
Threat Found in Memory! Unable to Clean

This is a discussion on Threat Found in Memory! Unable to Clean within the Inactive Malware Help Topics forums, part of the Tech Support Forum category.


 
 
Old 06-09-2012, 01:51 PM   #1
omjb, Registered Member (OS: Windows 7 Professional Service Pack 1)

Hi there.

I am running windows 7 professional.
My ESET NOD32 antivirus keeps reporting this:

Threat Found in Memory!

Object:Operating Memory >> svchost.exe(1036)

Threat: A Variant of win32/sirefef.FA trojan

Information: Unable to clean.

Help? How do I get rid of this?

Cheers.

Also!

DDS (Ver_2011-09-30.01) - NTFS_x86
Internet Explorer: 9.0.8112.16421
Run by User at 8:29:32 on 2012-06-09
#Option MBR scan is disabled.
#Option Extended Search is enabled.
Microsoft Windows 7 Professional 6.1.7601.1.1252.64.1033.18.3037.1618 [GMT 12:00]
.
AV: ESET NOD32 Antivirus 3.0 *Enabled/Updated* {CB0F8167-5331-BA19-698E-64816B6801A5}
SP: ESET NOD32 Antivirus 3.0 *Enabled/Updated* {706E6083-750B-B597-533E-5FF310EF4B18}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\atiesrxx.exe
C:\windows\system32\atieclxx.exe
C:\windows\System32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\TECO\TecoService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe
C:\Program Files\TOSHIBA\TECO\TEco.exe
C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
C:\Program Files\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe
C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\BitTorrent\BitTorrent.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\system32\taskeng.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\windows\system32\msiexec.exe
C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\TOSHIBA\RSelect\RSelSvc.exe
C:\windows\system32\sppsvc.exe
C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\Users\User\AppData\Local\Google\Chrome\Application\old_chrome.exe
C:\Users\User\AppData\Local\Google\Chrome\Application\old_chrome.exe
C:\Users\User\AppData\Local\Google\Chrome\Application\old_chrome.exe
C:\windows\system32\rundll32.exe
C:\Users\User\AppData\Local\Google\Chrome\Application\old_chrome.exe
C:\windows\servicing\TrustedInstaller.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\system32\conhost.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\windows\system32\svchost.exe -k imgsvc
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\System32\svchost.exe -k swprv
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSAU&bmod=TSAU
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSAU&bmod=TSAU
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSAU&bmod=TSAU
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSAU&bmod=TSAU
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\users\user\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
uRun: [BitTorrent] "c:\program files\bittorrent\BitTorrent.exe" /MINIMIZED
uRun: [cpanmg] rundll32.exe "c:\users\user\appdata\roaming\cpanmg.dll",ShowDeviceParameters
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SVPWUTIL] c:\program files\toshiba\utilities\SVPWUTIL.exe SVPwUTIL
mRun: [HWSetup] "c:\program files\toshiba\utilities\HWSetup.exe" hwSetUP
mRun: [KeNotify] c:\program files\toshiba\utilities\KeNotify.exe
mRun: [TPwrMain] c:\program files\toshiba\power saver\TPwrMain.EXE
mRun: [HSON] c:\program files\toshiba\tbs\HSON.exe
mRun: [SmoothView] c:\program files\toshiba\smoothview\SmoothView.exe
mRun: [00TCrdMain] c:\program files\toshiba\flashcards\TCrdMain.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ITSecMng] c:\program files\toshiba\bluetooth toshiba stack\ItSecMng.exe /START
mRun: [SmartFaceVWatcher] c:\program files\toshiba\smartfacev\SmartFaceVWatcher.exe
mRun: [Teco] "c:\program files\toshiba\teco\Teco.exe" /r
mRun: [TosSENotify] c:\program files\toshiba\toshiba hdd ssd alert\TosWaitSrv.exe
mRun: [ToshibaServiceStation] c:\program files\toshiba\toshiba service station\ToshibaServiceStation.exe /hide:60
mRun: [TosWaitSrv] c:\program files\toshiba\tphm\TosWaitSrv.exe
mRun: [TWebCamera] "c:\program files\toshiba\toshiba web camera application\TWebCamera.exe" autorun
mRun: [TosNC] c:\program files\toshiba\bulletinboard\TosNcCore.exe
mRun: [TosReelTimeMonitor] c:\program files\toshiba\reeltime\TosReelTimeMonitor.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{4AC099D0-50A7-49FB-9888-98B044AC8117} : DHCPNameServer = 192.168.1.254
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
============= SERVICES / DRIVERS ===============
.
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-10-7 35168]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-4-18 176128]
R2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files\toshiba\configfree\CFIWmxSvcs.exe [2009-7-18 181616]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2009-3-11 46448]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-10-7 472280]
R2 RSELSVC;TOSHIBA Modem region select service;c:\program files\toshiba\rselect\RSelSvc.exe [2009-7-8 62832]
R2 Skype C2C Service;Skype C2C Service;c:\programdata\skype\toolbars\skype c2c service\c2c_service.exe [2012-5-30 3048136]
R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\toshiba\teco\TecoService.exe [2009-8-11 181616]
R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\drivers\TVALZFL.sys [2009-6-20 12920]
R3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETw5s32.sys [2010-1-13 6755840]
R3 PGEffect;Pangu effect driver;c:\windows\system32\drivers\PGEffect.sys [2012-4-18 24064]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2012-4-18 167936]
R3 TMachInfo;TMachInfo;c:\program files\toshiba\toshiba service station\TMachInfo.exe [2012-4-18 51512]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\toshiba\toshiba hdd ssd alert\TosSmartSrv.exe [2009-8-4 111960]
R3 TPCHSrv;TPCH Service;c:\program files\toshiba\tphm\TPCHSrv.exe [2009-8-7 685424]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-5-12 135664]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-4-5 158856]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-6-4 257696]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-5-12 135664]
S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2009-5-15 4231680]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2012-4-18 171520]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2012-4-21 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2012-4-20 1343400]
.
=============== Created Last 60 ================
.
2012-06-08 20:24:59 -------- d-----w- c:\windows\system32\appmgmt
2012-06-03 22:48:58 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-03 22:48:58 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-03 22:48:26 142336 ----a-w- c:\users\user\appdata\roaming\cpanmg.dll
2012-06-01 05:40:13 6737808 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{1bd5a8d4-0412-4a01-9bde-065c301bdabb}\mpengine.dll
2012-05-31 12:19:28 -------- d-----w- c:\users\user\Tracing
2012-05-31 12:18:21 -------- d-----w- c:\windows\en
2012-05-31 12:15:15 -------- d-----w- c:\users\user\appdata\roaming\HandBrake
2012-05-31 12:14:36 -------- d-----w- c:\program files\Handbrake
2012-05-31 12:11:35 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2012-05-31 12:11:35 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2012-05-31 12:11:34 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2012-05-31 12:10:11 89944 ----a-w- c:\program files\common files\windows live\.cache\52a3160a1cd3f2603\DSETUP.dll
2012-05-31 12:10:11 537432 ----a-w- c:\program files\common files\windows live\.cache\52a3160a1cd3f2603\DXSETUP.exe
2012-05-31 12:10:11 1801048 ----a-w- c:\program files\common files\windows live\.cache\52a3160a1cd3f2603\dsetup32.dll
2012-05-31 12:10:01 94040 ----a-w- c:\program files\common files\windows live\.cache\495d23f81cd3f2602\DSETUP.dll
2012-05-31 12:10:01 525656 ----a-w- c:\program files\common files\windows live\.cache\495d23f81cd3f2602\DXSETUP.exe
2012-05-31 12:10:01 1691480 ----a-w- c:\program files\common files\windows live\.cache\495d23f81cd3f2602\dsetup32.dll
2012-05-31 12:09:21 -------- d-----w- c:\users\user\appdata\local\Windows Live
2012-05-31 12:02:27 -------- d-----w- C:\OutputFolder
2012-05-31 12:02:11 -------- d-----w- c:\program files\Digiarty
2012-05-31 01:36:13 -------- d-----w- c:\users\user\appdata\local\Downloaded Installations
2012-05-19 12:25:36 -------- d-----w- c:\users\user\appdata\local\ESET
2012-05-19 03:01:28 163048 ----a-w- c:\programdata\microsoft\windows\sqm\manifest\Sqm10141.bin
2012-05-17 22:24:58 58880 ----a-w- c:\windows\system32\rdpwsx.dll
2012-05-17 22:24:58 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-05-17 21:41:58 -------- d-----w- c:\windows\system32\SPReview
2012-05-17 21:40:50 -------- d-----w- c:\windows\system32\EventProviders
2012-05-16 08:47:23 -------- d-----w- c:\users\user\appdata\roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2012-05-14 06:16:25 -------- d-----w- c:\users\user\appdata\roaming\Xilisoft
2012-05-14 06:15:39 -------- d-----w- c:\programdata\Xilisoft
2012-05-14 06:15:39 -------- d-----w- c:\program files\Xilisoft
2012-05-12 03:34:47 1291632 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-05-12 03:34:40 936960 ----a-w- c:\program files\common files\microsoft shared\ink\journal.dll
2012-05-12 03:34:40 1785344 ----a-w- c:\program files\windows journal\Journal.exe
2012-05-12 03:34:39 1221632 ----a-w- c:\program files\windows journal\NBDoc.DLL
2012-05-12 03:34:38 989184 ----a-w- c:\program files\windows journal\JNTFiltr.dll
2012-05-12 03:34:38 969216 ----a-w- c:\program files\windows journal\JNWDRV.dll
2012-05-12 03:34:09 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-12 03:34:08 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-12 03:34:06 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-05-12 03:34:05 56176 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-05-12 03:34:02 1077248 ----a-w- c:\windows\system32\DWrite.dll
2012-05-07 07:12:35 -------- d-----w- c:\users\user\appdata\roaming\WildTangent
2012-04-29 19:33:27 -------- d-----w- c:\program files\MSXML 4.0
2012-04-29 07:44:21 86016 ----a-w- c:\windows\unvise32.exe
2012-04-29 04:07:07 -------- d-----w- c:\program files\BitTorrent
2012-04-29 0427 -------- d-----w- c:\users\user\appdata\roaming\BitTorrent
2012-04-28 03:51:33 -------- d-----w- c:\programdata\Age of Empires 3
2012-04-28 03:50:18 -------- d-----w- c:\program files\common files\Microsoft Games
2012-04-28 03:36:11 -------- d-----w- c:\program files\Microsoft Games
2012-04-21 06:25:10 1130824 ----a-w- c:\windows\system32\dfshim.dll
2012-04-21 06:25:05 52224 ----a-w- c:\windows\system32\drivers\TsUsbFlt.sys
2012-04-21 06:25:05 11776 ----a-w- c:\windows\system32\TsUsbRedirectionGroupPolicyExtension.dll
2012-04-21 06:25:04 3215872 ----a-w- c:\windows\system32\mstscax.dll
2012-04-21 06:25:00 1171456 ----a-w- c:\windows\system32\d3d10warp.dll
2012-04-21 06:23:59 80384 ----a-w- c:\windows\system32\davclnt.dll
2012-04-21 06:22:59 94208 ----a-w- c:\windows\system32\eappgnui.dll
2012-04-21 06:05:09 6737808 ----a-w- c:\programdata\microsoft\windows defender\definition updates\backup\mpengine.dll
2012-04-21 06:04:15 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys
2012-04-21 06:04:15 284672 ----a-w- c:\windows\system32\drivers\usbport.sys
2012-04-21 06:04:15 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys
2012-04-21 06:04:14 75776 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2012-04-21 06:04:14 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2012-04-21 06:04:14 20480 ----a-w- c:\windows\system32\drivers\usbohci.sys
2012-04-21 06:04:13 5888 ----a-w- c:\windows\system32\drivers\usbd.sys
2012-04-21 06:04:03 1699328 ----a-w- c:\windows\system32\esent.dll
2012-04-21 06:04:03 143744 ----a-w- c:\windows\system32\drivers\nvstor.sys
2012-04-21 06:03:56 1211264 ----a-w- c:\windows\system32\drivers\ntfs.sys
2012-04-21 06:03:55 117120 ----a-w- c:\windows\system32\drivers\nvraid.sys
2012-04-21 06:03:54 80256 ----a-w- c:\windows\system32\drivers\amdsata.sys
2012-04-21 06:03:54 148864 ----a-w- c:\windows\system32\drivers\storport.sys
2012-04-21 06:03:53 332160 ----a-w- c:\windows\system32\drivers\iaStorV.sys
2012-04-21 06:03:52 22400 ----a-w- c:\windows\system32\drivers\amdxata.sys
2012-04-21 06:03:51 74240 ----a-w- c:\windows\system32\fsutil.exe
2012-04-20 08:22:30 -------- d-----w- c:\users\user\appdata\local\Apple Computer
2012-04-20 08:22:22 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-04-20 08:22:22 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2012-04-20 08:21:46 -------- d-----w- c:\program files\iPod
2012-04-20 08:21:45 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2012-04-20 08:21:44 -------- d-----w- c:\program files\iTunes
2012-04-20 08:20:52 -------- d-----w- c:\users\user\appdata\local\Apple
2012-04-20 08:20:25 -------- d-----w- c:\program files\Bonjour
2012-04-20 03:44:11 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-20 03:44:11 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-20 03:44:11 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-04-20 03:44:10 159232 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-20 03:41:09 -------- d-----w- c:\users\user\appdata\local\Adobe
2012-04-20 03:33:07 -------- d-----w- c:\windows\system32\Wat
2012-04-19 22:47:29 74752 ----a-w- c:\windows\system32\iesetup.dll
2012-04-19 00:16:46 -------- d-----w- c:\programdata\boost_interprocess
2012-04-19 00:16:21 -------- d-----r- c:\program files\Skype
2012-04-18 21:49:38 311808 ----a-w- c:\windows\system32\drivers\srv.sys
2012-04-18 21:49:38 310272 ----a-w- c:\windows\system32\drivers\srv2.sys
2012-04-18 21:49:38 114688 ----a-w- c:\windows\system32\drivers\srvnet.sys
2012-04-18 21:49:32 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2012-04-18 21:49:32 187776 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2012-04-18 21:49:27 1288472 ----a-w- c:\windows\system32\ntdll.dll
2012-04-18 21:49:27 -------- d-sh--w- c:\users\user\appdata\local\{7e690af0-f0e0-7462-9813-62ecf539a4b0}
2012-04-18 21:49:06 31232 ----a-w- c:\windows\system32\prevhost.exe
2012-04-18 21:48:45 28672 ----a-w- c:\windows\system32\dnscacheugc.exe
2012-04-18 21:48:45 132608 ----a-w- c:\windows\system32\dnsrslvr.dll
2012-04-18 21:48:44 70656 ----a-w- c:\windows\system32\fontsub.dll
2012-04-18 21:48:44 34304 ----a-w- c:\windows\system32\atmlib.dll
2012-04-18 21:48:44 294912 ----a-w- c:\windows\system32\atmfd.dll
2012-04-18 21:48:43 708608 ----a-w- c:\program files\common files\system\wab32.dll
2012-04-18 21:48:00 75776 ----a-w- c:\windows\system32\psisrndr.ax
2012-04-18 21:46:39 191488 ----a-w- c:\windows\system32\FXSCOVER.exe
2012-04-18 21:45:59 690688 ----a-w- c:\windows\system32\msvcrt.dll
2012-04-18 21:45:19 442880 ----a-w- c:\windows\system32\ntshrui.dll
2012-04-18 21:45:12 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2012-04-18 21:45:12 1137664 ----a-w- c:\windows\system32\mfc42.dll
2012-04-18 21:45:08 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2012-04-18 21:45:04 123904 ----a-w- c:\windows\system32\poqexec.exe
2012-04-18 21:45:03 27008 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2012-04-18 21:31:34 728448 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2012-04-18 21:31:33 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2012-04-18 21:31:33 107520 ----a-w- c:\windows\system32\cdd.dll
2012-04-18 08:23:39 61440 ----a-r- c:\users\user\appdata\roaming\microsoft\installer\{3ca54984-a14b-42fe-9ff1-7ea90151d725}\NewShortcut2_E88611396FF84AFCB2EE5C1594058E02.exe
2012-04-18 08:23:39 61440 ----a-r- c:\users\user\appdata\roaming\microsoft\installer\{3ca54984-a14b-42fe-9ff1-7ea90151d725}\ARPPRODUCTICON.exe
2012-04-18 08:23:39 106496 ----a-r- c:\users\user\appdata\roaming\microsoft\installer\{3ca54984-a14b-42fe-9ff1-7ea90151d725}\NewShortcut311_0951773981FA4AB2BC21B7DCEC95892A.exe
2012-04-18 08:23:39 106496 ----a-r- c:\users\user\appdata\roaming\microsoft\installer\{3ca54984-a14b-42fe-9ff1-7ea90151d725}\NewShortcut31_2F252077BA3F4362913955273A708467.exe
2012-04-18 08:23:39 106496 ----a-r- c:\users\user\appdata\roaming\microsoft\installer\{3ca54984-a14b-42fe-9ff1-7ea90151d725}\NewShortcut1_EDD4ABB1C1B34A9D84CE33FBFB5D3639.exe
2012-04-18 08:23:38 -------- d-----w- c:\program files\common files\Tencent
2012-04-18 08:23:29 -------- d-----w- c:\program files\Tencent
2012-04-18 08:23:06 18760 ----a-w- c:\windows\system32\QQVistaHelper.dll
2012-04-18 08:23:06 -------- d-----w- c:\users\user\appdata\roaming\Tencent
2012-04-18 05:29:11 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-04-18 05:25:02 -------- d-----w- c:\users\user\appdata\local\Apps
2012-04-18 05:25:01 -------- d-----w- c:\users\user\appdata\local\Deployment
2012-04-18 05:24:08 -------- d-----w- c:\users\user\appdata\local\Google
2012-04-18 05:07:32 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-18 05:07:31 826880 ----a-w- c:\windows\system32\rdpcore.dll
2012-04-18 05:07:31 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-04-18 05:07:31 18432 ----a-w- c:\windows\system32\drivers\tdpipe.sys
2012-04-18 05:07:30 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-04-18 04:58:52 -------- d-----w- c:\program files\ESET
2012-04-18 04:57:03 -------- d-----w- c:\users\user\appdata\roaming\HTML Executable
2012-04-18 04:54:45 -------- d-----w- c:\users\user\appdata\local\Microsoft Help
2012-04-18 01:02:50 -------- d-----w- c:\program files\TOSHIBA Games
2012-04-18 01:02:49 -------- d-----w- c:\programdata\WildTangent
2012-04-18 01:01:25 -------- d-----w- c:\programdata\Norton
2012-04-18 01:01:22 -------- d-----w- c:\programdata\NortonInstaller
2012-04-18 00:59:52 -------- d-----w- c:\program files\Microsoft Office Suite Activation Assistant
2012-04-18 00:59:08 -------- d-----w- c:\program files\Microsoft Small Business
2012-04-18 00:55:44 -------- d-----w- c:\program files\Microsoft SQL Server
2012-04-18 00:49:57 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2012-04-18 00:49:21 -------- d-----w- c:\program files\Microsoft
2012-04-18 00:48:42 -------- d-----w- c:\windows\PCHEALTH
2012-04-18 00:48:09 -------- d-----w- c:\program files\common files\Windows Live
2012-04-18 00:47:50 -------- d-----w- c:\programdata\Partner
2012-04-18 00:43:07 128344 ----a-w- c:\windows\system32\TODDSrv.exe
2012-04-18 00:42:12 -------- d-----w- c:\programdata\InterVideo
2012-04-18 00:42:10 212992 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ILog.dll
2012-04-18 00:40:49 -------- d-----w- c:\program files\common files\Ulead Systems
2012-04-18 00:39:59 -------- d-----w- c:\program files\Corel
2012-04-18 00:37:43 -------- d-----w- c:\program files\common files\Toshiba Shared
2012-04-18 00:37:40 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2012-04-18 00:37:40 275536 ----a-w- c:\windows\system32\drivers\tos_sps32.sys
2012-04-18 00:37:27 24064 ----a-w- c:\windows\system32\drivers\PGEffect.sys
2012-04-18 00:36:36 -------- d-----w- c:\windows\system32\SDA
2012-04-18 00:35:40 -------- d-----w- c:\windows\Downloaded Installations
2012-04-18 00:34:36 7360512 ----a-w- c:\windows\system32\RTSUSTORicon.dll
2012-04-18 00:34:33 270336 ----a-w- c:\windows\system32\RtsUStor.dll
2012-04-18 00:34:33 171520 ----a-w- c:\windows\system32\drivers\RtsUStor.sys
2012-04-18 00:34:04 73728 ----a-w- c:\windows\system32\RtNicProp32.dll
2012-04-18 00:34:04 167936 ----a-w- c:\windows\system32\drivers\Rt86win7.sys
2012-04-18 00:33:17 58888 ------w- c:\windows\system32\agrsmdel.exe
2012-04-18 00:33:17 -------- d-----w- c:\program files\ltmoh
2012-04-18 00:33:15 -------- d-----w- c:\program files\LSI SoftModem
2012-04-18 00:33:12 -------- d-----w- c:\windows\Options
2012-04-18 00:32:33 -------- d-----w- c:\program files\Synaptics
2012-04-18 00:27:19 24576 ----a-w- c:\windows\system32\TSCI.dll
2012-04-18 00:27:19 24576 ----a-w- c:\windows\system32\THCI.dll
2012-04-18 00:26:46 45056 ------w- c:\windows\system32\HWS_Ctrl.dll
2012-04-18 00:26:46 24576 ------w- c:\windows\system32\TSBWLS.dll
2012-04-18 00:26:21 -------- d-----w- c:\windows\system32\Microsoft.VC80.MFC
2012-04-18 00:26:20 -------- d-----w- c:\programdata\XP
2012-04-18 00:26:20 -------- d-----w- c:\programdata\win7_64
2012-04-18 00:26:20 -------- d-----w- c:\programdata\win7_32
2012-04-18 00:26:20 -------- d-----w- c:\programdata\Vista64
2012-04-18 00:26:20 -------- d-----w- c:\programdata\Vista32
2012-04-18 00:22:10 330264 ----a-w- c:\windows\system32\drivers\iaStor.sys
2012-04-18 00:20:35 53248 ----a-w- c:\windows\system32\CSVer.dll
2012-04-18 00:19:59 -------- d-----w- C:\TOSHIBA
2012-04-17 2216 -------- d-----w- c:\users\user\appdata\local\TOSHIBA_Corporation
2012-04-17 22:05:24 -------- d-----w- C:\MCDiags
2012-04-17 21:39:56 -------- d-----w- c:\users\user\appdata\local\Toshiba
2012-04-17 21:39:43 -------- d-----w- c:\users\user\appdata\local\ATI
.
==================== Find6M ====================
.
2012-05-17 21:55:58 152576 ----a-w- c:\windows\system32\msclmd.dll
2012-04-19 22:54:03 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-04-19 22:54:02 86528 ----a-w- c:\windows\system32\iesysprep.dll
2012-04-19 22:54:02 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2012-04-19 22:54:02 48640 ----a-w- c:\windows\system32\mshtmler.dll
2012-04-19 22:54:02 161792 ----a-w- c:\windows\system32\msls31.dll
2012-04-19 22:54:02 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2012-04-19 22:54:01 63488 ----a-w- c:\windows\system32\tdc.ocx
2012-04-19 22:47:29 367104 ----a-w- c:\windows\system32\html.iec
2012-04-19 22:47:28 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-04-19 22:47:28 23552 ----a-w- c:\windows\system32\licmgr10.dll
2012-04-19 22:47:28 152064 ----a-w- c:\windows\system32\wextract.exe
2012-04-19 22:47:28 150528 ----a-w- c:\windows\system32\iexpress.exe
2012-04-19 22:47:27 35840 ----a-w- c:\windows\system32\imgutil.dll
2012-04-19 22:47:27 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-04-19 22:47:27 11776 ----a-w- c:\windows\system32\mshta.exe
2012-04-19 22:47:27 101888 ----a-w- c:\windows\system32\admparse.dll
2012-04-01 06:20:24 421888 ----a-w- c:\windows\system32\RealMediaSplitter.ax
2012-03-08 06:50:28 49016 ----a-w- c:\windows\system32\sirenacm.dll
2012-03-08 06:37:20 302448 ----a-w- c:\windows\WLXPGSS.SCR
2012-02-28 01:18:55 1799168 ----a-w- c:\windows\system32\jscript9.dll
2012-02-28 01:11:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-28 01:11:07 1127424 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 01:03:16 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-02-14 23:01:50 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-14 23:01:50 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-12-30 05:27:56 478720 ----a-w- c:\windows\system32\timedate.cpl
.
============= FINISH: 8:30:12.54 ===============
Attached Files: ark.txt (21.1 KB), attach.txt (9.3 KB)

Old 06-12-2012, 01:00 AM   #2
amateur, Security Team, Moderator, Analyst, Rangemaster, TSF Academy (OS: XP, Win7, Ubuntu 10.10)

Hello and welcome to TSF.

Your system is infected with what's commonly known as ZeroAccess, which is a nasty backdoor trojan. Please note that more than one round may be needed to properly eradicate malware. In co-operation with the cleaning process, please:
  • do not uninstall/install any programs unless asked to do so, to make it easier on us as it is more difficult when files/programs are appearing in/disappearing from the logs;
  • do not run any tools or scans other than those requested;
  • follow all instructions in the order they are presented;
  • if you have problems with or do not understand the instructions, ask before continuing;
  • stay with this thread until given the All Clear, as absence of symptoms does not always mean the machine is clean;
  • do not attach any logs/reports, etc. unless specifically requested to do so;
  • all logs/reports, etc. must be posted in Notepad, making sure that Word Wrap is unchecked (in Notepad click Format and uncheck Word Wrap if it is checked).
Also note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

============================
  1. Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Place combofix.exe on your Desktop

  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix. If you don't know how, please see the link below:

    How to Disable Your Security Applications

  3. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  4. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    ---------------------------------------------------------------------------------------------
  5. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

Old 06-12-2012, 03:05 AM   #3
Registered Member
 
Join Date: Jun 2012
Posts: 3
OS: Windows 7 professional service pack 1



Hi. Cheers for the reply.
Attached copy of report. Also posted it here.
Generated this report:

ComboFix 12-06-07.04 - User 12/06/2012 21:43:23.1.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.64.1033.18.3037.1983 [GMT 12:00]
Running from: c:\users\User\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *Enabled/Updated* {CB0F8167-5331-BA19-698E-64816B6801A5}
SP: ESET NOD32 Antivirus 3.0 *Enabled/Updated* {706E6083-750B-B597-533E-5FF310EF4B18}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\xp
c:\programdata\xp\EBLib.dll
c:\programdata\xp\TPwSav.sys
c:\users\User\AppData\Roaming\cpanmg.dll
c:\users\User\Desktop\Backup\User\Documents\New Movies\The Bucket List (2007)\_desktop.ini
c:\windows\assembly\GAC\Desktop.ini
c:\windows\Installer\{7e690af0-f0e0-7462-9813-62ecf539a4b0}\@
c:\windows\Installer\{7e690af0-f0e0-7462-9813-62ecf539a4b0}\L\00000004.@
c:\windows\Installer\{7e690af0-f0e0-7462-9813-62ecf539a4b0}\L\00000008.@
c:\windows\Installer\{7e690af0-f0e0-7462-9813-62ecf539a4b0}\n
c:\windows\Installer\{7e690af0-f0e0-7462-9813-62ecf539a4b0}\U\00000004.@
c:\windows\Installer\{7e690af0-f0e0-7462-9813-62ecf539a4b0}\U\00000008.@
c:\windows\Installer\{7e690af0-f0e0-7462-9813-62ecf539a4b0}\U\000000cb.@
c:\windows\Installer\{7e690af0-f0e0-7462-9813-62ecf539a4b0}\U\80000000.@
c:\windows\Installer\{7e690af0-f0e0-7462-9813-62ecf539a4b0}\U\80000032.@
c:\windows\system32\Thumbs.db
.
.
((((((((((((((((((((((((( Files Created from 2012-05-12 to 2012-06-12 )))))))))))))))))))))))))))))))
.
.
2012-06-03 22:48 . 2012-06-03 22:48 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-03 22:48 . 2012-06-03 22:48 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-01 05:40 . 2012-05-08 16:40 6737808 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1BD5A8D4-0412-4A01-9BDE-065C301BDABB}\mpengine.dll
2012-05-31 12:19 . 2012-05-31 12:19 -------- d-----w- c:\users\User\Tracing
2012-05-31 12:18 . 2012-05-31 12:18 -------- d-----w- c:\windows\en
2012-05-31 12:15 . 2012-06-09 01:24 -------- d-----w- c:\users\User\AppData\Roaming\HandBrake
2012-05-31 12:14 . 2012-05-31 12:14 -------- d-----w- c:\program files\Handbrake
2012-05-31 12:11 . 2009-09-04 05:44 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2012-05-31 12:11 . 2009-09-04 05:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2012-05-31 12:11 . 2009-09-04 05:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2012-05-31 12:10 . 2012-05-31 12:10 89944 ----a-w- c:\program files\Common Files\Windows Live\.cache\52a3160a1cd3f2603\DSETUP.dll
2012-05-31 12:10 . 2012-05-31 12:10 537432 ----a-w- c:\program files\Common Files\Windows Live\.cache\52a3160a1cd3f2603\DXSETUP.exe
2012-05-31 12:10 . 2012-05-31 12:10 1801048 ----a-w- c:\program files\Common Files\Windows Live\.cache\52a3160a1cd3f2603\dsetup32.dll
2012-05-31 12:10 . 2012-05-31 12:10 94040 ----a-w- c:\program files\Common Files\Windows Live\.cache\495d23f81cd3f2602\DSETUP.dll
2012-05-31 12:10 . 2012-05-31 12:10 525656 ----a-w- c:\program files\Common Files\Windows Live\.cache\495d23f81cd3f2602\DXSETUP.exe
2012-05-31 12:10 . 2012-05-31 12:10 1691480 ----a-w- c:\program files\Common Files\Windows Live\.cache\495d23f81cd3f2602\dsetup32.dll
2012-05-31 12:09 . 2012-05-31 12:19 -------- d-----w- c:\users\User\AppData\Local\Windows Live
2012-05-31 12:02 . 2012-05-31 12:02 -------- d-----w- C:\OutputFolder
2012-05-31 12:02 . 2012-05-31 12:02 -------- d-----w- c:\program files\Digiarty
2012-05-31 01:36 . 2012-05-31 01:36 -------- d-----w- c:\users\User\AppData\Local\Downloaded Installations
2012-05-19 12:25 . 2012-05-19 12:25 -------- d-----w- c:\users\User\AppData\Local\ESET
2012-05-19 03:01 . 2012-05-19 03:01 163048 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10141.bin
2012-05-17 22:24 . 2012-01-25 05:32 58880 ----a-w- c:\windows\system32\rdpwsx.dll
2012-05-17 22:24 . 2012-01-25 05:32 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-05-17 21:41 . 2012-05-17 21:41 -------- d-----w- c:\windows\system32\SPReview
2012-05-17 21:40 . 2012-05-17 21:40 -------- d-----w- c:\windows\system32\EventProviders
2012-05-16 08:47 . 2012-05-16 08:47 -------- d-----w- c:\users\User\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2012-05-14 06:16 . 2012-05-14 06:16 -------- d-----w- c:\users\User\AppData\Roaming\Xilisoft
2012-05-14 06:15 . 2012-05-14 06:15 -------- d-----w- c:\programdata\Xilisoft
2012-05-14 06:15 . 2012-05-14 06:15 -------- d-----w- c:\program files\Xilisoft
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-31 12:12 . 2011-03-28 06:36 19736 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-05-17 21:55 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2012-04-19 22:54 . 2012-04-19 22:54 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-04-19 22:54 . 2012-04-19 22:54 86528 ----a-w- c:\windows\system32\iesysprep.dll
2012-04-19 22:54 . 2012-04-19 22:54 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2012-04-19 22:54 . 2012-04-19 22:54 48640 ----a-w- c:\windows\system32\mshtmler.dll
2012-04-19 22:54 . 2012-04-19 22:54 161792 ----a-w- c:\windows\system32\msls31.dll
2012-04-19 22:54 . 2012-04-19 22:54 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2012-04-19 22:54 . 2012-04-19 22:54 63488 ----a-w- c:\windows\system32\tdc.ocx
2012-04-19 22:47 . 2012-04-19 22:47 74752 ----a-w- c:\windows\system32\iesetup.dll
2012-04-19 22:47 . 2012-04-19 22:47 367104 ----a-w- c:\windows\system32\html.iec
2012-04-19 22:47 . 2012-04-19 22:47 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-04-19 22:47 . 2012-04-19 22:47 23552 ----a-w- c:\windows\system32\licmgr10.dll
2012-04-19 22:47 . 2012-04-19 22:47 152064 ----a-w- c:\windows\system32\wextract.exe
2012-04-19 22:47 . 2012-04-19 22:47 150528 ----a-w- c:\windows\system32\iexpress.exe
2012-04-19 22:47 . 2012-04-19 22:47 35840 ----a-w- c:\windows\system32\imgutil.dll
2012-04-19 22:47 . 2012-04-19 22:47 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-04-19 22:47 . 2012-04-19 22:47 11776 ----a-w- c:\windows\system32\mshta.exe
2012-04-19 22:47 . 2012-04-19 22:47 101888 ----a-w- c:\windows\system32\admparse.dll
2012-04-18 08:23 . 2012-04-18 08:23 61440 ----a-r- c:\users\User\AppData\Roaming\Microsoft\Installer\{3CA54984-A14B-42FE-9FF1-7EA90151D725}\NewShortcut2_E88611396FF84AFCB2EE5C1594058E02.exe
2012-04-18 08:23 . 2012-04-18 08:23 61440 ----a-r- c:\users\User\AppData\Roaming\Microsoft\Installer\{3CA54984-A14B-42FE-9FF1-7EA90151D725}\ARPPRODUCTICON.exe
2012-04-18 08:23 . 2012-04-18 08:23 106496 ----a-r- c:\users\User\AppData\Roaming\Microsoft\Installer\{3CA54984-A14B-42FE-9FF1-7EA90151D725}\NewShortcut311_0951773981FA4AB2BC21B7DCEC95892A.exe
2012-04-18 08:23 . 2012-04-18 08:23 106496 ----a-r- c:\users\User\AppData\Roaming\Microsoft\Installer\{3CA54984-A14B-42FE-9FF1-7EA90151D725}\NewShortcut31_2F252077BA3F4362913955273A708467.exe
2012-04-18 08:23 . 2012-04-18 08:23 106496 ----a-r- c:\users\User\AppData\Roaming\Microsoft\Installer\{3CA54984-A14B-42FE-9FF1-7EA90151D725}\NewShortcut1_EDD4ABB1C1B34A9D84CE33FBFB5D3639.exe
2012-04-18 08:23 . 2012-04-18 08:23 18760 ----a-w- c:\windows\system32\QQVistaHelper.dll
2012-04-01 06:20 . 2012-04-01 06:20 421888 ----a-w- c:\windows\system32\RealMediaSplitter.ax
2012-03-31 04:39 . 2012-05-12 03:34 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-03-31 04:39 . 2012-05-12 03:34 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-03-31 02:36 . 2012-05-12 03:34 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-03-30 10:23 . 2012-05-12 03:34 1291632 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-03-17 07:27 . 2012-05-12 03:34 56176 ----a-w- c:\windows\system32\drivers\partmgr.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-04-18 39408]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-05-02 17355912]
"BitTorrent"="c:\program files\BitTorrent\BitTorrent.exe" [2012-04-29 6379888]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-30 98304]
"SVPWUTIL"="c:\program files\TOSHIBA\Utilities\SVPWUTIL.exe" [2009-07-10 352256]
"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2009-06-02 425984]
"KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2009-01-14 34088]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2009-08-05 476512]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2009-03-09 55160]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2009-07-28 460088]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2009-08-05 738616]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-29 7625248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-07-21 1545512]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2009-07-22 83336]
"SmartFaceVWatcher"="c:\program files\Toshiba\SmartFaceV\SmartFaceVWatcher.exe" [2009-07-29 163840]
"Teco"="c:\program files\TOSHIBA\TECO\Teco.exe" [2009-08-10 1324384]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2009-08-04 611672]
"ToshibaServiceStation"="c:\program files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-08-17 1294136]
"TosWaitSrv"="c:\program files\TOSHIBA\TPHM\TosWaitSrv.exe" [2009-08-07 611672]
"TWebCamera"="c:\program files\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2009-08-11 2446648]
"TosNC"="c:\program files\Toshiba\BulletinBoard\TosNcCore.exe" [2009-08-06 466792]
"TosReelTimeMonitor"="c:\program files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe" [2009-08-06 29528]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-10-06 1461080]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-26 421736]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2009-8-7 2680160]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2012-05-11 135664]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2012-04-04 158856]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-03 257696]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2012-05-11 135664]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-05-14 4231680]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-07-31 171520]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-04-19 1343400]
S1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2009-10-06 35168]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-07-30 176128]
S2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe [2009-07-18 181616]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2009-03-11 46448]
S2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-10-06 472280]
S2 RSELSVC;TOSHIBA Modem region select service;c:\program files\TOSHIBA\RSelect\RSelSvc.exe [2009-07-07 62832]
S2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-05-30 3048136]
S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [2009-08-10 181616]
S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys [2009-06-20 12920]
S3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2010-01-13 6755840]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2009-06-23 24064]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-05-23 167936]
S3 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-08-17 51512]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2009-08-04 111960]
S3 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [2009-08-07 685424]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-12 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-03 22:48]
.
2012-06-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-05-11 12:40]
.
2012-06-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-05-11 12:40]
.
2012-06-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1073669500-3249634009-2592816823-1004Core.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-18 05:25]
.
2012-06-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1073669500-3249634009-2592816823-1004UA.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-18 05:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSAU&bmod=TSAU
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSAU&bmod=TSAU
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKCU-Run-cpanmg - c:\users\User\AppData\Roaming\cpanmg.dll
AddRemove-TOSHIBA Software Modem - c:\windows\agrsmdel
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:00000009
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\atieclxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\TODDSrv.exe
c:\program files\TOSHIBA\Power Saver\TosCoSrv.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\taskhost.exe
c:\windows\System32\rundll32.exe
c:\windows\system32\conhost.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\windows\System32\rundll32.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\windows\System32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosHdpProc.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
c:\program files\TOSHIBA\Bluetooth Toshiba Stack\TosBtProc.exe
c:\program files\TOSHIBA\ConfigFree\CFSwMgr.exe
c:\windows\System32\rundll32.exe
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
c:\program files\TOSHIBA\TPHM\TPCHWMsg.exe
c:\windows\system32\sppsvc.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2012-06-12 21:58:41 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-12 09:58
.
Pre-Run: 163,889,295,360 bytes free
Post-Run: 163,881,807,872 bytes free
.
- - End Of File - - D82BB02D8923F453ECE32DE79CC0F3B7
Attached file: combifix report.txt
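Added example (not part of this thread, and not ComboFix's own logic): a small Python triage script for ComboFix logs like the one above. It splits the log into its banner-delimited sections and flags the ZeroAccess drop layout that ComboFix removed here, a GUID-named folder under c:\windows\Installer containing `@`, `n` and `U\` / `L\` entries. The two other rules (a Run-key orphan pointing at a DLL in AppData\Roaming, and a .sys image under ProgramData) are location heuristics chosen for this example, not malware signatures. The banner format, the function names and the two sample log excerpts are assumptions constructed from the logs posted in this thread; running `compare_runs` over the first log and the second run's log (posted later in the thread) shows which indicator lines are gone.

```python
"""Triage a ComboFix log for the ZeroAccess drop layout seen in this thread.

Added example; not ComboFix code. Assumptions: section banners are a title
wrapped in runs of '(' ')' or '-' as in the posted logs; rule 1 is the known
ZeroAccess layout (Installer\{GUID}\@, n, U\, L\); rules 2 and 3 are location
heuristics chosen for this example, not signatures of any specific malware.
"""
import re

# A ComboFix section banner such as "(((( Other Deletions ))))" or
# "- - - - ORPHANS REMOVED - - - -"; group 1 is the section title.
BANNER_RE = re.compile(r"^[(\- ]+\s*([A-Za-z][A-Za-z0-9 ,'/-]*?[A-Za-z0-9])\s*[)\- ]+$")

# (label, pattern) pairs matched case-insensitively against one log line.
INDICATORS = [
    # GUID folder under c:\windows\Installer holding @, n, U\xxxxxxxx.@ or L\xxxxxxxx.@
    ("zeroaccess-installer-dropfolder",
     re.compile(r"\\windows\\installer\\\{[0-9a-f-]{36}\}\\(?:@|n|[ul]\\[0-9a-f]{8}\.@)$", re.I)),
    # Heuristic: a removed Run-key entry that loaded a DLL from the roaming profile
    ("run-key-loads-dll-from-appdata",
     re.compile(r"^HK(?:CU|LM)-Run-\S+ - .*\\appdata\\roaming\\[^\\]+\.dll$", re.I)),
    # Heuristic: a kernel driver image stored under ProgramData, not system32\drivers
    ("driver-under-programdata",
     re.compile(r"\\programdata\\.*\.sys$", re.I)),
]


def parse_sections(log_text):
    """Split a ComboFix log into {section title: [lines]}; '.' filler lines are dropped."""
    current = "preamble"
    sections = {current: []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        banner = BANNER_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def triage(log_text):
    """Return [(section, label, line)] for every indicator hit, in log order."""
    hits = []
    for section, lines in parse_sections(log_text).items():
        for line in lines:
            for label, pattern in INDICATORS:
                if pattern.search(line):
                    hits.append((section, label, line))
    return hits


def compare_runs(before_log, after_log):
    """Indicator hits from the first run that no longer appear in the second run."""
    still_present = {(label, line) for _, label, line in triage(after_log)}
    return [(label, line) for _, label, line in triage(before_log)
            if (label, line) not in still_present]


# Constructed excerpts of the two logs in this thread (raw strings: every
# backslash is a literal path separator, so "\n" here is the file named "n").
SAMPLE_RUN1 = r"""
ComboFix 12-06-07.04 - User 12/06/2012 21:43:23.1.2 - x86
.
(((((((((((((( Other Deletions ))))))))))))))
.
c:\programdata\xp\TPwSav.sys
c:\users\User\AppData\Roaming\cpanmg.dll
c:\windows\Installer\{7e690af0-f0e0-7462-9813-62ecf539a4b0}\@
c:\windows\Installer\{7e690af0-f0e0-7462-9813-62ecf539a4b0}\L\00000004.@
c:\windows\Installer\{7e690af0-f0e0-7462-9813-62ecf539a4b0}\L\00000008.@
c:\windows\Installer\{7e690af0-f0e0-7462-9813-62ecf539a4b0}\n
c:\windows\Installer\{7e690af0-f0e0-7462-9813-62ecf539a4b0}\U\00000004.@
c:\windows\Installer\{7e690af0-f0e0-7462-9813-62ecf539a4b0}\U\00000008.@
c:\windows\Installer\{7e690af0-f0e0-7462-9813-62ecf539a4b0}\U\000000cb.@
c:\windows\Installer\{7e690af0-f0e0-7462-9813-62ecf539a4b0}\U\80000000.@
c:\windows\Installer\{7e690af0-f0e0-7462-9813-62ecf539a4b0}\U\80000032.@
c:\windows\system32\Thumbs.db
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKCU-Run-cpanmg - c:\users\User\AppData\Roaming\cpanmg.dll
"""

SAMPLE_RUN2 = r"""
ComboFix 12-06-12.03 - User 13/06/2012 9:57.2.2 - x86
.
(((((((((((((( Files Created from 2012-05-12 to 2012-06-12 ))))))))))))))
.
2012-06-12 22:03 . 2012-06-12 22:03 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-03 22:48 . 2012-06-03 22:48 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
"""

if __name__ == "__main__":
    for section, label, line in triage(SAMPLE_RUN1):
        print(f"[{label}] {section}: {line}")
    print(f"{len(compare_runs(SAMPLE_RUN1, SAMPLE_RUN2))} indicator line(s) absent in second run")
```

The `Other Deletions` section is what matters for the first question in a thread like this (what was on the box); the `ORPHANS REMOVED` section shows the autostart that pointed at it. A log that triages clean on a second run only says these particular indicators are gone, which is why the analyst above still asks for another log rather than calling it clean on the first pass.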
Old 06-12-2012, 03:28 AM   #4
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 14,776
OS: XP Win7 Ubuntu 10.10



Hi,

That looks good. The major infection seems to have been nabbed by ComboFix. However, ComboFix has recently been updated to cover other aspects of the infection. So, please delete the present copy of ComboFix from your desktop. Download a fresh copy from the same link above, disable ESET, and run it one more time. Post the resultant log in your next reply and let me know how the system is behaving now.
Old 06-12-2012, 03:09 PM   #5
Registered Member
 
Join Date: Jun 2012
Posts: 3
OS: Windows 7 professional service pack 1



Just ran the updated ComboFix log. System seems to be running back to normal! Thanks for all your help :)

Here is the log:

ComboFix 12-06-12.03 - User 13/06/2012 9:57.2.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.64.1033.18.3037.1730 [GMT 12:00]
Running from: c:\users\User\Downloads\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *Disabled/Updated* {CB0F8167-5331-BA19-698E-64816B6801A5}
SP: ESET NOD32 Antivirus 3.0 *Disabled/Updated* {706E6083-750B-B597-533E-5FF310EF4B18}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-05-12 to 2012-06-12 )))))))))))))))))))))))))))))))
.
.
2012-06-12 22:03 . 2012-06-12 22:03 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-03 22:48 . 2012-06-03 22:48 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-03 22:48 . 2012-06-03 22:48 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-01 05:40 . 2012-05-08 16:40 6737808 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1BD5A8D4-0412-4A01-9BDE-065C301BDABB}\mpengine.dll
2012-05-31 12:19 . 2012-05-31 12:19 -------- d-----w- c:\users\User\Tracing
2012-05-31 12:18 . 2012-05-31 12:18 -------- d-----w- c:\windows\en
2012-05-31 12:15 . 2012-06-09 01:24 -------- d-----w- c:\users\User\AppData\Roaming\HandBrake
2012-05-31 12:14 . 2012-05-31 12:14 -------- d-----w- c:\program files\Handbrake
2012-05-31 12:11 . 2009-09-04 05:44 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2012-05-31 12:11 . 2009-09-04 05:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2012-05-31 12:11 . 2009-09-04 05:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2012-05-31 12:10 . 2012-05-31 12:10 89944 ----a-w- c:\program files\Common Files\Windows Live\.cache\52a3160a1cd3f2603\DSETUP.dll
2012-05-31 12:10 . 2012-05-31 12:10 537432 ----a-w- c:\program files\Common Files\Windows Live\.cache\52a3160a1cd3f2603\DXSETUP.exe
2012-05-31 12:10 . 2012-05-31 12:10 1801048 ----a-w- c:\program files\Common Files\Windows Live\.cache\52a3160a1cd3f2603\dsetup32.dll
2012-05-31 12:10 . 2012-05-31 12:10 94040 ----a-w- c:\program files\Common Files\Windows Live\.cache\495d23f81cd3f2602\DSETUP.dll
2012-05-31 12:10 . 2012-05-31 12:10 525656 ----a-w- c:\program files\Common Files\Windows Live\.cache\495d23f81cd3f2602\DXSETUP.exe
2012-05-31 12:10 . 2012-05-31 12:10 1691480 ----a-w- c:\program files\Common Files\Windows Live\.cache\495d23f81cd3f2602\dsetup32.dll
2012-05-31 12:09 . 2012-05-31 12:19 -------- d-----w- c:\users\User\AppData\Local\Windows Live
2012-05-31 12:02 . 2012-05-31 12:02 -------- d-----w- C:\OutputFolder
2012-05-31 12:02 . 2012-05-31 12:02 -------- d-----w- c:\program files\Digiarty
2012-05-31 01:36 . 2012-05-31 01:36 -------- d-----w- c:\users\User\AppData\Local\Downloaded Installations
2012-05-19 12:25 . 2012-05-19 12:25 -------- d-----w- c:\users\User\AppData\Local\ESET
2012-05-19 03:01 . 2012-05-19 03:01 163048 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10141.bin
2012-05-17 22:24 . 2012-01-25 05:32 58880 ----a-w- c:\windows\system32\rdpwsx.dll
2012-05-17 22:24 . 2012-01-25 05:32 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-05-17 21:41 . 2012-05-17 21:41 -------- d-----w- c:\windows\system32\SPReview
2012-05-17 21:40 . 2012-05-17 21:40 -------- d-----w- c:\windows\system32\EventProviders
2012-05-16 08:47 . 2012-05-16 08:47 -------- d-----w- c:\users\User\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2012-05-14 06:16 . 2012-05-14 06:16 -------- d-----w- c:\users\User\AppData\Roaming\Xilisoft
2012-05-14 06:15 . 2012-05-14 06:15 -------- d-----w- c:\programdata\Xilisoft
2012-05-14 06:15 . 2012-05-14 06:15 -------- d-----w- c:\program files\Xilisoft
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-31 12:12 . 2011-03-28 06:36 19736 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-05-17 21:55 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2012-04-19 22:54 . 2012-04-19 22:54 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-04-19 22:54 . 2012-04-19 22:54 86528 ----a-w- c:\windows\system32\iesysprep.dll
2012-04-19 22:54 . 2012-04-19 22:54 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2012-04-19 22:54 . 2012-04-19 22:54 48640 ----a-w- c:\windows\system32\mshtmler.dll
2012-04-19 22:54 . 2012-04-19 22:54 161792 ----a-w- c:\windows\system32\msls31.dll
2012-04-19 22:54 . 2012-04-19 22:54 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2012-04-19 22:54 . 2012-04-19 22:54 63488 ----a-w- c:\windows\system32\tdc.ocx
2012-04-19 22:47 . 2012-04-19 22:47 74752 ----a-w- c:\windows\system32\iesetup.dll
2012-04-19 22:47 . 2012-04-19 22:47 367104 ----a-w- c:\windows\system32\html.iec
2012-04-19 22:47 . 2012-04-19 22:47 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-04-19 22:47 . 2012-04-19 22:47 23552 ----a-w- c:\windows\system32\licmgr10.dll
2012-04-19 22:47 . 2012-04-19 22:47 152064 ----a-w- c:\windows\system32\wextract.exe
2012-04-19 22:47 . 2012-04-19 22:47 150528 ----a-w- c:\windows\system32\iexpress.exe
2012-04-19 22:47 . 2012-04-19 22:47 35840 ----a-w- c:\windows\system32\imgutil.dll
2012-04-19 22:47 . 2012-04-19 22:47 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-04-19 22:47 . 2012-04-19 22:47 11776 ----a-w- c:\windows\system32\mshta.exe
2012-04-19 22:47 . 2012-04-19 22:47 101888 ----a-w- c:\windows\system32\admparse.dll
2012-04-18 08:23 . 2012-04-18 08:23 61440 ----a-r- c:\users\User\AppData\Roaming\Microsoft\Installer\{3CA54984-A14B-42FE-9FF1-7EA90151D725}\NewShortcut2_E88611396FF84AFCB2EE5C1594058E02.exe
2012-04-18 08:23 . 2012-04-18 08:23 61440 ----a-r- c:\users\User\AppData\Roaming\Microsoft\Installer\{3CA54984-A14B-42FE-9FF1-7EA90151D725}\ARPPRODUCTICON.exe
2012-04-18 08:23 . 2012-04-18 08:23 106496 ----a-r- c:\users\User\AppData\Roaming\Microsoft\Installer\{3CA54984-A14B-42FE-9FF1-7EA90151D725}\NewShortcut311_0951773981FA4AB2BC21B7DCEC95892A.exe
2012-04-18 08:23 . 2012-04-18 08:23 106496 ----a-r- c:\users\User\AppData\Roaming\Microsoft\Installer\{3CA54984-A14B-42FE-9FF1-7EA90151D725}\NewShortcut31_2F252077BA3F4362913955273A708467.exe
2012-04-18 08:23 . 2012-04-18 08:23 106496 ----a-r- c:\users\User\AppData\Roaming\Microsoft\Installer\{3CA54984-A14B-42FE-9FF1-7EA90151D725}\NewShortcut1_EDD4ABB1C1B34A9D84CE33FBFB5D3639.exe
2012-04-18 08:23 . 2012-04-18 08:23 18760 ----a-w- c:\windows\system32\QQVistaHelper.dll
2012-04-01 06:20 . 2012-04-01 06:20 421888 ----a-w- c:\windows\system32\RealMediaSplitter.ax
2012-03-31 04:39 . 2012-05-12 03:34 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-03-31 04:39 . 2012-05-12 03:34 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-03-31 02:36 . 2012-05-12 03:34 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-03-30 10:23 . 2012-05-12 03:34 1291632 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-03-17 07:27 . 2012-05-12 03:34 56176 ----a-w- c:\windows\system32\drivers\partmgr.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-04-18 39408]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-05-02 17355912]
"BitTorrent"="c:\program files\BitTorrent\BitTorrent.exe" [2012-04-29 6379888]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-30 98304]
"SVPWUTIL"="c:\program files\TOSHIBA\Utilities\SVPWUTIL.exe" [2009-07-10 352256]
"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2009-06-02 425984]
"KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2009-01-14 34088]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2009-08-05 476512]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2009-03-09 55160]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2009-07-28 460088]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2009-08-05 738616]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-29 7625248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-07-21 1545512]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2009-07-22 83336]
"SmartFaceVWatcher"="c:\program files\Toshiba\SmartFaceV\SmartFaceVWatcher.exe" [2009-07-29 163840]
"Teco"="c:\program files\TOSHIBA\TECO\Teco.exe" [2009-08-10 1324384]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2009-08-04 611672]
"ToshibaServiceStation"="c:\program files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-08-17 1294136]
"TosWaitSrv"="c:\program files\TOSHIBA\TPHM\TosWaitSrv.exe" [2009-08-07 611672]
"TWebCamera"="c:\program files\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2009-08-11 2446648]
"TosNC"="c:\program files\Toshiba\BulletinBoard\TosNcCore.exe" [2009-08-06 466792]
"TosReelTimeMonitor"="c:\program files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe" [2009-08-06 29528]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-10-06 1461080]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-26 421736]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2009-8-7 2680160]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2012-05-11 135664]
R2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-05-30 3048136]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2012-04-04 158856]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-03 257696]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2012-05-11 135664]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-05-14 4231680]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-07-31 171520]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-04-19 1343400]
S1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2009-10-06 35168]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-07-30 176128]
S2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe [2009-07-18 181616]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2009-03-11 46448]
S2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-10-06 472280]
S2 RSELSVC;TOSHIBA Modem region select service;c:\program files\TOSHIBA\RSelect\RSelSvc.exe [2009-07-07 62832]
S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [2009-08-10 181616]
S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys [2009-06-20 12920]
S3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2010-01-13 6755840]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2009-06-23 24064]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-05-23 167936]
S3 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-08-17 51512]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2009-08-04 111960]
S3 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [2009-08-07 685424]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-12 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-03 22:48]
.
2012-06-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-05-11 12:40]
.
2012-06-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-05-11 12:40]
.
2012-06-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1073669500-3249634009-2592816823-1004Core.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-18 05:25]
.
2012-06-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1073669500-3249634009-2592816823-1004UA.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-18 05:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSAU&bmod=TSAU
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSAU&bmod=TSAU
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:00000009
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-06-13 10:05:04
ComboFix-quarantined-files.txt 2012-06-12 22:05
ComboFix2.txt 2012-06-12 09:58
.
Pre-Run: 163,484,418,048 bytes free
Post-Run: 163,433,926,656 bytes free
.
- - End Of File - - B6D577764326C348E98E59C6F5F8138E
omjb is offline  
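As an added example (not code from the thread or from ComboFix), here is a small Python parser for the service/driver lines of a ComboFix log like the one posted above. It turns each `R2 name;display;path [date size]` line into a record and flags the entries an analyst would check first: a binary the scanner could not find on disk (`[x]`), or one running from outside the usual system directories. The reading of the prefix (letter = run state, digit = Windows start type) is my interpretation of the format, not something the thread states, and the `updsvc` line in the sample is constructed and does not appear in the log.

```python
"""Parse the service/driver section of a ComboFix log and flag entries for a closer look."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A ComboFix service/driver line has the shape
#   R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-10-06 472280]
#   R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
# Reading of the prefix (an assumption about the format, not stated in the thread):
# the letter is the run state (R = running, S = stopped), the digit the Windows
# service start type (0 boot, 1 system, 2 automatic, 3 manual, 4 disabled).
# "[x]" means the scanner could not find the binary on disk.
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"
    r"(?P<name>[^;]*);(?P<display>[^;]*);(?P<path>.*?)\s+"
    r"\[(?:(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)|(?P<missing>x))\]\s*$"
)

START_TYPES = {"0": "boot", "1": "system", "2": "automatic", "3": "manual", "4": "disabled"}

# Directory roots from which a service or driver binary is normally expected to run.
EXPECTED_ROOTS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\programdata\\",
)


@dataclass
class ServiceEntry:
    running: bool
    start_type: str
    name: str
    display: str
    path: str
    date: Optional[str]
    size: Optional[int]
    file_missing: bool


def parse_line(line: str) -> Optional[ServiceEntry]:
    """Return a ServiceEntry for one service/driver line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return ServiceEntry(
        running=m["state"] == "R",
        start_type=START_TYPES[m["start"]],
        name=m["name"].strip(),
        display=m["display"].strip(),
        path=m["path"].strip(),
        date=m["date"],
        size=int(m["size"]) if m["size"] else None,
        file_missing=m["missing"] is not None,
    )


def parse_log(text: str) -> List[ServiceEntry]:
    """Collect every service/driver entry in a ComboFix log; other lines are skipped."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e is not None]


def triage(entries: List[ServiceEntry]) -> List[Tuple[str, str]]:
    """Return (service name, reason) pairs for entries an analyst should check first."""
    findings = []
    for e in entries:
        p = e.path.lower()
        if e.file_missing:
            findings.append((e.name, "binary not found on disk"))
        elif not p.startswith(EXPECTED_ROOTS):
            findings.append((e.name, f"runs from an unusual location: {e.path}"))
        elif "\\temp\\" in p:
            findings.append((e.name, f"runs from a temp directory: {e.path}"))
    return findings


# Constructed sample: the first two lines copy the format of entries in the thread's log,
# the third (updsvc) is invented for illustration and does not appear in the thread.
SAMPLE_LOG = r"""
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-10-06 472280]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
S2 updsvc;Update Helper;c:\users\User\AppData\Local\Temp\updsvc.exe [2012-06-01 45056]
.
--- Other Services/Drivers In Memory ---
"""

if __name__ == "__main__":
    for name, reason in triage(parse_log(SAMPLE_LOG)):
        print(f"{name}: {reason}")
```

A missing binary on its own is often just a leftover registration from an uninstalled driver (the RtsUIR entry in the real log is a plausible case), so the flags are a reading order for the analyst, not a verdict; the location check is what separates vendor services under Program Files from something started out of a user profile.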
Old 06-13-2012, 01:12 AM   #6
amateur
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 14,776
OS: XP Win7 Ubuntu 10.10

Great. Now, let's go into other details and also check for remnants.

I see BitTorrent installed on this machine. This practice can make you vulnerable to data and identity theft. Please read this sticky:

Perils of P2P File Sharing

I would strongly urge you to remove it via Add or Remove Programs in Control Panel as suggested in our
NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help page.

Quote:
  • p2p programs like uTorrent, Bittorrent, LimeWire, Morpheus, etc., as they are a major conduit for malware and a likely source of your current issues. See this link
====================

Java(TM) 6 Update 14 is way out of date. Please go to Start > Control Panel > Programs and Features and remove the Java program(s) installed.
Next, download the latest Java, version 7 update 4 from the following link:

Download Free Java Software

====================

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Launch Malwarebytes', and select Perform Quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Save it to your desktop.
Note: Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply.

=================

Go here to run an online scanner from ESET.
  • Note: For browsers other than Internet Explorer, you will need to download and install esetsmartinstaller_enu.exe. Click on it and save the file to a convenient location. Double click on it to install and a new window will open.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.
amateur is offline

Old 06-15-2012, 10:54 PM   #7
amateur

Hi omjb,

Are you still with us?

The topics are usually closed if no reply has been received for three days.
amateur is offline

Old 06-19-2012, 02:39 AM   #8
amateur

Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help - Tech Support Forum

amateur is offline

All times are GMT -7. The time now is 06:52 AM.
Copyright 2001 - 2014, Tech Support Forum