Jump to content

Keylogger?www.24x7pchelp.com/www.ammyy.com

Dieselwrangler
 Share

Recommended Posts

Dieselwrangler

Dieselwrangler

Posted
Posted

We got caught up in a phone scam, where the caller had my wife step through a series of run commands on the computer. It started with opening event viewer, where it showed 28000 errors. They had her enter www.ammyy.com, and then a dos window to tree, then back at the run window, entered inf. I'm not sure if they had her do any more there until she entered www.24x7pchelp.com at the run window.

My concern is that they may have installed a keylogger, or other unwanted bit of software, after getting the remote access. I ran an old program that claims to detect keyloggers(kldetector13), that popped up a short list of questionable activities. I had no idea what to do with the information, so I got rid of it and came here.Attach.zip

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7287

Windows 6.1.7601 Service Pack 1

Internet Explorer 9.0.8112.16421

7/26/2011 4:26:17 PM

mbam-log-2011-07-26 (16-26-17).txt

Scan type: Quick scan

Objects scanned: 184560

Time elapsed: 6 minute(s), 43 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_27

Run by Katherine at 16:28:09 on 2011-07-26

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.1022.263 [GMT -6:00]

.

AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}

SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\Windows\system32\Ati2evxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\Ati2evxx.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\System32\svchost.exe -k HPZ12

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\System32\svchost.exe -k HPZ12

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\PowerISO\PWRISOVM.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Synaptics\SynTP\SynTPStart.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Windows\system32\SearchIndexer.exe

C:\Users\Katherine\Desktop\ywle3blx.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.ca/

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File

mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [synTPStart] c:\program files\synaptics\syntp\SynTPStart.exe

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRunOnce: [AntiLogger10_Uninstall1] c:\windows\system32\winlogon.exe

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

DPF: {99FE5072-78AA-4FEE-89BA-69A5FA55343F} - hxxp://download.microsoft.com/download/B/3/A/B3A2EA73-793D-4ABE-992D-C81140384044/igdtoolx.cab

DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.1.254

TCP: Interfaces\{C9FA4103-3F1F-4CF0-9B72-7301F6CF3CAF} : DhcpNameServer = 192.168.1.254

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\katherine\appdata\roaming\mozilla\firefox\profiles\lvs0gjc3.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/

FF - prefs.js: network.proxy.ftp - ;https=;

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 60061

FF - prefs.js: network.proxy.ssl - ;

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll

.

============= SERVICES / DRIVERS ===============

.

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]

R1 MpKsl7df5e66c;MpKsl7df5e66c;c:\programdata\microsoft\microsoft antimalware\definition updates\{e7b17506-88bb-4bcd-8d44-5c86beffdb90}\MpKsl7df5e66c.sys [2011-7-26 28752]

R1 MpKsl8e8289eb;MpKsl8e8289eb;c:\programdata\microsoft\microsoft antimalware\definition updates\{e7b17506-88bb-4bcd-8d44-5c86beffdb90}\MpKsl8e8289eb.sys [2011-7-26 28752]

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]

R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]

R2 SSPORT;SSPORT;c:\windows\system32\drivers\SSPORT.sys [2010-10-11 5120]

R3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]

R3 VSTHWATI;VSTHWATI;c:\windows\system32\drivers\VSTATI3.SYS [2009-7-13 236032]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]

S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]

S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]

S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]

S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-3-16 15872]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2011-4-27 362600]

S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-3-16 52224]

S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]

S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-3-16 1343400]

.

=============== Created Last 30 ================

.

2011-07-26 21:16:26 -------- dc-h--w- c:\programdata\~0

2011-07-26 21:16:08 -------- d-----w- c:\program files\AntiLogger

2011-07-26 21:00:34 28752 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{e7b17506-88bb-4bcd-8d44-5c86beffdb90}\MpKsl7df5e66c.sys

2011-07-26 18:17:16 28752 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{e7b17506-88bb-4bcd-8d44-5c86beffdb90}\MpKsl8e8289eb.sys

2011-07-26 18:16:50 6881616 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{e7b17506-88bb-4bcd-8d44-5c86beffdb90}\mpengine.dll

2011-07-26 14:52:41 -------- d-----w- c:\programdata\AMMYY

2011-07-18 23:06:42 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-16 22:30:48 -------- d-sh--w- C:\$RECYCLE.BIN

2011-07-15 20:35:02 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys

2011-07-15 20:35:02 284672 ----a-w- c:\windows\system32\drivers\usbport.sys

2011-07-15 20:35:02 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys

2011-07-15 20:35:01 75776 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2011-07-15 20:35:01 5888 ----a-w- c:\windows\system32\drivers\usbd.sys

2011-07-15 20:35:01 20480 ----a-w- c:\windows\system32\drivers\usbohci.sys

2011-06-30 21:35:59 293376 ----a-w- c:\windows\system32\umpnpmgr.dll

2011-06-30 21:35:56 1401344 ----a-w- c:\windows\system32\mssrch.dll

2011-06-30 21:35:55 427520 ----a-w- c:\windows\system32\SearchIndexer.exe

2011-06-30 21:35:55 1549312 ----a-w- c:\windows\system32\tquery.dll

2011-06-30 21:35:54 337408 ----a-w- c:\windows\system32\mssph.dll

2011-06-30 21:35:54 164352 ----a-w- c:\windows\system32\SearchProtocolHost.exe

2011-06-30 21:35:53 86528 ----a-w- c:\windows\system32\SearchFilterHost.exe

2011-06-30 21:35:53 666624 ----a-w- c:\windows\system32\mssvp.dll

2011-06-30 21:35:53 197120 ----a-w- c:\windows\system32\mssphtb.dll

2011-06-30 21:35:52 59392 ----a-w- c:\windows\system32\msscntrs.dll

2011-06-30 19:19:21 -------- d-----w- c:\program files\SystemRequirementsLab

.

==================== Find3M ====================

.

2011-07-07 01:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-07 01:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-06-24 19:01:05 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-06-11 02:29:25 2334208 ----a-w- c:\windows\system32\win32k.sys

2011-06-03 06:01:04 169984 ----a-w- c:\windows\system32\winsrv.dll

2011-06-03 05:56:57 271872 ----a-w- c:\windows\system32\conhost.exe

2011-05-14 06:26:31 290816 ----a-w- c:\windows\system32\KernelBase.dll

2011-05-14 04:15:39 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll

2011-05-14 04:15:38 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll

2011-05-14 04:15:38 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll

2011-05-14 04:15:38 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll

2011-05-03 04:30:02 741376 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 02:46:33 311808 ----a-w- c:\windows\system32\drivers\srv.sys

2011-04-29 02:46:15 310272 ----a-w- c:\windows\system32\drivers\srv2.sys

2011-04-29 02:46:10 114688 ----a-w- c:\windows\system32\drivers\srvnet.sys

.

============= FINISH: 16:29:09.18 ===============

Link to post
Share on other sites
  • Staff
screen317

screen317

Posted
  • Staff
Posted

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

Link to post
Share on other sites
Dieselwrangler

Dieselwrangler

Posted
  • Author
Posted

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

ComboFix 11-07-31.01 - Katherine 07/30/2011 14:22:01.3.1 - x86

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.1022.318 [GMT -6:00]

Running from: c:\users\Katherine\Downloads\ComboFix.exe

AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}

AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}

SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}

SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\programdata\AMMYY

c:\programdata\AMMYY\hr

c:\programdata\AMMYY\settings.bin

.

.

((((((((((((((((((((((((( Files Created from 2011-06-28 to 2011-07-30 )))))))))))))))))))))))))))))))

.

.

2011-07-30 20:28 . 2011-07-30 20:28 -------- d-----w- c:\users\Public\AppData\Local\temp

2011-07-30 20:28 . 2011-07-30 20:28 -------- d-----w- c:\users\Keith\AppData\Local\temp

2011-07-30 20:28 . 2011-07-30 20:28 -------- d-----w- c:\users\Keith.Katherine-PC\AppData\Local\temp

2011-07-30 20:28 . 2011-07-30 20:28 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-07-30 20:19 . 2011-07-30 20:19 -------- d-----w- C:\32788R22FWJFW

2011-07-30 01:37 . 2011-07-13 03:39 6881616 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1EF5F323-BB46-4220-8654-B1154B6707B0}\mpengine.dll

2011-07-28 22:41 . 2011-07-28 22:41 -------- d-----w- c:\users\Katherine\AppData\Roaming\SUPERAntiSpyware.com

2011-07-28 22:41 . 2011-07-28 22:41 -------- d-----w- c:\programdata\SUPERAntiSpyware.com

2011-07-28 22:40 . 2011-07-28 22:41 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-07-27 19:42 . 2011-07-27 19:42 -------- d-----w- c:\users\Katherine\AppData\Roaming\Avira

2011-07-27 19:41 . 2011-07-28 22:39 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-07-27 19:41 . 2011-07-28 22:39 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-07-27 19:41 . 2011-07-27 19:41 -------- d-----w- c:\programdata\Avira

2011-07-27 19:41 . 2011-07-27 19:41 -------- d-----w- c:\program files\Avira

2011-07-27 19:40 . 2011-07-27 19:40 388096 ----a-r- c:\users\Katherine\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-07-27 19:40 . 2011-07-27 19:40 -------- d-----w- c:\program files\Trend Micro

2011-07-27 19:22 . 2011-07-27 19:22 -------- d-----w- c:\program files\CCleaner

2011-07-27 01:30 . 2011-07-27 01:30 -------- d-----w- c:\program files\Lavasoft

2011-07-27 01:14 . 2011-07-27 19:34 -------- d-----w- c:\programdata\Spybot - Search & Destroy

2011-07-27 01:14 . 2011-07-27 08:47 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-07-26 21:16 . 2011-07-27 00:38 -------- dc----w- c:\programdata\~0

2011-07-26 21:16 . 2011-07-27 00:38 -------- d-----w- c:\program files\AntiLogger

2011-07-18 23:06 . 2011-07-18 23:09 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-15 20:38 . 2011-07-15 20:38 -------- d-----w- c:\program files\Microsoft Silverlight

2011-07-15 20:35 . 2011-03-25 02:58 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys

2011-07-15 20:35 . 2011-03-25 02:58 284672 ----a-w- c:\windows\system32\drivers\usbport.sys

2011-07-15 20:35 . 2011-03-25 02:57 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys

2011-07-15 20:35 . 2011-03-25 02:58 75776 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2011-07-15 20:35 . 2011-03-25 02:57 20480 ----a-w- c:\windows\system32\drivers\usbohci.sys

2011-07-15 20:35 . 2011-03-25 02:57 5888 ----a-w- c:\windows\system32\drivers\usbd.sys

2011-06-30 21:35 . 2011-05-24 10:44 293376 ----a-w- c:\windows\system32\umpnpmgr.dll

2011-06-30 21:35 . 2011-05-04 04:32 1401344 ----a-w- c:\windows\system32\mssrch.dll

2011-06-30 21:35 . 2011-05-04 04:34 1549312 ----a-w- c:\windows\system32\tquery.dll

2011-06-30 21:35 . 2011-05-04 04:28 427520 ----a-w- c:\windows\system32\SearchIndexer.exe

2011-06-30 21:35 . 2011-05-04 04:32 337408 ----a-w- c:\windows\system32\mssph.dll

2011-06-30 21:35 . 2011-05-04 04:28 164352 ----a-w- c:\windows\system32\SearchProtocolHost.exe

2011-06-30 21:35 . 2011-05-04 04:32 666624 ----a-w- c:\windows\system32\mssvp.dll

2011-06-30 21:35 . 2011-05-04 04:32 197120 ----a-w- c:\windows\system32\mssphtb.dll

2011-06-30 21:35 . 2011-05-04 04:28 86528 ----a-w- c:\windows\system32\SearchFilterHost.exe

2011-06-30 21:35 . 2011-05-04 04:32 59392 ----a-w- c:\windows\system32\msscntrs.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-27 01:33 . 2011-04-16 18:32 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2011-07-13 03:39 . 2011-03-17 14:28 6881616 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2011-07-07 01:52 . 2011-03-18 10:37 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-07 01:52 . 2011-03-18 10:37 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-06-24 19:01 . 2011-03-16 09:14 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-05-03 04:30 . 2011-06-15 15:00 741376 ----a-w- c:\windows\system32\inetcomm.dll

2011-06-24 20:08 . 2011-03-23 16:36 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-06-30 2424192]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1021224]

"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-07 449584]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

.

R1 MpKsl0874a679;MpKsl0874a679;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{BFAB721B-6315-43BD-A094-83D0705B3255}\MpKsl0874a679.sys [x]

R1 MpKsl0a636e1e;MpKsl0a636e1e;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1785256F-A3EF-432F-AFAF-9802E06A723E}\MpKsl0a636e1e.sys [x]

R1 MpKsl0b44de94;MpKsl0b44de94;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0B1957C2-5770-4D77-8C2B-4FBB5BBF7BCD}\MpKsl0b44de94.sys [x]

R1 MpKsl14dd3416;MpKsl14dd3416;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8A777D70-C873-451F-A0AB-495361EDD541}\MpKsl14dd3416.sys [x]

R1 MpKsl1535ca37;MpKsl1535ca37;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1B4AF124-EC19-403D-A233-1CBF8EE67AA3}\MpKsl1535ca37.sys [x]

R1 MpKsl19c79e08;MpKsl19c79e08;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E16D2EEC-6012-4D28-88A3-41BEAB1636B9}\MpKsl19c79e08.sys [x]

R1 MpKsl1b9e9a78;MpKsl1b9e9a78;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A1DA1370-E332-475C-92E7-781431118219}\MpKsl1b9e9a78.sys [x]

R1 MpKsl1e77a4e5;MpKsl1e77a4e5;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F2E4FEF3-5979-4F89-B82F-1EA00353BFCB}\MpKsl1e77a4e5.sys [x]

R1 MpKsl2b19f26a;MpKsl2b19f26a;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5DA368DB-8CB4-4A7A-82B3-1FD00885056A}\MpKsl2b19f26a.sys [x]

R1 MpKsl2b1b42c5;MpKsl2b1b42c5;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{656706F6-550E-4C05-A235-97091B4E331B}\MpKsl2b1b42c5.sys [x]

R1 MpKsl3187d279;MpKsl3187d279;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{53008FDC-DC1D-405D-8B87-7A8B64901926}\MpKsl3187d279.sys [x]

R1 MpKsl3e248ffe;MpKsl3e248ffe;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{53008FDC-DC1D-405D-8B87-7A8B64901926}\MpKsl3e248ffe.sys [x]

R1 MpKsl3f74bcc6;MpKsl3f74bcc6;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{10C80844-1B39-408C-B5D4-414CA1DC5862}\MpKsl3f74bcc6.sys [x]

R1 MpKsl40f45084;MpKsl40f45084;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E3CA3828-6B4C-4444-9FF5-F62D2AAA9161}\MpKsl40f45084.sys [x]

R1 MpKsl497b5275;MpKsl497b5275;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4F6E7F3C-5905-4983-8350-94BCA0D4B0C6}\MpKsl497b5275.sys [x]

R1 MpKsl4f20121c;MpKsl4f20121c;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1214FDB1-5468-4068-AF55-E59447620509}\MpKsl4f20121c.sys [x]

R1 MpKsl4f3cd768;MpKsl4f3cd768;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{FC63D866-358A-49C1-88DD-19C51CC3FB46}\MpKsl4f3cd768.sys [x]

R1 MpKsl5325ba79;MpKsl5325ba79;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{21414B7C-CB31-4185-B363-B0D3916667D6}\MpKsl5325ba79.sys [x]

R1 MpKsl536af4cb;MpKsl536af4cb;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{656706F6-550E-4C05-A235-97091B4E331B}\MpKsl536af4cb.sys [x]

R1 MpKsl59a5d027;MpKsl59a5d027;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3D9C23EF-186D-4E1A-A8BF-79C11F39ED40}\MpKsl59a5d027.sys [x]

R1 MpKsl59e97655;MpKsl59e97655;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{61A9A561-93AE-4B6E-B3A3-6855DF8A48A5}\MpKsl59e97655.sys [x]

R1 MpKsl6b2cd43f;MpKsl6b2cd43f;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2EF4A062-5F3D-4B1B-99C1-A9635652EC70}\MpKsl6b2cd43f.sys [x]

R1 MpKsl6ed32402;MpKsl6ed32402;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E2F7E8A4-BAED-4A31-94DA-AE7FD6D93047}\MpKsl6ed32402.sys [x]

R1 MpKsl6f783024;MpKsl6f783024;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1B4AF124-EC19-403D-A233-1CBF8EE67AA3}\MpKsl6f783024.sys [x]

R1 MpKsl71d11c36;MpKsl71d11c36;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3D688226-2F0F-440B-BAD3-7B262B440FF3}\MpKsl71d11c36.sys [x]

R1 MpKsl834d2246;MpKsl834d2246;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B908EC48-4682-4E88-A390-4EFC8A2A1422}\MpKsl834d2246.sys [x]

R1 MpKsl8694d6d7;MpKsl8694d6d7;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{656208F3-7B22-4A4F-8DF0-5397B364B740}\MpKsl8694d6d7.sys [x]

R1 MpKsl8849eb39;MpKsl8849eb39;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E16D2EEC-6012-4D28-88A3-41BEAB1636B9}\MpKsl8849eb39.sys [x]

R1 MpKsl887f55a2;MpKsl887f55a2;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4D8CA1FC-A1D1-4983-AE98-8F0A982CFC3D}\MpKsl887f55a2.sys [x]

R1 MpKsl88c5c32f;MpKsl88c5c32f;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{857A6CFE-1025-4354-8797-4E40918A65DB}\MpKsl88c5c32f.sys [x]

R1 MpKsl8bdaf749;MpKsl8bdaf749;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3FF67A64-3A41-4F9A-8C99-94BC3301F248}\MpKsl8bdaf749.sys [x]

R1 MpKsl943ff2de;MpKsl943ff2de;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8D4E7AD7-48C5-4245-96F0-07DE2355C6A0}\MpKsl943ff2de.sys [x]

R1 MpKsl9b297571;MpKsl9b297571;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0B1957C2-5770-4D77-8C2B-4FBB5BBF7BCD}\MpKsl9b297571.sys [x]

R1 MpKsl9e1ded3e;MpKsl9e1ded3e;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F9369271-634C-4243-8CED-9BF3FA5C4A69}\MpKsl9e1ded3e.sys [x]

R1 MpKsla8f0bc28;MpKsla8f0bc28;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E16D2EEC-6012-4D28-88A3-41BEAB1636B9}\MpKsla8f0bc28.sys [x]

R1 MpKslabb68c0d;MpKslabb68c0d;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{10C80844-1B39-408C-B5D4-414CA1DC5862}\MpKslabb68c0d.sys [x]

R1 MpKslad7c8a5a;MpKslad7c8a5a;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C03A30C6-7C56-4727-954B-A1B08C53A59A}\MpKslad7c8a5a.sys [x]

R1 MpKslae3f8b72;MpKslae3f8b72;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3D688226-2F0F-440B-BAD3-7B262B440FF3}\MpKslae3f8b72.sys [x]

R1 MpKslc2033767;MpKslc2033767;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{92B7A84A-50F3-46E6-B76B-0D56233AF652}\MpKslc2033767.sys [x]

R1 MpKsld2e06498;MpKsld2e06498;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5BEB9BF8-A6EF-4248-A9A7-A8F3870AD486}\MpKsld2e06498.sys [x]

R1 MpKsldcd77778;MpKsldcd77778;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{70E410DE-5C36-43FA-8EEF-4192B5DB6F72}\MpKsldcd77778.sys [x]

R1 MpKsle1dccb19;MpKsle1dccb19;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9D98C551-D6DD-4A06-B9B5-DA4DA0B1FAD8}\MpKsle1dccb19.sys [x]

R1 MpKslf50f24fb;MpKslf50f24fb;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{37DFA17B-EDAB-43AB-ADE3-670FE2D96C49}\MpKslf50f24fb.sys [x]

R1 MpKslf9de6607;MpKslf9de6607;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{834D35AC-85B8-4BEA-9959-8A051DE4BEF5}\MpKslf9de6607.sys [x]

R1 MpKslfda92908;MpKslfda92908;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4F6E7F3C-5905-4983-8350-94BCA0D4B0C6}\MpKslfda92908.sys [x]

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [2009-12-18 11336]

R3 ec;ec;c:\w309bf54\ecdriver.sys [x]

R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [x]

R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-25 43392]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-25 54144]

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]

R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2011-03-21 362600]

R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]

R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]

R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]

R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-03-16 1343400]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-12 12880]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-04-21 136360]

S2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys [2010-10-11 5120]

S3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]

S3 VSTHWATI;VSTHWATI;c:\windows\system32\DRIVERS\VSTATI3.SYS [2009-07-13 236032]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.ca/

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.254

FF - ProfilePath - c:\users\Katherine\AppData\Roaming\Mozilla\Firefox\Profiles\lvs0gjc3.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/

FF - prefs.js: network.proxy.ftp - ;https=;

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 60061

FF - prefs.js: network.proxy.ssl - ;

FF - prefs.js: network.proxy.type - 0

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2011-07-30 14:33:18

ComboFix-quarantined-files.txt 2011-07-30 20:33

.

Pre-Run: 95,032,610,816 bytes free

Post-Run: 95,954,640,896 bytes free

.

- - End Of File - - 351DB44D421F554A75F69723B56C0E9D

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7328

Windows 6.1.7601 Service Pack 1

Internet Explorer 9.0.8112.16421

7/30/2011 2:01:28 PM

mbam-log-2011-07-30 (14-01-28).txt

Scan type: Quick scan

Objects scanned: 185749

Time elapsed: 7 minute(s), 17 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_27

Run by Katherine at 14:14:40 on 2011-07-30

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.1022.165 [GMT -6:00]

.

AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}

AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}

SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\Windows\system32\Ati2evxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\Ati2evxx.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\System32\svchost.exe -k HPZ12

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Windows\system32\conhost.exe

C:\Windows\System32\svchost.exe -k HPZ12

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Synaptics\SynTP\SynTPStart.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Windows\system32\NOTEPAD.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.ca/

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [synTPStart] c:\program files\synaptics\syntp\SynTPStart.exe

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

DPF: {99FE5072-78AA-4FEE-89BA-69A5FA55343F} - hxxp://download.microsoft.com/download/B/3/A/B3A2EA73-793D-4ABE-992D-C81140384044/igdtoolx.cab

DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.1.254

TCP: Interfaces\{C9FA4103-3F1F-4CF0-9B72-7301F6CF3CAF} : DhcpNameServer = 192.168.1.254

Hosts: 127.0.0.1 www.spywareinfo.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\katherine\appdata\roaming\mozilla\firefox\profiles\lvs0gjc3.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/

FF - prefs.js: network.proxy.ftp - ;https=;

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 60061

FF - prefs.js: network.proxy.ssl - ;

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll

.

============= SERVICES / DRIVERS ===============

.

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-12 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]

R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-7-27 136360]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-7-27 269480]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-7-27 66616]

R2 SSPORT;SSPORT;c:\windows\system32\drivers\SSPORT.sys [2010-10-11 5120]

R3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]

R3 VSTHWATI;VSTHWATI;c:\windows\system32\drivers\VSTATI3.SYS [2009-7-13 236032]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]

S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]

S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]

S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]

S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-3-16 15872]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2011-4-27 362600]

S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-3-16 52224]

S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]

S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-3-16 1343400]

.

=============== Created Last 30 ================

.

2011-07-30 01:37:03 6881616 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{1ef5f323-bb46-4220-8654-b1154b6707b0}\mpengine.dll

2011-07-28 22:41:00 -------- d-----w- c:\users\katherine\appdata\roaming\SUPERAntiSpyware.com

2011-07-28 22:41:00 -------- d-----w- c:\programdata\SUPERAntiSpyware.com

2011-07-28 22:40:50 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-07-27 19:42:23 -------- d-----w- c:\users\katherine\appdata\roaming\Avira

2011-07-27 19:41:03 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-07-27 19:41:00 -------- d-----w- c:\programdata\Avira

2011-07-27 19:41:00 -------- d-----w- c:\program files\Avira

2011-07-27 19:40:47 388096 ----a-r- c:\users\katherine\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2011-07-27 19:40:45 -------- d-----w- c:\program files\Trend Micro

2011-07-27 19:22:44 -------- d-----w- c:\program files\CCleaner

2011-07-27 01:30:00 -------- d-----w- c:\program files\Lavasoft

2011-07-27 01:14:50 -------- d-----w- c:\programdata\Spybot - Search & Destroy

2011-07-27 01:14:50 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-07-26 21:16:26 -------- dc----w- c:\programdata\~0

2011-07-26 21:16:08 -------- d-----w- c:\program files\AntiLogger

2011-07-26 14:52:41 -------- d-----w- c:\programdata\AMMYY

2011-07-18 23:06:42 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-16 22:30:48 -------- d-sh--w- C:\$RECYCLE.BIN

2011-07-15 20:35:02 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys

2011-07-15 20:35:02 284672 ----a-w- c:\windows\system32\drivers\usbport.sys

2011-07-15 20:35:02 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys

2011-07-15 20:35:01 75776 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2011-07-15 20:35:01 5888 ----a-w- c:\windows\system32\drivers\usbd.sys

2011-07-15 20:35:01 20480 ----a-w- c:\windows\system32\drivers\usbohci.sys

2011-06-30 21:35:59 293376 ----a-w- c:\windows\system32\umpnpmgr.dll

2011-06-30 21:35:56 1401344 ----a-w- c:\windows\system32\mssrch.dll

2011-06-30 21:35:55 427520 ----a-w- c:\windows\system32\SearchIndexer.exe

2011-06-30 21:35:55 1549312 ----a-w- c:\windows\system32\tquery.dll

2011-06-30 21:35:54 337408 ----a-w- c:\windows\system32\mssph.dll

2011-06-30 21:35:54 164352 ----a-w- c:\windows\system32\SearchProtocolHost.exe

2011-06-30 21:35:53 86528 ----a-w- c:\windows\system32\SearchFilterHost.exe

2011-06-30 21:35:53 666624 ----a-w- c:\windows\system32\mssvp.dll

2011-06-30 21:35:53 197120 ----a-w- c:\windows\system32\mssphtb.dll

2011-06-30 21:35:52 59392 ----a-w- c:\windows\system32\msscntrs.dll

.

==================== Find3M ====================

.

2011-07-27 01:33:37 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2011-07-07 01:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-07 01:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-06-26 06:45:56 256000 ----a-w- c:\windows\PEV.exe

2011-06-24 19:01:05 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-06-11 02:29:25 2334208 ----a-w- c:\windows\system32\win32k.sys

2011-06-03 06:01:04 169984 ----a-w- c:\windows\system32\winsrv.dll

2011-06-03 05:56:57 271872 ----a-w- c:\windows\system32\conhost.exe

2011-05-14 06:26:31 290816 ----a-w- c:\windows\system32\KernelBase.dll

2011-05-14 04:15:39 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll

2011-05-14 04:15:38 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll

2011-05-14 04:15:38 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll

2011-05-14 04:15:38 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll

2011-05-03 04:30:02 741376 ----a-w- c:\windows\system32\inetcomm.dll

.

============= FINISH: 14:15:43.75 ===============

I see that they installed something from AMMYY site she went on.

Link to post
Share on other sites
  • Staff
screen317

screen317

Posted
  • Staff
Posted

Hi,

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317

Link to post
Share on other sites
Dieselwrangler

Dieselwrangler

Posted
  • Author
Posted

Hi,

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)

# OnlineScanner.ocx=1.0.0.6528

# api_version=3.0.2

# EOSSerial=196f3a177084454eb212a6cec8692f05

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2011-08-05 11:04:38

# local_time=2011-08-05 05:04:38 (-0700, Mountain Daylight Time)

# country="United States"

# lang=9

# osver=6.1.7601 NT Service Pack 1

# compatibility_mode=512 16777215 100 0 698702 698702 0 0

# compatibility_mode=1797 16775165 100 94 0 49002096 0 0

# compatibility_mode=5893 16776574 100 94 11395669 64125538 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=87868

# found=3

# cleaned=3

# scan_time=4728

C:\MyBootCD\Hiren's.BootCD.13.1.iso.iso Win32/PSWTool.KonBoot.A application (deleted - quarantined) 00000000000000000000000000000000 C

C:\MyBootCD\CD\HBCD\konboot.gz Win32/PSWTool.KonBoot.A application (deleted - quarantined) 00000000000000000000000000000000 C

C:\MyBootCD\Hirens.BootCD.13.1\Hiren's.BootCD.13.1.iso Win32/PSWTool.KonBoot.A application (deleted - quarantined) 00000000000000000000000000000000 C

Results of screen317's Security Check version 0.99.18

Windows 7 Service Pack 1 (UAC is disabled!)

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

Avira AntiVir Personal - Free Antivirus

ESET Online Scanner v3

WMI entry may not exist for antivirus; attempting automatic update.

Avira successfully updated!

```````````````````````````````

Anti-malware/Other Utilities Check:

MVPS Hosts File

Malwarebytes' Anti-Malware

CCleaner

Java 7

Adobe Flash Player 10.3.181.34

Adobe Reader X (10.1.0)

Mozilla Firefox (x86 en-US..)

````````````````````````````````

Process Check:

objlist.exe by Laurent

Avira Antivir avgnt.exe

Avira Antivir avguard.exe

``````````End of Log````````````

Everything appears as it should be, I've deleted the directory that showed as a problem. My thanks for all your help.

Link to post
Share on other sites
  • Staff
screen317

screen317

Posted
  • Staff
Posted

Great!

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program (if present):

ESET Online Scanner v3

Restart your computer.

Let me know what issues remain.

-screen317

Link to post
Share on other sites
  • 3 weeks later...
  • Staff
screen317

screen317

Posted
  • Staff
Posted

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.