
check it as soon as possible


hciic


Hi sir, yesterday I downloaded a file from my email. I don't know whether this was FUD or what, but it was a remote administration trojan.

He wished to get access to my computer through that file. It was not detected by Avast antivirus. I scanned my computer with Malwarebytes and it didn't detect anything, but there is one thing I saw: Malwarebytes detected some outgoing connection two times and blocked it. I am going to upload those pictures also.

Please, I need a suggestion on what to do. Check the picture also of what Malwarebytes detected.

dds.txt

attach.txt



Run the following and post the log..

Please download RogueKiller from here http://tigzy.geeksto...RogueKiller.exe and save Direct to your Desktop.

  • Quit all running programs
  • For Vista/Seven, right click -> run as administrator; for XP simply run RogueKiller.exe
  • Wait until the prescan has finished...
  • The EULA will appear; please select Accept
  • Ensure MBR scan, Check faked and AntiRootkit are checked
  • Select Scan
  • When the scan completes select Report, copy and paste that to your reply.


RogueKiller V8.3.1 [Nov 29 2012] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version

Started in : Normal mode

User : iamnoob [Admin rights]

Mode : Scan -- Date : 12/02/2012 00:56:53

¤¤¤ Bad processes : 3 ¤¤¤

[SUSP PATH] ouc.exe -- C:\ProgramData\Broadband\OnlineUpdate\ouc.exe -> KILLED [TermProc]

[SUSP PATH] DCSHelper.exe -- C:\ProgramData\DatacardService\DCSHelper.exe -> KILLED [TermProc]

[SUSP PATH] VaudiX.exe -- C:\ProgramData\Premium\VaudiX\VaudiX.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 13 ¤¤¤

[TASK][SUSP PATH] VaudiXUpdaterTask{7DC5EE4F-4C00-487D-A34F-077B97CF1758}.job : C:\ProgramData\Premium\VaudiX\VaudiX.exe /schedule /profilepath "C:\ProgramData\Premium\VaudiX\profile.ini" -> FOUND

[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{25347A4F-DA88-49EA-9B2E-C2FBBEF62F3B} : NameServer (119.159.255.36 8.8.8.8) -> FOUND

[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{3EF3295D-ADE4-4B0E-86F4-7719FBD610F4} : NameServer (119.159.255.36 8.8.8.8) -> FOUND

[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{71DC5600-291B-41DD-AFC4-AE2546950FB7} : NameServer (119.159.255.36) -> FOUND

[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{A3AF4DD0-55AB-418C-9A51-6A1F3D8F6FAF} : NameServer (203.99.163.240,208.67.222.222) -> FOUND

[DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{25347A4F-DA88-49EA-9B2E-C2FBBEF62F3B} : NameServer (119.159.255.36 8.8.8.8) -> FOUND

[DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{3EF3295D-ADE4-4B0E-86F4-7719FBD610F4} : NameServer (119.159.255.36 8.8.8.8) -> FOUND

[DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{71DC5600-291B-41DD-AFC4-AE2546950FB7} : NameServer (119.159.255.36 8.8.8.8) -> FOUND

[DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{A3AF4DD0-55AB-418C-9A51-6A1F3D8F6FAF} : NameServer (203.99.163.240,208.67.222.222) -> FOUND

[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD3200BEVT-22ZCT0 ATA Device +++++

--- User ---

[MBR] 3d3494d314718fa29b77a3b995c031da

[BSP] bf1a441159fc0e25446037daca2178a1 : Windows 7/8 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 80303 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 164667392 | Size: 80000 Mo

3 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 328507392 | Size: 144840 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1]_S_12022012_02d0056.txt >>



Delete any versions of ComboFix that you may have on your Desktop and download a fresh copy from the following link:

Combofix

  • Ensure that Combofix is saved directly to the Desktop <--- Very important
  • Disable all security programs as they will have a negative effect on Combofix, instructions available Here if required. Be aware the list may not have all programs listed, if you need more help please ask.
  • Close any open browsers and any other programs you might have running
  • Double click the ComboFix icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")
  • Instructions for running Combofix available Here if required.
  • If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read Here why disabling autoruns is recommended.

*EXTRA NOTES*

  • If ComboFix detects any rootkit/bootkit activity on your system it will give a warning and prompt for a reboot; you must allow it to do so.
  • If ComboFix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
  • If after running ComboFix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

Post the log in next reply please...

Kevin


ComboFix 12-12-01.02 - iamnoob 12/02/2012 1:20.1.2 - x86

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3003.1371 [GMT 5:00]

Running from: c:\users\iamnoob\Downloads\ComboFix.exe

AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}

SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}

SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

ADS - system32: deleted 12 bytes in 1 streams.

.

((((((((((((((((((((((((( Files Created from 2012-11-01 to 2012-12-01 )))))))))))))))))))))))))))))))

.

.

2012-12-01 20:31 . 2012-12-01 20:31 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-12-01 19:56 . 2012-12-01 19:56 14336 ----a-w- c:\windows\system32\drivers\TrueSight.sys

2012-12-01 19:55 . 2012-12-01 19:55 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{BD732E4B-D13F-4D53-8442-0DB68E28E5C9}\offreg.dll

2012-12-01 18:27 . 2012-12-01 18:27 -------- d-----w- c:\programdata\TamoSoft

2012-12-01 18:27 . 2012-12-01 18:27 -------- d-----w- c:\program files\CommView

2012-11-30 21:30 . 2012-12-01 10:18 -------- d-----w- c:\program files\Exterminate It!

2012-11-29 21:28 . 2012-11-30 19:44 -------- d-----w- c:\program files\Paint.NET

2012-11-29 13:53 . 2012-11-29 13:53 -------- d-----w- c:\program files\Pixlr

2012-11-29 13:53 . 2012-11-29 13:53 -------- d-----w- c:\program files\Common Files\Adobe AIR

2012-11-26 10:05 . 2012-11-26 10:05 -------- d-----w- c:\programdata\Broadband

2012-11-26 10:04 . 2012-11-27 20:58 1112288 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll

2012-11-26 10:04 . 2012-11-27 20:58 1112288 ----a-w- c:\windows\system32\drivers\WdfCoInstaller01007.dll

2012-11-26 10:02 . 2012-11-27 21:00 -------- d-----w- c:\programdata\DatacardService

2012-11-25 05:57 . 2012-11-25 06:01 -------- d-----w- c:\program files\FDRLab

2012-11-25 05:46 . 2012-11-25 05:46 -------- d-----w- c:\windows\Sun

2012-11-25 05:34 . 2012-11-25 05:56 -------- d-----w- c:\program files\Stealth Keyword Competition Analyzer

2012-11-24 09:26 . 2012-11-24 09:26 -------- d-----w- c:\users\Public\DesktopSuper-AlexaBooster V1.10

2012-11-24 09:26 . 2012-11-24 09:26 -------- d-----w- c:\users\Public\DesktopSuper Alexa Booster

2012-11-24 09:26 . 2012-11-24 09:26 -------- d-----w- c:\program files\Super AlexaBooster

2012-11-24 05:54 . 2012-11-25 06:36 -------- d-----w- c:\programdata\Keyword Sniper Pro

2012-11-24 05:54 . 2008-04-13 21:12 506368 ----a-w- c:\windows\system32\msxml.dll

2012-11-24 05:54 . 2012-11-25 06:36 -------- d-----w- c:\program files\Keyword Sniper Pro

2012-11-24 05:54 . 2008-05-14 17:48 28672 ----a-w- c:\windows\system32\lgpi32.dll

2012-11-24 05:54 . 1997-01-24 11:29 1334032 ----a-w- c:\windows\system32\msvbvm50.dll

2012-11-21 08:15 . 2012-11-21 08:15 23456 ----a-w- c:\windows\system32\drivers\DrvAgent32.sys

2012-11-20 06:00 . 2012-11-20 06:00 -------- d-sh--w- c:\windows\system32\AI_RecycleBin

2012-11-20 06:00 . 2012-11-20 06:00 -------- d-----w- c:\programdata\Caphyon

2012-11-20 05:59 . 2012-11-20 11:12 -------- d-----w- c:\program files\spotflux

2012-11-20 05:58 . 2012-11-20 05:58 -------- d-----w- c:\program files\Common Files\Java

2012-11-20 05:57 . 2012-11-20 05:57 -------- d-----w- c:\program files\Oracle

2012-11-20 05:57 . 2012-05-04 14:29 772504 ----a-w- c:\windows\system32\npDeployJava1.dll

2012-11-20 05:57 . 2012-05-04 14:29 687504 ----a-w- c:\windows\system32\deployJava1.dll

2012-11-20 05:56 . 2012-11-20 05:56 -------- d-----w- c:\program files\Java

2012-11-14 00:43 . 2012-11-14 00:43 -------- d-----w- c:\program files\Foxit Software

2012-11-14 00:17 . 2012-11-14 00:17 32000 ----a-w- c:\windows\system32\drivers\stppp.sys

2012-11-14 00:17 . 2012-11-14 00:17 30464 ----a-w- c:\windows\system32\drivers\st330.sys

2012-11-14 00:17 . 2012-11-14 00:17 16128 ----a-w- c:\windows\system32\drivers\lpwdm.sys

2012-11-14 00:17 . 2012-11-14 00:17 12672 ----a-w- c:\windows\system32\drivers\stbus.sys

2012-11-14 00:13 . 2012-11-14 00:13 -------- d-----w- c:\program files\Thomson SpeedTouch

2012-11-12 15:08 . 2012-11-12 15:08 -------- d-----w- c:\program files\Microsoft Works

2012-11-12 15:07 . 2012-11-24 21:08 -------- d-----w- c:\program files\Microsoft.NET

2012-11-12 15:07 . 2012-11-12 15:07 -------- d-----w- c:\windows\PCHEALTH

2012-11-12 15:06 . 2012-11-12 15:06 -------- d-----w- c:\program files\Microsoft Visual Studio 8

2012-11-12 15:05 . 2012-11-12 15:10 -------- d-----w- c:\programdata\Microsoft Help

2012-11-12 15:04 . 2012-11-12 15:04 -------- d-----r- C:\MSOCache

2012-11-12 10:09 . 2012-11-12 10:09 -------- d-----w- c:\program files\TheBestSpinner3

2012-11-11 22:15 . 2012-11-11 22:15 -------- d-----w- c:\program files\Notepad++

2012-11-11 21:04 . 2012-11-11 21:04 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-11-11 21:04 . 2012-11-11 21:04 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-11-11 21:04 . 2012-11-11 21:04 -------- d-----w- c:\windows\system32\Macromed

2012-11-11 17:52 . 2012-11-11 17:52 -------- d-----w- c:\program files\VaudiX

2012-11-11 17:51 . 2012-11-11 17:52 -------- d-----w- c:\programdata\Premium

2012-11-11 00:03 . 2012-11-11 00:03 -------- d-----w- c:\programdata\Persist

2012-11-10 19:26 . 2012-11-11 17:52 -------- d-----w- c:\programdata\InstallMate

2012-11-08 18:27 . 2012-11-22 11:51 -------- d-----r- c:\program files\Skype

2012-11-08 18:27 . 2012-11-08 18:27 -------- d-----w- c:\program files\Common Files\Skype

2012-11-08 18:27 . 2012-11-22 11:51 -------- d-----w- c:\programdata\Skype

2012-11-08 17:51 . 2012-11-08 17:51 -------- d-----w- c:\program files\Acer

2012-11-08 17:51 . 2012-11-08 17:50 206208 ----a-w- c:\windows\PLFSetI.exe

2012-11-08 17:51 . 2009-12-16 10:13 113264 ----a-w- c:\windows\FixUVC.exe

2012-11-08 17:42 . 2009-12-02 14:52 24576 ----a-w- c:\windows\snuvcdsm.exe

2012-11-08 17:42 . 2009-09-10 14:18 239616 ----a-w- c:\windows\system32\rsnp2uvc.dll

2012-11-08 17:42 . 2009-09-10 13:29 1761280 ----a-w- c:\windows\system32\drivers\snp2uvc.sys

2012-11-08 17:42 . 2008-12-29 12:13 28544 ----a-w- c:\windows\system32\drivers\sncduvc.sys

2012-11-08 17:42 . 2012-11-08 17:42 -------- d-----w- c:\program files\Common Files\SNP2UVC

2012-11-08 17:42 . 2012-11-08 17:42 -------- d-----w- c:\windows\SUYIN NB Cam

2012-11-08 17:42 . 2009-11-20 10:36 94208 ----a-w- c:\windows\PLFSetL.exe

2012-11-08 17:42 . 2012-11-08 17:51 -------- d--h--w- c:\program files\InstallShield Installation Information

2012-11-08 12:52 . 2012-11-08 12:52 -------- d-----w- c:\programdata\Malwarebytes

2012-11-08 12:52 . 2012-11-08 12:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-11-08 12:52 . 2012-09-29 14:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-11-08 12:48 . 2012-03-01 05:46 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys

2012-11-08 12:48 . 2012-03-01 05:33 159232 ----a-w- c:\windows\system32\imagehlp.dll

2012-11-08 12:48 . 2012-03-01 05:29 5120 ----a-w- c:\windows\system32\wmi.dll

2012-11-07 04:22 . 2012-11-06 15:34 -------- d-----w- c:\windows\Panther

2012-11-07 01:05 . 2012-09-14 18:28 2048 ----a-w- c:\windows\system32\tzres.dll

2012-11-07 01:04 . 2011-11-19 14:01 67072 ----a-w- c:\windows\system32\packager.dll

2012-11-07 01:04 . 2012-03-31 02:36 2343424 ----a-w- c:\windows\system32\win32k.sys

2012-11-07 01:04 . 2011-10-15 05:38 534528 ----a-w- c:\windows\system32\EncDec.dll

2012-11-07 01:04 . 2012-07-04 21:14 41984 ----a-w- c:\windows\system32\browcli.dll

2012-11-07 01:04 . 2012-07-04 21:14 102912 ----a-w- c:\windows\system32\browser.dll

2012-11-07 01:04 . 2011-02-24 05:38 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll

2012-11-07 01:04 . 2011-10-26 04:28 38912 ----a-w- c:\windows\system32\csrsrv.dll

2012-11-07 01:04 . 2011-10-26 04:32 514560 ----a-w- c:\windows\system32\qdvd.dll

2012-11-07 01:04 . 2011-10-26 04:32 1328128 ----a-w- c:\windows\system32\quartz.dll

2012-11-07 01:04 . 2011-02-25 05:30 2616320 ----a-w- c:\windows\explorer.exe

2012-11-07 01:04 . 2012-08-10 23:56 542208 ----a-w- c:\windows\system32\kerberos.dll

2012-11-07 00:48 . 2012-10-15 15:59 44784 ----a-w- c:\windows\system32\drivers\aswRdr2.sys

2012-11-07 00:48 . 2012-10-30 22:51 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2012-11-07 00:32 . 2012-11-07 00:42 -------- d-----w- c:\program files\Google

2012-11-06 17:59 . 2012-11-06 17:59 -------- d-----w- c:\program files\Intel

2012-11-06 17:59 . 2012-11-06 17:59 -------- d-----w- C:\Intel

2012-11-06 17:56 . 2012-10-16 20:32 6918632 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{BD732E4B-D13F-4D53-8442-0DB68E28E5C9}\mpengine.dll

2012-11-06 17:56 . 2012-05-31 06:25 237072 ------w- c:\windows\system32\MpSigStub.exe

2012-11-06 17:20 . 2012-02-17 05:34 826880 ----a-w- c:\windows\system32\rdpcore.dll

2012-11-06 17:20 . 2012-02-17 04:14 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-11-06 17:20 . 2012-02-17 04:13 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys

2012-11-06 17:12 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe

2012-11-06 17:12 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll

2012-11-06 17:12 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll

2012-11-06 17:12 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-11-06 17:12 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll

2012-11-06 17:12 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll

2012-11-06 17:12 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-11-06 17:12 . 2012-06-02 10:19 171904 ----a-w- c:\windows\system32\wuwebv.dll

2012-11-06 17:12 . 2012-06-02 10:12 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-11-06 17:07 . 2010-04-21 13:47 105472 ----a-w- c:\windows\system32\drivers\CT_ZTEMT_U_USBSER.sys

2012-11-06 17:07 . 2012-11-06 17:07 -------- d-----w- c:\program files\EVDO BROADBAND PTCL

2012-11-06 17:06 . 2012-10-30 22:51 361032 ----a-w- c:\windows\system32\drivers\aswSP.sys

2012-11-06 17:06 . 2012-10-30 22:51 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2012-11-06 17:06 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2012-11-06 17:06 . 2012-10-30 22:51 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2012-11-06 17:06 . 2012-10-30 22:51 58680 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys

2012-11-06 17:06 . 2012-11-29 13:53 -------- d-sh--w- c:\windows\Installer

2012-11-06 17:05 . 2012-10-30 22:51 41224 ----a-w- c:\windows\avastSS.scr

2012-11-06 17:05 . 2012-10-30 22:50 227648 ----a-w- c:\windows\system32\aswBoot.exe

2012-11-06 17:05 . 2012-11-06 17:05 -------- d-----w- c:\programdata\Alwil Software

2012-11-06 17:05 . 2012-11-06 17:05 -------- d-----w- c:\program files\Alwil Software

2012-11-06 15:34 . 2012-11-30 19:45 -------- d-----w- c:\users\iamnoob

2012-11-06 15:34 . 2012-11-06 15:34 -------- d-----w- C:\Recovery

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-11-06 18:26 . 2009-07-20 10:30 5958656 ----a-w- c:\windows\system32\drivers\NETw1v32.sys

2012-11-06 18:26 . 2009-07-20 09:13 2756608 ----a-w- c:\windows\system32\NETw1r32.dll

2012-11-06 18:26 . 2009-07-20 09:11 675840 ----a-w- c:\windows\system32\NETw1c32.dll

2012-10-28 11:09 . 2012-10-28 11:09 34016 ----a-w- c:\windows\system32\drivers\tap0901.sys

2012-09-25 08:57 . 2010-04-01 08:30 19560 ----a-w- c:\windows\system32\drivers\cv2k1.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2012-10-30 22:50 121528 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-05 23:12 94208 ----a-w- c:\users\iamnoob\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-05 23:12 94208 ----a-w- c:\users\iamnoob\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-05 23:12 94208 ----a-w- c:\users\iamnoob\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-05 23:12 94208 ----a-w- c:\users\iamnoob\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-11-09 17877168]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-25 136216]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-25 171032]

"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-25 170520]

"avast"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2012-10-30 4297136]

.

c:\users\iamnoob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dropbox.lnk - c:\users\iamnoob\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-11-6 26619512]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\progra~1\VaudiX\sprotector.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux1"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagnostics]

2012-11-14 00:17 557149 ----a-w- c:\program files\Thomson SpeedTouch\ST330\diagnostics\diagnostics.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLFSetI]

2012-11-08 17:50 206208 ----a-w- c:\windows\PLFSetI.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLFSetL]

2009-11-20 10:36 94208 ----a-w- c:\windows\PLFSetL.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snuvcdsm]

2009-12-02 14:52 24576 ----a-w- c:\windows\snuvcdsm.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2012-01-17 06:07 252296 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

R1 TsVp;TsVp;c:\windows\system32\DRIVERS\tsvp.sys [x]

R2 Broadband. RunOuc;Broadband. OUC;c:\program files\Broadband\UpdateDog\ouc.exe [x]

R2 HWDeviceService.exe;HWDeviceService.exe;c:\programdata\DatacardService\HWDeviceService.exe [x]

R2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [x]

R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]

R2 UDisk Monitor;UDisk Monitor;c:\program files\EVDO BROADBAND PTCL\bin\MonServiceUDisk.exe [x]

R3 CV2K1;CommView Network Monitor;c:\windows\system32\DRIVERS\cv2k1.sys [x]

R3 DrvAgent32;DrvAgent32;c:\windows\system32\Drivers\DrvAgent32.sys [x]

R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys [x]

R3 ST330;ST330;c:\windows\system32\drivers\st330.sys [x]

R3 STBUS;STBUS;c:\windows\system32\drivers\stbus.sys [x]

R3 stppp;Speedtouch PPP Adapter Adapter;c:\windows\system32\DRIVERS\stppp.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]

R3 TsVlb;TsVlb;c:\windows\system32\DRIVERS\tsvlb.sys [x]

R3 ztemtusbser;ZTEMT Legacy Serial Communication;c:\windows\system32\DRIVERS\CT_ZTEMT_U_USBSER.sys [x]

S1 aswSnx;aswSnx; [x]

S1 aswSP;aswSP; [x]

S2 aswFsBlk;aswFsBlk; [x]

S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]

S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]

S3 ewusbmbb;HUAWEI USB-WWAN miniport;c:\windows\system32\DRIVERS\ewusbwwan.sys [x]

S3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys [x]

S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x86.sys [x]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]

S3 NETw1v32;Intel® Wireless WiFi Link 1000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw1v32.sys [x]

S3 TSCOMM;CommStudio Virtual Adapter by TamoSoft;c:\windows\system32\DRIVERS\tscomm.sys [x]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - CV2K1

*NewlyCreated* - TRUESIGHT

*Deregistered* - TrueSight

.

Contents of the 'Scheduled Tasks' folder

.

2012-12-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-07 00:32]

.

2012-12-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-07 00:32]

.

2012-12-01 c:\windows\Tasks\VaudiXUpdaterTask{7DC5EE4F-4C00-487D-A34F-077B97CF1758}.job

- c:\programdata\Premium\VaudiX\VaudiX.exe [2012-11-11 14:50]

.

.

------- Supplementary Scan -------

.

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 44.0.0.253 44.0.0.3 44.0.0.4 4.2.2.1

TCP: Interfaces\{25347A4F-DA88-49EA-9B2E-C2FBBEF62F3B}: NameServer = 119.159.255.36 8.8.8.8

TCP: Interfaces\{3EF3295D-ADE4-4B0E-86F4-7719FBD610F4}: NameServer = 119.159.255.36 8.8.8.8

TCP: Interfaces\{71DC5600-291B-41DD-AFC4-AE2546950FB7}: NameServer = 119.159.255.36

TCP: Interfaces\{A3AF4DD0-55AB-418C-9A51-6A1F3D8F6FAF}: NameServer = 203.99.163.240,208.67.222.222

.

- - - - ORPHANS REMOVED - - - -

.

MSConfigStartUp-BaofengPlatform - c:\program files\Baofeng\StormPlayer\BaofengPlatform.exe

MSConfigStartUp-snp2uvc - c:\windows\vsnp2uvc.exe

.

.

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\st330service]

"ImagePath"="C:\Program Files/Thomson SpeedTouch/ST330/service/st330service.exe -service"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_110_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_110_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'Explorer.exe'(5448)

c:\users\iamnoob\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

Completion time: 2012-12-02 01:35:49

ComboFix-quarantined-files.txt 2012-12-01 20:35

.

Pre-Run: 62,497,198,080 bytes free

Post-Run: 62,415,138,816 bytes free

.

- - End Of File - - 779A9C23FEE59B61A4EE576418B7943A


If you care to read the initial set of instructions for ComboFix, you are told that if you see that very error, reboot and it will disappear without any loss...

Do you recognize any of these IP addresses? They are for somewhere in Pakistan/Islamabad.

TCP: Interfaces\{25347A4F-DA88-49EA-9B2E-C2FBBEF62F3B}: NameServer = 119.159.255.36 8.8.8.8

TCP: Interfaces\{3EF3295D-ADE4-4B0E-86F4-7719FBD610F4}: NameServer = 119.159.255.36 8.8.8.8

TCP: Interfaces\{71DC5600-291B-41DD-AFC4-AE2546950FB7}: NameServer = 119.159.255.36

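The things Kevin is picking out of the ComboFix log by eye (per-interface NameServer values, the UAC policy values set to 0, the AppInit_DLLs entry, and services and scheduled tasks whose binaries live under ProgramData) can be pulled out mechanically. The script below is an added example written for this page; it is not a tool from the thread, nor part of ComboFix or RogueKiller. The log it parses is a constructed excerpt assembled from lines of the log posted above, the allowlist of public resolvers is an assumption, and the function names are my own. Note what it does not decide: whether 119.159.255.36 and 203.99.163.240 belong to the user's ISP is exactly the question Kevin is asking (the same log shows PTCL broadband software installed, so resolvers located in Pakistan are not in themselves surprising), so the script reports them as unverified rather than malicious and lets you pass confirmed ISP resolvers in.

```python
"""Pull the indicators discussed in this thread out of a ComboFix-style log.

Added example for this page, not part of ComboFix, RogueKiller or the thread.
SAMPLE_LOG is a constructed excerpt assembled from lines of the log posted above.
"""
import re

# Assumed allowlist of public resolvers a reviewer recognises on sight. Any other
# address hard-coded on an interface is reported as "unverified", because the
# thread never settles whether 119.159.255.36 / 203.99.163.240 are the ISP's.
KNOWN_PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "208.67.222.222", "208.67.220.220"}

# Data directories legitimate services and tasks rarely run from; the same
# heuristic behind RogueKiller's "[SUSP PATH]" verdicts in this thread.
SUSPICIOUS_DIRS = ("\\programdata\\", "\\appdata\\", "\\users\\public\\", "\\temp\\")

NAMESERVER_RE = re.compile(r"^TCP: Interfaces\\(\{[0-9A-Fa-f-]+\}): NameServer = (.+?)\s*$", re.M)
POLICY_RE = re.compile(r'^"(EnableLUA|ConsentPromptBehaviorAdmin|PromptOnSecureDesktop)"=\s*(\d+)', re.M)
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(.*?)\s*$', re.M)
# Service/driver lines: "<R|S><n> <name>;<display name>;<image path> [x]"
SERVICE_RE = re.compile(r"^[RS]\d ([^;\n]+);[^;\n]*;([^\n\[]*?)\s*\[[^\]\n]*\]\s*$", re.M)
# Scheduled tasks take two lines: the .job file, then "- <target> [timestamp]"
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (.+?\.job)\n- (.+?) \[", re.M)

# Constructed sample in ComboFix's layout, copied from the log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\VaudiX\sprotector.dll
R2 HWDeviceService.exe;HWDeviceService.exe;c:\programdata\DatacardService\HWDeviceService.exe [x]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
S1 aswSnx;aswSnx; [x]
2012-12-01 c:\windows\Tasks\VaudiXUpdaterTask{7DC5EE4F-4C00-487D-A34F-077B97CF1758}.job
- c:\programdata\Premium\VaudiX\VaudiX.exe [2012-11-11 14:50]
TCP: DhcpNameServer = 44.0.0.253 44.0.0.3 44.0.0.4 4.2.2.1
TCP: Interfaces\{25347A4F-DA88-49EA-9B2E-C2FBBEF62F3B}: NameServer = 119.159.255.36 8.8.8.8
TCP: Interfaces\{A3AF4DD0-55AB-418C-9A51-6A1F3D8F6FAF}: NameServer = 203.99.163.240,208.67.222.222
"""


def static_nameservers(log):
    """Map interface GUID -> resolver list for interfaces with a static NameServer."""
    return {guid: re.split(r"[ ,]+", ips.strip()) for guid, ips in NAMESERVER_RE.findall(log)}


def uac_policy(log):
    """Return the UAC policy values present in the log, as integers."""
    return {name: int(value) for name, value in POLICY_RE.findall(log)}


def autostart_binaries(log):
    """Return (kind, name, path) for every service/driver and scheduled task listed."""
    items = [("service", name, path) for name, path in SERVICE_RE.findall(log)]
    items += [("task", job, target) for job, target in TASK_RE.findall(log)]
    return items


def triage(log, trusted_resolvers=()):
    """Return (category, detail) findings in the order a reviewer would raise them.

    trusted_resolvers: resolver addresses the user has confirmed belong to their
    ISP (assumed input); DNS findings for those addresses are suppressed.
    """
    findings = []
    accepted = KNOWN_PUBLIC_RESOLVERS | set(trusted_resolvers)
    for guid, ips in sorted(static_nameservers(log).items()):
        unknown = [ip for ip in ips if ip not in accepted]
        if unknown:
            findings.append(("dns", f"{guid} uses unverified resolver(s) {', '.join(unknown)}"))
    pol = uac_policy(log)
    if pol.get("EnableLUA") == 0:
        findings.append(("uac", "EnableLUA=0: UAC is switched off entirely"))
    elif pol.get("ConsentPromptBehaviorAdmin") == 0:
        # Only meaningful when UAC is on: admins then elevate with no prompt at all.
        findings.append(("uac", "ConsentPromptBehaviorAdmin=0: silent elevation for admins"))
    if pol.get("PromptOnSecureDesktop") == 0:
        findings.append(("uac", "PromptOnSecureDesktop=0: elevation prompts can be spoofed"))
    for dll in APPINIT_RE.findall(log):
        if dll:
            findings.append(("appinit", f"AppInit_DLLs loads {dll} into every process that maps user32.dll"))
    for kind, name, path in autostart_binaries(log):
        if any(d in path.lower() for d in SUSPICIOUS_DIRS):
            findings.append((kind, f"{name} runs from a data directory: {path}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"[{category}] {detail}")
```

On the sample above it reports two unverified resolvers, EnableLUA=0 and PromptOnSecureDesktop=0, the sprotector.dll AppInit entry, the DatacardService service and the VaudiX task; ConsentPromptBehaviorAdmin=0 is only reported when UAC is actually on, since with EnableLUA=0 it changes nothing. Once the user confirms the ISP's resolvers, pass them as trusted_resolvers and the DNS findings drop out; the AppInit_DLLs value and the UAC policy values are worth re-checking in the post-run ComboFix log, because the CFScript in the next post targets the VaudiX folders and the NameServer entries.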

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the Codebox below into it:


KillAll::
ClearJavaCache::
Folder::
c:\program files\VaudiX
c:\programdata\Premium
DDS::
TCP: Interfaces\{25347A4F-DA88-49EA-9B2E-C2FBBEF62F3B}: NameServer = 119.159.255.36 8.8.8.8
TCP: Interfaces\{3EF3295D-ADE4-4B0E-86F4-7719FBD610F4}: NameServer = 119.159.255.36 8.8.8.8
TCP: Interfaces\{71DC5600-291B-41DD-AFC4-AE2546950FB7}: NameServer = 119.159.255.36
TCP: Interfaces\{A3AF4DD0-55AB-418C-9A51-6A1F3D8F6FAF}: NameServer = 203.99.163.240,208.67.222.222

Save this as CFScript.txt, with Type set to All Files (*.*), in the same location as ComboFix.exe, then drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Next,

**Note** You will need to use Internet Explorer for this scan. On Vista and Windows 7, right click the IE shortcut and run as admin.

Go to the ESET web page http://www.eset.com/home/products/online-scanner/ to run the ESET online scanner.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use, then click Start
  • When asked, allow the add-on to be installed, then click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked, then click Scan
  • Wait for the virus definitions to be downloaded
  • Wait for the scan to finish

When the scan is complete

  • If no threats were found
  • put a checkmark in "Uninstall application on close"
  • close program
  • report to me that nothing was found

If threats were found

  • click on "list of threats found"
  • click on "export to text file" and save it as ESET SCAN to the desktop
  • Click on back
  • put a checkmark in "Uninstall application on close"
  • click on finish

close program

copy and paste the report here

Post those two logs in your reply, also give an update on any issues or concerns...

Kevin


RogueKiller V8.3.1 [Dec 2 2012] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version

Started in : Normal mode

User : iamnoob [Admin rights]

Mode : Scan -- Date : 12/03/2012 16:45:11

¤¤¤ Bad processes : 3 ¤¤¤

[SUSP PATH] ouc.exe -- C:\ProgramData\Broadband\OnlineUpdate\ouc.exe -> KILLED [TermProc]

[SUSP PATH] DCSHelper.exe -- C:\ProgramData\DatacardService\DCSHelper.exe -> KILLED [TermProc]

[SUSP PATH] DCSHelper.exe -- C:\ProgramData\DatacardService\DCSHelper.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 13 ¤¤¤

[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{25347A4F-DA88-49EA-9B2E-C2FBBEF62F3B} : NameServer (119.159.255.36 8.8.8.8) -> FOUND

[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{3EF3295D-ADE4-4B0E-86F4-7719FBD610F4} : NameServer (119.159.255.36 8.8.8.8) -> FOUND

[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{71DC5600-291B-41DD-AFC4-AE2546950FB7} : NameServer (119.159.255.36) -> FOUND

[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{A3AF4DD0-55AB-418C-9A51-6A1F3D8F6FAF} : NameServer (203.99.163.240,208.67.222.222) -> FOUND

[DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{25347A4F-DA88-49EA-9B2E-C2FBBEF62F3B} : NameServer (119.159.255.36 8.8.8.8) -> FOUND

[DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{3EF3295D-ADE4-4B0E-86F4-7719FBD610F4} : NameServer (119.159.255.36 8.8.8.8) -> FOUND

[DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{71DC5600-291B-41DD-AFC4-AE2546950FB7} : NameServer (119.159.255.36) -> FOUND

[DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{A3AF4DD0-55AB-418C-9A51-6A1F3D8F6FAF} : NameServer (203.99.163.240,208.67.222.222) -> FOUND

[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD3200BEVT-22ZCT0 ATA Device +++++

--- User ---

[MBR] 3d3494d314718fa29b77a3b995c031da

[bSP] bf1a441159fc0e25446037daca2178a1 : Windows 7/8 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 80303 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 164667392 | Size: 80000 Mo

3 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 328507392 | Size: 144840 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[2]_S_12032012_02d1645.txt >>

RKreport[1]_S_12022012_02d0056.txt ; RKreport[2]_S_12032012_02d1645.txt
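A defender-side triage helper for findings like those in the report above, added here as an example; it is not part of RogueKiller, Malwarebytes or this thread. It parses the report's process and registry lines and flags the ones a responder would act on: EnableLUA set to 0 (User Account Control switched off), ConsentPromptBehaviorAdmin set to 0 (administrators elevate without any prompt), DisableRegistryTools set to 1 (regedit blocked by policy), and per-interface NameServer values that are not on an expected-resolver list. The sample lines are copied from the report above; the expected-resolver list is an assumption made for this example (Google Public DNS and OpenDNS addresses), so 119.159.255.36 and 203.99.163.240 are flagged only as "not on the list", which is a prompt to confirm them with the ISP, not a verdict.

```python
"""Triage of RogueKiller-style report lines (added example, not RogueKiller code)."""
import re
from typing import Dict, List

# Constructed sample: a subset of the lines from the report posted above.
SAMPLE_REPORT = r"""
[sUSP PATH] ouc.exe -- C:\ProgramData\Broadband\OnlineUpdate\ouc.exe -> KILLED [TermProc]
[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{25347A4F-DA88-49EA-9B2E-C2FBBEF62F3B} : NameServer (119.159.255.36 8.8.8.8) -> FOUND
[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{A3AF4DD0-55AB-418C-9A51-6A1F3D8F6FAF} : NameServer (203.99.163.240,208.67.222.222) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
"""

# Assumption for this example: resolvers the machine's owner expects to see.
# 8.8.8.8 / 8.8.4.4 are Google Public DNS; 208.67.222.222 / 208.67.220.220 are OpenDNS.
EXPECTED_RESOLVERS = {"8.8.8.8", "8.8.4.4", "208.67.222.222", "208.67.220.220"}

# "[TAG] image.exe -- C:\path\image.exe -> STATUS"
PROC_RE = re.compile(
    r"^\[(?P<tag>[^\]]+)\]\s+(?P<image>\S+)\s+--\s+(?P<path>.+?)\s+->\s+(?P<status>\w+)"
)
# "[TAG] HKLM\...\Key : ValueName (data) -> STATUS"
REG_RE = re.compile(
    r"^\[(?P<tag>[^\]]+)\]\s+(?P<key>\S+)\s+:\s+(?P<name>\S+)\s+\((?P<value>[^)]*)\)\s+->\s+(?P<status>\w+)"
)


def parse_report(text: str) -> List[Dict[str, str]]:
    """Turn report lines into dicts; lines in neither format are skipped."""
    findings: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = PROC_RE.match(line)
        if m:
            # The forum software lower-cased the tag's first letter; normalise it.
            findings.append({"kind": "process", "tag": m["tag"].upper(),
                             "image": m["image"], "path": m["path"], "status": m["status"]})
            continue
        m = REG_RE.match(line)
        if m:
            findings.append({"kind": "registry", "tag": m["tag"].upper(), "key": m["key"],
                             "name": m["name"], "value": m["value"], "status": m["status"]})
    return findings


def _alert(severity: str, rule: str, detail: str, message: str) -> Dict[str, str]:
    return {"severity": severity, "rule": rule, "detail": detail, "message": message}


def triage(findings: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply responder rules to parsed findings and return the alerts raised."""
    alerts: List[Dict[str, str]] = []
    for f in findings:
        if f["kind"] == "process" and f["tag"] == "SUSP PATH":
            alerts.append(_alert("INFO", "suspicious-path-process", f["image"],
                                 f"{f['image']} ran from {f['path']}; confirm it belongs to "
                                 "installed software before trusting it"))
        elif f["kind"] == "registry":
            name, value = f["name"], f["value"].strip()
            if name == "EnableLUA" and value == "0":
                alerts.append(_alert("HIGH", "uac-disabled", name,
                                     "User Account Control is switched off (EnableLUA=0); re-enable it"))
            elif name == "ConsentPromptBehaviorAdmin" and value == "0":
                alerts.append(_alert("MEDIUM", "silent-elevation", name,
                                     "administrators elevate without any prompt (ConsentPromptBehaviorAdmin=0)"))
            elif name == "DisableRegistryTools" and value == "1":
                alerts.append(_alert("HIGH", "regedit-blocked", name,
                                     "registry editing is blocked by policy (DisableRegistryTools=1)"))
            elif f["tag"] == "DNS" and name == "NameServer":
                iface = f["key"].rsplit("\\", 1)[-1]   # trailing {GUID} of the interface key
                for ip in re.split(r"[\s,]+", value):
                    if ip and ip not in EXPECTED_RESOLVERS:
                        alerts.append(_alert("MEDIUM", "unknown-resolver", ip,
                                             f"interface {iface} resolves via {ip}, which is not an "
                                             "expected resolver; confirm with the ISP or reset DNS"))
    return alerts


if __name__ == "__main__":
    for a in triage(parse_report(SAMPLE_REPORT)):
        print(f"[{a['severity']}] {a['rule']}: {a['message']}")
```

Running the block on the sample prints one alert per rule hit; the DisableRegistryTools line raises nothing because its data is 0, which is the normal (not disabled) state.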


OK, run RogueKiller again. When the scan completes, hit the Delete tab.

When that completes, hit the DNSFix tab.

Post those logs.

Next,

Open Malwarebytes, check for updates, then run a Quick scan. Full instructions follow if Malwarebytes is not installed:

  • Please download Malwarebytes Anti-Malware and save it to your desktop.
    Alternative D/L mirror
    Alternative D/L mirror
  • Double click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Post that log

Next,

Re-run DDS and post a fresh set of logs. I'll give the instructions again in case they are needed:

Download and save DDS to your Desktop from either of the following links:

http://download.bleepingcomputer.com/sUBs/dds.scr

http://compendiate.net/sUBs/dds/dds.scr

Double click DDS to run the scan; Vista or Windows 7 users, accept the UAC alert.

There will be an alert that two logs will be saved to the Desktop, DDS.txt and Attach.txt

Copy and paste those two logs to your reply when the scan is complete....

Thanks,

Kevin


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
