Svchost.exe trying to access malicious sites


NeoX12

Malwarebytes Quick Scan Log


Malwarebytes Anti-Malware (PRO) 1.62.0.1300
www.malwarebytes.org

Database version: v2013.01.22.03

Windows 7 x86 NTFS
Internet Explorer 8.0.7600.16385
HahaHeadshot :: HAHAHEADSHOT-PC [administrator]

Protection: Enabled

26-Jan-13 1:25:42 PM
mbam-log-2013-01-26 (13-25-42).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 268774
Time elapsed: 5 minute(s), 51 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

svchost.exe activities


2013/01/26 00:29:29 +0600 HAHAHEADSHOT-PC HahaHeadshot IP-BLOCK 58.240.223.154 (Type: incoming, Port: 1433, Process: svchost.exe)
2013/01/26 13:18:36 +0600 HAHAHEADSHOT-PC HahaHeadshot IP-BLOCK 178.152.0.236 (Type: incoming, Port: 20068, Process: svchost.exe)

DDS log


DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 10.4.1
Run by HahaHeadshot at 13:34:12 on 2013-01-26
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2040.679 [GMT 6:00]
.
AV: COMODO Antivirus *Disabled/Updated* {458BB331-2324-0753-3D5F-1472EB102AC0}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: COMODO Defense+ *Disabled/Updated* {FEEA52D5-051E-08DD-07EF-2F009097607D}
FW: COMODO Firewall *Disabled* {7DB03214-694B-060B-1600-BD4715C36DBB}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
F:\Advanced SystemCare 6\ASCService.exe
F:\COMODO\COMODO Internet Security\cmdagent.exe
F:\SandBoxie FINAL\SbieSvc.exe
F:\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\QUBEE WCM\GPCommonService.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Hotspot Shield\bin\hsswd.exe
F:\Defraggg\oodag.exe
C:\Windows\system32\vmnat.exe
C:\Program Files\Wondershare\Wondershare Application Center\WACService.exe
C:\Windows\system32\vmnetdhcp.exe
F:\VMWARE INSTALLED\vmware-authd.exe
C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
F:\Advanced SystemCare 6\Monitor.exe
F:\Malwarebytes' Anti-Malware\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\KeyScrambler\KeyScrambler.exe
F:\Avast\AvastUI.exe
C:\Program Files\QUBEE WCM\QUBEE WCM.exe
F:\Internet Download Manager\IDMan.exe
C:\Users\HahaHeadshot\AppData\Local\Learnpulse\Screenpresso\Screenpresso.exe
F:\SandBoxie FINAL\SbieCtrl.exe
F:\Internet Download Manager\IEMonitor.exe
C:\Program Files\QUBEE WCM\wimax\WmMMgr.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\SearchIndexer.exe
F:\Malwarebytes' Anti-Malware\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Users\HahaHeadshot\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\HahaHeadshot\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\HahaHeadshot\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\HahaHeadshot\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\HahaHeadshot\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\HahaHeadshot\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\HahaHeadshot\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\HahaHeadshot\AppData\Local\Google\Chrome\Application\chrome.exe
F:\Acrobat\Acrobat\Acrobat.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
F:\Microsoft Office 2007\Office12\EXCEL.EXE
C:\Program Files\ShaPlus Bandwidth Meter\ShaPlus Bandwidth Meter.exe
H:\Desktop 29-12\ReverseTethering_2.30\AndroidTool.exe
H:\Desktop 29-12\ReverseTethering_2.30\adb.exe
C:\Users\HahaHeadshot\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\Hotspot Shield\bin\openvpntray.exe
C:\Windows\system32\taskhost.exe
F:\VLC\vlc.exe
C:\Users\HahaHeadshot\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\HahaHeadshot\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
.
============== Pseudo HJT Report ===============
.
uProxyServer = ftp=70.116.71.141:32420;http=180.234.110.74:8080;https=70.116.71.141:32420;socks=70.116.71.141:32420
uProxyOverride = <local>
BHO: IDM integration (IDMIEHlprObj Class): {0055C089-8582-441B-A0BF-17B458C2A3A8} - f:\internet download manager\IDMIECC.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - f:\microsoft office 2007\office12\GrooveShellExtensions.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - f:\avast\aswWebRepIE.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Hotspot Shield Class: {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - c:\program files\hotspot shield\hssie\HssIE.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - f:\avast\aswWebRepIE.dll
uRun: [QUBEE WCM] "c:\program files\qubee wcm\QUBEE WCM.exe" minimized
uRun: [IDMan] f:\internet download manager\IDMan.exe /onboot
uRun: [Screenpresso] "c:\users\hahaheadshot\appdata\local\learnpulse\screenpresso\Screenpresso.exe" -startup
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe" /MINIMIZED
uRun: [SandboxieControl] f:\sandboxie final\sbiectrl.exe
uRun: [Advanced SystemCare 6] "f:\advanced systemcare 6\ASCTray.exe" /AutoStart
mRun: [Malwarebytes' Anti-Malware] "f:\malwarebytes' anti-malware\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [KeyScrambler] c:\program files\keyscrambler\keyscrambler.exe /a
mRun: [avast] "f:\avast\avastUI.exe" /nogui
mRun: [ShaPlus Bandwidth Meter] "c:\program files\shaplus bandwidth meter\ShaPlus Bandwidth Meter" /s
dRun: [Advanced SystemCare 5] "f:\advanced systemcare 5\ASCTray.exe" /AutoStart
StartupFolder: c:\users\hahahe~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\hahaheadshot\appdata\roaming\dropbox\bin\Dropbox.exe
mPolicies-Explorer: NoDriveTypeAutoRun = dword:95
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: Customize Menu - f:\roboform\RoboFormComCustomizeIEMenu.html
IE: Download all links with IDM - f:\internet download manager\IEGetAll.htm
IE: Download with IDM - f:\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - f:\micros~1\office12\EXCEL.EXE/3000
IE: Fill Forms - f:\roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - f:\roboform\RoboFormComShowToolbar.html
IE: Save Forms - f:\roboform\RoboFormComSavePass.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - f:\microsoft office 2007\office12\ONBttnIE.dll
IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61} - c:\program files\keyscrambler\KeyScramblerIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
LSP: %windir%\system32\vsocklib.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
TCP: NameServer = 180.234.0.193 180.234.0.197
TCP: Interfaces\{3EEA6427-1FE0-40C9-A24E-B98783DB4F92} : DHCPNameServer = 180.234.0.193 180.234.0.197
TCP: Interfaces\{4D9B5384-F63E-43EB-81DF-79B7693D6D57} : DHCPNameServer = 180.234.0.193 180.234.0.197
TCP: Interfaces\{72B120FA-B5F8-476A-9969-EA92F2EDDB8B} : DHCPNameServer = 180.234.0.193
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - f:\microsoft office 2007\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
AppInit_DLLs= c:\windows\system32\guard32.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - f:\microsoft office 2007\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\hahaheadshot\appdata\roaming\mozilla\firefox\profiles\n9ap4412.default\
FF - prefs.js: browser.startup.homepage - hxxp://us-mg4.mail.yahoo.com/neo/launch?.rand=8eg2sb9i2ju0a
FF - component: c:\users\hahaheadshot\appdata\roaming\idm\idmmzcc5\components\idmmzcc.dll
FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\users\hahaheadshot\appdata\local\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\users\hahaheadshot\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1167637.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_146.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: f:\acrobat\acrobat\browser\nppdf32.dll
FF - plugin: f:\java\bin\npjpi170_10.dll
FF - ExtSQL: 2013-01-07 01:13; CookiesIE@yahoo.com; c:\users\hahaheadshot\appdata\roaming\mozilla\firefox\profiles\n9ap4412.default\extensions\CookiesIE@yahoo.com.xpi
FF - ExtSQL: 2013-01-15 18:29; {ea2b95c2-9be8-48ed-bdd1-5fcd2ad0ff99}; c:\users\hahaheadshot\appdata\roaming\mozilla\firefox\profiles\n9ap4412.default\extensions\{ea2b95c2-9be8-48ed-bdd1-5fcd2ad0ff99}.xpi
FF - ExtSQL: 2013-01-15 18:31; cookieimporter@krk; c:\users\hahaheadshot\appdata\roaming\mozilla\firefox\profiles\n9ap4412.default\extensions\cookieimporter@krk.xpi
.
---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: browser.xul.error_pages.enabled - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.maxtextrun - 8191
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: content.max.tokenizing.time - 2250000
.
============= SERVICES / DRIVERS ===============
.
R0 vsock;vSockets Driver;c:\windows\system32\drivers\vsock.sys [2012-10-11 61296]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-10-31 738504]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-10-31 361032]
R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2012-3-11 19600]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2012-3-11 491816]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2012-3-11 39640]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2012-6-9 242240]
R1 HssDRV6;Hotspot Shield Routing Driver 6;c:\windows\system32\drivers\hssdrv6.sys [2013-1-11 36040]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-13 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-12 116608]
R2 AdvancedSystemCareService6;Advanced SystemCare Service 6;f:\advanced systemcare 6\ASCService.exe [2013-1-18 1026432]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-10-31 21256]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-10-31 58680]
R2 avast! Antivirus;avast! Antivirus;f:\avast\AvastSvc.exe [2012-11-1 44808]
R2 GPCommonService;GPCommonService;c:\program files\qubee wcm\GPCommonService.exe [2012-8-5 90112]
R2 hshld;Hotspot Shield Service;c:\program files\hotspot shield\bin\openvpnas.exe [2013-1-11 533288]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\hotspot shield\bin\hsswd.exe [2013-1-11 389928]
R2 IDMWFP;IDMWFP;c:\windows\system32\drivers\idmwfp.sys [2012-8-24 97632]
R2 MBAMService;MBAMService;f:\malwarebytes' anti-malware\malwarebytes' anti-malware\mbamservice.exe [2012-7-19 655944]
R2 MTKWMPROT;MediaTek WiMAX Modem Protocol Driver;c:\windows\system32\drivers\mtkwmptv.sys [2012-8-2 15360]
R2 SSPORT;SSPORT;c:\windows\system32\drivers\SSPORT.SYS [2012-4-19 5120]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2012-8-1 719512]
R2 vstor2-mntapi10-shared;Vstor2 MntApi 1.0 Driver (shared);c:\windows\system32\drivers\vstor2-mntapi10-shared.sys [2011-7-12 22768]
R2 WACService;WACService;c:\program files\wondershare\wondershare application center\WACService.exe [2012-12-7 103272]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2012-6-7 173880]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-6-26 22344]
R3 MT7118VU;MediaTek MT7118 WiMAX USB Card Driver for VISTA;c:\windows\system32\drivers\mt7118vu.sys [2012-4-12 131072]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-11 139776]
R3 SbieDrv;SbieDrv;f:\sandboxie final\SbieDrv.sys [2010-7-4 119016]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2010-7-1 34896]
R3 taphss6;Anchorfree HSS VPN Adapter;c:\windows\system32\drivers\taphss6.sys [2013-1-11 37064]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 metasploitPostgreSQL;metasploitPostgreSQL;G:/MSF_IN~1/POSTGR~1/bin/pg_ctl.exe runservice -N "metasploitPostgreSQL" -D "G:/MSF_IN~1/POSTGR~1/data" --> G:/MSF_IN~1/POSTGR~1/bin/pg_ctl.exe runservice -N metasploitPostgreSQL [?]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-6-7 160944]
S2 VMwareHostd;VMware Workstation Server;f:\vmware installed\vmware-hostd.exe [2012-8-15 15680000]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [2012-9-19 83168]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2011-2-16 11520]
.
=============== Created Last 30 ================
.
2013-01-15 18:13:47 -------- d-----w- c:\users\hahaheadshot\appdata\local\Learnpulse
2013-01-15 17:35:24 -------- d-----w- c:\program files\WinHTTrack
2013-01-15 17:25:58 -------- d-----w- c:\program files\YPOPs
2013-01-15 17:25:57 -------- d-----w- c:\users\hahaheadshot\YPOPs
2013-01-14 17:58:58 -------- d-----w- c:\users\hahaheadshot\appdata\roaming\FFSJ
2013-01-14 17:53:19 794906 ----a-w- c:\windows\unins000.exe
2013-01-14 17:53:19 -------- d-----w- c:\windows\system32\FFSJ
2013-01-10 19:41:34 37064 ----a-w- c:\windows\system32\drivers\taphss6.sys
2013-01-10 19:27:44 36040 ----a-w- c:\windows\system32\drivers\hssdrv6.sys
2013-01-08 19:08:45 -------- d-----w- c:\users\hahaheadshot\appdata\roaming\DiskSpaceFan
2013-01-02 16:14:26 -------- d-----w- C:\emailextractor14
2013-01-01 05:14:28 -------- d-----w- c:\users\hahaheadshot\backup
2013-01-01 05:14:26 -------- d-----w- c:\users\hahaheadshot\download
2012-12-31 19:10:36 -------- d-----w- c:\program files\ShaPlus Bandwidth Meter
.
==================== Find3M ====================
.
2013-01-13 16:54:39 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-01-13 16:54:39 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-22 09:39:34 93640 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-12-22 09:39:34 859072 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-12-22 09:39:34 779704 ----a-w- c:\windows\system32\deployJava1.dll
2012-10-30 22:51:58 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-10-30 22:51:57 58680 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-10-30 22:51:07 41224 ----a-w- c:\windows\avastSS.scr
.
============= FINISH: 13:35:15.60 ===============

DDS attach log:


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 17-Apr-12 11:04:07 PM
System Uptime: 26-Jan-13 12:52:36 AM (13 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. | | 945GCM-S2C
Processor: Intel(R) Pentium(R) Dual CPU E2220 @ 2.40GHz | Socket 775 | 2400/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 20 GiB total, 2.534 GiB free.
D: is FIXED (NTFS) - 49 GiB total, 32.757 GiB free.
E: is FIXED (NTFS) - 98 GiB total, 13.522 GiB free.
F: is FIXED (NTFS) - 98 GiB total, 28.721 GiB free.
G: is FIXED (NTFS) - 49 GiB total, 29.206 GiB free.
H: is FIXED (NTFS) - 49 GiB total, 10.655 GiB free.
I: is FIXED (NTFS) - 104 GiB total, 38.785 GiB free.
J: is CDROM ()
L: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Teredo Tunneling Adapter
Device ID: ROOT\*TEREDO\0000
Manufacturer: Microsoft
Name: Teredo Tunneling Pseudo-Interface
PNP Device ID: ROOT\*TEREDO\0000
Service: tunnel
.
==== System Restore Points ===================
.
RP179: 25-Jan-13 10:40:11 AM - Scheduled Checkpoint
.
==== Installed Programs ======================
.
µTorrent
7-Zip 9.10 beta
Adobe Acrobat 9 Pro - English, Français, Deutsch
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Media Player
Adobe Shockwave Player 11.6
Advanced SystemCare 6
AI RoboForm (All Users)
avast! Free Antivirus
Camtasia Studio 7
Canon ScanGear Starter
CanoScan Toolbox Ver4.9
CCleaner
Clownfish for Skype
CoffeeCup HTML Editor
COMODO Internet Security
DAEMON Tools Lite
Disk Space Fan 4 (4.1.1.79)
Dropbox
Email Extractor 14 1.0
ESET Online Scanner v3
F.lux
File Shredder 2.5
File Splitter and Joiner (FFSJ v3.3)
Google Chrome
Google Drive
Google Update Helper
Gyazo 1.0
Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB945282)
Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB946040)
Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB946308)
Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB946344)
Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB947540)
Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB947789)
Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB948127)
Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB951708)
Hotspot Shield 2.83
Internet Download Manager
Java 7 Update 10
Java Auto Updater
Java(TM) 6 Update 32
JavaFX 2.1.0
KeyScrambler
LAME v3.99.3 (for Windows)
Maintenance Samsung ML-1660 Series
Malwarebytes Anti-Malware version 1.62.0.1300
Manual CanoScan LiDE 25
Metasploit
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft SQL Server 2008 Management Objects
Microsoft SQL Server Compact 3.5 SP1 Design Tools English
Microsoft SQL Server Compact 3.5 SP1 English
Microsoft Visual Basic 2008 Express Edition with SP1 - ENU
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - enu
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Win32
Microsoft_VC80_ATL_x86
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
Movie Studio Platinum 12.0
Mozilla Firefox (3.6)
Mozilla Maintenance Service
MSVCRT Redists
O&O Defrag Professional
OpenVPN 2.2.2
Palringo
Python 2.7.3
QUBEE WiMAX Connection Manager
Recuva
Sandboxie 3.46
ScanSoft OmniPage SE 4.0
Screenpresso
SES Driver
ShaPlus Bandwidth Meter 1.3.1
SIW version 2011.10.29
Skype™ 5.10
Spotflux
SQL Server System CLR Types
StreamTransport version: 1.0.2.2171
Stronghold 2
SUPERAntiSpyware
swMSM
tools-freebsd
tools-linux
tools-netware
tools-solaris
tools-windows
tools-winPre2k
Total Video Converter 3.71 100812
TrueCrypt
Unity Web Player
VLC media player 1.1.10
VMware Workstation
WinHTTrack Website Copier 3.46-1
WinPcap 4.1.2
WinRAR 4.00 (32-bit)
Wireshark 1.8.4 (32-bit)
Wondershare Application Center 1.0.0.58
Wondershare MobileGo for Android ( Version 2.1.5 )
YPOPs! 0.9.7.3
.
==== Event Viewer Messages From Past Week ========
.
25-Jan-13 10:02:44 AM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
25-Jan-13 10:02:44 AM, Error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error %%-2147218173.
25-Jan-13 10:01:50 AM, Error: Service Control Manager [7024] - The VMware Workstation Server service terminated with service-specific error %%-1.
25-Jan-13 10:01:37 AM, Error: Service Control Manager [7000] - The metasploitPostgreSQL service failed to start due to the following error: The system cannot find the file specified.
25-Jan-13 10:01:36 AM, Error: Service Control Manager [7000] - The DgiVecp service failed to start due to the following error: The system cannot find the file specified.
24-Jan-13 2:27:29 PM, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
.
==== End Of File ===========================

PC does slow down at times for no reason.

Do let me know if there's anything else I need to do.

Thank you so much for your help (:

P.S. I can't do anything that MIGHT make my pc crash, say run combofix or anything. I can't risk it. I have very important files on board and there's no place for me to take a backup. Hope you understand.

Cheers.

  • Staff

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.


  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

These are the programs I would like you to run next; if you have any problems with one of these, just skip it and run the next one.

-Security Check-

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-AdwCleaner-

  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[s1].txt as well.

--RogueKiller--

  • Download & SAVE to your Desktop RogueKiller or from here
    • Quit all programs that you may have started.
    • Please disconnect any USB or external drives from the computer before you run this scan!
    • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
    • For Windows XP, double-click to start.
    • Wait until Prescan has finished ...
    • Then click on the "Scan" button.
    • Wait until the Status box shows "Scan Finished".
    • Click on "Delete".
    • Wait until the Status box shows "Deleting Finished".
    • Click on "Report" and copy/paste the content of the Notepad into your next reply.
    • The log should be found in RKreport[1].txt on your Desktop.
    • Exit/Close RogueKiller.

Gringo

  • Staff

Greetings

I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also, to remind you, it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete and I will ask you to remove our tools.

Gringo

I ran Security Check:

Results of screen317's Security Check version 0.99.57

Windows 7 x86 (UAC is enabled)

Out of date service pack!!

Internet Explorer 8 Out of date!

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Disabled!

COMODO Antivirus

(On Access scanning disabled!)

`````````Anti-malware/Other Utilities Check:`````````

SUPERAntiSpyware

Malwarebytes Anti-Malware version 1.62.0.1300

CCleaner

JavaFX 2.1.0

Java 6 Update 32

Java 7 Update 10

Java version out of Date!

Adobe Flash Player 10 Flash Player out of Date!

Adobe Flash Player 11.5.502.146

Mozilla Firefox (3.6) Firefox out of Date!

Google Chrome 24.0.1312.52

Google Chrome 24.0.1312.56

````````Process Check: objlist.exe by Laurent````````

Malwarebytes Anti-Malware mbamservice.exe

Malwarebytes Anti-Malware mbamgui.exe

Comodo Firewall cmdagent.exe

AvastSvc.exe

AvastUI.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 1%

````````````````````End of Log``````````````````````

  • Staff

Greetings

I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also, to remind you, it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete and I will ask you to remove our tools.

Gringo

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
