
Thread: Infected Computer

  1. #1
    Junior Member (Join Date: Nov 2012, Posts: 20)

    Infected Computer

    Hello,
    I've recently started having constant alerts from my Avast antivirus saying it has blocked an attempt to connect to a harmful website. It seems to rotate between three different URLs. I ran my virus scan on bootup and it found a couple of files on my secondary drive that it said were infected, which I removed. I also ran Spybot, which picked up one called Smitfraud-c and eight called SelectionLinks. I also ran Malwarebytes, which found several files relating to something called funmoods, as well as some svhosts, and a trojan.agent file and memory process that it says it will delete on reboot. However, after reboot, they are still there each time I scan. Everything else seems to be gone, but I continue to get the alerts from my antivirus. Searching for smitfraud-c led me to this thread, which sounds similar to my issue: http://forums.spybot.info/showthread.php?t=65510

    I have a jpg of the avast alert if needed. I have my primary HDD, a secondary HDD, and an external HDD.

    I have run ERUNT, and here is the DDS and aswMBR reports:

    DDS (Ver_2012-11-20.01) - NTFS_AMD64
    Internet Explorer: 9.0.8112.16455 BrowserJavaVersion: 10.7.2
    Run by Triode at 21:13:49 on 2012-11-26
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.6141.3968 [GMT -7:00]
    .
    AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\atieclxx.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
    C:\Windows\SysWOW64\PnkBstrA.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    C:\Windows\SysWOW64\rundll32.exe
    C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe
    C:\Program Files\AVAST Software\Avast\AvastUI.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files (x86)\Razer\DeathAdder\razertra.exe
    C:\Program Files (x86)\Razer\DeathAdder\razerofa.exe
    C:\Program Files (x86)\Razer\DeathAdder\vdDaemon.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
    \\.\globalroot\systemroot\svchost.exe -netsvcs
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
    C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_110.exe
    C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_110.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\System32\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    mWinlogon: Userinit = userinit.exe,
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
    BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    BHO: {9194649F-7143-4308-90C1-D6A35B0E354E} - <orphaned>
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
    TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    mRun: [DeathAdder] C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe
    mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    mPolicies-Explorer: NoActiveDesktop = dword:1
    mPolicies-Explorer: NoActiveDesktopChanges = dword:1
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableLUA = dword:0
    mPolicies-System: EnableUIADesktopToggle = dword:0
    mPolicies-System: PromptOnSecureDesktop = dword:0
    .
    INFO: HKCU has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    .
    INFO: HKLM has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
    TCP: NameServer = 192.168.1.1
    TCP: Interfaces\{29206791-C83A-43F8-91B4-E93E2DA740D6} : DHCPNameServer = 69.145.248.4 69.146.17.2 69.144.49.29
    TCP: Interfaces\{83DE6050-B21D-42E2-99B8-E9B053DD378C} : DHCPNameServer = 192.168.1.1
    SSODL: WebCheck - <orphaned>
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
    x64-BHO: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
    x64-BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
    x64-BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
    x64-TB: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
    x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
    x64-Run: [CmPCIaudio] C:\Windows\syswow64\RunDll32.exe C:\Windows\Syswow64\CMICNFG3.cpl,CMICtrlWnd
    .
    INFO: x64-HKLM has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    x64-SSODL: WebCheck - <orphaned>
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\Triode\AppData\Roaming\Mozilla\Firefox\Profiles\xy2e13bl.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
    FF - plugin: C:\Program Files (x86)\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin10171.dll
    FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
    FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_110.dll
    FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
    FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: extensions.funmoods.hmpg - false
    FF - user.js: extensions.funmoods.hmpgUrl - hxxp://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzutAtN2Y1L1QzutDtDtByEtC0DtCtD0Bzyzy0FyDtCzzyDtN0D0TzutBtDtCtBtDyCtCtC&cr=775541920
    FF - user.js: extensions.funmoods.dfltSrch - false
    FF - user.js: extensions.funmoods.srchPrvdr - Search
    FF - user.js: extensions.funmoods.dnsErr - true
    FF - user.js: extensions.funmoods_i.newTab - false
    FF - user.js: extensions.funmoods.newTabUrl - hxxp://start.funmoods.com/?f=2&a=adknlg&chnl=adknlg&cd=2XzutAtN2Y1L1QzutDtDtByEtC0DtCtD0Bzyzy0FyDtCzzyDtN0D0TzutBtDtCtBtDyCtCtC&cr=775541920
    FF - user.js: extensions.funmoods.tlbrSrchUrl -
    FF - user.js: extensions.funmoods.id - 5e8d518500000000000000241d10b99d
    FF - user.js: extensions.funmoods.instlDay - 15502
    FF - user.js: extensions.funmoods.vrsn - 1.5.23.22
    FF - user.js: extensions.funmoods.vrsni - 1.5.23.22
    FF - user.js: extensions.funmoods_i.vrsnTs - 1.5.23.2217:55:58
    FF - user.js: extensions.funmoods.prtnrId - funmoods
    FF - user.js: extensions.funmoods.prdct - funmoods
    FF - user.js: extensions.funmoods.aflt - adknlg
    FF - user.js: extensions.funmoods_i.smplGrp - none
    FF - user.js: extensions.funmoods.tlbrId - base
    FF - user.js: extensions.funmoods.instlRef - adknlg
    FF - user.js: extensions.funmoods.dfltLng -
    FF - user.js: extensions.funmoods.excTlbr - false
    FF - user.js: extensions.funmoods.autoRvrt - false
    FF - user.js: extensions.funmoods.envrmnt - production
    FF - user.js: extensions.funmoods.isdcmntcmplt - true
    FF - user.js: extensions.funmoods.mntrvrsn - 1.3.0
    user_pref('extensions.autoDisableScopes', 0);user_pref('security.csp.enable', false);user_pref('security.OCSP.enabled', 0);
    ============= SERVICES / DRIVERS ===============
    .
    R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2011-7-23 984144]
    R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2011-7-23 370288]
    R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\System32\drivers\dtsoftbus01.sys [2011-11-29 279616]
    R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2012-7-27 239616]
    R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2011-7-23 25232]
    R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2011-7-23 71600]
    R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2012-11-26 44808]
    R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2012-5-13 96896]
    R3 danewFltr;NewDeathAdder Mouse;C:\Windows\System32\drivers\danew.sys [2011-7-23 12032]
    R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-7-23 239616]
    R3 VKbms;Virtual HID Minidriver;C:\Windows\System32\drivers\VKbms.sys [2011-7-23 13312]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-4-12 71168]
    S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
    S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
    S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-7-9 52736]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-7-23 1255736]
    .
    =============== Created Last 30 ================
    .
    2012-11-27 03:46:09 20480 ----a-w- C:\Windows\svchost.exe
    2012-11-27 03:33:08 -------- d-----w- C:\Users\Triode\AppData\Roaming\Malwarebytes
    2012-11-27 03:32:54 -------- d-----w- C:\ProgramData\Malwarebytes
    2012-11-27 03:32:53 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2012-11-27 03:32:53 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-11-24 02:09:08 9125352 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{53F3DCBB-EA16-4878-AF02-57B51614C0F4}\mpengine.dll
    2012-11-18 06:06:20 159744 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin7.dll
    2012-11-18 06:04:58 33240 ----a-w- C:\Windows\System32\drivers\GEARAspiWDM.sys
    2012-11-18 06:04:23 -------- d-----w- C:\Program Files\iPod
    2012-11-18 06:04:21 -------- d-----w- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
    2012-11-18 06:04:21 -------- d-----w- C:\Program Files\iTunes
    2012-11-18 06:04:21 -------- d-----w- C:\Program Files (x86)\iTunes
    2012-11-14 14:23:29 9728 ----a-w- C:\Windows\System32\Wdfres.dll
    2012-11-14 14:23:29 785512 ----a-w- C:\Windows\System32\drivers\Wdf01000.sys
    2012-11-14 14:23:29 54376 ----a-w- C:\Windows\System32\drivers\WdfLdr.sys
    2012-11-14 14:23:29 2560 ----a-w- C:\Windows\System32\drivers\en-US\wdf01000.sys.mui
    2012-11-14 14:17:50 87040 ----a-w- C:\Windows\System32\drivers\WUDFPf.sys
    2012-11-14 14:17:50 198656 ----a-w- C:\Windows\System32\drivers\WUDFRd.sys
    2012-11-14 14:17:46 84992 ----a-w- C:\Windows\System32\WUDFSvc.dll
    2012-11-14 14:17:46 194048 ----a-w- C:\Windows\System32\WUDFPlatform.dll
    2012-11-14 14:17:44 744448 ----a-w- C:\Windows\System32\WUDFx.dll
    2012-11-14 14:17:44 45056 ----a-w- C:\Windows\System32\WUDFCoinstaller.dll
    2012-11-14 14:17:44 229888 ----a-w- C:\Windows\System32\WUDFHost.exe
    2012-11-04 19:06:02 -------- d-----w- C:\Users\Triode\AppData\Roaming\wargaming.net
    .
    ==================== Find3M ====================
    .
    2012-11-14 00:54:31 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-11-14 00:54:31 697272 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
    2012-10-30 23:51:55 984144 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
    2012-10-30 23:51:55 71600 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
    2012-10-30 23:51:07 41224 ----a-w- C:\Windows\avastSS.scr
    2012-10-25 10:12:26 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx
    2012-10-25 10:12:26 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts
    2012-10-18 18:25:58 3149824 ----a-w- C:\Windows\System32\win32k.sys
    2012-10-15 16:59:28 54072 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
    2012-10-09 18:17:13 55296 ----a-w- C:\Windows\System32\dhcpcsvc6.dll
    2012-10-09 18:17:13 226816 ----a-w- C:\Windows\System32\dhcpcore6.dll
    2012-10-09 17:40:31 44032 ----a-w- C:\Windows\SysWow64\dhcpcsvc6.dll
    2012-10-09 17:40:31 193536 ----a-w- C:\Windows\SysWow64\dhcpcore6.dll
    2012-10-08 11:31:03 2312704 ----a-w- C:\Windows\System32\jscript9.dll
    2012-10-08 11:23:52 1392128 ----a-w- C:\Windows\System32\wininet.dll
    2012-10-08 11:22:55 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
    2012-10-08 11:18:22 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
    2012-10-08 11:17:35 599040 ----a-w- C:\Windows\System32\vbscript.dll
    2012-10-08 11:13:33 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
    2012-10-08 07:56:24 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
    2012-10-08 07:48:03 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
    2012-10-08 07:47:44 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
    2012-10-08 07:44:05 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
    2012-10-08 07:43:21 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
    2012-10-08 07:40:56 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2012-10-03 17:56:54 1914248 ----a-w- C:\Windows\System32\drivers\tcpip.sys
    2012-10-03 17:44:21 70656 ----a-w- C:\Windows\System32\nlaapi.dll
    2012-10-03 17:44:21 303104 ----a-w- C:\Windows\System32\nlasvc.dll
    2012-10-03 17:44:17 246272 ----a-w- C:\Windows\System32\netcorehc.dll
    2012-10-03 17:44:17 18944 ----a-w- C:\Windows\System32\netevent.dll
    2012-10-03 17:44:16 216576 ----a-w- C:\Windows\System32\ncsi.dll
    2012-10-03 17:42:16 569344 ----a-w- C:\Windows\System32\iphlpsvc.dll
    2012-10-03 16:42:24 18944 ----a-w- C:\Windows\SysWow64\netevent.dll
    2012-10-03 16:42:24 175104 ----a-w- C:\Windows\SysWow64\netcorehc.dll
    2012-10-03 16:42:23 156672 ----a-w- C:\Windows\SysWow64\ncsi.dll
    2012-10-03 16:07:26 45568 ----a-w- C:\Windows\System32\drivers\tcpipreg.sys
    2012-09-25 22:47:43 78336 ----a-w- C:\Windows\SysWow64\synceng.dll
    2012-09-25 22:46:17 95744 ----a-w- C:\Windows\System32\synceng.dll
    2012-09-14 19:19:29 2048 ----a-w- C:\Windows\System32\tzres.dll
    2012-09-14 18:28:53 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
    2012-09-01 17:07:21 916456 ----a-w- C:\Windows\System32\deployJava1.dll
    2012-09-01 17:07:21 108008 ----a-w- C:\Windows\System32\WindowsAccessBridge-64.dll
    2012-09-01 17:07:21 1034216 ----a-w- C:\Windows\System32\npDeployJava1.dll
    2012-09-01 17:05:37 95208 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
    2012-09-01 17:05:36 821736 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
    2012-09-01 17:05:36 746984 ----a-w- C:\Windows\SysWow64\deployJava1.dll
    2012-08-31 18:19:35 1659760 ----a-w- C:\Windows\System32\drivers\ntfs.sys
    2012-08-30 18:03:45 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
    2012-08-30 17:12:02 3968880 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
    2012-08-30 17:12:02 3914096 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
    .
    ============= FINISH: 21:14:22.97 ===============


    aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
    Run date: 2012-11-26 21:15:06
    -----------------------------
    21:15:06.560 OS Version: Windows x64 6.1.7601 Service Pack 1
    21:15:06.560 Number of processors: 8 586 0x1A04
    21:15:06.562 ComputerName: TRIODE-PC UserName: Triode
    21:15:09.421 Initialize success
    21:15:10.140 AVAST engine defs: 12112601
    21:15:16.620 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
    21:15:16.621 Disk 0 Vendor: ST3500630AS 3.AAK Size: 476938MB BusType: 3
    21:15:16.629 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T1L0-a
    21:15:16.631 Disk 1 Vendor: ST3500630AS 3.AHG Size: 476940MB BusType: 3
    21:15:16.635 Device \Driver\atapi -> MajorFunction fffffa8006e695e8
    21:15:16.643 Disk 0 MBR read successfully
    21:15:16.646 Disk 0 MBR scan
    21:15:16.650 Disk 0 Windows 7 default MBR code
    21:15:16.653 Disk 0 MBR hidden
    21:15:16.663 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
    21:15:16.676 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 476836 MB offset 206848
    21:15:16.696 Disk 0 scanning C:\Windows\system32\drivers
    21:15:24.173 Service scanning
    21:15:35.548 Modules scanning
    21:15:35.558 Disk 0 trace - called modules:
    21:15:35.564 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8006e695e8]<<
    21:15:35.569 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8006841790]
    21:15:35.574 3 CLASSPNP.SYS[fffff88001b6043f] -> nt!IofCallDriver -> [0xfffffa8006616520]
    21:15:35.579 5 ACPI.sys[fffff88000f5e7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0xfffffa8006618060]
    21:15:35.584 \Driver\atapi[0xfffffa800680d910] -> IRP_MJ_CREATE -> 0xfffffa8006e695e8
    21:15:37.719 AVAST engine scan C:\Windows
    21:15:40.838 AVAST engine scan C:\Windows\system32
    21:17:18.459 AVAST engine scan C:\Windows\system32\drivers
    21:17:26.423 AVAST engine scan C:\Users\Triode
    21:18:32.990 AVAST engine scan C:\ProgramData
    21:20:03.319 Scan finished successfully
    21:20:49.250 Disk 0 MBR has been saved successfully to "C:\Users\Triode\Desktop\MBR.dat"
    21:20:49.254 The log file has been saved successfully to "C:\Users\Triode\Desktop\aswMBR.txt"

    Thank you for your time.

  2. #2
    Junior Member (Join Date: Nov 2012, Posts: 20)

    An update: I ran TDSSkiller and cured the rootkit.boot.pihar.c it found. Then, after restart, I ran Malwarebytes and Spybot again to clean up the remainder. It appears to have solved my problem. All scans come up clean now, and I no longer receive constant messages that avast has blocked an attempt to connect to a malicious URL.

  3. #3
    Senior Member (Join Date: Apr 2010, Posts: 463)

    Hello Triode and

    My name is JonTom

    • Malware Logs can sometimes take a lot of time to research and interpret.
    • Please be patient while I try to assist with your problem. If at any time you do not understand what is required, please ask for further explanation.
    • Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.
    • Read every reply you receive carefully and thoroughly before carrying out the instructions. You may also find it helpful to print out the instructions you receive, as in some instances you may have to disconnect your computer from the Internet.
    • PLEASE NOTE: If you do not reply after 3 days your thread will be closed.


    I ran TDSSkiller and cured the rootkit.boot.pihar.c it found
    Pihar has password stealing capabilities. If you use this machine for any kind of financial transactions please use an uninfected system to change all of your passwords as soon as you can.

    Please run TDSSKiller again and post the new log for me to review. Do not allow it to remove anything, I only need to see the log at this time.

    Please post the new TDSSKiller log along with a new set of DDS scan logs in your next reply.
    Proud Graduate of the WTT Classroom

  4. #4
    Junior Member (Join Date: Nov 2012, Posts: 20)

    TDSS didn't come up with anything for me to remove. I can't fit both logs in a post, so the TDSS log is attached.


    DDS (Ver_2012-11-20.01) - NTFS_AMD64
    Internet Explorer: 9.0.8112.16457
    Run by Triode at 11:24:05 on 2012-12-16
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.6141.4323 [GMT -7:00]
    .
    AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\Windows\system32\atieclxx.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\SysWOW64\PnkBstrA.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    C:\Windows\SysWOW64\rundll32.exe
    C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe
    C:\Program Files\AVAST Software\Avast\AvastUI.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files (x86)\Razer\DeathAdder\razertra.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files (x86)\Razer\DeathAdder\razerofa.exe
    C:\Program Files (x86)\Razer\DeathAdder\vdDaemon.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
    C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe
    C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\System32\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    mWinlogon: Userinit = userinit.exe,
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    BHO: {9194649F-7143-4308-90C1-D6A35B0E354E} - <orphaned>
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} -
    TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    mRun: [DeathAdder] C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe
    mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    mPolicies-Explorer: NoActiveDesktop = dword:1
    mPolicies-Explorer: NoActiveDesktopChanges = dword:1
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableUIADesktopToggle = dword:0
    .
    INFO: HKCU has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    .
    INFO: HKLM has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    TCP: NameServer = 192.168.1.1
    TCP: Interfaces\{29206791-C83A-43F8-91B4-E93E2DA740D6} : DHCPNameServer = 69.145.248.4 69.146.17.2 69.144.49.29
    TCP: Interfaces\{83DE6050-B21D-42E2-99B8-E9B053DD378C} : DHCPNameServer = 192.168.1.1
    SSODL: WebCheck - <orphaned>
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
    x64-BHO: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
    x64-BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
    x64-BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
    x64-TB: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
    x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
    x64-Run: [CmPCIaudio] C:\Windows\syswow64\RunDll32.exe C:\Windows\Syswow64\CMICNFG3.cpl,CMICtrlWnd
    .
    INFO: x64-HKLM has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    x64-SSODL: WebCheck - <orphaned>
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\Triode\AppData\Roaming\Mozilla\Firefox\Profiles\xy2e13bl.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
    FF - plugin: C:\Program Files (x86)\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin10171.dll
    FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_135.dll
    FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
    FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: extensions.funmoods.hmpg - false
    FF - user.js: extensions.funmoods.hmpgUrl - hxxp://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzutAtN2Y1L1QzutDtDtByEtC0DtCtD0Bzyzy0FyDtCzzyDtN0D0TzutBtDtCtBtDyCtCtC&cr=775541920
    FF - user.js: extensions.funmoods.dfltSrch - false
    FF - user.js: extensions.funmoods.srchPrvdr - Search
    FF - user.js: extensions.funmoods.dnsErr - true
    FF - user.js: extensions.funmoods_i.newTab - false
    FF - user.js: extensions.funmoods.newTabUrl - hxxp://start.funmoods.com/?f=2&a=adknlg&chnl=adknlg&cd=2XzutAtN2Y1L1QzutDtDtByEtC0DtCtD0Bzyzy0FyDtCzzyDtN0D0TzutBtDtCtBtDyCtCtC&cr=775541920
    FF - user.js: extensions.funmoods.tlbrSrchUrl -
    FF - user.js: extensions.funmoods.id - 5e8d518500000000000000241d10b99d
    FF - user.js: extensions.funmoods.instlDay - 15502
    FF - user.js: extensions.funmoods.vrsn - 1.5.23.22
    FF - user.js: extensions.funmoods.vrsni - 1.5.23.22
    FF - user.js: extensions.funmoods_i.vrsnTs - 1.5.23.2217:55:58
    FF - user.js: extensions.funmoods.prtnrId - funmoods
    FF - user.js: extensions.funmoods.prdct - funmoods
    FF - user.js: extensions.funmoods.aflt - adknlg
    FF - user.js: extensions.funmoods_i.smplGrp - none
    FF - user.js: extensions.funmoods.tlbrId - base
    FF - user.js: extensions.funmoods.instlRef - adknlg
    FF - user.js: extensions.funmoods.dfltLng -
    FF - user.js: extensions.funmoods.excTlbr - false
    FF - user.js: extensions.funmoods.autoRvrt - false
    FF - user.js: extensions.funmoods.envrmnt - production
    FF - user.js: extensions.funmoods.isdcmntcmplt - true
    FF - user.js: extensions.funmoods.mntrvrsn - 1.3.0
    user_pref('extensions.autoDisableScopes', 0);user_pref('security.csp.enable', false);user_pref('security.OCSP.enabled', 0);
    ============= SERVICES / DRIVERS ===============
    .
    R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2011-7-23 984144]
    R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2011-7-23 370288]
    R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\System32\drivers\dtsoftbus01.sys [2011-11-29 279616]
    R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2012-7-27 239616]
    R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2011-7-23 25232]
    R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2011-7-23 71600]
    R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2012-11-26 44808]
    R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2012-5-13 96896]
    R3 danewFltr;NewDeathAdder Mouse;C:\Windows\System32\drivers\danew.sys [2011-7-23 12032]
    R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-7-23 239616]
    R3 VKbms;Virtual HID Minidriver;C:\Windows\System32\drivers\VKbms.sys [2011-7-23 13312]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-4-12 71168]
    S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
    S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
    S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-7-9 52736]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-7-23 1255736]
    .
    =============== Created Last 30 ================
    .
    2012-12-16 18:12:59 108008 ----a-w- C:\Windows\System32\WindowsAccessBridge-64.dll
    2012-12-16 17:57:16 476904 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
    2012-12-16 17:56:45 -------- d-----w- C:\Windows\System32\appmgmt
    2012-12-15 05:12:51 119296 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\A517.tmp.dat
    2012-12-14 14:27:33 9125352 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{16DF9805-9F86-49D5-82B5-F8DE5811E5FA}\mpengine.dll
    2012-12-13 02:52:01 124928 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\4F3A.tmp.dat
    2012-12-12 14:26:53 46080 ----a-w- C:\Windows\System32\atmlib.dll
    2012-12-12 14:26:53 367616 ----a-w- C:\Windows\System32\atmfd.dll
    2012-12-12 14:26:53 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
    2012-12-12 14:26:53 295424 ----a-w- C:\Windows\SysWow64\atmfd.dll
    2012-12-12 14:26:52 478208 ----a-w- C:\Windows\System32\dpnet.dll
    2012-12-12 14:26:52 376832 ----a-w- C:\Windows\SysWow64\dpnet.dll
    2012-12-12 14:26:52 3149824 ----a-w- C:\Windows\System32\win32k.sys
    2012-11-29 05:12:30 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-11-27 03:33:08 -------- d-----w- C:\Users\Triode\AppData\Roaming\Malwarebytes
    2012-11-27 03:32:54 -------- d-----w- C:\ProgramData\Malwarebytes
    2012-11-27 03:32:53 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2012-11-27 03:32:53 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-11-18 06:06:20 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin7.dll
    2012-11-18 06:06:20 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin6.dll
    2012-11-18 06:06:20 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
    2012-11-18 06:06:20 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
    2012-11-18 06:06:20 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
    2012-11-18 06:06:20 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
    2012-11-18 06:06:20 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin.dll
    2012-11-18 06:04:58 33240 ----a-w- C:\Windows\System32\drivers\GEARAspiWDM.sys
    2012-11-18 06:04:23 -------- d-----w- C:\Program Files\iPod
    2012-11-18 06:04:21 -------- d-----w- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
    2012-11-18 06:04:21 -------- d-----w- C:\Program Files\iTunes
    2012-11-18 06:04:21 -------- d-----w- C:\Program Files (x86)\iTunes
    .
    ==================== Find3M ====================
    .
    2012-12-16 18:12:42 916456 ----a-w- C:\Windows\System32\deployJava1.dll
    2012-12-16 18:12:42 1034216 ----a-w- C:\Windows\System32\npDeployJava1.dll
    2012-12-12 05:20:28 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-12-12 05:20:28 697272 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
    2012-11-14 06:11:44 2312704 ----a-w- C:\Windows\System32\jscript9.dll
    2012-11-14 06:04:11 1392128 ----a-w- C:\Windows\System32\wininet.dll
    2012-11-14 06:02:49 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
    2012-11-14 05:57:46 599040 ----a-w- C:\Windows\System32\vbscript.dll
    2012-11-14 05:57:35 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
    2012-11-14 05:52:40 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
    2012-11-14 02:09:22 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
    2012-11-14 01:58:15 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
    2012-11-14 01:57:37 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
    2012-11-14 01:49:25 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
    2012-11-14 01:48:27 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
    2012-11-14 01:44:42 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2012-11-09 05:45:09 2048 ----a-w- C:\Windows\System32\tzres.dll
    2012-11-09 04:42:49 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
    2012-10-30 23:51:55 984144 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
    2012-10-30 23:51:55 71600 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
    2012-10-30 23:51:07 41224 ----a-w- C:\Windows\avastSS.scr
    2012-10-25 10:12:26 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx
    2012-10-25 10:12:26 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts
    2012-10-16 08:38:37 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
    2012-10-16 08:38:34 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll
    2012-10-16 07:39:52 561664 ----a-w- C:\Windows\apppatch\AcLayers.dll
    2012-10-15 16:59:28 54072 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
    2012-10-09 18:17:13 55296 ----a-w- C:\Windows\System32\dhcpcsvc6.dll
    2012-10-09 18:17:13 226816 ----a-w- C:\Windows\System32\dhcpcore6.dll
    2012-10-09 17:40:31 44032 ----a-w- C:\Windows\SysWow64\dhcpcsvc6.dll
    2012-10-09 17:40:31 193536 ----a-w- C:\Windows\SysWow64\dhcpcore6.dll
    2012-10-04 17:46:16 362496 ----a-w- C:\Windows\System32\wow64win.dll
    2012-10-04 17:46:15 243200 ----a-w- C:\Windows\System32\wow64.dll
    2012-10-04 17:46:15 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
    2012-10-04 17:45:55 215040 ----a-w- C:\Windows\System32\winsrv.dll
    2012-10-04 17:43:28 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
    2012-10-04 17:41:16 424960 ----a-w- C:\Windows\System32\KernelBase.dll
    2012-10-04 16:47:41 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
    2012-10-04 16:47:41 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll
    2012-10-04 15:21:55 338432 ----a-w- C:\Windows\System32\conhost.exe
    2012-10-04 14:46:46 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
    2012-10-04 14:46:46 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
    2012-10-04 14:46:44 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
    2012-10-04 14:46:43 2048 ----a-w- C:\Windows\SysWow64\user.exe
    2012-10-04 14:41:50 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
    2012-10-04 14:41:50 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
    2012-10-04 14:41:50 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
    2012-10-04 14:41:50 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
    2012-10-03 17:56:54 1914248 ----a-w- C:\Windows\System32\drivers\tcpip.sys
    2012-10-03 17:44:21 70656 ----a-w- C:\Windows\System32\nlaapi.dll
    2012-10-03 17:44:21 303104 ----a-w- C:\Windows\System32\nlasvc.dll
    2012-10-03 17:44:17 246272 ----a-w- C:\Windows\System32\netcorehc.dll
    2012-10-03 17:44:17 18944 ----a-w- C:\Windows\System32\netevent.dll
    2012-10-03 17:44:16 216576 ----a-w- C:\Windows\System32\ncsi.dll
    2012-10-03 17:42:16 569344 ----a-w- C:\Windows\System32\iphlpsvc.dll
    2012-10-03 16:42:24 18944 ----a-w- C:\Windows\SysWow64\netevent.dll
    2012-10-03 16:42:24 175104 ----a-w- C:\Windows\SysWow64\netcorehc.dll
    2012-10-03 16:42:23 156672 ----a-w- C:\Windows\SysWow64\ncsi.dll
    2012-10-03 16:07:26 45568 ----a-w- C:\Windows\System32\drivers\tcpipreg.sys
    2012-09-25 22:47:43 78336 ----a-w- C:\Windows\SysWow64\synceng.dll
    2012-09-25 22:46:17 95744 ----a-w- C:\Windows\System32\synceng.dll
    .
    ============= FINISH: 11:24:25.07 ===============
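The SERVICES / DRIVERS block of the DDS log above (ComboFix prints the same line shape under its Reg Loading Points section) is the part of these logs a responder reads first: a registered service or driver whose image file is missing, or whose image sits somewhere no installer would normally put it, is where attention goes. The parser and triage pass below is an added example for this thread, not DDS, ComboFix or code from anyone posting here. It assumes the `[x]` marker means the tool could not find the image file, and the list of expected image roots is a heuristic of the example's own. Four sample lines are copied from the logs in this thread; the `updhelper` line is constructed to exercise the path check.

```python
"""Parse the SERVICES / DRIVERS lines that DDS and ComboFix print and flag
entries worth a second look. Added example for this thread; not part of
either tool."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The digit after R/S is the Windows service start type.
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}

# Line shape: "<R|S><start> <name>;<display name>;<image path> [<yyyy-m-d> <size>]"
# or "... [x]" when the tool could not find the image file (assumption about "[x]").
_LINE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]*);(?P<display>[^;]*);"
    r"(?P<image>.*?)\s*"
    r"\[(?:(?P<missing>x)|(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+))\]$"
)


@dataclass
class ServiceEntry:
    running: bool            # R = running, S = stopped
    start_type: str
    name: str
    display: str
    image: str               # empty when the log shows no path at all
    file_date: Optional[str]
    size: Optional[int]
    file_present: bool


def parse_line(line: str) -> Optional[ServiceEntry]:
    """Return a ServiceEntry for a service/driver line, or None for any other line."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    return ServiceEntry(
        running=m["state"] == "R",
        start_type=START_TYPES.get(int(m["start"]), "unknown"),
        name=m["name"],
        display=m["display"],
        image=m["image"].strip(),
        file_date=m["date"],
        size=int(m["size"]) if m["size"] else None,
        file_present=m["missing"] is None,
    )


# Heuristic (assumption): service images normally live under these roots.
_EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def triage(entries: List[ServiceEntry]) -> List[Tuple[str, str]]:
    """Return (service name, reason) pairs for entries that deserve a closer look."""
    findings = []
    for e in entries:
        if not e.file_present:
            findings.append((e.name, f"{e.start_type}-start entry whose image file was not found ([x])"))
        if e.image:
            exe = e.image.split(" -k ")[0].lower()   # drop the svchost group switch
            if not exe.startswith(_EXPECTED_ROOTS):
                findings.append((e.name, f"image outside the usual system roots: {e.image}"))
    return findings


# Sample input: four lines copied from the DDS/ComboFix logs in this thread, one
# constructed line (updhelper, under a Temp folder) to exercise the path heuristic,
# and a section header to show that non-entry lines are ignored.
SAMPLE_LINES = [
    r"R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2011-7-23 984144]",
    r"S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]",
    r"R0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys [x]",
    r"S1 aswSP;aswSP; [x]",
    r"R2 updhelper;Update Helper;c:\users\example\AppData\Local\Temp\updhelper.exe [2012-12-1 45056]",
    "============= SERVICES / DRIVERS ===============",
]


def run_sample() -> Tuple[List[ServiceEntry], List[Tuple[str, str]]]:
    entries = [e for e in (parse_line(l) for l in SAMPLE_LINES) if e is not None]
    return entries, triage(entries)


if __name__ == "__main__":
    for name, reason in run_sample()[1]:
        print(f"{name}: {reason}")
```

On a real log, feed every line of the file through `parse_line` and pass the non-None results to `triage`; the header and blank lines fall out by themselves. A finding is a prompt to look, not a verdict: an antivirus driver listed with `[x]` while the product is disabled for a scan is expected, while a boot-start driver with no file behind it is worth asking about.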

  5. #5
    Senior Member
    Join Date
    Apr 2010
    Posts
    463

    Default

    Hello Triode

    Thank you for the logs.

    TDSS didn't come up with anything for me to remove.
    That confirms Pihar has been removed.

    Let's continue with the following:

    1. Combofix

      • VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
      • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.
      • Right click on ComboFix.exe and select "Run as Administrator" to run the program. Follow the prompts.
      • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
      • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
      • Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
      • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

      • Click on Yes, to continue scanning for malware.
      • When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
      • Notes: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
      • Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
      • Should there be issues with internet afterward:

        In IE: Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "use a proxy server" or reconfigure the proxy server again in case you have set it previously.

        In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection and uncheck the proxy server, set it to No Proxy.
    Proud Graduate of the WTT Classroom

  6. #6
    Junior Member
    Join Date
    Nov 2012
    Posts
    20

    Default

    I don't really have another computer available to change my banking password from right now. Do you think it's safe to change it from this computer now that Pihar is gone? They haven't emptied my bank account so far.


    ComboFix 12-12-14.01 - Triode 12/16/2012 14:10:55.1.8 - x64
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.6141.4239 [GMT -7:00]
    Running from: c:\users\Triode\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\ntuser.dat
    c:\windows\wininit.ini
    F:\Autorun.inf
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-11-16 to 2012-12-16 )))))))))))))))))))))))))))))))
    .
    .
    2012-12-16 21:18 . 2012-12-16 21:18 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-12-16 18:13 . 2012-12-16 18:12 289768 ----a-w- c:\windows\system32\javaws.exe
    2012-12-16 18:12 . 2012-12-16 18:12 108008 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll
    2012-12-16 18:12 . 2012-12-16 18:12 189416 ----a-w- c:\windows\system32\javaw.exe
    2012-12-16 18:12 . 2012-12-16 18:12 188904 ----a-w- c:\windows\system32\java.exe
    2012-12-16 18:12 . 2012-12-16 18:12 -------- d-----w- c:\program files\Java
    2012-12-16 17:56 . 2012-12-16 17:56 -------- d-----w- c:\windows\system32\appmgmt
    2012-12-15 05:12 . 2012-12-15 05:12 119296 ----a-w- c:\programdata\Microsoft\Windows\DRM\A517.tmp.dat
    2012-12-14 14:27 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{16DF9805-9F86-49D5-82B5-F8DE5811E5FA}\mpengine.dll
    2012-12-13 02:52 . 2012-12-13 02:51 124928 ----a-w- c:\programdata\Microsoft\Windows\DRM\4F3A.tmp.dat
    2012-12-12 14:26 . 2012-11-05 21:35 46080 ----a-w- c:\windows\system32\atmlib.dll
    2012-12-12 14:26 . 2012-11-05 20:41 367616 ----a-w- c:\windows\system32\atmfd.dll
    2012-12-12 14:26 . 2012-11-05 20:32 295424 ----a-w- c:\windows\SysWow64\atmfd.dll
    2012-12-12 14:26 . 2012-11-05 20:32 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
    2012-12-12 14:26 . 2012-11-22 03:26 3149824 ----a-w- c:\windows\system32\win32k.sys
    2012-12-12 14:26 . 2012-11-02 05:59 478208 ----a-w- c:\windows\system32\dpnet.dll
    2012-12-12 14:26 . 2012-11-02 05:11 376832 ----a-w- c:\windows\SysWow64\dpnet.dll
    2012-11-29 05:12 . 2012-11-29 05:12 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-11-27 04:12 . 2012-11-27 04:12 -------- d-----w- c:\program files (x86)\ERUNT
    2012-11-27 03:33 . 2012-11-27 03:33 -------- d-----w- c:\users\Triode\AppData\Roaming\Malwarebytes
    2012-11-27 03:32 . 2012-11-27 03:32 -------- d-----w- c:\programdata\Malwarebytes
    2012-11-27 03:32 . 2012-11-27 03:32 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-11-27 03:32 . 2012-09-30 02:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-11-18 06:06 . 2012-11-18 06:06 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin7.dll
    2012-11-18 06:06 . 2012-11-18 06:06 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin6.dll
    2012-11-18 06:06 . 2012-11-18 06:06 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
    2012-11-18 06:06 . 2012-11-18 06:06 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
    2012-11-18 06:06 . 2012-11-18 06:06 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
    2012-11-18 06:06 . 2012-11-18 06:06 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
    2012-11-18 06:06 . 2012-11-18 06:06 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin.dll
    2012-11-18 06:06 . 2012-11-18 06:06 -------- d-----w- c:\program files (x86)\QuickTime
    2012-11-18 06:04 . 2012-08-21 20:01 33240 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2012-11-18 06:04 . 2012-11-18 06:04 -------- d-----w- c:\program files\iPod
    2012-11-18 06:04 . 2012-11-18 06:04 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69
    2012-11-18 06:04 . 2012-11-18 06:04 -------- d-----w- c:\program files\iTunes
    2012-11-18 06:04 . 2012-11-18 06:04 -------- d-----w- c:\program files (x86)\iTunes
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-12-16 18:12 . 2012-08-15 19:42 916456 ----a-w- c:\windows\system32\deployJava1.dll
    2012-12-16 18:12 . 2012-08-15 19:42 1034216 ----a-w- c:\windows\system32\npDeployJava1.dll
    2012-12-12 14:29 . 2011-07-23 21:59 67413224 ----a-w- c:\windows\system32\MRT.exe
    2012-12-12 05:20 . 2012-07-23 03:10 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-12-12 05:20 . 2012-07-23 03:10 697272 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-10-30 23:51 . 2011-07-23 22:17 59728 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-10-30 23:51 . 2011-07-23 22:18 370288 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-10-30 23:51 . 2011-07-23 22:17 984144 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-10-30 23:51 . 2011-07-23 22:17 71600 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2012-10-30 23:51 . 2011-07-23 22:18 25232 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-10-30 23:51 . 2011-07-23 22:17 41224 ----a-w- c:\windows\avastSS.scr
    2012-10-30 23:50 . 2011-07-23 22:17 227648 ----a-w- c:\windows\SysWow64\aswBoot.exe
    2012-10-30 23:50 . 2011-07-23 22:17 285328 ----a-w- c:\windows\system32\aswBoot.exe
    2012-10-25 10:12 . 2012-10-25 10:12 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
    2012-10-25 10:12 . 2012-10-25 10:12 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
    2012-10-16 08:38 . 2012-11-28 14:11 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll
    2012-10-16 08:38 . 2012-11-28 14:11 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll
    2012-10-16 07:39 . 2012-11-28 14:11 561664 ----a-w- c:\windows\apppatch\AcLayers.dll
    2012-10-15 16:59 . 2012-08-15 22:04 54072 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
    2012-10-09 18:17 . 2012-11-14 14:16 55296 ----a-w- c:\windows\system32\dhcpcsvc6.dll
    2012-10-09 18:17 . 2012-11-14 14:16 226816 ----a-w- c:\windows\system32\dhcpcore6.dll
    2012-10-09 17:40 . 2012-11-14 14:16 44032 ----a-w- c:\windows\SysWow64\dhcpcsvc6.dll
    2012-10-09 17:40 . 2012-11-14 14:16 193536 ----a-w- c:\windows\SysWow64\dhcpcore6.dll
    2012-10-04 16:40 . 2012-12-12 14:27 44032 ----a-w- c:\windows\apppatch\acwow64.dll
    2012-10-03 17:56 . 2012-11-14 14:16 1914248 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2012-10-03 17:44 . 2012-11-14 14:16 303104 ----a-w- c:\windows\system32\nlasvc.dll
    2012-10-03 17:44 . 2012-11-14 14:16 70656 ----a-w- c:\windows\system32\nlaapi.dll
    2012-10-03 17:44 . 2012-11-14 14:16 246272 ----a-w- c:\windows\system32\netcorehc.dll
    2012-10-03 17:44 . 2012-11-14 14:16 18944 ----a-w- c:\windows\system32\netevent.dll
    2012-10-03 17:44 . 2012-11-14 14:16 216576 ----a-w- c:\windows\system32\ncsi.dll
    2012-10-03 17:42 . 2012-11-14 14:16 569344 ----a-w- c:\windows\system32\iphlpsvc.dll
    2012-10-03 16:42 . 2012-11-14 14:16 175104 ----a-w- c:\windows\SysWow64\netcorehc.dll
    2012-10-03 16:42 . 2012-11-14 14:16 18944 ----a-w- c:\windows\SysWow64\netevent.dll
    2012-10-03 16:42 . 2012-11-14 14:16 156672 ----a-w- c:\windows\SysWow64\ncsi.dll
    2012-10-03 16:07 . 2012-11-14 14:16 45568 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
    2012-09-25 22:47 . 2012-11-14 14:16 78336 ----a-w- c:\windows\SysWow64\synceng.dll
    2012-09-25 22:46 . 2012-11-14 14:16 95744 ----a-w- c:\windows\system32\synceng.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "DeathAdder"="c:\program files (x86)\Razer\DeathAdder\razerhid.exe" [2011-02-19 248320]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-08-06 642216]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    R0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys [x]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-07-09 52736]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-07-23 1255736]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2011-11-30 279616]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-07-28 239616]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-10-30 71600]
    S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2012-05-14 96896]
    S3 danewFltr;NewDeathAdder Mouse;c:\windows\system32\drivers\danew.sys [2010-03-23 12032]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-08-20 239616]
    S3 VKbms;Virtual HID Minidriver;c:\windows\system32\DRIVERS\VKbms.sys [2010-10-01 13312]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - 91065575
    *Deregistered* - 91065575
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2010-08-16 20:43 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-12-16 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-23 05:20]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-10-30 23:50 133400 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-09-22 8116256]
    "CmPCIaudio"="c:\windows\Syswow64\CMICNFG3.cpl" [2008-04-17 6914048]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    Trusted Zone: aol.com\free
    Trusted Zone: clonewarsadventures.com
    Trusted Zone: freerealms.com
    Trusted Zone: soe.com
    Trusted Zone: sony.com
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\users\Triode\AppData\Roaming\Mozilla\Firefox\Profiles\xy2e13bl.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - user.js: extensions.funmoods.hmpg - false
    FF - user.js: extensions.funmoods.hmpgUrl - hxxp://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzutAtN2Y1L1QzutDtDtByEtC0DtCtD0Bzyzy0FyDtCzzyDtN0D0TzutBtDtCtBtDyCtCtC&cr=775541920
    FF - user.js: extensions.funmoods.dfltSrch - false
    FF - user.js: extensions.funmoods.srchPrvdr - Search
    FF - user.js: extensions.funmoods.dnsErr - true
    FF - user.js: extensions.funmoods_i.newTab - false
    FF - user.js: extensions.funmoods.newTabUrl - hxxp://start.funmoods.com/?f=2&a=adknlg&chnl=adknlg&cd=2XzutAtN2Y1L1QzutDtDtByEtC0DtCtD0Bzyzy0FyDtCzzyDtN0D0TzutBtDtCtBtDyCtCtC&cr=775541920
    FF - user.js: extensions.funmoods.tlbrSrchUrl -
    FF - user.js: extensions.funmoods.id - 5e8d518500000000000000241d10b99d
    FF - user.js: extensions.funmoods.instlDay - 15502
    FF - user.js: extensions.funmoods.vrsn - 1.5.23.22
    FF - user.js: extensions.funmoods.vrsni - 1.5.23.22
    FF - user.js: extensions.funmoods_i.vrsnTs - 1.5.23.2217:55
    FF - user.js: extensions.funmoods.prtnrId - funmoods
    FF - user.js: extensions.funmoods.prdct - funmoods
    FF - user.js: extensions.funmoods.aflt - adknlg
    FF - user.js: extensions.funmoods_i.smplGrp - none
    FF - user.js: extensions.funmoods.tlbrId - base
    FF - user.js: extensions.funmoods.instlRef - adknlg
    FF - user.js: extensions.funmoods.dfltLng -
    FF - user.js: extensions.funmoods.excTlbr - false
    FF - user.js: extensions.funmoods.autoRvrt - false
    FF - user.js: extensions.funmoods.envrmnt - production
    FF - user.js: extensions.funmoods.isdcmntcmplt - true
    FF - user.js: extensions.funmoods.mntrvrsn - 1.3.0
    user_pref('extensions.autoDisableScopes', 0);user_pref('security.csp.enable', false);user_pref('security.OCSP.enabled', 0);
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{9194649F-7143-4308-90C1-D6A35B0E354E} - (no file)
    SafeBoot-11743317.sys
    AddRemove-PunkBusterSvc - c:\windows\system32\pbsvc_bc2.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
    @Allowed: (B 1 4 5 6) (S-1-5-5-0-162404)
    @="?????????????????? v1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
    @="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
    @Allowed: (B 1 4 5 6) (S-1-5-5-0-162404)
    @="?????????????????? v2"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
    @="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2012-12-16 14:20:41
    ComboFix-quarantined-files.txt 2012-12-16 21:20
    .
    Pre-Run: 287,718,891,520 bytes free
    Post-Run: 287,585,837,056 bytes free
    .
    - - End Of File - - 1D5A5BA1715F3A45D919BF60E2B14092
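Both logs in this thread list the Firefox preferences the funmoods add-on wrote into the profile, and the final `user_pref(...)` line is the security-relevant part: it switches off Content Security Policy enforcement (`security.csp.enable`), switches off OCSP certificate revocation checks (`security.OCSP.enabled`), and sets `extensions.autoDisableScopes` to 0, so sideloaded add-ons are enabled without the user ever approving them. The audit below is an added example for this thread, not code from DDS, ComboFix or anyone posting here. It parses the `FF - user.js:` / `FF - prefs.js:` lines and the `user_pref(...)` calls, undoes the hxxp defanging these logs apply, and reports prefs that differ from the stock values (the stock values listed are the example's own assumption) plus navigation prefs that point anywhere other than a trusted host list. Sample lines are copied from the ComboFix log above.

```python
"""Audit the Firefox preference lines that DDS and ComboFix print (the
"FF - user.js:" and "user_pref(...)" lines) for settings that weaken the
browser or redirect it. Added example for this thread; not part of either tool."""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Expected values for prefs that matter for security (assumption: a stock
# profile carries these defaults). Any other value is reported.
HARDENING_PREFS = {
    "security.csp.enable": "true",          # Content Security Policy enforcement on
    "security.OCSP.enabled": "1",           # certificate revocation (OCSP) checks on
    "extensions.autoDisableScopes": "15",   # sideloaded add-ons stay disabled until approved
}

# Suffixes of prefs that decide where the browser navigates; hijackers rewrite these.
NAVIGATION_SUFFIXES = ("hmpgUrl", "newTabUrl", "tlbrSrchUrl", "browser.startup.homepage")

_FF_LINE = re.compile(r"^FF - (?:user|prefs)\.js: (?P<key>\S+) -\s?(?P<value>.*)$")
_USER_PREF = re.compile(r"user_pref\('(?P<key>[^']+)',\s*(?P<value>[^)]*)\)")


def parse_prefs(lines) -> Dict[str, str]:
    """Collect pref name -> value from log lines; later lines overwrite earlier ones."""
    prefs: Dict[str, str] = {}
    for raw in lines:
        line = raw.strip()
        m = _FF_LINE.match(line)
        if m:
            prefs[m["key"]] = m["value"].strip()
            continue
        for m in _USER_PREF.finditer(line):      # several calls can share one line
            prefs[m["key"]] = m["value"].strip().strip("'\"")
    return prefs


def refang(url: str) -> str:
    """Undo the hxxp:// defanging these logs apply so the URL can be parsed."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def audit(prefs: Dict[str, str], trusted_hosts=("www.google.com",)) -> List[Tuple[str, str]]:
    """Return (pref, reason) pairs for weakened security prefs and redirected navigation prefs."""
    findings = []
    for key, expected in HARDENING_PREFS.items():
        if key in prefs and prefs[key] != expected:
            findings.append((key, f"set to {prefs[key]!r}, expected {expected!r}"))
    for key, value in prefs.items():
        if key.endswith(NAVIGATION_SUFFIXES) and value:
            host = urlparse(refang(value)).hostname
            if host and host not in trusted_hosts:
                findings.append((key, f"sends the browser to {host}"))
    return findings


# Sample input copied from the ComboFix log in this thread.
SAMPLE_LOG_LINES = [
    "FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/",
    "FF - user.js: extensions.funmoods.hmpg - false",
    "FF - user.js: extensions.funmoods.hmpgUrl - hxxp://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzutAtN2Y1L1QzutDtDtByEtC0DtCtD0Bzyzy0FyDtCzzyDtN0D0TzutBtDtCtBtDyCtCtC&cr=775541920",
    "FF - user.js: extensions.funmoods.newTabUrl - hxxp://start.funmoods.com/?f=2&a=adknlg&chnl=adknlg&cd=2XzutAtN2Y1L1QzutDtDtByEtC0DtCtD0Bzyzy0FyDtCzzyDtN0D0TzutBtDtCtBtDyCtCtC&cr=775541920",
    "FF - user.js: extensions.funmoods.tlbrSrchUrl -",
    "FF - user.js: extensions.funmoods.dfltLng -",
    "user_pref('extensions.autoDisableScopes', 0);user_pref('security.csp.enable', false);user_pref('security.OCSP.enabled', 0);",
]


def run_sample() -> List[Tuple[str, str]]:
    return audit(parse_prefs(SAMPLE_LOG_LINES))


if __name__ == "__main__":
    for key, reason in run_sample():
        print(f"{key}: {reason}")
```

The same check works on a profile's `user.js` and `prefs.js` directly, since the `user_pref(...)` regex matches the files' native syntax; the `FF - ...` branch is only there for the DDS/ComboFix rendering. Extend `trusted_hosts` with whatever homepage the user actually chose before reading the navigation findings.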

  7. #7
    Senior Member
    Join Date
    Apr 2010
    Posts
    463

    Default

    Hello Triode

    Thank you for the log.

    I don't really have another computer available to change my banking password from right now. Do you think it's safe to change it from this computer now that Pihar is gone? They haven't emptied my bank account so far.
    With rootkit infections we are unable to give you a guarantee that the machine will ever be secure after cleaning due to the nature of the infection.

    Many people recommend a reformat and reinstallation of the operating system in the face of a rootkit infection and if you would prefer to take that route I am happy to help. Our primary concern is the safety of our forum members.

    Unfortunately, there is no way for us to tell if your login details have been compromised, so if you are worried that this may indeed be the case, you can always contact your banks and request that they freeze your online banking facilities until you are able to change your passwords. Failing that, a reformat and reinstallation would be your best course of action.

    Changing your passwords is the only failsafe way to ensure that the bad guys do not have access to your accounts.

    Should you wish to continue cleaning this machine, I would like to take a closer look at a couple of files before we continue:


    1. Please scan the following files

      • On the page you'll find a "Choose File" button.
      • Click on the Choose File button.
      • In the File Upload window which opens, copy and paste this into the File Name box.

      c:\programdata\Microsoft\Windows\DRM\A517.tmp.dat

      • Next, click the Open button.
      • Then click the "Scan it" button just below.
      • This will scan the file. Please be patient.
      • If you get a message saying File has already been analyzed: click Reanalyze file now.
      • Once scanned, copy and paste the link to the results page in your next reply.
      • Repeat for the following file:

      c:\programdata\Microsoft\Windows\DRM\4F3A.tmp.dat

      Please copy and paste the links to the VirusTotal result pages in your next reply.

  8. #8
    Junior Member
    Join Date
    Nov 2012
    Posts
    20

    Default

    Reformatting is what I was really hoping to avoid.

    I don't really know what those results say, but I see red text. That seems bad.

    c:\programdata\Microsoft\Windows\DRM\4F3A.tmp.dat

    https://www.virustotal.com/file/52bb...is/1355707508/


    c:\programdata\Microsoft\Windows\DRM\A517.tmp.dat

    https://www.virustotal.com/file/9869...is/1355707844/

  9. #9
    Senior Member
    Join Date
    Apr 2010
    Posts
    463

    Default

    Hello Triode

    Thank you for the scan data.

    That seems bad
    Those files are infected. We will take care of that now. We need to use Combofix again but this time, we will be running it in a slightly different way:


    1. Please work through the following steps


      • Hold down the Windows key (has the Windows symbol on it) and press the "R" key. A Run box will open. Type in Notepad and press Enter (or click on "OK").
      • NOTE: Do not Use Wordpad or any other text editor except Notepad or the script will fail.
      • Copy and Paste the text in the codebox below (including the link) into the open Notepad window:

        Code:
        http://forums.spybot.info/showthread.php?p=434722#post434722
        
        Collect::
        c:\programdata\Microsoft\Windows\DRM\4F3A.tmp.dat
        c:\programdata\Microsoft\Windows\DRM\A517.tmp.dat
        
        DDS::
        Trusted Zone: aol.com\free
        Trusted Zone: clonewarsadventures.com
        Trusted Zone: freerealms.com
        Trusted Zone: soe.com
        Trusted Zone: sony.com
        
        Firefox::
        FF - ProfilePath - c:\users\Triode\AppData\Roaming\Mozilla\Firefox\Profiles\xy2e13bl.default\
        FF - user.js: extensions.funmoods.hmpg - false
        FF - user.js: extensions.funmoods.hmpgUrl - hxxp://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzutAtN2Y1L1QzutDtDtByEtC0DtCtD0Bzyzy0FyDtCzzyDtN0D0TzutBtDtCtBtDyCtCtC&cr=775541920
        FF - user.js: extensions.funmoods.dfltSrch - false
        FF - user.js: extensions.funmoods.srchPrvdr - Search
        FF - user.js: extensions.funmoods.dnsErr - true
        FF - user.js: extensions.funmoods_i.newTab - false
        FF - user.js: extensions.funmoods.newTabUrl - hxxp://start.funmoods.com/?f=2&a=adknlg&chnl=adknlg&cd=2XzutAtN2Y1L1QzutDtDtByEtC0DtCtD0Bzyzy0FyDtCzzyDtN0D0TzutBtDtCtBtDyCtCtC&cr=775541920
        FF - user.js: extensions.funmoods.tlbrSrchUrl - 
        FF - user.js: extensions.funmoods.id - 5e8d518500000000000000241d10b99d
        FF - user.js: extensions.funmoods.instlDay - 15502
        FF - user.js: extensions.funmoods.vrsn - 1.5.23.22
        FF - user.js: extensions.funmoods.vrsni - 1.5.23.22
        FF - user.js: extensions.funmoods_i.vrsnTs - 1.5.23.2217:55
        FF - user.js: extensions.funmoods.prtnrId - funmoods
        FF - user.js: extensions.funmoods.prdct - funmoods
        FF - user.js: extensions.funmoods.aflt - adknlg
        FF - user.js: extensions.funmoods_i.smplGrp - none
        FF - user.js: extensions.funmoods.tlbrId - base
        FF - user.js: extensions.funmoods.instlRef - adknlg
        FF - user.js: extensions.funmoods.dfltLng - 
        FF - user.js: extensions.funmoods.excTlbr - false
        FF - user.js: extensions.funmoods.autoRvrt - false
        FF - user.js: extensions.funmoods.envrmnt - production
        FF - user.js: extensions.funmoods.isdcmntcmplt - true
        FF - user.js: extensions.funmoods.mntrvrsn - 1.3.0
      • Save this as "CFScript.txt" (including the quotation marks), change the "Save as type" to "All Files" and save it to your desktop.
      • Close any open browsers.
      • Disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Referring to the picture below, drag CFScript.txt into ComboFix.exe

      [picture not reproduced in this copy]

      • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
      • Once the log is produced, re-engage your resident anti-virus.
      • Note: When ComboFix finishes running, the ComboFix log will open along with a message box - do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
      • Ensure you are connected to the internet and click OK on the message box.


    2. Junkware Removal Tool

      Please download Junkware Removal Tool to your desktop.

      • Shut down your antivirus to avoid any conflicts.
      • Right-click JRT.exe and select Run as administrator
      • The tool will open and start scanning your system.
      • Please be patient as this can take a while to complete.
      • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
      • Post the contents of JRT.txt into your next message.


      Please post the ComboFix log and the Junkware Removal Tool log in your next reply.
    Proud Graduate of the WTT Classroom

  10. #10
    Junior Member
    Join Date
    Nov 2012
    Posts
    20

    Default

    ComboFix 12-12-17.02 - Triode 12/17/2012 7:35.2.8 - x64
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.6141.4739 [GMT -7:00]
    Running from: c:\users\Triode\Desktop\ComboFix.exe
    Command switches used :: c:\users\Triode\Desktop\CFScript.txt
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\Microsoft\Windows\DRM\4F3A.tmp.dat
    c:\programdata\Microsoft\Windows\DRM\A517.tmp.dat
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-11-17 to 2012-12-17 )))))))))))))))))))))))))))))))
    .
    .
    2012-12-17 14:40 . 2012-12-17 14:40 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-12-16 18:13 . 2012-12-16 18:12 289768 ----a-w- c:\windows\system32\javaws.exe
    2012-12-16 18:12 . 2012-12-16 18:12 108008 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll
    2012-12-16 18:12 . 2012-12-16 18:12 189416 ----a-w- c:\windows\system32\javaw.exe
    2012-12-16 18:12 . 2012-12-16 18:12 188904 ----a-w- c:\windows\system32\java.exe
    2012-12-16 18:12 . 2012-12-16 18:12 -------- d-----w- c:\program files\Java
    2012-12-16 17:56 . 2012-12-16 17:56 -------- d-----w- c:\windows\system32\appmgmt
    2012-12-14 14:27 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{16DF9805-9F86-49D5-82B5-F8DE5811E5FA}\mpengine.dll
    2012-12-12 14:26 . 2012-11-05 21:35 46080 ----a-w- c:\windows\system32\atmlib.dll
    2012-12-12 14:26 . 2012-11-05 20:41 367616 ----a-w- c:\windows\system32\atmfd.dll
    2012-12-12 14:26 . 2012-11-05 20:32 295424 ----a-w- c:\windows\SysWow64\atmfd.dll
    2012-12-12 14:26 . 2012-11-05 20:32 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
    2012-12-12 14:26 . 2012-11-22 03:26 3149824 ----a-w- c:\windows\system32\win32k.sys
    2012-12-12 14:26 . 2012-11-02 05:59 478208 ----a-w- c:\windows\system32\dpnet.dll
    2012-12-12 14:26 . 2012-11-02 05:11 376832 ----a-w- c:\windows\SysWow64\dpnet.dll
    2012-11-29 05:12 . 2012-11-29 05:12 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-11-27 04:12 . 2012-11-27 04:12 -------- d-----w- c:\program files (x86)\ERUNT
    2012-11-27 03:33 . 2012-11-27 03:33 -------- d-----w- c:\users\Triode\AppData\Roaming\Malwarebytes
    2012-11-27 03:32 . 2012-11-27 03:32 -------- d-----w- c:\programdata\Malwarebytes
    2012-11-27 03:32 . 2012-11-27 03:32 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-11-27 03:32 . 2012-09-30 02:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-11-18 06:06 . 2012-11-18 06:06 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin7.dll
    2012-11-18 06:06 . 2012-11-18 06:06 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin6.dll
    2012-11-18 06:06 . 2012-11-18 06:06 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
    2012-11-18 06:06 . 2012-11-18 06:06 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
    2012-11-18 06:06 . 2012-11-18 06:06 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
    2012-11-18 06:06 . 2012-11-18 06:06 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
    2012-11-18 06:06 . 2012-11-18 06:06 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin.dll
    2012-11-18 06:06 . 2012-11-18 06:06 -------- d-----w- c:\program files (x86)\QuickTime
    2012-11-18 06:04 . 2012-08-21 20:01 33240 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2012-11-18 06:04 . 2012-11-18 06:04 -------- d-----w- c:\program files\iPod
    2012-11-18 06:04 . 2012-11-18 06:04 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69
    2012-11-18 06:04 . 2012-11-18 06:04 -------- d-----w- c:\program files\iTunes
    2012-11-18 06:04 . 2012-11-18 06:04 -------- d-----w- c:\program files (x86)\iTunes
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-12-16 18:12 . 2012-08-15 19:42 916456 ----a-w- c:\windows\system32\deployJava1.dll
    2012-12-16 18:12 . 2012-08-15 19:42 1034216 ----a-w- c:\windows\system32\npDeployJava1.dll
    2012-12-12 14:29 . 2011-07-23 21:59 67413224 ----a-w- c:\windows\system32\MRT.exe
    2012-12-12 05:20 . 2012-07-23 03:10 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-12-12 05:20 . 2012-07-23 03:10 697272 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-10-30 23:51 . 2011-07-23 22:17 59728 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-10-30 23:51 . 2011-07-23 22:18 370288 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-10-30 23:51 . 2011-07-23 22:17 984144 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-10-30 23:51 . 2011-07-23 22:17 71600 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2012-10-30 23:51 . 2011-07-23 22:18 25232 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-10-30 23:51 . 2011-07-23 22:17 41224 ----a-w- c:\windows\avastSS.scr
    2012-10-30 23:50 . 2011-07-23 22:17 227648 ----a-w- c:\windows\SysWow64\aswBoot.exe
    2012-10-30 23:50 . 2011-07-23 22:17 285328 ----a-w- c:\windows\system32\aswBoot.exe
    2012-10-25 10:12 . 2012-10-25 10:12 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
    2012-10-25 10:12 . 2012-10-25 10:12 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
    2012-10-16 08:38 . 2012-11-28 14:11 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll
    2012-10-16 08:38 . 2012-11-28 14:11 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll
    2012-10-16 07:39 . 2012-11-28 14:11 561664 ----a-w- c:\windows\apppatch\AcLayers.dll
    2012-10-15 16:59 . 2012-08-15 22:04 54072 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
    2012-10-09 18:17 . 2012-11-14 14:16 55296 ----a-w- c:\windows\system32\dhcpcsvc6.dll
    2012-10-09 18:17 . 2012-11-14 14:16 226816 ----a-w- c:\windows\system32\dhcpcore6.dll
    2012-10-09 17:40 . 2012-11-14 14:16 44032 ----a-w- c:\windows\SysWow64\dhcpcsvc6.dll
    2012-10-09 17:40 . 2012-11-14 14:16 193536 ----a-w- c:\windows\SysWow64\dhcpcore6.dll
    2012-10-04 16:40 . 2012-12-12 14:27 44032 ----a-w- c:\windows\apppatch\acwow64.dll
    2012-10-03 17:56 . 2012-11-14 14:16 1914248 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2012-10-03 17:44 . 2012-11-14 14:16 303104 ----a-w- c:\windows\system32\nlasvc.dll
    2012-10-03 17:44 . 2012-11-14 14:16 70656 ----a-w- c:\windows\system32\nlaapi.dll
    2012-10-03 17:44 . 2012-11-14 14:16 246272 ----a-w- c:\windows\system32\netcorehc.dll
    2012-10-03 17:44 . 2012-11-14 14:16 18944 ----a-w- c:\windows\system32\netevent.dll
    2012-10-03 17:44 . 2012-11-14 14:16 216576 ----a-w- c:\windows\system32\ncsi.dll
    2012-10-03 17:42 . 2012-11-14 14:16 569344 ----a-w- c:\windows\system32\iphlpsvc.dll
    2012-10-03 16:42 . 2012-11-14 14:16 175104 ----a-w- c:\windows\SysWow64\netcorehc.dll
    2012-10-03 16:42 . 2012-11-14 14:16 18944 ----a-w- c:\windows\SysWow64\netevent.dll
    2012-10-03 16:42 . 2012-11-14 14:16 156672 ----a-w- c:\windows\SysWow64\ncsi.dll
    2012-10-03 16:07 . 2012-11-14 14:16 45568 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
    2012-09-25 22:47 . 2012-11-14 14:16 78336 ----a-w- c:\windows\SysWow64\synceng.dll
    2012-09-25 22:46 . 2012-11-14 14:16 95744 ----a-w- c:\windows\system32\synceng.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "DeathAdder"="c:\program files (x86)\Razer\DeathAdder\razerhid.exe" [2011-02-19 248320]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-08-06 642216]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    R0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys [x]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-07-23 1255736]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2011-11-30 279616]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-07-28 239616]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-10-30 71600]
    S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2012-05-14 96896]
    S3 danewFltr;NewDeathAdder Mouse;c:\windows\system32\drivers\danew.sys [2010-03-23 12032]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-08-20 239616]
    S3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-07-09 52736]
    S3 VKbms;Virtual HID Minidriver;c:\windows\system32\DRIVERS\VKbms.sys [2010-10-01 13312]
    .
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2010-08-16 20:43 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-12-17 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-23 05:20]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-10-30 23:50 133400 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-09-22 8116256]
    "CmPCIaudio"="c:\windows\Syswow64\CMICNFG3.cpl" [2008-04-17 6914048]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\users\Triode\AppData\Roaming\Mozilla\Firefox\Profiles\xy2e13bl.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    user_pref('extensions.autoDisableScopes', 0);user_pref('security.csp.enable', false);user_pref('security.OCSP.enabled', 0);
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{9194649F-7143-4308-90C1-D6A35B0E354E} - (no file)
    AddRemove-PunkBusterSvc - c:\windows\system32\pbsvc_bc2.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
    @Allowed: (B 1 4 5 6) (S-1-5-5-0-162404)
    @="?????????????????? v1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
    @="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
    @Allowed: (B 1 4 5 6) (S-1-5-5-0-162404)
    @="?????????????????? v2"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
    @="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\windows\SysWOW64\PnkBstrA.exe
    .
    **************************************************************************
    .
    Completion time: 2012-12-17 07:45:41 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-12-17 14:45
    ComboFix2.txt 2012-12-16 21:20
    .
    Pre-Run: 288,192,647,168 bytes free
    Post-Run: 287,865,815,040 bytes free
    .
    - - End Of File - - 15AE6BCE4FCA792218EF31156762D74F
    Upload was successful



    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Junkware Removal Tool (JRT) by Thisisu
    Version: 4.1.7 (12.16.2012:1)
    OS: Windows 7 Professional x64
    Ran by Triode on Mon 12/17/2012 at 18:26:15.35
    Blog: http://thisisudax.blogspot.com
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




    ~~~ Services



    ~~~ Registry Values



    ~~~ Registry Keys

    Successfully deleted: [Registry Key] hkey_local_machine\software\classes\appid\escort.dll
    Successfully deleted: [Registry Key] hkey_local_machine\software\classes\appid\escortapp.dll
    Successfully deleted: [Registry Key] hkey_local_machine\software\classes\appid\escorteng.dll
    Successfully deleted: [Registry Key] hkey_local_machine\software\classes\appid\escortlbr.dll



    ~~~ Files



    ~~~ Folders



    ~~~ FireFox

    Successfully deleted: [File] C:\Users\Triode\AppData\Roaming\mozilla\firefox\profiles\xy2e13bl.default\user.js
    Successfully deleted the following from C:\Users\Triode\AppData\Roaming\mozilla\firefox\profiles\xy2e13bl.default\prefs.js

    user_pref("extensions.funmoods.cntry", "US");
    user_pref("extensions.funmoods.hdrMd5", "3F8C4EF3A557274AA5CA857727C5D35F");
    user_pref("extensions.funmoods.lastVrsnTs", "1.5.23.2217:55:58");
    user_pref("extensions.funmoods.newTab", false);
    user_pref("extensions.funmoods.sg", "none");
    user_pref("extensions.funmoods.smplGrp", "none");
    user_pref("extensions.funmoods.vrsnTs", "1.5.23.2217:55:58");
    user_pref("extensions.wrc.SearchRules.baidu.com.style", ".WRCN {display:none} .result .f .WRCN {display:inline !important; background: url(\"IMAGE\") right no-repeat}");
    user_pref("extensions.wrc.SearchRules.baidu.com.url", "^http\\:\\/\\/www\\.baidu\\.com\\/.*");
    user_pref("extensions.wrc.SearchRules.excite.com.style", ".WRCN {display:none} .searchResult .resultTitlePane .WRCN {display:inline !important; background: url(\"IMAGE\") righ
    user_pref("extensions.wrc.SearchRules.excite.com.url", "^http\\:\\/\\/msxml\\.excite\\.com\\/search\\/.*");



    ~~~ Event Viewer Logs were cleared





    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Scan was completed on Mon 12/17/2012 at 18:31:20.04
    End of JRT log
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
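Added example, not part of the thread and not code from the helper, ComboFix or JRT. The CFScript above lists the extensions.funmoods.* user.js entries ComboFix was to strip, the JRT log shows the same family plus the extensions.wrc.* search-rule prefs being deleted from prefs.js, and the ComboFix Supplementary Scan shows three user_pref lines setting extensions.autoDisableScopes to 0, security.csp.enable to false and security.OCSP.enabled to 0, which lets sideloaded add-ons enable themselves without a prompt and turns off CSP enforcement and OCSP revocation checks. The Python below parses the Firefox user_pref() file format, flags prefs under known adware namespaces and those three downgrades, and removes the flagged statements so the built-in defaults apply again. The adware prefix list, the downgrade table and the sample file contents are constructed for illustration; the prefix list is an assumption to extend for other adware families.

```python
"""Audit a Firefox prefs.js / user.js for adware hooks and security downgrades.

Constructed example. The pref names flagged are the ones quoted in the
thread's ComboFix and JRT logs; the prefix list and the downgrade table
are assumptions to extend for other adware families.
"""
import re

# One statement: user_pref("name", value);  The value is a JS string literal
# (backslash escapes allowed), a bare integer, or true/false. finditer() is
# used so several statements crammed onto one line are all picked up.
PREF_RE = re.compile(
    r"""user_pref\(\s*
        (?P<q>["'])(?P<name>[^"']+)(?P=q)\s*,\s*
        (?P<value>"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|true|false|-?\d+)
        \s*\)\s*;""",
    re.VERBOSE,
)

# Any pref under these namespaces belongs to a foreign add-on (assumed list).
ADWARE_PREFIXES = ("extensions.funmoods", "extensions.wrc.")

# Prefs that weaken the browser when set to these values. prefs.js only
# stores non-default values, so their mere presence is already suspicious.
DOWNGRADES = {
    "security.csp.enable": lambda v: v is False,   # CSP enforcement off
    "security.OCSP.enabled": lambda v: v == 0,      # no revocation checking
    # default 15 = every install scope auto-disabled; 0 = sideloads enable silently
    "extensions.autoDisableScopes": lambda v: type(v) is int and v != 15,
}


def _coerce(raw):
    """Turn the matched JS literal into a Python value."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if raw[0] in "\"'":
        # undo backslash escapes (\" and \\ are the ones Firefox writes)
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    return int(raw)


def parse_prefs(text):
    """Return {name: value} for every user_pref() statement in text."""
    return {m.group("name"): _coerce(m.group("value")) for m in PREF_RE.finditer(text)}


def audit(prefs):
    """Return (category, name, value) for every adware or downgrade pref."""
    findings = []
    for name, value in prefs.items():
        if name.startswith(ADWARE_PREFIXES):
            findings.append(("adware", name, value))
        elif name in DOWNGRADES and DOWNGRADES[name](value):
            findings.append(("downgrade", name, value))
    return findings


def scrub(text, findings):
    """Delete the flagged statements and return (cleaned_text, removed).
    Removing a statement, rather than rewriting its value, lets Firefox fall
    back to its built-in default, which is what JRT did to prefs.js above."""
    flagged = {name for _, name, _ in findings}
    removed = []

    def repl(m):
        if m.group("name") in flagged:
            removed.append(m.group(0))
            return ""
        return m.group(0)

    cleaned = PREF_RE.sub(repl, text)
    cleaned = "\n".join(line for line in cleaned.splitlines() if line.strip())
    return cleaned + "\n", removed


# Constructed sample modelled on the prefs quoted in the thread; not the
# real file. Note the three statements on one line, as in the ComboFix log.
SAMPLE_PREFS_JS = r'''# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.google.com/");
user_pref("extensions.funmoods.cntry", "US");
user_pref("extensions.funmoods.hdrMd5", "3F8C4EF3A557274AA5CA857727C5D35F");
user_pref("extensions.funmoods_i.newTab", false);
user_pref("extensions.wrc.SearchRules.baidu.com.url", "^http\\:\\/\\/www\\.baidu\\.com\\/.*");
user_pref("extensions.wrc.SearchRules.excite.com.style", ".WRCN {display:none} .WRCN {background: url(\"IMAGE\") right no-repeat}");
user_pref('extensions.autoDisableScopes', 0);user_pref('security.csp.enable', false);user_pref('security.OCSP.enabled', 0);
user_pref("network.cookie.cookieBehavior", 1);
'''

if __name__ == "__main__":
    found = audit(parse_prefs(SAMPLE_PREFS_JS))
    for category, name, value in found:
        print(f"{category:9} {name} = {value!r}")
    cleaned, removed = scrub(SAMPLE_PREFS_JS, found)
    print(f"removed {len(removed)} statements; cleaned file:\n{cleaned}")
```

Run it against a copy of the profile's prefs.js and user.js with Firefox closed, since Firefox rewrites prefs.js on exit and would undo a live edit; and keep in mind that a user.js re-applies its contents on every start, so the JRT step of deleting the whole user.js is the right call when the file was not written by the user.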
