
TrojWare.Win32.Kryptik.MNM@293542018 ? [Solved]



#1
dingbat

    New Member

  • Member
  • 6 posts
Hi Guys,

This just popped up by Comodo as a malicious file. It asked me if I wanted it cleaned (TrojWare.Win32.Kryptik.MNM@293542018) and I said yes, and it has quarantined the .exe file, which it says can be found in C:\Program Files\Intel\IntelDH\CCU\IntelDH.exe

Would appreciate if someone could help me determine if this is malicious and if so to help me remove it. Thanks

dingbat
  • 0


#2
tom982

    Member 1K

  • Member
  • 1,183 posts
Hello dingbat and :welcome:

Sorry for the delay!

Before we continue, I would like you to read the following text:

  • Some of my instructions may be carried out in safe mode, where you will not have access to GeeksToGo, I suggest you save or print my instructions for later reference
  • Please do not attach your logs to your post, instead I would like you to copy and paste the contents into your post
  • Please do NOT use any other tools, fixes or scripts unless instructed to do so by myself. Not only could this damage your system, but it will make it harder for me to fix your problem
  • If you do not understand any of my instructions, then feel free to ask me and I will explain in further detail
  • Please be patient. Malware removal is a long process and requires many steps, if you stick with me, I'll help you get through this
  • Stay with me until I deem your computer clean. A lack of symptoms does not always mean that the system is clean
  • Please make sure you have read and understood my instructions before continuing with them, spelling errors in the scripts etc. could cause adverse effects to your system
  • If you do not hear a reply from me in 36 hours, then simply post "bump" on the thread
  • Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed

Can you upload the file in question to VirusTotal then send me the report link please:

http://www.virustotal.com

OTL

  • Download OTL to your Desktop
  • Double click on the OTL icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Run Scan button.
When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and paste them into your reply.

Tom
  • 0

#3
dingbat

    New Member

  • Topic Starter
  • Member
  • 6 posts
Hi Tom,

Thanks for coming to help.

I got Comodo to quarantine the file before posting the first time, as I thought that was safest. To be able to upload it to VirusTotal would mean restoring the file. I am nervous about doing that, but if you direct me to do so then I will.

I have tried to run OTL, all versions and it always gets hooked up on "scanning firefox settings" and won't budge from there. It always results in the program "not responding" at this point. So it does start the scan ok but always at the same point it appears to stall and won't go any further.

I look forward to your reply and further direction. Thanks.

mike
  • 0

#4
tom982

    Member 1K

  • Member
  • 1,183 posts
Hi Mike,

I'm fairly confident that this file is a false positive as the detection name is very generic and I've found no previous history of this filename ever being used maliciously.

Do you know how to disable Comodo temporarily? If so, I would like you to disable the protection, restore the file, upload it to VirusTotal then re-enable the protection and quarantine the file again. This is to prevent Comodo from removing the file as soon as it is restored.

Thank you for letting me know about OTL. Can you try running it from Safe Mode:

Boot Into Safe Mode

  • Save any work and close all open windows
  • Restart your computer
  • When your computer has shutdown and is just starting to boot again (on the BIOS screen that usually has the manufacturer’s logo on it) press F8
  • Using the arrow keys, select Safe Mode with Networking and press enter
  • When safe mode launches, try scanning with OTL again:

    OTL
  • Run OTL. Make sure all other windows are closed and to let it run uninterrupted.
  • Change Extra Registry > All then click the Run Scan button.
When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and paste them into your reply.

When you have completed this, reboot into normal mode.

Tom
  • 0

#5
dingbat

    New Member

  • Topic Starter
  • Member
  • 6 posts
Hi Tom,

Thanks for your direction.

Unfortunately, I have not come up with the goods. Let me explain.

I did as instructed and disabled Comodo and restored the file. I then went back to the location in accordance with the path given and the file was not there. I searched for the file using Start > Search files and folders and came up empty handed. The strange thing is that the IntelDH.exe file is shown as being quarantined in Comodo a *second* time (all details exactly the same) at an earlier time/date. This entry is still there but I have done nothing with it.

I then went into safe mode and did as instructed, and exactly the same thing happens: the OTL scanner stalls when it gets to scanning the "firefox settings" and, as usual, I had to use Task Manager to end the process as it was "not responding".

I look forward to your further help. Thanks

regards
Mike
  • 0

#6
tom982

    Member 1K

  • Member
  • 1,183 posts
Hi Mike,

Can I ask you to try one more time please? Just to confirm whether it was just Comodo throwing a wobbly or there is something else going on.

Thank you for letting me know about OTL. We'll ditch it for now and use another tool:

Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt

Please attach the second file; Attach.txt. To attach a file, do the following:
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

  • 0

#7
dingbat

    New Member

  • Topic Starter
  • Member
  • 6 posts
Hi Tom,

Thanks for your reply.

Link to VirusTotal report: https://www.virustot...sis/1363639243/

Does that mean I should restore the file?

DDS did not quite work as you directed below:-
When done, DDS.txt will open.
Click Yes at the next prompt for Optional Scan.

When double clicking the tool it went straight into silent mode and there was no way I could change that. DDS.txt did open a tab in my browser and also save on the desktop (as did the other file attached) but I could not see anywhere to click yes at the next prompt. I just double clicked on the DDS icon and it produced both files on the desktop and browser.

As requested please find Attach.txt attached (attach.txt, 12.25KB) and DDS.txt pasted below:-

Regards
Mike


DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.19401 BrowserJavaVersion: 10.17.2
Run by Owner at 20:12:49 on 2013-03-18
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2046.846 [GMT 0:00]
.
AV: COMODO Antivirus *Enabled/Updated* {458BB331-2324-0753-3D5F-1472EB102AC0}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: COMODO Defense+ *Enabled/Updated* {FEEA52D5-051E-08DD-07EF-2F009097607D}
FW: COMODO Firewall *Enabled* {7DB03214-694B-060B-1600-BD4715C36DBB}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\SLsvc.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
C:\Program Files\EaseUS\Todo Backup\bin\Agent.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\ProgramData\MobileBrServ\mbbservice.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\EaseUS\Todo Backup\bin\EuWatch.exe
C:\Program Files\EaseUS\Todo Backup\bin\TrayNotify.exe
C:\Program Files\Real\RealPlayer\Update\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
c:\program files\windows defender\MpCmdRun.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2737658
uWindow Title = Microsoft Internet Explorer
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=71&bd=Presario&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=71&bd=Presario&pf=desktop
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - c:\program files\windows live\companion\companioncore.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [EaseUs Watch] "c:\program files\easeus\todo backup\bin\EuWatch.exe"
mRun: [EaseUs Tray] "c:\program files\easeus\todo backup\bin\TrayNotify.exe"
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
uPolicies-Explorer: NoDrives = dword:0
uPolicies-Explorer: NoViewOnDrive = dword:0
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: (PopUpCop) Allow images... - c:\progra~1\popupcop\PopUpCop.dll/allowimages
IE: (PopUpCop) Block images... - c:\progra~1\popupcop\PopUpCop.dll/blockimages
IE: (PopUpCop) Open In New Window - c:\progra~1\popupcop\PopUpCop.dll/imagenew
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {22CC3EBD-C286-43aa-B8E6-06B115F74162} - c:\program files\hewlett-packard\smart print 2.0\smartprintsetup.exe
IE: {5E638779-1818-4754-A595-EF1C63B87A56} - c:\program files\norton systemworks basic edition\norton cleanup\WCQuick.lnk
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
TCP: NameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{0CE44B3E-E9E8-4A86-96AF-1476663693B4} : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{7FB3A9A0-C30F-48AF-A78E-2ECFD323B61F} : NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{B50789B9-768B-45B8-90CA-35B141BAEC5B} : NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{B50789B9-768B-45B8-90CA-35B141BAEC5B} : DHCPNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{BD721D7E-A2B6-43CB-A5E3-BC1CA1D2415C} : NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{BD721D7E-A2B6-43CB-A5E3-BC1CA1D2415C} : DHCPNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{C267CB23-E322-4FDF-AB4E-F0EA305187D0} : NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{C267CB23-E322-4FDF-AB4E-F0EA305187D0} : DHCPNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{CED2FAE8-5864-40E3-89E0-13F681F2A359} : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{FE809D54-3974-4B1C-8886-0EE71F9FC561} : NameServer = 8.26.56.26,156.154.70.22
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
AppInit_DLLs= c:\progra~2\wincert\win32c~1.dll c:\windows\system32\guard32.dll
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\jfshg8e9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\users\owner\appdata\roaming\mozilla\firefox\profiles\jfshg8e9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\users\owner\appdata\roaming\mozilla\firefox\profiles\jfshg8e9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.135\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nprpplugin.dll
FF - plugin: c:\program files\mpcstar\codecs\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\mpcstar\codecs\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprpplugin.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1168638.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_6_602_180.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
FF - ExtSQL: 2013-02-02 22:38; {f34c9277-6577-4dff-b2d7-7d58092f272f}; c:\users\owner\appdata\roaming\mozilla\firefox\profiles\jfshg8e9.default\extensions\{f34c9277-6577-4dff-b2d7-7d58092f272f}
FF - ExtSQL: !HIDDEN! 2009-08-17 21:44; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - ExtSQL: !HIDDEN! 2011-07-02 14:13; {3112ca9c-de6d-4884-a869-9855de68056c}; c:\program files\mozilla firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
.
---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
============= SERVICES / DRIVERS ===============
.
R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [2011-10-22 39560]
R0 EUBKMON;EUBKMON;c:\windows\system32\drivers\EUBKMON.sys [2011-10-22 43656]
R1 CFRMD;CFRMD;c:\windows\system32\drivers\CFRMD.sys [2010-12-9 64608]
R1 CFRPD;CFRPD;c:\windows\system32\drivers\CFRPD.sys [2010-12-9 33744]
R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2010-6-1 19632]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-6-4 494416]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-6-1 42264]
R1 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [2011-10-22 17032]
R1 EUFDDISK;EUFDDISK;c:\windows\system32\drivers\EuFdDisk.sys [2011-10-22 185480]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\drivers\dc3d.sys [2011-8-1 45288]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-3-11 21104]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2012-11-11 39272]
S3 WN4501HLFZZ(Technology Corporation);802.11g Wireless USB Adapter(Technology Corporation);c:\windows\system32\drivers\O4501U.sys [2010-10-25 408064]
.
=============== File Associations ===============
.
FileExt: .txt: Applications\firefox.exe="c:\program files\mozilla firefox\firefox.exe" "%1" [UserChoice]
FileExt: .chm: Applications\ieuser.exe - HKCR\Unknown\Shell=c:\windows\system32\rundll32.exe c:\windows\system32\shell32.dll,OpenAs_RunDLL %1 [UserChoice] [default=openas]
.
=============== Created Last 30 ================
.
2013-03-17 12:21:03 -------- d-----w- c:\users\owner\appdata\roaming\DriverCure
2013-03-17 12:21:00 -------- d-----w- c:\users\owner\appdata\roaming\SpeedyPC Software
2013-03-17 12:19:31 -------- d-----w- c:\programdata\SpeedyPC Software
2013-03-17 12:19:31 -------- d-----w- c:\program files\common files\SpeedyPC Software
2013-03-15 17:52:55 -------- d-----w- c:\program files\CamStudio 2.7
2013-03-11 20:45:49 -------- d-----w- c:\users\owner\appdata\roaming\Malwarebytes
2013-03-11 20:45:43 -------- d-----w- c:\programdata\Malwarebytes
2013-03-11 20:45:41 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-03-11 20:45:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-03-06 13:30:53 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-02-24 00:12:14 -------- d-----w- c:\program files\Market Samurai
.
==================== Find3M ====================
.
2013-03-17 23:16:25 23939 ----a-w- c:\windows\cscmondump.bin
2013-03-14 16:32:59 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-14 16:32:59 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-06 13:30:35 861088 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-03-06 13:30:35 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-02-28 02:49:23 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2013-02-02 09:18:13 916480 ----a-w- c:\windows\system32\wininet.dll
2013-02-02 09:12:40 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-02-02 09:12:13 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-02-02 09:11:58 71680 ----a-w- c:\windows\system32\iesetup.dll
2013-02-02 09:11:58 109056 ----a-w- c:\windows\system32\iesysprep.dll
2013-02-02 07:37:34 385024 ----a-w- c:\windows\system32\html.iec
2013-02-02 05:52:40 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2013-01-17 01:28:58 232336 ------w- c:\windows\system32\MpSigStub.exe
2013-01-05 05:26:01 3602808 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-01-05 05:26:01 3550072 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-01-04 11:28:18 905576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-01-04 01:38:50 2048512 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 20:15:46.20 ===============
  • 0

#8
tom982

    Member 1K

  • Member
  • 1,183 posts
Hi Mike,

Your log isn't showing any malware which is great. There is, however, a registry setting that needs changing as it is currently set to a spyware related site.

Registry Backup

Please download RegBak (by AceLogix Software) from the link below and save it to your Desktop.

Download Mirror #1


  • Right-click > Extract all... and extract the files to your Desktop

    For 32-bit (x86) editions of Windows, double-click on regbak.exe
    For 64-bit (x64) editions of Windows, double-click on regbak64.exe


    If you are unsure whether you have x86 or x64 Windows, see here

  • Without changing any options, click Next. RegBak will now backup all of your registry hives.

Registry Modifications

  • Go to Start > Run to bring up the run box
  • In the box, type notepad.exe and press OK to open Notepad
  • Copy (Ctrl+C) all of the text in the following box and paste (Ctrl+V) it into Notepad

    Windows Registry Editor Version 5.00
    
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    "Start Page"="http://www.google.co.uk/"
  • Go to File > Save As... and save it to your Desktop named Fix.reg. Make sure you change the Save as type to All Files (*.*)
  • Locate Fix.reg on your Desktop and double-click on it to merge it with your registry
  • Answer Yes when prompted about merging with the registry

There is also a registry cleaner installed, SpeedyPC Software, that I would highly recommend you remove. Registry cleaners often do a lot more harm than good and it really isn't worth the risk, as you will experience no performance gains whatsoever. I dealt with a thread a few months ago where a registry cleaner completely killed Windows Update and caused over 2,000 errors!

I also notice that you are running the Windows Sidebar which is highly unadvisable due to the security risks. If you aren't aware of this, have a read here: http://nakedsecurity...idebar-gadgets/

Disable the sidebar by running the FixIt on this page: http://support.micro....com/kb/2719662

Tom
  • 0
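A small triage script for the kind of DDS report pasted above, written as an added example for this thread (it is not a tool from the thread, from DDS or from OTL). It parses the Pseudo HJT Report lines and flags what was checked by eye here: a start page on a host outside a trusted list (the conduit search page), DLLs listed in AppInit_DLLs, and resolvers that are neither on the LAN nor a known public service; it also builds a .reg fix of the same shape as the one in the post. The trusted-homepage suffixes, the known-resolver set and the one NameServer line marked constructed are assumptions for this example.

```python
"""Triage helper for the DDS 'Pseudo HJT Report' section.

Added example for this thread, not a tool from the thread, DDS or OTL. It parses
the report's key = value lines and flags a start page on an unexpected host, DLLs
injected via AppInit_DLLs, and DNS resolvers that are neither LAN nor allow-listed.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Assumption: hosts a start page may legitimately point at on this machine.
TRUSTED_HOMEPAGE_SUFFIXES = ("google.co.uk", "google.com", "hp.com")
# Assumption: public resolvers that appear in the thread's log (OpenDNS and
# Comodo Secure DNS) and are not worth flagging.
KNOWN_RESOLVERS = {"208.67.222.222", "208.67.220.220", "8.26.56.26", "156.154.70.22"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# DDS prefixes: 'u' = current-user hive, 'm' = machine hive.
HIVE = {"u": "HKEY_CURRENT_USER", "m": "HKEY_LOCAL_MACHINE"}

START_PAGE_RE = re.compile(r"^(?P<scope>[um])(?P<key>Start Page|Default_Page_URL) = (?P<url>\S+)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs=\s*(?P<dlls>.*)$")
NAMESERVER_RE = re.compile(
    r"^TCP: (?:Interfaces\\\{(?P<iface>[^}]+)\} : )?(?:DHCP)?NameServer = (?P<ips>.+)$"
)

# Lines taken from the DDS.txt pasted in the thread, plus one constructed
# NameServer line (TEST-NET-3 address) so the resolver check has something to flag.
SAMPLE_REPORT = """\
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2737658
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=71&bd=Presario&pf=desktop
TCP: NameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\\{7FB3A9A0-C30F-48AF-A78E-2ECFD323B61F} : NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\\{B50789B9-768B-45B8-90CA-35B141BAEC5B} : NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\\{CONSTRUCTED-EXAMPLE-GUID} : NameServer = 203.0.113.53
AppInit_DLLs= c:\\progra~2\\wincert\\win32c~1.dll c:\\windows\\system32\\guard32.dll
"""


def refang(url: str) -> str:
    """DDS writes hxxp:// so log URLs are not clickable; restore the scheme for parsing."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url)


def homepage_is_trusted(url: str) -> bool:
    host = urlparse(refang(url)).hostname or ""
    return any(host == s or host.endswith("." + s) for s in TRUSTED_HOMEPAGE_SUFFIXES)


def classify_resolver(ip: str) -> str:
    """'lan' for RFC 1918 space (the router), 'known-public' for the allow-list, else 'review'."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        return "lan"
    return "known-public" if ip in KNOWN_RESOLVERS else "review"


def triage(report: str) -> list:
    """Return (kind, where, value) findings for every line that merits a look."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        if m := START_PAGE_RE.match(line):
            if not homepage_is_trusted(m["url"]):
                findings.append(("start-page", m["scope"] + m["key"], m["url"]))
        elif m := APPINIT_RE.match(line):
            # The registry value is space separated; every entry is loaded into
            # each user-mode process, so each one is listed for review.
            for dll in m["dlls"].split():
                findings.append(("appinit-dll", "AppInit_DLLs", dll))
        elif m := NAMESERVER_RE.match(line):
            for ip in re.split(r"[ ,]+", m["ips"].strip()):
                if classify_resolver(ip) == "review":
                    findings.append(("dns", m["iface"] or "global", ip))
    return findings


def reg_fix_for_start_page(scope: str, new_url: str) -> str:
    """Build a .reg file of the same shape as the one in the thread, for either hive."""
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[{HIVE[scope]}\\Software\\Microsoft\\Internet Explorer\\Main]\r\n"
        f'"Start Page"="{new_url}"\r\n'
    )


if __name__ == "__main__":
    for kind, where, value in triage(SAMPLE_REPORT):
        print(f"{kind:12} {where:36} {value}")
    print(reg_fix_for_start_page("u", "http://www.google.co.uk/"))
```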

#9
dingbat

    New Member

  • Topic Starter
  • Member
  • 6 posts
Hi Tom,

Thanks for all that.

Also should the IntelDH.exe file quarantined at the start be restored?

Yes, I had already removed the cleaner...thanks

Just regarding the gadgets. I have had these gadgets on the pc for years. I do have one third party gadget, although it is trusted

If only gadgets that come with the PC (i.e. not from online and not third party, like clock, CPU and calendar) are being used, is it still advised to disable the sidebar with these gadgets? I.e. is the potential threat already in the gadget, or is it that the attacker can get into the PC and hide in the gadgets? The directive from MS seems to refer to gadgets from untrusted sources. I take it that when you right click on the sidebar and it gives you access to the clock, CPU etc. these are trusted, or not?

I would appreciate your take on this.

Thanks very much

Mike
  • 0

#10
tom982

    Member 1K

  • Member
  • 1,183 posts
Hi Mike,

Sorry for the delay, you completely fell off my radar :blush:

Yes, restore IntelDH.exe as it is a false positive. You might have to tell Comodo to ignore this file to stop it from removing it again.

In that case I don't think the Sidebar will be an issue for you as long as you stick to those gadgets. I would avoid installing any more gadgets though, just in case - it's better to be safe than sorry.

Tom
  • 0

#11
dingbat

    New Member

  • Topic Starter
  • Member
  • 6 posts
Hi Tom,

Thanks very much for your help!

Regards

Mike
  • 0

#12
tom982

    Member 1K

  • Member
  • 1,183 posts
Hi Mike,

No problem; happy to help!

Tom
  • 0

#13
tom982

    Member 1K

  • Member
  • 1,183 posts
Hi Mike,

So sorry about this, but I completely forgot to clean up after myself. If you haven't already deleted OTL, DDS and their subsequent logs, here's how to do so:

OTL CleanUp

  • Open OTL
  • Click CleanUp
This will remove all of the tools that we have used (and their subsequent logs) from your system, leaving you as good as new.

I would also recommend clearing your restore points and starting over:

System Restore

To manually create a new Restore Point
  • Go to Control Panel and select System and Maintenance
  • Select System
  • On the left select Advanced System Settings and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name i.e. Clean
  • Select Create
Now we can purge the infected ones
  • Go back to the System and Maintenance page
  • Select Performance Information and Tools
  • On the left select Open Disk Cleanup
  • Select Files from all users and accept the warning if you get one
  • In the drop down box select your main drive i.e. C
  • For a few moments the system will make some calculations
  • Select the More Options tab
  • In the System Restore and Shadow Backups select Clean up
  • Select Delete on the pop up
  • Select OK
  • Select Delete
You are now done

When you have done this, you're all good to go. Would you find any online safety advice useful?

Tom
  • 0

#14
Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,772 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0