
Recurring Trojan.Agent.DL and WindowsLiveUpdate.exe



ComboFix 13-02-26.01 - Andrea 01/03/2013 4:33.3.8 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.61.1033.18.12279.9963 [GMT 11:00]

Running from: c:\users\Andrea\Desktop\ComboFix.exe

Command switches used :: c:\users\Andrea\Desktop\CFScript.txt

AV: AVG Anti-Virus Free Edition 2013 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}

SP: AVG Anti-Virus Free Edition 2013 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\Andrea\AppData\Local\Google\Chrome\Application\chrome.exe

c:\users\Andrea\AppData\Local\Temp\_MEI34202\_ctypes.pyd

c:\users\Andrea\AppData\Local\Temp\_MEI34202\_elementtree.pyd

c:\users\Andrea\AppData\Local\Temp\_MEI34202\_hashlib.pyd

c:\users\Andrea\AppData\Local\Temp\_MEI34202\_socket.pyd

c:\users\Andrea\AppData\Local\Temp\_MEI34202\_ssl.pyd

c:\users\Andrea\AppData\Local\Temp\_MEI34202\pyexpat.pyd

c:\users\Andrea\AppData\Local\Temp\_MEI34202\pysqlite2._sqlite.pyd

c:\users\Andrea\AppData\Local\Temp\_MEI34202\python26.dll

c:\users\Andrea\AppData\Local\Temp\_MEI34202\pythoncom26.dll

c:\users\Andrea\AppData\Local\Temp\_MEI34202\PyWinTypes26.dll

c:\users\Andrea\AppData\Local\Temp\_MEI34202\select.pyd

c:\users\Andrea\AppData\Local\Temp\_MEI34202\unicodedata.pyd

c:\users\Andrea\AppData\Local\Temp\_MEI34202\win32api.pyd

c:\users\Andrea\AppData\Local\Temp\_MEI34202\win32com.shell.shell.pyd

c:\users\Andrea\AppData\Local\Temp\_MEI34202\win32crypt.pyd

c:\users\Andrea\AppData\Local\Temp\_MEI34202\win32event.pyd

c:\users\Andrea\AppData\Local\Temp\_MEI34202\win32file.pyd

c:\users\Andrea\AppData\Local\Temp\_MEI34202\win32inet.pyd

c:\users\Andrea\AppData\Local\Temp\_MEI34202\win32pdh.pyd

c:\users\Andrea\AppData\Local\Temp\_MEI34202\win32process.pyd

c:\users\Andrea\AppData\Local\Temp\_MEI34202\win32profile.pyd

c:\users\Andrea\AppData\Local\Temp\_MEI34202\win32security.pyd

c:\users\Andrea\AppData\Local\Temp\_MEI34202\win32ts.pyd

c:\users\Andrea\AppData\Local\Temp\_MEI34202\windows._cacheinvalidation.pyd

c:\users\Andrea\AppData\Local\Temp\_MEI34202\wx._controls_.pyd

c:\users\Andrea\AppData\Local\Temp\_MEI34202\wx._core_.pyd

c:\users\Andrea\AppData\Local\Temp\_MEI34202\wx._gdi_.pyd

c:\users\Andrea\AppData\Local\Temp\_MEI34202\wx._html2.pyd

c:\users\Andrea\AppData\Local\Temp\_MEI34202\wx._misc_.pyd

c:\users\Andrea\AppData\Local\Temp\_MEI34202\wx._windows_.pyd

c:\users\Andrea\AppData\Local\Temp\_MEI34202\wx._wizard.pyd

c:\users\Andrea\AppData\Local\Temp\_MEI34202\wxbase293u_net_vc.dll

c:\users\Andrea\AppData\Local\Temp\_MEI34202\wxbase293u_vc.dll

c:\users\Andrea\AppData\Local\Temp\_MEI34202\wxmsw293u_adv_vc.dll

c:\users\Andrea\AppData\Local\Temp\_MEI34202\wxmsw293u_core_vc.dll

c:\users\Andrea\AppData\Local\Temp\_MEI34202\wxmsw293u_html_vc.dll

c:\users\Andrea\AppData\Local\Temp\_MEI34202\wxmsw293u_webview_vc.dll

.

.

((((((((((((((((((((((((( Files Created from 2013-01-28 to 2013-02-28 )))))))))))))))))))))))))))))))

.

.

2013-02-28 17:40 . 2013-02-28 17:40 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-02-28 17:23 . 2013-02-28 17:23 -------- d-----w- c:\program files (x86)\ERUNT

2013-02-27 19:35 . 2013-02-28 17:25 -------- d-----w- c:\windows\system32\catroot2

2013-02-27 19:28 . 2013-02-27 19:29 -------- d-----w- c:\windows\SysWow64\wbem\Performance

2013-02-27 17:38 . 2013-02-27 19:32 181064 ----a-w- c:\windows\PSEXESVC.EXE

2013-02-27 17:38 . 2013-02-27 17:38 -------- d-----w- c:\program files (x86)\Tweaking.com

2013-02-27 10:22 . 2013-02-27 10:22 -------- d-----w- c:\users\Andrea\AppData\Local\Diagnostics

2013-02-26 20:51 . 2013-02-26 20:51 -------- d-----w- c:\users\Andrea\AppData\Local\VirtualStore

2013-02-25 19:39 . 2013-02-25 19:39 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll

2013-02-23 13:44 . 2013-02-23 13:44 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69

2013-02-21 12:40 . 2013-02-21 12:40 -------- d-----w- c:\programdata\ALM

2013-02-21 12:30 . 2008-04-06 18:38 24416 ----a-r- c:\windows\system32\AdobePDFUI.dll

2013-02-21 12:04 . 2013-02-21 12:04 -------- d-----w- c:\program files\Common Files\Macrovision Shared

2013-02-21 11:57 . 2013-02-21 11:57 -------- d-----w- c:\program files (x86)\Common Files\Macrovision Shared

2013-02-17 11:14 . 2013-02-17 11:14 -------- d-----w- C:\_OTL

2013-02-15 22:31 . 2013-02-15 22:31 186432 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\nppdf32.dll

2013-02-14 16:03 . 2013-01-09 01:10 996352 ----a-w- c:\program files\Common Files\Microsoft Shared\VGX\VGX.dll

2013-02-14 16:03 . 2013-01-08 22:01 768000 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll

2013-02-14 16:00 . 2013-01-09 01:53 763424 ----a-w- c:\program files\Internet Explorer\iexplore.exe

2013-02-13 22:52 . 2013-01-05 05:53 5553512 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-02-13 22:52 . 2013-01-05 05:00 3967848 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe

2013-02-13 22:52 . 2013-01-05 05:00 3913064 ----a-w- c:\windows\SysWow64\ntoskrnl.exe

2013-02-13 22:52 . 2013-01-04 03:26 3153408 ----a-w- c:\windows\system32\win32k.sys

2013-02-13 22:52 . 2013-01-04 05:46 215040 ----a-w- c:\windows\system32\winsrv.dll

2013-02-13 22:52 . 2013-01-04 04:51 5120 ----a-w- c:\windows\SysWow64\wow32.dll

2013-02-13 22:52 . 2013-01-04 02:47 25600 ----a-w- c:\windows\SysWow64\setup16.exe

2013-02-13 22:52 . 2013-01-04 02:47 7680 ----a-w- c:\windows\SysWow64\instnm.exe

2013-02-13 22:52 . 2013-01-04 02:47 2048 ----a-w- c:\windows\SysWow64\user.exe

2013-02-13 22:52 . 2013-01-04 02:47 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll

2013-02-13 22:51 . 2013-01-03 06:00 1913192 ----a-w- c:\windows\system32\drivers\tcpip.sys

2013-02-13 22:51 . 2013-01-03 06:00 288088 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-02-25 19:39 . 2012-06-21 03:02 861088 ----a-w- c:\windows\SysWow64\npDeployJava1.dll

2013-02-25 19:39 . 2012-06-21 03:02 782240 ----a-w- c:\windows\SysWow64\deployJava1.dll

2013-02-15 05:34 . 2012-04-10 11:26 691568 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2013-02-15 05:34 . 2011-08-31 21:54 71024 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2013-02-14 16:07 . 2011-08-07 11:01 70004024 ----a-w- c:\windows\system32\MRT.exe

2013-01-04 04:43 . 2013-02-13 22:52 44032 ----a-w- c:\windows\apppatch\acwow64.dll

2012-12-17 23:06 . 2013-01-21 11:25 4659712 ----a-w- c:\windows\SysWow64\Redemption.dll

2012-12-17 23:06 . 2012-12-17 23:06 90112 ----a-w- c:\windows\MAMCityDownload.ocx

2012-12-17 23:06 . 2012-12-17 23:06 330240 ----a-w- c:\windows\MASetupCaller.dll

2012-12-17 23:06 . 2012-12-17 23:06 30568 ----a-w- c:\windows\MusiccityDownload.exe

2012-12-17 23:06 . 2012-12-17 23:06 974848 ----a-w- c:\windows\SysWow64\cis-2.4.dll

2012-12-17 23:06 . 2012-12-17 23:06 81920 ----a-w- c:\windows\SysWow64\issacapi_bs-2.3.dll

2012-12-17 23:06 . 2012-12-17 23:06 65536 ----a-w- c:\windows\SysWow64\issacapi_pe-2.3.dll

2012-12-17 23:06 . 2012-12-17 23:06 57344 ----a-w- c:\windows\SysWow64\MTXSYNCICON.dll

2012-12-17 23:06 . 2012-12-17 23:06 57344 ----a-w- c:\windows\SysWow64\MK_Lyric.dll

2012-12-17 23:06 . 2012-12-17 23:06 57344 ----a-w- c:\windows\SysWow64\issacapi_se-2.3.dll

2012-12-17 23:06 . 2012-12-17 23:06 569344 ----a-w- c:\windows\SysWow64\muzdecode.ax

2012-12-17 23:06 . 2012-12-17 23:06 491520 ----a-w- c:\windows\SysWow64\muzapp.dll

2012-12-17 23:06 . 2012-12-17 23:06 49152 ----a-w- c:\windows\SysWow64\MaJGUILib.dll

2012-12-17 23:06 . 2012-12-17 23:06 45320 ----a-w- c:\windows\SysWow64\MAMACExtract.dll

2012-12-17 23:06 . 2012-12-17 23:06 45056 ----a-w- c:\windows\SysWow64\MaXMLProto.dll

2012-12-17 23:06 . 2012-12-17 23:06 45056 ----a-w- c:\windows\SysWow64\MACXMLProto.dll

2012-12-17 23:06 . 2012-12-17 23:06 40960 ----a-w- c:\windows\SysWow64\MTTELECHIP.dll

2012-12-17 23:06 . 2012-12-17 23:06 352256 ----a-w- c:\windows\SysWow64\MSLUR71.dll

2012-12-17 23:06 . 2012-12-17 23:06 258048 ----a-w- c:\windows\SysWow64\muzoggsp.ax

2012-12-17 23:06 . 2012-12-17 23:06 245760 ----a-w- c:\windows\SysWow64\MSCLib.dll

2012-12-17 23:06 . 2012-12-17 23:06 24576 ----a-w- c:\windows\SysWow64\MASetupCleaner.exe

2012-12-17 23:06 . 2012-12-17 23:06 200704 ----a-w- c:\windows\SysWow64\muzwmts.dll

2012-12-17 23:06 . 2012-12-17 23:06 155648 ----a-w- c:\windows\SysWow64\MSFLib.dll

2012-12-17 23:06 . 2012-12-17 23:06 143360 ----a-w- c:\windows\SysWow64\3DAudio.ax

2012-12-17 23:06 . 2012-12-17 23:06 135168 ----a-w- c:\windows\SysWow64\muzaf1.dll

2012-12-17 23:06 . 2012-12-17 23:06 131072 ----a-w- c:\windows\SysWow64\muzmpgsp.ax

2012-12-17 23:06 . 2012-12-17 23:06 122880 ----a-w- c:\windows\SysWow64\muzeffect.ax

2012-12-17 23:06 . 2012-12-17 23:06 118784 ----a-w- c:\windows\SysWow64\MaDRM.dll

2012-12-17 23:06 . 2012-12-17 23:06 110592 ----a-w- c:\windows\SysWow64\muzmp4sp.ax

2012-12-17 23:06 . 2013-01-21 11:25 821824 ----a-w- c:\windows\SysWow64\dgderapi.dll

2012-12-16 17:11 . 2012-12-21 16:00 46080 ----a-w- c:\windows\system32\atmlib.dll

2012-12-16 14:45 . 2012-12-21 16:00 367616 ----a-w- c:\windows\system32\atmfd.dll

2012-12-16 14:13 . 2012-12-21 16:00 295424 ----a-w- c:\windows\SysWow64\atmfd.dll

2012-12-16 14:13 . 2012-12-21 16:00 34304 ----a-w- c:\windows\SysWow64\atmlib.dll

2012-12-14 05:49 . 2011-08-19 11:08 24176 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-12-13 02:50 . 2012-12-13 02:50 6112864 ----a-w- c:\windows\system32\usbaaplrc.dll

2012-12-13 02:50 . 2012-12-13 02:50 54784 ----a-w- c:\windows\system32\drivers\usbaapl64.sys

2012-12-07 13:20 . 2013-01-09 04:34 441856 ----a-w- c:\windows\system32\Wpc.dll

2012-12-07 13:15 . 2013-01-09 04:34 2746368 ----a-w- c:\windows\system32\gameux.dll

2012-12-07 12:26 . 2013-01-09 04:34 308736 ----a-w- c:\windows\SysWow64\Wpc.dll

2012-12-07 12:20 . 2013-01-09 04:34 2576384 ----a-w- c:\windows\SysWow64\gameux.dll

2012-12-07 11:20 . 2013-01-09 04:34 30720 ----a-w- c:\windows\system32\usk.rs

2012-12-07 11:20 . 2013-01-09 04:34 43520 ----a-w- c:\windows\system32\csrr.rs

2012-12-07 11:20 . 2013-01-09 04:34 23552 ----a-w- c:\windows\system32\oflc.rs

2012-12-07 11:20 . 2013-01-09 04:34 45568 ----a-w- c:\windows\system32\oflc-nz.rs

2012-12-07 11:20 . 2013-01-09 04:34 44544 ----a-w- c:\windows\system32\pegibbfc.rs

2012-12-07 11:20 . 2013-01-09 04:34 20480 ----a-w- c:\windows\system32\pegi-fi.rs

2012-12-07 11:20 . 2013-01-09 04:34 20480 ----a-w- c:\windows\system32\pegi-pt.rs

2012-12-07 11:19 . 2013-01-09 04:34 20480 ----a-w- c:\windows\system32\pegi.rs

2012-12-07 11:19 . 2013-01-09 04:34 46592 ----a-w- c:\windows\system32\fpb.rs

2012-12-07 11:19 . 2013-01-09 04:34 40960 ----a-w- c:\windows\system32\cob-au.rs

2012-12-07 11:19 . 2013-01-09 04:34 21504 ----a-w- c:\windows\system32\grb.rs

2012-12-07 11:19 . 2013-01-09 04:34 15360 ----a-w- c:\windows\system32\djctq.rs

2012-12-07 11:19 . 2013-01-09 04:34 55296 ----a-w- c:\windows\system32\cero.rs

2012-12-07 11:19 . 2013-01-09 04:34 51712 ----a-w- c:\windows\system32\esrb.rs

2012-12-07 10:46 . 2013-01-09 04:34 43520 ----a-w- c:\windows\SysWow64\csrr.rs

2012-12-07 10:46 . 2013-01-09 04:34 30720 ----a-w- c:\windows\SysWow64\usk.rs

2012-12-07 10:46 . 2013-01-09 04:34 45568 ----a-w- c:\windows\SysWow64\oflc-nz.rs

2012-12-07 10:46 . 2013-01-09 04:34 44544 ----a-w- c:\windows\SysWow64\pegibbfc.rs

2012-12-07 10:46 . 2013-01-09 04:34 23552 ----a-w- c:\windows\SysWow64\oflc.rs

2012-12-07 10:46 . 2013-01-09 04:34 20480 ----a-w- c:\windows\SysWow64\pegi-pt.rs

2012-12-07 10:46 . 2013-01-09 04:34 20480 ----a-w- c:\windows\SysWow64\pegi-fi.rs

2012-12-07 10:46 . 2013-01-09 04:34 46592 ----a-w- c:\windows\SysWow64\fpb.rs

2012-12-07 10:46 . 2013-01-09 04:34 20480 ----a-w- c:\windows\SysWow64\pegi.rs

2012-12-07 10:46 . 2013-01-09 04:34 21504 ----a-w- c:\windows\SysWow64\grb.rs

2012-12-07 10:46 . 2013-01-09 04:34 40960 ----a-w- c:\windows\SysWow64\cob-au.rs

2012-12-07 10:46 . 2013-01-09 04:34 15360 ----a-w- c:\windows\SysWow64\djctq.rs

2012-12-07 10:46 . 2013-01-09 04:34 55296 ----a-w- c:\windows\SysWow64\cero.rs

2012-12-07 10:46 . 2013-01-09 04:34 51712 ----a-w- c:\windows\SysWow64\esrb.rs

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{2adefb8e-b923-35e6-86e2-2b7841f5d2a2}]

2010-11-21 03:24 297808 ----a-w- c:\windows\System32\mscoree.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Grid"="c:\program files (x86)\ATI Technologies\HydraVision\HydraGrd.exe" [2011-01-26 401408]

"FMCore.exe"="c:\program files (x86)\Extensis\Suitcase Fusion 3\FMCore.exe" [2011-07-10 8125440]

"ANT Agent"="c:\program files (x86)\Garmin\ANT Agent\ANT Agent.exe" [2012-03-23 14749544]

"KiesPreload"="c:\program files (x86)\Samsung\Kies\Kies.exe" [2012-12-20 1476104]

"GoogleDriveSync"="c:\program files (x86)\Google\Drive\googledrivesync.exe" [2012-12-17 16328976]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"NokiaMServer"="c:\program files (x86)\Common Files\Nokia\MPlatform\NokiaMServer" [X]

"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-01-26 336384]

"SSBkgdUpdate"="c:\program files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]

"OpwareSE4"="c:\program files (x86)\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]

"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-11-16 113288]

"NeroFilterCheck"="c:\windows\SysWOW64\NeroCheck.exe" [2001-07-09 155648]

"GBMPro8Agent"="c:\program files (x86)\Genie-Soft\GBMPro8\GBMAgent.exe" [2007-12-02 230016]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]

"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2011-05-09 49208]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]

"AVG_UI"="c:\program files (x86)\AVG\AVG2013\avgui.exe" [2012-12-10 3147384]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-24 421888]

"KiesTrayAgent"="c:\program files (x86)\Samsung\Kies\KiesTrayAgent.exe" [2012-12-20 310280]

"AdobeCS4ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-13 611712]

"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-11 37232]

"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-02-20 152392]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-02 252848]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2011-9-8 1207312]

QuickBooks Update Agent.lnk - c:\program files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2012-3-21 724992]

UltraMon.lnk - c:\windows\Installer\{537056B7-32A4-4408-9B54-0341963C7C9C}\IcoUltraMon.ico [2011-8-14 29310]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"aux1"=wdmaud.drv

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys [2012-09-20 102368]

R3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [x]

R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2013-02-21 1038088]

R3 libusb0;libusb-win32 - Kernel Driver 04/08/2011 1.2.4.0;c:\windows\system32\DRIVERS\libusb0.sys [2011-05-13 44480]

R3 MSICDSetup;MSICDSetup;E:\CDriver64.sys [x]

R3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys [2012-09-20 203104]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-08-05 1255736]

R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [2008-05-06 14464]

S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys [2012-10-14 63328]

S0 Avgloga;AVG Logging Driver;c:\windows\system32\DRIVERS\avgloga.sys [2012-09-20 225120]

S0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [2012-11-15 111968]

S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [2012-09-13 40800]

S0 mv91xx;mv91xx;c:\windows\system32\DRIVERS\mv91xx.sys [2010-07-01 293416]

S1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys [2012-10-22 154464]

S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [2012-10-01 185696]

S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [2012-09-20 200032]

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-04-19 203776]

S2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2013\avgidsagent.exe [2012-11-15 5814904]

S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2013\avgwdsvc.exe [2012-10-22 196664]

S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2011-07-06 375176]

S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files (x86)\LogMeIn\x64\RaInfo.sys [2011-01-11 15928]

S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-14 398184]

S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-14 682344]

S2 UltraMonUtility;UltraMon Utility Driver;c:\program files (x86)\Common Files\Realtime Soft\UltraMonMirrorDrv\x64\UltraMonUtility.sys [2008-11-13 20512]

S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2010-11-17 115216]

S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\DRIVERS\LEqdUsb.Sys [2009-06-17 74256]

S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\DRIVERS\LHidEqd.Sys [2009-06-17 13328]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-12-14 24176]

S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2011-02-10 82432]

S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2011-02-10 181760]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-06-23 344680]

S3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-12-13 54784]

.

.

Contents of the 'Scheduled Tasks' folder

.

2013-02-27 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-10 05:34]

.

2013-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-01-24 11:26]

.

2013-02-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-01-24 11:26]

.

2013-02-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4219751069-628700628-3337679430-1002Core.job

- c:\users\Andrea\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-18 00:50]

.

2013-02-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4219751069-628700628-3337679430-1002UA.job

- c:\users\Andrea\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-18 00:50]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]

2012-12-17 08:50 755816 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]

2012-12-17 08:50 755816 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]

2012-12-17 08:50 755816 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]

2012-12-17 08:50 755816 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WrtMon.exe"="c:\windows\system32\spool\drivers\x64\3\WrtMon.exe" [2006-09-19 20480]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-07-28 11101800]

"PrnStatusMX"="c:\program files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe" [2007-08-29 1238528]

"LogMeIn GUI"="c:\program files (x86)\LogMeIn\x64\LogMeInSystray.exe" [2011-01-11 57928]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 130576]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]

"{1984D045-52CF-49cd-DB77-08F378FEA4DB}"= "c:\program files (x86)\Stardock\ObjectDockPlus2\ODMenu64.dll" [2010-03-24 633200]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = https://www.google.com.au/

mLocal Page = c:\windows\SysWOW64\blank.htm

uSearchAssistant = hxxp://feed.snap.do/?publisher=SnapdoIMonetizer&dpid=SnapdoIMonetizer&co=AU&userid=9246367d-bfe6-44ca-abc5-1966ba841cf1&searchtype=ds&q={searchTerms}

IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105

TCP: DhcpNameServer = 211.31.138.11 211.29.132.12 198.142.0.51

DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB

FF - ProfilePath - c:\users\Andrea\AppData\Roaming\Mozilla\Firefox\Profiles\sl89vjk1.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/

FF - prefs.js: keyword.URL - hxxp://feed.snap.do/?publisher=SnapdoIMonetizer&dpid=SnapdoIMonetizer&co=AU&userid=9246367d-bfe6-44ca-abc5-1966ba841cf1&searchtype=ds&q=

FF - ExtSQL: !HIDDEN! 2012-11-14 10:54; hotfix@mozilla.org; c:\users\Andrea\AppData\Roaming\Mozilla\Firefox\Extensions\MozillaHotfix

FF - user.js: extensions.autoDisableScopes - 10

.

- - - - ORPHANS REMOVED - - - -

.

Wow6432Node-HKCU-Run-GoogleChromeAutoLaunch_233139F6EC4DEC81E5C5F2F1CB87FB15 - c:\users\Andrea\AppData\Local\Google\Chrome\Application\chrome.exe

Wow6432Node-HKLM-Run-<NO NAME> - (no file)

AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe

AddRemove-Intel® Integrated Performance Primitives 1.1 - c:\windows\system32\UninstIPP.isu

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_149_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_149_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

.

**************************************************************************

.

Completion time: 2013-03-01 04:46:30 - machine was rebooted

ComboFix-quarantined-files.txt 2013-02-28 17:46

ComboFix2.txt 2013-02-19 09:07

.

Pre-Run: 354,552,557,568 bytes free

Post-Run: 354,716,262,400 bytes free

.

- - End Of File - - BFDB58EF6D72A0B00E8D2A0AFF261F0B


I reinstalled Chrome, took those steps you suggested.

*****Now, upon restart, AVG detected and removed the WindowsLiveUpdate.exe virus again from the same original location.

AVG log:

Identity Protection detection

Detection name;"Result";"Detection time";"Object Type";"Process"

Unknown, C:\Users\Andrea\Desktop\RogueKiller.exe;"Moved to Virus Vault";"27/02/2013, 6:46:51 AM";"File or Directory";""

Unknown, C:\ComboFix\REGT.3XE;"Moved to Virus Vault";"27/02/2013, 7:46:38 PM";"File or Directory";""

IDP.Trojan.83802FBC, C:\USERS\ANDREA\APPDATA\ROAMING\MCOMMON\WINDOWSLIVEUPDATE.EXE;"Moved to Virus Vault";"1/03/2013, 5:58:22 AM";"File or Directory";""

I have disconnected the internet on that computer and have gone back to son's laptop to post this.

Does this mean everything we've tried thus far has been a waste of time? Would I be better off doing a clean reinstall? As time-consuming as it is, I feel like I am never going to be completely rid of this infection and I cannot be without the use of this computer for long as I use it to work from home.

Starting to feel desperate! :(


It is all up to you if you would want to wipe the system and start fresh with a new clean install of Windows 7.

That is the only way for you to feel confident that the system is "safer" to use.

This time though, I would "urge" you to NOT use AVG !! IMHO, it is not one that I recommend.

I would suggest you get & use Microsoft Security Essentials.

IF you do -plan- on a new / clean install ----

I would suggest you see this page How to Do a Clean Installation with Windows 7.

I suggest you delete all existing partitions on the HDD as part of the new Windows 7 install.

Let me know what you have decided.


Thank you Maurice, I really appreciate the help you have given me, but it seems that this infection is just sending us round in circles.

Why do you suggest deleting all partitions?

BTW this is a desktop PC with 2 HDDs, one I use for OS & applications (C), one for data (D). Is the trojan likely to be only on the C drive?

I used MSE a couple of years ago when it was recommended by a friend in IT; however, I went back to AVG when I found it was letting some things slip through. The IT friend then told me he'd done the same thing. I notice that Avast is often recommended on this forum, but I can't seem to find consistent reviews that confirm better performance than AVG. I used to have a paid version of CA antivirus, but it let more slip through than AVG, so again I went back to AVG.


One deletes the partition that has Windows as part of the clean install. That is highly recommended by me to ensure a really "clean" slate.

Now then, had you had a full system image backup of your system, then that would be the ideal way to do this "do over" install.

My take, having helped many many folks .... Avast! is a bit more "controlling" and some people have a tough time turning it OFF when the need arises during a malware cleanup situation.

AVG has had a not so good reputation for some time now. Its best days are long gone.

If you do not care for MSE, you should look at getting AVIRA free antivirus ---- if cost is an issue.

If cost is not an issue, you should look at ESET or Kaspersky.

In addition, I would urge you to have the PRO license for MBAM, as that gives you a much better edge in preventing malware from getting very far.
