Hi
The computer of one of my children has gone very slow and displays pages with sections out of place.
I ran Eset and it crashed 25% through. Then I ran Malwarebytes and it found some 50-odd PUPs. I ran Eset again: it found 3 PUPs but did not get rid of them; on a 3rd try it hung after finding the same 3 PUPs, all 3 to do with
C:\Program Files\Mobogenie\DaemonProcess.exe a variant of Win32/Mobogenie.A potentially unwanted application
Now I ran GMER and it crashed before finishing.
I am pasting the dds.txt and attaching the attach.txt.
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 11.0.9600.17041 BrowserJavaVersion: 10.25.2
Run by Katerina at 11:31:57 on 2014-05-09
Microsoft Windows 7 Starter 6.1.7601.1.1252.44.2070.18.2011.830 [GMT 2:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_5576240ee6baaa25\STacSV.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_5576240ee6baaa25\aestsrv.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\MyPC Backup\BackupStack.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\SPLASH.SYS\config\DVMExportService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Mobogenie\DaemonProcess.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Users\Katerina\AppData\Local\Akamai\netsession_win.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Users\Katerina\AppData\Local\Akamai\netsession_win.exe
C:\Program Files\MyPC Backup\MyPC Backup.exe
C:\Program Files\Hewlett-Packard\Shared\hpqToaster.exe
C:\Program Files\Hewlett-Packard\HP Support Framework\hpsa_service.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe
C:\Windows\system32\conhost.exe
C:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_13_0_0_206_ActiveX.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Mobogenie\mgusb.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k SDRSVC
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: {ff19b72a-36ed-4066-8865-a580ae938cce} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: ArcPluginIEBHO Class: {84BFE29A-8139-402a-B2A4-C23AE9E1A75F} - c:\program files\perfect world entertainment\arc\plugins\ArcPluginIE.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows 7 Starter Helper: {D381FF29-7CFB-4D4E-B92A-C4EDDC696614} - c:\program files\oceanis\systemsetting\StarterHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: HP Network Check Helper: {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - c:\program files\hewlett-packard\hp support framework\resources\hpnetworkcheck\HPNetworkCheckPlugin.dll
uRun: [Akamai NetSession Interface] "c:\users\katerina\appdata\local\akamai\netsession_win.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
mRun: [WirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [DivXMediaServer] c:\program files\divx\divx media server\DivXMediaServer.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [mobilegeni daemon] c:\program files\mobogenie\DaemonProcess.exe
mRun: [NCUpdateHelper] c:\program files\ncwest\nclauncher\NCUpdateHelper.exe
mRunOnce: [NCPluginUpdater] "c:\program files\hewlett-packard\hp health check\activecheck\product_line\NCPluginUpdater.exe" Update
StartupFolder: c:\users\katerina\appdata\roaming\micros~1\windows\startm~1\programs\startup\mypcba~1.lnk - c:\program files\mypc backup\MyPC Backup.exe
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office11\EXCEL.EXE/3000
IE: E&xportar para o Microsoft Excel - c:\progra~1\mif5ba~1\office12\EXCEL.EXE/3000
IE: Visit in &3D using ExitReality - ExitReality
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {25510184-5A38-4A99-B273-DCA8EEF6CD08} - c:\program files\hewlett-packard\hp support framework\resources\hpnetworkcheck\NCLauncherFromIE.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
Trusted Zone: aeriagames.com
Trusted Zone: aeriagames.com
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Virtual%20Families/Images/stg_drm.ocx
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {924B4927-D3BA-41EA-9F7E-8A89194AB3AC} - hxxp://panda-plugin.disney.go.com/plugin/win32/p3dactivex.cab
DPF: {C345E174-3E87-4F41-A01C-B066A90A49B4} - hxxp://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework//microsoft/wrc32.ocx
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Virtual%20Families/Images/armhelper.ocx
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{0A5D503A-D8C4-4484-B5B5-F1F19A879051} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{0A5D503A-D8C4-4484-B5B5-F1F19A879051}\1456E616F5B4572696 : DHCPNameServer = 10.81.224.1
TCP: Interfaces\{0A5D503A-D8C4-4484-B5B5-F1F19A879051}\2656C6B696E6E233369346 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{0A5D503A-D8C4-4484-B5B5-F1F19A879051}\354534 : DHCPNameServer = 195.46.116.1 195.46.96.1
TCP: Interfaces\{0A5D503A-D8C4-4484-B5B5-F1F19A879051}\E4544574541425 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{0A5D503A-D8C4-4484-B5B5-F1F19A879051}\F45696271637 : DHCPNameServer = 192.168.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\34.0.1847.131\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\katerina\appdata\roaming\mozilla\firefox\profiles\1x9iu66r.default\
FF - prefs.js: browser.search.selectedEngine -
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.3.23.9\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\perfect world entertainment\arc\plugins\npArcPluginFF.dll
FF - plugin: c:\program files\wildtangent games\app\browserintegration\registered\1\NP_wtapp.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1166636.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_13_0_0_206.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
FF - ExtSQL: 2014-04-29 11:20; ffxtlbr@ividi.com; c:\users\katerina\appdata\roaming\mozilla\firefox\profiles\1x9iu66r.default\extensions\ffxtlbr@ividi.com
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.delta.tlbrSrchUrl -
FF - user.js: extensions.delta.id - fe41dc7c000000000000c417fe86d979
FF - user.js: extensions.delta.appId - {C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
FF - user.js: extensions.delta.instlDay - 15857
FF - user.js: extensions.delta.vrsn - 1.8.21.5
FF - user.js: extensions.delta.vrsni - 1.8.21.5
FF - user.js: extensions.delta.vrsnTs - 1.8.21.522:01:22
FF - user.js: extensions.delta.prtnrId - delta
FF - user.js: extensions.delta.prdct - delta
FF - user.js: extensions.delta.aflt - babsst
FF - user.js: extensions.delta.smplGrp - none
FF - user.js: extensions.delta.tlbrId - base
FF - user.js: extensions.delta.instlRef - sst
FF - user.js: extensions.delta.dfltLng - en
FF - user.js: extensions.delta.excTlbr - false
FF - user.js: extensions.delta.ffxUnstlRst - true
FF - user.js: extensions.delta.admin - false
FF - user.js: extensions.delta_i.babTrack - affID=119779&tt=gc_
FF - user.js: extensions.delta_i.babExt -
FF - user.js: extensions.delta_i.srcExt - ss
FF - user.js: extensions.delta.autoRvrt - false
FF - user.js: extensions.delta.rvrt - false
FF - user.js: extensions.delta.newTab - false
.
FF - user.js: extensions.ividi.tlbrSrchUrl - hxxp://search.ividi.org/?src=tbsp&id=fe41dc7c000000000000c417fe86d979&affilt=3&q=
FF - user.js: extensions.ividi.id - fe41dc7c000000000000c417fe86d979
FF - user.js: extensions.ividi.appId - {685F23D9-FCFD-475C-B56A-362645945C5A}
FF - user.js: extensions.ividi.instlDay - 15985
FF - user.js: extensions.ividi.vrsn - 1.8.23.0
FF - user.js: extensions.ividi.vrsni - 1.8.23.0
FF - user.js: extensions.ividi.vrsnTs - 1.8.23.021:40:55
FF - user.js: extensions.ividi.prtnrId - ividi
FF - user.js: extensions.ividi.prdct - ividi
FF - user.js: extensions.ividi.aflt - 3
FF - user.js: extensions.ividi.smplGrp - none
FF - user.js: extensions.ividi.tlbrId - base
FF - user.js: extensions.ividi.instlRef -
FF - user.js: extensions.ividi.dfltLng -
FF - user.js: extensions.ividi.excTlbr - true
FF - user.js: extensions.ividi.ffxUnstlRst - false
FF - user.js: extensions.ividi.admin - false
FF - user.js: extensions.ividi.autoRvrt - false
FF - user.js: extensions.ividi.rvrt - false
FF - user.js: extensions.ividi.newTab - false
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2014-1-25 231960]
R1 DVMIO;DVMIO;c:\splash.sys\config\dvmio.sys [2009-9-29 17624]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-2-17 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67664]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_x86_neutral_5576240ee6baaa25\AEstSrv.exe [2010-2-5 81920]
R2 BackupStack;Computer Backup (MyPC Backup);c:\program files\mypc backup\BackupStack.exe [2013-9-20 38440]
R2 DvmMDES;DeviceVM Meta Data Export Service;c:\splash.sys\config\DVMExportService.exe [2009-7-8 323584]
R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files\hewlett-packard\hp support framework\HPSA_Service.exe [2013-11-4 92160]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 104264]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2009-12-13 228408]
R3 NisSrv;Inspeção de Rede da Microsoft;c:\program files\microsoft security client\NisSrv.exe [2014-3-11 279776]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S3 ArcService;Arc Service;c:\program files\perfect world entertainment\arc\ArcService.exe [2014-1-24 88400]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 GamesAppIntegrationService;GamesAppIntegrationService;c:\program files\wildtangent games\app\GamesAppIntegrationService.exe [2013-11-9 227936]
S3 GamesAppService;GamesAppService;c:\program files\wildtangent games\app\GamesAppService.exe [2010-10-12 206072]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\ieetwcollector.exe [2014-4-23 108032]
S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-12-9 14848]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2010-2-5 174592]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-2-5 204288]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-14 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-14 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-14 661504]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2012-12-9 49664]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-7-14 311296]
.
=============== Created Last 30 ================
.
2014-05-08 19:50:13 765968 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{8da771fd-7595-41a9-b6d1-c70069b6a404}\gapaengine.dll
2014-05-08 19:47:41 8050496 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{ed9bc70f-5afb-496a-b116-30a4b48131ac}\mpengine.dll
2014-05-08 17:17:52 -------- d-----w- c:\program files\ESET
2014-05-08 16:53:32 -------- d-sh--w- c:\users\katerina\appdata\local\EmieUserList
2014-05-08 16:53:32 -------- d-sh--w- c:\users\katerina\appdata\local\EmieSiteList
2014-05-07 19:37:34 8050496 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2014-05-03 08:28:17 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2014-05-02 09:03:20 -------- d-s---w- c:\windows\system32\CompatTel
2014-04-30 08:02:39 361984 ----a-w- c:\windows\system32\aepdu.dll
2014-04-30 08:02:39 302592 ----a-w- c:\windows\system32\aeinv.dll
2014-04-27 12:52:50 -------- d-----w- c:\program files\SubaGames
2014-04-23 07:29:28 455168 ----a-w- c:\windows\system32\vbscript.dll
2014-04-23 07:29:26 257536 ----a-w- c:\program files\internet explorer\IEShims.dll
2014-04-23 07:29:00 235216 ----a-w- c:\program files\internet explorer\sqmapi.dll
2014-04-23 07:28:15 271360 ----a-w- c:\program files\internet explorer\ieproxy.dll
2014-04-23 07:28:13 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll
2014-04-23 07:28:12 37888 ----a-w- c:\program files\internet explorer\DiagnosticsHub_is.dll
2014-04-23 07:27:17 112128 ----a-w- c:\windows\system32\ieUnatt.exe
2014-04-23 07:27:15 61952 ----a-w- c:\windows\system32\iesetup.dll
2014-04-23 07:27:05 32256 ----a-w- c:\windows\system32\JavaScriptCollectionAgent.dll
2014-04-23 07:27:01 592896 ----a-w- c:\windows\system32\jscript9diag.dll
2014-04-23 07:27:00 51200 ----a-w- c:\windows\system32\ieetwproxystub.dll
2014-04-23 07:25:56 4254720 ----a-w- c:\windows\system32\jscript9.dll
2014-04-09 09:50:49 27072 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2014-04-09 09:50:49 234432 ----a-w- c:\windows\system32\drivers\msiscsi.sys
2014-04-09 09:50:49 149440 ----a-w- c:\windows\system32\drivers\storport.sys
2014-04-09 09:50:48 2048 ----a-w- c:\windows\system32\iologmsg.dll
2014-04-09 09:50:40 1212352 ----a-w- c:\windows\system32\drivers\ntfs.sys
.
==================== Find3M ====================
.
2014-04-28 20:41:56 692400 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-04-28 20:41:55 70832 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-03-11 07:52:30 104264 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2014-03-06 07:38:10 108032 ----a-w- c:\windows\system32\ieetwcollector.exe
2014-03-06 07:28:01 646144 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2014-03-06 06:40:39 1967104 ----a-w- c:\windows\system32\inetcpl.cpl
2014-03-06 05:41:49 1789440 ----a-w- c:\windows\system32\wininet.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, GMER - Rootkit Detector and Remover
Windows 6.1.7601 Disk: TOSHIBA_ rev.LH00 -> Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: >>UNKNOWN [0x81C37000]<< >>UNKNOWN [0x88A48000]<< >>UNKNOWN [0x8990C000]<< >>UNKNOWN [0x888A5000]<< >>UNKNOWN [0x81C00000]<< >>UNKNOWN [0x88C30000]<<
_asm { DEC EBP; POP EDX; NOP ; ADD [EBX], AL; ADD [EAX], AL; ADD [EAX+EAX], AL; ADD [EAX], AL; }
1 ntkrnlpa!IofCallDriver[0x81C6DBBA] -> \Device\Harddisk0\DR0[0x85F8F030]
\Driver\Disk[0x85F8EB90] -> IRP_MJ_CREATE -> 0x88A4C39F
3 [0x88A4C59E] -> ntkrnlpa!IofCallDriver[0x81C6DBBA] -> [0x85528958]
\Driver\ACPI[0x848867A0] -> IRP_MJ_CREATE -> 0x888AE4CC
5 [0x888AE3D4] -> ntkrnlpa!IofCallDriver[0x81C6DBBA] -> \Device\Ide\IAAStorageDevice-0[0x8552C028]
\Driver\iaStor[0x855163C0] -> IRP_MJ_CREATE -> 0x88C7492E
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; MOV ES, AX; MOV DS, AX; MOV SI, SP; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; JMP FAR 0x0:0x660; }
user & kernel MBR OK
copy of MBR has been found in sector 2 !
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 11:35:11.40 ===============
FF - user.js: extensions.ividi.admin - false
FF - user.js: extensions.ividi.autoRvrt - false
FF - user.js: extensions.ividi.rvrt - false
FF - user.js: extensions.ividi.newTab - false
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2014-1-25 231960]
R1 DVMIO;DVMIO;c:\splash.sys\config\dvmio.sys [2009-9-29 17624]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-2-17 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67664]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_x86_neutral_5576240ee6baaa25\AEstSrv.exe [2010-2-5 81920]
R2 BackupStack;Computer Backup (MyPC Backup);c:\program files\mypc backup\BackupStack.exe [2013-9-20 38440]
R2 DvmMDES;DeviceVM Meta Data Export Service;c:\splash.sys\config\DVMExportService.exe [2009-7-8 323584]
R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files\hewlett-packard\hp support framework\HPSA_Service.exe [2013-11-4 92160]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 104264]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2009-12-13 228408]
R3 NisSrv;Inspeção de Rede da Microsoft;c:\program files\microsoft security client\NisSrv.exe [2014-3-11 279776]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S3 ArcService;Arc Service;c:\program files\perfect world entertainment\arc\ArcService.exe [2014-1-24 88400]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 GamesAppIntegrationService;GamesAppIntegrationService;c:\program files\wildtangent games\app\GamesAppIntegrationService.exe [2013-11-9 227936]
S3 GamesAppService;GamesAppService;c:\program files\wildtangent games\app\GamesAppService.exe [2010-10-12 206072]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\ieetwcollector.exe [2014-4-23 108032]
S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-12-9 14848]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2010-2-5 174592]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-2-5 204288]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-14 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-14 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-14 661504]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2012-12-9 49664]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-7-14 311296]
.
=============== Created Last 30 ================
.
2014-05-08 19:50:13 765968 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{8da771fd-7595-41a9-b6d1-c70069b6a404}\gapaengine.dll
2014-05-08 19:47:41 8050496 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{ed9bc70f-5afb-496a-b116-30a4b48131ac}\mpengine.dll
2014-05-08 17:17:52 -------- d-----w- c:\program files\ESET
2014-05-08 16:53:32 -------- d-sh--w- c:\users\katerina\appdata\local\EmieUserList
2014-05-08 16:53:32 -------- d-sh--w- c:\users\katerina\appdata\local\EmieSiteList
2014-05-07 19:37:34 8050496 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2014-05-03 08:28:17 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2014-05-02 09:03:20 -------- d-s---w- c:\windows\system32\CompatTel
2014-04-30 08:02:39 361984 ----a-w- c:\windows\system32\aepdu.dll
2014-04-30 08:02:39 302592 ----a-w- c:\windows\system32\aeinv.dll
2014-04-27 12:52:50 -------- d-----w- c:\program files\SubaGames
2014-04-23 07:29:28 455168 ----a-w- c:\windows\system32\vbscript.dll
2014-04-23 07:29:26 257536 ----a-w- c:\program files\internet explorer\IEShims.dll
2014-04-23 07:29:00 235216 ----a-w- c:\program files\internet explorer\sqmapi.dll
2014-04-23 07:28:15 271360 ----a-w- c:\program files\internet explorer\ieproxy.dll
2014-04-23 07:28:13 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll
2014-04-23 07:28:12 37888 ----a-w- c:\program files\internet explorer\DiagnosticsHub_is.dll
2014-04-23 07:27:17 112128 ----a-w- c:\windows\system32\ieUnatt.exe
2014-04-23 07:27:15 61952 ----a-w- c:\windows\system32\iesetup.dll
2014-04-23 07:27:05 32256 ----a-w- c:\windows\system32\JavaScriptCollectionAgent.dll
2014-04-23 07:27:01 592896 ----a-w- c:\windows\system32\jscript9diag.dll
2014-04-23 07:27:00 51200 ----a-w- c:\windows\system32\ieetwproxystub.dll
2014-04-23 07:25:56 4254720 ----a-w- c:\windows\system32\jscript9.dll
2014-04-09 09:50:49 27072 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2014-04-09 09:50:49 234432 ----a-w- c:\windows\system32\drivers\msiscsi.sys
2014-04-09 09:50:49 149440 ----a-w- c:\windows\system32\drivers\storport.sys
2014-04-09 09:50:48 2048 ----a-w- c:\windows\system32\iologmsg.dll
2014-04-09 09:50:40 1212352 ----a-w- c:\windows\system32\drivers\ntfs.sys
.
==================== Find3M ====================
.
2014-04-28 20:41:56 692400 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-04-28 20:41:55 70832 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-03-11 07:52:30 104264 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2014-03-06 07:38:10 108032 ----a-w- c:\windows\system32\ieetwcollector.exe
2014-03-06 07:28:01 646144 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2014-03-06 06:40:39 1967104 ----a-w- c:\windows\system32\inetcpl.cpl
2014-03-06 05:41:49 1789440 ----a-w- c:\windows\system32\wininet.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, GMER - Rootkit Detector and Remover
Windows 6.1.7601 Disk: TOSHIBA_ rev.LH00 -> Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: >>UNKNOWN [0x81C37000]<< >>UNKNOWN [0x88A48000]<< >>UNKNOWN [0x8990C000]<< >>UNKNOWN [0x888A5000]<< >>UNKNOWN [0x81C00000]<< >>UNKNOWN [0x88C30000]<<
_asm { DEC EBP; POP EDX; NOP ; ADD [EBX], AL; ADD [EAX], AL; ADD [EAX+EAX], AL; ADD [EAX], AL; }
1 ntkrnlpa!IofCallDriver[0x81C6DBBA] -> \Device\Harddisk0\DR0[0x85F8F030]
\Driver\Disk[0x85F8EB90] -> IRP_MJ_CREATE -> 0x88A4C39F
3 [0x88A4C59E] -> ntkrnlpa!IofCallDriver[0x81C6DBBA] -> [0x85528958]
\Driver\ACPI[0x848867A0] -> IRP_MJ_CREATE -> 0x888AE4CC
5 [0x888AE3D4] -> ntkrnlpa!IofCallDriver[0x81C6DBBA] -> \Device\Ide\IAAStorageDevice-0[0x8552C028]
\Driver\iaStor[0x855163C0] -> IRP_MJ_CREATE -> 0x88C7492E
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; MOV ES, AX; MOV DS, AX; MOV SI, SP; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; JMP FAR 0x0:0x660; }
user & kernel MBR OK
copy of MBR has been found in sector 2 !
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 11:35:11.40 ===============