Page 1 of 4 1234 LastLast
Results 1 to 10 of 39

Thread: Infected by malware

  1. #1
    Junior Member
    Join Date
    Mar 2013
    Posts
    22

    Default Infected by malware

    On every site i enter a frame (iframe) with ad is injected in my browser. The frame is in every browser (IE, FF, CHROME) and it is placed in the bottom-left corner of each page. I have had this infection for 3 months




    DDS LOG:

    DDS (Ver_2012-11-20.01) - NTFS_AMD64
    Internet Explorer: 8.0.7601.17514
    Run by dperezfadon at 14:36:48 on 2013-03-08
    Microsoft Windows 7 Enterprise 6.1.7601.1.1252.34.3082.18.8142.5288 [GMT 1:00]
    .
    AV: Antivirus de Trend Micro OfficeScan *Enabled/Updated* {7193B549-236F-55EE-9AEC-F65279E59A92}
    SP: Antispyware de Trend Micro OfficeScan *Enabled/Updated* {CAF254AD-0555-5A60-A05C-CD200262D02F}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Program Files\IDT\WDM\STacSV64.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\Hpservice.exe
    C:\Windows\system32\vcsFPService.exe
    C:\Windows\system32\atieclxx.exe
    C:\Windows\SYSTEM32\WISPTIS.EXE
    C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\System32\svchost.exe -k NetworkService
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Program Files\IDT\WDM\AESTSr64.exe
    C:\Program Files\LSI SoftModem\agr64svc.exe
    C:\Bluetooth Software\btwdins.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files (x86)\Juniper Networks\Common Files\dsNcService.exe
    C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
    C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe
    C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\Program Files (x86)\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\Program Files (x86)\SAP\SAPsetup\setup\Updater\NwSapAutoWorkstationUpdateService.exe
    C:\Windows\system32\svchost.exe -k regsvc
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\system32\Wacom_Tablet.exe
    C:\Windows\SysWow64\ArcVCapRender\uArcCapture.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Windows\SysWOW64\CCM\CcmExec.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Windows\sysWOW64\wbem\wmiprvse.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\SYSTEM32\WISPTIS.EXE
    C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
    C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\WTablet\Wacom_TabletUser.exe
    C:\Windows\system32\Wacom_Tablet.exe
    C:\Program Files\IDT\WDM\sttray64.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Windows\System32\aetcrss1.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\Program Files (x86)\PrintScreen\PrintScreen.exe
    C:\Windows\splwow64.exe
    C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
    C:\Program Files (x86)\Nokia\Nokia PC Suite 7\PCSuite.exe
    C:\Program Files (x86)\Samsung\Kies\Kies.exe
    C:\Bluetooth Software\BTTray.exe
    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
    C:\Program Files (x86)\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
    C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe
    C:\Program Files (x86)\SAP\SapSetup\setup\Updater\NwSapSetupUserNotificationTool.exe
    C:\Program Files (x86)\Trend Micro\OfficeScan Client\PccNTMon.exe
    C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
    C:\Program Files (x86)\Hewlett-Packard\OrderReminder\OrderReminder.exe
    C:\Program Files (x86)\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
    C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe
    C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
    C:\Users\dperezfadon\AppData\Roaming\Dropbox\bin\Dropbox.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe
    C:\Windows\SysWOW64\RunDll32.exe
    C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files (x86)\PC Connectivity Solution\Transports\NclUSBSrv64.exe
    C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
    C:\Windows\sysWOW64\wbem\wmiprvse.exe
    C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpConnectionManager.exe
    C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe
    C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
    C:\Program Files (x86)\Hewlett-Packard\Shared\hpCaslNotification.exe
    C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
    C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
    C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
    C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe
    C:\Windows\system32\taskhost.exe
    C:\Program Files (x86)\Microsoft Lync\communicator.exe
    C:\Program Files (x86)\Microsoft Lync\UcMapi.exe
    C:\xampp\xampp-control.exe
    C:\xampp\apache\bin\httpd.exe
    C:\xampp\apache\bin\httpd.exe
    C:\Program Files (x86)\EditPlus 3\editplus.exe
    C:\Users\dperezfadon\AppData\Roaming\Juniper Networks\Host Checker\dsHostChecker.exe
    C:\Program Files (x86)\Juniper Networks\Network Connect 7.3.1\dsNetworkConnect.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe
    C:\Users\dperezfadon\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\dperezfadon\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\dperezfadon\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Windows\System32\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = www.google.com
    uSearch Bar = Preserve
    mStart Page = www.google.com
    uProxyServer = proxy.indra.es:8080
    uProxyOverride = *indra.es;*.indrabmb.es;*.indra.es;10.*;172.*;192.168.*;ux.ssrl-mov;ux.ssrl-mov-cliente;ux.ssrl-pantallas;<local>
    mWinlogon: Userinit = userinit.exe
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Lync\OCHelper.dll
    BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHelper.dll
    BHO: dynaTrace AJAX Edition Agent: {54CCF170-0056-48d1-B959-055C5B98DC88} - C:\Program Files (x86)\dynaTrace AJAX Edition 4.0\client\lib\dtieagent.dll
    BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
    BHO: Aplicación auxiliar de inicio de sesión de Windows Live ID: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: IE Developer Toolbar BHO: {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files (x86)\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
    BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - <orphaned>
    TB: dynaTrace AJAX Edition Toolbar: {42EC68EF-4494-4041-9993-A5789BF7750B} - C:\Program Files (x86)\dynaTrace AJAX Edition 4.0\client\lib\dtieagent.dll
    EB: Developer Tools: {1A6FE369-F28C-4AD9-A3E6-2BCB50807CF1} - C:\Program Files (x86)\Internet Explorer\iedvtool.dll
    EB: IE Developer Toolbar: {A202B231-EF71-4a08-BDB9-4CE5AE8BDE0A} - C:\Program Files (x86)\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
    uRun: [Gadwin PrintScreen] C:\Program Files (x86)\PrintScreen\PrintScreen.exe /nosplash
    uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
    uRun: [AdobeBridge] <no file>
    mRun: [HPConnectionManager] C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe
    mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
    mRun: [IMSS] "C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe"
    mRun: [NUSB3MON] "C:\Program Files (x86)\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
    mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup
    mRun: [QLBController] C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe /start
    mRun: [SAP_WUS_UNT] "C:\Program Files (x86)\SAP\SAPsetup\setup\Updater\NwSapSetupUserNotificationTool.exe"
    mRun: [Supervisor de OfficeScanNT] "C:\Program Files (x86)\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
    mRun: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
    mRun: [OrderReminder] C:\Program Files (x86)\Hewlett-Packard\OrderReminder\OrderReminder.exe
    mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    mRun: [Cisco AnyConnect Secure Mobility Agent for Windows] "C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" -minimized
    mRun: [AdobeCS6ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin
    mRun: [HTC Sync Loader] "C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe" -startup
    mRun: [KiesTrayAgent] C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
    mRun: [Communicator] "C:\Program Files (x86)\Microsoft Lync\communicator.exe" /fromrunkey
    mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
    StartupFolder: C:\Users\DPEREZ~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\dperezfadon\AppData\Roaming\Dropbox\bin\Dropbox.exe
    StartupFolder: C:\Users\DPEREZ~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\RECORT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Bluetooth Software\BTTray.exe
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    mPolicies-Explorer: NoActiveDesktop = dword:1
    mPolicies-Explorer: NoActiveDesktopChanges = dword:1
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableLUA = dword:0
    mPolicies-System: EnableUIADesktopToggle = dword:0
    mPolicies-System: PromptOnSecureDesktop = dword:0
    mPolicies-Windows\System: UseOemBackground = dword:1
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
    IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Lync\OCHelper.dll
    IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
    IE: {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - {CC962137-2E78-4F94-975E-FC0C07DBD78F} - C:\Program Files (x86)\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Bluetooth Software\btsendto_ie.htm
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHelper.dll
    .
    INFO: HKCU has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    .
    INFO: HKLM has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://madansantvir01.indra.es:4343/officescan/console/html/ClientInstall/WinNTChk.cab
    DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} - hxxps://madansantvir01.indra.es:4343/officescan/console/html/ClientInstall/setupini.cab
    DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxps://madansantvir01.indra.es:4343/officescan/console/html/ClientInstall/setup.cab
    DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} - hxxps://madansantvir01.indra.es:4343/officescan/console/html/root/AtxEnc.cab
    DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://194.140.78.1/CACHE/webvpn/stc/1/binaries/vpnweb.cab
    DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} - hxxps://madansantvir01.indra.es:4343/officescan/console/html/ClientInstall/RemoveCtrl.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://miproyecto.indra.es/dana-cached/sc/JuniperSetupClient.cab
    TCP: NameServer = 172.22.204.219 172.22.204.220
    TCP: Interfaces\{1D41A6DC-2C14-4E37-9243-12EE66732604} : DHCPNameServer = 80.58.61.250 80.58.61.254
    TCP: Interfaces\{36C3762B-C596-4FCF-8757-51A5C8236527} : DHCPNameServer = 172.22.204.219 172.22.204.220
    TCP: Interfaces\{8D862ABB-E784-4AB3-ADDD-7C46F788C188} : DHCPNameServer = 192.168.10.2 192.168.10.1
    Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
    Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
    Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
    Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
    Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
    Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
    Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
    Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
    Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
    Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
    Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
    Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
    Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
    Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
    Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
    Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
    Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files (x86)\SAP\FrontEnd\SAPgui\SAPHTMLP.DLL
    Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files (x86)\SAP\FrontEnd\SAPgui\SAPHTMLP.DLL
    Notify: SDWinLogon - SDWinLogon.dll
    SSODL: WebCheck - <orphaned>
    SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
    mASetup: aetsprov - C:\Windows\SysWOW64\regsvr32.exe /s C:\Windows\SysWOW64\aetsprov.dll
    x64-mStart Page = www.google.com
    x64-BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
    x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    x64-BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
    x64-Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe
    x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
    x64-Run: [CertificateRegistration] aetcrss1.exe
    x64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
    x64-IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Bluetooth Software\btsendto_ie.htm
    .
    INFO: x64-HKLM has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    x64-DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/_layouts/ClientBin/ieawsdc64.cab
    x64-DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    x64-DPF: {AA570693-00E2-4907-B6F1-60A1199B030C} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient64.cab
    x64-DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    x64-Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
    x64-Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
    x64-Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
    x64-Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
    x64-Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
    x64-Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
    x64-Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
    x64-Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
    x64-Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
    x64-Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
    x64-Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
    x64-Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
    x64-Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
    x64-Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
    x64-Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
    x64-Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
    x64-Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - <orphaned>
    x64-Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - <orphaned>
    x64-Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - <orphaned>
    x64-SSODL: WebCheck - <orphaned>
    Hosts: 127.0.0.1 www.spywareinfo.com
    Hosts: 149.5.18.172 www.google-analytics.com.
    Hosts: 149.5.18.172 ad-emea.doubleclick.net.
    Hosts: 149.5.18.172 www.statcounter.com.
    Hosts: 108.163.215.51 www.google-analytics.com.
    .
    Note: multiple HOSTS entries found. Please refer to Attach.txt
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\dperezfadon\AppData\Roaming\Mozilla\Firefox\Profiles\zmdxyoi7.default\
    FF - prefs.js: browser.search.defaulturl - www.Google.com
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://google.com
    FF - prefs.js: keyword.URL - hxxps://www.google.com/search?q=
    FF - prefs.js: network.proxy.ftp - proxy.indra.es
    FF - prefs.js: network.proxy.ftp_port - 8080
    FF - prefs.js: network.proxy.http - proxy.indra.es
    FF - prefs.js: network.proxy.http_port - 8080
    FF - prefs.js: network.proxy.socks - proxy.indra.es
    FF - prefs.js: network.proxy.socks_port - 8080
    FF - prefs.js: network.proxy.ssl - proxy.indra.es
    FF - prefs.js: network.proxy.ssl_port - 8080
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
    FF - plugin: C:\Program Files (x86)\Foxit Reader\plugins\npFoxitReaderPlugin.dll
    FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.0.50826.0\npctrlui.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npMeetingJoinPluginOC.dll
    FF - plugin: C:\Users\dperezfadon\AppData\Local\Google\Update\1.3.21.135\npGoogleUpdate3.dll
    FF - plugin: C:\Users\dperezfadon\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
    FF - ExtSQL: 2013-02-26 09:08; aeffagent@dynatrace.com; C:\Program Files (x86)\dynaTrace AJAX Edition 4.0\client\lib\aeffagent@dynatrace.com
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 ctxusbm;Citrix USB Monitor Driver;C:\Windows\System32\drivers\ctxusbm.sys [2010-7-14 87600]
    R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\System32\drivers\dtsoftbus01.sys [2011-11-16 270912]
    R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2011-7-4 89600]
    R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2011-7-4 203776]
    R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-3-28 94264]
    R2 hpHotkeyMonitor;hpHotkeyMonitor;C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe [2011-1-28 281656]
    R2 hpsrv;HP Service;C:\Windows\System32\hpservice.exe [2011-1-26 30520]
    R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-7-4 13336]
    R2 NWSAPAutoWorkstationUpdateSvc;SAPSetup Automatic Workstation Update Service;C:\Program Files (x86)\SAP\SapSetup\setup\Updater\NwSapAutoWorkstationUpdateService.exe [2011-7-12 251248]
    R2 SDScannerService;Spybot-S&D 2 Scanner Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [2013-3-8 1103392]
    R2 SDUpdateService;Spybot-S&D 2 Updating Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2013-3-8 1369624]
    R2 SDWSCService;Spybot-S&D 2 Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [2013-3-8 168384]
    R2 TabletServiceWacom;TabletServiceWacom;C:\Windows\System32\Wacom_Tablet.exe [2012-1-9 3580712]
    R2 tmevtmgr;tmevtmgr;C:\Windows\System32\drivers\tmevtmgr.sys [2012-10-10 65872]
    R2 TmFilter;Trend Micro Filter;C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmxpflt.sys [2011-7-12 344376]
    R2 TmPreFilter;Trend Micro PreFilter;C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmpreflt.sys [2011-7-12 42808]
    R2 uArcCapture;ArcCapture;C:\Windows\SysWOW64\ArcVCapRender\uArcCapture.exe [2011-7-5 502464]
    R2 UNS;Intel(R) Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-7-5 2656280]
    R2 vcsFPService;Validity VCS Fingerprint Service;C:\Windows\System32\vcsFPService.exe [2011-1-21 3154224]
    R2 vpnagent;Cisco AnyConnect Secure Mobility Agent;C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe [2011-5-23 465872]
    R3 ARCVCAM;ARCVCAM, ArcSoft Webcam Sharing Manager Driver;C:\Windows\System32\drivers\ArcSoftVCapture.sys [2011-7-5 32192]
    R3 GKUPRO2D;GKUPRO2D;C:\Windows\System32\drivers\GKUPRO2D.sys [2005-2-18 120704]
    R3 hpCMSrv;HP Connection Manager 4 Service;C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe [2011-4-5 1094712]
    R3 JMCR;JMCR;C:\Windows\System32\drivers\jmcr.sys [2011-7-4 174168]
    R3 johci;JMicron 1394 Filter Driver;C:\Windows\System32\drivers\johci.sys [2011-7-4 26712]
    R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2010-12-10 80384]
    R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2010-12-10 181248]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S2 OpenSSHd;OpenSSH Server;C:\Program Files (x86)\OpenSSH\bin\cygrunsrv.exe [2004-4-18 36864]
    S3 acsock;acsock;C:\Windows\System32\drivers\acsock64.sys [2011-5-23 94864]
    S3 btwampfl;Bluetooth AMP USB Filter;C:\Windows\System32\drivers\btwampfl.sys [2011-7-4 344616]
    S3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\System32\drivers\btwl2cap.sys [2011-7-4 39464]
    S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);C:\Windows\System32\drivers\ssudbus.sys [2012-7-30 102240]
    S3 HTCAND64;HTC Device Driver;C:\Windows\System32\drivers\ANDROIDUSB.sys [2009-11-1 33736]
    S3 nmwcdnsux64;Nokia USB Flashing Phone Parent;C:\Windows\System32\drivers\nmwcdnsux64.sys [2012-1-9 171008]
    S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2011-7-5 20992]
    S3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);C:\Windows\System32\drivers\ssudmdm.sys [2012-7-30 203104]
    S3 StorSvc;Servicio de almacenamiento;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 27136]
    S3 SwitchBoard;SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
    S3 TmProxy;OfficeScan NT Proxy Service;C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe [2013-2-12 918064]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-7-5 59392]
    S3 wacmoumonitor;Wacom Mode Helper;C:\Windows\System32\drivers\wacmoumonitor.sys [2012-1-9 18216]
    S3 WatAdminSvc;Servicio de tecnologías de activación de Windows;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-7-5 1255736]
    .
    =============== File Associations ===============
    .
    FileExt: .txt: Applications\editplus.exe=C:\PROGRA~2\EDITPL~1\EDITPLUS.EXE "%1" [UserChoice]
    ShellExec: dreamweaver.exe: Open="C:\Program Files (x86)\Adobe\Adobe Dreamweaver CS6\dreamweaver.exe", "%1"
    .
    =============== Created Last 30 ================
    .
    2013-03-08 08:07:36 17272 ----a-w- C:\Windows\System32\sdnclean64.exe
    2013-03-08 08:07:32 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy 2
    2013-03-08 08:06:50 -------- d-----w- C:\Users\dperezfadon\AppData\Local\Programs
    2013-02-26 08:09:26 -------- d-----w- C:\Users\dperezfadon\.dynaTrace
    2013-02-26 08:08:28 -------- d-----w- C:\Program Files (x86)\dynaTrace AJAX Edition 4.0
    2013-02-15 14:08:20 5553512 ----a-w- C:\Windows\System32\ntoskrnl.exe
    2013-02-15 14:08:19 3967848 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
    2013-02-15 14:08:19 3913064 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
    2013-02-15 14:07:43 3153408 ----a-w- C:\Windows\System32\win32k.sys
    2013-02-15 14:03:52 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
    2013-02-15 14:03:52 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
    2013-02-15 14:03:52 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
    2013-02-15 14:03:52 215040 ----a-w- C:\Windows\System32\winsrv.dll
    2013-02-15 14:03:52 2048 ----a-w- C:\Windows\SysWow64\user.exe
    2013-02-15 14:03:52 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
    2013-02-15 14:03:48 288088 ----a-w- C:\Windows\System32\drivers\FWPKCLNT.SYS
    2013-02-15 14:03:48 1913192 ----a-w- C:\Windows\System32\drivers\tcpip.sys
    2013-02-15 14:03:43 760320 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll
    2013-02-15 14:03:43 1111040 ----a-w- C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll
    2013-02-07 09:34:48 -------- d-----w- C:\Program Files (x86)\Opera Mobile Emulator
    .
    ==================== Find3M ====================
    .
    2013-01-04 04:43:21 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
    2012-12-20 13:59:36 1188864 ----a-w- C:\Windows\System32\wininet.dll
    2012-12-20 12:53:51 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
    2012-12-20 12:02:26 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
    2012-12-20 11:20:29 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2012-12-16 17:11:22 46080 ----a-w- C:\Windows\System32\atmlib.dll
    2012-12-16 14:45:03 367616 ----a-w- C:\Windows\System32\atmfd.dll
    2012-12-16 14:13:28 295424 ----a-w- C:\Windows\SysWow64\atmfd.dll
    2012-12-16 14:13:20 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
    2010-01-26 09:11:08 444283 ----a-w- C:\Program Files (x86)\Common Files\WinPcapNmap.exe
    .
    ============= FINISH: 14:37:17,09 ===============








    aswMBR LOG :
    aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
    Run date: 2013-03-08 14:39:08
    -----------------------------
    14:39:08.065 OS Version: Windows x64 6.1.7601 Service Pack 1
    14:39:08.065 Number of processors: 4 586 0x2A07
    14:39:08.066 ComputerName: DPEREZFADONPW7 UserName: dperezfadon
    14:39:08.761 Initialize success
    14:42:10.745 AVAST engine defs: 13030800
    14:43:00.286 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
    14:43:00.288 Disk 0 Vendor: WDC_WD32 01.0 Size: 305245MB BusType: 3
    14:43:00.326 Disk 0 MBR read successfully
    14:43:00.332 Disk 0 MBR scan
    14:43:00.351 Disk 0 Windows 7 default MBR code
    14:43:00.356 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 101 MB offset 2048
    14:43:00.389 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 102900 MB offset 208896
    14:43:00.412 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 202242 MB offset 210948096
    14:43:00.447 Disk 0 scanning C:\Windows\system32\drivers
    14:43:13.411 Service scanning
    14:43:37.272 Service TmFilter C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmXPFlt.sys **LOCKED** 32
    14:43:37.453 Service TmPreFilter C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmPreFlt.sys **LOCKED** 32
    14:43:41.262 Service VSApiNt C:\Program Files (x86)\Trend Micro\OfficeScan Client\VSApiNt.sys **LOCKED** 32
    14:43:44.644 Modules scanning
    14:43:44.668 Disk 0 trace - called modules:
    14:43:44.688 ntoskrnl.exe CLASSPNP.SYS disk.sys hpdskflt.sys ACPI.sys iaStor.sys hal.dll
    14:43:44.696 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80096df060]
    14:43:44.702 3 CLASSPNP.SYS[fffff88001a6843f] -> nt!IofCallDriver -> [0xfffffa8007902890]
    14:43:44.709 5 hpdskflt.sys[fffff88001438361] -> nt!IofCallDriver -> [0xfffffa800777e800]
    14:43:44.719 7 ACPI.sys[fffff88000d627a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8007784050]
    14:43:45.226 AVAST engine scan C:\Windows
    14:43:48.951 AVAST engine scan C:\Windows\system32
    14:48:22.050 AVAST engine scan C:\Windows\system32\drivers
    14:48:49.023 AVAST engine scan C:\Users\dperezfadon
    14:50:37.590 Disk 0 MBR has been saved successfully to "D:\BIBLIOTECA\MALWARE_REMOVAL\MBR.dat"
    14:50:37.595 The log file has been saved successfully to "D:\BIBLIOTECA\MALWARE_REMOVAL\aswMBR.txt"

  2. #2
    Malware Team: Emeritus
    Join Date
    Oct 2012
    Posts
    246

    Default

    Hello and welcome to Safer-Networking

    I am currently assessing your situation and will be back with a fix for your problem as soon as possible.

    Please subscribe to this thread to get immediate notification of replies as soon as they are posted.

    To do this, click Thread Tools, then click Subscribe to this Thread. Under the Notification Type: title, make sure it is set to Instant notification by email, then click Add Subscription.

    Please be patient with me during this time.
    - Proud Graduate of WTT Classroom -

    - Member of UNITE -

  3. #3
    Junior Member
    Join Date
    Mar 2013
    Posts
    22

    Default

    Thanks!
    subscribed...

  4. #4
    Malware Team: Emeritus
    Join Date
    Oct 2012
    Posts
    246

    Default

    Hi and Welcome!! dperezfa

    My name is Robybel.

    I would be more than happy to take a look at your log and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:
    • I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
    • The fixes are specific to your problem and should only be used for the issues on this machine.
    • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
    • It's often worth reading through these instructions and printing them for ease of reference.
    • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
    • Please reply to this thread. Do not start a new topic.


    IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.
    DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your Operating System and losing all your programs and data.


    Vista and Windows 7 users:

    These tools MUST be run from the executable. (.exe) every time you run them
    with Admin Rights (Right click, choose "Run as Administrator")


    Stay with this topic until I give you the all clean post.

    Having said that....Let's get going!!

    ========================================



    P2P Programs:

    P2P programs are a major source of Malware infections.
    From your log I see you have uTorrent and jDownloader We do not pass judgment on file-sharing, however we must inform you that engaging in this activity and having this kind of software installed on your system will always make you more susceptible to Malware infections.
    The use of P2P programs may be contributing to your current situation, and you would certainly be doing yourself a favour by removing them.
    If you wish to keep the program(s), please do not use them until your computer is cleaned.

    Information regarding the risk of using these programs can be found from here and here




    ==========================


    AdwCleaner

    • Please download AdwCleaner by Xplode onto your desktop.
    • Close all open programs and internet browsers.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with Ok.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the content of that logfile with your next answer.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.


    ============ Next ==============


    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.


    On your next reply please post :
    • AdwCleaner log
    • JRT.txt

    Let me know if you have any problems in performing with the steps above or any questions you may have.

    Good Day!
    - Proud Graduate of WTT Classroom -

    - Member of UNITE -

  5. #5
    Junior Member
    Join Date
    Mar 2013
    Posts
    22

    Default

    Ok, thanks Robybel!!
    Gmail was treating Safer-Networking Forums mails as spam so i didnt know you reply ...

    i ran AdwCleaner and JRT. AdwCleaner log has been created in spanish (because i'm spanish and my computer language is set in spanish i suppose). I hope this does not bring you too much trouble.

    The ads frame at the bottom left in every browser are still there.



    ------------------------------------------------- AdwCleaner[S1].txt :

    # AdwCleaner v2.114 - Fichero creado el 14/03/2013 a 08:31:38
    # Actualizado el 05/03/2013 por Xplode
    # Sistema operativo : Windows 7 Enterprise Service Pack 1 (64 bits)
    # Usuario : dperezfadon - DPEREZFADONPW7
    # Modo de inicio : Normal
    # Ejecutado desde : D:\BIBLIOTECA\MALWARE_REMOVAL\adwcleaner.exe
    # Opción [Supresión]


    ***** [Servicios] *****


    ***** [Ficheros / Carpetas] *****

    Carpeta Suprimido : C:\Users\dperezfadon\AppData\Local\APN
    Fichero Suprimido : C:\Users\dperezfadon\AppData\Roaming\Mozilla\Firefox\Profiles\zmdxyoi7.default\searchplugins\Askcom.xml

    ***** [Registro] *****

    Clave Supprimida : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{00000000-6E41-4FD3-8538-502F5495E5FC}
    Clave Supprimida : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}
    Clave Supprimida : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6E41-4FD3-8538-502F5495E5FC}
    Clave Supprimida : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
    Clave Supprimida : HKLM\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}
    Clave Supprimida : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
    Clave Supprimida : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
    Clave Supprimida : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
    Clave Supprimida : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
    Valor Supprimida : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]

    ***** [Navegadores] *****

    -\\ Internet Explorer v8.0.7601.17514

    [OK] El registro no contiene ninguna entrada ilegítima.

    -\\ Mozilla Firefox v13.0.1 (es-ES)

    Fichero : C:\Users\dperezfadon\AppData\Roaming\Mozilla\Firefox\Profiles\zmdxyoi7.default\prefs.js

    [OK] El fichero no contiene ninguna entrada ilegítima.

    -\\ Google Chrome v25.0.1364.172

    Fichero : C:\Users\dperezfadon\AppData\Local\Google\Chrome\User Data\Default\Preferences

    [OK] El fichero no contiene ninguna entrada ilegítima.

    -\\ Opera v [Imposible obtener la versión]

    Fichero : C:\Users\dperezfadon\AppData\Roaming\Opera\Opera\operaprefs.ini

    [OK] El fichero no contiene ninguna entrada ilegítima.

    *************************

    AdwCleaner[R1].txt - [2516 octets] - [14/03/2013 08:31:05]
    AdwCleaner[S1].txt - [2472 octets] - [14/03/2013 08:31:38]

    ########## EOF - C:\AdwCleaner[S1].txt - [2532 octets] ##########






    ------------------------------------------------- JRT.txt :

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Junkware Removal Tool (JRT) by Thisisu
    Version: 4.7.1 (03.12.2013:1)
    OS: Windows 7 Enterprise x64
    Ran by dperezfadon on 14/03/2013 at 8:40:30,87
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




    ~~~ Services



    ~~~ Registry Values



    ~~~ Registry Keys



    ~~~ Files



    ~~~ Folders



    ~~~ Event Viewer Logs were cleared





    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Scan was completed on 14/03/2013 at 8:47:49,42
    End of JRT log
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  6. #6
    Malware Team: Emeritus
    Join Date
    Oct 2012
    Posts
    246

    Default

    Hi dperezfa

    Gmail was treating Safer-Networking Forums mails as spam so i didnt know you reply ...
    This is very strange if you have subscribed to this thread.

    Let me know if Gmai still treat Safer Networking as Spam

    i ran AdwCleaner and JRT. AdwCleaner log has been created in spanish (because i'm spanish and my computer language is set in spanish i suppose)
    Of course!!

    I hope this does not bring you too much trouble.
    Do not worry, I will work to adapt me to the situation

    The ads frame at the bottom left in every browser are still there.
    Still stay with me




    Download Security Check by screen317 from here or here.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


    ============ Next ==============



    • Download RogueKiller and save it to your desktop.
    • Quit all other programs
    • Start RogueKiller.exe
    • Wait until the Prescan has finished ...
    • Click on Scan
    • Wait for the end of the scan
    • A report will be created on your desktop.
    • Click on the Delete button
    • Next click on the ShortcutsFix
    • another report will be created on your desktop.


    Please post: All RKreport.txt text files located on your desktop.
    Last edited by Robybel; 2013-03-14 at 10:39.
    - Proud Graduate of WTT Classroom -

    - Member of UNITE -

  7. #7
    Junior Member
    Join Date
    Mar 2013
    Posts
    22

    Default

    Quote Originally Posted by Robybel View Post
    Of course!!
    --> lol


    -------------- checkup.txt :

    UNSUPPORTED OPERATING SYSTEM! ABORTED!





    ------------- RKreport[1]_S_03142013_02d1409.txt


    RogueKiller V8.5.3 _x64_ [Mar 13 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files...3-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : dperezfadon [Admin rights]
    Mode : Scan -- Date : 03/14/2013 14:09:38
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 10 ¤¤¤
    [PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (proxy.indra.es:8080) -> FOUND
    [HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
    [HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
    [HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
    [HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND
    [HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
    [HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND
    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED] ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts

    127.0.0.1 localhost
    ::1 localhost
    127.0.0.1 ux.ssrl-mov
    127.0.0.1 ux.ssrl-mov-cliente
    127.0.0.1 ux.ssrl-pantallas
    127.0.0.1 ux.ssrl-mov-test
    127.0.0.1 ux.EntrevistaFinAsignacionWeb
    149.5.18.172 www.google-analytics.com.
    149.5.18.172 ad-emea.doubleclick.net.
    149.5.18.172 www.statcounter.com.
    108.163.215.51 www.google-analytics.com.
    108.163.215.51 ad-emea.doubleclick.net.
    108.163.215.51 www.statcounter.com.
    127.0.0.1 www.007guard.com
    127.0.0.1 007guard.com
    127.0.0.1 008i.com
    127.0.0.1 www.008k.com
    127.0.0.1 008k.com
    127.0.0.1 www.00hq.com
    127.0.0.1 00hq.com
    [...]


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: WDC WD3200BEKT-60PVMT0 +++++
    --- User ---
    [MBR] 76b8c01b0112762377ef7f778af1b059
    [BSP] cd27ed3eb96aab5c994ff939e1f9cca6 : Windows 7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 101 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 208896 | Size: 102900 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 210948096 | Size: 202242 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[1]_S_03142013_02d1409.txt >>
    RKreport[1]_S_03142013_02d1409.txt



    ------------- RKreport[2]_D_03142013_02d1410.txt


    RogueKiller V8.5.3 _x64_ [Mar 13 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files...3-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : dperezfadon [Admin rights]
    Mode : Remove -- Date : 03/14/2013 14:10:53
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 8 ¤¤¤
    [PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (proxy.indra.es:8080) -> NOT REMOVED, USE PROXYFIX
    [HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED
    [HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED
    [HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
    [HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED] ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts

    127.0.0.1 localhost
    ::1 localhost
    127.0.0.1 ux.ssrl-mov
    127.0.0.1 ux.ssrl-mov-cliente
    127.0.0.1 ux.ssrl-pantallas
    127.0.0.1 ux.ssrl-mov-test
    127.0.0.1 ux.EntrevistaFinAsignacionWeb
    149.5.18.172 www.google-analytics.com.
    149.5.18.172 ad-emea.doubleclick.net.
    149.5.18.172 www.statcounter.com.
    108.163.215.51 www.google-analytics.com.
    108.163.215.51 ad-emea.doubleclick.net.
    108.163.215.51 www.statcounter.com.
    127.0.0.1 www.007guard.com
    127.0.0.1 007guard.com
    127.0.0.1 008i.com
    127.0.0.1 www.008k.com
    127.0.0.1 008k.com
    127.0.0.1 www.00hq.com
    127.0.0.1 00hq.com
    [...]


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: WDC WD3200BEKT-60PVMT0 +++++
    --- User ---
    [MBR] 76b8c01b0112762377ef7f778af1b059
    [BSP] cd27ed3eb96aab5c994ff939e1f9cca6 : Windows 7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 101 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 208896 | Size: 102900 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 210948096 | Size: 202242 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[2]_D_03142013_02d1410.txt >>
    RKreport[1]_S_03142013_02d1409.txt ; RKreport[2]_D_03142013_02d1410.txt



    ------------- RKreport[3]_SC_03142013_02d1419.txt


    RogueKiller V8.5.3 _x64_ [Mar 13 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files...3-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : dperezfadon [Admin rights]
    Mode : Shortcuts HJfix -- Date : 03/14/2013 14:19:28
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Driver : [NOT LOADED] ¤¤¤

    ¤¤¤ File attributes restored: ¤¤¤
    Desktop: Success 1 / Fail 0
    Quick launch: Success 1 / Fail 0
    Programs: Success 43 / Fail 0
    Start menu: Success 1 / Fail 0
    User folder: Success 122 / Fail 0
    My documents: Success 3 / Fail 3
    My favorites: Success 0 / Fail 0
    My pictures: Success 0 / Fail 0
    My music: Success 0 / Fail 0
    My videos: Success 0 / Fail 0
    Local drives: Success 308 / Fail 0
    Backup: [NOT FOUND]

    Drives:
    [C:] \Device\HarddiskVolume2 -- 0x3 --> Restored
    [D:] \Device\HarddiskVolume3 -- 0x3 --> Restored
    [E:] \Device\CdRom0 -- 0x5 --> Skipped
    [F:] \Device\CdRom1 -- 0x5 --> Skipped

    Finished : << RKreport[3]_SC_03142013_02d1419.txt >>
    RKreport[1]_S_03142013_02d1409.txt ; RKreport[2]_D_03142013_02d1410.txt ; RKreport[3]_SC_03142013_02d1419.txt

  8. #8
    Malware Team: Emeritus
    Join Date
    Oct 2012
    Posts
    246

    Default

    Hi dperezfa

    Good job

    Please read through these instructions to familarize yourself with what to expect when this tool runs

    Refer to the ComboFix User's Guide


    Download ComboFix from one of these locations:

    Link 1
    Link 2



    * IMPORTANT- Save ComboFix.exe to your Desktop

    ====================================================


    Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs


    ====================================================


    Double click on combofix.exe & follow the prompts.


    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.
    - Proud Graduate of WTT Classroom -

    - Member of UNITE -

  9. #9
    Junior Member
    Join Date
    Mar 2013
    Posts
    22

    Default

    I'm having trouble trying to disable trend micro officescan... i'm still investigating how to do it.

  10. #10
    Malware Team: Emeritus
    Join Date
    Oct 2012
    Posts
    246

    Default

    Hi dperezfa

    I'm having trouble trying to disable trend micro officescan... i'm still investigating how to do it.
    • Right click on Trend Micro Antivirus icon near the clock.
    • Select Unload OfficeScan.
    - Proud Graduate of WTT Classroom -

    - Member of UNITE -

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •