
Malware found backdoor.agent, did I get rid of it and what is the damage?



Hi,

I suspected a virus as the computer was extremely slow. Microsoft Essentials and Trend Micro House Call didn't notice anything. However, I could see lots of network activity while nothing should have been active.

When I ran a full scan of Micro Essentials in safe mode overnight, I noticed it was terminated in the middle of the night, and my event logger showed a successful login while I was sleeping!

I tried Malwarebytes quick scan and it found three infections:

heuristics.shuriken File

heuristics.shuriken Registry

Backdoor.agent file c:\windows\system32\cml.exe

I let the program remove these.

My problem and question is: am I now free of all backdoors, AND how much damage will have been done by someone nosing around on my system? For instance, can passwords stored by IE, Chrome and FF be read by a remote hacker? I presume he has been copying all files on my system.

I will copy the output of scr.com and that of RogueKiller below it. Attached is the attach.txt file. What worries me is that RogueKiller identified a Skype service as dangerous AFTER MBAM did its job.

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.5.0

Run by Saskia Bakker at 14:07:38 on 2012-08-16

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.12286.6414 [GMT 2:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Program Files\Microsoft Security Client\MsMpEng.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe

C:\Windows\system32\nvvsvc.exe

C:\Windows\System32\spoolsv.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Windows\SysWOW64\svchost.exe -k Akamai

C:\Program Files (x86)\Bonjour\mDNSResponder.exe

C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Firebird\Firebird_2_5\bin\fbguard.exe

C:\Program Files (x86)\EaseUS\Todo Backup\bin\GuardAgent.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe

c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe

C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe

C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe

C:\Windows\System32\snmp.exe

C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\syswow64\snmp.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\vmnat.exe

C:\Windows\SysWOW64\vmnetdhcp.exe

C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe

C:\Program Files (x86)\Vodafone\Vodafone Mobile Broadband\Bin\VmbService.exe

C:\Program Files\Firebird\Firebird_2_5\bin\fbserver.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\taskhost.exe

C:\Program Files (x86)\Google\Update\1.3.21.115\GoogleCrashHandler.exe

C:\Program Files (x86)\Google\Update\1.3.21.115\GoogleCrashHandler64.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe

C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Program Files\Zune\ZuneLauncher.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\Local Settings\Apps\F.lux\flux.exe

C:\Program Files (x86)\VoipBuster.com\VoipBuster\voipbuster.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\NVIDIA Corporation\Display\nvtray.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files (x86)\PicPick\picpick.exe

C:\Program Files (x86)\Google\Drive\googledrivesync.exe

C:\Program Files (x86)\Skype\Phone\Skype.exe

C:\Program Files (x86)\easyVoipRecorder\easyVoipRecorder.exe

C:\Program Files (x86)\easyVoipRecorder\easyVoipRecorderMonitor.exe

C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe

C:\Users\Saskia Bakker\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe

C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe

C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe

C:\Program Files (x86)\Google\Google Talk\googletalk.exe

C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE

C:\Program Files (x86)\EASEUS\Todo Backup\bin\EuWatch.exe

C:\Program Files (x86)\EASEUS\Todo Backup\bin\TrayNotify.exe

C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe

C:\Program Files (x86)\Google\Drive\googledrivesync.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\RealNetworks\RealDownloader\recordingmanager.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AcroRd32.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AcroRd32.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Windows\system32\svchost.exe -k SDRSVC

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Windows\system32\NOTEPAD.EXE

C:\Program Files (x86)\ESET\ESET Online Scanner\OnlineScannerApp.exe

C:\Program Files (x86)\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe

C:\Windows\system32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cscript.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

uSearch Bar = Preserve

uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;

mWinlogon: Userinit=userinit.exe,

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\Program Files (x86)\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL

BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - C:\Program Files (x86)\Free Download Manager\iefdm2.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

uRun: [AdobeBridge]

uRun: [Google Update] "C:\Users\Saskia Bakker\AppData\Local\Google\Update\GoogleUpdate.exe" /c

uRun: [CA5002FA326C99572E9584EF833B0C63492F5BB0._service_run] "C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe" --type=service

uRun: [F.lux] "C:\Users\Saskia Bakker\Local Settings\Apps\F.lux\flux.exe" /noshow

uRun: [VoipBuster] "C:\Program Files (x86)\VoipBuster.com\VoipBuster\voipbuster.exe" -nosplash -minimized

uRun: [CompuCare Check for updates] C:\Users\Saskia Bakker\AppData\Roaming\SuperPump\updater.exe

uRun: [PicPick Start] C:\Program Files (x86)\PicPick\picpick.exe /startup

uRun: [GoogleDriveSync] "C:\Program Files (x86)\Google\Drive\googledrivesync.exe" /autostart

uRun: [MusicManager] "C:\Users\Saskia Bakker\AppData\Local\Programs\Google\MusicManager\MusicManager.exe"

uRun: [skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun

uRun: [easyVoipRecorder] C:\Program Files (x86)\easyVoipRecorder\easyVoipRecorder.exe /Minimize

uRun: [easyVoipRecorderMonitor] C:\Program Files (x86)\easyVoipRecorder\easyVoipRecorderMonitor.exe /Minimize

uRun: [GoogleChromeAutoLaunch_CCF267AB6A67B2874293D0CD9CA77E97] "C:\Users\Saskia Bakker\AppData\Local\Google\Chrome\Application\chrome.exe" --no-startup-window

uRun: [sony PC Companion] "C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe" /Background

uRun: [spotify Web Helper] "C:\Users\Saskia Bakker\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"

mRun: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"

mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"

mRun: [<NO NAME>]

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [googletalk] C:\Program Files (x86)\Google\Google Talk\googletalk.exe /autostart

mRun: [MobileBroadband] C:\Program Files (x86)\Vodafone\Vodafone Mobile Broadband\Bin\MobileBroadband.exe /silent

mRun: [EaseUs Watch] "C:\Program Files (x86)\EaseUS\Todo Backup\bin\EuWatch.exe"

mRun: [EaseUs Tray] "C:\Program Files (x86)\EaseUS\Todo Backup\bin\TrayNotify.exe"

mRun: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [Corel File Shell Monitor] c:\Program Files (x86)\Corel\Corel PaintShop Photo Pro\X3\PSPClassic\CorelIOMonitor.exe

mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

mRunOnce: [XHD_II] C:\Program Files (x86)\gigabyte\xhd_ii\xhd2_tray.exe

mRunOnce: [DES2] C:\Program Files (x86)\GIGABYTE\EnergySaver2\des2.exe state

mRunOnce: [EasyTuneVI] C:\Program Files (x86)\GIGABYTE\ET6\ETCall.exe

StartupFolder: C:\Users\SASKIA~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\CPU-Z.lnk - C:\Program Files\CPUID\CPU-Z\cpuz.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\ET6.lnk - C:\Windows\Installer\{457D7505-D665-4F95-91C3-ECB8C56E9ACA}\ET6SC.exe_457D7505D6654F9591C3ECB8C56E9ACA.exe

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL

LSP: C:\Windows\system32\EasyRedirect.dll

LSP: C:\Program Files (x86)\VMware\VMware Player\vsocklib.dll

DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} - hxxp://download.gigabyte.com.tw/object/Dldrv.ocx

TCP: DhcpNameServer = 10.20.0.250 62.37.225.57

TCP: Interfaces\{13DAB7F9-7681-44F2-B781-777EB15452F2} : DhcpNameServer = 192.168.1.1 10.20.0.250 62.37.225.57

TCP: Interfaces\{13DAB7F9-7681-44F2-B781-777EB15452F2}\14E64627F69646455647865627 : DhcpNameServer = 192.168.2.254

TCP: Interfaces\{13DAB7F9-7681-44F2-B781-777EB15452F2}\659405D284F4453505F445E236F6D60293532353933333333302B6470226F4 : DhcpNameServer = 10.254.67.1 80.58.0.33

TCP: Interfaces\{13DAB7F9-7681-44F2-B781-777EB15452F2}\75946494D224C45554E236F6D602935323437373733333021686370216F4 : DhcpNameServer = 10.5.112.1 10.0.0.1

TCP: Interfaces\{13DAB7F9-7681-44F2-B781-777EB15452F2}\95D294E6475627E65647022484132353D223024556C602935323933323236363 : DhcpNameServer = 62.82.36.6 62.82.36.2

TCP: Interfaces\{1BF23D67-E048-4ACB-B5D0-6FCECF0F75D9} : DhcpNameServer = 10.11.0.1

TCP: Interfaces\{3245C811-1AED-47F3-8108-4A9A3FBFC289} : NameServer = 208.67.222.222,208.67.220.220

TCP: Interfaces\{6869DBF3-1F5C-43DC-8207-25DA271EB9A3} : NameServer = 208.67.222.222,208.67.220.220

TCP: Interfaces\{C06AF5AD-416C-45E1-A9EE-4E0D3FF3BEAD} : DhcpNameServer = 10.20.0.250 62.37.225.57

TCP: Interfaces\{F377B502-C75E-445B-881B-8FF07E686059} : NameServer = 212.166.132.110 212.73.32.67

TCP: Interfaces\{FC3FB497-AB0F-411A-96EF-2479E0853B1B} : NameServer = 208.67.222.222,208.67.220.220

TCP: Interfaces\{FC3FB497-AB0F-411A-96EF-2479E0853B1B} : DhcpNameServer = 10.20.0.250 62.37.225.57

TCP: Interfaces\{FC3FB497-AB0F-411A-96EF-2479E0853B1B}\44F6E602A45716E60275966496021303024556C602935323933323236363 : NameServer = 208.67.222.222,208.67.220.220

TCP: Interfaces\{FC3FB497-AB0F-411A-96EF-2479E0853B1B}\44F6E602A45716E60275966496021303024556C602935323933323236363 : DhcpNameServer = 46.37.96.22 46.37.96.23

TCP: Interfaces\{FC3FB497-AB0F-411A-96EF-2479E0853B1B}\759664960234F6E6E656364702D405231323024502935313036333530303 : NameServer = 208.67.222.222,208.67.220.220

TCP: Interfaces\{FC3FB497-AB0F-411A-96EF-2479E0853B1B}\759664960234F6E6E656364702D405231323024502935313036333530303 : DhcpNameServer = 46.37.96.22 46.37.96.23

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files (x86)\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll

BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll

BHO-X64: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll

BHO-X64: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO-X64: SkypeIEPluginBHO - No File

BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL

BHO-X64: URLRedirectionBHO - No File

BHO-X64: FDMIECookiesBHO Class: {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files (x86)\Free Download Manager\iefdm2.dll

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll

TB-X64: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

EB-X64: {182EC0BE-5110-49C8-A062-BEB1D02A220B} - No File

mRun-x64: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"

mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"

mRun-x64: [(Default)]

mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun-x64: [googletalk] C:\Program Files (x86)\Google\Google Talk\googletalk.exe /autostart

mRun-x64: [MobileBroadband] C:\Program Files (x86)\Vodafone\Vodafone Mobile Broadband\Bin\MobileBroadband.exe /silent

mRun-x64: [EaseUs Watch] "C:\Program Files (x86)\EaseUS\Todo Backup\bin\EuWatch.exe"

mRun-x64: [EaseUs Tray] "C:\Program Files (x86)\EaseUS\Todo Backup\bin\TrayNotify.exe"

mRun-x64: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide

mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun-x64: [Corel File Shell Monitor] c:\Program Files (x86)\Corel\Corel PaintShop Photo Pro\X3\PSPClassic\CorelIOMonitor.exe

mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

mRunOnce-x64: [XHD_II] C:\Program Files (x86)\gigabyte\xhd_ii\xhd2_tray.exe

mRunOnce-x64: [DES2] C:\Program Files (x86)\GIGABYTE\EnergySaver2\des2.exe state

mRunOnce-x64: [EasyTuneVI] C:\Program Files (x86)\GIGABYTE\ET6\ETCall.exe

SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Saskia Bakker\AppData\Roaming\Mozilla\Firefox\Profiles\sqkhjbg3.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - about:home

FF - component: C:\Program Files (x86)\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll

FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL

FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL

FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll

FF - plugin: C:\Program Files (x86)\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL

FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll

FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll

FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll

FF - plugin: C:\Program Files (x86)\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll

FF - plugin: C:\Program Files (x86)\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll

FF - plugin: C:\Program Files (x86)\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll

FF - plugin: C:\Program Files\sView 2009\StBrowserPlugins\npStBrowserPlugin.dll

FF - plugin: C:\Users\Saskia Bakker\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll

FF - plugin: C:\Users\Saskia Bakker\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll

FF - plugin: C:\Users\Saskia Bakker\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_270.dll

FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll

FF - plugin: C:\Windows\SysWOW64\npmproxy.dll

FF - plugin: C:\Windows\SysWOW64\NPSWF32.dll

.

---- FIREFOX POLICIES ----

FF - user.js: extensions.BabylonToolbar_i.id - d04d7cd900000000000000ff1bf23d67

FF - user.js: extensions.BabylonToolbar_i.hardId - d04d7cd900000000000000ff1bf23d67

FF - user.js: extensions.BabylonToolbar_i.instlDay - 15309

FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17

FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17

FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1711:43:53

FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon

FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar

FF - user.js: extensions.BabylonToolbar_i.aflt - babsst

FF - user.js: extensions.BabylonToolbar_i.smplGrp - none

FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9

FF - user.js: extensions.BabylonToolbar_i.newTab - false

FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=100489

FF - user.js: extensions.BabylonToolbar_i.babExt -

FF - user.js: extensions.BabylonToolbar_i.srcExt - ss

FF - user.js: extensions.BabylonToolbar_i.instlRef - sst

.

============= SERVICES / DRIVERS ===============

.

R0 EUBAKUP;EUBAKUP;C:\Windows\system32\drivers\eubakup.sys --> C:\Windows\system32\drivers\eubakup.sys [?]

R0 EUBKMON;EUBKMON;C:\Windows\system32\drivers\EUBKMON.sys --> C:\Windows\system32\drivers\EUBKMON.sys [?]

R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]

R1 ArcSec;ArcSec;C:\Windows\system32\drivers\ArcSec.sys --> C:\Windows\system32\drivers\ArcSec.sys [?]

R1 EUDSKACS;EUDSKACS;\??\C:\Windows\system32\drivers\eudskacs.sys --> C:\Windows\system32\drivers\eudskacs.sys [?]

R1 EUFDDISK;EUFDDISK;\??\C:\Windows\system32\drivers\EuFdDisk.sys --> C:\Windows\system32\drivers\EuFdDisk.sys [?]

R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]

R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-7-27 63960]

R2 Akamai;Akamai NetSession Interface;C:\Windows\System32\svchost.exe -k Akamai [2009-7-14 20992]

R2 EaseUS Agent;EaseUS Agent Service;C:\Program Files (x86)\EASEUS\Todo Backup\bin\Agent.exe [2012-7-9 70280]

R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;C:\Program Files\Firebird\Firebird_2_5\bin\fbguard.exe [2012-3-20 155136]

R2 Guard Agent;Guard Agent Service;C:\Program Files (x86)\EASEUS\Todo Backup\bin\GuardAgent.exe [2012-7-9 24712]

R2 LVPrcS64;Process Monitor;C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe [2009-10-7 191000]

R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-8-16 655944]

R2 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]

R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2012-5-15 2218600]

R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [2012-3-23 31920]

R2 Skype C2C Service;Skype C2C Service;C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-7-5 3048136]

R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-4-7 378472]

R2 VmbService;Vodafone Mobile Broadband Service;C:\Program Files (x86)\Vodafone\Vodafone Mobile Broadband\Bin\VmbService.exe [2011-3-29 9216]

R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;C:\Program Files\Firebird\Firebird_2_5\bin\fbserver.exe [2012-3-20 5683712]

R3 GVTDrv64;GVTDrv64;C:\Windows\GVTDrv64.sys [2010-8-7 30528]

R3 huawei_enumerator;huawei_enumerator;C:\Windows\system32\DRIVERS\ew_jubusenum.sys --> C:\Windows\system32\DRIVERS\ew_jubusenum.sys [?]

R3 lvpopf64;Logitech POP Suppression Filter;C:\Windows\system32\DRIVERS\lvpopf64.sys --> C:\Windows\system32\DRIVERS\lvpopf64.sys [?]

R3 LVPr2M64;Logitech LVPr2M64 Driver;C:\Windows\system32\DRIVERS\LVPr2M64.sys --> C:\Windows\system32\DRIVERS\LVPr2M64.sys [?]

R3 LVUSBS64;Logitech USB Monitor Filter;C:\Windows\system32\drivers\LVUSBS64.sys --> C:\Windows\system32\drivers\LVUSBS64.sys [?]

R3 LVUVC64;Logitech QuickCam Fusion(UVC);C:\Windows\system32\DRIVERS\lvuvc64.sys --> C:\Windows\system32\DRIVERS\lvuvc64.sys [?]

R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]

R3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\nusb3hub.sys --> C:\Windows\system32\DRIVERS\nusb3hub.sys [?]

R3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;C:\Windows\system32\DRIVERS\nusb3xhc.sys --> C:\Windows\system32\DRIVERS\nusb3xhc.sys [?]

R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]

R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]

R3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;C:\Windows\system32\DRIVERS\RTL8192su.sys --> C:\Windows\system32\DRIVERS\RTL8192su.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 cpuz134;cpuz134;\??\C:\Windows\system32\drivers\cpuz134_x64.sys --> C:\Windows\system32\drivers\cpuz134_x64.sys [?]

S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-11-25 136176]

S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-7-3 160944]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-10 250056]

S3 AODDriver;AODDriver;C:\Program Files (x86)\GIGABYTE\ET6\amd64\AODDriver.sys [2010-3-12 52280]

S3 athrusb;Atheros Wireless LAN USB device driver;C:\Windows\system32\DRIVERS\athrxusb.sys --> C:\Windows\system32\DRIVERS\athrxusb.sys [?]

S3 CGVPNCliSrvc;CyberGhost VPN Client;C:\Program Files\CyberGhost VPN\CGVPNCliService.exe [2011-10-25 2428968]

S3 epmntdrv;epmntdrv;C:\Windows\System32\epmntdrv.sys [2012-2-13 14216]

S3 etdrv;etdrv;C:\Windows\etdrv.sys [2010-8-7 25640]

S3 EuGdiDrv;EuGdiDrv;C:\Windows\System32\EuGdiDrv.sys [2012-2-13 8456]

S3 ewusbnet;HUAWEI USB-NDIS miniport;C:\Windows\system32\DRIVERS\ewusbnet.sys --> C:\Windows\system32\DRIVERS\ewusbnet.sys [?]

S3 ggflt;SEMC USB Flash Driver Filter;C:\Windows\system32\DRIVERS\ggflt.sys --> C:\Windows\system32\DRIVERS\ggflt.sys [?]

S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-11-25 136176]

S3 huawei_cdcacm;huawei_cdcacm;C:\Windows\system32\DRIVERS\ew_jucdcacm.sys --> C:\Windows\system32\DRIVERS\ew_jucdcacm.sys [?]

S3 huawei_ext_ctrl;huawei_ext_ctrl;C:\Windows\system32\DRIVERS\ew_juextctrl.sys --> C:\Windows\system32\DRIVERS\ew_juextctrl.sys [?]

S3 huawei_wwanecm;huawei_wwanecm;C:\Windows\system32\DRIVERS\ew_juwwanecm.sys --> C:\Windows\system32\DRIVERS\ew_juwwanecm.sys [?]

S3 hwusbfake;Huawei DataCard USB Fake;C:\Windows\system32\DRIVERS\ewusbfake.sys --> C:\Windows\system32\DRIVERS\ewusbfake.sys [?]

S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-6-18 114144]

S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-3-26 291696]

S3 rtkio;rtkio;C:\Program Files (x86)\Realtek\Smart Dual Lan\rtkio.sys [2010-1-1 17392]

S3 Sony PC Companion;Sony PC Companion;C:\Program Files (x86)\Sony\Sony PC Companion\PCCService.exe [2012-7-11 155320]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]

S3 WMZuneComm;Zune Windows Mobile Connectivity Service;C:\Program Files\Zune\WMZuneComm.exe [2011-8-5 306400]

S4 COM Service;COM Service;C:\Program Files (x86)\GIGABYTE\G.O.M\GCSVR.exe [2010-8-7 16384]

S4 DES2 Service;DES2 Service for Energy Saving.;C:\Program Files (x86)\GIGABYTE\EnergySaver2\des2svr.exe [2010-8-7 68136]

S4 EasyRedirect;EasyRedirect;C:\Program Files (x86)\Easy-Hide-IP\rdr\EasyRedirect.exe [2011-8-28 3092480]

S4 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-1-15 227232]

S4 Nalperion;Nalperion;C:\Windows\system32\nlssrv32.exe --> C:\Windows\system32\nlssrv32.exe [?]

S4 SDLService;SDLService;C:\Program Files (x86)\Realtek\Smart Dual Lan\SDLService.exe [2010-1-1 88064]

S4 Smart TimeLock;Smart TimeLock Service;C:\Program Files (x86)\GIGABYTE\smart6\timelock\TimeMgmtDaemon.exe [2010-8-7 114688]

S4 TeamViewer6;TeamViewer 6;C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2011-8-17 2358656]

S4 VMUSBArbService;VMware USB Arbitration Service;C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe [2011-3-25 539248]

.

=============== Created Last 30 ================

.

2012-08-16 11:56:43 -------- d-----w- C:\Program Files (x86)\ESET

2012-08-16 10:23:43 9133488 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{2114CE06-2A4D-438D-B495-7D5CD896CD07}\mpengine.dll

2012-08-16 08:58:23 -------- d-----w- C:\Users\Saskia Bakker\AppData\Roaming\Malwarebytes

2012-08-16 08:58:16 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys

2012-08-16 08:58:16 -------- d-----w- C:\ProgramData\Malwarebytes

2012-08-16 08:58:16 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-08-15 14:23:16 9133488 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2012-08-12 20:51:23 129024 ----a-w- C:\Windows\RegBootClean64.exe

2012-08-09 14:59:19 417792 ----a-w- C:\Program Files (x86)\Windows Media Player\Plugins\wmp_scrobbler.dll

2012-08-09 14:59:19 -------- d-----w- C:\ProgramData\Last.fm

2012-08-09 13:24:24 -------- d-----w- C:\Users\Saskia Bakker\AppData\Local\Last.fm

2012-08-09 13:24:20 -------- d-----w- C:\Program Files (x86)\Last.fm

2012-08-04 22:20:34 -------- d-----w- C:\Program Files (x86)\Common Files\Protexis

2012-08-04 22:18:37 -------- d-----w- C:\Users\Saskia Bakker\AppData\Local\Corel

2012-08-04 22:16:23 -------- d-----w- C:\Program Files (x86)\Common Files\Corel

2012-08-03 15:12:16 -------- d-----w- C:\VueScan

2012-08-03 03:38:24 9826504 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe

2012-07-28 16:04:56 -------- d-----w- C:\Users\Saskia Bakker\AppData\Roaming\RealNetworks

2012-07-28 16:04:22 -------- d-----w- C:\ProgramData\RealNetworks

2012-07-28 16:04:22 -------- d-----w- C:\Program Files (x86)\RealNetworks

2012-07-27 20:51:30 184248 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\nppdf32.dll

2012-07-27 20:51:30 184248 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\nppdf32.dll

2012-07-27 01:45:30 3148800 ----a-w- C:\Windows\System32\win32k.sys

2012-07-27 01:35:40 -------- d-----w- C:\Program Files (x86)\Microsoft CAPICOM 2.1.0.2

2012-07-27 01:11:48 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client

2012-07-27 01:09:01 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2012-07-27 01:09:01 2382848 ----a-w- C:\Windows\System32\mshtml.tlb

2012-07-27 01:09:00 174200 ----a-w- C:\Program Files\Internet Explorer\sqmapi.dll

2012-07-27 01:09:00 140920 ----a-w- C:\Program Files (x86)\Internet Explorer\sqmapi.dll

2012-07-26 05:31:03 1544704 ----a-w- C:\Windows\System32\DWrite.dll

2012-07-26 05:31:02 1077248 ----a-w- C:\Windows\SysWow64\DWrite.dll

2012-07-26 05:20:49 2004480 ----a-w- C:\Windows\System32\msxml6.dll

2012-07-26 05:20:48 2048 ----a-w- C:\Windows\SysWow64\msxml3r.dll

2012-07-26 05:20:48 2048 ----a-w- C:\Windows\System32\msxml3r.dll

2012-07-26 05:20:48 1881600 ----a-w- C:\Windows\System32\msxml3.dll

2012-07-26 05:20:48 1390080 ----a-w- C:\Windows\SysWow64\msxml6.dll

2012-07-26 05:20:48 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll

2012-07-26 05:03:54 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe

2012-07-26 05:03:54 77312 ----a-w- C:\Windows\System32\rdpwsx.dll

2012-07-26 05:03:54 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll

2012-07-26 05:03:52 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll

2012-07-26 05:03:52 95600 ----a-w- C:\Windows\System32\drivers\ksecdd.sys

2012-07-26 05:03:52 458704 ----a-w- C:\Windows\System32\drivers\cng.sys

2012-07-26 05:03:52 340992 ----a-w- C:\Windows\System32\schannel.dll

2012-07-26 05:03:52 307200 ----a-w- C:\Windows\System32\ncrypt.dll

2012-07-26 05:03:52 225280 ----a-w- C:\Windows\SysWow64\schannel.dll

2012-07-26 05:03:52 22016 ----a-w- C:\Windows\SysWow64\secur32.dll

2012-07-26 05:03:52 219136 ----a-w- C:\Windows\SysWow64\ncrypt.dll

2012-07-26 05:03:52 151920 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys

2012-07-26 04:56:41 209920 ----a-w- C:\Windows\System32\profsvc.dll

2012-07-26 04:47:12 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe

2012-07-26 04:47:12 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe

2012-07-26 04:47:11 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe

2012-07-26 04:07:21 936960 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\journal.dll

2012-07-26 04:07:21 1732096 ----a-w- C:\Program Files\Windows Journal\NBDoc.DLL

2012-07-26 04:07:21 1402880 ----a-w- C:\Program Files\Windows Journal\JNWDRV.dll

2012-07-26 04:07:21 1393664 ----a-w- C:\Program Files\Windows Journal\JNTFiltr.dll

2012-07-26 04:07:21 1367552 ----a-w- C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll

2012-07-26 03:56:33 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys

2012-07-26 02:17:09 75120 ----a-w- C:\Windows\System32\drivers\partmgr.sys

2012-07-26 02:17:07 3216384 ----a-w- C:\Windows\System32\msi.dll

2012-07-26 02:17:07 2342400 ----a-w- C:\Windows\SysWow64\msi.dll

2012-07-26 02:17:00 1462272 ----a-w- C:\Windows\System32\crypt32.dll

2012-07-26 02:16:59 184320 ----a-w- C:\Windows\System32\cryptsvc.dll

2012-07-26 02:16:59 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll

2012-07-26 02:16:59 140288 ----a-w- C:\Windows\System32\cryptnet.dll

2012-07-26 02:16:59 1158656 ----a-w- C:\Windows\SysWow64\crypt32.dll

2012-07-26 02:16:59 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll

2012-07-26 01:43:11 1918320 ----a-w- C:\Windows\System32\drivers\tcpip.sys

2012-07-26 01:03:41 81408 ----a-w- C:\Windows\System32\imagehlp.dll

2012-07-26 01:03:41 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys

2012-07-26 01:03:41 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll

2012-07-26 01:03:40 5120 ----a-w- C:\Windows\SysWow64\wmi.dll

2012-07-26 01:03:40 5120 ----a-w- C:\Windows\System32\wmi.dll

2012-07-26 01:03:40 220672 ----a-w- C:\Windows\System32\wintrust.dll

2012-07-26 01:03:40 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll

2012-07-26 00:08:43 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll

2012-07-26 00:08:43 1031680 ----a-w- C:\Windows\System32\rdpcore.dll

2012-07-26 00:08:42 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys

2012-07-25 23:54:15 2622464 ----a-w- C:\Windows\System32\wucltux.dll

2012-07-25 23:54:01 99840 ----a-w- C:\Windows\System32\wudriver.dll

2012-07-25 23:53:33 36864 ----a-w- C:\Windows\System32\wuapp.exe

2012-07-25 23:53:33 186752 ----a-w- C:\Windows\System32\wuwebv.dll

2012-07-25 22:13:54 -------- d-----w- C:\Users\Saskia Bakker\AppData\Local\MetaGeek,_LLC

2012-07-25 22:07:53 -------- d-----w- C:\Program Files (x86)\MetaGeek

2012-07-22 14:03:14 -------- d-----w- C:\Users\Saskia Bakker\AppData\Local\Macromedia

2012-07-19 23:19:51 772592 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll

.

==================== Find3M ====================

.

2012-08-16 10:56:37 30528 ----a-w- C:\Windows\GVTDrv64.sys

2012-08-16 10:56:25 25640 ----a-w- C:\Windows\gdrv.sys

2012-08-15 16:39:00 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2012-08-15 16:38:59 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2012-08-04 22:26:59 3140 --sha-w- C:\ProgramData\KGyGaAvL.sys

2012-07-29 23:53:00 454656 --sha-w- C:\EUMONBMP.SYS

2012-07-19 23:19:30 687600 ----a-w- C:\Windows\SysWow64\deployJava1.dll

2012-07-05 21:51:56 27760 ----a-w- C:\Windows\System32\drivers\ggsemc.sys

2012-07-05 21:51:56 14448 ----a-w- C:\Windows\System32\drivers\ggflt.sys

2012-06-06 06:02:54 1133568 ----a-w- C:\Windows\System32\cdosys.dll

2012-06-06 05:03:06 805376 ----a-w- C:\Windows\SysWow64\cdosys.dll

2012-06-02 12:12:17 2311680 ----a-w- C:\Windows\System32\jscript9.dll

2012-06-02 12:05:28 1392128 ----a-w- C:\Windows\System32\wininet.dll

2012-06-02 12:04:50 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl

2012-06-02 12:01:40 173056 ----a-w- C:\Windows\System32\ieUnatt.exe

2012-06-02 08:33:25 1800192 ----a-w- C:\Windows\SysWow64\jscript9.dll

2012-06-02 08:25:08 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll

2012-06-02 08:25:03 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl

2012-06-02 08:20:33 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe

2011-08-23 16:42:54 332144 ----a-w- C:\Program Files (x86)\Common Files\MediaOrganizer.dll

2011-08-23 16:35:38 33136 ----a-w- C:\Program Files (x86)\Common Files\FlickrProvider.dll

2011-08-23 16:35:14 402800 ----a-w- C:\Program Files (x86)\Common Files\facebook.dll

2011-08-23 16:35:14 130416 ----a-w- C:\Program Files (x86)\Common Files\PluginCommon.dll

2011-08-23 16:34:26 465264 ----a-w- C:\Program Files (x86)\Common Files\AppFramework.dll

.

============= FINISH: 14:08:57.18 ===============

Rogue quarantine.txt

Time : 16/08/2012 14:16:23

--------------------------

[c2c_service.exe.vir] -> C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe

Time : 16/08/2012 14:16:28

--------------------------

[c2c_service.exe.vir] -> C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe

Time : 16/08/2012 14:16:31

--------------------------

[c2c_service.exe.vir] -> C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe

Rogue general RKreport:

RogueKiller V7.6.6 [08/10/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User: Saskia Bakker [Admin rights]

Mode: DNSFix -- Date: 08/16/2012 14:16:31

¤¤¤ Bad processes: 1 ¤¤¤

[SUSP PATH] c2c_service.exe -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe -> KILLED [TermProc]

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Registry Entries: 2 ¤¤¤

[DNS] HKLM\[...]\ControlSet002\Parameters\Interfaces\{F377B502-C75E-445B-881B-8FF07E686059} : NameServer (212.166.132.110 212.73.32.67) -> REPLACED ()

[DNS] HKLM\[...]\ControlSet003\Parameters\Interfaces\{F377B502-C75E-445B-881B-8FF07E686059} : NameServer (212.166.132.110 212.73.32.67) -> REPLACED ()

Finished : << RKreport[3].txt >>

RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt

Attach.txt


Hello max3d and welcome! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend that you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

When we find a problem with malware type of backdoor, we must do the following:

BACKDOOR WARNING

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

Help: I Got Hacked. Now What Do I Do?

Help: I Got Hacked. Now What Do I Do? Part II

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

We cannot say anything for sure about what was stolen, or whether you are already totally clean. If you need any additional checks, we could help.


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


Thread re-opened per request by Max3d.

@ Max3d

Please always be prompt to reply to Maniac.

I will Maurice and will turn on email notifications. Missed that.

I have read all the links and understand that I will need to reformat to be sure. To do so I need to make backups of all data. Would these be safe? I have a separate data disk without any executables.

Also I suddenly noticed a new problem. The scans are still clean (but I understand from the provided links this is no longer 100% reliable) but suddenly (two days ago) Chrome stopped opening most websites. Not all though, for instance G+ still works. The error is always the same: it takes ages to load the site fully and then it says "took too long, do you want to wait etc." The same sites can be opened in Firefox and IE.

I checked the MBAM settings and it suddenly had one site in the ignore list. I haven't added it, but on doing a reverse ping it said it was the openx.org site which seems innocent. However when I run a tracert to that exact IP address 173.241.240.153 in a DOS box it says

Tracing route to ox-173-241-240-153.xa.dc.openx.org [173.241.240.153]

over a maximum of 30 hops:

1 General failure.

I checked the MBAM protection log and it shows several blocks to this IP address coming from iexplore.exe, firefox.exe and chrome.exe. They all have a line like this:

2012/08/25 03:25:13 +0200 WORKSTATION ComputerName IP-BLOCK 173.241.240.153 (Type: outgoing, Port: 62202, Process: firefox.exe) with a variety of port numbers from 8 to some in the 50,000 range and in the 60,000 range.

What I try to figure out is if this is still a symptom of a root kit somewhere or totally unrelated. If I'm free of the threat now, I can start preparing for backups and a complete format. If I'm still under remote control I don't even feel comfortable using any browser, reading my email and transferring my data to another PC. Maybe you can help me out.
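As an added example (not code from the thread or from Malwarebytes), here is a small parser for protection-log lines in the IP-BLOCK format quoted above. It aggregates blocked outgoing connections per destination IP, per process and port span, which is the first thing a responder would want to see when a poster reports "several blocks" across three browsers; the sample log lines are constructed in the same format, and the field names are assumptions based on that one quoted line.

```python
import re
from collections import Counter, defaultdict

# Regex for the MBAM protection-module IP-BLOCK line format as quoted in the
# thread. Timezone offset, "WORKSTATION" and the computer name are kept as
# opaque tokens; only the fields we aggregate on are captured.
IP_BLOCK_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<tz>[+-]\d{4}) "
    r"(?P<host>\S+) (?P<computer>\S+) IP-BLOCK (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\(Type: (?P<type>\w+), Port: (?P<port>\d+), Process: (?P<process>[^)]+)\)$"
)


def parse_ip_block(line):
    """Return a dict for one IP-BLOCK line, or None for any other log line."""
    m = IP_BLOCK_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["port"] = int(event["port"])
    return event


def summarize(lines):
    """Group IP-BLOCK events by destination IP: total count, count per process,
    and the lowest/highest port seen (the poster reported ports from 8 up to
    the 60,000 range, so the span itself is a useful signal)."""
    per_ip = defaultdict(lambda: {"count": 0, "processes": Counter(), "ports": []})
    for line in lines:
        ev = parse_ip_block(line)
        if ev is None:
            continue  # e.g. "PROTECTION ... Starting" lines are skipped
        entry = per_ip[ev["ip"]]
        entry["count"] += 1
        entry["processes"][ev["process"]] += 1
        entry["ports"].append(ev["port"])
    return {
        ip: {
            "count": e["count"],
            "processes": dict(e["processes"]),
            "port_min": min(e["ports"]),
            "port_max": max(e["ports"]),
        }
        for ip, e in per_ip.items()
    }


# Constructed sample: the first line is the one quoted in the thread, the rest
# are made up in the same format to show three browsers hitting one IP.
SAMPLE_LOG = """\
2012/08/25 03:25:13 +0200 WORKSTATION ComputerName IP-BLOCK 173.241.240.153 (Type: outgoing, Port: 62202, Process: firefox.exe)
2012/08/25 03:26:40 +0200 WORKSTATION ComputerName IP-BLOCK 173.241.240.153 (Type: outgoing, Port: 51344, Process: chrome.exe)
2012/08/25 03:31:02 +0200 WORKSTATION ComputerName IP-BLOCK 173.241.240.153 (Type: outgoing, Port: 8, Process: iexplore.exe)
2012/08/25 03:31:05 +0200 WORKSTATION ComputerName PROTECTION Malware Protection Starting
"""

if __name__ == "__main__":
    for ip, stats in summarize(SAMPLE_LOG.splitlines()).items():
        print(ip, stats)
```

Run against a real protection log, a single destination hit by every browser process with a wide spread of ports points at something loaded by the pages themselves (an ad or tracking host) rather than at one rogue process, whereas a non-browser process in the list is what to look at first.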


I have read all the links and understand that I will need to reformat to be sure. To do so I need to make backups of all data. Would these be safe? I have a separate data disk without any executables.

It is important not to have any executable files in your backup. If not, no problem.

What I try to figure out is if this is still a symptom of a root kit somewhere or totally unrelated. If I´m free of the threat now, I can start preparing for backups and a complete format. If I´m still under remote control I don´t even feel comfortable using any browser, reading my email and transferring my data to another PC. Maybe you can help me out.

Most likely due to malware.

Are browser-stored passwords readable for an attacker?

Read my Backdoor warning again.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

Browsers do their best to protect you, but is there a chance? Yes, there is always a chance, so change all of them from a clean system.

Malware prevention tips after the format:

http://forums.malwarebytes.org/index.php?showtopic=104379


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
