
Trojan.Agent.DL Reoccurrence



Latest MBAM log:

Malwarebytes Anti-Malware (PRO) 1.70.0.1100

www.malwarebytes.org

Database version: v2013.02.19.05

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Hai :: HAI-HPC [administrator]

Protection: Enabled

2/19/2013 9:54:20 PM

mbam-log-2013-02-19 (21-54-20).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 208944

Time elapsed: 39 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 1

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|WindowsLiveUpdate (Trojan.Agent.DL) -> Data: C:\Users\Hai\AppData\Roaming\MCommon\WindowsLiveUpdate.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\Users\Hai\AppData\Roaming\MCommon\WindowsLiveUpdate.exe (Trojan.Agent.DL) -> Quarantined and deleted successfully.

(end)

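The MBAM log above lists the RunOnce value and the file it pointed to as two separate detections. The Python below is an added example (not part of this thread and not Malwarebytes' own tooling): it parses that MBAM 1.x log format, flags autostart entries whose target sits in a user-writable directory, pairs them with the file detections, and names the payload directory that a later cleanup step must also cover. The sample log is constructed from the lines posted above.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the MBAM 1.x log posted above; the two
# detection lines are the ones from the first post of this thread.
SAMPLE_MBAM_LOG = r"""
Malwarebytes Anti-Malware (PRO) 1.70.0.1100
Database version: v2013.02.19.05
Scan type: Quick scan
Memory Processes Detected: 0
(No malicious items detected)
Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|WindowsLiveUpdate (Trojan.Agent.DL) -> Data: C:\Users\Hai\AppData\Roaming\MCommon\WindowsLiveUpdate.exe -> Quarantined and deleted successfully.
Registry Data Items Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Users\Hai\AppData\Roaming\MCommon\WindowsLiveUpdate.exe (Trojan.Agent.DL) -> Quarantined and deleted successfully.
(end)
"""

# "<Section> Detected: <n>" introduces each block of detection lines.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# "<item> (<threat>) -> [Data: <target> -> ]<action>."
DETECTION_RE = re.compile(
    r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> "
    r"(?:Data: (?P<data>.+?) -> )?(?P<action>.+?)\.?$"
)
# Registry autostart locations; MBAM reports them under "Registry Values".
AUTORUN_KEYS = ("\\currentversion\\run|", "\\currentversion\\runonce|")
# Directories a standard user can write to. An autostart entry pointing into
# one of these is the persistence pattern seen in this thread.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\users\\public\\", "\\temp\\")


@dataclass
class Detection:
    section: str
    item: str            # registry value path or file path
    threat: str          # MBAM detection name, e.g. Trojan.Agent.DL
    data: Optional[str]  # registry values only: the command/path the value holds
    action: str

    @property
    def target(self) -> str:
        """On-disk path this detection points at (value data, or the item itself)."""
        return self.data if self.data else self.item

    def is_autorun(self) -> bool:
        return self.section == "Registry Values" and any(k in self.item.lower() for k in AUTORUN_KEYS)

    def in_user_writable_path(self) -> bool:
        return any(p in self.target.lower() for p in USER_WRITABLE)


def parse_mbam_log(text: str) -> List[Detection]:
    """Return every detection line, tagged with the section it was listed under."""
    detections: List[Detection] = []
    section, remaining = None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, remaining = m.group("section"), int(m.group("count"))
            continue
        if section is None or remaining == 0:
            continue  # "(No malicious items detected)" and header lines
        m = DETECTION_RE.match(line)
        if m:
            detections.append(Detection(section, m.group("item"), m.group("threat"),
                                        m.group("data"), m.group("action")))
            remaining -= 1
    return detections


def autorun_persistence(detections: List[Detection]) -> List[Detection]:
    """Autostart entries whose target lives in a user-writable directory."""
    return [d for d in detections if d.is_autorun() and d.in_user_writable_path()]


def payload_dirs(detections: List[Detection]) -> List[str]:
    """Directories holding autorun payloads: the folders a cleanup must also cover
    (here MCommon, which the later ComboFix run found still holding *.dat files)."""
    seen: List[str] = []
    for d in autorun_persistence(detections):
        folder = ntpath.dirname(d.target)
        if folder not in seen:
            seen.append(folder)
    return seen


def fully_remediated(detections: List[Detection]) -> bool:
    """True only if every detection reports quarantine *and* deletion."""
    return all(d.action == "Quarantined and deleted successfully" for d in detections)


def unpaired_autoruns(detections: List[Detection]) -> List[Detection]:
    """Autorun entries whose target file was not itself detected; worth checking
    by hand before declaring the system clean."""
    files = {d.item.lower() for d in detections if d.section == "Files"}
    return [d for d in autorun_persistence(detections) if d.target.lower() not in files]


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_MBAM_LOG)
    for d in autorun_persistence(found):
        print(f"persistence: {d.item} -> {d.target}")
    print("payload directories:", payload_dirs(found))
    print("fully remediated:", fully_remediated(found))
```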


Hello Jedarius,

I have an idea.

Please follow these instructions to remove the remaining malicious entries:

  • Please close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open Notepad and copy/paste the text in the quotebox below into it:
    Please Note: Do NOT use any other text editor than Notepad or the CFScript will fail.

    killall::
    Folder::
    C:\Users\Hai\AppData\Roaming\MCommon
  • Save this as CFScript.txt, in the same location as ComboFix.exe.
    CFScriptB-4.gif
  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at C:\ComboFix.txt.

Please post the ComboFix.txt in your next reply.

Now try MBAM please.


Thanks for the help!

Here's the ComboFix log:

ComboFix 13-02-18.02 - Hai 02/19/2013 23:43:40.6.4 - x64

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.16339.12315 [GMT -8:00]

Running from: c:\users\Hai\Desktop\ComboFix.exe

Command switches used :: c:\users\Hai\Desktop\CFScript.txt

AV: McAfee VirusScan Enterprise *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\Hai\AppData\Local\Temp\26b4a1dd-e07b-48af-be4e-9642b273284b\CliSecureRT.dll

c:\users\Hai\AppData\Roaming\MCommon

c:\users\Hai\AppData\Roaming\MCommon\config.dat

c:\users\Hai\AppData\Roaming\MCommon\sites.dat

c:\users\Hai\AppData\Roaming\MCommon\uid.dat

c:\users\Hai\AppData\Roaming\MCommon\uinfo.dat

c:\users\Hai\AppData\Roaming\MCommon\vinfo.dat

.

.

((((((((((((((((((((((((( Files Created from 2013-01-20 to 2013-02-20 )))))))))))))))))))))))))))))))

.

.

2013-02-20 07:45 . 2013-02-20 07:45 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-02-20 07:16 . 2013-02-20 07:16 -------- d-----w- c:\users\Hai\AppData\Roaming\Intuit Canada

2013-02-20 07:16 . 2013-02-20 07:16 -------- d-----w- c:\program files (x86)\Common Files\Intuit

2013-02-20 07:16 . 2013-02-20 07:16 -------- d-----w- c:\programdata\Intuit Canada

2013-02-16 23:45 . 2013-02-16 23:45 -------- d-----w- c:\program files (x86)\ESET

2013-02-15 04:35 . 2013-01-09 01:10 996352 ----a-w- c:\program files\Common Files\Microsoft Shared\VGX\VGX.dll

2013-02-15 04:35 . 2013-01-08 22:01 768000 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll

2013-02-14 03:14 . 2013-02-14 03:14 -------- d-----w- C:\_OTL

2013-02-12 07:15 . 2013-02-12 07:16 -------- d-----w- c:\windows\SysWow64\wbem\Performance

2013-02-12 07:05 . 2013-02-12 07:17 181064 ----a-w- c:\windows\PSEXESVC.EXE

2013-02-12 07:03 . 2013-02-12 07:17 -------- d-----w- C:\Tweaking.com_Windows_Repair_Logs

2013-02-11 05:42 . 2013-02-11 05:42 -------- d-----w- c:\program files\CCleaner

2013-02-06 07:12 . 2013-02-06 07:12 -------- d-----w- c:\users\Hai\AppData\Local\Futuremark

2013-02-06 06:31 . 2013-01-08 05:32 9161176 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4326CDFA-7DE5-4A98-8004-087A3FB46E4C}\mpengine.dll

2013-02-02 07:18 . 2013-02-02 07:18 -------- d-----w- c:\users\Hai\AppData\Roaming\SUPERAntiSpyware.com

2013-02-02 07:17 . 2013-02-02 07:17 -------- d-----w- c:\programdata\SUPERAntiSpyware.com

2013-01-31 05:00 . 2012-06-05 07:37 256904 ----a-w- c:\windows\SysWow64\drivers\tmcomm.sys

2013-01-28 08:08 . 2013-01-28 08:08 -------- d-----w- c:\programdata\id Software

2013-01-23 07:45 . 2013-01-23 07:45 -------- d-----w- c:\users\Hai\AppData\Local\4A Games

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-02-18 00:00 . 2012-05-04 04:11 1048576 ----a-w- c:\windows\PE_Rom.dll

2013-02-15 04:37 . 2012-05-01 09:41 70004024 ----a-w- c:\windows\system32\MRT.exe

2013-01-17 09:28 . 2012-05-01 10:10 273840 ------w- c:\windows\system32\MpSigStub.exe

2013-01-04 04:43 . 2013-02-15 04:34 44032 ----a-w- c:\windows\apppatch\acwow64.dll

2012-12-29 10:54 . 2012-12-29 10:54 550328 ----a-w- c:\windows\SysWow64\nvStreaming.exe

2012-12-29 10:34 . 2013-01-05 22:24 1813432 ----a-w- c:\windows\system32\nvdispco64.dll

2012-12-29 10:34 . 2013-01-05 22:24 1504696 ----a-w- c:\windows\system32\nvdispgenco64.dll

2012-12-29 10:34 . 2013-01-05 22:24 7565240 ----a-w- c:\windows\system32\nvopencl.dll

2012-12-29 10:34 . 2013-01-05 22:24 6263784 ----a-w- c:\windows\SysWow64\nvopencl.dll

2012-12-29 10:34 . 2013-01-05 22:24 15052368 ----a-w- c:\windows\system32\nvwgf2umx.dll

2012-12-29 10:34 . 2013-01-05 22:24 12641120 ----a-w- c:\windows\SysWow64\nvwgf2um.dll

2012-12-29 10:34 . 2013-01-05 22:24 958272 ----a-w- c:\windows\SysWow64\nvumdshim.dll

2012-12-29 10:34 . 2013-01-05 22:24 26931128 ----a-w- c:\windows\system32\nvoglv64.dll

2012-12-29 10:34 . 2013-01-05 22:24 1107592 ----a-w- c:\windows\system32\nvumdshimx.dll

2012-12-29 10:34 . 2013-01-05 22:24 10997176 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys

2012-12-29 10:34 . 2013-01-05 22:24 9389888 ----a-w- c:\windows\system32\nvcuda.dll

2012-12-29 10:34 . 2013-01-05 22:24 7931896 ----a-w- c:\windows\SysWow64\nvcuda.dll

2012-12-29 10:34 . 2013-01-05 22:24 364984 ----a-w- c:\windows\SysWow64\nvEncodeAPI.dll

2012-12-29 10:34 . 2013-01-05 22:24 2504248 ----a-w- c:\windows\SysWow64\nvapi.dll

2012-12-29 10:34 . 2013-01-05 22:24 246024 ----a-w- c:\windows\system32\nvinitx.dll

2012-12-29 10:34 . 2013-01-05 22:24 2344888 ----a-w- c:\windows\system32\nvcuvenc.dll

2012-12-29 10:34 . 2013-01-05 22:24 20450232 ----a-w- c:\windows\SysWow64\nvoglv32.dll

2012-12-29 10:34 . 2013-01-05 22:24 201728 ----a-w- c:\windows\SysWow64\nvinit.dll

2012-12-29 10:34 . 2013-01-05 22:24 1985976 ----a-w- c:\windows\SysWow64\nvcuvenc.dll

2012-12-29 10:34 . 2013-01-05 22:24 18054312 ----a-w- c:\windows\system32\nvd3dumx.dll

2012-12-29 10:34 . 2013-01-05 22:24 420280 ----a-w- c:\windows\system32\nvEncodeAPI64.dll

2012-12-29 10:34 . 2013-01-05 22:24 2904504 ----a-w- c:\windows\system32\nvcuvid.dll

2012-12-29 10:34 . 2013-01-05 22:24 2824656 ----a-w- c:\windows\system32\nvapi64.dll

2012-12-29 10:34 . 2013-01-05 22:24 2720696 ----a-w- c:\windows\SysWow64\nvcuvid.dll

2012-12-29 10:34 . 2013-01-05 22:24 25256376 ----a-w- c:\windows\system32\nvcompiler.dll

2012-12-29 10:34 . 2013-01-05 22:24 17560504 ----a-w- c:\windows\SysWow64\nvcompiler.dll

2012-12-29 10:34 . 2013-01-05 22:24 15129064 ----a-w- c:\windows\SysWow64\nvd3dum.dll

2012-12-29 08:40 . 2013-01-05 22:24 6382008 ----a-w- c:\windows\system32\nvcpl.dll

2012-12-29 08:40 . 2013-01-05 22:24 3455416 ----a-w- c:\windows\system32\nvsvc64.dll

2012-12-29 08:40 . 2013-01-05 22:24 2923201 ----a-w- c:\windows\system32\nvcoproc.bin

2012-12-29 08:40 . 2013-01-05 22:24 884152 ----a-w- c:\windows\system32\nvvsvc.exe

2012-12-29 08:40 . 2013-01-05 22:24 63928 ----a-w- c:\windows\system32\nvshext.dll

2012-12-29 08:40 . 2013-01-05 22:24 118712 ----a-w- c:\windows\system32\nvmctray.dll

2012-12-24 18:41 . 2012-12-24 18:41 1712201 ----a-w- c:\windows\SysWow64\InetClnt.dll

2012-12-23 04:42 . 2012-05-21 03:29 281688 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr

2012-12-23 02:33 . 2012-05-21 03:27 281688 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0

2012-12-16 17:11 . 2012-12-29 04:34 46080 ----a-w- c:\windows\system32\atmlib.dll

2012-12-16 14:45 . 2012-12-29 04:34 367616 ----a-w- c:\windows\system32\atmfd.dll

2012-12-16 14:13 . 2012-12-29 04:34 295424 ----a-w- c:\windows\SysWow64\atmfd.dll

2012-12-16 14:13 . 2012-12-29 04:34 34304 ----a-w- c:\windows\SysWow64\atmlib.dll

2012-12-15 00:49 . 2012-09-15 08:08 24176 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-12-07 13:20 . 2013-01-18 03:52 441856 ----a-w- c:\windows\system32\Wpc.dll

2012-12-07 13:15 . 2013-01-18 03:52 2746368 ----a-w- c:\windows\system32\gameux.dll

2012-12-07 12:26 . 2013-01-18 03:52 308736 ----a-w- c:\windows\SysWow64\Wpc.dll

2012-12-07 12:20 . 2013-01-18 03:52 2576384 ----a-w- c:\windows\SysWow64\gameux.dll

2012-12-07 11:20 . 2013-01-18 03:52 30720 ----a-w- c:\windows\system32\usk.rs

2012-12-07 11:20 . 2013-01-18 03:52 43520 ----a-w- c:\windows\system32\csrr.rs

2012-12-07 11:20 . 2013-01-18 03:52 23552 ----a-w- c:\windows\system32\oflc.rs

2012-12-07 11:20 . 2013-01-18 03:52 45568 ----a-w- c:\windows\system32\oflc-nz.rs

2012-12-07 11:20 . 2013-01-18 03:52 44544 ----a-w- c:\windows\system32\pegibbfc.rs

2012-12-07 11:20 . 2013-01-18 03:52 20480 ----a-w- c:\windows\system32\pegi-fi.rs

2012-12-07 11:20 . 2013-01-18 03:52 20480 ----a-w- c:\windows\system32\pegi-pt.rs

2012-12-07 11:19 . 2013-01-18 03:52 20480 ----a-w- c:\windows\system32\pegi.rs

2012-12-07 11:19 . 2013-01-18 03:52 46592 ----a-w- c:\windows\system32\fpb.rs

2012-12-07 11:19 . 2013-01-18 03:52 40960 ----a-w- c:\windows\system32\cob-au.rs

2012-12-07 11:19 . 2013-01-18 03:52 21504 ----a-w- c:\windows\system32\grb.rs

2012-12-07 11:19 . 2013-01-18 03:52 15360 ----a-w- c:\windows\system32\djctq.rs

2012-12-07 11:19 . 2013-01-18 03:52 55296 ----a-w- c:\windows\system32\cero.rs

2012-12-07 11:19 . 2013-01-18 03:52 51712 ----a-w- c:\windows\system32\esrb.rs

2012-12-07 10:46 . 2013-01-18 03:52 43520 ----a-w- c:\windows\SysWow64\csrr.rs

2012-12-07 10:46 . 2013-01-18 03:52 30720 ----a-w- c:\windows\SysWow64\usk.rs

2012-12-07 10:46 . 2013-01-18 03:52 45568 ----a-w- c:\windows\SysWow64\oflc-nz.rs

2012-12-07 10:46 . 2013-01-18 03:52 44544 ----a-w- c:\windows\SysWow64\pegibbfc.rs

2012-12-07 10:46 . 2013-01-18 03:52 20480 ----a-w- c:\windows\SysWow64\pegi-pt.rs

2012-12-07 10:46 . 2013-01-18 03:52 23552 ----a-w- c:\windows\SysWow64\oflc.rs

2012-12-07 10:46 . 2013-01-18 03:52 20480 ----a-w- c:\windows\SysWow64\pegi-fi.rs

2012-12-07 10:46 . 2013-01-18 03:52 46592 ----a-w- c:\windows\SysWow64\fpb.rs

2012-12-07 10:46 . 2013-01-18 03:52 20480 ----a-w- c:\windows\SysWow64\pegi.rs

2012-12-07 10:46 . 2013-01-18 03:52 21504 ----a-w- c:\windows\SysWow64\grb.rs

2012-12-07 10:46 . 2013-01-18 03:52 40960 ----a-w- c:\windows\SysWow64\cob-au.rs

2012-12-07 10:46 . 2013-01-18 03:52 15360 ----a-w- c:\windows\SysWow64\djctq.rs

2012-12-07 10:46 . 2013-01-18 03:52 55296 ----a-w- c:\windows\SysWow64\cero.rs

2012-12-07 10:46 . 2013-01-18 03:52 51712 ----a-w- c:\windows\SysWow64\esrb.rs

2012-12-03 15:47 . 2013-01-04 05:53 60776 ----a-w- c:\windows\system32\OpenCL.dll

2012-12-03 15:47 . 2013-01-04 05:53 52584 ----a-w- c:\windows\SysWow64\OpenCL.dll

2012-11-30 05:45 . 2013-01-18 03:52 362496 ----a-w- c:\windows\system32\wow64win.dll

2012-11-30 05:45 . 2013-01-18 03:52 243200 ----a-w- c:\windows\system32\wow64.dll

2012-11-30 05:45 . 2013-01-18 03:52 13312 ----a-w- c:\windows\system32\wow64cpu.dll

2012-11-30 05:43 . 2013-01-18 03:52 16384 ----a-w- c:\windows\system32\ntvdm64.dll

2012-11-30 05:41 . 2013-01-18 03:52 424448 ----a-w- c:\windows\system32\KernelBase.dll

2012-11-30 05:41 . 2013-01-18 03:52 1161216 ----a-w- c:\windows\system32\kernel32.dll

2012-11-30 05:38 . 2013-01-18 03:52 3072 ---ha-w- c:\windows\system32\api-ms-win-core-string-l1-1-0.dll

2012-11-30 05:38 . 2013-01-18 03:52 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll

2012-11-30 05:38 . 2013-01-18 03:52 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll

2012-11-30 05:38 . 2013-01-18 03:52 4096 ---ha-w- c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll

2012-11-30 05:38 . 2013-01-18 03:52 4096 ---ha-w- c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll

2012-11-30 05:38 . 2013-01-18 03:52 3584 ---ha-w- c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll

2012-11-30 05:38 . 2013-01-18 03:52 3072 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll

2012-11-30 05:38 . 2013-01-18 03:52 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll

2012-11-30 05:38 . 2013-01-18 03:52 4608 ---ha-w- c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll

2012-11-30 05:38 . 2013-01-18 03:52 3584 ---ha-w- c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll

2012-11-30 05:38 . 2013-01-18 03:52 3584 ---ha-w- c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll

2012-11-30 05:38 . 2013-01-18 03:52 3584 ---ha-w- c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll

2012-11-30 05:38 . 2013-01-18 03:52 3072 ---ha-w- c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll

2012-11-30 05:38 . 2013-01-18 03:52 5120 ---ha-w- c:\windows\system32\api-ms-win-core-file-l1-1-0.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{2adefb8e-b923-35e6-86e2-2b7841f5d6a4}]

2010-11-05 01:58 297808 ----a-w- c:\windows\System32\mscoree.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 129272 ----a-w- c:\users\Hai\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 129272 ----a-w- c:\users\Hai\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 129272 ----a-w- c:\users\Hai\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 129272 ----a-w- c:\users\Hai\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"uTorrent"="c:\program files (x86)\uTorrent\uTorrent.exe" [2012-12-12 969104]

"KiesHelper"="d:\program files (x86)\Samsung\Kies\Kies\KiesHelper.exe" [2012-06-08 958392]

"KiesPDLR"="d:\program files (x86)\Samsung\Kies\Kies\External\FirmwareUpdate\KiesPDLR.exe" [2012-06-08 21432]

"DAEMON Tools Lite"="d:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2012-08-28 3671904]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Samsung Network PC Fax.lnk - c:\windows\System32\spool\drivers\x64\3\NetFaxTray64.exe [2012-9-17 273408]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]

@="Service"

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-11-30 13592]

R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2012-01-20 363800]

R3 AiCharger;AiCharger;SysWow64\drivers\AiCharger.sys [x]

R3 cpuz136;cpuz136;c:\windows\TEMP\cpuz136\cpuz136_x64.sys [x]

R3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;c:\program files (x86)\Futuremark\Futuremark SystemInfo\FMSISvc.exe [2012-12-17 137488]

R3 ICCS;Intel® Integrated Clock Controller Service - Intel® ICCS;c:\program files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe [2011-05-27 160768]

R3 LADF_CaptureOnly;LADF Capture Filter Driver;c:\windows\system32\DRIVERS\ladfGSCamd64.sys [2011-04-11 410184]

R3 LADF_RenderOnly;LADF Render Filter Driver;c:\windows\system32\DRIVERS\ladfGSRamd64.sys [2011-04-11 341832]

R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2009-10-23 77104]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 19456]

R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 57856]

R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]

R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-12-15 1255736]

S0 asahci64;asahci64;c:\windows\system32\DRIVERS\asahci64.sys [2012-01-06 49760]

S0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys [2012-01-04 16152]

S1 AsUpIO;AsUpIO;SysWow64\drivers\AsUpIO.sys [x]

S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-10-20 283200]

S1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]

S1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]

S2 !SASCORE;SAS Core Service;d:\program files\SUPERAntiSpyware\SASCORE64.EXE [2012-07-11 140672]

S2 asComSvc;ASUS Com Service;c:\program files (x86)\ASUS\AXSP\1.00.18\atkexComSvc.exe [2011-10-29 918448]

S2 asHmComSvc;ASUS HM Com Service;c:\program files (x86)\ASUS\AAHM\1.00.20\aaHMSvc.exe [2012-02-02 951936]

S2 AsSysCtrlService;ASUS System Control Service;c:\program files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe [2010-10-21 586880]

S2 AsusFanControlService;AsusFanControlService;c:\program files (x86)\ASUS\AsusFanControlService\1.00.24\AsusFanControlService.exe [2012-02-01 1489024]

S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys [2012-03-09 23816]

S2 DTSAudioSvc;DTSAudioSvc;c:\program files\Realtek\Audio\HDA\DTSU2PAuSrv64.exe [2011-08-05 225280]

S2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe [2012-01-11 627936]

S2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2011-08-16 178344]

S2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [2012-01-20 161560]

S2 MBAMScheduler;MBAMScheduler;d:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-15 398184]

S2 MBAMService;MBAMService;d:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-15 682344]

S2 McAfeeEngineService;McAfee Engine Service;c:\program files (x86)\McAfee\VirusScan Enterprise\x64\EngineServer.exe [2009-10-23 19720]

S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-10-23 79504]

S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35344]

S2 Samsung Network Fax Server;Samsung Network Fax Server;c:\windows\system32\spool\drivers\x64\3\NetFaxServer64.exe [2012-04-26 237056]

S2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys [2012-02-15 11576]

S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-12-29 383416]

S2 WinFLdrv;WinFLdrv;SysWOW64\WinFLdrv.sys [x]

S3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\DRIVERS\asmthub3.sys [2011-11-03 130536]

S3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\DRIVERS\asmtxhci.sys [2011-11-03 395752]

S3 ASUSFILTER;ASUSFILTER;SysWow64\drivers\ASUSFILTER.sys [x]

S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys [2012-09-19 102368]

S3 ICCWDT;Intel® Watchdog Timer Driver (Intel® WDT);c:\windows\system32\DRIVERS\ICCWDT.sys [2010-08-17 26136]

S3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys [2012-01-04 355096]

S3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys [2012-01-04 786200]

S3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2009-11-24 22408]

S3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [2009-11-24 16008]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-12-15 24176]

S3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys [2012-09-19 203104]

.

.

Contents of the 'Scheduled Tasks' folder

.

2013-02-20 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-01 18:54]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 162552 ----a-w- c:\users\Hai\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 162552 ----a-w- c:\users\Hai\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 162552 ----a-w- c:\users\Hai\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 162552 ----a-w- c:\users\Hai\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2011-12-28 6457960]

"RtHDVBg_DTS"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2011-11-15 1156712]

"Launch LCore"="c:\program files\Logitech Gaming Software\LCore.exe" [2011-12-07 5889816]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

mLocal Page = c:\windows\SysWOW64\blank.htm

IE: E&xport to Microsoft Excel - d:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - d:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105

TCP: DhcpNameServer = 192.168.1.1

Handler: intu-tt2012 - {02F985EF-502B-4597-993F-6BF9E004C138} - d:\program files (x86)\TurboTax 2012\ic2012pp.dll

FF - ProfilePath - c:\users\Hai\AppData\Roaming\Mozilla\Firefox\Profiles\c4g4sdlg.default\

FF - ExtSQL: !HIDDEN! 2012-05-07 18:22; hotfix@mozilla.org; c:\users\Hai\AppData\Roaming\Mozilla\Firefox\Extensions\MozillaHotfix

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

c:\program files (x86)\McAfee\Common Framework\FrameworkService.exe

c:\program files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe

c:\program files (x86)\McAfee\Common Framework\naPrdMgr.exe

d:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

.

**************************************************************************

.

Completion time: 2013-02-19 23:48:28 - machine was rebooted

ComboFix-quarantined-files.txt 2013-02-20 07:48

ComboFix2.txt 2013-02-17 23:54

ComboFix3.txt 2013-02-16 07:38

ComboFix4.txt 2013-02-06 15:29

ComboFix5.txt 2013-02-20 07:43

.

Pre-Run: 151,778,177,024 bytes free

Post-Run: 153,561,280,512 bytes free

.

- - End Of File - - 0E4F4677486C46ED140F043907FA4D9B

and MBAM log:

Malwarebytes Anti-Malware (PRO) 1.70.0.1100

www.malwarebytes.org

Database version: v2013.02.19.05

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Hai :: HAI-HPC [administrator]

Protection: Disabled

2/19/2013 11:49:23 PM

mbam-log-2013-02-19 (23-49-23).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 208433

Time elapsed: 1 minute(s), 16 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


I think that did it, gonna give it another 24 hrs before we can call it a victory.

Here's the latest MBAM:

Malwarebytes Anti-Malware (PRO) 1.70.0.1100

www.malwarebytes.org

Database version: v2013.02.19.05

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Hai :: HAI-HPC [administrator]

Protection: Enabled

2/21/2013 1:38:40 PM

mbam-log-2013-02-21 (13-38-40).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 208421

Time elapsed: 29 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


Clean run of MBAM this morning, I think we can officially close this case. Thank you for the help!

Malwarebytes Anti-Malware (PRO) 1.70.0.1100

www.malwarebytes.org

Database version: v2013.02.19.05

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Hai :: HAI-HPC [administrator]

Protection: Enabled

2/22/2013 9:28:53 AM

mbam-log-2013-02-22 (09-28-53).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 230087

Time elapsed: 24 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


Good morning Jedarius,

Good to hear!

Please download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Results of screen317's Security Check version 0.99.60

Windows 7 Service Pack 1 x64 (UAC is disabled!)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

Windows Firewall Disabled!

WMI entry may not exist for antivirus; attempting automatic update.

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.70.0.1100

Java 6 Update 21

Java version out of Date!

Adobe Flash Player 10 Flash Player out of Date!

Adobe Flash Player 11.2.202.233 Flash Player out of Date!

Adobe Reader 10.1.3 Adobe Reader out of Date!

Mozilla Firefox (19.0)

````````Process Check: objlist.exe by Laurent````````

Malwarebytes Anti-Malware mbamservice.exe

Malwarebytes Anti-Malware mbamgui.exe

Malwarebytes' Anti-Malware mbamscheduler.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 43% Defragment your hard drive soon! (Do NOT defrag if SSD!)

````````````````````End of Log``````````````````````


Hi Jedarius,

I notice that you have the User Account Control turned off. This is a very important security feature on Windows Vista and 7, as it allows you to restrict access to your computer and control programs that try to run. Please see below on how to turn it on:

http://windows.microsoft.com/en-AU/windows-vista/Turn-User-Account-Control-on-or-off

=====

Your version of Java is out of date. It's important to remove older versions of Java since it does not do so automatically and older versions can leave you vulnerable.

Please follow the instructions below to update Java:

  • Please go to the below link and download the latest Windows 7 version:

http://www.java.com/en/download/manual.jsp

  • Save it to your Desktop.
  • Please go to Start>Control Panel>Programs.
  • Navigate to any versions of Java (J2SE Runtime Environment) you have installed. They will have this icon next to them: javaicon.gif
  • Select Uninstall.
  • Please double-click the installer and follow the prompts to install the latest version once all the previous versions have been successfully removed.

=====

Next, your version of Adobe Reader is out of date. It could have security vulnerabilities, so please follow these instructions to update it:

  • Please go to Start>All Programs>Adobe Reader.
  • Open Adobe Reader and navigate to Help>Check for Updates.
  • Please follow the prompts to install the latest version.

Then, your version of Adobe Flash Player is out of date. Please follow these instructions to update to the latest version:

Go to the Adobe Global Notifications Update website here:

http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager05.html#118377

A small box to the right within the window should load. Please select how often you would like Adobe to check for a new update for its Flash Player.

Note: This has to be done separately for Firefox and IE.

If a new version is found:

  • Please tick the License Agreement.
  • Click Install.
    Note: If you are running Mozilla Firefox all of its windows will need to be closed.
  • Click Done.

Note: In future if an update is available Adobe will notify you on your Desktop via the Adobe Download Manager.

=====

In addition, your version of Mozilla Firefox is out of date. Please do the following to update it:

  • Go to Start>All Programs>Mozilla Firefox.
  • Click Firefox>Help>About Firefox.
  • Let it search for any updates and install them when found.
  • Please restart your computer if prompted.

=====

I also notice that your hard drive is heavily fragmented. This can lead to slower speeds on your computer. I recommend trying one of these free defragmenting programs:

Defraggler or Auslogics Disk Defrag.

=====

In your reply please let me know how the updates go.

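The post above asks for two things that are easy to verify from a console rather than by clicking through Control Panel: that UAC is actually on, and that no stale Java, Flash or Reader builds are left behind after the updates. The script below is an added example written for this thread, not code posted by the helper or shipped with any of the tools mentioned. It reads the standard UAC policy values and the Windows Uninstall registry keys (including the Wow6432Node hive for 32-bit packages on x64), prints every matching product with its version and key name, and for each Java MSI entry prints (but does not run) the silent msiexec removal command. The product-name patterns are assumptions; widen or narrow them as needed. Run it from an elevated PowerShell prompt; the syntax stays within PowerShell 2.0, which is what Windows 7 ships with.

```powershell
# Added example for this thread (not the helper's code): audit UAC and
# installed Java/Flash/Reader builds on Windows 7 after a cleanup.

function Get-UacStatus {
    # Standard UAC policy location; values are DWORDs.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    New-Object PSObject -Property @{
        EnableLUA                  = $p.EnableLUA                  # 1 = UAC on, 0 = off
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin # 0 = no prompt (weak), 2 = always prompt, 5 = Win7 default
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop      # 1 = prompt on the dimmed secure desktop
    }
}

function Get-InstalledSoftware {
    # Enumerate Add/Remove Programs entries whose DisplayName matches any pattern.
    param([string[]]$NamePatterns)
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',  # 32-bit apps on x64
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'               # per-user installs
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            if (-not $p.DisplayName) { return }
            $name = $p.DisplayName
            $hit = $NamePatterns | Where-Object { $name -like $_ } | Select-Object -First 1
            if ($hit) {
                New-Object PSObject -Property @{
                    Name      = $name
                    Version   = $p.DisplayVersion
                    Key       = $_.PSChildName      # GUID for MSI-based products such as Java
                    Uninstall = $p.UninstallString
                }
            }
        }
    }
}

# 1. UAC check: the helper's log showed it turned off.
$uac = Get-UacStatus
if ($uac.EnableLUA -ne 1) {
    Write-Warning ("UAC is OFF (EnableLUA={0}). Re-enable it and reboot." -f $uac.EnableLUA)
    # To turn it back on from this prompt (takes effect after a reboot):
    #   Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name EnableLUA -Value 1 -Type DWord
} else {
    Write-Host ("UAC is on (ConsentPromptBehaviorAdmin={0}, SecureDesktop={1})" -f `
        $uac.ConsentPromptBehaviorAdmin, $uac.PromptOnSecureDesktop)
}

# 2. Version inventory: several Java rows means old builds are still installed.
#    Name patterns are an assumption; extend them for other products.
$apps = Get-InstalledSoftware -NamePatterns 'Java*', 'J2SE*', 'Adobe Flash Player*', 'Adobe Reader*'
$apps | Sort-Object Name, Version | Format-Table Name, Version, Key -AutoSize

# 3. For every Java entry installed by MSI, print the silent removal command.
#    Review the list, then run the commands for the builds you want gone.
$apps |
    Where-Object { $_.Name -like 'Java*' -and $_.Key -match '^\{[0-9A-Fa-f-]+\}$' } |
    ForEach-Object { "msiexec /x $($_.Key) /qn /norestart    # removes $($_.Name) $($_.Version)" }
```

Two points worth keeping in mind: EnableLUA only takes effect after a reboot, so a value of 1 with no restart since the change still means UAC is off for the running session; and ConsentPromptBehaviorAdmin=0 leaves UAC nominally on while auto-approving every elevation, which is almost as bad as turning it off. The msiexec lines are printed rather than executed so nothing is removed without a human reading the list first.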

Hello Jedarius,

A little housekeeping to uninstall ComboFix:

Please click Start>Run and copy/paste the following text, including the space between "ComboFix" and "/uninstall", into the Run box and click OK:

ComboFix /uninstall

And AdwCleaner:

  • Please double click on adwcleaner.exe to run the tool.
  • Click on Uninstall.
  • Confirm with Yes.

To remove all of the tools we used and the files and folders they created do the following:

Double click OTL.exe.

  • Click the CleanUp button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Right-click the Recycle Bin and please select Empty Recycle Bin.

=====

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.

IMPORTANT: Please enable Automatic Updates under Start > Control Panel > Automatic Updates to ensure your Windows updates regularly. This is extremely important in ensuring you remain protected against vulnerabilities and infections. This is a crucial security measure.

As a minimum, you need at least an antivirus, firewall and some type of anti-spyware program.

Please consider installing and running the following program (there is a free version available):

SpywareBlaster

A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster, can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you may be able to find out if it is a rogue here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different from the older version of rogues mentioned above.

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and Add-ons, like Adblock Plus and NoScript, can make it even more secure. To avoid dangerous sites Web of Trust or McAfee SiteAdvisor can be installed. Google Chrome or Opera are other good options.

Two useful programs for keeping your programs up-to-date are FileHippo or Secunia PSI. Running one of these regularly will help you obtain the latest program updates.

Please also read Tony Klein's excellent article: How did I get infected in the first place.

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help. :)


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.