I guess I got Infected

Hi,

Since my computer is lately running too slow, I suspect I got infected by a virus or anything similar.

Please find here my DDS and RogueKiller logs:

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 10.0.9200.16611
Run by Luis at 15:26:37 on 2013-07-03
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\Explorer.EXE
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkService
.
============== Pseudo HJT Report ===============
.
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy 2\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: An vorhandene PDF-Datei anfügen - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: In Adobe PDF konvertieren - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: Linkziel an vorhandene PDF-Datei anhängen - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Linkziel in Adobe PDF konvertieren - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Nach Microsoft E&xcel exportieren - c:\progra~1\micros~1\office14\EXCEL.EXE/3000
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy 2\SDHelper.dll
TCP: NameServer = 212.186.211.21 195.34.133.21
TCP: Interfaces\{EDF01445-80BF-47F3-BF3A-EF7CAD19CB2F} : DHCPNameServer = 212.186.211.21 195.34.133.21
TCP: Interfaces\{EDF01445-80BF-47F3-BF3A-EF7CAD19CB2F}\7416C61687970235F523337353 : DHCPNameServer = 192.168.16.1
TCP: Interfaces\{EDF01445-80BF-47F3-BF3A-EF7CAD19CB2F}\F456354714D274163747 : DHCPNameServer = 213.33.99.70 80.120.17.70
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: SDWinLogon - SDWinLogon.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\27.0.1453.116\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2013-07-02 06:10:09 7068072 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{bc0bdf9c-f751-44d5-9d45-a2c61b031471}\mpengine.dll
2013-06-26 19:44:17 -------- d-----w- c:\users\luis\appdata\roaming\Canneverbe Limited
2013-06-26 19:44:17 -------- d-----w- c:\programdata\Canneverbe Limited
2013-06-21 14:58:28 -------- d-----w- c:\program files\Microsoft Security Client
2013-06-18 12:28:51 -------- d-----w- c:\program files\Medieval Software
2013-06-12 20:23:06 2706432 ----a-w- c:\windows\system32\mshtml.tlb
2013-06-12 20:23:05 218112 ----a-w- c:\program files\internet explorer\sqmapi.dll
2013-06-12 06:07:27 1505280 ----a-w- c:\windows\system32\d3d11.dll
2013-06-12 06:07:20 24576 ----a-w- c:\windows\system32\cryptdlg.dll
2013-06-12 06:07:12 903168 ----a-w- c:\windows\system32\certutil.exe
2013-06-12 06:07:12 1160192 ----a-w- c:\windows\system32\crypt32.dll
2013-06-12 06:07:11 43008 ----a-w- c:\windows\system32\certenc.dll
2013-06-12 06:07:11 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2013-06-12 06:07:11 103936 ----a-w- c:\windows\system32\cryptnet.dll
2013-06-12 06:07:05 492544 ----a-w- c:\windows\system32\win32spl.dll
2013-06-12 06:07:04 1230336 ----a-w- c:\windows\system32\WindowsCodecs.dll
2013-06-12 06:07:01 3913576 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-06-12 06:07:00 3968872 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-06-12 06:06:57 1293672 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-06-10 17:47:54 -------- d-----w- c:\windows\pss
2013-06-09 15:56:10 -------- d-----w- c:\users\luis\appdata\roaming\CANON INC
2013-06-09 14:58:41 -------- d-----w- c:\users\luis\appdata\roaming\Canon_Inc_IC
2013-06-09 14:56:09 -------- d-----w- c:\program files\Canon
2013-06-09 14:56:05 -------- d-----w- c:\program files\common files\Canon_Inc_IC
2013-06-09 14:42:55 -------- d-----w- c:\programdata\Canon_Inc_IC
2013-06-08 19:27:06 73728 ----a-r- c:\users\luis\appdata\roaming\microsoft\installer\{b829e117-d072-41ea-9606-9826a38d34c1}\SVRTgui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2013-06-08 19:27:06 73728 ----a-r- c:\users\luis\appdata\roaming\microsoft\installer\{b829e117-d072-41ea-9606-9826a38d34c1}\SVRTgui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2013-06-08 19:27:06 73728 ----a-r- c:\users\luis\appdata\roaming\microsoft\installer\{b829e117-d072-41ea-9606-9826a38d34c1}\ARPPRODUCTICON.exe
2013-06-08 19:07:38 -------- d-----w- c:\program files\DirectVobSub
.
==================== Find3M  ====================
.
2013-07-03 13:03:36 23552 ----a-w- c:\windows\system32\drivers\monitor.sys.bak
2013-06-28 08:36:12 175176 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-06-28 08:35:53 770344 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-05-17 01:25:57 1767936 ----a-w- c:\windows\system32\wininet.dll
2013-05-17 01:25:27 2877440 ----a-w- c:\windows\system32\jscript9.dll
2013-05-17 01:25:26 61440 ----a-w- c:\windows\system32\iesetup.dll
2013-05-17 01:25:26 109056 ----a-w- c:\windows\system32\iesysprep.dll
2013-05-14 08:40:13 71680 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2013-05-11 08:45:33 9728 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-05-10 07:57:38 49728 ----a-w- c:\windows\system32\AdobePDF.dll
2013-05-10 07:57:34 25160 ----a-w- c:\windows\system32\AdobePDFUI.dll
2013-05-09 08:59:10 61680 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2013-05-09 08:59:10 49376 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-05-09 08:59:09 66336 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-05-09 08:58:37 41664 ----a-w- c:\windows\avastSS.scr
2013-05-02 00:06:08 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-04-13 04:45:16 474624 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-04-13 04:45:15 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-04-12 13:45:29 1211752 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-04-10 05:18:40 728424 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-04-10 05:18:40 218984 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2013-04-10 03:14:06 2347520 ----a-w- c:\windows\system32\win32k.sys
2013-04-09 13:37:00 51144 ----a-w- c:\windows\system32\drivers\Soluto.sys
.
============= FINISH: 15:27:21,41 ===============
RogueKiller V8.6.2 [Jul  2 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Luis [Admin rights]
Mode : Scan -- Date : 07/03/2013 15:33:24
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 3 ¤¤¤
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
 
¤¤¤ Scheduled tasks : 0 ¤¤¤
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [LOADED] ¤¤¤
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection :  ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] 98c63b410177239a0580bee34c6ab7d9
[bSP] 88b1216fb8708809541a6ecd3c228b11 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 226259 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 463378860 | Size: 12213 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[0]_S_07032013_153324.txt >>

Thanks in advance for your help!

Cheers,

P.

attach.rar


Hello Pyrolean and welcome! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  • Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.
Step 1
  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Step 2

Please scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.

    ESET OnlineScan

  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer.

      Save it to your Desktop.

    • Double click on the esetsmartinstaller_enu.exe icon on your Desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under Scan Settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
In your next reply, post the following log files:
  • Malwarebytes' Anti-Malware log
  • ESET Online Scanner log

Hi!

Thanks for your reply!

There goes the first log:


Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Versión de la Base de Datos: v2013.07.03.05
 
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 10.0.9200.16618
Luis :: LUIS-PC [administrador]
 
03.07.2013 15:10:54
mbam-log-2013-07-03 (15-10-54).txt
 
Tipos de Análisis: Análisis Rápido
Opciones de análisis activado: Memoria | Inicio | Registro | Sistema de archivos | Heurística/Extra | Heurística/Shuriken | PUP | PUM
Opciones de análisis desactivados: P2P
Objetos examinados: 200111
Tiempo transcurrido: 5 minuto(s), 36 segundo(s)
 
Procesos en Memoria Detectados: 0
(No se han detectado elementos maliciosos)
 
Módulos de Memoria Detectados: 0
(No se han detectado elementos maliciosos)
 
Claves del Registro Detectados: 0
(No se han detectado elementos maliciosos)
 
Valores del Registro Detectados: 0
(No se han detectado elementos maliciosos)
 
Elementos de Datos del Registro Detectados: 0
(No se han detectado elementos maliciosos)
 
Carpetas Detectadas: 0
(No se han detectado elementos maliciosos)
 
Archivos Detectados: 0
(No se han detectado elementos maliciosos)
 
(fin)


Hi again!

And here the second log from ESET Online Scanner:

C:\Windows.old\Users\Pyogenesis\Downloads\winamp563_full_emusic-7plus_all.exe Win32/OpenCandy application
C:\Windows.old\Documents and Settings\Pyogenesis\Downloads\winamp563_full_emusic-7plus_all.exe Win32/OpenCandy application cleaned by deleting - quarantined

Download Dr.Web CureIt to the desktop.

The download is nearly 104.6 MB in size

  • Turn OFF your antivirus program.

    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

  • Turn off any other add-on security app {if you have them} like MBAM File System Protection.
  • If this system is Windows 8/7 or VISTA, then Right-click on drweb-cureit.exe and select Run as Administrator.
  • Otherwise, on Windows XP, doubleclick on drweb-cureit.exe file to start the tool.
  • You will see a screen similar to this:

    [screenshot 1: Dr.Web CureIt licence screen]

    Click the checkbox to participate, and then click on Continue button.

  • Next

    [screenshot 2: Dr.Web CureIt start screen]

    Click on Select objects for scanning

  • Next

    [screenshot 3: Dr.Web CureIt object selection]

    Put a checkmark by clicking on the boxes as shown.

    Do not select Temporary files or System Restore points.

    Then click on Start scanning button

  • The scan in progress will be shown like this

    [screenshot 4: Dr.Web CureIt scan in progress]

  • IF something is detected, you will see a screen similar to this

    [screenshot 5: Dr.Web CureIt detections]

    For each item "detected", click on the Action column down arrow, like this

    [screenshot 6: Dr.Web CureIt action column]

    Your options will be Cure or Ignore

    IF you see an item that you are very sure is ok, then un-check the checkbox for that item.

    Typically, you will keep the Cure default.

    Then click on the Neutralize button.

  • When the actions are completed, you will see this

    [screenshot 7: Dr.Web CureIt completed]
  • Click on the green Open Report line. It will pop-up the report in NOTEPAD.

    Save the report to your desktop. The report will be called Cureit.log

  • Close Dr.Web Cureit.
  • Reboot your computer to allow files that were in use to be moved/deleted during reboot.
  • After reboot, attach the log Cureit.log you saved previously in your next reply.
Re-Enable your antivirus program when all done.

Hi,

the PC is still running a little bit slow. Also, sometimes, whenever I jump from one tab to another I see half a second like a flawed screening of the content of the tab (as if it were like a virus blocked screening, but only half a second).

Looking forward to your further help, thanks again!

Cheers,

P.

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
