Ads malware / Arabyonline



marko12
2014-06-15, 07:51
Hi guys, I am restarting a new thread, doing it right this time.

After installing a bad tool I should never have installed, I got infected by Arabyonline stuff.
I cleaned it partially with Malwarebytes and reverted my settings in the different web browsers.

But now I'm getting some ads that weren't there before, directly in the web pages I visit. I guess everything is not completely clean, so I need your help to get a completely clean computer.

My system is Win7 Pro N / 64-bit.

Let me know what to do, I am all ears.

Thanks a lot
Mark
-----------------------------------
DDS Report:

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16448 BrowserJavaVersion: 10.55.2
Run by mga5 at 9:14:01 on 2014-06-15
Microsoft Windows 7 Professional N 6.1.7601.1.1252.1.1033.18.8064.4526 [GMT 4:00]
.
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {7193B549-236F-55EE-9AEC-F65279E59A92}
SP: Trend Micro OfficeScan Anti-spyware *Enabled/Updated* {CAF254AD-0555-5A60-A05C-CD200262D02F}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files (x86)\Agilent\2100 bioanalyzer\2100 expert\bin\agteventdistributor.exe
C:\Program Files (x86)\Agilent\2100 bioanalyzer\2100 expert\bin\BASecurity.exe
C:\Program Files (x86)\Agilent\2100 bioanalyzer\2100 expert\bin\agtlicenseserver.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files (x86)\Raize\CS4\Bin\CSDispatcher.exe
C:\Program Files (x86)\Symantec\pcAnywhere\AWHPROBE.EXE
C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe
C:\Windows\keyacc32.exe
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Symantec\pcAnywhere\pcaEvents.exe
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Windows\system32\DRIVERS\o2flash.exe
C:\PROGRA~2\PHAROS~1\Core\CTskMstr.exe
C:\Windows\system32\svchost.exe -k regsvc
C:\Program Files (x86)\Common Files\Research In Motion\Tunnel Manager\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Tivoli\TSM\baclient\dsmcad.exe
C:\Program Files\Tivoli\TSM\baclient\dsmcsvc.exe
C:\Program Files (x86)\Common Files\Research In Motion\Tunnel Manager\tunmgr.exe
C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Altiris\Altiris Agent\x86\AeXNSAgentHostSurrogate32.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe
C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files (x86)\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\taskhost.exe
C:\Program Files\Altiris\Altiris Agent\AeXAgentUIHost.exe
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\kass.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files (x86)\Research In Motion\BlackBerry Link\BlackBerryLink.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Google\Drive\googledrivesync.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files (x86)\Trend Micro\OfficeScan Client\PccNTMon.exe
C:\Program Files (x86)\Google\Google Talk\googletalk.exe
C:\Program Files (x86)\Common Files\Research in Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\Program Files (x86)\Google\Drive\googledrivesync.exe
C:\Program Files (x86)\Common Files\Research in Motion\Tunnel Manager\PeerManager.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Research In Motion\BlackBerry Link\BlackBerryLink.Helper.exe
C:\Program Files (x86)\Research In Motion\BlackBerry Link\BlackBerryLink.AutoUpdate.exe
C:\Program Files (x86)\Common Files\Research In Motion\nginx\nginx.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Common Files\Research In Motion\nginx\nginx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Google\Update\1.3.24.7\GoogleCrashHandler.exe
C:\Program Files (x86)\Google\Update\1.3.24.7\GoogleCrashHandler64.exe
C:\Program Files (x86)\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Windows\SysWOW64\RunDll32.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\splwow64.exe
C:\Program Files (x86)\Pharos\bin\popnet.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Altiris\Altiris Agent\Agents\Inventory Agent\SMFDiscoveryOn64BitOS.exe
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = www.google.com
uSearch Bar = Preserve
mStart Page = www.google.com
mWinlogon: Userinit = userinit.exe,
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
uRun: [BlackBerryLink.exe] "C:\Program Files (x86)\Research In Motion\BlackBerry Link\BlackBerryLink.exe" /minimize
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [GoogleDriveSync] "C:\Program Files (x86)\Google\Drive\googledrivesync.exe" /autostart
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
mRun: [OfficeScanNT Monitor] "C:\Program Files (x86)\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
mRun: [googletalk] C:\Program Files (x86)\Google\Google Talk\googletalk.exe /autostart
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [RIMBBLaunchAgent.exe] C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
mRun: [RIM PeerManager] "C:\Program Files (x86)\Common Files\Research In Motion\Tunnel Manager\PeerManager.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: HideSCAHealth = dword:1
uPolicies-System: DisableChangePassword = dword:1
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
mPolicies-System: dontdisplaylastusername = dword:1
mPolicies-System: legalnoticecaption = NOTICE: NYU Authorized Use Only!
mPolicies-System: legalnoticetext = Access and use, or causing access and use, of this computer system by anyone other than as permitted by New York University (NYU) is strictly prohibited by NYU and by law. Such use might subject an unauthorized user, including unauthorized employees, to criminal and civil penalties as well as NYU-initiated disciplinary proceedings. The use of this system is routinely monitored and recorded, and anyone accessing this system consents to such monitoring and recording.
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://192.168.233.23:4343/officescan/console/html/ClientInstall/WinNTChk.cab
DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} - hxxps://192.168.233.23:4343/officescan/console/html/ClientInstall/setupini.cab
DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxps://192.168.233.23:4343/officescan/console/html/ClientInstall/setup.cab
DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} - hxxps://192.168.233.23:4343/officescan/console/html/root/AtxEnc.cab
DPF: {36F17E17-AC00-42BC-A6D9-294AD4E7DCD6} - hxxp://aduae070-wap-v.ad.nyu.edu/Altiris/NS/NSCap/Bin/Win32/x86/AltirisAgentInstBootstrap.cab
DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} - hxxps://192.168.233.23:4343/officescan/console/html/ClientInstall/RemoveCtrl.cab
TCP: NameServer = 94.56.130.156 94.56.130.157
TCP: Interfaces\{7404ECB6-E9D5-4D79-A9B9-418A519D5BC3} : DHCPNameServer = 94.56.130.156 94.56.130.157
TCP: Interfaces\{8BFE416D-D346-47F0-92F2-13DAF2713AFF}\55076244F677E6 : DHCPNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{8BFE416D-D346-47F0-92F2-13DAF2713AFF}\D6162736 : DHCPNameServer = 192.168.1.1 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Notify: PCANotify - PCANotify.dll
AppInit_DLLs= KATRACK.DLL AMINIT32.DLL
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
LSA: Notification Packages = scecli C:\Program Files\WIDCOMM\Bluetooth Software\BtwProximityCP.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\35.0.1916.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
x64-Run: [KeyAccess] kass.exe
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\mga5\AppData\Roaming\Mozilla\Firefox\Profiles\ydvibndf.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.http - 192.99.0.172
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.24.7\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw_1204144.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_13_0_0_214.dll
.
============= SERVICES / DRIVERS ===============
.
R0 stdcfltn;Disk Class Filter Driver for Accelerometer;C:\Windows\System32\drivers\stdcfltn.sys [2013-8-27 22128]
R2 Agilent Event Distributor;Agilent Event Distributor;C:\Program Files (x86)\Agilent\2100 bioanalyzer\2100 expert\bin\agteventdistributor.exe [2005-2-19 196608]
R2 Agilent expert Security Service;Agilent expert Security Service;C:\Program Files (x86)\Agilent\2100 bioanalyzer\2100 expert\bin\BASecurity.exe [2009-9-30 1182208]
R2 Agilent License Server;Agilent License Server;C:\Program Files (x86)\Agilent\2100 bioanalyzer\2100 expert\bin\agtlicenseserver.exe [2009-10-15 262144]
R2 KeyAccess;KeyAccess;C:\Windows\keyacc32.exe [2010-11-20 2013184]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [2014-5-14 1809720]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [2014-5-14 860472]
R2 RIM MDNS;RIM MDNS;C:\Program Files (x86)\Common Files\Research in Motion\Tunnel Manager\mDNSResponder.exe [2013-11-5 389632]
R2 RIM Tunnel Service;BlackBerry Link Communication Manager;C:\Program Files (x86)\Common Files\Research in Motion\Tunnel Manager\tunmgr.exe [2013-11-5 1286656]
R2 TmFilter;Trend Micro Filter;C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmxpflt.sys [2011-7-12 344376]
R2 TmPreFilter;Trend Micro PreFilter;C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmpreflt.sys [2011-7-12 42808]
R2 TSM Client Acceptor;TSM Client Acceptor;C:\Program Files\Tivoli\TSM\baclient\dsmcad.exe [2010-2-21 3408408]
R2 TSM Client Scheduler;TSM Client Scheduler;C:\Program Files\Tivoli\TSM\baclient\dsmcsvc.exe [2010-2-21 6119960]
R3 AeXAgentSrvHost;AeXAgentSrvHost;C:\Program Files\Altiris\Altiris Agent\x86\AeXNSAgentHostSurrogate32.exe [2013-11-20 317312]
R3 BlackBerry Device Manager;BlackBerry Device Manager;C:\Program Files (x86)\Common Files\Research in Motion\USB Drivers\BbDevMgr.exe [2013-9-9 585728]
R3 iusb3hub;Intel(R) USB 3.0 Hub Driver;C:\Windows\System32\drivers\iusb3hub.sys [2014-5-27 358896]
R3 iusb3xhc;Intel(R) USB 3.0 eXtensible Host Controller Driver;C:\Windows\System32\drivers\iusb3xhc.sys [2012-9-20 788760]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2014-5-14 25816]
R3 MBAMSwissArmy;MBAMSwissArmy;C:\Windows\System32\drivers\MBAMSwissArmy.sys [2014-5-14 122584]
R3 MBAMWebAccessControl;MBAMWebAccessControl;C:\Windows\System32\drivers\mwac.sys [2014-5-14 63704]
R3 rimvndis;BlackBerry Virtual Private Network;C:\Windows\System32\drivers\rimvndis6_AMD64.sys [2013-8-15 17920]
R3 ST_ACCEL;STMicroelectronics Accelerometer Service;C:\Windows\System32\drivers\ST_ACCEL.sys [2012-9-20 68208]
R3 TmProxy;OfficeScan NT Proxy Service;C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe [2011-4-15 918032]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2012-7-9 104912]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2012-7-8 123856]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-10-23 172192]
S3 AltirisAgentProvider;AltirisAgentProvider;C:\Program Files\Altiris\Altiris Agent\Agents\WMIProviderAgent\AltirisAgentProvider.exe [2012-8-22 408448]
S3 bcbtums;Bluetooth RAM Firmware Download USB Filter;C:\Windows\System32\drivers\bcbtums.sys [2012-9-20 165688]
S3 btwampfl;btwampfl Bluetooth filter driver;C:\Windows\System32\drivers\btwampfl.sys [2013-10-12 598808]
S3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\System32\drivers\btwl2cap.sys [2013-10-12 39976]
S3 ConfigService;Altiris Deployment Solution - System Configuration;C:\Program Files\Altiris\Altiris Agent\Agents\Deployment\Agent\ConfigService.exe [2012-9-27 267408]
S3 cvusbdrv;Dell ControlVault;C:\Windows\System32\drivers\cvusbdrv.sys [2012-8-22 38440]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-4-12 71168]
S3 HTCAND64;HTC Device Driver;C:\Windows\System32\drivers\ANDROIDUSB.sys [2009-11-2 33736]
S3 HtcVCom32;HTC Diagnostic Port;C:\Windows\System32\drivers\HtcVComV64.sys [2010-3-8 121800]
S3 O2MDFRDR;O2MDFRDR;C:\Windows\System32\drivers\o2mdfw7x64.sys [2012-8-22 72808]
S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-1-9 174440]
S3 StkCMini;Syntek AVStream USB2.0 ATV;C:\Windows\System32\drivers\StkCMini.sys [2014-5-27 1816968]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 27136]
S3 TSM Remote Client Agent;TSM Remote Client Agent;C:\Program Files\Tivoli\TSM\baclient\dsmagent.exe [2010-2-21 6242840]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-21 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-21 31232]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-12-13 54784]
S3 usbrndis6;USB RNDIS6 Adapter;C:\Windows\System32\drivers\usb80236.sys [2009-7-14 19968]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-8-22 1255736]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\System32\drivers\wdcsam64.sys [2008-5-6 14464]
S3 WSDScan;WSD Scan Support via UMB;C:\Windows\System32\drivers\WSDScan.sys [2009-7-14 25088]
.
=============== Created Last 30 ================
.
2014-06-05 07:45:32 -------- d-----w- C:\Program Files (x86)\Condor
2014-05-28 06:43:38 10702536 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{05607049-1D34-4D68-812E-D54545A97DBB}\mpengine.dll
2014-05-27 11:39:10 358896 ----a-w- C:\Windows\System32\drivers\iusb3hub.sys
2014-05-27 11:35:58 -------- d-----w- C:\Users\mga5\AppData\Local\DriverToolkit
2014-05-27 11:35:55 -------- d-----w- C:\Program Files (x86)\DriverToolkit
2014-05-27 11:26:53 347152 ----a-w- C:\Windows\VideoView.exe
2014-05-27 11:26:52 84616 ----a-w- C:\Windows\StkUnist.exe
2014-05-27 11:26:52 76424 ----a-w- C:\Windows\System32\StkCWIA.dll
2014-05-27 11:26:52 55944 ----a-w- C:\Windows\System32\StkSSrv.dll
2014-05-27 11:26:52 31368 ----a-w- C:\Windows\System32\StkCSrv.exe
2014-05-27 11:26:52 236168 ----a-w- C:\Windows\SysWow64\StkCProp.ax
2014-05-27 11:26:52 219280 ----a-w- C:\Windows\System32\drivers\StkCSF.sys
2014-05-27 11:26:52 113288 ----a-w- C:\Windows\StkC112X.exe
2014-05-27 11:26:51 7751560 ----a-w- C:\Windows\System32\drivers\StkCPipe.sys
2014-05-27 11:26:51 1816968 ----a-w- C:\Windows\System32\drivers\StkCMini.sys
2014-05-22 06:24:06 -------- d-----w- C:\Users\mga5\AppData\Roaming\SketchUp
2014-05-22 05:10:48 -------- d-----w- C:\Program Files (x86)\FTDI
2014-05-21 12:08:57 -------- d-----w- C:\ProgramData\SketchUp
2014-05-21 12:08:56 -------- d-----w- C:\Program Files (x86)\SketchUp
2014-05-18 09:14:10 -------- d-----w- C:\Users\mga5\VirtualBox VMs
2014-05-18 09:13:23 -------- d-----w- C:\Users\mga5\.VirtualBox
2014-05-18 09:04:15 254240 ----a-w- C:\Windows\System32\drivers\VBoxDrv.sys
2014-05-18 09:04:10 128288 ----a-w- C:\Windows\System32\drivers\VBoxUSBMon.sys
2014-05-18 09:04:07 -------- d-----w- C:\Program Files\Oracle
2014-05-18 07:25:00 -------- d-----w- C:\BaseSpace
2014-05-18 07:24:59 -------- d-----w- C:\Users\mga5\AppData\Local\Illumina_BaseSpace_Downloader
2014-05-18 07:24:16 -------- d-----w- C:\Users\mga5\AppData\Local\Deployment
2014-05-18 07:24:16 -------- d-----w- C:\Users\mga5\AppData\Local\Apps
2014-05-18 06:44:54 -------- d-----w- C:\Program Files (x86)\OpenTX
2014-05-18 05:55:03 -------- d-----w- C:\Program Files (x86)\companion9x
2014-05-18 05:02:49 96168 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2014-05-16 10:03:30 156448 ----a-w- C:\Windows\System32\drivers\VBoxNetFlt.sys
2014-05-16 10:03:30 141600 ----a-w- C:\Windows\System32\drivers\VBoxNetAdp.sys
2014-05-16 10:01:18 204064 ----a-w- C:\Windows\System32\VBoxNetFltNobj.dll
.
==================== Find3M ====================
.
2014-06-12 11:02:40 122584 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-05-27 06:36:49 70832 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-05-27 06:36:49 692400 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2014-05-12 03:26:10 63704 ----a-w- C:\Windows\System32\drivers\mwac.sys
2014-05-12 03:26:00 91352 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2014-05-12 03:25:56 25816 ----a-w- C:\Windows\System32\drivers\mbam.sys
2014-03-31 05:35:08 270496 ------w- C:\Windows\System32\MpSigStub.exe
.
============= FINISH: 9:14:40.33 ===============

aswMBR Log:

aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2014-06-15 09:20:35
-----------------------------
09:20:35.712 OS Version: Windows x64 6.1.7601 Service Pack 1
09:20:35.712 Number of processors: 4 586 0x3A09
09:20:35.713 ComputerName: ABUSA04147LP-W7 UserName: mak
09:20:36.331 Initialize success
09:23:24.938 AVAST engine defs: 14061401
09:24:13.196 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
09:24:13.197 Disk 0 Vendor: Micron_C400_RealSSD_2.5"_7mm_256GB 070H Size: 244198MB BusType: 11
09:24:13.352 Disk 0 MBR read successfully
09:24:13.354 Disk 0 MBR scan
09:24:13.357 Disk 0 Windows 7 default MBR code
09:24:13.370 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 244191 MB offset 63
09:24:13.512 Disk 0 scanning C:\Windows\system32\drivers
09:24:36.225 Service scanning
09:24:48.027 Service TmFilter C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmXPFlt.sys **LOCKED** 32
09:24:48.145 Service TmPreFilter C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmPreFlt.sys **LOCKED** 32
09:24:49.590 Service VSApiNt C:\Program Files (x86)\Trend Micro\OfficeScan Client\VSApiNt.sys **LOCKED** 32
09:24:51.177 Modules scanning
09:24:51.188 Disk 0 trace - called modules:
09:24:51.200 ntoskrnl.exe CLASSPNP.SYS disk.sys stdcfltn.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
09:24:51.208 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800778e060]
09:24:51.211 3 CLASSPNP.SYS[fffff8800165143f] -> nt!IofCallDriver -> [0xfffffa80075f0cb0]
09:24:51.214 5 stdcfltn.sys[fffff88001969d12] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80074d2680]
09:24:51.696 AVAST engine scan C:\Windows
09:25:05.233 AVAST engine scan C:\Windows\system32
09:31:32.941 AVAST engine scan C:\Windows\system32\drivers
09:31:49.919 AVAST engine scan C:\Users\mak
09:32:23.914 File: C:\Users\mak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DEOL9PT\Arabgames[1].exe **INFECTED** Win32:Adware-gen [Adw]
09:40:13.092 AVAST engine scan C:\ProgramData
09:40:47.967 Scan finished successfully
09:49:23.009 Disk 0 MBR has been saved successfully to "C:\Users\mak\Desktop\MBR.dat"
09:49:23.014 The log file has been saved successfully to "C:\Users\mak\Desktop\aswMBR.txt"

OCD
2014-06-16, 21:17
Hi marko12,

The below entries are listed in the DDS log you provided. Can you please tell me who owns this computer, and are you authorized to make changes to it?

mPolicies-System: legalnoticecaption = NOTICE: NYU Authorized Use Only!
mPolicies-System: legalnoticetext = Access and use, or causing access and use, of this computer system by anyone other than as permitted by New York University (NYU) is strictly prohibited by NYU and by law. Such use might subject an unauthorized user, including unauthorized employees, to criminal and civil penalties as well as NYU-initiated disciplinary proceedings. The use of this system is routinely monitored and recorded, and anyone accessing this system consents to such monitoring and recording.

marko12
2014-06-17, 07:22
Hi OCD,

It's an NYU computer and I am the one using it, and yes, I am allowed to access and use this computer.
I understand your reluctance, but I am the one who is going to make the changes on your advice, so if you prefer not to fix my computer, no worries.
Cheers
Marko

OCD
2014-06-17, 08:56
Hi marko12,

Please read the information below; it outlines the forum's position on giving assistance. Unfortunately, since your computer is the property of NYU, I am not authorized to offer assistance.

The malware removal forum is set up to help those in need of assistance with their personal computers. This service is free and provided by volunteer analysts.

This applies when the infection is on a Company/Business/Institution/Medical Facility-Health Insurance (HIPAA Privacy Rule) machine or any computer that is or was used in the workplace.

The intention of this forum is not to replace a company's IT department or a private business specialist; helpers cannot anticipate alterations or configurations that may have been made to a business machine, or how it will interact with the tools commonly used in the removal of malware.

Other considerations:

Company information may show in the logs.
More than one machine could be at stake.
If sensitive material has been compromised by an infection, the company could be held liable.

To prevent possible loss or corruption of company information, please inform your IT professional or supervisor when a workplace computer has been infected. If neither is available, please consider calling in a local technician who can see the machine/network in person.

It's not that we don't want to help, but there are too many issues that could arise with company machines and/or servers that malware forum volunteers are not experienced in dealing with.

Thank you for your understanding.

marko12
2014-06-17, 09:29
Hi OCD,

Ok I understand, thank you for your time.

You can close/delete this thread, then.
Marko