
Possibly infected.



I found a file in my sandbox roaming folder with a few eh interesting things:


Found at: C:\Sandbox\Jezza\DefaultBox\user\current\AppData\Roaming\dclogs\2013-05-13-2.dc. Opening it in Notepad reveals:


:: Facebook - Google Chrome (7:43:59 AM)
 
 
:: ESET Smart Security (7:44:00 AM)
 
:: Facebook - Google Chrome (7:50:53 AM)
Seems legit
Seems legit
 
 
:: Clipboard Change : size = 7 Bytes (7:50:53 AM)
ktfo609

Have done malwarebytes full scan. ESET full scan. Bit defender scan. Nothing showing up but the fact the file was sitting there worries me.

Other file attached

DDS:

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 10.0.9200.16611  BrowserJavaVersion: 10.21.2
Run by Jezza at 21:17:12 on 2013-07-01
Microsoft Windows 7 Professional   6.1.7601.1.1252.44.1033.18.16381.9909 [GMT 1:00]
.
AV: ESET Smart Security 5.2 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET Smart Security 5.2 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: COMODO Defense+ *Enabled/Updated* {FEEA52D5-051E-08DD-07EF-2F009097607D}
FW: COMODO Firewall *Enabled* {7DB03214-694B-060B-1600-BD4715C36DBB}
FW: ESET Personal firewall *Enabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Virtual Router\VirtualRouterService.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\WUDFHost.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Windows\System32\StikyNot.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\Virtual Router\VirtualRouterClient.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\taskeng.exe
c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Origin\Origin.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\TechSmith\Jing\Jing.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\calc.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\mmc.exe
C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uProxyServer = 210.125.29.212:80
mWinlogon: Userinit = userinit.exe,
BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
uRun: [AdobeBridge] <no file>
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\VIRTUA~1.LNK - C:\Windows\Installer\{BE905C46-2B34-4D73-AEE1-769ED138E0FF}\_118D1A4EFFA6998C3492EB.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
LSP: C:\Program Files (x86)\FlyVPN\FlyVPNBind.dll
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{7BF76A08-3D33-4207-889F-B069109A78FF} : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{870C08CE-07A5-4DFF-BA44-D8DCDC22B897} : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{BC796B97-C139-4F7C-8330-19ECC055EA07} : DHCPNameServer = 10.11.0.1
TCP: Interfaces\{ED202015-80A0-49BA-BB26-FE823F0EB4F7} : DHCPNameServer = 192.168.0.1
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\Advisor\System\BAVoilaX.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
AppInit_DLLs= c:\progra~2\magnipic\sprote~1.dll c:\progra~2\browse~1\sprote~1.dll C:\Windows\SysWOW64\guard32.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\27.0.1453.116\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
x64-Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - <orphaned>
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Jezza\AppData\Roaming\Mozilla\Firefox\Profiles\hryejo7u.default\
FF - prefs.js: browser.search.defaulturl - 
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:home
FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\2.1.7\npesnlaunch.dll
FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\npesnsonar.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: C:\Users\Jezza\AppData\Local\Google\Update\1.3.21.145\npGoogleUpdate3.dll
FF - plugin: C:\Windows\System32\Wat\npWatWeb.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_202.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 epfwwfp;epfwwfp;C:\Windows\System32\drivers\epfwwfp.sys [2012-3-14 62496]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;C:\Windows\System32\drivers\cmdGuard.sys [2012-11-8 584056]
R1 cmdHlp;COMODO Internet Security Helper Driver;C:\Windows\System32\drivers\cmdhlp.sys [2012-11-8 38144]
R1 eamonm;eamonm;C:\Windows\System32\drivers\eamonm.sys [2012-3-14 209768]
R1 EpfwLWF;Epfw NDIS LightWeight Filter;C:\Windows\System32\drivers\EpfwLWF.sys [2012-3-14 38288]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2012-10-23 240640]
R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2012-9-28 361984]
R2 AODDriver4.2;AODDriver4.2;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\aoddriver2.sys [2012-4-9 57472]
R2 ekrn;ESET Service;C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe [2012-3-7 913144]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-2-19 701512]
R2 Virtual Router;VirtualRouterService;C:\Program Files (x86)\Virtual Router\VirtualRouterService.exe [2013-2-10 12288]
R3 amdiox64;AMD IO Driver;C:\Windows\System32\drivers\amdiox64.sys [2012-10-5 46136]
R3 EtronHub3;Etron USB 3.0 Extensible Hub Driver;C:\Windows\System32\drivers\EtronHub3.sys [2013-2-19 65152]
R3 EtronXHCI;Etron USB 3.0 Extensible Host Controller Driver;C:\Windows\System32\drivers\EtronXHCI.sys [2013-2-19 88832]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;C:\Windows\System32\drivers\LGBusEnum.sys [2009-11-23 22408]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-2-19 25928]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2012-1-1 646248]
R3 ScreamBAudioSvc;ScreamBee Audio;C:\Windows\System32\drivers\ScreamingBAudio64.sys [2010-7-1 38992]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2012-7-9 104912]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2012-7-8 123856]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-4-24 161384]
S3 AIDA64Driver;FinalWire AIDA64 Kernel Driver;C:\Program Files (x86)\FinalWire\AIDA64 Extreme Edition\kerneld.x64 [2013-2-19 30624]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2012-5-14 96896]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-4-12 71168]
S3 epmntdrv;epmntdrv;C:\Windows\System32\epmntdrv.sys [2013-1-3 17480]
S3 EuGdiDrv;EuGdiDrv;C:\Windows\System32\EuGdiDrv.sys [2013-1-3 9800]
S3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;C:\Windows\System32\drivers\LGVirHid.sys [2009-11-23 16008]
S3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\System32\drivers\netr28x.sys [2012-10-17 920864]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2010-11-19 80384]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2010-11-19 181248]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-4-20 19456]
S3 SbieDrv;SbieDrv;C:\Program Files\Sandboxie\SbieDrv.sys [2012-12-16 202632]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 27136]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-4-20 57856]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2013-4-20 30208]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-10-6 1255736]
S4 DragonUpdater;COMODO Dragon Update Service;C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe [2013-4-19 2074760]
S4 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-2-19 418376]
S4 PdiService;Portrait Displays SDK Service;C:\Program Files (x86)\Common Files\Portrait Displays\Drivers\pdisrvc.exe [2013-1-5 109168]
S4 RalinkRegistryWriter;Ralink Registry Writer;C:\Program Files (x86)\Ralink\Common\RaRegistry.exe [2012-10-17 185632]
S4 RalinkRegistryWriter64;Ralink Registry Writer 64;C:\Program Files (x86)\Ralink\Common\RaRegistry64.exe [2012-10-17 212256]
S4 SwitchBoard;SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S4 TeamViewer8;TeamViewer 8;C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [2012-12-31 3467768]
.
=============== File Associations ===============
.
FileExt: .js: Applications\Notepad.exe=C:\Windows\System32\NOTEPAD.EXE %1 [userChoice]
ShellExec: dreamweaver.exe: Open="C:\Program Files (x86)\Adobe\Adobe Dreamweaver CS6\dreamweaver.exe", "%1"
.
=============== Created Last 30 ================
.
2013-07-01 20:14:53 -------- d-----w- C:\Users\Jezza\AppData\Roaming\QuickScan
2013-07-01 20:04:41 -------- d-----w- C:\Program Files\trend micro
2013-06-28 06:45:25 9552976 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{25B66433-91E4-4679-8A9A-FAFFD668D59A}\mpengine.dll
2013-06-27 21:42:29 -------- d-----w- C:\MTK FirmwareAdapter Tool
2013-06-27 18:00:25 -------- d-----w- C:\Users\Jezza\AppData\Local\Chris_Pietschmann_(http__
2013-06-27 17:05:03 -------- d-----w- C:\Program Files (x86)\Virtual Router
2013-06-25 21:50:27 -------- d-----w- C:\ProgramData\SP_FT_Logs
2013-06-25 00:25:27 256 ----a-w- C:\Users\Jezza\advanced_ip_scanner_Favorites.bin
2013-06-24 20:31:02 210 ----a-w- C:\Users\Jezza\advanced_ip_scanner_MAC.bin
2013-06-24 18:46:39 -------- d-----w- C:\Program Files (x86)\Advanced IP Scanner v2
2013-06-20 19:21:17 -------- d-----w- C:\Program Files (x86)\Battlelog Web Plugins
2013-06-20 18:56:46 262552 ----a-w- C:\Program Files (x86)\Mozilla Firefox\browser\components\browsercomps.dll
2013-06-20 18:45:25 3323752 ----a-w- C:\Windows\SysWow64\pbsvc.exe
2013-06-19 20:45:32 308736 ----a-w- C:\Windows\System32\ssleay32.dll
2013-06-19 20:45:32 1503744 ----a-w- C:\Windows\System32\libeay32.dll
2013-06-19 20:45:21 327008 ----a-w- C:\Windows\System32\RaCoInstx.dll
2013-06-19 20:45:21 1733216 ----a-w- C:\Windows\System32\drivers\netr28ux.sys
2013-06-17 19:56:04 -------- d-----w- C:\ProgramData\Trymedia
2013-06-17 19:54:53 98304 ----a-w- C:\Windows\SysWow64\CmdLineExt.dll
2013-06-12 10:07:42 751104 ----a-w- C:\Windows\System32\win32spl.dll
.
==================== Find3M  ====================
.
2013-07-01 18:04:39 291088 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2013-07-01 18:04:39 291088 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2013-07-01 18:04:30 280904 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
2013-06-21 22:11:47 76888 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
2013-05-17 01:25:57 1767936 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-05-17 01:25:27 2877440 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-05-17 01:25:26 61440 ----a-w- C:\Windows\SysWow64\iesetup.dll
2013-05-17 01:25:26 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll
2013-05-17 00:59:03 2241024 ----a-w- C:\Windows\System32\wininet.dll
2013-05-17 00:58:10 3958784 ----a-w- C:\Windows\System32\jscript9.dll
2013-05-17 00:58:08 67072 ----a-w- C:\Windows\System32\iesetup.dll
2013-05-17 00:58:08 136704 ----a-w- C:\Windows\System32\iesysprep.dll
2013-05-16 16:38:45 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-05-16 16:38:45 692104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-05-14 13:14:01 2706432 ----a-w- C:\Windows\System32\mshtml.tlb
2013-05-14 12:23:25 89600 ----a-w- C:\Windows\System32\RegisterIEPKEYs.exe
2013-05-14 09:23:31 2706432 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-05-14 08:40:13 71680 ----a-w- C:\Windows\SysWow64\RegisterIEPKEYs.exe
2013-05-13 05:51:01 184320 ----a-w- C:\Windows\System32\cryptsvc.dll
2013-05-13 05:51:00 1464320 ----a-w- C:\Windows\System32\crypt32.dll
2013-05-13 05:51:00 139776 ----a-w- C:\Windows\System32\cryptnet.dll
2013-05-13 05:50:40 52224 ----a-w- C:\Windows\System32\certenc.dll
2013-05-13 04:45:55 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
2013-05-13 04:45:55 1160192 ----a-w- C:\Windows\SysWow64\crypt32.dll
2013-05-13 04:45:55 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
2013-05-13 03:43:55 1192448 ----a-w- C:\Windows\System32\certutil.exe
2013-05-13 03:08:10 903168 ----a-w- C:\Windows\SysWow64\certutil.exe
2013-05-13 03:08:06 43008 ----a-w- C:\Windows\SysWow64\certenc.dll
2013-05-10 05:49:27 30720 ----a-w- C:\Windows\System32\cryptdlg.dll
2013-05-10 03:20:54 24576 ----a-w- C:\Windows\SysWow64\cryptdlg.dll
2013-05-08 20:14:46 95648 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-05-08 20:14:43 866720 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2013-05-08 20:14:43 788896 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2013-05-08 06:39:01 1910632 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2013-05-02 01:06:08 278800 ------w- C:\Windows\System32\MpSigStub.exe
2013-04-26 04:55:21 492544 ----a-w- C:\Windows\SysWow64\win32spl.dll
2013-04-25 23:30:32 1505280 ----a-w- C:\Windows\SysWow64\d3d11.dll
2013-04-19 16:57:02 56072 ----a-w- C:\Windows\System32\certsentry.dll
2013-04-19 16:57:02 47368 ----a-w- C:\Windows\SysWow64\certsentry.dll
2013-04-17 07:02:06 1230336 ----a-w- C:\Windows\SysWow64\WindowsCodecs.dll
2013-04-17 06:24:46 1424384 ----a-w- C:\Windows\System32\WindowsCodecs.dll
2013-04-13 05:49:23 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
2013-04-13 05:49:19 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll
2013-04-13 05:49:19 308736 ----a-w- C:\Windows\apppatch\AppPatch64\AcGenral.dll
2013-04-13 05:49:19 111104 ----a-w- C:\Windows\apppatch\AppPatch64\acspecfc.dll
2013-04-13 04:45:16 474624 ----a-w- C:\Windows\apppatch\AcSpecfc.dll
2013-04-13 04:45:15 2176512 ----a-w- C:\Windows\apppatch\AcGenral.dll
2013-04-12 14:45:08 1656680 ----a-w- C:\Windows\System32\drivers\ntfs.sys
2013-04-10 06:01:54 265064 ----a-w- C:\Windows\System32\drivers\dxgmms1.sys
2013-04-10 06:01:53 983400 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys
2013-04-10 03:30:50 3153920 ----a-w- C:\Windows\System32\win32k.sys
2013-04-04 13:50:32 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-12-28 17:47:39 14794312 ----a-w- C:\Program Files (x86)\Common Files\lpuninstall.exe
.
============= FINISH: 21:17:38.14 ===============
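As a worked example added here (not code from the thread, from Malwarebytes, DDS or any other tool named in it), the following Python script triages the two artifacts in the opening post. The keylog sample it carries is constructed, with invented window titles and text, in the same ":: title (time)" layout as the pasted .dc file; the DDS excerpt is taken from the Pseudo HJT section of the log above. It answers the two questions a responder asks first: which applications had input captured, so the affected accounts can be reset without anyone re-reading the keystrokes, and which host settings in the DDS output weaken the machine regardless of what the scanners report (UAC policy values set to 0, a user proxy server pointing at an outside address, DLLs registered under AppInit_DLLs, a Winsock LSP, and two enabled firewalls, which the first reply also raises).

```python
"""Triage helpers for the two artifacts quoted above: a keystroke/clipboard log in the
':: Window title (time)' layout and the 'Pseudo HJT Report' section of a DDS log.
Added example code, not from the thread or from any of the tools it mentions."""
import re

# One header per capture burst: ":: <window title or 'Clipboard Change : size = N Bytes'> (<h:mm:ss AM/PM>)"
HEADER = re.compile(r"^:: (?P<title>.*?) \((?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\)$")


def parse_keylog(text):
    """Split the log into entries: each ':: ...' header plus the non-empty lines under it."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()          # also drops the non-breaking spaces a pasted log carries
        m = HEADER.match(line)
        if m:
            title = m.group("title")
            current = {"title": title, "time": m.group("time"),
                       "kind": "clipboard" if title.startswith("Clipboard Change") else "window",
                       "captured": []}
            entries.append(current)
        elif line and current is not None:
            current["captured"].append(line)
    return entries


def exposure_summary(entries):
    """Per window title, how many captured lines exist, plus the number of clipboard grabs.
    Counts only, so the summary can be shared without re-typing the captured input."""
    by_window = {}
    clipboard = 0
    for e in entries:
        if e["kind"] == "clipboard":
            clipboard += 1
        elif e["captured"]:
            by_window[e["title"]] = by_window.get(e["title"], 0) + len(e["captured"])
    return {"windows_with_input": by_window, "clipboard_captures": clipboard}


# DDS prints these HKLM\...\Policies\System values; each of these settings weakens UAC.
WEAK_UAC = {
    "EnableLUA": "dword:0",                   # UAC switched off entirely
    "ConsentPromptBehaviorAdmin": "dword:0",  # administrators elevate without any prompt
    "PromptOnSecureDesktop": "dword:0",       # prompt shown on the normal desktop, not the secure one
}


def triage_dds(text):
    """Flag 'Pseudo HJT Report' lines a responder should question before declaring a host clean."""
    findings, firewalls = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("FW: ") and "*Enabled*" in line:
            firewalls.append(line[4:].split(" *", 1)[0])
        elif line.startswith("uProxyServer = "):
            findings.append(("proxy", line.split(" = ", 1)[1]))   # browser traffic is routed via this host
        elif line.startswith("mPolicies-System: "):
            name, _, value = line[len("mPolicies-System: "):].partition(" = ")
            if WEAK_UAC.get(name) == value:
                findings.append(("uac", name))
        elif line.startswith("AppInit_DLLs="):
            dlls = line.split("=", 1)[1].split()                  # loaded into every process using user32.dll
            if dlls:
                findings.append(("appinit_dlls", dlls))
        elif line.startswith("LSP: "):
            findings.append(("winsock_lsp", line[5:]))            # sits in the Winsock stack for every socket
    if len(firewalls) > 1:
        findings.append(("multiple_firewalls", firewalls))
    return findings


# Constructed sample in the same layout as the pasted .dc file (titles and text are invented).
KEYLOG_SAMPLE = "\n".join([
    ":: Webmail - Google Chrome (7:43:59 AM)",
    "\u00a0",
    ":: Webmail - Google Chrome (7:50:53 AM)",
    "hello there",
    "hello there",
    "",
    ":: Clipboard Change : size = 11 Bytes (7:50:53 AM)",
    "sample-text",
])

# Excerpt of the Pseudo HJT section exactly as it appears in the DDS log above.
DDS_SAMPLE = r"""
FW: COMODO Firewall *Enabled* {7DB03214-694B-060B-1600-BD4715C36DBB}
FW: ESET Personal firewall *Enabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
uProxyServer = 210.125.29.212:80
mWinlogon: Userinit = userinit.exe,
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
LSP: C:\Program Files (x86)\FlyVPN\FlyVPNBind.dll
AppInit_DLLs= c:\progra~2\magnipic\sprote~1.dll c:\progra~2\browse~1\sprote~1.dll C:\Windows\SysWOW64\guard32.dll
"""

if __name__ == "__main__":
    print(exposure_summary(parse_keylog(KEYLOG_SAMPLE)))
    for finding in triage_dds(DDS_SAMPLE):
        print(*finding)
```

The AppInit_DLLs and LSP entries are flagged for review rather than judged: security suites and VPN clients legitimately register in both places, so each path still has to be checked by hand against its publisher. The summary deliberately reports counts per window title and never the captured text itself, which is the form a responder can paste into a ticket.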

Hello and welcome to the MalwareBytes forum.

My name is Maurice Naggar.

This system shows 2 firewalls. Please advise why.

FW: COMODO Firewall *Enabled*

FW: ESET Personal firewall *Enabled*

If any of Eset is a trial, then uninstall ESET and restart Windows fresh.

Having more than one 3rd-party firewall will lead to conflicts and deadlocks.

Remove 1 or the other and tell me which one was removed.

P.S.

Make sure that your system is set to the correct Date and time (local). For some reason, the logs tend to indicate it does not have the right date.

Peer-to-peer apps

Your logs showed some peer-to-peer filesharing apps: µTorrent

I do not recommend the use of P-2-P programs since such filesharing/downloading from unknown sources is one of the leading causes of transmission of malware.

Risks of File-Sharing Technology.

P2P file sharing: Know the risks

Forum policy on peer-to-peer-programs:

If you're using Peer 2 Peer software such as uTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

http://forums.malwarebytes.org/index.php?showtopic=97700

Java

There are several out-of-date and insecure Java runtimes. Uninstall them.

Java 7 Update 21

Java Auto Updater

Java SE Development Kit 6 Update 20

Java SE Development Kit 7 Update 21

Java vulnerabilities are a never ending occurrence. Bottom line is, if your system does not have an installed 3rd-party application that needs it, then uninstall it.

If you do have that dependency, then turn off Java in your browsers.

If somehow you have an often-used website that needs Java to display all information, then just use a specific browser and only allow Java in that one.

  • A: If you decide to keep Java:

    The Java runtime components are typically located at

    C:\Program Files (x86)\Java\jre7\bin

    Locate javacpl.exe the Java control panel.

    Right click and select Open

    Click on the Update tab

    Put a checkmark at "Check for updates automatically"

    On the General tab, under Temporary Internet Files, click the Settings button.

    Next, click on the Delete Files button

    Checkmark (select) all boxes you can & Click OK on Delete Temporary Files Window.

    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

    Click OK to leave the Temporary Files Window

    Click on the Advanced tab

    Expand Miscellaneous:

    Un-check "place Java icon in system tray"

    Un-check "Java quick starter"

    Exit/close

    You need to remove older versions of Java runtime. Do this:

    Download & Save to your Desktop or a new folder Javara.zip

    Extract the contents of the zip file. Then double click Javara.exe to run it.

    JavaRa is a simple tool that does a simple job: it removes old and redundant versions of the Java Runtime Environment (JRE).

  • B: If you want to disable Java in your browser:

    How to disable Java in various browsers : http://blog.eset.com/2012/08/29/disabling-java-a-safer-way-to-browse

    Also see No, Seriously, Just Disable Java in Your Browser Right Now

  • As noted by Brian Krebs,

    Most consumers can get by without Java installed, or least not plugged into the browser. Because of the prevalence of threats targeting Java installations, I’d urge these users to remove Java or unplug it from the browser. If this is too much trouble, consider adopting a dual-browser approach, keeping Java unplugged from your main browser, and plugged in to a secondary browser that you only use to visit sites that require the plugin.

    Also see How to protect your computer against dangerous Java Applets

    Download Dr.Web CureIt to the desktop.

    The download is nearly 104.6 MB in size

    • Turn OFF your antivirus program.

      How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

    • Turn off any other add-on security app {if you have them} like MBAM File System Protection.
    • Close all your open windows-apps, so that no other application is open. Allow the DrWeb Cure-It to be running without any other interference. Do not use the system while it is running.
    • If this system is Windows 8/7 or VISTA, then Right-click on drweb-cureit.exe and select Run as Administrator.
    • Otherwise, on Windows XP, doubleclick on drweb-cureit.exe file to start the tool.
    • You will see a screen similar to this:

      [screenshot]

      Click the checkbox to participate, and then click on Continue button.

    • Next

      [screenshot]

      Click on Select objects for scanning

    • Next

      [screenshot]

      Put a checkmark by clicking on the boxes as shown.

      Do not select Temporary files or System Restore points.

      Then click on Start scanning button

    • The scan in progress will be shown like this

      [screenshot]

    • IF something is detected, you will see a screen similar to this

      [screenshot]

      For each item "detected", click on the Action column down arrow, like this

      [screenshot]

      Your options will be Cure or Ignore

      IF you see an item that you are very sure is ok, then un-check the checkbox for that item.

      Typically, you will keep the Cure default.

      Then click on the Neutralize button.

    • When the actions are completed, you will see this

      [screenshot]

    • Click on the green Open Report line. It will pop-up the report in NOTEPAD.

      Save the report to your desktop. The report will be called Cureit.log

    • Close Dr.Web Cureit.
    • Reboot your computer to allow files that were in use to be moved/deleted during reboot.
    • After reboot, attach the log Cureit.log you saved previously in your next reply.
    Re-Enable your antivirus program when all done.
Edited by Maurice Naggar

Hello,

I'm very skeptical when it comes to being hacked and generally consider myself very secure. I have never had a clash with either firewall as I have custom rules set up on ESET not to interfere but only monitor specific. Everything else has to be approved manually via COMODO when it attempts to reach the internet, preventing unauthorized access. I have played with the settings trying to reach a good spot; I would prefer to keep both typically. I would be happy to modify the rules if requested though. The computer's date is 100% correct.

Removed utorrent and removed all java using the program you listed. LOG attached

cureit.log


I would (again) urge you to only have 1 software firewall. By having 2 you are setting up the likelihood of conflicts.

Next, place the system into Safe mode with Networking.

Restart your pc. And right away, tap & retap the F8 Function-key on your keyboard.

You should see Windows Advanced Options menu.

Select Safe Mode with Networking or

Safe mode or

VGA mode

with Safe Mode with Networking being the ideal first choice.

• Advanced startup options (including safe mode)

The Advanced Boot Options screen lets you start Windows in advanced troubleshooting modes. You can access the menu by turning on your computer and pressing the F8 key ...

http://windows.microsoft.com/en-US/windows7/Advanced-startup-options-including-safe-mode

Then use & run MBAM as follows:

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.

Then click the Scanner settings sub-tab in second row of tabs. Make sure all option lines have a checkmark.

look down the screen to Action for potentially unwanted modifications

and select "Do not show in results list" from the drop down (arrow) selections.

Next, Click the Update tab. Press the "Check for Updates" button.

If prompted for a Restart, do that.

When done, click the Scanner tab.

Do a Full Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

When all done, Copy & paste the MBAM scan log into a new reply.

Tell me, How is the system ?

Now, logoff and restart Windows into normal mode.

Close all open browsers at this point.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

Start Internet Explorer

Using Internet Explorer browser only, go to BitDefender Quickscan website:

http://quickscan.bitdefender.com

and click "Start Scan".

Observe your browser in case it shows a notice/message bar to allow download and installation of a tool.

Allow the download and install of qsax.cab from BitDefender. Right-click the IE info bar and select Install to install the BitDefender quick scan module.

If prompted, reply yes to allow it to run.

Press the Allow button and follow prompts.

Press the "Start Scan" once more.

You'll see the EULA in a pop-up window. Click the I accept & then the OK button

Note: The FAQ is here --> http://quickscan.bitdefender.com/faq/

and that QuickScan has no removal capability.

The site boasts a 60-second scan. Do have patience as it likely will take longer.

It may seem to stall at moments, but have patience; it will move on.

You'll see a progress bar at top right of window.

Hopefully you will see a No infections found in the bar-window. Press the View Log button.

The log report will show in your text editor. Save the log.

Do a Select ALL, Copy. Then paste contents into your next reply.

When all done, Re-Enable your antivirus program.


Do your work. Then when that is completed, I am urging you to use Safe Mode with Networking, and then start one of the programs, watch it as it starts, select the choices I listed, and then let it run by itself, and just let it complete.

There is likely "some period of time" (like before you turn in for the evening) that you start the Task and checkup on it in the morning.

That's all I ask.

I am trying to help you.

But as time passes (and there's been 7+ days since I replied) I will lose track of where things are.

See if you can squeeze in some time this weekend.

Edited by Maurice Naggar

  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

