
Unsure if malware or not


xeraese


The internet browsers are loading slowly and most of the time unresponsive, especially Google Chrome.

I had a friend check it out yesterday (he knows more about this than me) and he found out the svchost.exe -k localservice is not running properly or something (forgot what he said).

I tried using Malwarebytes Anti-Malware but the problem still persists. Found some malware, though not sure if they are: wxdf and gbox.

I found this forum by chance while trying to fix it myself since I don't want to format my PC if it's solvable.

While checking for others with a similar problem to mine, the closest I found was almost the same one but with background ad noise, which I haven't heard... yet... I think.

Anyhow, here is the DDS log

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.7.2

Run by Ryuujin91 at 12:54:48 on 2012-09-16

Microsoft Windows 7 Home Premium 6.1.7600.0.932.81.1033.18.3583.2235 [GMT 8:00]

.

AV: Kaspersky Internet Security *Disabled/Updated* {56547CC9-C9B2-849D-8FEF-A496150D6A06}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Kaspersky Internet Security *Disabled/Updated* {ED359D2D-EF88-8B13-B55F-9FE46E8A20BB}

FW: Kaspersky Internet Security *Disabled* {6E6FFDEC-83DD-85C5-A4B0-0DA3EBDE2D7D}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\system32\atiesrxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\atieclxx.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\System32\svchost.exe -k Akamai

G:\Kaspersky\avp.exe

G:\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\PnkBstrA.exe

C:\Windows\system32\PnkBstrB.exe

C:\Program Files\Cyberlink\Shared files\RichVideo.exe

C:\Windows\system32\svchost.exe -k imgsvc

G:\Tunngle\TnglCtrl.exe

C:\Windows\System32\Drivers\WTSRV.EXE

G:\Kaspersky\avp.exe

G:\PowerISO\PWRISOVM.EXE

C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe

C:\Windows\System32\WTClient.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Users\Ryuujin91\AppData\Local\Google\Update\GoogleUpdate.exe

C:\Users\Ryuujin91\AppData\Local\Akamai\netsession_win.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\Users\Ryuujin91\AppData\Local\Akamai\netsession_win.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\System32\svchost.exe -k swprv

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\system32\wuauclt.exe

C:\Windows\system32\svchost.exe -k SDRSVC

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com.my/

uInternet Settings,ProxyOverride = 127.0.0.1:9421;<local>

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - g:\kaspersky\ievkbd.dll

BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll

BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - g:\kaspersky\klwtbbho.dll

TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll

uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun

uRun: [Google Update] "c:\users\ryuujin91\appdata\local\google\update\GoogleUpdate.exe" /c

uRun: [Akamai NetSession Interface] "c:\users\ryuujin91\appdata\local\akamai\netsession_win.exe"

mRun: [AVP] "g:\kaspersky\avp.exe"

mRun: [Adobe Reader Speed Launcher] "g:\adobe\reader\Reader_sl.exe"

mRun: [PWRISOVM.EXE] g:\poweriso\PWRISOVM.EXE

mRun: [HDAudDeck] c:\program files\via\viaudioi\vdeck\VDeck.exe -r

mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"

mRun: [WTClient] WTClient.exe

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

StartupFolder: c:\users\ryuuji~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: Add to Anti-Banner - g:\kaspersky\ie_banner_deny.htm

IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - g:\kaspersky\klwtbbho.dll

IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - g:\kaspersky\klwtbbho.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{146AD9BC-F77B-4BD5-AD06-7FAAB0BD74B6} : DhcpNameServer = 192.168.1.1

TCP: Interfaces\{2768937C-EDB5-4083-9B24-5AA082B3F6E3} : NameServer = 208.67.222.222,208.67.220.220

TCP: Interfaces\{2768937C-EDB5-4083-9B24-5AA082B3F6E3} : DhcpNameServer = 192.168.1.1

TCP: Interfaces\{61044311-285E-41C3-B3B3-F25B2B7CE6AC} : DhcpNameServer = 192.168.1.1

TCP: Interfaces\{6F74F726-DAA0-4127-8FB4-4EDB275099AC} : DhcpNameServer = 192.168.1.1

TCP: Interfaces\{982477FF-6E96-4200-9489-E2F459180B08} : NameServer = 208.67.222.222,208.67.220.220

TCP: Interfaces\{982477FF-6E96-4200-9489-E2F459180B08} : DhcpNameServer = 192.168.1.1

TCP: Interfaces\{9BC7C9CF-0353-4E06-95CA-798D886FAA30} : DhcpNameServer = 192.168.1.1

TCP: Interfaces\{EC5A0AAF-4F3C-4610-99C5-58D1344383DA} : DhcpNameServer = 192.168.1.1

TCP: Interfaces\{EEAC4984-054E-4B1F-A76F-D2365BE8FD5E} : NameServer = 208.67.222.222,208.67.220.220

TCP: Interfaces\{EEAC4984-054E-4B1F-A76F-D2365BE8FD5E} : DhcpNameServer = 192.168.1.1

TCP: Interfaces\{F0869FD8-EDD3-4EE1-86AA-5821E2D4AF67} : NameServer = 208.67.222.222,208.67.220.220

TCP: Interfaces\{F0869FD8-EDD3-4EE1-86AA-5821E2D4AF67} : DhcpNameServer = 192.168.1.1

TCP: Interfaces\{F0869FD8-EDD3-4EE1-86AA-5821E2D4AF67}\B4F644F575942554C4543535 : NameServer = 208.67.222.222,208.67.220.220

TCP: Interfaces\{F0869FD8-EDD3-4EE1-86AA-5821E2D4AF67}\B4F644F575942554C4543535 : DhcpNameServer = 192.168.1.1

Notify: klogon - c:\windows\system32\klogon.dll

AppInit_DLLs: g:\kasper~1\mzvkbd3.dll,c:\progra~1\sprote~1\sprote~1.dll,g:\kasper~1\kloehk.dll

.

============= SERVICES / DRIVERS ===============

.

R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2010-6-9 11352]

R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2010-4-22 22104]

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]

R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-7-14 20992]

R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-12-6 163328]

R2 AVP;Kaspersky Anti-Virus Service;g:\kaspersky\avp.exe -r --> g:\kaspersky\avp.exe -r [?]

R2 MBAMScheduler;MBAMScheduler;g:\malwarebytes' anti-malware\mbamscheduler.exe [2012-9-16 399432]

R2 TunngleService;TunngleService;g:\tunngle\TnglCtrl.exe [2011-10-25 745832]

R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2011-12-6 9067008]

R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2011-12-6 264192]

R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2011-10-18 85520]

R3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-3-3 218688]

R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-11-2 19984]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-9-16 22856]

R3 PTSimBus;PenTablet Bus Enumerator;c:\windows\system32\drivers\PTSimBus.sys [2012-1-19 23208]

R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-11 139776]

R3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);c:\windows\system32\drivers\tap0901t.sys [2011-10-25 27136]

R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2011-3-8 1102848]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 MBAMService;MBAMService;g:\malwarebytes' anti-malware\mbamservice.exe [2012-9-16 676936]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-9-10 250568]

S3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\drivers\athrusb.sys [2008-7-29 904192]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]

S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;e:\dragon age\bin_ship\daupdatersvc.service.exe [2009-12-16 25832]

S3 netr73;RT73 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr73.sys [2009-6-11 545792]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-14 14336]

S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-2-16 1343400]

S3 WL230V32;Aztech 802.11g WL230 1211B Driver;c:\windows\system32\drivers\WlanUZG.sys [2010-11-21 449536]

.

=============== Created Last 30 ================

.

2012-09-15 23:31:52 -------- d-----w- c:\programdata\Tunngle

2012-09-15 23:09:46 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-09-15 23:05:18 -------- d-----w- c:\users\ryuujin91\appdata\roaming\PC Cleaners

2012-09-15 23:05:11 4571960 ----a-w- c:\windows\uninst.exe

2012-09-15 23:05:09 -------- d-----w- c:\users\ryuujin91\appdata\roaming\PCPro

2012-09-15 23:05:09 -------- d-----w- c:\programdata\PC1Data

2012-09-15 23:05:09 -------- d-----w- c:\program files\PC Cleaners

2012-09-15 09:41:53 -------- d-----w- c:\program files\CCleaner

2012-09-15 05:56:13 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

2012-09-14 07:17:30 -------- d-----w- c:\users\ryuujin91\appdata\roaming\Malwarebytes

2012-09-14 07:16:56 -------- d-----w- c:\programdata\Malwarebytes

2012-09-14 06:58:44 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{0a2cf04b-fb58-4598-aa6f-fadfacc20fb5}\offreg.dll

2012-09-14 06:43:26 7022536 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{0a2cf04b-fb58-4598-aa6f-fadfacc20fb5}\mpengine.dll

2012-09-14 06:43:18 490496 ----a-w- c:\windows\system32\d3d10level9.dll

2012-09-10 08:35:47 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-08-26 11:43:08 -------- d-----w- c:\programdata\GBox

2012-08-26 11:43:03 -------- d-----w- c:\program files\SProtector

2012-08-26 11:41:33 -------- d-----w- c:\programdata\InstallMate

2012-08-21 21:07:49 -------- d-----w- c:\users\ryuujin91\appdata\roaming\Skyrim NPC Editor

2012-08-21 04:56:13 -------- d-----w- c:\users\ryuujin91\appdata\local\Skyrim NPC Editor

2012-08-20 23:05:19 -------- d-----w- c:\users\ryuujin91\appdata\local\Black_Tree_Gaming

.

==================== Find3M ====================

.

2012-09-15 05:56:04 821736 ----a-w- c:\windows\system32\npDeployJava1.dll

2012-09-15 05:56:04 746984 ----a-w- c:\windows\system32\deployJava1.dll

2012-09-10 08:35:47 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-07-18 17:10:29 2344448 ----a-w- c:\windows\system32\win32k.sys

2012-07-04 21:23:55 41472 ----a-w- c:\windows\system32\browcli.dll

2012-07-04 21:23:55 102912 ----a-w- c:\windows\system32\browser.dll

2012-06-29 00:16:58 1800704 ----a-w- c:\windows\system32\jscript9.dll

2012-06-29 00:09:01 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-06-29 00:08:59 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-06-29 00:04:43 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-06-29 00:00:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb

.

============= FINISH: 12:55:24.39 ===============

PS: I apologize if my English is problematic. Still learning more about English...


Logs will be closed if you haven't replied within 3 days

Please do not attach the scan results from ComboFix. Use copy/paste.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With admin rights (right click, choose "Run as Administrator").

Download ComboFix from this link

Link 1

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: ComboFix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have XP SP3, use the XP SP2 package.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.


First of all, sorry, I forgot to turn off Windows Defender. Just realized it when I saw the log after ComboFix finished; I hope this doesn't interfere with the program...

Thank you very much. The internet browsers are back to normal and so far no other problems left, I think...

Here's the ComboFix log:

ComboFix 12-09-18.07 - Ryuujin91 20/09/2012 8:54.1.4 - x86

Microsoft Windows 7 Home Premium 6.1.7600.0.932.81.1033.18.3583.2358 [GMT 8:00]

Running from: c:\users\Ryuujin91\Desktop\ComboFix.exe

AV: Kaspersky Internet Security *Disabled/Updated* {56547CC9-C9B2-849D-8FEF-A496150D6A06}

FW: Kaspersky Internet Security *Disabled* {6E6FFDEC-83DD-85C5-A4B0-0DA3EBDE2D7D}

SP: Kaspersky Internet Security *Disabled/Updated* {ED359D2D-EF88-8B13-B55F-9FE46E8A20BB}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\Ryuujin91\AppData\Roaming\698e8de9c79e614b8d6a96b5ce9682e6-i686.cache-2

c:\users\Ryuujin91\AppData\Roaming\BDL+D

c:\users\Ryuujin91\AppData\Roaming\BDL+D\DLSite(DIGI)\W-D-00023\____.hld

c:\users\Ryuujin91\AppData\Roaming\BDL+D\DLSite(DIGI)\W-D-00023\____.sys

c:\users\Ryuujin91\AppData\Roaming\BDL+D\MANGAGAMER.COM\E8CF49B1-CE27-40B2-80C2-6E4ED4417092\____.hld

c:\users\Ryuujin91\AppData\Roaming\BDL+D\MANGAGAMER.COM\E8CF49B1-CE27-40B2-80C2-6E4ED4417092\____.sys

c:\windows\IsUn0411.exe

c:\windows\system32\SET7FDD.tmp

c:\windows\system32\SET80F8.tmp

c:\windows\system32\SET8C48.tmp

c:\windows\system32\SET8D93.tmp

c:\windows\system32\SET8DC4.tmp

c:\windows\system32\SET8E34.tmp

c:\windows\system32\SET8E84.tmp

c:\windows\system32\themeservice.dll.tmp

c:\windows\system32\themeui.dll.tmp

c:\windows\system32\uxtheme.dll.tmp

G:\RealPlayer.exe

.

.

((((((((((((((((((((((((( Files Created from 2012-08-20 to 2012-09-20 )))))))))))))))))))))))))))))))

.

.

2012-09-20 01:05 . 2012-09-20 01:05 -------- d-----w- c:\users\Ryuujin91\AppData\Local\temp

2012-09-20 01:05 . 2012-09-20 01:05 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-09-20 01:02 . 2012-09-20 01:02 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{068FEC54-38D7-461B-90E5-3B072C06FEC8}\offreg.dll

2012-09-18 23:22 . 2012-08-23 07:15 7022536 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{068FEC54-38D7-461B-90E5-3B072C06FEC8}\mpengine.dll

2012-09-15 23:31 . 2012-09-15 23:31 -------- d-----w- c:\programdata\Tunngle

2012-09-15 23:09 . 2012-09-07 09:04 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-09-15 23:05 . 2012-09-15 23:05 -------- d-----w- c:\users\Ryuujin91\AppData\Roaming\PC Cleaners

2012-09-15 23:05 . 2012-09-15 23:03 4571960 ----a-w- c:\windows\uninst.exe

2012-09-15 23:05 . 2012-09-15 23:05 -------- d-----w- c:\users\Ryuujin91\AppData\Roaming\PCPro

2012-09-15 23:05 . 2012-09-15 23:05 -------- d-----w- c:\program files\PC Cleaners

2012-09-15 23:05 . 2012-09-15 23:05 -------- d-----w- c:\programdata\PC1Data

2012-09-15 09:41 . 2012-09-15 09:41 -------- d-----w- c:\program files\CCleaner

2012-09-15 07:16 . 2012-09-15 07:16 -------- d-----w- c:\program files\Common Files\Java

2012-09-15 05:56 . 2012-09-15 05:56 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

2012-09-14 07:17 . 2012-09-14 07:17 -------- d-----w- c:\users\Ryuujin91\AppData\Roaming\Malwarebytes

2012-09-14 07:16 . 2012-09-14 07:16 -------- d-----w- c:\programdata\Malwarebytes

2012-09-14 06:43 . 2012-08-02 17:05 490496 ----a-w- c:\windows\system32\d3d10level9.dll

2012-09-10 22:46 . 2012-09-10 22:46 -------- d-----w- c:\users\Ryuujin91\AppData\Roaming\InstallShield

2012-09-10 08:35 . 2012-09-10 08:35 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-08-26 11:43 . 2012-09-15 23:31 -------- d-----w- c:\programdata\GBox

2012-08-26 11:43 . 2012-08-26 11:43 -------- d-----w- c:\program files\SProtector

2012-08-26 11:41 . 2012-09-14 06:34 -------- d-----w- c:\programdata\InstallMate

2012-08-21 21:07 . 2012-08-21 21:07 -------- d-----w- c:\users\Ryuujin91\AppData\Roaming\Skyrim NPC Editor

2012-08-21 04:56 . 2012-08-21 04:56 -------- d-----w- c:\users\Ryuujin91\AppData\Local\Skyrim NPC Editor

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-09-15 05:56 . 2012-07-05 22:51 821736 ----a-w- c:\windows\system32\npDeployJava1.dll

2012-09-15 05:56 . 2011-02-17 11:08 746984 ----a-w- c:\windows\system32\deployJava1.dll

2012-09-10 08:35 . 2011-06-15 22:30 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-07-18 17:10 . 2012-08-16 00:04 2344448 ----a-w- c:\windows\system32\win32k.sys

2012-07-04 21:23 . 2012-08-16 00:03 41472 ----a-w- c:\windows\system32\browcli.dll

2012-07-04 21:23 . 2012-08-16 00:03 102912 ----a-w- c:\windows\system32\browser.dll

2012-06-29 00:16 . 2012-08-16 19:01 1800704 ----a-w- c:\windows\system32\jscript9.dll

2012-06-29 00:09 . 2012-08-16 19:01 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-06-29 00:08 . 2012-08-16 19:01 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-06-29 00:04 . 2012-08-16 19:01 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-06-29 00:00 . 2012-08-16 19:01 2382848 ----a-w- c:\windows\system32\mshtml.tlb

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]

"Akamai NetSession Interface"="c:\users\Ryuujin91\AppData\Local\Akamai\netsession_win.exe" [2012-08-10 4440896]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AVP"="g:\kaspersky\avp.exe" [2010-11-21 352976]

"Adobe Reader Speed Launcher"="g:\adobe\Reader\Reader_sl.exe" [2008-06-11 34672]

"PWRISOVM.EXE"="g:\poweriso\PWRISOVM.EXE" [2008-11-02 167936]

"HDAudDeck"="c:\program files\VIA\VIAudioi\VDeck\VDeck.exe" [2009-10-28 1701888]

"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-05 500208]

"WTClient"="WTClient.exe" [2009-10-30 32768]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-12-05 343168]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]

.

c:\users\Ryuujin91\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=g:\kasper~1\mzvkbd3.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux2"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

.

R2 MBAMService;MBAMService;g:\malwarebytes' anti-malware\mbamservice.exe [x]

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]

R3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\DRIVERS\athrusb.sys [x]

R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;e:\dragon age\bin_ship\DAUpdaterSvc.Service.exe [x]

R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [x]

R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [x]

R3 PTSimHid;PenTablet Simulated HID MiniDriver;c:\windows\System32\Drivers\PTSimHid.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

R3 WL230V32;Aztech 802.11g WL230 1211B Driver;c:\windows\system32\DRIVERS\WlanUZG.sys [x]

R3 XDva356;XDva356;c:\windows\system32\XDva356.sys [x]

R3 XDva385;XDva385;c:\windows\system32\XDva385.sys [x]

S1 kl2;kl2;c:\windows\system32\DRIVERS\kl2.sys [x]

S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [x]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]

S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [x]

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]

S2 MBAMScheduler;MBAMScheduler;g:\malwarebytes' anti-malware\mbamscheduler.exe [x]

S2 TunngleService;TunngleService;g:\tunngle\TnglCtrl.exe [x]

S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]

S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]

S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [x]

S3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]

S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [x]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]

S3 netr73;RT73 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr73.sys [x]

S3 PTSimBus;PenTablet Bus Enumerator;c:\windows\system32\DRIVERS\PTSimBus.sys [x]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]

S3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);c:\windows\system32\DRIVERS\tap0901t.sys [x]

S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [x]

S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

Akamai REG_MULTI_SZ Akamai

.

Contents of the 'Scheduled Tasks' folder

.

2012-09-20 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-10 08:35]

.

2012-09-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-234617212-88641621-211170840-1000Core.job

- c:\users\Ryuujin91\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-17 03:40]

.

2012-09-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-234617212-88641621-211170840-1000UA.job

- c:\users\Ryuujin91\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-17 03:40]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com.my/

uInternet Settings,ProxyOverride = 127.0.0.1:9421;<local>

IE: Add to Anti-Banner - g:\kaspersky\ie_banner_deny.htm

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{2768937C-EDB5-4083-9B24-5AA082B3F6E3}: NameServer = 208.67.222.222,208.67.220.220

TCP: Interfaces\{982477FF-6E96-4200-9489-E2F459180B08}: NameServer = 208.67.222.222,208.67.220.220

TCP: Interfaces\{EEAC4984-054E-4B1F-A76F-D2365BE8FD5E}: NameServer = 208.67.222.222,208.67.220.220

TCP: Interfaces\{F0869FD8-EDD3-4EE1-86AA-5821E2D4AF67}: NameServer = 208.67.222.222,208.67.220.220

TCP: Interfaces\{F0869FD8-EDD3-4EE1-86AA-5821E2D4AF67}\B4F644F575942554C4543535: NameServer = 208.67.222.222,208.67.220.220

.

- - - - ORPHANS REMOVED - - - -

.

AddRemove-InstallShield_{19B5CAAF-3E36-40F4-83F2-45E0D258000C} - c:\program files\InstallShield Installation Information\{19B5CAAF-3E36-40F4-83F2-45E0D258000C}\setup.exe

AddRemove-InstallShield_{C7B5C8A0-CE3F-4645-A0B6-B5515794076D} - c:\program files\InstallShield Installation Information\{C7B5C8A0-CE3F-4645-A0B6-B5515794076D}\setup.exe

AddRemove-InstallShield_{EFE563B0-DDDB-45AF-B49A-C109C93E5F35} - c:\program files\InstallShield Installation Information\{EFE563B0-DDDB-45AF-B49A-C109C93E5F35}\setup.exe

AddRemove-{173F2B02-2AAA-414F-A2D8-44870BB98F7A} - c:\program files (x86)\InstallShield Installation Information\{173F2B02-2AAA-414F-A2D8-44870BB98F7A}\setup.exe

AddRemove-{4F4C5E11-0612-48D2-8055-987992AAC432} - c:\programdata\wxDfast\uninstall.exe

AddRemove-・¬ ̄?UI§YA?T±?1??‘a?i - c:\windows\IsUn0411.exe

AddRemove-キャッスルファンタジア聖魔大戦 - c:\windows\IsUn0411.exe

AddRemove-Mozilla Firefox 8.0.1 (x86 en-US) - g:\firefox\uninstall\helper.exe

.

.

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\Akamai]

"ServiceDll"="c:\program files\common files\akamai/netsession_win_5891ae0.dll"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2012-09-20 09:08:47

ComboFix-quarantined-files.txt 2012-09-20 01:08

.

Pre-Run: 100,875,194,368 bytes free

Post-Run: 113,323,560,960 bytes free

.

- - End Of File - - 248C976A2CC6221ACD013C1E6E5ED8D1

Good job

The following will implement some cleanup procedures as well as reset System Restore points:

For XP:

  • Click START run
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.

For Vista / Windows 7

  • Click START Search
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.

Here's my usual final post

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

Log looks good :D

  • Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week
    (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  • Use a Firewall - I cannot stress how important it is that you use a firewall on your computer.
    Without a firewall your computer is susceptible to being hacked and taken over.
    I am very serious about this and see it happen almost every day with my clients.
    Simply using a firewall in its default configuration can lower your risk greatly.

  • Securing Your Web Browser
    This paper will help you configure your web browser for safer internet surfing.
  • Using a secure browser plugin: M86 SecureBrowsing makes it safe to search, surf and socialize online. This free browser plug-in displays security icons next to links on search engines and social networking sites like Facebook, Twitter and LinkedIn, so you'll know which pages are safe and which ones to avoid.
    • Free browser plug-in for Internet Explorer and Firefox
    • Real-time safety ratings
    • Ideal for Facebook, Twitter and LinkedIn
  • JAVA - Click this link and click on the Free JAVA Download
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
    This will ensure your computer always has the latest available security updates installed.
    If there are new updates to install, install them immediately, reboot your computer, and revisit the site
    until there are no more critical updates.

Only run one Anti-Virus and Firewall program.

I would suggest you read:

PC Safety and Security--What Do I Need?

How to Prevent Malware:

The full version of Malwarebytes' Anti-Malware could have helped protect your computer against this threat.

We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.
