I've run ComboFix without the CFScript (accidentally); I thought it would install first, but I had already copied CFScript to the desktop :/
Edited by janji, 04 March 2015 - 11:20 AM.
OK, I've run it a second time, this time with CFScript; here is the report. Do you want the log from the first time I ran ComboFix (without the CFScript) too?
ComboFix did a reboot and then logged the report.
ComboFix 15-03-01.01 - User 03/04/2015 18:21:56.2.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.1787.583 [GMT 1:00]
Running from: c:\users\User\Desktop\ComboFix.exe
Command switches used :: c:\users\User\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: avast! Antivirus *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\system32\windrvNT.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_windrvNT
-------\Service_windrvNT
.
.
((((((((((((((((((((((((( Files Created from 2015-02-04 to 2015-03-04 )))))))))))))))))))))))))))))))
.
.
2015-03-04 17:35 . 2015-03-04 17:35 -------- d-----w- c:\users\Public\AppData\Local\temp
2015-03-04 17:35 . 2015-03-04 17:35 -------- d-----w- c:\users\Default\AppData\Local\temp
2015-03-04 15:03 . 2015-03-04 15:03 62576 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{ACA9F26A-E949-4A50-8D72-889B2175FCFD}\offreg.dll
2015-03-04 15:01 . 2015-01-29 09:49 9041640 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{ACA9F26A-E949-4A50-8D72-889B2175FCFD}\mpengine.dll
2015-02-25 20:38 . 2015-02-25 20:38 -------- d-sh--w- c:\users\User\AppData\Local\EmieBrowserModeList
2015-02-25 20:21 . 2015-02-25 20:21 -------- d-----w- c:\programdata\{BAF091CA-86C4-4627-ADA1-897E2621C1B0}
2015-02-25 20:21 . 2015-02-25 20:21 -------- d-----w- c:\program files\Common Files\IObit
2015-02-25 20:20 . 2015-02-25 20:20 -------- d-----w- c:\users\User\AppData\Roaming\ProductData
2015-02-25 20:19 . 2015-02-25 20:22 -------- d-----w- c:\programdata\ProductData
2015-02-25 20:19 . 2015-02-25 20:20 -------- d-----w- c:\users\User\AppData\Roaming\IObit
2015-02-10 19:23 . 2015-02-27 13:03 -------- d-----w- c:\program files\SpeedFan
2015-02-10 19:01 . 2015-02-10 19:09 -------- d-----w- c:\users\User\AppData\Local\CrashDumps
2015-02-10 17:30 . 2015-02-11 20:39 -------- d-----w- c:\programdata\RogueKiller
2015-02-10 13:12 . 2015-03-04 16:15 -------- d-----w- C:\FRST
2015-02-09 20:10 . 2015-02-09 20:10 -------- d-----w- c:\users\User\AppData\Roaming\ATI
2015-02-09 20:10 . 2015-02-09 20:10 -------- d-----w- c:\users\User\AppData\Local\ATI
2015-02-09 20:10 . 2015-02-09 20:10 -------- d-----w- c:\programdata\ATI
2015-02-09 20:06 . 2015-02-09 20:06 -------- d-----w- c:\program files\DIFX
2015-02-09 20:06 . 2009-12-22 01:26 30392 ----a-w- c:\windows\system32\drivers\usbfilter.sys
2015-02-09 20:06 . 2015-02-09 20:06 -------- d-----w- c:\program files\AMD
2015-02-09 01:19 . 2015-02-09 01:19 -------- d-----w- c:\program files\Hewlett-Packard
2015-02-09 01:19 . 2015-02-09 01:19 -------- d-----w- c:\program files\Hp
2015-02-06 21:01 . 2015-02-27 12:01 -------- d-----w- c:\program files\Mozilla Maintenance Service
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-02-26 15:38 . 2013-11-10 14:09 13464 ----a-w- c:\windows\system32\drivers\SWDUMon.sys
2015-02-25 22:20 . 2012-07-14 22:55 701616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2015-02-25 22:20 . 2012-07-14 22:23 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2015-02-09 03:08 . 2014-07-16 07:25 114904 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-01-25 16:10 . 2014-10-16 15:52 96680 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-12-22 23:50 . 2010-10-29 00:05 249488 ------w- c:\windows\system32\MpSigStub.exe
2014-12-19 02:43 . 2015-01-14 10:08 164864 ----a-w- c:\windows\system32\profsvc.dll
2014-12-19 01:34 . 2015-01-14 10:08 116224 ----a-w- c:\windows\system32\drivers\mrxdav.sys
2014-12-13 03:33 . 2014-12-18 16:06 115712 ----a-w- c:\windows\system32\ieUnatt.exe
2014-12-12 05:11 . 2015-01-14 10:09 3971512 ----a-w- c:\windows\system32\ntkrnlpa.exe
2014-12-12 05:11 . 2015-01-14 10:09 3916728 ----a-w- c:\windows\system32\ntoskrnl.exe
2014-12-11 17:47 . 2015-01-14 10:08 74240 ----a-w- c:\windows\system32\TSWbPrxy.exe
2014-12-06 03:50 . 2015-01-14 10:08 242688 ----a-w- c:\windows\system32\nlasvc.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt1"]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt2"]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt3"]
@="{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt4"]
@="{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt5"]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt6"]
@="{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt7"]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt8"]
@="{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2014-08-01 13:08 578240 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Akamai NetSession Interface"="c:\users\User\AppData\Local\Akamai\netsession_win.exe" [2014-10-29 4673432]
"CCleaner Monitoring"="c:\program files\CCleaner\CCleaner.exe" [2014-10-29 4826904]
"Spotify Web Helper"="c:\users\User\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2014-12-18 1676344]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2014-12-11 30878816]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2014-12-21 110160]
"Spotify"="c:\users\User\AppData\Roaming\Spotify\Spotify.exe" [2014-12-18 6737976]
"Screen Highlighter"="c:\program files\Screen Highlighter\shl.exe" [2013-12-20 643072]
"KiesPreload"="c:\program files\samsung\kies\kies.exe" [2013-04-23 1561968]
"FreeRAM XP"="c:\program files\yourware solutions\freeram xp pro\freeram xp pro.exe" [2012-11-27 1591808]
"Amazon Music"="c:\users\User\AppData\Local\Amazon Music\Amazon Music Helper.exe" [2014-10-15 6281024]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2011-10-14 2299176]
"APSDaemon"="c:\program files\common files\apple\apple application support\apsdaemon.exe" [2013-04-21 59720]
"BCSSync"="c:\program files\microsoft office\office14\bcssync.exe" [2012-11-05 89184]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2014-08-01 4085896]
"DivXMediaServer"="c:\program files\divx\divx media server\divxmediaserver.exe" [2014-11-17 448856]
"DivXUpdate"="c:\program files\divx\divx update\divxupdate.exe" [2014-01-10 1861968]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-09-09 421776]
"KeyScrambler"="c:\program files\KeyScrambler\keyscrambler.exe" [2014-10-26 508744]
"QuickTime Task"="c:\program files\QuickTime Alternative\QTTask.exe" [2014-10-02 421888]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"KiesTrayAgent"="c:\program files\samsung\kies\kiestrayagent.exe" [2013-04-23 311152]
.
c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\User\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2015-2-11 42555824]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2013-11-4 565464]
Stay On Top.lnk - c:\windows\Installer\{5C6C0192-BA75-4932-8931-B2FF88346E49}\_16dd6dc4.exe [2014-3-24 10134]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0bootdelete
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"QuickTime Task"="c:\program files\QuickTime Alternative\QTTask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" -osboot
.
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2014-12-11 315496]
R3 CFcatchme;CFcatchme;c:\users\User\AppData\Local\Temp\CFcatchme.sys [x]
R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys [2013-04-03 83864]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2014-11-22 102912]
R3 ManyCam;ManyCam Virtual Webcam;c:\windows\system32\DRIVERS\mcvidrv.sys [2012-07-20 34432]
R3 massfilter_hs;ZTE HandSet Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter_hs.sys [2011-03-07 15896]
R3 mcaudrv_simple;ManyCam Virtual Microphone;c:\windows\system32\drivers\mcaudrv.sys [2012-07-20 25088]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-10-23 14848]
R3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys [2013-10-28 182680]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2013-10-02 49152]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-11-24 1343400]
S0 aswRvrt;avast! Revert; [x]
S0 aswVmm;avast! VM Monitor; [x]
S0 SmartDefragDriver;SmartDefragDriver;c:\windows\System32\Drivers\SmartDefragDriver.sys [2013-05-22 15672]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2014-11-22 779536]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2014-08-01 414520]
S1 HssDRV6;Hotspot Shield Routing Driver 6;c:\windows\system32\DRIVERS\hssdrv6.sys [2014-05-17 39624]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2014-08-22 142648]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-06-17 172032]
S2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys [2014-08-01 24184]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2014-08-01 67824]
S2 aswStm;aswStm;c:\windows\system32\drivers\aswStm.sys [2014-08-01 71944]
S2 hshld;Hotspot Shield Service;c:\program files\Hotspot Shield\bin\cmw_srv.exe [2014-05-16 919040]
S2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe [2014-05-16 430344]
S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\PSIA.exe [2013-11-04 1228504]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [2013-11-04 660184]
S2 SPDFCreatorReadSpool;SolidPDFCreatorReadSpool;c:\program files\SolidDocuments\SolidPDFCreator\SPC\SolidPdfService.exe [2011-10-03 180552]
S3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2013-05-31 209016]
S3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf_x86.sys [2013-11-04 16024]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2000-01-01 197736]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2011-06-10 394856]
S3 taphss6;Anchorfree HSS VPN Adapter;c:\windows\system32\DRIVERS\taphss6.sys [2014-05-17 37064]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2015-02-03 20:38 1086280 ----a-w- c:\program files\Google\Chrome\Application\40.0.2214.94\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2015-02-26 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-14 22:20]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com
mStart Page = www.google.com
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = about:blank
IE: &Save the YouTube video as MP3 - c:\users\User\AppData\Roaming\Free YouTube to MP3 Converter Studio\Free YouTube to MP3 Converter Studio.htm
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Customize Menu - file://C:/Program Files/Siber Systems/AI RoboForm/RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://C:/Program Files/Siber Systems/AI RoboForm/RoboFormComFillForms.html
IE: Save Forms - file://C:/Program Files/Siber Systems/AI RoboForm/RoboFormComSavePass.html
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
IE: Show RoboForm Toolbar - file://C:/Program Files/Siber Systems/AI RoboForm/RoboFormComShowToolbar.html
Trusted Zone: aeriagames.com
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\rcdgk3lo.default\
FF - prefs.js: browser.startup.homepage - hxxps://my.yahoo.com/
FF - prefs.js: network.proxy.type - 4
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{2B9F5787-88A5-4945-90E7-C4B18563BC5E}"=hex:51,66,7a,6c,4c,1d,38,12,e9,54,8c,
2f,97,c6,2b,0c,ef,f1,87,f1,80,3d,f8,4a
"{3049C3E9-B461-4BC5-8870-4C09146192CA}"=hex:51,66,7a,6c,4c,1d,38,12,87,c0,5a,
34,53,fa,ab,0e,f7,66,0f,49,11,3f,d6,de
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"=hex:51,66,7a,6c,4c,1d,38,12,0f,32,96,
76,f7,7e,4c,08,c8,ef,48,fc,18,66,e7,6a
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,38,12,d5,94,07,
72,c2,98,42,03,c9,fd,97,9a,f4,87,69,57
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,
b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb
"{D0984FD4-FA9A-46EE-9072-70B0735FF852}"=hex:51,66,7a,6c,4c,1d,38,12,ba,4c,8b,
d4,a8,b4,80,03,ef,64,33,f0,76,01,bc,46
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}"=hex:51,66,7a,6c,4c,1d,38,12,8f,19,47,
2e,c4,15,0b,03,d7,b5,8c,e9,62,70,06,85
"{03EB0E9C-7A91-4381-A220-9B52B641CDB1}"=hex:51,66,7a,6c,4c,1d,38,12,f2,0d,f8,
07,a3,34,ef,06,dd,36,d8,12,b3,1f,89,a5
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:d4,bc,ca,53,e6,73,cd,01
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3a,90,80,8c,07,d4,80,43,a6,35,52,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d3,09,0e,18,2d,a9,8c,4b,a7,56,c8,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3a,90,80,8c,07,d4,80,43,a6,35,52,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\atieclxx.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\conhost.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2015-03-04 18:43:35 - machine was rebooted
ComboFix-quarantined-files.txt 2015-03-04 17:43
ComboFix2.txt 2015-03-04 17:12
ComboFix3.txt 2015-02-10 20:06
.
Pre-Run: 143,624,654,848 bytes free
Post-Run: 143,411,625,984 bytes free
.
- - End Of File - - B66165271DF860FF1F9AA56DF8207503
A36C5E4F47E84449FF07ED3517B43A31
Edited by janji, 04 March 2015 - 11:54 AM.
Sorry for the delay. The forum was sick yesterday and I haven't had much time today.
I don't need the first run of ComboFix. The second run appears to have removed the file that wouldn't go away. Did you have any problems after ComboFix ran?
Let's try
Hi Ron, thanks for your patience.
After Combofix computer seems to be working just fine. Here is the RK report.txt.
RogueKiller V10.5.1.0 [Mar 5 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.co...es/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : User [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller.exe
Mode : Scan -- Date : 03/06/2015 15:26:53
¤¤¤ Processes : 4 ¤¤¤
[Suspicious.Path] SpotifyWebHelper.exe(3536) -- C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[7] -> Killed [TermProc]
[Suspicious.Path] Amazon Music Helper.exe(4396) -- C:\Users\User\AppData\Local\Amazon Music\Amazon Music Helper.exe[7] -> Killed [TermProc]
[PUP] (SVC) hshld -- C:\Program Files\Hotspot Shield\bin\cmw_srv.exe[-] -> Stopped
[PUP] (SVC) HssWd -- C:\Program Files\Hotspot Shield\bin\hsswd.exe[7] -> Stopped
¤¤¤ Registry : 23 ¤¤¤
[PUP] HKEY_CLASSES_ROOT\CLSID\{6E993643-8FBC-44FE-BC85-D318495C4D96} (C:\PROGRA~1\COMMON~1\WONDER~1\WONDER~1\WSHelper.exe) -> Found
[Suspicious.Path] HKEY_USERS\S-1-5-21-4165335087-975643669-458432890-1000\Software\Microsoft\Windows\CurrentVersion\Run | Spotify Web Helper : "C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" -> Found
[Suspicious.Path] HKEY_USERS\S-1-5-21-4165335087-975643669-458432890-1000\Software\Microsoft\Windows\CurrentVersion\Run | Spotify : "C:\Users\User\AppData\Roaming\Spotify\Spotify.exe" /uri spotify:autostart -> Found
[Suspicious.Path] HKEY_USERS\S-1-5-21-4165335087-975643669-458432890-1000\Software\Microsoft\Windows\CurrentVersion\Run | Amazon Music : "C:\Users\User\AppData\Local\Amazon Music\Amazon Music Helper.exe" -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme (\??\C:\Users\User\AppData\Local\Temp\catchme.sys) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CFcatchme (\??\C:\Users\User\AppData\Local\Temp\CFcatchme.sys) -> Found
[PUP] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\hshld (C:\Program Files\Hotspot Shield\bin\cmw_srv.exe) -> Found
[PUP] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HssTrayService (C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE) -> Found
[PUP] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HssWd (C:\Program Files\Hotspot Shield\bin\hsswd.exe) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\catchme (\??\C:\Users\User\AppData\Local\Temp\catchme.sys) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\CFcatchme (\??\C:\Users\User\AppData\Local\Temp\CFcatchme.sys) -> Found
[PUP] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\hshld (C:\Program Files\Hotspot Shield\bin\cmw_srv.exe) -> Found
[PUP] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\HssTrayService (C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE) -> Found
[PUP] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\HssWd (C:\Program Files\Hotspot Shield\bin\hsswd.exe) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\catchme (\??\C:\Users\User\AppData\Local\Temp\catchme.sys) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\CFcatchme (\??\C:\Users\User\AppData\Local\Temp\CFcatchme.sys) -> Found
[PUP] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\hshld (C:\Program Files\Hotspot Shield\bin\cmw_srv.exe) -> Found
[PUP] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\HssTrayService (C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE) -> Found
[PUP] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\HssWd (C:\Program Files\Hotspot Shield\bin\hsswd.exe) -> Found
[PUM.DesktopIcons] HKEY_USERS\S-1-5-21-4165335087-975643669-458432890-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1 -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[PUM.DesktopIcons] HKEY_USERS\S-1-5-21-4165335087-975643669-458432890-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
¤¤¤ Web browsers : 2 ¤¤¤
[PUP][FIREFX:Addon] rcdgk3lo.default : Hotspot Shield Extension [[email protected]] -> Found
[PUM.Proxy][FIREFX:Config] rcdgk3lo.default : user_pref("network.proxy.type", 4); -> Found
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST9320423AS ATA Device +++++
--- User ---
[MBR] 3c1bb1ccfdd1d0cf2275875b1a13427a
[BSP] c78c6c4c4b493e2099c85c7c34e3fa7e : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 230118 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 471298896 | Size: 75116 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
============================================
RKreport_SCN_02102015_184033.log
Doesn't look like there is anything left. It doesn't like your Hotspot Shield, Amazon Music, Spotify and Wondershare, but they aren't truly evil. Just PUPs (Potentially Unwanted Programs) or programs running from a location other than a folder in Program Files. You have some desktop icons hidden, but I assume that's the way you want it.
I guess we can try gmer:
Download GMER from http://www.gmer.net/download.php Note the file's name and save it to your root folder, such as C:\.
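The "running from a location other than a folder in Program Files" rule Ron describes is the same heuristic behind RogueKiller's [Suspicious.Path] hits. As an added illustration (example code written for this page, not RogueKiller's or ComboFix's own logic), the Python below parses a few Run-key and driver/service lines copied from the ComboFix log above and attaches a trust-by-path verdict to each. The trusted prefixes, the user-writable markers and the verdict names are assumptions chosen for the example; a driver image under a user-writable folder gets its own verdict because it matters more than a music helper in AppData.

```python
import re

# Constructed sample: entries copied from the ComboFix "Reg Loading Points" and
# driver/service sections posted above (a subset, enough to show each verdict).
SAMPLE_LINES = [
    '"Akamai NetSession Interface"="c:\\users\\User\\AppData\\Local\\Akamai\\netsession_win.exe" [2014-10-29 4673432]',
    '"Spotify Web Helper"="c:\\users\\User\\AppData\\Roaming\\Spotify\\Data\\SpotifyWebHelper.exe" [2014-12-18 1676344]',
    '"Skype"="c:\\program files\\Skype\\Phone\\Skype.exe" [2014-12-11 30878816]',
    '"AvastUI.exe"="c:\\program files\\AVAST Software\\Avast\\AvastUI.exe" [2014-08-01 4085896]',
    'R3 CFcatchme;CFcatchme;c:\\users\\User\\AppData\\Local\\Temp\\CFcatchme.sys [x]',
    'S0 aswRvrt;avast! Revert; [x]',
    'S1 aswSP;aswSP;c:\\windows\\system32\\drivers\\aswSP.sys [2014-08-01 414520]',
]

# Run-key line:   "Name"="path" [date size]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"')
# Service line:   R3 name;display name;path [date size]   (path may be empty)
SVC_RE = re.compile(r'^[RS][0-4]\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)\s*\[')

# Assumed trust roots and user-writable markers; tune them for the host you examine.
TRUSTED_PREFIXES = ("c:\\program files", "c:\\windows\\system32", "c:\\windows\\syswow64")
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def normalize(path):
    """Lower-case, unify slashes and strip the \\??\\ object-manager prefix seen in ImagePath values."""
    p = path.strip().lower().replace("/", "\\")
    if p.startswith("\\??\\"):
        p = p[4:]
    return p


def classify_path(path):
    p = normalize(path)
    if not p:
        return "missing"          # service with no image path (e.g. avast! Revert above)
    if p.startswith(TRUSTED_PREFIXES):
        return "ok"
    if any(marker in p for marker in USER_WRITABLE_MARKERS):
        # a kernel driver loading from a user-writable folder deserves more attention than a helper exe
        return "suspicious-driver" if p.endswith(".sys") else "suspicious-path"
    return "review"               # not trusted, not obviously user-writable: look at it by hand


def parse_line(line):
    line = line.strip()
    m = RUN_RE.match(line)
    if m:
        return m.group("name"), m.group("path"), "run"
    m = SVC_RE.match(line)
    if m:
        return m.group("name"), m.group("path"), "service"
    return None


def triage_autoruns(lines):
    """Parse ComboFix-style autorun/service lines and attach a path-based verdict to each."""
    results = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        name, path, kind = parsed
        results.append({"name": name, "kind": kind, "path": path, "verdict": classify_path(path)})
    return results


def flagged(lines):
    """Names of entries whose verdict starts with 'suspicious', in log order."""
    return [r["name"] for r in triage_autoruns(lines) if r["verdict"].startswith("suspicious")]


if __name__ == "__main__":
    for r in triage_autoruns(SAMPLE_LINES):
        print(f"{r['verdict']:<18} {r['kind']:<8} {r['name']}  ->  {r['path'] or '(none)'}")
```

The verdict is a prompt for review, not a conviction: the catchme and CFcatchme services RogueKiller lists point at the same Temp folder that ComboFix's own log shows under "R3 CFcatchme", i.e. they are leftovers of the scanner that was just run, which is exactly the kind of context a path rule cannot see.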
Had to run Firefox as admin to download the file.
On the right side is the option of Quick scan or C:\ and G:\, which one should I check?
Edited by janji, 06 March 2015 - 09:42 AM.
Click on the C:\ so it checks your whole drive. It won't hurt to also check the G:\ drive. Then press Scan.
Thanks, here is GMER Results log:
GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-03-06 20:55:06
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9320423AS rev.0006HPM1 298.09GB
Running: 78yq37hz.exe; Driver: C:\Users\User\AppData\Local\Temp\kxldapob.sys
---- System - GMER 2.1 ----
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0x8FA41BA6]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0x8FA42684]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0x8FA4E6F8]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0x8FA4E744]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0x8FA4E8DE]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0x8FA4E666]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateSection [0x8FAF8DF0]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0x8FA4E6AE]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThread [0x8FAF9080]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThreadEx [0x8FAF916A]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0x8FA4E898]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0x8FA43472]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0x8FA41C0C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0x8FA46C68]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0x8FA417F8]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0x8FAF8ED0]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0x8FA41C72]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0x8FA4705E]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0x8FA43F5A]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0x8FA4E722]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0x8FA4E766]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0x8FA4E902]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0x8FA4E68C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0x8FA46560]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0x8FA4E816]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0x8FA4E6D6]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0x8FA4694C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0x8FA4E8BC]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0x8FAF8C6E]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0x8FA43DCE]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThreadEx [0x8FA43ADC]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0x8FA41CD8]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0x8FA41D3E]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwSetContextThread [0x8FAF8FCC]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0x8FA41892]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0x8FA41A64]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0x8FA419F2]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0x8FA4363C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0x8FA4379E]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0x8FA41AEC]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwTerminateProcess [0x8FAF8D3C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0x8FA432CC]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0x8FA41DA4]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwWriteVirtualMemory [0x8FAF8BA0]
---- Kernel code sections - GMER 2.1 ----
.text ntkrnlpa.exe!ZwRequestWaitReplyPort + 14A5 84283A15 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 842BD372 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 842C45C0 4 Bytes [A6, 1B, A4, 8F]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1153 842C4648 4 Bytes [84, 26, A4, 8F]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 842C469C 8 Bytes [F8, E6, A4, 8F, 44, E7, A4, ...]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 842C46A8 4 Bytes [DE, E8, A4, 8F]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 842C46C4 4 Bytes [66, E6, A4, 8F]
.text ...
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x9163E000, 0x2ED000, 0xE8000020]
---- User code sections - GMER 2.1 ----
.text C:\Program Files\CCleaner\CCleaner.exe[152] kernel32.dll!GetBinaryTypeW + 70 76EC6AAC 1 Byte [62]
.text C:\Windows\system32\taskeng.exe[312] kernel32.dll!GetBinaryTypeW + 70 76EC6AAC 1 Byte [62]
.text ... 76EC6AAC 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1468] kernel32.dll!SetUnhandledExceptionFilter 76EAF5AB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1468] kernel32.dll!GetBinaryTypeW + 70 76EC6AAC 1 Byte [62]
.text C:\Users\User\AppData\Local\Akamai\netsession_win.exe[1516] kernel32.dll!GetBinaryTypeW + 70 76EC6AAC 1 Byte [62]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1544] kernel32.dll!GetBinaryTypeW + 70 76EC6AAC 1 Byte [62]
.text ...
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1996] kernel32.dll!SetUnhandledExceptionFilter 76EAF5AB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1996] kernel32.dll!GetBinaryTypeW + 70 76EC6AAC 1 Byte [62]
.text C:\Program Files\Secunia\PSI\PSIA.exe[2076] kernel32.dll!GetBinaryTypeW + 70 76EC6AAC 1 Byte [62]
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[2124] kernel32.dll!GetBinaryTypeW + 70 76EC6AAC 1 Byte [62]
.text ...
---- User IAT/EAT - GMER 2.1 ----
IAT C:\Windows\Explorer.EXE[1716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73E9249F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73E75652] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73E75710] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73E9251A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73E8857E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73E84D32] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73E850D9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73E851AE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73E866DB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73E882D5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73E88824] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73E89085] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73E8E228] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73E84C64] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
---- Devices - GMER 2.1 ----
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys
---- Threads - GMER 2.1 ----
Thread System Idle [0:0] 842BD420
Thread System [4:168] 89391C80
Thread System [4:176] 8938C95E
Thread System [4:180] 89836945
Thread System [4:184] 89826001
Thread System [4:188] 8981B2B1
Thread System [4:204] 89BCCEB0
Thread System [4:208] 89BCCEB0
Thread System [4:212] 89BCCEB0
Thread System [4:216] 89BCCEB0
Thread System [4:220] 89BCCEB0
Thread System [4:224] 89BCCEB0
Thread System [4:228] 89BCCEB0
Thread System [4:232] 89BCCEB0
Thread System [4:236] 89BCCEB0
Thread System [4:248] 8FA6D4C8
Thread System [4:252] 8FA6D4C8
Thread System [4:256] 8FA6D4C8
Thread System [4:260] 8FA6D4C8
Thread System [4:264] 8FA6D4C8
Thread System [4:268] 8FA60A74
Thread System [4:272] 8FB05838
Thread System [4:276] 8FB1C10A
Thread System [4:280] 8FAF04AC
Thread System [4:284] 8FB89522
Thread System [4:288] 8EE94932
Thread System [4:292] 8EF59BCB
Thread System [4:296] 908B6E8A
Thread System [4:316] 9097F646
Thread System [4:320] 9096DF39
Thread System [4:324] 91C40650
Thread System [4:328] 91C3A090
Thread System [4:332] 91C3F420
Thread System [4:336] 91C40C80
Thread System [4:340] 9211AE32
Thread System [4:344] 924DF860
Thread System [4:348] 924E2750
Thread System [4:416] 9080243A
Thread System [4:444] 9080124A
Thread System [4:448] 90801180
Thread System [4:452] 91B45CF6
Thread System [4:456] 918443B6
Thread System [4:460] 91670336
Thread System [4:464] 9166F77E
Thread System [4:468] 917A8DE0
Thread System [4:472] 91BD653E
Thread System [4:592] 916901F6
Thread System [4:812] 8EE09740
Thread System [4:816] 8FA05082
Thread System [4:1760] 994CA005
Thread System [4:1764] 994CA005
Thread System [4:1768] 994CA6CB
Thread System [4:1840] 99547FC0
Thread System [4:396] 994CA005
Thread System [4:2408] 9086B268
Thread System [4:2412] 9086B268
Thread System [4:2536] 8EF6AD18
Thread System [4:3040] A3F1D18C
Thread System [4:3044] A3F1D18C
Thread System [4:3060] A3F1D18C
Thread System [4:3064] A3F1D18C
Thread System [4:3068] A3F1D18C
Thread System [4:3072] A3F6F844
Thread System [4:3076] A3F6F844
Thread System [4:3080] A3F6F844
Thread System [4:3084] A3F6F844
Thread System [4:3556] 8EF6AD18
Thread System [4:3560] 8EF6AD18
Thread System [4:668] A3FC7370
Thread csrss.exe [512:568] 98B56C14
Thread csrss.exe [512:572] 98B54950
---- Registry - GMER 2.1 ----
Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\00247eb4d9f4 (not active ControlSet)
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00247eb4d9f4
Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\00247eb4d9f4 (not active ControlSet)
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@57920FF5
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active 3596
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@57920FF5 3596
Reg HKLM\SOFTWARE\Microsoft\Windows Search\UsnNotifier\Windows\Catalogs\SystemIndex@{3E5C21CD-5CDD-11E3-84E3-806E6F6E6963} 31308768352
---- Disk sectors - GMER 2.1 ----
Disk \Device\Harddisk0\DR0 Windows 7 default MBR code found via API
Disk \Device\Harddisk0\DR0 unknown MBR code
---- EOF - GMER 2.1 ----
GMER is not finding anything to worry about. It and Avast don't get along that well so it flags a lot of Avast processes and the rest look like programs we already know about.
I've got one more scan we can try:
Please click http://devbuilds.kas...builds/AVPTool/ to download AVP Tool by Kaspersky.
[list]
[*]Save it to your desktop.
[*]Reboot your computer into SafeMode.
[color="#008000"][indent][i]You can do this by restarting your computer and continually tapping the [b]F8[/b] key until a menu appears.
Use your up arrow key to highlight SafeMode then hit [b]enter[/b].[/i][/indent][/color]
[*]Double click the setup file to run it.
[*]Click Next to continue.
[*]It will by default install it to your desktop folder. Click Next.
[*]Hit ok at the prompt for scanning in Safe Mode.
[*]It will then open a box. There will be a tab that says Automatic scan.
[*]Under Automatic scan make sure these are checked.
[/list]
[indent][color="#FF0000"][list]
[*]System Memory
[*]Startup Objects
[*]Disk Boot Sectors.
[*]My Computer.
[*]Also any other drives (Removable that you may have)
[/list][/color][/indent]
After that click on [b][i]Security level[/i][/b] then choose [b][i]Customize[/i][/b] then click on the tab that says [b][color="#FF0000"]Heuristic Analyzer[/color][/b] then choose [b][color="#FF0000"]Enable Deep rootkit search[/color][/b] then choose [b]ok[/b].
Then choose OK again then you are back to the main screen.
[list]
[*]Then click on Scan at the top right hand corner.
[*]It will automatically Neutralize any objects found.
[*]If some objects are left un-neutralized then click the button that says Neutralize all
[*]If it says it cannot be Neutralized then choose the delete option when prompted.
[*]After that is done click on the reports button at the bottom and save it to file name it [b]Kas[/b].
[*]Save it somewhere convenient like your desktop and just post only the detected Virus\malware in the report it will be at the very top under [b]Detected[/b] post those results in your next reply.
[indent][b][i]Note: This tool will self uninstall when you close it so please save the log before closing it.[/i][/b][/indent]
[/list]
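The reasoning above (the SSDT and inline hooks belong to Avast's drivers, the rest are known programs) is the kind of triage that is easy to script when a GMER log runs to hundreds of lines. The following is an added example, not code from this thread, from GMER or from Geeks to Go: it parses the SSDT, inline-hook, writeable-section and disk lines in the shape GMER 2.1 prints, groups SSDT hooks by the driver that owns them, and flags any hooking driver not on an analyst-maintained allowlist (the allowlist of aswSnx.sys and aswSP.sys is an assumption taken from this log, not a GMER feature). The sample lines are copied from the log posted above.

```python
import re
from collections import defaultdict

# Constructed sample: lines in the shape GMER 2.1 prints, copied from the log above.
SAMPLE_LOG = r"""
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0x8FA4363C]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwTerminateProcess [0x8FAF8D3C]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwWriteVirtualMemory [0x8FAF8BA0]
---- Kernel code sections - GMER 2.1 ----
.text ntkrnlpa.exe!ZwRequestWaitReplyPort + 14A5 84283A15 1 Byte [06]
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x9163E000, 0x2ED000, 0xE8000020]
---- User code sections - GMER 2.1 ----
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1468] kernel32.dll!SetUnhandledExceptionFilter 76EAF5AB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1468] kernel32.dll!GetBinaryTypeW + 70 76EC6AAC 1 Byte [62]
.text C:\Program Files\CCleaner\CCleaner.exe[152] kernel32.dll!GetBinaryTypeW + 70 76EC6AAC 1 Byte [62]
---- Disk sectors - GMER 2.1 ----
Disk \Device\Harddisk0\DR0 Windows 7 default MBR code found via API
Disk \Device\Harddisk0\DR0 unknown MBR code
"""

# Drivers whose hooks are already explained (Avast's kernel drivers in this thread).
# Assumption: the analyst maintains this allowlist per machine; GMER has no such feature.
KNOWN_HOOKING_MODULES = frozenset({"aswsnx.sys", "aswsp.sys"})

SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)\s+(?P<func>\w+)\s+\[0x[0-9A-Fa-f]+\]$")
# Kernel lines have no process prefix; user-mode lines start with "<path>[pid]".
INLINE_RE = re.compile(
    r"^\.text\s+(?P<proc>.*?)\s*(?P<target>\S+!\S+)\s+(?:\+\s+[0-9A-Fa-f]+\s+)?"
    r"[0-9A-Fa-f]{8}\s+(?P<n>\d+)\s+Bytes?\s+\[(?P<bytes>[^\]]*)\]"
)
WRITEABLE_RE = re.compile(r"^\.text\s+(?P<module>\S+)\s+section is writeable")
DISK_RE = re.compile(r"^Disk\s+(?P<dev>\S+)\s+(?P<desc>.+)$")


def basename(path):
    """Last component of a Windows path (keeps the "[pid]" suffix GMER appends)."""
    return path.rsplit("\\", 1)[-1]


def triage(lines, known_modules=KNOWN_HOOKING_MODULES):
    """Summarise GMER hook lines: SSDT hooks per driver, inline patches per target,
    writeable code sections and MBR findings. Returns plain dicts and lists."""
    ssdt = defaultdict(list)
    inline = []
    by_target = defaultdict(set)
    writeable = []
    disk = []
    for line in lines:
        line = line.strip()
        if (m := SSDT_RE.match(line)):
            ssdt[basename(m["module"]).lower()].append(m["func"])
        elif (m := WRITEABLE_RE.match(line)):
            writeable.append(basename(m["module"]))
        elif (m := INLINE_RE.match(line)):
            owner = basename(m["proc"]) if m["proc"] else "kernel"
            inline.append((owner, m["target"], int(m["n"])))
            by_target[m["target"]].add(owner)
        elif (m := DISK_RE.match(line)):
            if "unknown" in m["desc"].lower():
                disk.append(f"{m['dev']}: {m['desc']}")
    # Any driver that hooks the SSDT and is not on the allowlist needs a human look.
    unexplained = sorted(mod for mod in ssdt if mod not in known_modules)
    # The same patch at the same target in several processes is one product hooking a
    # shared DLL rather than separate per-process injection; report it once with a count.
    shared = {t: len(p) for t, p in by_target.items() if len(p) > 1}
    return {
        "ssdt": dict(ssdt),
        "unexplained_ssdt": unexplained,
        "inline_hooks": inline,
        "shared_targets": shared,
        "writeable_sections": writeable,
        "disk": disk,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

On the sample, both SSDT hookers are on the allowlist so `unexplained_ssdt` is empty, `kernel32.dll!GetBinaryTypeW` is reported as a target shared by two processes, and the "unknown MBR code" line is surfaced separately because GMER's MBR verdict is the one finding here that a driver allowlist cannot explain away.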
After selecting run it says that: Extended monitoring driver is required for extended thread detection.
Press 'reboot now' button to install driver and reboot, or 'Continue' to run program in standard mode.
I just select continue for now.
Edited by janji, 06 March 2015 - 03:39 PM.
It's quite different from your description, I can add C:/ drive and G:/ Drive but there's no option for security level/ Heuristic analyser etc. or scanning in Safe Mode etc.
I'm cancelling to wait for your answer to see if I should reboot to install additional driver.
Looks like they have updated the program. Since we are looking for rootkits you need to reboot in order to let it install its driver.
It reboots, seems to load driver (shows command prompt briefly) then says it's ready to scan. So I turned off computer to start again in Safe Mode, then get pop up window saying it can't perform scan, needs to reboot to load drivers. I let them do the reboot thing and now they want to scan but it's not in Safe Mode.
Edited by janji, 07 March 2015 - 06:14 AM.
OK. Looks like it's broken. I expected better of Kaspersky.