Another victim of Agent4

Status: Inactive. Not open for further replies.
Guys, I'm sorry to bother you with this, but I'm having a real problem with this specific trojan I can't remove. AVG says it's on shdocvw.dll. The logs will be posted right below, in the first replies!
 
DDS REPORT

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16537 BrowserJavaVersion: 10.15.2
Run by Pedro at 22:29:51 on 2013-05-26
Microsoft Windows 8 Pro 6.2.9200.0.1252.55.1033.18.6135.4123 [GMT -3:00]
.
AV: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
AV: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG2013\avgrsa.exe
C:\Program Files (x86)\AVG\AVG2013\avgcsrva.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k RPCSS
C:\WINDOWS\system32\atiesrxx.exe
C:\WINDOWS\system32\dwm.exe
C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\System32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe
C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dashost.exe
C:\Program Files\Serviio\bin\ServiioService.exe
C:\Program Files\Serviio\bin\ServiioService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe
C:\WINDOWS\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\WINDOWS\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\WINDOWS\System32\svchost.exe -k LocalServicePeerNet
C:\WINDOWS\system32\atieclxx.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\system32\taskhostex.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16.4.4406.1205_x64__8wekyb3d8bbwe\LiveComm.exe
C:\Windows\System32\RuntimeBroker.exe
C:\Program Files (x86)\Google\Drive\googledrivesync.exe
C:\Program Files (x86)\Google\Drive\googledrivesync.exe
C:\Users\Pedro\AppData\Local\Facebook\Messenger\2.1.4814.0\FacebookMessenger.exe
C:\Program Files (x86)\AVG\AVG2013\avgui.exe
C:\Program Files (x86)\ASUS\ASUS Ai Charger\AiChargerAP.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\WINDOWS\regedit.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uURLSearchHooks: AugartMedia Toolbar: {df4e216e-948b-43d9-8268-f6e1b73d6c08} - C:\Program Files (x86)\AugartMedia\prxtbAuga.dll
mURLSearchHooks: AugartMedia Toolbar: {df4e216e-948b-43d9-8268-f6e1b73d6c08} - C:\Program Files (x86)\AugartMedia\prxtbAuga.dll
mWinlogon: Userinit = userinit.exe,
BHO: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngine.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL
BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: AugartMedia Toolbar: {df4e216e-948b-43d9-8268-f6e1b73d6c08} - C:\Program Files (x86)\AugartMedia\prxtbAuga.dll
TB: AugartMedia Toolbar: {DF4E216E-948B-43D9-8268-F6E1B73D6C08} - C:\Program Files (x86)\AugartMedia\prxtbAuga.dll
TB: AugartMedia Toolbar: {df4e216e-948b-43d9-8268-f6e1b73d6c08} - C:\Program Files (x86)\AugartMedia\prxtbAuga.dll
TB: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngine.dll
uRun: [Pando Media Booster] C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe
uRun: [uTorrent] "C:\Users\Pedro\AppData\Roaming\uTorrent\uTorrent.exe" /MINIMIZED
uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
uRun: [GoogleDriveSync] "C:\Program Files (x86)\Google\Drive\googledrivesync.exe" /autostart
uRun: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
uRun: [KiesPreload] C:\Program Files (x86)\Samsung\Kies\Kies.exe /preload
uRun: [KiesAirMessage] C:\Program Files (x86)\Samsung\Kies\KiesAirMessage.exe -startup
uRun: [] C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
uRun: [Facebook Update] "C:\Users\Pedro\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
uRun: [GoogleChromeAutoLaunch_5B5BBE9ED55EE8341A285324EB610E46] "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-startup-window
uRun: [AdobeBridge] <no file>
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [KiesTrayAgent] C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY
mRun: [Auto ShutDown] C:\Program Files (x86)\Auto ShutDown\AutoShutDown.exe
mRun: [ASUS Ai Charger] C:\Program Files (x86)\ASUS\ASUS Ai Charger\AiChargerAP.exe
mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun: [AdobeCS6ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
StartupFolder: C:\Users\Pedro\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\FACEBO~1.LNK - C:\Users\Pedro\AppData\Local\Facebook\Messenger\2.1.4814.0\FacebookMessenger.exe
StartupFolder: C:\Users\Pedro\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Serviio.lnk - C:\Program Files\Serviio\bin\ServiioConsole.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\StartUp\rvlkl.lnk - C:\ProgramData\rvlkl\rvlkl.exe
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~1\Office15\EXCEL.EXE/3000
TCP: NameServer = 189.7.120.16 189.7.120.15
TCP: Interfaces\{0289C6D5-D8FE-46D7-BCC4-8FA041B489D1} : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{0289C6D5-D8FE-46D7-BCC4-8FA041B489D1} : DHCPNameServer = 189.7.120.16 189.7.120.15
TCP: Interfaces\{6850ED75-25CA-4910-A23D-8EFFFCA84694} : DHCPNameServer = 189.7.120.16 189.7.120.15 192.168.0.1
TCP: Interfaces\{6850ED75-25CA-4910-A23D-8EFFFCA84694}\E45647D2659627475716D2630343 : DHCPNameServer = 192.168.0.1
Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE15\MSOXMLMF.DLL
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files (x86)\Microsoft Office\Office15\MSOSB.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\27.0.1453.94\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office\Office15\OCHelper.dll
x64-BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL
x64-BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
x64-IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office\Office15\OCHelper.dll
x64-Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE15\MSOXMLMF.DLL
x64-Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHA;AVGIDSHA;C:\WINDOWS\System32\Drivers\avgidsha.sys [2012-10-15 63328]
R0 Avgloga;AVG Logging Driver;C:\WINDOWS\System32\Drivers\avgloga.sys [2012-9-21 225120]
R0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\WINDOWS\System32\Drivers\avgmfx64.sys [2012-11-15 111968]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\WINDOWS\System32\Drivers\avgrkx64.sys [2012-9-14 40800]
R1 AVGIDSDriver;AVGIDSDriver;C:\WINDOWS\System32\Drivers\avgidsdrivera.sys [2012-10-22 154464]
R1 Avgldx64;AVG AVI Loader Driver;C:\WINDOWS\System32\Drivers\avgldx64.sys [2012-10-2 185696]
R1 Avgwfpa;AVG Firewall Driver;C:\WINDOWS\System32\Drivers\avgwfpa.sys [2012-11-26 208736]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\WINDOWS\System32\Drivers\dtsoftbus01.sys [2013-1-22 283200]
R2 AMD External Events Utility;AMD External Events Utility;C:\WINDOWS\System32\atiesrxx.exe [2012-10-18 239616]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [2012-11-15 5814904]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [2012-10-22 196664]
R2 Serviio;Serviio;C:\Program Files\Serviio\bin\ServiioService.exe [2013-3-1 348160]
R3 RTL8168;Realtek 8168 NT Driver;C:\WINDOWS\System32\Drivers\Rt630x64.sys [2012-6-2 589824]
S0 Avgboota;AVG Early Launch Anti-Malware Driver;C:\WINDOWS\System32\Drivers\avgboota.sys [2012-10-26 20912]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-2-7 161384]
S2 SwOffScheduler;Airytec Switch Off - Task Scheduler;C:\Program Files\Airytec\Switch Off\swoff.exe -service --> C:\Program Files\Airytec\Switch Off\swoff.exe -service [?]
S2 SwOffWeb;Airytec Switch Off - Web Interface;C:\Program Files\Airytec\Switch Off\swoff.exe -service --> C:\Program Files\Airytec\Switch Off\swoff.exe -service [?]
S3 athur;Qualcomm Atheros AR9271 Wireless Network Adapter Service;C:\WINDOWS\System32\Drivers\athuw8x.sys [2013-2-17 3744256]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);C:\WINDOWS\System32\Drivers\ssudbus.sys [2013-4-15 102936]
S3 FsUsbExDisk;FsUsbExDisk;C:\Windows\SysWOW64\FsUsbExDisk.Sys [2013-4-15 37344]
S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE [2012-10-1 178824]
S3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);C:\WINDOWS\System32\Drivers\ssudmdm.sys [2013-4-15 203544]
S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 USBAAPL64;Apple Mobile USB Driver;C:\WINDOWS\System32\Drivers\usbaapl64.sys [2012-12-13 54784]
S3 vmbusr;Virtual Machine Bus Provider;C:\WINDOWS\System32\Drivers\vmbusr.sys [2012-7-25 117248]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\WINDOWS\System32\Drivers\wdcsam64.sys [2008-5-6 14464]
S3 WUDFWpdMtp;WUDFWpdMtp;C:\WINDOWS\System32\Drivers\WUDFRd.sys [2012-7-25 198656]
.
=============== Created Last 30 ================
.
2013-05-26 23:20:16  --------  d-----w-  C:\Users\Pedro\AppData\Roaming\Malwarebytes
2013-05-26 23:20:07  25928  ----a-w-  C:\WINDOWS\System32\drivers\mbam.sys
2013-05-26 23:20:07  --------  d-----w-  C:\ProgramData\Malwarebytes
2013-05-26 23:20:07  --------  d-----w-  C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-05-24 14:32:30  --------  d-----w-  C:\Users\Pedro\AppData\Roaming\PeaZip
2013-05-24 14:32:18  --------  d-----w-  C:\Program Files (x86)\PeaZip
2013-05-22 21:53:02  1455368  ----a-w-  C:\WINDOWS\System32\drivers\dxgkrnl.sys
2013-05-22 20:38:58  --------  d-----w-  C:\Program Files\iPod
2013-05-22 20:38:57  --------  d-----w-  C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-05-22 20:38:57  --------  d-----w-  C:\Program Files\iTunes
2013-05-22 20:38:57  --------  d-----w-  C:\Program Files (x86)\iTunes
2013-05-20 23:13:16  70144  ----a-w-  C:\WINDOWS\System32\appinfo.dll
2013-05-20 23:13:16  112872  ----a-w-  C:\WINDOWS\System32\consent.exe
2013-05-19 02:42:44  861184  ----a-w-  C:\WINDOWS\System32\drivers\http.sys
2013-05-15 23:08:53  6987528  ----a-w-  C:\WINDOWS\System32\ntoskrnl.exe
2013-05-14 23:33:14  --------  d-----w-  C:\ProgramData\regid.1986-12.com.adobe
2013-04-30 20:02:52  --------  d-----w-  C:\Users\Pedro\.receitanet
2013-04-30 19:52:25  --------  d--h--w-  C:\Program Files (x86)\InstallJammer Registry
2013-04-30 19:52:23  --------  d-----w-  C:\Arquivos de Programas RFB
2013-04-30 19:52:11  --------  d-----w-  C:\Program Files (x86)\Programas RFB
2013-04-28 04:14:23  --------  d-----w-  C:\Program Files (x86)\Fried Cookie
2013-04-28 04:13:11  --------  d-----w-  C:\Program Files (x86)\Despertador
2013-04-28 04:13:06  249856  ------w-  C:\WINDOWS\Setup1.exe
2013-04-28 04:13:04  73216  ----a-w-  C:\WINDOWS\ST6UNST.EXE
2013-04-28 04:06:05  14848  ----a-w-  C:\WINDOWS\SysWow64\drivers\AiCharger.sys
2013-04-28 04:06:04  --------  d-----w-  C:\Program Files (x86)\ASUS
2013-04-28 04:06:02  225280  ----a-w-  C:\Program Files (x86)\Common Files\InstallShield\IScript\iscript.dll
2013-04-28 04:06:01  77824  ----a-w-  C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll
2013-04-28 04:06:01  32768  ----a-w-  C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll
2013-04-28 04:06:01  176128  ----a-w-  C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll
2013-04-28 04:05:58  614532  ----a-w-  C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
.
==================== Find3M ====================
.
2013-05-07 20:07:50  78200  ----a-w-  C:\WINDOWS\SysWow64\FlashPlayerCPLApp.cpl
2013-05-07 20:07:50  693112  ----a-w-  C:\WINDOWS\SysWow64\FlashPlayerApp.exe
2013-04-09 23:17:44  2242048  ----a-w-  C:\WINDOWS\System32\wininet.dll
2013-04-09 23:17:36  915968  ----a-w-  C:\WINDOWS\System32\uxtheme.dll
2013-04-09 23:16:58  3958784  ----a-w-  C:\WINDOWS\System32\jscript9.dll
2013-04-09 22:30:26  1767424  ----a-w-  C:\WINDOWS\SysWow64\wininet.dll
2013-04-09 22:29:44  2877440  ----a-w-  C:\WINDOWS\SysWow64\jscript9.dll
2013-04-09 05:33:02  489576  ----a-w-  C:\WINDOWS\System32\AudioEng.dll
2013-04-09 05:33:02  446792  ----a-w-  C:\WINDOWS\System32\AudioSes.dll
2013-04-09 05:33:02  253544  ----a-w-  C:\WINDOWS\System32\audiodg.exe
2013-04-09 05:27:43  284424  ----a-w-  C:\WINDOWS\System32\drivers\spaceport.sys
2013-04-09 05:20:02  86280  ----a-w-  C:\WINDOWS\System32\kdnet.dll
2013-04-09 05:20:02  306952  ----a-w-  C:\WINDOWS\System32\kd_02_10ec.dll
2013-04-09 05:18:05  77960  ----a-w-  C:\WINDOWS\System32\kdvm.dll
2013-04-09 05:17:57  1829408  ----a-w-  C:\WINDOWS\System32\ntdll.dll
2013-04-09 04:52:07  816128  ----a-w-  C:\WINDOWS\System32\SearchIndexer.exe
2013-04-09 04:52:07  373760  ----a-w-  C:\WINDOWS\System32\SearchProtocolHost.exe
2013-04-09 04:52:07  197120  ----a-w-  C:\WINDOWS\System32\SearchFilterHost.exe
2013-04-09 04:52:07  126464  ----a-w-  C:\WINDOWS\System32\Robocopy.exe
2013-04-09 04:52:06  804352  ----a-w-  C:\WINDOWS\System32\RecoveryDrive.exe
2013-04-09 04:51:51  367616  ----a-w-  C:\WINDOWS\System32\conhost.exe
2013-04-09 04:51:45  523264  ----a-w-  C:\WINDOWS\System32\XpsGdiConverter.dll
2013-04-09 04:51:41  99840  ----a-w-  C:\WINDOWS\System32\wscsvc.dll
2013-04-09 04:51:41  456704  ----a-w-  C:\WINDOWS\System32\wpncore.dll
2013-04-09 04:51:20  13648384  ----a-w-  C:\WINDOWS\System32\Windows.UI.Xaml.dll
2013-04-09 04:51:17  595456  ----a-w-  C:\WINDOWS\System32\Windows.Networking.dll
2013-04-09 04:51:17  391168  ----a-w-  C:\WINDOWS\System32\Windows.Networking.BackgroundTransfer.dll
2013-04-09 04:51:05  10116096  ----a-w-  C:\WINDOWS\System32\twinui.dll
2013-04-09 04:51:03  3552768  ----a-w-  C:\WINDOWS\System32\tquery.dll
2013-04-09 04:50:53  414720  ----a-w-  C:\WINDOWS\System32\GenuineCenter.dll
2013-04-09 04:50:39  422400  ----a-w-  C:\WINDOWS\System32\schannel.dll
2013-04-09 04:50:39  1285632  ----a-w-  C:\WINDOWS\System32\schedsvc.dll
2013-04-09 04:50:03  96256  ----a-w-  C:\WINDOWS\System32\mssprxy.dll
2013-04-09 04:50:03  745984  ----a-w-  C:\WINDOWS\System32\mssvp.dll
2013-04-09 04:50:03  2107904  ----a-w-  C:\WINDOWS\System32\mssrch.dll
2013-04-09 04:50:02  65024  ----a-w-  C:\WINDOWS\System32\msscntrs.dll
2013-04-09 04:50:02  435200  ----a-w-  C:\WINDOWS\System32\mssph.dll
2013-04-09 04:50:02  13824  ----a-w-  C:\WINDOWS\System32\msshooks.dll
2013-04-09 04:49:54  1444864  ----a-w-  C:\WINDOWS\System32\MSAudDecMFT.dll
2013-04-09 04:49:45  468992  ----a-w-  C:\WINDOWS\System32\MFMediaEngine.dll
2013-04-09 04:49:45  281088  ----a-w-  C:\WINDOWS\System32\mfreadwrite.dll
2013-04-09 04:49:36  817152  ----a-w-  C:\WINDOWS\System32\kerberos.dll
2013-04-09 04:49:33  210432  ----a-w-  C:\WINDOWS\System32\iuilp.dll
2013-04-09 04:49:16  50176  ----a-w-  C:\WINDOWS\System32\fmifs.dll
2013-04-09 04:49:16  231936  ----a-w-  C:\WINDOWS\System32\fhengine.dll
2013-04-09 04:49:09  172544  ----a-w-  C:\WINDOWS\System32\dwmredir.dll
2013-04-09 04:49:06  196096  ----a-w-  C:\WINDOWS\System32\dmvdsitf.dll
2013-04-09 04:48:43  2303488  ----a-w-  C:\WINDOWS\System32\authui.dll
2013-04-09 04:48:42  785408  ----a-w-  C:\WINDOWS\System32\audiosrv.dll
2013-04-09 04:48:42  169472  ----a-w-  C:\WINDOWS\System32\AudioEndpointBuilder.dll
2013-04-09 04:48:34  419840  ----a-w-  C:\WINDOWS\System32\intl.cpl
2013-04-09 02:35:13  4038144  ----a-w-  C:\WINDOWS\System32\win32k.sys
2013-04-09 02:34:49  83968  ----a-w-  C:\WINDOWS\System32\drivers\hidclass.sys
2013-04-09 02:34:42  27648  ----a-w-  C:\WINDOWS\System32\drivers\hidusb.sys
2013-04-09 02:34:30  95744  ----a-w-  C:\WINDOWS\System32\drivers\hidbth.sys
2013-04-09 02:33:41  60416  ----a-w-  C:\WINDOWS\System32\drivers\ndproxy.sys
2013-04-09 02:33:05  623104  ----a-w-  C:\WINDOWS\System32\drivers\srv2.sys
2013-04-09 02:32:02  805376  ----a-w-  C:\WINDOWS\System32\drivers\PEAuth.sys
2013-04-09 02:31:14  247808  ----a-w-  C:\WINDOWS\System32\drivers\srvnet.sys
2013-04-09 02:31:01  83456  ----a-w-  C:\WINDOWS\System32\drivers\wanarp.sys
2013-04-08 23:44:25  123880  ----a-w-  C:\WINDOWS\SysWow64\wscapi.dll
2013-04-08 23:39:14  1408896  ----a-w-  C:\WINDOWS\SysWow64\ntdll.dll
2013-04-08 23:37:29  426024  ----a-w-  C:\WINDOWS\SysWow64\AudioEng.dll
2013-04-08 23:37:29  324368  ----a-w-  C:\WINDOWS\SysWow64\AudioSes.dll
2013-04-08 21:52:16  670208  ----a-w-  C:\WINDOWS\SysWow64\SearchIndexer.exe
2013-04-08 21:52:16  302592  ----a-w-  C:\WINDOWS\SysWow64\SearchProtocolHost.exe
2013-04-08 21:52:16  171008  ----a-w-  C:\WINDOWS\SysWow64\SearchFilterHost.exe
2013-04-08 21:52:16  106496  ----a-w-  C:\WINDOWS\SysWow64\Robocopy.exe
2013-04-08 21:52:06  364544  ----a-w-  C:\WINDOWS\SysWow64\XpsGdiConverter.dll
2013-04-04 23:30:17  503080  ----a-w-  C:\WINDOWS\System32\ci.dll
2013-03-30 18:16:05  1403784  ----a-w-  C:\WINDOWS\System32\winload.efi
2013-03-30 18:16:05  1267424  ----a-w-  C:\WINDOWS\System32\winload.exe
2013-03-28 22:09:09  1093880  ----a-w-  C:\WINDOWS\System32\winresume.exe
2013-03-28 22:09:04  1217328  ----a-w-  C:\WINDOWS\System32\winresume.efi
2013-03-20 08:07:18  233472  ----a-w-  C:\WINDOWS\SysWow64\FsUsbExService.Exe
2013-03-20 08:07:16  37344  ----a-w-  C:\WINDOWS\SysWow64\FsUsbExDisk.Sys
2013-03-15 22:05:34  298456  ----a-w-  C:\WINDOWS\System32\rsaenh.dll
2013-03-15 22:05:16  252928  ----a-w-  C:\WINDOWS\SysWow64\rsaenh.dll
2013-03-02 10:57:48  337128  ----a-w-  C:\WINDOWS\System32\drivers\USBXHCI.SYS
2013-03-02 10:57:46  77544  ----a-w-  C:\WINDOWS\System32\drivers\storahci.sys
2013-03-02 10:57:46  332520  ----a-w-  C:\WINDOWS\System32\drivers\storport.sys
2013-03-02 10:45:20  148712  ----a-w-  C:\WINDOWS\System32\drivers\tpm.sys
2013-03-02 10:45:19  194792  ----a-w-  C:\WINDOWS\System32\drivers\sdbus.sys
2013-03-02 10:45:10  125160  ----a-w-  C:\WINDOWS\System32\drivers\dumpsd.sys
2013-03-02 10:39:39  495336  ----a-w-  C:\WINDOWS\System32\drivers\vhdmp.sys
2013-03-02 10:39:38  69864  ----a-w-  C:\WINDOWS\System32\drivers\pdc.sys
2013-03-02 10:39:32  327912  ----a-w-  C:\WINDOWS\System32\drivers\Classpnp.sys
2013-03-02 09:59:37  2231528  ----a-w-  C:\WINDOWS\System32\drivers\tcpip.sys
2013-03-02 09:59:36  411880  ----a-w-  C:\WINDOWS\System32\drivers\FWPKCLNT.SYS
2013-03-02 08:24:08  34304  ----a-w-  C:\WINDOWS\SysWow64\wuapp.exe
2013-03-02 08:23:43  83968  ----a-w-  C:\WINDOWS\SysWow64\wudriver.dll
2013-03-02 08:23:43  125952  ----a-w-  C:\WINDOWS\SysWow64\wuwebv.dll
2013-03-02 08:23:30  893952  ----a-w-  C:\WINDOWS\SysWow64\winmde.dll
2013-03-02 08:23:30  1338880  ----a-w-  C:\WINDOWS\SysWow64\WindowsCodecs.dll
2013-03-02 08:23:28  601088  ----a-w-  C:\WINDOWS\SysWow64\Windows.Globalization.dll
2013-03-02 08:23:28  504320  ----a-w-  C:\WINDOWS\SysWow64\Windows.Security.Authentication.OnlineId.dll
2013-03-02 08:23:19  246784  ----a-w-  C:\WINDOWS\SysWow64\ubpm.dll
2013-03-02 08:23:04  356352  ----a-w-  C:\WINDOWS\SysWow64\SettingSync.dll
2013-03-02 08:23:04  100864  ----a-w-  C:\WINDOWS\SysWow64\SettingSyncInfo.dll
2013-03-02 08:22:36  357888  ----a-w-  C:\WINDOWS\SysWow64\netcfgx.dll
.
============= FINISH: 22:30:09,41 ===============
 
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 8 Pro
Boot Device: \Device\HarddiskVolume1
Install Date: 22/01/2013 12:05:59
System Uptime: 26/05/2013 22:05:49 (0 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | P7P55D-E
Processor: Intel(R) Core(TM) i5 CPU 760 @ 2.80GHz | LGA1156 | 2801/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 488 GiB total, 278,021 GiB free.
D: is CDROM (UDF)
E: is CDROM ()
Z: is FIXED (NTFS) - 443 GiB total, 237,797 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP24: 05/05/2013 23:01:36 - Scheduled Checkpoint
RP25: 13/05/2013 20:41:31 - Scheduled Checkpoint
RP26: 20/05/2013 22:27:22 - Windows Update
RP27: 24/05/2013 11:39:11 - Windows Update
.
==== Installed Programs ======================
.
Adobe Photoshop CS6
Airytec Switch Off
Apple Mobile Device Support
Apple Software Update
ASUS Ai Charger
µTorrent
Audacity 2.0.3
Augart Video Converter 2.4.3
AugartMedia Toolbar
Auto ShutDown 1.0
AVG 2013
Bonjour
Conduit Engine
DAEMON Tools Lite
Definition Update for Microsoft Office 2013 (KB2760587) 64-Bit Edition
Despertador
Facebook Messenger 2.1.4814.0
Facebook Video Calling 1.2.0.287
Foxit Reader
Fried Cookie MultiClock
GIMP 2.8.4
Google Chrome
Google Drive
Google Update Helper
Hitman Absolution
IRPF2013 - Declaração de Ajuste Anual, Final de Espólio e Saída Definitiva do País
iTunes
Java 7 Update 15
Java Auto Updater
Java(TM) 7 Update 5 (64-bit)
LAME v3.99.3 (for Windows)
League of Legends
Legendas 2.26
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft Access MUI (English) 2013
Microsoft Access Setup Metadata MUI (English) 2013
Microsoft DCF MUI (English) 2013
Microsoft Excel MUI (English) 2013
Microsoft Groove MUI (English) 2013
Microsoft InfoPath MUI (English) 2013
Microsoft Lync MUI (English) 2013
Microsoft Office 32-bit Components 2013
Microsoft Office OSM MUI (English) 2013
Microsoft Office OSM UX MUI (English) 2013
Microsoft Office Professional Plus 2013
Microsoft Office Proofing (English) 2013
Microsoft Office Proofing Tools 2013 - English
Microsoft Office Proofing Tools 2013 - Español
Microsoft Office Shared 32-bit MUI (English) 2013
Microsoft Office Shared MUI (English) 2013
Microsoft Office Shared Setup Metadata MUI (English) 2013
Microsoft OneNote MUI (English) 2013
Microsoft Outlook MUI (English) 2013
Microsoft PowerPoint MUI (English) 2013
Microsoft Publisher MUI (English) 2013
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable (x64)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft Word MUI (English) 2013
Microsoft_VC80_CRT_x86
Microsoft_VC90_CRT_x86
MultiClock 1.0
MyFreeCodec
Origin
Outils de vérification linguistique 2013 de Microsoft Office - Français
Pando Media Booster
PDF Settings CS6
PeaZip 4.9.2
Receitanet
Rylstim Screen Recorder
Samsung Kies
SAMSUNG USB Driver for Mobile Phones
Serviio
Skype™ 6.2
Songr
Steam
Suporte para Aplicativos Apple
System Requirements Lab CYRI
TeamSpeak 3 Client
Tombraider
TUGZip 3.5
Update for Microsoft Access 2013 (KB2760350) 64-Bit Edition
Update for Microsoft Excel 2013 (KB2760339) 64-Bit Edition
Update for Microsoft Lync 2013 (KB2768004) 64-Bit Edition
Update for Microsoft Office 2013 (KB2726954) 64-Bit Edition
Update for Microsoft Office 2013 (KB2726961) 64-Bit Edition
Update for Microsoft Office 2013 (KB2726996) 64-Bit Edition
Update for Microsoft Office 2013 (KB2737954) 64-Bit Edition
Update for Microsoft Office 2013 (KB2752025) 64-Bit Edition
Update for Microsoft Office 2013 (KB2752094) 64-Bit Edition
Update for Microsoft Office 2013 (KB2752101) 64-Bit Edition
Update for Microsoft Office 2013 (KB2760224) 64-Bit Edition
Update for Microsoft Office 2013 (KB2760343) 64-Bit Edition
Update for Microsoft Office 2013 (KB2767845) 64-Bit Edition
Update for Microsoft Office 2013 (KB2767860) 64-Bit Edition
Update for Microsoft Office 2013 (KB2768016) 64-Bit Edition
Update for Microsoft Office 2013 (KB2768333) 64-Bit Edition
Update for Microsoft Office 2013 (KB2768349) 64-Bit Edition
Update for Microsoft Office 2013 (KB2768355) 64-Bit Edition
Update for Microsoft Office 2013 (KB2810010) 64-Bit Edition
Update for Microsoft OneNote 2013 (KB2760334) 64-Bit Edition
Update for Microsoft Outlook 2013 (KB2810015) 64-Bit Edition
Update for Microsoft PowerPoint 2013 (KB2726947) 64-Bit Edition
Update for Microsoft PowerPoint 2013 (KB2727013) 64-Bit Edition
Update for Microsoft SkyDrive Pro (KB2810019) 64-Bit Edition
Update for Microsoft Visio 2013 (KB2810008) 64-Bit Edition
Update for Microsoft Visio Viewer 2013 (KB2768338) 64-Bit Edition
Update for Microsoft Word 2013 (KB2768007) 64-Bit Edition
Update for Microsoft Word 2013 (KB2768337) 64-Bit Edition
Visual Studio 2010 x64 Redistributables
VLC media player 2.0.5
XviD Video Codec (remove only)
.
==== Event Viewer Messages From Past Week ========
.
26/05/2013 22:07:05, Error: Service Control Manager [7006] - The ScRegSetValueExW call failed for FailureActions with the following error: Access is denied.
26/05/2013 21:31:46, Error: Schannel [36888] - A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 51. The Windows SChannel error state is 900.
26/05/2013 01:30:10, Error: Ntfs [55] - A corruption was discovered in the file system structure on volume ??. The exact nature of the corruption is unknown. The file system structures need to be scanned online.
26/05/2013 01:30:06, Error: Ntfs [55] - A corruption was discovered in the file system structure on volume ??. A corruption was found in a file system index structure. The file reference number is 0x500000004702e. The name of the file is "\Windows\servicing\Packages". The corrupted index attribute is ":$I30:$INDEX_ALLOCATION".
25/05/2013 23:39:32, Error: Ntfs [55] - A corruption was discovered in the file system structure on volume ??. The Master File Table (MFT) contains a corrupted file record. The file reference number is 0xb00000001038e. The name of the file is "<unable to determine file name>".
.
==== End Of File ===========================
 
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.05.26.06

Windows 8 x64 NTFS
Internet Explorer 10.0.9200.16580
Pedro :: DESKTOP [administrator]

26/05/2013 20:21:29
mbam-log-2013-05-26 (20-21-29).txt

Scan type: Full scan (C:\|Z:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 575775
Time elapsed: 1 hour(s), 41 minute(s), 35 second(s)

Memory Processes Detected: 1
C:\ProgramData\rvlkl\rvlkl.exe (Keylogger.Logixoft) -> 1844 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 8
C:\ProgramData\rvlkl\rvlkl.exe (Keylogger.Logixoft) -> Quarantined and deleted successfully.
C:\Program Files\Adobe\Adobe Bridge CS6 (64 Bit)\AMTLib.dll (PUP.RiskwareTool.CK) -> Quarantined and deleted successfully.
C:\Users\Pedro\Downloads\AutoShutDownSetup.exe (PUP.Bundle.Installer.BT) -> Quarantined and deleted successfully.
C:\Users\Pedro\Downloads\rkfree_setup.exe (Keylogger.Logixoft) -> Quarantined and deleted successfully.
C:\Users\Pedro\Downloads\Adobe Photoshop CS6 Extended Crack .DLL Files\Patch\32bit\amtlib.dll (PUP.RiskwareTool.CK) -> Quarantined and deleted successfully.
C:\Users\Pedro\Downloads\Adobe Photoshop CS6 Extended Crack .DLL Files\Patch\64bit\amtlib.dll (PUP.RiskwareTool.CK) -> Quarantined and deleted successfully.
C:\Windows.old\Users\pasdu_000\AppData\Local\Temp\Temp1_Windows Loader v2.1.8.zip\Windows Loader\Windows Loader.exe (Trojan.Agent) -> Quarantined and deleted successfully.
Z:\School\2ª Série\Fisiologia\Arquivos e Livros\ECG interactive\ECG interactive\daemon411-lite-x86.exe (Adware.Vomba) -> Quarantined and deleted successfully.

(end)
 
Welcome aboard

Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer's behavior, good or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

=====================================

Download RogueKiller for 32-bit or RogueKiller for 64-bit to your Desktop.
  • Close all the running programs
  • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • Pre-scan will start. Let it finish.
  • Click on SCAN button.
  • Wait until the Status box shows Scan Finished
  • Click on Delete.
  • Wait until the Status box shows Deleting Finished.
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • RKreport.txt could also be found on your desktop.
  • If more than one log is produced post all logs.
  • If RogueKiller has been blocked, do not hesitate to try a few more times. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.

Download Malwarebytes Anti-Rootkit (MBAR) from HERE
  • Unzip downloaded file.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log-xxxxx.txt and system-log.txt
 