MrBryant Posted December 3, 2011

For the past couple of days I have been infected with this virus. I had visited a website with some instructions on how to remove it, but no luck. First I used Rkill, then iExplorer.com, then TDSSKiller, then Malwarebytes, and last Unhide. After this process, the computer looks like it's all clear and well, but as soon as I restart it's back to 0 again and Malwarebytes keeps finding the files it had deleted in a previous scan. It has turned into a routine every morning to repeat the process. Any help is very much appreciated. I also included the Rkill log file.

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by User at 10:54:39 on 2011-12-03
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3316.1917 [GMT -5:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\PMObserv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\AERTSrv.exe
C:\Windows\System32\svchost.exe -k Akamai
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\DivX\DivX Plus Web Player\DDMService.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\ProgramData\yEfRqQhDUGAmlI.exe
C:\Users\User\AppData\Local\Akamai\netsession_win.exe
C:\Users\User\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\XWindows Dock\XWD.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\RDS\RMClient\MplHDDisp.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\RDS\RMClient\PMJobCliMsg.exe
C:\Users\User\AppData\Local\Akamai\netsession_win.exe
C:\Windows\system32\attrib.exe
C:\ProgramData\tHdDLh6T2S5r5y.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\attrib.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
BHO: {0ea10b9e-6b94-40cb-b4d6-5f1291c9b252} - c:\users\user\appdata\local\ServicePTR.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - No File
uRun: [Akamai NetSession Interface] c:\users\user\appdata\local\akamai\netsession_win.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [JobHisInit] c:\program files\rds\rmclient\JobHisInit.exe
mRun: [MplSetUp] c:\program files\rds\rmclient\MplSetUp.exe
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [switchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [DivX Download Manager] "c:\program files\divx\divx plus web player\DDmService.exe" start
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [yEfRqQhDUGAmlI.exe] c:\programdata\yEfRqQhDUGAmlI.exe
StartupFolder: c:\users\user\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\user\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\users\user\appdata\roaming\micros~1\windows\startm~1\programs\startup\xwindo~1.lnk - c:\program files\xwindows dock\XWD.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLinkedConnections = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\wpclsp.dll
DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: Interfaces\{0D8CBD7B-5252-4D37-B188-0AFD74053582} : NameServer = 167.206.251.130,167.206.251.129
TCP: Interfaces\{488124FF-9F4D-48A3-9448-D32D4FC9F86F} : DhcpNameServer = 169.254.2.2
TCP: Interfaces\{FFF7425D-E8CA-4C8D-A35F-15A3B43D667E} : DhcpNameServer = 172.16.145.103 172.16.145.103
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks enterprise solutions 9.0\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: AVGRSSTX.DLL
STS: FencesShlExt Class: {1984dd45-52cf-49cd-ab77-18f378fea264} - c:\program files\stardock\fences\FencesMenu.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\user\appdata\roaming\mozilla\firefox\profiles\5v4smkpb.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=ConduitEngine&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\users\user\appdata\roaming\mozilla\firefox\profiles\5v4smkpb.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
============= SERVICES / DRIVERS ===============
.
R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-11-24 21504]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-11-24 21504]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-10-8 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-11-24 47640]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-28 366152]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-28 22216]
R3 PMObserv;PMObserv;c:\windows\system32\PMObserv.exe [2010-4-7 245907]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-2-23 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-2-23 136176]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2009-8-28 17408]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 QuickBooksDB19;QuickBooksDB19;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb19 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB19 [?]
.
=============== Created Last 30 ================
.
2011-12-03 15:38:32 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{e40b47a9-720d-49e7-9343-cfb8caa6b2ec}\offreg.dll
2011-12-02 14:49:14 6823496 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{e40b47a9-720d-49e7-9343-cfb8caa6b2ec}\mpengine.dll
2011-12-02 14:28:06 352512 ---ha-w- c:\programdata\tHdDLh6T2S5r5y.exe
2011-11-30 14:19:00 -------- d-----w- c:\program files\Loaris
2011-11-28 18:06:33 -------- d--h--w- c:\users\user\appdata\roaming\Malwarebytes
2011-11-28 18:06:24 -------- d--h--w- c:\programdata\Malwarebytes
2011-11-28 18:06:21 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-28 18:06:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-28 15:22:21 444672 ----a-w- c:\programdata\yEfRqQhDUGAmlI.exe
2011-11-23 19:22:03 0 ----a-w- c:\windows\system32\0.19091899603614915.exe
2011-11-10 00:18:04 -------- d--h--w- c:\users\user\appdata\local\Akamai
2011-11-09 07:07:30 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-11-09 07:07:27 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-09 07:07:16 707584 ----a-w- c:\program files\common files\system\wab32.dll
.
==================== Find3M ====================
.
2011-11-19 15:30:54 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-26 17:38:10 0 ----a-w- c:\windows\system32\qzicirwzzh.tmp
2011-10-07 04:00:34 87424 ----a-w- c:\windows\system32\LMIinit.dll
2011-10-07 04:00:34 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-10-07 04:00:34 52096 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2011-10-07 04:00:34 30592 ----a-w- c:\windows\system32\LMIport.dll
2011-09-06 13:30:12 2043392 ----a-w- c:\windows\system32\win32k.sys
2006-12-03 00:50:42 18662912 ----a-w- c:\program files\common files\TaxWise Workstation.msi
.
============= FINISH: 10:57:49.69 ===============

Attachments: Attach.txt, DDS.txt, rkill.log
LDTate Posted December 7, 2011

Logs will be closed if you haven't replied within 3 days.

Please don't attach the scans / logs for these tools, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Please run a new MBAM scan, being sure to update before scanning. Post the scan results.

Also please describe how your computer behaves at the moment.

Please don't attach the scans / logs, use "copy/paste".
LDTate Posted December 12, 2011

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!