Exploit.Drop.GS? Removal help?

Solved
By ryhalt
Sep 28, 2012
Topic Status:
Not open for further replies.
  1. The other day I got hit with some form of ransomware and I hit the switch on my power supply before the page could finish loading, lucky for me I'm on dialup!

    When I rebooted my computer I got some error about a .dll trying to open when I logged into Windows. I wasn't sure what had happened at first, so I searched online for a bit, then I got offline and downloaded avast! antivirus at a friend's while I ran Malwarebytes.

    Malwarebytes Anti-Malware 1.62.0.1300
    www.malwarebytes.org

    Database version: v2012.09.06.09

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 8.0.7601.17514
    Adam :: BALEFIRE [administrator]

    9/25/2012 1:32:19 PM
    mbam-log-2012-09-25 (13-32-19).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 209247
    Time elapsed: 1 minute(s), 44 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 1
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run| (Exploit.Drop.GS) -> Data: C:\Users\Adam\AppData\Local\Temp\wpbt0.dll -> Quarantined and deleted successfully.

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    C:\Users\Adam\AppData\Local\Temp\wpbt0.dll (Exploit.Drop.GS) -> Quarantined and deleted successfully.

    (end)

    I ran GMER (as per instruction thread) and it didn't detect anything.

    I ran DDS, here are the logs.

    DDS.txt
    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 8.0.7601.17514
    Run by Adam at 9:38:03 on 2012-09-28
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4094.2528 [GMT -5:00]
    .
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\DRIVERS\xaudio64.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskhost.exe
    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    C:\Program Files\AVAST Software\Avast\AvastUI.exe
    C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
    C:\Windows\SysWOW64\ctfmon.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    mWinlogon: Userinit=userinit.exe,
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    uRun: [ISUSPM Startup] C:\PROGRA~2\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
    uRun: [CPU_Control] C:\Program Files (x86)\CPU-Control\CPU_Control.exe
    mRun: [ISUSScheduler] "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe" -start
    mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    TB-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    mRun-x64: [ISUSScheduler] "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe" -start
    mRun-x64: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\Adam\AppData\Roaming\Mozilla\Firefox\Profiles\hxb1rxwl.default\
    FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
    FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_265.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 aswSnx;aswSnx;C:\Windows\system32\drivers\aswSnx.sys --> C:\Windows\system32\drivers\aswSnx.sys [?]
    R1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
    R2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]
    R2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]
    R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2012-9-25 44808]
    R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-9-21 1258856]
    R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-8-30 382312]
    R3 CAXHWCD2;CAXHWCD2;C:\Windows\system32\DRIVERS\CAXHWCD2.sys --> C:\Windows\system32\DRIVERS\CAXHWCD2.sys [?]
    R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
    R3 usbfilter;AMD USB Filter Driver;C:\Windows\system32\DRIVERS\usbfilter.sys --> C:\Windows\system32\DRIVERS\usbfilter.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
    .
    =============== File Associations ===============
    .
    .txt=Notepad++_file
    .
    =============== Created Last 30 ================
    .
    2012-09-26 10:18:46 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{016210F0-7E56-4605-8CF4-739FF2317252}\offreg.dll
    2012-09-26 01:01:56 54072 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
    2012-09-26 01:01:55 969200 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
    2012-09-26 01:01:53 71600 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
    2012-09-26 01:01:22 41224 ----a-w- C:\Windows\avastSS.scr
    2012-09-26 01:01:12 -------- d-----w- C:\ProgramData\AVAST Software
    2012-09-26 01:01:12 -------- d-----w- C:\Program Files\AVAST Software
    2012-09-25 17:12:50 92160 ----a-w- C:\Windows\System32\ff_vfw.dll
    2012-09-25 17:12:50 203264 ----a-w- C:\Windows\System32\unrar.dll
    2012-09-25 17:12:49 -------- d-----w- C:\Program Files\K-Lite Codec Pack x64
    2012-09-21 15:35:11 891240 ----a-w- C:\Windows\System32\nvvsvc.exe
    2012-09-21 15:35:11 63336 ----a-w- C:\Windows\System32\nvshext.dll
    2012-09-21 15:35:11 6198120 ----a-w- C:\Windows\System32\nvcpl.dll
    2012-09-21 15:35:11 3266920 ----a-w- C:\Windows\System32\nvsvc64.dll
    2012-09-21 15:35:11 118120 ----a-w- C:\Windows\System32\nvmctray.dll
    2012-09-21 15:35:02 60776 ----a-w- C:\Windows\System32\OpenCL.dll
    2012-09-21 15:35:02 52584 ----a-w- C:\Windows\SysWow64\OpenCL.dll
    2012-09-13 19:37:27 -------- d-----w- C:\Users\Adam\AppData\Roaming\NVIDIA
    2012-09-12 05:36:17 -------- d-----w- C:\Users\Adam\AppData\Local\Microsoft Games
    2012-09-11 18:27:53 35328 ----a-w- C:\Windows\System32\drivers\lirsgt.sys
    2012-09-11 18:27:53 303616 ----a-w- C:\Windows\System32\drivers\atksgt.sys
    2012-09-11 18:22:40 733184 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iKernel.dll
    2012-09-11 18:22:40 69715 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\ctor.dll
    2012-09-11 18:22:40 5632 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\DotNetInstaller.exe
    2012-09-11 18:22:40 303236 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\setup.dll
    2012-09-11 18:22:40 266240 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iscript.dll
    2012-09-11 18:22:40 180356 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iGdi.dll
    2012-09-11 18:22:40 172032 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iuser.dll
    2012-09-10 13:07:01 -------- d-----w- C:\Program Files\Media Player Classic - Home Cinema
    2012-09-10 05:18:56 -------- d-----w- C:\Users\Adam\AppData\Local\Macromedia
    2012-09-10 05:16:52 73416 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-09-10 05:16:52 696520 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
    2012-09-09 04:08:08 -------- d-----w- C:\Windows\pss
    2012-09-09 03:10:14 -------- d-----w- C:\Program Files (x86)\Winamp Detect
    2012-09-09 03:10:09 -------- d-----w- C:\Program Files (x86)\Common Files\PX Storage Engine
    2012-09-07 17:22:35 -------- d-----w- C:\Users\Adam\AppData\Local\Paint.NET
    2012-09-07 17:22:35 -------- d-----w- C:\Program Files\Paint.NET
    2012-09-07 12:57:48 -------- d-----w- C:\Users\Adam\My Stuff
    2012-09-07 05:23:46 467456 ----a-w- C:\Windows\System32\drivers\srv.sys
    2012-09-07 05:23:46 410112 ----a-w- C:\Windows\System32\drivers\srv2.sys
    2012-09-07 05:23:46 168448 ----a-w- C:\Windows\System32\drivers\srvnet.sys
    2012-09-07 05:23:14 75776 ----a-w- C:\Windows\SysWow64\psisrndr.ax
    2012-09-07 05:23:14 613888 ----a-w- C:\Windows\System32\psisdecd.dll
    2012-09-07 05:23:14 465408 ----a-w- C:\Windows\SysWow64\psisdecd.dll
    2012-09-07 05:23:14 108032 ----a-w- C:\Windows\System32\psisrndr.ax
    2012-09-07 05:21:47 723456 ----a-w- C:\Windows\System32\EncDec.dll
    2012-09-07 05:20:40 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
    2012-09-07 05:20:29 90624 ----a-w- C:\Windows\System32\drivers\bowser.sys
    2012-09-07 05:20:11 64512 ----a-w- C:\Windows\SysWow64\devobj.dll
    2012-09-07 05:20:11 44544 ----a-w- C:\Windows\SysWow64\devrtl.dll
    2012-09-07 05:20:11 404480 ----a-w- C:\Windows\System32\umpnpmgr.dll
    2012-09-07 05:20:11 252928 ----a-w- C:\Windows\SysWow64\drvinst.exe
    2012-09-07 05:20:11 145920 ----a-w- C:\Windows\SysWow64\cfgmgr32.dll
    2012-09-07 05:19:58 861696 ----a-w- C:\Windows\System32\oleaut32.dll
    2012-09-07 05:19:58 571904 ----a-w- C:\Windows\SysWow64\oleaut32.dll
    2012-09-07 05:19:58 331776 ----a-w- C:\Windows\System32\oleacc.dll
    2012-09-07 05:19:58 233472 ----a-w- C:\Windows\SysWow64\oleacc.dll
    2012-09-07 05:18:51 30208 ----a-w- C:\Windows\System32\dnscacheugc.exe
    2012-09-07 05:18:51 28672 ----a-w- C:\Windows\SysWow64\dnscacheugc.exe
    2012-09-07 05:18:51 183296 ----a-w- C:\Windows\System32\dnsrslvr.dll
    2012-09-07 05:17:57 759296 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll
    2012-09-07 05:17:57 1110528 ----a-w- C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll
    2012-09-07 05:17:53 43520 ----a-w- C:\Windows\System32\csrsrv.dll
    2012-09-07 05:17:46 498688 ----a-w- C:\Windows\System32\drivers\afd.sys
    2012-09-07 05:17:40 75120 ----a-w- C:\Windows\System32\drivers\partmgr.sys
    2012-09-07 05:17:35 267776 ----a-w- C:\Windows\System32\FXSCOVER.exe
    2012-09-07 05:16:03 77312 ----a-w- C:\Windows\System32\packager.dll
    2012-09-07 05:16:03 67072 ----a-w- C:\Windows\SysWow64\packager.dll
    2012-09-07 04:59:27 2622464 ----a-w- C:\Windows\System32\wucltux.dll
    2012-09-07 04:59:23 99840 ----a-w- C:\Windows\System32\wudriver.dll
    2012-09-07 04:59:21 36864 ----a-w- C:\Windows\System32\wuapp.exe
    2012-09-07 04:59:21 186752 ----a-w- C:\Windows\System32\wuwebv.dll
    2012-09-06 19:03:37 9310152 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{016210F0-7E56-4605-8CF4-739FF2317252}\mpengine.dll
    2012-09-06 19:03:36 279656 ------w- C:\Windows\System32\MpSigStub.exe
    2012-09-05 16:47:43 -------- d-----w- C:\Users\Adam\AppData\Local\Freelancer
    2012-09-05 13:10:55 69632 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe
    2012-09-05 13:10:55 61440 ----a-w- C:\Windows\SysWow64\ISUSPM.cpl
    2012-09-05 13:10:55 446464 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\UpdateService\agent.exe
    2012-09-05 13:10:55 385024 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\UpdateService\_ispmres.dll
    2012-09-05 13:10:55 368640 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\UpdateService\_isusres.dll
    2012-09-05 13:10:55 204800 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\UpdateService\ISDM.exe
    2012-09-05 13:10:55 196608 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe
    2012-09-05 13:02:40 -------- d-----w- C:\Users\Adam\AppData\Local\Gas Powered Games
    2012-09-05 01:45:27 -------- d-----w- C:\temp
    2012-09-05 01:16:19 -------- d-----w- C:\Users\Adam\AppData\Roaming\Malwarebytes
    2012-09-04 21:03:57 -------- d-----w- C:\Users\Adam\AppData\Local\Mozilla
    2012-09-04 20:54:45 -------- d-----w- C:\Users\Adam\AppData\Local\The Witcher 2
    2012-09-04 20:49:38 -------- d-----w- C:\Users\Adam\AppData\Roaming\XRay Engine
    2012-09-04 20:47:44 178800 ----a-w- C:\Windows\SysWow64\CmdLineExt_x64.dll
    2012-09-04 20:23:01 -------- d-----w- C:\Windows\Panther
    2012-09-04 20:22:48 -------- d-sh--w- C:\Boot
    2012-09-04 19:53:59 68104 ----a-w- C:\Windows\System32\XAPOFX1_0.dll
    2012-09-04 19:45:11 -------- d-----w- C:\Games
    2012-09-04 19:39:37 -------- d-----w- C:\Users\Adam\AppData\Roaming\CPUControl
    2012-09-04 19:39:35 -------- d-----w- C:\Program Files (x86)\CPU-Control
    2012-09-04 19:34:09 -------- d-----w- C:\ProgramData\Malwarebytes
    2012-09-04 19:34:08 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2012-09-04 19:34:08 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-09-04 19:33:47 -------- d-----w- C:\Program Files\CCleaner
    2012-09-04 19:30:09 -------- d-----w- C:\Users\Adam\AppData\Local\Google
    2012-09-04 19:25:15 -------- d-----w- C:\Program Files\CONEXANT
    2012-09-04 19:25:10 740864 ----a-w- C:\Windows\System32\drivers\CAX_CNXT.sys
    2012-09-04 19:25:10 410624 ----a-w- C:\Windows\System32\drivers\XAudio64.exe
    2012-09-04 19:25:10 380928 ----a-w- C:\Windows\System32\drivers\CAXHWCD2.sys
    2012-09-04 19:25:10 299520 ----a-w- C:\Windows\System32\UCI64M19.dll
    2012-09-04 19:25:10 17024 ----a-w- C:\Windows\System32\drivers\mdmxsdk.sys
    2012-09-04 19:25:10 1478656 ----a-w- C:\Windows\System32\drivers\CAX_DPV.sys
    2012-09-04 19:25:10 10240 ----a-w- C:\Windows\System32\drivers\XAudio64.sys
    2012-09-04 19:14:04 -------- d-----w- C:\Users\Adam\AppData\Local\Apps
    2012-09-04 19:05:06 -------- d-----w- C:\Program Files (x86)\NVIDIA Corporation
    2012-09-04 19:03:56 -------- d-----w- C:\Program Files\NVIDIA Corporation
    2012-09-04 19:03:36 -------- d-----w- C:\NVIDIA
    2012-09-04 18:58:03 74272 ----a-w- C:\Windows\System32\RtNicProp64.dll
    2012-09-04 18:58:03 646248 ----a-w- C:\Windows\System32\drivers\Rt64win7.sys
    2012-09-04 18:58:03 107552 ----a-w- C:\Windows\System32\RTNUninst64.dll
    2012-09-04 18:58:00 -------- d-----w- C:\Program Files (x86)\Realtek
    2012-09-04 18:17:09 34872 ----a-w- C:\Windows\System32\drivers\usbfilter.sys
    2012-09-04 18:17:09 -------- d-----w- C:\Program Files (x86)\AMD
    2012-09-04 18:16:40 -------- d-sh--w- C:\Windows\Installer
    2012-09-04 18:16:40 -------- d-----w- C:\Program Files\ATI
    2012-09-04 18:16:17 -------- d-----w- C:\Program Files\ATI Technologies
    2012-09-04 18:15:51 16440 ----a-w- C:\Windows\System32\drivers\AtiPcie.sys
    2012-09-04 18:07:02 -------- d-----w- C:\Windows\System32\SPReview
    2012-09-04 17:52:03 2560 ----a-w- C:\Windows\System32\drivers\en-US\rdpwd.sys.mui
    2012-09-04 17:51:59 3072 ----a-w- C:\Windows\System32\drivers\en-US\tsusbflt.sys.mui
    2012-09-04 17:51:33 6144 ----a-w- C:\Windows\System32\drivers\en-US\IPMIDrv.sys.mui
    2012-09-04 17:51:33 4608 ----a-w- C:\Windows\System32\drivers\en-US\kbdclass.sys.mui
    2012-09-04 17:44:59 94208 ----a-w- C:\Windows\SysWow64\eappgnui.dll
    2012-09-04 17:43:26 -------- d-----w- C:\Windows\System32\EventProviders
    2012-08-30 15:40:14 429416 ----a-w- C:\Windows\SysWow64\nvStreaming.exe
    .
    ==================== Find3M ====================
    .
    2012-09-04 18:03:23 175616 ----a-w- C:\Windows\System32\msclmd.dll
    2012-09-04 18:03:23 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
    .
    ============= FINISH: 9:38:26.06 ===============

    and Attach.txt

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 9/4/2012 12:29:30 PM
    System Uptime: 9/26/2012 2:18:18 AM (55 hours ago)
    .
    Motherboard: Gigabyte Technology Co., Ltd. | | GA-MA790X-UD4P
    Processor: AMD Phenom(tm) II X3 710 Processor | Socket M2 | 2600/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 233 GiB total, 118.589 GiB free.
    D: is CDROM (CDFS)
    E: is FIXED (NTFS) - 233 GiB total, 179.226 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    No restore point in system.
    .
    ==== Installed Programs ======================
    .
    «Sigerous Mod v2.2»
    Adobe Flash Player 11 Plugin
    Adobe Reader 9.3
    AMD USB Filter Driver
    avast! Free Antivirus
    CPU-Control
    DS2 All*Saves v2
    Dungeon Siege 2
    Google Talk (remove only)
    Gothic III
    Malwarebytes Anti-Malware version 1.65.0.1400
    Microsoft Game Studios Common Redistributables Pack 1
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    Microsoft XML Parser
    Mozilla Firefox 14.0.1 (x86 en-US)
    Notepad++
    NVIDIA PhysX
    NVIDIA Stereoscopic 3D Driver
    Realtek Ethernet Controller Driver
    Realtek High Definition Audio Driver
    S.T.A.L.K.E.R. - Call of Pripyat [v1.6.02]
    Supreme Commander
    The Witcher 2 Enhanced Edition version 3.0
    Vampire - The Masquerade Bloodlines
    Winamp
    Winamp Detector Plug-in
    .
    ==== Event Viewer Messages From Past Week ========
    .
    9/26/2012 3:36:22 AM, Error: Service Control Manager [7000] - The lirsgt service failed to start due to the following error: Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
    9/26/2012 3:36:22 AM, Error: Service Control Manager [7000] - The atksgt service failed to start due to the following error: Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
    9/25/2012 2:34:55 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
    9/25/2012 2:34:55 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    9/25/2012 2:34:55 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    9/25/2012 2:34:54 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    9/25/2012 2:34:54 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    9/25/2012 2:34:53 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    9/25/2012 2:34:48 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    9/25/2012 2:34:41 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC discache NetBIOS NetBT nsiproxy Psched rdbss spldr tdx Wanarpv6 WfpLwf
    9/25/2012 2:34:41 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    9/25/2012 2:34:41 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    9/25/2012 2:34:41 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    9/25/2012 2:34:41 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    9/25/2012 2:34:41 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    9/25/2012 2:34:41 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
    9/25/2012 2:34:41 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    9/25/2012 2:34:41 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    9/25/2012 2:34:41 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    9/25/2012 2:34:41 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    9/22/2012 3:02:50 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
    9/22/2012 3:02:50 AM, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    9/22/2012 3:02:50 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    9/22/2012 3:02:41 AM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
    9/22/2012 3:02:41 AM, Error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error %%-1073473535.
    .
    ==== End Of File ===========================

    My goal is just to make sure it's safe for me to back up my private files so I can reformat. I have no intention of leaving this computer un-formatted even if it is clean and safe to use.

    Thanks for any help! Cheers!
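Added example (not from the thread, nor from Malwarebytes or DDS): a small Python triage pass over constructed sample lines modelled on the MBAM Run-key detection and the DDS "uRun/mRun" and "mPolicies-system" entries quoted above. It flags autostart targets that live in user-writable directories (such as the Temp DLL that was quarantined) and UAC policy values that weaken elevation prompts; the directory markers and the policy expectations are my assumptions, not rules from either tool.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines, modelled on the log excerpts in the first post.
SAMPLE_LINES = [
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run| (Exploit.Drop.GS) -> Data: C:\Users\Adam\AppData\Local\Temp\wpbt0.dll -> Quarantined and deleted successfully.",
    r"uRun: [ISUSPM Startup] C:\PROGRA~2\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup",
    r'mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui',
    r"mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)",
    r"mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)",
    r"mPolicies-system: EnableLUA = 0 (0x0)",
    r"mPolicies-system: PromptOnSecureDesktop = 0 (0x0)",
]

# DDS "Pseudo HJT" autostart lines: uRun / mRun / mRun-x64, etc.
AUTORUN_RE = re.compile(r"^[umd]Run(?:-x64)?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# MBAM registry-value detection lines for a Run key.
MBAM_RUN_RE = re.compile(
    r"^(?P<key>HK(?:CU|LM)\\.*\\Run)\| \((?P<det>[^)]+)\) -> Data: (?P<cmd>.+?) -> (?P<action>.+)$"
)
# DDS machine-policy lines, e.g. "mPolicies-system: EnableLUA = 0 (0x0)".
POLICY_RE = re.compile(r"^mPolicies-system: (?P<name>\w+) = (?P<val>\d+) \(0x[0-9a-fA-F]+\)$")

PATH_QUOTED_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"')
PATH_BARE_RE = re.compile(r"[A-Za-z]:\\\S+")

# Assumed set of locations any user account can write to; an autostart that
# points into one of these deserves a second look.
USER_WRITABLE_MARKERS = (
    "\\appdata\\local\\temp\\",
    "\\windows\\temp\\",
    "\\temp\\",
    "\\appdata\\roaming\\",
    "\\users\\public\\",
)

# Assumed "weak" values for the UAC policies DDS reports; a value of 0 for
# any of these turns off or silences elevation prompting.
WEAK_UAC = {
    "EnableLUA": ({"0"}, "UAC disabled: admin processes run fully elevated without prompting"),
    "ConsentPromptBehaviorAdmin": ({"0"}, "administrators elevate without any prompt"),
    "PromptOnSecureDesktop": ({"0"}, "elevation prompts are not shown on the secure desktop"),
}


def extract_path(cmd: str) -> Optional[str]:
    """Pull the executable/DLL path out of an autostart command line.
    Quoted paths (which may contain spaces) win over bare ones."""
    quoted = PATH_QUOTED_RE.search(cmd)
    if quoted:
        return quoted.group(1)
    bare = PATH_BARE_RE.search(cmd)
    return bare.group(0) if bare else None


def is_user_writable(path: str) -> bool:
    """True when the path sits under one of the assumed user-writable markers."""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def triage(lines: List[str]) -> Dict[str, List[Dict[str, str]]]:
    """Scan log lines and collect suspicious autostarts and weakened UAC policies."""
    findings: Dict[str, List[Dict[str, str]]] = {"suspicious_autostarts": [], "weak_uac": []}
    for raw in lines:
        line = raw.strip()
        run = AUTORUN_RE.match(line) or MBAM_RUN_RE.match(line)
        if run:
            path = extract_path(run.group("cmd"))
            if path and is_user_writable(path):
                groups = run.groupdict()
                findings["suspicious_autostarts"].append({
                    "entry": groups.get("name") or groups.get("key") or "",
                    "path": path,
                    "reason": "autostart target lives in a user-writable location",
                })
            continue
        policy = POLICY_RE.match(line)
        if policy and policy.group("name") in WEAK_UAC:
            bad_values, why = WEAK_UAC[policy.group("name")]
            if policy.group("val") in bad_values:
                findings["weak_uac"].append({
                    "policy": policy.group("name"),
                    "value": policy.group("val"),
                    "reason": why,
                })
    return findings


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LINES).items():
        print(category)
        for item in items:
            print("  ", item)
```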
  2. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, and welcome to TechSpot.


    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic you were helped.
    • We try our best to reply quickly, but if for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.
    Also, include this scan:

    Download AdwCleaner by Xplode onto your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Delete.
    • A logfile will automatically open after the scan has finished.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.
  3. ryhalt

    ryhalt Newcomer, in training Topic Starter

    Aye aye captain!

    # AdwCleaner v2.003 - Logfile created 09/28/2012 at 21:13:01
    # Updated 23/09/2012 by Xplode
    # Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
    # User : Adam - BALEFIRE
    # Boot Mode : Normal
    # Running from : C:\Users\Adam\Downloads\adwcleaner.exe
    # Option [Delete]


    ***** [Services] *****


    ***** [Files / Folders] *****


    ***** [Registry] *****


    ***** [Internet Browsers] *****

    -\\ Internet Explorer v8.0.7601.17514

    Restored : [HKCU\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-21-335754449-4038889276-93798832-1002\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

    -\\ Mozilla Firefox v14.0.1 (en-US)

    Profile name : default
    File : C:\Users\Adam\AppData\Roaming\Mozilla\Firefox\Profiles\hxb1rxwl.default\prefs.js

    [OK] File is clean.

    *************************

    AdwCleaner[R1].txt - [820 octets] - [28/09/2012 21:12:02]
    AdwCleaner[S1].txt - [1226 octets] - [28/09/2012 21:13:01]

    ########## EOF - C:\AdwCleaner[S1].txt - [1286 octets] ##########
  4. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Scan for malware

    Please download and run TDSSKiller to your desktop as outlined below:

    Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

    For Windows XP, double-click to start.
    For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.


    -------------------------

    Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.


    ------------------------

    Click the Start Scan button.


    -----------------------

    If a suspicious object is detected, the default action will be Skip; click on Continue.
    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.



    ----------------------

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.




    --------------------

    A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.
    Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

    -------------------

    Here's a summary of what to do if you would like to print it out:

    If a suspicious object is detected, the default action will be Skip; click on Continue.
    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.


    ===================================

    Please download Malwarebytes Anti-Malware from HERE.


    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this will cause the infection to still be active on the computer.
    • Please save the log to a location you will remember.
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
    • Copy and paste the entire report in your next reply.
  5. ryhalt

    ryhalt Newcomer, in training Topic Starter

    TDSSKiller Log is attached (too many characters to copy & paste) as per instructions.

    Here is the Malwarebytes Log

    Malwarebytes Anti-Malware 1.65.0.1400
    www.malwarebytes.org

    Database version: v2012.09.29.03

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 8.0.7601.17514
    Adam :: BALEFIRE [administrator]

    9/29/2012 3:15:03 PM
    mbam-log-2012-09-29 (15-15-03).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 212582
    Time elapsed: 1 minute(s), 50 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

    Attached Files:

  6. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so and install it.
    • Click Start or wait for the scanner to load.
    • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, there are a couple of things to keep in mind:
      1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
      2. If threats WERE detected, click on List of Threats Found, then Export to Text File... and save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark next to Uninstall Application on Close and then close the window.
    • Open the logfile from wherever you saved it
    • Copy and paste the contents in your next reply.

    Any more issues?

    We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

    Many of the things to note for us would be:

    • Slow computer
    • Error messages
    • Fake antivirus alerts or the icon in the system tray
    • svchost.exe running at 100%
    • System crashes or blue screen of death
  7. ryhalt

    ryhalt Newcomer, in training Topic Starter

    I'm trying to run the ESET online scanner but the virus database update keeps failing with "Unexpected Error 2002". I have avast! disabled while I'm trying to run it so I'll keep trying until told otherwise.

    I haven't really tried using my computer much since I got hit by the malware, so I can't really comment on it running slower, but I haven't had any of the other things listed; the .dll message I had when I first got it went away after the very first Malwarebytes scan I ran (my first post).

    I have a quick question though: the USB drive I connected to my computer to transfer the avast! installer onto it (after the first Malwarebytes scan), should I worry about it being infected by anything?
  8. ryhalt

    ryhalt Newcomer, in training Topic Starter

    Sorry for double post, can't seem to find an edit button.

    Got ESET to update after I disabled Windows Defender (dunno how it got turned on); its scan came up clean with nothing found.
  9. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    It shouldn't be infected, no.

    Clean up System Restore

    Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

    To manually create a new Restore Point
    • Go to Control Panel and select System and Maintenance
    • Select System
    • On the left select Advanced System Settings and accept the warning if you get one
    • Select System Protection Tab
    • Select Create at the bottom
    • Type in a name, e.g. Clean
    • Select Create
    Now we can purge the infected ones:
    • Go back to the System and Maintenance page
    • Select Performance Information and Tools
    • On the left select Open Disk Cleanup
    • Select Files from all users and accept the warning if you get one
    • In the drop-down box select your main drive, e.g. C
    • For a few moments the system will make some calculations:
    • Select the More Options tab
    • In the System Restore and Shadow Backups select Clean up
    • Select Delete on the pop up
    • Select OK
    • Select Delete
    Run OTC to remove our tools

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC.exe by OldTimer:
    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the programs we have used) hasn't been deleted, please delete it manually.

    Purge old temporary files

    Download CCleaner Slim and save it to your Desktop - Alternate download link

    When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
    Follow the prompts to install the program.

    * Double-click the CCleaner shortcut on the desktop to start the program.
    * Click on the Options block on the left, then choose Cookies.
    * Under Cookies to Delete, highlight any cookies you would like to retain permanently
    * Click the right arrow > to move them to the Cookies to Keep window.
    * Go into Options > Advanced and uncheck Only delete files in Windows Temp folders older than 48 hours
    * Click Cleaner on the left then Run Cleaner on the right to run the program.
    * Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

    Caution: Only use the Registry feature if you are very familiar with the registry.
    Always back up your registry before making any changes. Exit CCleaner after it has completed its process.

    Security Check

    Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
  10. ryhalt

    ryhalt Newcomer, in training Topic Starter

    Done and done.

    Results of screen317's Security Check version 0.99.51
    Windows 7 Service Pack 1 x64 (UAC is disabled!)
    Internet Explorer 8 Out of date!
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    Windows Firewall Disabled!
    avast! Antivirus
    Antivirus up to date! (On Access scanning disabled!)
    `````````Anti-malware/Other Utilities Check:`````````
    Malwarebytes Anti-Malware version 1.65.0.1400
    Adobe Flash Player 11.4.402.265
    Adobe Reader 9 Adobe Reader out of Date!
    Mozilla Firefox 14.0.1 Firefox out of Date!
    ````````Process Check: objlist.exe by Laurent````````
    AVAST Software Avast AvastSvc.exe
    AVAST Software Avast AvastUI.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 0%
    ````````````````````End of Log``````````````````````
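An added check script, not part of this thread or of any tool it names, that re-verifies from PowerShell the items the Security Check log above flagged (UAC off, contradictory firewall state, on-access scanning off), lists executable files left in the user's Temp folder, and creates the "Clean" restore point the System Protection steps earlier in the thread make through the GUI. It assumes Windows 7 with PowerShell 2.0 run as Administrator; the registry path, WMI class and cmdlets are standard Windows ones.

```powershell
# Added example (not from this thread): re-check the Security Check findings and take
# a fresh restore point from an elevated PowerShell prompt.
# Assumptions: Windows 7 with PowerShell 2.0, run as Administrator.

# 1. UAC. EnableLUA = 1 means UAC is on; the log above reported it disabled.
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ($pol.EnableLUA -eq 1) { 'UAC: enabled' }
else { 'UAC: DISABLED - turn it back on (Control Panel > User Accounts) and reboot' }

# 2. Windows Firewall, one line per profile. The log printed both "Enabled!" and
#    "Disabled!", which normally means the Domain/Private/Public profiles disagree.
netsh advfirewall show allprofiles state

# 3. Antivirus products registered with Security Center. productState is a bit field:
#    bits 8-15 equal 0x10 when real-time ("on access") scanning is on, 0x00 when it is off.
Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct | ForEach-Object {
    $onAccess = (($_.productState -band 0xFF00) -eq 0x1000)
    "{0}: on-access scanning {1}" -f $_.displayName, $(if ($onAccess) { 'ON' } else { 'OFF' })
}

# 4. DLL/EXE files sitting in the user's Temp folder, a common drop location for this
#    kind of infection. Anything new here deserves a look (or a fresh scan) before you
#    trust the machine again.
Get-ChildItem -Path $env:TEMP -Recurse -Include '*.dll','*.exe' -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime, Length

# 5. Restore point named "Clean", then list what exists. Purging the older points still
#    goes through Disk Cleanup > More Options as described earlier in the thread.
Checkpoint-Computer -Description 'Clean' -RestorePointType 'MODIFY_SETTINGS'
Get-ComputerRestorePoint | Format-Table SequenceNumber, Description, RestorePointType -AutoSize
```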
  11. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Adobe Reader Update!

    Please download the newest version of Adobe Acrobat Reader from Adobe.com

    Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
    Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
    Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

    Once old versions are gone, please install the newest version.

    Firefox update
    Firefox is out of date. Firefox is a very popular web browser, and if it is out of date, it is very vulnerable to security bugs, and other holes. To update it now, click Help > About Firefox > Check for Updates.

    Personal Tips on Preventing Malware

    See this page for more info about malware and prevention.

    Any other questions before I mark this topic solved?
  12. ryhalt

    ryhalt Newcomer, in training Topic Starter

    I will get those programs updated ASAP.

    I wish I had another question to ask, I feel like I should have one but for the life of me I cannot think of one so I suppose I don't. I'm going to backup my personal files and format my hard drives just to give myself a little extra peace of mind.

    Thank you very much for your time and help, sorry for not getting back to you faster on a couple of your replies.
  13. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    That's fine. PM me for any more questions, glad to help. :)

    Topic marked solved.