
Thread: Mediashifting Browser Hijacker

  1. #11
    Junior Member | Join Date: Dec 2011 | Location: Dubai | Posts: 20

    Good news, it seems the browser redirections stopped; that is great. Is there a way to know if there is still any malware hidden somewhere? Great job though, it looks as if I do not need to reinstall the OS (phew...)

    Here is the latest ComboFix log:

    ComboFix 11-12-31.02 - marjan 12/31/2011 17:42:59.5.4 - x64
    Microsoft Windows 7 Home Premium 6.1.7600.0.1256.981.1033.18.3959.2030 [GMT 3.5:30]
    Running from: c:\users\marjan\Desktop\ComboFix.exe
    Command switches used :: c:\users\marjan\Desktop\CFScript.txt
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    FILE ::
    "h:\backup\Documents\U1014.exe"
    "h:\backup\Documents\U1016.exe"
    "h:\backup\Documents\U1102.exe"
    "h:\backup\Downloads\Software\2nd\ZoneAlarm Pro 9.3.014.000\Keygen\Keygen.exe"
    "h:\backup\Downloads\Software\2nd\ZoneAlarm Pro 9.3.014.000\Keygen\Keygen.rar"
    "h:\backup\Downloads\Software\3rd\Adobe\Acrobat 9.0 Pro\Crack\Keygen.rar"
    "h:\backup\Downloads\Software\3rd\PDF\Nitro.PDF.Professional.6.1.2.1x86\Keygen-EMBRACE\keygen.exe"
    "h:\backup\Downloads\Software\3rd\PDF\Nitro.PDF.Professional.6.1.2.1x86\Keygen-EMBRACE\keygen.rar"
    "h:\backup\Downloads\Software\4th\IDM\IDM 5.15 Build 5\Crack.rar"
    "h:\backup\Downloads\Software\4th\IDM\IDM 5.15 Build 5\Keygen.exe"
    "h:\backup\Downloads\Software\6th\TextAloud\NextUp TextAloud v2.303\Keygen\keygen.exe"
    "h:\backup\Downloads\Software\6th\TextAloud\NextUp TextAloud v2.303\Keygen\keygen.rar"
    "h:\backup\Downloads\Software\Etc\Convertor\WinAVI_Video_Converter_9.0\keygen.exe"
    "h:\backup\Downloads\Software\Etc\Internet\IDM\_Internet Download Manager.exe"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    h:\backup\Documents\U1014.exe
    h:\backup\Documents\U1016.exe
    h:\backup\Documents\U1102.exe
    h:\backup\Downloads\Software\2nd\ZoneAlarm Pro 9.3.014.000\Keygen\Keygen.exe
    h:\backup\Downloads\Software\2nd\ZoneAlarm Pro 9.3.014.000\Keygen\Keygen.rar
    h:\backup\Downloads\Software\3rd\Adobe\Acrobat 9.0 Pro\Crack\Keygen.rar
    h:\backup\Downloads\Software\3rd\PDF\Nitro.PDF.Professional.6.1.2.1x86\Keygen-EMBRACE\keygen.exe
    h:\backup\Downloads\Software\3rd\PDF\Nitro.PDF.Professional.6.1.2.1x86\Keygen-EMBRACE\keygen.rar
    h:\backup\Downloads\Software\4th\IDM\IDM 5.15 Build 5\Crack.rar
    h:\backup\Downloads\Software\4th\IDM\IDM 5.15 Build 5\Keygen.exe
    h:\backup\Downloads\Software\6th\TextAloud\NextUp TextAloud v2.303\Keygen\keygen.exe
    h:\backup\Downloads\Software\6th\TextAloud\NextUp TextAloud v2.303\Keygen\keygen.rar
    h:\backup\Downloads\Software\Etc\Convertor\WinAVI_Video_Converter_9.0\keygen.exe
    h:\backup\Downloads\Software\Etc\Internet\IDM\_Internet Download Manager.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-31 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-31 14:17 . 2011-12-31 14:17 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-12-31 14:08 . 2011-12-31 14:08 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2B637412-62DD-46BD-AD57-EE928541C0A5}\offreg.dll
    2011-12-30 15:22 . 2011-12-30 15:22 -------- d-----w- c:\users\marjan\AppData\Roaming\Malwarebytes
    2011-12-30 15:22 . 2011-12-30 15:22 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2011-12-30 15:22 . 2011-12-30 15:22 -------- d-----w- c:\programdata\Malwarebytes
    2011-12-30 15:22 . 2011-12-10 11:54 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-12-29 12:26 . 2011-11-29 22:51 8822856 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2B637412-62DD-46BD-AD57-EE928541C0A5}\mpengine.dll
    2011-12-25 08:17 . 2010-03-04 04:40 184832 ----a-w- c:\windows\system32\drivers\usbvideo.sys
    2011-12-25 08:17 . 2010-03-04 04:32 243712 ----a-w- c:\windows\system32\drivers\ks.sys
    2011-12-24 14:11 . 2011-12-24 14:11 -------- d-----w- c:\program files (x86)\Microsoft Security Client
    2011-12-24 14:11 . 2011-12-24 14:11 -------- d-----w- c:\program files\Microsoft Security Client
    2011-12-24 14:10 . 2010-04-09 11:06 374664 ----a-w- c:\windows\system32\drivers\netio.sys
    2011-12-24 14:10 . 2010-04-09 11:06 1898376 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2011-12-24 13:13 . 2011-12-24 13:13 145224 ----a-w- c:\windows\system32\LnkProtect.dll
    2011-12-24 13:12 . 2011-12-24 13:13 -------- d-----w- c:\program files (x86)\SpywareBlaster
    2011-12-24 12:50 . 2011-12-24 12:50 -------- d-----w- c:\program files\HitmanPro
    2011-12-24 12:33 . 2011-09-02 18:59 19936 ----a-w- c:\windows\system32\pwdrvio.sys
    2011-12-24 12:33 . 2011-09-02 18:59 13280 ----a-w- c:\windows\system32\pwdspio.sys
    2011-12-24 12:33 . 2011-09-02 18:59 1002056 ----a-w- c:\windows\system32\pwNative.exe
    2011-12-24 12:33 . 2011-12-24 12:33 -------- d-----w- c:\program files (x86)\MiniTool Partition Wizard Home Edition 7.0
    2011-12-24 12:03 . 2011-12-24 14:13 25160 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
    2011-12-24 12:02 . 2011-12-24 13:13 -------- d-----w- c:\programdata\HitmanPro
    2011-12-23 09:02 . 2011-12-23 09:02 -------- d-----w- C:\ProcAlyzer Dumps
    2011-12-22 15:18 . 2011-12-24 13:11 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2011-12-02 20:09 . 2011-12-02 20:09 -------- d-----w- c:\users\marjan\AppData\Local\AresXZ
    2011-12-02 20:07 . 2011-12-17 18:18 -------- d-----w- c:\users\marjan\AppData\Roaming\LimeRunner
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-12-28_06.17.33 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2009-07-14 04:54 . 2011-12-28 06:17 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-07-14 04:54 . 2011-12-31 14:08 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-07-14 04:54 . 2011-12-31 14:08 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-07-14 04:54 . 2011-12-28 06:17 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-07-14 04:54 . 2011-12-31 14:08 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-07-14 04:54 . 2011-12-28 06:17 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-11-27 00:36 . 2011-12-31 14:10 62964 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 05:10 . 2011-12-31 14:10 36136 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2010-12-20 20:00 . 2011-12-31 14:10 15090 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1262258138-1812289448-2036564788-1003_UserData.bin
    + 2011-01-17 14:57 . 2011-12-31 14:09 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2011-01-17 14:57 . 2011-12-28 05:55 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-07-14 04:46 . 2011-12-28 06:19 80352 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
    + 2011-01-17 14:57 . 2011-12-31 14:09 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2011-01-17 14:57 . 2011-12-28 05:55 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2011-01-17 14:57 . 2011-12-31 14:09 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2011-01-17 14:57 . 2011-12-28 05:55 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2011-01-06 20:06 . 2011-12-31 14:09 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2011-01-06 20:06 . 2011-12-28 05:55 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2011-01-06 20:06 . 2011-12-31 14:09 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2011-01-06 20:06 . 2011-12-28 05:55 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2011-12-28 06:17 . 2011-12-28 06:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2011-12-31 14:08 . 2011-12-31 14:08 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2011-12-31 14:08 . 2011-12-31 14:08 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2011-12-28 06:17 . 2011-12-28 06:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2010-12-22 20:26 . 2011-12-31 14:04 252534 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
    - 2009-07-14 02:36 . 2011-12-24 14:11 667670 c:\windows\system32\perfh009.dat
    + 2009-07-14 02:36 . 2011-12-30 15:31 667670 c:\windows\system32\perfh009.dat
    + 2009-07-14 02:36 . 2011-12-30 15:31 126960 c:\windows\system32\perfc009.dat
    - 2009-07-14 02:36 . 2011-12-24 14:11 126960 c:\windows\system32\perfc009.dat
    + 2010-12-21 05:56 . 2011-12-31 14:10 147456 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2010-12-21 05:56 . 2011-12-28 06:18 147456 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-07-14 04:54 . 2011-12-28 05:57 278528 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-07-14 04:54 . 2011-12-31 14:10 278528 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-07-14 05:01 . 2011-12-28 06:16 465188 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2009-07-14 05:01 . 2011-12-28 11:25 465188 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2009-07-14 02:34 . 2011-12-31 09:46 9437184 c:\windows\system32\SMI\Store\Machine\schema.dat
    - 2009-07-14 02:34 . 2011-12-28 06:10 9437184 c:\windows\system32\SMI\Store\Machine\schema.dat
    + 2010-12-21 05:56 . 2011-12-31 14:10 3031040 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2010-12-21 05:56 . 2011-12-28 05:57 3031040 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2011-01-06 12:08 . 2011-12-28 06:16 6236988 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1262258138-1812289448-2036564788-1003-12288.dat
    + 2011-01-06 12:08 . 2011-12-28 11:25 6236988 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1262258138-1812289448-2036564788-1003-12288.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Messenger (Yahoo!)"="c:\program files (x86)\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]
    "Elbserver"="c:\program files (x86)\Sony\Media Gallery\ElbServer.exe" [2009-10-15 72192]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2009-10-02 284696]
    "ISBMgr.exe"="c:\program files (x86)\Sony\ISB Utility\ISBMgr.exe" [2009-08-27 320880]
    "PMBVolumeWatcher"="c:\program files (x86)\Sony\PMB\PMBVolumeWatcher.exe" [2009-10-24 597792]
    "GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
    "SHTtray.exe"="c:\program files (x86)\Common Files\Sony Shared\SOHLib\SHTtray.exe" [2009-10-16 99624]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-9-5 1081632]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "HideSCAHealth"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
    2009-12-01 03:20 98304 ----a-w- c:\windows\System32\VESWinlogon.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]
    "<NO NAME>"=
    "Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
    "UpdateReminder"=c:\program files (x86)\Eset\UpdateReminder.exe
    "NortonOnlineBackupReminder"="c:\program files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED
    .
    R2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files (x86)\Roxio\Digital Home 10\RoxioUpnpService10.exe [2009-08-31 362992]
    R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [x]
    R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
    R3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro36.sys [x]
    R3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
    R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
    R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [x]
    R3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [x]
    R3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [x]
    R3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files (x86)\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [2009-08-31 313840]
    R3 SampleCollector;Intel(R) Sample Collector;c:\program files\Sony\VAIO Care\collsvc.exe [2009-09-17 167424]
    R3 Secunia PSI Agent;Secunia PSI Agent;c:\program files (x86)\Secunia\PSI\PSIA.exe [2011-10-14 994360]
    R3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper64.exe [2009-09-09 110960]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
    S0 shpf;Sony HDD Protection Filter Driver;c:\windows\system32\DRIVERS\shpf.sys [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
    S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2009-10-02 13336]
    S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-24 652872]
    S2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe [2009-10-24 360224]
    S2 rimspci;rimspci;c:\windows\system32\drivers\rimssne64.sys [x]
    S2 risdsnpe;risdsnpe;c:\windows\system32\drivers\risdsne64.sys [x]
    S2 SOHCImp;VAIO Media plus Content Importer;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHCImp.exe [2009-10-16 120104]
    S2 SOHDBSvr;VAIO Media plus Database Manager;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHDBSvr.exe [2009-10-16 70952]
    S2 SOHDms;VAIO Media plus Digital Media Server;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHDms.exe [2009-10-16 427304]
    S2 SOHDs;VAIO Media plus Device Searcher;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHDs.exe [2009-10-16 75048]
    S2 SOHPlMgr;VAIO Media plus Playlist Manager;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHPlMgr.exe [2009-10-16 91432]
    S2 TeamViewer6;TeamViewer 6;c:\program files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2011-11-03 2358656]
    S2 uCamMonitor;CamMonitor;c:\program files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe [2008-09-18 104960]
    S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2009-10-01 2314240]
    S2 VCFw;VAIO Content Folder Watcher;c:\program files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe [2009-09-15 642416]
    S2 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [2009-09-16 480624]
    S2 VcmINSMgr;VAIO Content Metadata Intelligent Network Service Manager;c:\program files\Sony\VCM Intelligent Network Service Manager\VcmINSMgr.exe [2009-09-02 361840]
    S2 VSNService;VSNService;c:\program files\Sony\VAIO Smart Network\VSNService.exe [2009-11-26 821760]
    S3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\DRIVERS\ArcSoftKsUFilter.sys [x]
    S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\drivers\HECIx64.sys [x]
    S3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [x]
    S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x64.sys [x]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
    S3 NETw5s64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [x]
    S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
    S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\drivers\SFEP.sys [x]
    S3 VAIO Power Management;VAIO Power Management;c:\program files\Sony\VAIO Power Management\SPMService.exe [2009-12-01 571248]
    S3 VUAgent;VUAgent;c:\program files\Sony\VAIO Update Common\VUAgent.exe [2011-10-27 1429608]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
    .
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-02 16395880]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-12-07 9636896]
    "SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.google.com/
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = 127.0.0.1
    IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\Office12\EXCEL.EXE/3000
    IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    TCP: DhcpNameServer = 192.168.0.1
    .
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\SampleCollector]
    "ImagePath"="\"c:\program files\Sony\VAIO Care\collsvc.exe\" \"/service\" \"/counter=\Processor(_Total)\% Processor Time:5\" \"/counter=\PhysicalDisk(_Total)\Disk Bytes/sec:5\" \"/counter=\Network Interface(*)\Bytes Total/sec:5\" \"/directory=inteldata\""
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\SetID\Internal]
    @Denied: (A 2) (LocalSystem)
    "DATA"="<settings expireTime=\"0\" productStatus=\"1\" obSize=\"0\" InstallTS=\"2145870353\" isSubsc=\"0\" version=\"12.0.1\" timeDiff=\"1\" oldDevice=\"\" authStatus_ts=\"0\" />"
    "Device"="yM29zbvPzMnLvrm+x8fPzce+zro="
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10u_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10u_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2011-12-31 17:49:13
    ComboFix-quarantined-files.txt 2011-12-31 14:19
    ComboFix2.txt 2011-12-30 15:20
    ComboFix3.txt 2011-12-29 05:38
    ComboFix4.txt 2011-12-28 06:21
    .
    Pre-Run: 27,492,491,264 bytes free
    Post-Run: 27,446,210,560 bytes free
    .
    - - End Of File - - 6F13AED2C369C0D3E20BB9D435285549

  2. #12
    Emeritus | Join Date: Apr 2011 | Location: USA | Posts: 1,038

    Hi sruefer,

    I am glad to hear things are running better.
    ----------

    Is there a way to know if there is still any malware hidden somewhere?
    I can't give any absolute guarantees, but the logs that are being shown now are not showing anything; plus, your symptoms not being around any longer is good.
    -----------


    You have an older version of Adobe Reader. You can download the current version HERE.

    You may want to consider Foxit Reader instead. It may be a bit lighter on resources.

    Visit their support forum
    Foxit Forum

    In either case you should uninstall Adobe Reader 9.4.6 first. Be sure to move any PDF documents to another folder first though.
    ----------

    Please download JavaRa to your desktop and unzip it to its own folder.
    • Run JavaRa.exe (double-click for XP/right-click and Run as Administrator for Vista), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Open JavaRa.exe (double-click for XP/right-click and Run as Administrator for Vista) again and select Search For Updates.
    • Select Update Using Sun Java's Website, then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

    ----------

    Please run a new scan with DDS and post both of the logs that are created into your next reply.

  3. #13
    Junior Member | Join Date: Dec 2011 | Location: Dubai | Posts: 20

    I uninstalled Adobe Reader, without installing a newer version or an alternative so far. Also, I removed the old JRE, but downloading the new one for some reason takes a very long time, so I have not done it yet.
    I updated MSE and ran a full scan, and I got a message about potential threats. I attached a screenshot; I did not do anything else so far.

  4. #14
    Emeritus | Join Date: Apr 2011 | Location: USA | Posts: 1,038

    Hi sruefer,

    I got a message of potential threats. I attached a screenshot; I did not do anything else so far.
    Those are actually already quarantined in ComboFix and will be removed when we uninstall ComboFix itself. Good lookin out though.
    -------------

    Sometimes it can take some time to download and install Java, especially when you are removing all other parts of it.

    When you get that done be sure to run DDS and post both of the logs into your next reply.

  5. #15
    Junior Member | Join Date: Dec 2011 | Location: Dubai | Posts: 20

    Hi Jeff,

    DDS log below, and the attach.txt log is attached as a zip. How does it look?

    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_18
    Run by marjan at 17:51:17 on 2012-01-01
    Microsoft Windows 7 Home Premium 6.1.7600.0.1256.981.1033.18.3959.2225 [GMT 3.5:30]
    .
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\WLANExt.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Program Files (x86)\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Intel\WiFi\bin\EvtEng.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    c:\Program Files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Sony\VAIO Gate\VAIO Gate.exe
    C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
    C:\Program Files\Sony\VAIO Care\VAIOCareService.exe
    C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHDBSvr.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe
    C:\Program Files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe
    C:\Program Files (x86)\SONY\VAIO Event Service\VESMgr.exe
    C:\Program Files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe
    C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe
    C:\Program Files\Sony\VCM Intelligent Network Service Manager\VcmINSMgr.exe
    C:\Program Files\Sony\VAIO Smart Network\VSNService.exe
    C:\Program Files (x86)\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
    C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHDms.exe
    C:\Program Files\Sony\VAIO Smart Network\VSNClient.exe
    C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHDs.exe
    C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHPlMgr.exe
    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
    C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHCImp.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files (x86)\SONY\Media Gallery\ElbServer.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files (x86)\TeamViewer\Version6\TeamViewer.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Sony\VAIO Power Management\SPMService.exe
    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
    C:\Program Files (x86)\SONY\ISB Utility\ISBMgr.exe
    C:\Program Files (x86)\SONY\PMB\PMBVolumeWatcher.exe
    C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SHTtray.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Program Files (x86)\SONY\VAIO Event Service\VESMgrSub.exe
    C:\Program Files\Sony\VAIO Care\VCsystray.exe
    C:\Program Files\Sony\VAIO Update 5\VAIOUpdt.exe
    C:\Program Files\Sony\VAIO Update Common\VUAgent.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\msiexec.exe
    C:\Windows\system32\vssvc.exe
    C:\Windows\System32\svchost.exe -k swprv
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = 127.0.0.1
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~4\Office12\GR469A~1.DLL
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: QUICKfind BHO Object: {c08df07a-3e49-4e25-9ab0-d3882835f153} - C:\PROGRA~2\IDM\QUICKF~1\PlugIns\IEHelp.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
    uRun: [Elbserver] C:\Program Files (x86)\Sony\Media Gallery\ElbServer.exe /Stay
    mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
    mRun: [ISBMgr.exe] "C:\Program Files (x86)\Sony\ISB Utility\ISBMgr.exe"
    mRun: [PMBVolumeWatcher] c:\Program Files (x86)\Sony\PMB\PMBVolumeWatcher.exe
    mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
    mRun: [SHTtray.exe] C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SHTtray.exe
    mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files (x86)\WIDCOMM\Bluetooth Software\BTTray.exe
    mPolicies-explorer: HideSCAHealth = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~4\Office12\EXCEL.EXE/3000
    IE: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~4\Office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~4\Office12\REFIEBAR.DLL
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0017-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab
    TCP: DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{8B2AE300-2433-4536-A446-71F6F6147159} : DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{8E7545A4-4DFB-47CC-8F6D-6A135714B9EF} : DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{8E7545A4-4DFB-47CC-8F6D-6A135714B9EF}\353514F575966496 : DhcpNameServer = 192.168.2.1
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~2\MICROS~4\Office12\GRA32A~1.DLL
    Notify: VESWinlogon - VESWinlogon.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~4\Office12\GR469A~1.DLL
    BHO-X64: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
    BHO-X64: Search Helper - No File
    BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~4\Office12\GR469A~1.DLL
    BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO-X64: QUICKfind BHO Object: {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~2\IDM\QUICKF~1\PlugIns\IEHelp.dll
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
    BHO-X64: Windows Live Toolbar Helper: {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
    TB-X64: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
    mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
    mRun-x64: [ISBMgr.exe] "C:\Program Files (x86)\Sony\ISB Utility\ISBMgr.exe"
    mRun-x64: [PMBVolumeWatcher] c:\Program Files (x86)\Sony\PMB\PMBVolumeWatcher.exe
    mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
    mRun-x64: [SHTtray.exe] C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SHTtray.exe
    mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~4\Office12\GR469A~1.DLL
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
    R0 shpf;Sony HDD Protection Filter Driver;C:\Windows\system32\DRIVERS\shpf.sys --> C:\Windows\system32\DRIVERS\shpf.sys [?]
    R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
    R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
    R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2009-11-27 13336]
    R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-30 652872]
    R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;C:\Program Files (x86)\SONY\PMB\PMBDeviceInfoProvider.exe [2009-10-24 360224]
    R2 rimspci;rimspci;C:\Windows\system32\drivers\rimssne64.sys --> C:\Windows\system32\drivers\rimssne64.sys [?]
    R2 risdsnpe;risdsnpe;C:\Windows\system32\drivers\risdsne64.sys --> C:\Windows\system32\drivers\risdsne64.sys [?]
    R2 SOHCImp;VAIO Media plus Content Importer;C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHCImp.exe [2010-12-21 120104]
    R2 SOHDBSvr;VAIO Media plus Database Manager;C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHDBSvr.exe [2010-12-21 70952]
    R2 SOHDms;VAIO Media plus Digital Media Server;C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHDms.exe [2010-12-21 427304]
    R2 SOHDs;VAIO Media plus Device Searcher;C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHDs.exe [2010-12-21 75048]
    R2 SOHPlMgr;VAIO Media plus Playlist Manager;C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHPlMgr.exe [2010-12-21 91432]
    R2 TeamViewer6;TeamViewer 6;C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2011-11-25 2358656]
    R2 uCamMonitor;CamMonitor;C:\Program Files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe [2010-12-21 104960]
    R2 UNS;Intel(R) Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2009-11-27 2314240]
    R2 VCFw;VAIO Content Folder Watcher;C:\Program Files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe [2009-9-15 642416]
    R2 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [2010-12-21 480624]
    R2 VcmINSMgr;VAIO Content Metadata Intelligent Network Service Manager;C:\Program Files\Sony\VCM Intelligent Network Service Manager\VcmINSMgr.exe [2010-12-21 361840]
    R2 VSNService;VSNService;C:\Program Files\Sony\VAIO Smart Network\VSNService.exe [2010-12-21 821760]
    R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;C:\Windows\system32\DRIVERS\ArcSoftKsUFilter.sys --> C:\Windows\system32\DRIVERS\ArcSoftKsUFilter.sys [?]
    R3 HECIx64;Intel(R) Management Engine Interface;C:\Windows\system32\drivers\HECIx64.sys --> C:\Windows\system32\drivers\HECIx64.sys [?]
    R3 Impcd;Impcd;C:\Windows\system32\drivers\Impcd.sys --> C:\Windows\system32\drivers\Impcd.sys [?]
    R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller (NDIS 6.20);C:\Windows\system32\DRIVERS\L1C62x64.sys --> C:\Windows\system32\DRIVERS\L1C62x64.sys [?]
    R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
    R3 NETw5s64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\system32\DRIVERS\NETw5s64.sys --> C:\Windows\system32\DRIVERS\NETw5s64.sys [?]
    R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
    R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
    R3 SFEP;Sony Firmware Extension Parser;C:\Windows\system32\drivers\SFEP.sys --> C:\Windows\system32\drivers\SFEP.sys [?]
    R3 VAIO Power Management;VAIO Power Management;C:\Program Files\Sony\VAIO Power Management\SPMService.exe [2010-12-21 571248]
    R3 VUAgent;VUAgent;C:\Program Files\Sony\VAIO Update Common\VUAgent.exe [2011-10-27 1429608]
    R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
    S2 Roxio Upnp Server 10;Roxio Upnp Server 10;C:\Program Files (x86)\Roxio\Digital Home 10\RoxioUpnpService10.exe [2009-8-31 362992]
    S3 btusbflt;Bluetooth USB Filter;C:\Windows\system32\drivers\btusbflt.sys --> C:\Windows\system32\drivers\btusbflt.sys [?]
    S3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\system32\DRIVERS\btwl2cap.sys --> C:\Windows\system32\DRIVERS\btwl2cap.sys [?]
    S3 hitmanpro35;Hitman Pro 3.5 Support Driver;\??\C:\Windows\system32\drivers\hitmanpro36.sys --> C:\Windows\system32\drivers\hitmanpro36.sys [?]
    S3 IntcDAud;Intel(R) Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]
    S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
    S3 PSI;PSI;C:\Windows\system32\DRIVERS\psi_mf.sys --> C:\Windows\system32\DRIVERS\psi_mf.sys [?]
    S3 pwdrvio;pwdrvio;\??\C:\Windows\system32\pwdrvio.sys --> C:\Windows\system32\pwdrvio.sys [?]
    S3 pwdspio;pwdspio;\??\C:\Windows\system32\pwdspio.sys --> C:\Windows\system32\pwdspio.sys [?]
    S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;C:\Program Files (x86)\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [2009-8-31 313840]
    S3 SampleCollector;Intel(R) Sample Collector;C:\Program Files\Sony\VAIO Care\collsvc.exe [2010-12-21 167424]
    S3 Secunia PSI Agent;Secunia PSI Agent;C:\Program Files (x86)\Secunia\PSI\psia.exe [2011-10-14 994360]
    S3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;C:\Program Files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper64.exe [2010-12-21 110960]
    .
    =============== Created Last 30 ================
    .
    2012-01-01 14:19:37 637848 ----a-w- C:\Windows\SysWow64\npdeployJava1.dll
    2012-01-01 14:19:37 567184 ----a-w- C:\Windows\SysWow64\deployJava1.dll
    2011-12-31 22:07:58 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{52FA524D-4703-48C6-8620-2427BBE4BD27}\offreg.dll
    2011-12-31 22:07:54 8822856 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{52FA524D-4703-48C6-8620-2427BBE4BD27}\mpengine.dll
    2011-12-31 15:24:34 917840 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{BB6AAA81-69DC-46C0-9B53-07F305EB5388}\gapaengine.dll
    2011-12-31 15:24:34 8822856 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2011-12-31 14:39:10 -------- d-sh--w- C:\$RECYCLE.BIN
    2011-12-30 15:22:19 -------- d-----w- C:\Users\marjan\AppData\Roaming\Malwarebytes
    2011-12-30 15:22:04 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2011-12-30 15:22:04 -------- d-----w- C:\ProgramData\Malwarebytes
    2011-12-30 15:22:04 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2011-12-28 06:11:25 98816 ----a-w- C:\Windows\sed.exe
    2011-12-28 06:11:25 518144 ----a-w- C:\Windows\SWREG.exe
    2011-12-28 06:11:25 256000 ----a-w- C:\Windows\PEV.exe
    2011-12-28 06:11:25 208896 ----a-w- C:\Windows\MBR.exe
    2011-12-25 08:17:31 243712 ----a-w- C:\Windows\System32\drivers\ks.sys
    2011-12-25 08:17:31 184832 ----a-w- C:\Windows\System32\drivers\usbvideo.sys
    2011-12-24 14:11:16 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
    2011-12-24 14:11:09 -------- d-----w- C:\Program Files\Microsoft Security Client
    2011-12-24 14:10:58 374664 ----a-w- C:\Windows\System32\drivers\netio.sys
    2011-12-24 14:10:57 1898376 ----a-w- C:\Windows\System32\drivers\tcpip.sys
    2011-12-24 13:13:47 145224 ----a-w- C:\Windows\System32\LnkProtect.dll
    2011-12-24 13:12:53 -------- d-----w- C:\Program Files (x86)\SpywareBlaster
    2011-12-24 12:50:00 -------- d-----w- C:\Program Files\HitmanPro
    2011-12-24 12:33:43 19936 ----a-w- C:\Windows\System32\pwdrvio.sys
    2011-12-24 12:33:43 13280 ----a-w- C:\Windows\System32\pwdspio.sys
    2011-12-24 12:33:43 1002056 ----a-w- C:\Windows\System32\pwNative.exe
    2011-12-24 12:33:33 -------- d-----w- C:\Program Files (x86)\MiniTool Partition Wizard Home Edition 7.0
    2011-12-24 12:03:54 25160 ----a-w- C:\Windows\System32\drivers\hitmanpro36.sys
    2011-12-24 12:02:49 -------- d-----w- C:\ProgramData\HitmanPro
    2011-12-23 09:02:48 -------- d-----w- C:\ProcAlyzer Dumps
    2011-12-22 15:18:57 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
    2011-12-02 20:09:21 -------- d-----w- C:\Users\marjan\AppData\Local\AresXZ
    2011-12-02 20:07:12 -------- d-----w- C:\Users\marjan\AppData\Roaming\LimeRunner
    .
    ==================== Find3M ====================
    .
    .
    ============= FINISH: 17:51:46.50 ===============

  6. #16
    Junior Member
    Join Date
    Dec 2011
    Location
    Dubai
    Posts
    20

    Default

    Another thing I noticed: when I want to set the Windows Firewall to its default setting, it comes up with an error message, saying:

    "Windows Firewall can't change some of your settings: Error code 0x80070424"

    Not sure if that is because of the Trojans or if it has some other reason :(

  7. #17
    Emeritus
    Join Date
    Apr 2011
    Location
    USA
    Posts
    1,038

    Default

    Hi,

    Happy New Year!

    This was a really bad infection that you had so there could be something still lurking. Run ESET again and see what comes up. Post the new ESET log into your next reply.

  8. #18
    Junior Member
    Join Date
    Dec 2011
    Location
    Dubai
    Posts
    20

    Default

    Happy New Year, too. I kind of forgot.

    ESET Log:


    C:\Qoobox\Quarantine\H\av4.zip multiple threats
    C:\Qoobox\Quarantine\H\Backup\Documents\U1014.exe.vir a variant of Win32/Packed.Themida application
    C:\Qoobox\Quarantine\H\Backup\Downloads\Software\2nd\ZoneAlarm Pro 9.3.014.000\Keygen\Keygen.exe.vir a variant of Win32/Keygen.BJ application
    C:\Qoobox\Quarantine\H\Backup\Downloads\Software\2nd\ZoneAlarm Pro 9.3.014.000\Keygen\Keygen.rar.vir a variant of Win32/Keygen.BJ application
    C:\Qoobox\Quarantine\H\Backup\Downloads\Software\3rd\Adobe\Acrobat 9.0 Pro\Crack\Keygen.rar.vir probably a variant of Win32/Agent.DQPHVKD trojan
    C:\Qoobox\Quarantine\H\Backup\Downloads\Software\3rd\PDF\Nitro.PDF.Professional.6.1.2.1x86\Keygen-EMBRACE\keygen.exe.vir a variant of Win32/Keygen.BK application
    C:\Qoobox\Quarantine\H\Backup\Downloads\Software\3rd\PDF\Nitro.PDF.Professional.6.1.2.1x86\Keygen-EMBRACE\keygen.rar.vir a variant of Win32/Keygen.BK application
    C:\Qoobox\Quarantine\H\Backup\Downloads\Software\4th\IDM\IDM 5.15 Build 5\Crack.rar.vir a variant of Win32/Keygen.AS application
    C:\Qoobox\Quarantine\H\Backup\Downloads\Software\4th\IDM\IDM 5.15 Build 5\Keygen.exe.vir a variant of Win32/Keygen.AS application
    C:\Qoobox\Quarantine\H\Backup\Downloads\Software\6th\TextAloud\NextUp TextAloud v2.303\Keygen\keygen.exe.vir a variant of Win32/Keygen.AM application
    C:\Qoobox\Quarantine\H\Backup\Downloads\Software\6th\TextAloud\NextUp TextAloud v2.303\Keygen\keygen.rar.vir a variant of Win32/Keygen.AM application
    C:\Qoobox\Quarantine\H\Backup\Downloads\Software\Etc\Internet\IDM\_Internet Download Manager.exe.vir probably a variant of Win32/Agent.MRTOEKM trojan

  9. #19
    Emeritus
    Join Date
    Apr 2011
    Location
    USA
    Posts
    1,038

    Default

    Hi,

    ESET looks good.

    Please go here and follow the instructions provided and see if that helps. I don't think that this is malware related but maybe an effect of what has happened on the system because of it.

    Let me know if that fixed it. If not there are other things we can try.

  10. #20
    Junior Member
    Join Date
    Dec 2011
    Location
    Dubai
    Posts
    20

    Default

    Hi Jeff,

    No, the Firewall seems to be bust. I also tried the instructions from:

    http://support.microsoft.com/kb/2530126

    which includes running a repair.bat file, but still the same issue. Maybe the malware changed something in the Windows registry concerning the firewall service, but I do not know enough about it to check.

    Alternatively, I would install a third-party firewall instead.

    MSE keeps complaining about the quarantined files, should I delete its folder?
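
    The check the poster says they do not know how to do, as an added example that is not code posted in this thread: error 0x80070424 is HRESULT_FROM_WIN32(1060), ERROR_SERVICE_DOES_NOT_EXIST, so the first thing to verify is whether the Windows Firewall service (MpsSvc) and the Base Filtering Engine (BFE) it depends on are still registered and still have their default Start values. The same read-only script also reports the UAC policy values that the ComboFix "mPolicies-system" lines above show as zeroed (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop), comparing them with the Windows 7 defaults. It assumes Windows 7 or later and an elevated PowerShell prompt; the service names, registry paths and default values are standard Windows ones, and the "expected start" values are the assumptions stated in the comments.

```powershell
# Added example, not code from this thread. Read-only diagnostic for two things
# visible in the posts above: firewall error 0x80070424 and the UAC policy
# values ComboFix listed under mPolicies-system.
# Assumes Windows 7 or later and an elevated prompt. Written to run on
# PowerShell 2.0 as well, so StartMode is read through WMI rather than the
# newer Get-Service StartType property.

# 0x80070424 = HRESULT_FROM_WIN32(1060) = ERROR_SERVICE_DOES_NOT_EXIST:
# the firewall service, or the BFE service it depends on, is not registered.
# Registry Start values: 2 = Automatic, 3 = Manual, 4 = Disabled.
# ExpectedStart (2, Automatic) is the Windows 7 default for both services.
$firewallServices = @(
    @{ Name = 'MpsSvc'; Display = 'Windows Firewall';      ExpectedStart = 2 },
    @{ Name = 'BFE';    Display = 'Base Filtering Engine'; ExpectedStart = 2 }
)

$findings = @()

foreach ($svc in $firewallServices) {
    $regKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$($svc.Name)'"

    if ($null -eq $wmi) {
        # No service object at all: this by itself produces 0x80070424.
        $findings += "MISSING  service $($svc.Name) ($($svc.Display)) is not registered with the service control manager"
    } else {
        $findings += "present  service $($svc.Name): State=$($wmi.State) StartMode=$($wmi.StartMode)"
    }

    if (-not (Test-Path $regKey)) {
        $findings += "MISSING  registry key $regKey"
    } else {
        $start = (Get-ItemProperty -Path $regKey -Name Start -ErrorAction SilentlyContinue).Start
        if ($start -ne $svc.ExpectedStart) {
            $findings += "CHANGED  $regKey\Start = $start (default $($svc.ExpectedStart))"
        }
    }
}

# UAC policy values. The ComboFix log above shows EnableLUA = 0,
# ConsentPromptBehaviorAdmin = 0 and PromptOnSecureDesktop = 0, i.e. UAC is
# switched off on this machine. The values below are the Windows 7 defaults.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uacDefaults = @{
    EnableLUA                  = 1
    ConsentPromptBehaviorAdmin = 5
    PromptOnSecureDesktop      = 1
}
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
foreach ($name in $uacDefaults.Keys) {
    $current = $policy.$name
    if ($current -ne $uacDefaults[$name]) {
        $findings += "CHANGED  $policyKey\$name = $current (default $($uacDefaults[$name]))"
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No deviations found in firewall services or UAC policy."
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

    Run it from an elevated PowerShell prompt. A "MISSING service MpsSvc" or "MISSING service BFE" line confirms that the 0x80070424 error comes from a deleted service rather than from a setting, which is the case the Microsoft article linked in the post above (kb/2530126) is meant to repair; the UAC lines are worth restoring to their defaults once the cleanup is finished, because with EnableLUA = 0 every program the user starts already runs with full administrator rights.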
