Drakath, posted August 7, 2013

Hello, I have a huge problem with viruses and other junk. I didn't have any antivirus program for about 2 months. A few days ago my video card started acting weird; it randomly freezes and outputs this image: http://postimg.org/image/mtcywdbp3/

It was okay until today, when I got a black screen and had to restart the PC. Mostly it happens when I leave the PC for about 10 minutes (AFK) (sleep mode is disabled).

So today I did a scan with Malwarebytes and got a long list of viruses and other junk. It also had this trojan called "Bitcoin", which I heard is really bad. Please help me to remove all that malware. Here is the log:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.08.07.05

Windows 8 x64 NTFS
Internet Explorer 10.0.9200.16635
Gabrielius :: GAMING-LAND [administrator]

8/7/2013 4:22:53 PM
MBAM-log-2013-08-07 (16-59-50).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 454290
Time elapsed: 36 minute(s), 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|svchost (Backdoor.Bot) -> Data: "C:\Users\Gabrielius\AppData\Roaming\Microsoft\WinUpdate\nircmd.exe" exec hide "C:\Users\Gabrielius\AppData\Roaming\Microsoft\WinUpdate\start.bat" -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 4
C:\Users\Gabrielius\AppData\Roaming\Babylon (PUP.Optional.Babylon.A) -> No action taken.
C:\ProgramData\Tarma Installer (PUP.Optional.Tarma.A) -> No action taken.
C:\ProgramData\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504} (PUP.Optional.Tarma.A) -> No action taken.
C:\ProgramData\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\Cache (PUP.Optional.Tarma.A) -> No action taken.

Files Detected: 33
C:\Program Files\Adobe\Adobe Photoshop CS6 (64 Bit)\amtlib.dll (PUP.RiskwareTool.CK) -> No action taken.
C:\ProgramData\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\Setup.exe (PUP.Optional.Tarma.A) -> No action taken.
C:\Users\Gabrielius\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DQ2MC4FH\pack[1].7z (PUP.Browser.Defender.A) -> No action taken.
C:\Users\Gabrielius\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGCMSQ07\WebCakesetup[1].exe (PUP.Optional.Yontoo) -> No action taken.
C:\Users\Gabrielius\AppData\Local\Temp\bundlesweetimsetup.exe (PUP.Optional.SweetIM) -> No action taken.
C:\Users\Gabrielius\AppData\Local\Temp\DeltaTB.exe (PUP.Optional.Babylon.A) -> No action taken.
C:\Users\Gabrielius\AppData\Local\Temp\drivers.zip (Trojan.BitCoinMiner) -> No action taken.
C:\Users\Gabrielius\AppData\Local\Temp\FreeMouseAutoClickerSetup.exe (PUP.Optional.Somoto) -> No action taken.
C:\Users\Gabrielius\AppData\Local\Temp\OptimizerPro.exe (PUP.Optional.OptimizePro.A) -> No action taken.
C:\Users\Gabrielius\AppData\Local\Temp\PCPerformerSetup.exe (PUP.Optional.InstallBrain) -> No action taken.
C:\Users\Gabrielius\AppData\Local\Temp\WinUpdate.zip (Trojan.BitcoinMiner) -> No action taken.
C:\Users\Gabrielius\AppData\Local\Temp\19C26F33-BAB0-7891-B991-8D83AC94A98F\Latest\ccp.exe (PUP.Babylon.A) -> No action taken.
C:\Users\Gabrielius\AppData\Local\Temp\19C26F33-BAB0-7891-B991-8D83AC94A98F\Latest\MyBabylonTB.exe (PUP.Optional.Delta) -> No action taken.
C:\Users\Gabrielius\AppData\Local\Temp\19C26F33-BAB0-7891-B991-8D83AC94A98F\Latest\Setup.exe (PUP.Optional.Babylon.A) -> No action taken.
C:\Users\Gabrielius\AppData\Local\Temp\iswizard\dwm.exe (Trojan.BitcoinMiner) -> No action taken.
C:\Users\Gabrielius\AppData\Local\Temp\iswizard\iswizard.7z (Trojan.BitcoinMiner) -> No action taken.
C:\Users\Gabrielius\AppData\Local\Temp\iswizard\wuaudit.exe (Trojan.BitcoinMiner) -> No action taken.
C:\Users\Gabrielius\AppData\Roaming\Microsoft\WinUpdate\svchost.exe (Trojan.BitCoinMiner) -> No action taken.
C:\Users\Gabrielius\AppData\Roaming\Microsoft\WinUpdate\cpu\LiveComm.exe (Trojan.BitcoinMiner) -> No action taken.
C:\Users\Gabrielius\Desktop\cheat.exe (Malware.Packer.Gen) -> No action taken.
C:\Users\Gabrielius\Desktop\Artix Games and Hacks\AQp00n3d (LH) 4.1 (Test) 3.zip (Malware.Gen) -> No action taken.
C:\Users\Gabrielius\Desktop\Stuff\Dark+10Tr-LNG_v1.0.exe (VirTool.Obfuscator) -> No action taken.
C:\Users\Gabrielius\Downloads\CheatEngine62.exe (PUP.Optional.Somoto) -> No action taken.
C:\Users\Gabrielius\Downloads\SoftonicDownloader_for_auto-clicker.exe (PUP.Optional.Softonic) -> No action taken.
C:\Users\Gabrielius\Downloads\SoftonicDownloader_for_scite.exe (PUP.Optional.Softonic) -> No action taken.
C:\Users\Gabrielius\Downloads\Unlocker1.9.2.exe (PUP.Optional.Babylon.A) -> No action taken.
C:\Users\Gabrielius\Downloads\WINDOWS 7 Ultimate SP1 x64 September 2012 [ThumperDC]\Windows Loader 2.1.7 By Daz.rar (PUP.HackTool.H) -> No action taken.
C:\Users\Gabrielius\AppData\Roaming\Babylon\log_file.txt (PUP.Optional.Babylon.A) -> No action taken.
C:\Users\Gabrielius\AppData\Roaming\Microsoft\WinUpdate\nircmd.exe (Backdoor.Bot) -> No action taken.
C:\ProgramData\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\Setup.dat (PUP.Optional.Tarma.A) -> No action taken.
C:\ProgramData\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\Setup.ico (PUP.Optional.Tarma.A) -> No action taken.
C:\ProgramData\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\_Setup.dll (PUP.Optional.Tarma.A) -> No action taken.
C:\ProgramData\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\_Setupx.dll (PUP.Optional.Tarma.A) -> No action taken.

(end)
Maniac, posted August 7, 2013

Hello Drakath!

My name is Borislav and I will be glad to help you solve your malware problem.

Please note:
- If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
- I recommend that you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
- Make sure you read all of the instructions and fixes thoroughly before continuing with them.
- Follow my instructions strictly and don't hesitate to stop and ask me if you have any questions.
- Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
- Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.

Please follow the instructions here and then post the log files in your next reply:
http://forums.malwarebytes.org/index.php?showtopic=9573
Drakath (author), posted August 7, 2013

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16537 BrowserJavaVersion: 10.25.2
Run by Gabrielius at 22:04:09 on 2013-08-07
„Microsoft“ Windows 8 Enterprise 6.2.9200.0.1252.1.1033.18.16345.13431 [GMT 3:00]
.
AV: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\dashost.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\taskhostex.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Google\Update\1.3.21.153\GoogleCrashHandler.exe
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.0.1119.516_x64__8wekyb3d8bbwe\LiveComm.exe
C:\Program Files (x86)\Google\Update\1.3.21.153\GoogleCrashHandler64.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\RuntimeBroker.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Games\MTA San Andreas 1.3\server\MTA Server.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\dwm.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uURLSearchHooks: FCToolbarURLSearchHook Class: {61420c5c-7f3e-4f29-9987-e7e31687ab75} - C:\Program Files (x86)\AdventureQuest Worlds Toolbar\Helper.dll
uURLSearchHooks: <No Name>: - LocalServer32 - <no file>
mWinlogon: Userinit = userinit.exe
BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll
BHO: AdventureQuest Worlds Toolbar BHO: {745A6D3B-4DB0-4246-B596-9189787D4ED5} - C:\Program Files (x86)\AdventureQuest Worlds Toolbar\Toolbar.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: {7825CFB6-490A-436B-9F26-4A7B5CFC01A9} - <orphaned>
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL
BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: AdventureQuest Worlds Toolbar: {3385E2D6-567B-4FC6-8F0F-D7A8C6E6118C} - C:\Program Files (x86)\AdventureQuest Worlds Toolbar\Toolbar.dll
TB: AdventureQuest Worlds Toolbar: {3385E2D6-567B-4FC6-8F0F-D7A8C6E6118C} - C:\Program Files (x86)\AdventureQuest Worlds Toolbar\Toolbar.dll
uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
uRun: [uTorrent] "C:\Users\Gabrielius\AppData\Roaming\uTorrent\uTorrent.exe" /MINIMIZED
uRun: [NvidiaHostStart] C:\Users\Gabrielius\AppData\Local\NVIDIA Corporation\nvsync.exe
uRun: [AdobeBridge] <no file>
mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun: [AdobeCS6ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~1\Office15\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~1\MICROS~1\Office15\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office15\ONBttnIE.dll
IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office15\ONBttnIELinkedNotes.dll
TCP: NameServer = 192.168.11.1
TCP: Interfaces\{5FD1F44E-EE10-4CEB-A62E-A15BFE29DB55} : DHCPNameServer = 192.168.11.1
Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE15\MSOXMLMF.DLL
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files (x86)\Microsoft Office\Office15\MSOSB.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\28.0.1500.95\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office\Office15\OCHelper.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL
x64-BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL
x64-Run: [Nvtmru] "C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe"
x64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office15\ONBttnIE.dll
x64-IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office\Office15\OCHelper.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office15\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE15\MSOXMLMF.DLL
x64-Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Gabrielius\AppData\Roaming\Mozilla\Firefox\Profiles\rijiyuj7.default\
FF - prefs.js: browser.search.selectedEngine - Search the Web
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: network.proxy.ftp - 218.93.53.116
FF - prefs.js: network.proxy.ftp_port - 8888
FF - prefs.js: network.proxy.http - 218.93.53.116
FF - prefs.js: network.proxy.http_port - 8888
FF - prefs.js: network.proxy.socks - 218.93.53.116
FF - prefs.js: network.proxy.socks_port - 8888
FF - prefs.js: network.proxy.ssl - 218.93.53.116
FF - prefs.js: network.proxy.ssl_port - 8888
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\PROGRA~2\MICROS~1\Office15\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Adobe Extension Manager CS6\npAdobeExManDetectX86.dll
FF - plugin: C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll
FF - plugin: C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npMeetingJoinPluginOC.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll
FF - plugin: C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypchub.dll
FF - plugin: C:\Users\Gabrielius\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
FF - ExtSQL: 2013-06-25 19:56; {81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}; C:\Users\Gabrielius\AppData\Roaming\Mozilla\Firefox\Profiles\rijiyuj7.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}
FF - ExtSQL: 2013-07-12 15:39; {88c4479d-3515-4ca3-a805-27b920c3bf6d}; C:\Users\Gabrielius\AppData\Roaming\Mozilla\Firefox\Profiles\rijiyuj7.default\extensions\{88c4479d-3515-4ca3-a805-27b920c3bf6d}.xpi
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.delta.tlbrSrchUrl -
FF - user.js: extensions.delta.id - 102573bb00000000000094de802b2c74
FF - user.js: extensions.delta.appId - {C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
FF - user.js: extensions.delta.instlDay - 15866
FF - user.js: extensions.delta.vrsn - 1.8.21.5
FF - user.js: extensions.delta.vrsni - 1.8.21.5
FF - user.js: extensions.delta.vrsnTs - 1.8.21.519:02:58
FF - user.js: extensions.delta.prtnrId - delta
FF - user.js: extensions.delta.prdct - delta
FF - user.js: extensions.delta.aflt - babsst
FF - user.js: extensions.delta.smplGrp - none
FF - user.js: extensions.delta.tlbrId - base
FF - user.js: extensions.delta.instlRef - sst
FF - user.js: extensions.delta.dfltLng - en
FF - user.js: extensions.delta.excTlbr - false
FF - user.js: extensions.delta.ffxUnstlRst - true
FF - user.js: extensions.delta.admin - false
FF - user.js: extensions.delta_i.babTrack - affID=44444
FF - user.js: extensions.delta_i.babExt -
FF - user.js: extensions.delta_i.srcExt - ss
FF - user.js: extensions.delta.autoRvrt - false
FF - user.js: extensions.delta.rvrt - false
FF - user.js: extensions.delta.newTab - false
user_pref('extensions.autoDisableScopes', 0);
user_pref('security.csp.enable', false);
user_pref('security.OCSP.enabled', 0);
user_pref('extensions.blocklist.enabled', false);
.
============= SERVICES / DRIVERS ===============
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\System32\Drivers\dtsoftbus01.sys [2013-4-27 283200]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2013-6-21 413472]
R2 TeamViewer8;TeamViewer 8;C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [2013-4-27 4150112]
R3 L1C;NDIS Miniport Driver for Qualcomm Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\System32\Drivers\L1C63x64.sys [2012-6-2 100864]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);C:\Windows\System32\Drivers\ssudbus.sys [2013-6-4 103448]
S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE [2012-10-2 178824]
S3 RTL8168;Realtek 8168 NT Driver;C:\Windows\System32\Drivers\Rt630x64.sys [2012-6-2 589824]
S3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);C:\Windows\System32\Drivers\ssudmdm.sys [2013-6-4 203672]
S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 UsbFltr;WayTech USB Filter Driver;C:\Windows\System32\Drivers\UsbFltr.sys [2007-4-9 12288]
S3 vmbusr;Virtual Machine Bus Provider;C:\Windows\System32\Drivers\vmbusr.sys [2012-7-26 117248]
S3 WUDFWpdMtp;WUDFWpdMtp;C:\Windows\System32\Drivers\WUDFRd.sys [2012-7-26 198656]
.
=============== File Associations ===============
.
FileExt: .vbe: VBEFile=C:\Windows\SysWow64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2013-08-07 13:22:16 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2013-08-07 13:22:16 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-08-07 11:01:36 9460976 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{DBCC43D7-5153-4CFE-81C0-C32E1997B3ED}\mpengine.dll
2013-08-06 10:03:42 9460976 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2013-08-05 13:48:47 -------- d-----w- C:\Program Files (x86)\Resource Hacker
2013-08-05 13:37:05 348160 ----a-w- C:\Windows\SysWow64\msvcr71.dll
2013-08-05 13:26:03 -------- d-----w- C:\Program Files (x86)\MyPC Backup
2013-08-05 13:25:14 -------- d-----w- C:\Program Files (x86)\OApps
2013-08-05 13:25:12 -------- d-----w- C:\ProgramData\Tarma Installer
2013-08-01 09:35:44 262832 ----a-w- C:\ProgramData\Microsoft\Windows\Sqm\Manifest\Sqm10212.bin
2013-07-24 21:04:32 -------- d-----w- C:\Program Files (x86)\Shivinder Singh Narr
2013-07-23 17:54:19 -------- d-----r- C:\Program Files (x86)\Skype
2013-07-22 15:32:03 -------- d-----w- C:\Users\Gabrielius\AppData\Roaming\Kalypso Media
2013-07-22 15:32:03 -------- d-----w- C:\Users\Gabrielius\AppData\Local\FLT
2013-07-14 18:36:12 -------- d-----w- C:\ProgramData\SystemRequirementsLab
2013-07-12 12:50:32 -------- d-----w- C:\Program Files (x86)\Common Files\FreeCause
2013-07-12 12:50:28 -------- d-----w- C:\Program Files (x86)\AdventureQuest Worlds Toolbar
2013-07-12 12:39:18 -------- d-----w- C:\Program Files (x86)\Mozilla Maintenance Service
2013-07-10 11:46:23 2035200 ----a-w- C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll
2013-07-10 11:46:23 1617920 ----a-w- C:\Program Files\Windows Journal\NBDoc.DLL
2013-07-10 11:46:23 1318912 ----a-w- C:\Program Files\Windows Journal\JNWDRV.dll
2013-07-10 11:46:23 1306112 ----a-w- C:\Program Files\Windows Journal\JNTFiltr.dll
2013-07-10 11:46:23 1272320 ----a-w- C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll
2013-07-10 11:46:22 1413632 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\InkObj.dll
2013-07-10 11:46:22 1029632 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\journal.dll
2013-07-10 11:39:51 4036096 ----a-w- C:\Windows\System32\win32k.sys
.
==================== Find3M ====================
.
2013-07-01 10:40:58 96168 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-07-01 10:40:57 867240 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2013-07-01 10:40:57 789416 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2013-06-27 22:04:51 78200 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-06-27 22:04:51 693112 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-06-23 18:23:59 5856 ----a-w- C:\ProgramData\NanoRepository.bin
2013-06-21 10:23:16 6496544 ----a-w- C:\Windows\System32\nvcpl.dll
2013-06-21 10:23:16 3514656 ----a-w- C:\Windows\System32\nvsvc64.dll
2013-06-21 10:23:11 884512 ----a-w- C:\Windows\System32\nvvsvc.exe
2013-06-21 10:23:10 63776 ----a-w- C:\Windows\System32\nvshext.dll
2013-06-21 10:23:10 237856 ----a-w- C:\Windows\System32\nvmctray.dll
2013-06-21 02:16:02 566048 ----a-w- C:\Windows\SysWow64\nvStreaming.exe
2013-06-20 04:17:49 3253909 ----a-w- C:\Windows\System32\nvcoproc.bin
2013-06-16 22:41:31 997632 ----a-w- C:\Windows\System32\drivers\ndis.sys
2013-06-11 23:43:37 1767936 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-06-11 23:43:00 2877440 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-06-11 23:26:20 2241024 ----a-w- C:\Windows\System32\wininet.dll
2013-06-11 23:25:16 3958784 ----a-w- C:\Windows\System32\jscript9.dll
2013-06-04 06:15:02 103448 ----a-w- C:\Windows\System32\drivers\ssudbus.sys
2013-06-04 06:15:00 203672 ----a-w- C:\Windows\System32\drivers\ssudmdm.sys
2013-06-01 11:54:16 194816 ----a-w- C:\Windows\System32\drivers\sdbus.sys
2013-06-01 11:54:10 125184 ----a-w- C:\Windows\System32\drivers\dumpsd.sys
2013-06-01 11:34:21 2391280 ----a-w- C:\Windows\explorer.exe
2013-06-01 11:33:13 2233600 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2013-06-01 11:29:35 337152 ----a-w- C:\Windows\System32\drivers\USBXHCI.SYS
2013-06-01 11:29:35 213248 ----a-w- C:\Windows\System32\drivers\UCX01000.SYS
2013-06-01 11:26:33 327936 ----a-w- C:\Windows\System32\drivers\volsnap.sys
2013-06-01 11:26:31 6987008 ----a-w- C:\Windows\System32\ntoskrnl.exe
2013-06-01 10:24:46 2106176 ----a-w- C:\Windows\SysWow64\explorer.exe
2013-06-01 09:25:52 364544 ----a-w- C:\Windows\SysWow64\XpsGdiConverter.dll
2013-06-01 09:25:05 67584 ----a-w- C:\Windows\SysWow64\samlib.dll
2013-06-01 09:25:03 496640 ----a-w- C:\Windows\SysWow64\qedit.dll
2013-06-01 09:24:19 493056 ----a-w- C:\Windows\SysWow64\mscms.dll
2013-06-01 09:24:09 850944 ----a-w- C:\Windows\SysWow64\mfasfsrcsnk.dll
2013-06-01 09:24:09 1453568 ----a-w- C:\Windows\SysWow64\mfcore.dll
2013-06-01 09:23:46 1842176 ----a-w- C:\Windows\SysWow64\dwmcore.dll
2013-06-01 09:23:06 680960 ----a-w- C:\Windows\System32\vds.exe
2013-06-01 09:22:47 80896 ----a-w- C:\Windows\System32\MbaeParserTask.exe
2013-06-01 09:22:33 523264 ----a-w- C:\Windows\System32\XpsGdiConverter.dll
2013-06-01 09:22:33 446976 ----a-w- C:\Windows\System32\wwansvc.dll
2013-06-01 09:22:09 190976 ----a-w- C:\Windows\System32\vdsutil.dll
2013-06-01 09:21:39 729600 ----a-w- C:\Windows\System32\samsrv.dll
2013-06-01 09:21:39 106496 ----a-w- C:\Windows\System32\samlib.dll
2013-06-01 09:21:34 595968 ----a-w- C:\Windows\System32\qedit.dll
2013-06-01 09:20:45 583168 ----a-w- C:\Windows\System32\mscms.dll
2013-06-01 09:20:34 1527808 ----a-w- C:\Windows\System32\mfcore.dll
2013-06-01 09:20:34 1048576 ----a-w- C:\Windows\System32\mfasfsrcsnk.dll
2013-06-01 09:20:04 2219520 ----a-w- C:\Windows\System32\dwmcore.dll
2013-06-01 09:19:58 207872 ----a-w- C:\Windows\System32\DeviceSetupManager.dll
2013-06-01 09:19:42 785408 ----a-w- C:\Windows\System32\audiosrv.dll
2013-06-01 03:08:57 37632 ----a-w- C:\Windows\System32\drivers\BthAvrcpTg.sys
2013-05-27 22:03:52 146 ----a-w- C:\virus.reg
2013-05-27 22:02:42 53 ----a-w- C:\start.bat
2013-05-24 22:09:20 1403296 ----a-w- C:\Windows\System32\winload.efi
2013-05-24 22:09:20 1271584 ----a-w- C:\Windows\System32\winload.exe
2013-05-24 22:09:20 1217352 ----a-w- C:\Windows\System32\winresume.efi
2013-05-24 22:09:20 1093904 ----a-w- C:\Windows\System32\winresume.exe
2013-05-23 23:01:46 1300992 ----a-w- C:\Windows\System32\gdi32.dll
2013-05-23 22:27:05 1022464 ----a-w- C:\Windows\SysWow64\gdi32.dll
2013-05-15 22:37:03 44032 ----a-w- C:\Windows\SysWow64\UXInit.dll
2013-05-15 22:35:49 53760 ----a-w- C:\Windows\System32\UXInit.dll
2013-05-15 22:35:47 144384 ----a-w- C:\Windows\System32\tssdisai.dll
2013-05-15 02:25:59 888320 ----a-w- C:\Windows\System32\autochk.exe
2013-05-15 02:25:44 542208 ----a-w- C:\Windows\System32\untfs.dll
2013-05-15 02:24:10 793088 ----a-w- C:\Windows\SysWow64\autochk.exe
2013-05-15 02:24:01 482816 ----a-w- C:\Windows\SysWow64\untfs.dll
2013-05-14 13:14:01 2706432 ----a-w- C:\Windows\System32\mshtml.tlb
2013-05-14 09:23:31 2706432 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-05-12 21:42:27 1832224 ----a-w- C:\Windows\System32\nvdispco6432018.dll
2013-05-12 21:42:27 1511712 ----a-w- C:\Windows\System32\nvdispgenco6432018.dll
.
============= FINISH: 22:04:22.84 ===============
.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
„Microsoft“ Windows 8 Enterprise
Boot Device: \Device\HarddiskVolume1
Install Date: 4/27/2013 1:37:05 PM
System Uptime: 8/7/2013 4:16:34 PM (6 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. | | H77-DS3H
Processor: Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz | Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz | 3901/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 465 GiB total, 213.338 GiB free.
D: is CDROM ()
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP17: 7/16/2013 9:03:36 PM - Installed Assassin's Creed(R) III v1.06
RP18: 7/22/2013 6:28:04 PM - Installed DirectX
RP19: 7/23/2013 6:56:24 PM - Installed Skype™ 6.6
RP20: 7/25/2013 12:03:58 AM - Installed Ultimate Auto Typer Ver. 3.0
RP21: 8/2/2013 2:41:18 PM - Scheduled Checkpoint
.
==== Installed Programs ======================
.
µTorrent
Adobe Flash Player 11 Plugin
Adobe Photoshop CS6
AdventureQuest Worlds Toolbar
Assassin's Creed(R) III v1.06
Astroburn Lite
Bandicam
Bandisoft MPEG-1 Decoder
Bundled software uninstaller
Cheat Engine 6.2
Company of Heroes 2
Counter-Strike Global Offensive
DAEMON Tools Lite
Definition Update for Microsoft Office 2013 (KB2760587) 64-Bit Edition
FileZilla Client 3.7.1
Fraps v3.5.99 Build 15618
Google Chrome
Google Earth
Google Update Helper
GTA San Andreas
Java 7 Update 25
Java Auto Updater
K-Lite Codec Pack 6.0.4 (Basic)
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft Access MUI (English) 2013
Microsoft Access Setup Metadata MUI (English) 2013
Microsoft DCF MUI (English) 2013
Microsoft Excel MUI (English) 2013
Microsoft Groove MUI (English) 2013
Microsoft InfoPath MUI (English) 2013
Microsoft Lync MUI (English) 2013
Microsoft Office 32-bit Components 2013
Microsoft Office OSM MUI (English) 2013
Microsoft Office OSM UX MUI (English) 2013
Microsoft Office Professional Plus 2013
Microsoft Office Proofing (English) 2013
Microsoft Office Proofing Tools 2013 - English
Microsoft Office Proofing Tools 2013 - Español
Microsoft Office Shared 32-bit MUI (English) 2013
Microsoft Office Shared MUI (English) 2013
Microsoft Office Shared Setup Metadata MUI (English) 2013
Microsoft OneNote MUI (English) 2013
Microsoft Outlook MUI (English) 2013
Microsoft PowerPoint MUI (English) 2013
Microsoft Publisher MUI (English) 2013
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable (x64)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft Word MUI (English) 2013
Microsoft_VC100_CRT_x86
Microsoft_VC80_CRT_x86
Microsoft_VC90_CRT_x86
Minecraft1.5.1
Mozilla Firefox 22.0 (x86 en-US)
Mozilla Maintenance Service
MTA:SA v1.3.3
Notepad++
NVIDIA 3D Vision Controller Driver 320.49
NVIDIA 3D Vision Driver 320.49
NVIDIA Control Panel 320.49
NVIDIA GeForce Experience 1.5.1
NVIDIA Graphics Driver 320.49
NVIDIA HD Audio Driver 1.3.24.2
NVIDIA Install Application
NVIDIA PhysX
NVIDIA PhysX System Software 9.13.0604
NVIDIA Stereoscopic 3D Driver
NVIDIA Update 6.4.23
NVIDIA Update Components
Outils de vérification linguistique 2013 de Microsoft Office - Français
PDF Settings CS6
PunkBuster Services
PuTTY version 0.62
Resource Hacker Version 3.6.0
Security Update for Microsoft Lync 2013 (KB2817465) 64-Bit Edition
Security Update for Microsoft Office 2013 (KB2817491) 64-Bit Edition
Skype™ 6.6
System Requirements Lab CYRI
TeamViewer 8
Tomb Raider
Ultimate Auto Typer Ver. 3.0
Unity Web Player
Update for Microsoft Access 2013 (KB2760350) 64-Bit Edition
Update for Microsoft Excel 2013 (KB2760339) 64-Bit Edition
Update for Microsoft Office 2013 (KB2726954) 64-Bit Edition
Update for Microsoft Office 2013 (KB2726996) 64-Bit Edition
Update for Microsoft Office 2013 (KB2737954) 64-Bit Edition
Update for Microsoft Office 2013 (KB2752025) 64-Bit Edition
Update for Microsoft Office 2013 (KB2752094) 64-Bit Edition
Update for Microsoft Office 2013 (KB2752101) 64-Bit Edition
Update for Microsoft Office 2013 (KB2760224) 64-Bit Edition
Update for Microsoft Office 2013 (KB2760538) 64-Bit Edition
Update for Microsoft Office 2013 (KB2760610) 64-Bit Edition
Update for Microsoft Office 2013 (KB2767845) 64-Bit Edition
Update for Microsoft Office 2013 (KB2767851) 64-Bit Edition
Update for Microsoft Office 2013 (KB2767860) 64-Bit Edition
Update for Microsoft Office 2013 (KB2768016) 64-Bit Edition
Update for Microsoft Office 2013 (KB2810010) 64-Bit Edition
Update for Microsoft Office 2013 (KB2817320) 64-Bit Edition
Update for Microsoft Office 2013 (KB2817482) 64-Bit Edition
Update for Microsoft Office 2013 (KB2817489) 64-Bit Edition
Update for Microsoft Office 2013 (KB2817492) 64-Bit Edition
Update for Microsoft OneNote 2013 (KB2817467) 64-Bit Edition
Update for Microsoft Outlook 2013 (KB2817468) 64-Bit Edition
Update for Microsoft PowerPoint 2013 (KB2726947) 64-Bit Edition
Update for Microsoft PowerPoint 2013 (KB2810006) 64-Bit Edition
Update for Microsoft SkyDrive Pro (KB2817469) 64-Bit Edition
Update for Microsoft Visio 2013 (KB2810008) 64-Bit Edition
Update for Microsoft Visio Viewer 2013 (KB2768338) 64-Bit Edition
Update for Microsoft Word 2013 (KB2767863) 64-Bit Edition
Update for Microsoft Word 2013 (KB2810086) 64-Bit Edition
Uplay
WinRAR 4.20 (64-bit)
YouTube Song Downloader
.
==== Event Viewer Messages From Past Week ========
.
8/5/2013 4:29:41 PM, Error: Service Control Manager [7031] - The WebCakeUpdater service terminated unexpectedly. This has happened 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
8/5/2013 4:25:28 PM, Error: Service Control Manager [7030] - The DefaultTabSearch service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
.
==== End Of File ===========================
Maniac Posted August 8, 2013 ID:712417

Step 1
Please uninstall the following applications:
µTorrent
AdventureQuest Worlds Toolbar

Step 2
Please download Junkware Removal Tool to your desktop.
Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.

Step 3
Please download AdwCleaner by Xplode onto your desktop.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Delete.
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the content of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[s1].txt as well.

Step 4
Launch Malwarebytes' Anti-Malware
Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
Go to Scanner tab and select Perform Quick Scan, then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

In your next reply, post the following log files:
Junkware Removal Tool log
AdwCleaner log
Malwarebytes' Anti-Malware log
Drakath Posted August 8, 2013 Author ID:712497

Is it necessary to uninstall uTorrent? Can I just end its process?
Maniac Posted August 8, 2013 ID:712519

Please read this thread: http://forums.malwarebytes.org/index.php?showtopic=97700
Drakath Posted August 8, 2013 Author ID:712561

I guess it's just a coincidence, but when I was about to click "Remove Selected" my screen went black and I had to restart the pc. I did the quick scan again and removed it successfully, here is the log:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.08.08.06

Windows 8 x64 NTFS
Internet Explorer 10.0.9200.16635
Gabrielius :: GAMING-LAND [administrator]

8/8/2013 9:38:08 PM
mbam-log-2013-08-08 (21-38-08).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 244122
Time elapsed: 4 minute(s), 17 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|svchost (Backdoor.Bot) -> Data: "C:\Users\Gabrielius\AppData\Roaming\Microsoft\WinUpdate\nircmd.exe" exec hide "C:\Users\Gabrielius\AppData\Roaming\Microsoft\WinUpdate\start.bat" -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 22
C:\Users\Gabrielius\AppData\Roaming\Microsoft\WinUpdate\svchost.exe (Trojan.BitCoinMiner) -> Quarantined and deleted successfully.
C:\Users\Gabrielius\Desktop\cheat.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Users\Gabrielius\AppData\Local\Temp\bundlesweetimsetup.exe (PUP.Optional.SweetIM) -> Quarantined and deleted successfully.
C:\Users\Gabrielius\AppData\Local\Temp\DeltaTB.exe (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.
C:\Users\Gabrielius\AppData\Local\Temp\drivers.zip (Trojan.BitCoinMiner) -> Quarantined and deleted successfully.
C:\Users\Gabrielius\AppData\Local\Temp\FreeMouseAutoClickerSetup.exe (PUP.Optional.Somoto) -> Quarantined and deleted successfully.
C:\Users\Gabrielius\AppData\Local\Temp\OptimizerPro.exe (PUP.Optional.OptimizePro.A) -> Quarantined and deleted successfully.
C:\Users\Gabrielius\AppData\Local\Temp\PCPerformerSetup.exe (PUP.Optional.InstallBrain) -> Quarantined and deleted successfully.
C:\Users\Gabrielius\AppData\Local\Temp\WinUpdate.zip (Trojan.BitcoinMiner) -> Quarantined and deleted successfully.
C:\Users\Gabrielius\AppData\Local\Temp\19C26F33-BAB0-7891-B991-8D83AC94A98F\Latest\ccp.exe (PUP.Babylon.A) -> Quarantined and deleted successfully.
C:\Users\Gabrielius\AppData\Local\Temp\19C26F33-BAB0-7891-B991-8D83AC94A98F\Latest\MyBabylonTB.exe (PUP.Optional.Delta) -> Quarantined and deleted successfully.
C:\Users\Gabrielius\AppData\Local\Temp\19C26F33-BAB0-7891-B991-8D83AC94A98F\Latest\Setup.exe (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.
C:\Users\Gabrielius\AppData\Local\Temp\iswizard\dwm.exe (Trojan.BitcoinMiner) -> Quarantined and deleted successfully.
C:\Users\Gabrielius\AppData\Local\Temp\iswizard\iswizard.7z (Trojan.BitcoinMiner) -> Quarantined and deleted successfully.
C:\Users\Gabrielius\AppData\Local\Temp\iswizard\wuaudit.exe (Trojan.BitcoinMiner) -> Quarantined and deleted successfully.
C:\Users\Gabrielius\Downloads\CheatEngine62.exe (PUP.Optional.Somoto) -> Quarantined and deleted successfully.
C:\Users\Gabrielius\Downloads\SoftonicDownloader_for_auto-clicker.exe (PUP.Optional.Softonic) -> Quarantined and deleted successfully.
C:\Users\Gabrielius\Downloads\SoftonicDownloader_for_scite.exe (PUP.Optional.Softonic) -> Quarantined and deleted successfully.
C:\Users\Gabrielius\Downloads\Unlocker1.9.2.exe (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.
C:\Users\Gabrielius\Local Settings\Temporary Internet Files\Content.IE5\DQ2MC4FH\pack[1].7z (PUP.Browser.Defender.A) -> Quarantined and deleted successfully.
C:\Users\Gabrielius\Local Settings\Temporary Internet Files\Content.IE5\JGCMSQ07\WebCakesetup[1].exe (PUP.Optional.Yontoo) -> Quarantined and deleted successfully.
C:\Users\Gabrielius\AppData\Roaming\Microsoft\WinUpdate\nircmd.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

(end)
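The one entry in the log above that explains how the miner came back after each reboot is the Run-key value: a value named svchost that uses nircmd.exe to hide-launch a batch file from AppData. The Python below is an added example, not code from the thread or from Malwarebytes: it parses MBAM 1.x log lines into records, lists what a scan only reported without removing, and flags that autostart pattern. The sample lines are constructed from the shape of the log above, and the list of system-binary names is an assumption of the example.

```python
"""Triage helper for Malwarebytes Anti-Malware 1.x scan logs (added example for this
thread, not code from Malwarebytes or the posters). Parses "item (Family) -> action"
lines into records, lists what was left unremediated, and flags the persistence pattern
in the log above: a Run-key value launching from the user profile under a system-binary name."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample fragment constructed from the shape of the MBAM log in the thread.
SAMPLE_LOG = r"""
Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|svchost (Backdoor.Bot) -> Data: "C:\Users\Gabrielius\AppData\Roaming\Microsoft\WinUpdate\nircmd.exe" exec hide "C:\Users\Gabrielius\AppData\Roaming\Microsoft\WinUpdate\start.bat" -> Quarantined and deleted successfully.

Files Detected: 3
C:\Users\Gabrielius\AppData\Roaming\Microsoft\WinUpdate\svchost.exe (Trojan.BitCoinMiner) -> Quarantined and deleted successfully.
C:\Users\Gabrielius\Downloads\Unlocker1.9.2.exe (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.
C:\Users\Gabrielius\AppData\Roaming\Microsoft\WinUpdate\nircmd.exe (Backdoor.Bot) -> No action taken.
"""

# Assumed list of System32/SysWOW64 binaries; the same names under a user profile
# (svchost.exe and dwm.exe in the log above) are masquerades, not Windows components.
SYSTEM_BINARY_NAMES = {"svchost", "dwm", "explorer", "lsass", "csrss", "winlogon"}
USER_WRITABLE = re.compile(r"\\(AppData|Local Settings|Temp|Downloads)\\", re.I)
SYSTEM_DIR = re.compile(r"\\Windows\\(System32|SysWOW64)\\", re.I)
SECTION = re.compile(r"^(?P<kind>[\w ]+) Detected: \d+$")
DETECTION = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")

@dataclass
class Detection:
    kind: str                   # log section, e.g. "Registry Values" or "Files"
    item: str                   # registry key|value name, or file path
    family: str                 # MBAM detection name, e.g. Backdoor.Bot
    action: str                 # what MBAM did ("No action taken" = report only)
    data: Optional[str] = None  # registry value data, when the line carries it

def parse_mbam_log(text: str) -> List[Detection]:
    """Return one Detection per item line, tagged with the section it sits in."""
    records, kind = [], "Unknown"
    for line in text.splitlines():
        line = line.strip()
        sec = SECTION.match(line)
        if sec:
            kind = sec.group("kind")
            continue
        det = DETECTION.match(line)
        if not det:
            continue  # scan headers, "(No malicious items detected)", blank lines
        rest, data = det.group("rest"), None
        if rest.startswith("Data: "):
            # "Data: <value data> -> <action>": the action is the last arrow part
            data, rest = rest[len("Data: "):].rsplit(" -> ", 1)
        records.append(Detection(kind, det.group("item"), det.group("family"),
                                 rest.rstrip("."), data))
    return records

def unremediated(records: List[Detection]) -> List[Detection]:
    """Items only reported, as in the thread's first log (every line 'No action taken')."""
    return [r for r in records if r.action == "No action taken"]

def persistence_findings(records: List[Detection]) -> List[str]:
    """Flag Run-key autostarts and system-binary names outside the system directory."""
    findings = []
    for r in records:
        if r.kind == "Registry Values" and "|" in r.item:
            key, value_name = r.item.rsplit("|", 1)
            if key.lower().endswith("\\run"):
                findings.append(f"autostart: {value_name} under {key}")
                if r.data and USER_WRITABLE.search(r.data):
                    findings.append(f"autostart launcher in user-writable path: {value_name}")
            continue
        name = r.item.rsplit("\\", 1)[-1].lower()
        stem = name[:-4] if name.endswith(".exe") else name
        if stem in SYSTEM_BINARY_NAMES and not SYSTEM_DIR.search(r.item):
            findings.append(f"system-binary name outside system dir: {r.item}")
    return findings

if __name__ == "__main__":
    recs = parse_mbam_log(SAMPLE_LOG)
    print(f"{len(recs)} detections, {len(unremediated(recs))} left unremediated")
    print(*persistence_findings(recs), sep="\n")
```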
Drakath Posted August 8, 2013 Author ID:712563

Sorry, something went wrong. Here are the JRT and AdwCleaner logs:
Drakath Posted August 8, 2013 Author ID:712565

Sorry, something went wrong. Here are the JRT and AdwCleaner logs:

Strange, the logs don't show up.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 5.3.8 (08.07.2013:4)
OS: Windows 8 Enterprise x64
Ran by Gabrielius on Thu 08/08/2013 at 20:27:07.89
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

Suspicious HKCU\..\Run entries found. Trojan:JS/Medfos.B?

Value Name Type Value Data
========================================================================================
tsiVideo REG_SZ C:\Windows\SysWOW64\rundll32.exe C:\Users\GABRIE~1\AppData\Local\Temp\\tsiVi132.dll,start

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{DF84E609-C3A4-49CB-A160-61767DAF8899}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Failed to delete: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{FB684D26-01F4-4D9D-87CB-F486BEBA56DC}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{0AFD55C8-ADF8-4A33-A6E1-DEDB7A36AEB4}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{DF84E609-C3A4-49CB-A160-61767DAF8899}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{FB684D26-01F4-4D9D-87CB-F486BEBA56DC}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\1clickdownload
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\babsolution
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\bi
Failed to delete: [Registry Key] HKEY_CURRENT_USER\Software\datamngr
Failed to delete: [Registry Key] HKEY_CURRENT_USER\Software\datamngr_toolbar
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\installcore
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\softonic
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\trolltech
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\competeinc
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\freecause
Successfully deleted: [Registry Key] "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1609100127-955032454-4246939457-1001\Software\SweetIM"
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\babylon
Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\datamngr
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\prod.cap
Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\datamngr
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{A4FB83DB-39D0-42C3-AF08-18BA28F624CC}

~~~ Files

~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\babylon"
Successfully deleted: [Folder] "C:\ProgramData\tarma installer"
Successfully deleted: [Folder] "C:\Users\Gabrielius\AppData\Roaming\babylon"
Successfully deleted: [Folder] "C:\Program Files (x86)\adventurequest worlds toolbar"
Successfully deleted: [Folder] "C:\Program Files (x86)\mypc backup"
Successfully deleted: [Folder] "C:\Program Files (x86)\oapps"
Successfully deleted: [Folder] "C:\Program Files (x86)\Common Files\freecause"

~~~ FireFox

Successfully deleted: [File] C:\Users\Gabrielius\AppData\Roaming\mozilla\firefox\profiles\rijiyuj7.default\user.js
Successfully deleted: [File] C:\Users\Gabrielius\AppData\Roaming\mozilla\firefox\profiles\rijiyuj7.default\invalidprefs.js
Successfully deleted: [File] C:\Users\Gabrielius\AppData\Roaming\mozilla\firefox\profiles\rijiyuj7.default\searchplugins\babylon.xml
Successfully deleted: [File] C:\Users\Gabrielius\AppData\Roaming\mozilla\firefox\profiles\rijiyuj7.default\searchplugins\delta.xml
Successfully deleted: [Folder] C:\Users\Gabrielius\AppData\Roaming\mozilla\firefox\profiles\rijiyuj7.default\fctb

Successfully deleted the following from C:\Users\Gabrielius\AppData\Roaming\mozilla\firefox\profiles\rijiyuj7.default\prefs.js

user_pref("extensions.delta.admin", false);
user_pref("extensions.delta.aflt", "babsst");
user_pref("extensions.delta.appId", "{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}");
user_pref("extensions.delta.autoRvrt", "false");
user_pref("extensions.delta.dfltLng", "en");
user_pref("extensions.delta.excTlbr", false);
user_pref("extensions.delta.ffxUnstlRst", true);
user_pref("extensions.delta.id", "102573bb00000000000094de802b2c74");
user_pref("extensions.delta.instlDay", "15866");
user_pref("extensions.delta.instlRef", "sst");
user_pref("extensions.delta.newTab", false);
user_pref("extensions.delta.prdct", "delta");
user_pref("extensions.delta.prtnrId", "delta");
user_pref("extensions.delta.rvrt", "false");
user_pref("extensions.delta.smplGrp", "none");
user_pref("extensions.delta.tlbrId", "base");
user_pref("extensions.delta.tlbrSrchUrl", "");
user_pref("extensions.delta.vrsn", "1.8.21.5");
user_pref("extensions.delta.vrsnTs", "1.8.21.519:02:58");
user_pref("extensions.delta.vrsni", "1.8.21.5");
user_pref("extensions.delta_i.babExt", "");
user_pref("extensions.delta_i.babTrack", "affID=44444");
user_pref("extensions.delta_i.srcExt", "ss");
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.2797317.KeywordHistory", "my%2520ip%7C");
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.AutoSearchEventData", "auto%20search");
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.ClearCacheDate", 7);
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.DisplayEULA", false);
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.DnsCatchEventData", "dns%20catch");
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.EnableDCA", true);
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.FirstLaunchShown", true);
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.LoadLayoutDate.59925", 7);
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.NewTabSearchEventData", "tab%20search");
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.ShowRecommendedOptions", false);
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.StateReportDate", "1375867824291");
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.TopRightSearchEventData", "top%20right%20search");
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.Uninstall", false);
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.beforeInstallSaved", true);
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.beforeinstall.homepage", "chrome%3A//branding/locale/browserconfig.properties");
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.beforeinstall.search", "Google");
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.comp.search.2797317.width", "263");
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.customNewTab", true);
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.dca.dca.CaptureType", 2);
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.dca.dca.clickSendingDisabled", true);
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.dca.dca.clickSendingStats.20130806.connection_error", 0);
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.dca.dca.clickSendingStats.20130806.invalid_cert", 0);
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.dca.dca.clickSendingStats.20130806.server_error", 0);
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.dca.dca.clickSendingStats.20130806.success", 0);
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.dca.dca.clickSendingStats.20130807.connection_error", 0);
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.dca.dca.clickSendingStats.20130807.invalid_cert", 0);
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.dca.dca.clickSendingStats.20130807.server_error", 0);
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.dca.dca.clickSendingStats.20130807.success", 0);
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.dca.dca.dcaConfigInterval", "2880");
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.dca.dca.enableVoicebox", true);
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.dca.dca.epochTimeInterval", "1440");
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.dca.dca.eulaVersion", 20110301);
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.dca.dca.lastDcaConfigTime", "1375907297798");
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.dca.dca.lastDcaStatus", 1);
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.dca.dca.lastEpochTime", "1375907297140");
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.dca.dca.lastEventSendAttemptDate", "20130807");
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.dca.dca.lastPingTime", "1375811248678");
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.dca.dca.panelID", "FCZ3AGLfox");
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.dca.dca.pingInterval", "1440");
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.dca.dca.privacyFailures", 0);
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.dca.dca.probationLength", 0);
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.dca.dca.userID", "FCZ3AGL84219440");
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.dca.dca.version", "1.7.0.9411");
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.dca.installDate", "07122013");
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.dca.version", "1.300.434");
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.helpUsImprove", true);
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.hideOthers", false);
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.processAddrBar", true);
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.restoreSearch", false);
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.searchHistory", true);
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.session", "64160F31B854C3F923CCFB483E25060DE13EB84992691F44CB25432DFABE2BF3EFABDABF22ADF8A4F87C8518AF233F30291D219203CEF3D
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.showFirstLaunchOptions", false);
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.tb_lang", "en");
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.tool_id", "59925");
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.user_id", "84219440");
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.user_key", "f204b3a7600585c892968f91c5b8aff256f1e4a6");
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.user_layouts", "59925");
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.user_lnames", "AdventureQuest%20Worlds%20Toolbar");
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.xml_service_url", "64e3a27980eeceb34248bc3e680b4e63");
user_pref("freecause88c4479d35154ca3a80527b920c3bf6d.yahooSearch", true);

Emptied folder: C:\Users\Gabrielius\AppData\Roaming\mozilla\firefox\profiles\rijiyuj7.default\minidumps [2 files]

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 08/08/2013 at 20:29:09.28
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# AdwCleaner v2.306 - Logfile created 08/08/2013 at 21:15:53
# Updated 19/07/2013 by Xplode
# Operating system : Windows 8 Enterprise (64 bits)
# User : Gabrielius - GAMING-LAND
# Boot Mode : Normal
# Running from : C:\Users\Gabrielius\Downloads\AdwCleaner.exe
# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

Folder Deleted : C:\Users\Gabrielius\AppData\Local\Bundled software uninstaller

***** [Registry] *****

Key Deleted : HKCU\Software\CompeteInc
Key Deleted : HKCU\Software\DataMngr
Key Deleted : HKCU\Software\DataMngr_Toolbar
Key Deleted : HKLM\Software\DataMngr
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\WebCakeDesktop_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\WebCakeDesktop_RASMANCS
Key Deleted : HKLM\SOFTWARE\Wow6432Node\5a6dcdcb33fbe13
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\bi_uninstaller
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Tarma Installer

***** [internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16537

[OK] Registry is clean.

-\\ Mozilla Firefox v22.0 (en-US)

File : C:\Users\Gabrielius\AppData\Roaming\Mozilla\Firefox\Profiles\rijiyuj7.default\prefs.js

Deleted : user_pref("browser.search.defaultenginename", "Search the Web");
Deleted : user_pref("browser.search.selectedEngine", "Search the Web");

-\\ Google Chrome v28.0.1500.95

File : C:\Users\Gabrielius\AppData\Local\Google\Chrome\User Data\Default\Preferences

*************************

AdwCleaner[s1].txt - [1920 octets] - [08/08/2013 21:15:53]

########## EOF - C:\AdwCleaner[s1].txt - [1980 octets] ##########
Maniac Posted August 9, 2013 ID:712831

BACKDOOR WARNING

One or more of the identified infections is known to use a backdoor. This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS.

Please read these for more information:
Help: I Got Hacked. Now What Do I Do?
Help: I Got Hacked. Now What Do I Do? Part II
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please let me know.
Drakath Posted August 9, 2013 Author ID:712851

I think it will be best if I reinstall my OS. But is it safe to do banking after I reinstall it?
Maniac Posted August 9, 2013 ID:712852

Yes, it will be safe after all.

Some future malware preventions: users.telenet.be/bluepatchy/miekiemoes/prevention.html

Safe surfing!
AdvancedSetup (Root Admin) Posted August 12, 2013 ID:714228

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!