Author Topic: [Resolved K] Infected with Rootkit variant  (Read 4374 times)

Offline aga

  • Bronze Member
  • Posts: 7
[Resolved K] Infected with Rootkit variant
« on: August 31, 2012, 07:19:32 AM »
Hello everyone, 2 days ago I was infected with some rootkit variant.
My story so far:
Wednesday night about 21:45, while opening some random webpage about cooking, my avast alarmed me that it blocked some kind of connection (while the page was already open though). Seconds later avast notified me about a virus (can't remember the name exactly at the moment, sorry) and while I tried to scroll to the "Clean" action, the avast window started going mad (getting bigger/smaller). Before I managed to press "Clean", four window notifications about cmd.exe trying to make changes to my computer showed up, one after another. I pressed NO of course to all four of them. I googled the virus name and I found it was some kind of rootkit, read for a few minutes, and I downloaded and ran TDSSKiller by Kaspersky, which found 1 file (which was mentioned in http://support.kaspersky.com/faq/?qid=208283363 but I can't remember exactly which one it was, because I don't have the log anymore), and I "cured" it. Then I looked deeper into the subject, and found some new registry entries had been made, trying to turn off the User Account Control settings, so I deleted them as well. Then I also used Gmer, which found nothing. I did a system restore to a date a few days ago, then I looked into the temp folder, where I found a syshost.exe which, according to my Spybot S&D log, following up was:

29/8/2012 9:44:58 μμ Allowed (based on user decision) value "syshost32" (new data: "C:\Users\Against\AppData\Local\{6F879427-040B-CEDE-B638-1D3E95D0C221}\syshost.exe") added in System Startup user entry!
29/8/2012 10:41:18 μμ Allowed (based on user decision) value "30100E0D-2A33-4415-9969-7641798D0792" (new data: "cmd.exe /C start /D "C:\Users\Agat\AppData\Local\Temp" /B 30100E0D-2A33-4415-9969-7641798D0792.exe -postboot") added in System Startup global entry!
29/8/2012 10:44:04 μμ Allowed (based on user decision) value "30100E0D-2A33-4415-9969-7641798D0792" (new data: "") deleted in System Startup global entry!

I deleted this one as well of course. Then I used OTL, which found nothing as well, and then ComboFix, which only deleted a status.log from an old mIRC client I have (and I read about a similar case elsewhere, but it pointed nowhere). It also found the following entry:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

which I reglocked in the CFScript.txt, as mentioned on various other posts/forums, and I re-ran ComboFix, and fixed it.

Question is: do I need to take further action on the subject, or am I fine already? If you need any specific logs posted, please let me know.
Sorry for my big post, and sorry if it has any hard-to-understand spots. I'm not a native English speaker ;d
Any help appreciated. Thanks in advance. Fil.
« Last Edit: September 01, 2012, 03:39:23 AM by kevinf80 »
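A small detector for the Spybot S&D "System Startup" log lines quoted in the post above, added here as an example and not part of the thread or of Spybot itself. It assumes the line layout shown in the post, uses constructed sample lines with a placeholder user name, and its indicator list (GUID-named folders under AppData\Local, Temp launch paths, cmd.exe /C start wrappers, value names that imitate a Windows host process) is the editor's own choice of checks, not a signature set from any vendor.

```python
"""Flag suspicious autorun entries in Spybot S&D startup-entry log lines."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Layout of one Spybot S&D startup log line (as quoted in the post above):
#   <date> <time> <am/pm> Allowed (based on user decision) value "<name>"
#   (new data: "<command>") added in System Startup <scope> entry!
# The command itself may contain quotes, so <data> is matched greedily.
LINE_RE = re.compile(
    r'^(?P<stamp>\d+/\d+/\d+ \d+:\d+:\d+ \S+) '
    r'(?P<verdict>Allowed|Denied) \(based on user decision\) '
    r'value "(?P<name>[^"]*)" \(new data: "(?P<data>.*)"\) '
    r'(?P<change>added|deleted) in (?P<scope>System Startup \w+ entry)!$'
)

# A GUID with or without braces, e.g. {6F879427-040B-CEDE-B638-1D3E95D0C221}.
GUID = (r'\{?[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-'
        r'[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}?')

# Editor-chosen indicators applied to the command string. A hit is a reason
# to look closer, not a verdict: legitimate software rarely needs any of these.
DATA_INDICATORS = [
    ("executable inside a GUID-named folder under AppData\\Local",
     re.compile(r'\\AppData\\Local\\' + GUID + r'\\[^"\\]+\.exe', re.I)),
    ("launched from a Temp folder", re.compile(r'\\Temp\b', re.I)),
    ("cmd.exe /C start used as a launcher wrapper",
     re.compile(r'\bcmd\.exe\s+/C\s+start\b', re.I)),
    ("GUID-named executable", re.compile(r'\b' + GUID + r'\.exe\b', re.I)),
]
# Applied to the value name: "syshost32" imitates a Windows host process.
NAME_INDICATOR = re.compile(r'^(sys|svc)host\d*$', re.I)


@dataclass
class StartupEntry:
    stamp: str
    verdict: str
    name: str
    data: str
    change: str
    scope: str


def parse_line(line: str) -> StartupEntry | None:
    """Return the parsed entry, or None for lines that are not startup events."""
    m = LINE_RE.match(line.strip())
    return StartupEntry(**m.groupdict()) if m else None


def assess(entry: StartupEntry) -> list[str]:
    """List the indicator labels that fire for one entry (empty = nothing seen)."""
    if entry.change == "deleted":
        return []  # a removed value carries no command to judge
    reasons = [label for label, rx in DATA_INDICATORS if rx.search(entry.data)]
    if NAME_INDICATOR.search(entry.name):
        reasons.append("value name imitates a Windows host process")
    return reasons


def suspicious_entries(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Return (value name, scope, reasons) for every flagged line in a log."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and (reasons := assess(entry)):
            flagged.append((entry.name, entry.scope, reasons))
    return flagged


# Constructed sample lines modelled on the post, with a placeholder user name.
# The last line is a benign autorun (Skype) to show it is not flagged.
SAMPLE_LINES = [
    r'29/8/2012 9:44:58 μμ Allowed (based on user decision) value "syshost32" (new data: "C:\Users\example-user\AppData\Local\{6F879427-040B-CEDE-B638-1D3E95D0C221}\syshost.exe") added in System Startup user entry!',
    r'29/8/2012 10:41:18 μμ Allowed (based on user decision) value "30100E0D-2A33-4415-9969-7641798D0792" (new data: "cmd.exe /C start /D "C:\Users\example-user\AppData\Local\Temp" /B 30100E0D-2A33-4415-9969-7641798D0792.exe -postboot") added in System Startup global entry!',
    r'29/8/2012 10:44:04 μμ Allowed (based on user decision) value "30100E0D-2A33-4415-9969-7641798D0792" (new data: "") deleted in System Startup global entry!',
    r'29/8/2012 10:50:00 μμ Allowed (based on user decision) value "Skype" (new data: ""C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun") added in System Startup user entry!',
]

if __name__ == "__main__":
    for name, scope, reasons in suspicious_entries("\n".join(SAMPLE_LINES)):
        print(f"{name} ({scope}):")
        for reason in reasons:
            print(f"  - {reason}")
```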

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7676
Re: [Resolved K] Infected with Rootkit variant
« Reply #1 on: August 31, 2012, 07:30:14 AM »
Can you post the DDS logs as requested here    
NEW Instructions! What Do I Do First?


kevinf80

Offline aga

  • Bronze Member
  • Posts: 7
Re: [Resolved K] Infected with Rootkit variant
« Reply #2 on: August 31, 2012, 07:38:52 AM »
Done. Should I just copy/paste the 2 logfiles here?

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7676
Re: [Resolved K] Infected with Rootkit variant
« Reply #3 on: August 31, 2012, 07:40:01 AM »
Yes please, also list any issues or concerns you may have

Offline aga

  • Bronze Member
  • Posts: 7
Re: [Resolved K] Infected with Rootkit variant
« Reply #4 on: August 31, 2012, 07:47:03 AM »
attach.txt:
.

.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Enterprise
Boot Device: \Device\HarddiskVolume1
Install Date: 19/10/2011 8:15:35 μμ
System Uptime: 31/8/2012 12:38:23 μμ (4 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. |  | P35-DS3L
Processor: Intel(R) Core(TM)2 Duo CPU     E6750  @ 2.66GHz | Socket 775 | 2667/333mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 34 GiB total, 3,349 GiB free.
D: is FIXED (NTFS) - 1863 GiB total, 734,121 GiB free.
E: is FIXED (NTFS) - 466 GiB total, 7,864 GiB free.
F: is CDROM (CDFS)
G: is CDROM ()
H: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
Description: Photosmart B110 series
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Photosmart B110 series
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:
.
Class GUID: {4d36e980-e325-11ce-bfc1-08002be10318}
Description: Floppy disk drive
Device ID: FDC\GENERIC_FLOPPY_DRIVE\5&37C90737&0&0
Manufacturer: (Standard floppy disk drives)
Name: Floppy disk drive
PNP Device ID: FDC\GENERIC_FLOPPY_DRIVE\5&37C90737&0&0
Service: flpydisk
.
Class GUID: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Description: Photosmart B110 series
Device ID: ROOT\IMAGE\0000
Manufacturer: HP
Name: Photosmart B110 series
PNP Device ID: ROOT\IMAGE\0000
Service: StillCam
.
Class GUID:
Description: Network Controller
Device ID: PCI\VEN_13D0&DEV_2103&SUBSYS_210313D0&REV_02\4&30D54F48&0&10F0
Manufacturer:
Name: Network Controller
PNP Device ID: PCI\VEN_13D0&DEV_2103&SUBSYS_210313D0&REV_02\4&30D54F48&0&10F0
Service:
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
ACDSee Pro 5
Adobe AIR
Adobe Community Help
Adobe Dreamweaver CS5.5
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Photoshop CS6
Adobe Reader X (10.1.4)
Adobe Widget Browser
ArcSoft TotalMedia 3
Ashampoo UnInstaller 4 v.4.15
ASUS nVidia Driver
AviSynth 2.5
B110
Bing Bar
BS.Player PRO
BufferChm
CDDRV_Installer
DAEMON Tools Lite
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Destinations
DeviceDiscovery
erLT
ESET NOD32 Antivirus
ffdshow v1.1.4052 [2011-11-20]
Haali Media Splitter
Hewlett-Packard ACLM.NET v1.1.0.0
HP Customer Participation Program 14.0
HP Imaging Device Functions 14.0
HP Photosmart Wireless B110 All-In-One Driver Software 14.0 Rel. 7
HP Product Detection
HP Smart Web Printing 4.60
HP Solution Center 14.0
HP Update
HPAppStudio
HPDiagnosticAlert
HPPhotoGadget
HPProductAssistant
Java Auto Updater
Java(TM) 7 Update 5
JavaFX 2.1.1
KhalInstallWrapper
Logitech SetPoint
Macromedia Fireworks 8
MarketResearch
MediaInfo 0.7.50
Microsoft .NET Framework 4 Client Profile
Microsoft Games for Windows - LIVE Redistributable
Microsoft Games for Windows Marketplace
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010
Microsoft Office Access MUI (Greek) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Excel MUI (Greek) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office Groove MUI (Greek) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office InfoPath MUI (Greek) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office OneNote MUI (Greek) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office Outlook MUI (Greek) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office PowerPoint MUI (Greek) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (German) 2010
Microsoft Office Proof (Greek) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Proofing (Greek) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Publisher MUI (Greek) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared MUI (Greek) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Office Word MUI (Greek) 2010
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Microsoft_VC80_CRT_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
Microsoft_VC90_MFCLOC_x86
Mozilla Firefox 15.0 (x86 en-US)
Mozilla Maintenance Service
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 8 Lite
Network
NVIDIA 3D Vision Controller Driver
NVIDIA 3D Vision Controller Driver 301.42
NVIDIA 3D Vision Driver 301.42
NVIDIA Control Panel 301.42
NVIDIA Graphics Driver 301.42
NVIDIA HD Audio Driver 1.3.16.0
NVIDIA Install Application
NVIDIA PhysX
NVIDIA PhysX System Software 9.12.0213
NVIDIA Stereoscopic 3D Driver
NVIDIA Update 1.8.15
NVIDIA Update Components
OpenSSL 1.0.0e Light (32-bit)
PDF Settings CS6
Pidgin
Pidgin-Encryption Plugin (remove only)
PlayReady PC Runtime x86
PS_AIO_07_B110_SW_Min
QuickSFV (Remove only)
QuickTransfer
REALTEK DTV USB DEVICE
Realtek High Definition Audio Driver
Scan
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft Excel 2010 (KB2597166) 32-Bit Edition
Security Update for Microsoft InfoPath 2010 (KB2553322) 32-Bit Edition
Security Update for Microsoft InfoPath 2010 (KB2553431) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553091)
Security Update for Microsoft Office 2010 (KB2553096)
Security Update for Microsoft Office 2010 (KB2553260) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553447) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2589322) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2597986) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition
Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition
Security Update for Microsoft SharePoint Workspace 2010 (KB2566445)
Security Update for Microsoft Visio Viewer 2010 (KB2598287) 32-Bit Edition
Simfatic Forms 3.2.1.252
Skype™ 5.10
SmartWebPrinting
SolutionCenter
Spybot - Search & Destroy
Status
TeamViewer 7
Toolbox
TotalMedia Setup
TrayApp
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553092)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553272) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2598289) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2589345) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2553248) 32-Bit Edition
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
Virtua Tennis 4™
VLC media player 1.1.11
WebReg
Winamp
Windows Live ID Sign-in Assistant
Windows Media Player Firefox Plugin
Windows Mobile Device Center
WinRAR 4.01 (32-bit)
Xvid Video Codec
.
==== Event Viewer Messages From Past Week ========
.
31/8/2012 2:47:46 μμ, Error: volsnap [36]  - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
31/8/2012 12:50:47 πμ, Error: Microsoft-Windows-HAL [12]  - The platform firmware has corrupted memory across the previous system power transition.  Please check for updated firmware for your system.
30/8/2012 8:57:46 μμ, Error: Microsoft-Windows-DistributedCOM [10016]  - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID  {C97FCC79-E628-407D-AE68-A06AD6D8B4D1}  and APPID  {344ED43D-D086-4961-86A6-1106F4ACAD9B}  to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
30/8/2012 8:56:33 μμ, Error: Service Control Manager [7000]  - The ESET Service service failed to start due to the following error:  The system cannot find the file specified.
30/8/2012 8:46:04 μμ, Error: Microsoft-Windows-DistributedCOM [10016]  - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID  {C97FCC79-E628-407D-AE68-A06AD6D8B4D1}  and APPID  {344ED43D-D086-4961-86A6-1106F4ACAD9B}  to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
30/8/2012 8:44:54 μμ, Error: Service Control Manager [7000]  - The ESET Service service failed to start due to the following error:  The system cannot find the file specified.
30/8/2012 8:20:59 μμ, Error: Microsoft-Windows-DistributedCOM [10016]  - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID  {C97FCC79-E628-407D-AE68-A06AD6D8B4D1}  and APPID  {344ED43D-D086-4961-86A6-1106F4ACAD9B}  to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
30/8/2012 8:19:49 μμ, Error: Service Control Manager [7000]  - The ESET Service service failed to start due to the following error:  The system cannot find the file specified.
30/8/2012 8:13:35 μμ, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Windows Defender - KB915597 (Definition 1.135.1.0).
30/8/2012 8:10:13 μμ, Error: Microsoft-Windows-DistributedCOM [10016]  - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID  {C97FCC79-E628-407D-AE68-A06AD6D8B4D1}  and APPID  {344ED43D-D086-4961-86A6-1106F4ACAD9B}  to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
30/8/2012 8:09:02 μμ, Error: Service Control Manager [7000]  - The ESET Service service failed to start due to the following error:  The system cannot find the file specified.
30/8/2012 8:07:37 μμ, Error: Service Control Manager [7023]  - The Server service terminated with the following error:  The data is invalid.
30/8/2012 8:07:37 μμ, Error: Service Control Manager [7023]  - The HP Network Devices Support service terminated with the following error:  %%-2147467243
30/8/2012 8:07:37 μμ, Error: Service Control Manager [7023]  - The Computer Browser service terminated with the following error:  A system shutdown is in progress.
30/8/2012 8:07:28 μμ, Error: Service Control Manager [7022]  - The avast! Antivirus service hung on starting.
30/8/2012 8:07:28 μμ, Error: Service Control Manager [7000]  - The ESET Service service failed to start due to the following error:  The system cannot find the file specified.
30/8/2012 11:50:50 μμ, Error: Service Control Manager [7030]  - The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
30/8/2012 11:45:30 μμ, Error: Service Control Manager [7030]  - The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
30/8/2012 11:42:08 μμ, Error: Service Control Manager [7030]  - The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
30/8/2012 10:50:28 μμ, Error: Microsoft-Windows-DistributedCOM [10016]  - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID  {C97FCC79-E628-407D-AE68-A06AD6D8B4D1}  and APPID  {344ED43D-D086-4961-86A6-1106F4ACAD9B}  to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
30/8/2012 10:38:25 μμ, Error: Service Control Manager [7030]  - The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
30/8/2012 10:33:02 μμ, Error: Service Control Manager [7030]  - The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
30/8/2012 10:29:56 μμ, Error: Service Control Manager [7030]  - The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
29/8/2012 9:56:24 μμ, Error: Microsoft-Windows-DistributedCOM [10016]  - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID  {C97FCC79-E628-407D-AE68-A06AD6D8B4D1}  and APPID  {344ED43D-D086-4961-86A6-1106F4ACAD9B}  to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
29/8/2012 9:55:14 μμ, Error: Service Control Manager [7000]  - The ESET Service service failed to start due to the following error:  The system cannot find the file specified.
29/8/2012 9:55:14 μμ, Error: Service Control Manager [7000]  - The 3127 service failed to start due to the following error:  The system cannot find the file specified.
29/8/2012 7:38:30 μμ, Error: volsnap [36]  - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
29/8/2012 11:43:19 μμ, Error: Microsoft-Windows-HAL [12]  - The platform firmware has corrupted memory across the previous system power transition.  Please check for updated firmware for your system.
29/8/2012 10:44:33 μμ, Error: Microsoft-Windows-DistributedCOM [10016]  - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID  {C97FCC79-E628-407D-AE68-A06AD6D8B4D1}  and APPID  {344ED43D-D086-4961-86A6-1106F4ACAD9B}  to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
29/8/2012 10:43:23 μμ, Error: Service Control Manager [7000]  - The ESET Service service failed to start due to the following error:  The system cannot find the file specified.
29/8/2012 10:43:23 μμ, Error: Service Control Manager [7000]  - The 3127 service failed to start due to the following error:  The system cannot find the file specified.
27/8/2012 6:37:02 μμ, Error: volsnap [36]  - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
27/8/2012 4:01:23 μμ, Error: volsnap [36]  - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
27/8/2012 3:21:22 μμ, Error: Microsoft-Windows-DistributedCOM [10016]  - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID  {C97FCC79-E628-407D-AE68-A06AD6D8B4D1}  and APPID  {344ED43D-D086-4961-86A6-1106F4ACAD9B}  to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
27/8/2012 3:20:08 μμ, Error: Service Control Manager [7000]  - The ESET Service service failed to start due to the following error:  The system cannot find the file specified.
27/8/2012 3:06:46 μμ, Error: volsnap [36]  - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
27/8/2012 3:06:18 μμ, Error: Microsoft-Windows-DistributedCOM [10016]  - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID  {C97FCC79-E628-407D-AE68-A06AD6D8B4D1}  and APPID  {344ED43D-D086-4961-86A6-1106F4ACAD9B}  to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
27/8/2012 3:05:04 μμ, Error: Service Control Manager [7000]  - The ESET Service service failed to start due to the following error:  The system cannot find the file specified.
27/8/2012 11:18:45 μμ, Error: Microsoft-Windows-HAL [12]  - The platform firmware has corrupted memory across the previous system power transition.  Please check for updated firmware for your system.
25/8/2012 8:38:50 μμ, Error: Microsoft-Windows-DistributedCOM [10016]  - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID  {C97FCC79-E628-407D-AE68-A06AD6D8B4D1}  and APPID  {344ED43D-D086-4961-86A6-1106F4ACAD9B}  to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
25/8/2012 8:37:40 μμ, Error: Service Control Manager [7000]  - The ESET Service service failed to start due to the following error:  The system cannot find the file specified.
25/8/2012 10:43:03 μμ, Error: Microsoft-Windows-HAL [12]  - The platform firmware has corrupted memory across the previous system power transition.  Please check for updated firmware for your system.
24/8/2012 11:31:59 πμ, Error: Service Control Manager [7023]  - The Security Center service terminated with the following error:  The authentication service is unknown.
24/8/2012 11:31:59 πμ, Error: Service Control Manager [7023]  - The hpqcxs08 service terminated with the following error:  %%-2147467243
24/8/2012 11:31:59 πμ, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1069" attempting to start the service HPSLPSVC with arguments "" in order to run the server: {10DA4F3C-CC99-4190-BE4D-58330754E882}
24/8/2012 11:31:58 πμ, Error: Service Control Manager [7038]  - The WSearch service was unable to log on as NT AUTHORITY\SYSTEM with the currently configured password due to the following error:  The security account manager (SAM) or local security authority (LSA) server was in the wrong state to perform the security operation. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
24/8/2012 11:31:58 πμ, Error: Service Control Manager [7038]  - The WdiServiceHost service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error:  The request is not supported. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
24/8/2012 11:31:58 πμ, Error: Service Control Manager [7038]  - The netprofm service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error:  The security account manager (SAM) or local security authority (LSA) server was in the wrong state to perform the security operation. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
24/8/2012 11:31:58 πμ, Error: Service Control Manager [7038]  - The HPSLPSVC service was unable to log on as NT AUTHORITY\SYSTEM with the currently configured password due to the following error:  The security account manager (SAM) or local security authority (LSA) server was in the wrong state to perform the security operation. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
24/8/2012 11:31:58 πμ, Error: Service Control Manager [7000]  - The Windows Search service failed to start due to the following error:  The service did not start due to a logon failure.
24/8/2012 11:31:58 πμ, Error: Service Control Manager [7000]  - The Portable Device Enumerator Service service failed to start due to the following error:  A system shutdown is in progress.
24/8/2012 11:31:58 πμ, Error: Service Control Manager [7000]  - The Network List Service service failed to start due to the following error:  The service did not start due to a logon failure.
24/8/2012 11:31:58 πμ, Error: Service Control Manager [7000]  - The Human Interface Device Access service failed to start due to the following error:  A system shutdown is in progress.
24/8/2012 11:31:58 πμ, Error: Service Control Manager [7000]  - The HP Network Devices Support service failed to start due to the following error:  The service did not start due to a logon failure.
24/8/2012 11:31:58 πμ, Error: Service Control Manager [7000]  - The Diagnostic Service Host service failed to start due to the following error:  The service did not start due to a logon failure.
24/8/2012 11:31:58 πμ, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1069" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
24/8/2012 11:31:58 πμ, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1069" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
24/8/2012 11:31:51 πμ, Error: Service Control Manager [7000]  - The ESET Service service failed to start due to the following error:  The system cannot find the file specified.
.
==== End Of File ===========================
 

dds.txt:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421  BrowserJavaVersion: 10.5.1
Run by Against at 16:32:08 on 2012-08-31
Microsoft Windows 7 Enterprise   6.1.7601.1.1253.30.1033.18.2046.789 [GMT 3:00]
.
AV: ESET NOD32 Antivirus 5.2 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET NOD32 Antivirus 5.2 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\ACD Systems\ACDSee Pro\5.0\ACDSeeProInTouch2.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Ashampoo\Ashampoo UnInstaller 4\UIWatcher.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Microsoft\BingBar\7.1.361.0\SeaPort.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\Explorer.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Program Files\NVIDIA Corporation\Display\NvTray.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehRecvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe
C:\Windows\ehome\mcGlidHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [UIWatcher] c:\program files\ashampoo\ashampoo uninstaller 4\UIWatcher.exe
uRun: [Xvid] c:\program files\xvid\CheckUpdate.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [DVDFab Passkey] "c:\program files\dvdfab passkey\DVDFabPasskey.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [RTHDVCPL] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ACPW05EN] "c:\program files\acd systems\acdsee pro\5.0\ACDSeeProInTouch2.exe" /pid ACPW05EN
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS6ServiceManager] "c:\program files\common files\adobe\cs6servicemanager\CS6ServiceManager.exe" -launchedbylogin
mRun: [AdobeCS5.5ServiceManager] "c:\program files\common files\adobe\cs5.5servicemanager\CS5.5ServiceManager.exe" -launchedbylogin
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [snpstd3] c:\windows\vsnpstd3.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Logitech Download Assistant] c:\windows\system32\rundll32.exe c:\windows\system32\LogiLDA.dll,LogiFetch
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\tmmoni~1.lnk - c:\program files\arcsoft\totalmedia 3\TMMonitor.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&ξαγωγή στο Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
IE: Απ&οστολή στο OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
TCP: Interfaces\{1F76F785-CD88-4DF3-A988-BEAC1A88EE7B} : NameServer = 78.87.0.152,78.87.0.162
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
Hosts: 127.0.0.1   www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\against\appdata\roaming\mozilla\firefox\profiles\tv072prd.default\
FF - prefs.js: network.proxy.http - 81.186.99.108
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_271.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-10-20 232512]
R1 eamonm;eamonm;c:\windows\system32\drivers\eamonm.sys [2012-3-14 169080]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-7-27 63960]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2012-3-7 913144]
R2 epfwwfpr;epfwwfpr;c:\windows\system32\drivers\epfwwfpr.sys [2012-3-14 103112]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia update core\daemonu.exe [2012-8-31 1262400]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2012-5-15 382272]
R2 TeamViewer7;TeamViewer 7;c:\program files\teamviewer\version7\TeamViewer_Service.exe [2012-3-18 2886528]
R3 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\7.1.361.0\SeaPort.EXE [2012-2-10 240408]
R3 dvdfab;dvdfab;c:\windows\system32\drivers\dvdfab.sys [2011-12-14 54144]
R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [2009-6-17 40720]
R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [2009-6-17 10384]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2012-8-31 148800]
R3 RTL2832U_IRHID;HID Infrared Remote Receiver;c:\windows\system32\drivers\RTL2832U_IRHID.sys [2009-10-5 31872]
R3 RTL2832UBDA;REALTEK 2832U BDA Driver;c:\windows\system32\drivers\RTL2832UBDA.sys [2012-4-7 143264]
R3 RTL2832UUSB;REALTEK 2832U USB Driver;c:\windows\system32\drivers\RTL2832UUSB.sys [2012-4-7 32800]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2011-6-10 394856]
S2 BBSvc;BingBar Service;c:\program files\microsoft\bingbar\7.1.361.0\BBSvc.EXE [2012-2-10 193816]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-6-7 160944]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-5 250056]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 62464]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-25 114144]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-21 15872]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;c:\windows\system32\drivers\Synth3dVsc.sys [2010-11-21 77184]
S3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-21 25600]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-21 52224]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 27264]
S3 tsusbhub;Remote Deskotop USB Hub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-21 112640]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-10-20 1343400]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2009-7-14 17920]
.
=============== Created Last 30 ================
.
2012-08-31 12:36:49   56200   ----a-w-   c:\programdata\microsoft\windows defender\definition updates\{f3cadc2e-7629-400c-8a42-42a967a62d0a}\offreg.dll
2012-08-31 11:57:47   7022536   ----a-w-   c:\programdata\microsoft\windows defender\definition updates\{f3cadc2e-7629-400c-8a42-42a967a62d0a}\mpengine.dll
2012-08-30 20:56:41   --------   d-sh--w-   C:\$RECYCLE.BIN
2012-08-30 19:45:13   --------   d-----w-   c:\users\against\appdata\local\temp
2012-08-30 18:05:19   --------   d-----w-   c:\program files\ESET
2012-08-30 17:15:48   941160   ----a-w-   c:\windows\system32\nvdispco322090.dll
2012-08-30 17:15:48   837736   ----a-w-   c:\windows\system32\nvgenco322040.dll
2012-08-30 17:15:32   61248   ----a-w-   c:\windows\system32\OpenCL.dll
2012-08-30 17:15:31   8105280   ----a-w-   c:\windows\system32\nvwgf2um.dll
2012-08-30 17:15:31   5661288   ----a-w-   c:\windows\system32\SETD965.tmp
2012-08-30 17:15:27   15322432   ----a-w-   c:\windows\system32\nvd3dum.dll
2012-08-30 17:15:27   10084968   ----a-w-   c:\windows\system32\SETD0E6.tmp
2012-08-30 17:10:53   73696   ----a-w-   c:\program files\mozilla firefox\breakpadinjector.dll
2012-08-28 15:49:28   2621723   ----a-w-   c:\windows\system32\nvcoproc.bin
2012-08-27 12:17:40   --------   d-----w-   c:\program files\ASUS
2012-08-15 07:50:20   400896   ----a-w-   c:\windows\system32\srcore.dll
2012-08-15 07:50:19   2345984   ----a-w-   c:\windows\system32\win32k.sys
2012-08-15 07:50:17   492032   ----a-w-   c:\windows\system32\win32spl.dll
2012-08-15 07:50:17   317440   ----a-w-   c:\windows\system32\spoolsv.exe
2012-08-15 07:50:13   41984   ----a-w-   c:\windows\system32\browcli.dll
2012-08-15 07:50:13   102912   ----a-w-   c:\windows\system32\browser.dll
2012-08-15 07:50:11   769024   ----a-w-   c:\windows\system32\localspl.dll
2012-08-07 19:57:44   --------   d-----w-   c:\program files\Oracle
2012-08-07 19:57:21   772544   ----a-w-   c:\windows\system32\npDeployJava1.dll
2012-08-05 16:24:57   --------   d-----w-   c:\windows\system32\xlive
2012-08-05 16:24:29   --------   d-----w-   c:\program files\Microsoft Games for Windows - LIVE
2012-08-05 16:22:59   70992   ----a-w-   c:\windows\system32\XAPOFX1_2.dll
.
==================== Find3M  ====================
.
2012-08-15 14:56:20   70344   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-15 14:56:20   426184   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
2012-07-05 19:06:20   687544   ----a-w-   c:\windows\system32\deployJava1.dll
2012-06-29 00:16:58   1800704   ----a-w-   c:\windows\system32\jscript9.dll
2012-06-29 00:09:01   1129472   ----a-w-   c:\windows\system32\wininet.dll
2012-06-29 00:08:59   1427968   ----a-w-   c:\windows\system32\inetcpl.cpl
2012-06-29 00:04:43   142848   ----a-w-   c:\windows\system32\ieUnatt.exe
2012-06-29 00:00:45   2382848   ----a-w-   c:\windows\system32\mshtml.tlb
2012-06-06 05:49:52   1070152   ----a-w-   c:\windows\system32\MSCOMCTL.OCX
2012-06-06 05:05:52   1390080   ----a-w-   c:\windows\system32\msxml6.dll
2012-06-06 05:05:52   1236992   ----a-w-   c:\windows\system32\msxml3.dll
2012-06-06 05:03:06   805376   ----a-w-   c:\windows\system32\cdosys.dll
2012-06-02 22:12:32   2422272   ----a-w-   c:\windows\system32\wucltux.dll
2012-06-02 22:12:13   88576   ----a-w-   c:\windows\system32\wudriver.dll
2011-10-20 08:35:52   8192   --sha-w-   c:\windows\system32\srvany.exe
.
============= FINISH: 16:32:41,77 ===============


Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7676
Re: [Resolved K] Infected with Rootkit variant
« Reply #5 on: August 31, 2012, 08:31:33 AM »
Hello aga and welcome to SpywareHammer,

I'm kevinf80 and I will be helping with any malware issues you may have with your system.

  • Please be aware that some of the logs I may ask for can be very complex and can take a long time to decipher. I am a volunteer here with a job and family so I ask that you be patient when waiting for replies.
  • Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.
  • Either print or Save to Notepad all instructions and please follow them carefully, if there's something you don't understand or that will not work please let me know and we will go through it together.
  • Malware is often buggy and can be very unstable, with that in mind it is advisable to backup any important data before we begin. Go Here and follow the instructions specific for your operating system.
  • If you do not reply within 72 hours the thread will be closed, if you need more time let me know. Likewise if I do not respond within 48 hours feel free to PM me.
  • If you have any P2P applications installed such as BitTorrent, uTorrent, Limewire etc etc, please uninstall them before we begin.
  • If you are using Cracked or Illegal software your thread will be locked and all help will cease.

I do not see a great deal wrong with your system, your Hosts file is definitely corrupt and will require resetting (will be done with OTM).
Also can you explain this Proxy setting in Firefox:

FF - prefs.js: network.proxy.http - 81.186.99.108
FF - prefs.js: network.proxy.http_port - 3128

Please proceed as follows :-

Step 1

Disable teatimer and leave off for now.
1. Right click Spybot in the System Tray (looks like a calendar with a padlock symbol ) and choose Exit Spybot S&D Resident
2. Run Spybot S&D
3. Go to the Mode menu, and make sure Advanced Mode is selected.
4. On the left hand side, choose Tools > Resident
uncheck Resident TeaTimer and OK any prompt and Restart your computer.

Note: If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

Step 2

Please download OTM by OldTimer.
Alternative Mirror 1
Alternative Mirror 2 
Save it to your desktop.
Double click OTM.exe to start the tool. Vista or Windows 7 users right click and select Run as Administrator. Be aware all processes will stopped during run, also Desktop will disappear, this will be put back on completion....
  • Copy the text from the code box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:
:Files
ipconfig /flushdns /c
:Commands
[EmptyTemp]
[ResetHosts]
[CreateRestorePoint]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

Step 3

Please download Malwarebytes Anti-Malware and save it to your desktop.
Alternative D/L mirror
Alternative D/L mirror

Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • Please save the log to a location you will remember.
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the entire report in your next reply.

    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    Post those two logs please...

    Kevin
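The three things kevinf80 checked by eye in this post (the Hosts line, the Firefox proxy prefs and the UAC policy values) can be pulled out of a DDS log mechanically. The Python below is an added example, not part of the thread or of DDS/OTM; the Windows 7 UAC defaults and the second, constructed sample log are assumptions.

```python
"""Triage the "Pseudo HJT Report" and FIREFOX sections of a DDS log.

Added example for this thread (not part of DDS, OTM or the helper's tooling).
It mechanises three checks made by eye above: a Hosts entry other than the
default localhost line, a manual Firefox proxy left in prefs.js (and whether
network.proxy.type actually enables it), and UAC prompt policies that differ
from stock Windows 7 values.
"""
import re
from dataclasses import dataclass, field

# Assumption: stock Windows 7 values for the policies DDS prints under
# mPolicies-system (the log in this thread shows Admin=5, User=3).
UAC_DEFAULTS = {"ConsentPromptBehaviorAdmin": 5, "ConsentPromptBehaviorUser": 3, "EnableLUA": 1}
# Firefox network.proxy.type: 0 = direct, 1 = manual, 2 = PAC, 4 = auto-detect, 5 = system.
PROXY_MANUAL = "1"
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (network\.proxy\.\S+) - (.+)$")
UAC_RE = re.compile(r"^mPolicies-system: (\w+) = (\d+)")


@dataclass
class Finding:
    severity: str   # "warn" needs a look, "info" is only worth a question
    item: str
    detail: str


@dataclass
class Triage:
    hosts: list = field(default_factory=list)    # (ip, hostname) pairs
    proxy: dict = field(default_factory=dict)    # pref name -> raw value
    uac: dict = field(default_factory=dict)      # policy name -> int
    findings: list = field(default_factory=list)


def parse_dds(text):
    """Pull the three line kinds out of a DDS log; every other line is ignored."""
    t = Triage()
    for raw in text.splitlines():
        line = raw.strip()
        if m := HOSTS_RE.match(line):
            t.hosts.append((m.group(1), m.group(2)))
        elif m := FF_PREF_RE.match(line):
            t.proxy[m.group(1)] = m.group(2).strip()
        elif m := UAC_RE.match(line):
            t.uac[m.group(1)] = int(m.group(2))
    return t


def triage(text):
    t = parse_dds(text)
    # DDS only prints Hosts lines beyond the defaults, so any mapping of a
    # real hostname (to loopback or elsewhere) is a block/redirect entry.
    for ip, host in t.hosts:
        if host.lower() in ("localhost", "localhost.localdomain"):
            continue
        t.findings.append(Finding("warn", "Hosts", f"{host} -> {ip}"))
    # A proxy host in prefs.js is only in use when proxy.type is manual; a
    # stale entry with type 0 (as in this thread) is a question, not a fix.
    host = t.proxy.get("network.proxy.http")
    if host:
        port = t.proxy.get("network.proxy.http_port", "?")
        active = t.proxy.get("network.proxy.type") == PROXY_MANUAL
        t.findings.append(Finding(
            "warn" if active else "info", "FF proxy",
            f"{host}:{port} " + ("ACTIVE" if active else "configured but not active")))
    # UAC: the OP reported registry changes aimed at turning UAC off.
    for pol, val in t.uac.items():
        if pol in UAC_DEFAULTS and val != UAC_DEFAULTS[pol]:
            t.findings.append(Finding("warn", "UAC", f"{pol}={val}, default {UAC_DEFAULTS[pol]}"))
    return t


# The relevant lines from the DDS log posted in this thread.
PAGE_LOG = """\
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
Hosts: 127.0.0.1   www.spywareinfo.com
FF - prefs.js: network.proxy.http - 81.186.99.108
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.type - 0
"""
# Constructed sample (not from the thread): an active proxy and UAC prompts disabled.
CONSTRUCTED_LOG = """\
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
FF - prefs.js: network.proxy.http - 192.0.2.10
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 1
"""

if __name__ == "__main__":
    for name, log in (("thread log", PAGE_LOG), ("constructed log", CONSTRUCTED_LOG)):
        for f in triage(log).findings:
            print(f"{name}: [{f.severity}] {f.item}: {f.detail}")
```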

    Offline aga

    • Bronze Member
    • Posts: 7
    Re: [Resolved K] Infected with Rootkit variant
    « Reply #6 on: August 31, 2012, 10:33:33 AM »
    Quote
    I do not see a great deal wrong with your system, your Hosts file is definitely corrupt and will require resetting (will be done with OTM).
    Also can you explain this Proxy setting in Firefox:

    FF - prefs.js: network.proxy.http - 81.186.99.108
    FF - prefs.js: network.proxy.http_port - 3128

    Just some random proxy i used once manually, and its stored in the firefox list in case i want to use it again. Useless.

    08312012_190916.log:

    All processes killed
    ========== FILES ==========
    < ipconfig /flushdns /c >
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.
    C:\Users\Against\Desktop\cmd.bat deleted successfully.
    C:\Users\Against\Desktop\cmd.txt deleted successfully.
    ========== COMMANDS ==========
     
    [EMPTYTEMP]
     
    User: Administrator
    ->Temp folder emptied: 0 bytes
     
    User: Against
    ->Temp folder emptied: 3773038 bytes
    ->Temporary Internet Files folder emptied: 26798185 bytes
    ->Java cache emptied: 348223 bytes
    ->FireFox cache emptied: 124148095 bytes
    ->Flash cache emptied: 161278 bytes
     
    User: All Users
     
    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 56475 bytes
     
    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes
     
    User: Public
    ->Temp folder emptied: 0 bytes
     
    User: UpdatusUser
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
     
    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 17732408 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 25692 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 96876 bytes
    %systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 741 bytes
    RecycleBin emptied: 4741772 bytes
     
    Total Files Cleaned = 170,00 mb
     
    C:\Windows\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully
    Restore point Set: OTM Restore Point
     
    OTM by OldTimer - Version 3.1.21.0 log created on 08312012_190916

    mbam.log:
    Malwarebytes Anti-Malware 1.62.0.1300
    www.malwarebytes.org

    Database version: v2012.08.31.09

    Windows 7 Service Pack 1 x86 NTFS
    Internet Explorer 9.0.8112.16421
    Against :: [administrator]

    31/8/2012 7:23:06 μμ
    mbam-log-2012-08-31 (19-23-06).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 221782
    Time elapsed: 4 minute(s), 27 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)


    Offline kevinf80

    • Malware Removal Staff
    • Diamond Member
    • Posts: 7676
    Re: [Resolved K] Infected with Rootkit variant
    « Reply #7 on: August 31, 2012, 10:43:18 AM »
    Yes I did note the FF proxy was not set, just wondered what it was. It was some kind of Greek origin I think?

    How is your system responding, any issues or concerns?

    Thanks,

    Kevin

    Offline aga

    • Bronze Member
    • Posts: 7
    Re: [Resolved K] Infected with Rootkit variant
    « Reply #8 on: August 31, 2012, 10:51:26 AM »
    Yes it is greek origin indeed.
    Nothing weird noticed, everything looks normal.
    Is that it then? :t

    Offline kevinf80

    • Malware Removal Staff
    • Diamond Member
    • Posts: 7676
    Re: [Resolved K] Infected with Rootkit variant
    « Reply #9 on: August 31, 2012, 11:05:03 AM »
    Yes your logs look good to me, do the following:

    Step 1

    • Download OTC by OldTimer and save it to your desktop. Alternative mirror
    • Double click icon to start the program.
      If you are using Vista or Windows 7 accept UAC
    • Then Click the big button.
    • You will get a prompt saying "Begining Cleanup Process". Please select Yes.
    • Restart your computer when prompted.
    • This will remove tools we have used and itself.


    Any tools/logs remaining on the Desktop can be deleted such as DDS etc.

    Step 2

    Go here http://www.filehippo.com/updatechecker/ run the FileHippo Update Checker, update all applications as suggested by the Update Checker. Ignore any Beta updates.
    If Java or Adobe are updated please check under Start > Control Panel > Programs and Features, ensure any old versions are removed. <--- Very Important

    Step 3

    If you have turned off teatimer from Spybot s&d that will need turning back on...

    Step 4

    You installed Malwarebytes, if you want to keep the free version it is a very handy tool to have in the fight against malware. Your choice, either UNinstall or keep.

    Step 5

    Download TFC  to your desktop, from either of the following links
    Link 1
    Link 2
    • Save any open work. TFC will close all open application windows.
    • Double-click TFC.exe to run the program. Vista or Windows 7 users accept the UAC alert.
    • If prompted, click "Yes" to reboot.
    TFC will automatically close any open programs, including your Desktop. Let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. TFC may re-boot your system, if not Re-boot it yourself to complete cleaning process <---- Very Important

    Keep TFC it is an excellent, run weekly utility to keep your system optimized, it empties all user temp folders, Java cache etc etc.  Always remember to re-boot after a run, even if not prompted

    Let me know if those steps work ok, let me know of any remaining issues or concerns..

    Thanks,

    Kevin

    Offline aga

    • Bronze Member
    • Posts: 7
    Re: [Resolved K] Infected with Rootkit variant
    « Reply #10 on: August 31, 2012, 01:01:43 PM »
    All steps followed, everything went fine, no problems at all.
    My only question is if I should change my passwords in general, or not?
    Thanks again for your precious help!

    Offline kevinf80

    • Malware Removal Staff
    • Diamond Member
    • Posts: 7676
    Re: [Resolved K] Infected with Rootkit variant
    « Reply #11 on: August 31, 2012, 01:22:30 PM »
    Yes I'd recommend the change of all passwords in general, other than that you should be good to go. Here are some tips to reduce the potential for malware infection in the future:

    Make proper use of your antivirus and firewall

    Antivirus and Firewall programs are integral to your computer security. However, just having them installed isn't enough. The definitions of these programs are frequently updated to detect the latest malware, if you don't keep up with these updates then you'll be vulnerable to infection. Many antivirus and firewall programs have automatic update features, make use of those if you can. If your program doesn't, then get in the habit of routinely performing manual updates, because it's important.

    You should keep your antivirus and firewall guard enabled at all times, NEVER turn them off unless there's a specific reason to do so. Also, regularly performing a full system scan with your antivirus program is a good idea to make sure your system remains clean. Once a week should be adequate. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.

    Install and use WinPatrol  This will inform you of any attempted unauthorized changes to your system.

    WinPatrol features explained Here

    Go here http://www.filehippo.com/updatechecker/ run the FileHippo Update Checker, update all applications as suggested by the Update Checker. Ignore any Beta updates.
    If Java or Adobe are updated please check under Start > Control Panel > Add/Remove Programs, ensure any old versions are removed.
    Use a safer web browser

    Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a few good free alternatives:
     
    Firefox,

    Opera, and

    Chrome.
     
    All of these are excellent, faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial HERE which will help you to make IE MUCH safer.

    These browser add-ons will help to make your browser safer:

    Web of Trust warns you about risky websites that try to scam visitors, deliver malware or send spam. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous ones:

    Available for Firefox and Internet Explorer.

    Green to go,
    Yellow for caution, and
    Red to stop.


    Available for Firefox only. NoScript helps to block malicious scripts and in general gives you much better control over what types of things webpages can do to your computer while you're browsing.

    These are just a couple of the most popular add-ons, if you're interested in more, take a look at THIS article.

    Here a couple of links by two security experts that will give some excellent tips and advice.

    So how did I get infected in the first place by Tony Klein

    How to prevent Malware by Miekiemoes

    Finally this link HERE will give a comprehensive up to date list of free Security programs. To include - Antivirus, Antispyware, Firewall, Antimalware, Online scanners and rescue CDs.

    Don't forget, the best form of defense is common sense. If you don't recognize it, don't open it. If something looks too good to be true, then it ain't.

    Let me know when you are OK to close out your thread.

    Take care,

    Kevin

    Offline aga

    • Bronze Member
    • Posts: 7
    Re: [Resolved K] Infected with Rootkit variant
    « Reply #12 on: September 01, 2012, 02:41:15 AM »
    Winpatrol & Web of Trust installed.
    Thanks again for everything. You can close this thread  :t

    Offline kevinf80

    • Malware Removal Staff
    • Diamond Member
    • Posts: 7676
    Re: [Resolved K] Infected with Rootkit variant
    « Reply #13 on: September 01, 2012, 03:38:49 AM »
    Since this issue appears to be resolved the topic has been closed. Glad we could help.  :t

    If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

    Everyone else please begin a New Topic.

    The fixes and advice in this thread are for this System only. Do not apply the instructions from this thread to your own System. Please start a new thread describing your issue and someone will be along to assist you.