rootkit.0access.h

[enzo11]

Hello, I'm here for help again, unfortunately.

I ran Malware Bytes recently and got three infections; after the quarantine -> delete -> reboot process, one infection, Rootkit.0Access.H was still there.

I'm not noticing any problems or irregular behavior on my computer at all.


I also turned off TeaTimer and ran TDSSKiller (verifying digital signatures and TDLFS) to get extra information on this, here's the log (skipped all of the infections by default).Log on next post because of the text limit.

Hm, looks like the TDSS log is too big to be posted here, so I will just post the other ones, sorry: (Edit: No need to post TDSS unless requested.) ;-)

The DDS log:
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_22
Run by E at 10:34:15 on 2012-08-12
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.55.1046.18.3957.2507 [GMT -3:00]
.
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\nvvsvc.exe
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\windows\system32\nvvsvc.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\WLANExt.exe
C:\windows\system32\conhost.exe
C:\windows\System32\spoolsv.exe
C:\windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\windows\System32\svchost.exe -k HPZ12
C:\windows\System32\svchost.exe -k HPZ12
C:\windows\SysWOW64\Rezip.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\windows\Explorer.EXE
C:\windows\system32\SearchIndexer.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files (x86)\Rainmeter\Rainmeter.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\windows\system32\taskeng.exe
C:\Program Files (x86)\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe
C:\Program Files (x86)\Samsung\Samsung Recovery Solution 4\WCScheduler.exe
C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files (x86)\Samsung\Samsung Support Center\SSCKbdHk.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Program Files\Waterfox\waterfox.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\system32\conhost.exe
C:\windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn
uInternet Settings,ProxyOverride = *.local
BHO: Auxiliar de Conexão do Windows Live ID: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
{555d4d79-4bd2-4094-a395-cfc534424a05}
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
uRun: [bkhu79m9pe] C:\Users\E\bkhu79m9pe.exe
mRun: [UCam_Menu] "C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
StartupFolder: C:\Users\E\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ERUNTA~1.LNK - C:\Program Files (x86)\ERUNT\AUTOBACK.EXE
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\RAINME~1.LNK - C:\Program Files (x86)\Rainmeter\Rainmeter.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Enviar imagem para Dispositivo &Bluetooth... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Enviar página para Dispositivo &Bluetooth ... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{DACE21EB-C065-4551-A94F-E84A92815EA3} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{DACE21EB-C065-4551-A94F-E84A92815EA3}\D4943425F454C4544525F4E4943414 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{DACE21EB-C065-4551-A94F-E84A92815EA3}\E4F647560205164756C6C6960214365627 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{F37648D8-9DE9-4418-BD56-F15E07CCD79D} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{F7BABD8C-D1ED-4CB1-92B7-CD9B5C4B5BEF} : DhcpNameServer = 192.168.0.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6}
{DBC80044-A445-435b-BC74-9C25C1C588A9}
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun-x64: [UCam_Menu] "C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\windows\system32\DRIVERS\dtsoftbus01.sys --> C:\windows\system32\DRIVERS\dtsoftbus01.sys [?]
R1 SABI;SAMSUNG Kernel Driver For Windows 7;\??\C:\windows\system32\Drivers\SABI.sys --> C:\windows\system32\Drivers\SABI.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]
R2 cpuz135;cpuz135;\??\C:\windows\system32\drivers\cpuz135_x64.sys --> C:\windows\system32\drivers\cpuz135_x64.sys [?]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-6-3 1262400]
R2 Rezip;Rezip;C:\Windows\SysWOW64\Rezip.exe [2010-6-19 311296]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2009-12-2 483688]
R3 btwampfl;Bluetooth AMP USB Filter;C:\windows\system32\drivers\btwampfl.sys --> C:\windows\system32\drivers\btwampfl.sys [?]
R3 btwl2cap;Bluetooth L2CAP Service;C:\windows\system32\DRIVERS\btwl2cap.sys --> C:\windows\system32\DRIVERS\btwl2cap.sys [?]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\windows\system32\drivers\nvhda64v.sys --> C:\windows\system32\drivers\nvhda64v.sys [?]
R3 Sftfs;Sftfs;C:\windows\system32\DRIVERS\Sftfslh.sys --> C:\windows\system32\DRIVERS\Sftfslh.sys [?]
R3 Sftplay;Sftplay;C:\windows\system32\DRIVERS\Sftplaylh.sys --> C:\windows\system32\DRIVERS\Sftplaylh.sys [?]
R3 Sftredir;Sftredir;C:\windows\system32\DRIVERS\Sftredirlh.sys --> C:\windows\system32\DRIVERS\Sftredirlh.sys [?]
R3 Sftvol;Sftvol;C:\windows\system32\DRIVERS\Sftvollh.sys --> C:\windows\system32\DRIVERS\Sftvollh.sys [?]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2009-12-2 209768]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\windows\system32\DRIVERS\yk62x64.sys --> C:\windows\system32\DRIVERS\yk62x64.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2011-2-20 1153368]
S3 fssfltr;fssfltr;C:\windows\system32\DRIVERS\fssfltr.sys --> C:\windows\system32\DRIVERS\fssfltr.sys [?]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2012-3-8 1492840]
S3 Impcd;Impcd;C:\windows\system32\DRIVERS\Impcd.sys --> C:\windows\system32\DRIVERS\Impcd.sys [?]
S3 libusb0;LibUsb-Win32 - Kernel Driver 08/27/2006, 0.1.12.0;C:\windows\system32\DRIVERS\libusb0.sys --> C:\windows\system32\DRIVERS\libusb0.sys [?]
S3 npggsvc;nProtect GameGuard Service;C:\windows\system32\GameMon.des -service --> C:\windows\system32\GameMon.des -service [?]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 RTL8167;Realtek 8167 NT Driver;C:\windows\system32\DRIVERS\Rt64win7.sys --> C:\windows\system32\DRIVERS\Rt64win7.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\windows\system32\drivers\tsusbflt.sys --> C:\windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\system32\Drivers\usbaapl64.sys --> C:\windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Serviço de Tecnologias de Ativação do Windows;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-08-12 12:50:43 -------- d-----w- C:\Users\E\AppData\Roaming\Waterfox Limited
2012-08-08 17:42:23 -------- d-----w- C:\Users\E\AppData\Local\{8BEA5AA3-3DEA-403B-8960-353571224847}
2012-08-08 17:42:12 -------- d-----w- C:\Users\E\AppData\Local\{69526FCE-8F3A-460D-9B7B-9062298D13DB}
2012-08-05 22:32:42 -------- d-----w- C:\Users\E\AppData\Local\{157D3345-0458-4A15-81E2-1FAD9047A4EC}
2012-08-05 22:32:16 -------- d-----w- C:\Users\E\AppData\Local\{2E5BEA6B-109E-4D78-A7C3-7A71FCAAD18E}
2012-07-31 17:03:06 -------- d-----w- C:\Users\E\AppData\Local\{FF6BFAE8-71B3-476A-8BB2-AD911829F449}
2012-07-31 17:02:55 -------- d-----w- C:\Users\E\AppData\Local\{C2E1472C-5186-49B3-8148-0450017E29F5}
2012-07-30 19:41:58 -------- d-----w- C:\Users\E\AppData\Local\{68A24E7A-F970-490F-BE22-1E948B7FE347}
2012-07-30 19:40:32 -------- d-----w- C:\Users\E\AppData\Local\{47429B24-DB6A-4D89-B444-E12957F722B5}
2012-07-27 18:49:28 -------- d-----w- C:\Users\E\AppData\Local\{8DD53C5C-B796-4A22-A5A5-19FC8A03F0E3}
2012-07-27 18:49:16 -------- d-----w- C:\Users\E\AppData\Local\{83F30B5C-71B4-4A46-B6B1-DB0ED8CAF706}
2012-07-26 14:51:44 -------- d-----w- C:\Users\E\AppData\Local\{E7D09EFA-1347-4B16-9C5C-FEF1C4EA655B}
2012-07-26 14:50:43 -------- d-----w- C:\Users\E\AppData\Local\{2271A012-447E-4D82-A789-9D71F39337BF}
2012-07-22 15:52:19 -------- d-----w- C:\Users\E\AppData\Local\{936A3A53-42BB-44BD-89A4-F89AE5E12A0A}
2012-07-22 15:52:07 -------- d-----w- C:\Users\E\AppData\Local\{84FFD483-962F-45E0-8BB7-835A1BE31776}
2012-07-21 15:53:31 -------- d-----w- C:\Users\E\AppData\Local\{4BD8EEB4-88CD-4186-8AC5-26B023258133}
2012-07-21 15:53:19 -------- d-----w- C:\Users\E\AppData\Local\{E58EB009-B144-4173-AFC7-F567B47331D6}
2012-07-17 18:05:16 -------- d-----w- C:\Users\E\AppData\Local\{F202B415-A55F-454D-95E1-326DF7AD1B54}
2012-07-17 18:05:01 -------- d-----w- C:\Users\E\AppData\Local\{C79E91D5-75F8-4BA4-9716-312212E2A4F7}
2012-07-16 18:04:46 -------- d-----w- C:\Users\E\AppData\Local\{9D45AFEE-B8ED-416D-AD59-9CCBCF000AF9}
2012-07-16 18:04:34 -------- d-----w- C:\Users\E\AppData\Local\{746F6216-440D-4F8E-AD9F-F1AF1A58286B}
2012-07-15 01:44:06 -------- d-----w- C:\Users\E\AppData\Local\{961E5217-325B-494C-A789-CAC43F927905}
2012-07-14 19:17:54 -------- d-----w- C:\Users\E\AppData\Roaming\com.doubleperfect.ggpo
2012-07-14 13:43:30 -------- d-----w- C:\Users\E\AppData\Local\{48B5B238-4EA8-44E9-A5BA-8E7DE4D79C53}
2012-07-14 13:43:16 -------- d-----w- C:\Users\E\AppData\Local\{FB6E49EE-7065-4639-B1B2-C41E8103819D}
2012-07-13 16:32:29 -------- d-----w- C:\Users\E\AppData\Local\{61542E56-B79B-46F5-8FDB-81585845DC09}
2012-07-13 16:32:18 -------- d-----w- C:\Users\E\AppData\Local\{319F67B1-76EB-4077-BA0D-BCED0686A5E7}
.
==================== Find3M ====================
.
2012-07-12 14:27:03 70344 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-12 14:27:03 426184 ----a-w- C:\windows\SysWow64\FlashPlayerApp.exe
2012-07-03 16:46:44 24904 ----a-w- C:\windows\System32\drivers\mbam.sys
2012-06-20 15:28:03 4145600 ----a-w- C:\windows\SysWow64\GameMon.des
2012-06-03 17:43:43 8769696 ----a-w- C:\windows\SysWow64\FlashPlayerInstaller.exe
2012-06-02 22:15:31 2622464 ----a-w- C:\windows\System32\wucltux.dll
2012-06-02 22:15:08 99840 ----a-w- C:\windows\System32\wudriver.dll
2012-06-02 18:19:42 186752 ----a-w- C:\windows\System32\wuwebv.dll
2012-06-02 18:15:12 36864 ----a-w- C:\windows\System32\wuapp.exe
2012-05-15 09:29:47 889664 ----a-w- C:\windows\System32\nvvsvc.exe
2012-05-15 09:29:46 63296 ----a-w- C:\windows\System32\nvshext.dll
2012-05-15 09:29:46 2561856 ----a-w- C:\windows\System32\nvsvcr.dll
2012-05-15 09:29:46 118080 ----a-w- C:\windows\System32\nvmctray.dll
2012-05-15 09:29:25 3149632 ----a-w- C:\windows\System32\nvsvc64.dll
2012-05-15 09:28:42 6151488 ----a-w- C:\windows\System32\nvcpl.dll
.
============= FINISH: 10:35:07,04 ===============


aswMBR log:

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-12 10:42:53
-----------------------------
10:42:53.453 OS Version: Windows x64 6.1.7601 Service Pack 1
10:42:53.453 Number of processors: 4 586 0x2505
10:42:53.453 ComputerName: PC UserName: E
10:42:54.655 Initialze error C000010E - driver not loaded
10:47:55.817 AVAST engine defs: 12081200
10:51:25.667 Service scanning
10:51:51.750 Modules scanning
10:51:51.750 Disk 0 trace - called modules:
10:51:51.750
10:51:52.998 AVAST engine scan C:\windows
10:51:56.617 AVAST engine scan C:\windows\system32
10:55:32.521 AVAST engine scan C:\windows\system32\drivers
10:55:49.931 AVAST engine scan C:\Users\E
10:58:48.567 File: C:\Users\E\AppData\Local\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}\n **INFECTED** Win64:Sirefef-F [Rtk]
10:58:48.614 File: C:\Users\E\AppData\Local\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}\U\00000001.@ **INFECTED** Win32:Malware-gen
10:58:48.676 File: C:\Users\E\AppData\Local\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}\U\80000000.@ **INFECTED** Win32:Malware-gen
10:58:48.739 File: C:\Users\E\AppData\Local\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}\U\800000cb.@ **INFECTED** Win32:Trojan-gen
11:11:21.160 AVAST engine scan C:\ProgramData
11:12:41.235 Scan finished successfully
11:14:27.643 The log file has been saved successfully to "C:\Users\E\Desktop\aswMBR.txt"


Here's the log:

Malwarebytes Anti-Malware 1.62.0.1300

Versão da Base de Dados: v2012.08.12.03

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
E :: PC [administrador]

12/08/2012 09:53:25
mbam-log-2012-08-12 (09-53-25).txt

Tipo de Verificação: Verificação Rápida
Opções de verificações ativadas: Memória | Inicialização | Registro | Sistema de arquivos | Heurística/Extra | Heurística/Shuriken | PUP | PUM
Opções de verificação desativadas: P2P
Objetos escaneados: 213302
Tempo decorrido: 4 minuto(s), 48 segundo(s)

Processos de Memória Detectados: 0
(Não foram detectados ítens maliciosos)

Módulos de Memória Detectados: 0
(Não foram detectados ítens maliciosos)

Chaves de Registro Detectadas: 0
(Não foram detectados ítens maliciosos)

Valores de Registro Detectadas: 0
(Não foram detectados ítens maliciosos)

Itens de Dados no Registro Detectadas: 0
(Não foram detectados ítens maliciosos)

Pastas Detectadas: 0
(Não foram detectados ítens maliciosos)

Arquivos Detectados: 3
C:\Users\E\AppData\Local\Temp\EA86.tmp (Trojan.Agent.H) -> Enviado para a Quarentena e deletado com sucesso.
C:\Windows\Installer\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}\n (Trojan.Sirefef) -> Enviado para a Quarentena e deletado com sucesso.
C:\Windows\Installer\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}\U\00000001.@ (RootKit.0Access.H) -> Enviado para a Quarentena e deletado com sucesso.

(fim)

 

[Blade81]

Hi,

Please post the TDSSKiller log you had there.

 

[enzo11]

I'm attaching since it's too big to post.

 

[Blade81]

Hi


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
   Remember to re-enable them afterwards.
   
   
2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

 

[enzo11]

A "system32/icacls.exe" file kept trying to run in the first moments Combfix was running/generating the log:

ComboFix 12-08-18.03 - E 19/08/2012 12:36:14.4.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.55.1046.18.3957.2829 [GMT -3:00]
Executando de: c:\users\E\Downloads\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\E\AppData\Local\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}
c:\users\E\AppData\Local\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}\@
c:\users\E\AppData\Local\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}\n
c:\users\E\AppData\Local\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}\U\00000001.@
c:\users\E\AppData\Local\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}\U\80000000.@
c:\users\E\AppData\Local\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}\U\800000cb.@
c:\users\E\bkhu79m9pe.exe
c:\windows\Installer\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}
c:\windows\Installer\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}\@
c:\windows\Installer\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}\U\00000001.@
c:\windows\Installer\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}\U\80000000.@
c:\windows\Installer\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}\U\800000cb.@
.
A cópia de c:\windows\system32\services.exe foi encontrada e desinfectada
Cópia restaurada de - c:\windows\ERDNT\cache64\services.exe
.
.
(((((((((((((((( Arquivos/Ficheiros criados de 2012-07-19 to 2012-08-19 ))))))))))))))))))))))))))))
.
.
2012-08-19 15:44 . 2012-08-19 15:44 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{CE0AF42B-5A32-4222-94DF-3FF0E63A5C94}\offreg.dll
2012-08-19 15:43 . 2012-08-19 15:43 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-08-19 15:43 . 2012-08-19 15:43 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-08-19 15:43 . 2012-08-19 15:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-12 12:50 . 2012-08-12 12:50 -------- d-----w- c:\users\E\AppData\Roaming\Waterfox Limited
2012-08-01 17:09 . 2012-08-01 17:16 -------- d-----w- c:\users\E\AppData\Roaming\ImgBurn
2012-08-01 16:54 . 2012-08-01 16:56 -------- d-----w- c:\program files (x86)\ImgBurn
.
.
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-12 14:27 . 2012-06-27 01:20 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-07-12 14:27 . 2012-06-27 01:16 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-03 16:46 . 2011-12-23 13:07 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-20 15:28 . 2012-06-24 18:13 4145600 ----a-w- c:\windows\SysWow64\GameMon.des
2012-06-03 17:43 . 2012-06-03 17:43 8769696 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-06-02 22:19 . 2012-06-23 18:51 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-23 18:51 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-23 18:51 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-23 18:51 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-23 18:51 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-23 18:51 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-23 18:51 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 18:19 . 2012-06-23 18:51 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 18:15 . 2012-06-23 18:51 36864 ----a-w- c:\windows\system32\wuapp.exe
.
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por padrão não são apresentadas.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"UCam_Menu"="c:\program files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Rainmeter.lnk - c:\program files (x86)\Rainmeter\Rainmeter.exe [2011-2-6 99840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-27 158976]
R3 libusb0;LibUsb-Win32 - Kernel Driver 08/27/2006, 0.1.12.0;c:\windows\system32\DRIVERS\libusb0.sys [2012-02-19 32768]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 40464]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-06-10 187392]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2010-12-14 51712]
R3 WatAdminSvc;Serviço de Tecnologias de Ativação do Windows;c:\windows\system32\Wat\WatAdminSvc.exe [2011-09-02 1255736]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2011-11-29 503352]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2011-02-22 254528]
S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys [2009-05-28 13824]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys [2011-01-19 21992]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-05-15 1262400]
S2 Rezip;Rezip;c:\windows\SysWOW64\Rezip.exe [2009-03-05 311296]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2009-12-03 483688]
S3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [2010-04-30 340520]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2010-04-30 39464]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2012-04-18 188736]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2009-12-03 721768]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2009-12-03 269672]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2009-12-03 25960]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2009-12-03 22376]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2009-12-03 209768]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-09-28 395264]
.
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-12-15 9644576]
.
------- Scan Suplementar -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Enviar imagem para Dispositivo &Bluetooth... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Enviar página para Dispositivo &Bluetooth ... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORFÃOS REMOVIDOS - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-bkhu79m9pe - c:\users\E\bkhu79m9pe.exe
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------
.
[HKEY_USERS\S-1-5-21-2566226363-914769290-2283136121-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-2566226363-914769290-2283136121-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Outros Processos em Execução ------------------------
.
c:\program files (x86)\Samsung\Samsung Support Center\SSCKbdHk.exe
c:\program files (x86)\Samsung\Samsung Recovery Solution 4\WCScheduler.exe
.
**************************************************************************
.
Tempo para conclusão: 2012-08-19 12:53:06 - Máquina reiniciou
ComboFix-quarantined-files.txt 2012-08-19 15:53
.
Pré-execução: 45.001.482.240 bytes disponíveis
Pós execução: 44.954.902.528 bytes disponíveis
.
- - End Of File - - 5B3950D2F9F6A75A2053834AB50CB944

DDS:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_22
Run by E at 12:59:25 on 2012-08-19
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.55.1046.18.3957.2477 [GMT -3:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\nvvsvc.exe
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\WLANExt.exe
C:\windows\system32\conhost.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\system32\taskeng.exe
C:\windows\System32\svchost.exe -k HPZ12
C:\windows\System32\svchost.exe -k HPZ12
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\SysWOW64\Rezip.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\windows\system32\nvvsvc.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\windows\system32\SearchIndexer.exe
C:\windows\servicing\TrustedInstaller.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\taskeng.exe
C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files (x86)\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe
C:\Program Files (x86)\Samsung\Samsung Support Center\SSCKbdHk.exe
C:\Program Files (x86)\Samsung\Samsung Recovery Solution 4\WCScheduler.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files (x86)\Rainmeter\Rainmeter.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\windows\system32\DllHost.exe
C:\Program Files\Waterfox\waterfox.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\windows\system32\sppsvc.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\wuauclt.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\system32\conhost.exe
C:\windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn
uInternet Settings,ProxyOverride = *.local
BHO: Auxiliar de Conexão do Windows Live ID: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
{555d4d79-4bd2-4094-a395-cfc534424a05}
mRun: [UCam_Menu] "C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\RAINME~1.LNK - C:\Program Files (x86)\Rainmeter\Rainmeter.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Enviar imagem para Dispositivo &Bluetooth... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Enviar página para Dispositivo &Bluetooth ... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{DACE21EB-C065-4551-A94F-E84A92815EA3} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{DACE21EB-C065-4551-A94F-E84A92815EA3}\D4943425F454C4544525F4E4943414 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{DACE21EB-C065-4551-A94F-E84A92815EA3}\E4F647560205164756C6C6960214365627 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{F37648D8-9DE9-4418-BD56-F15E07CCD79D} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{F7BABD8C-D1ED-4CB1-92B7-CD9B5C4B5BEF} : DhcpNameServer = 192.168.0.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6}
{DBC80044-A445-435b-BC74-9C25C1C588A9}
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun-x64: [UCam_Menu] "C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
============= SERVICES / DRIVERS ===============
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\windows\system32\DRIVERS\dtsoftbus01.sys --> C:\windows\system32\DRIVERS\dtsoftbus01.sys [?]
R1 SABI;SAMSUNG Kernel Driver For Windows 7;\??\C:\windows\system32\Drivers\SABI.sys --> C:\windows\system32\Drivers\SABI.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]
R2 cpuz135;cpuz135;\??\C:\windows\system32\drivers\cpuz135_x64.sys --> C:\windows\system32\drivers\cpuz135_x64.sys [?]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-6-3 1262400]
R2 Rezip;Rezip;C:\Windows\SysWOW64\Rezip.exe [2010-6-19 311296]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2011-2-20 1153368]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2009-12-2 483688]
R3 btwampfl;Bluetooth AMP USB Filter;C:\windows\system32\drivers\btwampfl.sys --> C:\windows\system32\drivers\btwampfl.sys [?]
R3 btwl2cap;Bluetooth L2CAP Service;C:\windows\system32\DRIVERS\btwl2cap.sys --> C:\windows\system32\DRIVERS\btwl2cap.sys [?]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\windows\system32\drivers\nvhda64v.sys --> C:\windows\system32\drivers\nvhda64v.sys [?]
R3 Sftfs;Sftfs;C:\windows\system32\DRIVERS\Sftfslh.sys --> C:\windows\system32\DRIVERS\Sftfslh.sys [?]
R3 Sftplay;Sftplay;C:\windows\system32\DRIVERS\Sftplaylh.sys --> C:\windows\system32\DRIVERS\Sftplaylh.sys [?]
R3 Sftredir;Sftredir;C:\windows\system32\DRIVERS\Sftredirlh.sys --> C:\windows\system32\DRIVERS\Sftredirlh.sys [?]
R3 Sftvol;Sftvol;C:\windows\system32\DRIVERS\Sftvollh.sys --> C:\windows\system32\DRIVERS\Sftvollh.sys [?]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2009-12-2 209768]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\windows\system32\DRIVERS\yk62x64.sys --> C:\windows\system32\DRIVERS\yk62x64.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 fssfltr;fssfltr;C:\windows\system32\DRIVERS\fssfltr.sys --> C:\windows\system32\DRIVERS\fssfltr.sys [?]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2012-3-8 1492840]
S3 Impcd;Impcd;C:\windows\system32\DRIVERS\Impcd.sys --> C:\windows\system32\DRIVERS\Impcd.sys [?]
S3 libusb0;LibUsb-Win32 - Kernel Driver 08/27/2006, 0.1.12.0;C:\windows\system32\DRIVERS\libusb0.sys --> C:\windows\system32\DRIVERS\libusb0.sys [?]
S3 npggsvc;nProtect GameGuard Service;C:\windows\system32\GameMon.des -service --> C:\windows\system32\GameMon.des -service [?]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 RTL8167;Realtek 8167 NT Driver;C:\windows\system32\DRIVERS\Rt64win7.sys --> C:\windows\system32\DRIVERS\Rt64win7.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\windows\system32\drivers\tsusbflt.sys --> C:\windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\system32\Drivers\usbaapl64.sys --> C:\windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Serviço de Tecnologias de Ativação do Windows;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-08-19 15:55:22 -------- d-sh--w- C:\$RECYCLE.BIN
2012-08-19 15:55:02 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{CE0AF42B-5A32-4222-94DF-3FF0E63A5C94}\offreg.dll
2012-08-19 15:32:20 98816 ----a-w- C:\windows\sed.exe
2012-08-19 15:32:20 518144 ----a-w- C:\windows\SWREG.exe
2012-08-19 15:32:20 256000 ----a-w- C:\windows\PEV.exe
2012-08-19 15:32:20 208896 ----a-w- C:\windows\MBR.exe
2012-08-15 21:56:03 -------- d-----w- C:\Users\E\AppData\Local\{C238BA74-A336-484E-8546-2A0AFE84AD7D}
2012-08-15 21:55:52 -------- d-----w- C:\Users\E\AppData\Local\{DB37199D-B3F0-40F8-B1BC-CCFC3A2F5E15}
2012-08-12 12:50:43 -------- d-----w- C:\Users\E\AppData\Roaming\Waterfox Limited
2012-08-08 17:42:23 -------- d-----w- C:\Users\E\AppData\Local\{8BEA5AA3-3DEA-403B-8960-353571224847}
2012-08-08 17:42:12 -------- d-----w- C:\Users\E\AppData\Local\{69526FCE-8F3A-460D-9B7B-9062298D13DB}
2012-08-05 22:32:42 -------- d-----w- C:\Users\E\AppData\Local\{157D3345-0458-4A15-81E2-1FAD9047A4EC}
2012-08-05 22:32:16 -------- d-----w- C:\Users\E\AppData\Local\{2E5BEA6B-109E-4D78-A7C3-7A71FCAAD18E}
2012-07-31 17:03:06 -------- d-----w- C:\Users\E\AppData\Local\{FF6BFAE8-71B3-476A-8BB2-AD911829F449}
2012-07-31 17:02:55 -------- d-----w- C:\Users\E\AppData\Local\{C2E1472C-5186-49B3-8148-0450017E29F5}
2012-07-30 19:41:58 -------- d-----w- C:\Users\E\AppData\Local\{68A24E7A-F970-490F-BE22-1E948B7FE347}
2012-07-30 19:40:32 -------- d-----w- C:\Users\E\AppData\Local\{47429B24-DB6A-4D89-B444-E12957F722B5}
2012-07-27 18:49:28 -------- d-----w- C:\Users\E\AppData\Local\{8DD53C5C-B796-4A22-A5A5-19FC8A03F0E3}
2012-07-27 18:49:16 -------- d-----w- C:\Users\E\AppData\Local\{83F30B5C-71B4-4A46-B6B1-DB0ED8CAF706}
2012-07-26 14:51:44 -------- d-----w- C:\Users\E\AppData\Local\{E7D09EFA-1347-4B16-9C5C-FEF1C4EA655B}
2012-07-26 14:50:43 -------- d-----w- C:\Users\E\AppData\Local\{2271A012-447E-4D82-A789-9D71F39337BF}
2012-07-22 15:52:19 -------- d-----w- C:\Users\E\AppData\Local\{936A3A53-42BB-44BD-89A4-F89AE5E12A0A}
2012-07-22 15:52:07 -------- d-----w- C:\Users\E\AppData\Local\{84FFD483-962F-45E0-8BB7-835A1BE31776}
2012-07-21 15:53:31 -------- d-----w- C:\Users\E\AppData\Local\{4BD8EEB4-88CD-4186-8AC5-26B023258133}
2012-07-21 15:53:19 -------- d-----w- C:\Users\E\AppData\Local\{E58EB009-B144-4173-AFC7-F567B47331D6}
.
==================== Find3M ====================
.
2012-07-12 14:27:03 70344 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-12 14:27:03 426184 ----a-w- C:\windows\SysWow64\FlashPlayerApp.exe
2012-07-03 16:46:44 24904 ----a-w- C:\windows\System32\drivers\mbam.sys
2012-06-20 15:28:03 4145600 ----a-w- C:\windows\SysWow64\GameMon.des
2012-06-03 17:43:43 8769696 ----a-w- C:\windows\SysWow64\FlashPlayerInstaller.exe
2012-06-02 22:15:31 2622464 ----a-w- C:\windows\System32\wucltux.dll
2012-06-02 22:15:08 99840 ----a-w- C:\windows\System32\wudriver.dll
2012-06-02 18:19:42 186752 ----a-w- C:\windows\System32\wuwebv.dll
2012-06-02 18:15:12 36864 ----a-w- C:\windows\System32\wuapp.exe
.
============= FINISH: 13:02:00,39 ===============

 

[Blade81]

Hi again,


Open notepad and copy/paste the text in the quotebox below into it:

DDS::
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe (let the tool to update itself if prompted).
Then post the resultant log.



Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:

• Download the latest version of Java Runtime Environment (JRE) 7 Update 6.
• Click the
  Download
  button to the right.
• Select Windows on platform combobox and check the box that says:
  Accept License Agreement. Click continue.
  
• The page will refresh.
• Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-7u6-windows-i586.exe to install the newest version.

* Go here to run an online scanner from ESET.

• Note: You will need to use Internet explorer for this scan
• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Click Start
• Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
• Click Scan
• Wait for the scan to finish.

Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.

 

[enzo11]

Question: since I use both a 64bit OS and browser, shouldn't I use "jre-7u6-windows-x64.exe" instead of "jre-7u6-windows-i586.exe"?

 

[Blade81]

Hi,

It depends what browser you're using. Firefox and 32-bit version of Internet Explorer need 32-bit Java.

 

[enzo11]

ESET:

C:\Qoobox\Quarantine\C\Users\E\AppData\Local\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}\n.vir Win64/Sirefef.W trojan
C:\Qoobox\Quarantine\C\Users\E\AppData\Local\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}\U\00000001.@.vir Win64/Sirefef.AI trojan
C:\Qoobox\Quarantine\C\Users\E\AppData\Local\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}\U\80000000.@.vir Win64/Sirefef.AE trojan
C:\Qoobox\Quarantine\C\Users\E\AppData\Local\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}\U\800000cb.@.vir Win64/Sirefef.AH trojan
C:\Qoobox\Quarantine\C\Windows\Installer\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}\U\80000000.@.vir Win64/Sirefef.AL trojan
C:\Qoobox\Quarantine\C\Windows\Installer\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}\U\800000cb.@.vir Win64/Sirefef.AH trojan
C:\Qoobox\Quarantine\C\Windows\System32\services.exe.vir Win64/Patched.B.Gen trojan

Combofix:

ComboFix 12-08-18.03 - E 19/08/2012 18:58:45.5.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.55.1046.18.3957.2187 [GMT -3:00]
Executando de: c:\users\E\Downloads\ComboFix.exe
Comandos utilizados :: c:\users\E\Downloads\CFScript.txt
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((( Arquivos/Ficheiros criados de 2012-07-19 to 2012-08-19 ))))))))))))))))))))))))))))
.
.
2012-08-19 22:04 . 2012-08-19 22:04 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-08-19 22:04 . 2012-08-19 22:04 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-08-19 22:04 . 2012-08-19 22:04 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-19 15:55 . 2012-08-19 15:55 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{CE0AF42B-5A32-4222-94DF-3FF0E63A5C94}\offreg.dll
2012-08-12 12:50 . 2012-08-12 12:50 -------- d-----w- c:\users\E\AppData\Roaming\Waterfox Limited
2012-08-01 17:09 . 2012-08-01 17:16 -------- d-----w- c:\users\E\AppData\Roaming\ImgBurn
2012-08-01 16:54 . 2012-08-01 16:56 -------- d-----w- c:\program files (x86)\ImgBurn
.
.
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-19 21:46 . 2012-06-27 01:20 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-19 21:46 . 2012-06-27 01:16 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-03 16:46 . 2011-12-23 13:07 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-20 15:28 . 2012-06-24 18:13 4145600 ----a-w- c:\windows\SysWow64\GameMon.des
2012-06-03 17:43 . 2012-06-03 17:43 8769696 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-06-02 22:19 . 2012-06-23 18:51 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-23 18:51 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-23 18:51 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-23 18:51 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-23 18:51 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-23 18:51 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-23 18:51 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 18:19 . 2012-06-23 18:51 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 18:15 . 2012-06-23 18:51 36864 ----a-w- c:\windows\system32\wuapp.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2012-08-19_15.44.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2012-08-19 15:43 . 2012-08-19 15:43 13270 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
+ 2012-08-19 15:54 . 2012-08-19 15:54 13270 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
- 2009-07-14 04:54 . 2012-08-19 15:44 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-08-19 15:54 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-08-19 15:44 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-08-19 15:54 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-08-19 15:54 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-08-19 15:44 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-06-19 07:16 . 2012-08-19 15:56 51334 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
- 2010-06-19 07:16 . 2012-08-19 15:46 51334 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-08-19 15:56 41876 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-02-20 18:05 . 2012-08-19 15:56 17778 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2566226363-914769290-2283136121-1000_UserData.bin
- 2011-02-20 19:00 . 2012-08-19 15:09 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-02-20 19:00 . 2012-08-19 21:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-02-20 19:00 . 2012-08-19 21:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-02-20 19:00 . 2012-08-19 15:09 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2012-08-19 15:43 . 2012-08-19 15:43 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-08-19 15:54 . 2012-08-19 15:54 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-08-19 15:54 . 2012-08-19 15:54 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-08-19 15:43 . 2012-08-19 15:43 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-08-19 21:46 . 2012-08-19 21:46 686792 c:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_3_300_271_Plugin.exe
- 2012-06-27 01:20 . 2012-07-12 14:27 250056 c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
+ 2012-06-27 01:20 . 2012-08-19 21:46 250056 c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
+ 2012-08-19 21:46 . 2012-08-19 21:46 417992 c:\windows\system32\Macromed\Flash\FlashUtil64_11_3_300_271_Plugin.exe
+ 2009-07-14 05:01 . 2012-08-19 15:54 234216 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-08-19 15:43 234216 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2012-08-19 21:46 . 2012-08-19 21:46 9465032 c:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_271.dll
+ 2012-08-19 21:46 . 2012-08-19 21:46 1536712 c:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe
+ 2012-08-19 21:46 . 2012-08-19 21:46 12315336 c:\windows\system32\Macromed\Flash\NPSWF64_11_3_300_271.dll
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por padrão não são apresentadas.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"UCam_Menu"="c:\program files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Rainmeter.lnk - c:\program files (x86)\Rainmeter\Rainmeter.exe [2011-2-6 99840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-27 158976]
R3 libusb0;LibUsb-Win32 - Kernel Driver 08/27/2006, 0.1.12.0;c:\windows\system32\DRIVERS\libusb0.sys [2012-02-19 32768]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 40464]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-06-10 187392]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2010-12-14 51712]
R3 WatAdminSvc;Serviço de Tecnologias de Ativação do Windows;c:\windows\system32\Wat\WatAdminSvc.exe [2011-09-02 1255736]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2011-11-29 503352]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2011-02-22 254528]
S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys [2009-05-28 13824]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys [2011-01-19 21992]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-05-15 1262400]
S2 Rezip;Rezip;c:\windows\SysWOW64\Rezip.exe [2009-03-05 311296]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2009-12-03 483688]
S3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [2010-04-30 340520]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2010-04-30 39464]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2012-04-18 188736]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2009-12-03 721768]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2009-12-03 269672]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2009-12-03 25960]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2009-12-03 22376]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2009-12-03 209768]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-09-28 395264]
.
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-12-15 9644576]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
.
------- Scan Suplementar -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Enviar imagem para Dispositivo &Bluetooth... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Enviar página para Dispositivo &Bluetooth ... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORFÃOS REMOVIDOS - - - -
.
Toolbar-Locked - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------
.
[HKEY_USERS\S-1-5-21-2566226363-914769290-2283136121-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-2566226363-914769290-2283136121-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Tempo para conclusão: 2012-08-19 19:09:09
ComboFix-quarantined-files.txt 2012-08-19 22:09
ComboFix2.txt 2012-08-19 15:53
.
Pré-execução: 45.580.820.480 bytes disponíveis
Pós execução: 45.495.615.488 bytes disponíveis
.
- - End Of File - - E9C5C2B493A8342A80BFC2CC85EEBD02

DDS:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_22
Run by E at 12:59:25 on 2012-08-19
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.55.1046.18.3957.2477 [GMT -3:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\nvvsvc.exe
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\WLANExt.exe
C:\windows\system32\conhost.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\system32\taskeng.exe
C:\windows\System32\svchost.exe -k HPZ12
C:\windows\System32\svchost.exe -k HPZ12
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\SysWOW64\Rezip.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\windows\system32\nvvsvc.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\windows\system32\SearchIndexer.exe
C:\windows\servicing\TrustedInstaller.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\taskeng.exe
C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files (x86)\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe
C:\Program Files (x86)\Samsung\Samsung Support Center\SSCKbdHk.exe
C:\Program Files (x86)\Samsung\Samsung Recovery Solution 4\WCScheduler.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files (x86)\Rainmeter\Rainmeter.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\windows\system32\DllHost.exe
C:\Program Files\Waterfox\waterfox.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\windows\system32\sppsvc.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\wuauclt.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\system32\conhost.exe
C:\windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn
uInternet Settings,ProxyOverride = *.local
BHO: Auxiliar de Conexão do Windows Live ID: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
{555d4d79-4bd2-4094-a395-cfc534424a05}
mRun: [UCam_Menu] "C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\RAINME~1.LNK - C:\Program Files (x86)\Rainmeter\Rainmeter.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Enviar imagem para Dispositivo &Bluetooth... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Enviar página para Dispositivo &Bluetooth ... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{DACE21EB-C065-4551-A94F-E84A92815EA3} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{DACE21EB-C065-4551-A94F-E84A92815EA3}\D4943425F454C4544525F4E4943414 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{DACE21EB-C065-4551-A94F-E84A92815EA3}\E4F647560205164756C6C6960214365627 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{F37648D8-9DE9-4418-BD56-F15E07CCD79D} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{F7BABD8C-D1ED-4CB1-92B7-CD9B5C4B5BEF} : DhcpNameServer = 192.168.0.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6}
{DBC80044-A445-435b-BC74-9C25C1C588A9}
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun-x64: [UCam_Menu] "C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
============= SERVICES / DRIVERS ===============
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\windows\system32\DRIVERS\dtsoftbus01.sys --> C:\windows\system32\DRIVERS\dtsoftbus01.sys [?]
R1 SABI;SAMSUNG Kernel Driver For Windows 7;\??\C:\windows\system32\Drivers\SABI.sys --> C:\windows\system32\Drivers\SABI.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]
R2 cpuz135;cpuz135;\??\C:\windows\system32\drivers\cpuz135_x64.sys --> C:\windows\system32\drivers\cpuz135_x64.sys [?]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-6-3 1262400]
R2 Rezip;Rezip;C:\Windows\SysWOW64\Rezip.exe [2010-6-19 311296]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2011-2-20 1153368]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2009-12-2 483688]
R3 btwampfl;Bluetooth AMP USB Filter;C:\windows\system32\drivers\btwampfl.sys --> C:\windows\system32\drivers\btwampfl.sys [?]
R3 btwl2cap;Bluetooth L2CAP Service;C:\windows\system32\DRIVERS\btwl2cap.sys --> C:\windows\system32\DRIVERS\btwl2cap.sys [?]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\windows\system32\drivers\nvhda64v.sys --> C:\windows\system32\drivers\nvhda64v.sys [?]
R3 Sftfs;Sftfs;C:\windows\system32\DRIVERS\Sftfslh.sys --> C:\windows\system32\DRIVERS\Sftfslh.sys [?]
R3 Sftplay;Sftplay;C:\windows\system32\DRIVERS\Sftplaylh.sys --> C:\windows\system32\DRIVERS\Sftplaylh.sys [?]
R3 Sftredir;Sftredir;C:\windows\system32\DRIVERS\Sftredirlh.sys --> C:\windows\system32\DRIVERS\Sftredirlh.sys [?]
R3 Sftvol;Sftvol;C:\windows\system32\DRIVERS\Sftvollh.sys --> C:\windows\system32\DRIVERS\Sftvollh.sys [?]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2009-12-2 209768]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\windows\system32\DRIVERS\yk62x64.sys --> C:\windows\system32\DRIVERS\yk62x64.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 fssfltr;fssfltr;C:\windows\system32\DRIVERS\fssfltr.sys --> C:\windows\system32\DRIVERS\fssfltr.sys [?]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2012-3-8 1492840]
S3 Impcd;Impcd;C:\windows\system32\DRIVERS\Impcd.sys --> C:\windows\system32\DRIVERS\Impcd.sys [?]
S3 libusb0;LibUsb-Win32 - Kernel Driver 08/27/2006, 0.1.12.0;C:\windows\system32\DRIVERS\libusb0.sys --> C:\windows\system32\DRIVERS\libusb0.sys [?]
S3 npggsvc;nProtect GameGuard Service;C:\windows\system32\GameMon.des -service --> C:\windows\system32\GameMon.des -service [?]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 RTL8167;Realtek 8167 NT Driver;C:\windows\system32\DRIVERS\Rt64win7.sys --> C:\windows\system32\DRIVERS\Rt64win7.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\windows\system32\drivers\tsusbflt.sys --> C:\windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\system32\Drivers\usbaapl64.sys --> C:\windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Serviço de Tecnologias de Ativação do Windows;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-08-19 15:55:22 -------- d-sh--w- C:\$RECYCLE.BIN
2012-08-19 15:55:02 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{CE0AF42B-5A32-4222-94DF-3FF0E63A5C94}\offreg.dll
2012-08-19 15:32:20 98816 ----a-w- C:\windows\sed.exe
2012-08-19 15:32:20 518144 ----a-w- C:\windows\SWREG.exe
2012-08-19 15:32:20 256000 ----a-w- C:\windows\PEV.exe
2012-08-19 15:32:20 208896 ----a-w- C:\windows\MBR.exe
2012-08-15 21:56:03 -------- d-----w- C:\Users\E\AppData\Local\{C238BA74-A336-484E-8546-2A0AFE84AD7D}
2012-08-15 21:55:52 -------- d-----w- C:\Users\E\AppData\Local\{DB37199D-B3F0-40F8-B1BC-CCFC3A2F5E15}
2012-08-12 12:50:43 -------- d-----w- C:\Users\E\AppData\Roaming\Waterfox Limited
2012-08-08 17:42:23 -------- d-----w- C:\Users\E\AppData\Local\{8BEA5AA3-3DEA-403B-8960-353571224847}
2012-08-08 17:42:12 -------- d-----w- C:\Users\E\AppData\Local\{69526FCE-8F3A-460D-9B7B-9062298D13DB}
2012-08-05 22:32:42 -------- d-----w- C:\Users\E\AppData\Local\{157D3345-0458-4A15-81E2-1FAD9047A4EC}
2012-08-05 22:32:16 -------- d-----w- C:\Users\E\AppData\Local\{2E5BEA6B-109E-4D78-A7C3-7A71FCAAD18E}
2012-07-31 17:03:06 -------- d-----w- C:\Users\E\AppData\Local\{FF6BFAE8-71B3-476A-8BB2-AD911829F449}
2012-07-31 17:02:55 -------- d-----w- C:\Users\E\AppData\Local\{C2E1472C-5186-49B3-8148-0450017E29F5}
2012-07-30 19:41:58 -------- d-----w- C:\Users\E\AppData\Local\{68A24E7A-F970-490F-BE22-1E948B7FE347}
2012-07-30 19:40:32 -------- d-----w- C:\Users\E\AppData\Local\{47429B24-DB6A-4D89-B444-E12957F722B5}
2012-07-27 18:49:28 -------- d-----w- C:\Users\E\AppData\Local\{8DD53C5C-B796-4A22-A5A5-19FC8A03F0E3}
2012-07-27 18:49:16 -------- d-----w- C:\Users\E\AppData\Local\{83F30B5C-71B4-4A46-B6B1-DB0ED8CAF706}
2012-07-26 14:51:44 -------- d-----w- C:\Users\E\AppData\Local\{E7D09EFA-1347-4B16-9C5C-FEF1C4EA655B}
2012-07-26 14:50:43 -------- d-----w- C:\Users\E\AppData\Local\{2271A012-447E-4D82-A789-9D71F39337BF}
2012-07-22 15:52:19 -------- d-----w- C:\Users\E\AppData\Local\{936A3A53-42BB-44BD-89A4-F89AE5E12A0A}
2012-07-22 15:52:07 -------- d-----w- C:\Users\E\AppData\Local\{84FFD483-962F-45E0-8BB7-835A1BE31776}
2012-07-21 15:53:31 -------- d-----w- C:\Users\E\AppData\Local\{4BD8EEB4-88CD-4186-8AC5-26B023258133}
2012-07-21 15:53:19 -------- d-----w- C:\Users\E\AppData\Local\{E58EB009-B144-4173-AFC7-F567B47331D6}
.
==================== Find3M ====================
.
2012-07-12 14:27:03 70344 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-12 14:27:03 426184 ----a-w- C:\windows\SysWow64\FlashPlayerApp.exe
2012-07-03 16:46:44 24904 ----a-w- C:\windows\System32\drivers\mbam.sys
2012-06-20 15:28:03 4145600 ----a-w- C:\windows\SysWow64\GameMon.des
2012-06-03 17:43:43 8769696 ----a-w- C:\windows\SysWow64\FlashPlayerInstaller.exe
2012-06-02 22:15:31 2622464 ----a-w- C:\windows\System32\wucltux.dll
2012-06-02 22:15:08 99840 ----a-w- C:\windows\System32\wudriver.dll
2012-06-02 18:19:42 186752 ----a-w- C:\windows\System32\wuwebv.dll
2012-06-02 18:15:12 36864 ----a-w- C:\windows\System32\wuapp.exe
.
============= FINISH: 13:02:00,39 ===============

 

[Blade81]

Hi,

Your logs show old Java still. Did you update it yet?

 

[enzo11]

Yes, I did update it.

 

[Blade81]

Ok then it must have been installed after the posted DDS log. Please post fresh DDS logs + a description of remaining issues (if any).

 

[enzo11]

Just ran it:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514
Run by E at 17:55:30 on 2012-08-27
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.55.1046.18.3957.2247 [GMT -3:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\nvvsvc.exe
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\WLANExt.exe
C:\windows\system32\conhost.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\System32\svchost.exe -k HPZ12
C:\windows\System32\svchost.exe -k HPZ12
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\SysWOW64\Rezip.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\windows\system32\nvvsvc.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\windows\system32\SearchIndexer.exe
C:\windows\system32\taskeng.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files (x86)\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe
C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files (x86)\Samsung\Samsung Recovery Solution 4\WCScheduler.exe
C:\Program Files (x86)\Samsung\Samsung Support Center\SSCKbdHk.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files (x86)\Rainmeter\Rainmeter.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\windows\system32\DllHost.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Waterfox\waterfox.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\system32\conhost.exe
C:\windows\SysWOW64\cscript.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn
uInternet Settings,ProxyOverride = *.local
BHO: Auxiliar de Conexão do Windows Live ID: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
{555d4d79-4bd2-4094-a395-cfc534424a05}
mRun: [UCam_Menu] "C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\RAINME~1.LNK - C:\Program Files (x86)\Rainmeter\Rainmeter.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Enviar imagem para Dispositivo &Bluetooth... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Enviar página para Dispositivo &Bluetooth ... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{DACE21EB-C065-4551-A94F-E84A92815EA3} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{DACE21EB-C065-4551-A94F-E84A92815EA3}\D4943425F454C4544525F4E4943414 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{DACE21EB-C065-4551-A94F-E84A92815EA3}\E4F647560205164756C6C6960214365627 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{F37648D8-9DE9-4418-BD56-F15E07CCD79D} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{F7BABD8C-D1ED-4CB1-92B7-CD9B5C4B5BEF} : DhcpNameServer = 192.168.0.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6}
{DBC80044-A445-435b-BC74-9C25C1C588A9}
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun-x64: [UCam_Menu] "C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
============= SERVICES / DRIVERS ===============
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\windows\system32\DRIVERS\dtsoftbus01.sys --> C:\windows\system32\DRIVERS\dtsoftbus01.sys [?]
R1 SABI;SAMSUNG Kernel Driver For Windows 7;\??\C:\windows\system32\Drivers\SABI.sys --> C:\windows\system32\Drivers\SABI.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]
R2 cpuz135;cpuz135;\??\C:\windows\system32\drivers\cpuz135_x64.sys --> C:\windows\system32\drivers\cpuz135_x64.sys [?]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-6-3 1262400]
R2 Rezip;Rezip;C:\Windows\SysWOW64\Rezip.exe [2010-6-19 311296]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2011-2-20 1153368]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2009-12-2 483688]
R3 btwampfl;Bluetooth AMP USB Filter;C:\windows\system32\drivers\btwampfl.sys --> C:\windows\system32\drivers\btwampfl.sys [?]
R3 btwl2cap;Bluetooth L2CAP Service;C:\windows\system32\DRIVERS\btwl2cap.sys --> C:\windows\system32\DRIVERS\btwl2cap.sys [?]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\windows\system32\drivers\nvhda64v.sys --> C:\windows\system32\drivers\nvhda64v.sys [?]
R3 Sftfs;Sftfs;C:\windows\system32\DRIVERS\Sftfslh.sys --> C:\windows\system32\DRIVERS\Sftfslh.sys [?]
R3 Sftplay;Sftplay;C:\windows\system32\DRIVERS\Sftplaylh.sys --> C:\windows\system32\DRIVERS\Sftplaylh.sys [?]
R3 Sftredir;Sftredir;C:\windows\system32\DRIVERS\Sftredirlh.sys --> C:\windows\system32\DRIVERS\Sftredirlh.sys [?]
R3 Sftvol;Sftvol;C:\windows\system32\DRIVERS\Sftvollh.sys --> C:\windows\system32\DRIVERS\Sftvollh.sys [?]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2009-12-2 209768]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\windows\system32\DRIVERS\yk62x64.sys --> C:\windows\system32\DRIVERS\yk62x64.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 fssfltr;fssfltr;C:\windows\system32\DRIVERS\fssfltr.sys --> C:\windows\system32\DRIVERS\fssfltr.sys [?]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2012-3-8 1492840]
S3 Impcd;Impcd;C:\windows\system32\DRIVERS\Impcd.sys --> C:\windows\system32\DRIVERS\Impcd.sys [?]
S3 libusb0;LibUsb-Win32 - Kernel Driver 08/27/2006, 0.1.12.0;C:\windows\system32\DRIVERS\libusb0.sys --> C:\windows\system32\DRIVERS\libusb0.sys [?]
S3 npggsvc;nProtect GameGuard Service;C:\windows\system32\GameMon.des -service --> C:\windows\system32\GameMon.des -service [?]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 RTL8167;Realtek 8167 NT Driver;C:\windows\system32\DRIVERS\Rt64win7.sys --> C:\windows\system32\DRIVERS\Rt64win7.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\windows\system32\drivers\tsusbflt.sys --> C:\windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\system32\Drivers\usbaapl64.sys --> C:\windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Serviço de Tecnologias de Ativação do Windows;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-08-27 20:49:19 -------- d-----w- C:\Users\E\AppData\Local\{812390CF-02A1-4DD7-9971-1CEA14086E9F}
2012-08-27 16:26:02 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{CE0AF42B-5A32-4222-94DF-3FF0E63A5C94}\offreg.dll
2012-08-26 14:47:29 -------- d-----w- C:\Users\E\AppData\Local\{5E856F48-547C-4659-B7DF-1C3E5C5CA13A}
2012-08-21 21:05:39 -------- d-----w- C:\Program Files (x86)\ESET
2012-08-21 21:00:17 108008 ----a-w- C:\windows\System32\WindowsAccessBridge-64.dll
2012-08-20 19:32:22 -------- d-----w- C:\Users\E\AppData\Local\{D12E89D4-2675-4656-9804-5D7B631B0900}
2012-08-19 22:31:22 -------- d-sh--w- C:\$RECYCLE.BIN
2012-08-19 16:30:59 -------- d-----w- C:\Users\E\AppData\Local\{3B66DABE-DF26-47DD-8344-172A9DC87F6A}
2012-08-19 15:32:20 98816 ----a-w- C:\windows\sed.exe
2012-08-19 15:32:20 518144 ----a-w- C:\windows\SWREG.exe
2012-08-19 15:32:20 256000 ----a-w- C:\windows\PEV.exe
2012-08-19 15:32:20 208896 ----a-w- C:\windows\MBR.exe
2012-08-15 21:56:03 -------- d-----w- C:\Users\E\AppData\Local\{C238BA74-A336-484E-8546-2A0AFE84AD7D}
2012-08-15 21:55:52 -------- d-----w- C:\Users\E\AppData\Local\{DB37199D-B3F0-40F8-B1BC-CCFC3A2F5E15}
2012-08-12 12:50:43 -------- d-----w- C:\Users\E\AppData\Roaming\Waterfox Limited
2012-08-08 17:42:23 -------- d-----w- C:\Users\E\AppData\Local\{8BEA5AA3-3DEA-403B-8960-353571224847}
2012-08-08 17:42:12 -------- d-----w- C:\Users\E\AppData\Local\{69526FCE-8F3A-460D-9B7B-9062298D13DB}
2012-08-05 22:32:42 -------- d-----w- C:\Users\E\AppData\Local\{157D3345-0458-4A15-81E2-1FAD9047A4EC}
2012-08-05 22:32:16 -------- d-----w- C:\Users\E\AppData\Local\{2E5BEA6B-109E-4D78-A7C3-7A71FCAAD18E}
2012-07-31 17:03:06 -------- d-----w- C:\Users\E\AppData\Local\{FF6BFAE8-71B3-476A-8BB2-AD911829F449}
2012-07-31 17:02:55 -------- d-----w- C:\Users\E\AppData\Local\{C2E1472C-5186-49B3-8148-0450017E29F5}
2012-07-30 19:41:58 -------- d-----w- C:\Users\E\AppData\Local\{68A24E7A-F970-490F-BE22-1E948B7FE347}
2012-07-30 19:40:32 -------- d-----w- C:\Users\E\AppData\Local\{47429B24-DB6A-4D89-B444-E12957F722B5}
.
==================== Find3M ====================
.
2012-08-21 21:00:03 916456 ----a-w- C:\windows\System32\deployJava1.dll
2012-08-21 21:00:03 1034216 ----a-w- C:\windows\System32\npdeployJava1.dll
2012-08-19 21:46:06 70344 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-19 21:46:06 426184 ----a-w- C:\windows\SysWow64\FlashPlayerApp.exe
2012-07-03 16:46:44 24904 ----a-w- C:\windows\System32\drivers\mbam.sys
2012-06-20 15:28:03 4145600 ----a-w- C:\windows\SysWow64\GameMon.des
2012-06-03 17:43:43 8769696 ----a-w- C:\windows\SysWow64\FlashPlayerInstaller.exe
2012-06-02 22:15:31 2622464 ----a-w- C:\windows\System32\wucltux.dll
2012-06-02 22:15:08 99840 ----a-w- C:\windows\System32\wudriver.dll
2012-06-02 18:19:42 186752 ----a-w- C:\windows\System32\wuwebv.dll
2012-06-02 18:15:12 36864 ----a-w- C:\windows\System32\wuapp.exe
.
============= FINISH: 17:57:02,90 ===============

 

[Blade81]

Hi,

attach.txt log contents is missing.

 

[enzo11]

Oh, sorry!Here it is.

 

[Blade81]

That looks ok Any symptoms left?

 

[enzo11]

Malware Bytes is not detecting anything else and I'm not noticing anything abnormal too.

Thanks for your time Blade! =)

 

[enzo11]

Wait, suddenly ""c:\windows\SysWOW64\cmd.exe" /c (something on AppData)" is trying to run by itself.

Not sure if it's related with the rootkit.

 

[Blade81]

suddenly ""c:\windows\SysWOW64\cmd.exe" /c (something on AppData)" is trying to run by itself.

Do you have exact path what is trying to run from AppData? Were you doing something when that notification popped up?

 

[enzo11]

I couldn't make the Windows notification window show the entire path, unfortunately.It was a folder with random numbers at the start.

I was just browsing a couple of message boards at the time.