Possibly Infected, Pro User

[uncleseano]

Heya, was shipped over here from

 

https://forums.malwarebytes.org/index.php?showtopic=136435

 

Has all the required lods in that topic so ave a luck see and gimmie some advice!

 

Only things that changed since that topic was utorrent being removed.

 

HUZZAH

 

 

[Psychotic]

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

• First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
• Perform everything in the correct order. Sometimes one step requires the previous one.
• If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
• Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
• Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
• If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
• Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
• My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 
 
 
 
Scan with DDS

Download DDS and save it to your desktop from here or here or
here.

Disable any script blocker, and then double click dds.scr to run the tool.

When done, DDS will open two (2) logs

DDS.txt: save to your desktop then post its contents in your topic
Attach.txt: save to your desktop then attach it to your next reply
 
 
 
Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

• Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
• If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
• In the right panel, you will see several boxes that have been checked. Uncheck the following ...
  
  • Sections
  • IAT/EAT
  • Show All ( should be unchecked by default )
    

  [*]Leave everything else as it is. [*]Close all other running programs as well as your Browser. [*]Click the Scan button & wait for it to finish. [*]Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post. [*]Save it where you can easily find it, such as your desktop. [*]Please post the content of the ark.txt here.
  

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

[uncleseano]

Oki Doki, lets get this ball rolling, here goes...

 

DDS Log:

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 7.0.6002.18005  BrowserJavaVersion: 10.45.2
Run by Sean at 8:53:17 on 2013-11-15
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.353.1033.18.8173.5596 [GMT 0:00]
.
AV: COMODO Antivirus *Enabled/Updated* {458BB331-2324-0753-3D5F-1472EB102AC0}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: COMODO Defense+ *Enabled/Updated* {FEEA52D5-051E-08DD-07EF-2F009097607D}
FW: COMODO Firewall *Enabled* {7DB03214-694B-060B-1600-BD4715C36DBB}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe
C:\Program Files (x86)\RocketDock\RocketDock.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k bthaudiosvc
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\conime.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = www.bigsamo.com/start
mWinlogon: Userinit = userinit.exe
BHO: ContributeBHO Class: {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files (x86)\Adobe\Adobe Contribute CS5.1\Plugins\IEPlugin\contributeieplugin.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Contribute Toolbar: {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files (x86)\Adobe\Adobe Contribute CS5.1\Plugins\IEPlugin\contributeieplugin.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
uRun: [RocketDock] "C:\Program Files (x86)\RocketDock\RocketDock.exe"
uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
uRun: [AdobeBridge] <no file>
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com





TCP: NameServer = 89.101.160.4 89.101.160.5
TCP: Interfaces\{1874E3AA-4FAD-4F0E-86E6-3F8BD22F0660} : DHCPNameServer = 89.101.160.4 89.101.160.5
TCP: Interfaces\{F60008FA-2AED-40EA-8673-742CA53F3306} : DHCPNameServer = 89.101.160.4 89.101.160.5
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
AppInit_DLLs=    C:\Windows\SysWOW64\guard32.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
x64-BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
x64-Run: [Nvtmru] "C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe"
x64-mPolicies-Explorer: NoActiveDesktop = dword:1
x64-mPolicies-Explorer: NoActiveDesktopChanges = dword:1
x64-mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
x64-mPolicies-System: EnableUIADesktopToggle = dword:0
x64-Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Sean\AppData\Roaming\Mozilla\Firefox\Profiles\ydk51uj7.default\
FF - prefs.js: network.proxy.gopher -
FF - prefs.js: network.proxy.gopher_port - 0
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrlui.dll
FF - plugin: C:\Users\Sean\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_9_900_117.dll
.
============= SERVICES / DRIVERS ===============
.
R0 NBVol;Nero Backup Volume Filter Driver;C:\Windows\System32\drivers\NBVol.sys [2012-2-12 72240]
R0 NBVolUp;Nero Backup Volume Upper Filter Driver;C:\Windows\System32\drivers\NBVolUp.sys [2012-2-12 15920]
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2012-1-18 55280]
R1 cmderd;COMODO Internet Security Eradication Driver;C:\Windows\System32\drivers\cmderd.sys [2011-12-19 22736]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;C:\Windows\System32\drivers\cmdGuard.sys [2011-12-19 584056]
R1 cmdHlp;COMODO Internet Security Helper Driver;C:\Windows\System32\drivers\cmdhlp.sys [2011-12-19 45872]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\System32\drivers\dtsoftbus01.sys [2012-1-18 279616]
R1 NEOFLTR_710_19243;Juniper Networks TDI Filter Driver (NEOFLTR_710_19243);C:\Windows\System32\drivers\NEOFLTR_710_19243.SYS [2012-1-20 99152]
R2 BstHdDrv;BlueStacks Hypervisor;C:\Program Files (x86)\BlueStacks\HD-Hypervisor-amd64.sys [2013-9-19 70984]
R2 BstHdLogRotatorSvc;BlueStacks Log Rotator Service;C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe [2013-9-19 384840]
R2 FontCache;Windows Font Cache Service;C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 27648]
R2 HFGService;Handsfree Headset Service;C:\Windows\System32\svchost.exe -k bthaudiosvc [2008-1-21 27648]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-11-12 418376]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-11-12 701512]
R3 asmthub3;ASMedia USB3 Hub Service;C:\Windows\System32\drivers\asmthub3.sys [2011-2-24 126952]
R3 asmtxhci;ASMEDIA XHCI Service;C:\Windows\System32\drivers\asmtxhci.sys [2012-5-28 389608]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-11-12 25928]
R3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;C:\Windows\System32\drivers\MijXfilt.sys [2013-11-13 121416]
S2 BstHdAndroidSvc;BlueStacks Android Service;C:\Program Files (x86)\BlueStacks\HD-Service.exe [2013-9-19 393032]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 BthAudioHF;BthAudioHF Service;C:\Windows\System32\drivers\BthAudioHF.sys [2010-2-5 56728]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);C:\Windows\System32\drivers\ssudbus.sys [2013-2-6 102936]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-21 19968]
S3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);C:\Windows\System32\drivers\ssudmdm.sys [2013-2-6 203544]
S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2013-7-20 1022632]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2012-1-17 89920]
.
=============== File Associations ===============
.
FileExt: .js: jsfile="C:\Program Files (x86)\Adobe\Adobe Dreamweaver CS5.5\Dreamweaver.exe","%1"
ShellExec: dreamweaver.exe: Open="C:\Program Files (x86)\Adobe\Adobe Dreamweaver CS5.5\dreamweaver.exe", "%1"
.
=============== Created Last 30 ================
.
.
==================== Find3M  ====================
.
2013-11-13 07:24:32    82896128    ----a-w-    C:\Windows\System32\mrt.exe
2013-10-23 08:20:08    6669600    ----a-w-    C:\Windows\System32\nvcpl.dll
2013-10-23 08:20:07    3489568    ----a-w-    C:\Windows\System32\nvsvc64.dll
2013-10-23 08:20:05    922912    ----a-w-    C:\Windows\System32\nvvsvc.exe
2013-10-23 08:20:05    63776    ----a-w-    C:\Windows\System32\nvshext.dll
2013-10-23 08:20:05    219424    ----a-w-    C:\Windows\System32\nvmctray.dll
2013-10-20 08:38:41    119296    ----a-w-    C:\Windows\SysWow64\zlib.dll
2013-10-18 11:41:00    312744    ----a-w-    C:\Windows\System32\javaws.exe
2013-10-18 11:41:00    189352    ----a-w-    C:\Windows\System32\javaw.exe
2013-10-18 11:41:00    189352    ----a-w-    C:\Windows\System32\java.exe
2013-10-18 11:41:00    108968    ----a-w-    C:\Windows\System32\WindowsAccessBridge-64.dll
2013-10-16 00:48:05    1884448    ----a-w-    C:\Windows\System32\nvdispco6433158.dll
2013-10-16 00:48:05    1511712    ----a-w-    C:\Windows\System32\nvdispgenco6433158.dll
2013-10-15 21:47:36    2559776    ----a-w-    C:\Windows\System32\nvsvcr.dll
2013-10-12 14:36:29    1032192    ----a-w-    C:\Windows\System32\wininet.dll
2013-10-12 14:36:11    1430528    ----a-w-    C:\Windows\System32\urlmon.dll
2013-10-12 14:36:10    108544    ----a-w-    C:\Windows\System32\url.dll
2013-10-12 14:33:59    1129984    ----a-w-    C:\Windows\System32\mstime.dll
2013-10-12 14:33:47    763392    ----a-w-    C:\Windows\System32\mshtmled.dll
2013-10-12 14:33:47    5737984    ----a-w-    C:\Windows\System32\mshtml.dll
2013-10-12 14:33:46    623104    ----a-w-    C:\Windows\System32\msfeeds.dll
2013-10-12 14:33:14    32256    ----a-w-    C:\Windows\System32\jsproxy.dll
2013-10-12 14:33:00    224768    ----a-w-    C:\Windows\System32\ieui.dll
2013-10-12 14:32:59    7051776    ----a-w-    C:\Windows\System32\ieframe.dll
2013-10-12 14:32:59    377856    ----a-w-    C:\Windows\System32\iertutil.dll
2013-10-12 14:32:59    249856    ----a-w-    C:\Windows\System32\iepeers.dll
2013-10-12 14:32:57    422400    ----a-w-    C:\Windows\System32\ieapfltr.dll
2013-10-12 14:32:57    146944    ----a-w-    C:\Windows\apppatch\AppPatch64\iebrshim.dll
2013-10-12 14:31:59    33792    ----a-w-    C:\Windows\System32\corpol.dll
2013-10-12 13:02:00    485376    ----a-w-    C:\Windows\System32\html.iec
2013-10-12 12:23:36    1383424    ----a-w-    C:\Windows\System32\mshtml.tlb
2013-10-12 12:13:00    834048    ----a-w-    C:\Windows\SysWow64\wininet.dll
2013-10-12 10:52:18    389632    ----a-w-    C:\Windows\SysWow64\html.iec
2013-10-12 10:41:13    1383424    ----a-w-    C:\Windows\SysWow64\mshtml.tlb
2013-10-11 04:23:42    462848    ----a-w-    C:\Windows\System32\IKEEXT.DLL
2013-10-11 04:23:21    781824    ----a-w-    C:\Windows\System32\FWPUCLNT.DLL
2013-10-11 02:07:57    596480    ----a-w-    C:\Windows\SysWow64\FWPUCLNT.DLL
2013-10-10 12:37:11    71048    ----a-w-    C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-10-10 12:37:11    692616    ----a-w-    C:\Windows\SysWow64\FlashPlayerApp.exe
2013-10-08 06:50:37    96168    ----a-w-    C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-10-08 06:46:52    264616    ----a-w-    C:\Windows\SysWow64\javaws.exe
2013-10-08 06:46:47    175016    ----a-w-    C:\Windows\SysWow64\javaw.exe
2013-10-08 06:46:23    174504    ----a-w-    C:\Windows\SysWow64\java.exe
2013-10-03 15:03:41    389632    ----a-w-    C:\Windows\System32\gdi32.dll
2013-10-03 15:02:58    1278976    ----a-w-    C:\Windows\System32\crypt32.dll
2013-10-03 12:46:36    304128    ----a-w-    C:\Windows\SysWow64\gdi32.dll
2013-10-03 12:45:45    993792    ----a-w-    C:\Windows\SysWow64\crypt32.dll
2013-09-27 08:57:55    1884448    ----a-w-    C:\Windows\System32\nvdispco6433140.dll
2013-09-27 08:57:55    1511712    ----a-w-    C:\Windows\System32\nvdispgenco6433140.dll
2013-09-12 08:58:10    1884448    ----a-w-    C:\Windows\System32\nvdispco6432723.dll
2013-09-12 08:58:10    1511712    ----a-w-    C:\Windows\System32\nvdispgenco6432723.dll
2013-09-04 02:31:51    404992    ----a-w-    C:\Windows\System32\drivers\afd.sys
2013-08-29 07:48:37    2775552    ----a-w-    C:\Windows\System32\win32k.sys
2013-08-27 03:39:20    327680    ----a-w-    C:\Windows\System32\d3d10_1core.dll
2013-08-27 03:39:20    287232    ----a-w-    C:\Windows\System32\d3d10core.dll
2013-08-27 03:39:20    196096    ----a-w-    C:\Windows\System32\d3d10_1.dll
2013-08-27 03:39:20    1268224    ----a-w-    C:\Windows\System32\d3d10.dll
2013-08-27 02:47:50    219648    ----a-w-    C:\Windows\SysWow64\d3d10_1core.dll
2013-08-27 02:47:50    189952    ----a-w-    C:\Windows\SysWow64\d3d10core.dll
2013-08-27 02:47:50    160768    ----a-w-    C:\Windows\SysWow64\d3d10_1.dll
2013-08-27 02:47:50    1029120    ----a-w-    C:\Windows\SysWow64\d3d10.dll
2013-08-27 02:32:30    2002944    ----a-w-    C:\Windows\System32\d3d10warp.dll
2013-08-27 02:30:51    566272    ----a-w-    C:\Windows\System32\d3d10level9.dll
2013-08-27 02:06:03    834048    ----a-w-    C:\Windows\System32\d2d1.dll
2013-08-27 02:00:46    1556480    ----a-w-    C:\Windows\System32\DWrite.dll
2013-08-27 02:00:46    1149952    ----a-w-    C:\Windows\System32\FntCache.dll
2013-08-27 01:52:08    1172480    ----a-w-    C:\Windows\SysWow64\d3d10warp.dll
2013-08-27 01:50:40    486400    ----a-w-    C:\Windows\SysWow64\d3d10level9.dll
2013-08-27 01:32:20    683008    ----a-w-    C:\Windows\SysWow64\d2d1.dll
2013-08-27 01:28:36    1069056    ----a-w-    C:\Windows\SysWow64\DWrite.dll
2013-08-18 21:02:58    1884448    ----a-w-    C:\Windows\System32\nvdispco6432680.dll
2013-08-18 21:02:58    1511712    ----a-w-    C:\Windows\System32\nvdispgenco6432680.dll
.
============= FINISH:  8:54:28.16 ===============
 

 

Attach Log:

 

 

Ark:

The save button wouldnt create any logs for GMER so I copied it here from clipboard. Hope that works

 

GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-11-15 09:04:52
Windows 6.0.6002 Service Pack 2 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST31000340AS rev.SD1A 931.51GB
Running: 5ltrtezc.exe; Driver: C:\Users\Sean\AppData\Local\Temp\kwliqaow.sys


---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe                                                                                        suspicious modification
INITKDBG  C:\Windows\system32\ntoskrnl.exe                                                                                        suspicious modification
INITKDBG  C:\Windows\system32\ntoskrnl.exe                                                                                        suspicious modification
INITKDBG  C:\Windows\system32\ntoskrnl.exe                                                                                        suspicious modification

---- Registry - GMER 2.1 ----

Reg       HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0015833d0a57                                             
Reg       HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001583421e5e                                             
Reg       HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001583421e5e@0014beef4133                                0xC7 0xBE 0xDA 0x9C ...
Reg       HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{629be977-f31e-4080-896d-3de7be43258f}@Dhcpv6State  0
Reg       HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0015833d0a57 (not active ControlSet)                         
Reg       HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001583421e5e (not active ControlSet)                         
Reg       HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001583421e5e@0014beef4133                                    0xC7 0xBE 0xDA 0x9C ...

---- EOF - GMER 2.1 ----
 

 

Thanks mister, now go get um Tiger!

[Psychotic]

Combofix

Combofix should only be run when adviced by a team member!

Link


Important - Save the file to your desktop!

• Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
• Run Combofix.exe
  

When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing ""Illegal operation attempted on a registry key that has been marked for deletion" simply restart your computer to fix this.

[uncleseano]

Ok weird, it didnt do anything for me. It said it was backing up the reg but didnt seem to copy anything or create a log. It did however create a weird number/aplhabeth thingy with the icon of 'My Computer' in my C: Drive.  When I restarted my Mbam icon was back green but I'm not sure if that's because comboFix did its thing or just that comodo was turned off....

 

More help please!

[Psychotic]

Please reboot into safe mode and try again, please.

[Maurice Naggar]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!