Computer Hope
Software => Computer viruses and spyware => Topic started by: TheBiggestNoob on September 13, 2012, 11:13:53 AM
-
Hello,
I noticed some suspicions Wireshark reports on one of my computers.
While I was not doing anything on that computer(and any program that uses internet was disabled),Wireshark showed some ICMP traffic to random foreign IPs.I attached an example picture.
Full list of IPs are:
99.191.34.205 - USA
78.62.189.39 - Lithuania
89.178.54.81 - Russia
67.212.24.141 - Canada
Is it possible that my computer has been hijacked? What can you tell by looking at that Wireshark report? I used 5 different antiviruses to scan my computer but they didn't detect anything.My computer's local IP is 192.168.1.124, I'm using Windows 7 64bit.
Thanks !
[year+ old attachment deleted by admin]
-
Anything is possible, although not likely if you've ran multiple antivirus and malware detectors. Make sure its not residual by rebooting the computer and not opening any browser window, also where is the computer located home, school, business?
-
It is a home desktop computer.I also have a laptop but it doesn't have the same issue.
Just rebooted the PC with antivirus disabled and browsers closed.I'll wait 1 hour for it to catch some traffic then I'll post the results here.
-
Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.
1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.
If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************
Please download AdwCleaner (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner)by Xplode onto your Desktop.
- Double click on AdwCleaner.exe to run the tool.
- Click on Search.
- A logfile will automatically open after the scan has finished.
- Please post the content of that logfile in your reply.
- You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.
*********************************************
(http://i424.photobucket.com/albums/pp322/digistar/mbamicontw5.gif) Please download Malwarebytes Anti-Malware from here. (http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe)
Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Full Scan", then click Scan.
- The scan may take some time to finish,so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- Please save the log to a location you will remember.
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
************************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.
Link 1 (http://screen317.spywareinfoforum.org/SecurityCheck.exe)
Link 2 (http://screen317.changelog.fr/SecurityCheck.exe)
* Double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.
Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
-
I left the Wireshark running for 2 hours and it didn't pick up any suspicious activity this time.
I will use Check.bat and adwcleaner tools to scan the computer and post the results tomorrow as soon as I get access to that computer.
I've already scanned it with Malwarebytes,Emsisoft,Kaspersky,Spybot,HitmanPro and it came up clean.
Thanks.
-
SecurityCheck.exe results
Results of screen317's Security Check version 0.99.50
Windows 7 Service Pack 1 x86 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````[/u]
Kaspersky Internet Security
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````[/u]
MVPS Hosts File
Spybot - Search & Destroy
SUPERAntiSpyware
Secunia PSI (2.0.0.3003)
Malwarebytes Anti-Malware version 1.65.0.1400
CCleaner
JavaFX 2.1.1
Java 7 Update 7
Adobe Flash Player 11.4.402.265
Adobe Reader X (10.1.4)
Mozilla Firefox (15.0)
````````Process Check: objlist.exe by Laurent````````[/u]
Kaspersky Lab Kaspersky Internet Security 2012 avp.exe
`````````````````System Health check`````````````````[/u]
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````[/u]
AdwCleaner results
# AdwCleaner v2.001 - Logfile created 09/14/2012 at 10:38:55
# Updated 09/09/2012 by Xplode
# Operating system : Windows 7 Ultimate Service Pack 1 (32 bits)
# User : Dell - DELL-PC
# Boot Mode : Normal
# Running from : C:\Users\Dell\Desktop\adwcleaner.exe
# Option [Search]
***** [Services] *****
***** [Files / Folders] *****
Folder Found : C:\Windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
***** [Registry] *****
Key Found : HKCU\Software\AppDataLow\AskToolbarInfo
Key Found : HKCU\Software\AppDataLow\Software\AskToolbar
Key Found : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Found : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Found : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Found : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Scheduled Update for Ask Toolbar
***** [Internet Browsers] *****
-\\ Internet Explorer v9.0.8112.16421
[OK] Registry is clean.
-\\ Mozilla Firefox v15.0 (en-US)
Profile name : default
File : C:\Users\Dell\AppData\Roaming\Mozilla\Firefox\Profiles\nax9o85o.default\prefs.js
[OK] File is clean.
-\\ Opera v [Unable to get version]
File : C:\Users\Dell\AppData\Roaming\Opera\Opera\operaprefs.ini
[OK] File is clean.
*************************
AdwCleaner[R1].txt - [1505 octets] - [14/09/2012 10:38:55]
########## EOF - C:\AdwCleaner[R1].txt - [1565 octets] ##########
-
Ok. We'll run a few more scans just to make sure.
Remove the Adware:
- Please close all open programs and internet browsers.
- Double click on adwcleaner.exe to run the tool.
- Click on Delete.
- Confirm each time with OK
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile in your reply.
- You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.
*************************************************
Download Combofix from any of the links below, and save it to your DESKTOP.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
To prevent your anti-virus application interfering with ComboFix we need to disable it. See here (http://www.pchelpforum.com/anti-virus/110194-how-disable-your-security-applications-4.html) for a tutorial regarding how to do so if you are unsure.
- Close any open windows and double click ComboFix.exe to run it.
You will see the following image:
(http://i424.photobucket.com/albums/pp322/digistar/NSIS_disclaimer_ENG.png)
Click I Agree to start the program.
ComboFix will then extract the necessary files and you will see this:
(http://i424.photobucket.com/albums/pp322/digistar/NSIS_extraction.png)
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7
It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
If you did not have it installed, you will see the prompt below. Choose YES.
(http://i424.photobucket.com/albums/pp322/digistar/RcAuto1.gif)
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
(http://i424.photobucket.com/albums/pp322/digistar/whatnext.png)
Click on Yes, to continue scanning for malware.
When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.
Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.
-
AdwCleaner results
# AdwCleaner v2.001 - Logfile created 09/14/2012 at 16:18:59
# Updated 09/09/2012 by Xplode
# Operating system : Windows 7 Ultimate Service Pack 1 (32 bits)
# User : Dell - DELL-PC
# Boot Mode : Normal
# Running from : C:\Users\Dell\Desktop\adwcleaner.exe
# Option [Delete]
***** [Services] *****
***** [Files / Folders] *****
Folder Deleted : C:\Windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
***** [Registry] *****
Key Deleted : HKCU\Software\AppDataLow\AskToolbarInfo
Key Deleted : HKCU\Software\AppDataLow\Software\AskToolbar
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
***** [Internet Browsers] *****
-\\ Internet Explorer v9.0.8112.16421
Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-21-585658329-1536808483-3439428019-1011\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
-\\ Mozilla Firefox v15.0 (en-US)
Profile name : default
File : C:\Users\Dell\AppData\Roaming\Mozilla\Firefox\Profiles\nax9o85o.default\prefs.js
[OK] File is clean.
-\\ Opera v [Unable to get version]
File : C:\Users\Dell\AppData\Roaming\Opera\Opera\operaprefs.ini
[OK] File is clean.
*************************
AdwCleaner[S1].txt - [1863 octets] - [14/09/2012 16:18:59]
########## EOF - C:\AdwCleaner[S1].txt - [1923 octets] ##########
ComboFix Results
ComboFix 12-09-14.03 - Dell 09/14/2012 16:26:22.2.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3070.2238 [GMT -7:00]
Running from: c:\users\Dell\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *Disabled/Updated* {2EAA32A5-1EE1-1B22-95DA-337730C6E984}
FW: Kaspersky Internet Security *Disabled* {1691B380-548E-1A7A-BE85-9A42CE15AEFF}
SP: Kaspersky Internet Security *Disabled/Updated* {95CBD341-38DB-14AC-AF6A-08054B41A339}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\wpcap.dll
.
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_de3024012ff21116\userinit.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-08-14 to 2012-09-14 )))))))))))))))))))))))))))))))
.
.
2012-09-14 23:31 . 2012-09-14 23:32 -------- d-----w- c:\users\Dell\AppData\Local\temp
2012-09-14 23:31 . 2012-09-14 23:31 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-09-14 23:31 . 2012-09-14 23:31 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-09-14 23:31 . 2012-09-14 23:31 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-12 22:31 . 2012-09-12 22:31 -------- d-----w- c:\users\Dell\AppData\Roaming\Wireshark
2012-09-12 22:11 . 2012-09-12 22:11 -------- d-----w- c:\program files\WinPcap
2012-09-12 22:10 . 2012-09-12 22:11 -------- d-----w- c:\program files\Wireshark
2012-09-12 00:46 . 2012-08-22 17:16 1292144 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-09-12 00:46 . 2012-08-22 17:16 712048 ----a-w- c:\windows\system32\drivers\ndis.sys
2012-09-12 00:46 . 2012-08-22 17:16 240496 ----a-w- c:\windows\system32\drivers\netio.sys
2012-09-12 00:46 . 2012-08-22 17:16 187760 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2012-09-12 00:46 . 2012-08-02 16:57 490496 ----a-w- c:\windows\system32\d3d10level9.dll
2012-09-12 00:46 . 2012-07-04 19:45 33280 ----a-w- c:\windows\system32\drivers\RNDISMP.sys
2012-08-31 17:22 . 2012-08-31 17:22 -------- d-----w- c:\program files\Common Files\Java
2012-08-31 17:21 . 2012-08-31 17:21 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-08-31 17:21 . 2012-08-31 17:21 -------- d-----w- c:\program files\Java
2012-08-25 21:35 . 2012-09-13 17:21 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-08-25 21:35 . 2012-08-25 21:35 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-08-25 21:12 . 2012-08-26 20:37 -------- d-----w- c:\program files\Microsoft Silverlight
2012-08-24 18:08 . 2012-08-01 22:51 7023536 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{35EE3EC2-7845-49CC-80EA-939A1C9C4D3E}\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-08 00:04 . 2012-03-24 01:23 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-31 17:21 . 2012-05-05 22:35 821736 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-08-31 17:21 . 2011-06-07 21:21 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-24 18:36 . 2012-03-30 20:39 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-24 18:36 . 2011-06-07 21:06 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-09 21:46 . 2012-03-20 23:20 319456 ----a-w- c:\windows\DIFxAPI.dll
2012-07-18 17:47 . 2012-08-14 18:29 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-07-06 19:23 . 2012-08-14 18:31 393728 ----a-w- c:\windows\system32\drivers\bthport.sys
2012-07-04 21:14 . 2012-08-14 18:29 41984 ----a-w- c:\windows\system32\browcli.dll
2012-07-04 21:14 . 2012-08-14 18:29 102912 ----a-w- c:\windows\system32\browser.dll
2012-06-29 00:16 . 2012-08-14 18:30 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-06-29 00:09 . 2012-08-14 18:30 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-29 00:08 . 2012-08-14 18:30 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-29 00:04 . 2012-08-14 18:30 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-29 00:00 . 2012-08-14 18:30 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-25 23:04 . 2012-06-25 23:04 1394248 ----a-w- c:\windows\system32\msxml4.dll
2012-09-13 17:47 . 2012-09-13 17:47 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-08-05 6265376]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKLM\~\startupfolder\C:^Users^Dell^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^HDDlife.lnk]
backup=c:\windows\pss\HDDlife.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-07-27 20:51 919008 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-07-27 20:51 35768 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-02-21 04:28 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2012-02-13 08:06 3481408 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DNS7reminder]
2010-10-27 18:44 328992 ----a-w- c:\program files\Nuance\NaturallySpeaking11\Ereg\Ereg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2011-06-06 01:41 222496 ----a-w- c:\programdata\FLEXnet\Connect\11\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2012-09-08 00:04 981656 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-04-19 03:56 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-08-05 00:16 6265376 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2010-11-20 12:17 1174016 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-07-03 16:04 252848 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe
R3 a2acc;a2acc;c:\program files\EMSISOFT ANTI-MALWARE\a2accx86.sys
R3 a2AntiMalware;Emsisoft Anti-Malware 6.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
R3 DisplayLinkUsbPort;DisplayLink USB Device;c:\windows\system32\DRIVERS\DisplayLinkUsbPort_5.3.24903.0.sys
R3 FPFZW;FPFZW;
R3 GDPkIcpt;GDPkIcpt;c:\windows\system32\drivers\PktIcpt.sys
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys
R3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\PSIA.exe
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys
R3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS
R3 YABEZE;YABEZE;
S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys
S1 A2DDA;A2 Direct Disk Access Support Driver;c:\program files\Emsisoft Anti-Malware\a2ddax86.sys
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys
S1 kl2;kl2;c:\windows\system32\DRIVERS\kl2.sys
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe
S2 DragonSvc;Dragon Service;c:\program files\Common Files\Nuance\dgnsvc.exe
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe
S2 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HsfXAudioService REG_MULTI_SZ HsfXAudioService
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 18:36]
.
2012-09-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-28 18:29]
.
2012-09-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-28 18:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Dell\AppData\Roaming\Mozilla\Firefox\Profiles\nax9o85o.default\
FF - prefs.js: browser.search.selectedEngine - chrome://browser-region/locale/region.properties
FF - prefs.js: browser.startup.homepage - https:\\\\www.google.com
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\MpsSvc]
"ImagePath"="."
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\NVIDIA Corporation\Display\nvxdsync.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\conhost.exe
c:\program files\NVIDIA Corporation\Display\nvtray.exe
.
**************************************************************************
.
Completion time: 2012-09-14 16:35:10 - machine was rebooted
ComboFix-quarantined-files.txt 2012-09-14 23:35
.
Pre-Run: 198,491,979,776 bytes free
Post-Run: 198,361,464,832 bytes free
.
- - End Of File - - 1EEB12B6B078AFE59EFC2F0BE6AC1301
-
Adwcleaner deleted some AskToolbar.Was that a malware? I don't remember installing it.
And ComboFix had false positives I.M.O. it deleted WinPcap driver that is required for Wireshark.It also disinfected userinit.exe file and put the original one in Quarantine folder but when I uploaded the original file to VirusTotal,none of the antiviruses recognized it as a malware.Could this be a false positive too ?
Thanks guys.
-
Here's the information about those IP's. Do they mean anything to you?
99.191.34.205
IP Address: 99.191.34.205
Host of this IP: 99-191-34-205.lightspeed.snfcca.sbcglobal.net
Organization: AT&T U-verse
ISP: AT&T U-verse
City: Canyon Country
Country: United States
State: California
Postal Code: 91387
Timezone: America/Los_Angeles
Local Time: 15.09.2012 11:43:54
78.62.189.39
IP Address: 78.62.189.39
Host of this IP: 78-62-189-39.static.zebra.lt
Organization: TEO LT
ISP: TEO LT
City: Kaunas
Country: Lithuania
State: Kauno Apskritis
Timezone: Europe/Vilnius
Local Time: 15.09.2012 21:45:17
89.178.54.81
IP Address: 89.178.54.81
Host of this IP: *Blocked Russian URL*
Organization: Beeline
ISP: VimpelCom
City: Moscow
Country: Russian Federation
State: Moscow City
Timezone: Europe/Moscow
Local Time: 15.09.2012 22:46:24
67.212.24.141
IP Address: 67.212.24.141
Host of this IP: dsl-67-212-24-141.acanac.net
Organization: Canaca-com
ISP: Canaca-com
City: Toronto
Country: Canada
State: Ontario
Timezone: America/Rainy_River
Local Time: 15.09.2012 13:47:24
Adwcleaner deleted some AskToolbar.Was that a malware? I don't remember installing it.
I strongly recommend that you remove Ask from your computer because it;
•Promotes its toolbars on sites targeted to kids.
•Promotes its toolbars through ads that appear to be part of other companies' sites.
•Promotes its toolbars through other companies' spyware.
•Installs without any disclosure whatsoever and without any consent whatsoever.
•Solicits installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link.
•Makes confusing changes to users' browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit.
See Here (http://www.benedelman.org/spyware/ask-toolbars/) for more info.
If you choose to follow my recommendation then please go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.
•AskBarDis or anything related to Ask
Then please find and delete this folder in bold (if present):
C:\Program Files\AskBarDis. or anything related to Ask.
******************************************************
And ComboFix had false positives I.M.O. it deleted WinPcap driver that is required for Wireshark.It also disinfected userinit.exe file and put the original one in Quarantine folder but when I uploaded the original file to VirusTotal,none of the antiviruses recognized it as a malware.Could this be a false positive too ?
CF is a very trusted program and I trust it's findings.
*****************************************************************
I'd like to scan your machine with ESET OnlineScan
•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
•Click the (http://i424.photobucket.com/albums/pp322/digistar/esetOnline.png) button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- Click on (http://i424.photobucket.com/albums/pp322/digistar/esetSmartInstall.png) to download the ESET Smart Installer. Save it to your desktop.
- Double click on the (http://i424.photobucket.com/albums/pp322/digistar/esetSmartInstallDesktopIcon-1.png) icon on your desktop.
•Check (http://i424.photobucket.com/albums/pp322/digistar/esetAcceptTerms.png)
•Click the (http://i424.photobucket.com/albums/pp322/digistar/esetStart.png) button.
•Accept any security warnings from your browser.
•Check (http://i424.photobucket.com/albums/pp322/digistar/esetScanArchives.png)
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push (http://i424.photobucket.com/albums/pp322/digistar/esetListThreats.png)
•Push (http://i424.photobucket.com/albums/pp322/digistar/esetExport.png), and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the (http://i424.photobucket.com/albums/pp322/digistar/esetBack.png) button.
•Push (http://i424.photobucket.com/albums/pp322/digistar/esetFinish.png)
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
-
The above mentioned IP addresses are not familiar to me that's why I suspected an unauthorized intrusion.
ESET finished the scan with the following results:
Z:\V\username\Nero_7.10.1.0.rar Win32/Toolbar.AskSBar application
Z:\V\username\Audio_Video\converter\Convert from AVI to DVD\Setup_MoviesToDVD.exe Win32/Toolbar.Widgi application
Now I see where the problem came from :)
-
Please run ESET again and remove the infections.
-
Done.
Thanks a lot for your help !
-
Ok. We can do some cleanup.
To uninstall ComboFix
- Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
- In the field, type in ComboFix /uninstall
(http://i424.photobucket.com/albums/pp322/digistar/Combofix_uninstall_image.jpg)
(Note: Make sure there's a space between the word ComboFix and the forward-slash.)
- Then, press Enter, or click OK.
- This will uninstall ComboFix, delete its folders and files, hides System files and folders, and resets System Restore.
*******************************************************
Click Start> Computer> right click the C Drive and choose Properties> enter
Click Disk Cleanup from there.
(http://i424.photobucket.com/albums/pp322/digistar/diskcleanup2.jpg)
Click OK on the Disk Cleanup Screen.
Click Yes on the Confirmation screen.
(http://i424.photobucket.com/albums/pp322/digistar/diskcleanup.jpg)
This runs the Disk Cleanup utility along with other selections if you have chosen any. (if you had a lot System Restore points, you will see a significant change in the free space in C drive)
*****************************************************
Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.
----------
I suggest using WOT - Web of Trust (http://www.mywot.com/). WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.
SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer (http://www.bleepingcomputer.com/forums/tutorial49.html) from Spyware and Malware
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. (http://www.safer-networking.org/en/spybotsd/index.html) Guide: Use Spybot's Immunize Feature (http://www.bleepingcomputer.com/tutorials/tutorial43.html#immunize) to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ (http://www.safer-networking.org/en/faq/index.html)
Check out Keeping Yourself Safe On The Web (http://evilfantasy.wordpress.com/2008/05/20/keeping-yourself-safe-on-the-web/) for tips and free tools to help keep you safe in the future.
Also see Slow Computer? It may not be Malware (http://evilfantasy.wordpress.com/2008/05/24/slow-computer-it-may-not-be-malware/) for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!