PUP removal

[Nihilicide]

Hello,

 

Recently took over a computer that hibernated for a couple of months because of viruses.  Used MBAM a couple of times to remove viruses, however, some PUP's still remain.

 

After removing them, they still return when I scan again.

 

Looking for advice and help, thanks!

[Psychotic]

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

• First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
• Perform everything in the correct order. Sometimes one step requires the previous one.
• If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
• Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
• Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
• If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
• Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
• My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 
 
 
You told us that you removed several items with Malwarebytes´ Antimalware. This tool creates a log on every run and we need to see them.

• The logs can be found here:
  C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
• Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
• Zip any and all of these logs and attach the file to your next reply.
  

 

 

 

Scan with DDS

Download DDS and save it to your desktop from here or here or
here.

Disable any script blocker, and then double click dds.scr to run the tool.

When done, DDS will open two (2) logs

DDS.txt: save to your desktop then post its contents in your topic
Attach.txt: save to your desktop then attach it to your next reply

 

 

 

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

• Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
• If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
• In the right panel, you will see several boxes that have been checked. Uncheck the following ...
  
  • Sections
  • IAT/EAT
  • Show All ( should be unchecked by default )
    

  [*]Leave everything else as it is. [*]Close all other running programs as well as your Browser. [*]Click the Scan button & wait for it to finish. [*]Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post. [*]Save it where you can easily find it, such as your desktop. [*]Please post the content of the ark.txt here.
  

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

[Nihilicide]

Hello Marius.  Thanks for all your help.

 

DDS (Ver_2012-11-05.02) - NTFS_AMD64 

Internet Explorer: 8.0.7600.16912  BrowserJavaVersion: 10.25.2

Run by Luu desktop at 23:38:38 on 2013-09-03

Microsoft Windows 7 Ultimate   6.1.7600.0.1252.1.1033.18.2039.503 [GMT -7:00]

.

AV: Microsoft Security Essentials *Enabled/Outdated* {108DAC43-C256-20B7-BB05-914135DA5160}

SP: Microsoft Security Essentials *Enabled/Outdated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\ProgramData\eSafe\eGdpSvc.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskhost.exe

C:\Windows\system32\taskeng.exe

C:\Program Files (x86)\Uniblue\SpeedUpMyPC\spmonitor.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe

C:\Windows\system32\igfxsrvc.exe

C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe

C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe

C:\Program Files (x86)\NETGEAR\WG111v3\WG111v3.exe

C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe

C:\Program Files (x86)\CyberLink\Shared files\brs.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Users\Luu desktop\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe

C:\Program Files (x86)\Common Files\Nuance\dgnsvc.exe

C:\Windows\system32\svchost.exe -k HsfXAudioService

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\MyPC Backup\MyPC Backup.exe

C:\Program Files (x86)\IObit\Game Booster 3\gbtray.exe

C:\Riot Games\League of Legends\RADS\system\rads_user_kernel.exe

C:\Riot Games\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.182\deploy\LoLLauncher.exe

C:\Riot Games\League of Legends\RADS\projects\lol_air_client\releases\0.0.1.41\deploy\LolClient.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Windows\system32\taskmgr.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

uURLSearchHooks: SweetPacks Toolbar: {7e8a1050-cf67-4575-92df-dcc60e7d952d} - C:\Program Files (x86)\SweetPacks\prxtbSwee.dll

mURLSearchHooks: Vafmusic8 Toolbar: {2088f46c-e352-46dd-9434-bb81014359db} - C:\Program Files (x86)\Vafmusic8\prxtbVafm.dll

mURLSearchHooks: SweetPacks Toolbar: {7e8a1050-cf67-4575-92df-dcc60e7d952d} - C:\Program Files (x86)\SweetPacks\prxtbSwee.dll

mWinlogon: Userinit = userinit.exe,

BHO: Feven 1.7: {11111111-1111-1111-1111-110411051194} - C:\Program Files (x86)\Feven 1.7\Feven 1.7-bho.dll

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Vafmusic8 Toolbar: {2088f46c-e352-46dd-9434-bb81014359db} - C:\Program Files (x86)\Vafmusic8\prxtbVafm.dll

BHO: DownloadTerms: {2C4BA31C-0C15-11E2-90C7-9BFCBEB168B3} - C:\Users\Luu desktop\AppData\Local\DownloadTerms\temp.dat

BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll

BHO: SweetPacks Toolbar: {7e8a1050-cf67-4575-92df-dcc60e7d952d} - C:\Program Files (x86)\SweetPacks\prxtbSwee.dll

BHO: DefaultTab Browser Helper: {7F6AFBF1-E065-4627-A2FD-810366367D01} - C:\Users\Luu desktop\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabBHO.dll

BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

BHO: Lyrics-Monkey: {b1fa6175-f91e-45e9-8938-99c7d001f9ae} - C:\Program Files (x86)\Lyrics_Monkey\132.dll

BHO: Define: {B78F92C8-DEB3-11E2-9A0A-FB64281D6ADE} - C:\Users\Luu desktop\AppData\Local\DefineExt\temp.dat

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll

BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

TB: Vafmusic8 Toolbar: {2088f46c-e352-46dd-9434-bb81014359db} - C:\Program Files (x86)\Vafmusic8\prxtbVafm.dll

TB: SweetPacks Toolbar: {7e8a1050-cf67-4575-92df-dcc60e7d952d} - C:\Program Files (x86)\SweetPacks\prxtbSwee.dll

uRun: [iSUSPM] C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe -scheduler

uRun: [Optimizer Pro] C:\Program Files (x86)\Optimizer Pro\OptProLauncher.exe

uRun: [steelSeries Engine] C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe

mRun: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"

mRun: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"

mRun: [bDRegion] C:\Program Files (x86)\Cyberlink\Shared files\brs.exe

mRun: [DNS7reminder] "C:\Program Files (x86)\Nuance\NaturallySpeaking11\Ereg\Ereg.exe" -r "C:\ProgramData\Nuance\NaturallySpeaking11\Ereg.ini

mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"

mRun: [rSkVSbFvavfCaY.exe] C:\ProgramData\rSkVSbFvavfCaY.exe

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

dRun: [dplaysvr] C:\Windows\System32\config\systemprofile\AppData\Local\dplaysvr.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\NETGEA~1.LNK - C:\Program Files (x86)\NETGEAR\WG111v3\WG111v3.exe

uPolicies-Explorer: HideSCAHealth = dword:1

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

mPolicies-Explorer: NoActiveDesktop = dword:1

mPolicies-Explorer: NoActiveDesktopChanges = dword:1

mPolicies-System: ConsentPromptBehaviorAdmin = dword:0

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableLUA = dword:0

mPolicies-System: EnableUIADesktopToggle = dword:0

mPolicies-System: PromptOnSecureDesktop = dword:0

mPolicies-System: DisableTaskMgr = dword:1

IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

LSP: mswsock.dll

TCP: NameServer = 192.168.1.254

TCP: Interfaces\{906B6449-77E7-4052-866F-E1B3D8799B87} : DHCPNameServer = 192.168.1.254

TCP: Interfaces\{AE1B9603-8EB1-4CE9-AFBA-5BDBEEBD6C33} : DHCPNameServer = 192.168.1.254

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll

SSODL: WebCheck - <orphaned>

SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll

mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\29.0.1547.66\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome

x64-BHO: Feven 1.7: {11111111-1111-1111-1111-110411051194} - C:\Program Files (x86)\Feven 1.7\Feven 1.7-bho64.dll

x64-Run: [igfxTray] C:\Windows\System32\igfxtray.exe

x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe

x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe

x64-Run: [intelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"

x64-Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - <orphaned>

x64-Notify: igfxcui - igfxdev.dll

x64-SSODL: WebCheck - <orphaned>

Hosts: 149.5.18.172 www.google-analytics.com.

Hosts: 149.5.18.172 ad-emea.doubleclick.net.

Hosts: 149.5.18.172 www.statcounter.com.

Hosts: 108.163.215.51 www.google-analytics.com.

Hosts: 108.163.215.51 ad-emea.doubleclick.net.

.

Note: multiple HOSTS entries found. Please refer to Attach.txt

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Luu desktop\AppData\Roaming\Mozilla\Firefox\Profiles\i95hv30c.default\

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll

FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npijjiFFPlugin1.dll

FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll

FF - plugin: C:\Users\Luu desktop\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll

FF - plugin: C:\Users\Luu desktop\AppData\Roaming\Mozilla\Firefox\Profiles\i95hv30c.default\extensions\{2088f46c-e352-46dd-9434-bb81014359db}\plugins\np-mswmp.dll

FF - plugin: C:\Users\Luu desktop\AppData\Roaming\Mozilla\Firefox\Profiles\i95hv30c.default\extensions\{2088f46c-e352-46dd-9434-bb81014359db}\plugins\npConduitFirefoxPlugin.dll

FF - plugin: C:\Users\Luu desktop\AppData\Roaming\Mozilla\Firefox\Profiles\i95hv30c.default\extensions\{7e8a1050-cf67-4575-92df-dcc60e7d952d}\plugins\np-mswmp.dll

FF - plugin: C:\Users\Luu desktop\AppData\Roaming\Mozilla\Firefox\Profiles\i95hv30c.default\extensions\{7e8a1050-cf67-4575-92df-dcc60e7d952d}\plugins\npConduitFirefoxPlugin.dll

FF - plugin: C:\Windows\System32\npDeployJava1.dll

FF - plugin: C:\Windows\System32\npmproxy.dll

FF - plugin: C:\Windows\System32\npOGPPlugin.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll

FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll

FF - plugin: C:\Windows\SysWOW64\npmproxy.dll

FF - plugin: C:\Windows\SysWOW64\npOGPPlugin.dll

FF - ExtSQL: 2013-09-01 13:18; addon@defaulttab.com; C:\Users\Luu desktop\AppData\Roaming\Mozilla\Firefox\Profiles\i95hv30c.default\extensions\addon@defaulttab.com.xpi

FF - ExtSQL: 2013-09-01 13:19; {2088f46c-e352-46dd-9434-bb81014359db}; C:\Users\Luu desktop\AppData\Roaming\Mozilla\Firefox\Profiles\i95hv30c.default\extensions\{2088f46c-e352-46dd-9434-bb81014359db}

FF - ExtSQL: 2013-09-01 13:50; {e63493be-743b-43fe-a188-3a389b64a18f}; C:\Program Files (x86)\Lyrics_Monkey\132.xpi

FF - ExtSQL: 2013-09-01 14:43; eoppnrqmocgit@fmwplidnapyokntwh.net; C:\Users\Luu desktop\AppData\Roaming\Mozilla\Firefox\Profiles\i95hv30c.default\extensions\eoppnrqmocgit@fmwplidnapyokntwh.net

FF - ExtSQL: 2013-09-01 14:44; {7e8a1050-cf67-4575-92df-dcc60e7d952d}; C:\Users\Luu desktop\AppData\Roaming\Mozilla\Firefox\Profiles\i95hv30c.default\extensions\{7e8a1050-cf67-4575-92df-dcc60e7d952d}

FF - ExtSQL: 2013-09-01 14:53; 0efc9c38-1ec7-49ed-8915-53a48b6b7600@e7f17679-2a42-4659-83c5-7ba961fdf75a.com; C:\Users\Luu desktop\AppData\Roaming\Mozilla\Firefox\Profiles\i95hv30c.default\extensions\0efc9c38-1ec7-49ed-8915-53a48b6b7600@e7f17679-2a42-4659-83c5-7ba961fdf75a.com

FF - ExtSQL: 2013-09-02 08:55; vjmlcxrlmadvjmynn@sxsgajbkgr.org; C:\Users\Luu desktop\AppData\Roaming\Mozilla\Firefox\Profiles\i95hv30c.default\extensions\vjmlcxrlmadvjmynn@sxsgajbkgr.org

FF - ExtSQL: !HIDDEN! 2013-09-01 14:43; eoppnrqmocgit@fmwplidnapyokntwh.net; C:\Program Files (x86)\Mozilla Firefox\extensions\eoppnrqmocgit@fmwplidnapyokntwh.net

FF - ExtSQL: !HIDDEN! 2013-09-02 08:55; vjmlcxrlmadvjmynn@sxsgajbkgr.org; C:\Program Files (x86)\Mozilla Firefox\extensions\vjmlcxrlmadvjmynn@sxsgajbkgr.org

.

---- FIREFOX POLICIES ----

FF - user.js: extensions.autoDisableScopes - 0

FF - user.js: extensions.shownSelectionUI - true

.

============= SERVICES / DRIVERS ===============

.

R2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2011/02/05 19:43:44];C:\Program Files (x86)\CyberLink\PowerDVD10\NavFilter\000.fcl [2010-11-17 146928]

R2 DefaultTabUpdate;DefaultTabUpdate;C:\Users\Luu desktop\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe [2013-9-1 107520]

R2 DragonSvc;Dragon Service;C:\Program Files (x86)\Common Files\Nuance\dgnsvc.exe [2010-7-23 296808]

R2 HsfXAudioService;HsfXAudioService;C:\Windows\System32\svchost.exe -k HsfXAudioService [2009-7-13 27136]

R3 busenum;SteelBusSvc;C:\Windows\System32\drivers\SteelBus64.sys [2013-6-25 134656]

R3 CAXHWBS2;CAXHWBS2;C:\Windows\System32\drivers\CAXHWBS2.sys [2009-2-13 411136]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-3-2 187392]

R3 RTL8187B;NETGEAR WG111v3 Wireless-G USB Adapter Win7 Driver;C:\Windows\System32\drivers\wg111v3.sys [2011-3-20 446976]

R3 SAlphamHid;SteelHIDSvc;C:\Windows\System32\drivers\SAlpham64.sys [2013-6-25 38016]

S2 BackupStack;Computer Backup (MyPC Backup);C:\Program Files (x86)\MyPC Backup\BackupStack.exe [2013-7-1 32808]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S3 NMgamingmsFltr;USB Optical Mouse;C:\Windows\System32\drivers\NMgamingms.sys [2009-7-24 11264]

S3 VST64_DPV;VST64_DPV;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]

S3 VST64HWBS2;VST64HWBS2;C:\Windows\System32\drivers\VSTBS26.SYS [2009-7-13 411136]

.

=============== Created Last 30 ================

.

2013-09-04 06:15:47 -------- d-----w- C:\Windows\pss

2013-09-02 01:25:46 -------- d-----w- C:\Users\Luu desktop\AppData\Local\SteelSeries_ApS

2013-09-02 01:24:09 -------- d-----w- C:\Users\Luu desktop\AppData\Roaming\SteelSeries

2013-09-01 23:46:17 -------- d-----w- C:\ProgramData\SteelSeries

2013-09-01 23:41:19 -------- d-----w- C:\Program Files\SteelSeries

2013-09-01 21:57:35 -------- d-----w- C:\Program Files\Uninstaller

2013-09-01 21:55:21 -------- d-----w- C:\Program Files (x86)\MyPC Backup

2013-09-01 21:54:43 -------- d-----w- C:\Users\Luu desktop\AppData\Roaming\Uniblue

2013-09-01 21:54:43 -------- d-----w- C:\Program Files (x86)\Uniblue

2013-09-01 21:51:59 -------- d-----w- C:\Program Files (x86)\Feven 1.7

2013-09-01 21:49:37 867240 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll

2013-09-01 21:49:24 96168 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll

2013-09-01 21:44:40 -------- d-----w- C:\Program Files (x86)\SweetPacks

2013-09-01 21:43:51 -------- d-----w- C:\Windows\SysWow64\jmdp

2013-09-01 21:43:45 -------- d-sh--w- C:\Windows\SysWow64\AI_RecycleBin

2013-09-01 21:43:19 829264 ----a-w- C:\Windows\System32\msvcr100.dll

2013-09-01 21:43:19 -------- d-----w- C:\Windows\SysWow64\ARFC

2013-09-01 21:43:18 608080 ----a-w- C:\Windows\System32\msvcp100.dll

2013-09-01 21:43:18 33792 ----a-w- C:\Windows\System32\ImHttpComm.dll

2013-09-01 21:43:18 1648432 ----a-w- C:\Windows\System32\dmwu.exe

2013-09-01 21:43:13 -------- d-----w- C:\Users\Luu desktop\AppData\Local\DownloadTerms

2013-09-01 21:38:19 -------- d-----w- C:\Users\Luu desktop\AppData\Local\Adobe

2013-09-01 21:35:01 -------- d-----w- C:\TDSSKiller_Quarantine

2013-09-01 20:50:43 -------- d-----w- C:\Windows\SysWow64\WNLT

2013-09-01 20:50:30 -------- d-----w- C:\Program Files (x86)\Lyrics_Monkey

2013-09-01 20:43:54 -------- d-----w- C:\Users\Luu desktop\AppData\Roaming\Riot Games

2013-09-01 20:21:37 -------- d-----w- C:\Program Files (x86)\Optimizer Pro

2013-09-01 20:21:16 773712 ----a-w- C:\Windows\SysWow64\msvcr100.dll

2013-09-01 20:21:16 420944 ----a-w- C:\Windows\SysWow64\msvcp100.dll

2013-09-01 20:20:51 -------- d-----w- C:\ProgramData\eSafe

2013-09-01 20:20:48 -------- d-----w- C:\Users\Luu desktop\AppData\Roaming\Desk 365

2013-09-01 20:20:48 -------- d-----w- C:\Program Files (x86)\Desk 365

2013-09-01 20:20:04 -------- d-----w- C:\Program Files (x86)\Conduit

2013-09-01 20:19:46 -------- d-----w- C:\Users\Luu desktop\AppData\Local\Conduit

2013-09-01 20:19:46 -------- d-----w- C:\Program Files (x86)\Vafmusic8

2013-09-01 20:19:14 -------- d-----w- C:\0ec03a6cb3085762eb52886c55d098

2013-09-01 20:19:09 -------- d-----w- C:\Users\Luu desktop\AppData\Roaming\SearchProtect

2013-09-01 20:18:54 -------- d-----w- C:\Users\Luu desktop\AppData\Roaming\DefaultTab

2013-09-01 20:18:25 -------- d-----w- C:\Users\Luu desktop\AppData\Local\DefineExt

.

==================== Find3M  ====================

.

2013-09-01 21:48:55 789416 ----a-w- C:\Windows\SysWow64\deployJava1.dll

2013-06-25 14:00:36 38016 ----a-w- C:\Windows\System32\drivers\SAlpham64.sys

2013-06-25 14:00:16 134656 ----a-w- C:\Windows\System32\drivers\SteelBus64.sys

.

============= FINISH: 23:40:47.79 ===============

 

 

**

 

GMER 2.1.19163 - http://www.gmer.net

Rootkit scan 2013-09-03 23:48:05

Windows 6.1.7600  x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 ST3320820AS rev.3.CHL 298.09GB

Running: w0xj5tvz.exe; Driver: C:\Users\LUUDES~1\AppData\Local\Temp\kwdoakod.sys

 

 

---- Threads - GMER 2.1 ----

 

Thread  C:\Windows\System32\svchost.exe [880:2920]                                           000007feebde20c0

Thread  C:\Windows\System32\svchost.exe [880:2952]                                           000007feebde26a8

Thread  C:\Windows\System32\svchost.exe [880:2964]                                           000007feebde29dc

Thread  C:\Windows\System32\svchost.exe [880:1664]                                           000007feebde29dc

Thread  C:\Windows\System32\svchost.exe [880:3320]                                           000007feec1188f8

Thread  C:\Windows\system32\svchost.exe [908:1108]                                           000007fef9ca67dc

Thread  C:\Windows\system32\svchost.exe [908:1188]                                           000007fef9ae1a50

Thread  C:\Windows\system32\svchost.exe [908:2912]                                           000007fefc691a70

Thread  C:\Windows\system32\svchost.exe [908:3040]                                           000007feebbf506c

Thread  C:\Windows\system32\svchost.exe [908:3048]                                           000007feebcc1c20

Thread  C:\Windows\system32\svchost.exe [908:3044]                                           000007feebcc1c20

Thread  C:\Windows\system32\svchost.exe [908:2496]                                           000007feea674164

Thread  C:\Windows\system32\svchost.exe [908:404]                                            000007fef65e1ab0

Thread  C:\Windows\system32\svchost.exe [236:2916]                                           000007feebe00ea8

Thread  C:\Windows\system32\svchost.exe [236:2996]                                           000007feebdf9db0

Thread  C:\Windows\system32\svchost.exe [236:1980]                                           000007feebdfaa10

Thread  C:\Windows\system32\svchost.exe [236:1812]                                           000007feebe01c94

Thread  C:\Windows\system32\svchost.exe [236:1660]                                           000007fefad9bfc4

Thread  C:\Windows\system32\svchost.exe [400:1048]                                           000007fefa463260

Thread  C:\Windows\system32\svchost.exe [400:1056]                                           000007fefa463aac

Thread  C:\Windows\system32\svchost.exe [400:1060]                                           000007fefa463864

Thread  C:\Windows\system32\svchost.exe [400:1064]                                           000007fefa4646d0

Thread  C:\Windows\system32\svchost.exe [400:2596]                                           000007feecf1fdf0

Thread  C:\Windows\system32\svchost.exe [400:2744]                                           000007feed28f978

Thread  C:\Windows\system32\svchost.exe [400:3160]                                           000007fefa463980

Thread  C:\Program Files\Microsoft IntelliPoint\ipoint.exe [1840:3924]                       000007fef1dceb6c

Thread  C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe [2672:2748]    0000000054a38f75

Thread  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [3424:3432]  000007fef7d26c54

Thread  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [3424:3436]  000007fef7d21690

Thread  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [3424:3460]  000007fef7d21690

 

---- Registry - GMER 2.1 ----

 

Reg     HKLM\SYSTEM\CurrentControlSet\Control\Power\User\PowerSchemes@ActivePowerScheme      7417a010-5f17-408f-90c3-b9015237e83b

 

---- EOF - GMER 2.1 ----

 

 

**

 

 

 

mbam logs.zip

attach.txt

[Psychotic]

Add-/remove programms

Click on start-->control panel.

Vista/7: Open Programs and Features
XP: Open add/remove programs

Search for and remove the following programs

DefaultTab
Desk 365
Optimizer Pro v3.2
SweetPacks Toolbar
Vafmusic8 Toolbar
Feven 1.7

Close the window.

 

 

 

Combofix

Combofix should only be run when adviced by a team member!

Link


Important - Save the file to your desktop!

• Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
• Run Combofix.exe
  

When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing ""Illegal operation attempted on a registry key that has been marked for deletion" simply restart your computer to fix this.

[Nihilicide]

Deleted the files.

 

Combofix told me I have Microsoft Security Essentials running but I cannot find it anywhere on the computer.

[Psychotic]

Ignore that warning and proceed

[Maurice Naggar]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!