
Win security 2012 - Keeps coming back - Firefox?

This is a discussion on Win security 2012 - Keeps coming back - Firefox? within the Inactive Malware Help Topics forums, part of the Tech Support Forum category.


 
 
Old 12-29-2011, 06:37 PM   #1
Registered Member
 
Join Date: Jan 2010
Posts: 35
OS: windows 7



Ran combofix, malwarebytes, spybot, and deleted associated files manually. This damn thing keeps coming back. I first had it on my desktop, now it's on my laptop, two different networks, so I'm thinking Firefox is the culprit, as I have some sync feature on.

As asked, here are the requested files. I haven't done anything to remove it yet on my laptop except close the process, move it to the recycle bin, and restore the default .exe associations.



.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Demetri at 20:34:19 on 2011-12-29
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3835.2021 [GMT -5:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\IDT\WDM\AESTSr64.exe
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Windows\SysWOW64\srvany.exe
C:\Windows\KMService.exe
C:\Windows\system32\conhost.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\atieclxx.exe
C:\Program Files (x86)\DigitalPersona\Bin\DPAgent.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Logitech Gaming Software\LCore.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\YCMMirage.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: Microsoft Web Test Recorder 10.0 Helper: {dda57003-0068-4ed2-9d32-4d1ec707d94d} - C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
EB: Web Test Recorder 10.0: {5802d092-1784-4908-8cdb-99b6842d353d} - mscoree.dll
mRun: [<NO NAME>]
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: SoftwareSASGeneration = 3 (0x3)
IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} - hxxps://www.select2perform.com/cabs/QOLCheck.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{29E4C054-8BFC-4FC6-98A6-7604FC9C977A} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{29E4C054-8BFC-4FC6-98A6-7604FC9C977A}\0484F6D65623231453 : DhcpNameServer = 68.87.74.166 68.87.68.166
TCP: Interfaces\{29E4C054-8BFC-4FC6-98A6-7604FC9C977A}\0514354514D4F4E435455425 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{29E4C054-8BFC-4FC6-98A6-7604FC9C977A}\2416D626F6F6 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{29E4C054-8BFC-4FC6-98A6-7604FC9C977A}\2456C6B696E6F5E4F575962756C6563737F5340303336353 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{29E4C054-8BFC-4FC6-98A6-7604FC9C977A}\4656661657C647 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{29E4C054-8BFC-4FC6-98A6-7604FC9C977A}\665736B60297F657 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{29E4C054-8BFC-4FC6-98A6-7604FC9C977A}\D4166727F6D6F6E647 : DhcpNameServer = 192.168.0.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
LSA: Notification Packages = DPPassFilter scecli
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: Microsoft Web Test Recorder 10.0 Helper: {DDA57003-0068-4ed2-9D32-4D1EC707D94D} - C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll
BHO-X64: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO-X64: SmartSelect - No File
TB-X64: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
EB-X64: {5802D092-1784-4908-8CDB-99B6842D353D} - No File
mRun-x64: [(Default)]
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Demetri\AppData\Roaming\Mozilla\Firefox\Profiles\8ueq7ga0.default\
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Users\Demetri\AppData\Roaming\Mozilla\Firefox\Profiles\8ueq7ga0.default\extensions\{ab91efd4-6975-4081-8552-1b3922ed79e2}\plugins\npProductDetectPlugin.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 {329F96B6-DF1E-4328-BFDA-39EA953C1312};Power Control [2011/10/25 21:41:55];C:\Program Files (x86)\CyberLink\PowerDVD11\Common\NavFilter\000.fcl [2011-8-25 148976]
R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2010-11-9 89600]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-9-8 361984]
R2 AODDriver4.01;AODDriver4.01;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\aoddriver2.sys [2011-6-24 55424]
R2 KMService;KMService;C:\Windows\System32\srvany.exe [2011-2-11 8192]
R2 ntk_PowerDVD;ntk_PowerDVD;C:\Program Files (x86)\CyberLink\PowerDVD11\Kernel\DMP\ntk_PowerDVD_64.sys [2011-10-25 75248]
R3 amdiox64;AMD IO Driver;C:\Windows\system32\DRIVERS\amdiox64.sys --> C:\Windows\system32\DRIVERS\amdiox64.sys [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 clwvd;HP Webcam Splitter;C:\Windows\system32\DRIVERS\clwvd.sys --> C:\Windows\system32\DRIVERS\clwvd.sys [?]
R3 LADF_CaptureOnly;LADF Capture Filter Driver;C:\Windows\system32\DRIVERS\ladfGSCamd64.sys --> C:\Windows\system32\DRIVERS\ladfGSCamd64.sys [?]
R3 LADF_RenderOnly;LADF Render Filter Driver;C:\Windows\system32\DRIVERS\ladfGSRamd64.sys --> C:\Windows\system32\DRIVERS\ladfGSRamd64.sys [?]
R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;C:\Windows\system32\DRIVERS\LEqdUsb.Sys --> C:\Windows\system32\DRIVERS\LEqdUsb.Sys [?]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;C:\Windows\system32\drivers\LGBusEnum.sys --> C:\Windows\system32\drivers\LGBusEnum.sys [?]
R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;C:\Windows\system32\drivers\LGVirHid.sys --> C:\Windows\system32\drivers\LGVirHid.sys [?]
R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;C:\Windows\system32\DRIVERS\LHidEqd.Sys --> C:\Windows\system32\DRIVERS\LHidEqd.Sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 AODDriver4.0;AODDriver4.0;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\aoddriver2.sys [2011-6-24 55424]
S3 btusbflt;Bluetooth USB Filter;C:\Windows\system32\drivers\btusbflt.sys --> C:\Windows\system32\drivers\btusbflt.sys [?]
S3 CrossLoopService;CrossLoop Service;C:\Users\Demetri\AppData\Local\CrossLoop\CrossLoopService.exe [2011-2-5 564976]
S3 HP Wireless Assistant Service;HP Wireless Assistant Service;C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-6-18 103992]
S3 MHIKEY10;MHIKEY10;C:\Windows\system32\Drivers\MHIKEY10x64.sys --> C:\Windows\system32\Drivers\MHIKEY10x64.sys [?]
S3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\netw5v64.sys --> C:\Windows\system32\DRIVERS\netw5v64.sys [?]
S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-1-9 174440]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]
S3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;C:\Windows\system32\DRIVERS\silabenm.sys --> C:\Windows\system32\DRIVERS\silabenm.sys [?]
S3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;C:\Windows\system32\DRIVERS\silabser.sys --> C:\Windows\system32\DRIVERS\silabser.sys [?]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]
S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 tvnserver;TightVNC Server;C:\Users\Demetri\AppData\Local\CrossLoop\tvnserver.exe [2011-2-5 814080]
S3 vcsFPService;Validity VCS Fingerprint Service;C:\Windows\System32\vcsFPService.exe [2010-2-23 1799472]
S3 VSPerfDrv100;Performance Tools Driver 10.0;C:\Program Files (x86)\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\x64\VSPerfDrv100.sys [2011-1-18 68440]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
S4 CLHNServiceForPowerDVD;CLHNServiceForPowerDVD;C:\Program Files (x86)\CyberLink\PowerDVD11\Kernel\DMP\CLHNServiceForPowerDVD.exe [2011-10-25 83240]
S4 CyberLink PowerDVD 11.0 Monitor Service;CyberLink PowerDVD 11.0 Monitor Service;C:\Program Files (x86)\CyberLink\PowerDVD11\Common\MediaServer\CLMSMonitorService.exe [2011-10-25 75048]
S4 CyberLink PowerDVD 11.0 Service;CyberLink PowerDVD 11.0 Service;C:\Program Files (x86)\CyberLink\PowerDVD11\Common\MediaServer\CLMSServerForPDVD11.exe [2011-10-25 292136]
S4 hpsrv;HP Service;C:\Windows\system32\Hpservice.exe --> C:\Windows\system32\Hpservice.exe [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;C:\Program Files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2009-7-22 61976]
S4 RsFx0105;RsFx0105 Driver;C:\Windows\system32\DRIVERS\RsFx0105.sys --> C:\Windows\system32\DRIVERS\RsFx0105.sys [?]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2011-9-22 431464]
.
=============== Created Last 30 ================
.
2011-12-29 15:44:33 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{59817365-18E7-4E70-ACA5-EE02C302BB85}\offreg.dll
2011-12-29 02:56:54 -------- d-----w- C:\Users\Demetri\AppData\Local\Logitech
2011-12-29 02:56:31 -------- d-----w- C:\Program Files\Logitech Gaming Software
2011-12-29 00:15:12 8822856 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{59817365-18E7-4E70-ACA5-EE02C302BB85}\mpengine.dll
2011-12-21 01:23:19 -------- d-----w- C:\ProgramData\CCP
2011-12-21 01:09:55 -------- d-----w- C:\Program Files (x86)\CCP
2011-12-21 00:13:40 73064 ----a-w- C:\Windows\SysWow64\perf-MSSQL$SQLEXPRESS-sqlctr10.3.5500.0.dll
2011-12-21 00:13:40 109416 ----a-w- C:\Windows\System32\perf-MSSQL$SQLEXPRESS-sqlctr10.3.5500.0.dll
2011-12-21 00:13:40 105832 ----a-w- C:\Windows\System32\SQSRVRES.DLL
2011-12-20 23:36:04 -------- d-----w- C:\Users\Demetri\AppData\Local\CCP
2011-12-15 21:30:07 43520 ----a-w- C:\Windows\System32\csrsrv.dll
2011-12-15 21:30:05 3145216 ----a-w- C:\Windows\System32\win32k.sys
2011-12-15 21:30:04 723456 ----a-w- C:\Windows\System32\EncDec.dll
2011-12-15 21:30:04 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll
2011-12-15 21:29:59 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2011-12-15 21:29:59 2048 ----a-w- C:\Windows\System32\tzres.dll
2011-12-10 01:08:23 -------- d-----w- C:\Program Files (x86)\NovaLogic
2011-12-10 01:07:48 304128 ----a-w- C:\Windows\IsUninst.exe
2011-12-09 06:03:27 -------- d-----w- C:\Users\Demetri\AppData\Local\Diagnostics
2011-12-09 05:56:54 -------- d-----w- C:\Program Files (x86)\EGOSOFT
2011-12-09 00:02:49 53248 ----a-r- C:\Users\Demetri\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2011-12-09 00:02:44 -------- d-----w- C:\Users\Demetri\AppData\Local\Logishrd
2011-12-08 23:44:24 -------- d-----w- C:\ProgramData\PreEmptive Solutions
2011-12-08 23:04:23 -------- d-----w- C:\ProgramData\VS
2011-12-08 22:46:23 -------- d-----w- C:\Users\Demetri\AppData\Local\assembly
2011-12-04 04:56:40 77878 ----a-w- C:\Windows\SysWow64\temp.001
2011-12-04 04:56:40 466991 ----a-w- C:\Program Files (x86)\Windows NT\HyperTerminal\Hypertrm.dll
2011-12-04 04:56:40 36910 ----a-w- C:\Program Files (x86)\Windows NT\HyperTerminal\Hticons.dll
2011-12-04 04:56:40 295000 ----a-w- C:\Windows\SysWow64\temp.000
2011-12-04 04:56:40 20524 ----a-w- C:\Program Files (x86)\Windows NT\HyperTerminal\HyperTrm.exe
2011-12-04 04:56:40 149504 ----a-w- C:\Windows\UNWISE32.EXE
2011-12-04 04:56:40 117390 ----a-w- C:\Program Files (x86)\Windows NT\HyperTerminal\register.exe
2011-12-04 04:56:40 113236 ----a-w- C:\Program Files (x86)\Windows NT\HyperTerminal\Purchase Private Edition.exe
2011-12-04 04:54:22 -------- d-----w- C:\Program Files (x86)\HyperTerminal
2011-12-02 09:34:30 -------- d-----w- C:\Users\Demetri\AppData\Roaming\Unity
2011-12-02 09:33:04 -------- d-----w- C:\Users\Demetri\AppData\Roaming\PACE Anti-Piracy
2011-12-02 09:33:04 -------- d-----w- C:\Users\Demetri\AppData\Local\PACE Anti-Piracy
2011-12-02 09:33:04 -------- d-----w- C:\ProgramData\PACE Anti-Piracy
2011-12-02 09:32:12 -------- d-----w- C:\Users\Demetri\AppData\Local\Unity
2011-12-02 09:29:22 -------- d-----w- C:\Program Files (x86)\Unity
2011-12-02 09:04:32 -------- d-----w- C:\Windows\SysWow64\xlive
2011-12-02 09:04:29 -------- d-----w- C:\Program Files (x86)\Microsoft Games for Windows - LIVE
2011-12-02 08:55:31 -------- d-----w- C:\Scripts
2011-12-02 08:55:31 -------- d-----w- C:\Lib
2011-12-02 08:53:30 -------- d-----r- C:\Users\Demetri\Dropbox
2011-12-02 08:49:39 -------- d-----w- C:\Users\Demetri\AppData\Roaming\Dropbox
2011-12-02 06:05:01 -------- d-----w- C:\Users\Demetri\AppData\Roaming\TS3Client
2011-12-02 06:00:56 -------- d-----w- C:\Program Files\TeamSpeak 3 Client
2011-12-02 05:34:58 78872 ----a-w- C:\Windows\System32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll
2011-12-02 05:34:58 50200 ----a-w- C:\Windows\SysWow64\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll
2011-12-02 05:34:07 -------- d-----w- C:\Windows\System32\RsFx
2011-12-02 05:29:12 -------- d-----w- C:\Program Files\Microsoft SQL Server
2011-12-02 05:28:51 -------- d-----w- C:\Program Files (x86)\Microsoft SQL Server
2011-12-02 05:28:02 -------- d-----w- C:\Program Files (x86)\Microsoft Synchronization Services
2011-12-02 05:28:01 -------- d-----w- C:\Program Files (x86)\Microsoft SQL Server Compact Edition
2011-12-02 05:24:36 -------- d-----w- C:\Program Files (x86)\Microsoft ASP.NET
2011-12-02 05:24:30 -------- d-----w- C:\Program Files\IIS
2011-12-02 05:24:30 -------- d-----w- C:\Program Files (x86)\IIS
2011-12-02 05:23:30 2482592 ----a-w- C:\ProgramData\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
2011-12-02 05:17:02 -------- d-----w- C:\Windows\SysWow64\1033
2011-12-02 05:16:51 -------- d-----w- C:\Program Files (x86)\Microsoft F#
2011-12-02 05:16:51 -------- d-----w- C:\Program Files (x86)\HTML Help Workshop
2011-12-02 05:16:51 -------- d-----w- C:\Program Files (x86)\Common Files\Merge Modules
2011-12-02 05:16:50 -------- d-----w- C:\Program Files (x86)\Microsoft Visual Studio 10.0
2011-12-02 05:12:59 -------- d-----w- C:\Windows\System32\1033
2011-12-02 05:12:59 -------- d-----w- C:\Program Files\Microsoft Visual Studio 10.0
2011-12-02 05:12:59 -------- d-----w- C:\Program Files\Microsoft Help Viewer
2011-11-30 20:33:56 -------- d-----w- C:\SwSetup
2011-11-30 20:31:54 -------- d-----w- C:\Program Files (x86)\HP
.
==================== Find3M ====================
.
2011-12-09 00:02:37 18960 ----a-w- C:\Windows\System32\drivers\LNonPnP.sys
2011-11-16 05:22:19 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-11-04 01:53:39 2309120 ----a-w- C:\Windows\System32\jscript9.dll
2011-11-04 01:44:47 1390080 ----a-w- C:\Windows\System32\wininet.dll
2011-11-04 01:44:21 1493504 ----a-w- C:\Windows\System32\inetcpl.cpl
2011-11-04 01:34:43 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2011-11-03 22:47:42 1798144 ----a-w- C:\Windows\SysWow64\jscript9.dll
2011-11-03 22:40:21 1427456 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2011-11-03 22:39:47 1127424 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-11-03 22:31:57 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
.
============= FINISH: 20:34:38.60 ===============
Attached Files
File Type: zip Attach.zip (3.1 KB, 17 views)
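The DDS log above is the kind of artifact a helper reads by eye: processes, services/drivers and recently created files, scanning for binaries in odd locations. As an added example (not part of the thread and not code from the DDS tool), here is a small Python triage script that parses those three sections and flags entries a reviewer would normally check first. The heuristics in `why_suspicious()` (binaries sitting directly in the Windows root, services running from a user profile, wrapper binaries such as `srvany.exe`, leftover `temp.*` files) are my own assumptions, and the sample log is constructed in the same shape as the one posted; a hit means "look at this", not "this is malware".

```python
"""Triage helper for DDS-style log excerpts (added example, not DDS code)."""
import re
from typing import Dict, List, Optional

HEADER_RE = re.compile(r"^=+\s*(?P<name>.+?)\s*=+$")
# R2 name;display name;path [date size]   (service / driver lines)
SERVICE_RE = re.compile(r"^[RS]\d+\s+[^;]+;[^;]*;(?P<path>.+)$")
# 2011-12-10 01:07:48 304128 ----a-w- path   (Created Last 30 lines)
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\S+\s+\S+\s+(?P<path>.+)$"
)
# Assumed list of wrapper/interpreter binaries whose real payload lives elsewhere.
WRAPPERS = {"srvany.exe", "cmd.exe", "cscript.exe", "wscript.exe", "rundll32.exe"}

# Constructed sample in the same shape as the DDS log posted in the thread.
SAMPLE_LOG = r"""
============== Running Processes ===============
.
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\SysWOW64\srvany.exe
C:\Windows\KMService.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
.
============= SERVICES / DRIVERS ===============
.
R2 KMService;KMService;C:\Windows\System32\srvany.exe [2011-2-11 8192]
S3 tvnserver;TightVNC Server;C:\Users\Demetri\AppData\Local\CrossLoop\tvnserver.exe [2011-2-5 814080]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
.
=============== Created Last 30 ================
.
2011-12-10 01:07:48 304128 ----a-w- C:\Windows\IsUninst.exe
2011-12-04 04:56:40 77878 ----a-w- C:\Windows\SysWow64\temp.001
2011-12-02 08:55:31 -------- d-----w- C:\Scripts
.
============= FINISH: 20:34:38.60 ===============
"""


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group non-empty log lines under their '==== NAME ====' header."""
    sections: Dict[str, List[str]] = {}
    current = "PREAMBLE"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # DDS uses a lone '.' as a spacer
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def extract_path(section: str, line: str) -> Optional[str]:
    """Pull the file path out of a line; the layout differs per section."""
    if section.startswith("Running Processes"):
        m = re.match(r"^(?P<path>.+?\.exe)(\s|$)", line, re.IGNORECASE)
        return m.group("path") if m else None
    if section.startswith("SERVICES"):
        m = SERVICE_RE.match(line)
        if not m:
            return None
        path = m.group("path").split(" --> ")[0]   # DDS repeats unresolved paths after '-->'
        return path.rsplit(" [", 1)[0].strip()      # drop the '[date size]' / '[?]' suffix
    if section.startswith("Created Last"):
        m = CREATED_RE.match(line)
        return m.group("path") if m else None
    return None


def why_suspicious(section: str, path: str) -> Optional[str]:
    """Return a triage reason, or None. These rules are assumptions, not DDS logic."""
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    if re.fullmatch(r"c:\\windows\\[^\\]+\.(exe|dll|sys)", low):
        return "binary directly in the Windows root instead of a system subfolder"
    if "\\appdata\\" in low and not section.startswith("Created Last"):
        return "service or process running from a user profile directory"
    if name in WRAPPERS and not section.startswith("Created Last"):
        return "wrapper/interpreter binary; the real payload is in its arguments or config"
    if re.fullmatch(r"temp\.\d+", name):
        return "temp.* file left in a system directory"
    return None


def triage(text: str) -> List[Dict[str, str]]:
    """Run the heuristics over every parsed entry and collect the hits."""
    findings: List[Dict[str, str]] = []
    for section, lines in split_sections(text).items():
        for line in lines:
            path = extract_path(section, line)
            if path is None:
                continue
            reason = why_suspicious(section, path)
            if reason:
                findings.append({"section": section, "path": path, "reason": reason})
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"[{hit['section']}] {hit['path']}: {hit['reason']}")
```

Run against a real DDS.txt by replacing `SAMPLE_LOG` with the file contents; on the constructed sample it reports the two Windows-root binaries, the `srvany.exe` wrapper (as process and as the KMService service), the VNC server under AppData and the `temp.001` file, and stays quiet about svchost, Firefox and the WiFi filter driver.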
Old 01-01-2012, 07:32 AM   #2
TSF Team
Manager Emeritus
 
 
Join Date: Jun 2008
Location: London UK
Posts: 4,966
OS: Windows 7 SP1 x64



Hi demetri01ws6,

I see you ran ComboFix. Kindly post the log it would have produced as it contains important information for us. You'll find the log at:
C:\ComboFix.txt
Old 01-01-2012, 08:07 AM   #3
Registered Member
 
Join Date: Jan 2010
Posts: 35
OS: windows 7



No, I ran the programs on my desktop, but these logs are from my laptop, which hasn't been touched yet.
Old 01-01-2012, 09:13 AM   #4
TSF Team
Manager Emeritus
 
 
Join Date: Jun 2008
Location: London UK
Posts: 4,966
OS: Windows 7 SP1 x64



Hi demetri01ws6,

I see. Have you used any USB devices on both computers recently?

Please download aswMBR.exe and save it to your desktop.

Double click aswMBR.exe to start the tool. (Vista/Windows 7 users - right click to run as administrator)

Click Scan
  • Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.
--------------------------------------
Old 01-03-2012, 03:48 PM   #5
Registered Member
 
Join Date: Jan 2010
Posts: 35
OS: windows 7



Here.
Attached Files
File Type: txt aswMBR.txt (2.2 KB, 13 views)
File Type: zip MBR.zip (531 Bytes, 22 views)
Old 01-03-2012, 03:53 PM   #6
TSF Team
Manager Emeritus
 
 
Join Date: Jun 2008
Location: London UK
Posts: 4,966
OS: Windows 7 SP1 x64



Thanks, we need to run Combofix.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. You may want to print and/or save the following instructions in Notepad as this webpage will not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.

------------------------------------------------------

Due to the restrictions on Windows 7, all tools should be started by right-click > Run as Administrator.

------------------------------------------------------

Try to carry out the next set of instructions using Normal mode. If you cannot, be sure to boot into Safe Mode with Networking.

**Read through these instructions in their entirety BEFORE executing them.** If you have any questions or are unsure about any of the following instructions PLEASE ASK for clarification before continuing. You may want to copy this page to notepad or print it as it will not be available while you run ComboFix.
  1. Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.


    You can get help on disabling your protection programs here

  3. Double click on combofix.exe & follow the prompts.

  4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

  5. When finished, it shall produce a log for you. Post that log in your next reply


    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------

  6. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------
Old 01-03-2012, 04:34 PM   #7
Registered Member
 
Join Date: Jan 2010
Posts: 35
OS: windows 7



Here.
Attached Files
File Type: txt ComboFix.txt (18.1 KB, 17 views)
Old 01-03-2012, 04:53 PM   #8
TSF Team
Manager Emeritus
 
 
Join Date: Jun 2008
Location: London UK
Posts: 4,966
OS: Windows 7 SP1 x64



Have you used any USB devices on both computers recently? Are you still experiencing any symptoms on this computer?
  • Download TDSSKiller.exe to your desktop
  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan
  • If Malicious objects are found, ensure Skip is selected.
    NOTE: Please do not attempt any fix yet.
  • Once complete, a log will be produced at the root drive which is typically C:\
    For example, C:\TDSSKiller.2.6.25.0_date_time_log.txt
  • Attach that log, please.
--------------------------------------
Old 01-03-2012, 04:56 PM   #9
Registered Member
 
Join Date: Jan 2010
Posts: 35
OS: windows 7



No USB devices used. Haven't experienced any symptoms so far. I will say on my desktop, I ran Malwarebytes on full scan and it seems to have gotten rid of it all. I was previously running just a quick.
Attached Files
File Type: txt TDSSKiller.2.6.25.0_03.01.2012_18.54.19_log.txt (83.5 KB, 20 views)
Old 01-03-2012, 05:06 PM   #10
TSF Team
Manager Emeritus
 
 
Join Date: Jun 2008
Location: London UK
Posts: 4,966
OS: Windows 7 SP1 x64



I'm not seeing much on this computer; the .exe files you deleted may have been all that was installed.

As mentioned in our preposting topic:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help - Tech Support Forum

Quote:
3. Uninstall the following via Add or Remove Programs in Control Panel:
  • p2p programs like uTorrent, Bittorrent, LimeWire, Morpheus, etc., as they are a major conduit for malware and a likely source of your current issues.

P2P - I see you have P2P software (uTorrent) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

I would strongly recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs.

----------------------------------------

Your Java is out of date.

Java(TM) can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts. Let me know if it does not.

Make sure you untick the box next to whatever free program they prompt you to install, unless you want it.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.
--------------------------------------

You have this program installed, Malwarebytes Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
--------------------------------------

It's important to run an online scan to search for any remnants that may be lurking. Please go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file...
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.
------------------------------------------------------
Will Watts is offline  
Old 01-03-2012, 05:15 PM   #11
Registered Member
 
Join Date: Jan 2010
Posts: 35
OS: windows 7



Nothing, seems to be gone. I should be good, thanks.
demetri01ws6 is offline  
Old 01-03-2012, 05:19 PM   #12
TSF Team
Manager Emeritus
Join Date: Jun 2008
Location: London UK
Posts: 4,966
OS: Windows 7 SP1 x64



Hi demetri01ws6,

We need to carry out further checks to ensure all the malware is gone. The method of infection still remains, which hasn't been addressed by Combofix or a different tool. We frequently find hidden malware during this stage.
Will Watts is offline  
Old 01-04-2012, 11:59 PM   #13
Registered Member
 
Join Date: Jan 2010
Posts: 35
OS: windows 7



Here.
Attached Files
File Type: txt mbam-log-2012-01-05 (01-55-12).txt (1.8 KB, 27 views)
demetri01ws6 is offline  
Old 01-05-2012, 05:27 AM   #14
TSF Team
Manager Emeritus
Join Date: Jun 2008
Location: London UK
Posts: 4,966
OS: Windows 7 SP1 x64



Hi demetri01ws6, could you also run the ESET scan and post any log it produces.
Will Watts is offline  
Old 01-10-2012, 05:41 PM   #15
TSF Team
Manager Emeritus
Join Date: Jun 2008
Location: London UK
Posts: 4,966
OS: Windows 7 SP1 x64



Hi demetri01ws6, are you still with us? As mentioned, the forum is very busy. Please reply within 24 hours or this thread will be closed.
Will Watts is offline  
Old 01-17-2012, 10:23 AM   #16
TSF-Emeritus
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 15,384
OS: XP Win7 Win 8.1 Ubuntu 10.10



Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help - Tech Support Forum
amateur is offline  