
Am I infected?



A friend of mine just upgraded Office 2010 on my computer to Office 2013. Some days after, my antivirus detected a trojan named Win32/Malagent. Although it put the trojan in quarantine I'm still worried. I know these things may be very hard to get rid of.

dds.txt:

DDS (Ver_2012-11-20.01) - NTFS_AMD64

Internet Explorer: 9.0.8112.16464 BrowserJavaVersion: 10.15.2

Run by Felles at 18:48:27 on 2013-02-24

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.47.1044.18.4085.2694 [GMT 1:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}

SP: Microsoft Security Essentials *Enabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

c:\Program Files\Microsoft Security Client\MsMpEng.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\svchost.exe -k imgsvc

c:\Program Files\Microsoft Security Client\NisSrv.exe

C:\Windows\System32\WUDFHost.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Users\Felles\AppData\Roaming\uTorrent\uTorrent.exe

C:\Windows\system32\igfxsrvc.exe

C:\Users\Felles\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe

C:\Users\Felles\AppData\Roaming\Dropbox\bin\Dropbox.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Program Files (x86)\Internet Explorer\IELowutil.exe

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe

C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe

C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe

C:\Windows\system32\wuauclt.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

mWinlogon: Userinit = userinit.exe

BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll

BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll

BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL

BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL

BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll

uRun: [uTorrent] "C:\Users\Felles\AppData\Roaming\uTorrent\uTorrent.exe" /MINIMIZED

uRun: [skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun

uRun: [spotify Web Helper] "C:\Users\Felles\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

StartupFolder: C:\Users\Felles\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Felles\AppData\Roaming\Dropbox\bin\Dropbox.exe

mPolicies-Explorer: NoActiveDesktop = dword:1

mPolicies-Explorer: NoActiveDesktopChanges = dword:1

mPolicies-System: ConsentPromptBehaviorAdmin = dword:5

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableUIADesktopToggle = dword:0

IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~3\Office15\EXCEL.EXE/3000

IE: Se&nd to OneNote - C:\PROGRA~1\MICROS~3\Office15\ONBttnIE.dll/105

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office15\ONBttnIE.dll

IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office15\ONBttnIELinkedNotes.dll

TCP: NameServer = 84.208.20.110 84.208.20.111

TCP: Interfaces\{C4D993BE-D4DF-4271-8953-DCE6675C40BF} : DHCPNameServer = 84.208.20.110 84.208.20.111

Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE15\MSOXMLMF.DLL

Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files (x86)\Microsoft Office\Office15\MSOSB.DLL

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll

SSODL: WebCheck - <orphaned>

x64-BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office\Office15\OCHelper.dll

x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL

x64-BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL

x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

x64-Run: [igfxTray] C:\Windows\System32\igfxtray.exe

x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe

x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe

x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey

x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office15\ONBttnIE.dll

x64-IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office\Office15\OCHelper.dll

x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office15\ONBttnIELinkedNotes.dll

x64-Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE15\MSOXMLMF.DLL

x64-Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL

x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>

x64-Notify: igfxcui - igfxdev.dll

x64-SSODL: WebCheck - <orphaned>

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Felles\AppData\Roaming\Mozilla\Firefox\Profiles\4kt7xcpg.default\

FF - plugin: C:\PROGRA~2\MICROS~2\Office15\NPSPWRAP.DLL

FF - plugin: C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll

FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll

FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npMeetingJoinPluginOC.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_149.dll

FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll

FF - plugin: C:\Windows\SysWOW64\npmproxy.dll

FF - ExtSQL: 2013-02-10 18:57; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; C:\Users\Felles\AppData\Roaming\Mozilla\Firefox\Profiles\4kt7xcpg.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi

FF - ExtSQL: 2013-02-23 23:56; {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}; C:\Users\Felles\AppData\Roaming\Mozilla\Firefox\Profiles\4kt7xcpg.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}

.

============= SERVICES / DRIVERS ===============

.

R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2012-8-30 228768]

R2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2013-2-9 88576]

R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2012-8-30 128456]

R3 LVUVC64;Logitech QuickCam E3500(UVC);C:\Windows\System32\drivers\lvuvc64.sys [2009-10-7 6379288]

R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-9-12 368896]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-6-10 187392]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-1-8 161536]

S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-4-12 71168]

S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2012-10-1 178824]

S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2010-11-21 20992]

S3 Synth3dVsc;Synth3dVsc;C:\Windows\System32\drivers\Synth3dVsc.sys [2011-4-12 88960]

S3 terminpt;Microsoft Remote Desktop Input Driver;C:\Windows\System32\drivers\terminpt.sys [2011-4-12 34816]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-21 59392]

S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-21 31232]

S3 tsusbhub;tsusbhub;C:\Windows\System32\drivers\tsusbhub.sys [2011-4-12 117248]

.

=============== Created Last 30 ================

.

2013-02-24 16:01:36 9162192 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{03642C89-D377-4911-AEDA-6518DB60F98B}\mpengine.dll

2013-02-23 23:12:55 -------- d-----w- C:\Users\Felles\AppData\Roaming\Malwarebytes

2013-02-23 23:12:46 -------- d-----w- C:\ProgramData\Malwarebytes

2013-02-23 23:12:44 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2013-02-23 23:12:35 -------- d-----w- C:\Users\Felles\AppData\Local\Programs

2013-02-23 22:58:36 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy

2013-02-23 22:58:36 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy

2013-02-23 08:35:09 9162192 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2013-02-21 14:33:04 -------- d-----w- C:\Windows\PCHEALTH

2013-02-20 16:18:44 -------- d-----w- C:\Program Files\CCleaner

2013-02-20 15:41:56 -------- d-----w- C:\Users\Felles\AppData\Local\ElevatedDiagnostics

2013-02-20 15:38:01 -------- d-----w- C:\MATS

2013-02-19 20:31:32 95648 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll

2013-02-19 20:29:36 -------- d-----w- C:\Users\Felles\AppData\Local\Spotify

2013-02-19 20:27:05 -------- d-----w- C:\Users\Felles\AppData\Roaming\Spotify

2013-02-19 17:20:23 -------- d-----w- C:\Program Files (x86)\NirSoft

2013-02-19 16:48:37 -------- d-----w- C:\Program Files (x86)\MSECache

2013-02-19 16:30:03 -------- d-----w- C:\ProgramData\regid.1991-06.com.microsoft

2013-02-19 16:29:35 -------- d-----w- C:\Program Files\Microsoft SQL Server

2013-02-19 16:03:42 -------- d-----w- C:\Users\Felles\AppData\Local\Microsoft Toolkit

2013-02-14 17:40:29 -------- d-----w- C:\Program Files (x86)\Microsoft SQL Server

2013-02-14 17:40:11 -------- d-----w- C:\Program Files\Microsoft Synchronization Services

2013-02-14 17:40:11 -------- d-----w- C:\Program Files\Microsoft SQL Server Compact Edition

2013-02-14 17:40:02 -------- d-----w- C:\Program Files (x86)\Microsoft Synchronization Services

2013-02-14 17:40:02 -------- d-----w- C:\Program Files (x86)\Microsoft SQL Server Compact Edition

2013-02-14 17:39:44 205984 ----a-w- C:\ProgramData\Microsoft\VBExpress\10.0\1033\ResourceCache.dll

2013-02-14 17:38:23 -------- d-----w- C:\Program Files (x86)\Microsoft Visual Studio 10.0

2013-02-14 17:37:42 -------- d-----w- C:\Program Files\Microsoft Visual Studio 10.0

2013-02-14 17:37:42 -------- d-----w- C:\Program Files\Microsoft Help Viewer

2013-02-13 18:02:24 996352 ----a-w- C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll

2013-02-13 18:02:24 768000 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll

2013-02-13 10:46:43 5553512 ----a-w- C:\Windows\System32\ntoskrnl.exe

2013-02-13 10:46:43 3967848 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe

2013-02-13 10:46:42 3913064 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe

2013-02-13 10:46:38 3153408 ----a-w- C:\Windows\System32\win32k.sys

2013-02-13 10:46:37 215040 ----a-w- C:\Windows\System32\winsrv.dll

2013-02-13 10:46:36 7680 ----a-w- C:\Windows\SysWow64\instnm.exe

2013-02-13 10:46:36 5120 ----a-w- C:\Windows\SysWow64\wow32.dll

2013-02-13 10:46:36 25600 ----a-w- C:\Windows\SysWow64\setup16.exe

2013-02-13 10:46:36 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll

2013-02-13 10:46:35 2048 ----a-w- C:\Windows\SysWow64\user.exe

2013-02-13 10:46:34 288088 ----a-w- C:\Windows\System32\drivers\FWPKCLNT.SYS

2013-02-13 10:46:34 1913192 ----a-w- C:\Windows\System32\drivers\tcpip.sys

2013-02-11 19:18:35 741480 ------w- C:\Windows\System32\HPDiscoPMa111.dll

2013-02-11 19:18:11 -------- d-----w- C:\Program Files (x86)\HP

2013-02-11 19:18:09 -------- d-----w- C:\Program Files\HP

2013-02-11 19:17:54 -------- d-----w- C:\Users\Felles\AppData\Local\HP

2013-02-11 11:36:59 142336 ----a-w- C:\Windows\System32\poqexec.exe

2013-02-11 11:35:46 870912 ----a-w- C:\Windows\SysWow64\XpsPrint.dll

2013-02-11 11:34:58 307200 ----a-w- C:\Windows\System32\ncrypt.dll

2013-02-11 11:33:48 498688 ----a-w- C:\Windows\System32\drivers\afd.sys

2013-02-11 11:32:28 95744 ----a-w- C:\Windows\System32\synceng.dll

2013-02-11 11:30:58 331776 ----a-w- C:\Windows\System32\oleacc.dll

2013-02-11 11:29:53 1731920 ----a-w- C:\Windows\System32\ntdll.dll

2013-02-11 11:29:53 1292080 ----a-w- C:\Windows\SysWow64\ntdll.dll

2013-02-11 11:29:38 67072 ----a-w- C:\Windows\splwow64.exe

2013-02-11 11:29:38 559104 ----a-w- C:\Windows\System32\spoolsv.exe

2013-02-10 20:03:12 2560 ----a-w- C:\Windows\System32\drivers\nb-NO\wdf01000.sys.mui

2013-02-10 20:03:11 9728 ----a-w- C:\Windows\System32\Wdfres.dll

2013-02-10 20:03:11 785512 ----a-w- C:\Windows\System32\drivers\Wdf01000.sys

2013-02-10 20:03:11 54376 ----a-w- C:\Windows\System32\drivers\WdfLdr.sys

2013-02-10 20:02:24 294912 ----a-w- C:\Windows\System32\browserchoice.exe

2013-02-10 20:02:00 70656 ----a-w- C:\Windows\SysWow64\fontsub.dll

2013-02-10 20:02:00 46080 ----a-w- C:\Windows\System32\atmlib.dll

2013-02-10 20:02:00 367616 ----a-w- C:\Windows\System32\atmfd.dll

2013-02-10 20:02:00 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll

2013-02-10 20:02:00 295424 ----a-w- C:\Windows\SysWow64\atmfd.dll

2013-02-10 20:02:00 100864 ----a-w- C:\Windows\System32\fontsub.dll

2013-02-10 20:01:41 87040 ----a-w- C:\Windows\System32\drivers\WUDFPf.sys

2013-02-10 20:01:41 198656 ----a-w- C:\Windows\System32\drivers\WUDFRd.sys

2013-02-10 20:01:40 84992 ----a-w- C:\Windows\System32\WUDFSvc.dll

2013-02-10 20:01:40 45056 ----a-w- C:\Windows\System32\WUDFCoinstaller.dll

2013-02-10 20:01:40 194048 ----a-w- C:\Windows\System32\WUDFPlatform.dll

2013-02-10 20:01:39 744448 ----a-w- C:\Windows\System32\WUDFx.dll

2013-02-10 20:01:39 229888 ----a-w- C:\Windows\System32\WUDFHost.exe

2013-02-10 20:00:49 81408 ----a-w- C:\Windows\System32\imagehlp.dll

2013-02-10 20:00:49 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys

2013-02-10 20:00:49 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll

2013-02-10 20:00:48 5120 ----a-w- C:\Windows\SysWow64\wmi.dll

2013-02-10 20:00:48 5120 ----a-w- C:\Windows\System32\wmi.dll

2013-02-10 19:48:06 184320 ----a-w- C:\Windows\System32\cryptsvc.dll

2013-02-10 19:48:06 1464320 ----a-w- C:\Windows\System32\crypt32.dll

2013-02-10 19:48:06 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll

2013-02-10 19:48:06 140288 ----a-w- C:\Windows\System32\cryptnet.dll

2013-02-10 19:48:06 1159680 ----a-w- C:\Windows\SysWow64\crypt32.dll

2013-02-10 19:48:06 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll

2013-02-10 19:47:54 77312 ----a-w- C:\Windows\System32\packager.dll

2013-02-10 19:47:54 67072 ----a-w- C:\Windows\SysWow64\packager.dll

2013-02-10 19:35:35 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll

2013-02-10 19:35:35 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys

2013-02-10 19:35:35 1031680 ----a-w- C:\Windows\System32\rdpcore.dll

2013-02-10 19:32:00 -------- d-----w- C:\Windows\AutoKMS

2013-02-10 19:24:01 -------- d-----w- C:\Program Files\Microsoft Analysis Services

2013-02-10 19:24:01 -------- d-----w- C:\Program Files (x86)\Microsoft Analysis Services

2013-02-10 19:23:49 -------- d-----w- C:\Users\Felles\AppData\Local\Microsoft Help

2013-02-10 18:17:41 -------- d-----r- C:\Users\Felles\Dropbox

2013-02-10 18:11:27 -------- d-----w- C:\Users\Felles\AppData\Roaming\Dropbox

2013-02-10 17:10:59 -------- d-----r- C:\Program Files (x86)\Skype

2013-02-10 17:06:49 972264 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{05A42983-3869-4314-816A-0B96B944CCF1}\gapaengine.dll

2013-02-09 21:13:28 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client

2013-02-09 21:13:24 -------- d-----w- C:\Program Files\Microsoft Security Client

2013-02-09 20:48:23 -------- d-----w- C:\Users\Felles\AppData\Roaming\uTorrent

2013-02-09 19:20:02 2622464 ----a-w- C:\Windows\System32\wucltux.dll

2013-02-09 19:19:56 99840 ----a-w- C:\Windows\System32\wudriver.dll

2013-02-09 19:19:49 36864 ----a-w- C:\Windows\System32\wuapp.exe

2013-02-09 19:19:49 186752 ----a-w- C:\Windows\System32\wuwebv.dll

2013-02-09 19:18:29 -------- d-----w- C:\Users\Felles\AppData\Local\Macromedia

2013-02-09 19:17:27 861088 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll

2013-02-09 19:17:27 782240 ----a-w- C:\Windows\SysWow64\deployJava1.dll

2013-02-09 19:17:03 -------- d-sh--w- C:\Windows\Installer

2013-02-09 19:15:11 74096 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2013-02-09 19:15:11 697712 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2013-02-09 19:12:36 -------- d-----w- C:\Users\Felles\AppData\Local\Mozilla

2013-02-09 19:12:21 -------- d-----w- C:\Program Files (x86)\Mozilla Maintenance Service

2013-02-09 19:08:35 1002008 ----a-w- C:\Windows\SysWow64\igxpun.exe

2013-02-09 19:08:35 -------- d-----w- C:\Windows\SysWow64\x64

2013-02-09 19:08:35 -------- d-----w- C:\Windows\SysWow64\Lang

2013-02-09 19:02:56 53248 ----a-w- C:\Windows\SysWow64\CSVer.dll

2013-02-09 19:02:51 -------- d-----w- C:\Intel

2013-02-09 19:02:48 -------- d-----w- C:\dell

2013-02-09 18:35:13 -------- d-----w- C:\Windows\Panther

2013-02-09 18:34:59 -------- d-sh--w- C:\Boot

.

==================== Find3M ====================

.

2013-02-09 20:13:18 833024 ----a-w- C:\Windows\SysWow64\user32.dll

2013-02-09 20:13:18 1008640 ----a-w- C:\Windows\System32\user32.dll

2013-02-09 19:03:30 525792 ----a-w- C:\Windows\DIFxAPI.dll

2013-02-09 18:54:30 833024 ----a-w- C:\Windows\SysWow64\user32.dll.old

2013-02-09 18:54:30 1008640 ----a-w- C:\Windows\System32\user32.dll.old

2013-01-30 10:53:22 273840 ------w- C:\Windows\System32\MpSigStub.exe

2013-01-09 01:19:09 2312704 ----a-w- C:\Windows\System32\jscript9.dll

2013-01-09 01:12:03 1392128 ----a-w- C:\Windows\System32\wininet.dll

2013-01-09 01:11:06 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl

2013-01-09 01:07:51 173056 ----a-w- C:\Windows\System32\ieUnatt.exe

2013-01-09 01:07:47 599040 ----a-w- C:\Windows\System32\vbscript.dll

2013-01-09 01:04:42 2382848 ----a-w- C:\Windows\System32\mshtml.tlb

2013-01-08 22:11:21 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll

2013-01-08 22:03:20 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll

2013-01-08 22:03:12 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl

2013-01-08 21:59:02 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe

2013-01-08 21:58:29 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll

2013-01-08 21:56:23 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2013-01-04 04:43:21 44032 ----a-w- C:\Windows\apppatch\acwow64.dll

2012-12-07 13:20:16 441856 ----a-w- C:\Windows\System32\Wpc.dll

2012-12-07 13:15:31 2746368 ----a-w- C:\Windows\System32\gameux.dll

2012-12-07 12:26:17 308736 ----a-w- C:\Windows\SysWow64\Wpc.dll

2012-12-07 12:20:43 2576384 ----a-w- C:\Windows\SysWow64\gameux.dll

2012-12-07 11:20:04 30720 ----a-w- C:\Windows\System32\usk.rs

2012-12-07 11:20:03 43520 ----a-w- C:\Windows\System32\csrr.rs

2012-12-07 11:20:03 23552 ----a-w- C:\Windows\System32\oflc.rs

2012-12-07 11:20:01 45568 ----a-w- C:\Windows\System32\oflc-nz.rs

2012-12-07 11:20:01 44544 ----a-w- C:\Windows\System32\pegibbfc.rs

2012-12-07 11:20:01 20480 ----a-w- C:\Windows\System32\pegi-fi.rs

2012-12-07 11:20:00 20480 ----a-w- C:\Windows\System32\pegi-pt.rs

2012-12-07 11:19:59 20480 ----a-w- C:\Windows\System32\pegi.rs

2012-12-07 11:19:58 46592 ----a-w- C:\Windows\System32\fpb.rs

2012-12-07 11:19:57 40960 ----a-w- C:\Windows\System32\cob-au.rs

2012-12-07 11:19:57 21504 ----a-w- C:\Windows\System32\grb.rs

2012-12-07 11:19:57 15360 ----a-w- C:\Windows\System32\djctq.rs

2012-12-07 11:19:56 55296 ----a-w- C:\Windows\System32\cero.rs

2012-12-07 11:19:55 51712 ----a-w- C:\Windows\System32\esrb.rs

2012-11-30 05:45:35 362496 ----a-w- C:\Windows\System32\wow64win.dll

2012-11-30 05:45:35 243200 ----a-w- C:\Windows\System32\wow64.dll

2012-11-30 05:45:35 13312 ----a-w- C:\Windows\System32\wow64cpu.dll

2012-11-30 05:43:12 16384 ----a-w- C:\Windows\System32\ntvdm64.dll

2012-11-30 05:41:07 424448 ----a-w- C:\Windows\System32\KernelBase.dll

2012-11-30 04:53:59 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll

2012-11-30 03:23:48 338432 ----a-w- C:\Windows\System32\conhost.exe

2012-11-30 02:38:59 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll

2012-11-30 02:38:59 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll

2012-11-30 02:38:59 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll

2012-11-30 02:38:59 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll

.

============= FINISH: 18:49:15,46 ===============

attach.txt:

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows 7 Ultimate

Boot Device: \Device\HarddiskVolume3

Install Date: 09.02.2013 19:52:22

System Uptime: 24.02.2013 18:42:28 (0 hours ago)

.

Motherboard: Dell Inc. | | 0N826N

Processor: Intel® Core™2 Duo CPU E7400 @ 2.80GHz | Socket 775 | 2800/266mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 283 GiB total, 238,409 GiB free.

D: is FIXED (NTFS) - 15 GiB total, 8,448 GiB free.

E: is CDROM ()

F: is Removable

G: is Removable

H: is Removable

I: is Removable

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP46: 20.02.2013 17:26:08 - Installed Microsoft Office Home and Student 2010 Trial

RP48: 20.02.2013 17:59:07 - Installed Microsoft Office Professional Plus 2010 Trial

RP49: 21.02.2013 14:52:19 - Installed WinZip 17.0

RP50: 21.02.2013 14:57:11 - Installed Microsoft Office Professional Plus 2013

RP51: 21.02.2013 14:57:24 - PROPLUSR

RP52: 21.02.2013 15:09:28 - Configured Microsoft Office Professional Plus 2013

RP53: 21.02.2013 15:09:40 - PROPLUSR

RP54: 21.02.2013 15:24:33 - Removed Microsoft Office Professional Plus 2013

RP55: 21.02.2013 15:24:46 - PROPLUSR

RP56: 21.02.2013 15:29:09 - Installed Microsoft Office Professional Plus 2013

RP57: 21.02.2013 15:29:25 - PROPLUS

RP58: 22.02.2013 09:17:06 - Windows Update

.

==== Installed Programs ======================

.

Adobe Flash Player 11 Plugin

µTorrent

CCleaner

Definition update for Microsoft Office 2013 (KB2760587) 64-Bit Edition

Dropbox

Foxit Reader

HP Photosmart 5510 series basisprogramvare

Intel® Graphics Media Accelerator Driver

Java 7 Update 15

Java Auto Updater

Microsoft .NET Framework 4 Client Profile

Microsoft .NET Framework 4 Client Profile NOR Language Pack

Microsoft .NET Framework 4 Extended

Microsoft .NET Framework 4 Multi-Targeting Pack

Microsoft Access MUI (English) 2013

Microsoft Access Setup Metadata MUI (English) 2013

Microsoft Application Error Reporting

Microsoft DCF MUI (English) 2013

Microsoft Excel MUI (English) 2013

Microsoft Groove MUI (English) 2013

Microsoft Help Viewer 1.0

Microsoft InfoPath MUI (English) 2013

Microsoft Lync MUI (English) 2013

Microsoft Office-korrekturverktøy 2013 - bokmål

Microsoft Office 32-bit Components 2013

Microsoft Office OSM MUI (English) 2013

Microsoft Office OSM UX MUI (English) 2013

Microsoft Office Professional Plus 2013

Microsoft Office Proofing (English) 2013

Microsoft Office Proofing Tools 2013 - English

Microsoft Office Proofing Tools 2013 - Español

Microsoft Office Shared 32-bit MUI (English) 2013

Microsoft Office Shared MUI (English) 2013

Microsoft Office Shared Setup Metadata MUI (English) 2013

Microsoft OneNote MUI (English) 2013

Microsoft Outlook MUI (English) 2013

Microsoft PowerPoint MUI (English) 2013

Microsoft Publisher MUI (English) 2013

Microsoft Security Client

Microsoft Security Essentials

Microsoft Silverlight

Microsoft SQL Server 2008 R2 Management Objects

Microsoft SQL Server Compact 3.5 SP2 ENU

Microsoft SQL Server Compact 3.5 SP2 x64 ENU

Microsoft SQL Server System CLR Types

Microsoft Visual Basic 2010 Express - ENU

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Visual C++ 2010 x64 Runtime - 10.0.30319

Microsoft Visual Studio 2010 ADO.NET Entity Framework Tools

Microsoft Visual Studio 2010 Express Prerequisites x64 - ENU

Microsoft Word MUI (English) 2013

Mozilla Firefox 19.0 (x86 nb-NO)

Mozilla Maintenance Service

Outils de vérification linguistique 2013 de Microsoft Office - Français

Realtek High Definition Audio Driver

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)

Security Update for Microsoft .NET Framework 4 Extended (KB2487367)

Security Update for Microsoft .NET Framework 4 Extended (KB2656351)

Security Update for Microsoft .NET Framework 4 Extended (KB2736428)

Security Update for Microsoft .NET Framework 4 Extended (KB2742595)

Security Update for Microsoft Visual Basic 2010 Express - ENU (KB2251489)

Skype™ 6.1

Spotify

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft .NET Framework 4 Extended (KB2468871)

Update for Microsoft .NET Framework 4 Extended (KB2533523)

Update for Microsoft .NET Framework 4 Extended (KB2600217)

Update for Microsoft Access 2013 (KB2760350) 64-Bit Edition

Update for Microsoft Excel 2013 (KB2760339) 64-Bit Edition

Update for Microsoft Lync 2013 (KB2760512) 64-Bit Edition

Update for Microsoft Office 2013 (KB2726954) 64-Bit Edition

Update for Microsoft Office 2013 (KB2726961) 64-Bit Edition

Update for Microsoft Office 2013 (KB2726996) 64-Bit Edition

Update for Microsoft Office 2013 (KB2737954) 64-Bit Edition

Update for Microsoft Office 2013 (KB2752025) 64-Bit Edition

Update for Microsoft Office 2013 (KB2752101) 64-Bit Edition

Update for Microsoft Office 2013 (KB2760224) 64-Bit Edition

Update for Microsoft Office 2013 (KB2760311) 64-Bit Edition

Update for Microsoft Office 2013 (KB2760318) 64-Bit Edition

Update for Microsoft Office 2013 (KB2767845) 64-Bit Edition

Update for Microsoft Office 2013 (KB2767852) 64-Bit Edition

Update for Microsoft Office 2013 (KB2767861) 64-Bit Edition

Update for Microsoft Office 2013 (KB2767864) 64-Bit Edition

Update for Microsoft OneNote 2013 (KB2737968) 64-Bit Edition

Update for Microsoft PowerPoint 2013 (KB2726947) 64-Bit Edition

Update for Microsoft SkyDrive Pro (KB2760214) 64-Bit Edition

Update for Microsoft Visio Viewer 2013 (KB2767856) 64-Bit Edition

Update for Microsoft Word 2013 (KB2760244) 64-Bit Edition

Update for Microsoft Word 2013 (KB2767854) 64-Bit Edition

Visual Studio 2010 Tools for SQL Server Compact 3.5 SP2 ENU

WinZip 17.0

.

==== End Of File ===========================


Hello Commodent,

Your logs showed some peer-to-peer filesharing apps: uTorrent.

Please uninstall it as well as any other such peer-to-peer filesharing app and confirm doing so in your next reply.

I do not recommend the use of P-2-P programs since such filesharing/downloading from unknown sources is one of the leading causes of transmission of malware.

Risks of File-Sharing Technology.

P2P file sharing: Know the risks

Forum policy on peer-to-peer-programs:

If you're using Peer 2 Peer software such as uTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

http://forums.malwarebytes.org/index.php?showtopic=97700

Please download Rooter.exe and save to your desktop.

alternate download link

  • Double-click on Rooter.exe to start the tool. If using Vista or WIN7, right-click and Run as Administrator...
  • Click the Scan button to begin.
  • Once the scan is complete, Notepad will open with a report named Rooter_#.txt (where # is the number assigned to the report).
  • A folder will be created at the %systemdrive% (usually, C:\Rooter$) where the log will be saved.
  • Rooter will automatically close. If it doesn't, just press the Close button.
  • Copy and paste the contents of Rooter_#.txt in your next reply.

Important: Before performing a scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.

  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

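As an added example (not a tool from this thread or from the forum's helpers), here is a small Python triage script for the DDS log layout posted above: it parses the Running Processes and Pseudo HJT Report sections and flags peer-to-peer clients such as uTorrent, plus autorun entries that launch from a user profile directory, which is the kind of check the helper made by hand. The sample log excerpt and the list of P2P executables are constructed assumptions.

```python
"""Triage helper for DDS logs (constructed example, not a tool from this thread).

Reads the "Running Processes" and "Pseudo HJT Report" sections of a DDS log
and flags known peer-to-peer clients plus autorun entries whose target lives
under a user profile (a user-writable location).
"""
import re
from dataclasses import dataclass

# Assumption: a small illustrative list of P2P client executables.
P2P_EXECUTABLES = {"utorrent.exe", "bittorrent.exe", "emule.exe", "limewire.exe"}

# Constructed excerpt in the same layout as the dds.txt posted above.
SAMPLE_LOG = r"""
============== Running Processes ===============
.
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Users\Felles\AppData\Roaming\uTorrent\uTorrent.exe
C:\Users\Felles\AppData\Roaming\Dropbox\bin\Dropbox.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = userinit.exe
uRun: [uTorrent] "C:\Users\Felles\AppData\Roaming\uTorrent\uTorrent.exe" /MINIMIZED
uRun: [skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\Users\Felles\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Felles\AppData\Roaming\Dropbox\bin\Dropbox.exe
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
.
================= FIREFOX ===================
"""

RUN_RE = re.compile(r"^(?P<kind>uRun|mRun|x64-Run): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^(?P<kind>StartupFolder): (?P<lnk>.*?\.lnk) - (?P<target>.*)$")
USER_PROFILE_RE = re.compile(r"^[a-z]:\\users\\", re.IGNORECASE)


@dataclass(frozen=True)
class Autorun:
    kind: str    # uRun, mRun, x64-Run or StartupFolder
    name: str    # bracketed value name, or the .lnk file name
    target: str  # executable that gets launched


def split_sections(log: str) -> dict[str, list[str]]:
    """Map each '===== Title =====' header to its non-empty, non-'.' lines."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("=") and line.endswith("="):
            current = line.strip("= ")
            sections[current] = []
        elif current is not None and line and line != ".":
            sections[current].append(line)
    return sections


def exe_from_command(cmd: str) -> str:
    """Return the program path from a command line, quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Bare path: cut at the first ' -' or ' /' switch (as in svchost '-k' lines).
    return re.split(r"\s+[-/]", cmd, maxsplit=1)[0]


def parse_autoruns(lines: list[str]) -> list[Autorun]:
    found = []
    for line in lines:
        m = RUN_RE.match(line)
        if m:
            found.append(Autorun(m["kind"], m["name"], exe_from_command(m["cmd"])))
            continue
        m = STARTUP_RE.match(line)
        if m:
            lnk_name = m["lnk"].rsplit("\\", 1)[-1]
            found.append(Autorun(m["kind"], lnk_name, m["target"].strip()))
    return found


def is_user_profile_path(path: str) -> bool:
    return USER_PROFILE_RE.match(path) is not None


def is_p2p(path: str) -> bool:
    return path.rsplit("\\", 1)[-1].lower() in P2P_EXECUTABLES


def triage(log: str) -> dict[str, list[str]]:
    """Summarise the findings a helper would raise first from a DDS log."""
    sections = split_sections(log)
    procs = [exe_from_command(l) for l in sections.get("Running Processes", [])]
    autoruns = parse_autoruns(sections.get("Pseudo HJT Report", []))
    return {
        "p2p_processes": sorted({p for p in procs if is_p2p(p)}),
        "p2p_autoruns": [f"{a.kind} [{a.name}]" for a in autoruns if is_p2p(a.target)],
        "user_profile_autoruns": [
            f"{a.kind} [{a.name}] -> {a.target}"
            for a in autoruns if is_user_profile_path(a.target)
        ],
    }
```

Running `triage(SAMPLE_LOG)` reports uTorrent both as a running process and as a uRun autorun, and lists the uTorrent and Dropbox entries as autoruns launched from the user profile; a user-profile autorun is not malicious by itself, only a place to look first.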

I have uninstalled uTorrent

Rooter log:

Rooter.exe (v1.0.2) by Eric_71

.

SeDebugPrivilege granted successfully ...

.

Windows 7 . (6.1.7601) Service Pack 1

[32_bits] - Intel64 Family 6 Model 23 Stepping 10, GenuineIntel

.

[wscsvc] (Security Center) RUNNING (state:4)

[MpsSvc] RUNNING (state:4)

Windows Firewall -> Enabled

Windows Defender -> Enabled

User Account Control (UAC) -> Enabled

.

Internet Explorer 9.0.8112.16421

Mozilla Firefox 19.0 (nb-NO)

.

C:\ [Fixed-NTFS] .. ( Total:283 Go - Free:238 Go )

D:\ [Fixed-NTFS] .. ( Total:14 Go - Free:8 Go )

E:\ [CD_Rom]

F:\ [Removable]

G:\ [Removable]

H:\ [Removable]

I:\ [Removable]

.

Scan : 19:56.04

Path : C:\Users\Felles\Downloads\Rooter.exe

User : Felles ( Administrator -> YES )

.

----------------------\\ Processes

.

Locked [system Process] (0)

Locked System (4)

______ ???±?????? (276)

______ ???±?????? (408)

______ ???±?????? (476)

______ ???±?????? (496)

______ ???±?????? (536)

______ ???±?????? (568)

______ ???±?????? (596)

______ ???±?????? (604)

______ ???±?????? (704)

______ ???±?????? (776)

______ ???±?????? (832)

______ ???±?????? (960)

______ ???±?????? (1000)

______ ???±?????? (308)

______ ???±?????? (652)

______ ???±?????? (1108)

______ ???±?????? (1256)

______ ???±?????? (1352)

______ ???±?????? (1484)

______ ???±?????? (1536)

______ ???±?????? (1688)

______ ???±?????? (1016)

______ ???±?????? (2216)

______ ???±?????? (2456)

______ ???±?????? (2540)

______ ???±?????? (2564)

______ ???±?????? (2716)

______ ???±?????? (2724)

______ ???±?????? (2732)

______ ???±?????? (2740)

______ ???±?????? (2800)

______ C:\Users\Felles\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe (2176)

______ C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe (2304)

______ ???±?????? (2448)

______ ???±?????? (932)

______ ???±?????? (3260)

______ ???±?????? (2252)

______ ???±?????? (3036)

______ ???±?????? (1128)

______ ???±?????? (1276)

______ ???±?????? (3940)

______ C:\Users\Felles\Downloads\Rooter.exe (2868)

.

----------------------\\ Device\Harddisk0\

.

\Device\Harddisk0 [sectors : 63 x 512 Bytes]

.

\Device\Harddisk0\Partition1 (Start_Offset:32256 | Length:65769984)

\Device\Harddisk0\Partition2 (Start_Offset:66060288 | Length:16106127360)

\Device\Harddisk0\Partition3 --[ MBR ]-- (Start_Offset:16172187648 | Length:303899344896)

.

----------------------\\ Scheduled Tasks

.

C:\Windows\Tasks\SA.DAT

C:\Windows\Tasks\SCHEDLGU.TXT

.

----------------------\\ Registry

.

.

----------------------\\ Files & Folders

.

----------------------\\ Scan completed at 19:56.07

.

C:\Rooter$\Rooter_2.txt - (24/02/2013 | 19:56.07)


  • Download & SAVE to your Desktop >> Tigzy's RogueKiller from here << or >> from here <<
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
    For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on Scan button at upper right of screen.
  • Wait until the Status box shows "Scan Finished"
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Do NOT press any Fix button.
  • Exit/Close RogueKiller


Report:

RogueKiller V8.5.2 [Feb 23 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo...13-roguekiller/

Website : http://tigzy.geeksto...roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Felles [Admin rights]

Mode : Scan -- Date : 02/25/2013 18:34:00

| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤

[HJPOL] HKCU\[...]\System : DisableTaskmgr (0) -> FOUND

[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Extern Hives: ¤¤¤

-> D:\windows\system32\config\SOFTWARE

-> D:\windows\system32\config\SYSTEM

-> D:\Users\Default\NTUSER.DAT

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: SAMSUNG HD322HJ ATA Device +++++

--- User ---

[MBR] 20e6b3d3b35e806d2201545a115e661a

[bSP] 1dc4e275a0f3fe9188daf4672c07248a : Windows 7/8 MBR Code

Partition table:

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 62 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 129024 | Size: 15360 Mo

2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 31586304 | Size: 289821 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1]_S_02252013_02d1834.txt >>

RKreport[1]_S_02252013_02d1834.txt


  • Disable your anti-virus program, How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • Right-Click RogueKiller and select Run as Administrator.
  • Wait until Prescan finishes.
  • On the RogueKiller console, click the Registry tab.
    Put a check next to all of these and uncheck the rest: (if found)
    [HJPOL] HKCU\[...]\System : DisableTaskmgr (0) -> FOUND
    [HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND

  • Then click on Delete on the right hand column under Options.
  • When done, logoff & Restart the system.
  • The log will be found as RKreport
    Copy & Paste the contents into next reply.

Step 2

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall.

Please download Rkill by Grinler and save it to your desktop.

Link 2
Link 3
Link 4
Double-click on the Rkill desktop icon to run the tool.
If using Vista or Windows 7, right-click on it and Run As Administrator.
A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
If not, delete the file, then download and use the one provided in Link 2.
If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
If the tool does not run from any of the links provided, please let me know.
If your antivirus program gives a prompt message, respond positive to allow RKILL to run.
If a malware-rogue gives a message regarding RKILL, proceed forward to running RKILL.

IF you still have a problem running RKILL, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.

When all done, rkill.txt log file will be on your desktop. Copy & Paste contents of Rkill.txt into a reply.

More Information about Rkill can be found at this link: http://www.bleepingcomputer.com/forums/topic308364.html

Step 3

If MBAM is not installed now on this system, then Download and Save the setup http://download.bleepingcomputer.com/malwarebytes/mbam-setup-1.70.0.1100.exe

Then next, right-click on the setup EXE and select Run as Administrator

and for the purposes we need, decline the Trial offer

Once the initial setup is done, then, Save and close any work documents, close any apps that you started.

Temporarily turn off (disable) your antivirus program

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.

Then click the Scanner settings sub-tab in second row of tabs. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

If prompted for a Restart, do that.

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

When all done, Copy & paste the MBAM scan log into a new reply.

Tell me, how is the system?

Re-enable your antivirus program.
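Added example, not part of this thread and not RogueKiller's own code: a PowerShell check of the two [HJPOL] policy values RogueKiller reported, so that after the Delete step (and after any later cleanup) you can confirm Task Manager and the Registry Editor are not restricted by policy. It reads the standard Windows policy key in both the per-user (HKCU) and machine-wide (HKLM) locations; nothing is modified.

```powershell
# Added example (not from the thread or RogueKiller). Reports the state of the
# DisableTaskmgr and DisableRegistryTools policy values that RogueKiller listed
# as [HJPOL] entries. Read-only: it only inspects the registry.
function Get-ToolRestrictionPolicy {
    # Standard Windows policy key, checked per-user and machine-wide,
    # because a restriction can be set in either location.
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    )
    $names = @('DisableTaskmgr', 'DisableRegistryTools')

    foreach ($key in $keys) {
        # Missing key or value simply yields $null (no error).
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($name in $names) {
            $data = if ($null -ne $props) { $props.$name } else { $null }

            # Absent or 0 means the tool is allowed; RogueKiller flags a value
            # that is merely present (as in the report above, data 0).
            # Any non-zero data means the tool is blocked by policy.
            if ($null -eq $data) {
                $state = 'not set (tool allowed)'
            } elseif ([int]$data -eq 0) {
                $state = 'present with data 0 (tool allowed; RogueKiller lists it)'
            } else {
                $state = 'RESTRICTED by policy'
            }

            [pscustomobject]@{
                Key   = $key
                Name  = $name
                Data  = $data
                State = $state
            }
        }
    }
}

# Run the check and show one row per key/value pair.
Get-ToolRestrictionPolicy | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; any row reading RESTRICTED after cleanup is worth reporting back in the thread along with the RKreport log.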


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
