MarianAlexandru
Honorary Members
Posts: 22
Reputation: 0 Neutral
Thanks for all the help and patience, I really learned something from you these days. I'm impressed.
-
I downloaded a Microsoft Removal Tool and it found Win32 Sality, but it was unable to remove it. Then I downloaded the AVG Removal Tool, ran it, and it scanned the system all night (from 2 AM to 1 PM this morning). The process got stuck at some point, so I had to reboot the system and start with the Last Known Good Configuration. It seems the virus is gone, there are no suspicious files on the C or D drive, and now I can access all anti-virus websites. Thanks a lot for your help and patience, I really learned something from you.
-
OK, Norton just finished the process and deleted about 20 programs from my system (WinRAR, Yahoo, uTorrent, BSPlayer, etc.) and also jkon.exe, iyuyu.exe, jmxap.exe (these files get random names and are located on the C and D drives). But the last three are back after reboot. It seems the virus creates the files as soon as Windows loads. I think I need to check the startup programs and see if I can find anything suspicious.
-
I asked a friend to download NPE for me. He created a .rar archive and sent it to me. Now NPE is running and removing the malware found. I can see most of the .exe files are infected (uTorrent, ComboFix, VLC). I'll post the results as soon as NPE finishes removing the malware.
-
Can't even download it:
-
Combofix log:
ComboFix 12-12-29.02 - Marian 29.12.2012 17:48:48.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1150.774 [GMT 2:00]
Running from: c:\documents and settings\Marian\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Marian\Desktop\CFScript.txt
.
FILE ::
"C:\vafhd.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\autorun.inf
c:\documents and settings\Marian\My Documents\MSDCSC\msdcsc.exe
C:\qadc.exe
C:\vafhd.exe
D:\autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2012-11-28 to 2012-12-29 )))))))))))))))))))))))))))))))
.
.
2012-12-29 14:12 . 2012-12-29 14:12 92160 ----a-w- C:\aklremover.exe
2012-12-28 15:32 . 2012-12-29 15:53 -------- d-----w- c:\windows\system32\CatRoot2
2012-12-27 10:13 . 2012-12-27 10:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-12-27 10:13 . 2012-09-29 17:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-27 10:08 . 2012-12-27 10:08 -------- d-----w- C:\TDSSKiller_Quarantine
2012-12-22 22:08 . 2012-12-22 22:13 -------- d-----w- c:\documents and settings\Marian\Application Data\Realore All My Gods
2012-12-22 10:41 . 2012-12-22 10:41 -------- d-----w- c:\documents and settings\Marian\Application Data\AlawarEntertainment
2012-12-22 10:40 . 2012-12-22 10:40 -------- d-----w- C:\Downloads
2012-12-22 10:00 . 2012-12-22 10:05 -------- d-----w- c:\documents and settings\Marian\Application Data\adelantado_big_fish_en
2012-12-22 09:56 . 2012-12-22 10:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Big Fish Games
2012-12-22 09:54 . 2012-12-22 10:07 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2012-12-19 22:13 . 2012-12-19 22:13 -------- d-----w- c:\documents and settings\Marian\Application Data\Canneverbe Limited
2012-12-19 22:13 . 2012-12-19 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Canneverbe Limited
2012-12-19 20:15 . 2012-12-29 00:32 -------- d-----w- c:\documents and settings\Marian\Application Data\vlc
2012-12-19 20:14 . 2012-12-19 20:14 -------- d-----w- c:\program files\VideoLAN
2012-12-18 14:31 . 2012-12-18 14:31 -------- d-----w- c:\program files\Axantum
2012-12-09 13:13 . 2012-12-10 20:44 -------- d-----w- c:\documents and settings\All Users\Application Data\notracks.com
2012-12-09 12:28 . 2012-11-22 13:10 380240 ----a-w- c:\windows\system32\EasyRedirect.dll
2012-12-03 17:38 . 2012-12-03 17:43 -------- d-----w- c:\documents and settings\Marian\Application Data\Charles
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-11 19:58 . 2012-08-18 13:38 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-11 19:58 . 2012-08-18 13:38 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-12 13:43 . 2012-08-18 14:14 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-10-12 13:43 . 2012-08-18 14:14 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-12-06 06:27 . 2012-12-06 06:27 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
Cryptography Services Error !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-03-12 81920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\persistentroutes]
"62.75.206.182,255.255.255.255,10.10.13.113,1"=""
"173.245.61.58,255.255.255.255,10.10.13.113,1"=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\ymsgr_tray.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"d:\\vipmetin2\\metin2client.bin"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Marian\\Desktop\\mbar-1.01.0.1011\\mbar\\fixdamage.exe"=
"c:\\WINDOWS\\system32\\Ati2evxx.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbamgui.exe"=
"c:\\Documents and Settings\\Marian\\Desktop\\ComboFix.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\POWERPNT.EXE"=
"c:\\Documents and Settings\\Marian\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Glary Utilities\\initialize.exe"=
.
R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [10/26/2012 9:35 PM 156800]
R0 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [10/26/2012 9:35 PM 5248]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [12/27/2012 12:13 PM 399432]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/27/2012 12:13 PM 676936]
R3 amsint32;amsint32;\??\c:\windows\system32\drivers\noqlno.sys --> c:\windows\system32\drivers\noqlno.sys [?]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/27/2012 12:13 PM 22856]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - AMSINT32
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-29 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-18 19:58]
.
2012-12-29 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2012-08-19 23:22]
.
2012-12-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-1604221776-839522115-1003Core.job
- c:\documents and settings\Marian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-09-16 11:09]
.
2012-12-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-1604221776-839522115-1003UA.job
- c:\documents and settings\Marian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-09-16 11:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = about:blank
IE: E&xport în Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: Interfaces\{F9160D27-4F22-4362-BF46-B754F8EF40A7}: NameServer = 213.154.124.1 193.231.252.1
FF - ProfilePath - c:\documents and settings\Marian\Application Data\Mozilla\Firefox\Profiles\5rewtv1m.default-1352558750515\
FF - ExtSQL: 2012-11-10 16:51; {e4a8a97b-f2ed-450b-b12d-ee082ba24781}; c:\documents and settings\Marian\Application Data\Mozilla\Firefox\Profiles\5rewtv1m.default-1352558750515\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi
FF - ExtSQL: 2012-12-03 19:41; {3e9a3920-1b27-11da-8cd6-0800200c9a66}; c:\documents and settings\Marian\Application Data\Mozilla\Firefox\Profiles\5rewtv1m.default-1352558750515\extensions\{3e9a3920-1b27-11da-8cd6-0800200c9a66}.xpi
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-29 17:59
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1177238915-1604221776-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(2928)
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
.
**************************************************************************
.
Completion time: 2012-12-29 18:02:03 - machine was rebooted
ComboFix-quarantined-files.txt 2012-12-29 16:01
ComboFix2.txt 2012-12-29 14:30
ComboFix3.txt 2012-12-28 11:27
ComboFix4.txt 2012-12-27 20:59
.
Pre-Run: 8.343.384.064 bytes free
Post-Run: 8.295.497.728 bytes free
.
- - End Of File - - 137EB10C1C24674BA1A3A930942CB02F
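As an added example (not the poster's or the helpers' code, and not part of the original thread), here is a small Python triage script that reads the "Reg Loading Points" part of a ComboFix log like the one above and flags the settings an infection of this kind leaves behind: the UAC policy forced off, Security Center override and notification-suppression values, the XP firewall switched off, pinned /32 persistent routes to public hosts, firewall exceptions for binaries in user-writable folders, and services whose binary ComboFix could not verify (marked "[?]", here the amsint32 entry, a service name that public Sality write-ups associate with its driver). The rules, the trusted install roots and the rule names are this example's own assumptions; the sample text is an excerpt copied from the posted log.

```python
"""Flag security-control tampering in a ComboFix 'Reg Loading Points' section.

Added example, not ComboFix's own code. Which keys/values count as tampering and
which install roots are trusted are this script's assumptions.
"""
import ipaddress
import re

# Constructed sample input: lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\persistentroutes]
"62.75.206.182,255.255.255.255,10.10.13.113,1"=""
"173.245.61.58,255.255.255.255,10.10.13.113,1"=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Marian\\My Documents\\MSDCSC\\msdcsc.exe"=
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/27/2012 12:13 PM 676936]
R3 amsint32;amsint32;\??\c:\windows\system32\drivers\noqlno.sys --> c:\windows\system32\drivers\noqlno.sys [?]
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.*)$")
# Assumption: firewall exceptions for binaries outside these roots deserve a look.
TRUSTED_ROOTS = ("c:\\program files", "c:\\windows")
# Security Center values that, when set to 1, silence AV/firewall/update monitoring.
SC_SUPPRESS = {"antivirusoverride", "firewalloverride", "antivirusdisablenotify",
               "firewalldisablenotify", "updatesdisablenotify", "uacdisablenotify"}


def parse_number(raw):
    """Convert ComboFix value renderings ('dword:00000001', '0 (0x0)') to int, else None."""
    m = re.match(r"^dword:([0-9a-fA-F]{8})$", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)
    return int(m.group(1)) if m else None


def triage(text):
    """Return a list of {'rule', 'detail'} findings for the tampering patterns below."""
    findings = []
    key = ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line == ".":
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()  # registry key that the following values belong to
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, target = m.group(1), m.group(2)
            if target.endswith("[?]"):  # ComboFix could not verify the service binary on disk
                findings.append({"rule": "unverifiable_service", "detail": f"{name}: {target}"})
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, num = m.group(1), parse_number(m.group(2).strip())
        lname = name.lower()
        if key.endswith("policies\\system") and lname == "enablelua" and num == 0:
            findings.append({"rule": "uac_disabled", "detail": "EnableLUA=0"})
        elif "security center" in key and lname in SC_SUPPRESS and num == 1:
            findings.append({"rule": "security_center_suppressed", "detail": name})
        elif key.endswith("firewallpolicy\\standardprofile") and lname == "enablefirewall" and num == 0:
            findings.append({"rule": "firewall_disabled", "detail": "EnableFirewall=0"})
        elif key.endswith("persistentroutes"):
            parts = name.split(",")  # dest,mask,gateway,metric
            if len(parts) == 4 and parts[1] == "255.255.255.255":
                dest = ipaddress.ip_address(parts[0])
                if not dest.is_private:  # a pinned /32 route to a public host is unusual on a home PC
                    findings.append({"rule": "external_host_route", "detail": f"{dest} via {parts[2]}"})
        elif key.endswith("authorizedapplications\\list"):
            path = name.replace("\\\\", "\\").lower()  # the log doubles backslashes
            if not path.startswith(TRUSTED_ROOTS):
                findings.append({"rule": "firewall_exception_user_path", "detail": path})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['rule']:32} {f['detail']}")
```

Feed it the whole log text instead of the excerpt to get the full list. Anything it prints is a lead to verify by hand rather than a verdict: a firewall the owner switched off on purpose, or a route an administrator added, trips the same rules.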
-
I downloaded NPE from another website, but once the download reaches 100% the virus blocks it; if I try to run NPE I get this error: "NPE.exe is not a valid Win32 application"
-
The virus is blocking the website, can you give me the direct link for download?
-
Yes, I ran the uninstaller found on their website; I tried to run it from different locations with no result. ComboFix log:
ComboFix 12-12-29.02 - Marian 29.12.2012 16:17:37.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1150.809 [GMT 2:00]
Running from: c:\documents and settings\Marian\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\autorun.inf
c:\documents and settings\Marian\Local Settings\Application Data\NGen.exe
D:\autorun.inf
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_AMSINT32
-------\Service_amsint32
.
.
((((((((((((((((((((((((( Files Created from 2012-11-28 to 2012-12-29 )))))))))))))))))))))))))))))))
.
.
2012-12-29 14:12 . 2012-12-29 14:12 92160 ----a-w- C:\aklremover.exe
2012-12-28 18:11 . 2012-12-29 00:21 103140 ----a-w- C:\vafhd.exe
2012-12-28 15:32 . 2012-12-29 14:08 -------- d-----w- c:\windows\system32\CatRoot2
2012-12-27 10:13 . 2012-12-27 10:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-12-27 10:13 . 2012-09-29 17:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-27 10:08 . 2012-12-27 10:08 -------- d-----w- C:\TDSSKiller_Quarantine
2012-12-22 22:08 . 2012-12-22 22:13 -------- d-----w- c:\documents and settings\Marian\Application Data\Realore All My Gods
2012-12-22 10:41 . 2012-12-22 10:41 -------- d-----w- c:\documents and settings\Marian\Application Data\AlawarEntertainment
2012-12-22 10:40 . 2012-12-22 10:40 -------- d-----w- C:\Downloads
2012-12-22 10:00 . 2012-12-22 10:05 -------- d-----w- c:\documents and settings\Marian\Application Data\adelantado_big_fish_en
2012-12-22 09:56 . 2012-12-22 10:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Big Fish Games
2012-12-22 09:54 . 2012-12-22 10:07 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2012-12-19 22:13 . 2012-12-19 22:13 -------- d-----w- c:\documents and settings\Marian\Application Data\Canneverbe Limited
2012-12-19 22:13 . 2012-12-19 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Canneverbe Limited
2012-12-19 20:15 . 2012-12-29 00:32 -------- d-----w- c:\documents and settings\Marian\Application Data\vlc
2012-12-19 20:14 . 2012-12-19 20:14 -------- d-----w- c:\program files\VideoLAN
2012-12-18 14:31 . 2012-12-18 14:31 -------- d-----w- c:\program files\Axantum
2012-12-09 13:13 . 2012-12-10 20:44 -------- d-----w- c:\documents and settings\All Users\Application Data\notracks.com
2012-12-09 12:28 . 2012-11-22 13:10 380240 ----a-w- c:\windows\system32\EasyRedirect.dll
2012-12-03 17:38 . 2012-12-03 17:43 -------- d-----w- c:\documents and settings\Marian\Application Data\Charles
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-11 19:58 . 2012-08-18 13:38 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-11 19:58 . 2012-08-18 13:38 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-12 13:43 . 2012-08-18 14:14 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-10-12 13:43 . 2012-08-18 14:14 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-12-06 06:27 . 2012-12-06 06:27 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[-] 2008-04-13 21:10 . !HASH: COULD NOT OPEN FILE !!!!! . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-03-12 81920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\persistentroutes]
"62.75.206.182,255.255.255.255,10.10.13.113,1"=""
"173.245.61.58,255.255.255.255,10.10.13.113,1"=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\ymsgr_tray.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"d:\\vipmetin2\\metin2client.bin"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Marian\\Desktop\\mbar-1.01.0.1011\\mbar\\fixdamage.exe"=
"c:\\WINDOWS\\system32\\Ati2evxx.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbamgui.exe"=
"c:\\Documents and Settings\\Marian\\Desktop\\ComboFix.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\POWERPNT.EXE"=
"c:\\Documents and Settings\\Marian\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Documents and Settings\\Marian\\My Documents\\MSDCSC\\msdcsc.exe"=
"c:\\Program Files\\Glary Utilities\\initialize.exe"=
.
R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [10/26/2012 9:35 PM 156800]
R0 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [10/26/2012 9:35 PM 5248]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [12/27/2012 12:13 PM 399432]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/27/2012 12:13 PM 676936]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/27/2012 12:13 PM 22856]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-29 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-18 19:58]
.
2012-12-29 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2012-08-19 23:22]
.
2012-12-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-1604221776-839522115-1003Core.job
- c:\documents and settings\Marian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-09-16 11:09]
.
2012-12-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-1604221776-839522115-1003UA.job
- c:\documents and settings\Marian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-09-16 11:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = about:blank
IE: E&xport în Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Marian\Application Data\Mozilla\Firefox\Profiles\5rewtv1m.default-1352558750515\
FF - ExtSQL: 2012-11-10 16:51; {e4a8a97b-f2ed-450b-b12d-ee082ba24781}; c:\documents and settings\Marian\Application Data\Mozilla\Firefox\Profiles\5rewtv1m.default-1352558750515\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi
FF - ExtSQL: 2012-12-03 19:41; {3e9a3920-1b27-11da-8cd6-0800200c9a66}; c:\documents and settings\Marian\Application Data\Mozilla\Firefox\Profiles\5rewtv1m.default-1352558750515\extensions\{3e9a3920-1b27-11da-8cd6-0800200c9a66}.xpi
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-/sam/man - c:\documents and settings\Marian\Local Settings\Application Data\NGen.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-29 16:27
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1177238915-1604221776-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(2404)
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
.
**************************************************************************
.
Completion time: 2012-12-29 16:30:54 - machine was rebooted
ComboFix-quarantined-files.txt 2012-12-29 14:30
ComboFix2.txt 2012-12-28 11:27
ComboFix3.txt 2012-12-27 20:59
.
Pre-Run: 8.453.410.816 bytes free
Post-Run: 8.389.349.376 bytes free
.
- - End Of File - - 3A2A110CB12ACED06744CD3DF2CC7A70
-
I have no idea how this keylogger got on my system.
-
When I run the uninstaller it says Ardamax Keylogger not found.
-
So Ardamax Keylogger prevents me from going to any antivirus website?
-
The computer's running normally, but I still can't access anti-virus websites such as Kaspersky or VirusTotal. The qmkw file doesn't appear in the C: drive anymore, though there's a new file now, vafhd.exe (scanned it with MB and it's the same virus). Here's the checkup.txt:
Results of screen317's Security Check version 0.99.56
Windows XP Service Pack 3 x86 (UAC is disabled!)
Internet Explorer 7 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Please wait while WMIC compiles updated MOF files.
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.65.1.1000
JavaFX 2.1.1
Java 7 Update 9
Adobe Flash Player 11.5.502.135
Mozilla Firefox (17.0.1)
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
Malwarebytes' Anti-Malware mbamscheduler.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 18% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
-
Yes, the error shows up only when opening ComboFix. AdwCleanerS1.txt
-
The FixIt from Microsoft didn't work; I still get the NSIS error when trying to open ComboFix. I looked into the AdwCleaner log and there's nothing I want to keep. Here's the log: AdwCleanerR1.txt