
Jeff-66

Members
  • Posts: 10

Posts posted by Jeff-66

  1. Here's the report that MBAM generated:

    Malwarebytes
    www.malwarebytes.com

    -Log Details-
    Protection Event Date: 10/29/19
    Protection Event Time: 4:09 PM
    Log File: 0479d250-fa88-11e9-b777-7085c23887fd.json

    -Software Information-
    Version: 3.8.3.2965
    Components Version: 1.0.629
    Update Package Version: 1.0.13107
    License: Premium

    -System Information-
    OS: Windows 10 (Build 18362.418)
    CPU: x64
    File System: NTFS
    User: System

    -Ransomware Details-
    File: 1
    Malware.Ransom.Agent.Generic, Z:\Epic\Hades\x64\Hades.exe, Blocked, [0], [392685],0.0.0


    (end)

  2. Disregard.

    After reading similar posts where the resolution was "you better change all your passwords, disconnect from the internet, and format ASAP", I decided to do the same. I know the trojan was still resident, and hiding, and I can't risk it. So I went ahead and formatted and reinstalled Windows.

    I would very much like to know, though, how a file named xxx.xxx can even run. MBAM even said "xxx.xxx is attempting to open" and let me quarantine it. Since when is .xxx an executable extension?

    It also prevented me from deleting it, from Ctrl-A selecting all files in the temp folder, and other powerful behavior.
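The question in the post above (how can a file called xxx.xxx run at all?) comes down to the fact that Windows does not decide what is executable from the file name: CreateProcess and LoadLibrary read the DOS/PE headers, so a valid PE image runs under any extension as long as something hands its path to the loader. The extension only steers the shell (double-click, "Open with"). The scanner below is an added example, not code from the post or from Malwarebytes; it applies that header check to every file in a folder and reports PE images whose extension is not one normally used for executables, which is a useful triage step for a temp directory. All function and constant names are my own, and the sample folder it builds is constructed for the demonstration.

```python
"""Find PE images hiding behind non-executable file names (added example)."""
import os
import struct
import tempfile
from typing import List

# Extensions under which a PE image is expected; a PE image under any other
# name is worth a closer look. Hypothetical triage list, not exhaustive.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv"}


def is_pe_image(data: bytes) -> bool:
    """True if `data` has a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    # e_lfanew: little-endian DWORD at offset 0x3C, offset of the PE signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def is_pe_file(path: str) -> bool:
    """Same check on disk; reads only the DOS header and the PE signature."""
    try:
        with open(path, "rb") as fh:
            dos_header = fh.read(0x40)
            if len(dos_header) < 0x40 or dos_header[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", dos_header, 0x3C)
            fh.seek(e_lfanew)
            return fh.read(4) == b"PE\x00\x00"
    except OSError:
        return False


def find_disguised_pe(directory: str) -> List[str]:
    """Names of PE images in `directory` whose extension is not executable."""
    hits = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        ext = os.path.splitext(name)[1].lower()
        if os.path.isfile(path) and ext not in EXECUTABLE_EXTENSIONS and is_pe_file(path):
            hits.append(name)
    return hits


def minimal_pe_bytes() -> bytes:
    """Constructed: the smallest buffer the header check accepts (not runnable)."""
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    return dos + b"PE\x00\x00" + b"\x00" * 20


def build_sample_dir() -> str:
    """Constructed temp folder mimicking the post: two PE images, two not."""
    d = tempfile.mkdtemp(prefix="pe-triage-")
    samples = {
        "xxx.xxx": minimal_pe_bytes(),   # PE image under a bogus extension
        "tool.exe": minimal_pe_bytes(),  # PE image where one is expected
        "uuu.uuu": b"\x13\x37" * 40,     # opaque data, not a PE image
        "notes.txt": b"just text\n",
    }
    for name, blob in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(blob)
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    for name in find_disguised_pe(sample):
        print(f"PE image with non-executable extension: {name}")
```

Run on a real temp folder, `find_disguised_pe` returns the names to look at first; a PE image named like a data file in a user's temp directory is not proof of malware, but it is the kind of finding worth submitting to a malware-removal helper along with the logs.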

  3. I got my first virus/trojan today. MSSE noticed it first, and said its removal was successful, but far from it. I tried ESET NOD32, and that didn't even see the virus. Then I tried AVG's DOS boot CD, which has networking, and it started up, downloaded its latest defs, scanned the system ... and found nothing. Useless. SUPERAntiSpyware ... same thing, doesn't even see the malware. Process Explorer doesn't show a recognizable process for it.

    So after googling a bit more, I found out about MBAM and gave it a try. Sure enough, the free version found the whole thing, and its variants, on my HD. I forget the name of the trojan, but I know it puts xXx.xXx and uUu.uUu files into my users/me/local/temp directory, and the xxx one cannot be killed.

    So I let MBAM do its thing; it reboots and finishes the job. It says the bad stuff is all gone. Now, before I removed it, I noticed very strange behavior in Firefox (3.6.3): sometimes I was prevented from surfing at all. Other times I'd get a popup saying "Firefox has stopped working", and it also seemed to be trying to intercept my downloads.

    Later, after MBAM finishes, I open Firefox again and MBAM pops up and tells me that xxx.xxx is attempting to load and has been stopped. I click Quarantine. So I figure the bloody thing is still hiding somewhere. I disable System Restore, reboot into Safe Mode, and let MBAM scan the HDs. It finds nothing at all.

    I reboot again, and all seems well. Odd, random-lettered exes are no longer showing in MSConfig's startup area. The xxx.xxx and uuu.uuu files are no longer present in the temp folder. Good so far. Until ...

    I start Firefox ... and once again, MBAM intercepts xxx.xxx and keeps it from starting. So clearly, this trojan is somehow hooked into Firefox. So I need some advice about what I should do next. Of course, I'm trying to avoid a full system reinstall. It would take me a solid week to get things back to the way they are now.

    Thanks

    Reports follow. DDS.txt report: OK; attach.text: OK; GMER: would not run (small screenshot in zip).

    Here's the DDS.txt report:

    DDS (Ver_10-03-17.01) - NTFSX64
    Run by Jeff at 15:30:59.71 on Fri 04/16/2010
    Internet Explorer: 8.0.7600.16385
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.6142.4705 [GMT -4:00]

    ============== Running Processes ===============
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Applications\Hardware\nHancer\nHancerService.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Applications\Video\FRAPS\fraps.exe
    C:\Program Files (x86)\NVIDIA Corporation\nTune\nTuneService.exe
    C:\Applications\Tools\Disk\O&O Defrag\oodag.exe
    C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe
    C:\Applications\Tools\Disk\Macrium Reflect\ReflectService.exe
    C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
    C:\Applications\Hardware\Logitech Setpoint-64\SetPointP\SetPoint.exe
    C:\Users\Jeff\AppData\Roaming\Dropbox\bin\Dropbox.exe
    C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
    C:\Applications\Tools\Security\Malwarebytes\mbamgui.exe
    C:\Applications\Hardware\MSI Afterburner\MSIAfterburner.exe
    C:\Program Files\Logitech\GamePanel Software\Applets\LCDClock.exe
    C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Applications\Video\FRAPS\fraps64.dat
    C:\Program Files\Windows Media Player\WMPSideShowGadget.exe
    C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    C:\Windows\system32\taskhost.exe
    C:\Applications\Tools\Security\Malwarebytes\mbamservice.exe
    C:\Applications\Internet\Firefox\firefox.exe
    C:\Applications\Text\Notepad++\notepad++.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Users\Jeff\Desktop\dds.scr
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uDefault_Search_URL = hxxp://www.google.com/ie
    mLocal Page = c:\windows\syswow64\blank.htm
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files (x86)\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    mRun: [MSIAfterburner] "c:\applications\hardware\msi afterburner\MSIAfterburnerWrapper.exe" /s
    mRun: [Malwarebytes' Anti-Malware] c:\applications\tools\security\malwarebytes\mbamgui.exe /starttray
    StartupFolder: c:\users\jeff\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\jeff\appdata\roaming\dropbox\bin\Dropbox.exe
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files (x86)\windows live\writer\WriterBrowserExtension.dll
    DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15111/CTPID.cab
    Notify: !SASWinLogon - c:\applications\tools\security\sas\SASWINLO.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\applications\tools\security\sas\SASSEH.DLL
    mASetup: installed components - c:\users\jeff\appdata\local\temp\CQEsV.exe
    uASetup: installed components - c:\users\jeff\appdata\local\temp\CQEsV.exe
    mRun-x64: [OODefragTray] c:\applications\tools\disk\o&o defrag\oodtray.exe
    mRun-x64: [Launch LgDeviceAgent] "c:\program files\logitech\gamepanel software\LgDevAgt.exe"
    mRun-x64: [Launch LCDMon] "c:\program files\logitech\gamepanel software\lcd manager\LCDMon.exe"
    mRun-x64: [Launch LGDCore] "c:\program files\logitech\gamepanel software\g-series software\LGDCore.exe" /SHOWHIDE
    mRun-x64: [EvtMgr6] c:\applications\hardware\logitech setpoint-64\setpointp\SetPoint.exe /launchGaming
    STS-X64: FencesShlExt Class: {1984DD45-52CF-49cd-AB77-18F378FEA264} - c:\applications\tools\desktop\fences\FencesMenu64.dll

    ================= FIREFOX ===================
    FF - ProfilePath - c:\users\jeff\appdata\roaming\mozilla\firefox\profiles\moif23al.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
    FF - plugin: c:\applications\photo\picasa3\npPicasa3.dll
    FF - plugin: c:\applications\video\win7 codecs\rm\browser\plugins\nppl3260.dll
    FF - plugin: c:\applications\video\win7 codecs\rm\browser\plugins\nprpjplug.dll
    FF - plugin: c:\program files (x86)\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files (x86)\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files (x86)\nvidia corporation\3d vision\npnv3dv.dll
    FF - plugin: c:\program files (x86)\windows live\photo gallery\NPWLPG.dll

    ---- FIREFOX POLICIES ----
    c:\applications\internet\firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\applications\internet\firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\applications\internet\firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\applications\internet\firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\applications\internet\firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\applications\internet\firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\applications\internet\firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\applications\internet\firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\applications\internet\firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\applications\internet\firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\applications\internet\firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\applications\internet\firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\applications\internet\firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\applications\internet\firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\applications\internet\firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\applications\internet\firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\applications\internet\firefox\greprefs\all.js - pref("html5.enable", false);
    c:\applications\internet\firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\applications\internet\firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\applications\internet\firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\applications\internet\firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\applications\internet\firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\applications\internet\firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\applications\internet\firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\applications\internet\firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\applications\internet\firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\applications\internet\firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\applications\internet\firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\applications\internet\firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\applications\internet\firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\applications\internet\firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\applications\internet\firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\applications\internet\firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\applications\internet\firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\applications\internet\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\applications\internet\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\applications\internet\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============
    R2 MBAMService;MBAMService;c:\applications\tools\security\malwarebytes\mbamservice.exe [2010-4-16 303952]
    R2 ReflectService;Macrium Reflect Image Mounting Service;c:\applications\tools\disk\macrium reflect\ReflectService.exe [2010-3-17 301024]
    R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-4-3 240232]
    R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2009-6-4 202776]
    R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2009-6-4 1417240]
    R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2009-6-4 94744]
    R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2009-11-23 22408]
    R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [2009-11-23 16008]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-4-16 24664]
    R3 nvoclk64;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\drivers\nvoclk64.sys [2009-9-15 42088]
    R3 RTCore64;RTCore64;c:\applications\hardware\msi afterburner\RTCore64.sys [2010-1-31 14648]
    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt64win7.sys [2009-3-1 187392]
    S1 SASDIFSV;SASDIFSV;c:\applications\tools\security\sas\sasdifsv.sys [2010-2-17 12872]
    S1 SASKUTIL;SASKUTIL;c:\applications\tools\security\sas\SASKUTIL.SYS [2010-2-17 66632]
    S2 gupdate;Google Update Service (gupdate);c:\program files (x86)\google\update\GoogleUpdate.exe [2010-4-13 136176]
    S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\common files\creative labs shared\service\AL6Licensing.exe [2010-4-10 79360]
    S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\common files\creative labs shared\service\CTAELicensing.exe [2010-4-10 79360]
    S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2009-6-4 202776]
    S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2009-6-4 1417240]
    S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2009-6-4 94744]
    S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;e:\games\rpg\dragon age\bin_ship\daupdatersvc.service.exe [2009-12-15 25832]
    S3 PSMounter;Macrium Reflect Image Explorer Service;c:\windows\system32\drivers\psmounter.sys [2010-3-17 39904]
    S3 SASENUM;SASENUM;c:\applications\tools\security\sas\SASENUM.SYS [2010-2-17 12872]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-10 1255736]

    ============== File Associations ===============
    .txt=Notepad++_file

    =============== Created Last 30 ================
    2010-04-16 17:35:14 0 d-----w- c:\users\jeff\appdata\roaming\Malwarebytes
    2010-04-16 17:35:04 24664 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-16 17:35:04 0 d-----w- c:\programdata\Malwarebytes
    2010-04-16 15:50:32 0 d-----w- c:\users\jeff\appdata\roaming\WindowsServices
    2010-04-16 15:25:53 612352 ----a-w- c:\windows\system32\vbscript.dll
    2010-04-16 15:25:53 427520 ----a-w- c:\windows\syswow64\vbscript.dll
    2010-04-16 15:25:52 286720 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2010-04-16 15:25:52 157696 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2010-04-16 15:25:52 125952 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
    2010-04-16 15:25:51 5509008 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-04-16 15:25:51 3899280 ----a-w- c:\windows\syswow64\ntoskrnl.exe
    2010-04-16 15:25:50 3954568 ----a-w- c:\windows\syswow64\ntkrnlpa.exe
    2010-04-16 15:24:23 220672 ----a-w- c:\windows\system32\wintrust.dll
    2010-04-16 15:24:23 172032 ----a-w- c:\windows\syswow64\wintrust.dll
    2010-04-16 15:24:23 139264 ----a-w- c:\windows\system32\cabview.dll
    2010-04-16 15:24:23 132608 ----a-w- c:\windows\syswow64\cabview.dll
    2010-04-16 14:58:30 0 d-----w- c:\users\jeff\appdata\roaming\Foxit Software
    2010-04-16 14:58:09 0 d-----w- c:\program files (x86)\WindowsServices
    2010-04-15 20:25:05 0 d-----w- c:\programdata\SUPERAntiSpyware.com
    2010-04-15 20:24:59 0 d-----w- c:\users\jeff\appdata\roaming\SUPERAntiSpyware.com
    2010-04-15 18:15:55 0 d-----w- c:\programdata\BioWare
    2010-04-15 17:37:10 0 d-----w- c:\users\jeff\appdata\roaming\InfraRecorder
    2010-04-15 16:16:06 0 d-sh--w- c:\programdata\SecuROM
    2010-04-15 16:07:50 0 d-----w- c:\program files (x86)\common files\Wise Installation Wizard
    2010-04-15 16:07:48 0 d-----w- c:\programdata\Media Center Programs
    2010-04-15 15:55:17 0 d-----w- c:\program files (x86)\common files\BioWare
    2010-04-15 15:39:29 0 d-----w- c:\users\jeff\Tracing
    2010-04-15 15:30:15 0 d-----w- c:\program files (x86)\Microsoft SQL Server Compact Edition
    2010-04-15 15:30:01 0 d-----w- c:\program files (x86)\Microsoft
    2010-04-15 15:29:48 0 d-----w- c:\program files (x86)\Windows Live SkyDrive
    2010-04-15 15:24:19 0 d-----w- c:\program files (x86)\common files\Windows Live
    2010-04-15 15:12:35 0 d-----w- c:\users\jeff\appdata\roaming\runic games
    2010-04-14 22:53:47 0 d-----w- c:\program files (x86)\common files\Futuremark Shared
    2010-04-14 20:03:30 45 ----a-w- c:\windows\syswow64\initdebug.nfo
    2010-04-14 15:41:21 390330392 ----a-w- c:\windows\MEMORY.DMP
    2010-04-14 12:50:08 0 d-----w- c:\users\jeff\appdata\roaming\foobar2000
    2010-04-14 12:31:58 0 d-----w- c:\windows\pss
    2010-04-14 12:29:26 18960 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
    2010-04-14 12:29:11 0 d-----w- c:\programdata\Logishrd
    2010-04-14 12:28:09 0 d-----w- c:\program files\common files\LogiShrd
    2010-04-14 12:28:06 0 d-----w- c:\users\jeff\appdata\roaming\Logishrd
    2010-04-13 22:49:55 0 d-----w- c:\users\jeff\appdata\roaming\Win7codecs
    2010-04-13 22:48:45 0 d-----w- c:\programdata\Win7codecs
    2010-04-13 16:17:23 540688 ----a-w- c:\windows\system32\d3dx10_39.dll
    2010-04-13 16:17:23 4992520 ----a-w- c:\windows\system32\D3DX9_39.dll
    2010-04-13 16:17:23 467984 ----a-w- c:\windows\syswow64\d3dx10_39.dll
    2010-04-13 16:17:23 3851784 ----a-w- c:\windows\syswow64\D3DX9_39.dll
    2010-04-13 16:17:23 1942552 ----a-w- c:\windows\system32\D3DCompiler_39.dll
    2010-04-13 16:17:23 1493528 ----a-w- c:\windows\syswow64\D3DCompiler_39.dll
    2010-04-13 16:07:26 0 d-----w- c:\program files (x86)\Eagle Dynamics
    2010-04-13 14:46:41 15867 ----a-w- c:\windows\system32\Blank.ico
    2010-04-13 12:40:56 0 d-----w- c:\programdata\Skype
    2010-04-12 20:30:54 0 d-----w- c:\programdata\Codemasters
    2010-04-12 20:11:29 0 d-----w- c:\windows\syswow64\xlive
    2010-04-12 20:11:29 0 d-----w- c:\program files (x86)\Microsoft Games for Windows - LIVE
    2010-04-12 20:11:10 17686528 ----a-w- c:\windows\syswow64\mkl_blueripple.dll
    2010-04-12 20:11:10 1347584 ----a-w- c:\windows\syswow64\rapture3d_oal.dll
    2010-04-12 20:11:10 0 d-----w- c:\program files (x86)\BRS
    2010-04-12 20:11:06 519000 ----a-w- c:\windows\system32\d3dx10_40.dll
    2010-04-12 20:11:06 452440 ----a-w- c:\windows\syswow64\d3dx10_40.dll
    2010-04-12 20:11:06 2605920 ----a-w- c:\windows\system32\D3DCompiler_40.dll
    2010-04-12 20:11:06 2036576 ----a-w- c:\windows\syswow64\D3DCompiler_40.dll
    2010-04-12 20:11:05 5631312 ----a-w- c:\windows\system32\D3DX9_40.dll
    2010-04-12 20:11:05 4379984 ----a-w- c:\windows\syswow64\D3DX9_40.dll
    2010-04-12 19:39:40 64512 ----a-w- c:\windows\system32\HPPLVS.dll
    2010-04-12 19:39:40 398336 ----a-w- c:\windows\system32\HP1006LM.DLL
    2010-04-12 19:39:39 0 d-----w- c:\program files\HP
    2010-04-12 17:27:48 0 d-----w- c:\programdata\Macrium
    2010-04-12 15:49:03 0 d-----w- c:\users\jeff\appdata\roaming\HiFi
    2010-04-12 15:46:41 0 d-----w- c:\windows\Downloaded Installations
    2010-04-12 14:50:19 0 d-----w- c:\users\jeff\appdata\roaming\EZCA
    2010-04-12 13:03:20 0 d-----w- c:\users\jeff\appdata\roaming\Autodesk
    2010-04-12 13:03:20 0 d-----w- c:\programdata\TEMP
    2010-04-12 13:03:20 0 d-----w- c:\programdata\Alias
    2010-04-12 12:34:24 0 d-----w- c:\users\jeff\appdata\roaming\HandBrake
    2010-04-12 03:00:25 0 d-----w- c:\program files (x86)\Vstplugins
    2010-04-12 02:56:56 0 d-----w- c:\programdata\Sony
    2010-04-12 02:56:55 0 d-----w- c:\program files (x86)\Sony
    2010-04-12 00:56:19 0 d-----w- c:\users\jeff\appdata\roaming\NVIDIA
    2010-04-11 20:56:21 0 dc-h--w- c:\programdata\{A87EB928-0C6C-4071-AEF1-59E32BAEDF1B}
    2010-04-11 20:56:21 0 d-----w- c:\users\jeff\appdata\roaming\Stardock
    2010-04-11 14:30:25 49120 ----a-w- c:\windows\system32\oodbs.lor
    2010-04-11 13:18:18 0 d-----w- c:\programdata\Logitech
    2010-04-11 13:18:18 0 d-----w- c:\program files\Logitech
    2010-04-11 13:12:42 0 d-----w- c:\windows\system32\oodag
    2010-04-11 13:08:48 0 d-----w- c:\program files\OO Software
    2010-04-11 12:24:10 0 ---ha-w- c:\windows\system32\drivers\Msft_User_lgSSBW_01_00_00.Wdf
    2010-04-11 12:24:01 0 ---ha-w- c:\windows\system32\drivers\Msft_User_lgSSQVGA_01_00_00.Wdf
    2010-04-11 12:12:49 0 d-----w- c:\users\jeff\appdata\roaming\Trillian
    2010-04-11 11:51:56 0 d-----w- c:\users\jeff\appdata\roaming\Dropbox
    2010-04-11 04:31:06 0 d-----w- c:\windows\Panther
    2010-04-11 04:08:38 0 d-----w- c:\users\jeff\appdata\roaming\KeePass
    2010-04-11 03:55:26 0 d-----w- c:\users\jeff\appdata\roaming\uTorrent
    2010-04-11 03:31:59 0 d-----w- c:\users\jeff\appdata\roaming\nHancer
    2010-04-11 03:28:47 0 d-----w- c:\programdata\nHancer
    2010-04-11 03:13:48 0 d-----w- c:\program files (x86)\MSXML 4.0
    2010-04-11 03:13:46 0 d-----w- c:\program files (x86)\common files\Microsoft Games
    2010-04-11 03:02:32 0 d-----w- c:\windows\PCHEALTH
    2010-04-11 02:51:16 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
    2010-04-11 02:49:39 0 d-----w- c:\program files (x86)\common files\Steam
    2010-04-11 02:41:09 0 d-----w- c:\windows\syswow64\Macromed
    2010-04-11 02:32:45 0 d-----w- c:\windows\syswow64\directx
    2010-04-11 02:29:17 0 d-----w- c:\windows\syswow64\Wat
    2010-04-11 02:29:17 0 d-----w- c:\windows\system32\Wat
    2010-04-11 02:27:03 311808 ----a-w- c:\windows\system32\msv1_0.dll
    2010-04-11 02:27:03 257024 ----a-w- c:\windows\syswow64\msv1_0.dll
    2010-04-11 02:23:29 464896 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-04-11 02:23:29 162304 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2010-04-11 01:58:14 0 d-----w- c:\programdata\NVIDIA
    2010-04-11 01:57:52 0 d-----w- c:\program files (x86)\NVIDIA Corporation
    2010-04-11 01:57:45 0 d-----w- c:\program files\NVIDIA Corporation
    2010-04-11 01:56:12 930272 ----a-w- c:\windows\system32\dpinst.exe
    2010-04-11 01:56:02 0 d-----w- C:\NVIDIA
    2010-04-11 01:50:33 647872 ------w- c:\windows\syswow64\Mscomct2.ocx
    2010-04-11 01:50:33 53248 ------w- c:\windows\Ctregrun.exe
    2010-04-11 01:35:38 788 ----a-w- c:\windows\system32\DVCState-{00000007-00000000-00000000-00001102-00000005-00211102}.rfx
    2010-04-11 01:35:38 61616 ----a-w- c:\windows\system32\BMXStateBkp-{00000007-00000000-00000000-00001102-00000005-00211102}.rfx
    2010-04-11 01:35:38 61616 ----a-w- c:\windows\system32\BMXState-{00000007-00000000-00000000-00001102-00000005-00211102}.rfx
    2010-04-11 01:34:47 7062 ----a-w- c:\windows\syswow64\audiopid.vxd
    2010-04-11 01:34:23 0 d--h--w- c:\program files (x86)\Creative Installation Information
    2010-04-11 01:34:23 0 d-----w- c:\program files (x86)\common files\Creative
    2010-04-11 01:34:16 0 d-----w- c:\program files (x86)\common files\Creative Labs Shared
    2010-04-11 01:34:11 0 d-----w- c:\program files\Creative
    2010-04-11 01:34:02 0 d-----w- c:\program files (x86)\Creative
    2010-04-11 01:33:57 0 d-----w- c:\programdata\Creative
    2010-04-11 01:33:56 107008 ----a-w- c:\windows\system32\cttele64.dll
    2010-04-11 01:33:56 102400 ----a-w- c:\windows\syswow64\cttele32.dll
    2010-04-11 01:33:32 466520 ----a-w- c:\windows\system32\wrap_oal.dll
    2010-04-11 01:33:32 445016 ----a-w- c:\windows\syswow64\wrap_oal.dll
    2010-04-11 01:33:32 122904 ----a-w- c:\windows\system32\OpenAL32.dll
    2010-04-11 01:33:32 109080 ----a-w- c:\windows\syswow64\OpenAL32.dll
    2010-04-11 01:33:32 0 d-----w- c:\program files (x86)\OpenAL
    2010-04-11 01:33:31 89088 ----a-w- c:\windows\system32\CmdRtr64.DLL
    2010-04-11 01:33:31 73728 ----a-w- c:\windows\syswow64\CmdRtr.DLL
    2010-04-11 01:33:31 190976 ----a-w- c:\windows\system32\APOMgr64.DLL
    2010-04-11 01:33:31 159 ---ha-r- c:\windows\ctfile.rfc
    2010-04-11 01:33:31 148480 ----a-w- c:\windows\syswow64\APOMngr.DLL
    2010-04-11 01:32:52 12288 ----a-w- c:\windows\system32\INRES.DLL
    2010-04-11 01:32:52 11776 ----a-w- c:\windows\syswow64\INRES.DLL
    2010-04-11 01:32:52 0 d-----w- c:\windows\syswow64\Data
    2010-04-11 01:32:52 0 d-----w- c:\windows\system32\Data
    2010-04-11 01:32:46 22691984 ----a-w- c:\windows\syswow64\AppSetup.exe
    2010-04-11 01:29:15 53248 ----a-w- c:\windows\syswow64\CSVer.dll
    2010-04-11 01:12:02 169 ----a-w- c:\windows\system32\autopart.opt
    2010-04-11 01:12:02 0 d-----w- c:\windows\Acronis
    2010-04-11 01:10:47 0 d-----w- c:\programdata\Acronis
    2010-04-11 01:10:02 269408 ----a-w- c:\windows\system32\drivers\snapman.sys
    2010-04-11 01:08:33 0 d-sh--w- c:\windows\Installer
    2010-04-11 01:00:24 212864 ------w- c:\windows\system32\MpSigStub.exe
    2010-04-11 00:54:05 0 d-----w- C:\Applications
    2010-04-11 00:43:32 0 d-sh--w- C:\Recovery
    2010-04-03 22:42:00 61032 ----a-w- c:\windows\system32\nvshext.dll
    2010-04-03 22:42:00 159336 ----a-w- c:\windows\system32\nvvsvc.exe
    2010-04-03 22:42:00 14828648 ----a-w- c:\windows\system32\nvcpl.dll
    2010-04-03 22:42:00 116328 ----a-w- c:\windows\system32\nvmctray.dll
    2010-04-03 22:42:00 1067624 ----a-w- c:\windows\system32\nvsvc64.dll
    2010-04-03 22:41:38 66714 ----a-w- c:\windows\system32\NvwsApps.xml
    2010-04-03 22:41:38 276196 ----a-w- c:\windows\system32\NvApps.xml
    2010-04-02 21:57:30 499712 ----a-w- c:\windows\syswow64\msvcp71.dll
    2010-04-02 21:57:30 348160 ----a-w- c:\windows\syswow64\msvcr71.dll
    2010-03-31 05:15:22 86016 ----a-w- c:\windows\syswow64\frapsvid.dll
    2010-03-31 05:15:20 84992 ----a-w- c:\windows\system32\frapsv64.dll
    2010-03-22 18:38:00 3600384 ----a-w- c:\windows\syswow64\GPhotos.scr

    ==================== Find3M ====================
    2010-03-17 14:02:54 39904 ----a-w- c:\windows\system32\drivers\psmounter.sys
    2010-02-23 08:22:50 1192960 ----a-w- c:\windows\system32\wininet.dll
    2010-02-23 07:56:00 977920 ----a-w- c:\windows\syswow64\wininet.dll
    2010-02-23 07:55:56 1225216 ----a-w- c:\windows\syswow64\urlmon.dll
    2010-02-23 07:55:45 606208 ----a-w- c:\windows\syswow64\mstime.dll
    2010-02-23 07:55:43 64512 ----a-w- c:\windows\syswow64\msfeedsbs.dll
    2010-02-23 07:55:43 5964800 ----a-w- c:\windows\syswow64\mshtml.dll
    2010-02-23 07:55:24 10978816 ----a-w- c:\windows\syswow64\ieframe.dll
    2010-02-23 07:55:20 381440 ----a-w- c:\windows\syswow64\iedkcs32.dll
    2010-02-21 08:48:22 85504 ----a-w- c:\windows\syswow64\ff_vfw.dll
    2010-02-15 17:00:00 185920 ----a-w- c:\windows\syswow64\rmoc3260.dll
    2010-02-04 14:01:14 78680 ----a-w- c:\windows\system32\XAPOFX1_4.dll
    2010-02-04 14:01:14 74072 ----a-w- c:\windows\syswow64\XAPOFX1_4.dll
    2010-02-04 14:01:14 530776 ----a-w- c:\windows\system32\XAudio2_6.dll
    2010-02-04 14:01:14 528216 ----a-w- c:\windows\syswow64\XAudio2_6.dll
    2010-02-04 14:01:14 24920 ----a-w- c:\windows\system32\X3DAudio1_7.dll
    2010-02-04 14:01:14 238936 ----a-w- c:\windows\syswow64\xactengine3_6.dll
    2010-02-04 14:01:14 22360 ----a-w- c:\windows\syswow64\X3DAudio1_7.dll
    2010-02-04 14:01:14 176984 ----a-w- c:\windows\system32\xactengine3_6.dll
    2010-02-02 08:36:47 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-02-02 07:45:54 2048 ----a-w- c:\windows\syswow64\tzres.dll
    2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini
    2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini
    2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
    2009-07-14 04:55:03 16384 --sha-w- c:\windows\syswow64\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\index.dat
    2009-07-14 04:55:03 32768 --sha-w- c:\windows\syswow64\config\systemprofile\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
    2009-07-14 04:55:03 16384 --sha-w- c:\windows\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\cookies\index.dat
    2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
    2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

    ============= FINISH: 15:31:15.97 ===============

  4. Hello Jeff-66, welcome to Malwarebytes.org.

    We don't work on malware removal or diagnostics in the general forums.

    Please print out, read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.

    One of the expert helpers there will give you one-on-one assistance when one becomes available.

    After posting your new post make sure under options that you select Track this topic and choose one of the Email options so that you're alerted when someone has replied to your post.

    Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org

    PS - No need to leave ID numbers here -

    Thank You - :)

    EDIT - Please only use one A/V on your computer at any time - It can cause problems -

    I only use MSE these days -

    Thanks, I'll follow your directions. Sorry about the ID thing. I've been on forums where no one would help until you showed your paid I.D. :)

  5. {Win7 Home Premium 64-bit}

    Hi all,

    I got my first virus/trojan today. MSSE noticed it first, and said its removal was successful, but far from it. I tried ESET Nod32, and that didn't even see the virus. Then I tried AVG's DOS boot CD, which has networking, and it started up, downloaded its latest defs, scanned the system ... found nothing. Useless. Superantispyware ... same thing, doesn't even see the malware. ProcessExplorer doesn't show a recognizable process for it.

    So after googling a bit more, I found out about MBAM and gave it a try. Sure enough, the free version found the whole thing, and its variants on my HD. I forget the name of the trojan, but I know it puts xXx.xXx and uUu.uUu files into my users/me/local/temp directory, and the xxx one cannot be killed.

    So I let MBAM do its thing; it reboots and finishes the job. It says the bad stuff is all gone. Now, before I removed it, I noticed very strange behavior in Firefox (3.6.3); sometimes I was prevented from surfing at all. Other times, I'd get a popup saying "Firefox has stopped working". It also seemed to be trying to intercept my downloads.

    Later, after MBAM finishes, I open Firefox again and MBAM pops up and tells me that xxx.xxx is attempting to load, and has been stopped. I click Quarantine. So I figure the bloody thing is still hiding somewhere. I disable System Restore, reboot into Safe Mode, and let MBAM scan the HDs. It finds nothing at all.

    I reboot again, all seems well. Odd, randomly lettered EXEs are no longer showing in MSConfig's startup area. The xxx.xxx and uuu.uuu files are no longer present in the temp folder. Good so far. Until ...

    I start Firefox ... and once again, MBAM intercepts xxx.xxx and keeps it from starting. So clearly, this trojan is somehow hooked into Firefox. So I need some advice about what I should do next. Of course, I'm trying to avoid a full system re-install. It would take me a solid week to get things back to the way they are now.

    Thanks
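As an added example (not part of this thread, and not code from the DDS tool or from Malwarebytes), here is a small Python triage helper for file listings of the shape posted above: `YYYY-MM-DD HH:MM:SS <size> <attrs> <path>`. It parses each line, decodes the attribute field by the letters present (d, s, h, a, r, w, which is my reading of the letters that appear in the posted log, not a documented DDS spec), and applies three heuristics drawn from the thread: a file in a temp folder whose name and extension are identical (the xXx.xXx / uUu.uUu pattern the poster describes), hidden+system attributes outside the Windows and Program Files roots, and a recent write outside those roots relative to a reference date you supply. The trusted roots, the seven-day window, the reference date and the two temp-folder lines in the sample are assumptions constructed for illustration; the other sample lines are copied from the listing.

```python
"""Triage helper for DDS-style file listings (added example for this thread)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# One listing line: date, time, size in bytes, 8-character attribute field, path.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+([-a-z]{8})\s+(.+?)\s*$",
    re.IGNORECASE,
)

# Attribute letters read by presence, not by column position (assumption based on
# the letters that appear in the posted log: d, s, h, a, r, w).
ATTR_LETTERS = {"d": "directory", "s": "system", "h": "hidden",
                "a": "archive", "r": "read-only", "w": "writable"}

# Roots treated as trusted for the hidden+system and recency rules (assumption).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass(frozen=True)
class Entry:
    mtime: datetime
    size: int
    attrs: frozenset
    path: str


def parse_line(line):
    """Return an Entry for one listing line, or None for headers and footers."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, size, attrs, path = m.groups()
    names = frozenset(ATTR_LETTERS[c] for c in attrs.lower() if c in ATTR_LETTERS)
    return Entry(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(size), names, path)


def parse_listing(text):
    """Parse a whole listing, skipping section headers and the FINISH line."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def triage(entries, reference, recent_days=7):
    """Apply three heuristics; return [(path, [reasons])] for flagged entries only."""
    findings = []
    for e in entries:
        low = e.path.lower()
        trusted = low.startswith(TRUSTED_PREFIXES)
        stem, _, ext = low.rsplit("\\", 1)[-1].rpartition(".")
        reasons = []
        # xXx.xXx / uUu.uUu: name and extension identical, living in a temp folder.
        if "\\temp\\" in low and stem and stem == ext:
            reasons.append("twin-name file in a temp directory")
        # Hidden+system is normal for desktop.ini and WinSxS, not for user data.
        if {"system", "hidden"} <= e.attrs and not trusted:
            reasons.append("hidden+system outside trusted roots")
        # Recent write outside trusted roots, measured against the supplied date.
        if not trusted and timedelta(0) <= reference - e.mtime <= timedelta(days=recent_days):
            reasons.append("modified within %d days" % recent_days)
        if reasons:
            findings.append((e.path, reasons))
    return findings


# Constructed sample: the first three entries are copied from the posted log; the
# two temp-folder entries are made up to match the file names described in the thread.
SAMPLE_LISTING = r"""
==================== Find3M ====================
2010-03-17 14:02:54 39904 ----a-w- c:\windows\system32\drivers\psmounter.sys
2010-02-23 08:22:50 1192960 ----a-w- c:\windows\system32\wininet.dll
2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini
2010-04-01 09:12:33 61440 --sha-w- c:\users\me\appdata\local\temp\xXx.xXx
2010-04-01 09:12:35 20480 ----a-w- c:\users\me\appdata\local\temp\uUu.uUu
============= FINISH: 15:31:15.97 ===============
"""


def demo():
    """Parse the sample and triage it against a reference date the day after the writes."""
    return triage(parse_listing(SAMPLE_LISTING), reference=datetime(2010, 4, 2))


if __name__ == "__main__":
    for path, reasons in demo():
        print(path)
        for r in reasons:
            print("   -", r)
```

Run as a script it prints only the two temp-folder files, each with the rules it tripped; the Windows and Program Files entries, including the hidden+system desktop.ini, pass because their roots are trusted. The point of the recency rule is that it needs a reference date: the FINISH line in a DDS log carries a time but no date, so take it from the scan itself or from the post, never from the host clock of the machine doing the triage.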
