
Infected PC - random sounds from speaker and now browsers are hijacked - Master Thesis on PC so can't lose data (Urgent)


ssolvason


Dear Helpers, I hope you will be able to help sort me out quickly. I'm on a different PC now, as I can't access your site otherwise.

Yesterday, random radio sounds were playing out of the speakers every 20 minutes or so.

I normally use Microsoft Security Essentials. I checked it, and the service was not even started for some reason. I started it and did a scan. Items were found and removed.

Then I did a Malwarebytes quick scan and removed about 20 items, some upon restart. Now, after the restart, it is even worse. I can't even visit your website. It goes to a fake 'Google' site that says "404 That's an Error, that's all we know" with a picture of a robot. I've tried Chrome, Firefox, and IE, and I tried reinstalling FF and Chrome as well. Also, I went to Facebook and they tried to start a form where I had to enter my credit card info for "security purposes". I know this is fake.

What can I do without losing the data on the computer?

Thank you!

Attach.txt

DDS.txt


Hello ssolvason, and welcome! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend that you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

Step 1

Please uninstall: µTorrent

Step 2

We need to transfer some tools and log files, but first you need a USB flash drive or any other removable media. Next, you should immunize it:

www.pandasecurity.com/homeusers/downloads/usbvaccine/

Step 3

Please download Rkill to your desktop. There are two main different versions. If one of them won't run then download and try to run the other one. You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

  1. Double-click on the Rkill desktop icon to run the tool.
  2. If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  3. A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  4. If not, delete the file, then download and use the second RKill version. Do not reboot until instructed. If the tool does not run from any of the links provided, please let me know.
  5. When the scan is done, Notepad will open with the rKill log. Post it in your next reply.

NOTE: rKill.txt log will also be present on your desktop.

Step 4

  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 5

Download aswMBR.exe to your desktop.

Double-click aswMBR.exe to run it.

Click the "Scan" button to start the scan.

On completion of the scan, click Save log, save it to your desktop and post it in your next reply.

In your next reply, post the following log files:

  • RKill log
  • Malwarebytes' Anti-Malware log
  • aswMBR log
  • a new fresh DDS log

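The logs requested in the steps above are plain text, and the kinds of findings they carry (autoruns launched from a per-user AppData\Roaming folder, an Explorer\Run policy pointing at a batch file in a temp folder, UAC policy values set to 0, ZeroAccess-style $Recycle.Bin paths, core services reported missing) can be picked out mechanically before a human reads the rest. The script below is an added example, not part of this thread or of Rkill, Malwarebytes or DDS; the rule names and severities are my own, and the sample lines are copied from the logs posted later in this thread with a few benign lines mixed in.

```python
"""Triage pasted Rkill / MBAM / DDS log lines for the indicator patterns
seen in this thread. Added example; not code from any of the tools named."""
import re
from dataclasses import dataclass

# Windows 7 services Rkill reports as "[Missing Service]" on this machine;
# their absence is one of the ZeroAccess symptoms Rkill alerts on.
CORE_SERVICES = {"BFE", "BITS", "iphlpsvc", "MpsSvc", "WinDefend", "wscsvc", "wuauserv"}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    rule: str      # which heuristic fired
    line: str      # the offending log line, whitespace-stripped


# (rule name, severity, regex). Patterns follow the DDS "Pseudo HJT Report"
# and Rkill output formats exactly as they appear in the posted logs.
RULES = [
    # Legitimate software does this too (Spotify on this machine), so a human
    # still has to look at the publisher; hence "medium", not "high".
    ("autorun from AppData\\Roaming", "medium",
     re.compile(r'^[um]Run: \[[^\]]*\] "?C:\\Users\\[^\\]+\\AppData\\Roaming\\', re.I)),
    ("Explorer\\Run policy launching a script", "high",
     re.compile(r'^mExplorerRun: .*\.(bat|cmd|vbs|js)\b', re.I)),
    ("UAC policy disabled", "medium",
     re.compile(r'^mPolicies-system: (EnableLUA|ConsentPromptBehaviorAdmin|PromptOnSecureDesktop) = 0\b')),
    ("ZeroAccess-style Recycle.Bin payload dir", "high",
     re.compile(r'\\\$Recycle\.Bin\\S-1-5-\d+(?:-\d+)*\\\$[0-9a-f]{32}\\', re.I)),
    ("CLSID InprocServer32 hijack", "high",
     re.compile(r'HKEY_CLASSES_ROOT\\CLSID\\\{[0-9A-Fa-f-]+\}\\InprocServer32')),
]
MISSING_SVC = re.compile(r'^\* (\S+) \[Missing Service\]')


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per log line that trips a rule (first match wins)."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MISSING_SVC.match(line)
        if m and m.group(1) in CORE_SERVICES:
            findings.append(Finding("high", "core service missing", line))
            continue
        for rule, severity, rx in RULES:
            if rx.search(line):
                findings.append(Finding(severity, rule, line))
                break
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule so the reader sees what to look at first."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample: lines taken from the logs posted later in this thread,
# plus benign entries (Google Update, Adobe ARM, a normal UAC value) that must
# not be flagged.
SAMPLE_LOG = r"""
uRun: [Google Update] "C:\Users\Simon\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Edamo] C:\Users\Simon\AppData\Roaming\Izyvo\ezyxi.exe
uRun: [Obtemu] C:\Users\Simon\AppData\Roaming\Huiwys\ubmue.exe
uRun: [spotify Web Helper] "C:\Users\Simon\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mExplorerRun: [45253] C:\PROGRA~3\LOCALS~1\Temp\mszfuxa.bat
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
* C:\$Recycle.Bin\S-1-5-18\$648c7366661d8c7ca2b5bfc01b210a94\U\00000001.@ [ZA File]
* HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32 [ZA Reg Hijack]
* BITS [Missing Service]
* wuauserv [Missing Service]
* No malware services found to stop.
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in sorted(results, key=lambda f: (f.severity != "high", f.rule)):
        print(f"[{f.severity:6}] {f.rule}: {f.line}")
    print(summarize(results))
```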

Hi Maniac,

Thank you very much for your reply and your help.

How do you know what steps to take when disinfecting a computer? How did you know that I should run the tools you told me to run? Is there any way I can tell by myself in the future?

I still cannot visit this website or others such as the Panda security site, thus I am still using a different computer to post this.

Here are the files you requested:

Rkill log:

Rkill 2.4.3 by Lawrence Abrams (Grinler)

http://www.bleepingcomputer.com/

Copyright 2008-2012 BleepingComputer.com

More Information about Rkill can be found at this link:

http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 09/28/2012 11:10:24 PM in x64 mode.

Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* C:\Users\Simon\AppData\Roaming\Izyvo\ezyxi.exe (PID: 5808) [uP-HEUR]

* C:\Windows\SysWOW64\ACEngSvr.exe (PID: 5544) [WD-HEUR]

2 proccesses terminated!

Checking Registry for malware related settings:

* Explorer Policy Removed: NoActiveDesktopChanges [HKLM]

Backup Registry file created at:

C:\Users\Simon\Desktop\rkill\rkill-09-28-2012-11-10-29.reg

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* ALERT: ZEROACCESS rootkit symptoms found!

* HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32 [ZA Reg Hijack]

* HKEY_CLASSES_ROOT\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 [ZA Reg Hijack]

* C:\$Recycle.Bin\S-1-5-18\$648c7366661d8c7ca2b5bfc01b210a94\ [ZA Dir]

* C:\$Recycle.Bin\S-1-5-18\$648c7366661d8c7ca2b5bfc01b210a94\L\ [ZA Dir]

* C:\$Recycle.Bin\S-1-5-18\$648c7366661d8c7ca2b5bfc01b210a94\U\ [ZA Dir]

* C:\$Recycle.Bin\S-1-5-18\$648c7366661d8c7ca2b5bfc01b210a94\U\00000001.@ [ZA File]

* C:\$Recycle.Bin\S-1-5-21-1459309865-1590611044-2395882671-1001\$648c7366661d8c7ca2b5bfc01b210a94\ [ZA Dir]

* C:\$Recycle.Bin\S-1-5-21-1459309865-1590611044-2395882671-1001\$648c7366661d8c7ca2b5bfc01b210a94\L\ [ZA Dir]

* C:\$Recycle.Bin\S-1-5-21-1459309865-1590611044-2395882671-1001\$648c7366661d8c7ca2b5bfc01b210a94\U\ [ZA Dir]

Checking Windows Service Integrity:

* Windows Firewall Authorization Driver (mpsdrv) is not Running.

Startup Type set to: Manual

* BFE [Missing Service]

* BITS [Missing Service]

* iphlpsvc [Missing Service]

* MpsSvc [Missing Service]

* WinDefend [Missing Service]

* wscsvc [Missing Service]

* wuauserv [Missing Service]

* SharedAccess [Missing ImagePath]

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* No issues found.

Program finished at: 09/28/2012 11:10:38 PM

Execution time: 0 hours(s), 0 minute(s), and 14 seconds(s)

MalwareBytes Log

Malwarebytes Anti-Malware (Trial) 1.65.0.1400

www.malwarebytes.org

Database version: v2012.09.28.08

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Simon :: SIMON-PC [administrator]

Protection: Enabled

28/09/2012 23:13:30

mbam-log-2012-09-28 (23-13-30).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 240631

Time elapsed: 4 minute(s), 53 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|45253 (Trojan.Agent) -> Data: C:\PROGRA~3\LOCALS~1\Temp\mszfuxa.bat -> Delete on reboot.

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

aswMBR Log:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software

Run date: 2012-09-28 23:19:30

-----------------------------

23:19:30.440 OS Version: Windows x64 6.1.7601 Service Pack 1

23:19:30.441 Number of processors: 4 586 0x2A07

23:19:30.441 ComputerName: SIMON-PC UserName: Simon

23:19:31.384 Initialize success

23:21:05.907 AVAST engine defs: 12092800

23:27:44.194 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0

23:27:44.196 Disk 0 Vendor: ST975042 0002 Size: 715404MB BusType: 3

23:27:44.216 Disk 0 MBR read successfully

23:27:44.218 Disk 0 MBR scan

23:27:44.262 Disk 0 Windows 7 default MBR code

23:27:44.265 Disk 0 Partition 1 00 1C Hidd FAT32 LBA MSDOS5.0 25600 MB offset 2048

23:27:44.279 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 286161 MB offset 52430848

23:27:44.298 Disk 0 Partition - 00 0F Extended LBA 403641 MB offset 638488576

23:27:44.326 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 403640 MB offset 638490624

23:27:44.383 Disk 0 scanning C:\Windows\system32\drivers

23:27:56.038 Service scanning

23:28:21.374 Modules scanning

23:28:21.380 Disk 0 trace - called modules:

23:28:21.752 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys hal.dll

23:28:21.756 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800691c060]

23:28:21.759 3 CLASSPNP.SYS[fffff88001aa643f] -> nt!IofCallDriver -> [0xfffffa80062d48c0]

23:28:21.762 5 ACPI.sys[fffff88000f947a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0xfffffa80062d5050]

23:28:32.851 AVAST engine scan C:\Windows

23:28:35.526 AVAST engine scan C:\Windows\system32

23:32:05.237 AVAST engine scan C:\Windows\system32\drivers

23:32:19.344 AVAST engine scan C:\Users\Simon

23:46:55.319 Disk 0 MBR has been saved successfully to "C:\Users\Simon\Desktop\simontemp\Results\MBR.dat"

23:46:55.367 The log file has been saved successfully to "C:\Users\Simon\Desktop\simontemp\Results\aswMBR.txt"

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software

Run date: 2012-09-28 23:56:39

-----------------------------

23:56:39.501 OS Version: Windows x64 6.1.7601 Service Pack 1

23:56:39.501 Number of processors: 4 586 0x2A07

23:56:39.502 ComputerName: SIMON-PC UserName: Simon

23:56:40.452 Initialize success

23:56:49.614 AVAST engine defs: 12092800

23:56:52.194 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0

23:56:52.195 Disk 0 Vendor: ST975042 0002 Size: 715404MB BusType: 3

23:56:52.217 Disk 0 MBR read successfully

23:56:52.218 Disk 0 MBR scan

23:56:52.222 Disk 0 Windows 7 default MBR code

23:56:52.225 Disk 0 Partition 1 00 1C Hidd FAT32 LBA MSDOS5.0 25600 MB offset 2048

23:56:52.238 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 286161 MB offset 52430848

23:56:52.258 Disk 0 Partition - 00 0F Extended LBA 403641 MB offset 638488576

23:56:52.285 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 403640 MB offset 638490624

23:56:52.363 Disk 0 scanning C:\Windows\system32\drivers

23:57:08.850 Service scanning

23:57:37.765 Modules scanning

23:57:37.771 Disk 0 trace - called modules:

23:57:38.110 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys hal.dll

23:57:38.114 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800691c060]

23:57:38.118 3 CLASSPNP.SYS[fffff88000c3543f] -> nt!IofCallDriver -> [0xfffffa80062d45c0]

23:57:38.122 5 ACPI.sys[fffff88000f6c7a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0xfffffa80062d5050]

23:57:38.941 AVAST engine scan C:\Windows

23:57:42.727 AVAST engine scan C:\Windows\system32

00:01:44.672 AVAST engine scan C:\Windows\system32\drivers

00:02:08.935 AVAST engine scan C:\Users\Simon

00:07:12.814 Disk 0 MBR has been saved successfully to "C:\Users\Simon\Desktop\simontemp\Results\MBR.dat"

00:07:12.878 The log file has been saved successfully to "C:\Users\Simon\Desktop\simontemp\Results\aswMBR.txt"

I didn't finish the Avast scan as you didn't have this in your screenshots.

Fresh DDS Log:

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.7.2

Run by Simon at 0:30:06 on 2012-09-29

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.6049.3083 [GMT 2:00]

.

AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Program Files\Microsoft Security Client\MsMpEng.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\FBAgent.exe

C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe

C:\Windows\System32\spoolsv.exe

C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe

C:\Program Files (x86)\Bluetooth Suite\adminservice.exe

C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe

C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\Windows\System32\svchost.exe -k HPZ12

C:\Windows\System32\svchost.exe -k HPZ12

C:\Program Files (x86)\Secunia\PSI\PSIA.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Windows\system32\svchost.exe -k bthsvcs

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files (x86)\Secunia\PSI\sua.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\taskhost.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe

C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe

C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe

C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskeng.exe

C:\Program Files\P4G\BatteryLife.exe

C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe

C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe

C:\Program Files (x86)\ASUS\Splendid\ACMON.exe

C:\Program Files\ASUS\ASUS Secure Delete\ADDEL.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe

C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe

C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files (x86)\syncables\syncables desktop\syncables.exe

C:\Program Files (x86)\PoivY.com\PoivY\poivy.exe

C:\Users\Simon\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe

C:\Program Files (x86)\Google\Drive\googledrivesync.exe

C:\Users\Simon\AppData\Local\Akamai\netsession_win.exe

C:\Users\Simon\AppData\Local\Akamai\netsession_win.exe

C:\Program Files (x86)\syncables\syncables desktop\jre\bin\javaw.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Users\Simon\AppData\Roaming\Izyvo\ezyxi.exe

C:\Program Files\NVIDIA Corporation\Display\nvtray.exe

C:\Program Files\Fresco Logic Inc\Fresco Logic USB3.0 Host Controller\host\FLxHCIm.exe

C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe

C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe

C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe

C:\Program Files (x86)\ASUS\USBChargerPlus\UsbChargerPlus.exe

C:\Windows\SysWOW64\ACEngSvr.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe

C:\Program Files (x86)\Google\Drive\googledrivesync.exe

C:\Program Files (x86)\Secunia\PSI\psi_tray.exe

C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe

C:\Program Files (x86)\syncables\syncables desktop\syncablesMAPI.exe

C:\Program Files\Intel\TurboBoost\SignalIslandUi.exe

C:\Program Files (x86)\MagicDisc\MagicDisc.exe

C:\Windows\AsScrPro.exe

C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

C:\Program Files\Intel\TurboBoost\TurboBoost.exe

C:\Program Files (x86)\Panda USB Vaccine\USBVaccine.exe

C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

C:\Users\Simon\Desktop\simontemp\aswMBR.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\splwow64.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cscript.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://asus.msn.com

uDefault_Page_URL = hxxp://asus.msn.com

mStart Page = hxxp://asus.msn.com

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll

BHO: CIESpeechBHO Class: {8d10f6c4-0e01-4bd4-8601-11ac1fdf8126} - C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL

BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - C:\Program Files (x86)\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll

BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

uRun: [K-Net Utility] "C:\Program Files (x86)\KNet Utility\KNet Utility.exe" -winstart

uRun: [Google Update] "C:\Users\Simon\AppData\Local\Google\Update\GoogleUpdate.exe" /c

uRun: [syncables] C:\Program Files (x86)\syncables\syncables desktop\Syncables.exe

uRun: [PoivY] "C:\Program Files (x86)\PoivY.com\PoivY\poivy.exe" -nosplash -minimized

uRun: [spotify Web Helper] "C:\Users\Simon\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"

uRun: [GoogleDriveSync] "C:\Program Files (x86)\Google\Drive\googledrivesync.exe" /autostart

uRun: [Akamai NetSession Interface] "C:\Users\Simon\AppData\Local\Akamai\netsession_win.exe"

uRun: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

uRun: [Edamo] C:\Users\Simon\AppData\Roaming\Izyvo\ezyxi.exe

uRun: [Obtemu] C:\Users\Simon\AppData\Roaming\Huiwys\ubmue.exe

mRun: [sonicMasterTray] C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe

mRun: [FLxHCIm] "C:\Program Files\Fresco Logic Inc\Fresco Logic USB3.0 Host Controller\host\FLxHCIm.exe"

mRun: [ATKOSD2] C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe

mRun: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe

mRun: [HControlUser] C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe

mRun: [Wireless Console 3] C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe

mRun: [uSBChargerPlusTray] C:\Program Files (x86)\ASUS\USBChargerPlus\USBChargerPlus.exe

mRun: [updateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"

mRun: [updateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"

mRun: [switchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

mRun: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [<NO NAME>]

mRun: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"

mRun: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"

mExplorerRun: [45253] C:\PROGRA~3\LOCALS~1\Temp\mszfuxa.bat

StartupFolder: C:\Users\Simon\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\CODEME~1.LNK - C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe

StartupFolder: C:\Users\Simon\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\INTEL(~1.LNK - C:\Program Files (x86)\Intel\TurboBoost\SignalIslandUi.exe

StartupFolder: C:\Users\Simon\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\MAGICD~1.LNK - C:\Program Files (x86)\MagicDisc\MagicDisc.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\ASUSVI~1.LNK - C:\Program Files (x86)\ASUS\AsusVibe\AsusVibeLauncher.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\FANCYS~1.LNK - C:\Windows\Installer\{C944B4C5-1C4D-4D95-8AC0-7CEF13914131}\_77B5857C27147149171BE7.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SECUNI~1.LNK - C:\Program Files (x86)\Secunia\PSI\psi_tray.exe

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {7815BE26-237D-41A8-A98F-F7BD75F71086} - {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} - C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab

DPF: {CAFEEFAC-0017-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_07-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{BDDE11BC-7DE0-408F-A4F2-377A950AE1A4} : DhcpNameServer = 192.168.1.1

TCP: Interfaces\{BDDE11BC-7DE0-408F-A4F2-377A950AE1A4}\3796D6F6E6 : DhcpNameServer = 192.168.43.1

TCP: Interfaces\{BDDE11BC-7DE0-408F-A4F2-377A950AE1A4}\4646D2772747 : DhcpNameServer = 192.168.1.1

TCP: Interfaces\{BDDE11BC-7DE0-408F-A4F2-377A950AE1A4}\E4544574541425 : DhcpNameServer = 192.168.1.1

TCP: Interfaces\{E4DA251A-3739-40A0-A433-7BA5118AFD22} : DhcpNameServer = 192.168.1.14

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

AppInit_DLLs: C:\Windows\SysWOW64\nvinit.dll

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll

BHO-X64: CIESpeechBHO Class: {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} - C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll

BHO-X64: IESpeakDoc - No File

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO-X64: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll

BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL

BHO-X64: URLRedirectionBHO - No File

BHO-X64: Google Dictionary Compression sdch: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files (x86)\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll

BHO-X64: Google Dictionary Compression sdch - No File

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll

BHO-X64: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

BHO-X64: SmartSelect - No File

TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

TB-X64: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

mRun-x64: [sonicMasterTray] C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe

mRun-x64: [FLxHCIm] "C:\Program Files\Fresco Logic Inc\Fresco Logic USB3.0 Host Controller\host\FLxHCIm.exe"

mRun-x64: [ATKOSD2] C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe

mRun-x64: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe

mRun-x64: [HControlUser] C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe

mRun-x64: [Wireless Console 3] C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe

mRun-x64: [uSBChargerPlusTray] C:\Program Files (x86)\ASUS\USBChargerPlus\USBChargerPlus.exe

mRun-x64: [updateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"

mRun-x64: [updateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"

mRun-x64: [switchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

mRun-x64: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin

mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun-x64: [(Default)]

mRun-x64: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"

mRun-x64: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"

AppInit_DLLs-X64: C:\Windows\SysWOW64\nvinit.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Simon\AppData\Roaming\Mozilla\Firefox\Profiles\7mtp51mz.default\

FF - prefs.js: browser.search.selectedEngine - Google Danmark

FF - prefs.js: browser.startup.homepage - about:home

FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL

FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL

FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll

FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: C:\Users\Simon\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll

FF - plugin: C:\Users\Simon\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll

FF - plugin: C:\Users\Simon\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll

FF - plugin: C:\Windows\system32\Wat\npWatWeb.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_265.dll

FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll

FF - plugin: C:\Windows\SysWOW64\npmproxy.dll

.

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

.

============= SERVICES / DRIVERS ===============

.

R0 assd;assd;C:\Windows\system32\drivers\assd.sys --> C:\Windows\system32\drivers\assd.sys [?]

R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]

R0 nvpciflt;nvpciflt;C:\Windows\system32\DRIVERS\nvpciflt.sys --> C:\Windows\system32\DRIVERS\nvpciflt.sys [?]

R1 ATKWMIACPIIO_;ATKWMIACPI Driver_;C:\Program Files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys [2010-7-26 17024]

R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]

R2 AFBAgent;AFBAgent;"C:\Windows\system32\FBAgent.exe" --> C:\Windows\system32\FBAgent.exe [?]

R2 Atheros Bt&Wlan Coex Agent;Atheros Bt&Wlan Coex Agent;C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe [2011-3-13 138400]

R2 AtherosSvc;AtherosSvc;C:\Program Files (x86)\Bluetooth Suite\AdminService.exe [2011-3-13 74912]

R2 CodeMeter.exe;CodeMeter Runtime Server;C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe [2010-6-30 2067344]

R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-9-27 399432]

R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-9-27 676936]

R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-6-13 1262400]

R2 Secunia PSI Agent;Secunia PSI Agent;C:\Program Files (x86)\Secunia\PSI\psia.exe [2012-7-25 1326176]

R2 Secunia Update Agent;Secunia Update Agent;C:\Program Files (x86)\Secunia\PSI\sua.exe [2012-7-25 681056]

R2 TurboB;Turbo Boost UI Monitor driver;C:\Windows\system32\DRIVERS\TurboB.sys --> C:\Windows\system32\DRIVERS\TurboB.sys [?]

R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-7-21 2656280]

R3 AiCharger;ASUS Charger Driver;C:\Windows\system32\DRIVERS\AiCharger.sys --> C:\Windows\system32\DRIVERS\AiCharger.sys [?]

R3 BTATH_BUS;Atheros Bluetooth Bus;C:\Windows\system32\DRIVERS\btath_bus.sys --> C:\Windows\system32\DRIVERS\btath_bus.sys [?]

R3 FLxHCIc;Fresco Logic xHCI (USB3) Device Driver;C:\Windows\system32\DRIVERS\FLxHCIc.sys --> C:\Windows\system32\DRIVERS\FLxHCIc.sys [?]

R3 FLxHCIh;Fresco Logic xHCI (USB3) Hub Device Driver;C:\Windows\system32\DRIVERS\FLxHCIh.sys --> C:\Windows\system32\DRIVERS\FLxHCIh.sys [?]

R3 IntcDAud;Intel® Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]

R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\system32\DRIVERS\L1C62x64.sys --> C:\Windows\system32\DRIVERS\L1C62x64.sys [?]

R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]

R3 MEIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]

R3 PSI;PSI;C:\Windows\system32\DRIVERS\psi_mf.sys --> C:\Windows\system32\DRIVERS\psi_mf.sys [?]

R3 TurboBoost;Intel® Turbo Boost Technology Monitor 2.0;C:\Program Files\Intel\TurboBoost\TurboBoost.exe [2010-11-30 149504]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-4-1 135664]

S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-7-13 160944]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-9-27 250568]

S3 AmUStor;AM USB Stroage Driver;C:\Windows\system32\drivers\AmUStor.SYS --> C:\Windows\system32\drivers\AmUStor.SYS [?]

S3 AthBTPort;Atheros Virtual Bluetooth Class;C:\Windows\system32\DRIVERS\btath_flt.sys --> C:\Windows\system32\DRIVERS\btath_flt.sys [?]

S3 BTATH_A2DP;Bluetooth A2DP Audio Driver;C:\Windows\system32\drivers\btath_a2dp.sys --> C:\Windows\system32\drivers\btath_a2dp.sys [?]

S3 BTATH_HCRP;Bluetooth HCRP Server driver;C:\Windows\system32\DRIVERS\btath_hcrp.sys --> C:\Windows\system32\DRIVERS\btath_hcrp.sys [?]

S3 BTATH_LWFLT;Bluetooth LWFLT Device;C:\Windows\system32\DRIVERS\btath_lwflt.sys --> C:\Windows\system32\DRIVERS\btath_lwflt.sys [?]

S3 BTATH_RCP;Bluetooth AVRCP Device;C:\Windows\system32\DRIVERS\btath_rcp.sys --> C:\Windows\system32\DRIVERS\btath_rcp.sys [?]

S3 BtFilter;BtFilter;C:\Windows\system32\DRIVERS\btfilter.sys --> C:\Windows\system32\DRIVERS\btfilter.sys [?]

S3 fssfltr;fssfltr;C:\Windows\system32\DRIVERS\fssfltr.sys --> C:\Windows\system32\DRIVERS\fssfltr.sys [?]

S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2012-3-8 1492840]

S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-4-1 135664]

S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;C:\Windows\system32\DRIVERS\ManyCam_x64.sys --> C:\Windows\system32\DRIVERS\ManyCam_x64.sys [?]

S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]

S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-9-12 368896]

S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]

S3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;C:\Windows\system32\DRIVERS\SiSG664.sys --> C:\Windows\system32\DRIVERS\SiSG664.sys [?]

S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]

S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]

S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-23 57184]

.

=============== Created Last 30 ================

.

2012-09-28 21:08:36 -------- d-----w- C:\ProgramData\Panda Security

2012-09-28 21:08:33 -------- d-----w- C:\Program Files (x86)\Panda USB Vaccine

2012-09-27 16:48:14 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{FFA772B9-7D2B-47C2-A12C-5D2DFC3BDF2D}\offreg.dll

2012-09-27 15:27:18 -------- d-----w- C:\Users\Simon\AppData\Roaming\Tuut

2012-09-27 15:27:18 -------- d-----w- C:\Users\Simon\AppData\Roaming\Piyx

2012-09-27 15:27:18 -------- d-----w- C:\Users\Simon\AppData\Roaming\Huiwys

2012-09-27 15:05:26 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-09-27 12:17:07 -------- d-----w- C:\Users\Simon\AppData\Local\Macromedia

2012-09-27 11:53:29 696520 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2012-09-27 11:47:06 1034216 ----a-w- C:\Windows\System32\npDeployJava1.dll

2012-09-27 11:46:51 108008 ----a-w- C:\Windows\System32\WindowsAccessBridge-64.dll

2012-09-27 11:37:56 -------- d-----w- C:\Users\Simon\AppData\Local\{4A9AF856-6DB0-4A34-85D6-F087A0532A7B}

2012-09-27 11:22:19 -------- d-----w- C:\Users\Simon\AppData\Local\Secunia PSI

2012-09-27 11:19:39 -------- d-----w- C:\Program Files (x86)\Secunia

2012-09-27 08:53:35 95208 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll

2012-09-26 18:32:18 824 ----a-w- C:\Windows\System32\drivers\etc\hosts.sys

2012-09-26 18:21:59 -------- d-----w- C:\Users\Simon\AppData\Roaming\Ypisez

2012-09-26 18:21:59 -------- d-----w- C:\Users\Simon\AppData\Roaming\Izyvo

2012-09-26 18:21:59 -------- d-----w- C:\Users\Simon\AppData\Roaming\Dyutfu

2012-09-25 16:08:30 -------- d-----w- C:\Users\Simon\AppData\Local\{130998F0-6B43-4B0B-9FEA-75134762FC3F}

2012-09-25 07:18:13 9308616 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{FFA772B9-7D2B-47C2-A12C-5D2DFC3BDF2D}\mpengine.dll

2012-09-23 15:12:48 9308616 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2012-09-20 10:17:20 300032 ----a-w- C:\Windows\System32\Spool\prtprocs\x64\hpcpp093.DLL

2012-09-19 19:56:38 -------- d-----w- C:\PC_on_off_time

2012-09-12 05:56:21 950128 ----a-w- C:\Windows\System32\drivers\ndis.sys

2012-09-12 05:56:21 41472 ----a-w- C:\Windows\System32\drivers\RNDISMP.sys

2012-09-12 05:56:20 574464 ----a-w- C:\Windows\System32\d3d10level9.dll

2012-09-12 05:56:20 490496 ----a-w- C:\Windows\SysWow64\d3d10level9.dll

2012-09-12 05:56:19 376688 ----a-w- C:\Windows\System32\drivers\netio.sys

2012-09-12 05:56:19 288624 ----a-w- C:\Windows\System32\drivers\FWPKCLNT.SYS

2012-09-12 05:56:19 1913200 ----a-w- C:\Windows\System32\drivers\tcpip.sys

2012-09-07 08:49:08 16192 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\NPOFF12.DLL

2012-08-30 20:03:48 228768 ----a-w- C:\Windows\System32\drivers\MpFilter.sys

.

==================== Find3M ====================

.

2012-09-27 16:48:10 45056 ----a-w- C:\Windows\System32\acovcnt.exe

2012-09-27 11:56:58 73416 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2012-09-27 11:46:37 916456 ----a-w- C:\Windows\System32\deployJava1.dll

2012-09-27 08:53:29 821736 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll

2012-09-27 08:53:29 746984 ----a-w- C:\Windows\SysWow64\deployJava1.dll

2012-09-07 15:04:46 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys

2012-08-30 20:03:48 128456 ----a-w- C:\Windows\System32\drivers\NisDrvWFP.sys

2012-08-24 10:31:32 2312704 ----a-w- C:\Windows\System32\jscript9.dll

2012-08-24 10:21:18 1392128 ----a-w- C:\Windows\System32\wininet.dll

2012-08-24 10:20:11 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl

2012-08-24 10:14:45 173056 ----a-w- C:\Windows\System32\ieUnatt.exe

2012-08-24 10:13:29 599040 ----a-w- C:\Windows\System32\vbscript.dll

2012-08-24 10:09:42 2382848 ----a-w- C:\Windows\System32\mshtml.tlb

2012-08-24 06:59:17 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll

2012-08-24 06:51:27 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll

2012-08-24 06:51:02 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl

2012-08-24 06:47:26 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe

2012-08-24 06:47:12 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll

2012-08-24 06:43:58 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2012-07-18 18:15:06 3148800 ----a-w- C:\Windows\System32\win32k.sys

2012-07-06 20:07:42 552960 ----a-w- C:\Windows\System32\drivers\bthport.sys

2012-07-04 22:13:27 59392 ----a-w- C:\Windows\System32\browcli.dll

2012-07-04 22:13:27 136704 ----a-w- C:\Windows\System32\browser.dll

2012-07-04 21:14:34 41984 ----a-w- C:\Windows\SysWow64\browcli.dll

.

============= FINISH: 0:32:58.14 ===============


How do you know what steps to take when disinfecting a computer? How did you know that I should run the tools you told me to run? Is there any way I can tell by myself in the future?

The answer is: training program. A good start here:

http://forums.malwarebytes.org/index.php?showtopic=12264

BACKDOOR WARNING

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

Help: I Got Hacked. Now What Do I Do?

Help: I Got Hacked. Now What Do I Do? Part II

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please let me know.


Hi Maniac,

Which infection is identified to use a backdoor?

So what does it mean that my computer is compromised? Can I use it for another month or should I rather reformat it now? What can happen if I wait?

Next, I am making backups of all my data on an external disk. How can I be sure that this external disk won't contain the infection? My university uses McAfee virusscan - is running such a scan enough to ensure the trojan is gone?

Also, are other computers in my home network at risk of being infected from this trojan?

Thanks so much for your help!


Which infection is identified to use a backdoor?

This one:

* ALERT: ZEROACCESS rootkit symptoms found!

* HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32 [ZA Reg Hijack]
* HKEY_CLASSES_ROOT\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 [ZA Reg Hijack]
* C:\$Recycle.Bin\S-1-5-18\$648c7366661d8c7ca2b5bfc01b210a94\ [ZA Dir]
* C:\$Recycle.Bin\S-1-5-18\$648c7366661d8c7ca2b5bfc01b210a94\L\ [ZA Dir]
* C:\$Recycle.Bin\S-1-5-18\$648c7366661d8c7ca2b5bfc01b210a94\U\ [ZA Dir]
* C:\$Recycle.Bin\S-1-5-18\$648c7366661d8c7ca2b5bfc01b210a94\U\00000001.@ [ZA File]
* C:\$Recycle.Bin\S-1-5-21-1459309865-1590611044-2395882671-1001\$648c7366661d8c7ca2b5bfc01b210a94\ [ZA Dir]
* C:\$Recycle.Bin\S-1-5-21-1459309865-1590611044-2395882671-1001\$648c7366661d8c7ca2b5bfc01b210a94\L\ [ZA Dir]
* C:\$Recycle.Bin\S-1-5-21-1459309865-1590611044-2395882671-1001\$648c7366661d8c7ca2b5bfc01b210a94\U\ [ZA Dir]

So what does it mean that my computer is compromised? Can I use it for another month or should I rather reformat it now? What can happen if I wait?

I can definitely say that your system has been compromised. I recommend formatting it as soon as possible. You can find out here what a nasty backdoor that is:

http://www.kernelmode.info/forum/viewtopic.php?f=16&t=1713

How can I be sure that this external disk won't contain the infection?

With that:

www.pandasecurity.com/homeusers/downloads/usbvaccine/

My university uses McAfee virusscan - is running such a scan enough to ensure the trojan is gone?

If it is up-to-date as a database and program version, probably - yes, but I doubt it.

Also, are other computers in my home network at risk on being infected from this trojan?

No, they are safe.

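The symptom list above names a file-system pattern that is easy to check for on a disk image or a mounted drive: a per-user folder under $Recycle.Bin named by SID, containing a directory called "$" followed by 32 hex characters, with "L" and "U" subdirectories and files such as U\00000001.@. The following scanner is an added example written for this thread, not a tool from Malwarebytes or the helper; it generalises the two directory names reported above into a pattern (any SID folder, any 32-hex "$" name, any 8-hex ".@" file) and builds a constructed sample tree that mirrors the paths from the log so it can be run offline. The path and file-name regexes are assumptions drawn only from the lines quoted above.

```python
"""Scan a $Recycle.Bin tree for the ZeroAccess-style layout quoted in the thread.

Added example for this forum page, not a Malwarebytes or helper-provided tool.
Pattern assumed from the quoted findings: <SID>\\$<32 hex>\\{L,U}\\ and U\\00000001.@
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

SID_RE = re.compile(r"^S-1-5-(\d+-)*\d+$")         # per-user recycle-bin folders are SID-named
ZA_DIR_RE = re.compile(r"^\$[0-9a-f]{32}$", re.I)   # '$' + 32 hex chars, e.g. $648c7366...
ZA_FILE_RE = re.compile(r"^[0-9a-f]{8}\.@$", re.I)  # 8 hex digits + '.@', e.g. 00000001.@


def find_zeroaccess_artifacts(recycle_bin: Path) -> list[dict]:
    """Return one record per suspicious '$<hex>' directory under any SID folder.

    Ordinary recycle-bin content ($R... / $I... entries) does not match the
    directory pattern and is ignored.
    """
    findings = []
    for sid_dir in sorted(recycle_bin.iterdir()):
        if not (sid_dir.is_dir() and SID_RE.match(sid_dir.name)):
            continue
        for cand in sorted(sid_dir.iterdir()):
            if not (cand.is_dir() and ZA_DIR_RE.match(cand.name)):
                continue
            subdirs = sorted(p.name for p in cand.iterdir() if p.is_dir())
            at_files = sorted(
                str(p.relative_to(cand)).replace("\\", "/")
                for p in cand.rglob("*")
                if p.is_file() and ZA_FILE_RE.match(p.name)
            )
            findings.append({
                "sid": sid_dir.name,
                "path": str(cand),
                "has_L_U": "L" in subdirs and "U" in subdirs,
                "at_files": at_files,
            })
    return findings


def build_sample_tree(base: Path) -> Path:
    """Constructed layout mirroring the paths quoted in the thread (sample data, not a real disk)."""
    rb = base / "$Recycle.Bin"
    za = "$648c7366661d8c7ca2b5bfc01b210a94"           # directory name taken from the log
    system_sid = "S-1-5-18"                             # LocalSystem, as in the log
    user_sid = "S-1-5-21-1459309865-1590611044-2395882671-1001"  # user SID from the log
    for sid in (system_sid, user_sid):
        (rb / sid / za / "L").mkdir(parents=True)
        (rb / sid / za / "U").mkdir(parents=True)
    # the log reports the '.@' payload file only under the S-1-5-18 tree
    (rb / system_sid / za / "U" / "00000001.@").write_bytes(b"\x00" * 16)
    # benign recycle-bin entries that must not be flagged (constructed)
    (rb / user_sid / "$RABC123.txt").write_text("deleted document")
    (rb / user_sid / "$IABC123.txt").write_bytes(b"\x02" + b"\x00" * 7)
    return rb


def scan_demo() -> list[dict]:
    """Build the constructed tree in a temp dir and scan it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_zeroaccess_artifacts(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for f in scan_demo():
        flag = "L+U present" if f["has_L_U"] else "partial layout"
        print(f"{f['sid']}: {f['path']} ({flag}) files={f['at_files'] or 'none'}")
```

To run this against a real volume, point find_zeroaccess_artifacts at the drive's $Recycle.Bin (the folder is hidden and other users' SID folders need administrator rights), or better, at a mounted offline image so the scan does not rely on the possibly rootkit-hooked live system. A hit here is a symptom to confirm with a full scan, not a proof of infection on its own; the registry hijacks listed alongside the directories are not covered by this script.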

Hi Maniac,

My concern is files on my external backup disk being infected. Will they cause a problem when I put them back on my freshly reformatted PC?

My university uses McAfee virusscan - is running such a scan enough to ensure the trojan is gone?

If it is up-to-date as a database and program version, probably - yes, but I doubt it.

I am talking about the files from my PC on the external disk. You said "yes, but I doubt it" - does this mean you think there is a chance the trojan will be on the external disk and I will transfer it back to my PC?

I found the following comment in the link you gave me:

When Should I Format, How Should I Reinstall

Re: * Be sure to back-up all data before re-formatting the computer's hard drive. This includes address books, documents, music, settings, saved games, and anything else not obsolete. While a good idea in theory, not so good in practice. Some of the newer root kits can infect and hide code in any type of file, including documents, pictures, etc. Restoring backups after a reformat and reinstall, unless made at a point in time prior to when the computer was infected, would almost certainly reintroduce at least part of the infection or a hidden back door. That was my experience and the experience of many others.

From this link, I found the following quote:

Today's Nastiest Viruses

ZeroAccess is so clever that even if you reformat your hard drive and reinstall your system it cannot be deleted. If ZeroAccess has taken hold of your PC the best way to remove it is to do a low-level wipeout of your hard drive — this “zero filling” process writes on every sector of the drive — and then reinitialize the disk.

The USB vaccine is only going to protect me from the virus embedding itself into Autorun, right? How can I ensure that I get rid of it with the reformat?

Finally, my machine has a Recovery Partition for use in reinstalling Windows and I have two partitions on my PC. Am I OK wiping just the C:\ drive and reinstalling windows, or is it necessary to format the entire hard disk and re-create the two partitions?

Thanks again for all your help :)


My concern is files on my external backup disk being infected. Will they cause a problem when I put them back on my freshly reformatted PC?

Probably, so that's why you need installed antivirus protection before you do that.

I am talking about the files from my PC on the external disk. You said "yes, but I doubt it" - does this mean you think there is a chance the trojan will be on the external disk and I will transfer it back to my PC?

My comment was about McAfee.

The USB vaccine is only going to protect me from the virus embedding itself into Autorun, right? How can I ensure that I get rid of it with the reformat?

That's right. You can be sure if you install antivirus program and perform a full system scan.

Finally, my machine has a Recovery Partition for use in reinstalling Windows and I have two partitions on my PC. Am I OK wiping just the C:\ drive and reinstalling windows, or is it necessary to format the entire hard disk and re-create the two partitions?

The best you can do is to format the entire hard disc.


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.