Possible infection


Possible infection

Post by Voods on 20th November 2011, 10:23 pm

Hi there

I think I may be infected again, after a long period of time. I have run all the scans aforementioned, and have the logs ready to post.

My computer has been slow, programs have been crashing all the time, and even programs starting of their own accord. Firefox has been crashing constantly, though this, I think, is due to incompatible add-ons, which I have disabled, but I still have crashes. I noticed in the scan logs it shows my Firefox is version 3.6.17. This is not correct, as I have version 7.0.1.
The only reason I have not upgraded this is due to the fingerprint reader I use, and no update for the plugin required as of yet.

Regards


Voods
Senior
Posts: 229
Joined: 2008-12-07
Gender: Male
OS: Windows 7 Professional
Protection: Eset Smart Security 4
Points: 31484
Likes: 0

Re: Possible infection

Post by Superdave on 21st November 2011, 8:08 pm

Hello and welcome to GeekPolice.Net. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*****************************************************************
SUPERAntiSpyware

If you already have SUPERAntiSpyware be sure to check for updates before scanning!


Download [You must be registered and logged in to see this link.]
* Double-click the icon on your desktop to run the installer.
* When asked to Update the program definitions, click Yes
* If you encounter any problems while downloading the updates, manually download and unzip them from here
* Next click the Preferences button.
  • Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
* Click the Scanning Control tab.
* Under Scanner Options make sure only the following are checked:
  • Close browsers before scanning
  • Scan for tracking cookies
  • Terminate memory threats before quarantining
  Please leave the others unchecked
* Click the Close button to leave the control center screen.
* On the main screen click Scan your computer
* On the left check the box for the drive you are scanning.
* On the right choose Perform Complete Scan
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete a summary box will appear. Click OK
* Make sure everything in the white box has a check next to it, then click Next
* It will quarantine what it found and if it asks if you want to reboot, click Yes
* To retrieve the removal information please do the following:
  • After reboot, double-click the SUPERAntiSpyware icon on your desktop.
  • Click Preferences. Click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • It will open in your default text editor (preferably Notepad).
  • Save the notepad file to your desktop by clicking (in notepad) File > Save As...
* Save the log somewhere you can easily find it. (normally the desktop)
* Click close and close again to exit the program.
* Copy and Paste the log in your post.
***************************************************
Please download Malwarebytes Anti-Malware from [You must be registered and logged in to see this link.]
Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
****************************************************
Download DDS from [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.] and save it to your desktop.

* Vista users: right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)
* XP users: Double click on dds to run it.
* If your antivirus or firewall try to block DDS then please allow it to run.
* When finished DDS will open two (2) logs.
* Save both reports to your desktop.
* The instructions here ask you to attach the Attach.txt.

1) DDS.txt
2) Attach.txt
Instead of attaching, please copy/paste both logs into your Thread

Note: DDS will instruct you to post the Attach.txt log as an attachment.
Please just post it as you would any other log by copying and pasting it into the reply.

* Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control [You must be registered and logged in to see this link.]. Then post your DDS logs (DDS.txt and Attach.txt).

Superdave
Captain
Posts: 4202
Joined: 2010-02-01
Gender: Male
OS: Windows 8.1 and a dual-boot with XP Home SP3
Protection: MSE, Windows Defender, Windows firewall
Points: 83211
Likes: 0

Re: Possible infection

Post by Voods on 21st November 2011, 9:49 pm

Malwarebytes' Anti-Malware 1.51.2.1300
[You must be registered and logged in to see this link.]

Database version: 8211

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

21/11/2011 21:32:57
mbam-log-2011-11-21 (00-00-57).txt

Scan type: Full scan (C:\|)
Objects scanned: 219004
Time elapsed: 23 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: Possible infection

Post by Voods on 21st November 2011, 9:50 pm

SUPERAntiSpyware Scan Log
[You must be registered and logged in to see this link.]

Generated 11/21/2011 at 20:36 PM

Application Version : 5.0.1136

Core Rules Database Version : 7968
Trace Rules Database Version: 5780

Scan type : Complete Scan
Total Scan Time : 00:34:49

Operating System Information
Windows 7 Professional 32-bit, Service Pack 1 (Build 6.01.7601)
UAC Off - Administrator

Memory items scanned : 774
Memory threats detected : 0
Registry items scanned : 36865
Registry threats detected : 0
File items scanned : 101853
File threats detected : 7

Adware.Tracking Cookie
C:\Users\voodoo\AppData\Roaming\Microsoft\Windows\Cookies\4QA1P9YY.txt [ /ero-advertising.com ]
C:\Users\voodoo\AppData\Roaming\Microsoft\Windows\Cookies\SBLISU1E.txt [ /rambler.ru ]
C:\Users\voodoo\AppData\Roaming\Microsoft\Windows\Cookies\UFJ8Z9TW.txt [ /stats.ilivid.com ]
C:\Users\voodoo\AppData\Roaming\Microsoft\Windows\Cookies\7SAAMVWN.txt [ /yadro.ru ]
C:\USERS\VOODOO\Cookies\4QA1P9YY.txt [ Cookie:voodoo@ero-advertising.com/ ]
C:\USERS\VOODOO\Cookies\UFJ8Z9TW.txt [ Cookie:voodoo@stats.ilivid.com/ ]
C:\USERS\VOODOO\Cookies\7SAAMVWN.txt [ Cookie:voodoo@yadro.ru/ ]


Re: Possible infection

Post by Voods on 21st November 2011, 9:51 pm

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 10.1.0
Run by voodoo at 21:41:00 on 2011-11-21
Microsoft Windows 7 Professional 6.1.7601.1.1252.44.1033.18.3574.1914 [GMT 0:00]
.
AV: ESET Smart Security 4.2 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET Smart Security 4.2 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: ESET Personal firewall *Disabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\USB Safely Remove\USBSRService.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Protector Suite\upeksvr.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Easy-Hide-IP\services\EasyHideIp.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Easy-Hide-IP\services\EasyHideIP-Server2\Easy-Hide-IPS2.exe
C:\Program Files\Easy-Hide-IP\services\EasyHideIP-Server2\EasyHideIP-Server2.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService2.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Macrium\Reflect\ReflectService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Easy-Hide-IP\services\EasyHideIP-Server1\EasyHideIP-Server1.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Creative\Sound Blaster X-Fi Go Pro\Volume Panel\VolPanlu.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\GPSoftware\Directory Opus\dopusrt.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\DllHost.exe
C:\Windows\System32\svchost.exe -k NetworkServiceAndNoImpersonation
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Spyware Terminator\st_rsser.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = http=;ftp=;https=;
uURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll
mURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll
BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll
TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Directory Opus Desktop Dblclk] "c:\program files\gpsoftware\directory opus\dopusrt.exe" /dblclk
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil11c_Plugin.exe -update plugin
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi go pro\volume panel\VolPanlu.exe" /r
mRun: [SpywareTerminatorShield] c:\program files\spyware terminator\SpywareTerminatorShield.exe
mRun: [SpywareTerminatorUpdater] c:\program files\spyware terminator\SpywareTerminatorUpdate.exe
uPolicies-explorer: = 1519c7f4eecdb62e335357a37293da94
uPolicies-explorer: DisallowRun = 1 (0x1)
mPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - [You must be registered and logged in to see this link.]
DPF: {E705A591-DA3C-4228-B0D5-A356DBA42FBF} - [You must be registered and logged in to see this link.]
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - [You must be registered and logged in to see this link.]
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{483F3E33-C511-4DA6-8D30-A573F90C25E4} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{483F3E33-C511-4DA6-8D30-A573F90C25E4}\F42377962756C656373723031313 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{483F3E33-C511-4DA6-8D30-A573F90C25E4}\F42716E67656546493635463 : DhcpNameServer = 192.168.1.1
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
Notify: psfus - c:\program files\protector suite\psqlpwd.dll
SEH: Directory Opus Shell Execute Hook: {3cf9ece0-1a9f-11d2-8c73-00c06c2005de} - c:\program files\gpsoftware\directory opus\dopuslib.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli c:\program files\protector suite\psqlpwd.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\voodoo\appdata\roaming\mozilla\firefox\profiles\pl73f8rm.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\program files\orbitdownloader\addons\oneclickyoutubedownloader\components\GrabXpcom.dll
FF - component: c:\users\voodoo\appdata\roaming\mozilla\firefox\profiles\pl73f8rm.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - component: c:\users\voodoo\appdata\roaming\mozilla\firefox\profiles\pl73f8rm.default\extensions\passwordbank@upek.com\components\pbgk1_92.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npvsharetvplg.dll
FF - plugin: c:\program files\nitro pdf\reader\npdf.dll
FF - plugin: c:\program files\nitro pdf\reader\npnitromozilla.dll
FF - plugin: c:\users\voodoo\appdata\roaming\mozilla\firefox\profiles\pl73f8rm.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
.
============= SERVICES / DRIVERS ===============
.
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2011-7-1 16024]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-8-10 232512]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R1 sp_rsdrv2;Spyware Terminator 2012 Realtime Shield Driver;c:\windows\system32\drivers\sp_rsdrv2.sys [2011-11-15 32768]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2011-7-19 116608]
R2 eamonm;eamonm;c:\windows\system32\drivers\eamonm.sys [2010-6-24 136120]
R2 EasyHideIP;EasyHideIP;c:\program files\easy-hide-ip\services\EasyHideIp.exe [2011-9-4 45056]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2010-6-24 810144]
R2 epfwwfp;epfwwfp;c:\windows\system32\drivers\epfwwfp.sys [2010-4-28 41312]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-9-13 366152]
R2 NitroReaderDriverReadSpool2;NitroPDFReaderDriverCreatorReadSpool2;c:\program files\nitro pdf\reader\NitroPDFReaderDriverService2.exe [2011-6-21 196912]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2011-7-1 220824]
R2 ST2012_Svc;Spyware Terminator 2012 Realtime Shield Service;c:\program files\spyware terminator\st_rsser.exe [2011-11-15 482992]
R2 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2011-4-1 428640]
R2 USBSafelyRemoveService;USB Safely Remove Assistant;c:\program files\usb safely remove\USBSRService.exe [2011-5-10 251736]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
R3 btmhsf;btmhsf;c:\windows\system32\drivers\btmhsf.sys [2011-7-19 225280]
R3 iBtFltCoex;iBtFltCoex;c:\windows\system32\drivers\iBtFltCoex.sys [2011-7-20 47104]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-4-8 22216]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2011-1-12 125672]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-4-16 135664]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\common files\creative labs shared\service\AL6Licensing.exe [2011-7-14 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2011-7-14 79360]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-4-16 135664]
S3 ksaud;Creative USB Audio Driver;c:\windows\system32\drivers\ksaud.sys [2011-7-14 1254400]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2011-5-3 9216]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-4-11 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-4-8 1343400]
.
=============== Created Last 30 ================
.
2011-11-21 00:26:14 -------- d-----w- c:\users\voodoo\appdata\local\{E68C9731-BE1A-4631-8726-44F7C7DD1070}
2011-11-21 00:26:02 -------- d-----w- c:\users\voodoo\appdata\local\{FB061F4F-A5FC-442F-99E3-FFD6E1B62E9F}
2011-11-20 12:25:48 -------- d-----w- c:\users\voodoo\appdata\local\{47CF9C68-9529-44C3-BD6B-B54207E1C7DB}
2011-11-20 12:25:35 -------- d-----w- c:\users\voodoo\appdata\local\{88CE1673-6337-4C09-9723-9A50A4855A53}
2011-11-19 13:59:48 -------- d-----w- c:\users\voodoo\appdata\local\{8332B355-8568-4395-A819-B9899D770E6B}
2011-11-19 13:59:36 -------- d-----w- c:\users\voodoo\appdata\local\{962AD84C-D246-424E-B10F-64B9C7B2E204}
2011-11-19 11:00:06 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{9ec4b43b-70d9-47c3-99db-6b27ad1458e8}\offreg.dll
2011-11-19 11:00:03 6668624 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{9ec4b43b-70d9-47c3-99db-6b27ad1458e8}\mpengine.dll
2011-11-19 01:59:11 -------- d-----w- c:\users\voodoo\appdata\local\{A6A0CDB3-267E-4BE5-8F54-2D494B15CA8C}
2011-11-19 01:58:33 -------- d-----w- c:\users\voodoo\appdata\local\{FC2FD695-0BB2-4C68-A5F5-72258CB8B087}
2011-11-18 12:09:20 -------- d-----w- c:\users\voodoo\appdata\local\{0BD25494-C727-44AD-B8E1-E807BDE46DAC}
2011-11-18 12:09:08 -------- d-----w- c:\users\voodoo\appdata\local\{FFC3A4A8-D538-45EF-A6DB-316543F4AED7}
2011-11-17 12:52:15 -------- d-----w- c:\users\voodoo\appdata\local\{90233B95-4C57-487D-A752-79E3594B0770}
2011-11-16 15:02:19 -------- d-----w- c:\users\voodoo\appdata\local\{4D7F14F4-E3E5-432D-86BA-64B7E77A4AC2}
2011-11-16 15:02:06 -------- d-----w- c:\users\voodoo\appdata\local\{0DFF8769-45AF-448F-AAE3-CD3ED97072B5}
2011-11-15 19:14:40 -------- d-----w- c:\users\voodoo\appdata\local\{39923705-078A-4C2B-BCE2-36C38DF4A390}
2011-11-15 19:14:28 -------- d-----w- c:\users\voodoo\appdata\local\{48A9706F-06FF-4CC6-B205-5CFD2301C0C5}
2011-11-15 07:14:27 -------- d-----w- c:\users\voodoo\appdata\local\{C6B206F4-5265-4CCB-A206-5BAA933F9627}
2011-11-15 01:53:49 -------- d-----w- c:\users\voodoo\appdata\roaming\Spyware Terminator
2011-11-15 01:53:49 -------- d-----w- c:\programdata\Spyware Terminator
2011-11-15 01:53:46 -------- d-----w- c:\program files\Spyware Terminator
2011-11-15 01:32:55 32768 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2011-11-14 19:14:01 -------- d-----w- c:\users\voodoo\appdata\local\{47B4ADDB-C24F-4DCF-8949-1C53BBCF639F}
2011-11-14 19:13:43 -------- d-----w- c:\users\voodoo\appdata\local\{B394550F-1056-4684-B12A-D6F7683650F6}
2011-11-12 00:34:50 -------- d-----w- c:\users\voodoo\appdata\local\{2F0F669D-A68F-4689-AAD6-A1EB203F6B67}
2011-11-12 00:34:39 -------- d-----w- c:\users\voodoo\appdata\local\{ED4F1AA9-D483-462A-B0FE-F750F891E3C2}
2011-11-11 12:34:13 -------- d-----w- c:\users\voodoo\appdata\local\{84903DEC-F908-401E-B44C-E888D136C5AF}
2011-11-11 12:34:00 -------- d-----w- c:\users\voodoo\appdata\local\{8D88482E-EC7D-43AB-8F04-A7F16259A7AA}
2011-11-10 11:02:09 -------- d-----w- c:\users\voodoo\appdata\local\{EF0CF381-DFD0-4882-8A33-E6EF2F6DB8B7}
2011-11-10 10:59:00 -------- d-----w- c:\users\voodoo\appdata\local\{C618B157-D841-47BC-8BD2-E1C0F18E779D}
2011-11-09 17:47:17 1290608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-09 17:47:16 708608 ----a-w- c:\program files\common files\system\wab32.dll
2011-11-09 17:47:15 2341888 ----a-w- c:\windows\system32\win32k.sys
2011-11-09 15:47:21 -------- d-----w- c:\users\voodoo\appdata\local\{BBEB8089-843C-4583-9BE9-8728B4F23B44}
2011-11-09 15:47:10 -------- d-----w- c:\users\voodoo\appdata\local\{16048FF7-3D04-4080-BC3A-87182508DBDE}
2011-11-08 18:03:58 -------- d-----w- c:\users\voodoo\appdata\local\{F915B88E-61B4-40FF-9519-66609F2706A7}
2011-11-08 18:03:46 -------- d-----w- c:\users\voodoo\appdata\local\{260E6513-6342-416B-92F4-50F10BE8A7FF}
2011-11-07 22:55:45 152 ----a-w- c:\windows\system32\sysplog2.dll
2011-11-07 22:55:42 152 ----a-w- c:\windows\system32\sysplog.dll
2011-11-07 22:53:11 -------- d-----w- c:\program files\Auslogics
2011-11-07 22:38:14 -------- d-----w- c:\users\voodoo\appdata\local\{262D80D3-0AA9-4995-AFDC-7B38B0879F5C}
2011-11-07 22:37:56 -------- d-----w- c:\users\voodoo\appdata\local\{B79ACF03-8D24-4340-AFB6-19447780770C}
2011-11-07 20:43:03 67376 ------w- c:\windows\system32\SYSINFO.OCX
2011-11-07 20:43:03 260096 ------w- c:\windows\system32\RICHTX32.OCX
2011-11-07 20:43:03 244416 ------w- c:\windows\system32\MSFLXGRD.OCX
2011-11-07 20:43:03 152848 ------w- c:\windows\system32\COMDLG32.OCX
2011-11-07 20:43:03 132880 ------w- c:\windows\system32\MSINET.OCX
2011-11-07 20:42:51 -------- d-----w- c:\program files\Personal Chess Trainer 2007
2011-11-07 20:42:50 -------- d-----w- c:\programdata\Tarma Installer
2011-11-07 20:38:29 -------- d-----w- c:\program files\Kasparov Chessmate
2011-11-07 20:38:15 -------- d-----w- c:\program files\ReflexiveArcade
2011-11-07 18:43:26 -------- d-----w- c:\users\voodoo\appdata\local\{9FDAED04-04AD-4E2E-B0BC-9938D3B507A3}
2011-11-06 21:28:14 -------- d-----w- c:\program files\vShare.tv plugin
2011-11-06 19:38:18 -------- d-----w- c:\program files\WinDirStat
2011-11-06 15:19:11 -------- d-----w- c:\users\voodoo\appdata\local\{8A330A52-4E22-4F1A-8EB7-D20F38CBC659}
2011-11-06 15:18:59 -------- d-----w- c:\users\voodoo\appdata\local\{1A7D4B23-DA2A-4B29-B1C3-395483821A8C}
2011-11-06 03:18:43 -------- d-----w- c:\users\voodoo\appdata\local\{791999E5-248F-4C3C-8D61-862C980768E8}
2011-11-06 03:18:27 -------- d-----w- c:\users\voodoo\appdata\local\{250CEF3E-8193-4ADB-97E2-BB922C9EDFE5}
2011-11-05 11:30:04 -------- d-----w- c:\users\voodoo\appdata\local\{8E8B7CCC-CD0F-4FA0-925F-D4D2FDEC5180}
2011-11-05 11:29:52 -------- d-----w- c:\users\voodoo\appdata\local\{C64EB99D-D55F-40B9-BA29-3D11FC9EB12C}
2011-11-04 22:20:13 -------- d-----w- c:\users\voodoo\appdata\local\{3A9C5B0B-5DB3-49BA-930A-15534F57DD53}
2011-11-04 22:20:01 -------- d-----w- c:\users\voodoo\appdata\local\{01EE31FA-0BDB-48AF-B32F-DBFB0F02558E}
2011-11-04 10:19:43 -------- d-----w- c:\users\voodoo\appdata\local\{059EA6A7-73EF-4AE8-8683-C72B20E260FE}
2011-11-03 21:51:48 -------- d-----w- c:\users\voodoo\appdata\local\{725A7DD5-2144-4B78-BBDE-2C819C6261C4}
2011-11-03 20:33:14 -------- d-----w- c:\program files\SopCast
2011-11-03 09:51:20 -------- d-----w- c:\users\voodoo\appdata\local\{B625CD2B-0E6E-4FE1-A12D-1ECCE6A64531}
2011-11-03 09:51:08 -------- d-----w- c:\users\voodoo\appdata\local\{1358D814-8FD2-4189-841B-E1218D571952}
2011-11-02 19:13:46 -------- d-----w- c:\users\voodoo\appdata\local\{85ADE004-BA8F-4DE4-AB12-92340648A6BF}
2011-11-02 19:13:34 -------- d-----w- c:\users\voodoo\appdata\local\{B97DF925-37E0-41C3-877A-C0868A8C74F3}
2011-11-01 18:13:53 -------- d-----w- c:\windows\pss
2011-11-01 14:27:19 -------- d-----w- c:\users\voodoo\appdata\local\{5F7DD2DB-5C07-487C-8DFF-64A89ADD8636}
2011-11-01 14:27:02 -------- d-----w- c:\users\voodoo\appdata\local\{6EB04D1B-091E-4B4C-BE7F-B671F9A9A7DB}
2011-10-31 17:57:29 -------- d-----w- c:\users\voodoo\appdata\local\{8988F736-451A-4288-B397-522029EADA81}
2011-10-31 17:57:17 -------- d-----w- c:\users\voodoo\appdata\local\{FC195B6C-BDD0-41A6-8710-DF4633B67C18}
2011-10-31 14:56:57 -------- d-----w- c:\users\voodoo\appdata\roaming\Spotify
2011-10-31 14:56:57 -------- d-----w- c:\users\voodoo\appdata\local\Spotify
2011-10-31 14:56:55 -------- d-----w- c:\program files\Spotify
2011-10-30 23:31:28 -------- d-----w- c:\users\voodoo\appdata\local\{321E5DE0-4D22-4D19-AE87-5C2F1A974FAA}
2011-10-30 23:31:16 -------- d-----w- c:\users\voodoo\appdata\local\{CEBA4C86-4384-446D-9647-C1CC98DEB5F2}
2011-10-30 11:31:03 -------- d-----w- c:\users\voodoo\appdata\local\{73B27D04-2E3D-4D23-9014-735C2D39E906}
2011-10-30 11:30:51 -------- d-----w- c:\users\voodoo\appdata\local\{53FF44C7-D050-4206-BF64-15A178252B74}
2011-10-29 23:30:38 -------- d-----w- c:\users\voodoo\appdata\local\{EFDE27F3-0209-4CCC-B8F5-454114AB5892}
2011-10-29 23:30:27 -------- d-----w- c:\users\voodoo\appdata\local\{BCD50E96-961C-4791-8E47-42BFCB8E5295}
2011-10-29 12:24:27 -------- d-----w- C:\Restoration
2011-10-29 12:07:20 -------- d-----w- c:\program files\O2Micro OZ776 SCR Driver
2011-10-29 11:30:00 -------- d-----w- c:\users\voodoo\appdata\local\{D8720BB0-6BDD-4F93-836E-F3A7BF7B4614}
2011-10-29 11:29:48 -------- d-----w- c:\users\voodoo\appdata\local\{6BC3863E-6CC8-4F3D-ABFC-14595537AD6A}
2011-10-28 23:29:35 -------- d-----w- c:\users\voodoo\appdata\local\{96AD6D17-A85A-4FE0-94E6-5307954EE330}
2011-10-28 23:29:24 -------- d-----w- c:\users\voodoo\appdata\local\{D7B011B7-F990-47C5-A934-287DC7F5C696}
2011-10-28 11:29:11 -------- d-----w- c:\users\voodoo\appdata\local\{6837B9F4-89CC-419F-9572-0F102ED7B0FD}
2011-10-28 11:28:59 -------- d-----w- c:\users\voodoo\appdata\local\{F58E0239-858A-4224-B363-178C846FE518}
2011-10-27 23:08:47 -------- d-----w- c:\users\voodoo\appdata\local\{F7402628-5E47-4B3C-99D5-59FAC4EFF41C}
2011-10-27 23:08:35 -------- d-----w- c:\users\voodoo\appdata\local\{24D7A021-1C88-4174-B716-6E415771478D}
2011-10-27 11:08:01 -------- d-----w- c:\users\voodoo\appdata\local\{D0065B91-1700-4399-95C1-2D1D241637C2}
2011-10-27 11:07:40 -------- d-----w- c:\users\voodoo\appdata\local\{C1EACFCE-7A56-4F6F-9775-359205A61E2C}
2011-10-26 16:59:20 -------- d-----w- c:\users\voodoo\appdata\local\{BE111257-3518-4337-BD9D-1D23B7C28048}
2011-10-26 16:59:02 -------- d-----w- c:\users\voodoo\appdata\local\{A95F9060-4BA1-4A74-8A66-68FC0DF022B2}
2011-10-26 12:34:05 6144 ----a-w- c:\program files\internet explorer\iecompat.dll
2011-10-25 15:08:43 -------- d-----w- c:\users\voodoo\appdata\local\{60A3F06F-D5A8-45AD-821D-3DFC7AE4695D}
2011-10-25 15:08:00 -------- d-----w- c:\users\voodoo\appdata\local\{5C79F2F5-B5BE-4046-AEF6-FD1323129ECE}
2011-10-24 22:29:52 -------- d-----w- c:\users\voodoo\appdata\local\{BFCF2F61-3115-439B-AD3E-89E94F159242}
2011-10-24 22:29:40 -------- d-----w- c:\users\voodoo\appdata\local\{BDC9127B-8AE3-4325-9B09-2E591B128239}
2011-10-24 10:29:10 -------- d-----w- c:\users\voodoo\appdata\local\{53168631-91E9-4CD1-A8BC-7985E98F74A6}
2011-10-23 17:56:10 -------- d-----w- c:\users\voodoo\appdata\roaming\desksware
2011-10-23 17:56:10 -------- d-----w- c:\program files\desksware
2011-10-23 12:48:15 -------- d-----w- c:\users\voodoo\appdata\local\{27CC8A2B-867D-4502-9822-C8BD512E5B67}
2011-10-23 12:48:04 -------- d-----w- c:\users\voodoo\appdata\local\{5A0DB1FB-FA4A-49FC-88C1-74C92ECCBF3B}
.
==================== Find3M ====================
.
2011-10-25 00:05:46 544656 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-13 16:15:35 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-01 02:42:56 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-09-21 11:10:11 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-08-31 16:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-27 04:26:27 571904 ----a-w- c:\windows\system32\oleaut32.dll
2011-08-27 04:26:27 233472 ----a-w- c:\windows\system32\oleacc.dll
.
============= FINISH: 21:41:47.45 ===============

Voods

Re: Possible infection

Post by Voods on 21st November 2011, 9:52 pm

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 08/04/2011 15:03:18
System Uptime: 16/11/2011 22:47:08 (119 hours ago)
.
Motherboard: Dell Inc. | | 0KU184
Processor: Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz | Microprocessor | 2001/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 74 GiB total, 6.25 GiB free.
D: is CDROM (CDFS)
E: is CDROM ()
F: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP165: 20/11/2011 22:05:10 - OTL Restore Point - 20/11/2011 22:05:10
.
==== Installed Programs ======================
.
7-Zip 9.20
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Shockwave Player 11.6
Apple Application Support
Apple Software Update
Auslogics Disk Defrag
AvaCam v3.2.0
Bandicam
Bandisoft MPEG-1 Decoder
CameraHelperMsi
CCleaner
Cheetah DVD Burner
Cisco Network Magic
Conduit Engine
Creative System Information
D3DX10
DAEMON Tools Lite
Defraggler
Desktop iCalendar Lite 1.9.3.0
Doom Rails
Driving Test Success - All Tests 2011 Edition (Update 1)
Easy-Hide-IP 1.6
Easy DVD Rip
erLT
ESET Smart Security
Express Burn Disc Burning Software
Express Rip
Extreme Picture Finder 3.13.2
FaceGen Modeller 3.4
FileHippo.com Update Checker
FLV Player
foobar2000 v1.1.9
Foxit Reader
Foxit Toolbar
Free Registry Defrag
Freecorder 4
Freecorder Toolbar
Google Book Downloader
Google Update Helper
GPSoftware Directory Opus
HD Tune 2.55
HiJackThis
Intel(R) Graphics Media Accelerator Driver
Intel(R) TV Wizard
Java Auto Updater
Java(TM) 6 Update 22
Java(TM) 6 Update 26
Java(TM) 7 Update 1
Kasparov Chessmate
Logitech Vid HD
Logitech Webcam Software
Logitech Webcam Software Driver Package
LOOXIS Faceworx 1.0
LWS Facebook
LWS Gallery
LWS Help_main
LWS Launcher
LWS Motion Detection
LWS Pictures And Video
LWS Twitter
LWS Video Mask Maker
LWS VideoEffects
LWS Webcam Software
LWS WLM Plugin
LWS YouTube Plugin
Macrium Reflect - Free Edition
Malwarebytes' Anti-Malware version 1.51.2.1300
Marble Blast
MediaMonkey 3.2
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft IntelliPoint 8.2
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Minigolf Adventures
MixPad Audio Mixer
Mozilla Firefox (3.6.17)
MSVCRT
Network Magic
Nitro PDF Reader 2
OpenOffice.org 3.3
Orbit Downloader
Oz776 SCR Driver V1.1.4.2
Paint Shop Pro 6.02 EVAL
Personal Chess Trainer 2007 3.02
Pidgin
Platinum Hide IP
Power Tab Editor 1.7
PrimoPDF -- brought to you by Nitro PDF Software
Protector Suite 2011
Pure Networks Platform
QuickTime
RapidShare Manager
RecordPad Sound Recorder
Recuva
Riva FLV Encoder 2.0
Sandboxie 3.52
Seamless3d 2.171
SeaTools for Windows
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Slice Audio File Splitter
SopCast 2.0.4
Sound Blaster X-Fi Go! Pro
Speccy
Spider Player 2.5.3
Spotify
Spyware Terminator 2012
SpywareBlaster 4.4
SUPERAntiSpyware
Switch Sound File Converter
swMSM
TablEdit 2.69
TEFView 2.71
UltraPlayer
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
USB Safely Remove 4.5
Virtual Pool 3 DL
VisDir Free Disk Space Finder v 1.5
VLC media player 1.1.9
vShare.tv plugin 1.3
WavePad Sound Editor
WinDirStat 1.1.2
Windows Essentials Media Codec Pack 3.4 [32-Bit]
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Messenger
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Media Player Firefox Plugin
WinRAR 4.00 (32-bit)
XviD & MP3 Codec Pack (remove only)
XviD MPEG-4 Video Codec
ZTE_1.2059.0.8
.
==== Event Viewer Messages From Past Week ========
.
21/11/2011 15:53:23, Error: Microsoft-Windows-DistributedCOM [10001] - Unable to start a DCOM Server: {F87B28F1-DA9A-4F35-8EC0-800EFCF26B83} as /. The error: "5" Happened while starting this command: C:\Windows\System32\slui.exe -Embedding
19/11/2011 04:06:05, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
.
==== End Of File ===========================

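One quick triage pass over the "Installed Programs" section of an Attach.txt like the one above is to look for products present in more than one version: here the three Java runtimes (6 Update 22, 6 Update 26 and 7 Update 1) sitting side by side, and the IE Flash control (Flash Player 10 ActiveX) a major version behind the browser-plugin build (Flash Player 11 Plugin). The script below is an added example for this thread, not part of DDS, ComboFix or the poster's logs. The sample input is a subset copied from the Attach.txt above; the product/version split is this example's own heuristic, and the list of families that legitimately install side by side (Visual C++ redistributables, .NET Framework updates) is an assumption to extend as needed.

```python
"""Flag products listed more than once, in different versions, in the
"Installed Programs" section of a DDS Attach.txt.

Added example for this thread; not part of DDS, ComboFix or the poster's
logs. The product/version split below is this example's own heuristic.
"""
import re
from collections import defaultdict

# Subset of the "Installed Programs" section copied from the Attach.txt
# posted above; the "==== ... ====" headers are DDS's own section format.
SAMPLE_ATTACH = """\
==== Installed Programs ======================
.
7-Zip 9.20
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Java Auto Updater
Java(TM) 6 Update 22
Java(TM) 6 Update 26
Java(TM) 7 Update 1
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.6.17)
VLC media player 1.1.9
.
==== Event Viewer Messages From Past Week ========
.
"""

SECTION_RE = re.compile(r"^==== (?P<name>.+?) =+\s*$")
YEAR_RE = re.compile(r"(19|20)\d\d")

# Assumption: product families whose side-by-side installs are by design,
# so a multi-version hit is expected rather than a cleanup candidate.
COEXIST_BY_DESIGN = (
    re.compile(r"^Microsoft Visual C\+\+ \d{4} Redistributable"),
    re.compile(r"^(Security )?Update for Microsoft \.NET Framework"),
)


def parse_sections(text):
    """Split Attach.txt into {section name: [entry lines]}; '.' spacers dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        m = SECTION_RE.match(raw)
        if m:
            current = m.group("name")
            sections[current] = []
        elif current is not None and raw.strip() not in ("", "."):
            sections[current].append(raw.strip())
    return sections


def _is_version_token(tok):
    """A token starting with a digit, except a 4-digit year ('Visual C++ 2008')."""
    t = tok.strip("()[]")
    return t[:1].isdigit() and not YEAR_RE.fullmatch(t)


def split_product_version(entry):
    """'Java(TM) 6 Update 22' -> ('Java(TM)', '6 Update 22').

    The first token always belongs to the product ('7-Zip 9.20'); the version
    starts at the first later token that looks like a version number.
    """
    tokens = entry.split()
    for i in range(1, len(tokens)):
        if _is_version_token(tokens[i]):
            product = " ".join(tokens[:i])
            version = " ".join(tokens[i:])
            m = re.fullmatch(r"\((.*)\)", version)  # 'Mozilla Firefox (3.6.17)'
            return product, (m.group(1) if m else version)
    return entry, ""


def expected_to_coexist(product):
    """True for families that are installed side by side by design."""
    return any(p.match(product) for p in COEXIST_BY_DESIGN)


def find_multiversion(attach_text):
    """Return {product: sorted versions} for products installed in 2+ versions."""
    programs = parse_sections(attach_text).get("Installed Programs", [])
    versions = defaultdict(set)
    for entry in programs:
        product, version = split_product_version(entry)
        if version:
            versions[product].add(version)
    return {p: sorted(v) for p, v in versions.items() if len(v) > 1}


if __name__ == "__main__":
    for product, vers in sorted(find_multiversion(SAMPLE_ATTACH).items()):
        tag = "expected" if expected_to_coexist(product) else "REVIEW"
        print(f"[{tag}] {product}: {', '.join(vers)}")
```

Run as-is it reports three hits from the sample; pass the text of a full Attach.txt to `find_multiversion` to triage a real log. Entries tagged `expected` belong to families that ship side by side by design; `REVIEW` entries are the ones worth raising with the poster, which here means the superseded Java 6 updates alongside Java 7 Update 1 and the Flash 10 ActiveX control next to the Flash 11 plugin. The heuristic is coarse (a version string may carry trailing words such as "ActiveX" or "Plugin"), so the output is a shortlist for a human, not a verdict.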

Re: Possible infection

Post by Superdave on 21st November 2011, 11:26 pm

Download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop.

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click [You must be registered and logged in to see this link.] to see a list of security programs that should be disabled and how to disable them.

Right-click combofix.exe and select Run as Administrator and follow the prompts.
When finished, ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.


Re: Possible infection

Post by Voods on 22nd November 2011, 1:06 am

ComboFix 11-11-21.01 - voodoo 22/11/2011 0:51.1.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.44.1033.18.3574.2613 [GMT 0:00]
Running from: c:\users\voodoo\Desktop\ComboFix.exe
AV: ESET Smart Security 4.2 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
FW: ESET Personal firewall *Disabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
SP: ESET Smart Security 4.2 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Tarma Installer
c:\programdata\Tarma Installer\{7514BBA2-951B-45A0-BA2B-CA259968C9ED}\_Setup.dll
c:\programdata\Tarma Installer\{7514BBA2-951B-45A0-BA2B-CA259968C9ED}\Setup.dat
c:\programdata\Tarma Installer\{7514BBA2-951B-45A0-BA2B-CA259968C9ED}\Setup.exe
c:\programdata\Tarma Installer\{7514BBA2-951B-45A0-BA2B-CA259968C9ED}\Setup.ico
c:\windows\host32.exe
c:\windows\system32\ntos.exe
c:\windows\system32\sdra64.exe
c:\windows\system32\sysplog.dll
c:\windows\system32\sysplog2.dll
c:\windows\system32\twext.exe
c:\windows\system32\vid_conv2.dll
c:\windows\system32\vid_core2.dll
c:\windows\system32\vid_format2.dll
c:\windows\system32\vid_multi2.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-10-22 to 2011-11-22 )))))))))))))))))))))))))))))))
.
.
2011-11-22 00:59 . 2011-11-22 00:59 -------- d-----w- c:\users\voodoo\AppData\Local\temp
2011-11-19 11:00 . 2011-10-07 03:48 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{9EC4B43B-70D9-47C3-99DB-6B27AD1458E8}\mpengine.dll
2011-11-15 01:53 . 2011-11-21 11:52 -------- d-----w- c:\programdata\Spyware Terminator
2011-11-15 01:53 . 2011-11-15 01:53 -------- d-----w- c:\users\voodoo\AppData\Roaming\Spyware Terminator
2011-11-15 01:53 . 2011-11-16 10:40 -------- d-----w- c:\program files\Spyware Terminator
2011-11-15 01:32 . 2011-06-21 11:24 32768 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2011-11-09 17:47 . 2011-09-29 16:03 1290608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-09 17:47 . 2011-10-01 04:37 708608 ----a-w- c:\program files\Common Files\System\wab32.dll
2011-11-09 17:47 . 2011-09-29 03:37 2341888 ----a-w- c:\windows\system32\win32k.sys
2011-11-07 22:53 . 2011-11-07 22:53 -------- d-----w- c:\program files\Auslogics
2011-11-07 20:43 . 2004-03-09 18:45 152848 ------w- c:\windows\system32\COMDLG32.OCX
2011-11-07 20:43 . 2004-03-09 18:45 132880 ------w- c:\windows\system32\MSINET.OCX
2011-11-07 20:43 . 2003-04-10 09:46 260096 ------w- c:\windows\system32\RICHTX32.OCX
2011-11-07 20:43 . 2000-05-22 04:00 244416 ------w- c:\windows\system32\MSFLXGRD.OCX
2011-11-07 20:43 . 1998-06-24 03:00 67376 ------w- c:\windows\system32\SYSINFO.OCX
2011-11-07 20:42 . 2011-11-07 22:55 -------- d-----w- c:\program files\Personal Chess Trainer 2007
2011-11-07 20:38 . 2011-11-14 22:04 -------- d-----w- c:\program files\Kasparov Chessmate
2011-11-07 20:38 . 2011-11-07 20:38 -------- d-----w- c:\program files\ReflexiveArcade
2011-11-06 21:28 . 2011-11-07 18:40 -------- d-----w- c:\program files\vShare.tv plugin
2011-11-06 19:38 . 2011-11-06 19:38 -------- d-----w- c:\program files\WinDirStat
2011-11-03 20:33 . 2011-11-03 20:33 -------- d-----w- c:\program files\SopCast
2011-10-31 15:02 . 2011-10-31 15:02 -------- d-----w- c:\users\voodoo\AppData\Roaming\Recordpad
2011-10-31 14:56 . 2011-11-01 17:31 -------- d-----w- c:\users\voodoo\AppData\Roaming\Spotify
2011-10-31 14:56 . 2011-11-01 17:27 -------- d-----w- c:\users\voodoo\AppData\Local\Spotify
2011-10-31 14:56 . 2011-10-31 14:56 -------- d-----w- c:\program files\Spotify
2011-10-29 12:34 . 2011-10-29 12:34 -------- d-----w- c:\program files\Recuva
2011-10-29 12:24 . 2011-10-29 12:24 -------- d-----w- C:\Restoration
2011-10-29 12:07 . 2011-10-29 12:07 -------- d-----w- c:\program files\O2Micro OZ776 SCR Driver
2011-10-26 12:34 . 2011-08-13 04:18 6144 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2011-10-23 17:56 . 2011-10-23 17:56 -------- d-----w- c:\users\voodoo\AppData\Roaming\desksware
2011-10-23 17:56 . 2011-10-23 17:56 -------- d-----w- c:\program files\desksware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-25 00:05 . 2011-04-08 22:26 544656 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-13 16:15 . 2011-05-20 14:17 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-06 13:57 . 2011-10-06 13:57 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-10-01 02:42 . 2011-10-12 13:31 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-09-21 11:10 . 2011-09-21 11:10 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-08-31 16:00 . 2011-04-08 22:09 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-27 04:26 . 2011-10-12 13:32 571904 ----a-w- c:\windows\system32\oleaut32.dll
2011-08-27 04:26 . 2011-10-12 13:32 233472 ----a-w- c:\windows\system32\oleacc.dll
2011-10-28 11:43 . 2011-06-23 11:38 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-05-11 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7601.17514] . . c:\windows\System32\user32.dll
[7] 2010-11-20 . F1DD3ACAEE5E6B4BBC69BC6DF75CEF66 . 811520 . . [6.1.7601.17514] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll
[7] 2009-07-14 . 34B7E222E81FAFA885F0C5F2CFA56861 . 811520 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\prxtbFre0.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2011-01-17 14:54 175912 ----a-w- c:\program files\Freecorder\prxtbFre0.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 14:54 175912 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\prxtbFre0.dll" [2011-01-17 175912]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\program files\Freecorder\prxtbFre0.dll" [2011-01-17 175912]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2011-04-07 23:01 5066568 ----a-w- c:\program files\Protector Suite\farchns.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2011-04-07 23:01 5066568 ----a-w- c:\program files\Protector Suite\farchns.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2011-05-13 4283256]
"Directory Opus Desktop Dblclk"="c:\program files\GPSoftware\Directory Opus\dopusrt.exe" [2010-10-12 271840]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2010-06-24 2202704]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi Go Pro\Volume Panel\VolPanlu.exe" [2010-02-18 241789]
"SpywareTerminatorShield"="c:\program files\Spyware Terminator\SpywareTerminatorShield.exe" [2011-09-28 2775728]
"SpywareTerminatorUpdater"="c:\program files\Spyware Terminator\SpywareTerminatorUpdate.exe" [2011-09-28 3609776]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
""= 1519c7f4eecdb62e335357a37293da94
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{3CF9ECE0-1A9F-11D2-8C73-00C06C2005DE}"= "c:\program files\GPSoftware\Directory Opus\dopuslib.dll" [2010-10-12 837592]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2011-04-07 22:45 101192 ----a-w- c:\program files\Protector Suite\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\program files\Protector Suite\psqlpwd.dll
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\startupfolder\C:^Users^voodoo^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.3.lnk]
path=c:\users\voodoo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
backup=c:\windows\pss\OpenOffice.org 3.3.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative SB Monitoring Utility]
2010-08-03 04:28 104448 ----a-w- c:\windows\System32\SBAVMon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Software Update]
2009-06-19 09:26 623416 ------w- c:\program files\Creative\Shared Files\Software Update\AutoUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CreativeTaskScheduler]
2006-11-17 09:42 53341 ------w- c:\program files\Creative\Shared Files\CTSched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2011-08-02 07:33 4910912 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Desktop iCalendar Lite.exe]
2010-07-21 14:07 962048 ----a-w- c:\program files\desksware\Desktop iCalendar Lite\Desktop iCalendar Lite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Directory Opus Desktop Dblclk]
2010-10-12 12:35 271840 ----a-w- c:\program files\GPSoftware\Directory Opus\dopusrt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileHippo.com]
2010-08-09 12:47 248832 ----a-w- c:\program files\FileHippo.com\UpdateChecker.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Freecorder FLV Service]
2011-03-24 06:11 167936 ----a-w- c:\program files\Freecorder\FLVSrvc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
2011-01-13 02:01 6129496 ----a-w- c:\program files\Logitech\Vid HD\Vid.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWS]
2010-05-07 17:35 165208 ----a-w- c:\program files\Logitech\LWS\Webcam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2011-05-13 15:03 4283256 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmapp]
2011-06-25 14:54 472112 ----a-w- c:\program files\Pure Networks\Network Magic\nmapp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmctxth]
2009-07-07 13:48 647216 ----a-w- c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2009-09-23 18:30 150552 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSQLLauncher]
2011-04-07 21:39 55624 ----a-w- c:\program files\Protector Suite\launcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 16:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recordpad]
2011-10-31 15:01 1240068 ----a-w- c:\program files\NCH Software\Recordpad\recordpad.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SandboxieControl]
2011-01-12 14:35 405736 ----a-w- c:\program files\Sandboxie\SbieCtrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-05-04 12:59 252136 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-11-16 01:24 4617600 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 00:00 90112 ------w- c:\windows\Updreg.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USB Safely Remove]
2011-01-28 01:12 1802584 ----a-w- c:\program files\USB Safely Remove\USBSafelyRemove.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 EasyHideIP;EasyHideIP;c:\program files\Easy-Hide-IP\services\EasyHideIp.exe [2007-01-09 45056]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-04-16 135664]
R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2011-07-14 79360]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-07-14 79360]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-04-16 135664]
R3 ksaud;Creative USB Audio Driver;c:\windows\system32\drivers\ksaud.sys [2010-08-11 1254400]
R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2010-01-19 9216]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-04-08 1343400]
S0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\DRIVERS\pssnap.sys [2011-07-01 16024]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2011-08-10 232512]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2010-04-28 114984]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
S1 sp_rsdrv2;Spyware Terminator 2012 Realtime Shield Driver;c:\windows\system32\drivers\sp_rsdrv2.sys [2011-06-21 32768]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-09-05 116608]
S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2010-06-24 136120]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2010-06-24 810144]
S2 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys [2010-04-28 41312]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
S2 NitroReaderDriverReadSpool2;NitroPDFReaderDriverCreatorReadSpool2;c:\program files\Nitro PDF\Reader\NitroPDFReaderDriverService2.exe [2011-06-21 196912]
S2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [2011-07-01 220824]
S2 ST2012_Svc;Spyware Terminator 2012 Realtime Shield Service;c:\program files\Spyware Terminator\st_rsser.exe [2011-09-28 482992]
S2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2011-04-01 428640]
S2 USBSafelyRemoveService;USB Safely Remove Assistant;c:\program files\USB Safely Remove\USBSRService.exe [2011-01-28 251736]
S3 btmhsf;btmhsf;c:\windows\system32\DRIVERS\btmhsf.sys [2011-07-19 225280]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-05-18 40320]
S3 iBtFltCoex;iBtFltCoex;c:\windows\system32\DRIVERS\iBtFltCoex.sys [2011-07-20 47104]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]
S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-16 17:15]
.
2011-11-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-16 17:15]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = http=;ftp=;https=;
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1
DPF: {E705A591-DA3C-4228-B0D5-A356DBA42FBF} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\users\voodoo\AppData\Roaming\Mozilla\Firefox\Profiles\pl73f8rm.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
MSConfigStartUp-ApnUpdater - c:\program files\Ask.com\Updater\Updater.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
AddRemove-{7514BBA2-951B-45A0-BA2B-CA259968C9ED} - c:\progra~2\TARMAI~1\{7514B~1\Setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Environment*]
"Licence0"="04F0D21-79D8-7A25-D702-433F"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0009\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0010\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0011\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0012\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0013\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0014\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0015\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0016\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(520)
c:\program files\Protector Suite\psqlpwd.dll
c:\program files\Protector Suite\homefus2.dll
c:\program files\Protector Suite\infql2.dll
.
Completion time: 2011-11-22 01:02:05
ComboFix-quarantined-files.txt 2011-11-22 01:02
.
Pre-Run: 6,704,185,344 bytes free
Post-Run: 6,497,677,312 bytes free
.
- - End Of File - - F509A49EF8FE63BB3F52947A14885A9D


Re: Possible infection

Post by Voods on 24th November 2011, 11:33 pm

Hi

It's been a few days since a reply. I'm still having problems after the ComboFix scan. It seemed to find many rootkits. Are they gone now?
A hell of a lot of files from my ProgramData folder have gone, and I seem to have no restore points.

Regards


Re: Possible infection

Post by Superdave on 25th November 2011, 6:36 pm

Sorry for being so late. Something's not working correctly with the notifications. I check this site about three times a day.

It seemed to find many rootkits. Are they gone now?
Where do you see the rootkits?

SysProt Antirootkit

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

[You must be registered and logged in to see this link.]

Unzip it into a folder on your desktop.

  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items.

    • Process << Selected
    • Kernel Modules << Selected
    • SSDT << Selected
    • Kernel Hooks << Selected
    • IRP Hooks << NOT Selected
    • Ports << NOT Selected
    • Hidden Files << Selected

  • At the bottom of the page

    • Hidden Objects Only << Selected

  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.


Re: Possible infection

Post by Voods on 26th November 2011, 7:31 pm

Hi there


No problem... The rootkits were located in

c:\programdata\Tarma Installer
c:\programdata\Tarma Installer\{7514BBA2-951B-45A0-BA2B-CA259968C9ED}\_Setup.dll
c:\programdata\Tarma Installer\{7514BBA2-951B-45A0-BA2B-CA259968C9ED}\Setup.dat
c:\programdata\Tarma Installer\{7514BBA2-951B-45A0-BA2B-CA259968C9ED}\Setup.exe
c:\programdata\Tarma Installer\{7514BBA2-951B-45A0-BA2B-CA259968C9ED}\Setup.ico
c:\windows\host32.exe
c:\windows\system32\ntos.exe
c:\windows\system32\sdra64.exe
c:\windows\system32\sysplog.dll
c:\windows\system32\sysplog2.dll
c:\windows\system32\twext.exe

Here is the log for SysProt

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_dumpata.sys
Service Name: ---
Module Base: 9ADF5000
Module End: 9AE00000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: 9AC00000
Module End: 9AC09000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_dumpfve.sys
Service Name: ---
Module Base: 9AC09000
Module End: 9AC1A000
Hidden: Yes

Module Name: \??\C:\Users\voodoo\AppData\Local\Temp\aswMBR.sys
Service Name: aswMBR
Module Base: 9CF1F000
Module End: 9CF2A000
Hidden: Yes

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\downloads\temp mp3\Alice Ortt\01 12 Etudes d'exécution transcendante, S.139_ No.1 Prélude (Presto).flac
Status: Hidden

Object: C:\downloads\temp mp3\Alice Ortt\02 12 Etudes d'exécution transcendante, S.139_ No.2 Molto vivace.flac
Status: Hidden

Object: C:\downloads\temp mp3\Alice Ortt\03 12 Etudes d'exécution transcendante, S.139_ No.3 Paysage (Poco adagio).flac
Status: Hidden

Object: C:\downloads\temp mp3\Alice Ortt\04 12 Etudes d'exécution transcendante, S.139_ No.4 Mazeppa (Presto).flac
Status: Hidden

Object: C:\downloads\temp mp3\Alice Ortt\05 12 Etudes d'exécution transcendante, S.139_ No.5 Feux follets (Allegretto).flac
Status: Hidden

Object: C:\downloads\temp mp3\Alice Ortt\06 12 Etudes d'exécution transcendante, S.139_ No.6 Vision (Lento).flac
Status: Hidden

Object: C:\downloads\temp mp3\Alice Ortt\07 12 Etudes d'exécution transcendante, S.139_ No.7 Eroica (Allegro).flac
Status: Hidden

Object: C:\downloads\temp mp3\Alice Ortt\08 12 Etudes d'exécution transcendante, S.139_ No.8 Wilde Jagd (Presto furioso).flac
Status: Hidden

Object: C:\downloads\temp mp3\Alice Ortt\09 12 Etudes d'exécution transcendante, S.139_ No.9 Ricordanza (Andantino).flac
Status: Hidden

Object: C:\downloads\temp mp3\Alice Ortt\10 12 Etudes d'exécution transcendante, S.139_ No.10 Allegro agitato molto.flac
Status: Hidden

Object: C:\downloads\temp mp3\Alice Ortt\11 12 Etudes d'exécution transcendante, S.139_ No.11 Harmonies du soir (Andantino).flac
Status: Hidden

Object: C:\downloads\temp mp3\Alice Ortt\12 12 Etudes d'exécution transcendante, S.139_ No.12 Chasse neige (Andante con moto).flac
Status: Hidden

Object: C:\My Documents\My Pictures\Helium Music Manager\Album Pictures\Jeno Jandó, piano - FRANZ LISZT_ Complete Piano Music, Vol. 12 - Hungarian Rhapsodies, Volume 1 _ Jeno Jandó.jpg
Status: Hidden

Object: C:\Qoobox\BackEnv\AppData.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Cache.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Cookies.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Desktop.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Favorites.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\History.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Music.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\NetHood.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Personal.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Pictures.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Programs.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Recent.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SendTo.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SetPath.bat
Status: Access denied

Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\StartUp.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SysPath.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Templates.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\VikPev00
Status: Access denied

Object: C:\System Volume Information\WindowsImageBackup\SPPMetadataCache
Status: Access denied

Object: C:\Users\voodoo\AppData\Local\FLVService\YouTube - ?Chopin 24 Preludes Op 28, No 8??.bin
Status: Hidden

Object: C:\Users\voodoo\Downloads\????????????!_2.mp4
Status: Hidden

Object: C:\Windows\CSC\v2.0.6\namespace
Status: Access denied

Object: C:\Windows\CSC\v2.0.6\pq
Status: Access denied

Object: C:\Windows\CSC\v2.0.6\sm
Status: Access denied

Object: C:\Windows\CSC\v2.0.6\temp
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession7.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTUBPM.etl
Status: Access denied






Re: Possible infection

Post by Superdave on 26th November 2011, 7:47 pm

What makes you think those are rootkits? They were removed by ComboFix.

I'd like to scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
[You must be registered and logged in to see this link.]
• Click the button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.

• Check
• Click the button.
• Accept any security warnings from your browser.
• Check
• Push the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push
• Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Push the button.
• Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt


Re: Possible infection

Post by Voods on 27th November 2011, 1:43 pm

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=3a1d20a23ab10f469208b1d7d061f1d3
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-11-26 09:14:57
# local_time=2011-11-26 09:14:57 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=512 16777215 100 0 15578132 15578132 0 0
# compatibility_mode=5893 16776573 100 94 98817 74803980 0 0
# compatibility_mode=8206 39157117 100 93 28468 5644755 0 0
# scanned=176203
# found=0
# cleaned=0
# scan_time=4508
# nod_component=V3 Build:0x30000000
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=3a1d20a23ab10f469208b1d7d061f1d3
# end=stopped
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-11-26 09:17:45
# local_time=2011-11-26 09:17:45 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=512 16777215 100 0 15582804 15582804 0 0
# compatibility_mode=5893 16776573 100 94 103489 74808652 0 0
# compatibility_mode=8206 39157117 100 93 33140 5649427 0 0
# scanned=191
# found=0
# cleaned=0
# scan_time=4
# nod_component=V3 Build:0x30000000
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=3a1d20a23ab10f469208b1d7d061f1d3
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-11-27 01:37:48
# local_time=2011-11-27 01:37:48 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=512 16777215 100 0 15632719 15632719 0 0
# compatibility_mode=5893 16776573 100 94 153404 74858567 0 0
# compatibility_mode=8206 39157117 100 93 83055 5699342 0 0
# scanned=177749
# found=0
# cleaned=0
# scan_time=8892

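Three scanner sessions pasted back to back, one of them stopped after an updater failure, are easy to misread by eye. The following is an added example (not from the thread and not ESET's own tooling) that splits such a log into sessions, parses the `# key=value` fields and reports which runs completed, what they found and whether the updater failed; its sample log is a constructed excerpt modelled on the one posted above.

```python
"""ESET Online Scanner log parser (added example; not from the thread or ESET).
SAMPLE_LOG is a constructed excerpt modelled on the posted log: serial and
module lines dropped, and the last session's counters changed to show a hit."""
import re
from typing import Dict, List

SESSION_HEADER = "ESETSmartInstaller@High as downloader log:"
FIELD_RE = re.compile(r"^#\s*([\w.]+)=(.*)$")  # the "# key=value" lines
INT_FIELDS = {"scanned", "found", "cleaned", "scan_time"}

SAMPLE_LOG = """\
ESETSmartInstaller@High as downloader log:
all ok
# end=finished
# archives_checked=false
# utc_time=2011-11-26 09:14:57
# compatibility_mode=512 16777215 100 0 15578132 15578132 0 0
# compatibility_mode=5893 16776573 100 94 98817 74803980 0 0
# scanned=176203
# found=0
# cleaned=0
# scan_time=4508
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# end=stopped
# archives_checked=false
# utc_time=2011-11-26 09:17:45
# scanned=191
# found=0
# cleaned=0
# scan_time=4
ESETSmartInstaller@High as downloader log:
all ok
# end=finished
# archives_checked=true
# utc_time=2011-11-27 01:37:48
# scanned=177749
# found=2
# cleaned=2
# scan_time=8892
"""


def _coerce(key: str, raw: str):
    """Counters become int, *_checked flags become bool, everything else stays text."""
    raw = raw.strip()
    if key in INT_FIELDS and raw.isdigit():
        return int(raw)
    if key.endswith("_checked"):
        return raw.lower() == "true"
    return raw


def parse_sessions(text: str) -> List[dict]:
    """One dict per scanner launch; repeated keys (compatibility_mode) collect into a list."""
    sessions: List[dict] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line == SESSION_HEADER or not sessions:
            sessions.append({"fields": {}, "notes": []})
            if line == SESSION_HEADER:
                continue
        fields, notes = sessions[-1]["fields"], sessions[-1]["notes"]
        m = FIELD_RE.match(line)
        if m is None:  # "all ok", the updater failure, ...
            notes.append(line)
            continue
        key, value = m.group(1), _coerce(m.group(1), m.group(2))
        if key not in fields:
            fields[key] = value
        elif isinstance(fields[key], list):
            fields[key].append(value)
        else:
            fields[key] = [fields[key], value]
    return sessions


def summarize(sessions: List[dict]) -> Dict[str, object]:
    """What a helper checks first: did a full scan finish, what did it find, did the updater fail."""
    finished = [s for s in sessions if s["fields"].get("end") == "finished"]
    last = finished[-1]["fields"] if finished else {}
    return {
        "sessions": len(sessions),
        "finished": len(finished),
        "aborted_at": [s["fields"].get("utc_time") for s in sessions if s["fields"].get("end") != "finished"],
        "updater_errors": [n for s in sessions for n in s["notes"] if "returned -1" in n],
        "last_finished": {k: last.get(k) for k in ("utc_time", "scanned", "found", "cleaned", "archives_checked")},
    }
```

Run `summarize(parse_sessions(SAMPLE_LOG))` to see the aborted session and the updater error reported separately from the last completed full scan.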

Re: Possible infection

Post by Superdave on 27th November 2011, 7:02 pm

How's the computer working now? Any other issues?


Re: Possible infection

Post by Voods on 27th November 2011, 10:00 pm

Still Sluggish..

I've had to do three forced restarts today, due to complete system hangs.
How or what information would have been compromised with those supposed rootkits?
Obviously Eset isn't up to the job!


Re: Possible infection

Post by Superdave on 28th November 2011, 1:59 am

How or what information would have been compromised with those supposed rootkits?
That's nearly impossible to determine but there were no rootkits found on your computer.

Download Security Check by screen317 from one of the following links and save it to your desktop.

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

* Double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
*******************************************************
Download BlueScreenView to your desktop.
[You must be registered and logged in to see this link.]
Unzip the downloaded file and double-click BlueScreenView.exe to run the program.
When scanning is done, go to EDIT - Select All.
Go to FILE - SAVE Selected Items, and save the report as BSOD.txt.
Open BSOD.txt in Notepad, copy all of the content, and paste it into your next reply.


Re: Possible infection

Post by Voods on 28th November 2011, 3:41 pm

Results of screen317's Security Check version 0.99.28
Windows 7 Service Pack 1 x86 (UAC is disabled!)
Internet Explorer 8 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
ESET Online Scanner v3
ESET Smart Security
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
Java(TM) 6 Update 26
Java(TM) 7 Update 1
Adobe Flash Player 11.0.1.152
Mozilla Firefox ((3.6.17)) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
``````````End of Log````````````
The results here regarding versions of Firefox and Eset are false, as I have the latest versions of both

There are no *.dmp files either located in the usual locations, and no crashes shown.


Re: Possible infection

Post by Superdave on 28th November 2011, 8:26 pm

Update Your Java (JRE)

Old versions of Java have vulnerabilities that malware can use to infect your system.


First [You must be registered and logged in to see this link.]

If there are any other version(s) installed then update now.

Get the new version (if needed)

If your version is out of date install the newest version of the [You must be registered and logged in to see this link.].

Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Be sure to close ALL open web browsers before starting the installation.

Remove any old versions

1. Download [You must be registered and logged in to see this link.] and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions
3. Once complete exit JavaRA.

Additional Note: [You must be registered and logged in to see this link.] adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
*******************************************************
You only have 6.25 Gb of free space on your hard drive. Windows requires at least 15% (11.1 Gb) in order to function properly. This could be causing you problems. You should try to free up some space on the C drive. You can do this by uninstalling programs you no longer use or need and transferring videos, music and pictures to DVDs or an external drive.


Re: Possible infection

Post by Voods on 28th November 2011, 11:11 pm

Hi

I have checked, and it says the latest version of Java is installed.
I have freed up some disk space too.

Do you want the JavaRa Log? There were some errors reported

Regards


Last edited by Voods on 28th November 2011, 11:15 pm; edited 1 time in total (Reason for editing : Missed out details)


Re: Possible infection

Post by Superdave on 29th November 2011, 12:06 am

I have checked, and it says the latest version of Java is installed.
You can remove/uninstall the older versions.
I have freed up some disk space too.
Just be sure to keep 12 Gb of free space.
Do you want the JavaRa Log? There were some errors reported
No. I don't need to see it.
If there are no other issues, we can do some cleanup.


To uninstall ComboFix

  • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  • In the field, type in ComboFix /uninstall

(Note: Make sure there's a space between the word ComboFix and the forward-slash.)

  • Then, press Enter, or click OK.
  • This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.

****************************************************
Clean out your temporary internet files and temp files.

Download [You must be registered and logged in to see this link.] to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
****************************************************
Go to [You must be registered and logged in to see this link.] and get all critical updates.

----------

I suggest using [You must be registered and logged in to see this link.]. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

[You must be registered and logged in to see this link.] - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* [You must be registered and logged in to see this link.] from Spyware and Malware
* If you don't know what ActiveX controls are, see [You must be registered and logged in to see this link.]

Protect yourself against spyware using the Immunize feature in [You must be registered and logged in to see this link.] Guide: [You must be registered and logged in to see this link.] to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. [You must be registered and logged in to see this link.]

Check out [You must be registered and logged in to see this link.] for tips and free tools to help keep you safe in the future.

Also see [You must be registered and logged in to see this link.] for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!

