Infection with Trojan.Upnoda



#1 PushReset

  • Members
  • 2 posts

Posted 03 April 2015 - 07:09 AM

Hello

Yesterday I unfortunately became infected with a Trojan virus while browsing the web.

The website I was visiting got redirected to a malicious site and it seemed that something was downloaded and installed, so I became suspicious that I had been infected.

I ran a scan with Malwarebytes and it detected the virus as Trojan.Upnoda. I let Malwarebytes clean the infection and a second scan did not show anything, but I still suspect something is wrong with the system.

At every system start-up there is a process named lsass.exe that uses 40-50% CPU for about 30 minutes and the system seems more unresponsive. Before the infection I did not notice this process taxing the CPU so heavily. Is this normal behaviour or has the virus corrupted something?

I would appreciate your help in getting my system checked.

Here is what Malwarebytes found:

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 02-04-2015
Scan Time: 18:05:15
Logfile: scan.txt
Administrator: Yes
 
Version: 2.00.4.1028
Malware Database: v2015.04.02.05
Rootkit Database: v2015.03.31.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows Vista Service Pack 2
CPU: x86
File System: NTFS
User: NEU
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 324136
Time Elapsed: 14 min, 1 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 1
Trojan.Upnoda, C:\Program Files\NVIDIA Corporation\Updates\NvdUpd.exe, 2368, Delete-on-Reboot, [ab686ae222686bcb74ece05fa85a6799]
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 1
Trojan.Upnoda, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NvUpdSrv, Quarantined, [ab686ae222686bcb74ece05fa85a6799], 
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 2
Trojan.Upnoda, C:\Program Files\NVIDIA Corporation\Updates\NvdUpd.exe, Delete-on-Reboot, [ab686ae222686bcb74ece05fa85a6799], 
Trojan.Upnoda, C:\Users\NEU\AppData\Local\temp\FCE5.tmp, Quarantined, [52c1bf8d1278fa3c87d9102fbe442ad6], 
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
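The lsass.exe question in the post above has a concrete first check: malware routinely names its binary lsass.exe, or something one character away from it, to blend into the process list, so before asking why LSASS is busy you confirm that the busy process is the real LSASS. The script below is an added example for this thread, not code from the poster, from Malwarebytes or from FRST. It assumes the genuine binary lives at C:\Windows\System32\lsass.exe, is started by wininit.exe (Vista and later; XP used winlogon.exe) and runs exactly once; the two process snapshots are constructed test data, not a capture from the poster's machine. On a live host the snapshot would be filled from the OS process list (Win32_Process or psutil).

```python
"""Decide whether the lsass.exe instances in a process snapshot are genuine.

Added example for this thread; not code from the poster, Malwarebytes or FRST.
Assumptions (see the constants): the real LSASS lives at
C:\\Windows\\System32\\lsass.exe, is started by wininit.exe on Vista and
later, and runs exactly once. The snapshots at the bottom are constructed.
"""

GENUINE_NAME = "lsass.exe"
GENUINE_PATH = r"c:\windows\system32\lsass.exe"  # assumes SystemRoot is C:\Windows
GENUINE_PARENT = "wininit.exe"                   # winlogon.exe on XP, not covered here


def edit_distance(a, b):
    """Levenshtein distance, used to catch look-alike names such as 1sass.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lsass_findings(procs):
    """Return (pid, reason) pairs for anything that looks like a fake LSASS.

    procs: iterable of dicts with keys name, pid, ppid, path, i.e. a snapshot
    of the process list (on Windows: Win32_Process / Get-Process).
    """
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    genuine = 0
    for p in procs:
        name = p["name"].lower()
        if name != GENUINE_NAME:
            # A name one edit away from lsass.exe is a classic masquerade.
            if edit_distance(name, GENUINE_NAME) <= 1:
                findings.append((p["pid"], "look-alike name " + p["name"]))
            continue
        reasons = []
        if p["path"].lower() != GENUINE_PATH:
            reasons.append("unexpected image path " + p["path"])
        parent = by_pid.get(p["ppid"])
        parent_name = parent["name"].lower() if parent else "<no parent>"
        if parent_name != GENUINE_PARENT:
            reasons.append("unexpected parent " + parent_name)
        if reasons:
            findings.append((p["pid"], "; ".join(reasons)))
        else:
            genuine += 1
    if genuine != 1:
        findings.append((None, "%d lsass.exe instances passed the checks; exactly one is expected" % genuine))
    return findings


# Constructed snapshots, not taken from the poster's machine.
CLEAN = [
    {"name": "wininit.exe",  "pid": 500,  "ppid": 400,  "path": r"C:\Windows\System32\wininit.exe"},
    {"name": "lsass.exe",    "pid": 560,  "ppid": 500,  "path": r"C:\Windows\System32\lsass.exe"},
    {"name": "explorer.exe", "pid": 1400, "ppid": 1300, "path": r"C:\Windows\explorer.exe"},
]
SUSPECT = CLEAN + [
    # same name, wrong directory, started from the user's shell
    {"name": "lsass.exe", "pid": 3012, "ppid": 1400, "path": r"C:\Users\user\AppData\Local\Temp\lsass.exe"},
    # digit 1 instead of letter l
    {"name": "1sass.exe", "pid": 3040, "ppid": 1400, "path": r"C:\ProgramData\1sass.exe"},
]

if __name__ == "__main__":
    for label, snap in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, lsass_findings(snap) or "no findings")
```

Passing these checks only establishes that the process is the real LSASS; it says nothing about why it is busy, and the thread never gets as far as answering that.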



#2 PushReset

  • Topic Starter
  • Members
  • 2 posts

Posted 03 April 2015 - 12:24 PM

I have now run a scan with FRST as suggested in the guide. Can someone please help me?

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-03-2015
Ran by NEU (administrator) on GISMO on 03-04-2015 19:03:03
Running from C:\Users\NEU\Downloads
Loaded Profiles: NEU (Available profiles: NEU)
Platform: Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86) OS Language: Dansk (Danmark)
Internet Explorer Version 9 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\WINDOWS\System32\atiesrxx.exe
(Microsoft Corporation) C:\WINDOWS\System32\SLsvc.exe
(AMD) C:\WINDOWS\System32\atieclxx.exe
(Realtek Semiconductor) C:\WINDOWS\RtHDVCpl.exe
(Samsung Electronics Co., Ltd.) C:\Program Files\Samsung\Kies\KiesTrayAgent.exe
(Hewlett-Packard Company) C:\hp\support\hpsysdrv.exe
(Logitech, Inc.) C:\Program Files\Logitech\SetPointP\SetPoint.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Samsung) C:\Program Files\Samsung\Kies\Kies.exe
(Microsoft Corporation) C:\WINDOWS\ehome\ehtray.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(Logitech, Inc.) C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.exe
(Microsoft Corporation) C:\WINDOWS\ehome\ehmsas.exe
(Advanced Micro Devices Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
(Hewlett-Packard Company) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
(Nalpeiron Ltd.) C:\WINDOWS\System32\NLSSRV32.EXE
() C:\WINDOWS\System32\PnkBstrA.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
(ATI Technologies Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Microsoft Corporation) C:\WINDOWS\System32\wbem\unsecapp.exe
(Microsoft Corporation) C:\WINDOWS\System32\taskmgr.exe
(Microsoft Corporation) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Hewlett-Packard Company) C:\hp\KBD\kbd.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\WINDOWS\System32\wuauclt.exe
(Microsoft Corporation) C:\WINDOWS\System32\wbem\WMIADAP.exe
(Microsoft Corporation) C:\WINDOWS\System32\conime.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Windows\RtHDVCpl.exe [4874240 2008-01-15] (Realtek Semiconductor)
HKLM\...\Run: [KiesTrayAgent] => C:\Program Files\Samsung\Kies\KiesTrayAgent.exe [311152 2013-11-06] (Samsung Electronics Co., Ltd.)
HKLM\...\Run: [KBD] => C:\HP\KBD\KbdStub.EXE [65536 2006-12-08] ()
HKLM\...\Run: [hpsysdrv] => c:\hp\support\hpsysdrv.exe [65536 2007-04-18] (Hewlett-Packard Company)
HKLM\...\Run: [StartCCC] => C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\x86\CLIStart.exe [748256 2014-04-17] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [EvtMgr6] => C:\Program Files\Logitech\SetPointP\SetPoint.exe [2303256 2014-05-19] (Logitech, Inc.)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [335232 2015-03-07] (Oracle Corporation)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-19] (Adobe Systems Incorporated)
HKU\S-1-5-21-1862204334-1866920431-4229674107-1000\...\Run: [KiesPreload] => C:\Program Files\Samsung\Kies\Kies.exe [1564528 2013-11-06] (Samsung)
HKU\S-1-5-21-1862204334-1866920431-4229674107-1000\...\Run: [KiesAirMessage] => C:\Program Files\Samsung\Kies\KiesAirMessage.exe -startup
HKU\S-1-5-21-1862204334-1866920431-4229674107-1000\...\Run: [ehTray.exe] => C:\Windows\ehome\ehTray.exe [125952 2008-01-19] (Microsoft Corporation)
HKU\S-1-5-21-1862204334-1866920431-4229674107-1000\...\Run: [WMPNSCFG] => C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-19] (Microsoft Corporation)
HKU\S-1-5-21-1862204334-1866920431-4229674107-1000\...\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-1862204334-1866920431-4229674107-1000\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\S-1-5-21-1862204334-1866920431-4229674107-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\Ribbons.scr [220672 2008-01-19] (Microsoft Corporation)
GroupPolicyUsers\S-1-5-21-1862204334-1866920431-4229674107-1000\User: Group Policy restriction detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1862204334-1866920431-4229674107-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-1862204334-1866920431-4229674107-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-1862204334-1866920431-4229674107-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://dk.msn.com/?ocid=iehp
HKU\S-1-5-21-1862204334-1866920431-4229674107-1000\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.dk/
SearchScopes: HKU\S-1-5-21-1862204334-1866920431-4229674107-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1862204334-1866920431-4229674107-1000 -> {740363D3-AD80-42DE-9DA9-E5C375005E56} URL = http://da.wikipedia.org/w/index.php?title=Speciel:S%C3%B8gning&search={searchTerms}
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_40\bin\ssv.dll [2015-04-03] (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_40\bin\jp2ssv.dll [2015-04-03] (Oracle Corporation)
Toolbar: HKLM - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Toolbar: HKU\S-1-5-21-1862204334-1866920431-4229674107-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll [2007-06-08] (Microsoft Corporation)
Winsock: Catalog9 01 C:\Windows\system32\wpclsp.dll [72192] (Microsoft Corporation)
Winsock: Catalog9 02 C:\Windows\system32\wpclsp.dll [72192] (Microsoft Corporation)
Winsock: Catalog9 03 C:\Windows\system32\wpclsp.dll [72192] (Microsoft Corporation)
Winsock: Catalog9 04 C:\Windows\system32\wpclsp.dll [72192] (Microsoft Corporation)
Winsock: Catalog9 05 C:\Windows\system32\wpclsp.dll [72192] (Microsoft Corporation)
Winsock: Catalog9 06 C:\Windows\system32\wpclsp.dll [72192] (Microsoft Corporation)
Winsock: Catalog9 07 C:\Windows\system32\wpclsp.dll [72192] (Microsoft Corporation)
Winsock: Catalog9 08 C:\Windows\system32\wpclsp.dll [72192] (Microsoft Corporation)
Winsock: Catalog9 19 C:\Windows\system32\wpclsp.dll [72192] (Microsoft Corporation)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 172.16.200.62 172.16.200.63

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_16_0_0_305.dll [2015-03-09] ()
FF Plugin: @java.com/DTPlugin,version=11.40.2 -> C:\Program Files\Java\jre1.8.0_40\bin\dtplugin\npDeployJava1.dll [2015-04-03] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.40.2 -> C:\Program Files\Java\jre1.8.0_40\bin\plugin2\npjp2.dll [2015-04-03] (Oracle Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-05] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-05] (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.1.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2014-07-23] (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1862204334-1866920431-4229674107-1000: ubisoft.com/uplaypc -> C:\Program Files\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll [2015-03-26] ()
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-04-19]

Chrome:
=======
CHR Profile: C:\Users\NEU\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\NEU\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-06-11]
CHR Extension: (Google Drive) - C:\Users\NEU\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-06-11]
CHR Extension: (YouTube) - C:\Users\NEU\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-06-11]
CHR Extension: (Google Search) - C:\Users\NEU\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-06-11]
CHR Extension: (Google Wallet) - C:\Users\NEU\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-06-11]
CHR Extension: (Gmail) - C:\Users\NEU\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-06-11]
CHR HKLM\...\Chrome\Extension: [fgnippahjheicjenccifemomfgjofdhp] - C:\ProgramData\Codec-C\fgnippahjheicjenccifemomfgjofdhp.crx [Not Found]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - https://clients2.google.com/service/update2/crx

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [276992 2014-04-17] (Advanced Micro Devices, Inc.) [File not signed]
R2 LightScribeService; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [73728 2009-03-17] (Hewlett-Packard Company) [File not signed]
R2 PnkBstrA; C:\Windows\system32\PnkBstrA.exe [76888 2014-08-02] ()
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-19] (Microsoft Corporation)
S4 HP Health Check Service; "c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe" [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 AODDriver4.0; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\i386\AODDriver2.sys [50400 2014-02-11] (Advanced Micro Devices)
R3 LUsbFilt; C:\Windows\System32\Drivers\LUsbFilt.Sys [28312 2014-03-19] (Logitech, Inc.)
R2 secdrv; C:\Windows\system32\Drivers\secdrv.sys [163644 2011-08-12] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [File not signed]
S3 ALSysIO; \??\C:\Users\NEU\AppData\Local\Temp\ALSysIO.sys [X]
S3 amdiox86; system32\DRIVERS\amdiox86.sys [X]
U5 AppMgmt; C:\Windows\system32\svchost.exe [21504 2008-01-19] (Microsoft Corporation)
S3 AtiHDAudioService; system32\drivers\AtihdLH3.sys [X]
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 catchme; \??\C:\Users\NEU\AppData\Local\Temp\catchme.sys [X]
S3 cpuz130; \??\C:\Users\NEU\AppData\Local\Temp\cpuz130\cpuz_x32.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 nsysaudm; \??\C:\Users\NEU\AppData\Local\Temp\nsysaudm.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 SymIM; system32\DRIVERS\SymIM.sys [X]
S3 SymIMMP; system32\DRIVERS\SymIM.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-04-03 19:03 - 2015-04-03 19:04 - 00013649 _____ () C:\Users\NEU\Downloads\FRST.txt
2015-04-03 19:02 - 2015-04-03 19:03 - 00000000 ____D () C:\FRST
2015-04-03 19:02 - 2015-04-03 19:02 - 01135104 _____ (Farbar) C:\Users\NEU\Downloads\FRST.exe
2015-04-03 16:23 - 2015-04-03 16:23 - 18701616 _____ (Microsoft Corporation) C:\Users\NEU\Downloads\IE9-WindowsVista-x86-dan.exe
2015-04-03 15:00 - 2015-04-03 15:00 - 05344528 _____ (Piriform Ltd) C:\Users\NEU\Downloads\ccsetup504.exe
2015-04-03 12:18 - 2015-04-03 12:18 - 00000000 ____D () C:\Users\NEU\AppData\Roaming\ATI
2015-04-03 11:11 - 2015-04-03 11:11 - 37064104 _____ (Oracle Corporation) C:\Users\NEU\Downloads\jre-8u40-windows-i586.exe
2015-04-03 02:18 - 2015-04-03 12:14 - 00002425 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
2015-04-03 02:18 - 2015-04-03 12:11 - 00000000 ____D () C:\ProgramData\Adobe
2015-04-03 02:18 - 2015-04-03 02:18 - 00001894 _____ () C:\Users\Public\Desktop\Adobe Reader X.lnk
2015-04-03 02:18 - 2015-04-03 02:18 - 00000000 ____D () C:\Program Files\Adobe
2015-04-03 02:14 - 2015-04-03 02:14 - 00096680 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge.dll
2015-04-03 02:14 - 2015-04-03 02:14 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2015-04-03 02:14 - 2015-04-03 02:14 - 00000000 ____D () C:\Program Files\Java
2015-04-03 02:14 - 2015-04-03 02:14 - 00000000 ____D () C:\Program Files\Common Files\Java
2015-04-03 01:40 - 2015-04-03 01:40 - 00000000 ____D () C:\Users\NEU\Downloads\JavaRa-2.6
2015-04-03 01:37 - 2015-04-03 01:37 - 00159578 _____ () C:\Users\NEU\Downloads\JavaRa-2.6.zip
2015-04-03 01:14 - 2015-04-03 01:14 - 00000000 ____D () C:\Users\NEU\AppData\Roaming\Oracle
2015-04-02 23:20 - 2012-11-02 14:17 - 00242504 _____ (BitDefender) C:\Windows\system32\Drivers\SET633B.tmp
2015-04-02 23:20 - 2009-07-14 23:27 - 01461992 _____ (Microsoft Corporation) C:\Windows\system32\WdfCoInstaller01009.dll
2015-04-02 23:17 - 2015-04-03 12:11 - 00000000 ____D () C:\Users\NEU\AppData\Roaming\Adobe
2015-04-02 17:52 - 2015-04-02 17:52 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HD Tune
2015-04-02 17:52 - 2015-04-02 17:52 - 00000000 ____D () C:\Program Files\HD Tune
2015-04-02 17:51 - 2015-04-02 17:52 - 00642632 _____ (EFD Software ) C:\Users\NEU\Downloads\hdtune_255.exe
2015-03-31 13:32 - 2015-03-31 13:32 - 00000759 _____ () C:\Windows\system32\Drivers\etc\HOSTS.STD
2015-03-31 13:26 - 2015-03-31 13:26 - 00000000 ____D () C:\Users\NEU\Downloads\hosts (1)
2015-03-29 17:43 - 2015-03-29 17:49 - 00000000 ____D () C:\Users\NEU\AppData\Roaming\SpinTires
2015-03-29 17:42 - 2015-03-31 12:42 - 00002583 _____ () C:\Users\Public\Desktop\SpinTires Tech Demo (June 060613).lnk
2015-03-29 17:42 - 2015-03-29 17:42 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Oovee
2015-03-29 17:42 - 2015-03-29 17:42 - 00000000 ____D () C:\Program Files\Oovee
2015-03-29 17:41 - 2015-03-29 17:41 - 00000000 ____D () C:\Users\NEU\Downloads\SpinTiresInstall_060613
2015-03-28 20:45 - 2015-03-28 20:45 - 00000000 ____D () C:\Users\NEU\Documents\SavedGames
2015-03-28 20:45 - 2015-03-28 20:45 - 00000000 ____D () C:\Program Files\Microsoft XNA
2015-03-28 19:17 - 2015-01-29 03:35 - 00369664 _____ (Microsoft Corporation) C:\Windows\system32\WMPhoto.dll
2015-03-28 19:16 - 2015-02-26 02:18 - 02064384 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-03-28 19:16 - 2015-01-29 03:35 - 00975360 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
2015-03-28 19:15 - 2015-02-26 04:01 - 03604408 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe
2015-03-28 19:15 - 2015-02-26 04:01 - 03552184 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-03-28 19:15 - 2015-02-20 04:03 - 00034304 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2015-03-28 19:15 - 2015-02-20 02:28 - 00296960 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2015-03-28 19:15 - 2015-01-21 04:02 - 00807936 _____ (Microsoft Corporation) C:\Windows\system32\msctf.dll
2015-03-28 19:15 - 2015-01-09 04:04 - 00049152 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2015-03-28 19:15 - 2015-01-09 02:18 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2015-03-28 19:14 - 2015-03-06 06:01 - 00279040 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2015-03-28 19:14 - 2014-10-13 03:12 - 02264064 _____ (Microsoft Corporation) C:\Windows\system32\msi.dll
2015-03-28 19:13 - 2015-02-18 04:02 - 11587584 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2015-03-28 19:12 - 2015-02-21 19:37 - 12375040 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-03-28 19:12 - 2015-02-21 19:34 - 00367104 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2015-03-28 19:12 - 2015-02-21 19:29 - 09747968 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-03-28 19:12 - 2015-02-21 19:28 - 01810944 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-03-28 19:12 - 2015-02-21 19:22 - 01139200 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-03-28 19:12 - 2015-02-21 19:21 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-03-28 19:12 - 2015-02-21 19:21 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-03-28 19:12 - 2015-02-21 19:20 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2015-03-28 19:12 - 2015-02-21 19:20 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-03-28 19:12 - 2015-02-21 19:19 - 01803264 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-03-28 19:12 - 2015-02-21 19:19 - 00717824 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-03-28 19:12 - 2015-02-21 19:19 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-03-28 19:12 - 2015-02-21 19:19 - 00421376 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-03-28 19:12 - 2015-02-21 19:19 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-03-28 19:12 - 2015-02-21 19:18 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-03-28 19:12 - 2015-02-21 19:18 - 00353792 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-03-28 19:12 - 2015-02-21 19:18 - 00223232 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-03-28 19:12 - 2015-02-21 19:18 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-03-28 19:12 - 2015-02-21 19:18 - 00041472 _____ (Microsoft Corporation) C:\Windows\system32\msfeedsbs.dll
2015-03-28 19:12 - 2015-02-21 19:18 - 00011776 _____ (Microsoft Corporation) C:\Windows\system32\mshta.exe
2015-03-28 19:12 - 2015-02-21 19:18 - 00010752 _____ (Microsoft Corporation) C:\Windows\system32\msfeedssync.exe
2015-03-28 19:12 - 2015-02-21 19:17 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-03-27 11:43 - 2015-03-27 11:43 - 00000000 ____D () C:\Users\NEU\AppData\Roaming\Wargaming.net
2015-03-27 10:37 - 2015-03-27 10:37 - 00000712 _____ () C:\Users\NEU\Desktop\World of Tanks.lnk
2015-03-27 10:37 - 2015-03-27 10:37 - 00000000 ____D () C:\Users\NEU\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\World of Tanks
2015-03-20 21:24 - 2015-03-20 21:27 - 00000000 ____D () C:\Program Files\CrystalDiskMark
2015-03-20 21:24 - 2015-03-20 21:24 - 00001767 _____ () C:\Users\NEU\Desktop\CrystalDiskMark.lnk
2015-03-20 21:24 - 2015-03-20 21:24 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CrystalDiskMark
2015-03-20 21:23 - 2015-03-20 21:24 - 00000000 ____D () C:\Users\NEU\Downloads\CrystalDiskInfo6_3_0
2015-03-20 21:19 - 2015-03-20 21:19 - 01659040 _____ (Crystal Dew World ) C:\Users\NEU\Downloads\CrystalDiskMark3_0_3b-en.exe
2015-03-09 23:33 - 2015-04-03 18:54 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-04-03 19:02 - 2006-11-02 12:33 - 01357422 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-04-03 19:00 - 2006-11-02 14:52 - 01391022 _____ () C:\Windows\WindowsUpdate.log
2015-04-03 18:55 - 2014-06-11 17:12 - 00000916 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-04-03 18:55 - 2006-11-02 15:01 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-04-03 18:55 - 2006-11-02 14:47 - 00003568 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2015-04-03 18:55 - 2006-11-02 14:47 - 00003568 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2015-04-03 18:54 - 2006-11-02 15:01 - 00032570 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2015-04-03 18:39 - 2014-06-11 17:12 - 00000920 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-04-03 15:58 - 2014-10-28 01:50 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-04-03 12:11 - 2014-08-14 21:24 - 00000000 ____D () C:\Users\NEU\AppData\Local\Adobe
2015-04-03 11:42 - 2009-11-12 06:38 - 00000262 __RSH () C:\ProgramData\ntuser.pol
2015-04-03 02:18 - 2009-04-06 11:41 - 00000000 ____D () C:\Program Files\Common Files\Adobe
2015-04-03 02:14 - 2014-10-30 00:32 - 00000000 ____D () C:\ProgramData\Oracle
2015-04-03 00:03 - 2009-04-19 18:22 - 00810008 _____ () C:\Windows\PFRO.log
2015-04-02 23:20 - 2014-10-26 20:53 - 00000000 ____D () C:\Users\NEU\AppData\Roaming\QuickScan
2015-04-02 23:20 - 2009-04-19 18:06 - 00000000 ____D () C:\Users\NEU
2015-04-02 20:02 - 2014-06-28 21:04 - 00000000 ____D () C:\Program Files\NVIDIA Corporation
2015-04-02 19:01 - 2011-01-30 14:25 - 00000000 ____D () C:\Windows\Minidump
2015-04-02 18:24 - 2006-11-02 13:18 - 00000000 ____D () C:\Windows\Microsoft.NET
2015-04-02 16:43 - 2012-08-04 20:39 - 00000000 ____D () C:\Users\NEU\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Steam
2015-04-02 15:47 - 2013-04-25 20:15 - 00000000 ____D () C:\Users\NEU\AppData\Local\Ubisoft
2015-04-02 14:24 - 2014-06-11 17:13 - 00001985 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-03-31 10:04 - 2009-04-06 21:06 - 00000000 ____D () C:\hp
2015-03-29 21:28 - 2009-07-02 20:29 - 00000000 ____D () C:\Users\NEU\Documents\NEU
2015-03-28 20:45 - 2006-11-02 13:18 - 00000000 ____D () C:\Program Files\Common Files\microsoft shared
2015-03-28 20:11 - 2006-11-02 14:47 - 00290056 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-03-27 10:37 - 2012-08-02 21:04 - 00000000 ____D () C:\Spil
2015-03-26 13:15 - 2014-01-03 01:43 - 00000000 ____D () C:\Users\NEU\Documents\Eidos
2015-03-26 13:14 - 2010-09-18 19:17 - 00491081 _____ () C:\Windows\DirectX.log
2015-03-26 12:49 - 2013-02-24 02:43 - 00000000 ____D () C:\Users\NEU\Documents\Settlers7
2015-03-20 21:47 - 2013-11-14 21:16 - 00014069 _____ () C:\Users\NEU\Desktop\Notat.txt
2015-03-09 23:54 - 2014-08-14 21:25 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-03-09 23:54 - 2014-08-14 21:25 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2015-03-09 23:24 - 2009-08-28 15:40 - 00000000 ____D () C:\ProgramData\Apple Computer
2015-03-07 00:46 - 2015-01-19 21:25 - 00000000 ____D () C:\Users\NEU\AppData\Roaming\vlc

==================== Files in the root of some directories =======

2010-01-24 15:14 - 2014-07-10 22:06 - 0022328 ____R () C:\Users\NEU\AppData\Roaming\PnkBstrK.sys
2009-07-02 22:26 - 2014-09-03 20:00 - 0004466 ____R () C:\Users\NEU\AppData\Roaming\wklnhst.dat
2011-01-08 13:04 - 2014-08-27 17:02 - 0001356 _____ () C:\Users\NEU\AppData\Local\d3d9caps.dat
2009-06-28 17:15 - 2015-02-20 01:57 - 0105984 _____ () C:\Users\NEU\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2009-04-06 11:34 - 2009-04-06 11:34 - 0000342 _____ () C:\ProgramData\hpzinstall.log

Files to move or delete:
====================
C:\Users\NEU\handle.exe
C:\Users\NEU\temp.dat


Some content of TEMP:
====================
C:\Users\NEU\AppData\Local\temp\detectionapi_rd.dll
C:\Users\NEU\AppData\Local\temp\detectionui_r.exe
C:\Users\NEU\AppData\Local\temp\directx9tests_rd.dll
C:\Users\NEU\AppData\Local\temp\local.dll
C:\Users\NEU\AppData\Local\temp\mfc80.dll
C:\Users\NEU\AppData\Local\temp\mfc80u.dll
C:\Users\NEU\AppData\Local\temp\msvcp80.dll
C:\Users\NEU\AppData\Local\temp\msvcr80.dll
C:\Users\NEU\AppData\Local\temp\_is277D.exe
C:\Users\NEU\AppData\Local\temp\_isB1A2.exe
C:\Users\NEU\AppData\Local\temp\_isD24B.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-04-03 19:01

==================== End Of Log ============================

Edited by nasdaq, 04 April 2015 - 07:42 AM.
FRST log posted.


#3 nasdaq

  • Malware Response Team
  • 40,749 posts
  • Location:Montreal, QC. Canada

Posted 04 April 2015 - 07:42 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

ATTENTION: System Restore is disabled.

Enable your System Restore.
How to:
http://www.vistax64.com/tutorials/66971-system-restore.html
===

Running from C:\Users\NEU\Downloads
The Farbar tool is presently running from the Downloads folder.

Please copy or move the .exe file to your Desktop.

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.


start

CloseProcesses:

GroupPolicyUsers\S-1-5-21-1862204334-1866920431-4229674107-1000\User: Group Policy restriction detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1862204334-1866920431-4229674107-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
Toolbar: HKLM - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKU\S-1-5-21-1862204334-1866920431-4229674107-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
CHR HKLM\...\Chrome\Extension: [fgnippahjheicjenccifemomfgjofdhp] - C:\ProgramData\Codec-C\fgnippahjheicjenccifemomfgjofdhp.crx [Not Found]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - https://clients2.google.com/service/update2/crx
S4 HP Health Check Service; "c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe" [X]
S3 ALSysIO; \??\C:\Users\NEU\AppData\Local\Temp\ALSysIO.sys [X]
S3 amdiox86; system32\DRIVERS\amdiox86.sys [X]
S3 AtiHDAudioService; system32\drivers\AtihdLH3.sys [X]
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 catchme; \??\C:\Users\NEU\AppData\Local\Temp\catchme.sys [X]
S3 cpuz130; \??\C:\Users\NEU\AppData\Local\Temp\cpuz130\cpuz_x32.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 nsysaudm; \??\C:\Users\NEU\AppData\Local\Temp\nsysaudm.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 SymIM; system32\DRIVERS\SymIM.sys [X]
S3 SymIMMP; system32\DRIVERS\SymIM.sys [X]
AlternateDataStreams: C:\WINDOWS:nlsPreferences
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34
AlternateDataStreams: C:\Users\NEU\AppData\Local\desktop.ini:722b2b1c349a06abf0e866180e5a7e63
C:\Users\NEU\AppData\Local\temp\detectionapi_rd.dll
C:\Users\NEU\AppData\Local\temp\detectionui_r.exe
C:\Users\NEU\AppData\Local\temp\directx9tests_rd.dll
C:\Users\NEU\AppData\Local\temp\local.dll
C:\Users\NEU\AppData\Local\temp\mfc80.dll
C:\Users\NEU\AppData\Local\temp\mfc80u.dll
C:\Users\NEU\AppData\Local\temp\msvcp80.dll
C:\Users\NEU\AppData\Local\temp\msvcr80.dll
C:\Users\NEU\AppData\Local\temp\_is277D.exe
C:\Users\NEU\AppData\Local\temp\_isB1A2.exe
C:\Users\NEU\AppData\Local\temp\_isD24B.exe

End
Save the file as fixlist.txt to the Desktop.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

How is the computer running now?
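The fixlist in the reply above is built by hand from FRST.txt: the lines FRST itself flags with ATTENTION, toolbar CLSIDs with no file behind them, Chrome extensions registered machine-wide under HKLM, service and driver entries marked [X] (registry entry present, file missing) and leftover binaries in TEMP. The script below is an added example that mechanises that selection; it is not FRST's code and not the helper's own procedure. SAMPLE_FRST is a constructed excerpt of the log posted earlier in this thread, and the start / CloseProcesses: / End frame is copied from the reply. Two caveats a practitioner would add: the AlternateDataStreams lines in the reply come from Addition.txt, which is not on this page, so the script does not produce them; and "Policy restriction" entries are legitimate on a domain-joined or otherwise managed PC, where removing them undoes an administrator's configuration, so confirm who owns the machine before including them.

```python
"""Select fixlist candidates from an FRST.txt scan.

Added example for this thread; not FRST's code and not the helper's own
procedure. SAMPLE_FRST is a constructed excerpt of the log posted above.
"""
import re

SAMPLE_FRST = r"""
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [RtHDVCpl] => C:\Windows\RtHDVCpl.exe [4874240 2008-01-15] (Realtek Semiconductor)
GroupPolicyUsers\S-1-5-21-1862204334-1866920431-4229674107-1000\User: Group Policy restriction detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
==================== Internet (Whitelisted) ====================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
Toolbar: HKLM - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
BHO: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_40\bin\ssv.dll [2015-04-03] (Oracle Corporation)
CHR HKLM\...\Chrome\Extension: [fgnippahjheicjenccifemomfgjofdhp] - C:\ProgramData\Codec-C\fgnippahjheicjenccifemomfgjofdhp.crx [Not Found]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - https://clients2.google.com/service/update2/crx
========================== Services (Whitelisted) =================
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-19] (Microsoft Corporation)
S4 HP Health Check Service; "c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe" [X]
==================== Drivers (Whitelisted) ====================
R3 LUsbFilt; C:\Windows\System32\Drivers\LUsbFilt.Sys [28312 2014-03-19] (Logitech, Inc.)
S3 ALSysIO; \??\C:\Users\NEU\AppData\Local\Temp\ALSysIO.sys [X]
S3 catchme; \??\C:\Users\NEU\AppData\Local\Temp\catchme.sys [X]
Some content of TEMP:
====================
C:\Users\NEU\AppData\Local\temp\local.dll
C:\Users\NEU\AppData\Local\temp\_is277D.exe
==================== Bamital & volsnap Check =================
C:\Windows\explorer.exe => File is digitally signed
"""

ATTENTION = "<======= ATTENTION"
TOOLBAR_NO_FILE = re.compile(r"^Toolbar: .* - No File$")
CHR_HKLM_EXT = re.compile(r"^CHR HKLM\\\.\.\.\\Chrome\\Extension: ")
ORPHANED_SVC = re.compile(r"^[RSU]\d .*\[X\]$")   # service/driver entry whose file is missing
TEMP_BINARY = re.compile(r"^[A-Za-z]:\\.*\\temp\\[^\\]+\.(exe|dll|sys|scr)$", re.I)


def fixlist_candidates(frst_text):
    """Return the log lines that would go into fixlist.txt, in log order."""
    out = []
    in_temp = False
    for raw in frst_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("Some content of TEMP:"):
            in_temp = True
            continue
        if set(line) == {"="}:        # underline below a section title
            continue
        if line.startswith("===="):   # any other section header ends the TEMP listing
            in_temp = False
            continue
        if (ATTENTION in line or TOOLBAR_NO_FILE.match(line)
                or CHR_HKLM_EXT.match(line) or ORPHANED_SVC.match(line)):
            out.append(line)
        elif in_temp and TEMP_BINARY.match(line):
            out.append(line)
    return out


def render_fixlist(lines):
    """Wrap the candidates in the start / CloseProcesses: / End frame used above."""
    return "start\nCloseProcesses:\n" + "\n".join(lines) + "\nEnd\n"


if __name__ == "__main__":
    print(render_fixlist(fixlist_candidates(SAMPLE_FRST)))
```

The output is a draft to review, not something to run blind: every line still needs the eyeball check the helper applied, in particular the policy entries mentioned above.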

#4 nasdaq

  • Malware Response Team
  • 40,749 posts
  • Location:Montreal, QC. Canada

Posted 09 April 2015 - 08:15 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



