Spyware Keylogger text message spoofing after ugly divorce


  • This topic is locked
9 replies to this topic

#1 stepitup


Posted 08 May 2014 - 07:58 PM

Just finished up a very ugly dissolution of marriage; given the circumstances and the tactics that were used by the other party, I am taking this issue seriously.

 

Currently someone is using some type of multi spyware on my network, computers and printers attached, my daughter's devices, and my cell phones. The issues started out with the person using very amateur text spoofing apps such as TigerText or similar along with keyloggers and impersonating my friends, family, and co-workers through text messages. This was pretty easy to detect and figure out.

 

However, things have advanced and the nature of whatever spyware or virus is being used is very difficult to get figured out and removed. I have narrowed down a few things and figured out some of it, but it is far out of my limited knowledge. It also seems to sync all of my devices and networked items together. It has been logging my keystrokes, scans all of my storage and uploads copies of all my personal data, photos, etc. When I print it uploads copies of the printed items. It's very intrusive.

 

I believe it was deployed by a script that was embedded into either a photo from a text message or an attachment in an email. It appears to use Google+, Picasa and Gmail as its main way to upload logs and data. A weird and almost unnoticeable profile picture on my Google+ account was somehow attached that looks like a 1x1 pixel dot.

 

The scariest issue is that it appears to have taken over Internet Explorer and any other browser I use and has installed what appears to be a theme with redirect links in the favorite site menu that redirects me to some type of website that appears to try and set me up for going to this site and capture a photo of my screen and log my info. I get redirected to these sites by clicking on random areas of my screen, not just the actual favorites tabs or links. It looks like some type of iframe that is not seen or on my screen.

 

It also appears to have installed certificates for these redirect links saying each site is in good standing. I have deleted, and marked as fraudulent, all of the certificates, but the moment I close my browser or restart my comp, the certificates come back showing as good status.

 

I have found some of the script through the admin panel when visiting Gmail and a couple of the other redirects showing some of the behavior of collecting the keystrokes and how it is using Google Apps to dispense the info through RSS feeds. I was able to track some of it down to about 24 different .DLL files related to IE.

 

I have tried a few AV and anti-hijack programs but have not been successful. They have found a few small items in prior scans but nothing major and definitely not what I have explained above.

 

Any help I can get would be very much appreciated, as this is a pretty serious issue and involving law enforcement is probably imminent. Being able to show exactly what this is, what it is doing and how it had to be removed could be very helpful.

Thanks in advance.

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17041  BrowserJavaVersion: 10.55.2
Run by Derek at 18:01:23 on 2014-05-08
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3559.2476 [GMT -6:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\TODDSrv.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Conexant\SAII\SmartAudio.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:Tabs
uSearch Bar = Preserve
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
EB: F12 Developer Tools: {28BCCB9A-E66B-463C-82A4-09F320DE94D7} - C:\Program Files (x86)\Internet Explorer\F12Tools.dll
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe" MSRun
mRun: [Malwarebytes Anti-Exploit] C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe
mRun: [ControlCenter4] C:\Program Files (x86)\ControlCenter4\BrCcBoot.exe /autorun
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
TCP: NameServer = 192.168.2.1
TCP: Interfaces\{5CFCB905-1A8A-46F7-85F1-F77CA97BF06C} : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{5CFCB905-1A8A-46F7-85F1-F77CA97BF06C}\2496A5A79596E44784568496A5A79523 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{5CFCB905-1A8A-46F7-85F1-F77CA97BF06C}\24C6E613036495A41303E223 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{5CFCB905-1A8A-46F7-85F1-F77CA97BF06C}\26C61637476627F6D64786560716374723 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{5CFCB905-1A8A-46F7-85F1-F77CA97BF06C}\348627F6D6563616374703939333 : DHCPNameServer = 192.168.255.249
TCP: Interfaces\{5CFCB905-1A8A-46F7-85F1-F77CA97BF06C}\35475607F467562725566756273756849647E4564723 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{5CFCB905-1A8A-46F7-85F1-F77CA97BF06C}\35475607F6675627255667562737563586F64714C6C6E4564723 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{5CFCB905-1A8A-46F7-85F1-F77CA97BF06C}\B4162727967616E637E244F6A4F6 : DHCPNameServer = 192.168.2.1
Filter: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\AMD\SteadyVideo\VideoMIMEFilter.dll
Filter: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\AMD\SteadyVideo\VideoMIMEFilter.dll
SSODL: WebCheck - <orphaned>
x64-mStart Page = www.google.com
x64-Run: [TCrdMain] C:\Program Files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
x64-Run: [cAudioFilterAgent] C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t
x64-Run: [TPwrMain] C:\Program Files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
x64-Filter: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll
x64-Filter: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Derek\AppData\Roaming\Mozilla\Firefox\Profiles\gp0nap2m.default\
FF - prefs.js: browser.search.selectedEngine - Startpage (SSL)
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_13_0_0_206.dll
.
============= SERVICES / DRIVERS ===============
.
R0 amd_sata;amd_sata;C:\Windows\System32\drivers\amd_sata.sys [2013-6-27 82240]
R0 amd_xata;amd_xata;C:\Windows\System32\drivers\amd_xata.sys [2013-6-27 42304]
R1 ESProtectionDriver;Malwarebytes Anti-Exploit;C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.sys [2014-5-3 62168]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2013-11-29 239616]
R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2013-11-29 344064]
R2 AODDriver4.2.0;AODDriver4.2.0;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\aoddriver2.sys [2013-9-20 59648]
R2 MbaeSvc;Malwarebytes Anti-Exploit Service;C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe [2014-5-3 319288]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2014-5-3 418376]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2014-5-3 701512]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2013-9-24 94208]
R3 BtFilter;Bluetooth LowerFilter Class Filter Driver;C:\Windows\System32\drivers\btfilter.sys [2012-4-5 46192]
R3 L1C;NDIS Miniport Driver for Atheros AR81xx PCI-E Ethernet Controller;C:\Windows\System32\drivers\L1C62x64.sys [2014-1-10 103536]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2014-5-3 25928]
R3 PGEffect;Pangu effect driver;C:\Windows\System32\drivers\PGEffect.sys [2013-9-26 38096]
R3 QIOMem;Generic IO & Memory Access;C:\Windows\System32\drivers\QIOMem.sys [2009-6-15 12800]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\System32\drivers\usbfilter.sys [2013-9-28 58536]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);C:\Windows\System32\drivers\ssudbus.sys [2014-1-22 108800]
S3 libusb0;libusb-win32 - Kernel Driver 09/19/2011 1.2.5.0;C:\Windows\System32\drivers\libusb0.sys [2013-12-26 52320]
S3 libusbK;libusbK USB Driver 10/03/2011 - 3.0.4.0;C:\Windows\System32\drivers\libusbK.sys [2013-12-26 47200]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-9-26 19456]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2013-9-26 250984]
S3 RSUSBVSTOR;RTSUVSTOR.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\rtsuvstor.sys [2013-9-26 307304]
S3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);C:\Windows\System32\drivers\ssudmdm.sys [2014-1-22 206080]
S3 SWDUMon;SWDUMon;C:\Windows\System32\drivers\SWDUMon.sys [2014-1-10 16152]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-11-15 56832]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2013-9-26 30208]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2014-5-8 1255736]
S3 WSDScan;WSD Scan Support via UMB;C:\Windows\System32\drivers\WSDScan.sys [2009-7-13 25088]
S4 IEEtwCollectorService;IEEtwCollectorService;C:\Windows\System32\ieetwcollector.exe [2014-4-9 111616]
.
=============== Created Last 30 ================
.
2014-05-08 16:03:48    --------    d-----w-    C:\Windows\SysWow64\Wat
2014-05-08 16:03:48    --------    d-----w-    C:\Windows\System32\Wat
2014-05-08 15:11:56    --------    d-----w-    C:\Users\Derek\AppData\Local\ElevatedDiagnostics
2014-05-08 13:57:48    --------    d-----w-    C:\Users\Derek\AppData\Local\Apps
2014-05-08 13:22:23    --------    d-sh--w-    C:\Users\Derek\AppData\Local\EmieUserList
2014-05-08 13:22:23    --------    d-sh--w-    C:\Users\Derek\AppData\Local\EmieSiteList
2014-05-08 03:21:55    --------    d-----w-    C:\Windows\System32\catroot2
2014-05-08 01:29:31    --------    d-----w-    C:\RegBackup
2014-05-07 02:09:15    10651704    ----a-w-    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2014-05-07 02:09:10    10651704    ----a-w-    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{0C4CC9DC-A8FA-4D84-81A9-225EB262BCFD}\mpengine.dll
2014-05-06 14:22:15    --------    d-----w-    C:\Users\Derek\AppData\Roaming\ControlCenter4
2014-05-06 14:19:10    --------    d-----w-    C:\Windows\System32\user
2014-05-06 14:18:40    180224    ----a-w-    C:\Windows\SysWow64\BROSNMP.DLL
2014-05-06 14:18:39    73728    ------w-    C:\Windows\SysWow64\BrDctF2.dll
2014-05-06 14:18:39    5120    ------w-    C:\Windows\SysWow64\BrDctF2S.dll
2014-05-06 14:18:39    5120    ------w-    C:\Windows\SysWow64\BrDctF2L.dll
2014-05-06 14:18:39    245760    ------w-    C:\Windows\SysWow64\NSSearch.dll
2014-05-06 10:27:10    --------    d-s---w-    C:\Windows\System32\CompatTel
2014-05-06 09:42:58    465408    ----a-w-    C:\Windows\System32\aepdu.dll
2014-05-06 09:42:58    424448    ----a-w-    C:\Windows\System32\aeinv.dll
2014-05-03 07:54:41    --------    d-----w-    C:\Program Files (x86)\Malwarebytes Anti-Exploit
2014-05-03 07:41:18    25928    ----a-w-    C:\Windows\System32\drivers\mbam.sys
2014-05-03 07:41:18    --------    d-----w-    C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-05-03 03:41:01    --------    d-----w-    C:\Program Files (x86)\Tweaking.com
2014-05-03 03:07:54    2724864    ----a-w-    C:\Windows\SysWow64\mshtml.tlb
2014-05-03 03:07:54    2724864    ----a-w-    C:\Windows\System32\mshtml.tlb
2014-05-02 07:33:50    --------    d-sh--w-    C:\$RECYCLE.BIN
2014-05-02 07:33:35    --------    d-----w-    C:\Users\Derek\AppData\Local\temp
2014-05-02 06:45:14    --------    d-----w-    C:\Users\Derek\AppData\Local\CrashDumps
2014-05-02 05:35:15    98816    ----a-w-    C:\Windows\sed.exe
2014-05-02 05:35:15    256000    ----a-w-    C:\Windows\PEV.exe
2014-05-02 05:35:15    208896    ----a-w-    C:\Windows\MBR.exe
2014-05-01 10:53:12    --------    d-----w-    C:\Program Files (x86)\KeyCryptSDK
2014-04-28 05:41:17    96168    ----a-w-    C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2014-04-28 05:15:51    --------    d-----w-    C:\Users\Derek\AppData\Local\Mozilla
2014-04-27 05:30:56    --------    d-----w-    C:\ProgramData\eBay
2014-04-27 05:30:56    --------    d-----w-    C:\Program Files (x86)\eBay
2014-04-24 08:50:34    --------    d-----w-    C:\Users\Derek\AppData\Roaming\CoffeeCup Software
2014-04-23 04:54:16    --------    d-----w-    C:\Users\Derek\AppData\Roaming\FLEXnet
2014-04-23 04:46:10    --------    d-----w-    C:\Program Files (x86)\MSXML 4.0
2014-04-22 19:23:24    --------    d-----w-    C:\ProgramData\Oracle
2014-04-22 05:52:31    --------    d-----w-    C:\ProgramData\ControlCenter4
2014-04-22 05:52:25    --------    d-----w-    C:\Program Files (x86)\ControlCenter4
2014-04-22 05:52:09    --------    d-----w-    C:\Program Files (x86)\Brother
2014-04-21 09:56:14    --------    d-----w-    C:\Program Files\Defraggler
2014-04-16 22:07:50    49152    ----a-w-    C:\Windows\SysWow64\inetwh32.dll
2014-04-16 22:07:50    1044480    ----a-w-    C:\Windows\SysWow64\roboex32.dll
2014-04-12 22:13:01    --------    d-----w-    C:\Windows\System32\wbem\repository
2014-04-12 01:54:27    --------    d-----w-    C:\Users\Derek\AppData\Roaming\ProductData
2014-04-09 07:59:12    --------    d-----w-    C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-04-09 03:57:47    27584    ----a-w-    C:\Windows\System32\drivers\Diskdump.sys
.
==================== Find3M  ====================
.
2014-04-29 08:40:25    70832    ----a-w-    C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-04-29 08:40:25    692400    ----a-w-    C:\Windows\SysWow64\FlashPlayerApp.exe
2014-03-31 15:35:08    270496    ------w-    C:\Windows\System32\MpSigStub.exe
2014-03-06 08:59:04    66048    ----a-w-    C:\Windows\System32\iesetup.dll
2014-03-06 08:57:34    548352    ----a-w-    C:\Windows\System32\vbscript.dll
2014-03-06 08:57:20    48640    ----a-w-    C:\Windows\System32\ieetwproxystub.dll
2014-03-06 08:29:40    139264    ----a-w-    C:\Windows\System32\ieUnatt.exe
2014-03-06 08:29:14    111616    ----a-w-    C:\Windows\System32\ieetwcollector.exe
2014-03-06 08:28:15    752640    ----a-w-    C:\Windows\System32\jscript9diag.dll
2014-03-06 08:15:54    940032    ----a-w-    C:\Windows\System32\MsSpellCheckingFacility.exe
2014-03-06 08:02:34    61952    ----a-w-    C:\Windows\SysWow64\iesetup.dll
2014-03-06 08:02:33    455168    ----a-w-    C:\Windows\SysWow64\vbscript.dll
2014-03-06 08:01:01    51200    ----a-w-    C:\Windows\SysWow64\ieetwproxystub.dll
2014-03-06 07:56:43    38400    ----a-w-    C:\Windows\System32\JavaScriptCollectionAgent.dll
2014-03-06 07:46:36    4254720    ----a-w-    C:\Windows\SysWow64\jscript9.dll
2014-03-06 07:38:13    112128    ----a-w-    C:\Windows\SysWow64\ieUnatt.exe
2014-03-06 07:36:40    592896    ----a-w-    C:\Windows\SysWow64\jscript9diag.dll
2014-03-06 07:13:43    32256    ----a-w-    C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
2014-03-06 07:11:15    2043904    ----a-w-    C:\Windows\System32\inetcpl.cpl
2014-03-06 06:40:39    1967104    ----a-w-    C:\Windows\SysWow64\inetcpl.cpl
2014-03-06 06:22:40    2260480    ----a-w-    C:\Windows\System32\wininet.dll
2014-03-06 05:41:49    1789440    ----a-w-    C:\Windows\SysWow64\wininet.dll
2014-03-04 09:44:21    362496    ----a-w-    C:\Windows\System32\wow64win.dll
2014-03-04 09:44:21    243712    ----a-w-    C:\Windows\System32\wow64.dll
2014-03-04 09:44:21    13312    ----a-w-    C:\Windows\System32\wow64cpu.dll
2014-03-04 09:44:03    16384    ----a-w-    C:\Windows\System32\ntvdm64.dll
2014-03-04 09:17:19    14336    ----a-w-    C:\Windows\SysWow64\ntvdm64.dll
2014-03-04 09:17:05    44032    ----a-w-    C:\Windows\apppatch\acwow64.dll
2014-03-04 09:16:54    25600    ----a-w-    C:\Windows\SysWow64\setup16.exe
2014-03-04 09:16:18    5120    ----a-w-    C:\Windows\SysWow64\wow32.dll
2014-03-04 08:09:30    7680    ----a-w-    C:\Windows\SysWow64\instnm.exe
2014-03-04 08:09:29    2048    ----a-w-    C:\Windows\SysWow64\user.exe
.
============= FINISH: 18:02:13.97 ===============
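The DDS report above is a plain-text format, and the first thing a helper usually does with a second run is compare it with the first. The following Python script is an added example, not DDS's or BleepingComputer's code: it parses the SERVICES / DRIVERS lines and the BHO/EB/Filter lines with a CLSID from two short excerpts constructed from the 8 May log above and the 13 May log posted later in this thread, and reports services that appeared or disappeared, services whose state letter changed, and CLSID entries whose backing file is now reported as `<no file>`. The regular expressions, function names and the excerpts are my own assumptions about the line grammar, inferred only from the two posted logs.

```python
"""Parse and diff two DDS-style scan logs.

Added example for this thread; it is not DDS's or BleepingComputer's code.
The line grammar (service/driver lines, BHO/EB/Filter lines) is inferred
from the two logs posted in the thread, and the excerpts below are
constructed from those logs, trimmed to a handful of lines.
"""
import re
from typing import Dict, Tuple

# "R2 name;display name;path [date size]"  (SERVICES / DRIVERS section)
SERVICE_RE = re.compile(
    r'^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);'
    r'(?P<path>.+?)\s+\[(?P<date>[\d-]+)\s+(?P<size>\d+)\]$')
# "BHO: label: {CLSID} - target"  (Pseudo HJT Report section)
CLSID_ENTRY_RE = re.compile(
    r'^(?P<kind>BHO|EB|Filter|x64-Filter):\s*(?P<label>.+?)\s+-\s+(?P<target>.+)$')
CLSID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')

# Constructed excerpt of the 8 May log (assumed sample input).
LOG_MAY08 = r"""
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
EB: F12 Developer Tools: {28BCCB9A-E66B-463C-82A4-09F320DE94D7} - C:\Program Files (x86)\Internet Explorer\F12Tools.dll
R1 ESProtectionDriver;Malwarebytes Anti-Exploit;C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.sys [2014-5-3 62168]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2014-5-3 701512]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2014-5-8 1255736]
"""
# Constructed excerpt of the 13 May log (assumed sample input).
LOG_MAY13 = r"""
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - LocalServer32 - <no file>
EB: F12 Developer Tools: {28BCCB9A-E66B-463C-82A4-09F320DE94D7} - LocalServer32 - <no file>
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S3 cleanhlp;cleanhlp;C:\EEK\Run\cleanhlp64.sys [2014-5-9 57024]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2014-5-8 1255736]
"""


def parse_log(text: str) -> Tuple[Dict[str, dict], Dict[Tuple[str, str], dict]]:
    """Return (services keyed by service name, CLSID entries keyed by (kind, CLSID))."""
    services: Dict[str, dict] = {}
    entries: Dict[Tuple[str, str], dict] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SERVICE_RE.match(line)
        if m:
            services[m['name']] = {'state': m['state'], 'display': m['display'],
                                   'path': m['path'], 'size': int(m['size'])}
            continue
        m = CLSID_ENTRY_RE.match(line)
        if m:
            # Key on the CLSID when present so the entry matches across runs
            # even if DDS prints the label slightly differently.
            c = CLSID_RE.search(line)
            key = (m['kind'], c.group(0).upper() if c else m['label'])
            entries[key] = {'label': m['label'], 'target': m['target'],
                            'missing': '<no file>' in m['target']}
    return services, entries


def diff_logs(old_text: str, new_text: str) -> Dict[str, list]:
    """Summarise what changed between an older and a newer DDS log."""
    old_svc, old_ent = parse_log(old_text)
    new_svc, new_ent = parse_log(new_text)
    common_svc = set(old_svc) & set(new_svc)
    common_ent = set(old_ent) & set(new_ent)
    return {
        'added_services': sorted(set(new_svc) - set(old_svc)),
        'removed_services': sorted(set(old_svc) - set(new_svc)),
        'state_changes': sorted((n, old_svc[n]['state'], new_svc[n]['state'])
                                for n in common_svc
                                if old_svc[n]['state'] != new_svc[n]['state']),
        # Entries that pointed at a real file in the old run but read <no file> now.
        'lost_file': sorted(f'{k[0]} {k[1]}' for k in common_ent
                            if new_ent[k]['missing'] and not old_ent[k]['missing']),
    }


if __name__ == '__main__':
    for section, items in diff_logs(LOG_MAY08, LOG_MAY13).items():
        print(section)
        for item in items:
            print('   ', item)
```

A difference between two runs is a lead, not a verdict: a service that vanished may simply reflect software the user removed between runs, and a `<no file>` entry is a broken registration to check against what is actually installed, so each item in the report still needs to be looked at on its own.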
 


#2 HelpBot


Posted 13 May 2014 - 08:00 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/533723 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 stepitup


Posted 14 May 2014 - 12:52 AM

Here is the new DDS Log. Windows 7 64 is my OS.

 

I have not attempted much to remove it; however, on top of the description in my first post, I believe it has installed some type of virtual area through Microsoft SharePoint and is using an enterprise program from a company named Newsoft. I have limited abilities and can't install, uninstall or hardly do anything.

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17041  BrowserJavaVersion: 10.55.2
Run by Derek at 23:41:00 on 2014-05-13
#Option Extended Search is enabled.
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3559.2557 [GMT -6:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\TODDSrv.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = Preserve
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - LocalServer32 - <no file>
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - LocalServer32 - <no file>
EB: F12 Developer Tools: {28BCCB9A-E66B-463C-82A4-09F320DE94D7} - LocalServer32 - <no file>
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe" MSRun
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
TCP: NameServer = 192.168.2.1
TCP: Interfaces\{5CFCB905-1A8A-46F7-85F1-F77CA97BF06C} : NameServer = 192.168.2.1
TCP: Interfaces\{5CFCB905-1A8A-46F7-85F1-F77CA97BF06C} : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{5CFCB905-1A8A-46F7-85F1-F77CA97BF06C}\2496A5A79596E44784568496A5A79523 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{5CFCB905-1A8A-46F7-85F1-F77CA97BF06C}\26C61637476627F6D64786560716374723 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{5CFCB905-1A8A-46F7-85F1-F77CA97BF06C}\35475607F467562725566756273756849647E4564723 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{5CFCB905-1A8A-46F7-85F1-F77CA97BF06C}\B4162727967616E637E244F6A4F6 : DHCPNameServer = 192.168.2.1
Filter: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - LocalServer32 - <no file>
Filter: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - LocalServer32 - <no file>
SSODL: WebCheck - <orphaned>
CLSID: {603D3801-BD81-11d0-A3A5-00C04FD706EC} - <is not referencing any dll>
x64-Run: [TCrdMain] C:\Program Files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
x64-Run: [cAudioFilterAgent] C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t
x64-Run: [TPwrMain] C:\Program Files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
x64-Filter: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll
x64-Filter: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Derek\AppData\Roaming\Mozilla\Firefox\Profiles\bykg17j5.default\
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_13_0_0_206.dll
.
============= SERVICES / DRIVERS ===============
.
R0 amd_sata;amd_sata;C:\Windows\System32\drivers\amd_sata.sys [2013-6-27 82240]
R0 amd_xata;amd_xata;C:\Windows\System32\drivers\amd_xata.sys [2013-6-27 42304]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2013-11-29 239616]
R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2013-11-29 344064]
R2 AODDriver4.2.0;AODDriver4.2.0;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\aoddriver2.sys [2013-9-20 59648]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2013-9-24 94208]
R3 BtFilter;Bluetooth LowerFilter Class Filter Driver;C:\Windows\System32\drivers\btfilter.sys [2012-4-5 46192]
R3 QIOMem;Generic IO & Memory Access;C:\Windows\System32\drivers\QIOMem.sys [2009-6-15 12800]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\System32\drivers\usbfilter.sys [2013-9-28 58536]
S3 cleanhlp;cleanhlp;C:\EEK\Run\cleanhlp64.sys [2014-5-9 57024]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);C:\Windows\System32\drivers\ssudbus.sys [2014-1-22 108800]
S3 L1C;NDIS Miniport Driver for Atheros AR81xx PCI-E Ethernet Controller;C:\Windows\System32\drivers\L1C62x64.sys [2014-1-10 103536]
S3 libusb0;libusb-win32 - Kernel Driver 09/19/2011 1.2.5.0;C:\Windows\System32\drivers\libusb0.sys [2013-12-26 52320]
S3 libusbK;libusbK USB Driver 10/03/2011 - 3.0.4.0;C:\Windows\System32\drivers\libusbK.sys [2013-12-26 47200]
S3 PGEffect;Pangu effect driver;C:\Windows\System32\drivers\PGEffect.sys [2013-9-26 38096]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-9-26 19456]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2013-9-26 250984]
S3 RSUSBVSTOR;RTSUVSTOR.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\rtsuvstor.sys [2013-9-26 307304]
S3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);C:\Windows\System32\drivers\ssudmdm.sys [2014-1-22 206080]
S3 SWDUMon;SWDUMon;C:\Windows\System32\drivers\SWDUMon.sys [2014-1-10 16152]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-11-15 56832]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2013-9-26 30208]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2014-5-8 1255736]
S3 WSDScan;WSD Scan Support via UMB;C:\Windows\System32\drivers\WSDScan.sys [2009-7-13 25088]
S4 IEEtwCollectorService;IEEtwCollectorService;C:\Windows\System32\ieetwcollector.exe [2014-4-9 111616]
.
=============== Created Last 60 ================
.
2014-05-14 05:04:41    --------    d-----w-    C:\5e4dc23a98e189948f3418dc766248
2014-05-14 04:58:39    --------    d-----w-    C:\bac05ba25dee03f40f6a03
2014-05-14 04:55:13    --------    d-----w-    C:\f7f3c43ddabc664e9724c18fd4cd33e3
2014-05-14 03:19:59    2724864    ----a-w-    C:\Windows\SysWow64\mshtml.tlb
2014-05-14 03:19:59    2724864    ----a-w-    C:\Windows\System32\mshtml.tlb
2014-05-14 03:05:34    477184    ----a-w-    C:\Windows\System32\aepdu.dll
2014-05-14 03:05:34    424448    ----a-w-    C:\Windows\System32\aeinv.dll
2014-05-13 23:39:37    --------    d-----w-    C:\Users\Derek\AppData\Local\ElevatedDiagnostics
2014-05-13 23:29:34    --------    d-----w-    C:\Program Files (x86)\Tweaking.com
2014-05-13 23:18:51    10651704    ----a-w-    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{5929B604-83F6-46F5-94AC-45D03FC2A5F5}\mpengine.dll
2014-05-13 06:43:16    --------    d-----w-    C:\Users\Derek\AppData\Local\Kingsoft
2014-05-13 06:41:32    --------    d-----w-    C:\Program Files (x86)\Kingsoft
2014-05-13 06:38:01    95008    ----a-w-    C:\Windows\System32\Primomonnt.dll
2014-05-13 06:37:58    --------    d-----w-    C:\Program Files (x86)\Nitro PDF
2014-05-11 19:09:42    70832    ----a-w-    C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-05-11 19:09:42    692400    ----a-w-    C:\Windows\SysWow64\FlashPlayerApp.exe
2014-05-09 15:30:01    27016    ----a-w-    C:\Windows\SysWow64\drivers\PROCEXP141.SYS
2014-05-09 06:56:56    --------    d-----w-    C:\EEK
2014-05-08 16:03:48    --------    d-----w-    C:\Windows\SysWow64\Wat
2014-05-08 16:03:48    --------    d-----w-    C:\Windows\System32\Wat
2014-05-08 13:57:48    --------    d-----w-    C:\Users\Derek\AppData\Local\Apps
2014-05-08 13:22:23    --------    d-sh--w-    C:\Users\Derek\AppData\Local\EmieUserList
2014-05-08 13:22:23    --------    d-sh--w-    C:\Users\Derek\AppData\Local\EmieSiteList
2014-05-08 03:21:55    --------    d-----w-    C:\Windows\System32\catroot2
2014-05-08 01:29:31    --------    d-----w-    C:\RegBackup
2014-05-06 14:19:10    --------    d-----w-    C:\Windows\System32\user
2014-05-06 14:18:40    180224    ----a-w-    C:\Windows\SysWow64\BROSNMP.DLL
2014-05-06 10:27:10    --------    d-s---w-    C:\Windows\System32\CompatTel
2014-05-02 07:33:50    --------    d-sh--w-    C:\$RECYCLE.BIN
2014-05-02 07:33:35    --------    d-----w-    C:\Users\Derek\AppData\Local\temp
2014-05-02 06:45:14    --------    d-----w-    C:\Users\Derek\AppData\Local\CrashDumps
2014-05-02 05:35:15    98816    ----a-w-    C:\Windows\sed.exe
2014-05-02 05:35:15    256000    ----a-w-    C:\Windows\PEV.exe
2014-05-02 05:35:15    208896    ----a-w-    C:\Windows\MBR.exe
2014-05-01 10:53:12    --------    d-----w-    C:\Program Files (x86)\KeyCryptSDK
2014-04-28 05:41:17    96168    ----a-w-    C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2014-04-28 05:15:51    --------    d-----w-    C:\Users\Derek\AppData\Local\Mozilla
2014-04-27 05:30:56    --------    d-----w-    C:\ProgramData\eBay
2014-04-27 05:30:56    --------    d-----w-    C:\Program Files (x86)\eBay
2014-04-24 08:50:34    --------    d-----w-    C:\Users\Derek\AppData\Roaming\CoffeeCup Software
2014-04-23 04:54:16    --------    d-----w-    C:\Users\Derek\AppData\Roaming\FLEXnet
2014-04-22 19:23:24    --------    d-----w-    C:\ProgramData\Oracle
2014-04-22 05:52:31    --------    d-----w-    C:\ProgramData\ControlCenter4
2014-04-22 05:52:25    --------    d-----w-    C:\Program Files (x86)\ControlCenter4
2014-04-22 05:52:09    --------    d-----w-    C:\Program Files (x86)\Brother
2014-04-21 09:56:14    --------    d-----w-    C:\Program Files\Defraggler
2014-04-16 22:07:50    49152    ----a-w-    C:\Windows\SysWow64\inetwh32.dll
2014-04-16 22:07:50    1044480    ----a-w-    C:\Windows\SysWow64\roboex32.dll
2014-04-12 22:13:01    --------    d-----w-    C:\Windows\System32\wbem\repository
2014-04-12 01:54:27    --------    d-----w-    C:\Users\Derek\AppData\Roaming\ProductData
2014-04-09 07:59:12    --------    d-----w-    C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-04-09 03:57:47    27584    ----a-w-    C:\Windows\System32\drivers\Diskdump.sys
2014-04-04 14:38:42    --------    d-----w-    C:\Windows\System32\wbem\repository.003
2014-04-04 13:10:36    --------    d-----w-    C:\Users\Derek\AppData\Local\AMD
2014-04-04 10:41:47    --------    d-----w-    C:\ProgramData\AMD
2014-04-04 09:32:02    --------    d-----w-    C:\Users\Derek\AppData\Local\ATI
2014-04-04 07:51:23    --------    d-----w-    C:\Windows\SysWow64\wbem\Performance
2014-04-02 03:33:20    --------    d-----w-    C:\Users\Derek\AppData\Roaming\Malwarebytes
2014-04-02 03:33:06    --------    d-----w-    C:\ProgramData\Malwarebytes
2014-03-30 01:02:46    --------    d-----w-    C:\Users\Derek\AppData\Local\fontconfig
.
==================== Find6M  ====================
.
2014-04-12 02:22:05    95680    ----a-w-    C:\Windows\System32\drivers\ksecdd.sys
2014-04-12 02:22:05    155072    ----a-w-    C:\Windows\System32\drivers\ksecpkg.sys
2014-04-12 02:19:38    29184    ----a-w-    C:\Windows\System32\sspisrv.dll
2014-04-12 02:19:38    136192    ----a-w-    C:\Windows\System32\sspicli.dll
2014-04-12 02:19:37    28160    ----a-w-    C:\Windows\System32\secur32.dll
2014-04-12 02:19:32    1460736    ----a-w-    C:\Windows\System32\lsasrv.dll
2014-04-12 02:19:05    31232    ----a-w-    C:\Windows\System32\lsass.exe
2014-04-12 02:12:06    22016    ----a-w-    C:\Windows\SysWow64\secur32.dll
2014-04-12 02:10:56    96768    ----a-w-    C:\Windows\SysWow64\sspicli.dll
2014-03-31 15:35:08    270496    ------w-    C:\Windows\System32\MpSigStub.exe
2014-03-06 08:59:04    66048    ----a-w-    C:\Windows\System32\iesetup.dll
2014-03-06 08:57:34    548352    ----a-w-    C:\Windows\System32\vbscript.dll
2014-03-06 08:57:20    48640    ----a-w-    C:\Windows\System32\ieetwproxystub.dll
2014-03-06 08:29:40    139264    ----a-w-    C:\Windows\System32\ieUnatt.exe
2014-03-06 08:29:14    111616    ----a-w-    C:\Windows\System32\ieetwcollector.exe
2014-03-06 08:28:15    752640    ----a-w-    C:\Windows\System32\jscript9diag.dll
2014-03-06 08:15:54    940032    ----a-w-    C:\Windows\System32\MsSpellCheckingFacility.exe
2014-03-06 08:02:34    61952    ----a-w-    C:\Windows\SysWow64\iesetup.dll
2014-03-06 08:02:33    455168    ----a-w-    C:\Windows\SysWow64\vbscript.dll
2014-03-06 08:01:01    51200    ----a-w-    C:\Windows\SysWow64\ieetwproxystub.dll
2014-03-06 07:56:43    38400    ----a-w-    C:\Windows\System32\JavaScriptCollectionAgent.dll
2014-03-06 07:46:36    4254720    ----a-w-    C:\Windows\SysWow64\jscript9.dll
2014-03-06 07:38:13    112128    ----a-w-    C:\Windows\SysWow64\ieUnatt.exe
2014-03-06 07:36:40    592896    ----a-w-    C:\Windows\SysWow64\jscript9diag.dll
2014-03-06 07:13:43    32256    ----a-w-    C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
2014-03-06 07:11:15    2043904    ----a-w-    C:\Windows\System32\inetcpl.cpl
2014-03-06 06:40:39    1967104    ----a-w-    C:\Windows\SysWow64\inetcpl.cpl
2014-03-06 06:22:40    2260480    ----a-w-    C:\Windows\System32\wininet.dll
2014-03-06 05:41:49    1789440    ----a-w-    C:\Windows\SysWow64\wininet.dll
2014-03-04 09:47:01    5550016    ----a-w-    C:\Windows\System32\ntoskrnl.exe
2014-03-04 09:44:21    362496    ----a-w-    C:\Windows\System32\wow64win.dll
2014-03-04 09:44:21    243712    ----a-w-    C:\Windows\System32\wow64.dll
2014-03-04 09:44:21    13312    ----a-w-    C:\Windows\System32\wow64cpu.dll
2014-03-04 09:44:20    39936    ----a-w-    C:\Windows\System32\wincredprovider.dll
2014-03-04 09:44:10    210944    ----a-w-    C:\Windows\System32\wdigest.dll
2014-03-04 09:44:08    86528    ----a-w-    C:\Windows\System32\TSpkg.dll
2014-03-04 09:44:06    340992    ----a-w-    C:\Windows\System32\schannel.dll
2014-03-04 09:44:03    722944    ----a-w-    C:\Windows\System32\objsel.dll
2014-03-04 09:44:03    314880    ----a-w-    C:\Windows\System32\msv1_0.dll
2014-03-04 09:44:03    16384    ----a-w-    C:\Windows\System32\ntvdm64.dll
2014-03-04 09:44:00    728064    ----a-w-    C:\Windows\System32\kerberos.dll
2014-03-04 09:44:00    424960    ----a-w-    C:\Windows\System32\KernelBase.dll
2014-03-04 09:43:56    57344    ----a-w-    C:\Windows\System32\cngprovider.dll
2014-03-04 09:43:56    52736    ----a-w-    C:\Windows\System32\dpapiprovider.dll
2014-03-04 09:43:56    44544    ----a-w-    C:\Windows\System32\dimsroam.dll
2014-03-04 09:43:56    22016    ----a-w-    C:\Windows\System32\credssp.dll
2014-03-04 09:43:55    56832    ----a-w-    C:\Windows\System32\adprovider.dll
2014-03-04 09:43:55    53760    ----a-w-    C:\Windows\System32\capiprovider.dll
2014-03-04 09:43:50    455168    ----a-w-    C:\Windows\System32\winlogon.exe
2014-03-04 09:20:11    3969984    ----a-w-    C:\Windows\SysWow64\ntkrnlpa.exe
2014-03-04 09:20:11    3914176    ----a-w-    C:\Windows\SysWow64\ntoskrnl.exe
2014-03-04 09:16:54    25600    ----a-w-    C:\Windows\SysWow64\setup16.exe
2014-03-04 09:16:18    5120    ----a-w-    C:\Windows\SysWow64\wow32.dll
2014-03-04 09:16:18    274944    ----a-w-    C:\Windows\SysWow64\KernelBase.dll
2014-03-04 08:09:30    7680    ----a-w-    C:\Windows\SysWow64\instnm.exe
2014-03-04 08:09:29    2048    ----a-w-    C:\Windows\SysWow64\user.exe
2014-02-07 01:23:30    3156480    ----a-w-    C:\Windows\System32\win32k.sys
2014-02-04 02:35:56    190912    ----a-w-    C:\Windows\System32\drivers\storport.sys
2014-02-04 02:35:49    274880    ----a-w-    C:\Windows\System32\drivers\msiscsi.sys
2014-02-04 02:32:22    1424384    ----a-w-    C:\Windows\System32\WindowsCodecs.dll
2014-02-04 02:32:12    624128    ----a-w-    C:\Windows\System32\qedit.dll
2014-02-04 02:28:36    2048    ----a-w-    C:\Windows\System32\iologmsg.dll
2014-02-04 02:04:22    1230336    ----a-w-    C:\Windows\SysWow64\WindowsCodecs.dll
2014-02-04 02:04:11    509440    ----a-w-    C:\Windows\SysWow64\qedit.dll
2014-02-04 02:00:39    2048    ----a-w-    C:\Windows\SysWow64\iologmsg.dll
2014-01-29 02:32:18    484864    ----a-w-    C:\Windows\System32\wer.dll
2014-01-29 02:06:47    381440    ----a-w-    C:\Windows\SysWow64\wer.dll
2014-01-28 02:32:46    228864    ----a-w-    C:\Windows\System32\wwansvc.dll
2014-01-24 02:37:55    1684928    ----a-w-    C:\Windows\System32\drivers\ntfs.sys
2014-01-22 14:52:10    206080    ----a-w-    C:\Windows\System32\drivers\ssudmdm.sys
2014-01-22 14:52:10    108800    ----a-w-    C:\Windows\System32\drivers\ssudbus.sys
2014-01-12 19:29:03    16152    ----a-w-    C:\Windows\System32\drivers\SWDUMon.sys
2014-01-09 02:22:42    5694464    ----a-w-    C:\Windows\SysWow64\mstscax.dll
2014-01-03 22:44:58    6574592    ----a-w-    C:\Windows\System32\mstscax.dll
2013-12-26 13:43:46    1721576    ----a-w-    C:\Windows\System32\WdfCoInstaller01009.dll
2013-12-26 13:43:46    1002728    ----a-w-    C:\Windows\System32\WinUSBCoInstaller2.dll
2013-12-26 13:41:04    47200    ----a-w-    C:\Windows\System32\drivers\libusbK.sys
2013-12-26 13:41:04    238176    ----a-w-    C:\Windows\System32\libusbK.dll
2013-12-26 13:41:04    170080    ----a-w-    C:\Windows\SysWow64\libusbK.dll
2013-12-26 13:39:58    76384    ----a-w-    C:\Windows\System32\libusb0.dll
2013-12-26 13:39:58    67680    ----a-w-    C:\Windows\SysWow64\libusb0.dll
2013-12-26 13:39:58    52320    ----a-w-    C:\Windows\System32\drivers\libusb0.sys
2013-12-24 23:09:41    1987584    ----a-w-    C:\Windows\SysWow64\d3d10warp.dll
2013-12-24 22:48:32    2565120    ----a-w-    C:\Windows\System32\d3d10warp.dll
2013-12-06 02:30:08    2048    ----a-w-    C:\Windows\System32\msxml3r.dll
2013-12-06 02:30:08    1882112    ----a-w-    C:\Windows\System32\msxml3.dll
2013-12-06 02:02:08    2048    ----a-w-    C:\Windows\SysWow64\msxml3r.dll
2013-12-06 02:02:08    1237504    ----a-w-    C:\Windows\SysWow64\msxml3.dll
2013-12-04 02:27:33    485888    ----a-w-    C:\Windows\System32\secproc_isv.dll
2013-12-04 02:27:33    123392    ----a-w-    C:\Windows\System32\secproc_ssp_isv.dll
2013-12-04 02:27:33    123392    ----a-w-    C:\Windows\System32\secproc_ssp.dll
2013-12-04 02:27:16    488448    ----a-w-    C:\Windows\System32\secproc.dll
2013-12-04 02:26:32    528384    ----a-w-    C:\Windows\System32\msdrm.dll
2013-12-04 02:16:51    658432    ----a-w-    C:\Windows\System32\RMActivate_isv.exe
2013-12-04 02:16:51    626176    ----a-w-    C:\Windows\System32\RMActivate.exe
2013-12-04 02:16:50    552960    ----a-w-    C:\Windows\System32\RMActivate_ssp_isv.exe
2013-12-04 02:16:48    553984    ----a-w-    C:\Windows\System32\RMActivate_ssp.exe
2013-12-04 02:03:20    87040    ----a-w-    C:\Windows\SysWow64\secproc_ssp_isv.dll
2013-12-04 02:03:20    87040    ----a-w-    C:\Windows\SysWow64\secproc_ssp.dll
2013-12-04 02:03:20    423936    ----a-w-    C:\Windows\SysWow64\secproc_isv.dll
.
============= FINISH: 23:41:25.22 ===============
 



#4 polskamachina


  • Malware Response Team
  • 4,069 posts
  • Gender:Male

Posted 14 May 2014 - 03:03 PM

Hi stepitup :)

 

My name is polskamachina and I will be assisting you with your malware problems. Please give me some time to review your situation and I will get back to you with further instructions. In the meantime, based on what you've reported so far, I would disconnect your suspect computer from the internet until your problem has been resolved.

 

Thanks for your patience.

 

polskamachina



#5 stepitup

  • Topic Starter

  • Members
  • 4 posts

Posted 14 May 2014 - 11:06 PM

Thanks polskamachina. A little bit more info that I have come up with, in case it helps. It appears to be running in a 32-bit environment and using some type of theme as a mask which kind of resembles what my normal OS looks like but is very obviously either Windows 2000 or XP.

 

This program has found its way onto 2 cell phones, a desktop, and a printer to a certain extent. I have some screenshots and copies of some of the scripts and HTML I have found, if you want to see any of those.

 

It seems to affect any device that connects to my home network, and there are many footprints of remote entry even when I have devices disconnected.



#6 polskamachina


  • Malware Response Team
  • 4,069 posts
  • Gender:Male

Posted 15 May 2014 - 02:58 PM

Hi stepitup :)

 

I would like to officially welcome you to Bleeping Computer. What follows below are some ground rules for this forum.

I will reply as soon as possible (typically within 24-48 hours). In turn, I ask that you please respond within 72 hours. If you know you will be away longer than that, please let me know.

I am in California at GMT-7 hours (Pacific Standard Time). If I do not respond to you within 48 hours, feel free to send me a private message.

Some points for you to keep in mind:

  • Do NOT run any tools unless instructed to do so.
  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Do not attach logs or use code boxes, just copy and paste the text.
  • I cannot see your computer. Periodically update me on the condition of your computer, and provide as much detail as you can in every post.
  • Once things seem to be working again, please do not abandon the thread. I will give an "all-clean" message at the very end.
  • NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a flash drive, anywhere except on the computer.
  • NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. Please remember to copy the entire post so you do not miss any instructions.

Let's begin with ComboFix.exe. For the time being, you should re-enable your internet connection for this procedure. Please visit this webpage for download links and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
 
Let me know if you have any questions or if you have noticed any changes, either good or bad, in your computer's performance.

 

polskamachina



#7 stepitup

  • Topic Starter

  • Members
  • 4 posts

Posted 15 May 2014 - 11:00 PM

Here is the ComboFix log. No changes to report.

 

ComboFix 14-05-13.01 - Derek 05/15/2014  21:45:22.4.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3559.2483 [GMT -6:00]
Running from: c:\users\Derek\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((   Files Created from 2014-04-16 to 2014-05-16  )))))))))))))))))))))))))))))))
.
.
2014-05-16 03:52 . 2014-05-16 03:52    --------    d-----w-    c:\users\Derek\AppData\Local\temp
2014-05-16 03:52 . 2014-05-16 03:52    --------    d-----w-    c:\users\Default\AppData\Local\temp
2014-05-16 01:37 . 2014-04-17 11:31    10651704    ------w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{1329E230-6672-4F0D-9190-3CCF2AB29D83}\mpengine.dll
2014-05-15 12:11 . 2014-05-15 12:11    --------    d-----w-    C:\2302ce1f731204e22e73a897
2014-05-15 12:10 . 2014-05-15 12:11    --------    d-----w-    C:\e50c63298d070e9a5391ca8ac444
2014-05-15 12:09 . 2014-05-15 12:09    --------    d-----w-    c:\program files (x86)\Google
2014-05-15 12:09 . 2014-05-15 12:09    --------    d-----w-    c:\users\Derek\AppData\Local\Google
2014-05-15 04:09 . 2014-05-15 04:09    --------    d-----w-    C:\b9f9a0180f61783d6b10
2014-05-15 01:10 . 2014-05-15 01:10    --------    d-----w-    C:\3c6177d8e85f4c7011cfeea9ab
2014-05-15 01:09 . 2014-05-15 01:09    --------    d-----w-    C:\27dec267b579cc08ad7c9024903985d6
2014-05-15 01:08 . 2014-05-15 01:08    --------    d-----w-    C:\ea7a50e556238568bf2517
2014-05-15 00:04 . 2014-05-15 00:04    --------    d-----w-    c:\users\Derek\AppData\Local\Microsoft_Corporation
2014-05-14 14:42 . 2014-05-14 14:43    --------    d-----w-    c:\users\Derek\AppData\Roaming\EurekaLog
2014-05-14 03:20 . 2014-05-06 04:40    23544320    ----a-w-    c:\windows\system32\mshtml.dll
2014-05-14 03:20 . 2014-05-06 03:00    84992    ----a-w-    c:\windows\system32\mshtmled.dll
2014-05-14 03:19 . 2014-05-06 04:17    2724864    ----a-w-    c:\windows\system32\mshtml.tlb
2014-05-14 03:19 . 2014-05-06 03:07    2724864    ----a-w-    c:\windows\SysWow64\mshtml.tlb
2014-05-14 03:06 . 2014-03-25 02:43    14175744    ----a-w-    c:\windows\system32\shell32.dll
2014-05-14 03:05 . 2014-05-09 06:14    477184    ----a-w-    c:\windows\system32\aepdu.dll
2014-05-14 03:05 . 2014-05-09 06:11    424448    ----a-w-    c:\windows\system32\aeinv.dll
2014-05-13 23:29 . 2014-05-13 23:29    --------    d-----w-    c:\program files (x86)\Tweaking.com
2014-05-13 06:43 . 2014-05-13 07:23    --------    d-----w-    c:\users\Derek\AppData\Local\Kingsoft
2014-05-13 06:38 . 2011-02-28 22:37    95008    ----a-w-    c:\windows\system32\Primomonnt.dll
2014-05-11 19:09 . 2014-05-11 19:09    70832    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-05-11 19:09 . 2014-05-11 19:09    692400    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2014-05-09 15:30 . 2014-05-09 15:30    27016    ----a-w-    c:\windows\SysWow64\drivers\PROCEXP141.SYS
2014-05-09 06:56 . 2014-05-09 06:57    --------    d-----w-    C:\EEK
2014-05-08 16:03 . 2014-05-08 16:03    --------    d-----w-    c:\windows\SysWow64\Wat
2014-05-08 16:03 . 2014-05-08 16:03    --------    d-----w-    c:\windows\system32\Wat
2014-05-08 13:57 . 2014-05-08 13:57    --------    d-----w-    c:\users\Derek\AppData\Local\Apps
2014-05-08 13:22 . 2014-05-08 13:22    --------    d-sh--w-    c:\users\Derek\AppData\Local\EmieUserList
2014-05-08 13:22 . 2014-05-08 13:22    --------    d-sh--w-    c:\users\Derek\AppData\Local\EmieSiteList
2014-05-08 03:21 . 2014-05-16 03:15    --------    d-----w-    c:\windows\system32\catroot2
2014-05-08 01:29 . 2014-05-08 01:29    --------    d-----w-    C:\RegBackup
2014-05-06 14:19 . 2014-05-06 14:19    --------    d-----w-    c:\windows\system32\user
2014-05-06 14:18 . 2010-02-05 02:42    180224    ----a-w-    c:\windows\SysWow64\BROSNMP.DLL
2014-05-06 10:27 . 2014-05-14 04:40    --------    d-s---w-    c:\windows\system32\CompatTel
2014-05-02 06:45 . 2014-05-02 06:48    --------    d-----w-    c:\users\Derek\AppData\Local\CrashDumps
2014-05-01 10:53 . 2014-05-03 03:19    --------    d-----w-    c:\program files (x86)\KeyCryptSDK
2014-04-28 05:41 . 2014-04-28 05:41    --------    d-----w-    c:\program files (x86)\Common Files\Java
2014-04-28 05:41 . 2014-04-28 05:41    96168    ----a-w-    c:\windows\SysWow64\WindowsAccessBridge-32.dll
2014-04-28 05:41 . 2014-04-28 05:41    --------    d-----w-    c:\program files (x86)\Java
2014-04-28 05:15 . 2014-04-28 05:16    --------    d-----w-    c:\users\Derek\AppData\Local\Mozilla
2014-04-27 05:30 . 2014-04-27 05:30    --------    d-----w-    c:\programdata\eBay
2014-04-27 05:30 . 2014-04-27 05:30    --------    d-----w-    c:\program files (x86)\eBay
2014-04-24 08:50 . 2014-05-06 09:13    --------    d-----w-    c:\users\Derek\AppData\Roaming\CoffeeCup Software
2014-04-23 04:54 . 2014-04-23 04:54    --------    d-----w-    c:\users\Derek\AppData\Roaming\FLEXnet
2014-04-22 19:23 . 2014-05-15 00:17    --------    d-----w-    c:\programdata\Oracle
2014-04-22 05:52 . 2014-05-07 03:02    --------    d-----w-    c:\programdata\ControlCenter4
2014-04-22 05:52 . 2014-05-11 10:43    --------    d-----w-    c:\program files (x86)\ControlCenter4
2014-04-22 05:52 . 2014-05-11 10:43    --------    d-----w-    c:\program files (x86)\Brother
2014-04-21 09:56 . 2014-04-21 09:56    --------    d-----w-    c:\program files\Defraggler
2014-04-16 22:07 . 2014-04-16 22:07    49152    ----a-w-    c:\windows\SysWow64\inetwh32.dll
2014-04-16 22:07 . 2014-04-16 22:07    1044480    ----a-w-    c:\windows\SysWow64\roboex32.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-05-14 03:18 . 2013-09-27 06:26    93223848    ----a-w-    c:\windows\system32\MRT.exe
2014-05-08 02:47 . 2014-04-04 14:34    181064    ----a-w-    c:\windows\PSEXESVC.EXE
2014-03-31 15:35 . 2010-11-21 03:27    270496    ------w-    c:\windows\system32\MpSigStub.exe
2014-03-06 08:59 . 2014-04-09 07:12    66048    ----a-w-    c:\windows\system32\iesetup.dll
2014-03-06 08:57 . 2014-04-09 07:12    548352    ----a-w-    c:\windows\system32\vbscript.dll
2014-03-06 08:57 . 2014-04-09 07:12    48640    ----a-w-    c:\windows\system32\ieetwproxystub.dll
2014-03-06 08:53 . 2014-04-09 07:12    2767360    ----a-w-    c:\windows\system32\iertutil.dll
2014-03-06 08:40 . 2014-04-09 07:12    51200    ----a-w-    c:\windows\system32\jsproxy.dll
2014-03-06 08:39 . 2014-04-09 07:12    33792    ----a-w-    c:\windows\system32\iernonce.dll
2014-03-06 08:32 . 2014-04-09 07:12    574976    ----a-w-    c:\windows\system32\ieui.dll
2014-03-06 08:29 . 2014-04-09 07:12    139264    ----a-w-    c:\windows\system32\ieUnatt.exe
2014-03-06 08:29 . 2014-04-09 07:12    111616    ----a-w-    c:\windows\system32\ieetwcollector.exe
2014-03-06 08:28 . 2014-04-09 07:12    752640    ----a-w-    c:\windows\system32\jscript9diag.dll
2014-03-06 08:15 . 2014-04-09 07:12    940032    ----a-w-    c:\windows\system32\MsSpellCheckingFacility.exe
2014-03-06 08:09 . 2014-04-09 07:12    453120    ----a-w-    c:\windows\system32\dxtmsft.dll
2014-03-06 08:03 . 2014-04-09 07:12    586240    ----a-w-    c:\windows\system32\ie4uinit.exe
2014-03-06 08:02 . 2014-04-09 07:12    61952    ----a-w-    c:\windows\SysWow64\iesetup.dll
2014-03-06 08:02 . 2014-04-09 07:12    455168    ----a-w-    c:\windows\SysWow64\vbscript.dll
2014-03-06 08:01 . 2014-04-09 07:12    51200    ----a-w-    c:\windows\SysWow64\ieetwproxystub.dll
2014-03-06 07:56 . 2014-04-09 07:12    38400    ----a-w-    c:\windows\system32\JavaScriptCollectionAgent.dll
2014-03-06 07:48 . 2014-04-09 07:12    195584    ----a-w-    c:\windows\system32\msrating.dll
2014-03-06 07:46 . 2014-04-09 07:12    4254720    ----a-w-    c:\windows\SysWow64\jscript9.dll
2014-03-06 07:42 . 2014-04-09 07:12    296960    ----a-w-    c:\windows\system32\dxtrans.dll
2014-03-06 07:38 . 2014-04-09 07:12    112128    ----a-w-    c:\windows\SysWow64\ieUnatt.exe
2014-03-06 07:36 . 2014-04-09 07:12    592896    ----a-w-    c:\windows\SysWow64\jscript9diag.dll
2014-03-06 07:21 . 2014-04-09 07:12    628736    ----a-w-    c:\windows\system32\msfeeds.dll
2014-03-06 07:13 . 2014-04-09 07:12    32256    ----a-w-    c:\windows\SysWow64\JavaScriptCollectionAgent.dll
2014-03-06 07:11 . 2014-04-09 07:12    2043904    ----a-w-    c:\windows\system32\inetcpl.cpl
2014-03-06 06:53 . 2014-04-09 07:12    13551104    ----a-w-    c:\windows\system32\ieframe.dll
2014-03-06 06:40 . 2014-04-09 07:12    1967104    ----a-w-    c:\windows\SysWow64\inetcpl.cpl
2014-03-06 06:22 . 2014-04-09 07:12    2260480    ----a-w-    c:\windows\system32\wininet.dll
2014-03-06 05:58 . 2014-04-09 07:12    1400832    ----a-w-    c:\windows\system32\urlmon.dll
2014-03-06 05:50 . 2014-04-09 07:12    846336    ----a-w-    c:\windows\system32\ieapfltr.dll
2014-03-06 05:41 . 2014-04-09 07:12    1789440    ----a-w-    c:\windows\SysWow64\wininet.dll
2014-03-04 09:44 . 2014-04-09 03:57    362496    ----a-w-    c:\windows\system32\wow64win.dll
2014-03-04 09:44 . 2014-04-09 03:57    243712    ----a-w-    c:\windows\system32\wow64.dll
2014-03-04 09:44 . 2014-04-09 03:57    13312    ----a-w-    c:\windows\system32\wow64cpu.dll
2014-03-04 09:44 . 2014-04-09 03:57    16384    ----a-w-    c:\windows\system32\ntvdm64.dll
2014-03-04 09:44 . 2014-04-09 03:57    1163264    ----a-w-    c:\windows\system32\kernel32.dll
2014-03-04 09:17 . 2014-04-09 03:57    14336    ----a-w-    c:\windows\SysWow64\ntvdm64.dll
2014-03-04 09:17 . 2014-04-09 03:57    44032    ----a-w-    c:\windows\apppatch\acwow64.dll
2014-03-04 09:16 . 2014-04-09 03:57    25600    ----a-w-    c:\windows\SysWow64\setup16.exe
2014-03-04 09:16 . 2014-04-09 03:57    5120    ----a-w-    c:\windows\SysWow64\wow32.dll
2014-03-04 08:09 . 2014-04-09 03:57    7680    ----a-w-    c:\windows\SysWow64\instnm.exe
2014-03-04 08:09 . 2014-04-09 03:57    2048    ----a-w-    c:\windows\SysWow64\user.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe" [2013-11-29 766208]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 BtFilter;Bluetooth LowerFilter Class Filter Driver;c:\windows\system32\DRIVERS\btfilter.sys;c:\windows\SYSNATIVE\DRIVERS\btfilter.sys [x]
R3 cleanhlp;cleanhlp;c:\eek\Run\cleanhlp64.sys;c:\eek\Run\cleanhlp64.sys [x]
R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys;c:\windows\SYSNATIVE\DRIVERS\ssudbus.sys [x]
R3 keycrypt;keycrypt;c:\windows\system32\DRIVERS\KeyCrypt64.sys;c:\windows\SYSNATIVE\DRIVERS\KeyCrypt64.sys [x]
R3 libusb0;libusb-win32 - Kernel Driver 09/19/2011 1.2.5.0;c:\windows\system32\DRIVERS\libusb0.sys;c:\windows\SYSNATIVE\DRIVERS\libusb0.sys [x]
R3 libusbK;libusbK USB Driver 10/03/2011 - 3.0.4.0;c:\windows\system32\DRIVERS\libusbK.sys;c:\windows\SYSNATIVE\DRIVERS\libusbK.sys [x]
R3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys;c:\windows\SYSNATIVE\DRIVERS\pgeffect.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys;c:\windows\SYSNATIVE\Drivers\RtsUStor.sys [x]
R3 RSUSBVSTOR;RTSUVSTOR.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RTSUVSTOR.sys;c:\windows\SYSNATIVE\Drivers\RTSUVSTOR.sys [x]
R3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys;c:\windows\SYSNATIVE\DRIVERS\ssudmdm.sys [x]
R3 SWDUMon;SWDUMon;c:\windows\system32\DRIVERS\SWDUMon.sys;c:\windows\SYSNATIVE\DRIVERS\SWDUMon.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys;c:\windows\SYSNATIVE\DRIVERS\WSDScan.sys [x]
R4 IEEtwCollectorService;IEEtwCollectorService;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_sata.sys [x]
S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_xata.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [x]
S2 AODDriver4.2.0;AODDriver4.2.0;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys;c:\windows\SYSNATIVE\drivers\AtihdW76.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR81xx PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys;c:\windows\SYSNATIVE\DRIVERS\L1C62x64.sys [x]
S3 QIOMem;Generic IO & Memory Access;c:\windows\system32\DRIVERS\QIOMem.sys;c:\windows\SYSNATIVE\DRIVERS\QIOMem.sys [x]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys;c:\windows\SYSNATIVE\DRIVERS\usbfilter.sys [x]
.
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TCrdMain"="c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe" [BU]
"cAudioFilterAgent"="c:\program files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe" [2011-06-30 562304]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2011-03-24 310912]
"TPwrMain"="c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE" [BU]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:Tabs
mLocal Page = c:\windows\SYSTEM32\blank.htm
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{5CFCB905-1A8A-46F7-85F1-F77CA97BF06C}: NameServer = 192.168.2.1
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} -
FF - ProfilePath - c:\users\Derek\AppData\Roaming\Mozilla\Firefox\Profiles\bykg17j5.default\
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
AddRemove-{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB2898869 - c:\windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.5.50938\setup.exe
AddRemove-{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB2901126 - c:\windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.5.50938\setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,38,12,d5,94,07,
   72,c2,98,42,03,c9,fd,97,9a,f4,87,69,57
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
   df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{F3C88694-EFFA-4D78-B409-54B7B2535B14}"=hex:51,66,7a,6c,4c,1d,38,12,fa,85,db,
   f7,c8,a1,16,08,cb,1f,17,f7,b7,0d,1f,00
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
   fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
   b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:57,a1,08,81,cc,bb,ce,01
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a5,f4,de,f6,48,26,39,49,8f,02,a3,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a5,f4,de,f6,48,26,39,49,8f,02,a3,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2014-05-15  21:54:15
ComboFix-quarantined-files.txt  2014-05-16 03:54
ComboFix2.txt  2014-05-16 03:31
.
Pre-Run: 457,315,766,272 bytes free
Post-Run: 457,248,288,768 bytes free
.
- - End Of File - - 8E233CF6230B9483FC6709DF8DF0D2A0
A36C5E4F47E84449FF07ED3517B43A31
 



#8 polskamachina

polskamachina

  • Malware Response Team
  • 4,069 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:14 PM

Posted 17 May 2014 - 11:09 PM

Hi stepitup :)
 
Let's do some more investigating:
 
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, choose Skip instead; do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

Next:

Please download the 64-bit version of the Farbar Recovery Scan Tool and save it to your Desktop.

  • Right click to run as administrator
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST64.exe). Please also paste that along with the FRST.txt into your reply.

In summary, please post the TDSSKiller and FRST scan logs in your next reply.

 

Let me know if you have any questions.

 

polskamachina



#9 polskamachina

polskamachina

  • Malware Response Team
  • 4,069 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:14 PM

Posted 23 May 2014 - 12:20 AM

Hi stepitup :)

 

It's been several days since you've checked in. Do you still need help with this? If not, this topic will be closed in 48 hours.
 
Let me know if you have any questions.

 

polskamachina



#10 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:09:14 PM

Posted 26 May 2014 - 12:49 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.



