Slow internet

alextong · June 3, 2013

Hi my comp has slow internet and whenever I restart my comp it seems fine, but it keeps happening constantly so I believe I have some sort of malware causing this.

dds.txt

attach.txt

Psychotic · June 4, 2013

Hi there,

my name is Marius and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully.

First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while you are follow my instructions, Stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

I see you ran Combofix - this tool should only be run when adviced by a trained malware remover.

Please post up the content of C:\combofix.txt.

alextong · June 4, 2013

ComboFix 13-05-21.01 - Alex 04/06/2013 1:37.2.4 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.2.1033.18.4094.1612 [GMT -5:00]

Running from: c:\users\Alex\Desktop\ComboFix.exe

AV: Bitdefender Antivirus *Enabled/Updated* {9B5F5313-CAF9-DD97-C460-E778420237B4}

FW: Bitdefender Firewall *Enabled* {A364D236-8096-DCCF-EF3F-4E4DBCD170CF}

SP: Bitdefender Antispyware *Enabled/Updated* {203EB2F7-ECC3-D219-FED0-DC0A39857D09}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

Infected copy of c:\windows\system32\Services.exe was found and disinfected

Restored copy from - c:\windows\erdnt\cache64\services.exe

.

((((((((((((((((((((((((( Files Created from 2013-05-04 to 2013-06-04 )))))))))))))))))))))))))))))))

.

2013-06-04 06:45 . 2013-06-04 06:45 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp

2013-06-04 06:45 . 2013-06-04 06:45 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-05-31 08:15 . 2013-05-13 06:37 9460464 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{DB08786F-0359-43F0-980C-19BA8B1D9285}\mpengine.dll

2013-05-30 18:08 . 2013-05-30 18:08 382536 ----a-w- c:\windows\system32\drivers\trufos.sys

2013-05-22 15:07 . 2013-05-22 15:07 -------- d-----w- c:\users\Alex\AppData\Roaming\SUPERAntiSpyware.com

2013-05-22 15:07 . 2013-05-22 15:07 -------- d-----w- c:\program files\SUPERAntiSpyware

2013-05-22 15:07 . 2013-05-22 15:07 -------- d-----w- c:\programdata\SUPERAntiSpyware.com

2013-05-22 05:39 . 2013-05-22 05:39 -------- d-----w- c:\program files\HitmanPro

2013-05-21 05:15 . 2013-05-21 05:20 -------- d-----w- c:\programdata\HitmanPro

2013-05-15 07:05 . 2013-05-05 21:36 17818624 ----a-w- c:\windows\system32\mshtml.dll

2013-05-15 07:05 . 2013-05-05 21:16 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2013-05-15 07:05 . 2013-05-05 19:12 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb

2013-05-15 07:03 . 2013-04-05 01:19 10926080 ----a-w- c:\windows\system32\ieframe.dll

2013-05-15 07:02 . 2013-04-10 06:01 265064 ----a-w- c:\windows\system32\drivers\dxgmms1.sys

2013-05-15 07:02 . 2013-04-10 06:01 983400 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys

2013-05-15 07:02 . 2011-02-03 11:25 144384 ----a-w- c:\windows\system32\cdd.dll

2013-05-15 07:02 . 2013-02-27 05:52 14172672 ----a-w- c:\windows\system32\shell32.dll

2013-05-15 07:02 . 2013-02-27 05:52 197120 ----a-w- c:\windows\system32\shdocvw.dll

2013-05-15 07:02 . 2013-02-27 05:48 1930752 ----a-w- c:\windows\system32\authui.dll

2013-05-15 07:02 . 2013-02-27 06:02 111448 ----a-w- c:\windows\system32\consent.exe

2013-05-15 07:02 . 2013-02-27 05:47 70144 ----a-w- c:\windows\system32\appinfo.dll

2013-05-15 07:02 . 2013-02-27 04:49 1796096 ----a-w- c:\windows\SysWow64\authui.dll

2013-05-15 07:01 . 2013-03-19 05:53 48640 ----a-w- c:\windows\system32\wwanprotdim.dll

2013-05-15 07:01 . 2013-03-19 05:53 230400 ----a-w- c:\windows\system32\wwansvc.dll

2013-05-15 07:01 . 2013-04-10 03:30 3153920 ----a-w- c:\windows\system32\win32k.sys

2013-05-13 03:33 . 2013-05-13 23:33 -------- d-----w- c:\program files (x86)\EasyLife

2013-05-10 07:57 . 2013-05-10 07:57 187456 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\nppdf32.dll

2013-05-05 08:13 . 2013-05-05 08:13 -------- d-----w- c:\program files (x86)\Common Files\Skype

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-05-15 22:36 . 2010-06-24 19:33 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll

2013-05-15 07:08 . 2011-02-11 23:32 75016696 ----a-w- c:\windows\system32\MRT.exe

2013-05-15 01:16 . 2012-04-08 00:50 692104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2013-05-15 01:16 . 2011-05-21 22:13 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2013-05-15 01:16 . 2013-02-09 18:16 17613192 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe

2013-05-02 07:06 . 2011-02-11 22:53 278800 ------w- c:\windows\system32\MpSigStub.exe

2013-04-26 18:49 . 2013-04-26 18:49 718840 ----a-w- c:\windows\system32\drivers\avc3.sys

2013-04-26 18:49 . 2013-01-29 20:57 593144 ----a-w- c:\windows\system32\drivers\avckf.sys

2013-04-13 05:49 . 2013-05-15 07:02 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll

2013-04-13 05:49 . 2013-05-15 07:02 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll

2013-04-13 05:49 . 2013-05-15 07:02 308736 ----a-w- c:\windows\apppatch\AppPatch64\AcGenral.dll

2013-04-13 05:49 . 2013-05-15 07:02 111104 ----a-w- c:\windows\apppatch\AppPatch64\acspecfc.dll

2013-04-13 04:45 . 2013-05-15 07:02 474624 ----a-w- c:\windows\apppatch\AcSpecfc.dll

2013-04-13 04:45 . 2013-05-15 07:02 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll

2013-04-12 14:45 . 2013-04-24 02:53 1656680 ----a-w- c:\windows\system32\drivers\ntfs.sys

2013-04-04 19:50 . 2011-02-16 21:35 25928 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-04-04 10:35 . 2013-04-18 05:55 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll

2013-03-28 19:40 . 2013-03-28 19:40 147232 ----a-w- c:\windows\system32\drivers\gzflt.sys

2013-03-23 01:09 . 2013-03-23 01:09 354656 ----a-w- c:\windows\SysWow64\DivXControlPanelApplet.cpl

2013-03-19 06:04 . 2013-04-10 10:16 5550424 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-03-19 05:46 . 2013-04-10 10:16 43520 ----a-w- c:\windows\system32\csrsrv.dll

2013-03-19 05:04 . 2013-04-10 10:16 3968856 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe

2013-03-19 05:04 . 2013-04-10 10:16 3913560 ----a-w- c:\windows\SysWow64\ntoskrnl.exe

2013-03-19 04:47 . 2013-04-10 10:16 6656 ----a-w- c:\windows\SysWow64\apisetschema.dll

2013-03-19 03:06 . 2013-04-10 10:16 112640 ----a-w- c:\windows\system32\smss.exe

2013-03-15 05:53 . 2013-03-27 06:40 968408 ----a-w- c:\windows\SysWow64\nvumdshim.dll

2013-03-15 05:53 . 2013-03-27 06:40 7573816 ----a-w- c:\windows\system32\nvopencl.dll

2013-03-15 05:53 . 2013-03-27 06:40 6271872 ----a-w- c:\windows\SysWow64\nvopencl.dll

2013-03-15 05:53 . 2013-03-27 06:40 15508512 ----a-w- c:\windows\system32\nvwgf2umx.dll

2013-03-15 05:53 . 2013-03-27 06:40 13088000 ----a-w- c:\windows\SysWow64\nvwgf2um.dll

2013-03-15 05:53 . 2013-03-27 06:40 26956576 ----a-w- c:\windows\system32\nvoglv64.dll

2013-03-15 05:53 . 2013-03-27 06:40 250504 ----a-w- c:\windows\system32\nvinitx.dll

2013-03-15 05:53 . 2013-03-27 06:40 20542752 ----a-w- c:\windows\SysWow64\nvoglv32.dll

2013-03-15 05:53 . 2013-03-27 06:40 205184 ----a-w- c:\windows\SysWow64\nvinit.dll

2013-03-15 05:53 . 2013-03-27 06:40 1807136 ----a-w- c:\windows\system32\nvdispco6431422.dll

2013-03-15 05:53 . 2013-03-27 06:40 1510176 ----a-w- c:\windows\system32\nvdispgenco6431422.dll

2013-03-15 05:53 . 2013-03-27 06:40 11048736 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys

2013-03-15 05:53 . 2013-03-27 06:40 9414456 ----a-w- c:\windows\system32\nvcuda.dll

2013-03-15 05:53 . 2013-03-27 06:40 7959000 ----a-w- c:\windows\SysWow64\nvcuda.dll

2013-03-15 05:53 . 2013-03-27 06:40 2913056 ----a-w- c:\windows\system32\nvcuvid.dll

2013-03-15 05:53 . 2013-03-27 06:40 2728736 ----a-w- c:\windows\SysWow64\nvcuvid.dll

2013-03-15 05:53 . 2013-03-27 06:40 2355488 ----a-w- c:\windows\system32\nvcuvenc.dll

2013-03-15 05:53 . 2013-03-27 06:40 1995552 ----a-w- c:\windows\SysWow64\nvcuvenc.dll

2013-03-15 05:53 . 2013-03-27 06:40 17990800 ----a-w- c:\windows\system32\nvd3dumx.dll

2013-03-15 05:53 . 2013-03-27 06:40 2539128 ----a-w- c:\windows\SysWow64\nvapi.dll

2013-03-15 05:53 . 2013-03-27 06:40 25256736 ----a-w- c:\windows\system32\nvcompiler.dll

2013-03-15 05:53 . 2013-03-27 06:40 17560352 ----a-w- c:\windows\SysWow64\nvcompiler.dll

2013-03-15 05:53 . 2012-10-01 21:00 1118776 ----a-w- c:\windows\system32\nvumdshimx.dll

2013-03-15 05:53 . 2012-10-01 21:00 2864144 ----a-w- c:\windows\system32\nvapi64.dll

2013-03-15 05:53 . 2012-10-01 21:00 15042928 ----a-w- c:\windows\SysWow64\nvd3dum.dll

2013-03-15 04:16 . 2012-10-01 21:01 3477280 ----a-w- c:\windows\system32\nvsvc64.dll

2013-03-15 04:16 . 2012-10-01 21:01 6398240 ----a-w- c:\windows\system32\nvcpl.dll

2013-03-15 04:16 . 2012-10-01 21:01 877856 ----a-w- c:\windows\system32\nvvsvc.exe

2013-03-15 04:16 . 2012-10-01 21:01 63776 ----a-w- c:\windows\system32\nvshext.dll

2013-03-15 04:16 . 2012-10-01 21:01 237856 ----a-w- c:\windows\system32\nvmctray.dll

2013-03-15 03:07 . 2013-03-15 03:07 559904 ----a-w- c:\windows\SysWow64\nvStreaming.exe

2013-03-13 16:24 . 2012-10-01 21:01 3065455 ----a-w- c:\windows\system32\nvcoproc.bin

2013-03-08 07:13 . 2012-07-04 05:23 861088 ----a-w- c:\windows\SysWow64\npdeployJava1.dll

2013-03-08 07:13 . 2011-04-09 05:02 782240 ----a-w- c:\windows\SysWow64\deployJava1.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"AlcoholAutomount"="c:\program files (x86)\Alcohol Soft\Alcohol 120\axcmd.exe" [2009-09-18 205976]

"Pando Media Booster"="c:\program files (x86)\Pando Networks\Media Booster\PMB.exe" [2013-01-23 3093624]

"GoogleChromeAutoLaunch_AD2529C7DB5B63D28C23362385276129"="c:\program files (x86)\Google\Chrome\Application\chrome.exe" [2013-05-23 825808]

"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2013-02-28 18642024]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2013-05-15 5622512]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"HDAudDeck"="c:\program files (x86)\VIA\VIAudioi\VDeck\VDeck.exe" [2010-06-25 2441840]

"CLMLServer"="c:\program files (x86)\CyberLink\Power2Go\CLMLSvc.exe" [2009-12-15 103720]

"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]

"amd_dc_opt"="c:\program files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]

"DivXMediaServer"="c:\program files (x86)\DivX\DivX Media Server\DivXMediaServer.exe" [2013-04-15 450560]

"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2013-02-13 1263952]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]

"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBJAC0AQQAwAEUAMgBQAC0AQgBZADIANwBRAC0AOQAyAEEAVABBAC0AMAA0AFEASwAyAC0ASgBKAEgAMABQAA&inst=NwA2AC0AMQAyADMAMAA2ADkANwAxADAAMAAtAFgATwAzADYAKwAxAC0AUABMACsAOQAtAE4AMQBEACsAMQAtAEMASQBQACsAMgAtAEQARABUACsAMQA5ADMAOQAzAC0ARABEADkAMAArADEALQBTAFQAOQAwAEEAUABQACsAMQAtAEYAVQBJACsAMgAtAEMASQBBADkAMAArADIALQBDAEkARAArADEALQBJAEkAUwBCACsANgA∏=94&ver=9.0.894" [?]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]

"LoadAppInit_DLLs"=1 (0x1)

"AppInit_DLLs"=1 (0x1)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"midi9"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]

@=""

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe"

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" -atboottime

"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe"

"LGODDFU"="c:\program files (x86)\lg_fwupdate\fwupdate.exe" blrun

"UCam_Menu"="c:\program files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "c:\program files (x86)\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"

"UpdateLBPShortCut"="c:\program files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "c:\program files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"

"UpdateP2GoShortCut"="c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "c:\program files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"

.

R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 gupdate1ce063f4b077b48;Google Update Service (gupdate1ce063f4b077b48);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-02-08 116648]

R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2013-02-28 161384]

R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2012-06-25 52320]

R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys [2013-02-06 102936]

R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]

R3 gupdatem1ce063f4b42fdae;Google Update Service (gupdatem1ce063f4b42fdae);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-02-08 116648]

R3 NLNdisMP;NLNdisMP;c:\windows\system32\DRIVERS\nlndis.sys [x]

R3 NLNdisPT;NetLimiter Ndis Protocol Service;c:\windows\system32\DRIVERS\nlndis.sys [x]

R3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys [2013-02-06 203544]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]

R3 TunngleService;TunngleService;c:\program files (x86)\Tunngle\TnglCtrl.exe [2012-07-19 738152]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-05-10 51712]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-02-12 1255736]

R3 X6va005;X6va005;c:\users\Alex\AppData\Local\Temp\0052D83.tmp [x]

R4 BdDesktopParental;Bitdefender Desktop Parental Control;c:\program files\Bitdefender\Bitdefender 2013\bdparentalservice.exe [2013-03-28 69392]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]

S0 avc3;avc3;c:\windows\system32\DRIVERS\avc3.sys [2013-04-26 718840]

S0 gzflt;gzflt;c:\windows\system32\DRIVERS\gzflt.sys [2013-03-28 147232]

S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2011-05-24 868848]

S1 BdfNdisf;BitDefender Firewall NDIS 6 Filter Driver;c:\program files\common files\bitdefender\bitdefender firewall\bdfndisf6.sys [2013-04-26 93600]

S1 bdfwfpf;bdfwfpf;c:\program files\Common Files\Bitdefender\Bitdefender Firewall\bdfwfpf.sys [2011-11-15 103504]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]

S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2013-05-07 143088]

S2 Browser Manager;Browser Manager;c:\programdata\Browser Manager\2.6.1249.132\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe [2013-03-22 2787280]

S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys [2011-09-21 21992]

S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-04-04 418376]

S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-04-04 701512]

S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]

S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2013-03-15 383264]

S2 UPDATESRV;Bitdefender Desktop Update Service;c:\program files\Bitdefender\Bitdefender 2013\updatesrv.exe [2013-03-28 68856]

S3 avchv;avchv Function Driver;c:\windows\system32\DRIVERS\avchv.sys [2012-12-10 261056]

S3 avckf;avckf;c:\windows\system32\DRIVERS\avckf.sys [2013-04-26 593144]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-04-04 25928]

S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2010-04-27 83080]

S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2010-04-27 184968]

S3 Point64;Microsoft Mouse and Keyboard Center Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2012-11-02 50856]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-06-10 539240]

S3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);c:\windows\system32\DRIVERS\tap0901t.sys [2009-09-16 31232]

S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2010-05-15 1327520]

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]

2013-05-24 04:22 1165776 ----a-w- c:\program files (x86)\Google\Chrome\Application\27.0.1453.94\Installer\chrmstp.exe

.

Contents of the 'Scheduled Tasks' folder

.

2013-06-04 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-08 01:16]

.

2013-06-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-02-08 20:59]

.

2013-06-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-02-08 20:59]

.

2013-05-22 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 4bb79e0a-c88b-45a9-bf37-db1db02f900e.job

- c:\program files\SUPERAntiSpyware\SASTask.exe [2013-05-07 22:37]

.

2013-05-22 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 9bd39073-fc8c-4c65-a482-1a870d3c84d6.job

- c:\program files\SUPERAntiSpyware\SASTask.exe [2013-05-07 22:37]

.

--------- X64 Entries -----------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IntelliType Pro"="c:\program files\Microsoft Mouse and Keyboard Center\itype.exe" [2012-11-02 1464944]

"IntelliPoint"="c:\program files\Microsoft Mouse and Keyboard Center\ipoint.exe" [2012-11-02 2076272]

"Bdagent"="c:\program files\Bitdefender\Bitdefender 2013\bdagent.exe" [2013-04-26 1569536]

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService

FontCache

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.google.ca/

mStart Page = about:blank

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = hxxp://neulion.vo.llnwd.net;http://e2.cdnl3.neulion.com;http://nlds*.cdnllnw.neulion.com;http://nlds*.cdnl3.neulion.com;*.local

uInternet Settings,ProxyServer = 196.1.70.201:80

IE: &D&ownload &with BitComet

IE: &D&ownload all with BitComet

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\Office12\EXCEL.EXE/3000

IE: Free YouTube to MP3 Converter - c:\users\Alex\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm

LSP: c:\program files\Bitdefender\Bitdefender 2013\BdProvider32\BdProvider.dll

TCP: DhcpNameServer = 192.168.10.1

TCP: Interfaces\{E09EDCB8-669E-49C6-941C-A5CE4A7712D6}: DhcpNameServer = 192.168.10.1

Handler: intu-tt2012 - {02F985EF-502B-4597-993F-6BF9E004C138} - c:\program files (x86)\TurboTax 2012\ic2012pp.dll

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-{D0F4A166-B8D4-48b8-9D63-80849FE137CB} - (no file)

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\X6va005]

"ImagePath"="\??\c:\users\Alex\AppData\Local\Temp\0052D83.tmp"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\DataMngr\Files\ChromeHomepage]

@Denied: (2) (LocalSystem)

"Flag"=dword:00000000

.

[HKEY_USERS\.Default\Software\DataMngr\Files\Homepage]

@Denied: (2) (LocalSystem)

"Flag"=dword:00000000

.

[HKEY_USERS\.Default\Software\DataMngr\Files\SelectedSearch]

@Denied: (2) (LocalSystem)

"Flag"=dword:00000000

.

[HKEY_USERS\.Default\Software\DataMngr\Files\UrlbarSearch]

@Denied: (2) (LocalSystem)

"Flag"=dword:00000000

.

[HKEY_USERS\.Default\Software\DataMngr\List\Item1]

@Denied: (2) (LocalSystem)

"Flag"=dword:00000000

.

[HKEY_USERS\.Default\Software\DataMngr\List\Item2]

@Denied: (2) (LocalSystem)

"Flag"=dword:00000000

.

[HKEY_USERS\.Default\Software\DataMngr\List\Item3]

@Denied: (2) (LocalSystem)

"Flag"=dword:00000000

.

[HKEY_USERS\.Default\Software\DataMngr\Toolbar]

@Denied: (2) (LocalSystem)

"Flag"=dword:00000000

.

[HKEY_USERS\.Default\Software\DataMngr_Toolbar]

@Denied: (2) (LocalSystem)

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_202_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_202_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\DataMngr\List\Item1]

@Denied: (2) (LocalSystem)

@Denied: (2) (S-1-5-21-1308584036-2535814143-2627783230-1000)

"Flag"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\DataMngr\List\Item2]

@Denied: (2) (LocalSystem)

@Denied: (2) (S-1-5-21-1308584036-2535814143-2627783230-1000)

"Flag"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\DataMngr\List\Item3]

@Denied: (2) (LocalSystem)

@Denied: (2) (S-1-5-21-1308584036-2535814143-2627783230-1000)

"Flag"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

c:\program files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

.

**************************************************************************

.

Completion time: 2013-06-04 01:53:06 - machine was rebooted

ComboFix-quarantined-files.txt 2013-06-04 06:53

ComboFix2.txt 2013-05-22 06:49

.

Pre-Run: 84,557,176,832 bytes free

Post-Run: 84,299,825,152 bytes free

.

- - End Of File - - 955D32811525C9B415735013F5292A64

Psychotic · June 4, 2013

You were infected by a rootkit.

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.

The application window will appear
Click the Disable button to disable your CD Emulation drivers.
Click Yes to continue
A 'Finished!' message will appear
Click OK
DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

CF-Script

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:



http://forums.malwarebytes.org/index.php?showtopic=127238&pid=687087&st=0entry687087

COLLECT::
c:\users\Alex\AppData\Local\Temp\0052D83.tmp

DRIVER::
X6va005
Browser Manager

FOLDER::
c:\programdata\Browser Manager

CLEARJAVACACHE::

Save this as CFScript.txt, in the same location as ComboFix.exe. (If you already deleted it, download it again from here and save it to your desktop)

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

MBAM

Run Malwarebytes´ Antimalware.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
Post that log back here.

alextong · June 4, 2013

ComboFix 13-05-21.01 - Alex 04/06/2013 2:33.3.4 - x64 NETWORK

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.2.1033.18.4094.2572 [GMT -5:00]

Running from: c:\users\Alex\Desktop\ComboFix.exe

Command switches used :: c:\users\Alex\Desktop\CFScript.txt

AV: Bitdefender Antivirus *Disabled/Outdated* {9B5F5313-CAF9-DD97-C460-E778420237B4}

FW: Bitdefender Firewall *Disabled* {A364D236-8096-DCCF-EF3F-4E4DBCD170CF}

SP: Bitdefender Antispyware *Disabled/Outdated* {203EB2F7-ECC3-D219-FED0-DC0A39857D09}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\programdata\Browser Manager

c:\programdata\Browser Manager\2.6.1339.144\{16cdff19-861d-48e3-a751-d99a27784753}\bl

c:\programdata\Browser Manager\2.6.1339.144\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.dll

c:\programdata\Browser Manager\2.6.1339.144\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe

c:\programdata\Browser Manager\2.6.1339.144\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.settings

c:\programdata\Browser Manager\2.6.1339.144\{16cdff19-861d-48e3-a751-d99a27784753}\dm

c:\programdata\Browser Manager\2.6.1339.144\{16cdff19-861d-48e3-a751-d99a27784753}\traking_settings\00

c:\programdata\Browser Manager\2.6.1339.144\{16cdff19-861d-48e3-a751-d99a27784753}\traking_settings\01

c:\programdata\Browser Manager\2.6.1339.144\{16cdff19-861d-48e3-a751-d99a27784753}\traking_settings\02

c:\programdata\Browser Manager\2.6.1339.144\{16cdff19-861d-48e3-a751-d99a27784753}\traking_settings\03

c:\programdata\Browser Manager\2.6.1339.144\{16cdff19-861d-48e3-a751-d99a27784753}\traking_settings\10

c:\programdata\Browser Manager\2.6.1339.144\{16cdff19-861d-48e3-a751-d99a27784753}\traking_settings\11

c:\programdata\Browser Manager\2.6.1339.144\{16cdff19-861d-48e3-a751-d99a27784753}\traking_settings\12

c:\programdata\Browser Manager\2.6.1339.144\{16cdff19-861d-48e3-a751-d99a27784753}\traking_settings\13

c:\programdata\Browser Manager\2.6.1339.144\{16cdff19-861d-48e3-a751-d99a27784753}\traking_settings\20

c:\programdata\Browser Manager\2.6.1339.144\{16cdff19-861d-48e3-a751-d99a27784753}\traking_settings\21

c:\programdata\Browser Manager\2.6.1339.144\{16cdff19-861d-48e3-a751-d99a27784753}\traking_settings\22

c:\programdata\Browser Manager\2.6.1339.144\{16cdff19-861d-48e3-a751-d99a27784753}\traking_settings\23

c:\programdata\Browser Manager\2.6.1339.144\{16cdff19-861d-48e3-a751-d99a27784753}\uninstall.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_X6VA005

-------\Service_Browser Manager

-------\Service_X6va005

.

((((((((((((((((((((((((( Files Created from 2013-05-04 to 2013-06-04 )))))))))))))))))))))))))))))))

.

2013-06-04 07:39 . 2013-06-04 07:39 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp

2013-06-04 07:39 . 2013-06-04 07:39 -------- d-----w- c:\users\Default\AppData\Local\temp