
Computer acting strange, accounts hacked



Hello! Lately I've been having problems with my PC. It's running really slow at times and sometimes it completely freezes up. I'm having performance issues when playing games as well.

I ran MBAM, it found 2 files which I deleted. I've also had lots of weird error messages coming up on the system. Would really like some help.

Here are the DDS .txt files:

dds.txt

attach.txt


Hello Ehoxha and welcome! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend that you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  • Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.

Step 1

  • Download RogueKiller to the desktop
  • Quit all programs
  • Start RogueKiller.exe
  • Wait until Prescan has finished ...
  • Click on Scan. Click on Report and copy/paste the content of the notepad in your next reply.

Step 2

Download aswMBR.exe to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan


On completion of the scan click Save log, save it to your desktop and post it in your next reply.


In your next reply, post the following log files:

  • RogueKiller log
  • aswMBR log
  • a new fresh DDS log


Hey! Thanks for your answer and sorry for answering so late; strangely I didn't get a notification even though I checked the follow box. The aswMBR showed one yellow and one red line, also it took a longer time on some files than others. C:/users went faster than C:/windows for example. Also, why did RogueKiller create a quarantine with 2 .txt and 2 .dat files?

Here's the RogueKiller log:

RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo...13-roguekiller/

Website : http://tigzy.geeksto...roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 64 bits version

Started in : Normal mode

User : Edmond [Admin rights]

Mode : Scan -- Date : 04/17/2013 16:33:41

| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 5 ¤¤¤

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND

[HJ DESK] HKCU\[...]\ClassicStartMenu : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> FOUND

[HJ DESK] HKCU\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost

::1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD5000ABYS-01TNA0 ATA Device +++++

--- User ---

[MBR] e34b20ea4a39c2548db55b27dd5f15f4

[BSP] ddada3217191b269a3db11dd0a5608c6 : Windows Vista MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 66228 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 135636795 | Size: 410708 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: WDC WD5000ABYS-01TNA0 ATA Device +++++

--- User ---

[MBR] 03ae9c5e751cb190ab1c8c7187d6bb6e

[BSP] f973842e3ddc011e1c3dc1817bc5886a : Windows XP MBR Code

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476937 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[2]_S_04172013_02d1633.txt >>

RKreport[1]_S_04172013_02d1630.txt ; RKreport[2]_S_04172013_02d1633.txt

aswMBR log:

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software

Run date: 2013-04-17 16:36:32

-----------------------------

16:36:32.265 OS Version: Windows x64 6.0.6002 Service Pack 2

16:36:32.265 Number of processors: 4 586 0xF0B

16:36:32.265 ComputerName: CREATIVE UserName: Edmond

16:36:33.776 Initialize success

16:36:37.832 AVAST engine defs: 13041700

16:36:46.032 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2

16:36:46.034 Disk 0 Vendor: WDC_WD5000ABYS-01TNA0 12.01C01 Size: 476938MB BusType: 3

16:36:46.035 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-4

16:36:46.036 Disk 1 Vendor: WDC_WD5000ABYS-01TNA0 12.01C01 Size: 476940MB BusType: 3

16:36:46.049 Disk 0 MBR read successfully

16:36:46.051 Disk 0 MBR scan

16:36:46.053 Disk 0 Windows VISTA default MBR code

16:36:46.054 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 66228 MB offset 63

16:36:46.065 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 410708 MB offset 135636795

16:36:46.084 Disk 0 scanning C:\Windows\system32\drivers

16:36:51.836 Service scanning

16:37:01.339 Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32

16:37:05.055 Modules scanning

16:37:05.059 Disk 0 trace - called modules:

16:37:05.071 ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys >>UNKNOWN [0xfffffa8004b9f2c0]<<spxz.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys

16:37:05.075 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8005d83430]

16:37:05.079 3 CLASSPNP.SYS[fffffa60011d2c33] -> nt!IofCallDriver -> [0xfffffa8004d5d760]

16:37:05.082 5 acpi.sys[fffffa6000b74fde] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0xfffffa8004d4d940]

16:37:05.086 \Driver\atapi[0xfffffa8004ce7380] -> IRP_MJ_CREATE -> 0xfffffa8004b9f2c0

16:37:05.450 AVAST engine scan C:\Windows

16:37:12.688 AVAST engine scan C:\Windows\system32

16:38:53.131 AVAST engine scan C:\Windows\system32\drivers

16:39:00.369 AVAST engine scan C:\Users\Edmond

16:50:49.719 AVAST engine scan C:\ProgramData

16:54:52.909 Scan finished successfully

16:56:16.235 Disk 0 MBR has been saved successfully to "C:\Users\Edmond\Desktop\MBR.dat"

16:56:16.238 The log file has been saved successfully to "C:\Users\Edmond\Desktop\aswMBR.txt"

Fresh DDS log:

DDS (Ver_2012-11-20.01) - NTFS_AMD64

Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 10.17.2

Run by Edmond at 17:01:43 on 2013-04-17

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.46.1053.18.4094.2004 [GMT 2:00]

.

AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}

SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

E:\Program\GameTracker\GSInGameService.exe

E:\Spel\Smite\HiPatchService.exe

C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe

C:\Windows\SysWOW64\PnkBstrA.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\taskeng.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe

C:\Windows\system32\svchost.exe -k WindowsMobile

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Windows\Explorer.EXE

C:\Windows\SysWOW64\conime.exe

C:\Windows\WindowsMobile\wmdSync.exe

C:\Program Files\NVIDIA Corporation\Display\nvtray.exe

C:\Program Files (x86)\Razer\Diamondback 3G\razerhid.exe

C:\Program Files\Alwil Software\Avast5\AvastUI.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Program Files (x86)\Razer\Diamondback 3G\razertra.exe

C:\Program Files (x86)\Razer\Diamondback 3G\razerofa.exe

C:\Users\Edmond\AppData\Local\Google\Update\1.3.21.135\GoogleCrashHandler.exe

C:\Users\Edmond\AppData\Local\Google\Update\1.3.21.135\GoogleCrashHandler64.exe

C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe

C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

E:\Program\Spotify\Data\SpotifyWebHelper.exe

C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe

C:\Users\Edmond\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Edmond\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Edmond\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Edmond\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Edmond\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Edmond\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Edmond\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Windows\system32\NOTEPAD.EXE

C:\Users\Edmond\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Edmond\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\svchost.exe -k swprv

C:\Windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.daemon-search.com/startpage

.

mWinlogon: Userinit = userinit.exe,

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - E:\Program\Realplayer\rpbrowserrecordplugin.dll

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll

BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll

BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll

BHO: smartdownloader Class: {F1AF26F8-1828-4279-ABCE-074EF3235BD7} - LocalServer32 - <no file>

BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

BHO: Yontoo: {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - LocalServer32 - <no file>

TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll

uRun: [Spotify Web Helper] "E:\Program\Spotify\Data\SpotifyWebHelper.exe"

mRun: [Diamondback] "C:\Program Files (x86)\Razer\Diamondback 3G\razerhid.exe"

mRun: [avast] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui

mPolicies-Explorer: NoActiveDesktop = dword:1

mPolicies-Explorer: NoActiveDesktopChanges = dword:1

mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0

mPolicies-System: EnableUIADesktopToggle = dword:0

IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - C:\Program Files (x86)\Java\jre7\bin\jp2iexp.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

Trusted Zone: clonewarsadventures.com

Trusted Zone: freerealms.com

Trusted Zone: soe.com

Trusted Zone: sony.com

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab

DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

DPF: {CAFEEFAC-0017-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab

TCP: NameServer = 192.168.1.1 192.168.1.1

TCP: Interfaces\{7F5390FB-8F89-4705-B209-B8F5E616D9B2} : DHCPNameServer = 192.168.42.129

TCP: Interfaces\{D7DC02E6-92FB-4B2B-92F3-80A3C479F9C2} : NameServer = 8.8.4.4,8.8.8.8

TCP: Interfaces\{D7DC02E6-92FB-4B2B-92F3-80A3C479F9C2} : DHCPNameServer = 192.168.1.1 192.168.1.1

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - E:\Program\Skyperecord\Skype4COM.dll

LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg

x64-BHO: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE64.dll

x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

x64-TB: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE64.dll

x64-Run: [Windows Defender] C:\Program Files (x86)\Windows Defender\MSASCui.exe -hide

x64-Run: [Windows Mobile-based device management] C:\Windows\WindowsMobile\wmdSync.exe

x64-mPolicies-Explorer: NoActiveDesktop = dword:1

x64-mPolicies-Explorer: NoActiveDesktopChanges = dword:1

x64-mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0

x64-mPolicies-System: EnableUIADesktopToggle = dword:0

x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - LocalServer32 - <no file>

x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>

.

============= SERVICES / DRIVERS ===============

.

P2 HiPatchService;Hi-Rez Studios Authenticate and Update Service;E:\Spel\Smite\HiPatchService.exe [2012-7-15 8704]

R0 Lbd;Lbd;C:\Windows\System32\drivers\Lbd.sys [2011-4-1 69376]

R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2012-3-23 1025808]

R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2008-3-31 377920]

R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2008-3-31 33400]

R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2007-12-16 80816]

R2 avast! Antivirus;avast! Antivirus;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-5-1 45248]

R2 FontCache;Windows Font Cache Service;C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation [2008-4-22 27648]

R2 GS In-Game Service;GS In-Game Service;E:\Program\GameTracker\GSInGameService.exe [2010-4-9 1643872]

R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe [2012-12-10 2465712]

R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe [2013-1-31 2402080]

R3 Razerlow;Razer Pro|Solutions;C:\Windows\System32\drivers\DB3G.sys [2009-2-25 21120]

R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesDriver64.sys [2012-11-16 11880]

R3 WinRing0_1_2_0;WinRing0_1_2_0;C:\Program Files (x86)\Razer\Razer Game Booster\Driver\WinRing0x64.sys [2012-11-13 14544]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-7-3 160944]

S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);C:\Windows\System32\drivers\ssudbus.sys [2012-5-23 99384]

S3 easytether;easytether;C:\Windows\System32\drivers\easytthr.sys [2012-5-22 20752]

S3 nmwcdcx64;Nokia USB Generic;C:\Windows\System32\drivers\ccdcmbox64.sys [2009-2-9 25088]

S3 nmwcdnsucx64;Nokia USB Flashing Generic;C:\Windows\System32\drivers\nmwcdnsucx64.sys [2009-3-19 12288]

S3 nmwcdnsux64;Nokia USB Flashing Phone Parent;C:\Windows\System32\drivers\nmwcdnsux64.sys [2009-3-19 172544]

S3 nmwcdx64;Nokia USB Phone Parent;C:\Windows\System32\drivers\ccdcmbx64.sys [2009-2-9 18944]

S3 PerfHost;Värd för prestandaräknar-DLL;C:\Windows\SysWOW64\perfhost.exe [2008-4-22 19968]

S3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);C:\Windows\System32\drivers\ssudmdm.sys [2012-5-23 203320]

S3 teamviewervpn;TeamViewer VPN Adapter;C:\Windows\System32\drivers\teamviewervpn.sys [2009-11-9 35112]

S3 USBMULCD;USB Multi-Channel Audio Device Interface;C:\Windows\System32\drivers\CM10664.sys [2009-3-24 1290240]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]

S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-9-21 89920]

S4 msvsmon90;Visual Studio 2008 Remote Debugger;C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x64\msvsmon.exe [2008-7-29 4737024]

.

=============== File Associations ===============

.

FileExt: .txt: txtfile=C:\Windows\System32\NOTEPAD.EXE %1 [userChoice]

.

=============== Created Last 30 ================

.

.

==================== Find3M ====================

.

2013-04-04 12:50:32 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys

2013-03-23 21:52:43 72013344 ----a-w- C:\Windows\System32\mrt.exe

2013-03-17 13:41:57 73432 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2013-03-17 13:41:57 693976 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2013-03-16 16:49:30 95648 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll

2013-03-16 16:49:25 262560 ----a-w- C:\Windows\SysWow64\javaws.exe

2013-03-16 16:49:25 174496 ----a-w- C:\Windows\SysWow64\javaw.exe

2013-03-16 16:49:25 174496 ----a-w- C:\Windows\SysWow64\java.exe

2013-03-16 16:49:24 861088 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll

2013-03-16 16:49:24 782240 ----a-w- C:\Windows\SysWow64\deployJava1.dll

2013-03-11 23:10:56 282744 ------w- C:\Windows\System32\MpSigStub.exe

2013-03-06 22:33:21 68920 ----a-w- C:\Windows\System32\drivers\aswTdi.sys

2013-03-06 22:33:21 65336 ----a-w- C:\Windows\System32\drivers\aswRvrt.sys

2013-03-06 22:33:21 377920 ----a-w- C:\Windows\System32\drivers\aswSP.sys

2013-03-06 22:33:21 178624 ----a-w- C:\Windows\System32\drivers\aswVmm.sys

2013-03-06 22:33:21 1025808 ----a-w- C:\Windows\System32\drivers\aswSnx.sys

2013-03-06 22:33:20 80816 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys

2013-03-06 22:33:20 59144 ----a-w- C:\Windows\System32\drivers\aswRdr.sys

2013-03-06 22:33:20 33400 ----a-w- C:\Windows\System32\drivers\aswFsBlk.sys

2013-03-06 22:32:51 41664 ----a-w- C:\Windows\avastSS.scr

2013-03-06 22:32:22 287840 ----a-w- C:\Windows\System32\aswBoot.exe

2013-02-12 02:18:19 19456 ----a-w- C:\Windows\System32\drivers\usb8023x.sys

2013-02-12 02:18:19 19456 ----a-w- C:\Windows\System32\drivers\usb8023.sys

2013-02-10 01:04:31 6393120 ----a-w- C:\Windows\System32\nvcpl.dll

2013-02-10 01:04:31 3472672 ----a-w- C:\Windows\System32\nvsvc64.dll

2013-02-10 01:04:29 877856 ----a-w- C:\Windows\System32\nvvsvc.exe

2013-02-10 01:04:29 63776 ----a-w- C:\Windows\System32\nvshext.dll

2013-02-10 01:04:29 2555680 ----a-w- C:\Windows\System32\nvsvcr.dll

2013-02-10 01:04:29 237856 ----a-w- C:\Windows\System32\nvmctray.dll

2013-02-01 04:09:32 1032192 ----a-w- C:\Windows\System32\wininet.dll

2013-02-01 04:09:20 1428992 ----a-w- C:\Windows\System32\urlmon.dll

2013-02-01 04:09:20 108544 ----a-w- C:\Windows\System32\url.dll

2013-02-01 04:08:03 1129984 ----a-w- C:\Windows\System32\mstime.dll

2013-02-01 04:07:55 761856 ----a-w- C:\Windows\System32\mshtmled.dll

2013-02-01 04:07:55 623616 ----a-w- C:\Windows\System32\msfeeds.dll

2013-02-01 04:07:55 5725696 ----a-w- C:\Windows\System32\mshtml.dll

2013-02-01 04:07:29 32256 ----a-w- C:\Windows\System32\jsproxy.dll

2013-02-01 04:07:18 224768 ----a-w- C:\Windows\System32\ieui.dll

2013-02-01 04:07:17 7050752 ----a-w- C:\Windows\System32\ieframe.dll

2013-02-01 04:07:17 375808 ----a-w- C:\Windows\System32\iertutil.dll

2013-02-01 04:07:17 249856 ----a-w- C:\Windows\System32\iepeers.dll

2013-02-01 04:07:16 422400 ----a-w- C:\Windows\System32\ieapfltr.dll

2013-02-01 03:51:59 834048 ----a-w- C:\Windows\SysWow64\wininet.dll

2013-02-01 03:51:49 1176576 ----a-w- C:\Windows\SysWow64\urlmon.dll

2013-02-01 03:51:49 106496 ----a-w- C:\Windows\SysWow64\url.dll

2013-02-01 03:50:26 671232 ----a-w- C:\Windows\SysWow64\mstime.dll

2013-02-01 03:50:15 479232 ----a-w- C:\Windows\SysWow64\mshtmled.dll

2013-02-01 03:50:14 3621888 ----a-w- C:\Windows\SysWow64\mshtml.dll

2013-02-01 03:50:13 498688 ----a-w- C:\Windows\SysWow64\msfeeds.dll

2013-02-01 03:49:53 27648 ----a-w- C:\Windows\SysWow64\jsproxy.dll

2013-02-01 03:49:44 6118400 ----a-w- C:\Windows\SysWow64\ieframe.dll

2013-02-01 03:49:44 380928 ----a-w- C:\Windows\SysWow64\ieapfltr.dll

2013-02-01 03:49:44 270336 ----a-w- C:\Windows\SysWow64\iertutil.dll

2013-02-01 03:49:44 193024 ----a-w- C:\Windows\SysWow64\iepeers.dll

2013-02-01 03:49:44 180736 ----a-w- C:\Windows\SysWow64\ieui.dll

2013-02-01 02:51:51 485376 ----a-w- C:\Windows\System32\html.iec

2013-02-01 02:14:02 1383424 ----a-w- C:\Windows\System32\mshtml.tlb

2013-02-01 02:13:09 389632 ----a-w- C:\Windows\SysWow64\html.iec

2013-02-01 01:48:04 1383424 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2013-01-31 08:35:54 35104 ----a-w- C:\Windows\System32\TURegOpt.exe

2013-01-31 08:35:48 26400 ----a-w- C:\Windows\System32\authuitu.dll

2013-01-31 08:35:48 21792 ----a-w- C:\Windows\SysWow64\authuitu.dll

2013-01-22 22:18:00 261310 ----a-w- C:\Windows\QLPrism Uninstaller.exe

.

============= FINISH: 17:01:55,62 ===============


Looks normal.

Step 1

  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 2

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\ESET\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic

In your next reply, post the following log files:

  • Malwarebytes' Anti-Malware log
  • ESET Online Scanner log


Alright :) Why was there a yellow and a red line when running RogueKiller? Or was it the other one? One of them showed colored lines :P I also want to tell you that my accounts have all been hacked by the same dude from China. Customer support from various games and the fact that the name always gets changed to Zhang show this. Also, often I have to Ctrl-Alt-Delete to unhang the computer.

Malwarebytes Anti-Malware 1.75.0.1300

www.malwarebytes.org

Database version: v2013.04.17.07

Windows Vista Service Pack 2 x64 NTFS

Internet Explorer 7.0.6002.18005

Edmond :: CREATIVE [administrator]

2013-04-17 17:44:22

mbam-log-2013-04-17 (17-44-22).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 239298

Time elapsed: 3 minute(s), 8 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

The ESET Online Scanner page doesn't work right now; it's asking me to come back later. I'll post the ESET log as soon as the website is up.


Here is the ESET log; it did find 12 threats, 11 deleted. Also, I haven't updated Internet Explorer for a LONG time, so I downloaded it using Google Chrome. Is that going to be a problem?

ESETSmartInstaller@High as downloader log:

all ok

# version=8

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6920

# api_version=3.0.2

# EOSSerial=436ad2c791ee0e488958a3d0f39d5dc8

# engine=13639

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2013-04-17 06:28:16

# local_time=2013-04-17 08:28:16 (+0100, Västeuropa, sommartid)

# country="Sweden"

# lang=1033

# osver=6.0.6002 NT Service Pack 2

# compatibility_mode=770 16774141 100 97 1194195 142936770 0 0

# compatibility_mode=5892 16776573 100 100 66652 203747202 0 0

# scanned=343229

# found=12

# cleaned=11

# scan_time=7258

sh=5CA319EBA10412E2FF4A47FD20624385C11A0C2A ft=1 fh=8ad6e907be4811df vn="a variant of Win32/Adware.Yontoo.B application" ac=I fn="C:\Users\All Users\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll"

sh=5CA319EBA10412E2FF4A47FD20624385C11A0C2A ft=1 fh=8ad6e907be4811df vn="a variant of Win32/Adware.Yontoo.B application (cleaned by deleting - quarantined)" ac=C fn="C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll"

sh=3FDFB7AEAAC76DBA4DC8C77B452E9AC015B659B4 ft=1 fh=e43d2002ef17bac7 vn="multiple threats (cleaned by deleting - quarantined)" ac=C fn="C:\Users\Edmond\.frostwire5\updates\frostwire-5.3.2.windows.exe"

sh=27407C9D799188355237DC2A4318D87CF1A60869 ft=1 fh=f0120e31dc4df6d1 vn="Win32/OpenCandy application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\Edmond\AppData\Roaming\OpenCandy\OpenCandy_A9740C23295D4AA18E017145ECC1AC99\DLMgr_3_1.6.87.exe"

sh=9D8A4BE929E04CBB09856943FF3401CE1FBA9002 ft=1 fh=8b3e42d45326a400 vn="a variant of Win32/RegistryBooster application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\Edmond\AppData\Roaming\OpenCandy\OpenCandy_A9740C23295D4AA18E017145ECC1AC99\registrybooster32.exe"

sh=728F515AB73EB772788F1D8ACF59BF61E57EFD2B ft=1 fh=bfec4c72175eec0e vn="Win32/RegistryBooster application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\Edmond\AppData\Roaming\Uniblue\RegistryBooster\_temp\ub.exe"

sh=1626078AFAA3FE1EA87F2620E7285BA391668E3C ft=1 fh=7c84ba8e0fc5996e vn="Win32/InstallMate application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\Edmond\Desktop\till sacka\DownloadSetup.exe"

sh=D35ED6E76014996357AC012E14383DEC94B2BA81 ft=1 fh=eaff10c14be64842 vn="a variant of Win32/ELEX application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\Edmond\Desktop\till sacka\gb3-setup.exe"

sh=BA660D4CB6607CCDFA62CC238850E4FFF90A5BD2 ft=1 fh=d9cafc153ef6d8b0 vn="Win32/Toolbar.Babylon application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\Edmond\Desktop\till sacka\installer_adobe_flash_player_Swedish.exe"

sh=3C04AC609DAA5FFCB202F72B6827B8C1C3E0DCC8 ft=1 fh=5bc1267b88c42d53 vn="a variant of MSIL/Spy.Agent.BH trojan (cleaned by deleting - quarantined)" ac=C fn="D:\Antec\BFBC2Beta\svchost.exe"

sh=92C332A025753F94E0339B82EBE0E54AD3CEC7BD ft=1 fh=eaaa106be2e16059 vn="multiple threats (cleaned by deleting - quarantined)" ac=C fn="D:\Downloads\CheatEngine561.exe"

sh=B0C4B41D23C0DE9B6991A6EA96298A236BEC370B ft=1 fh=397f41671853c80e vn="a variant of Win32/Tool.ServiceRunner application (cleaned by deleting - quarantined)" ac=C fn="D:\Filmer\Bulletproof FTP Server 2.3.1.26\Bulletproof FTP Server v2.3.1.26 Setup.exe"

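As an added example (not code from the thread, from ESET or from the helper), the following Python script parses detection records in the log format shown above, reconciles the `# found=` and `# cleaned=` counters against the per-file records, and groups records by SHA-1 so that an entry reported as found but not cleaned can be matched to a quarantined twin at a second path. The sample log, its hashes, detection names and paths are constructed placeholders, and reading `ac=C` as "a cleaning action was taken" is an assumption drawn from the thread's log rather than documented ESET semantics.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the shape of the ESET Online Scanner log above
# (placeholder hashes, detection names and paths, not values from the real scan).
SAMPLE_LOG = r'''
# version=8
# end=finished
# remove_checked=true
# scanned=1000
# found=4
# cleaned=3
sh=0123456789012345678901234567890123456789 ft=1 fh=0000000000000001 vn="a variant of Win32/Adware.Example.A application" ac=I fn="C:\Users\All Users\Vendor Installer\_Setupx.dll"
sh=0123456789012345678901234567890123456789 ft=1 fh=0000000000000001 vn="a variant of Win32/Adware.Example.A application (cleaned by deleting - quarantined)" ac=C fn="C:\ProgramData\Vendor Installer\_Setupx.dll"
sh=ABCDEF0123ABCDEF0123ABCDEF0123ABCDEF0123 ft=1 fh=0000000000000002 vn="Win32/Example.PUA application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\user\AppData\Roaming\Example\DLMgr.exe"
sh=FEDCBA9876FEDCBA9876FEDCBA9876FEDCBA9876 ft=1 fh=0000000000000003 vn="a variant of MSIL/Example.Spy trojan (cleaned by deleting - quarantined)" ac=C fn="D:\Games\Old\svchost.exe"
'''

HEADER_RE = re.compile(r"^#\s*(\w+)=(.*)$")
# key=value pairs; quoted values (vn=, fn=) may contain spaces and backslashes
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SHA1_RE = re.compile(r"^[0-9A-Fa-f]{40}$")


@dataclass
class Detection:
    sha1: str       # sh= field
    file_hash: str  # fh= field
    name: str       # vn= field
    action: str     # ac= field
    path: str       # fn= field

    @property
    def cleaned(self) -> bool:
        # In the thread's log every ac=C record also says "(cleaned by ...)"
        # in vn= and the lone ac=I record does not. Assumption: ac=C means a
        # cleaning action was taken; either signal counts as cleaned here.
        return self.action == "C" or "cleaned by" in self.name


def parse_eset_log(text: str):
    """Split the log into its '# key=value' headers and its detection records."""
    headers, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            headers[m.group(1)] = m.group(2).strip()
            continue
        if not line.startswith("sh="):
            continue  # installer chatter such as "all ok" is not a record
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        sha1 = fields.get("sh", "")
        if not SHA1_RE.match(sha1):
            raise ValueError(f"malformed sh= field: {sha1!r}")
        detections.append(Detection(sha1, fields.get("fh", ""), fields.get("vn", ""),
                                    fields.get("ac", ""), fields.get("fn", "")))
    return headers, detections


def reconcile(headers: dict, detections: list) -> dict:
    """Compare the header counters with the records and flag what still needs action."""
    found = int(headers.get("found", 0))
    cleaned = int(headers.get("cleaned", 0))
    records_cleaned = sum(1 for d in detections if d.cleaned)
    paths_by_hash = defaultdict(list)
    for d in detections:
        paths_by_hash[d.sha1].append(d.path)
    # The same SHA-1 under two paths is one file seen twice: on Vista and later
    # C:\Users\All Users is a junction to C:\ProgramData, so an "uncleaned"
    # record whose twin was quarantined needs no further action.
    cleaned_hashes = {d.sha1 for d in detections if d.cleaned}
    uncleaned = [d for d in detections if not d.cleaned]
    return {
        "found_header": found,
        "cleaned_header": cleaned,
        "records": len(detections),
        "records_cleaned": records_cleaned,
        "counters_consistent": found == len(detections) and cleaned == records_cleaned,
        "unique_files": len(paths_by_hash),
        "duplicate_paths": {h: p for h, p in paths_by_hash.items() if len(p) > 1},
        "uncleaned": [d.path for d in uncleaned],
        "needs_follow_up": [d.path for d in uncleaned if d.sha1 not in cleaned_hashes],
    }


if __name__ == "__main__":
    hdr, recs = parse_eset_log(SAMPLE_LOG)
    for key, value in reconcile(hdr, recs).items():
        print(f"{key}: {value}")
```

In the thread's own log the `ac=I` record and the first `ac=C` record carry identical `sh=` and `fh=` values under `C:\Users\All Users\...` and `C:\ProgramData\...`, which is exactly the duplicate-path case the hash grouping surfaces.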

No, it is not a problem at all. Please proceed:

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named)

Click the cog in the upper right


Select down to and including your main drive. Once done, select the Automatic scan tab and press Start Scan.


Allow AVP to delete all infections found

Once it has finished select report tab (last tab)

Select Detected threats report from the left and press the Save button.

Save it to your desktop and post it in your next reply.


I started it a second time and it found another threat; the first one was spyagent and this one something else. Posting log.

Status: Deleted (events: 2)

2013-04-18 20:15:27 Deleted Trojan program Trojan.Win32.Agent.dikv E:\Spel\Fallout 3\Fallout.3.FinalFix.Skullptura.rar//Fallout.3.FinalFix.Skullptura/Data/extract.exe High

2013-04-18 20:15:27 Deleted Trojan program Trojan.Win32.Agent.dikv E:\Spel\Fallout 3\Fallout.3.FinalFix.Skullptura.rar High

This was the second scan using AVP; the first time it crashed.

Roguekiller:

Mode : Scan -- Date : 04/18/2013 20:26:42

| ARK || FAK || MBR |

¤¤¤ Bad processes : 4 ¤¤¤

[BLACKLIST] setup_11.0.0.1245.x01_2013_04_18_00_16.exe -- E:\Temporary\setup_11.0.0.1245.x01_2013_04_18_00_16.exe [7] -> KILLED [TermProc]

[ROGUE ST] 2589532.exe -- C:\Users\Edmond\AppData\Local\Temp\RarSFX0\2589532.exe [7] -> KILLED [TermThr]

[ROGUE ST] 2589532.exe -- C:\Users\Edmond\AppData\Local\Temp\8179062\2589532.exe [x] -> KILLED [TermThr]

[SUSP PATH] hyperdesktop.exe -- C:\Users\Edmond\AppData\Roaming\Hyperdesktop\hyperdesktop.exe [-] -> KILLED [TermThr]

¤¤¤ Registry Entries : 5 ¤¤¤

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND

[HJ DESK] HKCU\[...]\ClassicStartMenu : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> FOUND

[HJ DESK] HKCU\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost

::1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD5000ABYS-01TNA0 ATA Device +++++

--- User ---

[MBR] e34b20ea4a39c2548db55b27dd5f15f4

[BSP] ddada3217191b269a3db11dd0a5608c6 : Windows Vista MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 66228 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 135636795 | Size: 410708 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: WDC WD5000ABYS-01TNA0 ATA Device +++++

--- User ---

[MBR] 03ae9c5e751cb190ab1c8c7187d6bb6e

[BSP] f973842e3ddc011e1c3dc1817bc5886a : Windows XP MBR Code

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476937 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1]_S_04182013_02d2026.txt >>

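The RogueKiller report above prints the HOSTS file so it can be checked by eye: only the two loopback lines for localhost are present, which is what a clean file looks like. The following is an added example, not RogueKiller's code or anything the helper posted, that performs the same check in Python and classifies every mapping, so that a name sunk to the loopback address (often used to keep a security product from updating) or steered to a routable address stands out. Both sample files, the hostnames and the address 198.51.100.7 in them are constructed for this example; the first sample mirrors the clean file in the report.

```python
"""Audit of a Windows HOSTS file (added example; not RogueKiller's code)."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: same content as the two lines RogueKiller printed above.
CLEAN_HOSTS = """\
127.0.0.1 localhost
::1 localhost
"""

# Constructed tampered sample: hostnames and the routable address are made up.
TAMPERED_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-av.invalid      # sinkhole: name resolves to nothing useful
198.51.100.7    login.example-bank.invalid     # redirect: name resolves to a foreign host
"""

# Names that legitimately map to loopback in a default hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [names]) for every mapping line; comments and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: nothing is mapped, so nothing to audit
        entries.append((parts[0], parts[1:]))
    return entries


def audit_hosts(text: str) -> Dict[str, List[str]]:
    """Classify each mapping as 'ok', 'sinkhole' (name -> loopback/unspecified)
    or 'redirect' (name -> any other address)."""
    findings: Dict[str, List[str]] = {"ok": [], "sinkhole": [], "redirect": []}
    for ip_text, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            # Not a parsable address at all: treat the whole line as suspect.
            findings["redirect"].append(f"{ip_text} {' '.join(names)}")
            continue
        local_target = ip.is_loopback or ip.is_unspecified
        for name in names:
            entry = f"{ip_text} {name}"
            if name.lower() in LOCAL_NAMES and local_target:
                findings["ok"].append(entry)
            elif local_target:
                findings["sinkhole"].append(entry)  # a real name silenced
            else:
                findings["redirect"].append(entry)  # a real name steered elsewhere
    return findings


def hosts_is_clean(text: str) -> bool:
    """True when no name other than the local ones is sunk or redirected."""
    f = audit_hosts(text)
    return not f["sinkhole"] and not f["redirect"]


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_HOSTS), ("tampered", TAMPERED_HOSTS)):
        print(label, "->", "clean" if hosts_is_clean(sample) else audit_hosts(sample))
```

On a live machine the text would come from C:\Windows\System32\drivers\etc\hosts (the path RogueKiller shows); the `0.0.0.0` form used by ad-blocking hosts lists lands in the same `sinkhole` bucket, so those entries need a human look rather than automatic alarm.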


Did we find the source of the account hacks?

It is very difficult to say categorically without analysis of all of these samples, but:

sh=3C04AC609DAA5FFCB202F72B6827B8C1C3E0DCC8 ft=1 fh=5bc1267b88c42d53 vn="a variant of MSIL/Spy.Agent.BH trojan (cleaned by deleting - quarantined)" ac=C fn="D:\Antec\BFBC2Beta\svchost.exe"

This is a real problem for sure, because it is spyware. Its main goal is to collect your personal data (like passwords).

sh=92C332A025753F94E0339B82EBE0E54AD3CEC7BD ft=1 fh=eaaa106be2e16059 vn="multiple threats (cleaned by deleting - quarantined)" ac=C fn="D:\Downloads\CheatEngine561.exe"

sh=3FDFB7AEAAC76DBA4DC8C77B452E9AC015B659B4 ft=1 fh=e43d2002ef17bac7 vn="multiple threats (cleaned by deleting - quarantined)" ac=C fn="C:\Users\Edmond\.frostwire5\updates\frostwire-5.3.2.windows.exe"

Cheat Engine and this FrostWire (P2P) are among the main sources of infections.

Is there anything else to do?

Last steps:

Step 1

  • Download OTC to your desktop and run it
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Step 2

Please uninstall ESET Online Scanner and manually delete Kaspersky AVP.

Step 3

Download TFC to your desktop

  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

Finally, manually delete this tool.

Take some precautions against further infections:

users.telenet.be/bluepatchy/miekiemoes/prevention.html

Safe surfing! :)
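The helper's reading of the ESET log above separates a credential stealer (MSIL/Spy.Agent.BH, running under the name svchost.exe from a game folder) from unwanted-application detections that are a nuisance rather than an account-compromise risk. The script below is an added example, not ESET's code or anything posted in the thread, that parses ESET Online Scanner lines of the form `sh=... ft=... fh=... vn="..." ac=... fn="..."` and ranks them the same way. The field regex, the keyword rules for the risk buckets and the list of system-binary names are assumptions made for this example; the sample lines reuse the detections quoted in the thread.

```python
"""Triage of ESET Online Scanner log lines (added example; not ESET's code)."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in ESET's line format, built from detections quoted in the thread.
SAMPLE_LOG = r'''
sh=3C04AC609DAA5FFCB202F72B6827B8C1C3E0DCC8 ft=1 fh=5bc1267b88c42d53 vn="a variant of MSIL/Spy.Agent.BH trojan (cleaned by deleting - quarantined)" ac=C fn="D:\Antec\BFBC2Beta\svchost.exe"
sh=92C332A025753F94E0339B82EBE0E54AD3CEC7BD ft=1 fh=eaaa106be2e16059 vn="multiple threats (cleaned by deleting - quarantined)" ac=C fn="D:\Downloads\CheatEngine561.exe"
sh=BA660D4CB6607CCDFA62CC238850E4FFF90A5BD2 ft=1 fh=d9cafc153ef6d8b0 vn="Win32/Toolbar.Babylon application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\Edmond\Desktop\till sacka\installer_adobe_flash_player_Swedish.exe"
'''

# One ESET line: SHA-1, the two ft/fh fields, quoted detection text, action code, quoted path.
# The layout is an assumption derived from the lines in the thread.
LINE_RE = re.compile(
    r'^sh=(?P<sha1>[0-9A-Fa-f]{40}) ft=(?P<ft>\d+) fh=(?P<fh>[0-9A-Fa-f]+) '
    r'vn="(?P<vn>[^"]*)" ac=(?P<ac>\w+) fn="(?P<fn>[^"]*)"$'
)

# Windows process names whose legitimate copies live under \Windows\ (assumed list).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
                   "winlogon.exe", "smss.exe", "explorer.exe"}
CATEGORY_ORDER = {"credential-theft": 0, "malware": 1, "pua": 2, "unknown": 3}


@dataclass
class Detection:
    sha1: str
    name: str    # detection name, e.g. "a variant of MSIL/Spy.Agent.BH trojan"
    action: str  # what the scanner did, e.g. "cleaned by deleting - quarantined"
    path: str


def parse_eset_line(line: str) -> Optional[Detection]:
    """Return a Detection for one log line, or None when the line is not an ESET record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    vn = m.group("vn")
    # The action is the trailing parenthesised part of the vn field.
    name, sep, rest = vn.rpartition(" (")
    if sep and rest.endswith(")"):
        action = rest[:-1]
    else:
        name, action = vn, ""
    return Detection(m.group("sha1").upper(), name, action, m.group("fn"))


def parse_eset_log(text: str) -> List[Detection]:
    return [d for d in (parse_eset_line(ln) for ln in text.splitlines()) if d]


def classify(det: Detection) -> str:
    """Coarse risk bucket from the detection name (assumed keyword rules)."""
    n = det.name.lower()
    if any(k in n for k in ("spy", "pws", "keylog", "stealer")):
        return "credential-theft"  # data-stealing: treat saved passwords as exposed
    if "trojan" in n or "multiple threats" in n:
        return "malware"
    if "application" in n:
        return "pua"  # scanner wording for unwanted/adware applications
    return "unknown"


def masquerades_as_system_binary(path: str) -> bool:
    """True when a Windows system process name sits outside the \\Windows\\ tree."""
    base = ntpath.basename(path).lower()
    in_windows = re.match(r"^[a-z]:\\windows\\", path.lower()) is not None
    return base in SYSTEM_BINARIES and not in_windows


def triage(text: str) -> List[dict]:
    """Parsed detections, highest-risk first, each with a masquerade flag."""
    rows = []
    for det in parse_eset_log(text):
        rows.append({"sha1": det.sha1, "category": classify(det),
                     "masquerade": masquerades_as_system_binary(det.path),
                     "path": det.path, "action": det.action})
    return sorted(rows, key=lambda r: CATEGORY_ORDER[r["category"]])


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        flag = " [system name outside Windows dir]" if row["masquerade"] else ""
        print(f'{row["category"]:16} {row["sha1"]} {row["path"]}{flag}')
```

The `credential-theft` rows are the ones that answer "did we find the source of the account hacks": anything in that bucket means every password typed or saved on the machine while it ran should be changed from a different device, which is also why the SHA-1 is kept in the output, so the sample can be looked up or submitted for analysis.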


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.