Jump to content

Jeff-66

Members
  • Posts

    10
  • Joined

  • Last visited

Reputation

0 Neutral
  1. Someone should really tell the Hades devs this is happening. Or maybe MBAM devs could coordinate with them to stop this from happening in the future.
  2. @jukebox, I think they updated the game again today, and every time they do, it gets re-detected as ransomware. Maybe someone should let Supergiant games know this is happening?
  3. Here's the report that MBAM generated: Malwarebytes www.malwarebytes.com -Log Details- Protection Event Date: 10/29/19 Protection Event Time: 4:09 PM Log File: 0479d250-fa88-11e9-b777-7085c23887fd.json -Software Information- Version: 3.8.3.2965 Components Version: 1.0.629 Update Package Version: 1.0.13107 License: Premium -System Information- OS: Windows 10 (Build 18362.418) CPU: x64 File System: NTFS User: System -Ransomware Details- File: 1 Malware.Ransom.Agent.Generic, Z:\Epic\Hades\x64\Hades.exe, Blocked, [0], [392685],0.0.0 (end)
  4. It's the same game as the post above. When it happened, I googled it and that's how i got this thread. That said, the game has updated a number of times since August, so the exe has no doubt changed. The game is sold by Epic Games, and has both 32-bit and 64-bit exe's. I've attached both. I renamed the files accordingly, but both files actual name is hades.exe thanks hades false positive.zip
  5. You may have whitelisted this, but I just had Hades (game) locked as ransomware too. (Oct 29, 2019), so it's apparently broken again.
  6. Disregard. After reading similar posts where the resolution was "you better change all your passwords, disconnect from the internet, and format ASAP", I decided to do the same. I know the trojan was still resident, and hiding, and I can't risk it. So I went ahead and formatted and reinstalled windows. I would very much like to know, though, how a file named xxx.xxx can even run. MBAM even said "xxx.xxx is attempting to open" and let me quarantine it. Since when is .xxx an executable extension? It also prevented me from deleting it, from Ctrl-A selecting all files in the temp folder, and other powerful behavior.
  7. I got my first virus/trojan today. MSSE noticed it first, and said it's removal was successful, but far from it. I tried ESET Nod32, and that didn't even see the virus. Then I tried AVG's DOS boot CD, which has networking, and it started up, downloaded it's latest defs, scans the system ... finds nothing. Useless. Superantispyware ... same thing, doesn't even see the malware. ProcessExplorer doesn't show a recognizable process for it. So after googling a bit more, I find out about MBAM and give it a try. Sure enough, the free version found the whole thing, and it's variants in my HD. I forget the name of the trojan, but I know it puts an xXx.xXx and uUu.uUu files into my users/me/local/temp directory, and the xxx one cannot be killed. So I let MBAM do it's thing, it reboots and finishes the job. It says the bad stuff is all gone. Now, before I removed it, I noticed very strange behavior in Firefox (3.6.3), sometimes I was prevented from surfing at all. Other times, I'd get a popup saying "Firefox has stopped working", it also seemed to be trying to intercept my downloads. Later, after MBAM finishes, I open Firefox again and MBAM pops up and tells me that xxx.xxx is attempting to load, and has been stopped. I click Quarantine. so i figure the bloody thing is still hiding somewhere. I disable SystemRestore, and reboot into SafeMode, and let MBAM scan the HD's. It finds nothing at all. I reboot again, all seems well. Odd, random lettered exe's are no longer showing in MSConfig's startup area. the xxx.xxx and uuu.uuu files are no longer present in the temp folder. Good so far. Until ... I start Firefox ... and once again, MBAM intercepts xxx.xxx and keeps it from starting. So clearly, this trojan is somehow hooked into Firefox. So I need some advice about what I should do next. Of course, I'm trying to avoid a full system re-install. It would take me a solid week to get things back to the way they are now. Thanks reports follow. DDS.txt report: ok, attach.text: ok, GMER: would not run: small screenshot in zip. Here's the DDS.txt report: DDS (Ver_10-03-17.01) - NTFSX64 Run by Jeff at 15:30:59.71 on Fri 04/16/2010 Internet Explorer: 8.0.7600.16385 Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.6142.4705 [GMT -4:00] ============== Running Processes =============== C:\Windows\system32\wininit.exe C:\Windows\system32\lsm.exe C:\Windows\system32\svchost.exe -k DcomLaunch C:\Windows\system32\nvvsvc.exe C:\Windows\system32\svchost.exe -k RPCSS C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted C:\Windows\system32\svchost.exe -k netsvcs C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe C:\Windows\system32\svchost.exe -k LocalService C:\Windows\system32\WUDFHost.exe C:\Windows\system32\nvvsvc.exe C:\Windows\system32\WUDFHost.exe C:\Windows\system32\svchost.exe -k NetworkService C:\Windows\System32\spoolsv.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation C:\Applications\Hardware\nHancer\nHancerService.exe C:\Windows\system32\Dwm.exe C:\Windows\system32\taskhost.exe C:\Windows\system32\taskeng.exe C:\Windows\Explorer.EXE C:\Applications\Video\FRAPS\fraps.exe C:\Program Files (x86)\NVIDIA Corporation\nTune\nTuneService.exe C:\Applications\Tools\Disk\O&O Defrag\oodag.exe C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe C:\Applications\Tools\Disk\Macrium Reflect\ReflectService.exe C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe C:\Windows\system32\svchost.exe -k imgsvc C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe C:\Applications\Hardware\Logitech Setpoint-64\SetPointP\SetPoint.exe C:\Users\Jeff\AppData\Roaming\Dropbox\bin\Dropbox.exe C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE C:\Applications\Tools\Security\Malwarebytes\mbamgui.exe C:\Applications\Hardware\MSI Afterburner\MSIAfterburner.exe C:\Program Files\Logitech\GamePanel Software\Applets\LCDClock.exe C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe C:\Windows\system32\SearchIndexer.exe C:\Program Files\Windows Media Player\wmpnetwk.exe C:\Windows\System32\svchost.exe -k LocalServicePeerNet C:\Applications\Video\FRAPS\fraps64.dat C:\Program Files\Windows Media Player\WMPSideShowGadget.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Windows\system32\taskhost.exe C:\Applications\Tools\Security\Malwarebytes\mbamservice.exe C:\Applications\Internet\Firefox\firefox.exe C:\Applications\Text\Notepad++\notepad++.exe C:\Windows\system32\SearchProtocolHost.exe C:\Windows\system32\SearchFilterHost.exe C:\Users\Jeff\Desktop\dds.scr C:\Windows\system32\conhost.exe C:\Windows\system32\wbem\wmiprvse.exe ============== Pseudo HJT Report =============== uSearch Page = hxxp://www.google.com uSearch Bar = hxxp://www.google.com/ie uDefault_Search_URL = hxxp://www.google.com/ie mLocal Page = c:\windows\syswow64\blank.htm uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files (x86)\common files\microsoft shared\windows live \WindowsLiveLogin.dll mRun: [MSIAfterburner] "c:\applications\hardware\msi afterburner \MSIAfterburnerWrapper.exe" /s mRun: [Malwarebytes' Anti-Malware] c:\applications\tools\security \malwarebytes\mbamgui.exe /starttray StartupFolder: c:\users\jeff\appdata\roaming\micros~1\windows \startm~1\programs\startup\dropbox.lnk - c:\users\jeff\appdata\roaming \dropbox\bin\Dropbox.exe mPolicies-explorer: NoActiveDesktop = 1 (0x1) mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0) mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3) mPolicies-system: EnableLUA = 0 (0x0) mPolicies-system: EnableUIADesktopToggle = 0 (0x0) IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB- E99415F33AEC} - c:\program files (x86)\windows live\writer \WriterBrowserExtension.dll DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15111/CTPID.cab Notify: !SASWinLogon - c:\applications\tools\security\sas\SASWINLO.dll SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c: \applications\tools\security\sas\SASSEH.DLL mASetup: installed components - c:\users\jeff\appdata\local\temp\CQEsV.exe uASetup: installed components - c:\users\jeff\appdata\local\temp\CQEsV.exe mRun-x64: [OODefragTray] c:\applications\tools\disk\o&o defrag\oodtray.exe mRun-x64: [Launch LgDeviceAgent] "c:\program files\logitech\gamepanel software\LgDevAgt.exe" mRun-x64: [Launch LCDMon] "c:\program files\logitech\gamepanel software\lcd manager\LCDMon.exe" mRun-x64: [Launch LGDCore] "c:\program files\logitech\gamepanel software\g- series software\LGDCore.exe" /SHOWHIDE mRun-x64: [EvtMgr6] c:\applications\hardware\logitech setpoint-64\setpointp \SetPoint.exe /launchGaming STS-X64: FencesShlExt Class: {1984DD45-52CF-49cd-AB77-18F378FEA264} - c: \applications\tools\desktop\fences\FencesMenu64.dll ================= FIREFOX =================== FF - ProfilePath - c:\users\jeff\appdata\roaming\mozilla\firefox\profiles \moif23al.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig FF - plugin: c:\applications\photo\picasa3\npPicasa3.dll FF - plugin: c:\applications\video\win7 codecs\rm\browser\plugins \nppl3260.dll FF - plugin: c:\applications\video\win7 codecs\rm\browser\plugins \nprpjplug.dll FF - plugin: c:\program files (x86)\google\google earth\plugin \npgeplugin.dll FF - plugin: c:\program files (x86)\google\update \1.2.183.23\npGoogleOneClick8.dll FF - plugin: c:\program files (x86)\nvidia corporation\3d vision\npnv3dv.dll FF - plugin: c:\program files (x86)\windows live\photo gallery\NPWLPG.dll ---- FIREFOX POLICIES ---- c:\applications\internet\firefox\greprefs\all.js - pref ("ui.use_native_colors", true); c:\applications\internet\firefox\greprefs\all.js - pref ("ui.use_native_popup_windows", false); c:\applications\internet\firefox\greprefs\all.js - pref ("browser.enable_click_image_resizing", true); c:\applications\internet\firefox\greprefs\all.js - pref ("accessibility.browsewithcaret_shortcut.enabled", true); c:\applications\internet\firefox\greprefs\all.js - pref ("javascript.options.mem.high_water_mark", 32); c:\applications\internet\firefox\greprefs\all.js - pref ("javascript.options.mem.gc_frequency", 1600); c:\applications\internet\firefox\greprefs\all.js - pref ("network.auth.force-generic-ntlm", false); c:\applications\internet\firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\applications\internet\firefox\greprefs\all.js - pref ("ui.trackpoint_hack.enabled", -1); c:\applications\internet\firefox\greprefs\all.js - pref ("browser.formfill.debug", false); c:\applications\internet\firefox\greprefs\all.js - pref ("browser.formfill.agedWeight", 2); c:\applications\internet\firefox\greprefs\all.js - pref ("browser.formfill.bucketSize", 1); c:\applications\internet\firefox\greprefs\all.js - pref ("browser.formfill.maxTimeGroupings", 25); c:\applications\internet\firefox\greprefs\all.js - pref ("browser.formfill.timeGroupingSize", 604800); c:\applications\internet\firefox\greprefs\all.js - pref ("browser.formfill.boundaryWeight", 25); c:\applications\internet\firefox\greprefs\all.js - pref ("browser.formfill.prefixWeight", 5); c:\applications\internet\firefox\greprefs\all.js - pref("html5.enable", false); c:\applications\internet\firefox\greprefs\security-prefs.js - pref ("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_p ref", true); c:\applications\internet\firefox\greprefs\security-prefs.js - pref ("security.ssl.renego_unrestricted_hosts", ""); c:\applications\internet\firefox\greprefs\security-prefs.js - pref ("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\applications\internet\firefox\greprefs\security-prefs.js - pref ("security.ssl.require_safe_negotiation", false); c:\applications\internet\firefox\greprefs\security-prefs.js - pref ("security.ssl3.rsa_seed_sha", true); c:\applications\internet\firefox\defaults\pref\firefox-branding.js - pref ("app.update.download.backgroundInterval", 600); c:\applications\internet\firefox\defaults\pref\firefox-branding.js - pref ("app.update.url.manual", "http://www.firefox.com"); c:\applications\internet\firefox\defaults\pref\firefox-branding.js - pref ("browser.search.param.yahoo-fr-ja", "mozff"); c:\applications\internet\firefox\defaults\pref\firefox.js - pref ("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\applications\internet\firefox\defaults\pref\firefox.js - pref ("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\applications\internet\firefox\defaults\pref\firefox.js - pref ("xpinstall.whitelist.add", "addons.mozilla.org"); c:\applications\internet\firefox\defaults\pref\firefox.js - pref ("xpinstall.whitelist.add.36", "getpersonas.com"); c:\applications\internet\firefox\defaults\pref\firefox.js - pref ("lightweightThemes.update.enabled", true); c:\applications\internet\firefox\defaults\pref\firefox.js - pref ("browser.allTabs.previews", false); c:\applications\internet\firefox\defaults\pref\firefox.js - pref ("plugins.hide_infobar_for_outdated_plugin", false); c:\applications\internet\firefox\defaults\pref\firefox.js - pref ("plugins.update.notifyUser", false); c:\applications\internet\firefox\defaults\pref\firefox.js - pref ("toolbar.customization.usesheet", false); c:\applications\internet\firefox\defaults\pref\firefox.js - pref ("browser.taskbar.previews.enable", false); c:\applications\internet\firefox\defaults\pref\firefox.js - pref ("browser.taskbar.previews.max", 20); c:\applications\internet\firefox\defaults\pref\firefox.js - pref ("browser.taskbar.previews.cachetime", 20); ============= SERVICES / DRIVERS =============== R2 MBAMService;MBAMService;c:\applications\tools\security\malwarebytes \mbamservice.exe [2010-4-16 303952] R2 ReflectService;Macrium Reflect Image Mounting Service;c:\applications \tools\disk\macrium reflect\ReflectService.exe [2010-3-17 301024] R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-4-3 240232] R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2009-6-4 202776] R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2009 -6-4 1417240] R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2009-6-4 94744] R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows \system32\drivers\LGBusEnum.sys [2009-11-23 22408] R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows \system32\drivers\LGVirHid.sys [2009-11-23 16008] R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-4 -16 24664] R3 nvoclk64;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\drivers \nvoclk64.sys [2009-9-15 42088] R3 RTCore64;RTCore64;c:\applications\hardware\msi afterburner\RTCore64.sys [2010-1-31 14648] R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt64win7.sys [2009-3-1 187392] S1 SASDIFSV;SASDIFSV;c:\applications\tools\security\sas\sasdifsv.sys [2010- 2-17 12872] S1 SASKUTIL;SASKUTIL;c:\applications\tools\security\sas\SASKUTIL.SYS [2010- 2-17 66632] S2 gupdate;Google Update Service (gupdate);c:\program files (x86)\google \update\GoogleUpdate.exe [2010-4-13 136176] S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\common files\creative labs shared\service \AL6Licensing.exe [2010-4-10 79360] S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\common files\creative labs shared\service \CTAELicensing.exe [2010-4-10 79360] S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2009-6-4 202776] S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2009-6-4 1417240] S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2009-6-4 94744] S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;e:\games\rpg\dragon age\bin_ship\daupdatersvc.service.exe [2009-12-15 25832] S3 PSMounter;Macrium Reflect Image Explorer Service;c:\windows \system32\drivers\psmounter.sys [2010-3-17 39904] S3 SASENUM;SASENUM;c:\applications\tools\security\sas\SASENUM.SYS [2010-2-17 12872] S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows \system32\wat\WatAdminSvc.exe [2010-4-10 1255736] ============== File Associations =============== .txt=Notepad++_file =============== Created Last 30 ================ 2010-04-16 17:35:14 0 d-----w- c:\users\jeff\appdata \roaming\Malwarebytes 2010-04-16 17:35:04 24664 ----a-w- c:\windows\system32\drivers \mbam.sys 2010-04-16 17:35:04 0 d-----w- c:\programdata\Malwarebytes 2010-04-16 15:50:32 0 d-----w- c:\users\jeff\appdata \roaming\WindowsServices 2010-04-16 15:25:53 612352 ----a-w- c:\windows \system32\vbscript.dll 2010-04-16 15:25:53 427520 ----a-w- c:\windows \syswow64\vbscript.dll 2010-04-16 15:25:52 286720 ----a-w- c:\windows\system32\drivers \mrxsmb10.sys 2010-04-16 15:25:52 157696 ----a-w- c:\windows\system32\drivers \mrxsmb.sys 2010-04-16 15:25:52 125952 ----a-w- c:\windows\system32\drivers \mrxsmb20.sys 2010-04-16 15:25:51 5509008 ----a-w- c:\windows \system32\ntoskrnl.exe 2010-04-16 15:25:51 3899280 ----a-w- c:\windows \syswow64\ntoskrnl.exe 2010-04-16 15:25:50 3954568 ----a-w- c:\windows \syswow64\ntkrnlpa.exe 2010-04-16 15:24:23 220672 ----a-w- c:\windows \system32\wintrust.dll 2010-04-16 15:24:23 172032 ----a-w- c:\windows \syswow64\wintrust.dll 2010-04-16 15:24:23 139264 ----a-w- c:\windows \system32\cabview.dll 2010-04-16 15:24:23 132608 ----a-w- c:\windows \syswow64\cabview.dll 2010-04-16 14:58:30 0 d-----w- c:\users\jeff\appdata \roaming\Foxit Software 2010-04-16 14:58:09 0 d-----w- c:\program files (x86)\WindowsServices 2010-04-15 20:25:05 0 d-----w- c:\programdata \SUPERAntiSpyware.com 2010-04-15 20:24:59 0 d-----w- c:\users\jeff\appdata \roaming\SUPERAntiSpyware.com 2010-04-15 18:15:55 0 d-----w- c:\programdata\BioWare 2010-04-15 17:37:10 0 d-----w- c:\users\jeff\appdata \roaming\InfraRecorder 2010-04-15 16:16:06 0 d-sh--w- c:\programdata\SecuROM 2010-04-15 16:07:50 0 d-----w- c:\program files (x86)\common files\Wise Installation Wizard 2010-04-15 16:07:48 0 d-----w- c:\programdata\Media Center Programs 2010-04-15 15:55:17 0 d-----w- c:\program files (x86)\common files\BioWare 2010-04-15 15:39:29 0 d-----w- c:\users\jeff\Tracing 2010-04-15 15:30:15 0 d-----w- c:\program files (x86)\Microsoft SQL Server Compact Edition 2010-04-15 15:30:01 0 d-----w- c:\program files (x86)\Microsoft 2010-04-15 15:29:48 0 d-----w- c:\program files (x86)\Windows Live SkyDrive 2010-04-15 15:24:19 0 d-----w- c:\program files (x86)\common files\Windows Live 2010-04-15 15:12:35 0 d-----w- c:\users\jeff\appdata \roaming\runic games 2010-04-14 22:53:47 0 d-----w- c:\program files (x86)\common files\Futuremark Shared 2010-04-14 20:03:30 45 ----a-w- c:\windows \syswow64\initdebug.nfo 2010-04-14 15:41:21 390330392 ----a-w- c:\windows \MEMORY.DMP 2010-04-14 12:50:08 0 d-----w- c:\users\jeff\appdata \roaming\foobar2000 2010-04-14 12:31:58 0 d-----w- c:\windows\pss 2010-04-14 12:29:26 18960 ----a-w- c:\windows\system32\drivers \LNonPnP.sys 2010-04-14 12:29:11 0 d-----w- c:\programdata\Logishrd 2010-04-14 12:28:09 0 d-----w- c:\program files\common files\LogiShrd 2010-04-14 12:28:06 0 d-----w- c:\users\jeff\appdata \roaming\Logishrd 2010-04-13 22:49:55 0 d-----w- c:\users\jeff\appdata \roaming\Win7codecs 2010-04-13 22:48:45 0 d-----w- c:\programdata\Win7codecs 2010-04-13 16:17:23 540688 ----a-w- c:\windows \system32\d3dx10_39.dll 2010-04-13 16:17:23 4992520 ----a-w- c:\windows \system32\D3DX9_39.dll 2010-04-13 16:17:23 467984 ----a-w- c:\windows \syswow64\d3dx10_39.dll 2010-04-13 16:17:23 3851784 ----a-w- c:\windows \syswow64\D3DX9_39.dll 2010-04-13 16:17:23 1942552 ----a-w- c:\windows \system32\D3DCompiler_39.dll 2010-04-13 16:17:23 1493528 ----a-w- c:\windows \syswow64\D3DCompiler_39.dll 2010-04-13 16:07:26 0 d-----w- c:\program files (x86)\Eagle Dynamics 2010-04-13 14:46:41 15867 ----a-w- c:\windows \system32\Blank.ico 2010-04-13 12:40:56 0 d-----w- c:\programdata\Skype 2010-04-12 20:30:54 0 d-----w- c:\programdata\Codemasters 2010-04-12 20:11:29 0 d-----w- c:\windows\syswow64\xlive 2010-04-12 20:11:29 0 d-----w- c:\program files (x86)\Microsoft Games for Windows - LIVE 2010-04-12 20:11:10 17686528 ----a-w- c:\windows \syswow64\mkl_blueripple.dll 2010-04-12 20:11:10 1347584 ----a-w- c:\windows \syswow64\rapture3d_oal.dll 2010-04-12 20:11:10 0 d-----w- c:\program files (x86)\BRS 2010-04-12 20:11:06 519000 ----a-w- c:\windows \system32\d3dx10_40.dll 2010-04-12 20:11:06 452440 ----a-w- c:\windows \syswow64\d3dx10_40.dll 2010-04-12 20:11:06 2605920 ----a-w- c:\windows \system32\D3DCompiler_40.dll 2010-04-12 20:11:06 2036576 ----a-w- c:\windows \syswow64\D3DCompiler_40.dll 2010-04-12 20:11:05 5631312 ----a-w- c:\windows \system32\D3DX9_40.dll 2010-04-12 20:11:05 4379984 ----a-w- c:\windows \syswow64\D3DX9_40.dll 2010-04-12 19:39:40 64512 ----a-w- c:\windows \system32\HPPLVS.dll 2010-04-12 19:39:40 398336 ----a-w- c:\windows \system32\HP1006LM.DLL 2010-04-12 19:39:39 0 d-----w- c:\program files\HP 2010-04-12 17:27:48 0 d-----w- c:\programdata\Macrium 2010-04-12 15:49:03 0 d-----w- c:\users\jeff\appdata \roaming\HiFi 2010-04-12 15:46:41 0 d-----w- c:\windows\Downloaded Installations 2010-04-12 14:50:19 0 d-----w- c:\users\jeff\appdata \roaming\EZCA 2010-04-12 13:03:20 0 d-----w- c:\users\jeff\appdata \roaming\Autodesk 2010-04-12 13:03:20 0 d-----w- c:\programdata\TEMP 2010-04-12 13:03:20 0 d-----w- c:\programdata\Alias 2010-04-12 12:34:24 0 d-----w- c:\users\jeff\appdata \roaming\HandBrake 2010-04-12 03:00:25 0 d-----w- c:\program files (x86)\Vstplugins 2010-04-12 02:56:56 0 d-----w- c:\programdata\Sony 2010-04-12 02:56:55 0 d-----w- c:\program files (x86)\Sony 2010-04-12 00:56:19 0 d-----w- c:\users\jeff\appdata \roaming\NVIDIA 2010-04-11 20:56:21 0 dc-h--w- c:\programdata\{A87EB928- 0C6C-4071-AEF1-59E32BAEDF1B} 2010-04-11 20:56:21 0 d-----w- c:\users\jeff\appdata \roaming\Stardock 2010-04-11 14:30:25 49120 ----a-w- c:\windows \system32\oodbs.lor 2010-04-11 13:18:18 0 d-----w- c:\programdata\Logitech 2010-04-11 13:18:18 0 d-----w- c:\program files\Logitech 2010-04-11 13:12:42 0 d-----w- c:\windows\system32\oodag 2010-04-11 13:08:48 0 d-----w- c:\program files\OO Software 2010-04-11 12:24:10 0 ---ha-w- c:\windows\system32\drivers \Msft_User_lgSSBW_01_00_00.Wdf 2010-04-11 12:24:01 0 ---ha-w- c:\windows\system32\drivers \Msft_User_lgSSQVGA_01_00_00.Wdf 2010-04-11 12:12:49 0 d-----w- c:\users\jeff\appdata \roaming\Trillian 2010-04-11 11:51:56 0 d-----w- c:\users\jeff\appdata \roaming\Dropbox 2010-04-11 04:31:06 0 d-----w- c:\windows\Panther 2010-04-11 04:08:38 0 d-----w- c:\users\jeff\appdata \roaming\KeePass 2010-04-11 03:55:26 0 d-----w- c:\users\jeff\appdata \roaming\uTorrent 2010-04-11 03:31:59 0 d-----w- c:\users\jeff\appdata \roaming\nHancer 2010-04-11 03:28:47 0 d-----w- c:\programdata\nHancer 2010-04-11 03:13:48 0 d-----w- c:\program files (x86)\MSXML 4.0 2010-04-11 03:13:46 0 d-----w- c:\program files (x86)\common files\Microsoft Games 2010-04-11 03:02:32 0 d-----w- c:\windows\PCHEALTH 2010-04-11 02:51:16 0 ---ha-w- c:\windows\system32\drivers \Msft_User_WpdFs_01_09_00.Wdf 2010-04-11 02:49:39 0 d-----w- c:\program files (x86)\common files\Steam 2010-04-11 02:41:09 0 d-----w- c:\windows\syswow64\Macromed 2010-04-11 02:32:45 0 d-----w- c:\windows\syswow64\directx 2010-04-11 02:29:17 0 d-----w- c:\windows\syswow64\Wat 2010-04-11 02:29:17 0 d-----w- c:\windows\system32\Wat 2010-04-11 02:27:03 311808 ----a-w- c:\windows \system32\msv1_0.dll 2010-04-11 02:27:03 257024 ----a-w- c:\windows \syswow64\msv1_0.dll 2010-04-11 02:23:29 464896 ----a-w- c:\windows\system32\drivers \srv.sys 2010-04-11 02:23:29 162304 ----a-w- c:\windows\system32\drivers \srvnet.sys 2010-04-11 01:58:14 0 d-----w- c:\programdata\NVIDIA 2010-04-11 01:57:52 0 d-----w- c:\program files (x86)\NVIDIA Corporation 2010-04-11 01:57:45 0 d-----w- c:\program files\NVIDIA Corporation 2010-04-11 01:56:12 930272 ----a-w- c:\windows \system32\dpinst.exe 2010-04-11 01:56:02 0 d-----w- C:\NVIDIA 2010-04-11 01:50:33 647872 ------w- c:\windows \syswow64\Mscomct2.ocx 2010-04-11 01:50:33 53248 ------w- c:\windows\Ctregrun.exe 2010-04-11 01:35:38 788 ----a-w- c:\windows \system32\DVCState-{00000007-00000000-00000000-00001102-00000005- 00211102}.rfx 2010-04-11 01:35:38 61616 ----a-w- c:\windows \system32\BMXStateBkp-{00000007-00000000-00000000-00001102-00000005- 00211102}.rfx 2010-04-11 01:35:38 61616 ----a-w- c:\windows \system32\BMXState-{00000007-00000000-00000000-00001102-00000005- 00211102}.rfx 2010-04-11 01:34:47 7062 ----a-w- c:\windows \syswow64\audiopid.vxd 2010-04-11 01:34:23 0 d--h--w- c:\program files (x86)\Creative Installation Information 2010-04-11 01:34:23 0 d-----w- c:\program files (x86)\common files\Creative 2010-04-11 01:34:16 0 d-----w- c:\program files (x86)\common files\Creative Labs Shared 2010-04-11 01:34:11 0 d-----w- c:\program files\Creative 2010-04-11 01:34:02 0 d-----w- c:\program files (x86)\Creative 2010-04-11 01:33:57 0 d-----w- c:\programdata\Creative 2010-04-11 01:33:56 107008 ----a-w- c:\windows \system32\cttele64.dll 2010-04-11 01:33:56 102400 ----a-w- c:\windows \syswow64\cttele32.dll 2010-04-11 01:33:32 466520 ----a-w- c:\windows \system32\wrap_oal.dll 2010-04-11 01:33:32 445016 ----a-w- c:\windows \syswow64\wrap_oal.dll 2010-04-11 01:33:32 122904 ----a-w- c:\windows \system32\OpenAL32.dll 2010-04-11 01:33:32 109080 ----a-w- c:\windows \syswow64\OpenAL32.dll 2010-04-11 01:33:32 0 d-----w- c:\program files (x86)\OpenAL 2010-04-11 01:33:31 89088 ----a-w- c:\windows \system32\CmdRtr64.DLL 2010-04-11 01:33:31 73728 ----a-w- c:\windows \syswow64\CmdRtr.DLL 2010-04-11 01:33:31 190976 ----a-w- c:\windows \system32\APOMgr64.DLL 2010-04-11 01:33:31 159 ---ha-r- c:\windows\ctfile.rfc 2010-04-11 01:33:31 148480 ----a-w- c:\windows \syswow64\APOMngr.DLL 2010-04-11 01:32:52 12288 ----a-w- c:\windows \system32\INRES.DLL 2010-04-11 01:32:52 11776 ----a-w- c:\windows \syswow64\INRES.DLL 2010-04-11 01:32:52 0 d-----w- c:\windows\syswow64\Data 2010-04-11 01:32:52 0 d-----w- c:\windows\system32\Data 2010-04-11 01:32:46 22691984 ----a-w- c:\windows \syswow64\AppSetup.exe 2010-04-11 01:29:15 53248 ----a-w- c:\windows \syswow64\CSVer.dll 2010-04-11 01:12:02 169 ----a-w- c:\windows \system32\autopart.opt 2010-04-11 01:12:02 0 d-----w- c:\windows\Acronis 2010-04-11 01:10:47 0 d-----w- c:\programdata\Acronis 2010-04-11 01:10:02 269408 ----a-w- c:\windows\system32\drivers \snapman.sys 2010-04-11 01:08:33 0 d-sh--w- c:\windows\Installer 2010-04-11 01:00:24 212864 ------w- c:\windows \system32\MpSigStub.exe 2010-04-11 00:54:05 0 d-----w- C:\Applications 2010-04-11 00:43:32 0 d-sh--w- C:\Recovery 2010-04-03 22:42:00 61032 ----a-w- c:\windows \system32\nvshext.dll 2010-04-03 22:42:00 159336 ----a-w- c:\windows \system32\nvvsvc.exe 2010-04-03 22:42:00 14828648 ----a-w- c:\windows \system32\nvcpl.dll 2010-04-03 22:42:00 116328 ----a-w- c:\windows \system32\nvmctray.dll 2010-04-03 22:42:00 1067624 ----a-w- c:\windows \system32\nvsvc64.dll 2010-04-03 22:41:38 66714 ----a-w- c:\windows \system32\NvwsApps.xml 2010-04-03 22:41:38 276196 ----a-w- c:\windows \system32\NvApps.xml 2010-04-02 21:57:30 499712 ----a-w- c:\windows \syswow64\msvcp71.dll 2010-04-02 21:57:30 348160 ----a-w- c:\windows \syswow64\msvcr71.dll 2010-03-31 05:15:22 86016 ----a-w- c:\windows \syswow64\frapsvid.dll 2010-03-31 05:15:20 84992 ----a-w- c:\windows \system32\frapsv64.dll 2010-03-22 18:38:00 3600384 ----a-w- c:\windows \syswow64\GPhotos.scr ==================== Find3M ==================== 2010-03-17 14:02:54 39904 ----a-w- c:\windows\system32\drivers \psmounter.sys 2010-02-23 08:22:50 1192960 ----a-w- c:\windows \system32\wininet.dll 2010-02-23 07:56:00 977920 ----a-w- c:\windows \syswow64\wininet.dll 2010-02-23 07:55:56 1225216 ----a-w- c:\windows \syswow64\urlmon.dll 2010-02-23 07:55:45 606208 ----a-w- c:\windows \syswow64\mstime.dll 2010-02-23 07:55:43 64512 ----a-w- c:\windows \syswow64\msfeedsbs.dll 2010-02-23 07:55:43 5964800 ----a-w- c:\windows \syswow64\mshtml.dll 2010-02-23 07:55:24 10978816 ----a-w- c:\windows \syswow64\ieframe.dll 2010-02-23 07:55:20 381440 ----a-w- c:\windows \syswow64\iedkcs32.dll 2010-02-21 08:48:22 85504 ----a-w- c:\windows \syswow64\ff_vfw.dll 2010-02-15 17:00:00 185920 ----a-w- c:\windows \syswow64\rmoc3260.dll 2010-02-04 14:01:14 78680 ----a-w- c:\windows \system32\XAPOFX1_4.dll 2010-02-04 14:01:14 74072 ----a-w- c:\windows \syswow64\XAPOFX1_4.dll 2010-02-04 14:01:14 530776 ----a-w- c:\windows \system32\XAudio2_6.dll 2010-02-04 14:01:14 528216 ----a-w- c:\windows \syswow64\XAudio2_6.dll 2010-02-04 14:01:14 24920 ----a-w- c:\windows \system32\X3DAudio1_7.dll 2010-02-04 14:01:14 238936 ----a-w- c:\windows \syswow64\xactengine3_6.dll 2010-02-04 14:01:14 22360 ----a-w- c:\windows \syswow64\X3DAudio1_7.dll 2010-02-04 14:01:14 176984 ----a-w- c:\windows \system32\xactengine3_6.dll 2010-02-02 08:36:47 2048 ----a-w- c:\windows \system32\tzres.dll 2010-02-02 07:45:54 2048 ----a-w- c:\windows \syswow64\tzres.dll 2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib \0409\perfd.dat 2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib \0409\perfc.dat 2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib \0409\perfi.dat 2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib \0409\perfh.dat 2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini 2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini 2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib \0000\perfi.dat 2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib \0000\perfh.dat 2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib \0000\perfd.dat 2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib \0000\perfc.dat 2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts \StaticCache.dat 2009-07-14 04:55:03 16384 --sha-w- c:\windows\syswow64\config \systemprofile\appdata\local\microsoft\windows\history\history.ie5\index.dat 2009-07-14 04:55:03 32768 --sha-w- c:\windows\syswow64\config \systemprofile\appdata\local\microsoft\windows\temporary internet files \content.ie5\index.dat 2009-07-14 04:55:03 16384 --sha-w- c:\windows\syswow64\config \systemprofile\appdata\roaming\microsoft\windows\cookies\index.dat 2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs \amd64_microsoft-windows-mail- app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe 2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs \x86_microsoft-windows-mail- app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe ============= FINISH: 15:31:15.97 ===============
  8. Thanks, I'll follow your directions. Sorry about the ID thing. I've been on forums where no one would help until you showed your paid I.D.
  9. P.S. I'm now a registered user. After MBAM was the only thing that found and fixed this, I registered the program. My ref number is: 11364481.
  10. {Win7 Home Premium 64-bit} Hi all, I got my first virus/trojan today. MSSE noticed it first, and said it's removal was successful, but far from it. I tried ESET Nod32, and that didn't even see the virus. Then I tried AVG's DOS boot CD, which has networking, and it started up, downloaded it's latest defs, scans the system ... finds nothing. Useless. Superantispyware ... same thing, doesn't even see the malware. ProcessExplorer doesn't show a recognizable process for it. So after googling a bit more, I find out about MBAM and give it a try. Sure enough, the free version found the whole thing, and it's variants in my HD. I forget the name of the trojan, but I know it puts an xXx.xXx and uUu.uUu files into my users/me/local/temp directory, and the xxx one cannot be killed. So I let MBAM do it's thing, it reboots and finishes the job. It says the bad stuff is all gone. Now, before I removed it, I noticed very strange behavior in Firefox (3.6.3), sometimes I was prevented from surfing at all. Other times, I'd get a popup saying "Firefox has stopped working", it also seemed to be trying to intercept my downloads. Later, after MBAM finishes, I open Firefox again and MBAM pops up and tells me that xxx.xxx is attempting to load, and has been stopped. I click Quarantine. so i figure the bloody thing is still hiding somewhere. I disable SystemRestore, and reboot into SafeMode, and let MBAM scan the HD's. It finds nothing at all. I reboot again, all seems well. Odd, random lettered exe's are no longer showing in MSConfig's startup area. the xxx.xxx and uuu.uuu files are no longer present in the temp folder. Good so far. Until ... I start Firefox ... and once again, MBAM intercepts xxx.xxx and keeps it from starting. So clearly, this trojan is somehow hooked into Firefox. So I need some advice about what I should do next. Of course, I'm trying to avoid a full system re-install. It would take me a solid week to get things back to the way they are now. Thanks
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.