
Thread: Backdoor.Agent Problem

  1. #11
    Junior Member
    Join Date
    Dec 2011
    Posts
    25

    ESET:
    C:\Qoobox\Quarantine\C\Users\E\AppData\Local\ce680107\X.vir Win64/Sirefef.K trojan
    C:\Qoobox\Quarantine\C\Users\E\AppData\Local\ce680107\U\80000000.@.vir Win64/Sirefef.P trojan
    C:\Qoobox\Quarantine\C\Users\E\AppData\Local\ce680107\U\800000cb.@.vir Win64/Sirefef.M trojan
    C:\Qoobox\Quarantine\C\Users\E\AppData\Local\ce680107\U\800000cf.@.vir Win64/Sirefef.O trojan
    C:\Users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-135cc6f8 a variant of Java/TrojanDownloader.OpenStream.NCM trojan
    C:\Users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-18302781 a variant of Java/TrojanDownloader.OpenStream.NCM trojan
    C:\Users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-32c71f64 a variant of Java/TrojanDownloader.OpenStream.NCM trojan
    C:\Users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-5f8ba836 a variant of Java/TrojanDownloader.OpenStream.NCM trojan
    C:\Users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-60601aa7 a variant of Java/TrojanDownloader.OpenStream.NCM trojan
    C:\Users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-67040525 a variant of Java/TrojanDownloader.OpenStream.NCM trojan
    C:\Users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\30a46148-7b4572c3 Java/TrojanDownloader.OpenStream.NCM trojan
    C:\Users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\79efab09-406fd805 probably a variant of Java/TrojanDownloader.OpenStream.NCC trojan
    Malware:
    Malwarebytes Anti-Malware 1.60.0.1800
    www.malwarebytes.org

    Versão da Base de Dados: v2012.01.01.03

    Windows 7 x64 NTFS
    Internet Explorer 8.0.7600.16385
    E :: PC [administrador]

    01/01/2012 20:28:08
    mbam-log-2012-01-01 (20-28-08).txt

    Tipo de Verificação: Verificação Rápida
    Opções de verificações ativadas: Memória | Inicialização | Registro | Sistema de arquivos | Heurística/Extra | Heurística/Shuriken | PUP | PUM
    Opções de verificação desativadas: P2P
    Objetos escaneados: 190278
    Tempo decorrido: 1 minuto(s), 51 segundo(s)

    Processos de Memória Detectados: 0
    (Não foram detectados ítens maliciosos)

    Módulos de Memória Detectados: 0
    (Não foram detectados ítens maliciosos)

    Chaves de Registro Detectadas: 0
    (Não foram detectados ítens maliciosos)

    Valores de Registro Detectadas: 0
    (Não foram detectados ítens maliciosos)

    Itens de Dados no Registro Detectadas: 0
    (Não foram detectados ítens maliciosos)

    Pastas Detectadas: 0
    (Não foram detectados ítens maliciosos)

    Arquivos Detectados: 0
    (Não foram detectados ítens maliciosos)

    (fim)

  2. #12
    Emeritus
    Join Date
    Apr 2011
    Location
    USA
    Posts
    1,038

    Hi,

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
      Code:
      File::
      C:\Users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-135cc6f8
      C:\Users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-18302781
      C:\Users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-32c71f64
      C:\Users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-5f8ba836
      C:\Users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-60601aa7
      C:\Users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-67040525
      C:\Users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\30a46148-7b4572c3
      C:\Users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\79efab09-406fd805
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    ----------

    When you originally ran DDS, there was a log created named Attach.txt. If you still have that, please post that log as well as the new ComboFix log in your next reply. Also, let me know how your system is running now.
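    As an added example (not code from this thread, from ESET or from ComboFix), the following Python script automates what the helper did by hand above: it parses ESET detection lines of the shape quoted in post #11, sets aside hits that are only ComboFix's own quarantine copies under C:\Qoobox, and emits the File:: block of a CFScript.txt for the live files. The sample lines are constructed from the paths on this page; the line grammar it accepts is an assumption about ESET's export format.

```python
import re
from dataclasses import dataclass

# Constructed sample: detection lines in the shape ESET printed in post #11
# (file path, optional "a variant of" / "probably a variant of", detection name, class).
SAMPLE_ESET_LINES = [
    r"C:\Qoobox\Quarantine\C\Users\E\AppData\Local\ce680107\X.vir Win64/Sirefef.K trojan",
    r"C:\Qoobox\Quarantine\C\Users\E\AppData\Local\ce680107\U\80000000.@.vir Win64/Sirefef.P trojan",
    r"C:\Users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-135cc6f8 a variant of Java/TrojanDownloader.OpenStream.NCM trojan",
    r"C:\Users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\30a46148-7b4572c3 Java/TrojanDownloader.OpenStream.NCM trojan",
    r"C:\Users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\79efab09-406fd805 probably a variant of Java/TrojanDownloader.OpenStream.NCC trojan",
]

# Assumed line grammar (an assumption about ESET's export, not documented on the page):
#   <path> [probably ][a variant of ]<Platform>/<Name> <class>
# The path is matched non-greedily so directory names containing spaces survive.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<qualifier>(?:probably )?(?:a variant of )?)"
    r"(?P<name>[A-Za-z0-9]+/\S+)\s+"
    r"(?P<kind>trojan|worm|virus|backdoor|adware|potentially unwanted application|application)$"
)

# ComboFix moves what it removes under C:\Qoobox\Quarantine (post #11 shows the .vir copies).
QUARANTINE_MARKER = "\\qoobox\\quarantine\\"


@dataclass(frozen=True)
class Detection:
    path: str
    name: str       # e.g. "Java/TrojanDownloader.OpenStream.NCM"
    kind: str       # e.g. "trojan"
    qualifier: str  # "", "a variant of" or "probably a variant of"

    @property
    def already_quarantined(self) -> bool:
        """True when the hit is only ComboFix's quarantined copy, so no further action is needed."""
        return QUARANTINE_MARKER in self.path.lower()

    @property
    def family(self) -> str:
        """Strip the trailing variant letter(s): Win64/Sirefef.K -> Win64/Sirefef."""
        return self.name.rsplit(".", 1)[0] if "." in self.name else self.name


def parse_eset_log(lines):
    """Parse ESET detection lines; raise on any line that does not fit the grammar."""
    detections = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ESET line: {line!r}")
        detections.append(Detection(m["path"], m["name"], m["kind"], m["qualifier"].strip()))
    return detections


def summarize_by_family(detections):
    """Count detections per malware family, quarantined copies included."""
    counts = {}
    for d in detections:
        counts[d.family] = counts.get(d.family, 0) + 1
    return counts


def build_cfscript(detections):
    """Emit the File:: section of a CFScript.txt listing only live (non-quarantined) files."""
    seen, paths = set(), []
    for d in detections:
        if d.already_quarantined or d.path in seen:
            continue
        seen.add(d.path)
        paths.append(d.path)
    if not paths:
        return ""
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    found = parse_eset_log(SAMPLE_ESET_LINES)
    for family, n in summarize_by_family(found).items():
        print(f"{family}: {n}")
    print(build_cfscript(found), end="")
```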

  3. #13
    Junior Member
    Join Date
    Dec 2011
    Posts
    25

    ComboFix gave me a warning about the script already being used in another process, then updated and did a scan, resulting in this log:
    ComboFix 12-01-02.02 - E 02/01/2012 23:40:08.3.4 - x64
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.55.1046.18.3957.2770 [GMT -2:00]
    Executando de: c:\users\E\Desktop\ComboFix.exe
    Comandos utilizados :: c:\users\E\Desktop\CFScript.txt
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Criado um novo ponto de restauração
    .
    FILE ::
    "c:\users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-135cc6f8"
    "c:\users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-18302781"
    "c:\users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-32c71f64"
    "c:\users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-5f8ba836"
    "c:\users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-60601aa7"
    "c:\users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-67040525"
    "c:\users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\30a46148-7b4572c3"
    "c:\users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\79efab09-406fd805"
    .
    .
    ((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-135cc6f8
    c:\users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-18302781
    c:\users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-32c71f64
    c:\users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-5f8ba836
    c:\users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-60601aa7
    c:\users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-67040525
    c:\users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\30a46148-7b4572c3
    c:\users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\79efab09-406fd805
    .
    .
    (((((((((((((((( Arquivos/Ficheiros criados de 2011-12-03 to 2012-01-03 ))))))))))))))))))))))))))))
    .
    .
    2012-01-03 01:45 . 2012-01-03 01:45 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-12-23 13:07 . 2011-12-23 13:07 -------- d-----w- c:\users\E\AppData\Roaming\Malwarebytes
    2011-12-23 13:07 . 2011-12-23 13:07 -------- d-----w- c:\programdata\Malwarebytes
    2011-12-23 13:07 . 2012-01-01 22:23 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2011-12-23 13:07 . 2011-12-10 17:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-12-20 16:25 . 2011-12-20 16:25 -------- d-----w- c:\users\UpdatusUser
    2011-12-20 16:25 . 2011-12-20 16:25 -------- d-----w- c:\programdata\NVIDIA
    2011-12-20 16:25 . 2011-10-15 08:53 837952 ----a-w- c:\windows\system32\easyupdatusapiu64.dll
    2011-12-20 16:25 . 2011-10-15 08:53 5067584 ----a-w- c:\windows\system32\nvsvc64.dll
    2011-12-20 16:25 . 2011-10-15 08:53 3074368 ----a-w- c:\windows\system32\nvsvcr.dll
    2011-12-20 16:25 . 2011-10-15 08:53 222528 ----a-w- c:\windows\system32\nvmctray.dll
    2011-12-20 16:25 . 2011-10-15 08:53 1640768 ----a-w- c:\windows\system32\nvvsvc.exe
    2011-12-20 16:25 . 2011-10-15 08:53 137536 ----a-w- c:\windows\system32\nvshext.dll
    2011-12-20 16:25 . 2011-10-15 08:53 10406208 ----a-w- c:\windows\system32\nvcpl.dll
    2011-12-20 16:25 . 2011-12-20 16:25 -------- d-----w- c:\programdata\NVIDIA Corporation
    2011-12-20 14:33 . 2011-12-20 14:33 -------- d-----w- c:\windows\SysWow64\xlive
    2011-12-20 14:33 . 2011-12-20 14:33 -------- d-----w- c:\program files (x86)\Microsoft Games for Windows - LIVE
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-19 15:44 . 2009-07-13 23:55 332288 ----a-w- c:\windows\system32\uxtheme.dll
    2011-12-19 15:44 . 2009-07-13 23:54 2851328 ----a-w- c:\windows\system32\themeui.dll
    2011-12-19 15:44 . 2009-07-13 23:54 44544 ----a-w- c:\windows\system32\themeservice.dll
    2011-12-04 13:24 . 2011-06-18 01:26 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-11-29 20:28 . 2011-11-29 20:28 503352 ----a-w- c:\windows\system32\drivers\sptd.sys
    2011-10-10 19:49 . 2011-10-10 19:49 188128 ----a-w- c:\programdata\Microsoft\VCSExpress\10.0\1033\ResourceCache.dll
    2011-10-10 19:33 . 2011-08-19 15:22 1367232 ----a-w- c:\programdata\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2009-11-10 . 2BB457EDBA37215C7EBC0057674A5E48 . 3206144 . . [6.1.7600.16385] .. c:\windows\explorer.exe
    [7] 2009-10-31 . B8EC4BD49CE8F6FC457721BFC210B67F . 2870272 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_ae46d6aeac7ca7c7\explorer.exe
    [7] 2009-10-31 . 9AAAEC8DAC27AA17B053E6352AD233AE . 2870272 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_adc508f19359a007\explorer.exe
    [7] 2009-08-03 . 700073016DAC1C3D2E7E2CE4223334B6 . 2868224 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_ae84b558ac4eb41c\explorer.exe
    [7] 2009-08-03 . F170B4A061C9E026437B193B4D571799 . 2868224 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_adff19b5932d79ae\explorer.exe
    [7] 2009-07-14 . C235A51CB740E45FFA0EBFB9BAFCDA64 . 2868224 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_ada998b9936d7566\explorer.exe
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-12-30_16.34.09 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-01-02 17:02 . 2012-01-02 17:02 13270 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
    - 2011-12-29 03:26 . 2011-12-29 03:26 13270 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
    - 2009-07-14 04:54 . 2011-12-30 16:15 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-07-14 04:54 . 2012-01-03 00:35 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-07-14 04:54 . 2012-01-03 00:35 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-07-14 04:54 . 2011-12-30 16:15 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-07-14 04:54 . 2011-12-30 16:15 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-07-14 04:54 . 2012-01-03 00:35 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2010-06-19 07:16 . 2011-12-30 16:17 47642 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2010-06-19 07:16 . 2012-01-03 00:37 47642 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    - 2009-07-14 05:10 . 2011-12-30 16:17 41168 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 05:10 . 2012-01-03 00:37 41168 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2011-02-20 18:05 . 2012-01-03 00:37 14292 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2566226363-914769290-2283136121-1000_UserData.bin
    - 2011-02-20 19:00 . 2011-12-30 16:21 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2011-02-20 19:00 . 2012-01-03 01:11 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2011-02-20 19:00 . 2011-12-30 16:21 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2011-02-20 19:00 . 2012-01-03 01:11 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2012-01-03 00:35 . 2012-01-03 00:35 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2011-12-30 16:15 . 2011-12-30 16:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2011-12-30 16:15 . 2011-12-30 16:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2012-01-03 00:35 . 2012-01-03 00:35 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2010-11-10 11:35 . 2012-01-01 21:52 293298 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
    - 2009-07-14 05:01 . 2011-12-29 03:26 243036 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2009-07-14 05:01 . 2012-01-02 17:02 243036 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    - 2009-07-14 02:34 . 2011-12-30 16:30 9961472 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
    + 2009-07-14 02:34 . 2012-01-03 00:45 9961472 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
    + 2011-05-18 19:40 . 2012-01-02 17:02 22235784 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2566226363-914769290-2283136121-1000-8192.dat
    .
    (((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
    .
    .
    *Nota* entradas vazias e legítimas por padrão não são apresentadas.
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "UCam_Menu"="c:\program files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Rainmeter.lnk - c:\program files (x86)\Rainmeter\Rainmeter.exe [2011-2-6 99840]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
    R3 WatAdminSvc;Serviço de Tecnologias de Ativação do Windows;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
    S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
    S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
    S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys [x]
    S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-02-28 821664]
    S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-10-15 2253120]
    S2 Rezip;Rezip;c:\windows\SysWOW64\Rezip.exe [2009-03-05 311296]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2009-12-03 483688]
    S3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [x]
    S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
    S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
    S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
    S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
    S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
    S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
    S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2009-12-03 209768]
    S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
    .
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-12-15 9644576]
    "SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
    .
    ------- Scan Suplementar -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: Enviar imagem para Dispositivo &Bluetooth... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Enviar página para Dispositivo &Bluetooth ... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\users\E\AppData\Roaming\Mozilla\Firefox\Profiles\dw69y0it.default\
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=
    .
    - - - - ORFÃOS REMOVIDOS - - - -
    .
    Toolbar-Locked - (no file)
    .
    .
    .
    --------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------
    .
    [HKEY_USERS\S-1-5-21-2566226363-914769290-2283136121-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="WindowsLiveMail.Email.1"
    .
    [HKEY_USERS\S-1-5-21-2566226363-914769290-2283136121-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="WindowsLiveMail.VCard.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10x_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10x_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Tempo para conclusão: 2012-01-02 23:47:28
    ComboFix-quarantined-files.txt 2012-01-03 01:47
    ComboFix2.txt 2011-12-31 20:22
    ComboFix3.txt 2011-12-30 16:36
    .
    Pré-execução: 78.345.531.392 bytes disponíveis
    Pós execução: 78.205.067.264 bytes disponíveis
    .
    - - End Of File - - 62E230C91C7012C6163F570A5329F948

    Sorry, I accidentally deleted the Attach.txt while reorganizing my desktop this morning (bunch of .exes and logs there now) =/

    Today I had no mediashift redirects (yesterday I had, though), and Windows is taking 3-5 extra seconds to boot (which I think I can fix with a defragmentation).

    Thanks for all your time doing this during New Year, Jeff =)

  4. #14
    Emeritus
    Join Date
    Apr 2011
    Location
    USA
    Posts
    1,038

    Hi,

    I am glad to hear things are running better.

    Please run a new scan with DDS and then post both of the logs that are created into your next reply.

    Stick with me, we are almost done.

  5. #15
    Junior Member
    Join Date
    Dec 2011
    Posts
    25

    Ok, here it is:
    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_22
    Run by E at 13:51:25 on 2012-01-03
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.55.1046.18.3957.2788 [GMT -2:00]
    .
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\windows\system32\wininit.exe
    C:\windows\system32\lsm.exe
    C:\windows\system32\svchost.exe -k DcomLaunch
    C:\windows\system32\nvvsvc.exe
    C:\windows\system32\svchost.exe -k RPCSS
    C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\windows\system32\svchost.exe -k netsvcs
    C:\windows\system32\svchost.exe -k LocalService
    C:\windows\system32\svchost.exe -k NetworkService
    C:\windows\system32\WLANExt.exe
    C:\windows\system32\conhost.exe
    C:\windows\System32\spoolsv.exe
    C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\windows\System32\svchost.exe -k HPZ12
    C:\windows\System32\svchost.exe -k HPZ12
    C:\windows\SysWOW64\Rezip.exe
    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
    C:\windows\system32\nvvsvc.exe
    C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
    C:\windows\System32\svchost.exe -k secsvcs
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
    C:\windows\system32\taskhost.exe
    C:\windows\system32\Dwm.exe
    C:\windows\Explorer.EXE
    C:\windows\system32\taskeng.exe
    C:\windows\system32\SearchIndexer.exe
    C:\Program Files (x86)\Samsung\Samsung Recovery Solution 4\WCScheduler.exe
    C:\Program Files (x86)\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe
    C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe
    C:\Program Files (x86)\Samsung\Samsung Support Center\SSCKbdHk.exe
    C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files (x86)\Rainmeter\Rainmeter.exe
    C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\windows\system32\DllHost.exe
    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
    C:\windows\system32\wuauclt.exe
    C:\windows\system32\DllHost.exe
    C:\windows\system32\DllHost.exe
    C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\conhost.exe
    C:\windows\SysWOW64\cscript.exe
    C:\windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn
    uInternet Settings,ProxyOverride = *.local
    BHO: Auxiliar de Conexão do Windows Live ID: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    {555d4d79-4bd2-4094-a395-cfc534424a05}
    mRun: [UCam_Menu] "C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\RAINME~1.LNK - C:\Program Files (x86)\Rainmeter\Rainmeter.exe
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    IE: Enviar imagem para Dispositivo &Bluetooth... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Enviar página para Dispositivo &Bluetooth ... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{DACE21EB-C065-4551-A94F-E84A92815EA3} : DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{DACE21EB-C065-4551-A94F-E84A92815EA3}\D4943425F454C4544525F4E4943414 : DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{DACE21EB-C065-4551-A94F-E84A92815EA3}\E4F647560205164756C6C6960214365627 : DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{F37648D8-9DE9-4418-BD56-F15E07CCD79D} : DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{F7BABD8C-D1ED-4CB1-92B7-CD9B5C4B5BEF} : DhcpNameServer = 192.168.0.1
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    {9030D464-4C02-4ABF-8ECC-5164760863C6}
    {DBC80044-A445-435b-BC74-9C25C1C588A9}
    EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
    mRun-x64: [UCam_Menu] "C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
    IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\E\AppData\Roaming\Mozilla\Firefox\Profiles\dw69y0it.default\
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=
    FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrlui.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
    FF - plugin: C:\Users\E\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
    FF - plugin: C:\Users\E\AppData\Roaming\Mozilla\Firefox\Profiles\dw69y0it.default\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}\plugins\npietab2.dll
    FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\windows\system32\DRIVERS\dtsoftbus01.sys --> C:\windows\system32\DRIVERS\dtsoftbus01.sys [?]
    R1 SABI;SAMSUNG Kernel Driver For Windows 7;\??\C:\windows\system32\Drivers\SABI.sys --> C:\windows\system32\Drivers\SABI.sys [?]
    R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]
    R2 cpuz135;cpuz135;\??\C:\windows\system32\drivers\cpuz135_x64.sys --> C:\windows\system32\drivers\cpuz135_x64.sys [?]
    R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2010-2-28 821664]
    R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-12-20 2253120]
    R2 Rezip;Rezip;C:\Windows\SysWOW64\Rezip.exe [2010-6-19 311296]
    R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2011-2-20 1153368]
    R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2009-12-2 483688]
    R3 btwampfl;Bluetooth AMP USB Filter;C:\windows\system32\drivers\btwampfl.sys --> C:\windows\system32\drivers\btwampfl.sys [?]
    R3 btwl2cap;Bluetooth L2CAP Service;C:\windows\system32\DRIVERS\btwl2cap.sys --> C:\windows\system32\DRIVERS\btwl2cap.sys [?]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\windows\system32\drivers\nvhda64v.sys --> C:\windows\system32\drivers\nvhda64v.sys [?]
    R3 Sftfs;Sftfs;C:\windows\system32\DRIVERS\Sftfslh.sys --> C:\windows\system32\DRIVERS\Sftfslh.sys [?]
    R3 Sftplay;Sftplay;C:\windows\system32\DRIVERS\Sftplaylh.sys --> C:\windows\system32\DRIVERS\Sftplaylh.sys [?]
    R3 Sftredir;Sftredir;C:\windows\system32\DRIVERS\Sftredirlh.sys --> C:\windows\system32\DRIVERS\Sftredirlh.sys [?]
    R3 Sftvol;Sftvol;C:\windows\system32\DRIVERS\Sftvollh.sys --> C:\windows\system32\DRIVERS\Sftvollh.sys [?]
    R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2009-12-2 209768]
    R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\windows\system32\DRIVERS\yk62x64.sys --> C:\windows\system32\DRIVERS\yk62x64.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S3 fssfltr;fssfltr;C:\windows\system32\DRIVERS\fssfltr.sys --> C:\windows\system32\DRIVERS\fssfltr.sys [?]
    S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2011-5-13 1492840]
    S3 Impcd;Impcd;C:\windows\system32\DRIVERS\Impcd.sys --> C:\windows\system32\DRIVERS\Impcd.sys [?]
    S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
    S3 RTL8167;Realtek 8167 NT Driver;C:\windows\system32\DRIVERS\Rt64win7.sys --> C:\windows\system32\DRIVERS\Rt64win7.sys [?]
    S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\system32\Drivers\usbaapl64.sys --> C:\windows\system32\Drivers\usbaapl64.sys [?]
    S3 WatAdminSvc;Serviço de Tecnologias de Ativação do Windows;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]
    .
    =============== Created Last 30 ================
    .
    2012-01-03 14:56:53 -------- d-sh--w- C:\$RECYCLE.BIN
    2011-12-30 16:25:56 98816 ----a-w- C:\windows\sed.exe
    2011-12-30 16:25:56 518144 ----a-w- C:\windows\SWREG.exe
    2011-12-30 16:25:56 256000 ----a-w- C:\windows\PEV.exe
    2011-12-30 16:25:56 208896 ----a-w- C:\windows\MBR.exe
    2011-12-28 23:15:40 -------- d-----w- C:\Users\E\AppData\Local\{365BF5C9-BDB1-47C4-9496-E2CD86B09724}
    2011-12-28 23:15:28 -------- d-----w- C:\Users\E\AppData\Local\{526CF1AE-03D0-4F3D-93CE-5AD0829E209E}
    2011-12-24 15:46:06 -------- d-----w- C:\Users\E\AppData\Local\{81538477-4E11-463B-8289-16C410DF29D4}
    2011-12-24 15:45:54 -------- d-----w- C:\Users\E\AppData\Local\{553E1D99-0358-4099-A1B3-705D570DF8C9}
    2011-12-23 13:07:18 -------- d-----w- C:\Users\E\AppData\Roaming\Malwarebytes
    2011-12-23 13:07:13 -------- d-----w- C:\ProgramData\Malwarebytes
    2011-12-23 13:07:10 23152 ----a-w- C:\windows\System32\drivers\mbam.sys
    2011-12-23 13:07:10 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2011-12-20 16:25:34 837952 ----a-w- C:\windows\System32\easyupdatusapiu64.dll
    2011-12-20 16:25:34 5067584 ----a-w- C:\windows\System32\nvsvc64.dll
    2011-12-20 16:25:34 3074368 ----a-w- C:\windows\System32\nvsvcr.dll
    2011-12-20 16:25:34 222528 ----a-w- C:\windows\System32\nvmctray.dll
    2011-12-20 16:25:34 1640768 ----a-w- C:\windows\System32\nvvsvc.exe
    2011-12-20 16:25:34 137536 ----a-w- C:\windows\System32\nvshext.dll
    2011-12-20 16:25:34 10406208 ----a-w- C:\windows\System32\nvcpl.dll
    2011-12-20 16:25:28 -------- d-----w- C:\ProgramData\NVIDIA Corporation
    2011-12-20 14:33:09 -------- d-----w- C:\windows\SysWow64\xlive
    2011-12-20 14:33:09 -------- d-----w- C:\Program Files (x86)\Microsoft Games for Windows - LIVE
    .
    ==================== Find3M ====================
    .
    2011-12-19 15:44:04 332288 ----a-w- C:\windows\System32\uxtheme.dll
    2011-12-19 15:44:03 2851328 ----a-w- C:\windows\System32\themeui.dll
    2011-12-19 15:44:01 44544 ----a-w- C:\windows\System32\themeservice.dll
    2011-12-04 13:24:23 414368 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-11-29 20:28:23 503352 ----a-w- C:\windows\System32\drivers\sptd.sys
    .
    ============= FINISH: 13:52:09,83 ===============

  6. #16
    Emeritus
    Join Date
    Apr 2011
    Location
    USA
    Posts
    1,038

    Default

    Hi enzo11,

    P2P - I see you have P2P software µTorrent installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections and possibly Identity Theft. It likely contributed to your current situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

    I would strongly recommend that you uninstall these now. You can do so via Control Panel >> Programs and Features.
    ----------

Please download JavaRa to your desktop and unzip it to its own folder
• Run JavaRa.exe (double-click for XP/right-click and Run as Administrator for Vista), pick the language of your choice and click Select. Then click Remove Older Versions.
• Accept any prompts.
• Open JavaRa.exe (double-click for XP/right-click and Run as Administrator for Vista) again and select Search For Updates.
• Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

    ----------

    Let me know when you have this completed and if you had any problems with the instructions.

  7. #17
    Junior Member
    Join Date
    Dec 2011
    Posts
    25

    Default

    JavaRa produced an empty log and I updated JRE (jre-7u2 from Sun's site).

  8. #18
    Emeritus
    Join Date
    Apr 2011
    Location
    USA
    Posts
    1,038

    Default

    Sounds good. Providing there are no more problems I think we can clean up.
    -------

IT APPEARS THAT YOUR LOGS ARE NOW CLEAN :D SO LET'S DO A COUPLE OF THINGS TO WRAP THIS UP!! :D

This infection appears to have been cleaned, but I cannot give you any absolute guarantees. As a precaution, I would go ahead and change all of your passwords, as this is especially important after an infection.
    ----------

    The following will implement some cleanup procedures as well as reset System Restore points:

    Click Start > Run and copy/paste the following text into the Run box as shown and click OK.
    Combofix /Uninstall
    (Note: There is a space between the ..X and the /U that needs to be there.)


    ----------

    Any of the logs that you created for use in the forums or remaining tools that have not yet been removed can be deleted so they aren't cluttering up your desktop.

    Here are some tips to reduce the potential for spyware infection in the future:

    1. Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.

    2. Enable Protected Mode in Internet Explorer. This helps Windows Vista users stay more protected from attack by running Internet Explorer with restricted privileges as well as reducing the ability to write, alter or destroy data on your system or install malicious code. To make sure this is running follow these steps:
    • Open Internet Explorer
    • Click on Tools > Internet Options
    • Press Security tab
    • Select Internet zone then place check next to Enable Protected Mode if not already done
    • Do the same for Local Intranet, Trusted Sites and Restricted Sites and then press Apply
    • Restart Internet Explorer and in the bottom right corner of your screen you will see Protected Mode: On showing you it is enabled.

3. Use and update anti-virus software - I cannot overemphasize the need for you to use and update your anti-virus application on a regular basis. With the ever-increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

    4. Firewall
    Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. A tutorial on firewalls can be found here. **There are firewalls listed in this tutorial that could be downloaded and used but I would personally only recommend using one of the following two below:
    Online Armor Free
    Agnitum Outpost Firewall Free

    5. Make sure you keep your Windows OS current. Windows XP users can visit Windows update regularly to download and install any critical updates and service packs. Windows Vista/7 users can open the Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane) to update these systems. Without these you are leaving the back door open.

6. Consider a custom hosts file such as MVPS HOSTS. This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial by WinHelp2002.
    Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.

7. WOT (Web of Trust) As "Googling" is such an integral part of internet life, this free browser add-on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites. WOT has an add-on available for Firefox, Internet Explorer as well as Google Chrome.

8. Finally, I strongly recommend that you read TonyKlein's good advice So how did I get infected in the first place?

    Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.
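As an added example (not the helper's own text or a tool from the thread), this PowerShell script audits the Internet-zone custom-level settings from step 1 and the Protected Mode state from step 2 by reading the per-user IE zone keys, so the reader can confirm the settings took. The numeric action codes (1001, 1004, 1201, 1800, 1804, 1607, 2500) are the documented IE zone action values and are assumed here rather than taken from the post; the script only reports, it changes nothing.

```powershell
# Added example, not from the thread: read-only audit of the IE settings recommended above.
# Assumption: action codes are the documented IE zone "Actions"; 0 = Enable, 1 = Prompt, 3 = Disable.
$zonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$meaning   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Step 1 of the post: Internet zone (zone 3) custom-level settings and their target state.
$wanted = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Expect = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Expect = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Expect = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                             Expect = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Expect = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Expect = 1 }
}

function Get-ZoneValue([int]$Zone, [string]$Action) {
    # Returns the DWORD for one zone action, or $null when the value (or key) is absent,
    # in which case IE falls back to the zone's built-in default.
    $key  = Join-Path $zonesRoot "$Zone"
    $item = Get-ItemProperty -Path $key -Name $Action -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Action
}

Write-Host '== Internet zone (3) custom level =='
foreach ($action in $wanted.Keys) {
    $actual = Get-ZoneValue -Zone 3 -Action $action
    $expect = $wanted[$action].Expect
    $state  = if ($null -eq $actual) { 'not set (zone default)' } else { $meaning[$actual] }
    $verdict = if ($actual -eq $expect) { 'OK' } else { "CHANGE to $($meaning[$expect])" }
    '{0,-5} {1,-62} {2,-24} {3}' -f $action, $wanted[$action].Name, $state, $verdict
}

# Step 2 of the post: Protected Mode (action 2500; 0 = on, 3 = off) in all four zones.
Write-Host "`n== Protected Mode (action 2500) =="
$zoneNames = @{ 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
foreach ($z in 1..4) {
    $actual = Get-ZoneValue -Zone $z -Action '2500'
    $state  = if ($actual -eq 0) { 'On' }
              elseif ($null -eq $actual) { 'not set (zone default)' }
              else { 'Off' }
    '{0,-18} {1}' -f $zoneNames[$z], $state
}
```

Run it in a normal (non-elevated) PowerShell session as the user whose browser you are checking, since the values live under HKCU; a value shown as "not set" means the zone default applies and the dialog in step 1 or 2 has not yet been saved for that setting.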

  9. #19
    Junior Member
    Join Date
    Dec 2011
    Posts
    25

    Default

    Ok, thank you a lot jeff.

I'm looking into MVPS Hosts right now. And I think I don't need to worry about ActiveX since Firefox doesn't support it, right?

    Thanks for all your time again =)

  10. #20
    Emeritus
    Join Date
    Apr 2011
    Location
    USA
    Posts
    1,038

    Default

    I don't need to worry about ActiveX since Firefox doesn't support it right?
    Correct.
    ----------

    You are more than welcome.
