
madara

Everything posted by madara

  1. PS. Sorry about the previous posts (#11-13); I didn't know you could attach files before and I was attempting to paste the log in sections.
  2. Here's the OTL log. It was too big to paste, so I've attached the file itself. I'll let you know how my PC is once I get home. Thank you for your help, Pat OTL1.Txt
O3 - HKLM\..\Toolbar: (Trend Micro Toolbar) - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\Titanium\UIFramework\ToolbarIE.dll (Trend Micro Inc.) O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found. O4 - HKLM..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe (Intel® Corporation) O4 - HKLM..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe (Brother Industries, Ltd.) O4 - HKLM..\Run: [D-Link D-Link DWA-125] C:\Program Files\D-Link\DWA-125 revA\AirGCFG.exe (D-Link Corp.) O4 - HKLM..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe (Hewlett-Packard Company) O4 - HKLM..\Run: [KBD] C:\hp\KBD\KbdStub.exe () O4 - HKLM..\Run: [Logitech Hardware Abstraction Layer] C:\Windows\KHALMNPR.Exe (Logitech Inc.) O4 - HKLM..\Run: [LogitechCommunicationsManager] C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe () O4 - HKLM..\Run: [LogitechQuickCamRibbon] C:\Program Files\Logitech\QuickCam\Quickcam.exe () O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation) O4 - HKLM..\Run: [OsdMaestro] C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe (OsdMaestro) O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor) O4 - HKLM..\Run: [Trend Micro Client Framework] C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe (Trend Micro Inc.) O4 - HKLM..\Run: [Trend Micro Titanium] C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe (Trend Micro Inc.) 
O4 - HKLM..\Run: [WZCSLDR2] C:\Program Files\D-Link\DWA-125 revA\WZCSLDR2.exe (Wireless Service) O4 - HKCU..\Run: [TchAhayq] C:\Users\Patrick Fong\AppData\Local\lvpnwwpd\tchahayq.exe File not found O4 - HKLM..\RunOnce: [Launcher] C:\Windows\SMINST\Launcher.exe (soft thinks) O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0 O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.) O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.) O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{72545EE3-403B-4C48-9050-5A07AFB87826}: DhcpNameServer = 192.168.0.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{73907729-99B0-4873-B55B-564556193DCD}: DhcpNameServer = 192.168.0.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9DED64DF-2F82-4938-A509-17F82B9D095E}: DhcpNameServer = 192.168.0.1 O18 - Protocol\Handler\bwfile-8876480 {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll (Logitech Inc.) O18 - Protocol\Handler\tmbp {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\module\20002\7.1.1102\7.1.1102\TmBpIe32.dll (Trend Micro Inc.) 
O18 - Protocol\Handler\tmpx {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\module\20004\2.0.1313\6.8.1078\TmIEPlg.dll (Trend Micro Inc.) O18 - Protocol\Handler\tmtb {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\Titanium\UIFramework\ToolbarIE.dll (Trend Micro Inc.) O18 - Protocol\Handler\tmtbim {0B37915C-8B98-4B9E-80D4-464D2C830D10} - C:\Program Files\Trend Micro\Titanium\UIFramework\ProToolbarIMRatingActiveX.dll (Trend Micro Inc.) O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Users\Patrick Fong\AppData\Local\lvpnwwpd\tchahayq.exe) - C:\Users\Patrick Fong\AppData\Local\lvpnwwpd\tchahayq.exe File not found O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2007/06/22 05:49:22 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O37 - HKCU\...com [@ = ComFile] -- Reg Error: Key error. 
File not found O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) NetSvcs: FastUserSwitchingCompatibility - File not found NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation) NetSvcs: Nla - File not found NetSvcs: Ntmssvc - File not found NetSvcs: NWCWorkstation - File not found NetSvcs: Nwsapagent - File not found NetSvcs: SRService - File not found NetSvcs: WmdmPmSp - File not found NetSvcs: LogonHours - File not found NetSvcs: PCAudit - File not found NetSvcs: helpsvc - File not found NetSvcs: uploadmgr - File not found MsConfig - StartUpFolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Canon LBP5200 Status Window.lnk - - File not found MsConfig - StartUpReg: AdobeAAMUpdater-1.0 - hkey= - key= - C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated) MsConfig - StartUpReg: SunJavaUpdateSched - hkey= - key= - C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.) 
MsConfig - State: "startup" - 2 MsConfig - State: "services" - 0 SafeBootMin: Base - Driver Group SafeBootMin: Boot Bus Extender - Driver Group SafeBootMin: Boot file system - Driver Group SafeBootMin: File system - Driver Group SafeBootMin: Filter - Driver Group SafeBootMin: HelpSvc - Service SafeBootMin: NTDS - File not found SafeBootMin: PCI Configuration - Driver Group SafeBootMin: PNP Filter - Driver Group SafeBootMin: Primary disk - Driver Group SafeBootMin: sacsvr - Service SafeBootMin: SCSI Class - Driver Group SafeBootMin: System Bus Extender - Driver Group SafeBootMin: WinDefend - C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation) SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy SafeBootMin: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices SafeBootMin: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices SafeBootMin: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices SafeBootNet: Base - Driver Group SafeBootNet: Boot Bus Extender - Driver Group SafeBootNet: Boot file system - Driver Group 
SafeBootNet: File system - Driver Group SafeBootNet: Filter - Driver Group SafeBootNet: HelpSvc - Service SafeBootNet: Messenger - Service SafeBootNet: NDIS Wrapper - Driver Group SafeBootNet: NetBIOSGroup - Driver Group SafeBootNet: NetDDEGroup - Driver Group SafeBootNet: Network - Driver Group SafeBootNet: NetworkProvider - Driver Group SafeBootNet: NTDS - File not found SafeBootNet: PCI Configuration - Driver Group SafeBootNet: PNP Filter - Driver Group SafeBootNet: PNP_TDI - Driver Group SafeBootNet: Primary disk - Driver Group SafeBootNet: rdsessmgr - Service SafeBootNet: sacsvr - Service SafeBootNet: SCSI Class - Driver Group SafeBootNet: Streams Drivers - Driver Group SafeBootNet: System Bus Extender - Driver Group SafeBootNet: TDI - Driver Group SafeBootNet: WinDefend - C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation) SafeBootNet: WudfPf - Driver SafeBootNet: WudfUsbccidDriver - Driver SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive SafeBootNet: {50DD5230-BA8A-11D1-BF5D-0000F805F530} - Smart card 
readers SafeBootNet: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy SafeBootNet: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices SafeBootNet: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices SafeBootNet: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices
  6. The Combofix-quarantined-files log.

The checkup log.

Results of screen317's Security Check version 0.99.42
Windows Vista Service Pack 2 x86 (UAC is disabled!)
Internet Explorer 9
Antivirus/Firewall Check:
Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
Trend Micro Titanium Maximum Security 2012
Antivirus up to date!
Anti-malware/Other Utilities Check:
Malwarebytes Anti-Malware version 1.61.0.1400
Java 6 Update 21
Java 6 Update 2
Java version out of Date!
Adobe Flash Player 10
Flash Player out of Date!
Adobe Reader 8
Adobe Reader out of Date!
Process Check: objlist.exe by Laurent
System Health check
Total Fragmentation on Drive C: 2 %
Defragment your hard drive soon!
End of Log
  7. Hi,

Yes, I did the other Combofix runs myself. Prior to seeking your help, I had searched through various forums and found that Combofix had helped others in getting rid of the virus.

I'm having a few issues with the first step; I ran MBAM Chameleon but MBAM did not automatically open, nor could I run it from the Start menu. I also tried safe mode but MBAM wouldn't run there either. Previously, I could access the MBAM forums in safe mode but today I can't even do that (I couldn't access the MBAM forums in normal mode when the virus first showed up). Should I continue with the rest of your instructions and leave the MBAM part out?

Regards,
Pat
  8. ComboFix 12-06-25.02 - Patrick Fong 25/06/2012 20:33:45.6.2 - x86
  9. Here's the DDS log.
  10. Hi, thanks for helping me. Here is the MBAM log. I had to run it in Safe Mode because I couldn't open it on a normal startup:

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.23.06

Windows Vista Service Pack 2 x86 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
Patrick Fong :: PATRICKFONG-PC [administrator]

Protection: Disabled

24/06/2012 11:45:33 AM
mbam-log-2012-06-24 (11-45-33).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 218634
Time elapsed: 5 minute(s), 21 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

I shall post the DDS log once it's complete. Thanks
  11. Hello, my computer is infected with a virus that's continually attempting to get me to approve a program called "Windows Command Processor". Every time I close it, the popup reappears before I can move my mouse. I've looked around on the internet and I found a thread where the user had the same virus. I followed Elise's (I think that was the lady resolving the thread) instructions and it removed the virus/popups; however, when I restarted the computer it came back. I would greatly appreciate help in removing this virus, and thanks in advance. Pat.