TrojanDownloader:Win32/AdLoad.DA virus

[s.winter]

hi :
I need a serious help, its been 2 days that my windows7 shows the message "Remove the TrojanDownloader:Win32/AdLoad.DA virus" in my action center.

till now I tried scanning my computer by "TDSSKiller" , "Malwarebytes Anti-Malware" and "HitmanPro" but non of them detect or delete this Trojan and the message is still in my action center.
I have ESET Nod32 antivirus on my system, I always update it. even scanning with Nod32 and Nod32 online scan didn't find this trojan.

I'm desperate, can anyone please help me ? what should I do ?

[Will Watts]

Hello and Welcome to TSF.

Before we can begin, we need to see some logs to help us diagnose and remove the problem. Please follow the instructions outlined below.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

We want all our members to perform the steps outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help - Tech Support Forum

After running through all the steps, you shall have a proper set of logs. Please post/attach the logs in your next reply.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

------------------------------------------------------

[s.winter]

thanks ,here is my DDS content


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7600.16385
Run by sonia at 14:31:00 on 2012-06-16
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2743.1538 [GMT 4.5:30]
.
AV: ESET NOD32 Antivirus 4.0 *Enabled/Updated* {CB0F8167-5331-BA19-698E-64816B6801A5}
SP: ESET NOD32 Antivirus 4.0 *Enabled/Updated* {706E6083-750B-B597-533E-5FF310EF4B18}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_f39a6924a795ad94\STacSV.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\vcsFPService.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\DigitalPersona\Bin\DpHostW.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_f39a6924a795ad94\aestsrv.exe
c:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files\GNU\GnuPG\dirmngr.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\alg.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\rundll32.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\STMicroelectronics\AccelerometerP11\FF_Protection.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
C:\Program Files\DigitalPersona\Bin\DpAgent.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\dell\DBRM\Reminder\DbrmTrayicon.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\TortoiseHg\TortoiseHgOverlayServer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\System32\StikyNot.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Users\sonia\AppData\Roaming\Google\Google Talk\googletalk.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Macromed\Flash\FlashUtil10v_ActiveX.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = Preserve
uStart Page = hxxp://yahoo.com/
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SearchPredictObj Class: {389943b0-c3a2-4e69-82cb-8596a84cb3dc} - c:\program files\searchpredict\SearchPredict.dll
BHO: DigitalPersona Fingerprint Software Extension: {395610ae-c624-4f58-b89e-23733ea00f9a} - c:\program files\digitalpersona\bin\DpOtsPluginIe8.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: SBCONVERT Class: {92a9acf4-9333-43ae-9698-db283326f87f} - e:\programfiles\speedbit video downloader\toolbar\tbcore3.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: GrabberObj Class: {ff7c3cf0-4b15-11d1-abed-709549c10000} - e:\programfiles\speedbit video downloader\toolbar\grabber.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: SpeedBit Video Downloader: {0329e7d6-6f54-462d-93f6-f5c3118badf2} - e:\programfiles\speedbit video downloader\toolbar\tbcore3.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [RESTART_STICKY_NOTES] c:\windows\system32\StikyNot.exe
uRun: [googletalk] c:\users\sonia\appdata\roaming\google\google talk\googletalk.exe /autostart
uRun: [Google Update] "c:\users\sonia\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [QuickSet] c:\program files\dell\quickset\QuickSet.exe
mRun: [FreeFallProtection] c:\program files\stmicroelectronics\accelerometerp11\FF_Protection.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Dell Webcam Central] "c:\program files\dell webcam\dell webcam central\WebcamDell2.exe" /mode2
mRun: [DpAgent] c:\program files\digitalpersona\bin\dpagent.exe
mRun: [CloneCDTray] "c:\program files\slysoft\clonecd\CloneCDTray.exe" /s
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [DBRMTray] c:\dell\dbrm\reminder\DbrmTrayIcon.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [TortoiseHgOverlayIconServer] c:\program files\tortoisehg\TortoiseHgOverlayServer.exe
mRun: [OLPSYNCH] e:\programfiles\offline course player\OlpSynch.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRunOnce: [DBRMTray] c:\dell\dbrm\reminder\TrayApp.exe
StartupFolder: c:\users\sonia\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mif5ba~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mif5ba~1\office12\REFIEBAR.DLL
Trusted Zone: Google
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {62FA83F7-20EC-4D62-AC86-BAB705EE1CCD} - hxxp://74.43.219.99/rcm/webcontrols/vnc/viewerx_static.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{E3AE57E6-2547-43A2-9BF5-72599CDB6E51} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{E3AE57E6-2547-43A2-9BF5-72599CDB6E51}\254533035323F51405 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{E3AE57E6-2547-43A2-9BF5-72599CDB6E51}\35D434 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{E3AE57E6-2547-43A2-9BF5-72599CDB6E51}\377686 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{E3AE57E6-2547-43A2-9BF5-72599CDB6E51}\3786162796164797E21636E29627 : DhcpNameServer = 192.168.33.3 192.168.33.2
TCP: Interfaces\{E3AE57E6-2547-43A2-9BF5-72599CDB6E51}\4435C4D22373330355 : DhcpNameServer = 192.168.1.1 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli DPPWDFLT
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\sonia\appdata\roaming\mozilla\firefox\profiles\f6eh07vr.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - prefs.js: network.proxy.ftp - 127.0.0.1
FF - prefs.js: network.proxy.ftp_port - 8580
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 8580
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 8580
FF - prefs.js: network.proxy.ssl - 127.0.0.1
FF - prefs.js: network.proxy.ssl_port - 8580
FF - prefs.js: network.proxy.type - 4
FF - component: e:\programfiles\speedbit video downloader\spfirefox\components\Engine.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPOlp32.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\sonia\appdata\local\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\users\sonia\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\sonia\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: SearchPredict: searchpredict@speedbit.com - c:\program files\searchpredict\PRFireFox
FF - Ext: SPEEDbit Video Downloader: {0329E7D6-6F54-462D-93F6-F5C3118BADF2} - e:\programfiles\speedbit video downloader\SPFireFox
.
============= SERVICES / DRIVERS ===============
.
R0 pavboot;Panda Boot Driver;c:\windows\system32\drivers\pavboot.sys [2012-2-22 28552]
R0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\drivers\stdcfltn.sys [2010-10-27 17648]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_x86_neutral_f39a6924a795ad94\AEstSrv.exe [2010-10-28 81920]
R2 DirMngr;DirMngr;c:\program files\gnu\gnupg\dirmngr.exe [2011-2-4 224256]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-5-14 731840]
R2 epfwwfpr;epfwwfpr;c:\windows\system32\drivers\epfwwfpr.sys [2009-5-14 93312]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-6-14 654408]
R2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files\intel\intel(r) management engine components\uns\UNS.exe [2010-10-27 2320920]
R2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [2010-6-4 1664304]
R3 Acceler;Accelerometer Service;c:\windows\system32\drivers\Accelern.sys [2010-10-27 43888]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2010-10-27 29472]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-10-28 125696]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-6-14 22344]
R3 NdisrdMP;NdisrdMP;c:\windows\system32\drivers\Ndisrd.sys [2012-2-4 22016]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2010-10-28 105576]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-10-28 277536]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-14 14336]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\drivers\CtAudDrv.sys [2010-10-27 134144]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2010-10-27 143968]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-15 129976]
S3 Ndisrd;WinpkFilter Service;c:\windows\system32\drivers\Ndisrd.sys [2012-2-4 22016]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2010-10-28 171520]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]
.
=============== File Associations ===============
.
.txt=emeditor.txt
.
=============== Created Last 30 ================
.
2012-06-13 20:53:16 12872 ----a-w- c:\windows\system32\bootdelete.exe
2012-06-13 20:37:11 -------- d-----w- c:\programdata\HitmanPro
2012-06-13 2022 2342400 ----a-w- c:\windows\system32\win32k.sys
2012-06-13 19:58:16 -------- d-----w- c:\users\sonia\appdata\roaming\Malwarebytes
2012-06-13 19:58:07 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-13 19:58:07 -------- d-----w- c:\programdata\Malwarebytes
2012-06-13 19:58:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-06-13 11:22:35 6737808 ------w- c:\programdata\microsoft\windows defender\definition updates\{c13383aa-c5bb-4c36-aca1-33da459e7473}\mpengine.dll
2012-05-25 09:53:22 -------- d-----w- c:\users\sonia\ShareVirtualBox
2012-05-25 09:28:05 158736 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys
2012-05-25 09:26:35 42960 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys
2012-05-21 13:46:25 -------- d-----w- c:\users\sonia\VirtualBox VMs
2012-05-19 13:29:21 -------- d-----w- c:\users\sonia\.VirtualBox
.
==================== Find3M ====================
.
2012-05-15 03:08:48 981504 ----a-w- c:\windows\system32\wininet.dll
2012-04-20 05:05:47 44544 ----a-w- c:\windows\system32\licmgr10.dll
2012-04-20 03:58:07 386048 ----a-w- c:\windows\system32\html.iec
2012-04-20 03:24:18 1638912 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 14:32:09.19 ===============

[Will Watts]

Hi s.winter,

There isn't much showing in the logs, we'll use Combofix to get a deeper look. Are you experiencing any other symptoms, or just the action center message?

Try to carry out the next set of instructions using Normal mode. If you cannot, be sure to boot into Safe Mode with Networking

**Read through these instructions in their entirety BEFORE executing them.** If you have any questions or are unsure about any of the following instructions PLEASE ASK for clarification before continuing. You may want to copy this page to notepad or print it as it will not be available while you run ComboFix.

1. Download ComboFix from one of these locations:
   
   Link 1
   Link 2
   
   * IMPORTANT !!! Place combofix.exe on your Desktop
   
2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
   
   
   You can get help on disabling your protection programs here
   
   
3. Double click on combofix.exe & follow the prompts.
   
   
4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
   
   
5. When finished, it shall produce a log for you. Post that log in your next reply
   
   
   Note:
   Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
   
   ---------------------------------------------------------------------------------------------
   
   
6. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
   
   ---------------------------------------------------------------------------------------------

[s.winter]

From the time this message appeared in my action center, my ubuntu OS in my "virtual box" doesn't work any more, my computer has halted 1 time,and my explorer.exe stopped working 1 time.

I attached the result of ComboFix.

[s.winter]

Good news
I just updated my system and now the message in the action center is gone .
non of scanning till now have found anything, I don't know how that happened!!!
I don't know if the Trojan is removed completely or not? how can I be sure if it is still in my system or not?

by the way thanks a lot for your help

[Will Watts]

Hi s.winter, apologies for the delay - I was away from my computer for longer than expected.

Combofix detected a couple of malware files, but nothing serious. There is just some cleaning up to do now. There are a couple of proxy settings on your computer, have these been manually set?

Quote:

FF - prefs.js: network.proxy.ftp - 127.0.0.1
FF - prefs.js: network.proxy.ftp_port - 8580
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 8580
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 8580
FF - prefs.js: network.proxy.ssl - 127.0.0.1
FF - prefs.js: network.proxy.ssl_port - 8580
FF - prefs.js: network.proxy.type - 4

Does the computer use any type of proxy to connect to the internet?

Your Java is out of date.

Java(TM) can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts. Let me know if it does not.

Make sure you untick the box next to whatever free program they prompt you to install, unless you want it.

• After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

--------------------------------------

It's important to run an online scan to search for any remnants that may be lurking. Please go to here to run an online scannner from ESET.

• Turn off the real time scanner of any existing antivirus program while performing the online scan
• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Click Start
• Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
• Click on Advanced Settings and ensure these options are ticked:
  • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology
• Click Scan
• Wait for the scan to finish
• If any threats were found, click the 'List of found threats' , then click Export to text file....
• Save it to your desktop, then please copy and paste that log as a reply to this topic.

------------------------------------------------------

[s.winter]

thanks a lot for your reply
most of the times I use proxy to connect to internet, and I set them manually .
I 'm now scanning my computer with Nod32 online scan I'll send the log after its finished.
unfortunately I have problem updating Java, it gives HTTP error 403 and say maybe the problem is with proxy, firewall or ... .

[s.winter]

here is the Log of the Nod32 , I should say that these applications set proxy for browsers to connect to internet.

E:\MyDw\U1015.exe Win32/UltraReach application
E:\MyDw\U1017.exe Win32/UltraReach application
E:\MyDw\U1103.exe Win32/UltraReach application
------------------------------------------------------

[Will Watts]

Hi s.winter,

Manually uninstall Java, and downloading the latest version from here: Java 7.5

How is the computer behaving now? Are there any remaining problems?

[s.winter]

Hi someguy201

Thank you So much for your help, finally I updated my Java and removed temporary files.caution about the Trojan is not anymore in my action center,so I hope its removed completely.

I have just a little problem, I don't know exactly if it's related to my last problems or not!!, today when I started my computer It went to the page containing "safe mode" ,"safe mode with network connection" and "start normally" .
(In this case I cannot change the selected item by arrow keys or event enter key) so it automatically goes to "start normally" and after that ask for system restore, and I didn't restore my system.

should I be worried?

[Will Watts]

Hi s.winter,

Please Reboot your computer. At what point does the System Restore message appear? Are you able to view your desktop, or are you forced into the Windows Recovery Environment? Are you completely unable too boot the PC?

Were any other changes made prior to the message first appearing, e.g. a driver update or running a tool such as a registry cleaner or Malware tool?

[s.winter]

I reboot my system, this time with No problem.

last time, I was forced to "windows recovery environment" and in the middle of recovery it asked me to run system restore or not. after I pressed cancel. it takes a while and then went to Login page and my desktop.

before I ask for your help,as I said before I ran "Malwarebytes Anti-Malware", and "Windows update".
Malwarebytes found one Trojan.agent in "C:\Windows\System32\qdlldirectx64.ocx" I can restore it in Malwarebyte's Quarantine tab.

I can mention that I have "Dell Vostro 3300" laptop.

[Will Watts]

Hi s.winter,

It's hard to say what caused the System Restore prompt, if it's no longer happening we can ignore it for now as it doesn't appear to be directly related. If it starts happening again, or your PC fails to boot, I would advise you to post in the Windows 7 section of the forums with details.

There are a couple of deletions that may be false positives, these were deleted by Combofix. Before we restore these, please scan the following files at Virus Total.

Please go to: VirusTotal

• On the page you'll find a "Browse" button.
  
• Next to the browse button you'll see a box to enter text.
• Copy/paste the following bolded text into the File name: field one at a time
  
  
  C:\Qoobox\Quarantine\c\programdata\Microsoft\corecon\1.0\1033\NonSDKAddonLangVer.dll
  C:\Qoobox\Quarantine\c\programdata\Microsoft\corecon\1.0\1033\SDKAddonLangVer.dll
  C:\Qoobox\Quarantine\c\programdata\Microsoft\corecon\1.0\addons\NonSDKAddonVer.dll
  C:\Qoobox\Quarantine\c\programdata\Microsoft\corecon\1.0\addons\SDKAddonVer.dll
  C:\Qoobox\Quarantine\c\programdata\Microsoft\corecon\1.0\SDKFilesVer.dll
  
  
  
• Click open, then click the "Send File " button just below.
• This will scan the file. Please be patient.
• If the file is analyzed before click Reanalyse button.
• Wait until the file is analyzed.
• Once scanned, copy and paste the link to the results page in your next reply.

--------------------------------------

[s.winter]

Thanks a lot,I scanned the files, so you think that maybe the problem is not caused by any trojan and my system is now free of trojan ?

here is the result links:

https://www.virustotal.com/file/5e56...is/1340128613/

https://www.virustotal.com/file/e5fc...is/1340128903/

https://www.virustotal.com/file/5e56...is/1340129202/

https://www.virustotal.com/file/e5fc...is/1340129275/

https://www.virustotal.com/file/5e56...is/1340129376/

[Will Watts]

Hi s.winter,

Combofix originally removed some malware on your system, there was nothing serious on board and your logs are looking clean now. Other problems on the machine may be coincidental and unrelated, now that the action center message is gone there is nothing indicating a deeper infection.

We'll de-quarantine those files before we finish up.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. You may want to print and/or save the following instructions in Notepad as this webpage will not be available when you're carrying out the fix.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Code:

DeQuarantine::
C:\Qoobox\Quarantine\c\programdata\Microsoft\corecon\1.0\1033\NonSDKAddonLangVer.dll.vir
C:\Qoobox\Quarantine\c\programdata\Microsoft\corecon\1.0\1033\SDKAddonLangVer.dll.vir
C:\Qoobox\Quarantine\c\programdata\Microsoft\corecon\1.0\addons\NonSDKAddonVer.dll.vir
C:\Qoobox\Quarantine\c\programdata\Microsoft\corecon\1.0\addons\SDKAddonVer.dll.vir
C:\Qoobox\Quarantine\c\programdata\Microsoft\corecon\1.0\SDKFilesVer.dll.vir
QUIT::

Save this as CFScript.txt, in the same location as ComboFix.exe





Refering to the picture above, drag CFScript into ComboFix.exe

Combofix may request an update, click Yes to allow it.

When finished, please post the C:\ComboFix.txt for further review.

[s.winter]

I do as you said ,and it gives me a text file named "DeQuarantine.txt" which I attached, is it right?

[Will Watts]

That's great.

We can finish up here now, your logs are clean.

Disconnect from the internet and disable your AntiVirus temporarily.

Go to Start -> copy/paste the following single line command into the Search box and press Enter:

ComboFix /Uninstall

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Re-enable your AntiVirus now. Reconnect to the internet at your leisure.
------------------------------------------------------

To help protect your computer in the future I recommend that you follow these steps and look into the following free programs:

MICROSOFT UPDATES

It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

SOFTWARE
You need an antivirus that is continually updated and a good firewall. In Windows Vista and 7, the Windows inbuilt firewall is usually sufficient, but XP users are recommended to have a good 3rd party firewall. However, be very wary with any security software that is advertised in popups. They are not only usually of no use, but often have malware in them. If you ever have doubts about the legitimacy of an anti-spyware or anti-virus program, it is best to post your question in our General Security forum.

Remember never to install more than one AntiVirus program as they will conflict with each other.

• WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam, and helps to protect your computer against online threats when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  
  • Green to go
  • Yellow for caution
  • Red to stop
  
  WOT and has an add-on available for all major browsers.
  
  
• Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here. The Plus Version has more features, and you can read Winpatrol's FAQ if you run into any problems.
  
  
• MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Windows Vista users see here, and Windows 7 users see here. Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file.
  
  
• ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders System Restore unavailable by simple means. With ERUNT, you're able to restore the damaged Registry.
  
  Vista/Windows 7 users - see this link for proper setup of Erunt Automatically Backup your Windows Vista Registry daily using ERUNT - The Winhelponline Blog

SPYWARE PREVENTION

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

PC Safety & Security - What Do I Need?
Think Prevention

Have a look here if your PC is still running a bit slow
Is your PC running slow...?

Please respond to this thread one more time so we can mark this issue as resolved.

[s.winter]

someguy201 Thanks you so much for your help and advices , I can't find words to thank you enough.

[Will Watts]

You're welcome.