Jump to content

Search the Community

Showing results for tags '.exe'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Announcements
    • Malwarebytes News
    • Beta Testing Program
  • Malware Removal Help
    • Windows Malware Removal Help & Support
    • Mac Malware Removal Help & Support
    • Mobile Malware Removal Help & Support
    • Malware Removal Self-Help Guides
  • Malwarebytes for Home Support
    • Malwarebytes for Windows Support Forum
    • Malwarebytes for Mac Support Forum
    • Malwarebytes for Android Support Forum
    • Malwarebytes for iOS Support
    • Malwarebytes Privacy
    • Malwarebytes Browser Guard
    • False Positives
    • Comments and Suggestions
  • Malwarebytes for Business Support
    • Malwarebytes Endpoint Protection
    • Malwarebytes Incident Response (includes Breach Remediation)
    • Malwarebytes Endpoint Security
    • Malwarebytes Business Products Comments and Suggestions
  • Malwarebytes Tools and Other Products
    • Malwarebytes AdwCleaner
    • Malwarebytes Junkware Removal Tool Support
    • Malwarebytes Anti-Rootkit BETA Support
    • Malwarebytes Techbench USB (Legacy)
    • Malwarebytes Secure Backup discontinued
    • Other Tools
    • Malwarebytes Tools Comments and Suggestions
  • General Computer Help and Security Updates
    • BSOD, Crashes, Kernel Debugging
    • General Windows PC Help
  • Research Center
    • Newest Rogue-Ransomware Threats
    • Newest Malware Threats
    • Newest Mobile Threats
    • Newest IP or URL Threats
    • Newest Mac Threats
    • Report Scam Phone Numbers
  • General
    • General Chat
    • Forums Announcements & Feedback

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


AIM


MSN


Website URL


ICQ


Yahoo


Jabber


Location


Interests

Found 15 results

  1. Last week, I downloaded a program offline that I thought was safe, however, it ended up being off of the wrong website (wrong domain) and I ran the .exe file, after that, my amazon account was compromised... I don't know if that was just a coincidence or if I am still infected? Please help, thank you
  2. I got a virus that renames .exe files by adding "g" to them (example: gfirefox.exe). Not just that it hides the .exe files, so they don't appear when i searched them. It's ruining a lot of my files so please help....
  3. So i just have this weird detection were avast detects different .exe files. I cant open chrome because of this.
  4. Hello, I'm new to the forum so excuse if this post is not in the correct place but i really need some help on this one.. My fathers computer has been running terribly slow and he says it's been turning off and restarting and just acting strange. So i figured i can run malwarebytes + other virus scanners, CCleaner, clear his cache and cookies and web history and i figured that would do the trick but after i did all the troubleshooting, the same symptoms are appearing. So i pulled up netstat and I found out his computer is connecting to pornhub.com via firefox sessions( which aren't open) and 1sass.exe appears to be the one that's opening them? I've tried scanning with multiple antivirus programs, tried different firewalls. I tried going through command prompt to delete the file but it woudln't allow me to do so. I've attached a screenshot. What should i do? Thank you
  5. I have done some digging and found my pc to be infected with the malware that auto generates the g***.tmp files into the windows folder. I have seen you all help a few other people and would like to be aided as well. Thank you in advance
  6. Hello, so I'm having a lot of issues with my PC right now. I'm running windows 10. Whenever I try to open pretty much any .exe file, it gives me the error: "The requested resource is in use". I have had this problem for about a month now but it has really gotten annoying now. I looked it up before and found a solution for it when I first got it and I downloaded some external malwarebytes program which got rid of the problem for a while. I just now noticed that the problem has came back and the external program doesn't work. I have been trying to fix this for hours now, looking on many websites for a solution but none of them worked. I can't run any anti malware program so I'm not sure what to do. Any support would be greatly appreciated.
  7. Hello, Someone tried to hack my PC. Installed a number of suspicious software and tools, disabled Windows Defender by a group policy, and there is a virus/malware I can not remove from my system. Once Windows 10 boots this file "g****.tmp.exe/g****.tmp" is automatically generated in the Windows temp folder and every time I end the task/process from the task manager and delete the files they generate again when I restart the Windows and Windows Defender is ineffective to clean my system. I managed to remove most of the suspicious software and tools and turn on Windows Defender. But there are some security issues I need to correct. Could you please help? I think my security issues are similar to "Kevin777" topic. https://forums.malwarebytes.com/topic/194088-a-tmpexe-files-in-the-temp-folder-malware-or-a-browser-hijacker/ Thank you.
  8. Hi. I registered because I have a problem. I don't know if this is the right website, but I've found a similar problem to mine on two websites, yours is one of them. https://forums.malwarebytes.org/topic/119495-exe-files-wont-open-in-windows-xp/ Here is the topic I found and followed a little bit, which I know that I shouldn't have done so. I was searching for a programme to open some files named "sf1" and google pointed me towards a malicious programme named "Advanced file optimizer". Before I downloaded it, my antivirus ESET NOD32 warned me about it, that it is suspicious, but I ignored it twice since I couldn't find another programme for the files. After this programme did its work, I couldn't open any programmes ending with .exe. Because I tried to solve the problem on my own I think I've caused more trouble myself than the programme itself. Honestly, this is probably a big mess, but after I found that I could make programmes work by just renaming their end to let's say .com, I thought the problem is not even that serious. But I've done some things later, in a wish to restore the system back to its old self. I wanted to simply restore the system to an earlier point, so it could all disappear, but it didn't run. The second website's topic I was following http://www.bleepingcomputer.com/forums/t/542716/infected-with-advanced-file-optimizer/ If this isn't the place for this problem I'll go to bleeping computer site, which seems more appropriate for this type of problem since this website is for users of Malwarebytes I presume. But at that website all the starters of topics, stopped replying, like they couldn't find the solution, so they just closed the topic due to their inactivity. Here you solved the problem, with the user's confirmation. I have denied an user called "trustedinstaller" because it wasn't allowing me to rename some stuff, and I figured it as a virus, but it probably was something important. The computer asks me for permissions before renaming some programmes, which before didn't. After some programmes being renamed to .com, my PC has renamed most of them? So now I can open some things, like Regedit, and command prompt, without big problems, so maybe this can be fixed after all? If I have to pay anything, say so up-front, and I'll try my best to pay for it. I tried uploading report from Rkill in notepad text form, but it sends error from your website saying " There was a problem processing the uploaded file. -200 ". If you're willing to help me, I'll follow your instructions, will provide what you need and do as you'll say. With regards, makrarom. P.S. very sorry about the mess, if it's too much just say so!
  9. This can be reproduced (for the time being). The game League of Legends (http://na.leagueoflegends.com/) latest installment will toss a false positive. Attached are the requested files. logs.zip LoLPatcher.zip Malwarebytes Anti-Ransomware.zip
  10. After running a scan and restarting my computer, everything that I try to open gives me a ______.exe bad image error. Some things open anyway, others don't.
  11. I am running windows XP and have 512 ram (Dinosaur), I removed java completely a while ago and decided to try it again. I can download it, and it is in Chrome downloads, and in download folder's too. But when I try to "open" it, nothing happens. I gave up, and a few days later, I tried to download and open a memory test, it wouldn't "open" either. It too is in my download folder I googled ".exe files won't open running windows XP" and It brought me to a forum post here. I don't have the same symptoms as the post but the solution offered may solve my problem. Njustice replied to the forum and offered this: Please download EXE (lnk and regfile) Fix for Windows XP and save it to your desktop I run malware bytes regularly and after doing an update and running again It found a (pum highjack.startupmenu) I assume that is a virus, it has been quarantined. But I have no idea how long it has been there or what damage has been done. The following is Malware byte log: Malwarebytes Anti-Malware 1.65.1.1000 www.malwarebytes.org Database version: v2012.12.12.14 Windows XP Service Pack 3 x86 NTFS Internet Explorer 8.0.6001.18702 Curtis Lumpkin :: CURTIS [limited] 12/12/2012 6:39:07 PM mbam-log-2012-12-12 (18-39-07).txt Scan type: Quick scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 209192 Time elapsed: 6 minute(s), 39 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 1 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully. Folders Detected: 0 (No malicious items detected) Files Detected: 0 (No malicious items detected) (end) Attached is the DDS notepad thingie and also the "Attach" too. I hope I have made this post correctly and I apologize in advance if it's not I do regularly run CCleaner and do the registry also. I do have the last 4 logs or so of those if they are required. Thank You, Doug Hendon dds.txt attach.txt
  12. Hi guys, I must've browsed something bad because I currently cannot open any .exe files yet I can open whatever is on my system tray. I also tried doing the basic registry fix that Microsoft recommends when you can't open exe files under HHKEY_CLASSES_ROOT\exe and HHKEY_CLASSES_ROOT\exefile... but those appeared to be normal. I am also an Avast customer but unfortunately it did not detect anything so I may have to start using Malwarebytes instead. I ran Malwarebytes and all it found was some PUP.BundleOffers.IIQ files which I had malwarebytes remove and I am pasting below. I restarted and ran Malwarebytes again and it didn't detect anything yet I still cannot open .exe files. Thanks Malwarebytes Anti-Malware (Trial) 1.65.1.1000 www.malwarebytes.org Database version: v2012.11.16.01 Windows XP Service Pack 3 x86 NTFS Internet Explorer 8.0.6001.18702 Jason :: JASON-33450E334 [administrator] Protection: Enabled 11/15/2012 11:40:34 PM mbam-log-2012-11-16 (08-26-44).txt Scan type: Full scan (C:\|) Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 266312 Time elapsed: 31 minute(s), 29 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 4 C:\System Volume Information\_restore{E74E2C52-9F18-48D0-A30E-2D1652DE08A2}\RP457\A0067857.exe (PUP.BundleOffers.IIQ) -> No action taken. C:\System Volume Information\_restore{E74E2C52-9F18-48D0-A30E-2D1652DE08A2}\RP457\A0067858.exe (PUP.BundleOffers.IIQ) -> No action taken. C:\System Volume Information\_restore{E74E2C52-9F18-48D0-A30E-2D1652DE08A2}\RP457\A0067859.exe (PUP.BundleOffers.IIQ) -> No action taken. C:\System Volume Information\_restore{E74E2C52-9F18-48D0-A30E-2D1652DE08A2}\RP457\A0067860.exe (PUP.BundleOffers.IIQ) -> No action taken. (end) Also Hijack this log: (Note I have an external soundcard E-MU which started having static but now works normally after malwarebytes removed the PUP.BundleOffers.IIQ files shown above) Logfile of Trend Micro HijackThis v2.0.4 Scan saved at 11:49:40 PM, on 11/15/2012 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Unable to get Internet Explorer version! Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\AVAST Software\Avast\afwServ.exe C:\Program Files\AVAST Software\Avast\AvastSvc.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe C:\WINDOWS\system32\CTHELPER.EXE C:\Program Files\AVAST Software\Avast\avastUI.exe C:\WINDOWS\system32\LVCOMSX.EXE C:\WINDOWS\system32\RunDLL32.exe C:\Documents and Settings\Jason\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe C:\Program Files\Creative Professional\E-MU PatchMix DSP\EmuPMixDSP.exe C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe C:\Documents and Settings\Jason\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\Documents and Settings\Jason\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\Documents and Settings\Jason\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe C:\WINDOWS\system32\SNDVOL32.EXE C:\Documents and Settings\Jason\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\Documents and Settings\Jason\My Documents\Downloads\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R3 - URLSearchHook: (no name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file) O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll O4 - HKLM\..\Run: [ASUS Update Checker] C:\Program Files\ASUS\ASUSUpdate\UpdateChecker\UpdateChecker.exe O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nview\nwiz.exe /installquiet O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [setDefaultMIDI] MIDIDef.exe O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jason\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet O4 - HKCU\..\Run: [Aim] "C:\Program Files\AIM\aim.exe" /d locale=en-US O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot O4 - HKUS\S-1-5-21-57989841-220523388-1801674531-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?') O4 - HKUS\S-1-5-21-57989841-220523388-1801674531-1003\..\Run: [setDefaultMIDI] MIDIDef.exe (User '?') O4 - HKUS\S-1-5-21-57989841-220523388-1801674531-1003\..\Run: [Google Update] "C:\Documents and Settings\Jason\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (User '?') O4 - HKUS\S-1-5-21-57989841-220523388-1801674531-1003\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet (User '?') O4 - HKUS\S-1-5-21-57989841-220523388-1801674531-1003\..\Run: [Aim] "C:\Program Files\AIM\aim.exe" /d locale=en-US (User '?') O4 - HKUS\S-1-5-21-57989841-220523388-1801674531-1003\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot (User '?') O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing) O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe O23 - Service: avast! Firewall - AVAST Software - C:\Program Files\AVAST Software\Avast\afwServ.exe O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe O23 - Service: MotoHelper Service (MotoHelper) - Unknown owner - C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- End of file - 7120 bytes
  13. Hello, since two days I face an issue when trying to open Excel within my Standard User account - after almost 2 years without problems. There is no difference in double clicking an .xlsx file in Windows Explorer, choosing Excel pinned to the Start Menu, clicking on Start>>All Programs>>Microsoft Office>>Microsoft Excel 2010, or picking the Application file in C:\Program files (x86)\Microsoft Office\Office14. When doing so, I receive the message "Windows cannot access the specified device, path, or file. You ay not have the appropriate permissions to access the item." All other Office programs don't show this behavior. After changing the account from Standard User to Administrator everything seemed to work fine, but when turning back being logged on as Standard User the message returns. I'm running Windows 7 Ultimate 64bit. Does this sound like a malware infection? Your help is very much appreciated. Cheers, t.
  14. Merged 3 post (Reposted from PC Help - Thank you mods for pointing me to the correct forum) This is going to be a mouthfull, so a million thank-you's before hand. I'm working on a shared computer my office. I come in after several days off to find that the computer has a fake antivirus program. I don't know who downloaded it or from where. I run Malwarebytes Antimalware and Superantispyware as my protection programs. I was unable to update due to the fake antivurus, so I restarted in safe mode and ran some scans there. I ran a scan for both Malwarebytes and Superantispyware and this is what I found (Note to readers: The logs say "No Action Taken" becuase I saved the logfile before I quarantened and removed the malware with the above mentioned programs). Superantispyware Log: SUPERAntiSpyware Scan Log http://www.superantispyware.com Generated 05/29/2012 at 03:14 PM Application Version : 5.0.1148 Core Rules Database Version : 8601 Trace Rules Database Version: 6413 Scan type : Complete Scan Total Scan Time : 00:25:36 Operating System Information Windows 7 Professional 32-bit (Build 6.01.7600) UAC Off - Administrator Memory items scanned : 342 Memory threats detected : 0 Registry items scanned : 42788 Registry threats detected : 1 File items scanned : 31213 File threats detected : 17 Adware.Tracking Cookie C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@advertising[2].txt [ Cookie:brent@advertising.com/ ] C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@atdmt[1].txt [ Cookie:brent@atdmt.com/ ] C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@pointroll[2].txt [ Cookie:brent@pointroll.com/ ] C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@ru4[2].txt [ Cookie:brent@ru4.com/ ] C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@adbrite[2].txt [ Cookie:brent@adbrite.com/ ] C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@c.atdmt[2].txt [ Cookie:brent@c.atdmt.com/ ] C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@lucidmedia[1].txt [ Cookie:brent@lucidmedia.com/ ] C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@yieldmanager[1].txt [ Cookie:brent@yieldmanager.net/ ] C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@serving-sys[2].txt [ Cookie:brent@serving-sys.com/ ] C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@kanoodle[2].txt [ Cookie:brent@kanoodle.com/ ] C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@legolas-media[2].txt [ Cookie:brent@legolas-media.com/ ] ds.serving-sys.com [ C:\USERS\BRENT\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\N59VDAZK ] socialstreamingplayer.crystalmedianetworks.com [ C:\USERS\BRENT\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\N59VDAZK ] C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\SYSTEM@S3.TRAFFICNO[2].TXT [ /S3.TRAFFICNO ] Trojan.Agent/Gen-FakeAlert[Local] C:\PROGRAMDATA\B7E8586B000083BB67CF2E1FA6014588\B7E8586B000083BB67CF2E1FA6014588.EXE C:\$RECYCLE.BIN\S-1-5-21-1557514261-2431698323-2000263041-1000\$RM1A0AX.LNK [b7E8586B000083BB67CF2E1FA6014588] C:\PROGRAMDATA\B7E8586B000083BB67CF2E1FA6014588\B7E8586B000083BB67CF2E1FA6014588.EXE C:\USERS\USER\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\SMART FORTRESS 2012\SMART FORTRESS 2012.LNK Malwarebytes Log: Malwarebytes Anti-Malware 1.61.0.1400 www.malwarebytes.org Database version: v2012.05.29.07 Windows 7 x86 NTFS (Safe Mode) Internet Explorer 8.0.7600.16385 User :: QUERCUSCRUSADER [administrator] 5/29/2012 3:28:07 PM mbam-log-2012-05-29 (15-54-52).txt Scan type: Full scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 364709 Time elapsed: 26 minute(s), 31 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 2 HKCR\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Bad: (C:\Users\User\AppData\Local\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\n.) Good: (%SystemRoot%\system32\shdocvw.dll) -> No action taken. HKCR\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32| (Trojan.Zaccess) -> Bad: (\\.\globalroot\systemroot\Installer\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\n.) Good: (%systemroot%\system32\wbem\wbemess.dll) -> No action taken. Folders Detected: 0 (No malicious items detected) Files Detected: 4 C:\Users\User\AppData\Local\uzsqvv.exe (Trojan.Agent) -> No action taken. C:\Windows\Installer\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\U\00000001.@ (Trojan.Small) -> No action taken. C:\Windows\Installer\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\U\80000000.@ (Trojan.Sirefef) -> No action taken. C:\Windows\Installer\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\U\800000cb.@ (Rootkit.0Access) -> No action taken. (end) After doing this in safemode, I restarted the copmuter, updaded both programs to the current versions, and restarted again in safemode and scanned again. Only Malwarebytes found infected files this time. Scan log follows (Note to readers: Again, the logs say "No Action Taken" becuase I saved the logfile before I quarantened and removed the malware with the above mentioned programs). Malwarebytes Anti-Malware 1.61.0.1400 www.malwarebytes.org Database version: v2012.05.15.06 Windows 7 x86 NTFS (Safe Mode) Internet Explorer 8.0.7600.16385 User :: QUERCUSCRUSADER [administrator] 5/29/2012 2:49:26 PM mbam-log-2012-05-29 (15-16-54).txt Scan type: Full scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 361863 Time elapsed: 26 minute(s), 42 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 1 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Smart Fortress 2012 (Trojan.LameShield) -> No action taken. Registry Values Detected: 3 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|ipcofmon (IPH.Trojan.Agent.CPN) -> Data: rundll32 "C:\Users\User\AppData\Local\Temp\audiicpl.dll",CreateProcessNotify -> No action taken. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|MdRandomGeneratorCtrl (Trojan.Agent.SZ) -> Data: "C:\Users\User\AppData\Local\MdRandomGeneratorCtrl\MdRandomGeneratorCtrl.exe" /w -> No action taken. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|B7E8586B000083BB67CF2E1FA6014588 (Trojan.LameShield) -> Data: C:\ProgramData\B7E8586B000083BB67CF2E1FA6014588\B7E8586B000083BB67CF2E1FA6014588.exe -> No action taken. Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 6 C:\Users\User\AppData\Local\Temp\audiicpl.dll (IPH.Trojan.Agent.CPN) -> No action taken. C:\Users\User\AppData\Local\MdRandomGeneratorCtrl\MdRandomGeneratorCtrl.exe (Trojan.Agent.SZ) -> No action taken. C:\ProgramData\B7E8586B000083BB67CF2E1FA6014588\B7E8586B000083BB67CF2E1FA6014588.exe (Trojan.LameShield) -> No action taken. C:\Users\User\AppData\Local\Temp\~!#6BC0.tmp (Trojan.Agent.SZ) -> No action taken. C:\Users\User\AppData\Local\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\n (Trojan.Dropper.PE4) -> No action taken. C:\Windows\Installer\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\n (Trojan.Dropper.PE4) -> No action taken. (end) I restarted in safe mode, scanned a third time and found nothing. I wasn't convinced it was gone, however, and decided ot try one more scan. I restarted regularly this time and scanned a third time to try and catch anything that might only be visible to the program after a normal startup. Malwarebytes Anti-Malware 1.61.0.1400 www.malwarebytes.org Database version: v2012.06.02.05 Windows 7 x86 NTFS Internet Explorer 8.0.7600.16385 User :: QUERCUSCRUSADER [administrator] 6/2/2012 10:24:55 AM mbam-log-2012-06-02 (10-24-55).txt Scan type: Full scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 369234 Time elapsed: 32 minute(s), 52 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 1 C:\Users\User\AppData\Local\Temp\qeupd.dll (Trojan.Agent) -> Delete on reboot. Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 1 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|qeupd (Trojan.Agent) -> Data: rundll32.exe "C:\Users\User\AppData\Local\Temp\qeupd.dll",SteamAPI_GetSteamInstallPath -> Quarantined and deleted successfully. Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 1 C:\Users\User\AppData\Local\Temp\qeupd.dll (Trojan.Agent) -> Delete on reboot. (end) I scanned several times after, both in safe mode as well as after a normal startup, and found nothing. I kept an eye on the machine for several days, updating and scanning whenever I could. Today is about 5 days later, I even scanned this morning and didn't find any problems. This is where things get. . . wierd. . . I noticed while trying to work that a Microsoft Word file wouldn't open. There was no error message, the mouse would show the Windows loading wheel for about one full second and then. . . Nothing. Even after a restart, no joy. I tried Excel and PowerPoint as well. Same thing. Then I tried to open a new, blank document. Same thing. At this point, I'm confused so I go into program files and find. . .nothing (See attached "Office Clip 1-3"). By now, I'm sure it has something to do with the virus. So I downlaod and Install HijackThis and run the scan, copy the log into two different online analyzers. Both of these didn't come up with anything that could be dnagerous (to my limited knowledge and experience). The log follows. Logfile of Trend Micro HijackThis v2.0.4 Scan saved at 10:57:47 AM, on 6/5/2012 Platform: Windows 7 (WinNT 6.00.3504) MSIE: Internet Explorer v8.00 (8.00.7600.16385) Boot mode: Normal Running processes: C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Windows\system32\taskhost.exe C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe C:\Program Files\Microsoft IntelliPoint\ipoint.exe C:\Program Files\Sophos\AutoUpdate\ALMon.exe C:\Program Files\Microsoft IntelliType Pro\itype.exe C:\Program Files\Common Files\Java\Java Update\jusched.exe C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe C:\Program Files\WordWeb\wweb32.exe C:\Windows\System32\rundll32.exe C:\Program Files\NVIDIA Corporation\Display\nvtray.exe C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe O4 - HKLM\..\Run: [intelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKLM\..\Run: [sophos AutoUpdate Monitor] C:\Program Files\Sophos\AutoUpdate\almon.exe O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe" O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" O4 - HKCU\..\Run: [WordWeb] "C:\Program Files\WordWeb\wweb32.exe" -startup O4 - HKCU\..\Run: [nemsv] rundll32.exe "C:\Users\User\AppData\Local\Temp\nemsv.dll",RectPatchSize O4 - HKUS\S-1-5-21-1557514261-2431698323-2000263041-1000\..\Run: [WordWeb] "C:\Program Files\WordWeb\wweb32.exe" -startup (User '?') O4 - HKUS\S-1-5-21-1557514261-2431698323-2000263041-1000\..\Run: [nemsv] rundll32.exe "C:\Users\User\AppData\Local\Temp\nemsv.dll",RectPatchSize (User '?') O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE O23 - Service: ArcGIS License Manager - Acresso Software Inc. - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Intel® Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe O23 - Service: Intel® Management & Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe -- End of file - 5523 bytes I know that some viruses begin with a startup file, so here is also a log of my startup files copied out of CCleaner. Yes HKCU:Run nemsv rundll32.exe "C:\Users\User\AppData\Local\Temp\nemsv.dll",RectPatchSize Yes HKCU:Run WordWeb "C:\Program Files\WordWeb\wweb32.exe" -startup Yes HKLM:Run Adobe ARM "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" Yes HKLM:Run Adobe Reader Speed Launcher "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" Yes HKLM:Run HotKeysCmds C:\Windows\system32\hkcmd.exe Yes HKLM:Run IgfxTray C:\Windows\system32\igfxtray.exe Yes HKLM:Run IntelliPoint "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" Yes HKLM:Run itype "C:\Program Files\Microsoft IntelliType Pro\itype.exe" Yes HKLM:Run Malwarebytes Anti-Malware (reboot) "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript Yes HKLM:Run Persistence C:\Windows\system32\igfxpers.exe Yes HKLM:Run RtHDVCpl C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s Yes HKLM:Run Sophos AutoUpdate Monitor C:\Program Files\Sophos\AutoUpdate\almon.exe Yes HKLM:Run SunJavaUpdateSched "C:\Program Files\Common Files\Java\Java Update\jusched.exe" So, this is the gist of it. I have no clue what to do here, I don't even know what's wrong. I would just relaod MS Office, but I have a code key without a disk (for activating computers preloaded with MS Office) and I think you guys can help me better than having to jump through hoops to have Microsoft send me a CD with office on it. If I'm missing any information that is relevant, please let me know and I'll update as soon as possible. UPDATE: I scanned again this morning, two more hits. Scrrencap attached with removal log. Malwarebytes Anti-Malware 1.61.0.1400 www.malwarebytes.org Database version: v2012.06.06.04 Windows 7 x86 NTFS Internet Explorer 8.0.7600.16385 User :: QUERCUSCRUSADER [administrator] 6/6/2012 7:49:59 AM mbam-log-2012-06-06 (07-49-59).txt Scan type: Full scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 370594 Time elapsed: 32 minute(s), 57 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 2 C:\Users\User\AppData\Local\Temp\tempfiles.exe (Trojan.Agent.H) -> Quarantined and deleted successfully. C:\Users\User\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\41dd9ccd-7ef6735c (Trojan.Agent.H) -> Quarantined and deleted successfully. (end) Forgot to attach to above.
  15. This is going to be a mouthfull, so a million thank-you's before hand. I'm working on a shared computer my office. I come in after several days off to find that the computer has a fake antivirus program. I don't know who downloaded it or from where. I run Malwarebytes Antimalware and Superantispyware as my protection programs. I was unable to update due to the fake antivurus, so I restarted in safe mode and ran some scans there. I ran a scan for both Malwarebytes and Superantispyware and this is what I found (Note to readers: The logs say "No Action Taken" becuase I saved the logfile before I quarantened and removed the malware with the above mentioned programs). Superantispyware Log: SUPERAntiSpyware Scan Log http://www.superantispyware.com Generated 05/29/2012 at 03:14 PM Application Version : 5.0.1148 Core Rules Database Version : 8601 Trace Rules Database Version: 6413 Scan type : Complete Scan Total Scan Time : 00:25:36 Operating System Information Windows 7 Professional 32-bit (Build 6.01.7600) UAC Off - Administrator Memory items scanned : 342 Memory threats detected : 0 Registry items scanned : 42788 Registry threats detected : 1 File items scanned : 31213 File threats detected : 17 Adware.Tracking Cookie C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@advertising[2].txt [ Cookie:brent@advertising.com/ ] C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@atdmt[1].txt [ Cookie:brent@atdmt.com/ ] C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@pointroll[2].txt [ Cookie:brent@pointroll.com/ ] C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@ru4[2].txt [ Cookie:brent@ru4.com/ ] C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@adbrite[2].txt [ Cookie:brent@adbrite.com/ ] C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@c.atdmt[2].txt [ Cookie:brent@c.atdmt.com/ ] C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@lucidmedia[1].txt [ Cookie:brent@lucidmedia.com/ ] C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@yieldmanager[1].txt [ Cookie:brent@yieldmanager.net/ ] C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@serving-sys[2].txt [ Cookie:brent@serving-sys.com/ ] C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@kanoodle[2].txt [ Cookie:brent@kanoodle.com/ ] C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@legolas-media[2].txt [ Cookie:brent@legolas-media.com/ ] ds.serving-sys.com [ C:\USERS\BRENT\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\N59VDAZK ] socialstreamingplayer.crystalmedianetworks.com [ C:\USERS\BRENT\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\N59VDAZK ] C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\SYSTEM@S3.TRAFFICNO[2].TXT [ /S3.TRAFFICNO ] Trojan.Agent/Gen-FakeAlert[Local] C:\PROGRAMDATA\B7E8586B000083BB67CF2E1FA6014588\B7E8586B000083BB67CF2E1FA6014588.EXE C:\$RECYCLE.BIN\S-1-5-21-1557514261-2431698323-2000263041-1000\$RM1A0AX.LNK [b7E8586B000083BB67CF2E1FA6014588] C:\PROGRAMDATA\B7E8586B000083BB67CF2E1FA6014588\B7E8586B000083BB67CF2E1FA6014588.EXE C:\USERS\USER\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\SMART FORTRESS 2012\SMART FORTRESS 2012.LNK Malwarebytes Log: Malwarebytes Anti-Malware 1.61.0.1400 www.malwarebytes.org Database version: v2012.05.29.07 Windows 7 x86 NTFS (Safe Mode) Internet Explorer 8.0.7600.16385 User :: QUERCUSCRUSADER [administrator] 5/29/2012 3:28:07 PM mbam-log-2012-05-29 (15-54-52).txt Scan type: Full scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 364709 Time elapsed: 26 minute(s), 31 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 2 HKCR\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Bad: (C:\Users\User\AppData\Local\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\n.) Good: (%SystemRoot%\system32\shdocvw.dll) -> No action taken. HKCR\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32| (Trojan.Zaccess) -> Bad: (\\.\globalroot\systemroot\Installer\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\n.) Good: (%systemroot%\system32\wbem\wbemess.dll) -> No action taken. Folders Detected: 0 (No malicious items detected) Files Detected: 4 C:\Users\User\AppData\Local\uzsqvv.exe (Trojan.Agent) -> No action taken. C:\Windows\Installer\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\U\00000001.@ (Trojan.Small) -> No action taken. C:\Windows\Installer\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\U\80000000.@ (Trojan.Sirefef) -> No action taken. C:\Windows\Installer\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\U\800000cb.@ (Rootkit.0Access) -> No action taken. (end) After doing this in safemode, I restarted the copmuter, updaded both programs to the current versions, and restarted again in safemode and scanned again. Only Malwarebytes found infected files this time. Scan log follows (Note to readers: Again, the logs say "No Action Taken" becuase I saved the logfile before I quarantened and removed the malware with the above mentioned programs). Malwarebytes Anti-Malware 1.61.0.1400 www.malwarebytes.org Database version: v2012.05.15.06 Windows 7 x86 NTFS (Safe Mode) Internet Explorer 8.0.7600.16385 User :: QUERCUSCRUSADER [administrator] 5/29/2012 2:49:26 PM mbam-log-2012-05-29 (15-16-54).txt Scan type: Full scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 361863 Time elapsed: 26 minute(s), 42 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 1 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Smart Fortress 2012 (Trojan.LameShield) -> No action taken. Registry Values Detected: 3 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|ipcofmon (IPH.Trojan.Agent.CPN) -> Data: rundll32 "C:\Users\User\AppData\Local\Temp\audiicpl.dll",CreateProcessNotify -> No action taken. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|MdRandomGeneratorCtrl (Trojan.Agent.SZ) -> Data: "C:\Users\User\AppData\Local\MdRandomGeneratorCtrl\MdRandomGeneratorCtrl.exe" /w -> No action taken. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|B7E8586B000083BB67CF2E1FA6014588 (Trojan.LameShield) -> Data: C:\ProgramData\B7E8586B000083BB67CF2E1FA6014588\B7E8586B000083BB67CF2E1FA6014588.exe -> No action taken. Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 6 C:\Users\User\AppData\Local\Temp\audiicpl.dll (IPH.Trojan.Agent.CPN) -> No action taken. C:\Users\User\AppData\Local\MdRandomGeneratorCtrl\MdRandomGeneratorCtrl.exe (Trojan.Agent.SZ) -> No action taken. C:\ProgramData\B7E8586B000083BB67CF2E1FA6014588\B7E8586B000083BB67CF2E1FA6014588.exe (Trojan.LameShield) -> No action taken. C:\Users\User\AppData\Local\Temp\~!#6BC0.tmp (Trojan.Agent.SZ) -> No action taken. C:\Users\User\AppData\Local\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\n (Trojan.Dropper.PE4) -> No action taken. C:\Windows\Installer\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\n (Trojan.Dropper.PE4) -> No action taken. (end) I restarted in safe mode, scanned a third time and found nothing. I wasn't convinced it was gone, however, and decided ot try one more scan. I restarted regularly this time and scanned a third time to try and catch anything that might only be visible to the program after a normal startup. Malwarebytes Anti-Malware 1.61.0.1400 www.malwarebytes.org Database version: v2012.06.02.05 Windows 7 x86 NTFS Internet Explorer 8.0.7600.16385 User :: QUERCUSCRUSADER [administrator] 6/2/2012 10:24:55 AM mbam-log-2012-06-02 (10-24-55).txt Scan type: Full scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 369234 Time elapsed: 32 minute(s), 52 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 1 C:\Users\User\AppData\Local\Temp\qeupd.dll (Trojan.Agent) -> Delete on reboot. Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 1 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|qeupd (Trojan.Agent) -> Data: rundll32.exe "C:\Users\User\AppData\Local\Temp\qeupd.dll",SteamAPI_GetSteamInstallPath -> Quarantined and deleted successfully. Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 1 C:\Users\User\AppData\Local\Temp\qeupd.dll (Trojan.Agent) -> Delete on reboot. (end) I scanned several times after, both in safe mode as well as after a normal startup, and found nothing. I kept an eye on the machine for several days, updating and scanning whenever I could. Today is about 5 days later, I even scanned this morning and didn't find any problems. This is where things get. . . wierd. . . I noticed while trying to work that a Microsoft Word file wouldn't open. There was no error message, the mouse would show the Windows loading wheel for about one full second and then. . . Nothing. Even after a restart, no joy. I tried Excel and PowerPoint as well. Same thing. Then I tried to open a new, blank document. Same thing. At this point, I'm confused so I go into program files and find. . .nothing (See attached "Office Clip 1-3"). By now, I'm sure it has something to do with the virus. So I downlaod and Install HijackThis and run the scan, copy the log into two different online analyzers. Both of these didn't come up with anything that could be dnagerous (to my limited knowledge and experience). The log follows. Logfile of Trend Micro HijackThis v2.0.4 Scan saved at 10:57:47 AM, on 6/5/2012 Platform: Windows 7 (WinNT 6.00.3504) MSIE: Internet Explorer v8.00 (8.00.7600.16385) Boot mode: Normal Running processes: C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Windows\system32\taskhost.exe C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe C:\Program Files\Microsoft IntelliPoint\ipoint.exe C:\Program Files\Sophos\AutoUpdate\ALMon.exe C:\Program Files\Microsoft IntelliType Pro\itype.exe C:\Program Files\Common Files\Java\Java Update\jusched.exe C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe C:\Program Files\WordWeb\wweb32.exe C:\Windows\System32\rundll32.exe C:\Program Files\NVIDIA Corporation\Display\nvtray.exe C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe O4 - HKLM\..\Run: [intelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKLM\..\Run: [sophos AutoUpdate Monitor] C:\Program Files\Sophos\AutoUpdate\almon.exe O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe" O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" O4 - HKCU\..\Run: [WordWeb] "C:\Program Files\WordWeb\wweb32.exe" -startup O4 - HKCU\..\Run: [nemsv] rundll32.exe "C:\Users\User\AppData\Local\Temp\nemsv.dll",RectPatchSize O4 - HKUS\S-1-5-21-1557514261-2431698323-2000263041-1000\..\Run: [WordWeb] "C:\Program Files\WordWeb\wweb32.exe" -startup (User '?') O4 - HKUS\S-1-5-21-1557514261-2431698323-2000263041-1000\..\Run: [nemsv] rundll32.exe "C:\Users\User\AppData\Local\Temp\nemsv.dll",RectPatchSize (User '?') O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE O23 - Service: ArcGIS License Manager - Acresso Software Inc. - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Intel® Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe O23 - Service: Intel® Management & Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe -- End of file - 5523 bytes I know that some viruses begin with a startup file, so here is also a log of my startup files copied out of CCleaner. Yes HKCU:Run nemsv rundll32.exe "C:\Users\User\AppData\Local\Temp\nemsv.dll",RectPatchSize Yes HKCU:Run WordWeb "C:\Program Files\WordWeb\wweb32.exe" -startup Yes HKLM:Run Adobe ARM "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" Yes HKLM:Run Adobe Reader Speed Launcher "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" Yes HKLM:Run HotKeysCmds C:\Windows\system32\hkcmd.exe Yes HKLM:Run IgfxTray C:\Windows\system32\igfxtray.exe Yes HKLM:Run IntelliPoint "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" Yes HKLM:Run itype "C:\Program Files\Microsoft IntelliType Pro\itype.exe" Yes HKLM:Run Malwarebytes Anti-Malware (reboot) "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript Yes HKLM:Run Persistence C:\Windows\system32\igfxpers.exe Yes HKLM:Run RtHDVCpl C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s Yes HKLM:Run Sophos AutoUpdate Monitor C:\Program Files\Sophos\AutoUpdate\almon.exe Yes HKLM:Run SunJavaUpdateSched "C:\Program Files\Common Files\Java\Java Update\jusched.exe" So, this is the gist of it. I have no clue what to do here, I don't even know what's wrong. I would just relaod MS Office, but I have a code key without a disk (for activating computers preloaded with MS Office) and I think you guys can help me better than having to jump through hoops to have Microsoft send me a CD with office on it. If I'm missing any information that is relevant, please let me know and I'll update as soon as possible.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.