magicman

Members
  • Posts: 9
  • Joined
  • Last visited

Reputation: 0 Neutral
  1. Thank You, blade81, for your interest. A strange thing happened today. A mail was sent from my Gmail account to some of my contacts. I did not send that mail. It contained a link to a Russian website (lots of Russian sites are known to host malware). I did not click the link myself - it had a .ru appended. Probably due to this occurrence, Google blocked my account, and I had to go through the process of unlocking it. Google also made me change my password (I would have done it anyway). I immediately sent off another mail to the contacts in question warning them not to click the link. I'm curious to know how this happened & how to prevent this in future? Thanks again!
  2. Hi, Ran a full MSE scan overnight on Sunday night. No threats detected. Thank You!
  3. Hi, No - I ran a (quick) scan with MSE. It came clean. Also, the MSE warning about the trojan every time I booted has stopped. I plan to run a full scan overnight - will keep you posted. Thank You!
  4. Hi, I took a break to catch a night's sleep! As instructed (Note: ComboFix updated itself from the DOS console before continuing):
     NEW COMBOFIX LOG:
     NEW DDS LOG:
     Thank You.
  5. Hi, After running Remover in 'Fix' mode, it restarted my PC, but Windows refused to boot due to an inaccessible code/device. Fortunately, I had the installation CD handy, and could repair the startup problem. Thereafter Windows started normally, and no sign of the Trojan as yet. I ran a scan in MSE, & it came clean. Please advise if you still recommend running ComboFix / DDS. I'll happily do it if you think it is necessary. Thank You.
  6. Hi, Here is the log from Bootkit Remover:
     Bootkit Remover version 1.0.0.1
     © 2009 eSage Lab
     www.esagelab.com
     \\.\C: -> \\.\PhysicalDrive0
     MD5: cfed09de05f9d4be9db68f7fe7dabeba
     \\.\D: -> \\.\PhysicalDrive0
     Size     Device Name           MBR Status
     --------------------------------------------
     149 GB   \\.\PhysicalDrive0    Unknown boot code
     Unknown boot code has been found on some of your physical disks.
     To inspect the boot code manually, dump the master boot sector: remover.exe dump <device_name> [output_file]
     To disinfect the master boot sector, use the following command: remover.exe fix <device_name>
     Thank You!
  7. Hi, The trojan MSE detects is "Trojan Downloader:Win32/Unruy.D". Under "Items" is this line: file:C:\System Volume Information\Microsoft\smss.exe Hope this is what you need. MSE also points to this link for "more information about this item online": http://www.microsoft.com/security/portal/T...atid=2147629791 Thank You!
  8. Thank You, Blade 81, I did as told. The 2 files are pasted below. You did not ask for 'attach.txt', so I've not attached it. I'm not sure if ComboFix is supposed to fix anything - I got the warning again from MSE the moment I re-enabled its real time protection. Thanks again!
     COMBOFIX LOG:
     NEW DDS LOG:
LocalServiceNoNetwork C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe C:\Windows\system32\taskhost.exe C:\Windows\system32\svchost.exe -k bthsvcs C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Windows\system32\taskeng.exe C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Windows\System32\igfxtray.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe C:\Program Files\Microsoft Security Essentials\msseces.exe C:\Program Files\Common Files\Java\Java Update\jusched.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Users\Royce\AppData\Local\Google\Update\1.2.183.23\GoogleCrashHandler.exe C:\Program Files\Skype\Phone\Skype.exe C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation C:\Windows\system32\igfxext.exe C:\Program Files\Synaptics\SynTP\SynTPHelper.exe C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe C:\Windows\system32\igfxsrvc.exe C:\Windows\system32\SearchIndexer.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Windows Media Player\wmpnetwk.exe C:\Users\Royce\AppData\Local\Google\Chrome\Application\chrome.exe C:\Users\Royce\AppData\Local\Google\Chrome\Application\chrome.exe C:\Program Files\Microsoft Security Essentials\MpCmdRun.exe C:\Users\Royce\AppData\Local\Google\Chrome\Application\chrome.exe C:\Users\Royce\AppData\Local\Google\Chrome\Application\chrome.exe C:\Windows\system32\sppsvc.exe C:\Users\Royce\AppData\Local\Google\Chrome\Application\chrome.exe C:\Windows\system32\wbem\wmiprvse.exe C:\Windows\servicing\TrustedInstaller.exe C:\Windows\system32\wuauclt.exe C:\Windows\system32\SearchProtocolHost.exe C:\Windows\system32\SearchFilterHost.exe C:\Windows\system32\DllHost.exe 
D:\Common\Setups\Security & Maintenance\Malware Bytes\dds.scr C:\Windows\system32\conhost.exe ============== Pseudo HJT Report =============== uStart Page = about:blank BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll uRun: [Google Update] "c:\users\royce\appdata\local\google\update\GoogleUpdate.exe" /c uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized mRun: [igfxTray] c:\windows\system32\igfxtray.exe mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe mRun: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe" StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5) mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3) mPolicies-system: EnableUIADesktopToggle = 0 (0x0) IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm IE: Send page to &Bluetooth Device... 
- c:\program files\widcomm\bluetooth software\btsendto_ie.htm IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL Notify: igfxcui - igfxdev.dll ============= SERVICES / DRIVERS =============== R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040] R1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\drivers\SABI.sys [2010-3-27 10752] R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128] R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2009-7-1 43944] R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2010-3-28 29472] R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-12-2 42368] R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2010-2-15 322336] S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888] S3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;c:\windows\system32\drivers\silabenm.sys [2010-3-28 17920] S3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;c:\windows\system32\drivers\silabser.sys [2010-3-28 63872] S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe 
[2010-3-27 1343400] =============== Created Last 30 ================ 2010-06-10 07:40:57 0 d-sh--w- C:\$RECYCLE.BIN 2010-06-10 07:15:44 98816 ----a-w- c:\windows\sed.exe 2010-06-10 07:15:44 77312 ----a-w- c:\windows\MBR.exe 2010-06-10 07:15:44 256512 ----a-w- c:\windows\PEV.exe 2010-06-10 07:15:44 161792 ----a-w- c:\windows\SWREG.exe 2010-06-09 11:53:06 0 ----a-w- c:\users\royce\defogger_reenable 2010-06-09 07:38:47 0 d-----w- c:\users\royce\appdata\roaming\Malwarebytes 2010-06-09 07:38:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-06-09 07:38:17 0 d-----w- c:\programdata\Malwarebytes 2010-06-09 07:38:16 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-06-09 07:38:16 0 d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-06-05 15:18:55 411368 ----a-w- c:\windows\system32\deployJava1.dll 2010-06-05 06:10:23 0 d-----w- c:\programdata\Protexis 2010-06-05 06:01:19 0 d-----w- c:\programdata\Microsoft Help 2010-06-05 06:00:39 0 d-----w- c:\program files\gs 2010-06-05 05:59:49 0 d-----w- c:\program files\common files\Corel 2010-06-05 05:58:51 0 d-----w- c:\programdata\Corel 2010-06-05 05:51:26 0 d-----w- c:\program files\Corel 2010-06-01 11:48:34 56 ---ha-w- c:\programdata\ezsidmv.dat 2010-06-01 11:46:04 0 d-----r- c:\program files\Skype 2010-06-01 11:45:56 0 d-----w- c:\programdata\Skype 2010-06-01 09:42:01 2048 ----a-w- c:\windows\system32\tzres.dll 2010-05-23 16:54:54 0 d-----w- c:\program files\common files\Protexis 2010-05-14 16:54:35 0 d-----w- c:\program files\common files\Windows Live 2010-05-14 16:53:08 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys 2010-05-14 16:50:44 133720 ----a-w- c:\windows\system32\drivers\ksecpkg.sys 2010-05-14 16:50:44 1037312 ----a-w- c:\windows\system32\lsasrv.dll 2010-05-14 16:47:33 740864 ----a-w- c:\windows\system32\inetcomm.dll 2010-05-14 16:47:32 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys 2010-05-14 16:41:33 0 d-----w- c:\program files\Microsoft Security Essentials 2010-05-13 
07:18:36 88 --sh--r- c:\programdata\3EE703C242.sys ==================== Find3M ==================== 2010-06-03 13:51:29 2828 --sha-w- c:\programdata\KGyGaAvL.sys 2010-05-21 08:44:28 221568 ------w- c:\windows\system32\MpSigStub.exe 2010-05-14 16:38:25 6 ----a-w- c:\program files\common files\UnInstallCompleted.tmp 2010-05-14 04:54:25 595456 ----a-w- c:\windows\system32\NScanNative_bak.dll 2010-05-14 04:54:25 43584 ----a-w- c:\windows\system32\AES_bak.dll 2010-05-14 04:54:15 81920 ----a-w- c:\windows\system32\fstcp_bak.dll 2010-05-14 04:54:14 76800 ----a-w- c:\windows\system32\spekekit_bak.dll 2010-04-03 10:01:40 413696 ----a-w- c:\windows\system32\wrap_oal.dll 2010-04-03 10:01:40 110592 ----a-w- c:\windows\system32\OpenAL32.dll 2010-03-29 20:25:49 8 --sha-r- c:\programdata\AF939F5E94.sys 2010-03-29 11:27:10 138304 ----a-w- c:\program files\common files\osdinst.dll 2010-03-29 11:27:10 1097038 ----a-w- c:\program files\common files\ptlosd.cab 2010-03-27 13:36:12 4870208 ----a-w- c:\program files\common files\xsignal.exe 2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat 2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat 2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat 2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat 2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini 2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat 2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat 2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat 2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat 2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat 2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe ============= FINISH: 13:24:57.83 ===============
  9. Hi, MS Security Essentials keeps telling me at every boot that it's found "Unruy.D", asking to remove. I remove it. Then MSE asks to restart to complete the removal, which I also do. But on the next boot, "Unruy.D" is back and MSE repeats the process. Finally I came across this forum. As instructed, I am pasting the contents of "DDS.txt", and attaching "ark.txt" and "attach.txt". These are as instructed in the topic http://forums.malwarebytes.org/index.php?showtopic=9573&hl=i'm+infected Thanks for your help! attach.zip DDS.TXT: