Jump to content

GadgetBox Infection


Corvo

Recommended Posts

Hello,

I've been having some trouble removing the Gadgetbox 'search engine' from my computer; I uninstalled it and restored my Chrome homepage/search defaults, but upon start up the first tab still goes to the Gadgetbox search. I've run quick and full scans with MalwareBytes, but it didn't turn up anything pertinent.

Any help would be appreciated.

DDS Log -

DDS (Ver_2012-11-20.01) - NTFS_AMD64

Internet Explorer: 9.0.8112.16457 BrowserJavaVersion: 10.9.2

Run by Jeff at 12:51:40 on 2012-12-22

Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.4094.1882 [GMT -5:00]

.

AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}

SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\system32\atiesrxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe

C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Windows\SysWOW64\PnkBstrA.exe

C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe

C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\atieclxx.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\taskhost.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

C:\PROGRA~1\FOLDER~1\FGKey64.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe

C:\Program Files (x86)\DisplayFusion\DisplayFusion.exe

C:\Program Files (x86)\Rainlendar2\Rainlendar2.exe

C:\Program Files (x86)\uTorrent\uTorrent.exe

C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files (x86)\AVG\AVG2012\avgtray.exe

C:\Program Files (x86)\AVG Secure Search\vprot.exe

C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe

C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe

C:\Program Files (x86)\EfficientPIM\EfficientPIM.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE

C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe

C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

Q:\140061.enu\Office14\ONENOTEM.EXE

C:\Program Files (x86)\DisplayFusion\DisplayFusionHookx86.exe

C:\Windows\system32\wuauclt.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe

C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe

C:\Windows\system32\notepad.exe

C:\Program Files (x86)\Steam\Steam.exe

C:\Program Files (x86)\Common Files\Steam\SteamService.exe

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

C:\Windows\system32\taskhost.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\AVG\AVG2012\avgcfgex.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://search.gboxapp.com/

mStart Page = hxxp://search.gboxapp.com/

uURLSearchHooks: <No Name>: - LocalServer32 - <no file>

uURLSearchHooks: YTD Toolbar: {F3FEE66E-E034-436a-86E4-9690573BEE8A} - C:\Program Files (x86)\YTD Toolbar\IE\6.6\ytdToolbarIE.dll

uURLSearchHooks: GagetBox: {3B81079D-2AC9-425f-A494-A1C7D93AFA3C} - C:\Program Files (x86)\GadgetBox\gadgetBoxTB.dll

mURLSearchHooks: <No Name>: - LocalServer32 - <no file>

mURLSearchHooks: GagetBox: {3B81079D-2AC9-425f-A494-A1C7D93AFA3C} - C:\Program Files (x86)\GadgetBox\gadgetBoxTB.dll

mWinlogon: Userinit = userinit.exe,

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll

BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll

BHO: {81C43C4F-6052-4731-9CBD-06E2DE6767B7} - <orphaned>

BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll

BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll

BHO: YTD Toolbar: {F3FEE66E-E034-436a-86E4-9690573BEE8A} - C:\Program Files (x86)\YTD Toolbar\IE\6.6\ytdToolbarIE.dll

TB: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll

TB: YTD Toolbar: {F3FEE66E-E034-436a-86E4-9690573BEE8A} - C:\Program Files (x86)\YTD Toolbar\IE\6.6\ytdToolbarIE.dll

TB: GagetBox: {3B81079D-2AC9-425f-A494-A1C7D93AFA3C} - C:\Program Files (x86)\GadgetBox\gadgetBoxTB.dll

EB: GagetBox: {3B81079D-2AC9-425f-A494-A1C7D93AFA3C} - C:\Program Files (x86)\GadgetBox\gadgetBoxTB.dll

uRun: [steam] "C:\Program Files (x86)\Steam\steam.exe" -silent

uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun

uRun: [DisplayFusion] "C:\Program Files (x86)\DisplayFusion\DisplayFusion.exe"

uRun: [EA Core] "C:\Program Files (x86)\Electronic Arts\EADM\Core.exe" -silent

uRun: [Rainlendar2] C:\Program Files (x86)\Rainlendar2\Rainlendar2.exe

uRun: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe" /MINIMIZED

mRun: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe -r

mRun: [EfficientPIMFree] <no file>

mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript

StartupFolder: C:\Users\Jeff\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\EFFICI~2.LNK - C:\Program Files (x86)\EfficientPIM\EfficientPIM.exe

StartupFolder: C:\Users\Jeff\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MCAFEE~1.LNK - C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe

mPolicies-Explorer: NoActiveDesktop = dword:1

mPolicies-Explorer: NoActiveDesktopChanges = dword:1

mPolicies-System: ConsentPromptBehaviorAdmin = dword:5

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableUIADesktopToggle = dword:0

TCP: NameServer = 192.168.0.1

TCP: Interfaces\{79C6D880-194F-41A7-98F3-7CAABEFD9239} : DHCPNameServer = 192.168.0.1

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll

Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\13.2.0\ViProtocol.dll

SSODL: WebCheck - <orphaned>

x64-BHO: AVG Do Not Track: {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiea.dll

x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

x64-Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"

x64-IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files (x86)\AVG\AVG2012\avgdtiea.dll

x64-Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgppa.dll

x64-Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - <orphaned>

x64-SSODL: WebCheck - <orphaned>

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\8ns9sbyy.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.gboxapp.com/?q=

FF - prefs.js: browser.search.selectedEngine - GadgetBox

FF - prefs.js: browser.startup.homepage - hxxp://search.gboxapp.com/

FF - prefs.js: keyword.URL - hxxp://search.gboxapp.com/?q=

FF - plugin: C:\PROGRA~2\MIF5BA~1\Office14\NPSPWRAP.DLL

FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll

FF - plugin: C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\12.1.5\npsitesafety.dll

FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll

FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll

FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll

FF - plugin: C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypchub.dll

FF - plugin: C:\Windows\System32\Wat\npWatWeb.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll

FF - ExtSQL: 2012-12-22 09:53; gadget@gadgetbox; C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\8ns9sbyy.default\extensions\gadget@gadgetbox

.

============= SERVICES / DRIVERS ===============

.

R0 AVGIDSHA;AVGIDSHA;C:\Windows\System32\drivers\avgidsha.sys [2012-4-19 28480]

R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2012-1-31 36944]

R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\drivers\avgldx64.sys [2012-7-26 291680]

R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\drivers\avgmfx64.sys [2011-12-23 47696]

R1 avgtp;avgtp;C:\Windows\System32\drivers\avgtpx64.sys [2012-7-24 30568]

R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\System32\drivers\dtsoftbus01.sys [2011-4-6 254528]

R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2012-6-11 239616]

R2 Application Updater;Application Updater;C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe [2012-11-28 793600]

R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-2-14 193288]

R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2012-1-4 822624]

R2 FGUARD64;FGUARD64;C:\Program Files\Folder Guard\FGUARD64.sys [2012-3-8 73552]

R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-11-3 399432]

R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-11-3 676936]

R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-1 508776]

R2 vToolbarUpdater13.2.0;vToolbarUpdater13.2.0;C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe [2012-11-8 711112]

R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2012-2-23 95760]

R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2012-11-3 25928]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-6-10 187392]

R3 Sftfs;Sftfs;C:\Windows\System32\drivers\Sftfslh.sys [2011-10-1 764264]

R3 Sftplay;Sftplay;C:\Windows\System32\drivers\Sftplaylh.sys [2011-10-1 268648]

R3 Sftredir;Sftredir;C:\Windows\System32\drivers\Sftredirlh.sys [2011-10-1 25960]

R3 Sftvol;Sftvol;C:\Windows\System32\drivers\Sftvollh.sys [2011-10-1 22376]

R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-1 219496]

R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;C:\Windows\System32\drivers\viahduaa.sys [2011-4-3 1342064]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-1-15 227232]

S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-4-4 1255736]

.

=============== Created Last 30 ================

.

2012-12-22 13:43:02 -------- d-----w- C:\ProgramData\GadgetBox

2012-12-22 13:43:01 -------- d-----w- C:\Program Files (x86)\GadgetBox

2012-12-22 13:41:01 -------- d-----w- C:\ProgramData\CloudSoft

2012-12-21 00:41:57 46080 ----a-w- C:\Windows\System32\atmlib.dll

2012-12-21 00:41:57 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll

2012-12-21 00:41:56 367616 ----a-w- C:\Windows\System32\atmfd.dll

2012-12-21 00:41:56 295424 ----a-w- C:\Windows\SysWow64\atmfd.dll

2012-12-12 13:37:49 2048 ----a-w- C:\Windows\SysWow64\tzres.dll

2012-12-12 13:36:58 7680 ----a-w- C:\Windows\SysWow64\instnm.exe

2012-12-04 15:22:29 -------- d-----w- C:\Program Files (x86)\YTD Toolbar

2012-12-04 15:22:29 -------- d-----w- C:\Program Files (x86)\Application Updater

2012-12-04 06:32:17 -------- d-----w- C:\Program Files (x86)\NVIDIA Corporation

2012-11-30 05:48:50 746984 ----a-w- C:\Windows\SysWow64\deployJava1.dll

2012-11-30 05:48:48 821736 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll

2012-11-30 05:48:06 95208 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll

.

==================== Find3M ====================

.

2012-12-12 18:10:23 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2012-12-12 18:10:23 697272 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2012-11-22 08:20:36 3147264 ----a-w- C:\Windows\System32\win32k.sys

2012-11-14 06:11:44 2312704 ----a-w- C:\Windows\System32\jscript9.dll

2012-11-14 06:04:11 1392128 ----a-w- C:\Windows\System32\wininet.dll

2012-11-14 06:02:49 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl

2012-11-14 05:57:46 599040 ----a-w- C:\Windows\System32\vbscript.dll

2012-11-14 05:57:35 173056 ----a-w- C:\Windows\System32\ieUnatt.exe

2012-11-14 05:52:40 2382848 ----a-w- C:\Windows\System32\mshtml.tlb

2012-11-14 02:09:22 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll

2012-11-14 01:58:15 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl

2012-11-14 01:57:37 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll

2012-11-14 01:49:25 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe

2012-11-14 01:48:27 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll

2012-11-14 01:44:42 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2012-11-09 05:34:27 2048 ----a-w- C:\Windows\System32\tzres.dll

2012-11-09 03:50:13 30568 ----a-w- C:\Windows\System32\drivers\avgtpx64.sys

2012-11-02 05:27:51 478208 ----a-w- C:\Windows\System32\dpnet.dll

2012-11-02 04:48:28 376832 ----a-w- C:\Windows\SysWow64\dpnet.dll

2012-10-04 17:38:56 362496 ----a-w- C:\Windows\System32\wow64win.dll

2012-10-04 17:38:56 243200 ----a-w- C:\Windows\System32\wow64.dll

2012-10-04 17:38:56 13312 ----a-w- C:\Windows\System32\wow64cpu.dll

2012-10-04 17:38:24 215040 ----a-w- C:\Windows\System32\winsrv.dll

2012-10-04 17:35:22 16384 ----a-w- C:\Windows\System32\ntvdm64.dll

2012-10-04 17:32:16 425984 ----a-w- C:\Windows\System32\KernelBase.dll

2012-10-04 16:54:18 5120 ----a-w- C:\Windows\SysWow64\wow32.dll

2012-10-04 16:54:17 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll

2012-10-04 15:19:57 338432 ----a-w- C:\Windows\System32\conhost.exe

2012-10-04 14:49:27 25600 ----a-w- C:\Windows\SysWow64\setup16.exe

2012-10-04 14:49:22 2048 ----a-w- C:\Windows\SysWow64\user.exe

2012-10-04 14:49:22 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll

2012-10-04 14:44:29 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll

2012-10-04 14:44:29 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll

2012-10-04 14:44:29 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll

2012-10-04 14:44:29 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll

2012-09-29 23:54:26 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys

2012-09-25 22:39:14 95744 ----a-w- C:\Windows\System32\synceng.dll

2012-09-25 21:55:17 78336 ----a-w- C:\Windows\SysWow64\synceng.dll

.

============= FINISH: 12:52:07.01 ===============

attach.txt

dds.txt

Link to post
Share on other sites

Hello Corvo and welcome to MalwareBytes forums.

Your logs showed some peer-to-peer filesharing apps: uTorrent.

Risks of File-Sharing Technology.

P2P file sharing: Know the risks

Forum policy on peer-to-peer-programs:

If you're using Peer 2 Peer software such as uTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

http://forums.malwar...showtopic=97700

Remove it and confirm that in your next reply, before we get going further.

p.s. Moderator note: Please always Copy all contents of log(s) and Paste directly into main-body of Reply.

Do NOT use the attach option unless I ask you.

Edited by Maurice Naggar
Link to post
Share on other sites

Start Chrome browser. Press & hold SHIFT+CTRL+Del keys to get menu for clearing browing data:

Check Empty the cache

Delete cookies and other site and plug-in data

and press Clear browsing data button

Still in Chrome, press ALT+F then Settings

Click Extensions on the left.

Closely review the browser extensions that are listed. Disable any that you are not familiar with or that you do not trust.

Now Close the Chrome browser.

NEXT:

These steps are for Corvo only. If you are a casual viewer, do NOT try this on your system!

If you are not Corvo and have a similar problem, do NOT post here; start your own topic

The fixes in this Topic are for this system only! Do not apply the fix-instructions from this topic to your System or any other one!

You will want to print out or copy these instructions to Notepad for offline reference!

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools.

If you have a prior copy of Combofix, delete it now

Download Combofix from any of the links below, and SAVE it to your Desktop.

Link 1

Link 2

**Note: It is important that it is saved directly to your Desktop and not run straight away from download **

Have infinite patience during the run & scan by Combofix. It has many phases: some 50+ stages

It will display it's "stage" within the Command prompt window. Do NOT panic if it seems slow to change ! It has lots of work.

You may notice the desktop icons disappear. Do NOT panic, as that is expected behavior.

Combofix my take as little as 10 minutes and perhaps as much as 30-40 minutes. Time taken will depend on speed of your system and how much there is to scan & how much it needs to clean.

If this is on a notebook system, make sure first the notebook is connected to wall-power (AC power)or a UPS system

1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

For help reference, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

2. Open notepad and copy/paste the text in the quotebox below into it:


KILLALL::

DDS::
uStart Page = hxxp://search.gboxapp.com/
mStart Page = hxxp://search.gboxapp.com/
uURLSearchHooks: <No Name>: - LocalServer32
uURLSearchHooks: GagetBox: {3B81079D-2AC9-425f-A494-A1C7D93AFA3C} - C:\Program Files (x86)\GadgetBox\gadgetBoxTB.dll
mURLSearchHooks: <No Name>: - LocalServer32
mURLSearchHooks: GagetBox: {3B81079D-2AC9-425f-A494-A1C7D93AFA3C} - C:\Program Files (x86)\GadgetBox\gadgetBoxTB.dll
BHO: {81C43C4F-6052-4731-9CBD-06E2DE6767B7}
TB: GagetBox: {3B81079D-2AC9-425f-A494-A1C7D93AFA3C} - C:\Program Files (x86)\GadgetBox\gadgetBoxTB.dll
EB: GagetBox: {3B81079D-2AC9-425f-A494-A1C7D93AFA3C} - C:\Program Files (x86)\GadgetBox\gadgetBoxTB.dll
FF - prefs.js: browser.search.defaulturl - hxxp://search.gboxapp.com/?q=
FF - prefs.js: browser.search.selectedEngine - GadgetBox
FF - prefs.js: browser.startup.homepage - hxxp://search.gboxapp.com/
FF - prefs.js: keyword.URL - hxxp://search.gboxapp.com/?q=

File::
C:\Program Files (x86)\GadgetBox\gadgetBoxTB.dll

Folder::
C:\ProgramData\GadgetBox
C:\Program Files (x86)\GadgetBox

Save this as CFScript.txt, in the same location as ComboFix.exe

3. Close any (all) open browsers. That's to include Closing Internet Explorer, + Firefox, + Chrome.

4:

CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe

  • A window may open with a warning or prompts. Accept the EULA and follow the prompts during the start phase of Combofix.
    When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

A file will be created at => C:\Combofix.txt.

Notes:

[1] IF after Combofix reboot you get the message

Illegal operation attempted on registry key that has been marked for deletion

....please reboot the computer, this should resolve the problem. You may have reboot the pc a second time if needed.

[2] Do not mouseclick combofix's window nor run any program while Combofix is running.

That may cause it to stall.

[3]When all done, IF Combofix did not do a Restart...then ... I need for you to Restart the system fresh :excl:

Reply & Copy & Paste contents of the C:\Combofix.txt log and tell me, How is the system now ?

Re-enable your antivirus program.

There will be more to do later !

Link to post
Share on other sites

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.