Trojan Fynloski.AA / keylogger?


rat

Hey!

On 6th September, my AV (NOD32) gave me the following message:
2013-09-06 16:49:41 Startup scanner file Operating memory » C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe a variant of Win32/Fynloski.AA trojan unable to clean

At first I thought it was a false positive, but over the days, it continued to give me this error.
Duly, I started researching and ended up using your wonderful Malwarebytes Anti-Malware. The following log was produced:

Malwarebytes Anti-Malware 1.75.0.1300

www.malwarebytes.org
 
Database version: v2013.09.11.08
 
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 10.0.9200.16686
Joey :: QWERTY [administrator]
 
2013-09-11 23:36:12
mbam-log-2013-09-11 (23-36-12).txt
 
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 229303
Time elapsed: 16 minute(s), 10 second(s)
 
Memory Processes Detected: 2
C:\Users\Joey\AppData\Roaming\Microsoft\Windows\appverif.exe (FakeMS) -> 2872 -> Delete on reboot.
C:\Users\Joey\AppData\Roaming\Microsoft\Windows\driverquery.exe (Trojan.Agent) -> 3240 -> Delete on reboot.
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 3
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68B81CCD-A80C-4060-8947-5AE69ED01199} (PUP.Optional.Iminent.A) -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E6B969FB-6D33-48d2-9061-8BBD4899EB08} (PUP.Optional.Iminent.A) -> No action taken.
HKCU\Software\DC3_FEXEC (Malware.Trace) -> Quarantined and deleted successfully.
 
Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|Standard Dynamic Printing Port Monitor (FakeMS) -> Data: C:\Users\Joey\AppData\Roaming\Microsoft\Windows\appverif.exe -> Quarantined and deleted successfully.
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 1
C:\Users\Joey\AppData\Roaming\dclogs (Stolen.Data) -> Quarantined and deleted successfully.
 
Files Detected: 9
C:\Users\Joey\AppData\Roaming\Microsoft\Windows\appverif.exe (FakeMS) -> Delete on reboot.
C:\Windows\KMSEmulator.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
C:\Users\Joey\AppData\Roaming\dclogs\2013-09-06-6.dc (Stolen.Data) -> Quarantined and deleted successfully.
C:\Users\Joey\AppData\Roaming\dclogs\2013-09-07-7.dc (Stolen.Data) -> Quarantined and deleted successfully.
C:\Users\Joey\AppData\Roaming\dclogs\2013-09-08-1.dc (Stolen.Data) -> Quarantined and deleted successfully.
C:\Users\Joey\AppData\Roaming\dclogs\2013-09-09-2.dc (Stolen.Data) -> Quarantined and deleted successfully.
C:\Users\Joey\AppData\Roaming\dclogs\2013-09-10-3.dc (Stolen.Data) -> Quarantined and deleted successfully.
C:\Users\Joey\AppData\Roaming\dclogs\2013-09-11-4.dc (Stolen.Data) -> Quarantined and deleted successfully.
C:\Users\Joey\AppData\Roaming\Microsoft\Windows\driverquery.exe (Trojan.Agent) -> Delete on reboot.
 
(end)

Looking at the files corresponding to the (Stolen.Data) entries, they were log files containing ALL of my keystrokes and activity on my computer since 6th September. The first entry of the log from "2013-09-06-6.dc" occurred 2 hours before NOD32 alerted me about Fynloski.AA for the first time. In other words, there's probably a connection there.

Here are the logs from DDS:

DDS.txt:

DDS (Ver_2012-11-20.01) - NTFS_x86 

Internet Explorer: 10.0.9200.16686  BrowserJavaVersion: 10.25.2
Run by Joey at 4:00:44 on 2013-09-12
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.46.1033.18.3327.1816 [GMT 2:00]
.
AV: ESET Smart Security 6.0 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET Smart Security 6.0 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: ESET Personal firewall *Enabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\UnsignedThemesSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\atieclxx.exe
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Program Files\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Windows\system32\FsUsbExService.Exe
C:\Windows\System32\rundll32.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Users\Joey\Local Settings\Apps\F.lux\flux.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
.
============== Pseudo HJT Report ===============
.
uProxyServer = 178.18.17.208:8080
BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - c:\program files\microsoft office\office15\OCHelper.dll
BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office15\URLREDIR.DLL
BHO: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - <orphaned>
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [F.lux] "c:\users\joey\local settings\apps\f.lux\flux.exe" /noshow
mRun: [Cm108Sound] RunDll32 cm108.cpl,CMICtrlWnd
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "c:\program files\amd avt\bin\kdbsync.exe" aml
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\aggior~1.lnk - c:\program files\eset\minodlogin\launcher.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:95
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office14\EXCEL.EXE/3000
IE: E&xportera till Microsoft Excel - c:\progra~1\micros~1\office15\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~1\office14\ONBttnIE.dll/105
IE: Ski&cka till OneNote - c:\progra~1\micros~1\office15\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office15\ONBttnIE.dll
IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - c:\program files\microsoft office\office15\OCHelper.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office15\ONBttnIELinkedNotes.dll
TCP: NameServer = 95.80.0.144 95.80.0.98 95.80.0.34
TCP: Interfaces\{6202A1C9-B91C-47FF-984B-FFF203AB1748} : DHCPNameServer = 95.80.0.144 95.80.0.98 95.80.0.34
Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office15\MSOXMLMF.DLL
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - c:\program files\microsoft office\office15\MSOSB.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\29.0.1547.66\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
Hosts: 161.58.195.155 tempdomainname.com
.
============= SERVICES / DRIVERS ===============
.
R0 epfwwfp;epfwwfp;c:\windows\system32\drivers\epfwwfp.sys [2013-2-20 47568]
R1 AsUpIO;AsUpIO;c:\windows\system32\drivers\AsUpIO.sys [2010-4-24 11448]
R1 eamonm;eamonm;c:\windows\system32\drivers\eamonm.sys [2013-2-20 171680]
R1 EpfwLWF;Epfw NDIS LightWeight Filter;c:\windows\system32\drivers\EpfwLWF.sys [2013-1-10 46056]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-11-16 217088]
R2 AMD FUEL Service;AMD FUEL Service;c:\program files\ati technologies\ati.ace\fuel\Fuel.Service.exe [2013-4-24 291840]
R2 AODDriver4.01;AODDriver4.01;c:\program files\ati technologies\ati.ace\fuel\i386\aoddriver2.sys [2012-3-5 45184]
R2 AsSysCtrlService;ASUS System Control Service;c:\program files\asus\assysctrlservice\1.00.02\AsSysCtrlService.exe [2010-4-24 90112]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2013-3-21 1341664]
R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2013-3-19 233472]
R2 PDFSFilter;PDFsFilter;c:\windows\system32\drivers\PDFsFilter.sys [2012-8-23 69016]
R2 UnsignedThemes;Unsigned Themes;c:\windows\UnsignedThemesSvc.exe [2009-7-13 21096]
R2 uxpatch;uxpatch;c:\windows\system32\drivers\uxpatch.sys [2009-7-13 25448]
R3 amdiox86;AMD IO Driver;c:\windows\system32\drivers\amdiox86.sys [2011-2-13 37944]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2012-5-14 86656]
R3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2012-2-19 242240]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2013-3-19 37344]
R3 hidusbf;USB Mouse Rate Adjuster Lower Filter by SweetLow;c:\windows\system32\drivers\hidusbf.sys [2011-4-12 5568]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2010-5-9 27632]
S2 AODDriver4.1;AODDriver4.1;c:\program files\ati technologies\ati.ace\fuel\i386\aoddriver2.sys [2012-3-5 45184]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AODDriver4.0;AODDriver4.0;c:\program files\ati technologies\ati.ace\fuel\i386\aoddriver2.sys [2012-3-5 45184]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 busenum;SteelBusSvc;c:\windows\system32\drivers\SteelBus.sys [2012-5-23 93440]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [2013-2-6 83864]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2013-4-24 12400]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-10-30 14848]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2013-9-7 27192]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [2010-4-29 86824]
S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\drivers\s1018mdfl.sys [2010-4-29 15016]
S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\drivers\s1018mdm.sys [2010-4-29 114728]
S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s1018mgmt.sys [2010-4-29 106208]
S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\drivers\s1018nd5.sys [2010-4-29 26024]
S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\drivers\s1018obex.sys [2010-4-29 104744]
S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\drivers\s1018unic.sys [2010-4-29 109864]
S3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [2013-2-6 181784]
S3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2012-7-11 1517056]
S3 WatAdminSvc;Aktiveringsteknologier för Windows-tjänst;c:\windows\system32\wat\WatAdminSvc.exe [2013-3-9 1343400]
S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2011-4-30 25704]
S3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [2011-4-30 25704]
S3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [2011-4-30 25704]
S3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [2011-4-30 25704]
S3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [2011-4-30 25704]
S4 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-2-28 161384]
SUnknown TsUsbFlt;TsUsbFlt; [x]
SUnknown tsusbhub;tsusbhub; [x]
.
=============== File Associations ===============
.
FileExt: .txt: Applications\NOTEPAD.EXE=c:\windows\system32\NOTEPAD.EXE %1 [userChoice]
FileExt: .ini: Applications\NOTEPAD.EXE=c:\windows\system32\NOTEPAD.EXE %1 [userChoice]
.
=============== Created Last 30 ================
.
2013-09-11 21:35:51 -------- d-----w- c:\users\joey\appdata\roaming\Malwarebytes
2013-09-11 21:34:56 -------- d-----w- c:\programdata\Malwarebytes
2013-09-11 21:34:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-09-11 21:34:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-09-11 12:39:35 7166848 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{435898e9-61e7-43c4-bcaf-a9642b9ec114}\mpengine.dll
2013-09-07 17:57:10 -------- d-----w- c:\users\joey\appdata\local\VS Revo Group
2013-09-07 17:57:07 -------- d-----w- c:\programdata\VS Revo Group
2013-09-07 17:57:06 27192 ----a-w- c:\windows\system32\drivers\revoflt.sys
2013-09-07 17:57:05 -------- d-----w- c:\program files\Revo Uninstaller Pro
2013-09-07 14:15:41 -------- d-----w- c:\program files\AMD AVT
2013-09-06 12:53:45 -------- d-----w- c:\programdata\Steam
2013-09-03 16:28:49 921 ----a-w- c:\windows\QSFVExit.bat
2013-08-31 18:43:53 -------- d-----w- c:\users\joey\appdata\roaming\PeerNetworking
2013-08-22 08:15:37 -------- d-----w- c:\users\joey\appdata\local\gtk-2.0
2013-08-20 08:26:16 497664 ----a-w- c:\windows\system32\ac3filter.acm.new
2013-08-20 08:26:05 -------- d-----w- c:\users\joey\appdata\roaming\Advanced
2013-08-20 08:25:44 -------- d-----w- c:\program files\Shark007
2013-08-20 08:10:24 -------- d-----w- c:\programdata\Advanced
2013-08-19 17:53:03 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-08-19 17:27:19 -------- d-----w- c:\program files\SoundWire Server
2013-08-19 11:19:40 -------- d-----w- c:\windows\system32\MRT
.
==================== Find3M  ====================
.
2013-09-10 21:40:06 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-10 21:40:06 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-08-19 17:52:50 867240 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-08-19 17:52:50 789416 ----a-w- c:\windows\system32\deployJava1.dll
2013-08-10 03:59:10 1767936 ----a-w- c:\windows\system32\wininet.dll
2013-08-10 03:58:09 2876928 ----a-w- c:\windows\system32\jscript9.dll
2013-08-10 03:58:06 61440 ----a-w- c:\windows\system32\iesetup.dll
2013-08-10 03:58:06 109056 ----a-w- c:\windows\system32\iesysprep.dll
2013-08-10 03:07:50 2706432 ----a-w- c:\windows\system32\mshtml.tlb
2013-08-10 02:17:19 71680 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2013-08-08 01:03:07 2348544 ----a-w- c:\windows\system32\win32k.sys
2013-08-05 09:00:00 1565184 ----a-w- c:\windows\system32\VSFilter.dll
2013-08-05 01:56:47 133056 ----a-w- c:\windows\system32\drivers\ataport.sys
2013-08-02 01:50:36 169984 ----a-w- c:\windows\system32\winsrv.dll
2013-08-02 01:49:19 293376 ----a-w- c:\windows\system32\KernelBase.dll
2013-08-02 00:52:57 271360 ----a-w- c:\windows\system32\conhost.exe
2013-08-02 00:43:05 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2013-08-02 00:43:05 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2013-08-02 00:43:05 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2013-08-02 00:43:05 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2013-07-25 08:57:27 1620992 ----a-w- c:\windows\system32\WMVDECOD.DLL
2013-07-19 01:41:01 2048 ----a-w- c:\windows\system32\tzres.dll
2013-07-09 05:03:34 3968960 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-07-09 05:03:34 3913664 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-07-09 04:53:46 1289096 ----a-w- c:\windows\system32\ntdll.dll
2013-07-09 04:52:10 175104 ----a-w- c:\windows\system32\wintrust.dll
2013-07-09 04:50:42 652800 ----a-w- c:\windows\system32\rpcrt4.dll
2013-07-09 04:46:31 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2013-07-09 04:46:31 1166848 ----a-w- c:\windows\system32\crypt32.dll
2013-07-09 04:46:31 103936 ----a-w- c:\windows\system32\cryptnet.dll
2013-07-06 05:05:35 1293760 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-06-15 03:38:43 31232 ----a-w- c:\windows\system32\drivers\tssecsrv.sys
2010-05-08 13:25:37 8921 ----a-w- c:\program files\dizzy.exe
.
============= FINISH:  4:00:54,82 ===============

Attach.txt:

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Ultimate 
Boot Device: \Device\HarddiskVolume1
Install Date: 2010-03-18 11:51:03
System Uptime: 2013-09-12 03:49:11 (1 hours ago)
.
Motherboard: ASUSTeK Computer INC. |  | M4A78-E
Processor: AMD Phenom II X4 940 Processor | AM2 | 3000/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 283 GiB total, 157,712 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {6bdd1fc1-810f-11d0-bec7-08002be2092f}
Description: VIA 1394 OHCI Compliant Host Controller
Device ID: PCI\VEN_1106&DEV_3403&SUBSYS_83841043&REV_00\4&32CBD392&0&0038
Manufacturer: VIA
Name: VIA 1394 OHCI Compliant Host Controller
PNP Device ID: PCI\VEN_1106&DEV_3403&SUBSYS_83841043&REV_00\4&32CBD392&0&0038
Service: 1394ohci
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: archlp
Device ID: ROOT\LEGACY_ARCHLP\0000
Manufacturer: 
Name: archlp
PNP Device ID: ROOT\LEGACY_ARCHLP\0000
Service: archlp
.
==== System Restore Points ===================
.
RP2379: 2013-09-11 14:36:39 - Windows Update
RP2380: 2013-09-11 19:33:17 - Windows Update
RP2381: 2013-09-11 23:02:26 - Windows Update
.
==== Installed Programs ======================
.
7-Zip 9.22beta
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader XI (11.0.03) - Svenska
AI Suite
AMD Accelerated Video Transcoding
AMD Catalyst Install Manager
AMD Drag and Drop Transcoding
AMD Fuel
AMD Media Foundation Decoders
AMD VISION Engine Control Center
Atheros Communications Inc.® AR8121/AR8113/AR8114 Gigabit/Fast Ethernet Driver
AviSynth 2.5
Call of Duty® 4 - Modern Warfare 1.6 Patch
Call of Duty® 4 - Modern Warfare 1.7 Patch
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
CCleaner
Compatibility Pack för Office 2007-systemet
Cool & Quiet
DAEMON Tools Lite
Definition Update for Microsoft Office 2013 (KB2760587) 32-Bit Edition
Dropbox
erLC
erLT
ESET Smart Security
F.lux
FLAC 1.2.1b (remove only)
Freemake Video Converter version 4.0.0
Google Chrome
Google Update Helper
ImgBurn
Java 7 Update 25
Java Auto Updater
LAME v3.99.3 (for Windows)
Malwarebytes Anti-Malware version 1.75.0.1300
Media Player Classic - Home Cinema 1.6.1.4235
Microsoft Access MUI (Swedish) 2013
Microsoft DCF MUI (Swedish) 2013
Microsoft Excel MUI (Swedish) 2013
Microsoft Groove MUI (Swedish) 2013
Microsoft InfoPath MUI (Swedish) 2013
Microsoft Lync MUI (Swedish) 2013
Microsoft Office Korrekturhilfen 2013 - Deutsch
Microsoft Office OSM MUI (Swedish) 2013
Microsoft Office OSM UX MUI (Swedish) 2013
Microsoft Office Professional Plus 2013
Microsoft Office Proofing (Swedish) 2013
Microsoft Office Proofing Tools 2013 - English
Microsoft Office Proofing Tools 2013 - Svenska
Microsoft Office Shared MUI (Swedish) 2013
Microsoft Officen tarkistustyökalut 2013 - suomi
Microsoft OneNote MUI (Swedish) 2013
Microsoft Outlook MUI (Swedish) 2013
Microsoft PowerPoint MUI (Swedish) 2013
Microsoft Publisher MUI (Swedish) 2013
Microsoft Word MUI (Swedish) 2013
MKVToolNix 6.2.0
MTP Porting Kit
MyFreeCodec
PerfectDisk 12.5 Professional
Revo Uninstaller Pro 3.0.7
Samsung Kies
SAMSUNG USB Driver for Mobile Phones
Security Update for Microsoft Excel 2013 (KB2768017) 32-Bit Edition
Security Update for Microsoft Office 2013 (KB2810009) 32-Bit Edition
Shark007 Advanced Codecs
Skype™ 6.3
SoundWire Server version 1.7.3
swMSM
Update for Microsoft Access 2013 (KB2752093) 32-Bit Edition
Update for Microsoft Lync 2013 (KB2817621) 32-Bit Edition
Update for Microsoft Office 2013 (KB2726954) 32-Bit Edition
Update for Microsoft Office 2013 (KB2726996) 32-Bit Edition
Update for Microsoft Office 2013 (KB2727096) 32-Bit Edition
Update for Microsoft Office 2013 (KB2760224) 32-Bit Edition
Update for Microsoft Office 2013 (KB2760267) 32-Bit Edition
Update for Microsoft Office 2013 (KB2760533) 32-Bit Edition
Update for Microsoft Office 2013 (KB2760538) 32-Bit Edition
Update for Microsoft Office 2013 (KB2760539) 32-Bit Edition
Update for Microsoft Office 2013 (KB2760553) 32-Bit Edition
Update for Microsoft Office 2013 (KB2760610) 32-Bit Edition
Update for Microsoft Office 2013 (KB2767845) 32-Bit Edition
Update for Microsoft Office 2013 (KB2767851) 32-Bit Edition
Update for Microsoft Office 2013 (KB2767860) 32-Bit Edition
Update for Microsoft Office 2013 (KB2768014) 32-Bit Edition
Update for Microsoft Office 2013 (KB2768016) 32-Bit Edition
Update for Microsoft Office 2013 (KB2817311) 32-Bit Edition
Update for Microsoft Office 2013 (KB2817489) 32-Bit Edition
Update for Microsoft Office 2013 (KB2817491) 32-Bit Edition
Update for Microsoft Office 2013 (KB2817493) 32-Bit Edition
Update for Microsoft Office 2013 (KB2817626) 32-Bit Edition
Update for Microsoft Office 2013 (KB2817632) 32-Bit Edition
Update for Microsoft OneNote 2013 (KB2768011) 32-Bit Edition
Update for Microsoft OneNote 2013 (KB2817467) 32-Bit Edition
Update for Microsoft Outlook 2013 (KB2817629) 32-Bit Edition
Update for Microsoft PowerPoint 2013 (KB2810006) 32-Bit Edition
Update for Microsoft SkyDrive Pro (KB2817622) 32-Bit Edition
Update for Microsoft Visio 2013 (KB2810008) 32-Bit Edition
Update for Microsoft Visio Viewer 2013 (KB2768338) 32-Bit Edition
Update for Microsoft Word 2013 (KB2767863) 32-Bit Edition
Update for Microsoft Word 2013 (KB2817308) 32-Bit Edition
Update for Microsoft Word 2013 (KB2817627) 32-Bit Edition
USB PnP Sound Device
UxStyle Core Beta
Visual C++ 9.0 CRT (x86) WinSXS MSM
Visual C++ 9.0 OpenMP (x86) WinSXS MSM
VLC media player 2.0.6
.
==== End Of File ===========================

Now, I've noticed I was unable to write letters with apostrophes (such as é and ó) after 6th September, something I've heard is associated with keyloggers.

I've already taken measures to change the passwords on the most important websites (banking, social media, e-mail etc.). Luckily I've been using a password manager, so most of the passwords seem to not have been compromised.

I'm unsure how I should proceed from here on, and whether my computer is actually 100% clean.

Thank you for the help!

Best regards,
Rat
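
The two log formats quoted in this post, read the way a responder would triage them. This is an added example and not code from the poster, Malwarebytes or ESET: it parses the Malwarebytes detection lines ("object (Category) -> action"), pulls out the items that still need a reboot to clear, the date range covered by the dclogs keystroke files, and the per-category counts, and it reads the DDS "mPolicies-System" lines to flag UAC settings left at 0. The sample input is copied from the logs above; the list of "weak if zero" UAC policies is this example's own choice, using the standard Windows meaning of those values.

```python
"""Triage helper for the Malwarebytes and DDS excerpts quoted in the post.

Added example, not code from the poster, Malwarebytes or ESET.
"""
import re
from collections import Counter

# Excerpts copied from the Malwarebytes Anti-Malware log quoted in the post.
MBAM_LOG = r"""
Memory Processes Detected: 2
C:\Users\Joey\AppData\Roaming\Microsoft\Windows\appverif.exe (FakeMS) -> 2872 -> Delete on reboot.
C:\Users\Joey\AppData\Roaming\Microsoft\Windows\driverquery.exe (Trojan.Agent) -> 3240 -> Delete on reboot.
Registry Keys Detected: 3
HKCU\Software\DC3_FEXEC (Malware.Trace) -> Quarantined and deleted successfully.
Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|Standard Dynamic Printing Port Monitor (FakeMS) -> Data: C:\Users\Joey\AppData\Roaming\Microsoft\Windows\appverif.exe -> Quarantined and deleted successfully.
Folders Detected: 1
C:\Users\Joey\AppData\Roaming\dclogs (Stolen.Data) -> Quarantined and deleted successfully.
Files Detected: 9
C:\Users\Joey\AppData\Roaming\Microsoft\Windows\appverif.exe (FakeMS) -> Delete on reboot.
C:\Windows\KMSEmulator.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
C:\Users\Joey\AppData\Roaming\dclogs\2013-09-06-6.dc (Stolen.Data) -> Quarantined and deleted successfully.
C:\Users\Joey\AppData\Roaming\dclogs\2013-09-11-4.dc (Stolen.Data) -> Quarantined and deleted successfully.
C:\Users\Joey\AppData\Roaming\Microsoft\Windows\driverquery.exe (Trojan.Agent) -> Delete on reboot.
"""

# Excerpt copied from the DDS "Pseudo HJT Report" quoted in the post.
DDS_POLICIES = """
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
"""

SECTION_RE = re.compile(r"^(?P<section>.+?) Detected: \d+$")
DETECTION_RE = re.compile(r"^(?P<obj>.+?) \((?P<cat>[\w.]+)\) -> (?P<rest>.+)$")
# dclogs files are named YYYY-MM-DD-<n>.dc, one per day of captured keystrokes.
DC_LOG_RE = re.compile(r"\\dclogs\\(?P<date>\d{4}-\d{2}-\d{2})-\d+\.dc$")
POLICY_RE = re.compile(r"^mPolicies-System: (?P<name>\w+) = dword:(?P<val>\w+)$")

# UAC policies that should never be 0 on a hardened host (this example's own list).
WEAK_IF_ZERO = {
    "EnableLUA": "UAC is switched off entirely",
    "ConsentPromptBehaviorAdmin": "administrators elevate without any prompt",
    "PromptOnSecureDesktop": "elevation prompts are not shown on the secure desktop",
}


def parse_mbam(text):
    """Return one dict per detection line: section, object, category, action."""
    detections, section = [], None
    for line in text.splitlines():
        line = line.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group("section")
            continue
        m = DETECTION_RE.match(line)
        if not m:
            continue  # banner, blank line or "(No malicious items detected)"
        # "<pid> -> <action>" and "Data: <value> -> <action>" both end with the action.
        action = m.group("rest").split(" -> ")[-1].rstrip(".")
        detections.append({"section": section, "object": m.group("obj"),
                           "category": m.group("cat"), "action": action})
    return detections


def pending_reboot(detections):
    """Objects MBAM could only schedule for deletion; the host is not clean
    until it has rebooted and a rescan confirms they are gone."""
    return sorted({d["object"] for d in detections
                   if d["action"].startswith("Delete on reboot")})


def keylog_window(detections):
    """(first, last) date found in the dclogs file names, or None."""
    dates = set()
    for d in detections:
        m = DC_LOG_RE.search(d["object"])
        if d["category"] == "Stolen.Data" and m:
            dates.add(m.group("date"))
    return (min(dates), max(dates)) if dates else None


def category_counts(detections):
    """How many detections fell into each MBAM category."""
    return Counter(d["category"] for d in detections)


def weak_uac_settings(dds_text):
    """{policy: why it matters} for every listed UAC policy DDS shows as 0."""
    findings = {}
    for line in dds_text.splitlines():
        m = POLICY_RE.match(line.strip())
        # A value of all zeros is 0 whether DDS prints hex or decimal.
        if m and m.group("name") in WEAK_IF_ZERO and re.fullmatch(r"0+", m.group("val")):
            findings[m.group("name")] = WEAK_IF_ZERO[m.group("name")]
    return findings


def triage(mbam_text, dds_text):
    """One summary dict a responder can read before deciding on next steps."""
    dets = parse_mbam(mbam_text)
    return {"detections": len(dets),
            "by_category": dict(category_counts(dets)),
            "keylog_window": keylog_window(dets),
            "pending_reboot": pending_reboot(dets),
            "weak_uac": weak_uac_settings(dds_text)}


if __name__ == "__main__":
    for key, value in triage(MBAM_LOG, DDS_POLICIES).items():
        print(f"{key}: {value}")
```

On the excerpt above the summary shows three Stolen.Data hits spanning 2013-09-06 to 2013-09-11, two executables under AppData\Roaming\Microsoft\Windows still waiting on a reboot, and three UAC policies at 0, which is why a rescan after reboot (and, as the poster eventually did, a rebuild) is the prudent reading of such a log.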

Hello Rat and welcome! My name is Borislav and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  • Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.
There is no such guarantee in this case.

Note: Please do not run this tool without special supervision and instructions of someone authorized to do so. Otherwise, you could end up with serious problems. For more details, read this article: ComboFix usage, Questions, Help? - Look here

Please visit this webpage and read the ComboFix User's Guide:

  • Once you've read the article and are ready to use the program you can download it directly from the link below.
  • Important! - Please make sure you save combofix to your desktop and do not run it from your browser
  • Direct download link for: ComboFix.exe
  • Please make sure you disable your security applications before running ComboFix.
  • Once Combofix has completed it will produce and open a log file. Please be patient as it can take some time to load.
  • Please copy/paste the contents or attach that log file to your next reply.
  • If needed the file can be located here: C:\combofix.txt
  • NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

Hey Borislav,

 

Thanks for your help. I just completed a full format and re-installation of Windows 7 today. Also installed ESET Smart Security, and about to buy your Malwarebytes Anti-Malware as well. Do you think I should still go on with the procedure you suggested?


Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.