
MBAM picked up a few Trojans



Hello all, did an MBAM scan and it picked up a few Trojans yesterday. I did a second scan today because I was helping a friend of mine with his MBAM and noticed there was another update, so I did another quick scan. Both logs are pasted in. Username and PC name have been changed as a precaution.

----

Malwarebytes Anti-Malware 1.60.1.1000

www.malwarebytes.org

Database version: v2012.05.16.08

Windows 7 Service Pack 1 x86 NTFS

Internet Explorer 9.0.8112.16421

username :: pcname [administrator]

5/16/2012 4:34:12 PM

mbam-log-2012-05-16 (16-34-12).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 199770

Time elapsed: 1 minute(s), 54 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 1

HKCU\Software\DC3_FEXEC (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 1

C:\Users\username\AppData\Local\Temp\dclogs (Stolen.Data) -> Quarantined and deleted successfully.

Files Detected: 7

C:\Users\username\AppData\Local\Temp\archivezz.exe (Trojan.P2P.Worm) -> Quarantined and deleted successfully.

C:\Users\username\Local Settings\Temporary Internet Files\Content.IE5\WMC2FB93\archivezz[1].exe (Trojan.P2P.Worm) -> Quarantined and deleted successfully.

C:\Users\username\AppData\Local\Temp\dclogs\2012-05-12-7.dc (Stolen.Data) -> Quarantined and deleted successfully.

C:\Users\username\AppData\Local\Temp\dclogs\2012-05-16-4.dc (Stolen.Data) -> Quarantined and deleted successfully.

C:\Windows\Temp\Volume.exe (Backdoor.Agent) -> Quarantined and deleted successfully.

C:\Users\username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soundfx .exe (Backdoor.Agent) -> Quarantined and deleted successfully.

C:\Users\username\AppData\Local\Temp\Soundfx .exe (Backdoor.Agent) -> Quarantined and deleted successfully.

(end)

Second log:

Malwarebytes Anti-Malware 1.61.0.1400

www.malwarebytes.org

Database version: v2012.05.17.08

Windows 7 Service Pack 1 x86 NTFS

Internet Explorer 9.0.8112.16421

username :: pcname [administrator]

5/17/2012 1:01:02 PM

mbam-log-2012-05-17 (13-01-02).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 201994

Time elapsed: 1 minute(s), 28 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

Is there anything I need to do to make sure this thing is gone? I've run a full scan of the C:\ drive using MSE and Avira and they both came up clean after this.

Forgot to mention that I ran dds.scr and ComboFix. I know we shouldn't run ComboFix before doing anything, but I felt a bit paranoid so decided to Google some posts from this forum and did a few precautionary things.

Anyway here are the two files from dds.scr.

Argh, sorry, learned I can just copy-paste the logs in. Here you go:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.4.0

Run by username at 13:17:23 on 2012-05-17

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\nvvsvc.exe

C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

C:\Windows\system32\nvvsvc.exe

C:\Windows\System32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

F:\Apache 2.2\bin\httpd.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe

F:\Apache 2.2\bin\httpd.exe

C:\Program Files\NetLimiter 3\nlsvc.exe

C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskhost.exe

C:\Program Files\MSI Afterburner\MSIAfterburner.exe

C:\Windows\Explorer.EXE

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Unlocker\UnlockerAssistant.exe

C:\Program Files\Eraser\Eraser.exe

C:\Windows\WindowsMobile\wmdc.exe

C:\Program Files\Keybreeze\Keybreeze.exe

C:\Program Files\HTC\HTC Sync 3.0\htcUPCTLoader.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

U:\Steam\Steam.exe

C:\Program Files\Unified Remote\RemoteServer.exe

C:\Program Files\NetLimiter 3\NLClientApp.exe

S:\Web Downloads\HotSwap! 5.0.0.0\32bit\HotSwap!.EXE

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe

F:\Apache 2.2\bin\ApacheMonitor.exe

C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE

C:\Users\username\AppData\Roaming\Dropbox\bin\Dropbox.exe

C:\Program Files\AutoHotkey\AutoHotkey.exe

C:\Program Files\Xfire\Xfire.exe

C:\Program Files\Logitech\SetPointG\SetPointII.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosHdpProc.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Thunderbird\thunderbird.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

S:\Web Downloads\dds.scr

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k apphost

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\svchost.exe -k iissvcs

C:\Windows\system32\svchost.exe -k WindowsMobile

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: ExplorerBHO Class: {449d0d6e-2412-4e61-b68f-1cb625cd9e52} - c:\program files\classic shell\ClassicExplorer32.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll

BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll

BHO: ClassicIE9BHO Class: {ea801577-e6ad-4bd5-8f71-4be0154331a4} - c:\program files\classic shell\ClassicIE9DLL_32.dll

TB: Classic Explorer Bar: {553891b7-a0d5-4526-be18-d3ce461d6310} - c:\program files\classic shell\ClassicExplorer32.dll

uRun: [steam] "u:\steam\steam.exe" -silent

uRun: [unified Remote v2] c:\program files\unified remote\RemoteServer.exe

uRun: [NetLimiter] c:\program files\netlimiter 3\NLClientApp.exe /tray

uRun: [HotSwap! Applet] "s:\web downloads\hotswap! 5.0.0.0\32bit\HotSwap!.EXE"

uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun

mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"

mRun: [unlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"

mRun: [Eraser] "c:\progra~1\eraser\Eraser.exe" --atRestart

mRun: [Windows Mobile Device Center] c:\windows\windowsmobile\wmdc.exe

mRun: [Keybreeze] c:\program files\keybreeze\Keybreeze.exe /a

mRun: [iTSecMng] c:\program files\toshiba\bluetooth toshiba stack\ItSecMng.exe /START

mRun: [AmazonGSDownloaderTray] c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderTray.exe

mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe

mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [HTC Sync Loader] "c:\program files\htc\htc sync 3.0\htcUPCTLoader.exe" -startup

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office11\EXCEL.EXE/3000

IE: {56753E59-AF1D-4FBA-9E15-31557124ADA2} - c:\program files\classic shell\ClassicIE9_32.exe

IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll

IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll

IE: {64964764-1101-4bbd-8891-B56B1A53B9B3} - {553891B7-A0D5-4526-BE18-D3CE461D6310} - c:\program files\classic shell\ClassicExplorer32.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office11\REFIEBAR.DLL

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab

DPF: {99FE5072-78AA-4FEE-89BA-69A5FA55343F} - hxxp://download.microsoft.com/download/B/3/A/B3A2EA73-793D-4ABE-992D-C81140384044/igdtoolx.cab

DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab

DPF: {CAFEEFAC-0017-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{820E3859-17B5-42E9-95E6-4AD1FEE7A169} : NameServer = 8.8.8.8,8.8.4.4

TCP: Interfaces\{820E3859-17B5-42E9-95E6-4AD1FEE7A169} : DhcpNameServer = 192.168.1.1

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\username\appdata\roaming\mozilla\firefox\profiles\zvfbcchj.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

.

============= SERVICES / DRIVERS ===============

.

R? ALSysIO;ALSysIO

R? Amazon Download Agent;Amazon Download Agent

R? b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0

R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86

R? HTCAND32;HTC Device Driver

R? htcnprot;HTC NDIS Protocol Driver

R? MozillaMaintenance;Mozilla Maintenance Service

R? NLNdisPT;NetLimiter Ndis Protocol Service

R? npggsvc;nProtect GameGuard Service

R? NVHDA;Service for NVIDIA High Definition Audio Driver

R? rspAux;rspAux

R? StorSvc;Storage Service

R? TsUsbFlt;TsUsbFlt

R? vpcuxd;USB Virtualization Stub Service

R? WatAdminSvc;Windows Activation Technologies Service

R? WSDPrintDevice;WSD Print Support via UMB

S? AntiVirSchedulerService;Avira Scheduler

S? AntiVirService;Avira Realtime Protection

S? Apache2.2;Apache2.2

S? avgntflt;avgntflt

S? avkmgr;avkmgr

S? cpuz133;cpuz133

S? cpuz134;cpuz134

S? dtsoftbus01;DAEMON Tools Virtual Bus Driver

S? EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM)

S? ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver

S? MayPro;TigerGame SuperJoy Box Pro Filter Service

S? MBAMSwissArmy;MBAMSwissArmy

S? MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver

S? NLNdisMP;NLNdisMP

S? nltdi;nltdi

S? PassThru Service;Internet Pass-Through Service

S? RTCore32;RTCore32

S? RTL8167;Realtek 8167 NT Driver

.

=============== Created Last 30 ================

.

2012-05-17 22:51:00 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2012-05-17 05:17:47 -------- d-----w- c:\users\username\appdata\roaming\Avira

2012-05-17 05:13:29 83392 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2012-05-17 05:13:29 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys

2012-05-17 05:13:27 -------- d-----w- c:\programdata\Avira

2012-05-17 05:13:27 -------- d-----w- c:\program files\Avira

2012-05-17 03:59:05 -------- d-----w- c:\program files\ESET

2012-05-17 03:21:05 -------- d-----w- C:\$RECYCLE.BIN

2012-05-17 03:15:43 98816 ----a-w- c:\windows\sed.exe

2012-05-17 03:15:43 518144 ----a-w- c:\windows\SWREG.exe

2012-05-17 03:15:43 256000 ----a-w- c:\windows\PEV.exe

2012-05-17 03:15:43 208896 ----a-w- c:\windows\MBR.exe

2012-05-17 03:15:40 -------- d-----w- C:\ComboFix

2012-05-17 02:45:20 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-05-17 02:45:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-05-17 00:40:10 -------- d-----w- c:\programdata\Kaspersky Lab

2012-05-16 04:58:15 -------- d-----w- c:\users\username\appdata\local\SRKX

2012-05-10 23:38:26 -------- d-----w- c:\program files\Sony

2012-05-10 10:31:34 -------- d-----w- c:\program files\Handbrake

2012-05-10 09:30:08 -------- d-----w- c:\program files\VirtualDub-1.10.1

2012-05-09 01:15:06 989184 ----a-w- c:\program files\windows journal\JNTFiltr.dll

2012-05-09 01:15:06 969216 ----a-w- c:\program files\windows journal\JNWDRV.dll

2012-05-09 01:15:06 936960 ----a-w- c:\program files\common files\microsoft shared\ink\journal.dll

2012-05-09 01:15:06 1221632 ----a-w- c:\program files\windows journal\NBDoc.DLL

2012-05-09 01:15:05 1291632 ----a-w- c:\windows\system32\drivers\tcpip.sys

2012-05-09 01:14:46 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe

2012-05-09 01:14:45 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-05-09 01:14:45 2343424 ----a-w- c:\windows\system32\win32k.sys

2012-05-09 01:14:45 1077248 ----a-w- c:\windows\system32\DWrite.dll

2012-05-09 01:14:39 56176 ----a-w- c:\windows\system32\drivers\partmgr.sys

2012-05-07 01:10:17 -------- d-----w- c:\users\username\appdata\local\Google

2012-05-06 04:38:46 -------- d-----w- c:\programdata\id Software

2012-05-04 02:52:36 -------- d-----w- c:\users\username\appdata\roaming\RenPy

2012-05-01 07:32:19 -------- d-----w- c:\program files\Radiodelay

2012-05-01 04:37:43 -------- d-----w- c:\users\username\appdata\local\CRE

2012-05-01 04:37:42 -------- d-----w- c:\program files\Conduit

2012-05-01 04:37:41 -------- d-----w- c:\users\username\appdata\local\Conduit

2012-04-27 03:58:43 61440 ----a-w- c:\windows\system32\ASIW32N50.dll

2012-04-27 03:58:43 16302 ----a-w- c:\windows\system32\ASINDIS5.sys

2012-04-27 03:58:43 15577 ----a-w- c:\windows\system32\ASINDIS3.vxd

2012-04-27 03:58:43 -------- d-----w- c:\program files\ASUS

2012-04-27 03:58:37 729088 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iKernel.dll

2012-04-27 03:58:37 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\ctor.dll

2012-04-27 03:58:37 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\DotNetInstaller.exe

2012-04-27 03:58:37 32768 ----a-w- c:\program files\common files\installshield\professional\runtime\Objectps.dll

2012-04-27 03:58:37 266240 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iscript.dll

2012-04-27 03:58:37 192512 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iuser.dll

2012-04-27 03:58:30 188548 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iGdi.dll

2012-04-27 03:58:29 311428 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\setup.dll

2012-04-25 02:44:16 -------- d-----w- c:\program files\Mozilla Maintenance Service

2012-04-25 02:44:15 157352 ----a-w- c:\program files\mozilla firefox\maintenanceservice_installer.exe

2012-04-25 02:44:15 129976 ----a-w- c:\program files\mozilla firefox\maintenanceservice.exe

2012-04-18 08:13:14 -------- d-----w- c:\program files\SplitMediaLabs

.

==================== Find3M ====================

.

2012-05-17 00:53:37 772552 ----a-w- c:\windows\system32\npdeployJava1.dll

2012-05-17 00:53:37 687560 ----a-w- c:\windows\system32\deployJava1.dll

2012-05-09 23:15:37 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-05-09 23:15:37 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-03-14 23:06:08 42392 ----a-w- c:\windows\system32\xfcodec.dll

2012-03-01 05:46:57 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys

2012-03-01 05:37:41 172544 ----a-w- c:\windows\system32\wintrust.dll

2012-03-01 05:33:23 159232 ----a-w- c:\windows\system32\imagehlp.dll

2012-03-01 05:29:16 5120 ----a-w- c:\windows\system32\wmi.dll

2012-02-28 01:18:55 1799168 ----a-w- c:\windows\system32\jscript9.dll

2012-02-28 01:11:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl

2012-02-28 01:11:07 1127424 ----a-w- c:\windows\system32\wininet.dll

2012-02-28 01:03:16 2382848 ----a-w- c:\windows\system32\mshtml.tlb

.

============= FINISH: 13:10:36.08 ===============

.

==== Installed Programs ======================

.

AaAaAA!!! - A Reckless Disregard for Gravity

AaaaaAAaaaAAAaaAAAAaAAAAA!!! for the Awesome

Adobe AIR

Adobe Flash Player 10 ActiveX

Adobe Flash Player 11 Plugin

Adobe Reader 9.5.1

AI War: Fleet Command

Alien Swarm

Amazon Games & Software Downloader

AMIP (remove only)

Analogue: A Hate Story Demo

And Yet It Moves

Apache HTTP Server 2.2.21

Assassin's Creed II

ASUS WL-330gE Wireless AP

Audacity 1.3.14 (Unicode)

AutoHotkey 1.0.48.05

AutoIt v3.3.6.1

Avadon: The Black Fortress

Avira Free Antivirus

Bastion

Beat Hazard

BEEP

Beyond Good & Evil

BioShock

BioShock 2

BIT.TRIP BEAT

BIT.TRIP RUNNER

Bitcoin

BitTornado 0.3.18

Blueberry Garden

Bluetooth Stack for Windows by Toshiba

Blur

Borderlands

Botanicula

Braid

Burnout Paradise The Ultimate Box

CamStudio

Cargo! - The quest for gravity Demo

CCleaner

Charles

Classic Shell

CleanMem

Clipboard Monitor

CodeBlocks

Combined Community Codec Pack 2011-11-11

Compatibility Pack for the 2007 Office system

Consolas Font Family

Core Temp version 0.99.7

Counter-Strike: Source

CPUID CPU-Z 1.56

CPUID HWMonitor 1.16

Crysis 2 Demo

CrystalDiskInfo 4.1.4

DAEMON Tools Lite

Darkspore Beta

Darwinia

Data Lifeguard Diagnostic for Windows

DEFCON

Defense Grid: The Awakening

Deus Ex: Game of the Year Edition

Deus Ex: Human Revolution

DEVIL MAY CRY 4

Diablo III Beta

Divine Divinity

Divinity II - The Dragon Knight Saga

DLC Quest

Doc Clock: The Toasted Sandwich of Time

DogFighter

Dropbox

Droplitz

Dual-Core Optimizer

Duke Nukem Forever

Dungeons of Dredmor

Dwarfs!?

EasyBCD 2.0

EDGE

Eraser 6.0.6.1376

eReg

Fate of the World

FFmpeg for Audacity on Windows

File Renamer - Basic

FileMind QuickFix

FileZilla Client 3.5.3

FINAL FANTASY XIV

Flight Control HD

Foreign Legion: Buckets of Blood

Foxit Reader

Fraps (remove only)

FreeProxy version 4.10

Frozen Synapse

Garry's Mod

Geometry Wars: Retro Evolved

GrayWall 1

Greed Corp

GTK+ 2.10.13 runtime environment

Half-Life 2

Half-Life 2: Deathmatch

Half-Life 2: Episode One

Half-Life 2: Episode Two

Half-Life 2: Lost Coast

HandBrake 0.9.6

HD Tune 2.55

HD Tune Pro 4.50

Hex Workshop v6

HiJackThis

HP USB Disk Storage Format Tool

HTC BMP USB Driver

HTC Driver Installer

HTC Sync

HxD Hex Editor version 1.7.7.0

Hydrophobia: Prophecy

Inside a Star-filled Sky

Intel® Solid-State Drive Toolbox

IrfanView (remove only)

Iron Grip: Warlord

Jamestown

Japanese Fonts Support For Adobe Reader 9

Java Auto Updater

Java 6 Update 32

Java 7 Update 4

JavaFX 2.0.3

JDownloader

Just Cause 2

Keybreeze

Killing Floor

Lame ACM MP3 Codec

LAME v3.98.3 for Audacity

LatencyMon 2.03

Left 4 Dead

Left 4 Dead 2

LibreOffice 3.4

LibreOffice 3.4 Help Pack (English)

LIMBO

Logitech SetPoint 6.0

Lumines

Machinarium

Magic: The Gathering – Duels of the Planeswalkers 2012

Magicka

Malwarebytes Anti-Malware version 1.61.0.1400

ManyCam 2.4 (remove only)

Mass Effect

Mass Effect 2

MatrixEngine

Medal of Honor™ MP Beta

MediaInfo 0.7.34

Microsoft .NET Compact Framework 3.5

Microsoft .NET Framework 4 Client Profile

Microsoft .NET Framework 4 Extended

Microsoft AppLocale

Microsoft Flight

Microsoft Games for Windows - LIVE Redistributable

Microsoft Games for Windows Marketplace

Microsoft Office File Validation Add-In

Microsoft Office Professional Edition 2003

Microsoft Office Project Professional 2003

Microsoft Office Visio Professional 2003

Microsoft SQL Server Compact 3.5 ENU

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

Microsoft Windows Application Compatibility Database

Microsoft XNA Framework Redistributable 3.0

Microsoft XNA Framework Redistributable 3.1

Microsoft XNA Framework Redistributable 4.0

Mirror's Edge

MonitorTest V3.0

Moonbase Alpha

MotioninJoy ds3 driver version 0.6.0005

Mozilla Firefox 12.0 (x86 en-US)

Mozilla Maintenance Service

Mozilla Thunderbird 12.0.1 (x86 en-US)

MSI Afterburner 2.0.0

MSVCRT Redists

MSXML 4.0 SP3 Parser

MSXML 4.0 SP3 Parser (KB973685)

Multiwinia

Need for Speed Hot Pursuit

Need for Speed: SHIFT

Need For Speed™ World

NetLimiter 3

Nexus Mod Manager

Nimbus

NirSoft ShellExView

Noitu Love 2 Devolution

Notepad++

NVIDIA Control Panel 295.73

NVIDIA Graphics Driver 295.73

NVIDIA Install Application

NVIDIA PhysX

NVIDIA PhysX System Software 9.12.0209

Oddworld: Abe's Oddysee

OpenAL

Oracle VM VirtualBox 4.0.12

Orcs Must Die!

Osmos

Painkiller: Black Edition

Peggle Extreme

PHANTASY STAR ONLINE 2

PHANTASY STAR ONLINE 2 キャラクタークリエイト体験版

Plain Sight

PlayOnline Viewer & Tetra Master

Portal

PowerISO

PSP ISO Compressor

Psychonauts

Puzzle Agent

Puzzle Agent 2

Puzzle Dimension

QT Lite 4.1.0

Quake Live Mozilla Plugin

QuantZ

Radiodelay (remove only)

Rapture Resource Manager

Real Alternative 2.0.2 Lite

Recettear: An Item Shop's Tale

RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition

Rock of Ages

RUSH

Rusty Hearts

S.T.A.L.K.E.R.: Call of Pripyat

SABnzbd (remove only)

Saira

Sanctum

SeaTools for Windows

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Extended (KB2416472)

Security Update for Microsoft .NET Framework 4 Extended (KB2487367)

Security Update for Microsoft .NET Framework 4 Extended (KB2656351)

SEGA Genesis & Mega Drive Classics

Sequence

Serious Sam 3: BFE

Serious Sam HD: The First Encounter

Serious Sam HD: The Second Encounter

Shadowgrounds

Shadowgrounds Editor

Shadowgrounds: Survivor

Shatter

ShiftWindow 1.02

Sid Meier's Civilization V

SkyDrift

Skype™ 5.3

Solar 2

Space Pirates and Zombies

SpaceChem

Speccy

SpeedFan (remove only)

Spiral Knights

SSDlife Free

Steam

Street Fighter X Tekken

Super Meat Boy

SUPER STREET FIGHTER IV: ARCADE EDITION

Supercade

Swords and Soldiers HD

System Requirements Lab

Team Fortress Classic

Terraria

The Binding Of Isaac

The Polynomial

The Tiny Bang Story

The Witcher: Enhanced Edition

The Wonderful End of the World

TigerGame PS/PS2 Game Controller Adapter series to pc USB Drive

TightVNC 2.0.4

Time Gentlemen, Please!

Titan Attacks

Toki Tori

Torchlight

Trine

Ubisoft Game Launcher

Undelete Plus 2.98

Unified Remote

Universe Sandbox

Unlocker 1.8.9

Unreal Tournament 2004

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2473228)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft .NET Framework 4 Extended (KB2468871)

Update for Microsoft .NET Framework 4 Extended (KB2533523)

Update for Microsoft .NET Framework 4 Extended (KB2600217)

Uplink

Vegas Pro 11.0

Ventrilo Client

Ventrilo Server

Virtual Audio Cable 4.9

VLC media player 1.1.11

VS10RuntimeWin32

VVVVVV

WBFS Manager 3.0

Winamp

Winamp Application Detect

Windosill

Windows Live ID Sign-in Assistant

Windows Live Messenger

Windows Media Player Firefox Plugin

Windows Mobile Device Center

Windows XP Mode

WinPcap 4.1.2

WinRAR archiver

Wireshark 1.4.2

World of Goo

Worms Reloaded

x264vfw - H.264/MPEG-4 AVC codec (remove only)

X3: Albion Prelude

X3: Terran Conflict

Xfire (remove only)

XNote Stopwatch

Xotic

XSplit

Yosumin!

Zombie Driver

.

==== End Of File ===========================

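The Pseudo HJT Report in the DDS log above is the section a helper reads first: the uRun/mRun autostarts, the BHO registrations, and the mPolicies-system values, which on this machine show UAC switched off (EnableLUA = 0) on an account that runs as administrator. As an added example, not part of the post or of DDS itself, here is a small triage script that parses those three line formats and flags what a helper would flag. The input lines are copied from the report above; the TRUSTED_PREFIXES list and the wording of the policy findings are this example's own assumptions (the policy meanings follow the documented semantics of the HKLM\...\Policies\System values).

```python
"""Triage the "Pseudo HJT Report" section of a DDS log.

Added example for this thread, not code from DDS or from the original post.
It parses three of the line formats DDS prints (uRun:/mRun: autostarts,
BHO: browser helper objects, mPolicies-system: UAC policy values) and flags
what a helper reads that section for: UAC switched off, autostarts launched
from locations outside Program Files and Windows, and BHO registrations
whose DLL is missing.  TRUSTED_PREFIXES and the policy-value wording are
this example's own assumptions.
"""
import re

# Constructed input: lines copied from the DDS report posted above.
SAMPLE_REPORT = r'''
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
uRun: [steam] "u:\steam\steam.exe" -silent
uRun: [NetLimiter] c:\program files\netlimiter 3\NLClientApp.exe /tray
uRun: [HotSwap! Applet] "s:\web downloads\hotswap! 5.0.0.0\32bit\HotSwap!.EXE"
mRun: [Eraser] "c:\progra~1\eraser\Eraser.exe" --atRestart
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
'''

# DDS line formats: "uRun: [name] command", "BHO: desc: {clsid} - path",
# "mPolicies-system: Name = value (0xhex)".
_RUN = re.compile(r"^(?P<scope>[um])Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
_BHO = re.compile(r"^BHO: (?:(?P<desc>.*?): )?(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
_POLICY = re.compile(r"^mPolicies-system: (?P<name>\w+) = (?P<value>\d+) \(0x[0-9A-Fa-f]+\)$")
# The executable is the (optionally quoted) text up to the first ".exe".
_IMAGE = re.compile(r'^"?(?P<image>.+?\.exe)', re.IGNORECASE)

# Assumption of this example: where an autostart is expected to live.
TRUSTED_PREFIXES = ("c:\\program files", "c:\\progra~1", "c:\\windows")


def parse_report(text):
    """Return (autostarts, bhos, policies) from the Pseudo HJT lines."""
    runs, bhos, policies = [], [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _RUN.match(line)
        if m:
            img = _IMAGE.match(m.group("cmd"))
            runs.append({"scope": "user" if m.group("scope") == "u" else "machine",
                         "name": m.group("name"),
                         "image": img.group("image") if img else m.group("cmd")})
            continue
        m = _BHO.match(line)
        if m:
            bhos.append({"desc": m.group("desc") or "", "clsid": m.group("clsid"),
                         "path": m.group("path")})
            continue
        m = _POLICY.match(line)
        if m:
            policies[m.group("name")] = int(m.group("value"))
    return runs, bhos, policies


def assess(runs, bhos, policies):
    """Turn parsed entries into review findings (strings)."""
    findings = []
    for r in runs:
        if not r["image"].lower().startswith(TRUSTED_PREFIXES):
            findings.append(f"{r['scope']} autostart '{r['name']}' runs from {r['image']}; "
                            "outside Program Files/Windows, review it")
    for b in bhos:
        if b["path"].lower() == "no file":
            findings.append(f"BHO {b['clsid']} is registered but its DLL is missing; "
                            "orphaned entry, safe to remove")
    if policies.get("EnableLUA") == 0:
        findings.append("EnableLUA=0: UAC is off, so anything this administrator account "
                        "launches, including a dropped Startup-folder executable, already "
                        "runs with the full admin token")
    elif policies.get("ConsentPromptBehaviorAdmin") == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: administrators elevate without any prompt")
    if policies.get("PromptOnSecureDesktop") == 0:
        findings.append("PromptOnSecureDesktop=0: elevation prompts are drawn on the normal "
                        "desktop, where other user-mode programs can interact with them")
    return findings


def triage_report(text):
    runs, bhos, policies = parse_report(text)
    return {"runs": runs, "bhos": bhos, "policies": policies,
            "findings": assess(runs, bhos, policies)}


if __name__ == "__main__":
    for finding in triage_report(SAMPLE_REPORT)["findings"]:
        print("-", finding)
```

Autostarts outside Program Files are review items, not verdicts: Steam under U:\ is the user's own install choice, but it is exactly the kind of entry a helper asks about, and the same test would have caught a "Soundfx .exe" launched from a Temp or Startup path had it still been present.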


Whether you wish to continue with cleaning or not, you should be aware that you may have been infected by a backdoor trojan. This type of program has the ability to steal passwords and other information from your system. If you are using your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps
  • Removing this infection can also disable the ability to connect to the internet.

This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you, then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer.

Please post back to let me know how you wish to proceed.

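The reply above draws its conclusion from the detection names in the first MBAM log: Stolen.Data on a folder of .dc files under Temp and Backdoor.Agent on an executable in the Startup folder together mean data was being collected on a machine a remote party could control, which is why password changes from another computer come before any further cleaning. As an added example, not part of the thread and not Malwarebytes' own code, here is a triage script for the MBAM 1.x log format posted above. It parses the "<object> (<detection name>) -> <action>" lines, cross-checks them against the "... Detected: N" section headers, and reports whether the findings imply credential exposure, whether any of them sat in an autostart location, and whether every item was actually removed. The sample logs are the detection sections copied from the two logs above; the DATA_THEFT, REMOTE_ACCESS and PERSISTENCE_MARKERS sets are this example's assumptions, not anything MBAM exports.

```python
"""Triage a Malwarebytes Anti-Malware 1.x text log.

Added example for this thread, not code from Malwarebytes or from the
original post.  Parses the detection lines MBAM 1.x writes
("<object> (<detection name>) -> <action>"), checks them against the
"<section> Detected: N" headers, and answers the question the helper's
reply turns on: do the findings imply that data may already have left the
machine?  DATA_THEFT, REMOTE_ACCESS and PERSISTENCE_MARKERS are this
example's own assumptions.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Constructed input: the detection section of the first log posted above.
FIRST_LOG = r'''
Memory Processes Detected: 0
(No malicious items detected)
Registry Keys Detected: 1
HKCU\Software\DC3_FEXEC (Malware.Trace) -> Quarantined and deleted successfully.
Registry Values Detected: 0
(No malicious items detected)
Folders Detected: 1
C:\Users\username\AppData\Local\Temp\dclogs (Stolen.Data) -> Quarantined and deleted successfully.
Files Detected: 7
C:\Users\username\AppData\Local\Temp\archivezz.exe (Trojan.P2P.Worm) -> Quarantined and deleted successfully.
C:\Users\username\Local Settings\Temporary Internet Files\Content.IE5\WMC2FB93\archivezz[1].exe (Trojan.P2P.Worm) -> Quarantined and deleted successfully.
C:\Users\username\AppData\Local\Temp\dclogs\2012-05-12-7.dc (Stolen.Data) -> Quarantined and deleted successfully.
C:\Users\username\AppData\Local\Temp\dclogs\2012-05-16-4.dc (Stolen.Data) -> Quarantined and deleted successfully.
C:\Windows\Temp\Volume.exe (Backdoor.Agent) -> Quarantined and deleted successfully.
C:\Users\username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soundfx .exe (Backdoor.Agent) -> Quarantined and deleted successfully.
C:\Users\username\AppData\Local\Temp\Soundfx .exe (Backdoor.Agent) -> Quarantined and deleted successfully.
(end)
'''

# Constructed input: the follow-up scan that reported nothing.
CLEAN_LOG = '''
Registry Keys Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
'''


class Finding(NamedTuple):
    section: str   # header the line appeared under, e.g. "Files"
    obj: str       # path or registry key exactly as MBAM printed it
    name: str      # MBAM detection name, e.g. "Backdoor.Agent"
    action: str    # what MBAM did with it


_HEADER = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# Greedy obj, so the "(name)" taken is the last parenthesised token before " -> ".
_DETECTION = re.compile(r"^(?P<obj>.+) \((?P<name>[A-Za-z0-9_.\-]+)\) -> (?P<action>.+)$")

# Assumptions of this example: detection families that imply data left the
# machine or that a remote party had control, and autostart path fragments.
DATA_THEFT = {"Stolen.Data"}
REMOTE_ACCESS = {"Backdoor.Agent"}
PERSISTENCE_MARKERS = ("\\start menu\\programs\\startup\\", "\\currentversion\\run")


def parse_log(text: str) -> List[Finding]:
    """Extract every detection line, tagged with the section it appeared under."""
    findings, section = [], "Unknown"
    for raw in text.splitlines():
        line = raw.strip()
        header = _HEADER.match(line)
        if header:
            section = header.group("section")
            continue
        hit = _DETECTION.match(line)
        if hit:
            findings.append(Finding(section, hit.group("obj"), hit.group("name"), hit.group("action")))
    return findings


def declared_counts(text: str) -> Dict[str, int]:
    """The per-section totals MBAM itself printed, for cross-checking."""
    counts = {}
    for raw in text.splitlines():
        header = _HEADER.match(raw.strip())
        if header:
            counts[header.group("section")] = int(header.group("count"))
    return counts


def triage(text: str) -> dict:
    findings = parse_log(text)
    by_name = Counter(f.name for f in findings)
    per_section = Counter(f.section for f in findings)
    declared = declared_counts(text)
    # A mismatch means the log was truncated or the parser missed a line.
    mismatches = {s: (n, per_section.get(s, 0))
                  for s, n in declared.items() if n != per_section.get(s, 0)}
    persistence = [f.obj for f in findings
                   if any(m in f.obj.lower() for m in PERSISTENCE_MARKERS)]
    not_removed = [f.obj for f in findings if "deleted successfully" not in f.action.lower()]
    exposure = bool(set(by_name) & (DATA_THEFT | REMOTE_ACCESS))
    return {"findings": findings, "by_name": dict(by_name),
            "count_mismatches": mismatches, "persistence": persistence,
            "not_removed": not_removed, "credential_exposure": exposure}


if __name__ == "__main__":
    for label, log in (("first scan", FIRST_LOG), ("follow-up scan", CLEAN_LOG)):
        r = triage(log)
        print(f"{label}: {len(r['findings'])} detections {r['by_name']}, "
              f"persistence={r['persistence']}, credential exposure={r['credential_exposure']}")
```

The clean follow-up scan lowers nothing on the exposure side: once a Stolen.Data or Backdoor.Agent detection has appeared, a later log with zero detections only says the files are gone, not that nothing was sent before they were, which is the distinction the reply above is making.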

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


Logs will be closed if you haven't replied within 3 days

Please don't attach the scans / logs for these tools, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Please run a new MBAM scan being sure to update before scanning.

Post the scan results

Also please describe how your computer behaves at the moment.

Please don't attach the scans / logs, use "copy/paste".


Hello, thanks for the reply. Here's the log:

So far I haven't noticed any suspicious behavior. I actually installed Avast Antivirus (Avira was sluggish) and Comodo Firewall after posting my log. Comodo gives me great granular control over application behavior - I like it. Haven't noticed anything weird or stuff trying to "phone home".

Anyway, here's the Full Scan log of my System Partition.

Malwarebytes Anti-Malware 1.61.0.1400

www.malwarebytes.org

Database version: v2012.05.26.06

Windows 7 Service Pack 1 x86 NTFS

Internet Explorer 9.0.8112.16421

username :: pcname [administrator]

5/26/2012 1:46:23 PM

mbam-log-2012-05-26 (13-46-23).txt

Scan type: Full scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 340751

Time elapsed: 15 minute(s), 33 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


Please do not attach the scan results from ComboFix. Use copy/paste.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator").

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have XP SP3, use the XP SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.


No changes in computer behavior from my previous post. Here's the ComboFix log:

ComboFix 12-05-27.02 - username 7/2012 Sun 11:26:57.2.8 - x86

Running from: c:\users\username\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((( Files Created from 2012-04-27 to 2012-05-27 )))))))))))))))))))))))))))))))

.

.

2012-05-27 21:32 . 2012-05-27 21:32 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-05-26 14:01 . 2012-05-26 14:01 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D6E9B1DB-A287-4115-B959-63B60F2D8467}\offreg.dll

2012-05-25 21:34 . 2012-05-25 21:34 -------- d-----w- c:\program files\HT OMEGA STRIKER7.1

2012-05-25 21:34 . 2007-12-14 02:12 122880 ------w- c:\windows\system32\Cm_Oal.dll

2012-05-25 21:34 . 2011-03-30 22:16 1569792 ----a-w- c:\windows\system32\drivers\cmudax3.sys

2012-05-25 21:34 . 2012-05-15 11:43 6737808 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D6E9B1DB-A287-4115-B959-63B60F2D8467}\mpengine.dll

2012-05-24 21:34 . 2012-05-24 21:34 -------- d-----we c:\users\username\AppData\Local\Google

2012-05-24 21:30 . 2012-05-24 21:30 -------- d-----w- c:\program files\LinkShellExtension

2012-05-23 00:17 . 2012-05-15 09:28 645440 ----a-w- c:\windows\system32\nvvsvc.exe

2012-05-23 00:17 . 2012-05-15 09:28 62272 ----a-w- c:\windows\system32\nvshext.dll

2012-05-23 00:17 . 2012-05-15 09:28 2621723 ----a-w- c:\windows\system32\nvcoproc.bin

2012-05-23 00:17 . 2012-05-15 09:28 108352 ----a-w- c:\windows\system32\nvmctray.dll

2012-05-23 00:17 . 2012-05-15 09:28 3931456 ----a-w- c:\windows\system32\nvcpl.dll

2012-05-23 00:17 . 2012-05-15 09:27 2759488 ----a-w- c:\windows\system32\nvsvc.dll

2012-05-23 00:17 . 2012-05-15 10:26 61248 ----a-w- c:\windows\system32\OpenCL.dll

2012-05-18 22:30 . 2012-05-18 23:01 56 --sh--r- c:\windows\system32\CF133FD050.sys

2012-05-18 22:30 . 2012-05-18 23:01 1160 --sha-w- c:\windows\system32\KGyGaAvL.sys

2012-05-18 22:13 . 2012-05-18 22:13 -------- d-----w- c:\program files\Enterbrain

2012-05-18 22:13 . 2012-05-18 22:13 -------- d-----w- c:\program files\Common Files\Enterbrain

2012-05-18 07:20 . 2012-05-18 07:34 -------- d-----w- c:\programdata\Comodo

2012-05-18 07:20 . 2012-05-18 07:20 -------- d-----w- c:\program files\COMODO

2012-05-18 02:06 . 2012-03-07 00:03 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys

2012-05-18 02:06 . 2012-03-07 00:01 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2012-05-18 02:06 . 2012-04-04 02:50 51424 ----a-w- c:\windows\system32\drivers\aswRdr2.sys

2012-05-18 02:06 . 2012-03-07 00:03 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2012-05-18 02:06 . 2012-03-07 00:01 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2012-05-18 02:06 . 2012-03-07 00:01 57688 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys

2012-05-18 02:06 . 2012-03-07 00:15 41184 ----a-w- c:\windows\avastSS.scr

2012-05-18 02:06 . 2012-03-07 00:15 201352 ----a-w- c:\windows\system32\aswBoot.exe

2012-05-18 02:06 . 2012-05-18 02:06 -------- d-----w- c:\programdata\AVAST Software

2012-05-18 02:06 . 2012-05-18 02:06 -------- d-----w- c:\program files\AVAST Software

2012-05-17 03:59 . 2012-05-17 03:59 -------- d-----w- c:\program files\ESET

2012-05-17 02:45 . 2012-05-17 02:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-05-17 02:45 . 2012-04-05 01:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-05-17 00:40 . 2012-05-17 00:40 -------- d-----w- c:\programdata\Kaspersky Lab

2012-05-16 04:58 . 2012-05-16 04:58 -------- d-----w- c:\users\username\AppData\Local\SRKX

2012-05-10 23:38 . 2012-05-10 23:38 -------- d-----w- c:\program files\Sony

2012-05-10 10:31 . 2012-05-10 10:31 -------- d-----w- c:\program files\Handbrake

2012-05-10 09:30 . 2012-05-10 09:30 -------- d-----w- c:\program files\VirtualDub-1.10.1

2012-05-09 01:15 . 2012-03-31 04:30 1221632 ----a-w- c:\program files\Windows Journal\NBDoc.DLL

2012-05-09 01:15 . 2012-03-31 04:29 936960 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll

2012-05-09 01:15 . 2012-03-31 04:29 989184 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll

2012-05-09 01:15 . 2012-03-31 04:29 969216 ----a-w- c:\program files\Windows Journal\JNWDRV.dll

2012-05-09 01:15 . 2012-03-30 10:23 1291632 ----a-w- c:\windows\system32\drivers\tcpip.sys

2012-05-09 01:14 . 2012-03-31 04:39 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe

2012-05-09 01:14 . 2012-03-31 04:39 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-05-09 01:14 . 2012-03-31 02:36 2343424 ----a-w- c:\windows\system32\win32k.sys

2012-05-09 01:14 . 2012-03-03 05:31 1077248 ----a-w- c:\windows\system32\DWrite.dll

2012-05-09 01:14 . 2012-03-17 07:27 56176 ----a-w- c:\windows\system32\drivers\partmgr.sys

2012-05-06 04:38 . 2012-05-06 04:38 -------- d-----w- c:\programdata\id Software

2012-05-04 02:52 . 2012-05-04 02:52 -------- d-----w- c:\users\username\AppData\Roaming\RenPy

2012-05-01 07:32 . 2012-05-01 07:32 -------- d-----w- c:\program files\Radiodelay

2012-05-01 04:37 . 2012-05-01 04:37 -------- d-----w- c:\users\username\AppData\Local\CRE

2012-05-01 04:37 . 2012-05-01 04:37 -------- d-----w- c:\program files\Conduit

2012-05-01 04:37 . 2012-05-03 01:27 -------- d-----w- c:\users\username\AppData\Local\Conduit

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-05-17 00:53 . 2012-02-28 16:13 772552 ----a-w- c:\windows\system32\npdeployJava1.dll

2012-05-17 00:53 . 2010-05-20 06:43 687560 ----a-w- c:\windows\system32\deployJava1.dll

2012-05-09 23:15 . 2012-04-05 00:23 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-05-09 23:15 . 2011-08-10 03:35 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-03-14 23:06 . 2012-03-14 23:06 42392 ----a-w- c:\windows\system32\xfcodec.dll

2012-03-12 07:13 . 2012-03-12 07:13 39640 ----a-w- c:\windows\system32\drivers\cmdhlp.sys

2012-03-12 07:13 . 2012-03-12 07:13 491816 ----a-w- c:\windows\system32\drivers\cmdGuard.sys

2012-03-12 07:13 . 2012-03-12 07:13 19600 ----a-w- c:\windows\system32\drivers\cmderd.sys

2012-03-12 07:13 . 2012-03-12 07:13 33984 ----a-w- c:\windows\system32\cmdcsr.dll

2012-03-12 07:13 . 2012-03-12 07:13 301224 ----a-w- c:\windows\system32\guard32.dll

2012-03-01 05:46 . 2012-04-10 22:41 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys

2012-03-01 05:37 . 2012-04-10 22:41 172544 ----a-w- c:\windows\system32\wintrust.dll

2012-03-01 05:33 . 2012-04-10 22:41 159232 ----a-w- c:\windows\system32\imagehlp.dll

2012-03-01 05:29 . 2012-04-10 22:41 5120 ----a-w- c:\windows\system32\wmi.dll

2012-02-28 01:18 . 2012-04-10 22:45 1799168 ----a-w- c:\windows\system32\jscript9.dll

2012-02-28 01:11 . 2012-04-10 22:45 1427456 ----a-w- c:\windows\system32\inetcpl.cpl

2012-02-28 01:11 . 2012-04-10 22:45 1127424 ----a-w- c:\windows\system32\wininet.dll

2012-02-28 01:03 . 2012-04-10 22:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-04-25 02:44 . 2011-03-23 05:50 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA801577-E6AD-4BD5-8F71-4BE0154331A4}]

2011-04-01 07:45 286208 ----a-w- c:\program files\Classic Shell\ClassicIE9DLL_32.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2012-03-07 00:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\users\username\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\users\username\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\users\username\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\HardLinkMenu]

@="{0A479751-02BC-11d3-A855-0004AC2568AA}"

[HKEY_CLASSES_ROOT\CLSID\{0A479751-02BC-11d3-A855-0004AC2568AA}]

2012-04-11 04:30 417792 ----a-w- c:\program files\LinkShellExtension\HardlinkShellExt.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHardLink]

@="{0A479751-02BC-11d3-A855-0004AC2568DD}"

[HKEY_CLASSES_ROOT\CLSID\{0A479751-02BC-11d3-A855-0004AC2568DD}]

2012-04-11 04:30 417792 ----a-w- c:\program files\LinkShellExtension\HardlinkShellExt.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlaySymbolicLink]

@="{0A479751-02BC-11d3-A855-0004AC2568EE}"

[HKEY_CLASSES_ROOT\CLSID\{0A479751-02BC-11d3-A855-0004AC2568EE}]

2012-04-11 04:30 417792 ----a-w- c:\program files\LinkShellExtension\HardlinkShellExt.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ShareOverlay]

@="{594D4122-1F87-41E2-96C7-825FB4796516}"

[HKEY_CLASSES_ROOT\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}]

2011-04-01 07:45 501760 ----a-w- c:\program files\Classic Shell\ClassicExplorer32.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Steam"="u:\steam\steam.exe" [2011-08-02 1242448]

"Unified Remote v2"="c:\program files\Unified Remote\RemoteServer.exe" [2012-03-04 232032]

"NetLimiter"="c:\program files\NetLimiter 3\NLClientApp.exe" [2010-08-31 1781760]

"HotSwap! Applet"="s:\web downloads\HotSwap! 5.0.0.0\32bit\HotSwap!.EXE" [2009-11-11 107520]

"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2011-01-20 1305408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2011-07-11 74752]

"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-03-09 15872]

"Eraser"="c:\progra~1\Eraser\Eraser.exe" [2009-12-15 976784]

"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]

"Keybreeze"="c:\program files\Keybreeze\Keybreeze.exe" [2010-03-01 1503232]

"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2009-07-22 83336]

"AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-10-23 326144]

"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]

"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-01-27 1312848]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]

"HTC Sync Loader"="c:\program files\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2012-04-18 651264]

"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-07 4241512]

"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2012-03-12 6749512]

"Cmaudio8768GX"="c:\windows\system\HsMgr.exe" [2008-07-12 200704]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2010-01-29 21:17 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\System32\guard32.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux9"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R3 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2009-10-23 401920]

R3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [2009-10-26 25088]

R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\DRIVERS\htcnprot.sys [2010-06-23 23040]

R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [2012-04-25 129976]

R3 NLNdisPT;NetLimiter Ndis Protocol Service;c:\windows\system32\DRIVERS\nlndis.sys [2010-08-31 5230088]

R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2011-08-07 3993808]

R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [x]

R3 rspAux;rspAux;c:\windows\system32\DRIVERS\rspAux32.sys [2011-01-27 19000]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]

R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [2011-07-16 101680]

R3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\DRIVERS\vpcuxd.sys [2010-11-20 12800]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-30 1343400]

R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 17920]

S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]

S1 aswSnx;aswSnx; [x]

S1 aswSP;aswSP; [x]

S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2012-03-12 491816]

S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2012-03-12 39640]

S1 nltdi;nltdi;c:\program files\NetLimiter 3\nltdi.sys [2010-08-31 5281672]

S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [2011-07-16 154416]

S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [2011-07-16 33072]

S2 Apache2.2;Apache2.2;f:\apache 2.2\bin\httpd.exe [2011-09-09 20549]

S2 aswFsBlk;aswFsBlk; [x]

S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-03-07 57688]

S2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [2010-05-11 20072]

S2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [2010-07-09 20328]

S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35088]

S2 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [2011-09-15 88576]

S3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2011-01-26 218688]

S3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\DRIVERS\vrtaucbl.sys [2011-01-02 40576]

S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\DRIVERS\ManyCam.sys [2008-01-14 21632]

S3 MayPro;TigerGame SuperJoy Box Pro Filter Service;c:\windows\system32\Drivers\MayPro.sys [2007-08-13 21024]

S3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\DRIVERS\MijXfilt.sys [2011-11-11 95304]

S3 NLNdisMP;NLNdisMP;c:\windows\system32\DRIVERS\nlndis.sys [2010-08-31 5230088]

S3 RTCore32;RTCore32;c:\program files\MSI Afterburner\RTCore32.sys [2010-08-31 12088]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]

S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [2011-07-16 113456]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

iissvcs REG_MULTI_SZ w3svc was

apphost REG_MULTI_SZ apphostsvc

WindowsMobile REG_MULTI_SZ wcescomm rapimgr

LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

IE: {{56753E59-AF1D-4FBA-9E15-31557124ADA2} - c:\program files\Classic Shell\ClassicIE9_32.exe

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{820E3859-17B5-42E9-95E6-4AD1FEE7A169}: NameServer = 8.8.8.8,8.8.4.4

FF - ProfilePath - c:\users\username\AppData\Roaming\Mozilla\Firefox\Profiles\zvfbcchj.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-CmPCIaudio - CMICNFG3.cpl

.

.

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(764)

c:\windows\system32\guard32.dll

.

- - - - - - - > 'lsass.exe'(792)

c:\windows\system32\guard32.dll

.

- - - - - - - > 'Explorer.exe'(6472)

c:\windows\system32\guard32.dll

c:\program files\Xfire\xfire_toucan_45386.dll

c:\users\username\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

c:\program files\LinkShellExtension\RockallDLL.dll

.

Completion time: 2012-05-27 11:33:50

ComboFix-quarantined-files.txt 2012-05-27 21:33

.

Pre-Run: 882,114,560 bytes free

Post-Run: 828,694,528 bytes free

.

- - End Of File - - DFB3AC75B0B6C555B0273F95E96450E1
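A small triage helper for the "Reg Loading Points" section of a ComboFix log like the one above, added here as an example (it is not part of the thread and not ComboFix's own code). It parses the Run entries, the UAC policy values and the AppInit_DLLs line, then flags autostart binaries that live outside the usual program directories and UAC values that are switched off. The sample text is a constructed excerpt modelled on the posted log, and TRUSTED_PREFIXES is an assumption about where legitimate autostart programs are expected on this machine.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt, modelled on the "Reg Loading Points" section of the
# ComboFix log posted above (a few representative lines only).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="u:\steam\steam.exe" [2011-08-02 1242448]
"HotSwap! Applet"="s:\web downloads\HotSwap! 5.0.0.0\32bit\HotSwap!.EXE" [2009-11-11 107520]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-07 4241512]
"Cmaudio8768GX"="c:\windows\system\HsMgr.exe" [2008-07-12 200704]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\guard32.dll
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "Name"="path" [YYYY-MM-DD size]  -- the shape ComboFix uses for Run entries
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$')
# "Name"= N (0xN)  -- the shape used for DWORD policy values
POLICY_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>\d+)\s*\(0x[0-9A-Fa-f]+\)$')
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(?P<path>.+)$')

# Assumption: on this box legitimate autostart programs live under these roots.
TRUSTED_PREFIXES = (r"c:\program files", r"c:\progra~1", r"c:\windows")

# UAC policy values that, when set as shown, weaken the machine.
UAC_POLICY_CHECKS = {
    "EnableLUA": (0, "UAC is switched off entirely"),
    "ConsentPromptBehaviorAdmin": (0, "administrators elevate with no prompt"),
    "PromptOnSecureDesktop": (0, "elevation prompts are not shown on the secure desktop"),
}


def parse_loading_points(text: str) -> Dict[str, object]:
    """Walk the log once, grouping each value line under the [key] that precedes it."""
    run: List[Tuple[str, str, str, int]] = []   # (registry key, name, path, size)
    policies: Dict[str, int] = {}
    appinit: List[str] = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # ComboFix separates blocks with a lone dot
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = RUN_RE.match(line)
        if m and key.lower().endswith("\\run"):
            run.append((key, m.group("name"), m.group("path"), int(m.group("size"))))
            continue
        m = POLICY_RE.match(line)
        if m and key.lower().endswith("\\policies\\system"):
            policies[m.group("name")] = int(m.group("value"))
            continue
        m = APPINIT_RE.match(line)
        if m:   # AppInit_DLLs is injected into every process that loads user32
            appinit.extend(p.strip() for p in m.group("path").split(",") if p.strip())
    return {"run": run, "policies": policies, "appinit": appinit}


def unusual_run_entries(run) -> List[str]:
    """Names of Run entries whose binary is outside TRUSTED_PREFIXES (worth a second look)."""
    return [name for _key, name, path, _size in run
            if not path.lower().startswith(TRUSTED_PREFIXES)]


def uac_findings(policies: Dict[str, int]) -> List[str]:
    """Explain which [policies\\system] values weaken UAC on this machine."""
    return [f"{name}={policies[name]}: {why}"
            for name, (bad, why) in UAC_POLICY_CHECKS.items()
            if policies.get(name) == bad]


if __name__ == "__main__":
    parsed = parse_loading_points(SAMPLE_LOG)
    print("Run entries outside trusted roots:", unusual_run_entries(parsed["run"]))
    print("UAC findings:", *uac_findings(parsed["policies"]), sep="\n  ")
    print("AppInit DLLs:", parsed["appinit"])
```

On the sample, the two entries on the u: and s: drives are reported and all three UAC values are flagged, which matches what a helper would want to ask about when reading the posted log.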


Good job

The following will implement some cleanup procedures as well as reset System Restore points:

For XP:

  • Click START run
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.

For Vista / Windows 7

  • Click START Search
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.

Here's my usual final post

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

Log looks good :D

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week
    (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer.
    Without a firewall your computer is susceptible to being hacked and taken over.
    I am very serious about this and see it happen almost every day with my clients.
    Simply using a Firewall in its default configuration can lower your risk greatly.

  • Securing Your Web Browser
    This paper will help you configure your web browser for safer internet surfing.
  • Using a secure browser plugin: M86 SecureBrowsing makes it safe to search, surf and socialize online. This free browser plug-in displays security icons next to links on search engines and social networking sites like Facebook, Twitter and LinkedIn, so you'll know which pages are safe and which ones to avoid.
    • Free browser plug-in for Internet Explorer and Firefox
    • Real-time safety ratings
    • Ideal for Facebook, Twitter and LinkedIn
  • JAVA Click this link and click on the Free JAVA Download
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
    This will ensure your computer always has the latest security updates installed.
    If there are new updates to install, install them immediately, reboot your computer, and revisit the site
    until there are no more critical updates.

Only run one Anti-Virus and Firewall program.

I would suggest you read:

PC Safety and Security--What Do I Need?

How to Prevent Malware:

The full version of Malwarebytes' Anti-Malware could have helped protect your computer against this threat.

We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
