All download has virus [Solved]


  • This topic is locked

#16
saskpc

    Member

  • Topic Starter
  • Member
  • 28 posts
Yes, I have tried with IE and FF and multiple different downloads from different locations, including the download links you provided earlier for rogue and adw.
  • 0


#17
saskpc

    Member

  • Topic Starter
  • Member
  • 28 posts
I am gone for the evening.
I will be able to put in 1 hour early tomorrow morning.
  • 0

#18
Buddierdl

    Trusted Helper

  • Malware Removal
  • 2,524 posts
Hi saskpc,

Could you please see if you can locate this file on your computer:

C:\Windows\System32\挸ӝ


If so, please go here and upload it for analysis. Let me know when you have done so.
  • 0

#19
saskpc

    Member

  • Topic Starter
  • Member
  • 28 posts
The file has been uploaded.
  • 0

#20
Buddierdl

    Trusted Helper

  • Malware Removal
  • 2,524 posts
Hi saskpc,

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

3. If, after the reboot, you get errors about programmes being marked for deletion, then reboot; that will cure it.


Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.
  • 0

#21
saskpc

    Member

  • Topic Starter
  • Member
  • 28 posts
Ok, I will be in meetings all day; I will get back to you later this afternoon.
  • 0

#22
Buddierdl

    Trusted Helper

  • Malware Removal
  • 2,524 posts
Posted Image
  • 0

#23
saskpc

    Member

  • Topic Starter
  • Member
  • 28 posts
Still no download on either IE or FF.
I did notice that neither of them is currently set as the default browser.
I did not have any issue after the first restart (about programs being marked for deletion).
I have not tried anything in safe mode for downloads yet, as I was not instructed to do so.
If you would like me to try, let me know.
I have also noticed that the Asian-style filename I sent for analysis is still present.
I have ensured that both AVG and Spybot were deactivated before running ComboFix, but if you believe I made a mistake, let me know and I will follow your recommendation.

ComboFix 13-02-26.01 - Garfield 27/02/2013 19:34:47.1.4 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.2.1033.18.2935.1768 [GMT -6:00]
Running from: c:\users\Garfield\Desktop\ComboFix.exe
AV: AVG Internet Security 2011 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
FW: AVG Firewall *Disabled* {621CC794-9486-F902-D092-0484E8EA828B}
SP: AVG Internet Security 2011 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Spybot - Search and Destroy *Disabled/Outdated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\program files\FilmFanaticEI
c:\program files\TelevisionFanaticEI
c:\users\Garfield\GoToAssistDownloadHelper.exe
.
.
((((((((((((((((((((((((( Files Created from 2013-01-28 to 2013-02-28 )))))))))))))))))))))))))))))))
.
.
2013-02-26 14:44 . 2013-02-19 09:58 6954968 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B9EE7AF4-746E-4AA0-BCE9-A09600F37E7D}\mpengine.dll
2013-02-25 19:10 . 2013-02-25 19:10 -------- d-----w- c:\program files\Mozilla Maintenance Service
2013-02-25 19:10 . 2013-02-25 19:10 74136 ----a-w- c:\program files\Mozilla Firefox\breakpadinjector.dll
2013-02-25 19:10 . 2013-02-25 19:10 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2013-02-25 19:10 . 2013-02-25 19:10 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2013-02-25 19:10 . 2013-02-25 19:10 193168 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2013-02-25 19:10 . 2013-02-25 19:10 115608 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
2013-02-25 19:10 . 2013-02-25 19:10 96664 ----a-w- c:\program files\Mozilla Firefox\webapprt-stub.exe
2013-02-25 19:10 . 2013-02-25 19:10 157712 ----a-w- c:\program files\Mozilla Firefox\webapp-uninstaller.exe
2013-02-23 18:29 . 2013-02-23 18:29 -------- d-----w- C:\_OTL
2013-02-22 18:17 . 2013-02-22 18:17 -------- d-----w- c:\program files\ESET
2013-02-22 17:57 . 2013-02-22 17:57 -------- d-----w- c:\programdata\Downloaded Installations
2013-02-22 17:54 . 2013-02-22 17:54 44424 ----a-w- c:\windows\system32\sbbd.exe
2013-02-22 17:54 . 2013-02-22 17:54 13560 ----a-w- c:\windows\system32\drivers\gfibto.sys
2013-02-22 17:54 . 2013-02-22 17:54 -------- d-----w- c:\users\Garfield\AppData\Roaming\LavasoftStatistics
2013-02-22 17:54 . 2013-02-22 17:54 -------- d-----w- c:\users\Garfield\AppData\Roaming\Ad-Aware Antivirus
2013-02-22 17:38 . 2013-02-28 01:33 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2013-02-22 17:30 . 2009-01-25 18:14 15224 ----a-w- c:\windows\system32\sdnclean.exe
2013-02-22 17:30 . 2013-02-22 17:30 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2013-02-22 16:55 . 2013-02-22 16:55 -------- d-----w- c:\users\Garfield\AppData\Roaming\Malwarebytes
2013-02-22 16:55 . 2013-02-22 16:55 -------- d-----w- c:\programdata\Malwarebytes
2013-02-22 16:55 . 2013-02-22 16:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-02-22 16:55 . 2012-12-14 22:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-02-22 16:55 . 2013-02-22 16:55 -------- d-----w- c:\users\Garfield\AppData\Local\Programs
2013-02-13 07:05 . 2013-01-04 03:00 2347008 ----a-w- c:\windows\system32\win32k.sys
2013-02-13 07:05 . 2013-01-05 05:00 3967848 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-02-13 07:04 . 2013-01-05 05:00 3913064 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-02-13 07:04 . 2013-01-03 05:05 1293672 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-02-13 07:04 . 2013-01-03 05:04 187752 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2013-02-13 07:04 . 2013-01-04 04:50 169984 ----a-w- c:\windows\system32\winsrv.dll
2013-02-11 17:47 . 2013-02-11 17:47 -------- d-----w- c:\users\Garfield\AppData\Local\Macromedia
2013-02-01 23:44 . 2012-11-22 16:50 92184 ----a-w- c:\programdata\Microsoft\BingDesktop\Updater\BingDesktopRestarter.exe
2013-02-01 23:25 . 2012-08-24 16:57 247808 ----a-w- c:\windows\system32\schannel.dll
2013-02-01 23:25 . 2012-08-24 17:05 136560 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2013-02-01 23:25 . 2012-08-24 17:02 369856 ----a-w- c:\windows\system32\drivers\cng.sys
2013-02-01 23:25 . 2012-08-24 16:56 1039360 ----a-w- c:\windows\system32\lsasrv.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-27 20:57 . 2012-03-29 08:36 691568 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-02-27 20:57 . 2011-05-19 17:52 71024 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-01-17 07:28 . 2010-07-14 23:55 232336 ------w- c:\windows\system32\MpSigStub.exe
2012-12-16 14:13 . 2012-12-22 07:38 295424 ----a-w- c:\windows\system32\atmfd.dll
2012-12-16 14:13 . 2012-12-22 07:38 34304 ----a-w- c:\windows\system32\atmlib.dll
2012-12-07 12:26 . 2013-01-09 04:32 308736 ----a-w- c:\windows\system32\Wpc.dll
2012-12-07 12:20 . 2013-01-09 04:32 2576384 ----a-w- c:\windows\system32\gameux.dll
2012-12-07 10:46 . 2013-01-09 04:32 43520 ----a-w- c:\windows\system32\csrr.rs
2012-12-07 10:46 . 2013-01-09 04:32 30720 ----a-w- c:\windows\system32\usk.rs
2012-12-07 10:46 . 2013-01-09 04:32 45568 ----a-w- c:\windows\system32\oflc-nz.rs
2012-12-07 10:46 . 2013-01-09 04:32 44544 ----a-w- c:\windows\system32\pegibbfc.rs
2012-12-07 10:46 . 2013-01-09 04:32 20480 ----a-w- c:\windows\system32\pegi-pt.rs
2012-12-07 10:46 . 2013-01-09 04:32 23552 ----a-w- c:\windows\system32\oflc.rs
2012-12-07 10:46 . 2013-01-09 04:32 20480 ----a-w- c:\windows\system32\pegi-fi.rs
2012-12-07 10:46 . 2013-01-09 04:32 46592 ----a-w- c:\windows\system32\fpb.rs
2012-12-07 10:46 . 2013-01-09 04:32 20480 ----a-w- c:\windows\system32\pegi.rs
2012-12-07 10:46 . 2013-01-09 04:32 21504 ----a-w- c:\windows\system32\grb.rs
2012-12-07 10:46 . 2013-01-09 04:32 40960 ----a-w- c:\windows\system32\cob-au.rs
2012-12-07 10:46 . 2013-01-09 04:32 15360 ----a-w- c:\windows\system32\djctq.rs
2012-12-07 10:46 . 2013-01-09 04:32 51712 ----a-w- c:\windows\system32\esrb.rs
2012-12-07 10:46 . 2013-01-09 04:31 55296 ----a-w- c:\windows\system32\cero.rs
2012-11-30 04:47 . 2013-01-09 04:32 293376 ----a-w- c:\windows\system32\KernelBase.dll
2012-11-30 04:45 . 2013-01-09 04:32 4608 ---ha-w- c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 04:32 4096 ---ha-w- c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 04:32 4096 ---ha-w- c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 04:32 4096 ---ha-w- c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 04:32 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 04:32 3584 ---ha-w- c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 04:32 3584 ---ha-w- c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 04:32 3584 ---ha-w- c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 04:32 3584 ---ha-w- c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 04:32 3584 ---ha-w- c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 04:32 3584 ---ha-w- c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 04:32 3072 ---ha-w- c:\windows\system32\api-ms-win-core-string-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 04:32 3072 ---ha-w- c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 04:32 3072 ---ha-w- c:\windows\system32\api-ms-win-core-io-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 04:32 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 04:32 3072 ---ha-w- c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 04:32 5120 ---ha-w- c:\windows\system32\api-ms-win-core-file-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 04:32 3072 ---ha-w- c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 04:32 3072 ---ha-w- c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 04:32 3072 ---ha-w- c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 04:32 3072 ---ha-w- c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 04:32 3072 ---ha-w- c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 04:32 3072 ---ha-w- c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 04:32 3072 ---ha-w- c:\windows\system32\api-ms-win-core-console-l1-1-0.dll
2012-11-30 02:55 . 2013-01-09 04:32 271360 ----a-w- c:\windows\system32\conhost.exe
2012-11-30 02:38 . 2013-01-09 04:32 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2012-11-30 02:38 . 2013-01-09 04:32 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2012-11-30 02:38 . 2013-01-09 04:32 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2012-11-30 02:38 . 2013-01-09 04:32 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2012-05-04 08:59 . 2012-05-04 08:59 438 ----a-w- c:\program files\0520122590062.bat
2012-05-01 08:29 . 2012-05-01 08:29 432 ----a-w- c:\program files\0520122295136.bat
2012-04-27 00:13 . 2012-04-27 00:13 438 ----a-w- c:\program files\04201218133577.bat
2012-04-05 01:09 . 2012-04-05 01:09 439 ----a-w- c:\program files\04201219093083.bat
2012-03-10 17:37 . 2012-03-10 17:37 437 ----a-w- c:\program files\03201211373175.bat
2012-03-05 04:32 . 2012-03-05 04:32 447 ----a-w- c:\program files\03201222324918.bat
2012-02-22 15:44 . 2012-02-22 15:44 437 ----a-w- c:\program files\0220129445971.bat
2011-11-16 15:30 . 2011-11-16 15:30 467 ----a-w- c:\program files\1120119303080.bat
2011-07-24 17:53 . 2011-07-24 18:14 161760 ----a-w- c:\program files\64res.dll
2011-07-24 17:45 . 2011-06-20 20:24 161752 ----a-w- c:\program files\pares.dll
2013-02-25 19:10 . 2012-04-15 21:55 262552 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2011-04-22 19:56 2495816 ----a-w- c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-04-22 2495816]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-04-22 2495816]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-01-07 1602856]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-01-05 495708]
"FreeFallProtection"="c:\program files\STMicroelectronics\Accelerometer\FF_Protection.exe" [2009-07-22 2384896]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-12-29 140520]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-06-24 409744]
"DBRMTray"="c:\dell\DBRM\Reminder\DbrmTrayIcon.exe" [2009-11-12 203776]
"eBayToolbar"="c:\program files\eBay\eBay Toolbar2\eBayTBDaemon.exe" [2009-03-19 632048]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-04-18 2334560]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-12-19 41208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"Family Tree Builder Update"="c:\program files\MyHeritage\Bin\FTBCheckUpdates.exe" [2011-12-21 229376]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-01-11 142616]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-01-11 177432]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-01-11 177944]
"BingDesktop"="c:\program files\Microsoft\BingDesktop\BingDesktop.exe" [2013-01-25 2127896]
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2012-11-13 3825176]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart\0\0sdnclean.exe
.
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [x]
R2 InstallFilterService;FF Install Filter Service;c:\program files\STMicroelectronics\Accelerometer\InstallFilterService.exe [x]
R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [x]
R3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\Drivers\CtAudDrv.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [x]
R3 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]
R3 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [x]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [x]
S0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [x]
S0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdflt.sys [x]
S1 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwd6x.sys [x]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [x]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [x]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_41f81f5ce017c35c\aestsrv.exe [x]
S2 avgfws;AVG Firewall;c:\program files\AVG\AVG10\avgfws.exe [x]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [x]
S2 BingDesktopUpdate;Bing Desktop Update service;c:\program files\Microsoft\BingDesktop\BingDesktopUpdater.exe [x]
S2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;c:\program files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe [x]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Acceler.sys [x]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [x]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [x]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys [x]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [x]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - TRUESIGHT
*Deregistered* - TrueSight
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
GPSvcGroup REG_MULTI_SZ GPSvc
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-29 20:57]
.
2013-02-22 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2013-02-22 20:08]
.
2013-02-22 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2013-02-22 20:07]
.
2013-02-22 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDScan.exe [2013-02-22 20:07]
.
.
------- Supplementary Scan -------
.
IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
TCP: DhcpNameServer = 192.168.1.253 65.87.230.4 65.87.230.5
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
FF - ProfilePath - c:\users\Garfield\AppData\Roaming\Mozilla\Firefox\Profiles\0i4i7dsx.default\
FF - prefs.js: browser.search.selectedEngine - bing
FF - prefs.js: browser.startup.homepage - hxxp://start.msn.iplay.com/?o=shp
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
WebBrowser-{F92A9FE4-2850-4198-B9D5-279880E49B16} - (no file)
Notify-GoToAssist - c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
Notify-SDWinLogon - SDWinLogon.dll
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3745198013-423729411-3109601797-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-3745198013-423729411-3109601797-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-02-27 19:41:02
ComboFix-quarantined-files.txt 2013-02-28 01:41
.
Pre-Run: 192,647,319,552 bytes free
Post-Run: 192,548,265,984 bytes free
.
- - End Of File - - 295DF48FEF99D3B613A22D76DF6A5F1C

Edited by Dakeyras, 28 February 2013 - 03:11 PM.
Added actual CF log contents etc...

  • 0

#24
saskpc

    Member

  • Topic Starter
  • Member
  • 28 posts
There has been a change in behavior: now the computer goes into sleep mode, which it wasn't doing before.
  • 0

#25
Buddierdl

    Trusted Helper

  • Malware Removal
  • 2,524 posts
I am reviewing your log and will get back to you soon.

As for going to sleep, is that what you want it to do? (I mean, are you saying that it is now able to enter sleep mode when it couldn't before, or are you saying that it is going into sleep mode when you don't want it to?)
  • 0


#26
saskpc

    Member

  • Topic Starter
  • Member
  • 28 posts
Before it would not enter sleep mode at all.
Now it does it on its own according to the power settings.
  • 0

#27
Buddierdl

    Trusted Helper

  • Malware Removal
  • 2,524 posts
Hi saskpc,

I have also noticed that the Asian-style filename I sent for analysis is still present.


Yes, it turned out to be a clean file left over from a program. It's probably not needed, so we'll get rid of it.

Let's make sure your computer is clean, then if downloads still don't work, we'll look deeper into that issue.

Step 1: Run OTL fix.

Start OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :Commands
    [createrestorepoint]
    
    :OTL
    [2011/05/20 17:28:12 | 000,000,017 | ---- | M] ()(C:\Windows\System32\??) -- C:\Windows\System32\挸ӝ
    [2011/05/20 17:28:12 | 000,000,017 | ---- | C] ()(C:\Windows\System32\??) -- C:\Windows\System32\挸ӝ
    
    @Alternate Data Stream - 159 bytes -> C:\ProgramData\TEMP:8865824E
    @Alternate Data Stream - 157 bytes -> C:\ProgramData\TEMP:C642810F
    @Alternate Data Stream - 153 bytes -> C:\ProgramData\TEMP:FDE7A038
    @Alternate Data Stream - 153 bytes -> C:\ProgramData\TEMP:F4BE8180
    @Alternate Data Stream - 153 bytes -> C:\ProgramData\TEMP:955A2D2C
    @Alternate Data Stream - 153 bytes -> C:\ProgramData\TEMP:7B227418
    @Alternate Data Stream - 153 bytes -> C:\ProgramData\TEMP:22D489B6
    @Alternate Data Stream - 151 bytes -> C:\ProgramData\TEMP:D5C2DDAE
    @Alternate Data Stream - 151 bytes -> C:\ProgramData\TEMP:25FF8A61
    @Alternate Data Stream - 150 bytes -> C:\ProgramData\TEMP:E748547C
    @Alternate Data Stream - 150 bytes -> C:\ProgramData\TEMP:0768C7C3
    @Alternate Data Stream - 149 bytes -> C:\ProgramData\TEMP:C7EA4918
    @Alternate Data Stream - 149 bytes -> C:\ProgramData\TEMP:30C74695
    @Alternate Data Stream - 148 bytes -> C:\ProgramData\TEMP:A477A19D
    @Alternate Data Stream - 148 bytes -> C:\ProgramData\TEMP:8F88317C
    @Alternate Data Stream - 148 bytes -> C:\ProgramData\TEMP:6CFD136C
    @Alternate Data Stream - 147 bytes -> C:\ProgramData\TEMP:FC289904
    @Alternate Data Stream - 147 bytes -> C:\ProgramData\TEMP:9C0F8F95
    @Alternate Data Stream - 146 bytes -> C:\ProgramData\TEMP:20573823
    @Alternate Data Stream - 144 bytes -> C:\ProgramData\TEMP:418054A0
    @Alternate Data Stream - 143 bytes -> C:\ProgramData\TEMP:0B352B60
    @Alternate Data Stream - 141 bytes -> C:\ProgramData\TEMP:901256DA
    @Alternate Data Stream - 141 bytes -> C:\ProgramData\TEMP:1BA9C8DC
    @Alternate Data Stream - 139 bytes -> C:\ProgramData\TEMP:A4C49A68
    @Alternate Data Stream - 139 bytes -> C:\ProgramData\TEMP:65AAB2AD
    @Alternate Data Stream - 138 bytes -> C:\ProgramData\TEMP:24D72313
    @Alternate Data Stream - 137 bytes -> C:\ProgramData\TEMP:C5B78274
    @Alternate Data Stream - 136 bytes -> C:\ProgramData\TEMP:EB4FEEF5
    @Alternate Data Stream - 136 bytes -> C:\ProgramData\TEMP:DE22D45C
    @Alternate Data Stream - 134 bytes -> C:\ProgramData\TEMP:BBD6565E
    @Alternate Data Stream - 134 bytes -> C:\ProgramData\TEMP:04E853D4
    @Alternate Data Stream - 133 bytes -> C:\ProgramData\TEMP:CBAF0C30
    @Alternate Data Stream - 133 bytes -> C:\ProgramData\TEMP:0B4227B4
    @Alternate Data Stream - 131 bytes -> C:\ProgramData\TEMP:CE5C755D
    @Alternate Data Stream - 130 bytes -> C:\ProgramData\TEMP:FEF919E6
    @Alternate Data Stream - 130 bytes -> C:\ProgramData\TEMP:E2B0AAB4
    @Alternate Data Stream - 130 bytes -> C:\ProgramData\TEMP:7991541F
    @Alternate Data Stream - 129 bytes -> C:\ProgramData\TEMP:B16047B8
    @Alternate Data Stream - 129 bytes -> C:\ProgramData\TEMP:799B8AA7
    @Alternate Data Stream - 129 bytes -> C:\ProgramData\TEMP:32B2B431
    @Alternate Data Stream - 128 bytes -> C:\ProgramData\TEMP:82376CD0
    @Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:902F3E60
    @Alternate Data Stream - 124 bytes -> C:\ProgramData\TEMP:D4E0D1F1
    @Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:8F09BC2E
    @Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:228B2655
    @Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:EC3A9923
    @Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:108D3361
    @Alternate Data Stream - 120 bytes -> C:\ProgramData\TEMP:6F1F66C0
    @Alternate Data Stream - 112 bytes -> C:\ProgramData\TEMP:863F4B04
    @Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:9CAD1FF9
    
    :Files
    c:\program files\64res.dll
    netsh advfirewall reset /c 
    netsh advfirewall set allprofiles state off /c
  • Then click the Run Fix button at the top
  • Let the program run unhindered.
  • Post the log it produces in your next reply. The log should be saved in C:\_OTL\MovedFiles and should be named with numbers describing the date and time it was run.

Step 2: Run MBAM.

  • Open MBAM and update the definitions.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Step 3: Run online scan.

Run Online scan: Please disable your anti-virus before running this scan. Remember to re-enable it afterwards.

  • Please run a Bitdefender Online Virus Scan by following the instructions below:
  • Click this link to visit the Bitdefender Online Virus Scan website.
  • Click on the green start scanner button in the middle of the screen.
  • Click the gray Continue button to the left.
  • Click the green Scan now button (you may need to scroll down to see it).
  • A little yellowish bar may pop up at the top of the page to notify you that the website is trying to install an add-on. Click on that yellowish bar and select to install the add-on.
  • If you had to install the add-on, then Internet Explorer will reload the page, and you will be back on step 2. Repeat steps 2 through 4 again.
  • You may now be presented with a Security Warning popup asking if you want to install something from Bitdefender. Go ahead and click the Install button.
  • You should now be asked to accept the license agreement. You will need to click the I ACCEPT box in the lower-left corner before you can click on the OK button to continue.
  • The scan will begin running. This could take more than a few minutes.
  • Once it is done, it will tell you whether or not it found anything. Avoid removing anything for now, and click on the View report link.
  • Notepad will open with a copy of the report. Please save this on your desktop, and attach it to a reply by clicking on the More Reply Options button to the lower-right of where you type out your reply.

Step 4: Can you download files now? If not, can you do so in safe mode? Could you please take a screenshot of the virus warning dialogue box? (instructions here)

Things I need in your next reply:
  • OTL fix log
  • MBAM log
  • Bitdefender log
  • Answers to my questions above.

  • 0
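The OTL fix in the post above deletes a batch of alternate data streams attached to C:\ProgramData\TEMP and then resets the Windows Firewall and turns it off for all profiles. The PowerShell below is an added example, not part of the thread and not OTL's own code: it lists those streams with their sizes and a short content preview, so what is attached can be inspected before anything is deleted, and then prints the firewall state the two netsh lines leave behind so it can be switched back on once the cleanup is finished. The path C:\ProgramData\TEMP is taken from the fix; the function name and everything else are assumptions.

```powershell
# Added example, not from the thread or from OTL. Run in an elevated PowerShell
# (3.0 or later, which is where the -Stream parameters were introduced).

# Path taken from the OTL fix above; the listed streams hang off this object.
$Target = 'C:\ProgramData\TEMP'

function Get-AdsReport {
    # Hypothetical helper: one row per named alternate data stream on $Path.
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "$Path not found"
        return
    }

    # Enumerate every stream; ':$DATA' is the ordinary content and is skipped.
    Get-Item -LiteralPath $Path -Stream * -ErrorAction Stop |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            # Read the stream as text for a preview; unreadable streams show empty.
            $text = Get-Content -LiteralPath $Path -Stream $_.Stream -Raw -ErrorAction SilentlyContinue
            if ($null -eq $text) { $text = '' }
            $text = $text -replace '\s+', ' '
            [pscustomobject]@{
                File    = $Path
                Stream  = $_.Stream
                Bytes   = $_.Length
                Preview = $text.Substring(0, [Math]::Min(60, $text.Length))
            }
        }
}

Get-AdsReport -Path $Target | Format-Table -AutoSize

# 'netsh advfirewall reset' restores defaults and 'set allprofiles state off'
# then disables the firewall on every profile; show the resulting state so it
# can be re-enabled with 'netsh advfirewall set allprofiles state on' later.
netsh advfirewall show allprofiles state
```

Run it before and after the OTL fix: the first run shows which streams exist and roughly what they contain, the second confirms they are gone and reports whether the firewall is still off.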

#28
saskpc

    Member

  • Topic Starter
  • Member
  • 28 posts
OTL Log:
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== OTL ==========
C:\Windows\System32\挸ӝ moved successfully.
File C:\Windows\System32\挸ӝ not found.
ADS C:\ProgramData\TEMP:8865824E deleted successfully.
ADS C:\ProgramData\TEMP:C642810F deleted successfully.
ADS C:\ProgramData\TEMP:FDE7A038 deleted successfully.
ADS C:\ProgramData\TEMP:F4BE8180 deleted successfully.
ADS C:\ProgramData\TEMP:955A2D2C deleted successfully.
ADS C:\ProgramData\TEMP:7B227418 deleted successfully.
ADS C:\ProgramData\TEMP:22D489B6 deleted successfully.
ADS C:\ProgramData\TEMP:D5C2DDAE deleted successfully.
ADS C:\ProgramData\TEMP:25FF8A61 deleted successfully.
ADS C:\ProgramData\TEMP:E748547C deleted successfully.
ADS C:\ProgramData\TEMP:0768C7C3 deleted successfully.
ADS C:\ProgramData\TEMP:C7EA4918 deleted successfully.
ADS C:\ProgramData\TEMP:30C74695 deleted successfully.
ADS C:\ProgramData\TEMP:A477A19D deleted successfully.
ADS C:\ProgramData\TEMP:8F88317C deleted successfully.
ADS C:\ProgramData\TEMP:6CFD136C deleted successfully.
ADS C:\ProgramData\TEMP:FC289904 deleted successfully.
ADS C:\ProgramData\TEMP:9C0F8F95 deleted successfully.
ADS C:\ProgramData\TEMP:20573823 deleted successfully.
ADS C:\ProgramData\TEMP:418054A0 deleted successfully.
ADS C:\ProgramData\TEMP:0B352B60 deleted successfully.
ADS C:\ProgramData\TEMP:901256DA deleted successfully.
ADS C:\ProgramData\TEMP:1BA9C8DC deleted successfully.
ADS C:\ProgramData\TEMP:A4C49A68 deleted successfully.
ADS C:\ProgramData\TEMP:65AAB2AD deleted successfully.
ADS C:\ProgramData\TEMP:24D72313 deleted successfully.
ADS C:\ProgramData\TEMP:C5B78274 deleted successfully.
ADS C:\ProgramData\TEMP:EB4FEEF5 deleted successfully.
ADS C:\ProgramData\TEMP:DE22D45C deleted successfully.
ADS C:\ProgramData\TEMP:BBD6565E deleted successfully.
ADS C:\ProgramData\TEMP:04E853D4 deleted successfully.
ADS C:\ProgramData\TEMP:CBAF0C30 deleted successfully.
ADS C:\ProgramData\TEMP:0B4227B4 deleted successfully.
ADS C:\ProgramData\TEMP:CE5C755D deleted successfully.
ADS C:\ProgramData\TEMP:FEF919E6 deleted successfully.
ADS C:\ProgramData\TEMP:E2B0AAB4 deleted successfully.
ADS C:\ProgramData\TEMP:7991541F deleted successfully.
ADS C:\ProgramData\TEMP:B16047B8 deleted successfully.
ADS C:\ProgramData\TEMP:799B8AA7 deleted successfully.
ADS C:\ProgramData\TEMP:32B2B431 deleted successfully.
ADS C:\ProgramData\TEMP:82376CD0 deleted successfully.
ADS C:\ProgramData\TEMP:902F3E60 deleted successfully.
ADS C:\ProgramData\TEMP:D4E0D1F1 deleted successfully.
ADS C:\ProgramData\TEMP:8F09BC2E deleted successfully.
ADS C:\ProgramData\TEMP:228B2655 deleted successfully.
ADS C:\ProgramData\TEMP:EC3A9923 deleted successfully.
ADS C:\ProgramData\TEMP:108D3361 deleted successfully.
ADS C:\ProgramData\TEMP:6F1F66C0 deleted successfully.
ADS C:\ProgramData\TEMP:863F4B04 deleted successfully.
ADS C:\ProgramData\TEMP:9CAD1FF9 deleted successfully.
========== FILES ==========
c:\program files\64res.dll moved successfully.
< netsh advfirewall reset /c >
Ok.
C:\Users\Garfield\Desktop\cmd.bat deleted successfully.
C:\Users\Garfield\Desktop\cmd.txt deleted successfully.
< netsh advfirewall set allprofiles state off /c >
Ok.
C:\Users\Garfield\Desktop\cmd.bat deleted successfully.
C:\Users\Garfield\Desktop\cmd.txt deleted successfully.

OTL by OldTimer - Version 3.2.69.0 log created on 03022013_093948

MBAM Log:
Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.03.02.07

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Garfield :: GARFIELD-PC [administrator]

02/03/2013 9:43:00 AM
mbam-log-2013-03-02 (09-43-00).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 272772
Time elapsed: 3 minute(s), 57 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

I am attaching the screen shot for IE download.
When I download with FF, it does not show a warning; the file just gets deleted from the download folder before it has a chance to run.

In Safe mode, same thing.
But when I ran the online scan, it warned me that it would be more effective if run with administrator privilege.
After the scan, I tested download with IE run as admin, and it downloaded fine: no problem, no warning, no virus.
  • 0

#29
saskpc

saskpc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Here is the screenshot.

I am starting to think of doing an in place install.
What do you think?

Attached Thumbnails

  • virus screen shot IE.png

  • 0

#30
Buddierdl

Buddierdl

    Trusted Helper

  • Malware Removal
  • 2,524 posts

I am attaching the screen shot for IE download.
When I download with FF, it does not show a warning; the file just gets deleted from the download folder before it has a chance to run.

In Safe mode, same thing.
But when I ran the online scan, it warned me that it would be more effective if run with administrator privilege.
After the scan, I tested download with IE run as admin, and it downloaded fine: no problem, no warning, no virus.



Do you have the log from the BitDefender scan? Did it find anything?

Can you summarize the current state of downloading for me? FF - does it work or not? IE - does it only work when run as admin? Safe Mode - no difference?

Also, you forgot the attachment.


  • 0
