
I downloaded Malwarebytes. It stopped the Sound mixer malware for a few days by constantly blocking the website incoming from outside, but it started again 2 days ago.

I have Windows Defender also. None of the programs could find the source of the malware... Please help!


This is a Farbar Recovery Scan Tool scan. I think it might help whoever helps me...

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-03-2014
Ran by thanlwin (administrator) on HEIN on 25-03-2014 23:39:58
Running from D:\My files\Downloads History
Windows 8 Pro with Media Center (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(AMD) C:\Windows\system32\atiesrxx.exe
(AMD) C:\Windows\system32\atieclxx.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Microsoft Corporation) C:\Windows\system32\dashost.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
(PasswordBox, Inc.) C:\Program Files (x86)\PasswordBox\pbbtnService.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Yahoo! Inc.) C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.0.1119.516_x64__8wekyb3d8bbwe\LiveComm.exe
(DT Soft Ltd) D:\Programs\DAEMON Tools Pro\DTShellHlp.exe
(Logitech Inc.) C:\Program Files\Logitech Gaming Software\LCore.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\system32\SndVol.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe
(Microsoft Corporation) C:\Windows\system32\mspaint.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Launch LCore] - C:\Program Files\Logitech Gaming Software\LCore.exe [7477016 2013-04-24] (Logitech Inc.)
HKLM-x32\...\Run: [startCCC] - C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [642656 2013-03-28] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-02-06] (Apple Inc.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-4239564563-3147608319-720328566-1001\...\Run: [skype] - C:\Program Files (x86)\Skype\Phone\Skype.exe [18678376 2013-04-19] (Skype Technologies S.A.)
HKU\S-1-5-21-4239564563-3147608319-720328566-1001\...\Run: [DAEMON Tools Pro Agent] - D:\Programs\DAEMON Tools Pro\DTAgent.exe [1163072 2012-04-12] (DT Soft Ltd)
HKU\S-1-5-21-4239564563-3147608319-720328566-1001\...\Run: [ooVoo.exe] - C:\Program Files (x86)\ooVoo\oovoo.exe [36125760 2013-12-18] (ooVoo LLC)
HKU\S-1-5-21-4239564563-3147608319-720328566-1001\...\Run: [Google Update] - C:\Users\thanlwin\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2013-07-20] (Google Inc.)
Startup: C:\Users\thanlwin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rainmeter.lnk
ShortcutTarget: Rainmeter.lnk -> C:\Users\thanlwin\Rainmeter.exe ()
Startup: C:\Users\thanlwin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Samsung Magician.lnk
ShortcutTarget: Samsung Magician.lnk -> C:\Program Files (x86)\Samsung Magician\Samsung Magician.exe (Samsung Electronics.)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKCU - {0DBB31E6-B3C0-43A8-B3C1-30871C4C9DAC} URL = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=714647&p={searchTerms}
BHO: Lync Browser Helper - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper - {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Lync Browser Helper - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO-x32: PasswordBox Helper - {5DB69B97-934B-451D-94DB-32EF802A01CD} - C:\Program Files (x86)\PasswordBox\Application\pbbtn.dll (PasswordBox, Inc.)
BHO-x32: Microsoft SkyDrive Pro Browser Helper - {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL (Microsoft Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Users\thanlwin\AppData\Roaming\Mozilla\Firefox\Profiles\800mol1u.default
FF Homepage: https://www.google.com/

FF NetworkProxy: "http", "194.141.96.189        "
FF NetworkProxy: "http_port", 8080
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_12_0_0_77.dll ()
FF Plugin: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~1\MICROS~1\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_77.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @esn/npbattlelog,version=2.3.2 - C:\Program Files (x86)\Battlelog Web Plugins\2.3.2\npbattlelog.dll (EA Digital Illusions CE AB)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 - C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~1\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3508.0205 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin - C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
FF Plugin-x32: @raidcall.en/RCplugin - C:\Users\thanlwin\AppData\Roaming\rcru\plugins\nprcplugin.dll (Raidcall)
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.22.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.22.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @talk.google.com/GoogleTalkPlugin - C:\Users\thanlwin\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
FF Plugin HKCU: @talk.google.com/O1DPlugin - C:\Users\thanlwin\AppData\Roaming\Mozilla\plugins\npo1d.dll (Google)
FF Plugin HKCU: @talk.google.com/O3DPlugin - C:\Users\thanlwin\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Users\thanlwin\AppData\Local\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Users\thanlwin\AppData\Local\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Users\thanlwin\AppData\Roaming\mozilla\plugins\npgoogletalk.dll (Google)
FF Plugin ProgramFiles/Appdata: C:\Users\thanlwin\AppData\Roaming\mozilla\plugins\npgtpo3dautoplugin.dll ()
FF Plugin ProgramFiles/Appdata: C:\Users\thanlwin\AppData\Roaming\mozilla\plugins\npo1d.dll (Google)
FF SearchPlugin: C:\Users\thanlwin\AppData\Roaming\Mozilla\Firefox\Profiles\800mol1u.default\searchplugins\yahoo_ff.xml
FF Extension: SelectionLinks - C:\Users\thanlwin\AppData\Roaming\Mozilla\Firefox\Profiles\800mol1u.default\Extensions\{38397DDF-52A3-4F5F-9741-6A018F9CE445} [2013-06-10]
FF Extension: Adblock Plus - C:\Users\thanlwin\AppData\Roaming\Mozilla\Firefox\Profiles\800mol1u.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2013-07-21]
FF HKLM-x32\...\Firefox\Extensions: [firefox@passwordbox.com] - C:\Program Files (x86)\PasswordBox\Firefox
FF Extension: PasswordBox - C:\Program Files (x86)\PasswordBox\Firefox [2013-12-01]

Chrome:
=======


CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\27.0.1453.110\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\27.0.1453.110\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\27.0.1453.110\pdf.dll ()
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll No File
CHR Plugin: (Pando Web Plugin) - C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_202.dll No File
CHR Extension: (Google Docs) - C:\Users\thanlwin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-06-09]
CHR Extension: (Google Drive) - C:\Users\thanlwin\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-06-09]
CHR Extension: (YouTube) - C:\Users\thanlwin\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-06-09]
CHR Extension: (Google Search) - C:\Users\thanlwin\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-06-09]
CHR Extension: (Gmail) - C:\Users\thanlwin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-06-09]
CHR HKLM-x32\...\Chrome\Extension: [jkddfieidmieplblmghkfigknhkjmdaf] - C:\Program Files (x86)\OApps\chrome-sl.crx [2013-06-09]
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKCU\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Services (Whitelisted) =================

R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 PasswordBox; C:\Program Files (x86)\PasswordBox\pbbtnService.exe [67584 2013-11-01] (PasswordBox, Inc.)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [16048 2013-07-01] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

S0 amdkmafd; C:\Windows\System32\drivers\amdkmafd.sys [21160 2012-09-22] (Advanced Micro Devices, Inc.)
R3 AtiHDAudioService; C:\Windows\system32\drivers\AtihdW86.sys [98744 2013-04-23] (Advanced Micro Devices)
R1 dtsoftbus01; C:\Windows\System32\drivers\dtsoftbus01.sys [283200 2013-11-02] (DT Soft Ltd)
R3 LGSHidFilt; C:\Windows\system32\DRIVERS\LGSHidFilt.Sys [66800 2013-01-17] (Logitech Inc.)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
R0 sptd; C:\Windows\System32\Drivers\sptd.sys [564792 2013-11-02] (Duplex Secure Ltd.)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-03-20 23:25 - 2014-03-20 23:25 - 00001109 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-03-20 23:25 - 2014-03-20 23:25 - 00000000 ____D () C:\Users\thanlwin\AppData\Roaming\Malwarebytes
2014-03-20 23:25 - 2014-03-20 23:25 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-03-20 23:25 - 2014-03-20 23:25 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-03-20 23:25 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-03-20 23:15 - 2014-03-20 23:16 - 00000000 ____D () C:\AdwCleaner
2014-03-20 23:12 - 2014-03-20 23:12 - 00016555 _____ () C:\ComboFix.txt
2014-03-20 23:06 - 2014-03-20 23:12 - 00000000 ____D () C:\Qoobox
2014-03-20 23:06 - 2014-03-20 23:12 - 00000000 ____D () C:\ComboFix
2014-03-20 23:06 - 2014-03-20 23:11 - 00000000 ____D () C:\Windows\erdnt
2014-03-20 23:06 - 2011-06-26 02:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-03-20 23:06 - 2010-11-07 13:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-03-20 23:06 - 2009-04-20 00:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-03-20 23:06 - 2000-08-30 20:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-03-20 23:06 - 2000-08-30 20:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-03-20 23:06 - 2000-08-30 20:00 - 00212480 _____ (SteelWerX) C:\Windows\SWXCACLS.exe
2014-03-20 23:06 - 2000-08-30 20:00 - 00098816 _____ () C:\Windows\sed.exe
2014-03-20 23:06 - 2000-08-30 20:00 - 00080412 _____ () C:\Windows\grep.exe
2014-03-20 23:06 - 2000-08-30 20:00 - 00068096 _____ () C:\Windows\zip.exe
2014-03-20 23:01 - 2014-03-20 23:01 - 568666191 _____ () C:\Windows\MEMORY.DMP
2014-03-20 23:01 - 2014-03-20 23:01 - 00281616 _____ () C:\Windows\Minidump\032014-4531-01.dmp
2014-03-20 22:47 - 2014-03-25 23:39 - 00000000 ____D () C:\FRST
2014-03-20 22:29 - 2014-03-20 22:29 - 00000000 ____D () C:\Program Files\Enigma Software Group
2014-03-20 22:29 - 2014-03-20 22:29 - 00000000 _____ () C:\autoexec.bat
2014-03-20 22:28 - 2014-03-20 22:33 - 00000000 ____D () C:\Windows\1F7E4FF9D2E542589AE1E16E6CB3252A.TMP
2014-03-20 22:04 - 2014-03-20 22:04 - 00001263 _____ () C:\Users\thanlwin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\vprot.lnk
2014-03-20 21:34 - 2014-03-25 22:42 - 00000081 _____ () C:\Windows\system32\jfrikff.uro
2014-03-20 21:23 - 2014-03-20 21:23 - 00000064 _____ () C:\Windows\system32\nilxnqk.gxf
2014-03-20 21:23 - 2014-03-20 21:23 - 00000000 _____ () C:\Windows\system32\annqytq.ddk
2014-03-20 21:08 - 2014-03-20 21:08 - 00377857 ____S () C:\Windows\system32\vzblpbx.suf
2014-03-18 18:39 - 2014-03-18 18:39 - 00000000 _____ () C:\Users\thanlwin\Desktop\New Text Document.txt
2014-03-18 17:47 - 2014-03-18 17:47 - 00000000 ____D () C:\Users\thanlwin\Desktop\Dark Crystal Ryze Overlay by Temporalcortex
2014-03-18 17:35 - 2014-03-18 17:35 - 00000883 _____ () C:\Users\thanlwin\Desktop\Pics (2).lnk
2014-02-23 00:19 - 2014-02-23 00:19 - 00000000 ____D () C:\Users\thanlwin\AppData\Roaming\rcru

==================== One Month Modified Files and Folders =======

2014-03-25 23:39 - 2014-03-20 22:47 - 00000000 ____D () C:\FRST
2014-03-25 23:36 - 2013-06-10 05:24 - 00000000 ____D () C:\Users\thanlwin\AppData\Roaming\uTorrent
2014-03-25 23:32 - 2013-07-20 21:47 - 00975872 ___SH () C:\Users\thanlwin\Desktop\Thumbs.db
2014-03-25 23:08 - 2013-07-20 22:42 - 00000930 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4239564563-3147608319-720328566-1001UA.job
2014-03-25 23:06 - 2013-10-26 17:57 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-03-25 23:00 - 2012-07-26 04:12 - 00000000 ____D () C:\Windows\system32\sru
2014-03-25 22:50 - 2013-06-09 07:20 - 00000912 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-03-25 22:43 - 2013-06-09 06:21 - 00003596 _____ () C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-4239564563-3147608319-720328566-1001
2014-03-25 22:42 - 2014-03-20 21:34 - 00000081 _____ () C:\Windows\system32\jfrikff.uro
2014-03-25 22:37 - 2013-06-09 07:20 - 00000908 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-03-25 22:36 - 2012-07-26 03:28 - 00848230 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-03-25 22:32 - 2013-06-09 21:06 - 00027554 _____ () C:\Windows\PFRO.log
2014-03-25 22:32 - 2012-07-26 03:22 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-03-25 22:32 - 2012-07-26 01:26 - 00524288 ___SH () C:\Windows\system32\config\BBI
2014-03-25 22:31 - 2013-06-12 04:29 - 00000000 ____D () C:\Users\thanlwin\AppData\Roaming\Skype
2014-03-25 22:31 - 2013-06-09 06:13 - 02049514 _____ () C:\Windows\WindowsUpdate.log
2014-03-25 20:08 - 2013-07-20 22:42 - 00000878 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4239564563-3147608319-720328566-1001Core.job
2014-03-25 20:03 - 2013-07-20 22:42 - 00003882 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-4239564563-3147608319-720328566-1001UA
2014-03-25 20:03 - 2013-07-20 22:42 - 00003502 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-4239564563-3147608319-720328566-1001Core
2014-03-23 12:15 - 2013-12-01 05:30 - 00000000 ____D () C:\Program Files (x86)\PasswordBox
2014-03-22 00:34 - 2012-07-26 03:21 - 00053674 _____ () C:\Windows\setupact.log
2014-03-20 23:25 - 2014-03-20 23:25 - 00001109 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-03-20 23:25 - 2014-03-20 23:25 - 00000000 ____D () C:\Users\thanlwin\AppData\Roaming\Malwarebytes
2014-03-20 23:25 - 2014-03-20 23:25 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-03-20 23:25 - 2014-03-20 23:25 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-03-20 23:16 - 2014-03-20 23:15 - 00000000 ____D () C:\AdwCleaner
2014-03-20 23:12 - 2014-03-20 23:12 - 00016555 _____ () C:\ComboFix.txt
2014-03-20 23:12 - 2014-03-20 23:06 - 00000000 ____D () C:\Qoobox
2014-03-20 23:12 - 2014-03-20 23:06 - 00000000 ____D () C:\ComboFix
2014-03-20 23:11 - 2014-03-20 23:06 - 00000000 ____D () C:\Windows\erdnt
2014-03-20 23:10 - 2012-07-26 01:26 - 00000215 _____ () C:\Windows\system.ini
2014-03-20 23:09 - 2013-06-09 06:13 - 00000000 ____D () C:\Users\thanlwin
2014-03-20 23:01 - 2014-03-20 23:01 - 568666191 _____ () C:\Windows\MEMORY.DMP
2014-03-20 23:01 - 2014-03-20 23:01 - 00281616 _____ () C:\Windows\Minidump\032014-4531-01.dmp
2014-03-20 23:01 - 2013-09-29 10:25 - 00000000 ____D () C:\Windows\Minidump
2014-03-20 22:57 - 2013-06-15 05:33 - 00000000 ____D () C:\Program Files (x86)\Battlelog Web Plugins
2014-03-20 22:57 - 2013-06-10 18:22 - 00000000 ____D () C:\ProgramData\Apple
2014-03-20 22:33 - 2014-03-20 22:28 - 00000000 ____D () C:\Windows\1F7E4FF9D2E542589AE1E16E6CB3252A.TMP
2014-03-20 22:33 - 2013-11-02 03:43 - 00000000 ____D () C:\Windows\system32\appmgmt
2014-03-20 22:29 - 2014-03-20 22:29 - 00000000 ____D () C:\Program Files\Enigma Software Group
2014-03-20 22:29 - 2014-03-20 22:29 - 00000000 _____ () C:\autoexec.bat
2014-03-20 22:04 - 2014-03-20 22:04 - 00001263 _____ () C:\Users\thanlwin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\vprot.lnk
2014-03-20 21:23 - 2014-03-20 21:23 - 00000064 _____ () C:\Windows\system32\nilxnqk.gxf
2014-03-20 21:23 - 2014-03-20 21:23 - 00000000 _____ () C:\Windows\system32\annqytq.ddk
2014-03-20 21:08 - 2014-03-20 21:08 - 00377857 ____S () C:\Windows\system32\vzblpbx.suf
2014-03-20 21:08 - 2012-07-26 01:38 - 00000000 ____D () C:\Windows\system32\Sysprep
2014-03-19 02:29 - 2012-07-26 04:12 - 00000000 ____D () C:\Windows\AUInstallAgent
2014-03-18 18:39 - 2014-03-18 18:39 - 00000000 _____ () C:\Users\thanlwin\Desktop\New Text Document.txt
2014-03-18 17:47 - 2014-03-18 17:47 - 00000000 ____D () C:\Users\thanlwin\Desktop\Dark Crystal Ryze Overlay by Temporalcortex
2014-03-18 17:35 - 2014-03-18 17:35 - 00000883 _____ () C:\Users\thanlwin\Desktop\Pics (2).lnk
2014-03-18 08:46 - 2013-12-15 07:31 - 00000000 ____D () C:\Program Files (x86)\OBS
2014-03-11 14:06 - 2013-10-26 17:57 - 00003718 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-03-03 22:43 - 2013-06-09 06:13 - 00000000 ____D () C:\Users\thanlwin\AppData\Local\Packages
2014-02-25 23:57 - 2012-07-26 04:12 - 00000000 ____D () C:\Windows\system32\NDF
2014-02-23 00:19 - 2014-02-23 00:19 - 00000000 ____D () C:\Users\thanlwin\AppData\Roaming\rcru

Files to move or delete:
====================
C:\Users\thanlwin\Rainmeter.dll
C:\Users\thanlwin\Rainmeter.exe
C:\Users\thanlwin\SkinInstaller.exe


Some content of TEMP:
====================
C:\Users\thanlwin\AppData\Local\Temp\Quarantine.exe


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2012-07-25 19:53] - [2012-07-25 23:07] - 0818688 ____A (Microsoft Corporation) ADC1736F560E931C9F5C27600D30F4C1

 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2014-03-18 06:03

==================== End Of Log ============================
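Added note (not from the original poster, and not FRST's own code): a small Python helper that pulls the review-worthy lines out of a log like the one above. It reports FRST's own "<======= ATTENTION" markers, plugin or extension entries that FRST tags "No File", a file in the Bamital check that did not get the "=> MD5 is legit" verdict (FRST prints its hash on the following line for manual lookup), and a manual Firefox proxy whose address lies outside private address space. The ATTENTION and "No File" markers are FRST's; the rest of the rules, and the sample lines (copied from the log above), are this example's own assumptions.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST.txt) output.

Added example, not part of the forum post and not FRST's own code. It walks
FRST-style lines and returns the entries a helper would look at first:
FRST's own "<======= ATTENTION" markers, orphaned "No File" references,
a manual Firefox proxy that points outside private address space, and files
in the Bamital check whose "=> MD5 is legit" verdict is missing (FRST prints
the file's hash on the next line instead, for manual lookup).
The review heuristics are this example's assumptions, not FRST features.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the log quoted above.
SAMPLE_FRST = r'''
FF NetworkProxy: "http", "194.141.96.189        "
FF NetworkProxy: "http_port", 8080
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin - C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKCU\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2012-07-25 19:53] - [2012-07-25 23:07] - 0818688 ____A (Microsoft Corporation) ADC1736F560E931C9F5C27600D30F4C1
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
'''

HASH_RE = re.compile(r"\b[0-9A-Fa-f]{32}\b")
# FRST quotes the proxy host (trailing spaces included) but not the port.
PROXY_RE = re.compile(r'^FF NetworkProxy: "([^"]+)", "?(.*?)"?$')


@dataclass
class Finding:
    category: str
    detail: str


def triage(lines):
    """Return Findings in log order; the proxy verdict is appended last."""
    findings = []
    proxy = {}
    for i, raw in enumerate(lines):
        line = raw.rstrip()
        if "<======= ATTENTION" in line:
            # FRST's own marker: keep the entry, drop the marker text.
            findings.append(Finding("frst-attention", line.split(" <=======")[0]))
        elif line.endswith(" No File"):
            # A registered plugin/extension whose file is gone.
            findings.append(Finding("orphaned-reference", line[: -len(" No File")]))
        elif (m := PROXY_RE.match(line)):
            proxy[m.group(1)] = m.group(2).strip()
        elif line.startswith("C:\\") and "=> MD5" not in line:
            # Bamital check: a bare path followed by a hash line means FRST
            # could not vouch for the file; surface path and hash together.
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            h = HASH_RE.search(nxt)
            if h:
                findings.append(Finding("md5-not-verified", f"{line} {h.group(0)}"))
    host = proxy.get("http")
    if host:
        port = proxy.get("http_port", "?")
        try:
            review = not ipaddress.ip_address(host).is_private
        except ValueError:
            review = True  # a hostname: cannot classify, so surface it
        if review:
            findings.append(Finding("manual-proxy", f"{host}:{port}"))
    return findings


def triage_text(text):
    """Convenience wrapper for a whole FRST.txt read into one string."""
    return triage(text.strip().splitlines())


if __name__ == "__main__":
    for f in triage_text(SAMPLE_FRST):
        print(f"[{f.category}] {f.detail}")
```

Run it as `python frst_triage.py` to see the findings for the sample; for a real log, call `triage_text(open("FRST.txt", encoding="utf-8").read())`. A finding is a pointer for the helper, not a verdict: a proxy outside private space can be legitimate on a corporate network, and an unverified MD5 still has to be looked up before the file is treated as patched.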


Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Please post up the Addition.txt by FRST and run the following tool:

Scan with TDSS-Killer

Please read and follow these instructions carefully. We do not want it to fix anything yet (if found), we need to see a report first.

Download TDSSKiller.zip and extract to your desktop
  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan
  • If Malicious objects are found, do NOT select Copy to quarantine. Change the action to Skip, and save the log.
  • Once complete, a log will be produced at the root drive which is typically C:\, for example, C:\TDSSKiller.<version_date_time>log.txt

Please post the contents of that log in your next reply.


  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
