Posts posted by Merrainee
-
I tried searching for Combofix /uninstall but could find nothing. It doesn't appear under Programs either... Is it okay just to delete the combofix.exe file?
-
It's running well! Thank you so much!
-
Scan Log
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=054b33af7b7dc84891a54aa2445d9299
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-07-14 08:04:21
# local_time=2012-07-14 03:04:21 (-0600, Central Daylight Time)
# country="Singapore"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=5893 16776638 100 94 31601769 93823705 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=440359
# found=2
# cleaned=2
# scan_time=17347
C:\Qoobox\Quarantine\C\ProgramData\DwGrEROeImE.exe.vir a variant of Win32/Kryptik.AIIB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\ProgramData\kwAzjqkPUoRbQu.exe.vir a variant of Win32/Kryptik.AIIB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
-
The Combofix guide said to close all windows but the virus window was still open, so I ran RKill. It said Access Denied, but the virus window closed so I left it like that and closed RKill. I ran Unhide without any problems. I was unable to disable my Symantec antivirus before running Combofix, but it seems like it ran smoothly.
Unhide Log
Unhide by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Unhide.exe can be found at this link:
http://www.bleepingcomputer.com/forums/topic405109.html
Program started at: 07/12/2012 11:51:34 AM
Windows Version: Windows 7
Please be patient while your files are made visible again.
Processing the C:\ drive
Finished processing the C:\ drive. 511031 files processed.
Processing the D:\ drive
Finished processing the D:\ drive. 41 files processed.
Restoring the Start Menu.
* 285 Shortcuts and Desktop items were restored.
Searching for Windows Registry changes made by FakeHDD rogues.
- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
* Start_ShowControlPanel was set to 0! It was set back to 1!
* Start_ShowHelp was set to 0! It was set back to 1!
* Start_ShowMyComputer was set to 0! It was set back to 1!
* Start_ShowMyDocs was set to 0! It was set back to 1!
* Start_ShowMyMusic was set to 0! It was set back to 1!
* Start_ShowMyPics was set to 0! It was set back to 1!
* Start_ShowPrinters was set to 0! It was set back to 1!
* Start_ShowRun was set to 0! It was set back to 1!
* Start_ShowSearch was set to 0! It was set back to 1!
* Start_ShowSetProgramAccessAndDefaults was set to 0! It was set back to 1!
* Start_ShowRecentDocs was set to 0! It was set back to 2!
* Start_ShowNetConn was set to 0! It was set back to 1!
* Start_ShowNetPlaces was set to 0! It was set back to 1!
* Start_TrackDocs was set to 0! It was set back to 1!
* Start_TrackProgs was set to 0! It was set back to 1!
* Start_ShowUser was set to 0! It was set back to 1!
* Start_ShowMyGames was set to 0! It was set back to 1!
Restarting Explorer.exe in order to apply changes.
Program finished at: 07/12/2012 12:05:59 PM
Execution time: 0 hours(s), 14 minute(s), and 24 seconds(s)
Unhide by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Unhide.exe can be found at this link:
http://www.bleepingcomputer.com/forums/topic405109.html
Program started at: 07/12/2012 04:28:45 PM
Windows Version: Windows 7
Please be patient while your files are made visible again.
Processing the C:\ drive
Finished processing the C:\ drive. 511919 files processed.
Processing the D:\ drive
Finished processing the D:\ drive. 41 files processed.
Restoring the Start Menu.
* 285 Shortcuts and Desktop items were restored.
Searching for Windows Registry changes made by FakeHDD rogues.
- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
* Start_ShowControlPanel was set to 0! It was set back to 1!
* Start_ShowHelp was set to 0! It was set back to 1!
* Start_ShowMyComputer was set to 0! It was set back to 1!
* Start_ShowMyDocs was set to 0! It was set back to 1!
* Start_ShowMyMusic was set to 0! It was set back to 1!
* Start_ShowMyPics was set to 0! It was set back to 1!
* Start_ShowPrinters was set to 0! It was set back to 1!
* Start_ShowRun was set to 0! It was set back to 1!
* Start_ShowSearch was set to 0! It was set back to 1!
* Start_ShowSetProgramAccessAndDefaults was set to 0! It was set back to 1!
* Start_ShowRecentDocs was set to 0! It was set back to 2!
* Start_ShowNetConn was set to 0! It was set back to 1!
* Start_ShowNetPlaces was set to 0! It was set back to 1!
* Start_TrackDocs was set to 0! It was set back to 1!
* Start_TrackProgs was set to 0! It was set back to 1!
* Start_ShowUser was set to 0! It was set back to 1!
* Start_ShowMyGames was set to 0! It was set back to 1!
Restarting Explorer.exe in order to apply changes.
Program finished at: 07/12/2012 04:45:18 PM
Execution time: 0 hours(s), 16 minute(s), and 32 seconds(s)
Unhide by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Unhide.exe can be found at this link:
http://www.bleepingcomputer.com/forums/topic405109.html
Program started at: 07/13/2012 04:59:15 PM
Windows Version: Windows 7
Please be patient while your files are made visible again.
Processing the C:\ drive
Finished processing the C:\ drive. 510230 files processed.
Processing the D:\ drive
Finished processing the D:\ drive. 43 files processed.
Restoring the Start Menu.
* 285 Shortcuts and Desktop items were restored.
Searching for Windows Registry changes made by FakeHDD rogues.
- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
* DisableTaskMgr policy was found and deleted!
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
* HidNoChangingWallPaperden policy was found and deleted!
- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
* Start_ShowControlPanel was set to 0! It was set back to 1!
* Start_ShowHelp was set to 0! It was set back to 1!
* Start_ShowMyComputer was set to 0! It was set back to 1!
* Start_ShowMyDocs was set to 0! It was set back to 1!
* Start_ShowMyMusic was set to 0! It was set back to 1!
* Start_ShowMyPics was set to 0! It was set back to 1!
* Start_ShowPrinters was set to 0! It was set back to 1!
* Start_ShowRun was set to 0! It was set back to 1!
* Start_ShowSearch was set to 0! It was set back to 1!
* Start_ShowSetProgramAccessAndDefaults was set to 0! It was set back to 1!
* Start_ShowRecentDocs was set to 0! It was set back to 2!
* Start_ShowNetConn was set to 0! It was set back to 1!
* Start_ShowNetPlaces was set to 0! It was set back to 1!
* Start_TrackDocs was set to 0! It was set back to 1!
* Start_TrackProgs was set to 0! It was set back to 1!
* Start_ShowUser was set to 0! It was set back to 1!
* Start_ShowMyGames was set to 0! It was set back to 1!
Restarting Explorer.exe in order to apply changes.
Program finished at: 07/13/2012 05:07:54 PM
Execution time: 0 hours(s), 8 minute(s), and 39 seconds(s)
Combofix Log
ComboFix 12-07-13.03 - SP 13/07/2012 17:19:08.1.4 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.65.1033.18.3059.1578 [GMT -5:00]
Running from: c:\users\SP\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Symantec Endpoint Protection *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\100
c:\programdata\DwGrEROeImE.exe
c:\programdata\kwAzjqkPUoRbQu
c:\programdata\kwAzjqkPUoRbQu.exe
c:\users\SP\AppData\Local\Microsoft\Windows\Temporary Internet Files\bidconfig_v1.2.dat
c:\users\SP\AppData\Local\Microsoft\Windows\Temporary Internet Files\collecttask_v1.2.dat
c:\windows\apppatch\AppLoc.exe
c:\windows\system32\drivers\10CF_FUJITSU_FPCA_SH760_FUJITSU_FJNB20B_Version 1.07_FUJ - 1070000_Version 1.07 _NVIDIA GeForce 310M .MRK
c:\windows\system32\html
c:\windows\system32\html\calendar.html
c:\windows\system32\html\calendarbottom.html
c:\windows\system32\html\calendartop.html
c:\windows\system32\html\crystalexportdialog.htm
c:\windows\system32\html\crystalprinthost.html
c:\windows\system32\images
c:\windows\system32\images\toolbar\calendar.gif
c:\windows\system32\images\toolbar\crlogo.gif
c:\windows\system32\images\toolbar\export.gif
c:\windows\system32\images\toolbar\export_over.gif
c:\windows\system32\images\toolbar\exportd.gif
c:\windows\system32\images\toolbar\First.gif
c:\windows\system32\images\toolbar\first_over.gif
c:\windows\system32\images\toolbar\Firstd.gif
c:\windows\system32\images\toolbar\gotopage.gif
c:\windows\system32\images\toolbar\gotopage_over.gif
c:\windows\system32\images\toolbar\gotopaged.gif
c:\windows\system32\images\toolbar\grouptree.gif
c:\windows\system32\images\toolbar\grouptree_over.gif
c:\windows\system32\images\toolbar\grouptreed.gif
c:\windows\system32\images\toolbar\grouptreepressed.gif
c:\windows\system32\images\toolbar\Last.gif
c:\windows\system32\images\toolbar\last_over.gif
c:\windows\system32\images\toolbar\Lastd.gif
c:\windows\system32\images\toolbar\Next.gif
c:\windows\system32\images\toolbar\next_over.gif
c:\windows\system32\images\toolbar\Nextd.gif
c:\windows\system32\images\toolbar\Prev.gif
c:\windows\system32\images\toolbar\prev_over.gif
c:\windows\system32\images\toolbar\Prevd.gif
c:\windows\system32\images\toolbar\print.gif
c:\windows\system32\images\toolbar\print_over.gif
c:\windows\system32\images\toolbar\printd.gif
c:\windows\system32\images\toolbar\Refresh.gif
c:\windows\system32\images\toolbar\refresh_over.gif
c:\windows\system32\images\toolbar\refreshd.gif
c:\windows\system32\images\toolbar\Search.gif
c:\windows\system32\images\toolbar\search_over.gif
c:\windows\system32\images\toolbar\searchd.gif
c:\windows\system32\images\toolbar\up.gif
c:\windows\system32\images\toolbar\up_over.gif
c:\windows\system32\images\toolbar\upd.gif
c:\windows\system32\images\tree\begindots.gif
c:\windows\system32\images\tree\beginminus.gif
c:\windows\system32\images\tree\beginplus.gif
c:\windows\system32\images\tree\blank.gif
c:\windows\system32\images\tree\blankdots.gif
c:\windows\system32\images\tree\dots.gif
c:\windows\system32\images\tree\lastdots.gif
c:\windows\system32\images\tree\lastminus.gif
c:\windows\system32\images\tree\lastplus.gif
c:\windows\system32\images\tree\Magnify.gif
c:\windows\system32\images\tree\minus.gif
c:\windows\system32\images\tree\minusbox.gif
c:\windows\system32\images\tree\plus.gif
c:\windows\system32\images\tree\plusbox.gif
c:\windows\system32\images\tree\singleminus.gif
c:\windows\system32\images\tree\singleplus.gif
.
.
((((((((((((((((((((((((( Files Created from 2012-06-13 to 2012-07-13 )))))))))))))))))))))))))))))))
.
.
2012-07-13 22:31 . 2012-07-13 22:31 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-13 19:01 . 2012-07-13 21:43 865022 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2012-07-13 17:21 . 2012-07-13 17:21 31560 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-07-12 04:40 . 2012-06-12 02:40 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-07-11 15:09 . 2012-06-02 04:40 369336 ----a-w- c:\windows\system32\drivers\cng.sys
2012-07-11 15:09 . 2012-06-02 04:45 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-07-11 15:09 . 2012-06-02 04:39 219136 ----a-w- c:\windows\system32\ncrypt.dll
2012-07-11 15:09 . 2012-06-02 04:40 225280 ----a-w- c:\windows\system32\schannel.dll
2012-07-11 15:09 . 2012-06-02 04:45 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-07-11 15:09 . 2012-06-06 05:05 1390080 ----a-w- c:\windows\system32\msxml6.dll
2012-07-11 15:08 . 2012-06-06 05:05 1236992 ----a-w- c:\windows\system32\msxml3.dll
2012-07-11 15:08 . 2010-06-26 03:24 2048 ----a-w- c:\windows\system32\msxml3r.dll
2012-07-11 15:08 . 2012-06-06 05:05 1019904 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2012-07-11 15:08 . 2012-06-06 05:03 805376 ----a-w- c:\windows\system32\cdosys.dll
2012-07-11 15:08 . 2012-06-06 05:05 352256 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
2012-07-11 15:08 . 2012-06-06 05:05 57344 ----a-w- c:\program files\Common Files\System\ado\msador15.dll
2012-07-11 15:08 . 2012-06-06 05:05 212992 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
2012-07-11 15:08 . 2012-06-06 05:05 143360 ----a-w- c:\program files\Common Files\System\ado\msjro.dll
2012-07-11 15:08 . 2012-06-06 05:05 372736 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
2012-07-10 19:31 . 2012-07-10 19:31 -------- d-----w- c:\programdata\Motorola
2012-07-10 19:30 . 2012-07-10 19:30 -------- d-----w- c:\users\SP\AppData\Roaming\Motorola Mobility
2012-07-10 19:30 . 2012-07-10 19:30 -------- d-----w- c:\program files\Motorola Mobility
2012-07-10 19:30 . 2012-07-10 19:30 -------- d-----w- c:\program files\Motorola
2012-07-10 19:28 . 2012-07-10 19:28 -------- d-----w- c:\program files\Common Files\Motorola Shared
2012-07-10 19:26 . 2012-07-10 19:26 -------- d-----w- c:\users\SP\AppData\Roaming\Motorola
2012-07-10 18:02 . 2012-07-10 18:02 -------- d-----w- c:\users\SP\.keytooliui
2012-07-09 18:29 . 2012-07-12 15:14 -------- d-----w- c:\program files\eclipse
2012-07-09 03:21 . 2012-07-09 03:21 -------- d-----w- c:\users\SP\AppData\Roaming\Malwarebytes
2012-07-09 03:21 . 2012-07-09 03:21 -------- d-----w- c:\programdata\Malwarebytes
2012-07-09 03:21 . 2012-07-13 17:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-07-07 01:03 . 2012-07-07 01:03 -------- d-----w- c:\users\Public\Real
2012-07-07 00:49 . 2012-07-07 00:49 -------- d-----w- c:\programdata\TSLOG
2012-07-06 23:43 . 2012-07-06 23:43 -------- d-----w- c:\programdata\Xunlei
2012-07-06 23:41 . 2012-07-13 00:47 -------- d-----w- c:\program files\Common Files\Thunder Network
2012-07-06 23:41 . 2012-07-06 23:42 -------- d-----w- c:\programdata\Thunder Network
2012-07-06 23:40 . 2012-07-13 00:47 -------- d-----w- c:\program files\Thunder Network
2012-07-06 16:07 . 2012-07-06 16:07 25200 ----a-w- c:\windows\system32\drivers\ggsemc.sys
2012-07-06 16:07 . 2012-07-06 16:07 12400 ----a-w- c:\windows\system32\drivers\ggflt.sys
2012-07-06 16:06 . 2012-07-06 16:06 -------- d-----w- c:\programdata\Sony Ericsson
2012-07-06 16:06 . 2012-07-06 16:06 -------- d-----w- c:\program files\Sony Ericsson
2012-07-06 16:00 . 2012-07-06 16:00 -------- d-----w- c:\programdata\Sony
2012-06-25 21:04 . 2012-06-25 21:04 1394248 ----a-w- c:\windows\system32\msxml4.dll
2012-06-21 14:57 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-21 14:57 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-21 14:57 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-21 14:57 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-21 14:57 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-21 14:57 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-21 14:57 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-21 14:56 . 2012-06-02 20:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-21 14:56 . 2012-06-02 20:12 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-19 22:35 . 2012-06-19 22:35 4967624 ----a-w- c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
2012-06-18 15:36 . 2012-06-18 15:36 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2012-06-18 15:36 . 2012-06-18 15:36 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-12 04:19 . 2012-03-30 03:53 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-12 04:19 . 2011-05-19 01:48 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-30 06:50 . 2012-05-30 06:50 34768 ---ha-w- c:\windows\xinstaller.exe
2012-05-30 06:50 . 2012-05-30 06:50 79824 ---ha-w- c:\windows\xinstaller.dll
2012-05-01 04:44 . 2012-06-13 18:14 164352 ----a-w- c:\windows\system32\profsvc.dll
2012-04-28 03:17 . 2012-06-13 18:14 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-26 04:45 . 2012-06-13 18:16 58880 ----a-w- c:\windows\system32\rdpwsx.dll
2012-04-26 04:45 . 2012-06-13 18:16 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-04-26 04:41 . 2012-06-13 18:16 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-04-24 04:36 . 2012-06-13 18:14 1158656 ----a-w- c:\windows\system32\crypt32.dll
2012-04-24 04:36 . 2012-06-13 18:14 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2012-04-24 04:36 . 2012-06-13 18:14 103936 ----a-w- c:\windows\system32\cryptnet.dll
2012-06-18 15:36 . 2011-05-11 12:22 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AAADesktopTips]
@="{4562B511-62E9-4533-B7B2-56A8BB10B482}"
[HKEY_CLASSES_ROOT\CLSID\{4562B511-62E9-4533-B7B2-56A8BB10B482}]
2012-05-30 02:56 247760 ----a-w- c:\program files\Common Files\Thunder Network\Kankan\xappex.1.1.1.38.(403).dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\SP\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\SP\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\SP\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\SP\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATSwpNav"="c:\program files\Fingerprint Sensor\ATSwpNav -run" [X]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"IndicatorUtility"="c:\program files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2009-10-10 47976]
"LoadFUJ02E3"="c:\program files\Fujitsu\FUJ02E3\FUJ02E3.exe" [2009-10-14 36712]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-08-05 7703072]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-10-09 1578280]
"snp2uvc"="c:\windows\vsnp2uvc.exe" [2009-08-12 662016]
"SNUVCDSM"="c:\windows\snuvcdsm.exe" [2009-05-22 24576]
"CSRSkype"="c:\program files\CSR\Bluetooth Feature Pack 5.0\CSRSkype.exe" [2009-08-20 346464]
"ConMgr"="c:\program files\CSR\Bluetooth Feature Pack 5.0\ConMgr.exe" [2009-08-20 504160]
"FDM7"="c:\program files\Fujitsu\FDM7\FdmDaemon.exe" [2009-10-27 128360]
"PSUTility"="c:\program files\Fujitsu\PSUtility\TrayManager.exe" [2009-07-27 144744]
"LoadFujitsuQuickTouch"="c:\program files\Fujitsu\Application Panel\QuickTouch.exe" [2009-10-16 138088]
"LoadBtnHnd"="c:\program files\Fujitsu\Application Panel\BtnHnd.exe" [2009-10-16 33640]
"FJBATAID2"="c:\program files\Fujitsu\BatteryAid2\BatteryDaemon.exe" [2009-10-16 107880]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2009-07-17 91432]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2009-04-16 50472]
"UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-01-04 222504]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"YouCam Mirror Tray icon"="c:\program files\CyberLink\YouCam\YouCamTray.exe" [2009-10-03 167008]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"FJUPDNV_Chitose"="c:\program files\Fujitsu\updnavi\updatenv.exe" [2009-08-07 143360]
"OmniPass"="c:\program files\Softex\OmniPass\scureapp.exe" [2009-08-27 3248128]
"NUSB3MON"="c:\program files\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2009-10-21 106496]
"SSUtility"="c:\program files\Fujitsu\SSUtility\FJSSDMN.exe" [2007-12-14 193832]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-12-01 13838952]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2011-03-02 115560]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-05 500208]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-22 402432]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2011-05-25 1951112]
"PlusService"="c:\program files\Yuna Software\Messenger Plus!\PlusService.exe" [2012-02-27 801792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2011-11-13 103536]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
R2 VMwareHostd;VMware Workstation Server;c:\program files\VMware\VMware Workstation\vmware-hostd.exe [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\DRIVERS\motfilt.sys [x]
R3 BthAvrcp;Bluetooth AVRCP Profile;c:\windows\system32\drivers\BthAvrcp.sys [x]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6032.sys [x]
R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [x]
R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys [x]
R3 ewusbmbb;HUAWEI USB-WWAN miniport;c:\windows\system32\DRIVERS\ewusbwwan.sys [x]
R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [x]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [x]
R3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNt.sys [x]
R3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [x]
R3 motandroidusb;Mot ADB Interface Driver;c:\windows\system32\Drivers\motoandroid.sys [x]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [x]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [x]
R3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\DRIVERS\Motousbnet.sys [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [x]
R3 O2MDGRDR;O2MDGRDR;c:\windows\system32\drivers\o2mdg.sys [x]
R3 O2SDGRDR;O2SDGRDR;c:\windows\system32\drivers\o2sdg.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [x]
R3 PCDSRVC{F819FCA4-67B3B36D-06000000}_0;PCDSRVC{F819FCA4-67B3B36D-06000000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\fujitsu hardware diagnostics tool\pcdsrvc.pkms [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 Sony PC Companion;Sony PC Companion;c:\program files\Sony\Sony PC Companion\PCCService.exe [x]
R3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 XDva393;XDva393;c:\windows\system32\XDva393.sys [x]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [x]
S0 FBIOSDRV;Fujitsu BIOS Driver;c:\windows\System32\Drivers\FBIOSDRV.sys [x]
S0 FJGSDisk;G-Sensor Application Filter Driver;c:\windows\system32\DRIVERS\FJGSDisk.sys [x]
S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S0 vmci;VMware VMCI Bus Driver;c:\windows\system32\DRIVERS\vmci.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [x]
S2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [x]
S2 Motorola Device Manager;Motorola Device Manager Service;c:\program files\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe [x]
S2 PowerSavingUtilityService;PowerSavingUtilityService;c:\program files\Fujitsu\PSUtility\PSUService.exe [x]
S2 PST Service;PST Service;c:\program files\Motorola\MotForwardDaemon\ForwardDaemon.exe [x]
S2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [x]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S2 UpdateNaviInstallService;UpdateNaviInstallService;c:\program files\Fujitsu\updnavi\updnvsrv.exe [x]
S2 VFPRadioSupportService;Bluetooth Feature Support;c:\program files\CSR\Bluetooth Feature Pack 5.0\VFPRadioSupportService.exe [x]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [x]
S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [x]
S2 vstor2-mntapi10-shared;Vstor2 MntApi 1.0 Driver (shared);c:\windows\system32\drivers\vstor2-mntapi10-shared.sys [x]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
S3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\FUJ02E3.sys [x]
S3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys [x]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
S3 k57nd60x;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [x]
S3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [x]
S3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc Mcx2Svc
XLServicePlatform REG_MULTI_SZ XLServicePlatform
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-13 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 04:19]
.
2012-07-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2584503236-3850616731-3045101856-1005Core.job
- c:\users\SP\AppData\Local\Google\Update\GoogleUpdate.exe [2011-05-11 13:47]
.
2012-07-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2584503236-3850616731-3045101856-1005UA.job
- c:\users\SP\AppData\Local\Google\Update\GoogleUpdate.exe [2011-05-11 13:47]
.
2012-06-26 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Fujitsu Hardware Diagnostics Tool\pcdrcui.exe [2009-11-17 04:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://about.start.iplay.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
LSP: %SystemRoot%\system32\vsocklib.dll
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
FF - ProfilePath - c:\users\SP\AppData\Roaming\Mozilla\Firefox\Profiles\ulcmxq60.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{88c7f2aa-f93f-432c-8f0e-b7d85967a527} - (no file)
Toolbar-Locked - (no file)
HKCU-Run-AdobeBridge - (no file)
HKCU-Run-kwAzjqkPUoRbQu - c:\programdata\kwAzjqkPUoRbQu.exe
HKLM-Run-DwGrEROeImE.exe - c:\programdata\DwGrEROeImE.exe
SafeBoot-Symantec Antvirus
AddRemove-LSI Soft Modem - c:\windows\agrsmdel
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{F819FCA4-67B3B36D-06000000}_0]
"ImagePath"="\??\c:\program files\fujitsu hardware diagnostics tool\pcdsrvc.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-07-13 17:35:10
ComboFix-quarantined-files.txt 2012-07-13 22:35
.
Pre-Run: 61,263,237,120 bytes free
Post-Run: 71,124,664,320 bytes free
.
- - End Of File - - D306478D44F86C1E96B07946DA1C2E88
-
I restarted my computer a few times during the previous steps, and the virus hid my files again. My start bar disappeared and I could do nothing after running RKill. After that, I didn't bother with running RKill or Unhide. Should I run those now before running Combofix?
-
If I run Combofix, will the files hidden by the virus still be there? I noticed that Combofix will delete the Temp folder?
-
Hi, thank you for your reply! I've carried out the steps above. TDSSKiller found a few objects but didn't show any Cure options, so I skipped them all. While updating MBAM, it gave this error: PROGRAM_ERROR_UPDATING (5, 0, MBAMFileIO::WriteFile) Access is denied. MBAM found two objects and I've removed them.
While restarting and such, I had to run RKill to stop the virus from throwing out popups, but my desktop went entirely black without my start bar. Nothing I pressed seemed to have any effect either. I had to force shut down and restart my laptop, and I'm not running RKill for now.
Here are the logs:
TDSSKiller
Sorry, had to attach it as it said my post was too long?
MBAM Log
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Database version: v2012.07.12.08
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
SP :: ROSHIE [administrator]
13/7/2012 12:26:48 PM
mbam-log-2012-07-13 (12-26-48).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 267996
Time elapsed: 17 minute(s), 27 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 5
HKCR\CLSID\{18689D3E-CF06-482F-AEB1-0880F859F0AA} (PUP.Funshion) -> No action taken.
HKCR\TypeLib\{5165BFF4-4E35-446F-B00E-EA4185B64F76} (PUP.Funshion) -> No action taken.
HKCR\Interface\{332C1DFF-B83D-40E3-968F-F85E20BF0CFB} (PUP.Funshion) -> No action taken.
HKCR\Fun.OnlineInstallCtrl.1 (PUP.Funshion) -> No action taken.
HKCR\Fun.OnlineInstallCtrl (PUP.Funshion) -> No action taken.
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
Folders Detected: 3
C:\Program Files\Funshion Online (PUP.Funshion) -> No action taken.
C:\Program Files\Funshion Online\Funshion (PUP.Funshion) -> No action taken.
C:\Program Files\Funshion Online\Funshion\icon (PUP.Funshion) -> No action taken.
Files Detected: 9
C:\Windows\System32\funshion.ini (PUP.Funshion) -> No action taken.
C:\Program Files\Funshion Online\Funshion\fpsrv.dll (PUP.Funshion) -> No action taken.
C:\Program Files\Funshion Online\Funshion\funoictl.dll (PUP.Funshion) -> No action taken.
C:\Program Files\Funshion Online\Funshion\funshion.ini (PUP.Funshion) -> No action taken.
C:\Program Files\Funshion Online\Funshion\FunshionGame2.ico (PUP.Funshion) -> No action taken.
C:\Program Files\Funshion Online\Funshion\FunshionGame3.ico (PUP.Funshion) -> No action taken.
C:\Program Files\Funshion Online\Funshion\FunshionService.diagnose (PUP.Funshion) -> No action taken.
C:\Program Files\Funshion Online\Funshion\Funshop2.ico (PUP.Funshion) -> No action taken.
C:\Program Files\Funshion Online\Funshion\Funshop3.ico (PUP.Funshion) -> No action taken.
(end)
Ran a second scan and deleted the other PUP.Funshion files detected.
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Database version: v2012.07.12.08
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
SP :: ROSHIE [administrator]
13/7/2012 12:46:18 PM
mbam-log-2012-07-13 (12-46-18).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 268007
Time elapsed: 17 minute(s), 16 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 5
HKCR\CLSID\{18689D3E-CF06-482F-AEB1-0880F859F0AA} (PUP.Funshion) -> Quarantined and deleted successfully.
HKCR\TypeLib\{5165BFF4-4E35-446F-B00E-EA4185B64F76} (PUP.Funshion) -> Quarantined and deleted successfully.
HKCR\Interface\{332C1DFF-B83D-40E3-968F-F85E20BF0CFB} (PUP.Funshion) -> Quarantined and deleted successfully.
HKCR\Fun.OnlineInstallCtrl.1 (PUP.Funshion) -> Quarantined and deleted successfully.
HKCR\Fun.OnlineInstallCtrl (PUP.Funshion) -> Quarantined and deleted successfully.
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 3
C:\Program Files\Funshion Online (PUP.Funshion) -> Delete on reboot.
C:\Program Files\Funshion Online\Funshion (PUP.Funshion) -> Delete on reboot.
C:\Program Files\Funshion Online\Funshion\icon (PUP.Funshion) -> Quarantined and deleted successfully.
Files Detected: 9
C:\Windows\System32\funshion.ini (PUP.Funshion) -> Quarantined and deleted successfully.
C:\Program Files\Funshion Online\Funshion\fpsrv.dll (PUP.Funshion) -> Quarantined and deleted successfully.
C:\Program Files\Funshion Online\Funshion\funoictl.dll (PUP.Funshion) -> Quarantined and deleted successfully.
C:\Program Files\Funshion Online\Funshion\funshion.ini (PUP.Funshion) -> Quarantined and deleted successfully.
C:\Program Files\Funshion Online\Funshion\FunshionGame2.ico (PUP.Funshion) -> Quarantined and deleted successfully.
C:\Program Files\Funshion Online\Funshion\FunshionGame3.ico (PUP.Funshion) -> Quarantined and deleted successfully.
C:\Program Files\Funshion Online\Funshion\FunshionService.diagnose (PUP.Funshion) -> Quarantined and deleted successfully.
C:\Program Files\Funshion Online\Funshion\Funshop2.ico (PUP.Funshion) -> Quarantined and deleted successfully.
C:\Program Files\Funshion Online\Funshion\Funshop3.ico (PUP.Funshion) -> Quarantined and deleted successfully.
(end)
DDS Log:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.3.1
Run by SP at 13:58:06 on 2012-07-13
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.65.1033.18.3059.1659 [GMT -5:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Symantec Endpoint Protection *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Fingerprint Sensor\AtService.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\Softex\OmniPass\OmniServ.exe
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\nvvsvc.exe
C:\windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\system32\WLANExt.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\windows\system32\conhost.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Softex\OmniPass\opvapp.exe
C:\windows\System32\spoolsv.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\Program Files\Fingerprint Sensor\ATSwpNav.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Windows\vsnp2uvc.exe
C:\Windows\snuvcdsm.exe
C:\Program Files\CSR\Bluetooth Feature Pack 5.0\CSRSkype.exe
C:\Program Files\CSR\Bluetooth Feature Pack 5.0\ConMgr.exe
C:\Program Files\Fujitsu\FDM7\FdmDaemon.exe
C:\Program Files\Fujitsu\PSUtility\TrayManager.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\Application Panel\BtnHnd.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files\Fujitsu\BatteryAid2\BatteryDaemon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Fujitsu\Application Panel\BtnHndHkb.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe
C:\Program Files\Fujitsu\updnavi\updatenv.exe
c:\Program Files\Fujitsu\PSUtility\PSUService.exe
C:\Program Files\Softex\OmniPass\scureapp.exe
C:\Program Files\Motorola\MotForwardDaemon\ForwardDaemon.exe
C:\Program Files\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Fujitsu\SSUtility\FJSSDMN.exe
c:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Yuna Software\Messenger Plus!\PlusService.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\windows\system32\Wacom_Tablet.exe
C:\ProgramData\DwGrEROeImE.exe
C:\Program Files\Fujitsu\updnavi\updnvsrv.exe
C:\Users\SP\AppData\Local\Google\Update\GoogleUpdate.exe
C:\windows\system32\WTablet\Wacom_TabletUser.exe
C:\windows\system32\Wacom_Tablet.exe
C:\Program Files\CSR\Bluetooth Feature Pack 5.0\VFPRadioSupportService.exe
C:\Windows\System32\StikyNot.exe
C:\ProgramData\kwAzjqkPUoRbQu.exe
C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\windows\system32\vmnat.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\windows\system32\CCM\CcmExec.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\windows\system32\vmnetdhcp.exe
C:\Program Files\VMware\VMware Workstation\vmware-hostd.exe
C:\windows\system32\wbem\unsecapp.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\msiexec.exe
C:\windows\system32\SearchIndexer.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\System32\svchost.exe -k WerSvcGroup
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\System32\alg.exe
C:\windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://about.start.iplay.com
uDefault_Page_URL = hxxp://www.sp.edu.sg
uURLSearchHooks: H - No File
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\adobe contribute cs5\plugins\ieplugin\contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
BHO: {889D2FEB-5411-4565-8998-1DD2C5261283} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.0 runtime\bin\jp2ssv.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\adobe contribute cs5\plugins\ieplugin\contributeieplugin.dll
uRun: [Google Update] "c:\users\sp\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [AdobeBridge]
uRun: [RESTART_STICKY_NOTES] c:\windows\system32\StikyNot.exe
uRun: [kwAzjqkPUoRbQu] c:\programdata\kwAzjqkPUoRbQu.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [indicatorUtility] c:\program files\fujitsu\fujitsu hotkey utility\IndicatorUty.exe
mRun: [LoadFUJ02E3] c:\program files\fujitsu\fuj02e3\FUJ02E3.exe
mRun: [ATSwpNav] "c:\program files\fingerprint sensor\ATSwpNav" -run
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [snp2uvc] c:\windows\vsnp2uvc.exe
mRun: [sNUVCDSM] c:\windows\snuvcdsm.exe
mRun: [CSRSkype] c:\program files\csr\bluetooth feature pack 5.0\CSRSkype.exe
mRun: [ConMgr] "c:\program files\csr\bluetooth feature pack 5.0\ConMgr.exe"
mRun: [FDM7] c:\program files\fujitsu\fdm7\FdmDaemon.exe
mRun: [PSUTility] c:\program files\fujitsu\psutility\TrayManager.exe
mRun: [LoadFujitsuQuickTouch] c:\program files\fujitsu\application panel\QuickTouch.exe
mRun: [LoadBtnHnd] c:\program files\fujitsu\application panel\BtnHnd.exe
mRun: [FJBATAID2] c:\program files\fujitsu\batteryaid2\BatteryDaemon.exe
mRun: [RemoteControl8] "c:\program files\cyberlink\powerdvd8\PDVD8Serv.exe"
mRun: [PDVD8LanguageShortcut] "c:\program files\cyberlink\powerdvd8\language\Language.exe"
mRun: [updatePDRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [uCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" updatewithcreateonce "software\cyberlink\youcam\3.0"
mRun: [YouCam Mirror Tray icon] "c:\program files\cyberlink\youcam\YouCamTray.exe" /s
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [FJUPDNV_Chitose] c:\program files\fujitsu\updnavi\updatenv.exe
mRun: [OmniPass] c:\program files\softex\omnipass\scureapp.exe
mRun: [NUSB3MON] "c:\program files\nec electronics\usb 3.0 host controller driver\application\nusb3mon.exe"
mRun: [sSUtility] c:\program files\fujitsu\ssutility\FJSSDMN.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [switchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [LogMeIn Hamachi Ui] "c:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start
mRun: [PlusService] c:\program files\yuna software\messenger plus!\PlusService.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [vmware-tray] c:\program files\vmware\vmware workstation\vmware-tray.exe
mRun: [bCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [DwGrEROeImE.exe] c:\programdata\DwGrEROeImE.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: %SystemRoot%\system32\vsocklib.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
TCP: Interfaces\{B8DBD259-EBF3-4628-A020-E5AD6D0D6674} : DhcpNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
TCP: Interfaces\{B8DBD259-EBF3-4628-A020-E5AD6D0D6674}\3594E4744554C4D273733313 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{B8DBD259-EBF3-4628-A020-E5AD6D0D6674}\46C696E6B6 : DhcpNameServer = 192.168.0.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\sp\appdata\roaming\mozilla\firefox\profiles\ulcmxq60.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\ahnlab\asp\components\aosmgr\conflict_221\npaosmgr.dll
FF - plugin: c:\program files\ahnlab\asp\mykeydefense 2.5\npmkd25aos.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\oracle\javafx 2.0 runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\tabletplugins\npwacom.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\thunder network\thunder\data\npxunlei1.0.0.1.dll
FF - plugin: c:\users\sp\appdata\local\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_265.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R0 FBIOSDRV;Fujitsu BIOS Driver;c:\windows\system32\drivers\FBIOSDRV.sys [2009-9-2 17008]
R0 FJGSDisk;G-Sensor Application Filter Driver;c:\windows\system32\drivers\FJGSDisk.sys [2010-3-15 12776]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2009-8-1 659328]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-5-30 106656]
R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [2009-9-2 5632]
R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\drivers\ew_jubusenum.sys [2012-5-28 73216]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2009-10-25 125696]
R3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2009-10-15 274984]
R3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETw5s32.sys [2009-9-15 6114816]
R3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [2009-10-26 58240]
R3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [2009-10-26 136704]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-11-11 66664]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys [2009-1-29 6016]
S3 BthAvrcp;Bluetooth AVRCP Profile;c:\windows\system32\drivers\BthAvrcp.sys [2009-8-20 28000]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y6032.sys [2009-7-13 214016]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\drivers\ew_hwusbdev.sys [2012-5-28 102784]
S3 ewusbmbb;HUAWEI USB-WWAN miniport;c:\windows\system32\drivers\ewusbwwan.sys [2012-5-28 349184]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2012-7-6 12400]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2009-10-29 209920]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2012-7-13 31560]
S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNT.sys [2011-6-2 133632]
S3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [2011-6-2 79360]
S3 motandroidusb;Mot ADB Interface Driver;c:\windows\system32\drivers\motoandroid.sys [2009-7-10 25856]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2012-1-25 20864]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2012-1-25 8448]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\Motousbnet.sys [2012-1-25 23808]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
S3 O2MDGRDR;O2MDGRDR;c:\windows\system32\drivers\o2mdg.sys [2009-7-20 60576]
S3 O2SDGRDR;O2SDGRDR;c:\windows\system32\drivers\o2sdg.sys [2009-7-15 41632]
S3 PCDSRVC{F819FCA4-67B3B36D-06000000}_0;PCDSRVC{F819FCA4-67B3B36D-06000000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\fujitsu hardware diagnostics tool\pcdsrvc.pkms [2009-11-16 20848]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-12-11 174592]
.
=============== Created Last 30 ================
.
2012-07-13 17:21:53 31560 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-07-12 15:30:52 236280 ---ha-w- c:\programdata\kwAzjqkPUoRbQu.exe
2012-07-12 15:20:05 325880 ---ha-w- c:\programdata\DwGrEROeImE.exe
2012-07-12 04:44:08 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-07-12 04:44:07 194560 ----a-w- c:\program files\internet explorer\ieproxy.dll
2012-07-12 04:44:07 194048 ----a-w- c:\program files\internet explorer\IEShims.dll
2012-07-12 04:44:07 140920 ----a-w- c:\program files\internet explorer\sqmapi.dll
2012-07-12 04:44:06 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-07-12 04:44:04 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-07-12 04:44:03 748664 ----a-w- c:\program files\internet explorer\iexplore.exe
2012-07-12 04:44:02 678912 ----a-w- c:\program files\internet explorer\iedvtool.dll
2012-07-12 04:44:02 387584 ----a-w- c:\program files\internet explorer\jsdbgui.dll
2012-07-12 04:44:00 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-07-12 03:54:49 -------- d--h--w- c:\users\sp\appdata\local\{6D163377-3D2C-4041-8E24-4D27E03B6D8D}
2012-07-12 03:54:25 -------- d--h--w- c:\users\sp\appdata\local\{4D52A9A4-29F0-4C93-BA21-6470B93D347A}
2012-07-11 15:49:52 -------- d--h--w- c:\users\sp\appdata\local\{154CCAA7-44D8-4E45-86EF-7C74DE308DEE}
2012-07-11 15:49:30 -------- d--h--w- c:\users\sp\appdata\local\{B028E758-E5C5-4686-B3A9-A95348C9B57D}
2012-07-11 15:09:20 369336 ----a-w- c:\windows\system32\drivers\cng.sys
2012-07-11 15:09:19 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-07-11 15:09:10 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-07-11 15:08:30 1019904 ----a-w- c:\program files\common files\system\ado\msado15.dll
2012-07-11 15:08:29 805376 ----a-w- c:\windows\system32\cdosys.dll
2012-07-11 15:08:24 352256 ----a-w- c:\program files\common files\system\ado\msadomd.dll
2012-07-11 15:08:23 57344 ----a-w- c:\program files\common files\system\ado\msador15.dll
2012-07-11 15:08:22 212992 ----a-w- c:\program files\common files\system\msadc\msadco.dll
2012-07-11 15:08:18 143360 ----a-w- c:\program files\common files\system\ado\msjro.dll
2012-07-11 15:08:14 372736 ----a-w- c:\program files\common files\system\ado\msadox.dll
2012-07-11 03:29:30 -------- d--h--w- c:\users\sp\appdata\local\{B8A34615-244E-46DB-8BD7-07B30C3A8361}
2012-07-11 03:29:09 -------- d--h--w- c:\users\sp\appdata\local\{6F7DE407-E19F-4A9B-859B-177284FA7F68}
2012-07-10 19:31:41 -------- d--h--w- c:\programdata\Motorola
2012-07-10 19:30:53 -------- d--h--w- c:\users\sp\appdata\roaming\Motorola Mobility
2012-07-10 19:30:34 -------- d--h--w- c:\program files\Motorola Mobility
2012-07-10 19:30:34 -------- d--h--w- c:\program files\Motorola
2012-07-10 19:30:34 -------- d--h--w- c:\program files\common files\MSSoap
2012-07-10 19:28:32 -------- d--h--w- c:\program files\common files\Motorola Shared
2012-07-10 19:26:48 -------- d--h--w- c:\users\sp\appdata\roaming\Motorola
2012-07-10 18:02:57 -------- d--h--w- c:\users\sp\.keytooliui
2012-07-10 15:28:41 -------- d--h--w- c:\users\sp\appdata\local\{77663E87-A162-45E0-9FCA-96AC07B36A52}
2012-07-10 15:28:19 -------- d--h--w- c:\users\sp\appdata\local\{B1EE5B13-D6AD-4915-B05D-5F0BD4ECC3C3}
2012-07-10 02:56:45 -------- d--h--w- c:\users\sp\appdata\local\{6FBFD123-9EF1-46CD-995C-3AA8D641EA3A}
2012-07-10 02:56:21 -------- d--h--w- c:\users\sp\appdata\local\{E3F5E366-E359-4405-8063-9AACA2756D74}
2012-07-09 18:29:12 -------- d--h--w- c:\program files\eclipse
2012-07-09 03:21:20 -------- d--h--w- c:\users\sp\appdata\roaming\Malwarebytes
2012-07-09 03:21:13 -------- d--h--w- c:\programdata\Malwarebytes
2012-07-09 03:21:12 -------- d--h--w- c:\program files\Malwarebytes' Anti-Malware
2012-07-09 02:30:45 -------- d--h--w- c:\users\sp\appdata\local\{48E68B56-1DD9-48C3-9882-756AE3748F1C}
2012-07-09 02:30:24 -------- d--h--w- c:\users\sp\appdata\local\{7320C3EE-8164-4C51-BC57-D72917613123}
2012-07-08 14:29:24 -------- d--h--w- c:\users\sp\appdata\local\{47A852B3-0EEC-4C9A-AF6D-85D954D15FD5}
2012-07-08 14:29:07 -------- d--h--w- c:\users\sp\appdata\local\{36AF0129-C3A2-4E19-BE0A-0A5AFD742A03}
2012-07-07 15:10:37 -------- d--h--w- c:\users\sp\appdata\local\{37857896-1E50-4D1D-8DAA-AC87A5235B33}
2012-07-07 15:10:15 -------- d--h--w- c:\users\sp\appdata\local\{06335C05-660C-4FFE-B093-9D3C48AEC7DF}
2012-07-07 03:09:41 -------- d--h--w- c:\users\sp\appdata\local\{EE58FFD0-37E8-453F-A943-8E1898924AC6}
2012-07-07 03:09:16 -------- d--h--w- c:\users\sp\appdata\local\{0E7F4EBD-2F16-42DF-89CD-2BA31502DDAE}
2012-07-07 00:49:59 -------- d--h--w- c:\programdata\TSLOG
2012-07-06 23:43:30 -------- d--h--w- c:\programdata\Xunlei
2012-07-06 23:41:37 -------- d--h--w- c:\program files\common files\Thunder Network
2012-07-06 23:41:31 -------- d--h--w- c:\programdata\Thunder Network
2012-07-06 23:40:57 -------- d--h--w- c:\program files\Thunder Network
2012-07-06 16:07:24 25200 ---ha-w- c:\windows\system32\drivers\ggsemc.sys
2012-07-06 16:07:24 12400 ---ha-w- c:\windows\system32\drivers\ggflt.sys
2012-07-06 16:06:13 -------- d--h--w- c:\programdata\Sony Ericsson
2012-07-06 16:06:09 -------- d--h--w- c:\program files\Sony Ericsson
2012-07-06 15:08:22 -------- d--h--w- c:\users\sp\appdata\local\{0DC32457-489F-4306-8544-0692008F6211}
2012-07-06 15:07:48 -------- d--h--w- c:\users\sp\appdata\local\{C0D33954-3164-49FB-90B6-5B962DA67CC8}
2012-07-04 15:22:52 -------- d--h--w- c:\users\sp\appdata\local\{2BC879F2-6069-42DC-BDF0-9F01F489D6AE}
2012-07-04 15:22:31 -------- d--h--w- c:\users\sp\appdata\local\{C0CBF135-BBB5-4C62-A8D6-1B9EE7CB9854}
2012-07-04 03:22:04 -------- d--h--w- c:\users\sp\appdata\local\{63EABDBB-EB15-4095-93E9-F8F799CE116E}
2012-07-04 03:21:42 -------- d--h--w- c:\users\sp\appdata\local\{7C0794D1-B112-4378-A273-C39A3B99F529}
2012-07-03 15:21:14 -------- d--h--w- c:\users\sp\appdata\local\{EF48F83E-97BE-4019-8C1D-BE30BD0B334D}
2012-07-03 15:20:52 -------- d--h--w- c:\users\sp\appdata\local\{6F08551B-24EE-41BE-A1E9-89D839E88C2E}
2012-07-03 03:20:13 -------- d--h--w- c:\users\sp\appdata\local\{88A3D3B7-946F-4055-9422-48D5E07B0875}
2012-07-03 03:19:49 -------- d--h--w- c:\users\sp\appdata\local\{3429F9C0-3D3A-48CE-8FE9-C568411F9556}
2012-07-01 18:02:25 -------- d--h--w- c:\users\sp\appdata\local\{297501F1-E60D-4368-9791-9960AB2485F0}
2012-07-01 18:02:04 -------- d--h--w- c:\users\sp\appdata\local\{A2240C57-CBB7-4E42-B1E3-9D1B19ACC1B9}
2012-06-30 14:59:46 -------- d--h--w- c:\users\sp\appdata\local\{FA0EE562-905C-4082-BBF0-E62648FCC276}
2012-06-30 14:59:24 -------- d--h--w- c:\users\sp\appdata\local\{93FB469D-2688-4C74-BE88-2B4E00B0242F}
2012-06-29 14:40:53 -------- d--h--w- c:\users\sp\appdata\local\{D3483237-4182-4E1B-8D91-4DB1C339BD96}
2012-06-29 14:40:26 -------- d--h--w- c:\users\sp\appdata\local\{42A5FD40-9A67-440E-8E35-B290B109693B}
2012-06-28 15:10:23 -------- d--h--w- c:\users\sp\appdata\local\{AEAEA033-1480-4ACE-8172-377FAAB59E91}
2012-06-28 15:10:02 -------- d--h--w- c:\users\sp\appdata\local\{9907CC72-9CB7-42C6-BB59-54F812A3E918}
2012-06-26 14:26:10 -------- d--h--w- c:\users\sp\appdata\local\{996B9632-F4AA-495D-9449-D3BDA21D1A7F}
2012-06-26 14:26:00 -------- d--h--w- c:\users\sp\appdata\local\{82339FF5-B698-4534-8B2C-8FF420DF9A81}
2012-06-26 01:31:10 -------- d--h--w- c:\users\sp\appdata\local\{4861598B-F83E-476D-A750-42E78C6D140E}
2012-06-26 01:30:48 -------- d--h--w- c:\users\sp\appdata\local\{EA7690CE-A086-45B4-BB11-F7A3D488CCEB}
2012-06-25 02:10:27 -------- d--h--w- c:\users\sp\appdata\local\{32A077B5-2EA5-4E31-B4AB-DEC00B93AD69}
2012-06-23 03:45:02 -------- d--h--w- c:\users\sp\appdata\local\{599BD4B9-4454-4E67-8DB5-1621A284B4C1}
2012-06-23 03:44:41 -------- d--h--w- c:\users\sp\appdata\local\{310B9E23-1CF7-42A8-ACC9-3A0A21F3310E}
2012-06-22 15:44:14 -------- d--h--w- c:\users\sp\appdata\local\{79398A62-6B6F-49E5-A92A-9BEA39E06FDD}
2012-06-22 15:43:49 -------- d--h--w- c:\users\sp\appdata\local\{0306ACA1-F474-4A1E-8838-1BBDC4A4EF35}
2012-06-22 03:43:19 -------- d--h--w- c:\users\sp\appdata\local\{63473AE9-22A6-42A0-96BE-2F46903A3545}
2012-06-22 03:42:58 -------- d--h--w- c:\users\sp\appdata\local\{A1B43DB9-19BD-479C-B0C5-8EA9EFF7E001}
2012-06-21 15:42:31 -------- d--h--w- c:\users\sp\appdata\local\{350D4A3E-EB89-48BB-A2F4-C4FF42A410AA}
2012-06-21 15:42:09 -------- d--h--w- c:\users\sp\appdata\local\{88BB2E8A-38F1-411F-8EDE-C3087FE17409}
2012-06-21 03:41:38 -------- d--h--w- c:\users\sp\appdata\local\{06B7D4FC-79A5-4A57-99D5-AAAB9945DFC6}
2012-06-21 03:41:14 -------- d--h--w- c:\users\sp\appdata\local\{D1841185-2E72-4A1E-B549-AB8362B4C4FB}
2012-06-20 15:40:41 -------- d--h--w- c:\users\sp\appdata\local\{F22F75CF-5987-4945-88BD-427B9C902283}
2012-06-20 15:40:17 -------- d--h--w- c:\users\sp\appdata\local\{B797E5AA-CF64-4316-A1D3-15314E030969}
2012-06-20 03:39:50 -------- d--h--w- c:\users\sp\appdata\local\{9CC6C64F-1D4B-48F1-B32B-37C081D7F283}
2012-06-20 03:39:29 -------- d--h--w- c:\users\sp\appdata\local\{23132524-34D1-48C5-AC45-BEB514A2DBC5}
2012-06-19 22:35:14 4967624 ---ha-w- c:\program files\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll
2012-06-19 15:39:02 -------- d--h--w- c:\users\sp\appdata\local\{41F88865-C560-4028-8826-3497224DDCF3}
2012-06-19 15:38:39 -------- d--h--w- c:\users\sp\appdata\local\{D21D7ED2-4596-4FC3-A7F6-DC62AD143DB7}
2012-06-19 03:37:56 -------- d--h--w- c:\users\sp\appdata\local\{1086CC20-6BFA-454D-BF43-47BEB88D6E57}
2012-06-19 03:37:24 -------- d--h--w- c:\users\sp\appdata\local\{93198057-5BB3-4251-BA17-AF3331D2C5BD}
2012-06-18 15:36:37 -------- d--h--w- c:\users\sp\appdata\local\{209D2A9E-1B39-428C-9D3E-8F91BA118A90}
2012-06-18 15:36:10 770384 ---ha-w- c:\program files\mozilla firefox\msvcr100.dll
2012-06-18 15:36:10 421200 ---ha-w- c:\program files\mozilla firefox\msvcp100.dll
2012-06-17 14:41:21 -------- d--h--w- c:\users\sp\appdata\local\{497CF24B-FB60-426A-B481-240DD813E437}
2012-06-16 04:00:58 -------- d--h--w- c:\users\sp\appdata\local\{FAF83CBB-55B6-4405-B03D-C074270285A3}
2012-06-15 13:57:12 -------- d--h--w- c:\users\sp\appdata\local\{06358064-5F0F-4500-B9D3-942BEA3959D4}
.
==================== Find3M ====================
.
2012-07-13 19:02:06 865022 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2012-07-12 04:19:19 70344 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-12 04:19:19 426184 ---ha-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-25 21:04:24 1394248 ---ha-w- c:\windows\system32\msxml4.dll
2012-06-06 05:05:52 1390080 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 05:05:52 1236992 ----a-w- c:\windows\system32\msxml3.dll
2012-06-02 04:40:39 225280 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 04:39:10 219136 ----a-w- c:\windows\system32\ncrypt.dll
2012-05-30 06:50:44 34768 ---ha-w- c:\windows\xinstaller.exe
2012-05-30 06:50:42 79824 ---ha-w- c:\windows\xinstaller.dll
2012-05-01 04:44:12 164352 ----a-w- c:\windows\system32\profsvc.dll
2012-04-28 03:17:07 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-26 04:45:55 58880 ----a-w- c:\windows\system32\rdpwsx.dll
2012-04-26 04:45:54 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-04-26 04:41:16 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-04-24 04:36:42 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2012-04-24 04:36:42 1158656 ----a-w- c:\windows\system32\crypt32.dll
2012-04-24 04:36:42 103936 ----a-w- c:\windows\system32\cryptnet.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601 Disk: FUJITSU_ rev.0000 -> Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: >>UNKNOWN [0x8384F000]<< >>UNKNOWN [0x8C650000]<< >>UNKNOWN [0x8C63F000]<< >>UNKNOWN [0x8BDA6000]<< >>UNKNOWN [0x83818000]<< >>UNKNOWN [0x8C01B000]<< >>UNKNOWN [0x8BC90000]<< >>UNKNOWN [0xA0F20000]<<
_asm { DEC EBP; POP EDX; NOP ; ADD [EBX], AL; ADD [EAX], AL; ADD [EAX+EAX], AL; ADD [EAX], AL; }
1 ntkrnlpa!IofCallDriver[0x8388655A] -> \Device\Harddisk0\DR0[0x861F1700]
\Driver\Disk[0x861F5668] -> IRP_MJ_CREATE -> 0x8C65439F
3 [0x8C65459E] -> ntkrnlpa!IofCallDriver[0x8388655A] -> [0x86EEE8C0]
\Driver\ACPI[0x8615BE40] -> IRP_MJ_CREATE -> 0x8BDAF4CC
5 [0x8BDAF3D4] -> ntkrnlpa!IofCallDriver[0x8388655A] -> \Device\Ide\IAAStorageDevice-1[0x86EBB028]
\Driver\iaStor[0x86EEA030] -> IRP_MJ_CREATE -> 0x8C07C830
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [bP+0x0], 0x0; }
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 14:14:13.65 ===============
-
My laptop has been infected with the System Check virus, or something similar. I found a few solutions online, but I was unable to fix it. This is what I've tried:
-RKill
(kills 2 unknown processes with random names and stops the popups, closes the virus program)
-Unhide
(successfully unhides all my files)
-TDSSKiller
(could not run at first, I ran FixTDSS and it could run after, however it found nothing)
-MBAM free version
(ran a full scan as well as a few quick scans before and after trying the 3 programs above, but it found nothing)
I'm currently running in Safe Mode with Networking. The virus appeared only when I booted my laptop today.
I have attached DDS.txt and Attach.txt as instructed by the pinned topic. I hope someone can help! Thanks!
Infected with System Check, cannot be detected by antivirus
in Resolved Malware Removal Logs
That did the trick! Thank you so much again.