update\1.3.23.9\npGoogleUpdate3.dll -    Google Update
95812430959AE88CDD0301AB3A71913B    - C:\Windows\system32\Macromed\Flash\NPSWF32_12_0_0_77.dll -    Shockwave Flash
01D93217A9EE48DD37072B671378CC9C    - C:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll -    Silverlight Plug-In
49CFBB2130C682FFDF2CEBEE9A2D556E    - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll -    iTunes Application Detector
A9191AE22A8F1287B5E2DF33E3A57253    - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll -    Java™ Platform SE 7 U51
9B10927CFD0F7AD39E40C0E34005B1AD    - C:\Program Files\Java\jre7\bin\dtplugin\npdeployJava1.dll -    Java Deployment Toolkit 7.0.510.13
FF0D6F82A0EC13952E83B9439100E45D    - C:\Users\George\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll -    Facebook Video Calling Plugin
5B92CB0A3EEE50F6B9AE036B4F9B0F0C    - C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll -    Google Earth Plugin
F20AB49A381EEC05319A352CBCAB3532    - C:\Users\George\AppData\Local\Pokki\Download Helper\npPokkiDownloadHelper.1.2.0.78.dll -    Pokki Download Helper
3A523765D795DB006C010B915C3A840A    - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll -    Adobe Acrobat
0D80C49D9A4A3E096296C67BD015F614    - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll -    Photo Gallery
28986F0A2342A033345EF9E70D395E4F    - C:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrlui.dll -    Microsoft® Silverlight


==== Chrome Look ======================

YouTube - George\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo
Google Search - George\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf
AdBlock - George\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom
Google Wallet - George\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
Gmail - George\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia

==== IE Start and Search Settings ======================

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{60A65567-A40B-4AA8-8AB4-50C2FD7AC370}"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing  Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR"
{117A4AC5-D842-9984-187C-590599B31BF9} Google  Url="http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}"
{60A65567-A40B-4AA8-8AB4-50C2FD7AC370} Funmoods  Url="http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1QzuyEyEzzyB0F0C0A0B0Ezy0B0DyC0EzztBtN0D0Tzu0CtByEtBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=122666673"

==== C:\zoek_backup content ======================

C:\zoek_backup (files=0 folders=0 0 bytes)

==== EOF on ƒ¬ 21/04/2014 at 14:09:09,61 ======================
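As an added example (my code, not part of this thread and not anything the Zoek or DDS tools do themselves), here is a small Python triage helper for the file-listing sections of a log like the one above. It parses each dated line into timestamp, MD5, size, attribute flags and path, skips the `====` section headers, and flags executables and archives that sit in user-writable locations (Downloads, AppData, temp folders, the recycle bin), which is where a rogue download usually lands and where the listed MD5 is worth looking up before deciding what to delete. The embedded sample is constructed from a handful of lines of the log; the extension and location lists are my own heuristics, not anything the tools use.

```python
"""Flag user-writable executables/archives in a Zoek- or DDS-style file listing."""
import re
from collections import Counter
from pathlib import PureWindowsPath
from typing import Dict, List

# One listing line: "YYYY-MM-DD HH:MM:SS  MD5|--------  [size]  attrs  path".
# Directory lines carry dashes instead of an MD5 and no size column at all.
_LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<md5>[0-9A-Fa-f]{32}|-{8})\s+"
    r"(?:(?P<size>\d+)\s+)?"
    r"(?P<attrs>[-a-z]{8})\s+"
    r"(?P<path>.+?)\s*$"
)

# Heuristics (assumption, not a tool setting): path fragments a standard user can write to,
# and extensions worth a second look when found there.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\$recycle.bin\\", "\\programdata\\")
SUSPECT_EXT = {".exe", ".com", ".scr", ".dll", ".sys", ".zip", ".rar", ".7z",
               ".jar", ".js", ".vbs", ".bat", ".cmd", ".ps1"}

# Constructed sample, modelled on lines from the Zoek log in this thread.
SAMPLE_LISTING = r"""
======= C:\Windows\System32\drivers =====
2014-04-09 06:23:19    C8DFF8D07755A66C7A4A738930F0FEAC    1212352    ----a-w-    C:\Windows\System32\drivers\ntfs.sys
======= C:\Program Files =====
2014-04-14 02:16:19    --------    d-----w-    C:\Program Files\Common Files\Adobe
====== C:\Users\George ======
2014-04-13 14:44:39    8B968045D75783A09592C3105F2865DA    688992    ------r-    C:\Users\George\Downloads\dds.com
2014-04-13 14:15:43    E1EABF141B1A1952108CE8E393B2FEEC    368256    ----a-w-    C:\Users\George\Downloads\Download_MaxSDDMnew.exe
=== C: other files ==
2014-04-19 09:42:59    F005CB53DF80D3FBB7FDD00D41CF66AC    544    ----a-w-    C:\$RECYCLE.BIN\S-1-5-21-2435758532-2327058874-870633547-1000\$INO4RLP.zip
"""


def parse_listing(text: str) -> List[Dict[str, object]]:
    """Turn listing lines into dicts; headers and blank lines are skipped."""
    entries: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        e: Dict[str, object] = m.groupdict()
        e["is_dir"] = str(e["attrs"]).startswith("d")
        e["size"] = None if e["size"] is None else int(str(e["size"]))
        e["md5"] = None if str(e["md5"]).startswith("-") else str(e["md5"]).upper()
        entries.append(e)
    return entries


def flag_entries(entries: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Files with a suspect extension that live under a user-writable location, in log order."""
    flagged = []
    for e in entries:
        if e["is_dir"]:
            continue
        path = str(e["path"])
        ext = PureWindowsPath(path).suffix.lower()
        low = path.lower()
        if ext in SUSPECT_EXT and any(tok in low for tok in USER_WRITABLE):
            flagged.append(e)
    return flagged


def activity_by_day(entries: List[Dict[str, object]]) -> Counter:
    """How many listed objects changed on each day: quick way to spot the day of the incident."""
    return Counter(str(e["ts"])[:10] for e in entries)


if __name__ == "__main__":
    found = parse_listing(SAMPLE_LISTING)
    for e in flag_entries(found):
        print(f"{e['ts']}  {e['md5']}  {e['size']:>8}  {e['path']}")
    print(dict(activity_by_day(found)))
```

Feed it the whole log text and it will ignore everything but the dated listing lines, so it can be run on the raw post as pasted. The MD5 column is what you would submit to a file-reputation lookup; the flagging is only a prioritisation aid, as the log above shows legitimate tools (dds.com, TFC.exe) landing in exactly the same places.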
 



#6 Mako

Mako

  • Malware Response Team
  • 238 posts
  • Gender:Male
  • Location:Belgium
  • Local time:12:35 AM

Posted 21 April 2014 - 07:44 AM

Hello again,
 
Thanks for clearing that out for me :). The IP in the proxy refers to Georgia so I guess we want to get rid of that...

Step 1: ====Zoek.exe====

Start Zoek.exe again.

Take action to disable your antivirus and antispyware programs, as they may conflict with Zoek.exe
>> Info on how to disable your security applications > http://www.bleepingcomputer.com/forums/topic114351.html

Using Zoek.exe
  • On the Desktop, double-click Zoek.exe to start the tool.
    Windows Vista, 7 and 8 users right-click the file and select: Run as Administrator.
    Give the program a few seconds to appear.
  • Copy and paste the following script in the code box:
  • Note: This script is written for usage on this system only, do not use it on any other computer even if the problems are similar.
    autoclean;
    emptyclsid;
    
  • Click the "Run script" button and wait patiently.
  • When finished the logfile will be opened in notepad.
  • If a reboot is needed the logfile will be opened after reboot.
  • The zoek-results.log can also be found on your systemdrive.
  • Please post the logfile for further review in your next comment.
Step 2: ====ProxyFix====

Download ProxyFix to your desktop.
  • Right-click on ProxyFix.zip and select "Extract All".
  • Double-click "ProxyFix.exe" to start the tool.
  • Caution! Windows Vista, 7 and 8 users must start this tool as an administrator. To do so, right-click the tool and select "Run as Administrator".

  • When prompted type "D" and hit Enter.
  • When finished, a notepad file will open. Post the content of this file in your next reply for further review.
Step 3: ====Malwarebytes Anti-Malware (MBAM)====

----------
  • Download Malwarebytes Anti-Malware Free and save it to your desktop
  • Double click the desktop icon, click Run, then OK
  • Click Next
  • Select I accept the agreement then continue to click Next then finally click Install
  • Uncheck Enable free trial of Malwarebytes Anti-Malware Premium if you do not want the free trial of the paid version, then click Finish
  • If you are notified the Database is out of date click Update Now
  • Click Scan Now >>
----------
  • Note: If Malwarebytes will not launch please do the following to launch Malwarebytes Chameleon:
  • Click Start (Start, Search, All files and folders for Windows XP) then type mbam
  • Double click one of the four following files (if one does not work try the next one, and so on) - A black command window will open. Follow those instructions until the Malwarebytes program starts the scan

  • mbam-chameleon.scr
    mbam-chameleon
    mbam-chameleon.exe
    mbam-chameleon.com

    ----------

  • When completed click the down arrow on Export Log and select Text file (*.txt)
  • Save the file to your desktop as MBAM
  • Click Apply Actions then restart your computer if requested
  • Copy and paste the contents of MBAM.txt in your reply

Regards,

Mako

 

Member of UNITE Unified Network of Instructors and Trained Eliminators

Noticed any spelling or grammar errors in my reply? Please feel free to point them out to me, I'm always eager to learn. 


#7 infectedman

infectedman
  • Topic Starter
  • Members
  • 9 posts
  • Local time:02:35 AM

Posted 21 April 2014 - 10:10 AM

ZOEK LOG

Zoek.exe v5.0.0.0 Updated 14-April-2014
Tool run by George on ƒ¬ 21/04/2014 at 17:39:30,46.
Microsoft Windows 7 Ultimate  6.1.7601 Service Pack 1 x86
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\George\Downloads\zoek.exe [Scan all users] [Script inserted]

==== Older Logs ======================

C:\zoek-results2014-04-21-110909.log    25519 bytes

==== Deleting CLSID Registry Keys ======================

HKEY_USERS\S-1-5-21-2435758532-2327058874-870633547-1000\Software\Microsoft\Internet Explorer\SearchScopes\{60A65567-A40B-4AA8-8AB4-50C2FD7AC370} deleted successfully
HKEY_USERS\S-1-5-21-2435758532-2327058874-870633547-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} deleted successfully
HKEY_USERS\S-1-5-21-2435758532-2327058874-870633547-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} deleted successfully
HKEY_CLASSES_ROOT\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} deleted successfully

==== Deleting CLSID Registry Values ======================


==== Deleting Services ======================


==== FireFox Fix ======================

ProfilePath: C:\Users\George\AppData\Roaming\Mozilla\Firefox\Profiles\c6d7xxfe.default

---- Lines funmoods removed from prefs.js ----
user_pref("extensions.funmoods.aflt", "iron2");
user_pref("extensions.funmoods.autoRvrt", false);
user_pref("extensions.funmoods.cntry", "GR");
user_pref("extensions.funmoods.cv", "cv5");
user_pref("extensions.funmoods.dfltLng", "");
user_pref("extensions.funmoods.dfltSrch", true);
user_pref("extensions.funmoods.dnsErr", true);
user_pref("extensions.funmoods.envrmnt", "production");
user_pref("extensions.funmoods.excTlbr", false);
user_pref("extensions.funmoods.hdrMd5", "78584A0D36018698C019CF5F48767C87");
user_pref("extensions.funmoods.hmpg", true);
user_pref("extensions.funmoods.hmpgUrl", "http://start.funmoods.com/?f=1&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1QzuyEyEzzyB0F0C0A0B0Ezy0B0DyC0EzztBtN0D0Tz
user_pref("extensions.funmoods.id", "4487FCABE9BD6E82");
user_pref("extensions.funmoods.instlDay", "15581");
user_pref("extensions.funmoods.instlRef", "iron2");
user_pref("extensions.funmoods.isdcmntcmplt", true);
user_pref("extensions.funmoods.lastVrsnTs", "1.5.23.2217:57:30");
user_pref("extensions.funmoods.mntrvrsn", "1.3.0");
user_pref("extensions.funmoods.newTab", true);
user_pref("extensions.funmoods.newTabUrl", "http://start.funmoods.com/?f=2&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1QzuyEyEzzyB0F0C0A0B0Ezy0B0DyC0EzztBtN0D0
user_pref("extensions.funmoods.prdct", "funmoods");
user_pref("extensions.funmoods.prtnrId", "funmoods");
user_pref("extensions.funmoods.sg", "none");
user_pref("extensions.funmoods.smplGrp", "none");
user_pref("extensions.funmoods.srchPrvdr", "Search");
user_pref("extensions.funmoods.tlbrId", "base");
user_pref("extensions.funmoods.tlbrSrchUrl", "http://start.funmoods.com/?f=3&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1QzuyEyEzzyB0F0C0A0B0Ezy0B0DyC0EzztBtN0
user_pref("extensions.funmoods.vrsn", "1.5.23.22");
user_pref("extensions.funmoods.vrsnTs", "1.5.23.2217:57:30");
user_pref("extensions.funmoods.vrsni", "1.5.23.22");
user_pref("extensions.funmoods_i.newTab", true);
user_pref("extensions.funmoods_i.smplGrp", "none");
user_pref("extensions.funmoods_i.vrsnTs", "1.5.23.2217:57:30");
---- Lines funmoods removed from user.js ----

user_pref("extensions.funmoods.hmpg", true);
user_pref("extensions.funmoods.hmpgUrl", "http://start.funmoods.com/?f=1&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1QzuyEyEzzyB0F0C0A0B0Ezy0B0DyC0EzztBtN0D0Tzu0CtByEtBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=122666673");
user_pref("extensions.funmoods.dfltSrch", true);
user_pref("extensions.funmoods.srchPrvdr", "Search");
user_pref("extensions.funmoods.dnsErr", true);
user_pref("extensions.funmoods_i.newTab", true);
user_pref("extensions.funmoods.newTabUrl", "http://start.funmoods.com/?f=2&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1QzuyEyEzzyB0F0C0A0B0Ezy0B0DyC0EzztBtN0D0Tzu0CtByEtBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=122666673");
user_pref("extensions.funmoods.tlbrSrchUrl", "http://start.funmoods.com/?f=3&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1QzuyEyEzzyB0F0C0A0B0Ezy0B0DyC0EzztBtN0D0Tzu0CtByEtBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=122666673&q=");
user_pref("extensions.funmoods.id", "4487FCABE9BD6E82");
user_pref("extensions.funmoods.instlDay", "15581");
user_pref("extensions.funmoods.vrsn", "1.5.23.22");
user_pref("extensions.funmoods.vrsni", "1.5.23.22");
user_pref("extensions.funmoods_i.vrsnTs", "1.5.23.2217:57:30");
user_pref("extensions.funmoods.prtnrId", "funmoods");
user_pref("extensions.funmoods.prdct", "funmoods");
user_pref("extensions.funmoods.aflt", "iron2");
user_pref("extensions.funmoods_i.smplGrp", "none");
user_pref("extensions.funmoods.tlbrId", "base");
user_pref("extensions.funmoods.instlRef", "iron2");
user_pref("extensions.funmoods.dfltLng", "");
user_pref("extensions.funmoods.excTlbr", false);
user_pref("extensions.funmoods.autoRvrt", false);
user_pref("extensions.funmoods.envrmnt", "production");
user_pref("extensions.funmoods.isdcmntcmplt", true);
user_pref("extensions.funmoods.mntrvrsn", "1.3.0");

---- FireFox user.js and prefs.js backups ----

user_20142104_0549_.backup
prefs_20142104_0549_.backup

==== Deleting Files \ Folders ======================

C:\Users\George\AppData\Roaming\Thinstall deleted
C:\Users\George\AppData\Roaming\GetRightToGo deleted
C:\PROGRA~2\boost_interprocess deleted
C:\Users\George\AppData\Local\funmoods-speeddial.crx deleted
C:\Users\George\AppData\Local\Thinstall deleted
C:\Users\George\AppData\Local\Pokki deleted
C:\Users\George\AppData\Roaming\Mozilla\Firefox\Profiles\c6d7xxfe.default\foxydeal.sqlite deleted
C:\Users\George\AppData\Roaming\Mozilla\Firefox\Profiles\c6d7xxfe.default\jetpack deleted
"C:\Users\George\AppData\Roaming\tor\lock" deleted
"C:\Users\George\AppData\Roaming\tor\state" deleted
"C:\Users\George\AppData\Roaming\tor" deleted

==== Firefox Extensions ======================

ProfilePath: C:\Users\George\AppData\Roaming\Mozilla\Firefox\Profiles\c6d7xxfe.default
- Auto Refresh - %ProfilePath%\extensions\autorefresh@plugin.xpi
- TinEye Reverse Image Search - %ProfilePath%\extensions\tineye@ideeinc.com.xpi
- Unseen - %ProfilePath%\extensions\unseen@tangrs.xpi
- Tamper Data - %ProfilePath%\extensions\{9c51bd27-6ed8-4000-a2bf-36cb95c0c947}.xpi
- ProfilePassword-Firefox - %ProfilePath%\extensions\{b9615918-d3de-44a4-ab65-76df7ea1f1c1}.xpi
- Download YouTube Videos as MP4 - %ProfilePath%\extensions\{b9bfaf1c-a63f-47cd-8b9a-29526ced9060}.xpi
- Adblock Plus - %ProfilePath%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
- Greasemonkey - %ProfilePath%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi

AppDir: C:\Program Files\Mozilla Firefox
- Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

==== Firefox Plugins ======================

Profilepath: C:\Users\George\AppData\Roaming\Mozilla\Firefox\Profiles\c6d7xxfe.default
E83B541C71965CFA1DEFF846CD6E9ECD    - C:\Program Files\Google\Update\1.3.23.9\npGoogleUpdate3.dll -    Google Update
95812430959AE88CDD0301AB3A71913B    - C:\Windows\system32\Macromed\Flash\NPSWF32_12_0_0_77.dll -    Shockwave Flash
01D93217A9EE48DD37072B671378CC9C    - C:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll -    Silverlight Plug-In
49CFBB2130C682FFDF2CEBEE9A2D556E    - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll -    iTunes Application Detector
A9191AE22A8F1287B5E2DF33E3A57253    - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll -    Java™ Platform SE 7 U51
9B10927CFD0F7AD39E40C0E34005B1AD    - C:\Program Files\Java\jre7\bin\dtplugin\npdeployJava1.dll -    Java Deployment Toolkit 7.0.510.13
FF0D6F82A0EC13952E83B9439100E45D    - C:\Users\George\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll -    Facebook Video Calling Plugin
5B92CB0A3EEE50F6B9AE036B4F9B0F0C    - C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll -    Google Earth Plugin
3A523765D795DB006C010B915C3A840A    - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll -    Adobe Acrobat
0D80C49D9A4A3E096296C67BD015F614    - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll -    Photo Gallery
28986F0A2342A033345EF9E70D395E4F    - C:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrlui.dll -    Microsoft® Silverlight


==== Chrome Look ======================

AdBlock - George\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{60A65567-A40B-4AA8-8AB4-50C2FD7AC370}"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{60A65567-A40B-4AA8-8AB4-50C2FD7AC370}] not found

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://go.microsoft.com/fwlink/?LinkId=69157"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing  Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR"
{117A4AC5-D842-9984-187C-590599B31BF9} Google  Url="http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}"
{6A1806CD-94D4-4689-BA73-E35EA1EA9990} Google  Url="http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}"

==== Empty IE Cache ======================

C:\Users\George\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\George\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully

==== Empty FireFox Cache ======================

C:\Users\George\AppData\Local\Mozilla\Firefox\Profiles\c6d7xxfe.default\Cache emptied successfully

==== Empty Chrome Cache ======================

C:\Users\George\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

Java Cache cleared successfully

==== C:\zoek_backup content ======================

C:\zoek_backup (files=65 folders=49 111302701 bytes)

==== Empty Temp Folders ======================

C:\Users\1\AppData\Local\temp emptied successfully
C:\Users\Default\AppData\Local\temp emptied successfully
C:\Users\Default User\AppData\Local\temp emptied successfully
C:\Users\George\AppData\Local\temp will be emptied at reboot
C:\Users\Public\AppData\Local\temp emptied successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\Windows\Temp successfully emptied
C:\Users\George\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== EOF on ƒ¬ 21/04/2014 at 17:53:29,89 ======================




PROXYFIX LOG

ProxyFix v 2.1 © by Maxstar
ƒ¬ 21/04/2014 - 17:54:54,76
Microsoft Windows 7 Ultimate  6.1.7601 Service Pack 1  


----------Internet Explorer----------
"ProxyEnable"=dword:00000000
"ProxyServer"="0"

----------Firefox----------

----------E.O.F----------


MBAM LOG

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 21/4/2014
Scan Time: 6:05:29 μμ
Logfile: mbam.txt
Administrator: Yes

Version: 2.00.1.1004
Malware Database: v2014.04.21.04
Rootkit Database: v2014.03.27.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Chameleon: Disabled

OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: George

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 259364
Time Elapsed: 8 min, 21 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Shuriken: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
PUP.Riskware.Patcher, C:\Users\George\Downloads\sHaRewbb_kscrmble3203.rar, , [d91f46e6384341f5153173941ee3bd43],

Physical Sectors: 0
(No malicious items detected)


(end)



#8 Mako

Mako

  • Malware Response Team
  • 238 posts
  • Gender:Male
  • Location:Belgium
  • Local time:12:35 AM

Posted 21 April 2014 - 10:44 AM

Hi infectedman,

I'm not entirely sure the proxy fix for Firefox worked. Can you please check the following for me?

  • Open your Firefox browser
  • On the top left corner of the opened Mozilla Firefox interface, click the Firefox button.
  • On the displayed menu, go to Options > Options.
  • On the opened Options box, click to select the Advanced icon.
  • On the Advanced interface, go to the Network tab.
  • Under the Connection section, click the Settings button.
  • On the opened Connection Settings box, click to select the No Proxy configuration radio button.

Now let's do some further checkups:

Step 1: ====Zoek.exe====

Start Zoek.exe again.

Take action to disable your antivirus and antispyware programs, as they may conflict with Zoek.exe
>> Info on how to disable your security applications > http://www.bleepingcomputer.com/forums/topic114351.html

Using Zoek.exe

  • On the Desktop, double-click Zoek.exe to start the tool.
    Windows Vista, 7 and 8 users right-click the file and select: Run as Administrator.
    Give the program a few seconds to appear.
  • Copy and paste the following script in the code box:
  • Note: This script is written for usage on this system only, do not use it on any other computer even if the problems are similar.
    Unseen;firefoxfix;
    Auto Refresh;firefoxfix;
    Download YouTube Videos as MP4;firefoxfix;
    
  • Click the "Run script" button and wait patiently.
  • When finished the logfile will be opened in notepad.
  • If a reboot is needed the logfile will be opened after reboot.
  • The zoek-results.log can also be found on your systemdrive.
  • Please post the logfile for further review in your next comment.

 

Step 2: ====TDSSKiller====

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Attach this file to your next reply.

Regards,

Mako

 

Member of UNITE Unified Network of Instructors and Trained Eliminators

Noticed any spelling or grammar errors in my reply? Please feel free to point them out to me, I'm always eager to learn. 


#9 infectedman

infectedman
  • Topic Starter
  • Members
  • 9 posts
  • Local time:02:35 AM

Posted 21 April 2014 - 10:45 AM

Forgot to clear up that the file MBAM is a false positive and in my opinion, is not related to the virus that runs on my PC.

#10 infectedman

infectedman
  • Topic Starter
  • Members
  • 9 posts
  • Local time:02:35 AM

Posted 21 April 2014 - 11:58 AM

TDSSKiller found nothing. I'm attaching the 3rd Zoek log. (I've also ticked the No Proxy selection on Firefox as you instructed.)


Zoek.exe v5.0.0.0 Updated 14-April-2014
Tool run by George on ƒ¬ 21/04/2014 at 19:47:42,29.
Microsoft Windows 7 Ultimate  6.1.7601 Service Pack 1 x86
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\George\Downloads\zoek.exe [Scan all users] [Script inserted]

==== Older Logs ======================

C:\zoek-results2014-04-21-110909.log    25519 bytes
C:\zoek-results2014-04-21-145329.log    12137 bytes

==== Deleting Files \ Folders ======================


==== C:\zoek_backup content ======================

C:\zoek_backup (files=65 folders=49 111302701 bytes)

==== EOF on ƒ¬ 21/04/2014 at 19:48:53,32 ======================



#11 Mako

Mako

  • Malware Response Team
  • 238 posts
  • Gender:Male
  • Location:Belgium
  • Local time:12:35 AM

Posted 21 April 2014 - 02:39 PM

Good evening,

It seems like I've made a mistake in my previous Zoek.exe script. My apologies.
Can you run Zoek.exe again with the following script, please?

:step1: ====Zoek.exe====

Start Zoek.exe again.

Take action to disable your antivirus and antispyware programs, as they may conflict with Zoek.exe
>> Info on how to disable your security applications > http://www.bleepingcomputer.com/forums/topic114351.html

Using Zoek.exe

  • On the Desktop, double-click Zoek.exe to start the tool.
    Windows Vista, 7 and 8 users right-click the file and select: Run as Administrator.
    Give the program a few seconds to appear.
  • Copy and paste the following script in the code box:
  • Note: This script is written for usage on this system only, do not use it on any other computer even if the problems are similar.
    Unseen;firefoxlook;
    Auto Refresh;firefoxlook;
    Download YouTube Videos as MP4;firefoxlook;
    autorefresh@plugin.xpi;ff
    unseen@tangrs.xpi;ff
    {b9bfaf1c-a63f-47cd-8b9a-29526ced9060}.xpi;ff
    {b9bfaf1c-a63f-47cd-8b9a-29526ced9060};c
    
  • Click the "Run script" button and wait patiently.
  • When finished the logfile will be opened in notepad.
  • If a reboot is needed the logfile will be opened after reboot.
  • The zoek-results.log can also be found on your systemdrive.
  • Please post the logfile for further review in your next comment.

:step2: ====ComboFix====

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.


Regards,

Mako




#12 infectedman

infectedman
  • Topic Starter

  • Members
  • 9 posts
  • Local time:02:35 AM

Posted 21 April 2014 - 04:09 PM

Don't even bother to ask sorry, the fact that you are helping me is one thing that I really appreciate.

Here are the logs:

ZOEK

Zoek.exe v5.0.0.0 Updated 14-April-2014
Tool run by George on ƒ¬ 21/04/2014 at 23:50:34,86.
Microsoft Windows 7 Ultimate  6.1.7601 Service Pack 1 x86
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\George\Downloads\zoek.exe [Scan all users] [Script inserted]

==== Older Logs ======================

C:\zoek-results2014-04-21-110909.log    25519 bytes
C:\zoek-results2014-04-21-145329.log    12137 bytes
C:\zoek-results2014-04-21-164853.log    668 bytes

==== Deleting CLSID Registry Keys ======================


==== Deleting CLSID Registry Values ======================


==== FireFox Fix ======================

ProfilePath: C:\Users\George\AppData\Roaming\Mozilla\Firefox\Profiles\c6d7xxfe.default

user.js not found
---- Lines autorefresh@plugin.xpi modified from prefs.js ----

user_pref("extensions.installCache", "[{\"name\":\"app-global\",\"addons\":{\"{972ce4c6-7e08-4474-a285-3208198ce6fd}\":{\"descriptor\":\"C:\\\\Program
---- Lines unseen@tangrs.xpi removed from prefs.js ----
user_pref("extensions.bootstrappedAddons", "{\"unseen@tangrs\":{\"version\":\"0.1\",\"type\":\"extension\",\"descriptor\":\"C:\\\\Users\\\\George\\\\A
---- Lines unseen@tangrs.xpi modified from prefs.js ----

user_pref("extensions.installCache", "[{\"name\":\"app-global\",\"addons\":{\"{972ce4c6-7e08-4474-a285-3208198ce6fd}\":{\"descriptor\":\"C:\\\\Program
---- Lines {b9bfaf1c-a63f-47cd-8b9a-29526ced9060}.xpi modified from prefs.js ----

user_pref("extensions.installCache", "[{\"name\":\"app-global\",\"addons\":{\"{972ce4c6-7e08-4474-a285-3208198ce6fd}\":{\"descriptor\":\"C:\\\\Program
---- FireFox user.js and prefs.js backups ----

prefs_20142104_1151_.backup

==== Deleting Files \ Folders ======================

C:\Users\George\AppData\Roaming\Mozilla\Firefox\Profiles\c6d7xxfe.default\extensions\autorefresh@plugin.xpi deleted
"C:\Users\George\AppData\Roaming\Mozilla\Firefox\Profiles\c6d7xxfe.default\extensions\unseen@tangrs.xpi" deleted
"C:\Users\George\AppData\Roaming\Mozilla\Firefox\Profiles\c6d7xxfe.default\extensions\{b9bfaf1c-a63f-47cd-8b9a-29526ced9060}.xpi" deleted

==== Firefox Extensions ======================

ProfilePath: C:\Users\George\AppData\Roaming\Mozilla\Firefox\Profiles\c6d7xxfe.default
- TinEye Reverse Image Search - %ProfilePath%\extensions\tineye@ideeinc.com.xpi
- Tamper Data - %ProfilePath%\extensions\{9c51bd27-6ed8-4000-a2bf-36cb95c0c947}.xpi
- ProfilePassword-Firefox - %ProfilePath%\extensions\{b9615918-d3de-44a4-ab65-76df7ea1f1c1}.xpi
- Adblock Plus - %ProfilePath%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
- Greasemonkey - %ProfilePath%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi

AppDir: C:\Program Files\Mozilla Firefox
- Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

==== Firefox Plugins ======================

Profilepath: C:\Users\George\AppData\Roaming\Mozilla\Firefox\Profiles\c6d7xxfe.default
E83B541C71965CFA1DEFF846CD6E9ECD    - C:\Program Files\Google\Update\1.3.23.9\npGoogleUpdate3.dll -    Google Update
95812430959AE88CDD0301AB3A71913B    - C:\Windows\system32\Macromed\Flash\NPSWF32_12_0_0_77.dll -    Shockwave Flash
01D93217A9EE48DD37072B671378CC9C    - C:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll -    Silverlight Plug-In
49CFBB2130C682FFDF2CEBEE9A2D556E    - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll -    iTunes Application Detector
A9191AE22A8F1287B5E2DF33E3A57253    - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll -    Java™ Platform SE 7 U51
9B10927CFD0F7AD39E40C0E34005B1AD    - C:\Program Files\Java\jre7\bin\dtplugin\npdeployJava1.dll -    Java Deployment Toolkit 7.0.510.13
FF0D6F82A0EC13952E83B9439100E45D    - C:\Users\George\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll -    Facebook Video Calling Plugin
5B92CB0A3EEE50F6B9AE036B4F9B0F0C    - C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll -    Google Earth Plugin
3A523765D795DB006C010B915C3A840A    - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll -    Adobe Acrobat
0D80C49D9A4A3E096296C67BD015F614    - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll -    Photo Gallery
28986F0A2342A033345EF9E70D395E4F    - C:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrlui.dll -    Microsoft® Silverlight


==== C:\zoek_backup content ======================

C:\zoek_backup (files=69 folders=49 111391879 bytes)

==== EOF on ƒ¬ 21/04/2014 at 23:51:59,13 ======================




COMBOFIX
ComboFix 14-04-12.01 - George 21/04/2014  23:55:11.2.2 - x86
Microsoft Windows 7 Ultimate   6.1.7601.1.1253.30.1033.18.3293.2044 [GMT 3:00]
Running from: c:\users\George\Downloads\ComboFix.exe
AV: ESET NOD32 Antivirus 5.0 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: ESET NOD32 Antivirus 5.0 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2014-03-21 to 2014-04-21  )))))))))))))))))))))))))))))))
.
.
2014-04-21 21:02 . 2014-04-21 21:02    --------    d-----w-    c:\users\Default\AppData\Local\temp
2014-04-21 20:40 . 2014-04-21 20:40    --------    d-----w-    C:\Python27
2014-04-21 20:16 . 2014-04-21 20:16    --------    d-----w-    c:\users\George\.idlerc
2014-04-21 14:53 . 2014-04-21 14:53    39464    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8E6C3411-ED9A-4301-9979-4B31E3894A94}\MpKsla04bf3d8.sys
2014-04-21 14:52 . 2014-04-21 21:02    --------    d-----w-    c:\users\George\AppData\Local\Temp
2014-04-21 11:03 . 2014-04-21 20:51    --------    d-----w-    C:\zoek_backup
2014-04-21 08:25 . 2014-04-16 09:25    8050496    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8E6C3411-ED9A-4301-9979-4B31E3894A94}\mpengine.dll
2014-04-19 22:42 . 2014-02-24 08:51    765968    ------w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4217E814-FB74-43EE-A12A-A4023DF2ED77}\gapaengine.dll
2014-04-19 22:42 . 2014-04-16 09:25    8050496    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-04-14 08:40 . 2014-04-14 08:40    107736    ----a-w-    c:\windows\system32\drivers\48230029.sys
2014-04-14 02:16 . 2014-04-14 02:16    --------    d-----w-    c:\program files\Common Files\Adobe
2014-04-14 02:16 . 2014-04-14 02:16    --------    d-----w-    c:\users\George\AppData\Local\Adobe
2014-04-12 22:26 . 2014-04-12 22:26    --------    d-----w-    c:\users\George\AppData\Roaming\JAM Software
2014-04-12 22:26 . 2014-04-12 22:26    --------    d-----w-    c:\program files\JAM Software
2014-04-12 16:10 . 2013-05-31 14:53    209016    ----a-w-    c:\windows\system32\drivers\keyscrambler.sys
2014-04-12 16:10 . 2014-04-12 16:12    --------    d-----w-    c:\program files\KeyScrambler
2014-04-12 13:52 . 2014-04-12 13:52    --------    d-----w-    c:\users\George\AppData\Roaming\QFX Software
2014-04-12 13:52 . 2014-04-12 13:52    --------    d-----w-    c:\programdata\QFX Software
2014-04-12 13:42 . 2014-04-21 14:54    107736    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-04-12 13:42 . 2014-04-12 13:42    --------    d-----w-    c:\program files\Malwarebytes Anti-Malware
2014-04-12 13:42 . 2014-04-12 13:42    --------    d-----w-    c:\programdata\Malwarebytes
2014-04-12 13:42 . 2014-04-03 06:51    51416    ----a-w-    c:\windows\system32\drivers\mwac.sys
2014-04-12 13:42 . 2014-04-03 06:51    73432    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-04-12 13:42 . 2014-04-03 06:50    23256    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-04-09 06:23 . 2014-02-04 02:07    149440    ----a-w-    c:\windows\system32\drivers\storport.sys
2014-04-09 06:23 . 2014-02-04 02:07    234432    ----a-w-    c:\windows\system32\drivers\msiscsi.sys
2014-04-09 06:23 . 2014-02-04 02:07    27072    ----a-w-    c:\windows\system32\drivers\Diskdump.sys
2014-04-09 06:23 . 2014-02-04 02:00    2048    ----a-w-    c:\windows\system32\iologmsg.dll
2014-04-09 06:23 . 2014-01-24 02:18    1212352    ----a-w-    c:\windows\system32\drivers\ntfs.sys
2014-04-09 06:23 . 2014-03-31 00:13    2724864    ----a-w-    c:\windows\system32\mshtml.tlb
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-03-12 16:21 . 2012-06-26 12:29    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-03-12 16:21 . 2012-06-26 12:29    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-03-11 07:52 . 2012-03-20 17:44    104264    ----a-w-    c:\windows\system32\drivers\NisDrvWFP.sys
2014-03-01 04:10 . 2014-03-14 00:02    4096    ----a-w-    c:\windows\system32\ieetwcollectorres.dll
2014-03-01 03:52 . 2014-03-14 00:02    61952    ----a-w-    c:\windows\system32\iesetup.dll
2014-03-01 03:51 . 2014-03-14 00:02    51200    ----a-w-    c:\windows\system32\ieetwproxystub.dll
2014-03-01 03:38 . 2014-03-14 00:02    112128    ----a-w-    c:\windows\system32\ieUnatt.exe
2014-03-01 03:38 . 2014-03-14 00:02    108032    ----a-w-    c:\windows\system32\ieetwcollector.exe
2014-03-01 03:37 . 2014-03-14 00:02    553472    ----a-w-    c:\windows\system32\jscript9diag.dll
2014-03-01 03:31 . 2014-03-14 00:02    646144    ----a-w-    c:\windows\system32\MsSpellCheckingFacility.exe
2014-03-01 03:14 . 2014-03-14 00:02    4244480    ----a-w-    c:\windows\system32\jscript9.dll
2014-03-01 03:00 . 2014-03-14 00:02    1964032    ----a-w-    c:\windows\system32\inetcpl.cpl
2014-03-01 02:32 . 2014-03-14 00:02    1820160    ----a-w-    c:\windows\system32\wininet.dll
2014-02-24 08:51 . 2012-07-04 07:18    765968    ------w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2014-02-07 01:07 . 2014-03-13 23:59    2349056    ----a-w-    c:\windows\system32\win32k.sys
2014-02-04 02:04 . 2014-03-13 23:59    1230336    ----a-w-    c:\windows\system32\WindowsCodecs.dll
2014-02-04 02:04 . 2014-03-14 00:02    509440    ----a-w-    c:\windows\system32\qedit.dll
2014-01-29 02:06 . 2014-03-13 23:59    381440    ----a-w-    c:\windows\system32\wer.dll
2014-01-28 02:07 . 2014-03-13 23:59    185344    ----a-w-    c:\windows\system32\wwansvc.dll
2014-01-24 23:19 . 2014-01-24 23:19    231960    ----a-w-    c:\windows\system32\drivers\MpFilter.sys
2008-12-10 12:50 . 2008-12-10 12:50    118784    ----a-w-    c:\program files\internet explorer\plugins\LV86ActiveXControl.dll
2010-05-25 10:43 . 2010-05-25 10:43    158720    ----a-w-    c:\program files\internet explorer\plugins\LV90ActiveXControl.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTAgent.exe" [2012-10-23 3108480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-03-11 951576]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-02-05 43848]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2011-09-22 3080264]
"HTC Sync Loader"="c:\program files\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2012-12-12 655360]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-11-13 138784]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-11-13 172064]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-11-13 173600]
"BlueStacks Agent"="c:\program files\BlueStacks\HD-Agent.exe" [2013-09-19 606024]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2014-02-06 152392]
"KeyScrambler"="c:\program files\KeyScrambler\keyscrambler.exe" [2013-07-14 508048]
.
c:\users\George\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Απόσπασμα οθόνης και Εκκίνηση για το OneNote 2007.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux9"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\prwntdrv]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Facebook Update]
2013-01-19 20:43    138096    ----atw-    c:\users\George\AppData\Local\Facebook\Update\FacebookUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22    3739648    ----a-w-    c:\users\George\AppData\Roaming\Google\Google Talk\googletalk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2014-02-10 15:46    20922016    ----a-r-    c:\program files\Skype\Phone\Skype.exe
.
R2 BstHdAndroidSvc;BlueStacks Android Service;c:\program files\BlueStacks\HD-Service.exe BstHdAndroidSvc Android [x]
R2 metasploitPostgreSQL;metasploitPostgreSQL;C:/METASP~1/POSTGR~1/bin/pg_ctl.exe runservice -N metasploitPostgreSQL -D C:/METASP~1/POSTGR~1/data [x]
R2 metasploitProSvc-1;Metasploit Pro Service-1;c:\metasp~1\ruby\bin\ruby.exe [x]
R2 metasploitProSvc;Metasploit Pro Service;c:\metasp~1\ruby\bin\ruby.exe [x]
R2 metasploitThin-1;Metasploit Thin Service-1;c:\metasp~1\ruby\bin\ruby.exe [x]
R2 metasploitThin;Metasploit Thin Service;c:\metasp~1\ruby\bin\ruby.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2013-10-23 172192]
R3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [2009-10-26 25088]
R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\DRIVERS\htcnprot.sys [2012-12-07 23040]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2014-03-01 108032]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2014-03-11 104264]
R3 NisSrv;Επιθεώρηση δικτύου της Microsoft;c:\program files\Microsoft Security Client\NisSrv.exe [2014-03-11 279776]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2013-03-01 36600]
R3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2013-01-11 15576]
R3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2013-01-11 10200]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-19 15872]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-19 52224]
R3 tsusbhub;tsusbhub; [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2013-03-08 242240]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2011-08-04 118104]
S2 AcuWVSSchedulerv7;Acunetix WVS Scheduler v7;c:\program files\Acunetix\Web Vulnerability Scanner 7\WVSScheduler7.exe [2010-09-21 674104]
S2 BstHdDrv;BlueStacks Hypervisor;c:\program files\BlueStacks\HD-Hypervisor-x86.sys [2013-09-19 63816]
S2 BstHdLogRotatorSvc;BlueStacks Log Rotator Service;c:\program files\BlueStacks\HD-LogRotatorService.exe [2013-09-19 384840]
S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2011-08-09 163424]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2011-09-22 974944]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [2011-08-04 103112]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes Anti-Malware\mbamscheduler.exe [2014-04-03 1809720]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes Anti-Malware\mbamservice.exe [2014-04-03 857912]
S2 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [2012-12-07 167424]
S3 InputFilter_Hid_FlexDef2b;Siliten HID Devices(FlexDef2b) Driver Service;c:\windows\system32\DRIVERS\InputFilter_FlexDef2b.sys [2010-06-18 14848]
S3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2013-05-31 209016]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-04-03 23256]
S3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2014-04-03 51416]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-03-01 139776]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 82981583
*NewlyCreated* - MBAMSWISSARMY
*NewlyCreated* - MBAMWEBACCESSCONTROL
*NewlyCreated* - MPKSLA04BF3D8
*Deregistered* - 82981583
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-04-10 22:02    1077576    ----a-w-    c:\program files\Google\Chrome\Application\34.0.1847.116\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-04-21 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-26 16:21]
.
2014-04-21 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2435758532-2327058874-870633547-1000Core.job
- c:\users\George\AppData\Local\Facebook\Update\FacebookUpdate.exe [2013-01-19 20:43]
.
2014-04-21 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2435758532-2327058874-870633547-1000UA.job
- c:\users\George\AppData\Local\Facebook\Update\FacebookUpdate.exe [2013-01-19 20:43]
.
2014-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-02-01 21:03]
.
2014-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-02-01 21:03]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 0
IE: E&ξαγωγή στο Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Sothink Flash Downloader For IE - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
Trusted Zone: localhost
Trusted Zone: localhost
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\George\AppData\Roaming\Mozilla\Firefox\Profiles\c6d7xxfe.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-PokkiDownloadHelper - c:\users\George\AppData\Local\Pokki\Download Helper\PokkiDownloadHelper.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\metasploitPostgreSQL]
"ImagePath"="C:/METASP~1/POSTGR~1/bin/pg_ctl.exe runservice -N \"metasploitPostgreSQL\" -D \"C:/METASP~1/POSTGR~1/data\""
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\metasploitPostgreSQL]
"ImagePath"="C:/METASP~1/POSTGR~1/bin/pg_ctl.exe runservice -N \"metasploitPostgreSQL\" -D \"C:/METASP~1/POSTGR~1/data\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2435758532-2327058874-870633547-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*‘]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-2435758532-2327058874-870633547-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*‘\OpenWithList]
@Class="Shell"
"a"="firefox.exe"
"MRUList"="a"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-04-22  00:03:48
ComboFix-quarantined-files.txt  2014-04-21 21:03
ComboFix2.txt  2014-04-13 14:30
.
Pre-Run: 7.605.878.784 διαθέσιμα byte
Post-Run: 7.549.595.648 διαθέσιμα byte
.
- - End Of File - - 015E95BBF9E7E04B9F74E74EA3AD2C88
A36C5E4F47E84449FF07ED3517B43A31
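To show what a helper actually reads out of a ComboFix log like the one above, here is an added Python example; it is not part of this thread, of ComboFix or of any tool the thread uses, and the function names are my own. It works on a constructed excerpt whose lines are copied from the log above (the policies\system block, three service lines and the Pre-Run/Post-Run figures), pulls out the UAC policy values, lists the service and driver entries, flags the ones where ComboFix printed [x] instead of a file date and size, and converts the free-space figures into a byte delta.

```python
import re

# Constructed sample input: a few lines copied from the ComboFix log posted
# in this thread, so the parser can run offline. Not a fresh log from any machine.
SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2013-10-23 172192]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2011-09-22 974944]
.
Pre-Run: 7.605.878.784 διαθέσιμα byte
Post-Run: 7.549.595.648 διαθέσιμα byte
"""

# "EnableLUA"= 0 (0x0)  ->  name, decimal value, hex value
POLICY_RE = re.compile(r'^"([^"]+)"=\s*(-?\d+)\s*\(0x[0-9A-Fa-f]+\)')

# R2 name;display name;image path [YYYY-MM-DD size]   or   [x] when no date/size recorded
SERVICE_RE = re.compile(
    r'^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[(x|\d{4}-\d{2}-\d{2} \d+)\]\s*$'
)


def parse_uac_policy(log):
    """Return {value_name: int} from the policies\\system block of a ComboFix log."""
    values = {}
    in_block = False
    for line in log.splitlines():
        if line.startswith("[") and line.lower().endswith(r"policies\system]"):
            in_block = True
            continue
        if in_block:
            if line.strip() == ".":  # ComboFix separates blocks with a lone dot
                break
            m = POLICY_RE.match(line)
            if m:
                values[m.group(1)] = int(m.group(2))
    return values


def uac_findings(policy):
    """Plain-language notes on the UAC settings that weaken the admin account."""
    findings = []
    if policy.get("EnableLUA") == 0:
        findings.append("EnableLUA=0: UAC is off, every process of an administrator account runs fully elevated")
    elif policy.get("ConsentPromptBehaviorAdmin") == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: administrators elevate without any prompt")
    if policy.get("PromptOnSecureDesktop") == 0:
        findings.append("PromptOnSecureDesktop=0: elevation prompts are not shown on the secure desktop")
    return findings


def parse_services(log):
    """Return one dict per R*/S* service or driver line."""
    services = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            state, name, display, path, stamp = m.groups()
            services.append({
                "state": state, "name": name, "display": display, "path": path,
                "file_stat_missing": stamp == "x",  # [x]: ComboFix recorded no date/size
            })
    return services


def services_without_file_stat(log):
    """Names of entries ComboFix marked [x]; these deserve a manual look at the path."""
    return [s["name"] for s in parse_services(log) if s["file_stat_missing"]]


def free_space_delta(log):
    """(pre_bytes, post_bytes, post - pre) from the Pre-Run/Post-Run lines.
    The figures use dots as thousands separators, so all non-digits are stripped."""
    found = {}
    for line in log.splitlines():
        m = re.match(r'^(Pre|Post)-Run:\s*([\d.,]+)', line)
        if m:
            found[m.group(1)] = int(re.sub(r"\D", "", m.group(2)))
    pre, post = found["Pre"], found["Post"]
    return pre, post, post - pre


if __name__ == "__main__":
    for note in uac_findings(parse_uac_policy(SAMPLE_LOG)):
        print("UAC:", note)
    print("entries without file date/size:", services_without_file_stat(SAMPLE_LOG))
    print("free space pre/post/delta:", free_space_delta(SAMPLE_LOG))
```

On the log above this reports EnableLUA=0, which means User Account Control is switched off on the machine and is worth re-enabling independently of the disk-space problem, and it shows that the free space moved by roughly 56 MB between ComboFix's Pre-Run and Post-Run measurements; the [x] entries (here Synth3dVsc) are simply the ones to check by hand, not findings in themselves.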



#13 Mako

Mako

  • Malware Response Team
  • 238 posts
  • Gender:Male
  • Location:Belgium
  • Local time:12:35 AM

Posted 22 April 2014 - 03:58 PM

Greetings infectedman,

One more general check-up before we dig into the specified hard disk volume issue.
How is the computer behaving now? Is your free disk space still shrinking day by day?

====Farbar Recovery Scan Tool (FRST)====

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Right-click FRST then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • When finished, it will produce a log called FRST.txt in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.

Note 2: The first time the tool is run it generates another log (Addition.txt - also located in the same directory the tool was run from). Please also paste that, along with the FRST.txt into your next reply.
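The question above, whether the free space is still shrinking, is easiest to answer by measuring rather than watching the Explorer window. Here is an added Python example that is not part of this thread or of any of the tools it uses: it takes a snapshot of the total bytes under every directory of a tree, takes a second one later, and reports which directories grew and by how much. The function names and the constructed temporary tree in demo() are my own; on a real machine you would call snapshot_dir_sizes() on the drive root from an elevated prompt, save the result, and repeat it some hours later.

```python
import os
import tempfile


def snapshot_dir_sizes(root):
    """Map every directory under root (root included) to the total size in bytes
    of the files below it, recursively. Unreadable files are skipped, not fatal."""
    sizes = {}
    # topdown=False visits children before their parent, so a parent's total
    # can be built from the subdirectory totals already in `sizes`.
    for dirpath, dirnames, filenames in os.walk(root, topdown=False):
        total = 0
        for name in filenames:
            try:
                total += os.lstat(os.path.join(dirpath, name)).st_size
            except OSError:
                continue  # permission denied, file vanished between listing and stat
        for name in dirnames:
            total += sizes.get(os.path.join(dirpath, name), 0)
        sizes[dirpath] = total
    return sizes


def growth_report(before, after, min_growth=0):
    """(path, delta_bytes) for directories whose total rose by more than
    min_growth between the two snapshots, largest growth first. Directories
    that only appear in `after` count from zero."""
    deltas = []
    for path, size in after.items():
        delta = size - before.get(path, 0)
        if delta > min_growth:
            deltas.append((path, delta))
    deltas.sort(key=lambda item: item[1], reverse=True)
    return deltas


def demo():
    """Constructed tree: one folder stays quiet, one quietly grows between snapshots.
    Returns the growth report with paths relative to the temporary root."""
    with tempfile.TemporaryDirectory() as root:
        quiet = os.path.join(root, "quiet")
        noisy = os.path.join(root, "noisy", "sub")
        os.makedirs(quiet)
        os.makedirs(noisy)
        with open(os.path.join(quiet, "a.bin"), "wb") as f:
            f.write(b"x" * 100)
        before = snapshot_dir_sizes(root)
        # Something writes 5000 bytes into noisy/sub after the first snapshot.
        with open(os.path.join(noisy, "junk.bin"), "wb") as f:
            f.write(b"y" * 5000)
        after = snapshot_dir_sizes(root)
        return [(os.path.relpath(path, root), delta)
                for path, delta in growth_report(before, after)]


if __name__ == "__main__":
    for path, delta in demo():
        print(f"{delta:>10} bytes  {path}")
```

The growth shows up on the directory that received the file and on every ancestor up to the root, so the deepest entry with the full delta is the one to open. Two caveats a practitioner should keep in mind: space held by Volume Shadow Copies, and by files the running account cannot read, never appears in these totals, so a flat report does not rule those out, and a process that writes and deletes a large file between the two snapshots is invisible to this method and needs live monitoring instead.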


Regards,

Mako




#14 Mako

Mako

  • Malware Response Team
  • 238 posts
  • Gender:Male
  • Location:Belgium
  • Local time:12:35 AM

Posted 25 April 2014 - 07:19 AM

Hello,


You're still with me...? :hello:


Regards,

Mako




#15 Mako

Mako

  • Malware Response Team
  • 238 posts
  • Gender:Male
  • Location:Belgium
  • Local time:12:35 AM

Posted 27 April 2014 - 04:09 AM

Hello infectedman,


If you haven't replied within the next 24h I'll have to close this topic.


Regards,

Mako






