
Jancu6


Posts posted by Jancu6

  1. RogueKiller V8.4.2 [Dec 31 2012] by Tigzy

    mail : tigzyRK<at>gmail<dot>com

    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

    Website : http://tigzy.geekstogo.com/roguekiller.php

    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

    Started in : Normal mode

    User : Michal [Admin rights]

    Mode : Scan -- Date : 01/06/2013 17:31:07

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 12 ¤¤¤

    [DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{8E6653D6-5F6B-44D7-A31D-5EF05C3A1016} : NameServer (8.26.56.26,156.154.70.22) -> FOUND

    [DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{8E6653D6-5F6B-44D7-A31D-5EF05C3A1016} : NameServer (8.26.56.26,156.154.70.22) -> FOUND

    [HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

    [HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

    [HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND

    [HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND

    [HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

    [HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND

    [HJ DESK] HKCU\[...]\ClassicStartMenu : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> FOUND

    [HJ DESK] HKCU\[...]\NewStartPanel : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> FOUND

    [HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    [HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED] ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤

    --> C:\Windows\system32\drivers\etc\hosts

    127.0.0.1 localhost

    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: WDC WD20EARX-00PASB0 +++++

    --- User ---

    [MBR] 7b20f67738d1cca27d76cac5d12c3523

    [BSP] 1200eaf1ec9ef500c1c3a9c1940672d7 : Windows 7/8 MBR Code

    Partition table:

    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 499899 Mo

    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1024000000 | Size: 1407728 Mo

    User = LL1 ... OK!

    User = LL2 ... OK!

    Finished : << RKreport[1]_S_01062013_02d1731.txt >>

    RKreport[1]_S_01062013_02d1731.txt
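    Added example, not part of this thread and not code from RogueKiller: a small Python parser for the "Registry Entries" block of a RogueKiller report, with a triage step on top. It reads lines of the shape `[TAG] location : name (value) -> FOUND`, then sorts them into categories: NameServer values that are not the expected resolver (the `EXPECTED_RESOLVERS` set is an assumption, seeded here with the DHCP server 192.168.1.1 that the ComboFix log in the next post reports), UAC policy values that weaken protection (EnableLUA=0 turns UAC off; ConsentPromptBehaviorAdmin=0 lets administrators elevate with no prompt), entries RogueKiller itself tagged `SUSP PATH`, and everything else as informational (DisableRegistryTools=0, for instance, means regedit is not restricted). The sample report is constructed from lines quoted in this thread; the category names are illustrative.

```python
"""Parse RogueKiller 'Registry Entries' findings and triage them.

Added example, not part of the RogueKiller tool or the forum thread.
SAMPLE_REPORT is constructed from lines quoted on the page; the
EXPECTED_RESOLVERS allowlist and the category names are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Shape of a finding line:  [TAG][TAG2] <location> : <name> (<value>) -> FOUND
LINE_RE = re.compile(r"^((?:\[[^\]]+\])+)\s+(.*?)\s+->\s+(\w+)\s*$")
TAG_RE = re.compile(r"\[([^\]]+)\]")
VALUE_RE = re.compile(r"^(.*?)\s+\(([^()]*)\)$")

# Resolvers this machine is expected to use (assumption: the DHCP-supplied
# 192.168.1.1 that the thread's ComboFix log lists as DhcpNameServer).
EXPECTED_RESOLVERS = {"192.168.1.1"}

# Policy values that weaken UAC when set to the listed value.
UAC_WEAK_VALUES = {
    "EnableLUA": "0",                   # UAC switched off entirely
    "ConsentPromptBehaviorAdmin": "0",  # admins elevate silently, no prompt
    "PromptOnSecureDesktop": "0",       # prompts not isolated on the secure desktop
}

@dataclass
class Finding:
    tags: list
    location: str
    name: str
    value: Optional[str]
    status: str
    category: str = "informational"

def classify(f: "Finding") -> str:
    """Assign a triage category; order reflects what to look at first."""
    if "DNS" in f.tags and f.value:
        servers = {s.strip() for s in f.value.split(",")}
        if not servers <= EXPECTED_RESOLVERS:
            return "dns_override"
    if f.name in UAC_WEAK_VALUES and f.value == UAC_WEAK_VALUES[f.name]:
        return "uac_weakened"
    if "SUSP PATH" in f.tags:
        return "suspicious_autorun"
    return "informational"

def parse_line(line: str) -> Optional[Finding]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # headers, counters and blank lines are skipped
    tags = TAG_RE.findall(m.group(1))
    body, status = m.group(2), m.group(3)
    location, sep, rest = body.partition(" : ")
    if not sep:                        # no ' : ' separator at all
        location, rest = "", body
    vm = VALUE_RE.match(rest)          # trailing "(value)" is optional
    name, value = (vm.group(1), vm.group(2)) if vm else (rest, None)
    f = Finding(tags, location, name, value, status)
    f.category = classify(f)
    return f

def parse_report(text: str) -> list:
    return [f for f in map(parse_line, text.splitlines()) if f]

def summarize(findings) -> dict:
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts

# Constructed sample: a subset of the lines posted in this thread.
SAMPLE_REPORT = r"""RogueKiller V8.4.2 [Dec 31 2012] by Tigzy
Mode : Scan -- Date : 01/06/2013 01:49:58

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 7 ¤¤¤
[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\Run : Adobe (C:\ProgramData\Adobe\EFB01.vbe) -> FOUND
[STARTUP][SUSP PATH] LaunchLater.lnk @Michal : C:\Users\Michal\AppData\Roaming\Microsoft\Installer\{B16D2B97-0EAE-44A2-87EA-D6E34A18D4B2}\_DB477A4B1562BA9DC400CD.exe -> FOUND
[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{8E6653D6-5F6B-44D7-A31D-5EF05C3A1016} : NameServer (8.26.56.26,156.154.70.22) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
"""

if __name__ == "__main__":
    for f in parse_report(SAMPLE_REPORT):
        print(f"{f.category:<18} {f.name} = {f.value!r}  [{', '.join(f.tags)}]")
    print(summarize(parse_report(SAMPLE_REPORT)))
```

    A NameServer override is only "bad" relative to what the network is supposed to hand out, so the allowlist is the part to adjust per machine; the UAC values, by contrast, are unambiguous and worth restoring whether or not malware set them.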

  2. ComboFix 13-01-05.01 - Michal 2013-01-06 2:56.1.4 - x64

    Microsoft Windows 7 Ultimate 6.1.7601.1.1250.48.1033.18.16349.13945 [GMT 1:00]

    Run from: c:\users\Michal\Desktop\ComboFix.exe

    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    .

    .

    ((((((((((((((((((((((((((((((((((((((( Deleted )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    c:\windows\SysWow64\lsprst7.dll

    c:\windows\SysWow64\ssprs.dll

    .

    .

    ((((((((((((((((((((((((( Files created from 2012-12-06 to 2013-01-06 )))))))))))))))))))))))))))))))

    .

    .

    2013-01-06 02:01 . 2013-01-06 02:01 -------- d-----w- c:\users\Default\AppData\Local\temp

    2013-01-05 21:06 . 2013-01-05 21:09 -------- d-----w- c:\program files (x86)\PCSX2 0.9.8

    2013-01-05 17:40 . 2013-01-05 17:43 -------- d-----w- c:\program files (x86)\Unreal 3

    2013-01-05 17:26 . 2013-01-05 17:26 -------- d-----w- c:\program files (x86)\Bethesda Softworks

    2013-01-05 17:13 . 2013-01-05 17:13 -------- d-----w- c:\program files (x86)\SQUARE ENIX

    2013-01-04 15:18 . 2013-01-04 15:18 -------- d-----w- c:\program files (x86)\LaunchLater

    2013-01-03 19:34 . 2013-01-03 19:34 -------- d-s---w- c:\programdata\Shared Space

    2013-01-03 19:33 . 2013-01-03 19:33 -------- d-----w- c:\program files\COMODO

    2013-01-03 19:33 . 2013-01-03 19:34 -------- d-----w- c:\programdata\COMODO

    2013-01-03 19:33 . 2013-01-03 19:33 -------- d-----w- c:\program files (x86)\Common Files\Comodo

    2013-01-03 19:33 . 2013-01-04 14:54 -------- d-----w- c:\program files (x86)\Comodo

    2013-01-03 19:33 . 2013-01-03 19:33 -------- d-----w- c:\programdata\Comodo Downloader

    2013-01-03 18:57 . 2013-01-03 18:57 -------- d-----w- c:\programdata\Malwarebytes

    2013-01-03 18:57 . 2013-01-03 18:57 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

    2013-01-03 18:57 . 2012-12-14 15:49 24176 ----a-w- c:\windows\system32\drivers\mbam.sys

    2013-01-03 17:14 . 2012-10-30 22:51 370288 ----a-w- c:\windows\system32\drivers\aswSP.sys

    2013-01-03 17:14 . 2012-10-30 22:51 25232 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

    2013-01-03 17:14 . 2012-10-30 22:51 59728 ----a-w- c:\windows\system32\drivers\aswTdi.sys

    2013-01-03 17:14 . 2012-10-30 22:51 984144 ----a-w- c:\windows\system32\drivers\aswSnx.sys

    2013-01-03 17:14 . 2012-10-15 16:59 54072 ----a-w- c:\windows\system32\drivers\aswRdr2.sys

    2013-01-03 17:14 . 2012-10-30 22:51 71600 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys

    2013-01-03 17:14 . 2012-10-30 22:50 285328 ----a-w- c:\windows\system32\aswBoot.exe

    2013-01-03 17:13 . 2012-10-30 22:51 41224 ----a-w- c:\windows\avastSS.scr

    2013-01-03 17:13 . 2012-10-30 22:50 227648 ----a-w- c:\windows\SysWow64\aswBoot.exe

    2013-01-03 17:13 . 2013-01-03 17:13 -------- d-----w- c:\programdata\AVAST Software

    2013-01-03 17:13 . 2013-01-03 17:13 -------- d-----w- c:\program files\AVAST Software

    2013-01-02 17:51 . 2013-01-02 17:59 -------- d-----w- c:\program files (x86)\Call of Duty Black Ops 2

    2013-01-02 17:50 . 2013-01-02 17:50 -------- d-----w- c:\program files (x86)\GetDiz

    2013-01-01 19:09 . 2013-01-01 19:09 281688 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr

    2013-01-01 18:55 . 2013-01-01 18:55 -------- d-----w- c:\program files (x86)\NAMCO BANDAI Games

    2013-01-01 12:58 . 2013-01-01 15:19 -------- d-----w- c:\program files (x86)\Farming Simulator 2013

    2012-12-31 22:46 . 2013-01-01 19:09 -------- d-----w- c:\programdata\Orbit

    2012-12-31 13:53 . 2012-12-31 13:53 -------- d-----w- c:\program files (x86)\ChomikBox

    2012-12-31 10:27 . 2010-06-02 03:55 74072 ----a-w- c:\windows\SysWow64\XAPOFX1_5.dll

    2012-12-31 10:27 . 2010-06-02 03:55 527192 ----a-w- c:\windows\SysWow64\XAudio2_7.dll

    2012-12-31 10:27 . 2010-05-26 10:41 248672 ----a-w- c:\windows\SysWow64\d3dx11_43.dll

    2012-12-31 10:27 . 2010-05-26 10:41 2106216 ----a-w- c:\windows\SysWow64\D3DCompiler_43.dll

    2012-12-31 10:27 . 2010-05-26 10:41 1998168 ----a-w- c:\windows\SysWow64\D3DX9_43.dll

    2012-12-31 10:25 . 2012-12-31 10:25 -------- d-----w- c:\program files (x86)\Microsoft.NET

    2012-12-31 10:14 . 2012-12-31 10:14 -------- d-----w- c:\program files (x86)\2K Games

    2012-12-30 21:33 . 2012-12-30 21:33 916456 ----a-w- c:\windows\system32\deployJava1.dll

    2012-12-30 21:33 . 2012-12-30 21:33 289768 ----a-w- c:\windows\system32\javaws.exe

    2012-12-30 21:33 . 2012-12-30 21:33 1034216 ----a-w- c:\windows\system32\npDeployJava1.dll

    2012-12-30 21:33 . 2012-12-30 21:33 189416 ----a-w- c:\windows\system32\javaw.exe

    2012-12-30 21:33 . 2012-12-30 21:33 188904 ----a-w- c:\windows\system32\java.exe

    2012-12-30 21:33 . 2012-12-30 21:33 108008 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll

    2012-12-30 21:33 . 2012-12-30 21:33 -------- d-----w- c:\program files\Java

    2012-12-30 14:44 . 2012-12-30 14:44 178800 ----a-w- c:\windows\SysWow64\CmdLineExt_x64.dll

    2012-12-30 14:43 . 2013-01-01 18:55 -------- d-----w- c:\program files (x86)\Microsoft Games for Windows - LIVE

    2012-12-30 14:43 . 2012-12-30 14:43 -------- d-----w- c:\windows\SysWow64\xlive

    2012-12-30 13:59 . 2012-12-30 14:00 -------- d-----w- c:\program files (x86)\Rockstar Games

    2012-12-26 21:35 . 2013-01-05 21:13 -------- d-----w- c:\program files\MotioninJoy

    2012-12-26 21:35 . 2011-08-29 23:54 117520 ----a-w- c:\windows\system32\drivers\MijXfilt.sys

    2012-12-26 21:35 . 2010-08-19 18:24 74960 ----a-w- c:\windows\system32\drivers\xusb21.sys

    2012-12-26 21:35 . 2010-08-19 18:24 1721576 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll

    2012-12-26 21:35 . 2010-05-03 15:12 328712 ----a-w- c:\windows\system32\MijFrc.dll

    2012-12-26 21:29 . 2012-12-26 21:30 -------- d-----w- c:\program files (x86)\Euro Truck Simulator 2

    2012-12-25 13:02 . 2012-12-25 13:02 -------- d-----w- c:\program files\2C-Audio

    2012-12-25 04:12 . 2012-12-25 04:12 -------- d-----w- c:\program files (x86)\apulSoft

    2012-12-25 01:54 . 2009-12-03 21:40 499712 ----a-w- c:\windows\SysWow64\msvcp71.dll

    2012-12-25 01:44 . 2011-07-01 11:31 2181120 ----a-w- c:\windows\system32\ReWire.dll

    2012-12-25 01:44 . 2012-12-25 01:44 -------- d-----w- c:\users\Public\Waves Audio

    2012-12-25 01:41 . 2012-12-25 01:54 -------- d-----w- c:\program files (x86)\Waves

    2012-12-25 01:20 . 2012-12-25 01:20 -------- d-----w- c:\program files (x86)\Common Files\reFX

    2012-12-25 01:20 . 2012-12-25 01:20 1025 ----a-w- c:\windows\SysWow64\sysprs7.dll

    2012-12-25 01:20 . 2012-12-25 01:20 1025 ----a-w- c:\windows\SysWow64\clauth2.dll

    2012-12-25 01:20 . 2012-12-25 01:20 1025 ----a-w- c:\windows\SysWow64\clauth1.dll

    2012-12-25 01:17 . 2009-10-24 20:15 1332224 ----a-w- c:\windows\SysWow64\SYNSOEMU.DLL

    2012-12-25 01:13 . 2012-12-25 01:13 -------- d-----w- c:\program files (x86)\Common Files\SoundToys

    2012-12-25 01:13 . 2012-12-25 01:13 -------- d-----w- c:\program files (x86)\SoundToys

    2012-12-25 01:10 . 1999-12-17 08:13 86016 ----a-w- c:\windows\unvise32.exe

    2012-12-25 01:09 . 2012-12-25 01:09 -------- dc-h--w- c:\programdata\{E26B3878-7CEC-469C-B449-5CAA336DF8CD}

    2012-12-25 01:09 . 2012-12-25 01:09 -------- dc-h--w- c:\programdata\{C78336EC-F2EB-4640-99A4-DFE96581B90B}

    2012-12-25 01:08 . 2012-12-25 01:08 -------- dc-h--w- c:\programdata\{3006A797-CDFA-44FC-98EF-155579E2CDBF}

    2012-12-25 01:08 . 2012-12-25 01:09 -------- d-----w- c:\program files (x86)\Common Files\Native Instruments

    2012-12-25 01:08 . 2012-12-25 01:08 -------- d-----w- c:\program files\Common Files\Native Instruments

    2012-12-25 01:08 . 2012-12-25 01:08 -------- d-----w- c:\program files (x86)\Common Files\Digidesign

    2012-12-25 01:08 . 2012-12-25 01:09 -------- d-----w- c:\program files\Native Instruments

    2012-12-25 01:08 . 2012-12-25 01:08 -------- d-----w- c:\programdata\Native Instruments

    2012-12-25 01:06 . 2012-12-25 01:06 -------- d-----w- c:\program files (x86)\LiquidSonics

    2012-12-25 01:06 . 2012-12-25 01:06 -------- dc-h--w- c:\programdata\{A97DA822-7B29-4F18-A64A-BF94FFFE77FB}

    2012-12-25 01:02 . 2012-12-25 01:02 348160 ----a-w- c:\windows\SysWow64\msvcr71.dll

    2012-12-25 01:02 . 2012-12-25 01:02 1700352 ----a-w- c:\windows\SysWow64\gdiplus.dll

    2012-12-25 01:02 . 2012-12-25 01:02 1060864 ----a-w- c:\windows\SysWow64\mfc71.dll

    2012-12-25 00:57 . 2012-12-25 00:57 -------- d-----w- c:\program files (x86)\Cakewalk

    2012-12-25 00:57 . 2012-12-25 00:57 -------- d-----w- C:\Cakewalk Content

    2012-12-25 00:56 . 2012-12-25 13:02 -------- d-----w- c:\program files (x86)\Vstplugins

    2012-12-25 00:45 . 2012-12-25 00:45 -------- d-----w- c:\programdata\Ableton

    2012-12-25 00:44 . 2010-10-08 16:57 368640 ----a-w- c:\windows\SysWow64\ReWire.dll

    2012-12-25 00:44 . 2010-10-08 16:57 233472 ----a-w- c:\windows\SysWow64\REX Shared Library.dll

    2012-12-25 00:43 . 2012-12-25 00:43 -------- d-----w- c:\program files (x86)\Ableton

    2012-12-19 19:46 . 2012-12-19 19:46 -------- d-----w- c:\program files (x86)\Common Files\DVDVideoSoft

    2012-12-19 19:46 . 2012-12-19 19:46 -------- d-----w- c:\program files (x86)\DVDVideoSoft

    2012-12-18 18:08 . 2012-12-18 18:08 -------- d-----w- c:\program files (x86)\AGEIA Technologies

    2012-12-16 14:09 . 2012-12-16 14:46 -------- d-----w- c:\program files (x86)\Guild Wars 2

    2012-12-16 13:58 . 2012-07-03 22:25 31080 ----a-w- c:\windows\system32\nvhdap64.dll

    2012-12-16 13:58 . 2012-07-03 22:25 189288 ----a-w- c:\windows\system32\drivers\nvhda64v.sys

    2012-12-16 13:58 . 2012-07-03 14:37 1472360 ----a-w- c:\windows\system32\nvhdagenco6420103.dll

    2012-12-16 13:56 . 2012-12-31 06:43 -------- d-----w- c:\users\UpdatusUser

    2012-12-16 13:56 . 2013-01-06 02:01 -------- d-----w- c:\programdata\NVIDIA

    2012-12-16 13:55 . 2012-12-01 05:49 3663213 ----a-w- c:\windows\system32\nvcoproc.bin

    2012-12-16 13:55 . 2012-12-01 05:49 63336 ----a-w- c:\windows\system32\nvshext.dll

    2012-12-16 13:55 . 2012-12-01 05:49 118120 ----a-w- c:\windows\system32\nvmctray.dll

    2012-12-16 13:55 . 2012-12-01 05:49 890216 ----a-w- c:\windows\system32\nvvsvc.exe

    2012-12-16 13:55 . 2012-12-01 05:48 6223208 ----a-w- c:\windows\system32\nvcpl.dll

    2012-12-16 13:55 . 2012-12-01 05:48 3311464 ----a-w- c:\windows\system32\nvsvc64.dll

    2012-12-16 13:55 . 2012-08-30 16:18 2557800 ----a-w- c:\windows\system32\nvsvcr.dll

    2012-12-16 13:55 . 2012-12-16 13:55 -------- d-----w- c:\programdata\NVIDIA Corporation

    2012-12-14 19:45 . 2012-12-14 19:45 95904 ----a-w- c:\windows\system32\drivers\inspect.sys

    2012-12-14 19:45 . 2012-12-14 19:45 697960 ----a-w- c:\windows\system32\drivers\cmdguard.sys

    2012-12-14 19:45 . 2012-12-14 19:45 48512 ----a-w- c:\windows\system32\drivers\cmdhlp.sys

    2012-12-14 19:45 . 2012-12-14 19:45 23328 ----a-w- c:\windows\system32\drivers\cmderd.sys

    2012-12-14 19:45 . 2012-12-14 19:45 42856 ----a-w- c:\windows\system32\cmdcsr.dll

    2012-12-14 19:45 . 2012-12-14 19:45 453808 ----a-w- c:\windows\system32\guard64.dll

    2012-12-14 19:45 . 2012-12-14 19:45 350272 ----a-w- c:\windows\SysWow64\guard32.dll

    2012-12-14 19:45 . 2012-12-14 19:45 321744 ----a-w- c:\windows\system32\cmdvrt64.dll

    2012-12-14 19:45 . 2012-12-14 19:45 260304 ----a-w- c:\windows\SysWow64\cmdvrt32.dll

    2012-12-09 21:03 . 2012-12-09 21:03 -------- d-----w- C:\NVIDIA

    2012-12-09 15:18 . 2012-12-09 15:18 -------- d-----w- c:\program files\Nexus Mod Manager

    2012-12-09 14:57 . 2012-12-09 14:57 -------- d-----w- c:\program files (x86)\Common Files\Intel Corporation

    2012-12-09 14:43 . 2013-01-05 17:44 -------- d-----w- c:\program files (x86)\Common Files\Steam

    2012-12-09 14:42 . 2013-01-06 02:02 -------- d-----w- c:\program files (x86)\Steam

    2012-12-09 09:00 . 2012-12-09 09:00 -------- d-----w- c:\program files (x86)\Common Files\Adobe

    2012-12-09 08:57 . 2011-05-10 16:46 557848 ----a-w- c:\windows\system32\drivers\iaStor.sys

    2012-12-09 08:54 . 2012-12-09 08:54 -------- d-----w- c:\windows\AsDmiHtm

    .

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M section ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2012-12-04 08:41 . 2012-12-04 08:41 37976 ----a-w- c:\windows\SysWow64\drivers\CFRMD.sys

    2012-12-04 08:41 . 2012-12-04 08:41 37976 ----a-w- c:\windows\inf\CFRMD\cfrmd.sys

    2012-11-30 21:43 . 2012-11-30 21:43 438632 ----a-w- c:\windows\SysWow64\nvStreaming.exe

    2012-11-21 13:10 . 2012-11-21 13:10 3123272 ----a-r- c:\windows\SysWow64\pbsvc.exe

    2012-11-14 18:04 . 2012-11-14 18:04 55296 ----a-w- c:\windows\system32\dhcpcsvc6.dll

    2012-11-14 18:04 . 2012-11-14 18:04 44032 ----a-w- c:\windows\SysWow64\dhcpcsvc6.dll

    2012-11-14 18:04 . 2012-11-14 18:04 226816 ----a-w- c:\windows\system32\dhcpcore6.dll

    2012-11-14 18:04 . 2012-11-14 18:04 193536 ----a-w- c:\windows\SysWow64\dhcpcore6.dll

    2012-11-14 18:04 . 2012-11-14 18:04 3149824 ----a-w- c:\windows\system32\win32k.sys

    2012-11-14 18:03 . 2012-11-14 18:03 2048 ----a-w- c:\windows\SysWow64\tzres.dll

    2012-11-14 18:03 . 2012-11-14 18:03 2048 ----a-w- c:\windows\system32\tzres.dll

    2012-11-14 18:03 . 2012-11-14 18:03 70656 ----a-w- c:\windows\system32\nlaapi.dll

    2012-11-14 18:03 . 2012-11-14 18:03 569344 ----a-w- c:\windows\system32\iphlpsvc.dll

    2012-11-14 18:03 . 2012-11-14 18:03 52224 ----a-w- c:\windows\SysWow64\nlaapi.dll

    2012-11-14 18:03 . 2012-11-14 18:03 45568 ----a-w- c:\windows\system32\drivers\tcpipreg.sys

    2012-11-14 18:03 . 2012-11-14 18:03 303104 ----a-w- c:\windows\system32\nlasvc.dll

    2012-11-14 18:03 . 2012-11-14 18:03 246272 ----a-w- c:\windows\system32\netcorehc.dll

    2012-11-14 18:03 . 2012-11-14 18:03 216576 ----a-w- c:\windows\system32\ncsi.dll

    2012-11-14 18:03 . 2012-11-14 18:03 1914248 ----a-w- c:\windows\system32\drivers\tcpip.sys

    2012-11-14 18:03 . 2012-11-14 18:03 18944 ----a-w- c:\windows\SysWow64\netevent.dll

    2012-11-14 18:03 . 2012-11-14 18:03 18944 ----a-w- c:\windows\system32\netevent.dll

    2012-11-14 18:03 . 2012-11-14 18:03 175104 ----a-w- c:\windows\SysWow64\netcorehc.dll

    2012-11-14 18:03 . 2012-11-14 18:03 156672 ----a-w- c:\windows\SysWow64\ncsi.dll

    2012-11-14 18:02 . 2012-11-14 18:02 220160 ----a-w- c:\windows\system32\wintrust.dll

    2012-11-14 18:02 . 2012-11-14 18:02 172544 ----a-w- c:\windows\SysWow64\wintrust.dll

    2012-11-14 18:02 . 2012-11-14 18:02 715776 ----a-w- c:\windows\system32\kerberos.dll

    2012-11-14 18:02 . 2012-11-14 18:02 542208 ----a-w- c:\windows\SysWow64\kerberos.dll

    2012-11-14 18:02 . 2012-11-14 18:02 574464 ----a-w- c:\windows\system32\d3d10level9.dll

    2012-11-14 18:02 . 2012-11-14 18:02 490496 ----a-w- c:\windows\SysWow64\d3d10level9.dll

    2012-11-14 18:01 . 2012-11-14 18:01 1659760 ----a-w- c:\windows\system32\drivers\ntfs.sys

    2012-11-14 18:01 . 2012-11-14 18:01 376688 ----a-w- c:\windows\system32\drivers\netio.sys

    2012-11-14 18:01 . 2012-11-14 18:01 288624 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS

    2012-11-14 18:00 . 2012-11-14 18:00 503808 ----a-w- c:\windows\system32\srcore.dll

    2012-11-14 18:00 . 2012-11-14 18:00 43008 ----a-w- c:\windows\SysWow64\srclient.dll

    2012-11-14 18:00 . 2012-11-14 18:00 245760 ----a-w- c:\windows\system32\OxpsConverter.exe

    2012-11-14 17:59 . 2012-11-14 17:59 7680 ----a-w- c:\windows\SysWow64\instnm.exe

    2012-11-14 17:59 . 2012-11-14 17:59 6144 ---ha-w- c:\windows\SysWow64\api-ms-win-security-base-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 5120 ---ha-w- c:\windows\SysWow64\api-ms-win-core-file-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 5120 ---ha-w- c:\windows\system32\api-ms-win-core-file-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 5120 ----a-w- c:\windows\SysWow64\wow32.dll

    2012-11-14 17:59 . 2012-11-14 17:59 4608 ---ha-w- c:\windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 4608 ---ha-w- c:\windows\SysWow64\api-ms-win-core-processthreads-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 4608 ---ha-w- c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 44032 ----a-w- c:\windows\apppatch\acwow64.dll

    2012-11-14 17:59 . 2012-11-14 17:59 424448 ----a-w- c:\windows\system32\KernelBase.dll

    2012-11-14 17:59 . 2012-11-14 17:59 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-sysinfo-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-synch-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-misc-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-localregistry-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-localization-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 4096 ---ha-w- c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 4096 ---ha-w- c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 362496 ----a-w- c:\windows\system32\wow64win.dll

    2012-11-14 17:59 . 2012-11-14 17:59 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-processenvironment-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-namedpipe-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-memory-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-libraryloader-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-interlocked-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-heap-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 3584 ---ha-w- c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 3584 ---ha-w- c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 3584 ---ha-w- c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 3584 ---ha-w- c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 3584 ---ha-w- c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 3584 ---ha-w- c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 3584 ---ha-w- c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 338432 ----a-w- c:\windows\system32\conhost.exe

    2012-11-14 17:59 . 2012-11-14 17:59 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-util-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-string-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-rtlsupport-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-profile-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-io-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-handle-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-fibers-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-errorhandling-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-delayload-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-debug-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-datetime-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-console-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 3072 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 3072 ---ha-w- c:\windows\system32\api-ms-win-core-string-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 3072 ---ha-w- c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 3072 ---ha-w- c:\windows\system32\api-ms-win-core-io-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 3072 ---ha-w- c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 3072 ---ha-w- c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 3072 ---ha-w- c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 3072 ---ha-w- c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 3072 ---ha-w- c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 3072 ---ha-w- c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 3072 ---ha-w- c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 3072 ---ha-w- c:\windows\system32\api-ms-win-core-console-l1-1-0.dll

    2012-11-14 17:59 . 2012-11-14 17:59 274944 ----a-w- c:\windows\SysWow64\KernelBase.dll

    2012-11-14 17:59 . 2012-11-14 17:59 25600 ----a-w- c:\windows\SysWow64\setup16.exe

    2012-11-14 17:59 . 2012-11-14 17:59 243200 ----a-w- c:\windows\system32\wow64.dll

    .

    .

    ((((((((((((((((((((((((((((((((((((( Registry startup entries ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries and legitimate default entries are not shown

    REGEDIT4

    .

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2012-11-06 3673728]

    "Steam"="c:\program files (x86)\Steam\Steam.exe" [2012-12-09 1354736]

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

    "IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2011-05-19 284440]

    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]

    .

    c:\users\Michal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

    Calc.lnk - c:\windows\System32\calc.exe [2009-7-14 918528]

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

    "ConsentPromptBehaviorAdmin"= 0 (0x0)

    "ConsentPromptBehaviorUser"= 3 (0x3)

    "EnableLUA"= 0 (0x0)

    "EnableUIADesktopToggle"= 0 (0x0)

    "PromptOnSecureDesktop"= 0 (0x0)

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

    "HideSCAHealth"= 1 (0x1)

    .

    R1 CFRMD;CFRMD;c:\windows\system32\DRIVERS\CFRMD.sys [x]

    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

    R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-05-19 13592]

    R3 cmdvirth;COMODO Virtual Service Manager;c:\program files\COMODO\COMODO Internet Security\cmdvirth.exe [2012-12-14 158928]

    R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]

    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-11-14 19456]

    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [2010-11-21 88960]

    R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2012-11-14 29696]

    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-11-14 57856]

    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2012-11-14 30208]

    R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-21 117248]

    R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]

    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-11-14 1255736]

    S1 aswSnx;aswSnx; [x]

    S1 aswSP;aswSP; [x]

    S1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\DRIVERS\cmderd.sys [2012-12-14 23328]

    S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2012-12-14 697960]

    S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2012-12-14 48512]

    S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-12-07 283200]

    S2 aswFsBlk;aswFsBlk; [x]

    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-10-30 71600]

    S2 CLPSLauncher;COMODO LPS Launcher;c:\program files (x86)\Common Files\Comodo\launcher_service.exe [2012-11-01 70352]

    S2 GeekBuddyRSP;GeekBuddy Remote Screen Protocol;c:\program files (x86)\Common Files\Comodo\GeekBuddyRSP.exe [2012-10-31 1467088]

    S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-14 398184]

    S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-14 682344]

    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-11-30 382824]

    S3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\DRIVERS\asmthub3.sys [2011-11-03 130536]

    S3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\DRIVERS\asmtxhci.sys [2011-11-03 395752]

    S3 MAUSBFASTTRACKULTRA;Service for M-Audio Fast Track Ultra;c:\windows\system32\DRIVERS\MAudioFastTrackUltra.sys [2011-01-11 197424]

    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-12-14 24176]

    S3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\DRIVERS\MijXfilt.sys [2011-08-29 117520]

    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-05-16 533096]

    .

    .

    --- Other Services/Drivers in Memory ---

    .

    *NewlyCreated* - WS2IFSL

    .

    Contents of the 'Scheduled Tasks' folder

    .

    2013-01-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-12-07 20:12]

    .

    2013-01-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-12-07 20:12]

    .

    .

    --------- X64 Entries -----------

    .

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

    @="{472083B0-C522-11CF-8763-00608CC02F24}"

    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

    2012-10-30 22:50 133400 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "M-Audio Taskbar Icon"="c:\windows\system32\M-AudioTaskBarIcon.exe" [2011-01-11 809264]

    "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cistray.exe" [2012-12-14 1447632]

    .

    ------- Supplementary Scan -------

    .

    uLocal Page = c:\windows\system32\blank.htm

    mLocal Page = c:\windows\SysWOW64\blank.htm

    IE: Free YouTube to MP3 Converter - c:\users\Michal\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm

    TCP: DhcpNameServer = 192.168.1.1

    TCP: Interfaces\{8E6653D6-5F6B-44D7-A31D-5EF05C3A1016}: NameServer = 8.26.56.26,156.154.70.22

    .

    - - - - REMOVED EMPTY ENTRIES - - - -

    .

    Wow6432Node-HKLM-Run-tvncontrol - c:\program files (x86)\Common Files\Comodo\tvnserver.exe

    .

    .

    .

    --------------------- LOCKED REGISTRY KEYS ---------------------

    .

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

    @Denied: (Full) (Everyone)

    .

    ------------------------ Other running processes ------------------------

    .

    c:\program files\AVAST Software\Avast\AvastSvc.exe

    c:\windows\SysWOW64\PnkBstrA.exe

    c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe

    .

    **************************************************************************

    .

    Czas ukończenia: 2013-01-06 03:05:23 - komputer został uruchomiony ponownie

    ComboFix-quarantined-files.txt 2013-01-06 02:05

    .

    Przed: 247 139 655 680 bytes free

    Po: 246 849 077 248 bytes free

    .

    - - End Of File - - 0F6905A73A57E648C0EDBDECFA83CF56

  3. I did those steps about the RogueKiller.

    Anti-rootkit didn't find anything, same as before. However, I don't have the possibility now to check if that problem still occurs. I am not in the Netherlands and the malware seems to activate only there. But before, the anti-rootkit also didn't find any malware, so most probably, when I plug the cable in in the Netherlands, svchost will come back again. Is it a malware that reacts only to one IP? Or how can I understand that?

  4. Okay, I uninstalled uTorrent. Here is the report from RogueKiller:

    RogueKiller V8.4.2 [Dec 31 2012] by Tigzy

    mail : tigzyRK<at>gmail<dot>com

    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

    Website : http://tigzy.geekstogo.com/roguekiller.php

    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

    Started in : Normal mode

    User : Michal [Admin rights]

    Mode : Scan -- Date : 01/06/2013 01:49:58

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 10 ¤¤¤

    [RUN][sUSP PATH] HKLM\[...]\Wow6432Node\Run : Adobe (C:\ProgramData\Adobe\EFB01.vbe) -> FOUND

    [sTARTUP][sUSP PATH] LaunchLater.lnk @Michal : C:\Users\Michal\AppData\Roaming\Microsoft\Installer\{B16D2B97-0EAE-44A2-87EA-D6E34A18D4B2}\_DB477A4B1562BA9DC400CD.exe -> FOUND

    [DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{8E6653D6-5F6B-44D7-A31D-5EF05C3A1016} : NameServer (8.26.56.26,156.154.70.22) -> FOUND

    [DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{8E6653D6-5F6B-44D7-A31D-5EF05C3A1016} : NameServer (8.26.56.26,156.154.70.22) -> FOUND

    [HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

    [HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND

    [HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

    [HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND

    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED] ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤

    --> C:\Windows\system32\drivers\etc\hosts

    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: WDC WD20EARX-00PASB0 +++++

    --- User ---

    [MBR] 7b20f67738d1cca27d76cac5d12c3523

    [bSP] 1200eaf1ec9ef500c1c3a9c1940672d7 : Windows 7/8 MBR Code

    Partition table:

    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 499899 Mo

    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1024000000 | Size: 1407728 Mo

    User = LL1 ... OK!

    User = LL2 ... OK!

    Finished : << RKreport[1]_S_01062013_02d0149.txt >>

    RKreport[1]_S_01062013_02d0149.txt

  5. So, the initial problem was that Windows Firewall turned itself off. I read on the internet that this can be fixed by enabling it again in services.msc, so I did that, and yeah, it worked. But the next time I started my computer I noticed that it happened again, so I thought - virus. But even full scans with avast didn't find anything, so I read some articles on the internet, and I learned that this is a malware problem.

    I downloaded rKill, I downloaded Malwarebytes software. I found out that rKill is terminating one svchost process, and this process doesn't have Microsoft copyrights, and in the task manager it looks like this: svchost.exe*32, unlike the rest, which don't have the *32 tag. Then I ran a scan with Malwarebytes software and it removed the svchost.exe responsible for the suspicious process. It's located in C:/Users/[username]/AppData/Local/Temp/svchost.exe

    I was scared, so I installed a third-party firewall from COMODO right away. I rebooted my computer with the new firewall (take note that my network cable was unplugged then). The svchost.exe was no longer in the temp folder, so, with the new firewall, I decided to plug the cable back in. Then I noticed that after plugging it in, the file generated itself again, and the COMODO firewall showed me that it was trying to connect to the internet. I blocked this and made a rule for that. And it happens every time. I also tried to remove the file manually, change its extension, everything that came to my mind, with no success. I installed some anti-rootkit software from Malwarebytes, but it found nothing. I will make a quick summary of what I've done:

    - rKill, terminates the process only when connected to internet

    - malwarebytes scan, removes svchost.exe from appdata/temp only after rKill

    - anti-rootkit scan, nothing found

    - antivirus scan, through and before loading the system, nothing

    - TDSSKiller finds nothing (program I found somewhere that was supposed to help)

    All these steps were done in safe mode with networking, with the cable unplugged, with the cable plugged in, in normal Windows mode, also with both cable versions.

    I ended up with the rule that blocks the connection and with a LaunchLater program that launches rKill 10 seconds after booting, because with normal startup rKill was sometimes running too early, before the bad svchost had even started.

    And now the last thing - right now. I am using my desktop computer in another country, with a different internet provider. I connected the internet cable a few minutes ago, and the bad svchost is NOT THERE. rKill finds nothing. And before I left, I checked one last time, and the problem was still there; the computer is 100% still infected. I didn't even turn on the computer since then (about 24 hours ago). But it activates only when I am connecting a cable at home in the Netherlands, nowhere else. That's most strange to me.

    Please, any genius, help me with this.

    Sorry for my grammar, English is not my native language.

    dds.txt

    attach.txt
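    An added check for the situation described in this post (example code, not the poster's or any of the named tools'): it lists every running svchost.exe that does not live in the Windows image directories or is not validly signed, which is what the copy in AppData\Local\Temp without a Microsoft copyright would trip, and then shows the network endpoints those processes hold, since the bad copy only became active with the cable plugged in. It assumes Windows PowerShell 3 or later run as Administrator.

```powershell
# Added example for this thread (not the poster's or any tool's code): list svchost.exe
# processes that do not come from the Windows image directories or are not validly signed.
# The thread's suspect copy ran from %LOCALAPPDATA%\Temp, showed as svchost.exe*32 (a
# 32-bit process on 64-bit Windows) and carried no Microsoft copyright string.
# Assumes Windows PowerShell 3+ run as Administrator (needed to read other users' processes).

$legitDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

function Get-SuspiciousSvchost {
    Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
        $path = $_.ExecutablePath
        if (-not $path) { return }                 # protected process: path not readable, skip
        $dir  = Split-Path -Path $path -Parent
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $info = (Get-Item -LiteralPath $path).VersionInfo
        $signer = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

        [PSCustomObject]@{
            ProcessId  = $_.ProcessId
            ParentId   = $_.ParentProcessId
            Path       = $path
            Copyright  = $info.LegalCopyright       # empty on the Temp-folder copy in the thread
            SigStatus  = $sig.Status                # 'Valid' for the real Microsoft binary
            Signer     = $signer
            Suspicious = ($legitDirs -notcontains $dir) -or ($sig.Status -ne 'Valid')
        }
    }
}

# Show only the flagged instances, then the sockets each one holds open.
$flagged = Get-SuspiciousSvchost | Where-Object { $_.Suspicious }
$flagged | Format-List

foreach ($p in $flagged) {
    # netstat -ano works on Windows 7; Get-NetTCPConnection needs Windows 8 or later.
    netstat -ano | Select-String -Pattern "\s$($p.ProcessId)\s*$"
}
```

    Running it with the cable unplugged and again after plugging it in makes the difference the post describes visible in one listing.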

  6. Actually, there is nothing I can find in the task manager that could be chewing up my resources. My processor is at 1%, and physical memory at 14%. Nothing special happens there. I've got an i5 2500k at 3.3 GHz and 16 GB RAM. I always try to keep startup as clean as possible so as not to run too many applications at once. There is one svchost that is taking between 287k - 320k of memory, changing randomly. None of these processes is detected as malware either.

  7. Hi everyone.

    I'm having a strange problem here with my mouse. It's a wireless Logitech M305. What I've noticed for a couple of days is that from time to time the mouse cursor stops for a split second as I move it around the screen. For example, I move it to the right, it stops at one point, and as I continue to push it right, it eventually starts working again. The strangest thing about this problem is that when that happens, it's only at one point on the screen. To explain it better, I will give an example: let's say there is a red dot in the centre of my desktop. I am moving the cursor left and right through that dot, and eventually the problem occurs - the mouse freezes on the red dot, I push it further, it works again, but when I go back with the cursor to the dot, it freezes again in exactly the same spot. Let's say I repeat it 3 or 4 times, and then suddenly the mouse works fine in this spot, but after a few minutes it happens again, in a different place on the screen. In the beginning I thought my batteries were empty, so I changed them for new ones. But it didn't help. I am not using any programs that change cursors, or skins, or anything else. No effects on the cursor. Anyone have any idea what it could be? Maybe a hardware issue? But why does it happen only in one spot on the screen?
