
permanently remove BackDoor:Win32/Fynloski.A

This is a discussion on permanently removing BackDoor:Win32/Fynloski.A within the Resolved HJT Threads forums, part of the Tech Support Forum category.
12-03-2012, 09:51 AM   #1
Registered User
Join Date: Nov 2012
Posts: 25
OS: Windows 7 SP1
I have a virus that seems to keep returning to my computer despite MS Security Essentials claiming it has been removed... the virus is BackDoor:Win32/Fynloski.A in a file named "process:pid:3996" the information on the virus from MS Security Essentials is here Encyclopedia entry: Backdoor:Win32/Fynloski.A - Learn more about malware - Microsoft Malware Protection Center


my AV has so called removed the virus 10 times but it keeps returning!!! can someone help me permanently remove it???

-- moltres_rider
12-03-2012, 07:42 PM   #2
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Microsoft Most Valuable Professional
Join Date: Oct 2007
Location: Georgia
Posts: 26,518
OS: XP SP3; Win7 32/64-bit
Hello and Welcome to TSF.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

We want all our members to perform the steps outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help - Tech Support Forum

After running through all the steps, you shall have a proper set of logs. Please post/attach the logs in your next reply.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

------------------------------------------------------

If your machine is 64-bit...

Please download aswMBR.exe to your desktop.
  • Double-click aswMBR.exe to run it.
  • When prompted to download the latest Avast! virus definitions, please choose Yes
  • Click the Scan button to start scan.
  • Wait until it says, 'Scan finished successfully'. ( Note - do not select any Fix at this time)
  • Click Save log, and save it to your desktop.
  • Click Exit.
  • Please post the contents of that log, aswMBR.txt, in your next reply.
There shall also be a file on your desktop named MBR.dat. Right-click that file and select Send To > Compressed (zipped) folder. Please attach that zipped file in your next reply.

------------------------------------------------------

When you run this tool, remember to choose 'Skip' not 'Cure' if it finds something. We just want a scan, not a fix.

Download tdsskiller.exe and Save it to your Desktop.

Double-click tdsskiller.exe and click 'Run'

Click 'Start scan'.

If no infection is found, click 'Close' and let me know.

If an infection is found, select 'Skip' from the dropdown menu under 'Cure' then click 'Continue' > 'Close' > 'Close'.

It will produce a log here > C:\TDSSKiller.2.8.15.0_date_time_log.txt

Please navigate to the file, double-click to open it, and copy/paste the contents in your next reply.

------------------------------------------------------

-- chemist
Our services are free, but you may contribute to the author of ComboFix via PayPal
Proud member of UNITE
12-04-2012, 05:46 AM   #3
Registered User
Join Date: Nov 2012
Posts: 25
OS: Windows 7 SP1
here's all the logs...

I did have an issue where gmer.exe REALLY slowed down my system during its scan!!! even normal error sounds were slow and distorted because of how much gmer.exe slowed my system down!!! and if I had a dollar for every time gmer.exe scanned a file it already scanned, I'd be rich!!! even after the scan, my system was still pretty slow... not as slow but not up to par...

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16455 BrowserJavaVersion: 1.6.0_37
Run by Justin RPG at 5:45:53 on 2012-12-04
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3574.1745 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Enabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\PeerBlock\peerblock.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Steam\Steam.exe
C:\Users\Justin RPG\AppData\Local\Google\Update\1.3.21.123\GoogleCrashHandler.exe
C:\Users\Justin RPG\AppData\Roaming\Microsoft\Windows\Templates\spsreng.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_24288096a5cd99f6\aestsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\MAGIX Services\Database\bin\FABS.exe
C:\Windows\system32\srvany.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\KMService.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_24288096a5cd99f6\STacSV.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Users\Justin RPG\AppData\Local\Temp\dmview.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Program Files\Common Files\Steam\SteamService.exe
C:\Program Files\Nero\Update\NASvc.exe
C:\Program Files\PowerMenu\PowerMenu.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\naturalsoft\naturalreader9\NaturalReader95.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\real\realplayer\update\realsched.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\explorer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe
C:\Program Files\TeamViewer\Version8\TeamViewer.exe
C:\Program Files\TeamViewer\Version8\tv_w32.exe
C:\Program Files\Screaming Bee\MorphVOX Pro\MorphVOXPro.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_110.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_110.exe
C:\bb\bbw.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Microsoft Security Client\MpCmdRun.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\System32\svchost.exe -k WerSvcGroup
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-tyc9
uSearch Bar = Preserve
mStart Page = hxxp://www.yahoo.com/?ilc=8
mDefault_Page_URL = hxxp://www.yahoo.com/?ilc=8
uProxyServer = hxxp=;ftp=;https=;
uURLSearchHooks: {bde6f3a2-2ce8-4430-94e0-cd4ce39eeb0d} - <orphaned>
mURLSearchHooks: {f2c43291-151e-499c-98a7-923c120b88fa} - <orphaned>
mWinlogon: Userinit = c:\windows\system32\userinit.exe,c:\users\justin rpg\documents\msdcsc\msdcsc.exe
BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Show Naturalreader Bar: {127AD70F-B2B7-4f6a-ACD9-C7B1FE48C8C0} - c:\windows\system32\msiexec.exe
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {f2c43291-151e-499c-98a7-923c120b88fa} - <orphaned>
TB: <No Name>: - LocalServer32 - <no file>
TB: Naturalsoft IE Bar V9: {ae07101b-46d4-4a98-af68-0333ea26e113} -
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: TextAloud: {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - c:\program files\textaloud\TAForIE.dll
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe
uRun: [Google Update] "c:\users\justin rpg\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [Activex Application Updater] c:\users\justin rpg\appdata\roaming\microsoft\windows\templates\spsreng.exe
uRun: [MicroUpdate] c:\users\justin rpg\documents\msdcsc\msdcsc.exe
uRun: [winlogon] c:\users\justin rpg\appdata\local\temp\winogon.exe
uRun: [cftmon.exe] c:\users\justin~1\appdata\local\temp\jre_setup2.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] c:\program files\sigmatel\c-major audio\wdm\sttray.exe
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [Bomgar_Cleanup_ZD1669671774] cmd.exe /C rd /S /Q "c:\programdata\bomgar-scc-4ff387f3" & reg delete hkcu\software\microsoft\windows\currentversion\Run /v Bomgar_Cleanup_ZD1669671774 /f
StartupFolder: c:\users\justin rpg\appdata\roaming\microsoft\windows\start menu\programs\startup\Pokémon.txt
StartupFolder: c:\users\justin~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\powerm~1.lnk - c:\program files\powermenu\PowerMenu.exe
StartupFolder: c:\users\justin~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\teamvi~2.lnk - c:\program files\teamviewer\version8\TeamViewer.exe
uPolicies-Explorer: NoDriveAutorun = dword:0
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: Free YouTube Download - c:\users\justin rpg\appdata\roaming\dvdvideosoftiehelpers\freeytvdownloader.htm
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} - hxxp://simcity.ea.com/exchange/lots/teleport/MaxisSimCity4LotTeleX.cab
DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
TCP: NameServer = 75.75.76.76 75.75.75.75
TCP: Interfaces\{49CD04F5-14EE-4D2B-9AEB-1507ED9ECC14} : DHCPNameServer = 75.75.76.76 75.75.75.75
TCP: Interfaces\{49CD04F5-14EE-4D2B-9AEB-1507ED9ECC14}\050544943545C49424F5055726C69636 : DHCPNameServer = 208.25.96.18 208.25.96.3
TCP: Interfaces\{49CD04F5-14EE-4D2B-9AEB-1507ED9ECC14}\2456C6B696E6F5E4B2F5141363230383 : DHCPNameServer = 192.168.2.1 192.168.2.1
TCP: Interfaces\{49CD04F5-14EE-4D2B-9AEB-1507ED9ECC14}\4556E64616 : DHCPNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{49CD04F5-14EE-4D2B-9AEB-1507ED9ECC14}\4586164734F66666565605C6163656 : DHCPNameServer = 208.25.96.18 208.25.96.3
TCP: Interfaces\{49CD04F5-14EE-4D2B-9AEB-1507ED9ECC14}\84F4D454D293347383 : DHCPNameServer = 75.75.76.76 75.75.75.75
TCP: Interfaces\{49CD04F5-14EE-4D2B-9AEB-1507ED9ECC14}\C696E6B6379737 : DHCPNameServer = 24.247.15.53 66.189.0.100 24.178.162.3
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\justin rpg\appdata\roaming\mozilla\firefox\profiles\yjykorwg.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=mkg030&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://www.facebook.com/home.php
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mkg030&p=
FF - prefs.js: network.proxy.gopher -
FF - prefs.js: network.proxy.gopher_port - 0
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nprpplugin.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprpplugin.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\users\justin rpg\appdata\local\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\users\justin rpg\appdata\local\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_110.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
FF - plugin: c:\windows\system32\wat\npWatWeb.dll
FF - ExtSQL: 2012-10-09 22:04; rsDownloader@163.com; c:\users\justin rpg\appdata\roaming\mozilla\firefox\profiles\yjykorwg.default\extensions\rsDownloader@163.com.xpi
FF - ExtSQL: 2012-10-22 06:56; {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}; c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}
FF - ExtSQL: 2012-10-25 23:14; {ACAA314B-EEBA-48e4-AD47-84E31C44796C}; c:\users\justin rpg\appdata\roaming\mozilla\firefox\profiles\yjykorwg.default\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}.xpi
.
---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - );user_pref(yahoo.ytff.general.dontshowhpoffer, true);user_pref(general.useragent.extra.zencast,
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-8-30 193552]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_x86_neutral_24288096a5cd99f6\AEstSrv.exe [2011-1-9 73728]
R2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files\common files\magix services\database\bin\FABS.exe [2009-8-27 1253376]
R2 KMService;KMService;c:\windows\system32\srvany.exe [2012-6-20 8192]
R2 NAUpdate;Nero Update;c:\program files\nero\update\NASvc.exe [2012-7-13 769432]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 99272]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-9-12 287824]
R3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-7-21 20080]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2010-7-1 34896]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [2011-7-15 17792]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-7-13 311296]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 nginxForMuseum;Museum HTTP Interface;"c:\museum\svc\nginxsvc.exe" --> c:\museum\svc\nginxSvc.exe [?]
S2 phpCgiForMuseum;PHP-CGI for Museum;"c:\museum\svc\phpcgisvc.exe" --> c:\museum\svc\phpCgiSvc.exe [?]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 bcm;WiMAX Network Adapter;c:\windows\system32\drivers\drxvi314.sys [2010-3-26 319488]
S3 bcmbusctr;WiMAX Bus Driver;c:\windows\system32\drivers\BcmBusCtr.sys [2010-3-26 51456]
S3 DfSdkS;Defragmentation-Service;c:\program files\ashampoo\ashampoo winoptimizer 6\DfSdkS.exe [2010-9-29 410976]
S3 DIFMBUS;Franklin EVDO USB Modem Composite Device Driver;c:\windows\system32\drivers\DIFMBUS.sys [2010-4-28 56392]
S3 DIFMCVsp;Franklin EVDO USB Modem CM Port;c:\windows\system32\drivers\DIFMCVsp.sys [2010-4-28 164552]
S3 DIFMMdm;Franklin EVDO USB Modem;c:\windows\system32\drivers\DIFMMdm.sys [2010-4-28 164552]
S3 DIFMNET;Franklin EVDO USB Modem Network Adapter;c:\windows\system32\drivers\DIFMNET.sys [2010-5-4 105544]
S3 DIFMNVsp;Franklin EVDO USB Modem NMEA Port Serial Port;c:\windows\system32\drivers\DIFMNVsp.sys [2010-4-28 164552]
S3 DIFMVsp;Franklin EVDO USB Modem Diagnostics Port;c:\windows\system32\drivers\DIFMVsp.sys [2010-4-28 164552]
S3 dsiarhwprog;dsiarhwprog;c:\windows\system32\drivers\dsiarhwprog.sys [2011-10-6 29184]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\common files\magix services\database\bin\fbserver.exe [2008-8-7 3276800]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2010-6-8 20480]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2010-6-8 174720]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-6-11 15872]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2012-8-2 27192]
S3 sc4stupmngrService;SimCity4 Startup Manager Service;c:\program files\simcity4 startupmanager\sumservice.exe [2007-6-2 133120]
S3 ssmirrdr;ssmirrdr;c:\windows\system32\drivers\ssmirrdr.sys [2012-6-14 10112]
S3 tenCapture;tenCapture;c:\windows\system32\drivers\tenCapture.sys [2007-4-21 9344]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-6-11 52224]
S3 VBoxUSB;VirtualBox USB;c:\windows\system32\drivers\VBoxUSB.sys [2012-5-22 82776]
S4 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-7-22 1343400]
.
=============== File Associations ===============
.
FileExt: .scr: scrfile="%1" %*
FileExt: .reg: regfile="regedit.exe" "%1"
.
=============== Created Last 30 ================
.
2012-12-03 18:15:16 6812136 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{c0a8387d-dede-4695-8c57-329c96bfb212}\mpengine.dll
2012-12-02 18:14:45 6812136 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-12-01 14:36:17 -------- dc----w- c:\users\justin rpg\New folder
2012-11-29 20:56:14 -------- dc----w- c:\program files\PowerMenu
2012-11-29 01:42:30 740840 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{8d3c88f4-96e0-4ad2-82c8-e8145a883724}\gapaengine.dll
2012-11-28 21:12:50 -------- dc----w- c:\users\justin rpg\appdata\roaming\VS Revo Group
2012-11-27 17:10:42 -------- d-----w- C:\VRML
2012-11-26 02:42:46 120376 -c--a-w- c:\users\justin rpg\appdata\roaming\microsoft\Audiodg.exe
2012-11-14 07:13:20 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-11-14 07:13:19 78336 ----a-w- c:\windows\system32\synceng.dll
2012-11-12 20:59:26 -------- dc----w- c:\program files\Nero
2012-11-12 20:58:56 -------- dc----w- c:\programdata\Nero
2012-11-12 20:24:40 57344 ----a-w- c:\windows\system32\Wnaspint.dll
2012-11-12 20:24:40 32768 ----a-w- c:\windows\system32\Wnaspi32.dll
2012-11-12 20:24:37 -------- dc----w- c:\users\justin rpg\appdata\roaming\Acoustica
2012-11-12 20:12:55 -------- dc----w- c:\program files\Ultra MP3 CD Burner
2012-11-12 19:52:06 -------- dc----w- c:\program files\Audio CD Burner Studio
2012-11-10 15:53:34 1065984 -c--a-w- c:\users\justin rpg\appdata\roaming\JPGImg3992ma9gf94loap.exe
.
==================== Find3M ====================
.
2012-11-14 20:29:23 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-11-14 20:29:22 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-01 18:02:16 12465134 ----a-w- c:\windows\system32\Still Obligated To Lick Rydia's Vagina.scr
2012-10-24 17:23:59 503808 -c--a-w- c:\windows\system32\msvcp71.dll
2012-10-19 10:04:35 0 -c-ha-w- c:\users\justin rpg\appdata\roaming\.24422B084E6B54B1.sys
2012-10-11 01:07:19 0 -c-ha-w- c:\users\justin rpg\appdata\roaming\.24422B0854E81EB0.sys
2012-10-10 18:20:40 0 -c-ha-w- c:\users\justin rpg\appdata\roaming\.24422B08B82D4E27.sys
2012-10-10 18:19:46 0 -c-ha-w- c:\users\justin rpg\appdata\roaming\.24422B082C7AD373.sys
2012-10-10 18:19:07 0 -c-ha-w- c:\users\justin rpg\appdata\roaming\.24422B08D2AEB6BA.sys
2012-10-10 18:13:14 0 -c-ha-w- c:\users\justin rpg\appdata\roaming\.24422B0820077819.sys
2012-10-08 07:56:24 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-10-08 07:48:03 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-10-08 07:47:44 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-10-08 07:44:05 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-10-08 07:43:21 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-10-08 07:40:56 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-10-07 12:11:41 0 -c-ha-w- c:\users\justin rpg\appdata\roaming\.24422B08FAA8DB40.sys
2012-10-07 12:09:46 0 -c-ha-w- c:\users\justin rpg\appdata\roaming\.24422B08FAA8DB3F.sys
2012-10-07 02:34:34 2892 ----a-w- c:\windows\system32\audcon.sys
2012-10-07 02:26:10 2249 ----a-w- C:\FLVDirect.exe
2012-10-06 00:26:09 20221646 ----a-w- c:\windows\system32\Dragoness sex.scr
2012-10-06 00:24:37 14087538 ----a-w- c:\windows\system32\dragoness sex first person.scr
2012-09-30 21:35:17 348160 ----a-w- c:\windows\system32\msvcr71.dll
2012-09-24 19:32:24 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-09-24 19:32:20 473072 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-14 18:28:53 2048 ----a-w- c:\windows\system32\tzres.dll
2012-09-07 22:38:28 116056 ----a-w- c:\windows\system32\drivers\VBoxNetFlt.sys
2012-09-07 22:38:28 104792 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys
2012-09-07 22:38:26 91992 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys
2012-09-07 22:38:26 158552 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys
2012-09-07 22:38:24 135512 ----a-w- c:\windows\system32\VBoxNetFltNobj.dll
2012-07-12 08:28:44 2174976 -c--a-w- c:\program files\common files\atimpenc.dll
.
============= FINISH: 5:48:37.64 ===============
Attached Files: attach.zip (45.7 KB)
-- moltres_rider
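A triage script for the 'Pseudo HJT Report' section of the DDS log above, added here as an example; it is not code from the thread, from DDS or from the TSF team. It flags the Winlogon Userinit value that has a second executable appended after userinit.exe, Run entries whose image lives in a user-writable directory, Run value names that copy or shuffle a Windows process name (the cftmon/ctfmon entry), and orphaned CLSID registrations. The sample lines are copied from the log above; the directory list, the process-name list and the anagram check are this example's own assumptions, not anything DDS does.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log for persistence entries
that need a closer look. The heuristics are this example's own assumptions."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the DDS 'Pseudo HJT Report' lines posted in
# this thread, copied verbatim (DDS prints bare paths unquoted).
SAMPLE_DDS = r"""
mWinlogon: Userinit = c:\windows\system32\userinit.exe,c:\users\justin rpg\documents\msdcsc\msdcsc.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [Google Update] "c:\users\justin rpg\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Activex Application Updater] c:\users\justin rpg\appdata\roaming\microsoft\windows\templates\spsreng.exe
uRun: [MicroUpdate] c:\users\justin rpg\documents\msdcsc\msdcsc.exe
uRun: [winlogon] c:\users\justin rpg\appdata\local\temp\winogon.exe
uRun: [cftmon.exe] c:\users\justin~1\appdata\local\temp\jre_setup2.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
uURLSearchHooks: {bde6f3a2-2ce8-4430-94e0-cd4ce39eeb0d} - <orphaned>
"""

# Windows processes that never register themselves under a Run key; a Run value
# carrying one of these names (or a letter-shuffle of one) is imitation.
SYSTEM_PROCESS_NAMES = {"winlogon", "csrss", "lsass", "svchost", "ctfmon",
                        "userinit", "smss", "explorer", "services"}

# Directories a user can write to without elevation; legitimate autoruns rarely
# live there, so an image path under one of them deserves a second look.
USER_WRITABLE_DIRS = ("/appdata/local/temp/", "/appdata/roaming/",
                      "/documents/", "/users/public/")

RUN_RE = re.compile(r"^[umd]Run: \[(?P<name>[^\]]+)\] (?P<value>.*)$")
USERINIT_RE = re.compile(r"^mWinlogon: Userinit = (?P<value>.*)$")
IMAGE_RE = re.compile(r"(?i)(.*?\.(?:exe|scr|bat|cmd|dll))\b")


@dataclass
class Finding:
    line: str
    reasons: list


def image_path(value):
    """Extract the executable path from a Run value, quoted or bare."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    m = IMAGE_RE.match(value)
    return m.group(1) if m else value.split(" ")[0]


def in_user_writable_dir(path):
    """Compare on a lower-cased, forward-slash form of the path."""
    p = path.lower().replace("\\", "/")
    return any(d in p for d in USER_WRITABLE_DIRS)


def lookalike(name):
    """True if the Run value name equals or anagrams a system process name."""
    base = name.lower()
    if base.endswith(".exe"):
        base = base[:-4]
    return any(sorted(base) == sorted(real) for real in SYSTEM_PROCESS_NAMES)


def triage(dds_text):
    """Return one Finding per suspicious line, with every reason that fired."""
    findings = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = []
        m = USERINIT_RE.match(line)
        if m:
            # Userinit should name exactly one image, system32\userinit.exe.
            # Anything appended after the comma runs at every interactive logon.
            for entry in m.group("value").split(","):
                entry = entry.strip()
                if entry and not entry.lower().endswith("\\system32\\userinit.exe"):
                    reasons.append("extra Userinit executable: " + entry)
        m = RUN_RE.match(line)
        if m:
            path = image_path(m.group("value"))
            if in_user_writable_dir(path):
                reasons.append("autorun image in user-writable directory: " + path)
            if lookalike(m.group("name")):
                reasons.append("value name imitates a system process: " + m.group("name"))
        if "<orphaned>" in line:
            reasons.append("orphaned registration: CLSID with no backing file")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

Run against the sample it reports six lines and leaves the Google Update entry alone even though it sits under AppData, since that path is outside the listed directories.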
12-04-2012, 09:21 AM   #4
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Microsoft Most Valuable Professional
Join Date: Oct 2007
Location: Georgia
Posts: 26,518
OS: XP SP3; Win7 32/64-bit
Hello again, moltres_rider.

One or more of the identified infections is a backdoor trojan/rootkit.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please refer to Microsoft's Online Safety article for tips on creating a strong password.

Do not change passwords or do any transactions from the infected computer until it has been cleaned.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.

Emergency Backup Procedure - Tech Support Forum

------------------------------------------------------

Please download ComboFix and Save it to your Desktop.

**Note: It is important that it is saved directly to your desktop**

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Double-click ComboFix.exe and follow the prompts to run it.

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, C:\ComboFix.txt, in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

If you get an 'Illegal operation attempted on a Registry key which has been marked for deletion' error message, please reboot your machine.

------------------------------------------------------
-- chemist
12-04-2012, 06:00 PM   #5
Registered User
Join Date: Nov 2012
Posts: 25
OS: Windows 7 SP1
ok, I ran combofix... it backed up my registry, but NOTHING HAPPENS afterwards!!!! no log, no scan of ANY sort!!!
-- moltres_rider
12-04-2012, 06:26 PM   #6
Registered User
Join Date: Nov 2012
Posts: 25
OS: Windows 7 SP1
combofix popped during my editing of my last post and closed Firefox... was going to say that combofix started after I submitted the message... I had to run combofix twice... here is the log...

ComboFix 12-12-04.01 - Justin RPG 12/04/2012 20:02:39.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3574.1759 [GMT -5:00]
Running from: c:\users\Justin RPG\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\data
c:\data\Arturia.exe
c:\data\set.exe
c:\program files\Common Files\Logo.ico
c:\users\Justin RPG\AppData\Roaming\JPGImg3992ma9gf94loap.exe
c:\users\Justin RPG\AppData\Roaming\Justin RPGlog.dat
c:\users\Justin RPG\AppData\Roaming\Microsoft\Audiodg.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-11-05 to 2012-12-05 )))))))))))))))))))))))))))))))
.
.
2012-12-05 01:16 . 2012-12-05 01:17 -------- dc----w- c:\users\Justin RPG\AppData\Local\temp
2012-12-05 01:16 . 2012-12-05 01:16 -------- dc----w- c:\users\Default\AppData\Local\temp
2012-12-04 21:57 . 2012-12-04 21:57 -------- dc----w- c:\program files\iPod
2012-12-04 21:57 . 2012-12-04 21:58 -------- dc----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2012-12-04 21:57 . 2012-12-04 21:58 -------- dc----w- c:\program files\iTunes
2012-12-04 18:14 . 2012-11-08 18:00 6812136 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{75A973B3-B3B6-48AC-8AA0-FDBE92C27173}\mpengine.dll
2012-12-03 18:15 . 2012-11-08 18:00 6812136 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-12-01 14:36 . 2012-12-01 14:36 -------- dc----w- c:\users\Justin RPG\New folder
2012-11-29 20:56 . 2012-11-29 20:56 -------- dc----w- c:\program files\PowerMenu
2012-11-29 01:42 . 2012-11-29 01:20 740840 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8D3C88F4-96E0-4AD2-82C8-E8145A883724}\gapaengine.dll
2012-11-28 21:12 . 2012-11-28 21:12 -------- dc----w- c:\users\Justin RPG\AppData\Roaming\VS Revo Group
2012-11-27 17:10 . 2012-11-27 17:10 -------- d-----w- C:\VRML
2012-11-14 07:13 . 2012-10-18 17:59 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-11-14 07:13 . 2012-09-25 22:47 78336 ----a-w- c:\windows\system32\synceng.dll
2012-11-12 21:02 . 2012-11-12 21:04 -------- dc----w- c:\users\Justin RPG\AppData\Roaming\Nero
2012-11-12 20:59 . 2012-11-12 21:01 -------- dc----w- c:\program files\Common Files\Nero
2012-11-12 20:59 . 2012-11-12 21:01 -------- dc----w- c:\program files\Nero
2012-11-12 20:58 . 2012-11-12 21:02 -------- dc----w- c:\programdata\Nero
2012-11-12 20:24 . 2007-08-07 16:32 57344 ----a-w- c:\windows\system32\Wnaspint.dll
2012-11-12 20:24 . 2007-08-07 15:58 32768 ----a-w- c:\windows\system32\Wnaspi32.dll
2012-11-12 20:24 . 2012-11-12 20:24 -------- dc----w- c:\users\Justin RPG\AppData\Roaming\Acoustica
2012-11-12 20:12 . 2012-11-12 20:19 -------- dc----w- c:\program files\Ultra MP3 CD Burner
2012-11-12 19:52 . 2012-11-12 20:04 -------- dc----w- c:\program files\Audio CD Burner Studio
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-14 20:29 . 2012-07-08 18:48 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-11-14 20:29 . 2012-07-08 18:48 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-01 18:02 . 2012-11-01 18:17 12465134 ----a-w- c:\windows\system32\Still Obligated To Lick Rydia's Vagina.scr
2012-10-27 11:27 . 2012-10-27 11:27 9216 -c-h--r- c:\users\Justin RPG\AppData\Roaming\Microsoft\Windows\Templates\spsreng.exe
2012-10-24 17:23 . 2012-08-30 17:26 503808 -c--a-w- c:\windows\system32\msvcp71.dll
2012-10-19 10:04 . 2012-10-19 10:04 0 -c-ha-w- c:\users\Justin RPG\AppData\Roaming\.24422B084E6B54B1.sys
2012-10-11 01:07 . 2012-10-11 01:07 0 -c-ha-w- c:\users\Justin RPG\AppData\Roaming\.24422B0854E81EB0.sys
2012-10-10 18:20 . 2012-10-10 18:20 0 -c-ha-w- c:\users\Justin RPG\AppData\Roaming\.24422B08B82D4E27.sys
2012-10-10 18:19 . 2012-10-10 18:19 0 -c-ha-w- c:\users\Justin RPG\AppData\Roaming\.24422B082C7AD373.sys
2012-10-10 18:19 . 2012-10-10 18:19 0 -c-ha-w- c:\users\Justin RPG\AppData\Roaming\.24422B08D2AEB6BA.sys
2012-10-10 18:13 . 2012-10-10 18:13 0 -c-ha-w- c:\users\Justin RPG\AppData\Roaming\.24422B0820077819.sys
2012-10-07 12:11 . 2012-10-07 12:11 0 -c-ha-w- c:\users\Justin RPG\AppData\Roaming\.24422B08FAA8DB40.sys
2012-10-07 12:09 . 2012-10-07 12:09 0 -c-ha-w- c:\users\Justin RPG\AppData\Roaming\.24422B08FAA8DB3F.sys
2012-10-07 02:34 . 2012-10-07 02:34 2892 ----a-w- c:\windows\system32\audcon.sys
2012-10-06 00:26 . 2012-10-06 00:35 20221646 ----a-w- c:\windows\system32\Dragoness sex.scr
2012-10-06 00:24 . 2012-10-06 00:35 14087538 ----a-w- c:\windows\system32\dragoness sex first person.scr
2012-10-03 18:22 . 2011-01-28 00:24 740784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-09-30 21:35 . 2011-11-28 17:50 348160 ----a-w- c:\windows\system32\msvcr71.dll
2012-09-24 19:32 . 2012-06-28 11:57 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-09-24 19:32 . 2010-08-11 02:23 473072 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-14 18:28 . 2012-10-10 13:56 2048 ----a-w- c:\windows\system32\tzres.dll
2012-09-07 22:38 . 2012-09-07 22:38 116056 ----a-w- c:\windows\system32\drivers\VBoxNetFlt.sys
2012-09-07 22:38 . 2012-09-07 22:38 104792 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys
2012-09-07 22:38 . 2012-09-08 22:37 158552 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys
2012-09-07 22:38 . 2012-09-08 22:37 91992 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys
2012-09-07 22:38 . 2012-09-07 22:38 135512 ----a-w- c:\windows\system32\VBoxNetFltNobj.dll
2012-07-12 08:28 . 2012-07-12 08:28 2174976 -c--a-w- c:\program files\Common Files\atimpenc.dll
2012-12-01 23:52 . 2012-12-01 23:51 262112 -c--a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2009-03-05 22:08 . 2012-12-01 23:51 49664 -c--a-w- c:\program files\mozilla firefox\components\FFComm.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{127AD70F-B2B7-4f6a-ACD9-C7B1FE48C8C0}]
2010-11-20 12:17 73216 ----a-w- c:\windows\System32\msiexec.exe
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2010-06-30 1652736]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2010-11-07 1866864]
"Steam"="c:\program files\Steam\Steam.exe" [2012-08-05 1353080]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 150552]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2008-02-15 405504]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 815104]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-04-05 288040]
"TkBellExe"="c:\program files\real\realplayer\Update\realsched.exe" [2012-09-30 296096]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-11-29 151952]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Bomgar_Cleanup_ZD1669671774"="rd" [X]
.
c:\users\Justin RPG\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Pokémon.txt [2011-12-15 18]
PowerMenu.lnk - c:\program files\PowerMenu\PowerMenu.exe [2002-12-19 57344]
TeamViewer 8.lnk - c:\program files\TeamViewer\Version8\TeamViewer.exe [2012-12-3 9873320]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Users^Justin RPG^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^info.lnk]
path=c:\users\Justin RPG\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\info.lnk
backup=c:\windows\pss\info.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2011-11-24 04:05 6497592 -c--a-w- c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2012-07-01 19:16 399736 -c--a-w- c:\program files\uTorrent\uTorrent.exe
.
R1 SASDIFSV;SASDIFSV;c:\users\JUSTIN~1\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\users\JUSTIN~1\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.SYS [x]
R2 nginxForMuseum;Museum HTTP Interface;c:\museum\svc\nginxSvc.exe [x]
R2 phpCgiForMuseum;PHP-CGI for Museum;c:\museum\svc\phpCgiSvc.exe [x]
R3 bcm;WiMAX Network Adapter;c:\windows\system32\DRIVERS\drxvi314.sys [x]
R3 bcmbusctr;WiMAX Bus Driver;c:\windows\system32\DRIVERS\BcmBusCtr.sys [x]
R3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 6\Dfsdks.exe [x]
R3 DIFMBUS;Franklin EVDO USB Modem Composite Device Driver;c:\windows\system32\DRIVERS\DIFMBUS.sys [x]
R3 DIFMCVsp;Franklin EVDO USB Modem CM Port;c:\windows\system32\DRIVERS\DIFMCVsp.sys [x]
R3 DIFMMdm;Franklin EVDO USB Modem;c:\windows\system32\DRIVERS\DIFMMdm.sys [x]
R3 DIFMNET;Franklin EVDO USB Modem Network Adapter;c:\windows\system32\DRIVERS\DIFMNET.sys [x]
R3 DIFMNVsp;Franklin EVDO USB Modem NMEA Port Serial Port;c:\windows\system32\DRIVERS\DIFMNVsp.sys [x]
R3 DIFMVsp;Franklin EVDO USB Modem Diagnostics Port;c:\windows\system32\DRIVERS\DIFMVsp.sys [x]
R3 dsiarhwprog;dsiarhwprog;c:\windows\system32\Drivers\dsiarhwprog.sys [x]
R3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\Common Files\MAGIX Services\Database\bin\fbserver.exe [x]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\40C0.tmp [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\DRIVERS\NwUsbCdFil.sys [x]
R3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\DRIVERS\nwusbser2.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [x]
R3 sc4stupmngrService;SimCity4 Startup Manager Service;c:\program files\SimCity4 StartupManager\sumservice.exe [x]
R3 ssmirrdr;ssmirrdr;c:\windows\system32\DRIVERS\ssmirrdr.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 tenCapture;tenCapture;c:\windows\system32\DRIVERS\tenCapture.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VBoxUSB;VirtualBox USB;c:\windows\system32\Drivers\VBoxUSB.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R4 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [x]
S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [x]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_24288096a5cd99f6\aestsrv.exe [x]
S2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files\Common Files\MAGIX Services\Database\bin\FABS.exe [x]
S2 KMService;KMService;c:\windows\system32\srvany.exe [x]
S2 NAUpdate;Nero Update;c:\program files\Nero\Update\NASvc.exe [x]
S2 TeamViewer8;TeamViewer 8;c:\program files\TeamViewer\Version8\TeamViewer_Service.exe [x]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [x]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [x]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [x]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [x]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [x]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [x]
S3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [x]
S3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\DRIVERS\vcsvad.sys [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 36050736
*NewlyCreated* - PXDIIFOC
*Deregistered* - 36050736
*Deregistered* - pxdiifoc
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-05 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-08 20:29]
.
2012-12-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-07-18 02:18]
.
2012-12-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-07-18 02:18]
.
2012-12-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2591293009-346408578-2920319941-1000Core.job
- c:\users\Justin RPG\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-07 23:45]
.
2012-12-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2591293009-346408578-2920319941-1000UA.job
- c:\users\Justin RPG\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-07 23:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-tyc9
mStart Page = hxxp://www.yahoo.com/?ilc=8
uInternet Settings,ProxyServer = http=;ftp=;https=;
uInternet Settings,ProxyOverride = *.local
IE: Free YouTube Download - c:\users\Justin RPG\AppData\Roaming\DVDVideoSoftIEHelpers\freeytvdownloader.htm
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
FF - ProfilePath - c:\users\Justin RPG\AppData\Roaming\Mozilla\Firefox\Profiles\yjykorwg.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=mkg030&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://www.facebook.com/home.php
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mkg030&p=
FF - prefs.js: network.proxy.gopher -
FF - prefs.js: network.proxy.gopher_port - 0
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2012-10-09 22:04; rsDownloader@163.com; c:\users\Justin RPG\AppData\Roaming\Mozilla\Firefox\Profiles\yjykorwg.default\extensions\rsDownloader@163.com.xpi
FF - ExtSQL: 2012-10-22 06:56; {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}; c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}
FF - ExtSQL: 2012-10-25 23:14; {ACAA314B-EEBA-48e4-AD47-84E31C44796C}; c:\users\Justin RPG\AppData\Roaming\Mozilla\Firefox\Profiles\yjykorwg.default\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}.xpi
FF - user.js: general.useragent.extra.zencast - );user_pref(yahoo.ytff.general.dontshowhpoffer, true);user_pref(general.useragent.extra.zencast,
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{bde6f3a2-2ce8-4430-94e0-cd4ce39eeb0d} - (no file)
BHO-{f2c43291-151e-499c-98a7-923c120b88fa} - (no file)
Toolbar-{f2c43291-151e-499c-98a7-923c120b88fa} - (no file)
WebBrowser-{F2C43291-151E-499C-98A7-923C120B88FA} - (no file)
MSConfigStartUp-PhotoJoy - c:\program files\PhotoJoy\bin\PhotoJoy.exe
MSConfigStartUp-Policies - c:\users\Justin RPG\AppData\Roaming\System32\dwm.exe
MSConfigStartUp-Spotify - c:\users\Justin RPG\AppData\Roaming\Spotify\Spotify.exe
AddRemove-Audacity 1.3 Beta (Unicode)_is1 - c:\program files\Audacity 1.3 Beta (Unicode)\unins000.exe
AddRemove-Colossus Addon Mod - c:\users\Justin RPG\Documents\SimCity 4\Plugins\a_CAM\uninst.exe
AddRemove-CS-80V2_is1 - c:\program files\Arturia\CS-80V2\unins000.exe
AddRemove-Cycledog Tree Mod - c:\users\Justin RPG\Documents\SimCity 4\Plugins\uninst2.exe
AddRemove-Modular Amusement Park Pack (MAPP) - Ancillary Buildings - Essentials - c:\users\Justin RPG\Documents\SimCity 4\Plugins\Modular Amusement Park Pack\uninst.exe
AddRemove-Modular Amusement Park Pack (MAPP) - Classic Rides - c:\users\Justin RPG\Documents\SimCity 4\Plugins\Modular Amusement Park Pack\uninst.exe
AddRemove-Modular Amusement Park Pack (MAPP) - Coasters - c:\users\Justin RPG\Documents\SimCity 4\Plugins\Modular Amusement Park Pack\uninst.exe
AddRemove-Museum - c:\museum\uninst.exe
AddRemove-Royal Games - c:\users\Justin RPG\Documents\SimCity 4\Plugins\Uninstal.exe
AddRemove-Uninstall_is1 - c:\program files\Common Files\DVDVideoSoft\unins000.exe
AddRemove-{0CD8A170-E470-11DB-3D6C-00D529464AE1} - c:\program files\Notation\Uninst_Notation Musician 2.6.3
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\40C0.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2591293009-346408578-2920319941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.download\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="SafariDownload"
.
[HKEY_USERS\S-1-5-21-2591293009-346408578-2920319941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (S-1-5-21-2591293009-346408578-2920319941-1000)
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-2591293009-346408578-2920319941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (S-1-5-21-2591293009-346408578-2920319941-1000)
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-2591293009-346408578-2920319941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.safariextz\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="SafariExtension"
.
[HKEY_USERS\S-1-5-21-2591293009-346408578-2920319941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (S-1-5-21-2591293009-346408578-2920319941-1000)
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-2591293009-346408578-2920319941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="SafariHTML"
.
[HKEY_USERS\S-1-5-21-2591293009-346408578-2920319941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.webarchive\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="SafariHTML"
.
[HKEY_USERS\S-1-5-21-2591293009-346408578-2920319941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (S-1-5-21-2591293009-346408578-2920319941-1000)
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-2591293009-346408578-2920319941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (S-1-5-21-2591293009-346408578-2920319941-1000)
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-2591293009-346408578-2920319941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\UserChoice]
@Denied: (2) (LocalSystem)
@Denied: (2) (S-1-5-21-2591293009-346408578-2920319941-1000)
"Progid"="SafariHTML"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-12-04 20:20:22
ComboFix-quarantined-files.txt 2012-12-05 01:20
.
Pre-Run: 29,837,135,872 bytes free
Post-Run: 32,768,671,744 bytes free
.
- - End Of File - - 219DDAB16C48E9660C7EBE6B7FB8B11B
__________________
moltres_rider is offline  
Old 12-04-2012, 06:36 PM   #7
chemist (Security Team)
Hello again, moltres_rider. How is the machine behaving? Any improvement?

No need to attach logs going forward. Just copy/paste them directly into the Reply to Thread window. Thanks.

-----------------------------------------------------

Ashampoo WinOptimizer

We do not recommend the use of registry cleaners. Our colleague miekiemoes has an excellent writeup here

We suggest uninstalling them via Programs and Features in your Control Panel.

------------------------------------------------------

I see you have P2P software (uTorrent) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

A reference for the risk of these programs is here

I would strongly recommend that you uninstall it. You can do so via Control Panel >> Programs and Features.

------------------------------------------------------

I see you have Weatherbug installed on your system. This application is not spyware but is ad-supported, containing both banner and pop-up ads. Please read here

Although this is entirely up to you, we recommend uninstalling it and downloading an ad-free alternative from here or here

------------------------------------------------------

Please download Malwarebytes' Anti-Malware and Save it to your Desktop.
  • Right-click mbam-setup.exe and choose 'Run as administrator' to install it.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Under the Scanner tab, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad and you may be prompted to Restart your computer.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy/Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

chemist is offline  
Old 12-04-2012, 06:50 PM   #8
moltres_rider
I have used Malwarebytes before but struggled with false positives showing up, but I'll post a log after scan...


EDIT: I didn't notice you said 'quick scan'... ok...
__________________
moltres_rider is offline  
Old 12-04-2012, 07:02 PM   #9
moltres_rider
while I am waiting for Malwarebytes to scan... can you tell me more about the files Combofix deleted, what they are and what they do??? I noticed one had my username in it!!!
__________________
moltres_rider is offline  
Old 12-04-2012, 07:16 PM   #10
moltres_rider
ran Malwarebytes and removed all detected items...

NOTE: THE MALWAREBYTES RESTART CAUSED A BSOD WITH IRQL_NOT_LESS_THAN_OR_EQUAL


Malwarebytes Anti-Malware 1.65.1.1000
Malwarebytes : Free anti-malware download

Database version: v2012.12.05.01

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Justin RPG :: JUSTINRPGSPC [administrator]

12/4/2012 8:52:00 PM
mbam-log-2012-12-04 (20-52-00).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 219930
Time elapsed: 9 minute(s), 31 second(s)

Memory Processes Detected: 1
C:\Windows\KMService.exe (RiskWare.Tool.CK) -> 9196 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\Users\Justin RPG\AppData\Roaming\dclogs (Stolen.Data) -> Quarantined and deleted successfully.

Files Detected: 27
C:\Windows\KMService.exe (RiskWare.Tool.CK) -> Delete on reboot.
C:\Users\Justin RPG\Documents\MSDCSC\msdcsc.exe (Backdoor.Agent.DC) -> Quarantined and deleted successfully.
C:\Users\Justin RPG\My Documents\MSDCSC\msdcsc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Justin RPG\AppData\Roaming\dclogs\2012-10-27-7.dc (Stolen.Data) -> Quarantined and deleted successfully.
C:\Users\Justin RPG\AppData\Roaming\dclogs\2012-11-25-1.dc (Stolen.Data) -> Quarantined and deleted successfully.
C:\Users\Justin RPG\AppData\Roaming\dclogs\2012-11-09-6.dc (Stolen.Data) -> Quarantined and deleted successfully.
C:\Users\Justin RPG\AppData\Roaming\dclogs\2012-11-10-7.dc (Stolen.Data) -> Quarantined and deleted successfully.
C:\Users\Justin RPG\AppData\Roaming\dclogs\2012-11-11-1.dc (Stolen.Data) -> Quarantined and deleted successfully.
C:\Users\Justin RPG\AppData\Roaming\dclogs\2012-11-14-4.dc (Stolen.Data) -> Quarantined and deleted successfully.
C:\Users\Justin RPG\AppData\Roaming\dclogs\2012-11-15-5.dc (Stolen.Data) -> Quarantined and deleted successfully.
C:\Users\Justin RPG\AppData\Roaming\dclogs\2012-11-16-6.dc (Stolen.Data) -> Quarantined and deleted successfully.
C:\Users\Justin RPG\AppData\Roaming\dclogs\2012-11-17-7.dc (Stolen.Data) -> Quarantined and deleted successfully.
C:\Users\Justin RPG\AppData\Roaming\dclogs\2012-11-18-1.dc (Stolen.Data) -> Quarantined and deleted successfully.
C:\Users\Justin RPG\AppData\Roaming\dclogs\2012-11-19-2.dc (Stolen.Data) -> Quarantined and deleted successfully.
C:\Users\Justin RPG\AppData\Roaming\dclogs\2012-11-20-3.dc (Stolen.Data) -> Quarantined and deleted successfully.
C:\Users\Justin RPG\AppData\Roaming\dclogs\2012-11-21-4.dc (Stolen.Data) -> Quarantined and deleted successfully.
C:\Users\Justin RPG\AppData\Roaming\dclogs\2012-11-22-5.dc (Stolen.Data) -> Quarantined and deleted successfully.
C:\Users\Justin RPG\AppData\Roaming\dclogs\2012-11-23-6.dc (Stolen.Data) -> Quarantined and deleted successfully.
C:\Users\Justin RPG\AppData\Roaming\dclogs\2012-11-24-7.dc (Stolen.Data) -> Quarantined and deleted successfully.
C:\Users\Justin RPG\AppData\Roaming\dclogs\2012-11-27-3.dc (Stolen.Data) -> Quarantined and deleted successfully.
C:\Users\Justin RPG\AppData\Roaming\dclogs\2012-11-28-4.dc (Stolen.Data) -> Quarantined and deleted successfully.
C:\Users\Justin RPG\AppData\Roaming\dclogs\2012-11-29-5.dc (Stolen.Data) -> Quarantined and deleted successfully.
C:\Users\Justin RPG\AppData\Roaming\dclogs\2012-11-30-6.dc (Stolen.Data) -> Quarantined and deleted successfully.
C:\Users\Justin RPG\AppData\Roaming\dclogs\2012-12-01-7.dc (Stolen.Data) -> Quarantined and deleted successfully.
C:\Users\Justin RPG\AppData\Roaming\dclogs\2012-12-02-1.dc (Stolen.Data) -> Quarantined and deleted successfully.
C:\Users\Justin RPG\AppData\Roaming\dclogs\2012-12-03-2.dc (Stolen.Data) -> Quarantined and deleted successfully.
C:\Users\Justin RPG\Templates\spsreng.exe (Backdoor.Agent.DC) -> Quarantined and deleted successfully.

(end)
__________________
moltres_rider is offline  
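One way a helper could triage a Malwarebytes 1.x log in the format posted above, as an added example that is not the forum's or Malwarebytes' own tooling. The embedded sample is a constructed subset of the lines above; folding the "My Documents" junction onto "Documents" is an assumption about the default Windows 7 profile layout.

```python
"""Triage helper for Malwarebytes Anti-Malware 1.x scan logs (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of the log posted above, in the same format.
SAMPLE_LOG = r"""
Memory Processes Detected: 1
C:\Windows\KMService.exe (RiskWare.Tool.CK) -> 9196 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\Users\Justin RPG\AppData\Roaming\dclogs (Stolen.Data) -> Quarantined and deleted successfully.

Files Detected: 5
C:\Windows\KMService.exe (RiskWare.Tool.CK) -> Delete on reboot.
C:\Users\Justin RPG\Documents\MSDCSC\msdcsc.exe (Backdoor.Agent.DC) -> Quarantined and deleted successfully.
C:\Users\Justin RPG\My Documents\MSDCSC\msdcsc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Justin RPG\AppData\Roaming\dclogs\2012-10-27-7.dc (Stolen.Data) -> Quarantined and deleted successfully.
C:\Users\Justin RPG\Templates\spsreng.exe (Backdoor.Agent.DC) -> Quarantined and deleted successfully.

(end)
"""

# Section headers look like "Files Detected: 27" or "Memory Processes Detected: 1".
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
# Detection lines look like "<path> (<Detection.Name>) [-> <pid>] -> <action>."
ITEM_RE = re.compile(
    r"^(?P<path>.+?) \((?P<name>[^()]+)\)"
    r"(?: -> (?P<pid>\d+))?"
    r" -> (?P<action>[^.]+)\.$"
)
# Assumption: on a default Windows 7 profile "My Documents" is a junction to
# "Documents", so the same file can be reported twice under both spellings.
MY_DOCUMENTS_RE = re.compile(r"\\My Documents\\", re.IGNORECASE)


@dataclass
class Detection:
    section: str            # e.g. "Files", "Folders", "Memory Processes"
    path: str
    name: str               # Malwarebytes detection name, e.g. "Backdoor.Agent.DC"
    action: str             # e.g. "Quarantined and deleted successfully"
    pid: Optional[int] = None


def parse_mbam_log(text: str) -> List[Detection]:
    """Return every detection line, tagged with the section it appeared under."""
    found: List[Detection] = []
    section = "Unknown"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("(No malicious items detected)", "(end)"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ITEM_RE.match(line)
        if m:
            pid = m.group("pid")
            found.append(Detection(section, m.group("path"), m.group("name"),
                                   m.group("action"), int(pid) if pid else None))
    return found


def declared_counts(text: str) -> Dict[str, int]:
    """The per-section totals Malwarebytes prints in each section header."""
    return {m.group("section"): int(m.group("count"))
            for m in (SECTION_RE.match(l.strip()) for l in text.splitlines()) if m}


def count_mismatches(text: str) -> List[str]:
    """Sections whose header count differs from the lines actually present.

    A mismatch usually means the pasted log was truncated, so the helper
    should ask for the complete log before judging the cleanup finished.
    """
    seen = Counter(d.section for d in parse_mbam_log(text))
    return sorted(s for s, n in declared_counts(text).items() if seen[s] != n)


def canonical_path(path: str) -> str:
    """Fold the 'My Documents' junction spelling onto 'Documents' (see assumption above)."""
    return MY_DOCUMENTS_RE.sub(r"\\Documents\\", path).lower()


def triage(detections: List[Detection]) -> dict:
    """Summarise what matters for follow-up rather than the raw line count."""
    families = Counter(d.name for d in detections)
    unique_files = {canonical_path(d.path) for d in detections if d.section == "Files"}
    # "Delete on reboot" items are still on disk until a clean restart; confirm
    # they are gone afterwards, especially if the restart itself crashed.
    pending = sorted({d.path for d in detections
                      if d.action.lower().startswith("delete on reboot")})
    # Stolen.Data is Malwarebytes' label for files holding data captured by
    # malware (e.g. keylogs): anything typed while they were written is exposed.
    stolen = sum(1 for d in detections if d.name == "Stolen.Data" and d.section == "Files")
    return {"families": families, "unique_files": len(unique_files),
            "pending_reboot": pending, "stolen_data_files": stolen}


if __name__ == "__main__":
    dets = parse_mbam_log(SAMPLE_LOG)
    print(f"{len(dets)} detections, mismatched sections: {count_mismatches(SAMPLE_LOG)}")
    for key, value in triage(dets).items():
        print(f"{key}: {value}")
```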
Old 12-04-2012, 08:23 PM   #11
moltres_rider
is it me or did the call drop??? I see the helpers actively involved in "other" threads in this forum!!!
__________________
moltres_rider is offline  
Old 12-04-2012, 08:41 PM   #12
chemist (Security Team)
Hello again, moltres_rider. No need to quote my posts in your replies. Thanks.

Quote:
is it me or did the call drop??? I see the helpers actively involved in "other" threads in this forum!!!
Sorry, but we don't always reply in real time here. We do have regular jobs. This will be my last post for tonight.

How is the machine behaving? Any improvement?

------------------------------------------------------

Uninstall the following via the Programs and Features Panel (Start->(Settings)->Control Panel->Programs->Programs and Features):

Java(TM) 6 Update 37

These are all outdated and are security risks if left installed. Reboot your computer once all those Java components are removed.

Going forward, Java will overwrite existing installs, so removing older versions should not be required after this.

Go here and follow the prompts to install the latest Java > java.com: Java + You

Make sure you untick the box next to whatever free program they prompt you to install, unless you want it.
  • After the install is complete, go back to your Control Panel and click the Java icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Cached Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window.
      Note: This deletes ALL the Downloaded Cached Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window.
    • Click OK to leave the Java Control Panel.
------------------------------------------------------

Please run this online scan to help look for remnants. Ensure your external and/or USB drives are inserted during the scan.

In Microsoft Windows Vista/Win7, you must open the Web browser via a right-click using the Run as Administrator command.

Go here and click 'ESET Online Scanner'.
  • If you are not using Internet Explorer, double-click esetsmartinstaller_enu.exe to install it, then click 'Run'.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • If using Internet Explorer, allow the ActiveX control to install when asked.
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Next to 'Current scan targets: Operating memory, Local drives', click the Change.. button.
  • Tick all the boxes that correspond to your external/inserted drives.
  • Click Start
  • Wait for the scan to finish.
  • When the scan is done, if it shows a screen that says "Threats found!", click "List of found threats", and then click "Export to text file..."
  • Save that text file to your desktop, and then copy/paste the contents in your next reply.
------------------------------------------------------

Please post the following in your next reply:

ESET report
report on system behavior
__________________
chemist is offline  
Old 12-04-2012, 09:09 PM   #13
moltres_rider
Quote:
Originally Posted by chemist View Post
  • After the install is complete, go back to your Control Panel and click the Java icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Cached Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window.
      Note: This deletes ALL the Downloaded Cached Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window.
    • Click OK to leave the Java Control Panel.

CACHED APPLICATIONS AND APPLETS + INSTALLED APPLICATIONS AND APPLETS ARE BOTH GRAYED OUT!!!!! I CANNOT DELETE THEM!!!!!!!!
__________________
moltres_rider is offline  
Old 12-04-2012, 09:25 PM   #14
Registered User
 
Join Date: Nov 2012
Posts: 25
OS: Windows 7 SP1



and also it may take a while as I have a 2TB external drive...
__________________
moltres_rider is offline  
Old 12-05-2012, 07:39 AM   #15
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
 
tetonbob's Avatar

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 50,057
OS: XP Pro; XP Home; Win7 x86 & x64



Previous posts deleted. Topic closed. Member banned for trolling.

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

Quote:
Please be considerate of the fact that the people helping you are all volunteers, and in many cases usually have a job, and a limited amount of time to help, and therefore can only do so much. Also please note that there are many more people in need of assistance than there are trained staff members who may assist. Patience for this free assistance is required. If there is an immediate need, please take the machine to a local technician.

__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

tetonbob is offline  
Copyright 2001 - 2014, Tech Support Forum