
For the past couple of days I have been infected with this virus. I had visited a website with some instructions on how to remove it but no luck: first I used Rkill, then iExplorer.com, then TDSSKiller, then Malwarebytes, and last Unhide. After this process, the computer looks like it's all clear and well, but as soon as I restart it's back to 0 again and Malwarebytes keeps finding the files it had deleted in a previous scan.

It has turned into a routine every morning to repeat the process.

Any help is very much appreciated.

I also included the rkill log file.

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 9.0.8112.16421

Run by User at 10:54:39 on 2011-12-03

Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3316.1917 [GMT -5:00]

.

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\PMObserv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\AERTSrv.exe

C:\Windows\System32\svchost.exe -k Akamai

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Windows\WindowsMobile\wmdSync.exe

C:\Program Files\DivX\DivX Plus Web Player\DDMService.exe

C:\Windows\RtHDVCpl.exe

C:\Program Files\PowerISO\PWRISOVM.EXE

C:\Program Files\DivX\DivX Update\DivXUpdate.exe

C:\ProgramData\yEfRqQhDUGAmlI.exe

C:\Users\User\AppData\Local\Akamai\netsession_win.exe

C:\Users\User\AppData\Roaming\Dropbox\bin\Dropbox.exe

C:\Program Files\XWindows Dock\XWD.exe

C:\Windows\system32\igfxsrvc.exe

C:\Program Files\RDS\RMClient\MplHDDisp.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Windows\system32\svchost.exe -k WindowsMobile

C:\Program Files\RDS\RMClient\PMJobCliMsg.exe

C:\Users\User\AppData\Local\Akamai\netsession_win.exe

C:\Windows\system32\attrib.exe

C:\ProgramData\tHdDLh6T2S5r5y.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Windows\system32\attrib.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uSearch Page = hxxp://www.google.com

uStart Page = hxxp://www.google.com/

uSearch Bar = hxxp://www.google.com/ie

uDefault_Search_URL = hxxp://www.google.com/ie

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

uURLSearchHooks: H - No File

uURLSearchHooks: H - No File

BHO: {0ea10b9e-6b94-40cb-b4d6-5f1291c9b252} - c:\users\user\appdata\local\ServicePTR.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll

BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

TB: {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - No File

uRun: [Akamai NetSession Interface] c:\users\user\appdata\local\akamai\netsession_win.exe

mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"

mRun: [JobHisInit] c:\program files\rds\rmclient\JobHisInit.exe

mRun: [MplSetUp] c:\program files\rds\rmclient\MplSetUp.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe

mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"

mRun: [switchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe

mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin

mRun: [DivX Download Manager] "c:\program files\divx\divx plus web player\DDmService.exe" start

mRun: [RtHDVCpl] RtHDVCpl.exe

mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW

mRun: [yEfRqQhDUGAmlI.exe] c:\programdata\yEfRqQhDUGAmlI.exe

StartupFolder: c:\users\user\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\user\appdata\roaming\dropbox\bin\Dropbox.exe

StartupFolder: c:\users\user\appdata\roaming\micros~1\windows\startm~1\programs\startup\xwindo~1.lnk - c:\program files\xwindows dock\XWD.exe

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableLinkedConnections = 1 (0x1)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

dPolicies-system: DisableTaskMgr = 1 (0x1)

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

LSP: c:\windows\system32\wpclsp.dll

DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100

TCP: Interfaces\{0D8CBD7B-5252-4D37-B188-0AFD74053582} : NameServer = 167.206.251.130,167.206.251.129

TCP: Interfaces\{488124FF-9F4D-48A3-9448-D32D4FC9F86F} : DhcpNameServer = 169.254.2.2

TCP: Interfaces\{FFF7425D-E8CA-4C8D-A35F-15A3B43D667E} : DhcpNameServer = 172.16.145.103 172.16.145.103

Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks enterprise solutions 9.0\HelpAsyncPluggableProtocol.dll

Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll

Notify: igfxcui - igfxdev.dll

AppInit_DLLs: AVGRSSTX.DLL

STS: FencesShlExt Class: {1984dd45-52cf-49cd-ab77-18f378fea264} - c:\program files\stardock\fences\FencesMenu.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\user\appdata\roaming\mozilla\firefox\profiles\5v4smkpb.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=ConduitEngine&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - component: c:\users\user\appdata\roaming\mozilla\firefox\profiles\5v4smkpb.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll

FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll

.

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

============= SERVICES / DRIVERS ===============

.

R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]

R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-11-24 21504]

R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-11-24 21504]

R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-10-8 374152]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-11-24 47640]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-28 366152]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-28 22216]

R3 PMObserv;PMObserv;c:\windows\system32\PMObserv.exe [2010-4-7 245907]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-2-23 136176]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-2-23 136176]

S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2009-8-28 17408]

S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S4 QuickBooksDB19;QuickBooksDB19;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb19 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB19 [?]

.

=============== Created Last 30 ================

.

2011-12-03 15:38:32 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{e40b47a9-720d-49e7-9343-cfb8caa6b2ec}\offreg.dll

2011-12-02 14:49:14 6823496 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{e40b47a9-720d-49e7-9343-cfb8caa6b2ec}\mpengine.dll

2011-12-02 14:28:06 352512 ---ha-w- c:\programdata\tHdDLh6T2S5r5y.exe

2011-11-30 14:19:00 -------- d-----w- c:\program files\Loaris

2011-11-28 18:06:33 -------- d--h--w- c:\users\user\appdata\roaming\Malwarebytes

2011-11-28 18:06:24 -------- d--h--w- c:\programdata\Malwarebytes

2011-11-28 18:06:21 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-28 18:06:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-11-28 15:22:21 444672 ----a-w- c:\programdata\yEfRqQhDUGAmlI.exe

2011-11-23 19:22:03 0 ----a-w- c:\windows\system32\0.19091899603614915.exe

2011-11-10 00:18:04 -------- d--h--w- c:\users\user\appdata\local\Akamai

2011-11-09 07:07:30 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat

2011-11-09 07:07:27 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys

2011-11-09 07:07:16 707584 ----a-w- c:\program files\common files\system\wab32.dll

.

==================== Find3M ====================

.

2011-11-19 15:30:54 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-26 17:38:10 0 ----a-w- c:\windows\system32\qzicirwzzh.tmp

2011-10-07 04:00:34 87424 ----a-w- c:\windows\system32\LMIinit.dll

2011-10-07 04:00:34 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll

2011-10-07 04:00:34 52096 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll

2011-10-07 04:00:34 30592 ----a-w- c:\windows\system32\LMIport.dll

2011-09-06 13:30:12 2043392 ----a-w- c:\windows\system32\win32k.sys

2006-12-03 00:50:42 18662912 ----a-w- c:\program files\common files\TaxWise Workstation.msi

.

============= FINISH: 10:57:49.69 ===============

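As an added example (not code from the original post or from any of the tools named in it), a small Python triage script that parses a few lines copied from the DDS log above and flags the entries a helper would ask about: a Run key pointing at a generated-looking name under ProgramData, a BHO with no product name, a hidden executable created in the last 30 days, and the DisableTaskMgr policy. The heuristics and thresholds are my own assumptions, not DDS or Malwarebytes logic.

```python
import re

# Constructed sample: lines copied from the DDS log in the post above, in the
# layout DDS uses for Run keys, policies, BHOs and the "Created Last 30" list.
SAMPLE_DDS = """\
mRun: [igfxTray] c:\\windows\\system32\\igfxtray.exe
mRun: [yEfRqQhDUGAmlI.exe] c:\\programdata\\yEfRqQhDUGAmlI.exe
uRun: [Akamai NetSession Interface] c:\\users\\user\\appdata\\local\\akamai\\netsession_win.exe
dPolicies-system: DisableTaskMgr = 1 (0x1)
BHO: {0ea10b9e-6b94-40cb-b4d6-5f1291c9b252} - c:\\users\\user\\appdata\\local\\ServicePTR.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\\program files\\java\\jre6\\bin\\jp2ssv.dll
2011-12-02 14:28:06 352512 ---ha-w- c:\\programdata\\tHdDLh6T2S5r5y.exe
2011-11-28 18:06:21 22216 ----a-w- c:\\windows\\system32\\drivers\\mbam.sys
"""

# Directories a standard user can write to; assumed markers, not a DDS concept.
USER_WRITABLE = ("c:\\programdata\\", "\\appdata\\local\\", "\\appdata\\roaming\\")
RUN_KEY = re.compile(r'^[umd]Run: \[[^\]]*\] "?(.*?\.exe)', re.I)
UNNAMED_BHO = re.compile(r"^BHO: \{[0-9a-f-]{36}\} - (.+)$", re.I)
CREATED = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \S+ (\S{8}) (.+)$")

def looks_generated(path):
    """Crude test for machine-generated file names: 8+ letters with 5+ case switches."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    letters = [c for c in stem if c.isalpha()]
    switches = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    return len(letters) >= 8 and switches >= 5

def triage(dds_text):
    """Return (reason, detail) pairs for log entries that deserve a closer look."""
    hits = []
    for line in dds_text.splitlines():
        if m := RUN_KEY.match(line):
            path = m.group(1)
            writable = any(marker in path.lower() for marker in USER_WRITABLE)
            if writable and looks_generated(path):
                hits.append(("autorun with generated name in user-writable dir", path))
        elif m := UNNAMED_BHO.match(line):
            hits.append(("BHO with no product name", m.group(1)))
        elif m := CREATED.match(line):
            attrs, path = m.groups()
            if "h" in attrs and path.lower().endswith(".exe"):
                hits.append(("hidden executable created in the last 30 days", path))
        elif line.startswith("dPolicies-system: DisableTaskMgr = 1"):
            hits.append(("Task Manager disabled by policy", line))
    return hits

if __name__ == "__main__":
    for reason, detail in triage(SAMPLE_DDS):
        print(f"{reason}: {detail}")
```

The script only highlights entries for a human to verify; a hit on the name heuristic is a prompt to check the file, not proof that it is malicious.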

Logs will be closed if you haven't replied within 3 days

Please don't attach the scans / logs for these tools, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Please run a new MBAM scan, being sure to update before scanning.

Post the scan results.

Also please describe how your computer behaves at the moment.

Please don't attach the scans / logs, use "copy/paste".


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
