Please HELP, how do i know if i was hacked?


  • This topic is locked
17 replies to this topic

#1 olgapreda1304

Posted 13 September 2015 - 04:56 PM

Hello, I need some advice on whether I was a victim of a hacking process. I recently scanned my computer, and I found one backdoor.bot and 39 trojan.generic. From what I have heard, these are all viruses that grant remote access control to my computer. All of them existed in my computer for almost 2 years. How do I know if someone actually looked into my computer and had actual access to its content? Is there any way?




#2 Oh My! (Malware Response Instructor)

Posted 13 September 2015 - 07:58 PM

Greetings olgapreda1304 and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply to Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow this topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far.

Please post the report log(s) showing the malware entries you identified above.

Please do this.

===================================================

Farbar Recovery Scan Tool (FRST)

--------------------
  • Download Farbar Recovery Scan Tool for either 32 bit or 64 bit systems and save it to your desktop <<< Important
  • If you are unsure if you have 32 bit or 64 bit simply download and try one. If that doesn't run properly the other one should
  • Double click the icon
  • Click Yes to the disclaimer
  • Make sure the Addition.txt box is checked
  • Click Scan and allow the program to run
  • Click OK on the Scan complete screen, then OK on the Addition.txt pop up screen
  • 2 Notepad documents should now be open on your desktop.
  • Please copy and paste the contents of both in your reply
===================================================

System Summary Information

--------------------
  • Press the Windows logo key + r on your keyboard at the same time
  • Type msinfo32 and press Enter
  • Left click on System Summary
  • Click File, Save, and name the file Summary
  • Zip and attach the file to your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Previous malware logs
  • FRST results
  • Addition log
  • System Summary Information

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

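The FRST.txt that Gary asks for is read by eye, section by section. The following script is an added example for this thread (not part of the post above, and not part of Farbar Recovery Scan Tool) that shows the first-pass triage a responder applies to the Services, Drivers and NetSvcs sections: FRST's own annotations (`[X]` for a registered file that is not on disk, `no ImagePath` for a service key with no binary, `[File not signed]`, and the `<======= ATTENTION` marker) are combined with one heuristic of the author's, a service name that looks machine-generated. The scores, the threshold and the small set of names treated as known-good are assumptions, and a high score is a reason to look at an entry, not proof of compromise: orphaned service registrations are also left behind by uninstallers and by cleanup tools that already removed the file.

```python
"""Triage helper for the Services / Drivers / NetSvcs sections of an FRST log.

Added example for this thread; not part of the BleepingComputer post and not
part of Farbar Recovery Scan Tool. The scoring rules and the threshold are
the author's assumptions about what a responder reads first, not FRST
semantics. FRST itself only annotates: `[X]` means the registered file is not
on disk, `no ImagePath` means a service key with no binary, and
`<======= ATTENTION` is FRST's own marker for a setting it wants reviewed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: lines lifted and abridged from the FRST.txt posted in this
# thread, plus one clean AVG service line for contrast. Not a complete log.
SAMPLE_LOG = r"""
==================== Services (Whitelisted) ========================
R2 avgwd; C:\Program Files\AVG\AVG2012\avgwdsvc.exe [198616 2015-05-19] (AVG Technologies CZ, s.r.o.)
R2 VmbService; C:\Program Files\Vodafone\Vodafone Mobile Broadband\Bin\VmbService.exe [8704 2012-07-31] (Vodafone) [File not signed]
S4 aoau3ddoevwei2; C:\WINDOWS\system32\sinezuh.exe [X]
S2 ERSvc; %SystemRoot%\System32\ersvc.dll [X]
S2 uevdpihx; C:\WINDOWS\system32\vdkaqtxk.dll [X]
===================== Drivers (Whitelisted) ==========================
R0 sptd; C:\WINDOWS\System32\Drivers\sptd.sys [611064 2010-01-22] () [File not signed]
S3 catchme; \??\D:\User\Tmp\catchme.sys [X]
U3 TlntSvr; no ImagePath
U3 ajc19izh; no ImagePath
==================== NetSvcs (Whitelisted) ===================
NETSVC: uevdpihx -> C:\WINDOWS\system32\vdkaqtxk.dll ==> No File
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
"""

# "R2 name; path [size date] (vendor) [flags]" as FRST prints service/driver rows
SERVICE_RE = re.compile(r"^(?P<state>[RSU]\d)\s+(?P<name>[^;]+);\s*(?P<path>.+?)\s*$")
RANDOM_NAME_RE = re.compile(r"^[a-z0-9]{8,}$")

# Assumed known-good here: Windows XP service names seen in the log and the
# catchme driver of a cleanup tool the user already ran. Extend as needed.
KNOWN_NAMES = {"ersvc", "srservice", "wscsvc", "helpsvc", "tlntsvr", "intelide", "catchme"}


@dataclass
class Finding:
    name: str
    score: int
    reasons: list


def looks_random(name: str) -> bool:
    """Heuristic: long, all lowercase alphanumerics with at least one digit."""
    n = name.lower()
    if n in KNOWN_NAMES or not RANDOM_NAME_RE.match(n):
        return False
    return any(c.isdigit() for c in n)


def triage(log_text: str, threshold: int = 2) -> list[Finding]:
    """Score every service/driver/netsvcs row and return those at or above threshold."""
    findings: dict[str, Finding] = {}

    def hit(name: str, points: int, reason: str) -> None:
        f = findings.setdefault(name, Finding(name, 0, []))
        f.score += points
        f.reasons.append(reason)

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, path = m.group("name"), m.group("path")
            if path.endswith("[X]"):
                hit(name, 2, "registered binary missing on disk ([X])")
            if path == "no ImagePath":
                hit(name, 1, "service key without an ImagePath")
            if "[File not signed]" in path:
                hit(name, 1, "binary is not digitally signed")
            if "<======= ATTENTION" in path:
                hit(name, 2, "flagged by FRST (ATTENTION)")
            if looks_random(name):
                hit(name, 2, "machine-generated-looking service name")
            continue
        if line.startswith("NETSVC:") and line.endswith("==> No File"):
            hit(line.split()[1], 2, "netsvcs group entry points to a missing DLL")
            continue
        if "<======= ATTENTION" in line:
            hit(line.split(":", 1)[0], 2, "flagged by FRST (ATTENTION)")

    ranked = sorted(findings.values(), key=lambda f: -f.score)
    return [f for f in ranked if f.score >= threshold]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.score:>2}  {f.name}: {'; '.join(f.reasons)}")
```

Entries that carry only one weak signal (the unsigned Vodafone and sptd drivers, the empty TlntSvr key) fall below the threshold, while the `[X]` rows with random-looking names and the service that is also referenced from the netsvcs group sort to the top, which is the order in which a responder would go and read the surrounding registry and file data.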
#3 olgapreda1304 (Topic Starter)

Posted 14 September 2015 - 04:40 PM

Hi, thank you for your answer! Before I follow all the steps mentioned above, I must ask: will these logs reveal if I am being hacked at this moment, or in the past? Because I cleaned my PC with Malwarebytes and AVG, but I am worried that maybe at some point in the past someone accessed my computer and eventually filmed or saved some of its content, even if the respective person isn't connected now to my PC, or hasn't been lately.

#4 Oh My! (Malware Response Instructor)

Posted 14 September 2015 - 08:50 PM

Either might be possible. We may find no evidence of malicious software, active malicious software, or remnants of what used to be an active infection. No way to tell without looking at the information.
 
The only thing I can do is try to determine if you are or have been dealing with what is known as a Backdoor Trojan. If you have, then there is a possibility your information has been compromised but without evidence of that (like bank accounts that have been accessed) I would have no way of knowing whether or not your information has been stolen.

Let me know what you would like to do.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#5 olgapreda1304 (Topic Starter)

Posted 16 September 2015 - 05:03 PM

I couldn't execute the command msinfo32. I verified and found out I don't even have msinfo32.exe on my system. Thusly, I executed the command dxdiag.
I attached here the logs of all programs I have ever executed. I am attaching all of them because I think it would be easier for you to analyze them having them grouped in a certain order.
Thank you very much for your time and help.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:15-09-2015
Ran by user (administrator) on X86-11C260063BD (16-09-2015 16:03:45)
Running from D:\User\Desktop
Loaded Profiles: user (Available Profiles: user)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) Language: English (United States)
Internet Explorer Version 6 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVG Technologies CZ, s.r.o.) C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgcsrvx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgwdsvc.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(NVIDIA Corporation) C:\WINDOWS\system32\nvsvc32.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgnsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgemcx.exe
(Vodafone) C:\Program Files\Vodafone\Vodafone Mobile Broadband\Bin\VmbService.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgidsagent.exe
(Realtek Semiconductor Corp.) C:\WINDOWS\soundman.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgtray.exe
() C:\Program Files\AVG Secure Search\vprot.exe
(CANON INC.) C:\Program Files\Canon\Quick Menu\CNQMMAIN.EXE
(Vodafone) C:\Program Files\Vodafone\Vodafone Mobile Broadband\Bin\MobileBroadband.exe
(Yahoo! Inc.) C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
(Yahoo! Inc.) C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
(Microsoft Corporation) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
(CANON INC.) C:\Program Files\Canon\Quick Menu\CNQMUPDT.EXE
(CANON INC.) C:\Program Files\Canon\Quick Menu\CNQMSWCS.EXE
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\MSInfo\OFFPRV10.EXE
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\MSInfo\OFFPRV10.EXE
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\MSInfo\OFFPRV10.EXE


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [NvMediaCenter] => RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
HKLM\...\Run: [SoundMan] => C:\WINDOWS\SOUNDMAN.EXE [577536 2006-08-03] (Realtek Semiconductor Corp.)
HKLM\...\Run: [AVG_TRAY] => C:\Program Files\AVG\AVG2012\avgtray.exe [2598912 2015-05-19] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [vProt] => C:\Program Files\AVG Secure Search\vprot.exe [1124016 2013-02-13] ()
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKLM\...\Run: [CanonQuickMenu] => C:\Program Files\Canon\Quick Menu\CNQMMAIN.EXE [1279120 2012-09-27] (CANON INC.)
HKLM\...\Run: [MobileBroadband] => C:\Program Files\Vodafone\Vodafone Mobile Broadband\Bin\MobileBroadband.exe [69632 2012-07-31] (Vodafone)
HKU\S-1-5-18\...\RunOnce: [_nltide_3] => rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
Startup: C:\Documents and Settings\user\Start Menu\Programs\Startup\Yahoo! Widgets.lnk [2010-01-22]
ShortcutTarget: Yahoo! Widgets.lnk -> C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe (Yahoo! Inc.)
BootExecute: autocheck autochk * C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 81.12.128.206 81.12.132.206
Tcpip\..\Interfaces\{611D919E-6AD9-441F-9FFD-B21C13D480AB}: [DhcpNameServer] 81.12.128.206 81.12.132.206

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1004336348-1284227242-1417001333-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yahoo.com
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-1004336348-1284227242-1417001333-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
URLSearchHook: HKU\S-1-5-21-1004336348-1284227242-1417001333-1001 - (No Name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
URLSearchHook: HKU\S-1-5-21-1004336348-1284227242-1417001333-1001 - Microsoft Url Search Hook - {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "hxxp://isearch.avg.com/tab?cid={3EFCAA68-4B7F-4C9F-A5F2-A77AD730AD55}&mid=afd807aca76b47d3afdad15fa0d4b55f-06ce4fc639803a2e3563922518183d8e94088cb9&lang=en&ds=AVG&pr=pr&d=2013-02-07 20:59:23&pid=avg&sg=&v=14.1.0.10&sap=nt" <======= ATTENTION
SearchScopes: HKU\S-1-5-19 -> DefaultScope {2381E4B7-5C04-459E-9D46-2F9AC1608B66} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=ysp
SearchScopes: HKU\S-1-5-19 -> {2381E4B7-5C04-459E-9D46-2F9AC1608B66} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=ysp
SearchScopes: HKU\S-1-5-20 -> DefaultScope {2381E4B7-5C04-459E-9D46-2F9AC1608B66} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=ysp
SearchScopes: HKU\S-1-5-20 -> {2381E4B7-5C04-459E-9D46-2F9AC1608B66} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=ysp
SearchScopes: HKU\S-1-5-21-1004336348-1284227242-1417001333-1001 -> DefaultScope {2381E4B7-5C04-459E-9D46-2F9AC1608B66} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=ysp
SearchScopes: HKU\S-1-5-21-1004336348-1284227242-1417001333-1001 -> {2381E4B7-5C04-459E-9D46-2F9AC1608B66} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=ysp
SearchScopes: HKU\S-1-5-21-1004336348-1284227242-1417001333-1001 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxp://isearch.avg.com/search?cid={3EFCAA68-4B7F-4C9F-A5F2-A77AD730AD55}&mid=afd807aca76b47d3afdad15fa0d4b55f-06ce4fc639803a2e3563922518183d8e94088cb9&lang=en&ds=AVG&pr=pr&d=2013-02-07 20:59:23&v=8.0.0.40&sap=dsp&q={searchTerms}
BHO: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> No File
BHO: AVG Safe Search -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -> C:\Program Files\AVG\AVG2012\avgssie.dll [2015-05-19] (AVG Technologies CZ, s.r.o.)
BHO: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
BHO: Windows Live Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22] (Microsoft Corporation)
BHO: AVG Security Toolbar -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> C:\Program Files\AVG Secure Search\14.1.0.10\AVG Secure Search_toolbar.dll [2013-02-13] ()
Toolbar: HKLM - AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\14.1.0.10\AVG Secure Search_toolbar.dll [2013-02-13] ()
Toolbar: HKU\S-1-5-21-1004336348-1284227242-1417001333-1001 -> No Name - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL [2001-01-22] (Microsoft Corporation)
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll [2015-05-19] (AVG Technologies CZ, s.r.o.)
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll [2009-07-26] (Microsoft Corporation)
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll [2009-07-26] (Microsoft Corporation)
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\14.1.7\ViProtocol.dll [2013-02-13] ()

FireFox:
========
FF ProfilePath: D:\User\FF
FF SearchEngineOrder.1: Search the web (Babylon)
FF SelectedSearchEngine: Google
FF Homepage: hxxp://www.google.ro/
FF Keyword.URL: hxxp://search.babylon.com/?affID=111796&tt=060612_8_&babsrc=KW_ss&mntrId=b00b79180000000000000016e6305cac&q=
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_18_0_0_232.dll [2015-08-21] ()
FF Plugin: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin -> C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\14.1.7\\npsitesafety.dll [2013-02-13] (AVG Technologies)
FF Plugin: @canon.com/EPPEX -> C:\Program Files\Canon\My Image Garden\AddOn\CIG\npmigfpi.dll [2011-11-30] (CANON INC.)
FF Plugin: @divx.com/DivX Browser Plugin,version=1.0.0 -> C:\Program Files\DivX\DivX Web Player\npdivx32.dll [2009-10-15] (DivX,Inc.)
FF Plugin: @Google.com/GoogleEarthPlugin -> C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll [2013-10-07] (Google)
FF Plugin: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.3 -> C:\Program Files\Yahoo!\Shared\npYState.dll [2010-06-01] (Yahoo! Inc.)
FF Plugin: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 -> C:\Program Files\Yahoo!\Shared\npYState.dll [2010-06-01] (Yahoo! Inc.)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-16] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-16] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-08-05] (Adobe Systems Inc.)
FF Plugin: yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1 -> C:\Program Files\Mozilla Firefox\plugins\npyaxmpb.dll [2007-03-10] (Yahoo! Inc.)
FF Plugin HKU\S-1-5-21-1004336348-1284227242-1417001333-1001: @yahoo.com/BrowserPlus,version=2.9.2 -> C:\Documents and Settings\user\Local Settings\Application Data\Yahoo!\BrowserPlus\2.9.2\Plugins\npybrowserplus_2.9.2.dll [2010-06-10] (Yahoo! Inc.)
FF user.js: detected! => D:\User\FF\user.js [2010-07-30]
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npBitCometAgent.dll [2008-01-23] (BitComet)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2014-08-05] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npyaxmpb.dll [2007-03-10] (Yahoo! Inc.)
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\avg-secure-search.xml [2013-02-13]
FF HKLM\...\Firefox\Extensions: [{1E73965B-8B48-48be-9C8D-68B920ABC1C4}] - C:\Program Files\AVG\AVG2012\Firefox4
FF Extension: AVG Safe Search - C:\Program Files\AVG\AVG2012\Firefox4 [2013-02-07]

Chrome:
=======
CHR Profile: C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR HKLM\...\Chrome\Extension: [jmfkcklnlgedgbglfkkgedjfmejoahla] - C:\Program Files\AVG\AVG2012\Chrome\safesearch.crx [2012-07-26]
CHR HKLM\...\Chrome\Extension: [ndibdjnfmopecpmkdieinmbadjfpblof] - C:\Documents and Settings\All Users\Application Data\AVG Secure Search\ChromeExt\14.1.0.10\avg.crx [2013-02-13]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AVGIDSAgent; C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe [5176832 2015-05-19] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files\AVG\AVG2012\avgwdsvc.exe [198616 2015-05-19] (AVG Technologies CZ, s.r.o.)
S2 helpsvc; C:\WINDOWS\System32\svchost.exe [14336 2008-04-14] (Microsoft Corporation)
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2015-04-14] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1080120 2015-04-14] (Malwarebytes Corporation)
R2 VmbService; C:\Program Files\Vodafone\Vodafone Mobile Broadband\Bin\VmbService.exe [8704 2012-07-31] (Vodafone) [File not signed]
S4 vToolbarUpdater14.1.7; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\14.1.7\ToolbarUpdater.exe [965296 2013-02-13] ()
S4 aoau3ddoevwei2; C:\WINDOWS\system32\sinezuh.exe [X]
S2 ERSvc; %SystemRoot%\System32\ersvc.dll [X]
S4 ipiyi9aeay5yx; C:\WINDOWS\system32\lulaciha.exe [X]
S4 o7ejku2gpejeeapy; C:\WINDOWS\system32\louresylouqu.exe [X]
U2 srservice; %SystemRoot%\system32\srsvc.dll [X]
S4 ueeualtyayuu5p; C:\WINDOWS\system32\caruw.exe [X]
S2 uevdpihx; C:\WINDOWS\system32\vdkaqtxk.dll [X]
S2 wscsvc; %SYSTEMROOT%\system32\wscsvc.dll [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 ALCXWDM; C:\WINDOWS\System32\drivers\ALCXWDM.SYS [4017536 2006-08-18] (Realtek Semiconductor Corp.)
R3 AVGIDSDriver; C:\WINDOWS\System32\DRIVERS\avgidsdriverx.sys [142600 2015-05-19] (AVG Technologies CZ, s.r.o. )
R3 AVGIDSFilter; C:\WINDOWS\System32\DRIVERS\avgidsfilterx.sys [26504 2015-05-19] (AVG Technologies CZ, s.r.o. )
R0 AVGIDSHX; C:\WINDOWS\System32\DRIVERS\avgidshx.sys [25352 2015-05-19] (AVG Technologies CZ, s.r.o. )
R3 AVGIDSShim; C:\WINDOWS\System32\DRIVERS\avgidsshimx.sys [19976 2015-05-19] (AVG Technologies CZ, s.r.o. )
R1 Avgldx86; C:\WINDOWS\System32\DRIVERS\avgldx86.sys [250632 2015-05-19] (AVG Technologies CZ, s.r.o.)
R1 Avgmfx86; C:\WINDOWS\System32\DRIVERS\avgmfx86.sys [43272 2015-05-19] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\WINDOWS\System32\DRIVERS\avgrkx86.sys [34184 2015-05-19] (AVG Technologies CZ, s.r.o.)
R1 Avgtdix; C:\WINDOWS\System32\DRIVERS\avgtdix.sys [302472 2015-05-19] (AVG Technologies CZ, s.r.o.)
R1 avgtp; C:\WINDOWS\system32\drivers\avgtpx86.sys [33112 2013-02-13] (AVG Technologies)
S3 FETNDIS; C:\WINDOWS\System32\DRIVERS\fetnd5.sys [27165 2001-08-17] (VIA Technologies, Inc. )
S3 FETNDISB; C:\WINDOWS\System32\DRIVERS\fetnd5b.sys [42496 2004-04-15] (VIA Technologies, Inc. )
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [23256 2015-04-14] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [119512 2015-09-16] (Malwarebytes Corporation)
R0 PxHelp20; C:\WINDOWS\System32\Drivers\PxHelp20.sys [46080 2006-05-16] (Sonic Solutions) [File not signed]
R0 sptd; C:\WINDOWS\System32\Drivers\sptd.sys [611064 2010-01-22] () [File not signed]
R1 Tcpip; C:\WINDOWS\System32\DRIVERS\tcpip.sys [361344 2009-12-04] (Microsoft Corporation) [File not signed]
R3 yukonwxp; C:\WINDOWS\System32\DRIVERS\yk51x86.sys [250496 2006-11-22] (Marvell)
S3 ZTEusbnet; C:\WINDOWS\System32\DRIVERS\ZTEusbnet.sys [110080 2008-11-12] (ZTE Corporation)
S3 ZTEusbvoice; C:\WINDOWS\System32\DRIVERS\ZTEusbvoice.sys [104960 2008-11-12] (ZTE Incorporated)
S3 catchme; \??\D:\User\Tmp\catchme.sys [X]
S3 GMSIPCI; \??\I:\INSTALL\GMSIPCI.SYS [X]
S4 IntelIde; no ImagePath
S3 MSICPL; \??\I:\install4\MSICPL.sys [X]
S3 NTACCESS; \??\I:\NTACCESS.sys [X]
S3 SetupNTGLM7X; \??\I:\NTGLM7X.sys [X]
U3 TlntSvr; no ImagePath
U3 ajc19izh; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

NETSVC: uevdpihx -> C:\WINDOWS\system32\vdkaqtxk.dll ==> No File

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-09-16 16:03 - 2015-09-16 16:03 - 00000000 ____D C:\FRST
2015-09-11 00:21 - 2015-09-11 00:21 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\AVG
2015-09-10 23:24 - 2015-09-10 23:25 - 00003658 _____ C:\Documents and Settings\user\Desktop\Rkill.txt
2015-08-25 15:17 - 2015-08-25 15:17 - 00000000 ____D C:\WINDOWS\system32\xircom
2015-08-25 15:17 - 2015-08-25 15:17 - 00000000 ____D C:\WINDOWS\system32\restore
2015-08-25 15:17 - 2015-08-25 15:17 - 00000000 ____D C:\WINDOWS\srchasst
2015-08-25 15:17 - 2015-08-25 15:17 - 00000000 ____D C:\Program Files\xerox
2015-08-25 15:17 - 2015-08-25 15:17 - 00000000 ____D C:\Program Files\netmeeting
2015-08-25 15:17 - 2015-08-25 15:17 - 00000000 ____D C:\Program Files\msn gaming zone
2015-08-25 15:17 - 2015-08-25 15:17 - 00000000 ____D C:\Program Files\microsoft frontpage
2015-08-21 18:03 - 2015-08-21 18:03 - 00015570 _____ C:\ComboFix.txt
2015-08-21 17:14 - 2015-08-21 18:08 - 00000000 ____D C:\WINDOWS\erdnt
2015-08-21 15:21 - 2015-09-16 15:45 - 00119512 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-08-21 15:20 - 2015-08-21 15:20 - 00000783 _____ C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2015-08-21 15:20 - 2015-08-21 15:20 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2015-08-21 15:20 - 2015-08-21 15:20 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2015-08-21 15:20 - 2015-08-21 15:20 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2015-08-21 15:20 - 2015-04-14 10:39 - 00120024 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-08-21 15:20 - 2015-04-14 10:38 - 00023256 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2015-08-21 12:09 - 2015-08-21 12:09 - 00001917 _____ C:\Documents and Settings\All Users\Desktop\Vodafone Mobile Broadband.lnk
2015-08-21 12:09 - 2015-08-21 12:09 - 00000000 ____D C:\Program Files\Vodafone
2015-08-21 12:09 - 2015-08-21 12:09 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Vodafone

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-09-16 15:59 - 2012-12-19 03:52 - 00000754 _____ C:\WINDOWS\WORDPAD.INI
2015-09-16 15:52 - 2011-08-23 15:00 - 00964037 _____ C:\WINDOWS\setupapi.log
2015-09-16 15:36 - 2010-03-05 18:38 - 00000886 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2015-09-16 15:35 - 2010-03-05 18:38 - 00000882 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2015-09-16 15:23 - 2010-01-21 21:44 - 00359494 _____ C:\WINDOWS\WindowsUpdate.log
2015-09-16 15:22 - 2013-02-07 21:57 - 00000000 ____D C:\WINDOWS\system32\Drivers\AVG
2015-09-16 15:17 - 2010-01-21 23:41 - 00000159 _____ C:\WINDOWS\wiadebug.log
2015-09-16 15:17 - 2010-01-21 23:41 - 00000050 _____ C:\WINDOWS\wiaservc.log
2015-09-16 15:17 - 2010-01-21 21:46 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2015-09-16 15:17 - 2006-07-25 05:33 - 00023644 _____ C:\WINDOWS\system32\nvapps.xml
2015-09-16 15:17 - 2004-08-04 13:00 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl
2015-09-11 02:29 - 2013-01-07 23:59 - 00187816 _____ C:\WINDOWS\DtcInstall.log
2015-09-11 02:29 - 2010-01-21 21:47 - 00000278 ___SH C:\Documents and Settings\user\ntuser.ini
2015-09-11 02:29 - 2010-01-21 21:46 - 00032532 _____ C:\WINDOWS\SchedLgU.Txt
2015-09-11 02:11 - 2013-01-08 12:27 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2015-09-11 01:20 - 2010-01-21 23:33 - 00000000 ____D C:\WINDOWS\NLDRV
2015-09-11 01:03 - 2012-12-22 01:27 - 00000000 ____D C:\Program Files\EA SPORTS
2015-09-11 00:22 - 2013-02-07 21:55 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\MFAData
2015-09-11 00:21 - 2013-02-07 21:59 - 00000708 _____ C:\Documents and Settings\All Users\Desktop\AVG 2012.lnk
2015-08-25 15:17 - 2010-01-21 23:33 - 00000000 ____D C:\WINDOWS\ime
2015-08-25 15:17 - 2010-01-21 23:33 - 00000000 ____D C:\WINDOWS\Help
2015-08-25 15:17 - 2010-01-21 23:32 - 00000000 ____D C:\WINDOWS\PCHEALTH
2015-08-25 15:17 - 2010-01-21 21:42 - 00000000 ____D C:\Program Files\Windows NT
2015-08-21 18:02 - 2004-08-04 13:00 - 00000227 _____ C:\WINDOWS\system.ini
2015-08-21 17:33 - 2010-01-21 21:46 - 00000000 __SHD C:\Documents and Settings\NetworkService
2015-08-21 17:11 - 2010-01-21 21:48 - 00000000 ____D C:\Program Files\Matroska
2015-08-21 16:53 - 2010-01-22 00:57 - 00000000 ____D C:\Documents and Settings\user\Tracing
2015-08-21 16:34 - 2013-02-13 02:01 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Browse2save
2015-08-21 16:25 - 2011-08-23 14:48 - 00000000 ____D C:\WINDOWS\pss
2015-08-21 16:17 - 2013-01-08 12:27 - 00778440 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2015-08-21 16:17 - 2011-12-04 02:33 - 00142536 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2015-08-21 15:26 - 2010-01-21 23:37 - 00115768 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2015-08-21 12:13 - 2010-01-21 23:32 - 00000000 ____D C:\WINDOWS\Microsoft.NET
2015-08-21 12:10 - 2011-08-23 18:54 - 00004231 _____ C:\WINDOWS\setupact.log
2015-08-21 12:09 - 2011-09-27 23:36 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Vodafone
2015-08-21 11:56 - 2010-01-21 21:43 - 00000000 ____D C:\WINDOWS\Registration
2015-08-21 11:46 - 2010-01-21 23:38 - 00507990 _____ C:\WINDOWS\system32\PerfStringBackup.INI

==================== Files in the root of some directories =======

2010-01-22 00:01 - 2013-02-22 12:14 - 0123904 _____ () C:\Documents and Settings\user\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x86) Version:15-09-2015
Ran by user (2015-09-16 16:04:25)
Running from D:\User\Desktop
Microsoft Windows XP Professional Service Pack 3 (X86) (2010-01-21 18:45:59)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Admin (S-1-5-21-1004336348-1284227242-1417001333-500 - Administrator - Enabled)
Guest (S-1-5-21-1004336348-1284227242-1417001333-501 - Limited - Disabled)
HelpAssistant (S-1-5-21-1004336348-1284227242-1417001333-1000 - Limited - Disabled)
user (S-1-5-21-1004336348-1284227242-1417001333-1001 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\user

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)


==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

µTorrent (HKU\S-1-5-21-1004336348-1284227242-1417001333-1001\...\uTorrent) (Version: 1.8.3 - )
AC3Filter (remove only) (HKLM\...\AC3Filter) (Version: - )
Adobe Flash Player 11 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 11.9.900.117 - Adobe Systems Incorporated)
Adobe Flash Player 18 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 18.0.0.232 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.08) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.08 - Adobe Systems Incorporated)
AVG 2012 (HKLM\...\AVG) (Version: 2012.1.2258 - AVG Technologies)
AVG 2012 (Version: 12.0.4311 - AVG Technologies) Hidden
AVG 2012 (Version: 12.1.2258 - AVG Technologies) Hidden
AVG Security Toolbar (HKLM\...\AVG Secure Search) (Version: 14.1.0.10 - AVG Technologies)
BSPlayer (HKLM\...\BSPlayer1) (Version: - )
Canon IJ Scan Utility (HKLM\...\Canon_IJ_Scan_Utility) (Version: - Canon Inc.)
Canon MX390 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX390_series) (Version: 1.00 - Canon Inc.)
Canon MX390 series On-screen Manual (HKLM\...\Canon MX390 series On-screen Manual) (Version: 7.6.0 - Canon Inc.)
Canon My Image Garden (HKLM\...\Canon My Image Garden) (Version: 1.1.0 - Canon Inc.)
Canon My Image Garden Design Files (HKLM\...\Canon My Image Garden Design Files) (Version: 1.0.1 - Canon Inc.)
Canon My Printer (HKLM\...\CanonMyPrinter) (Version: 3.1.0 - Canon Inc.)
Canon Quick Menu (HKLM\...\CanonQuickMenu) (Version: 2.1.0 - Canon Inc.)
Canon Utilitar de apelare rapidă (HKLM\...\Speed Dial Utility) (Version: 1.3.0 - Canon Inc.)
DivX Web Player (HKLM\...\{B7050CBDB2504B34BC2A9CA0A692CC29}) (Version: 2.0.0 - DivX,Inc.)
ffdshow [rev 3207] [2010-01-18] (HKLM\...\ffdshow_is1) (Version: 1.0.0.3207 - )
Google Chrome (HKLM\...\Google Chrome) (Version: 45.0.2454.85 - Google Inc.)
Google Earth (HKLM\...\{4D2A6330-2F8B-11E3-9C40-B8AC6F97B88E}) (Version: 7.1.2.2041 - Google)
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.28.15 - Google Inc.) Hidden
Hitman 2: Silent Assassin (HKLM\...\Hitman 2: Silent Assassin) (Version: - Eidos Interactive)
Înregistrare utilizator MX390 series Canon (HKLM\...\Înregistrare utilizator MX390 series Canon) (Version: - ‭Canon Inc.)
IrfanView (remove only) (HKLM\...\IrfanView) (Version: - )
Malwarebytes Anti-Malware version 2.1.6.1022 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.6.1022 - Malwarebytes Corporation)
Marvell Miniport Driver (HKLM\...\{C950420B-4182-49EA-850A-A6A2ABF06C6B}) (Version: 9.12.4.3 - Marvell)
Microsoft .NET Framework 2.0 (HKLM\...\Microsoft .NET Framework 2.0) (Version: - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Office XP Professional (HKLM\...\{90110418-6000-11D3-8CFE-0050048383C9}) (Version: 10.0.2627.19 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Mozilla Firefox 30.0 (x86 en-US) (HKLM\...\Mozilla Firefox 30.0 (x86 en-US)) (Version: 30.0 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 30.0 - Mozilla)
Need For Speed Hot Pursuit 2 (HKLM\...\{76F4DD9B-C246-4BE0-00B6-3DE9ABF72299}) (Version: - )
Nero 6 Ultra Edition (HKLM\...\Nero - Burning Rom!UninstallKey) (Version: - )
NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version: - )
P2PFilter 3.0.5 (HKLM\...\P2PFilter) (Version: 3.0.5 - SopCast.com)
PhotoScape (HKLM\...\PhotoScape) (Version: - )
Pro Evolution Soccer 2012 (HKLM\...\{E737A098-F161-4B6F-AF22-86AAE34F6FBD}) (Version: 1.00.0000 - KONAMI)
Readon TV Movie Radio Player 6.3.1.0 (HKLM\...\{DA084DC0-F7C4-4285-9304-D0EB88AF0998}) (Version: 6.3.1 - Readon Technology)
Realtek AC'97 Audio (HKLM\...\{FB08F381-6533-4108-B7DD-039E11FBC27E}) (Version: 5.28 - Realtek Semiconductor Corp.)
Segoe UI (Version: 14.0.4327.805 - Microsoft Corp) Hidden
The Sims 2 (HKLM\...\{6E7DD182-9FC6-4651-0095-2E666CC6AF35}) (Version: - )
The Sims 2 Family Fun Stuff (HKLM\...\{6BDD9CE6-D0A6-478A-BAD3-BA6945E89EB0}) (Version: - )
The Sims 2 Glamour Life Stuff (HKLM\...\{9CDBC303-3EED-40b0-8E41-A7C65AA96C26}) (Version: - )
The Sims 2 Nightlife (HKLM\...\{F7529650-B9DB-481B-0089-A2AC3C2821C1}) (Version: - )
The Sims 2 Open For Business (HKLM\...\{7B3577F5-1D82-4C9B-008B-69D026FD8BCA}) (Version: - )
The Sims 2 Pets (HKLM\...\{4817189D-1785-4627-A33C-39FD90919300}) (Version: - )
The Sims 2 University (HKLM\...\{8FD3F4BA-A4A6-4380-00A6-CC6853AB2DC2}) (Version: - )
The Sims 2 Apartment Life (HKLM\...\{B6F5B704-06D3-4687-90F3-6195304AD755}) (Version: - Electronic Arts)
The Sims 2 Bon Voyage (HKLM\...\{F248ADFA-64E0-4b03-8A83-059078BED6A0}) (Version: - Electronic Arts)
The Sims 2 Celebration! Stuff (HKLM\...\{EAA38532-7AD0-4f78-918A-4F4F02096ECE}) (Version: - )
The Sims 2 FreeTime (HKLM\...\{87F6C83D-F949-4d14-B5CB-DC8C75F8932D}) (Version: - Electronic Arts)
The Sims 2 H&M® Fashion Stuff (HKLM\...\{84DDE556-43EF-43ed-B2DF-37AF9E5DDD75}) (Version: - )
The Sims 2 IKEA® Home Stuff (HKLM\...\{6E17F9751-F056-4335-B718-8AF1B1092AFB}) (Version: - Electronic Arts)
The Sims 2 Kitchen & Bath Interior Design Stuff (HKLM\...\{6522C636-B04C-4333-9BEB-9E0C0B6350D6}) (Version: - Electronic Arts)
The Sims 2 Mansion and Garden Stuff (HKLM\...\{1A2A15C2-6780-49c1-B296-503230E9DE00}) (Version: - Electronic Arts)
The Sims 2 Seasons (HKLM\...\{DFEF49D9-FC95-4301-99B9-2FB91C6ABA06}) (Version: - )
The Sims 2 Teen Style Stuff (HKLM\...\{5C648FDB-0138-4619-B66E-230EF53E8E2C}) (Version: - Electronic Arts)
VC80CRTRedist - 8.0.50727.4053 (Version: 1.1.0 - DivX, Inc) Hidden
VLC media player 1.1.4 (HKLM\...\VLC media player) (Version: 1.1.4 - VideoLAN)
Vodafone Mobile Broadband (HKLM\...\{6C29152D-3FF9-43B2-84E4-9B35FC0BF5C2}) (Version: 10.3.209.40724 - Vodafone)
Winamp (remove only) (HKLM\...\Winamp) (Version: - )
Windows Live Essentials (HKLM\...\WinLiveSuite_Wave3) (Version: 14.0.8089.0726 - Microsoft Corporation)
Windows Live Sign-in Assistant (HKLM\...\{45338B07-A236-4270-9A77-EBB4115517B5}) (Version: 5.000.818.5 - Microsoft Corporation)
Windows Live Upload Tool (HKLM\...\{205C6BDD-7B73-42DE-8505-9A093F35A238}) (Version: 14.0.8014.1029 - Microsoft Corporation)
Yahoo! BrowserPlus 2.9.2 (HKU\S-1-5-21-1004336348-1284227242-1417001333-1001\...\Yahoo! BrowserPlus) (Version: - Yahoo! Inc.)
Yahoo! Install Manager (HKLM\...\YInstHelper) (Version: - )
Yahoo! Messenger (HKLM\...\Yahoo! Messenger) (Version: - Yahoo! Inc.)
Yahoo! Widgets (HKLM\...\Yahoo! Widget Engine) (Version: 4.5.2.0 - Yahoo! Inc.)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-1004336348-1284227242-1417001333-1001_Classes\CLSID\{A4C68457-E642-4354-8E6E-873076FB9FB6}\InprocServer32 -> C:\Documents and Settings\user\Local Settings\Application Data\Yahoo!\BrowserPlus\2.9.2\Plugins\YBPAddon_2.9.2.dll (Yahoo! Inc.)

==================== Restore Points =========================

Check "winmgmt" service or repair WMI.


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2004-08-04 13:00 - 2015-08-21 17:31 - 00000027 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1 localhost

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (Whitelisted) ==============

2003-05-15 15:43 - 2003-05-15 15:43 - 00119808 _____ () C:\Program Files\WinRAR\rarext.dll
2006-07-25 05:33 - 2005-08-02 17:35 - 00466944 _____ () C:\WINDOWS\system32\nvshell.dll
2013-02-07 21:59 - 2013-02-13 16:22 - 01124016 _____ () C:\Program Files\AVG Secure Search\vprot.exe
2013-02-13 16:22 - 2013-02-13 16:22 - 00156848 _____ () C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\14.1.7\SiteSafety.dll
2004-08-04 13:00 - 2007-04-02 17:19 - 00355112 _____ () C:\WINDOWS\system32\msjetoledb40.dll
2012-06-27 12:08 - 2012-06-27 12:08 - 01101824 _____ () C:\Program Files\Vodafone\Vodafone Mobile Broadband\Bin\Dali\Vbdsdk\NDISAPI.dll
2008-01-09 01:50 - 2008-01-09 01:50 - 00349147 _____ () C:\Program Files\Yahoo!\Widgets\sqlite3.dll
2008-03-19 03:21 - 2008-03-19 03:21 - 00512000 _____ () C:\Program Files\Yahoo!\Widgets\js32.dll
2008-03-19 03:21 - 2008-03-19 03:21 - 00094208 _____ () C:\Program Files\Yahoo!\Widgets\jsd.dll
2014-01-06 13:43 - 2014-06-06 07:38 - 03852912 _____ () C:\Program Files\Mozilla Firefox\mozjs.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1004336348-1284227242-1417001333-1001\Control Panel\Desktop\\Wallpaper -> C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
DNS Servers: 81.12.128.206 - 81.12.132.206
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutorunVirusRemover.lnk => C:\WINDOWS\pss\AutorunVirusRemover.lnkCommon Startup
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk => C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: CTFMON.EXE => C:\WINDOWS\system32\ctfmon.exe
MSCONFIG\startupreg: DAEMON Tools => "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
MSCONFIG\startupreg: Messenger (Yahoo!) => "C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet
MSCONFIG\startupreg: MobileBroadband => C:\Program Files\Vodafone\Vodafone Mobile Broadband\Bin\MobileBroadband.exe /silent
MSCONFIG\startupreg: msnmsgr => "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
MSCONFIG\startupreg: NeroFilterCheck => C:\WINDOWS\system32\NeroCheck.exe
MSCONFIG\startupreg: nwiz => nwiz.exe /install
MSCONFIG\startupreg: uTorrent => "C:\Program Files\uTorrent\uTorrent.exe"
MSCONFIG\startupreg: Yahoo! Pager => "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

DomainProfile\AuthorizedApplications: [C:\Program Files\Windows Live\Messenger\wlcsdk.exe] => Enabled:Windows Live Call
DomainProfile\AuthorizedApplications: [C:\Program Files\Windows Live\Messenger\msnmsgr.exe] => Enabled:Windows Live Messenger
StandardProfile\AuthorizedApplications: [C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe] => Enabled:Yahoo! Messenger
StandardProfile\AuthorizedApplications: [C:\Program Files\uTorrent\uTorrent.exe] => Enabled:µTorrent
StandardProfile\AuthorizedApplications: [C:\Program Files\Windows Live\Messenger\wlcsdk.exe] => Enabled:Windows Live Call
StandardProfile\AuthorizedApplications: [C:\Program Files\Windows Live\Messenger\msnmsgr.exe] => Enabled:Windows Live Messenger
StandardProfile\AuthorizedApplications: [C:\Program Files\Readon Technology\Readon TV Movie Radio Player 6.3.1.0\internettv.exe] => Enabled:Readon TV Movie Radio Player
StandardProfile\AuthorizedApplications: [C:\Program Files\Google\Google Earth\client\googleearth.exe] => Enabled:Google Earth
StandardProfile\AuthorizedApplications: [C:\Program Files\AVG\AVG2012\avgmfapx.exe] => Enabled:AVG Installer
StandardProfile\AuthorizedApplications: [C:\Program Files\Google\Chrome\Application\chrome.exe] => Enabled:Google Chrome
StandardProfile\AuthorizedApplications: [D:\Games\Pro Evolution Soccer 2012-RELOADED\pes2012.exe] => Disabled:Pro Evolution Soccer 2012
StandardProfile\AuthorizedApplications: [C:\WINDOWS\system32\sessmgr.exe] => Disabled:@xpsp2res.dll,-22019
StandardProfile\AuthorizedApplications: [C:\Program Files\AVG\AVG2012\avgnsx.exe] => Enabled:Online Shield
StandardProfile\AuthorizedApplications: [C:\Program Files\AVG\AVG2012\avgdiagex.exe] => Enabled:AVG Diagnostics 2012
StandardProfile\AuthorizedApplications: [C:\Program Files\AVG\AVG2012\avgemcx.exe] => Enabled:Personal E-mail Scanner
StandardProfile\GloballyOpenPorts: [9558:TCP] => Disabled:gnbql
StandardProfile\GloballyOpenPorts: [25598:TCP] => Disabled:BitComet 25598 TCP
StandardProfile\GloballyOpenPorts: [25598:UDP] => Disabled:BitComet 25598 UDP

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (09/16/2015 04:03:54 PM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (09/16/2015 04:03:54 PM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (08/21/2015 06:02:22 PM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (08/21/2015 06:02:22 PM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (08/21/2015 05:32:20 PM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (08/21/2015 05:32:20 PM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (02/13/2014 09:23:31 AM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (02/13/2014 09:23:31 AM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (11/25/2013 01:21:37 PM) (Source: ESENT) (EventID: 490) (User: )
Description: svchost (1324) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The open file operation will fail with error -1032 (0xfffffbf8).

Error: (03/09/2013 09:53:10 PM) (Source: MobileBroadband) (EventID: 0) (User: )
Description: VmbSettings:InitializeProfile: Initialize Profile: Second chance failed:Deserialize PID=2464


System errors:
=============
Error: (08/21/2015 04:54:17 PM) (Source: Dhcp) (EventID: 1002) (User: )
Description: The IP address lease 10.82.68.139 for the Network Card with network address 001E101F5ADC has been
denied by the DHCP server 10.112.170.2 (The DHCP Server sent a DHCPNACK message).

Error: (08/21/2015 04:36:49 PM) (Source: DCOM) (EventID: 10005) (User: X86-11C260063BD)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}

Error: (08/21/2015 03:48:07 PM) (Source: Dhcp) (EventID: 1002) (User: )
Description: The IP address lease 10.82.92.161 for the Network Card with network address 001E101FC2E8 has been
denied by the DHCP server 10.82.68.137 (The DHCP Server sent a DHCPNACK message).

Error: (08/21/2015 03:37:29 PM) (Source: DCOM) (EventID: 10005) (User: X86-11C260063BD)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}

Error: (08/21/2015 03:09:14 PM) (Source: DCOM) (EventID: 10005) (User: X86-11C260063BD)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}

Error: (08/21/2015 03:09:14 PM) (Source: DCOM) (EventID: 10005) (User: X86-11C260063BD)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}

Error: (08/21/2015 03:08:05 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}

Error: (08/21/2015 03:03:24 PM) (Source: DCOM) (EventID: 10005) (User: X86-11C260063BD)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}

Error: (08/21/2015 03:03:24 PM) (Source: DCOM) (EventID: 10005) (User: X86-11C260063BD)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}

Error: (08/21/2015 12:17:12 PM) (Source: DCOM) (EventID: 10005) (User: X86-11C260063BD)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}


==================== Memory info ===========================

Processor: Intel® Pentium® D CPU 2.80GHz
Percentage of memory in use: 74%
Total physical RAM: 1023.48 MB
Available physical RAM: 264.59 MB
Total Virtual: 2462.16 MB
Available Virtual: 1574.83 MB

==================== Drives ================================

Drive c: (System) (Fixed) (Total:29.29 GB) (Free:20.37 GB) NTFS ==>[drive with boot components (Windows XP)]
Drive d: (Data) (Fixed) (Total:80.68 GB) (Free:16.43 GB) NTFS
Drive f: (10.3.209.40724_RC2) (CDROM) (Total:0.05 GB) (Free:0 GB) CDFS
Drive l: (PRO EVOLUTION SOCCER 6) (CDROM) (Total:3.49 GB) (Free:0 GB) UDF
Drive m: (NFSHP2) (CDROM) (Total:0.6 GB) (Free:0 GB) CDFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 149 GB) (Disk ID: 74DF4169)
Partition 1: (Active) - (Size=29.3 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=80.7 GB) - (Type=OF Extended)

==================== End of Addition.txt ============================


Edited by Oh My!, 17 September 2015 - 06:48 PM.


#6 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,996 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:04:59 AM

Posted 16 September 2015 - 08:20 PM

Greetings,

I am not seeing any evidence of an active infection although there are a lot of leftover entries we need to remove. However, there is evidence in the other logs you posted that you were infected with a Backdoor Trojan.

Backdoor.Bot, D:\User\My Documents\Downloads\mirc612.exe, Quarantined, [c6b2e526ef9c1125b62650baea18ec14],
Malware.Tool, C:\WINDOWS\system32\EvID4226Patch.exe, Quarantined, [81f77b90761580b63108f715976b669a]

What I would like to do is post some information for you to consider.

===================================================

BACKDOOR WARNING!

--------------------

One or more of the identified infections is a Backdoor Trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Please let me know if you have already noticed evidence of financial institution irregularities. Those accounts should be monitored from this point forward.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

Here are some thoughts I have put together for people who ask what they should do in light of the infection. Ultimately each user must decide for themselves what to do and the below are things you might want to consider.

It is necessary for us to at least make you aware of the worst-case scenario. This is because of the potential Backdoor Trojans bring with them, but it is not a determination on our part that your situation currently falls within this worst-case scenario.

Ultimately it is a personal decision whether to reformat or not. What decision should you make to let you sleep well at night? It is different for different people. I will say whether rightly or wrongly most people decide to clean and not reformat, at least initially.

The only insight I can offer is how I evaluate the issue personally even though I have never had a Backdoor Trojan on my computer. One of the primary purposes for malicious software is to somehow separate you from your money. It seems reasonable to assume that a thief trying to take your money via a Backdoor Trojan will hit you hard, and quickly. Once your computer starts to act up and you become suspicious you have the opportunity to eliminate access to your computer and change the information taken, namely account and password information. The key to this, in my opinion, is whether or not you have noticed any irregularities in your banking or other financial institutions, or things like email and social network accounts (i.e. Facebook). If you have not seen any evidence of that then you may question whether your information has truly been stolen. If it seems it hasn't, and your critical information has been changed, it is reasonable to be more confident you are safe but you must stop short of claiming an absolute guarantee.

If, after careful consideration you decide not to reformat your computer it would be wise to continue monitoring your sensitive data and don't wait to address future symptoms on your computer which seem to be malware related.

The bottom line: the only way to be absolutely sure to be rid of a Backdoor Trojan is to reformat. The decision is yours.

Oh My!


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

===================================================

P2P Warning

--------------------

Going over your logs I noticed that you have µTorrent installed. It is pretty much certain that if you continue to use P2P programs, you will get infected again.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
I would recommend that you uninstall µTorrent, however that choice is up to you. If you choose to remove the program, you can do so via Start > Control Panel > Add/Remove Programs.

If you are still leaning toward using this program, please take a look at this information about Ransomware which can be delivered via P2P file transfers. The newest variation of Ransomware can make it impossible to recover the files this malicious software encrypts. In other words, you will probably lose most if not all of your valuable information, including pictures. In addition it has recently been reported that P2P downloads may be tracked resulting in your IP address being monitored by copyright authorities.

If you wish to keep it, please do not use it until we are completely done and your machine is determined to be clean and updated.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it to your desktop (<<<Important) as fixlist.txt
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1004336348-1284227242-1417001333-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
URLSearchHook: HKU\S-1-5-21-1004336348-1284227242-1417001333-1001 - (No Name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "hxxp://isearch.avg.com/tab?cid={3EFCAA68-4B7F-4C9F-A5F2-A77AD730AD55}&mid=afd807aca76b47d3afdad15fa0d4b55f-06ce4fc639803a2e3563922518183d8e94088cb9&lang=en&ds=AVG&pr=pr&d=2013-02-07 20:59:23&pid=avg&sg=&v=14.1.0.10&sap=nt" <======= ATTENTION
hxxp://isearch.avg.com/search?cid={3EFCAA68-4B7F-4C9F-A5F2-A77AD730AD55}&mid=afd807aca76b47d3afdad15fa0d4b55f-06ce4fc639803a2e3563922518183d8e94088cb9&lang=en&ds=AVG&pr=pr&d=2013-02-07 20:59:23&v=8.0.0.40&sap=dsp&q={searchTerms}
BHO: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> No File
BHO: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
Toolbar: HKU\S-1-5-21-1004336348-1284227242-1417001333-1001 -> No Name - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
FF Keyword.URL: hxxp://search.babylon.com/?affID=111796&tt=060612_8_&babsrc=KW_ss&mntrId=b00b79180000000000000016e6305cac&q=
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_18_0_0_232.dll [2015-08-21] ()
FF SearchEngineOrder.1: Search the web (Babylon)
FF user.js: detected! => D:\User\FF\user.js [2010-07-30]
S4 aoau3ddoevwei2; C:\WINDOWS\system32\sinezuh.exe [X]
S2 ERSvc; %SystemRoot%\System32\ersvc.dll [X]
S4 ipiyi9aeay5yx; C:\WINDOWS\system32\lulaciha.exe [X]
S4 o7ejku2gpejeeapy; C:\WINDOWS\system32\louresylouqu.exe [X]
U2 srservice; %SystemRoot%\system32\srsvc.dll [X]
S4 ueeualtyayuu5p; C:\WINDOWS\system32\caruw.exe [X]
S2 uevdpihx; C:\WINDOWS\system32\vdkaqtxk.dll [X]
S2 wscsvc; %SYSTEMROOT%\system32\wscsvc.dll [X]
S3 catchme; \??\D:\User\Tmp\catchme.sys [X]
S3 GMSIPCI; \??\I:\INSTALL\GMSIPCI.SYS [X]
S4 IntelIde; no ImagePath
S3 MSICPL; \??\I:\install4\MSICPL.sys [X]
S3 NTACCESS; \??\I:\NTACCESS.sys [X]
S3 SetupNTGLM7X; \??\I:\NTGLM7X.sys [X]
U3 TlntSvr; no ImagePath
U3 ajc19izh; no ImagePath
NETSVC: uevdpihx -> C:\WINDOWS\system32\vdkaqtxk.dll ==> No File
  • Launch FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Fixlog

Gary

If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#7 olgapreda1304

olgapreda1304
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:02:59 PM

Posted 17 September 2015 - 02:41 PM

Thank you very much for your answer! Can you please tell me if i had one or more backdoor viruses? 

 

Also, I never noticed weird actions from my email account, and I have no reason to believe my bank account was compromised. I am more interested in whether this virus would have permitted the hacker to view my webcam or to record the activity on my screen.

 

Is there no way I could ever find out whether the virus was effectively accessed by the hacker, in one of the ways described above?

 

Thanks again for your advice and patience. I will format my PC. Also, is there any way this conversation could be deleted? I am afraid of leaving all my system information on a public forum.



#8 olgapreda1304

olgapreda1304
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:59 PM

Posted 17 September 2015 - 03:11 PM

Regarding my last question, whether the topic can be deleted: I want to mention that I appreciate your help enormously, and I am aware of the fact that you are giving it for free, instead of making a profit. I am also aware of the fact that these forums exist in order to help others with similar problems. I am not asking this because I want to take advantage of your help and not give anything in return, but because I am sincerely afraid of leaving my information here. Is there a way, maybe, of deleting only the files I attached yesterday?

 

And thank you again, in advance, for answering all of my questions, the ones above included.



#9 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,996 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:04:59 AM

Posted 17 September 2015 - 06:50 PM

The best I can tell, you had at least 2.

There is really no way of knowing what, if anything, was intercepted. The same would hold true for whether or not the Backdoor functionality was actually utilized by a hacker. As previously stated unless you have seen irregular or suspicious activity related to personal information on your computer you might question the depth of any compromise. Having said that I am in full support of you reformatting and reinstalling the Operating System. That is the only sure way to have peace of mind.

I am unable to delete the Topic but I will delete all but the FRST and Addition attachments which should remain.

Can you tell me if you will be reformatting immediately?
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#10 olgapreda1304

olgapreda1304
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:59 PM

Posted 18 September 2015 - 01:02 PM

Yes, I will reformat my computer immediately after I save some of the photographs I was keeping on it. Thanks again for all the info about the backdoor viruses I had. I read somewhere that there are backdoors like darkcomet or blackshade which are very "hacker-friendly", and which are created for the purpose of recording the activity on the victim's screen, or viewing his webcam. Are these kinds of backdoors detected by the antivirus under the same generic name as any other one? Or can I at least know if I had one of those?

 

I realise I insist very much on this topic, but asking someone who knows how these things work is the only way I can find some peace. Knowing I didn't have these kinds of backdoors is the only way I can know if I have been compromised. So again, thank you for your answers and patience.



#11 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,996 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:04:59 AM

Posted 18 September 2015 - 03:39 PM

You are quite welcome. I would recommend we continue cleaning your computer before the reformat. We want to make sure all malware is gone from your data files. Following that I would suggest you transfer your data files to an external drive then before reintroducing those files back into the clean system we scan all those files.

I would be happy to assist you with that if you wish. There is a certain way we would like to do that.

Please let me know.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#12 olgapreda1304

olgapreda1304
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:59 PM

Posted 18 September 2015 - 04:07 PM

Of course. I will move only some personal photos onto a clean device, and I will scan them there. Can you please tell me your opinion on whether I can know if those backdoor viruses were "darkcomet" or "blackshade"? I asked in a more detailed manner in my previous reply... I would be even more grateful than I already am. :)



#13 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,996 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:04:59 AM

Posted 18 September 2015 - 04:18 PM

There are a multitude of names for the same virus. Each company will give it its own name. Here is the information on mirc612.exe. For the other one, simply click on the link I posted.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#14 olgapreda1304

olgapreda1304
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:59 PM

Posted 18 September 2015 - 04:37 PM

Yes, I am aware of the fact that each company gives its own name, but what I want to know is if all of them harm the victim in the same way (by recording the screen activity or by viewing the webcam), or if only some of them do that, and others do other things.



#15 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,996 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:04:59 AM

Posted 18 September 2015 - 04:48 PM

Any malware that has Backdoor Functionality generally provides access to your computer to the same degree you have access. So yes, if they wanted to they could activate your web cam and monitor/record your screen. What some people do on laptop computers nowadays is put a piece of tape over the camera.

Edited by Oh My!, 18 September 2015 - 04:49 PM.

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."



