
Solved I need help with very strange Chinese SPAM/Malware

Discussion in 'Malware and Virus Removal Archive' started by bellisimo, 2014/05/25.

  1. 2014/05/25
    bellisimo Well-Known Member Thread Starter

    I've been having a problem with some Chinese language SPAM. It started several months ago when I first built this Windows 7 64-bit computer with the help of a Chinese computer store owner who sold me all the hardware and helped me to assemble it. He may have downloaded the Asus Motherboard disc from a Chinese website because the one I have is not an original.

    The reason for this is that he told me he could give me a good deal on a new motherboard that one of his customers had just bought and returned, but he didn't return the motherboard disk.

    I'm not sure that this ever-increasing Chinese SPAM (pop-ups) was caused by the above, but it started shortly after I got the new computer up and running.

    Here's the problem:

    When I use Google with Internet Explorer, my search is taken over by a website that seems to be that of a Chinese clothing and fashion accessories company. I draw this conclusion because many of the photographs on the pages are of Asian models modeling clothing lines. The text is all in Chinese characters with no English except for a URL, which is http://www.duba.com, and there are several variations of this URL, since the popups are often different variations of the same.

    I've tried searching the addresses, but to no avail. These popups used to be only once in a while and didn't bother me, but now, they're starting to take over my machine almost every time I search the Internet. It even happens when I open my Outlook email account.

    I would format my hard drive and reinstall Windows 7 and all of my programs if I could be certain that the problem isn't on the motherboard disk, but I can't think of anyplace else I could have picked it up. I'm very cautious about surfing the net and I run Malwarebytes and JRT scans every few days.

    I'd really appreciate some help with this problem.

    Thank you.

    Windows 7 Home Premium
    Processor Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz 3.4 GHz
    Installed Memory (RAM) 8.00 GB
    System Type: 64-bit Operating System
    C: Drive SanDisk Solid State 256 G
     
    Last edited: 2014/05/25
  2. 2014/05/26
    PeteC SuperGeek Staff


  4. 2014/05/26
    bellisimo Well-Known Member Thread Starter

    Thank you, PeteC,

    Attached are the dds.txt and attach.txt files.

    Malwarebytes found nothing but I haven't figured out how to send it to you yet.

    I also ran an updated version of my purchased copy of AVG Antivirus, and after scanning my complete system, it shows no infections.

    Thanks again,

    bellisimo
     


  5. 2014/05/26
    broni Moderator Malware Analyst
    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =====================================

    Please observe forum rules.
    All logs have to be pasted not attached.
     
  6. 2014/05/26
    bellisimo Well-Known Member Thread Starter
    Thank you, broni,

    This Chinese malware is still very active. Do I need to post an updated Malwarebytes scan summary?
     
    Last edited: 2014/05/26
  7. 2014/05/26
    broni Moderator Malware Analyst
  8. 2014/05/26
    bellisimo Well-Known Member Thread Starter
    Thanks broni,

    Here is the Malwarebytes scan.

    Incidentally, just trying to log on to Windows BBS gets interrupted by the Chinese malware and I have to try again, sometimes two or more times. It just happened this time.
     


    Last edited: 2014/05/26
  9. 2014/05/26
    broni Moderator Malware Analyst
    You're not reading my replies carefully.

    Please observe forum rules.
    All logs have to be pasted not attached.
     
  10. 2014/05/26
    bellisimo Well-Known Member Thread Starter
    My apologies broni,

    Here is the dds file:

    DDS (Ver_2012-11-20.01) - NTFS_AMD64
    Internet Explorer: 10.0.9200.16866
    Run by a at 15:46:57 on 2014-05-26
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8142.2871 [GMT -5:00]
    .
    AV: AVG Internet Security 2014 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: AVG Internet Security 2014 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
    FW: AVG Internet Security 2014 *Enabled* {36AFA1E1-4CDC-7EF8-11EE-C77C3581ABA2}
    .
    ============== Running Processes ===============
    .
    c:\PROGRA~2\AVG\AVG2014\avgrsa.exe
    C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\atieclxx.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files (x86)\AVG\AVG2014\avgfws.exe
    C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe
    C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe
    F:\Program Files\MyDrivers\DriverGenius2013\DgService.exe
    C:\Program Files\Realtek\Audio\HDA\DTSU2PAuSrv64.exe
    C:\Windows\system32\IProsetMonitor.exe
    C:\Program Files (x86)\Secunia\PSI\PSIA.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
    C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
    C:\Program Files (x86)\AVG\AVG2014\avgui.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Windows\SysWOW64\ctfmon.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Program Files (x86)\EMET 4.1\EMET_Agent.exe
    C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe
    C:\Program Files (x86)\AVG\AVG2014\avgemca.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe
    F:\Program Files\MyDrivers\DriverGenius2013\ksoft\kgeniustray.exe
    C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
    C:\Program Files (x86)\Secunia\PSI\sua.exe
    C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe
    C:\Windows\system32\svchost.exe -k SDRSVC
    C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    C:\Windows\System32\MsSpellCheckingFacility.exe
    C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\System32\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxps://www.google.ca/
    uSearch Page = hxxp://www.google.com
    mStart Page = hxxp://www.google.com
    mSearch Bar = hxxp://www.google.com
    uURLSearchHooks: <No Name>: {06b5b051-1d05-443d-822f-39ab0d05f018} -
    mWinlogon: Userinit = userinit.exe,
    BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    BHO: WOT Helper: {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files (x86)\WOT\WOT.dll
    BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    TB: WOT: {71576546-354D-41C9-AAE8-31F2EC22BF0D} - C:\Program Files (x86)\WOT\WOT.dll
    TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    TB: WOT: {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files (x86)\WOT\WOT.dll
    EB: Developer Tools: {1A6FE369-F28C-4AD9-A3E6-2BCB50807CF1} - C:\Program Files (x86)\Internet Explorer\iedvtool.dll
    EB: {28BCCB9A-E66B-463C-82A4-09F320DE94D7} - <orphaned>
    mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2014\avgui.exe" /TRAYONLY
    mRun: [EMET 4.1 Agent] "C:\Program Files (x86)\EMET 4.1\EMET_agent.exe "
    mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe "
    mRun: [kxesc] "c:\program files (x86)\kingsoft\kingsoft antiviruskxetray.exe" -autorun
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe "
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SECUNI~1.LNK - C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    mPolicies-Explorer: NoActiveDesktop = dword:1
    mPolicies-Explorer: NoActiveDesktopChanges = dword:1
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableLUA = dword:0
    mPolicies-System: EnableUIADesktopToggle = dword:0
    mPolicies-System: PromptOnSecureDesktop = dword:0
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - <orphaned>
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
    .
    INFO: HKCU has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    TCP: NameServer = 108.171.182.159,108.171.177.124
    TCP: NameServer = 192.168.2.1
    TCP: Interfaces\{0A40FBDD-0CB3-40AF-B79D-DF9F8FBAD2EB} : NameServer = 108.171.182.159,108.171.177.124
    TCP: Interfaces\{0A40FBDD-0CB3-40AF-B79D-DF9F8FBAD2EB} : DHCPNameServer = 192.168.2.1
    TCP: Interfaces\{398F358A-DB6A-4710-80FC-A933143285B5} : NameServer = 108.171.182.159,108.171.177.124
    TCP: Interfaces\{D6519705-1949-4980-9DF6-E96A2938CE7C} : DHCPNameServer = 192.168.2.1
    Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files (x86)\WOT\WOT.dll
    SSODL: WebCheck - <orphaned>
    SEH: {EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - <orphaned>
    x64-mStart Page = hxxp://www.google.com
    x64-BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre8\bin\ssv.dll
    x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    x64-BHO: WOT Helper: {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
    x64-BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre8\bin\jp2ssv.dll
    x64-TB: WOT: {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
    x64-Run: [Acronis Scheduler2 Service] "C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe "
    x64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe "
    x64-Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
    x64-SSODL: WebCheck - <orphaned>
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\a\AppData\Roaming\Mozilla\Firefox\Profiles\trvt8chr.default\
    FF - plugin: C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll
    FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: C:\Program Files (x86)\Google\Update\1.3.23.9\npGoogleUpdate3.dll
    FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_77.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSHA;AVGIDSHA;C:\Windows\System32\drivers\avgidsha.sys [2014-5-13 191768]
    R0 Avgloga;AVG Logging Driver;C:\Windows\System32\drivers\avgloga.sys [2014-5-13 323352]
    R0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\drivers\avgmfx64.sys [2014-5-13 130328]
    R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2014-5-13 31512]
    R0 bootsafe;bootsafe;C:\Windows\System32\drivers\bootsafe64.sys [2014-4-27 33128]
    R0 DKDFM;Device Filter Manager Driver;C:\Windows\System32\drivers\DKDFM.sys [2013-8-5 40752]
    R0 DKTLFSMF;Telemetry File System Mini Filter Driver;C:\Windows\System32\drivers\DKTLFSMF.sys [2013-8-5 106832]
    R0 fltsrv;Acronis Storage Filter Management;C:\Windows\System32\drivers\fltsrv.sys [2013-9-14 108832]
    R0 iusb3hcs;Intel(R) USB 3.0 Host Controller Switch Driver;C:\Windows\System32\drivers\iusb3hcs.sys [2013-7-31 20024]
    R0 KAVBootC;KAVBootC;C:\Windows\System32\drivers\kavbootc64.sys [2014-4-27 31848]
    R0 tib;Acronis TIB Manager;C:\Windows\System32\drivers\tib.sys [2013-9-14 1120032]
    R0 tib_mounter;Acronis TIB Mounter;C:\Windows\System32\drivers\tib_mounter.sys [2013-9-14 183224]
    R0 vididr;Acronis Virtual Disk;C:\Windows\System32\drivers\vididr.sys [2013-9-14 161568]
    R0 vidsflt;Acronis Disk Storage Filter;C:\Windows\System32\drivers\vidsflt.sys [2013-9-14 117024]
    R1 Avgdiska;AVG Disk Driver;C:\Windows\System32\drivers\avgdiska.sys [2014-5-13 152344]
    R1 Avgfwfd;AVG network filter service;C:\Windows\System32\drivers\avgfwd6a.sys [2013-9-26 57144]
    R1 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\drivers\avgidsdrivera.sys [2014-5-13 236312]
    R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\drivers\avgldx64.sys [2014-5-13 235800]
    R1 Avgtdia;AVG TDI Driver;C:\Windows\System32\drivers\avgtdia.sys [2014-5-13 273176]
    R1 avgtp;avgtp;C:\Windows\System32\drivers\avgtpx64.sys [2013-8-7 46368]
    R1 netfilter64;netfilter64;C:\Windows\System32\drivers\netfilter64.sys [2013-12-17 61592]
    R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
    R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
    R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2013-10-10 144152]
    R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2012-11-16 238080]
    R2 avgfws;AVG Firewall;C:\Program Files (x86)\AVG\AVG2014\avgfws.exe [2014-5-13 1473792]
    R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe [2014-5-13 3644432]
    R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe [2014-5-13 292424]
    R2 DGPNPSEV;DriverGenius PNP Service;F:\Program Files\MyDrivers\DriverGenius2013\dgservice.exe [2014-1-27 326000]
    R2 DgSafe;DgSafe;C:\Windows\System32\drivers\DgSafe.sys [2014-2-19 399632]
    R2 DTSAudioSvc;DTSAudioSvc;C:\Program Files\Realtek\Audio\HDA\DTSU2PAuSrv64.exe [2013-7-31 240584]
    R2 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;C:\Windows\System32\IPROSetMonitor.exe [2013-5-9 193288]
    R2 kisknl;kisknl;C:\Windows\System32\drivers\kisknl.sys [2014-4-27 225080]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\Windows\System32\drivers\LMIRfsDriver.sys [2013-9-12 72216]
    R2 Secunia PSI Agent;Secunia PSI Agent;C:\Program Files (x86)\Secunia\PSI\psia.exe [2011-1-10 993848]
    R2 Secunia Update Agent;Secunia Update Agent;C:\Program Files (x86)\Secunia\PSI\sua.exe [2011-1-10 399416]
    R2 syncagentsrv;Acronis Sync Agent Service;C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe [2013-3-20 7084672]
    R3 asmthub3;ASMedia USB3 Hub Service;C:\Windows\System32\drivers\asmthub3.sys [2012-2-21 130536]
    R3 asmtxhci;ASMEDIA XHCI Service;C:\Windows\System32\drivers\asmtxhci.sys [2012-2-21 396776]
    R3 iusb3hub;Intel(R) USB 3.0 Hub Driver;C:\Windows\System32\drivers\iusb3hub.sys [2013-7-31 358456]
    R3 iusb3xhc;Intel(R) USB 3.0 eXtensible Host Controller Driver;C:\Windows\System32\drivers\iusb3xhc.sys [2013-7-31 791608]
    R3 MBAMSwissArmy;MBAMSwissArmy;C:\Windows\System32\drivers\MBAMSwissArmy.sys [2014-4-19 119512]
    R3 PSI;PSI;C:\Windows\System32\drivers\psi_mf.sys [2010-9-1 17976]
    R3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\System32\drivers\wdcsam64.sys [2008-5-6 14464]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
    S3 afcdp;afcdp;C:\Windows\System32\drivers\afcdp.sys [2013-9-14 367200]
    S3 afcdpsrv;Acronis Nonstop Backup Service;C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe [2013-9-14 3783672]
    S3 DKRtWrt;DKRtWrt;C:\Windows\System32\drivers\DKRtWrt.sys [2013-8-5 52048]
    S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2013-7-31 57840]
    S3 KNBDrv;KNBDrv;C:\Windows\System32\drivers\knbdrv.sys [2014-4-28 102704]
    S3 ksapi64;ksapi64;C:\Windows\System32\drivers\ksapi64.sys [2014-4-27 56680]
    S3 SWDUMon;SWDUMon;C:\Windows\System32\drivers\SWDUMon.sys [2014-2-19 16152]
    S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
    S3 TeamViewer8;TeamViewer 8;C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [2014-3-31 5093216]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
    S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-8-2 1255736]
    .
    =============== Created Last 30 ================
    .
    2014-05-25 20:42:56 111016 ----a-w- C:\Windows\System32\WindowsAccessBridge-64.dll
    2014-05-18 06:09:15 -------- d-----w- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
    2014-05-18 06:09:15 -------- d-----w- C:\Program Files\iTunes
    2014-05-18 06:09:15 -------- d-----w- C:\Program Files\iPod
    2014-05-18 06:09:15 -------- d-----w- C:\Program Files (x86)\iTunes
    2014-05-15 05:21:07 2706432 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2014-05-15 05:21:07 2706432 ----a-w- C:\Windows\System32\mshtml.tlb
    2014-05-15 02:28:03 477184 ----a-w- C:\Windows\System32\aepdu.dll
    2014-05-15 02:28:03 424448 ----a-w- C:\Windows\System32\aeinv.dll
    2014-05-13 19:20:26 235800 ----a-w- C:\Windows\System32\drivers\avgldx64.sys
    2014-05-13 19:20:06 273176 ----a-w- C:\Windows\System32\drivers\avgtdia.sys
    2014-05-13 19:06:06 323352 ----a-w- C:\Windows\System32\drivers\avgloga.sys
    2014-05-13 19:05:40 191768 ----a-w- C:\Windows\System32\drivers\avgidsha.sys
    2014-05-13 19:05:08 152344 ----a-w- C:\Windows\System32\drivers\avgdiska.sys
    2014-05-13 19:05:06 130328 ----a-w- C:\Windows\System32\drivers\avgmfx64.sys
    2014-05-13 19:04:56 236312 ----a-w- C:\Windows\System32\drivers\avgidsdrivera.sys
    2014-05-13 19:04:30 31512 ----a-w- C:\Windows\System32\drivers\avgrkx64.sys
    2014-05-06 05:39:50 -------- d-s---w- C:\Windows\System32\CompatTel
    2014-05-04 19:33:29 -------- d-----w- C:\Users\a\AppData\Local\IAC
    2014-05-01 04:19:36 -------- d-----w- C:\Users\a\AppData\Local\Blockless
    2014-04-28 15:27:43 102704 ----a-w- C:\Windows\System32\drivers\KNBDrv64.sys
    2014-04-28 15:27:43 102704 ----a-w- C:\Windows\System32\drivers\knbdrv.sys
    2014-04-28 15:27:40 -------- d-----w- C:\Users\a\AppData\Local\liebao
    2014-04-28 15:24:08 -------- d-----w- C:\Users\a\AppData\Local\Kingsoft
    .
    ==================== Find3M ====================
    .
    2014-05-26 19:04:35 119512 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
    2014-05-17 16:27:53 70832 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2014-05-17 16:27:53 692400 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
    2014-04-28 15:27:43 85352 ----a-w- C:\Windows\System32\drivers\ksapi.sys
    2014-04-27 18:15:19 139576 ----a-w- C:\Windows\System32\drivers\kdhacker.sys
    2014-04-27 18:09:42 33128 ----a-w- C:\Windows\System32\drivers\bootsafe64.sys
    2014-04-27 18:09:41 24936 ----a-w- C:\Windows\System32\drivers\bootsafe.sys
    2014-04-12 02:22:05 95680 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
    2014-04-12 02:22:05 155072 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
    2014-04-12 02:19:38 29184 ----a-w- C:\Windows\System32\sspisrv.dll
    2014-04-12 02:19:38 136192 ----a-w- C:\Windows\System32\sspicli.dll
    2014-04-12 02:19:37 28160 ----a-w- C:\Windows\System32\secur32.dll
    2014-04-12 02:19:32 1460736 ----a-w- C:\Windows\System32\lsasrv.dll
    2014-04-12 02:19:05 31232 ----a-w- C:\Windows\System32\lsass.exe
    2014-04-12 02:12:06 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
    2014-04-12 02:10:56 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
    2014-04-03 14:51:16 63192 ----a-w- C:\Windows\System32\drivers\mwac.sys
    2014-04-03 14:51:04 88280 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
    2014-04-03 14:50:58 25816 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2014-03-13 06:33:30 2238976 ----a-w- C:\Windows\System32\wininet.dll
    2014-03-13 06:32:03 3959808 ----a-w- C:\Windows\System32\jscript9.dll
    2014-03-13 06:31:55 67072 ----a-w- C:\Windows\System32\iesetup.dll
    2014-03-13 06:31:55 136704 ----a-w- C:\Windows\System32\iesysprep.dll
    2014-03-13 05:10:47 1766400 ----a-w- C:\Windows\SysWow64\wininet.dll
    2014-03-13 05:09:43 2877952 ----a-w- C:\Windows\SysWow64\jscript9.dll
    2014-03-13 05:09:39 61440 ----a-w- C:\Windows\SysWow64\iesetup.dll
    2014-03-13 05:09:39 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll
    2014-03-13 03:59:47 89600 ----a-w- C:\Windows\System32\RegisterIEPKEYs.exe
    2014-03-13 03:51:45 71680 ----a-w- C:\Windows\SysWow64\RegisterIEPKEYs.exe
    2014-03-04 09:47:01 5550016 ----a-w- C:\Windows\System32\ntoskrnl.exe
    2014-03-04 09:44:21 362496 ----a-w- C:\Windows\System32\wow64win.dll
    2014-03-04 09:44:21 243712 ----a-w- C:\Windows\System32\wow64.dll
    2014-03-04 09:44:21 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
    2014-03-04 09:44:20 39936 ----a-w- C:\Windows\System32\wincredprovider.dll
    2014-03-04 09:44:10 210944 ----a-w- C:\Windows\System32\wdigest.dll
    2014-03-04 09:44:08 86528 ----a-w- C:\Windows\System32\TSpkg.dll
    2014-03-04 09:44:06 340992 ----a-w- C:\Windows\System32\schannel.dll
    2014-03-04 09:44:03 722944 ----a-w- C:\Windows\System32\objsel.dll
    2014-03-04 09:44:03 314880 ----a-w- C:\Windows\System32\msv1_0.dll
    2014-03-04 09:44:03 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
    2014-03-04 09:44:00 728064 ----a-w- C:\Windows\System32\kerberos.dll
    2014-03-04 09:44:00 424960 ----a-w- C:\Windows\System32\KernelBase.dll
    2014-03-04 09:43:56 57344 ----a-w- C:\Windows\System32\cngprovider.dll
    2014-03-04 09:43:56 52736 ----a-w- C:\Windows\System32\dpapiprovider.dll
    2014-03-04 09:43:56 44544 ----a-w- C:\Windows\System32\dimsroam.dll
    2014-03-04 09:43:56 22016 ----a-w- C:\Windows\System32\credssp.dll
    2014-03-04 09:43:55 56832 ----a-w- C:\Windows\System32\adprovider.dll
    2014-03-04 09:43:55 53760 ----a-w- C:\Windows\System32\capiprovider.dll
    2014-03-04 09:43:50 455168 ----a-w- C:\Windows\System32\winlogon.exe
    2014-03-04 09:20:11 3969984 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
    2014-03-04 09:20:11 3914176 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
    2014-03-04 09:16:54 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
    2014-03-04 09:16:18 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
    2014-03-04 09:16:18 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll
    2014-03-04 08:09:30 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
    2014-03-04 08:09:29 2048 ----a-w- C:\Windows\SysWow64\user.exe
    .
    ============= FINISH: 15:47:13.07 ===============
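    An added triage helper (example code written for this page; it is not part of DDS and was not posted in the thread) that parses the Pseudo HJT Report and Created Last 30 lines from the dds.txt above and reports the items an analyst would read first: the mPolicies-System UAC values, statically configured DNS servers, and autostart entries living in recently created folders. The Windows 7 UAC baseline, the "recently created folder" heuristic and the sample excerpt are my own assumptions.

```python
"""Triage helper for the DDS log format pasted above (added example; not a DDS feature).

Extracts mPolicies-System UAC values, TCP NameServer lines, mRun/uRun/x64-Run autostart
entries and 'Created Last 30' directories, then lists what to review first. Heuristics only.
"""
import re

RUN_RE = re.compile(
    r'^(?P<scope>x64-Run|mRun|uRun): \[(?P<name>[^\]]+)\]\s+'
    r'(?:"(?P<qpath>[^"]*)"|(?P<upath>\S+))\s*(?P<args>.*)$')
POLICY_RE = re.compile(r'^mPolicies-System: (?P<name>\w+) = dword:(?P<val>\d+)$')
NS_RE = re.compile(
    r'^TCP: (?:Interfaces\\\{(?P<iface>[^}]+)\} : )?'
    r'(?P<kind>DHCPNameServer|NameServer) = (?P<servers>\S+)$')
DIR_RE = re.compile(r'^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d -+ d\S+ (?P<path>.+)$')

# Windows 7 defaults for the UAC values DDS prints (assumed baseline for this check).
UAC_DEFAULTS = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}

# Constructed excerpt: a dozen lines copied from the dds.txt in this thread.
SAMPLE_DDS = r"""
mRun: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2014\avgui.exe" /TRAYONLY
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe "
mRun: [kxesc] "c:\program files (x86)\kingsoft\kingsoft antiviruskxetray.exe" -autorun
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
TCP: NameServer = 108.171.182.159,108.171.177.124
TCP: Interfaces\{0A40FBDD-0CB3-40AF-B79D-DF9F8FBAD2EB} : NameServer = 108.171.182.159,108.171.177.124
TCP: Interfaces\{0A40FBDD-0CB3-40AF-B79D-DF9F8FBAD2EB} : DHCPNameServer = 192.168.2.1
2014-05-18 06:09:15 -------- d-----w- C:\Program Files (x86)\iTunes
2014-04-28 15:27:40 -------- d-----w- C:\Users\a\AppData\Local\liebao
2014-04-28 15:24:08 -------- d-----w- C:\Users\a\AppData\Local\Kingsoft
"""


def parse_dds(text):
    """Return (runs, policies, dns, dirs) extracted from DDS log text."""
    runs, policies, dns, dirs = [], {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            path = (m["qpath"] if m["qpath"] is not None else m["upath"]).strip()
            runs.append((m["scope"], m["name"], path, m["args"].strip()))
            continue
        m = POLICY_RE.match(line)
        if m:
            policies[m["name"]] = int(m["val"])  # DDS prints dword values in decimal
            continue
        m = NS_RE.match(line)
        if m:
            iface = m["iface"] or "global"  # lines without Interfaces\{...} are system-wide
            dns.setdefault(iface, {})[m["kind"]] = m["servers"].split(",")
            continue
        m = DIR_RE.match(line)
        if m:
            dirs.append(m["path"])
    return runs, policies, dns, dirs


def uac_findings(policies):
    """UAC values that differ from the Windows 7 default, in UAC_DEFAULTS order."""
    return [f"{name}={policies[name]} (Windows 7 default {default})"
            for name, default in UAC_DEFAULTS.items()
            if name in policies and policies[name] != default]


def dns_findings(dns):
    """Interfaces whose static NameServer overrides (or exists without) a DHCP resolver."""
    out = []
    for iface, entry in dns.items():
        static, dhcp = entry.get("NameServer"), entry.get("DHCPNameServer")
        if static and static != dhcp:
            out.append((iface, static, dhcp))  # confirm with the owner who set this
    return out


def recent_autostarts(runs, dirs):
    """Autostart entries whose path contains a folder created in the last 30 days.

    'Recently installed and starts with Windows' is a prioritisation heuristic: it
    flags legitimate new software (iTunes in the sample) alongside anything unwanted.
    """
    tokens = {d.rstrip("\\").rsplit("\\", 1)[-1].lower() for d in dirs}
    out = []
    for _scope, name, path, _args in runs:
        hits = sorted(tokens & set(path.lower().split("\\")))
        if hits:
            out.append((name, path, hits))
    return out


def triage(text):
    runs, policies, dns, dirs = parse_dds(text)
    return {"uac": uac_findings(policies), "dns": dns_findings(dns),
            "recent_autostarts": recent_autostarts(runs, dirs)}


if __name__ == "__main__":
    for section, items in triage(SAMPLE_DDS).items():
        print(section, *items, sep="\n  ")
```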
     
  11. 2014/05/26
    bellisimo Well-Known Member Thread Starter
    Here is the attach.txt file:

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-20.01)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 7/31/2013 2:25:40 PM
    System Uptime: 5/26/2014 1:57:45 PM (2 hours ago)
    .
    Motherboard: ASUSTeK COMPUTER INC. | | P8Z77-V PRO
    Processor: Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz | LGA1155 | 3401/100mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 238 GiB total, 183.889 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    F: is FIXED (NTFS) - 466 GiB total, 453.035 GiB free.
    G: is FIXED (NTFS) - 932 GiB total, 862.585 GiB free.
    H: is FIXED (NTFS) - 1863 GiB total, 717.077 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID:
    Description:
    Device ID: ROOT\LEGACY_KDHACKER\0000
    Manufacturer:
    Name:
    PNP Device ID: ROOT\LEGACY_KDHACKER\0000
    Service:
    .
    Class GUID:
    Description:
    Device ID: ROOT\LEGACY_KISNETM\0000
    Manufacturer:
    Name:
    PNP Device ID: ROOT\LEGACY_KISNETM\0000
    Service:
    .
    Class GUID:
    Description:
    Device ID: ROOT\LEGACY_KUSBGUARD\0000
    Manufacturer:
    Name:
    PNP Device ID: ROOT\LEGACY_KUSBGUARD\0000
    Service:
    .
    Class GUID:
    Description:
    Device ID: ROOT\LEGACY_RAPPORTEI64\0000
    Manufacturer:
    Name:
    PNP Device ID: ROOT\LEGACY_RAPPORTEI64\0000
    Service:
    .
    Class GUID:
    Description:
    Device ID: ROOT\LEGACY_RAPPORTPG64\0000
    Manufacturer:
    Name:
    PNP Device ID: ROOT\LEGACY_RAPPORTPG64\0000
    Service:
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft Teredo Tunneling Adapter
    Device ID: ROOT\UNKNOWN\0000
    Manufacturer: Microsoft
    Name: Microsoft Teredo Tunneling Adapter #2
    PNP Device ID: ROOT\UNKNOWN\0000
    Service: tunnel
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft Teredo Tunneling Adapter
    Device ID: ROOT\*TEREDO\0000
    Manufacturer: Microsoft
    Name: Teredo Tunneling Pseudo-Interface
    PNP Device ID: ROOT\*TEREDO\0000
    Service: tunnel
    .
    ==== System Restore Points ===================
    .
    RP271: 4/27/2014 7:00:11 PM - Windows Backup
    RP274: 4/30/2014 11:12:36 PM - Installed Blockless
    RP275: 4/30/2014 11:16:32 PM - Installed Netflix Icon Installer
    RP276: 5/1/2014 12:46:26 PM - Revo Uninstaller's restore point - Netflix Icon Installer
    RP277: 5/3/2014 12:39:35 AM - Windows Update
    RP278: 5/4/2014 7:00:17 PM - Windows Backup
    RP279: 5/6/2014 12:38:43 AM - Windows Update
    RP280: 5/9/2014 4:36:25 PM - Revo Uninstaller's restore point - Blockless
    RP281: 5/9/2014 4:36:47 PM - Removed Blockless
    RP282: 5/11/2014 7:01:19 PM - Windows Backup
    RP283: 5/15/2014 12:19:05 AM - Windows Update
    RP284: 5/18/2014 7:00:18 PM - Windows Backup
    RP285: 5/25/2014 3:42:45 PM - Installed Java 8 Update 5 (64-bit)
    RP286: 5/25/2014 7:01:18 PM - Windows Backup
    .
    ==== Installed Programs ======================
    .
    3D Live Snooker
    7-Zip 9.21
    Adobe Acrobat X Pro - English, Français, Deutsch
    Adobe AIR
    Adobe Community Help
    Adobe Flash Player 13 ActiveX
    Adobe Photoshop CS5.1
    Adobe Reader XI (11.0.06)
    AMD Accelerated Video Transcoding
    AMD APP SDK Runtime
    AMD Catalyst Install Manager
    AMD Drag and Drop Transcoding
    AMD Media Foundation Decoders
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Asmedia ASM104x USB 3.0 Host Controller Driver
    AVG 2014
    Bonjour
    Catalyst Control Center
    Catalyst Control Center - Branding
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center InstallProxy
    Catalyst Control Center Localization All
    ccc-utility64
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help Czech
    CCC Help Danish
    CCC Help Dutch
    CCC Help English
    CCC Help Finnish
    CCC Help French
    CCC Help German
    CCC Help Greek
    CCC Help Hungarian
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Norwegian
    CCC Help Polish
    CCC Help Portuguese
    CCC Help Russian
    CCC Help Spanish
    CCC Help Swedish
    CCC Help Thai
    CCC Help Turkish
    CCleaner
    CloudReading
    Compatibility Pack for the 2007 Office system
    D3DX10
    Diskeeper 12
    EasyBCD 2.2
    EMET 4.1
    EPSON Scan
    Foxit Reader
    Google Earth
    Google Update Helper
    iCloud
    Intel(R) Network Connections 18.4.59.0
    Intel(R) USB 3.0 eXtensible Host Controller Driver
    iTunes
    Java 8 Update 5 (64-bit)
    Java Auto Updater
    LG Burning Tool
    LG CyberLink BD Advisor
    LG CyberLink Blu-ray Disc Suite
    LG CyberLink MediaEspresso
    LG CyberLink MediaShow
    Malwarebytes Anti-Malware version 2.0.1.1004
    Microsoft .NET Framework 4.5.1
    Microsoft Mouse and Keyboard Center
    Microsoft Office File Validation Add-In
    Microsoft Office Outlook Connector
    Microsoft Office Professional Edition 2003
    Microsoft SkyDrive
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2005 Redistributable (x64)
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    Microsoft Visual Studio 2010 Tools for Office Runtime (x64)
    Microsoft_VC80_ATL_x86
    Microsoft_VC80_ATL_x86_x64
    Microsoft_VC80_CRT_x86
    Microsoft_VC80_CRT_x86_x64
    Microsoft_VC80_MFC_x86
    Microsoft_VC80_MFC_x86_x64
    Microsoft_VC80_MFCLOC_x86
    Microsoft_VC80_MFCLOC_x86_x64
    Microsoft_VC90_ATL_x86
    Microsoft_VC90_ATL_x86_x64
    Microsoft_VC90_CRT_x86
    Microsoft_VC90_CRT_x86_x64
    Microsoft_VC90_MFC_x86
    Microsoft_VC90_MFC_x86_x64
    Microsoft_VC90_MFCLOC_x86
    Microsoft_VC90_MFCLOC_x86_x64
    Movie Maker
    Mozilla Firefox 28.0 (x86 en-US)
    Mozilla Maintenance Service
    MSVCRT
    MSVCRT_amd64
    MSVCRT110
    MSVCRT110_amd64
    Paint.NET v3.10
    PDF Settings CS5
    Photo Common
    Photo Gallery
    QuickTime 7
    Realtek HDMI Audio Driver for ATI
    Realtek High Definition Audio Driver
    Revo Uninstaller 1.95
    Secunia PSI (2.0.0.3001)
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 4.5.1 (KB2898869)
    Security Update for Microsoft .NET Framework 4.5.1 (KB2901126)
    Security Update for Microsoft .NET Framework 4.5.1 (KB2931368)
    SPAMfighter
    SpywareBlaster 5.0
    SUPERAntiSpyware
    TeamViewer 8
    True Image 2013
    Updater
    VC_CRT_x64
    Visual Studio 2010 x64 Redistributables
    Visual Studio 2012 x64 Redistributables
    Visual Studio 2012 x86 Redistributables
    VisualBee for Microsoft PowerPoint
    VLC media player 2.1.2
    VueScan x64
    Windows Live Communications Platform
    Windows Live Family Safety
    Windows Live ID Sign-in Assistant
    Windows Live Installer
    Windows Live Messenger
    Windows Live Photo Common
    Windows Live PIMT Platform
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    Windows Live Writer
    Windows Live Writer Resources
    WinZip 17.5
    WOT for Internet Explorer
    .
    ==== End Of File ===========================
     
  12. 2014/05/26
    bellisimo Lifetime Subscription

    bellisimo Well-Known Member Thread Starter

    Hi broni,

    There isn't much to this AVG scan, but it is a complete computer scan that found no problems:

    Whole Computer Scan
    No infection was found during this scan
    Scanned folders:; "Scan Whole Computer "
    Started:; "5/26/2014, 3:04:18 PM "
    Finished:; "5/26/2014, 3:20:22 PM "
    Scanned items:; "234146 "
    Launched by:; "a "
     
  13. 2014/05/26
    broni

    broni Moderator Malware Analyst

    MBAM log?
     
  14. 2014/05/26
    bellisimo Lifetime Subscription

    bellisimo Well-Known Member Thread Starter

    Sorry broni,

    I thought I'd sent it. Here it is:

    Malwarebytes Anti-Malware
    www.malwarebytes.org

    Scan Date: 5/26/2014
    Scan Time: 4:40:57 PM
    Logfile: Malwarebytes scan.txt
    Administrator: Yes

    Version: 2.00.1.1004
    Malware Database: v2014.05.26.03
    Rootkit Database: v2014.05.21.01
    License: Free
    Malware Protection: Disabled
    Malicious Website Protection: Disabled
    Chameleon: Disabled

    OS: Windows 7 Service Pack 1
    CPU: x64
    File System: NTFS
    User: a

    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 326982
    Time Elapsed: 6 min, 30 sec

    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Enabled
    Shuriken: Enabled
    PUP: Warn
    PUM: Enabled

    Processes: 0
    (No malicious items detected)

    Modules: 0
    (No malicious items detected)

    Registry Keys: 0
    (No malicious items detected)

    Registry Values: 0
    (No malicious items detected)

    Registry Data: 0
    (No malicious items detected)

    Folders: 0
    (No malicious items detected)

    Files: 0
    (No malicious items detected)

    Physical Sectors: 0
    (No malicious items detected)
     
  15. 2014/05/26
    broni

    broni Moderator Malware Analyst

    Download RogueKiller from one of the following links and save it to your Desktop:

    Link 1
    Link 2

    • Close all the running programs
    • Windows Vista/7/8 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.

    Create new restore point before proceeding with the next step....
    How to: http://www.smartestcomputing.us.com/topic/63983-how-to-create-new-restore-point-all-windows/

    Download Malwarebytes Anti-Rootkit (MBAR) from HERE
    • Unzip downloaded file.
    • Open the folder where the contents were unzipped and run mbar.exe
    • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
    • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
    • Wait while the system shuts down and the cleanup process is performed.
    • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
    • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log-xxxxx.txt and system-log.txt
     
  16. 2014/05/26
    bellisimo Lifetime Subscription

    bellisimo Well-Known Member Thread Starter

    Hi broni,

    Thank you. Here is the RogueKiller report:

    RogueKiller V8.8.15 [Mar 27 2014] by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : http://forum.adlice.com
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : a [Admin rights]
    Mode : Remove -- Date : 05/26/2014 23:00:22
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 14 ¤¤¤
    [HJ POL][PUM] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED
    [HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED
    [HJ POL][PUM] HKLM\[...]\System : DisableTaskMgr (0) -> DELETED
    [HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
    [HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
    [HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
    [HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableTaskMgr (0) -> [0x2] The system cannot find the file specified.
    [HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> [0x2] The system cannot find the file specified.
    [HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
    [HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : EnableLUA (0) -> REPLACED (1)
    [HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ DESK][PUM] HKCU\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

    ¤¤¤ Scheduled tasks : 0 ¤¤¤

    ¤¤¤ Startup Entries : 0 ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ Browser Addons : 0 ¤¤¤

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤
    [Address] IAT @iexplore.exe (GetProcAddress) : KERNEL32.dll -> HOOKED (C:\Program Files (x86)\Internet Explorer\IEShims.dll @ 0x6C301E4B)
    [Address] IAT @iexplore.exe (StrStrIW) : api-ms-win-downlevel-shlwapi-l1-1-0.dll -> HOOKED (C:\Windows\syswow64\shlwapi.DLL @ 0x76D846E9)
    [Address] IAT @iexplore.exe (GetProcAddress) : KERNEL32.dll -> HOOKED (C:\Program Files (x86)\Internet Explorer\IEShims.dll @ 0x6C301E4B)
    [Address] IAT @iexplore.exe (StrStrIW) : api-ms-win-downlevel-shlwapi-l1-1-0.dll -> HOOKED (C:\Windows\syswow64\shlwapi.DLL @ 0x76D846E9)

    ¤¤¤ External Hives: ¤¤¤
    -> F:\windows\system32\config\SYSTEM | DRVINFO [Drv - F:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
    -> F:\windows\system32\config\SOFTWARE | DRVINFO [Drv - F:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
    -> F:\windows\system32\config\SECURITY | DRVINFO [Drv - F:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
    -> F:\Documents and Settings\a\NTUSER.DAT | DRVINFO [Drv - F:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
    -> F:\Documents and Settings\Default User\NTUSER.DAT | DRVINFO [Drv - F:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
    -> F:\Documents and Settings\LocalService\NTUSER.DAT | DRVINFO [Drv - F:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
    -> F:\Documents and Settings\NetworkService\NTUSER.DAT | DRVINFO [Drv - F:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
    -> G:\Documents and Settings\Administrator\NTUSER.DAT | DRVINFO [Drv - G:] | SYSTEMINFO [Sys - NO_SYS] [Sys32 - NOT_FOUND] | USERINFO [Startup - FOUND]
    -> G:\Documents and Settings\Bert Bell\NTUSER.DAT | DRVINFO [Drv - G:] | SYSTEMINFO [Sys - NO_SYS] [Sys32 - NOT_FOUND] | USERINFO [Startup - FOUND]
    -> G:\Documents and Settings\Default User\NTUSER.DAT | DRVINFO [Drv - G:] | SYSTEMINFO [Sys - NO_SYS] [Sys32 - NOT_FOUND] | USERINFO [Startup - FOUND]
    -> G:\Documents and Settings\LocalService\NTUSER.DAT | DRVINFO [Drv - G:] | SYSTEMINFO [Sys - NO_SYS] [Sys32 - NOT_FOUND] | USERINFO [Startup - FOUND]
    -> G:\Documents and Settings\NetworkService\NTUSER.DAT | DRVINFO [Drv - G:] | SYSTEMINFO [Sys - NO_SYS] [Sys32 - NOT_FOUND] | USERINFO [Startup - FOUND]
    -> H:\windows\system32\config\SYSTEM | DRVINFO [Drv - H:] | SYSTEMINFO [Sys - NO_SYS] [Sys32 - NOT_FOUND] | USERINFO [Startup - NOT_FOUND]
    -> H:\windows\system32\config\SOFTWARE | DRVINFO [Drv - H:] | SYSTEMINFO [Sys - NO_SYS] [Sys32 - NOT_FOUND] | USERINFO [Startup - NOT_FOUND]
    -> H:\windows\system32\config\SECURITY | DRVINFO [Drv - H:] | SYSTEMINFO [Sys - NO_SYS] [Sys32 - NOT_FOUND] | USERINFO [Startup - NOT_FOUND]

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> %SystemRoot%\System32\drivers\etc\hosts


    127.0.0.1 lmlicenses.wip4.adobe.com
    127.0.0.1 lm.licenses.adobe.com
    127.0.0.1 na1r.services.adobe.com
    127.0.0.1 hlrcv.stage.adobe.com
    127.0.0.1 practivate.adobe.com
    127.0.0.1 activate.adobe.com


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) SanDisk SDSSDH2256G ATA Device +++++
    --- User ---
    [MBR] 86b26a104223c5f8e26229c0335f8a08
    [BSP] 478bd86baff27e9a6f1e98527ac07c17 : Windows 7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 244096 MB
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ IDE) ST31000524AS ATA Device +++++
    --- User ---
    [MBR] 488f113d06f47f98a5aaf6f5198ef189
    [BSP] 06f4e51151f20a9a21b7a52578931521 : Windows XP MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953859 MB
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive2: (\\.\PHYSICALDRIVE2 @ IDE) Hitachi HDS721010DLE630 ATA Device +++++
    --- User ---
    [MBR] 7d2dfedcfd475e7660332ed2771083c9
    [BSP] 36b66c9a3bb76e735c65e325c4c90997 : Windows XP MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 476938 MB
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive3: (\\.\PHYSICALDRIVE3 @ USB) WD My Passport 0748 USB Device +++++
    --- User ---
    [MBR] b6d7c2cbe2f993245ca02ead3741ca4e
    [BSP] 06407b54e3dc4a35bb488ba6f00e41b3 : Windows XP MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1907696 MB
    User = LL1 ... OK!
    Error reading LL2 MBR! ([0x32] The request is not supported. )

    Finished : << RKreport[0]_D_05262014_230022.txt >>
    RKreport[0]_S_05262014_225923.txt
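    An added triage example (not part of this thread and not RogueKiller's own code): the interesting lines in the report above are the [HJ POL][PUM] entries, where EnableLUA (0) means UAC was switched off and ConsentPromptBehaviorAdmin (0) means administrators were elevated with no prompt at all, and the HOSTS section, where several Adobe licensing hostnames are pinned to 127.0.0.1 so the machine can never reach them. The DisableTaskMgr (0) and DisableRegistryTools (0) lines are harmless values that RogueKiller simply removed. The script below parses a RogueKiller-style text report, checks each policy value against what a hardened machine should carry, and flags any non-local hostname that the HOSTS file sinkholes. The report format is inferred from the posted log, and the sample report embedded in the script is constructed for the example.

```python
"""Added triage helper: read a RogueKiller-style text report, flag policy values
that weaken Windows (UAC off, silent elevation) and HOSTS lines that sinkhole
non-local hostnames. Not RogueKiller code; the report format is inferred from
the log posted in the thread."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample modelled on the posted report (trimmed; values are illustrative).
SAMPLE_REPORT = r"""
¤¤¤ Registry Entries : 4 ¤¤¤
[HJ POL][PUM] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED
[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ DESK][PUM] HKCU\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 localhost
127.0.0.1 lmlicenses.wip4.adobe.com
127.0.0.1 activate.adobe.com
0.0.0.0 example.invalid

¤¤¤ MBR Check: ¤¤¤
"""

SECTION = re.compile(r"^¤¤¤\s+(?P<title>[^:]+?)\s*:.*¤¤¤$")
REG_LINE = re.compile(
    r"^\[(?P<cat>[^\]]+)\]\[(?P<kind>[^\]]+)\]\s+(?P<path>\S+)\s+:\s+"
    r"(?P<name>\S+)\s+\((?P<value>-?\d+)\)\s+->\s+(?P<action>.+)$"
)
HOSTS_LINE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)")


@dataclass
class RegistryEntry:
    category: str  # e.g. "HJ POL"
    kind: str      # e.g. "PUM"
    path: str
    name: str
    value: int     # the value RogueKiller found, before its own fix
    action: str    # what RogueKiller did about it


@dataclass
class Finding:
    severity: str
    item: str
    reason: str


# What a hardened Windows 7 box should carry for the policy names RogueKiller
# reports under [HJ POL]. The check is on the value found, not on key presence.
SAFE_POLICY: Dict[str, Callable[[int], bool]] = {
    "EnableLUA": lambda v: v == 1,                   # UAC must be on
    "ConsentPromptBehaviorAdmin": lambda v: v != 0,  # 0 = elevate without prompting
    "DisableTaskMgr": lambda v: v == 0,
    "DisableRegistryTools": lambda v: v == 0,
}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0"}


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group the report's non-blank lines under their ¤¤¤ section title."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            current = m["title"]
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    return sections


def parse_registry_entries(lines: List[str]) -> List[RegistryEntry]:
    entries = []
    for line in lines:
        m = REG_LINE.match(line)
        if m:
            entries.append(RegistryEntry(m["cat"], m["kind"], m["path"], m["name"],
                                         int(m["value"]), m["action"]))
    return entries


def audit_registry(entries: List[RegistryEntry]) -> List[Finding]:
    findings = []
    for e in entries:
        check = SAFE_POLICY.get(e.name)
        if check is None:
            continue  # desktop-icon toggles and the like: cosmetic, not a weakening
        if not check(e.value):
            findings.append(Finding("high", f"{e.path} {e.name}={e.value}",
                                    "policy value weakens system security"))
    return findings


def audit_hosts(lines: List[str]) -> List[Finding]:
    """Flag any non-local hostname mapped to loopback or the null address."""
    findings = []
    for line in lines:
        if line.startswith("#") or line.startswith("-->"):
            continue
        m = HOSTS_LINE.match(line)
        if m and m["ip"] in SINKHOLE_IPS and m["host"].lower() not in LOCAL_NAMES:
            findings.append(Finding("medium", f"{m['ip']} {m['host']}",
                                    "non-local hostname pinned to loopback/null address"))
    return findings


def audit_report(text: str) -> List[Finding]:
    sections = split_sections(text)
    entries = parse_registry_entries(sections.get("Registry Entries", []))
    return audit_registry(entries) + audit_hosts(sections.get("HOSTS File", []))


if __name__ == "__main__":
    for f in audit_report(SAMPLE_REPORT):
        print(f"[{f.severity}] {f.item}: {f.reason}")
```

    Run against the sample, it reports two high findings (UAC disabled, silent admin elevation) and three medium ones (the sinkholed hostnames). A sinkholed vendor hostname is not malware by itself, but it tells you the HOSTS file has been edited by something other than the user, which is worth knowing before declaring a machine clean; on a live box the same policy values can be read directly under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.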
     
  17. 2014/05/26
    bellisimo Lifetime Subscription

    bellisimo Well-Known Member Thread Starter

    Hi broni,

    The MBAR scan found no malware. I'll run it again to be sure.
     
  18. 2014/05/26
    bellisimo Lifetime Subscription

    bellisimo Well-Known Member Thread Starter

    Hi broni,

    Second MBAR scan was the same. Scan completed. No malware found.
     
  19. 2014/05/26
    broni

    broni Moderator Malware Analyst

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Very Important! Temporarily disable your anti-virus and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore your connection.
      If the connection is still not there, use the restore point you created prior to running Combofix.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled, as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try the following...

    Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
    iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

    Restart computer in safe mode

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    When the scan is done Notepad will open with rKill.txt log.
    NOTE. rKill.txt log will also be present on your desktop.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
     
  20. 2014/05/26
    bellisimo Lifetime Subscription

    bellisimo Well-Known Member Thread Starter

    Hi Broni,

    After I uninstall AVG Security Suite do I need to disable my Windows firewall?
     
  21. 2014/05/26
    broni

    broni Moderator Malware Analyst

    No. Never disable your firewall.
     
